试用JA3进行STL流量监控

STL原理文章:https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967

项目地址https://github.com/dreadl0ck/ja3

安装完成后对网卡进行抓包,并计算 TLS指纹

[root@localhost ja3]# /root/go/bin/goja3 -ja3s=false -json -iface eth0
timestamp,source_ip,source_port,destination_ip,destination_port,ja3_digest
1600323585.901393,172.17.57.222,30436,160.85.255.180,443,24e00016bfdc9736d1f0f34f407a8b0d
1600323586.169197,160.85.255.180,443,172.17.57.222,30436,28ef90cc3d9d08c96a8a2cb6f365a79e
1600323588.025594,172.17.57.222,30438,160.85.255.180,443,24e00016bfdc9736d1f0f34f407a8b0d
1600323588.292009,160.85.255.180,443,172.17.57.222,30438,28ef90cc3d9d08c96a8a2cb6f365a79e
1600323591.730684,183.39.19.109,60537,172.17.57.222,10087,7f7803d8ca1457545483498225803e09
1600323591.733140,172.17.57.222,10087,183.39.19.109,60537,f4febc55ea12b31ae17cfb7e614afda8
1600323592.309589,172.17.57.222,19772,58.83.177.194,443,6f5e62edfa5933b1332ddf8b9fb3ef9d
1600323592.373415,58.83.177.194,443,172.17.57.222,19772,d154fcfa5bb4f0748e1dd1992c681104

在另一个shell中运行

[root@localhost ~]# curl -X GET 'https://ja3er.com/json'
{"ja3_hash":"24e00016bfdc9736d1f0f34f407a8b0d", "ja3": "771,49196-49162-49195-52393-49161-49200-49172-49199-52392-49171-159-57-56-107-158-52394-51-50-103-22-19-157-53-61-156-47-60-10,0-65281-10-11-13-28,29-23-24-25,0", "User-Agent": "curl/7.29.0"}

看到goja3计算出的指纹无误

也可以在https://ja3er.com/form进行指纹查询和下载

将24e00016bfdc9736d1f0f34f407a8b0d进行查询结果如下

    curl/7.29.0 (count: 5008, last seen: 2020-09-17 06:19:48)
    Mozilla (count: 14, last seen: 2020-08-21 08:07:38)
    Mozilla/5.0 (compatible) (count: 12, last seen: 2020-06-15 17:48:35)

Share on: