JA4+™ Network Fingerprinting
JA4+ is a suite of network fingerprinting methods by FoxIO that are easy to use and easy to share. These methods are both human and machine readable to facilitate more effective threat-hunting and analysis. The use-cases for these fingerprints include scanning for threat actors, malware detection, session hijacking prevention, compliance automation, location tracking, DDoS detection, grouping of threat actors, reverse shell detection, and many more.
For a quick explainer on JA4+ and to use as a reference during analysis see:
JA4+ Cheat Sheet
For in-depth detail, please read our blogs on how JA4+ works, why it works, and examples of what can be detected/prevented with it:
JA4+ Network Fingerprinting (JA4/S/H/L/X/SSH)
JA4T: TCP Fingerprinting (JA4T/TS/TScan)
Investigating Surfshark and NordVPN with JA4T (JA4T)
If you love JA4+, consider getting a t-shirt or hoodie:
JA4+ Shirts, Hoodies, and Stickers
Table of contents
- Current methods and implementation details
- Implementations
- Tools that support JA4+
- Examples
- Plugins
- Binaries
- Database
- Release Process
- JA4+ Details
- Licensing
- Q&A
- JA4+ was created by
Current methods and implementation details
| Full Name | Short Name | Description |
|---|---|---|
| JA4 | JA4 | TLS Client Fingerprinting |
| JA4Server | JA4S | TLS Server Response / Session Fingerprinting |
| JA4HTTP | JA4H | HTTP Client Fingerprinting |
| JA4Latency | JA4L | Client to Server Latency Measurement / Light Distance |
| JA4LatencyServer | JA4LS | Server to Client Latency Measurement / Light Distance |
| JA4X509 | JA4X | X509 TLS Certificate Fingerprinting |
| JA4SSH | JA4SSH | SSH Traffic Fingerprinting |
| JA4TCP | JA4T | TCP Client Fingerprinting |
| JA4TCPServer | JA4TS | TCP Server Response Fingerprinting |
| JA4TCPScan | JA4TScan | Active TCP Fingerprint Scanner |
| JA4DHCP | JA4D | DHCP Fingerprinting |
| JA4DHCPv6 | JA4D6 | DHCPv6 Fingerprinting |
The full name or short name can be used interchangeably. Additional JA4+ methods are in the works...
To understand how to read JA4+ fingerprints, see Technical Details.
Implementations
This repo includes JA4+ in
Tools that support JA4+
| Tool/Vendor | JA4+ Support |
|-------------|--------------|
| Wireshark | JA4+ |
| Zeek | JA4+ |
| Arkime | JA4+ |
| Suricata | JA4+ (under development) |
| GreyNoise | JA4+ |
| Hunt | JA4+ |
| Driftnet | JA4+ |
| GoLang | JA4X |
| nzyme | JA4+ (under development) |
| Netresec's CapLoader | JA4+ (under development) |
| Netresec's NetworkMiner | JA4+ (under development) |
| NGINX | JA4+ |
| F5 BIG-IP | JA4+ |
| nfdump | JA4+ |
| ntop's ntopng | JA4+ |
| ntop's nDPI | JA4 |
| Team Cymru | JA4+ |
| NetQuest | JA4+ |
| Censys | JA4+ |
| Exploit.org's Netryx | JA4 and JA4H |
| Cloudflare | JA4 |
| Fastly | JA4+ (ask for it) |
| MISP | JA4+ |
| OCSF | JA4+ |
| Vercel | JA4 |
| Seika | JA4+ |
| VirusTotal | JA4 |
| AWS Cloudfront | JA4 |
| ELLIO | JA4+ |
| Webscout | JA4+ |
| Rama | JA4 and JA4H |
| Vectra | JA4+ |
| AWS WAF | JA4 |
| Tacticly | JA4+ |
| Palo Alto Networks | JA4+ |
| ngrok | JA4 |
| Vertex Synapse | JA4 and JA4S |
| Google Cloud Armor | JA4 |
| Fortinet | JA4 |
| AppOmni | JA4+ |
| IntelliGenesis | JA4+ |
| HAProxy | JA4 and JA4H plugins by OXL |
| SentinelOne | JA4 |
| Akamai | JA4 |
| Alibaba Cloud | JA4 |
| Huawei Cloud | JA4 |
| Google Cloud LBs | JA4 |
| eSentire | JA4+ |
| Microsoft Azure Front Door CDN | JA4 |
| Moat by Arxignis | JA4+ |
| Zscaler | JA4 |
| ExtraHop | JA4+ |
| Validin | JA4+ |
| Auth0 | JA4 |
with more to be announced...
Examples
| Application |JA4+ Fingerprints |
|----|----|
| Chrome | JA4=t13d1516h2_8daaf6152771_02713d6af862 (TCP) <br/> JA4=q13d0312h3_55b375c5d22e_06cda9e17597 (QUIC) <br/> JA4=t13d1517h2_8daaf6152771_b0da82dd1658 (pre-shared key) <br/> JA4=t13d1517h2_8daaf6152771_b1ff8ab2d16f (no key) |
| IcedID Malware Dropper | JA4H=ge11cn020000_9ed1ff1f7b03_cd8dafe26982 |
| IcedID Malware | JA4=t13d201100_2b729b4bf6f3_9e7b989ebec8 <br/> JA4S=t120300_c030_5e2616a54c73 |
| Sliver Malware | JA4=t13d190900_9dc949149365_97f8aa674fd9 <br/> JA4S=t130200_1301_a56c5b993250 <br/> JA4X=000000000000_4f24da86fad6_bf0f0589fc03 <br/> JA4X=000000000000_7c32fa18c13e_bf0f0589fc03 |
| Cobalt Strike | JA4H=ge11cn060000_4e59edc1297a_4da5efaf0cbd <br/> JA4X=2166164053c1_2166164053c1_30d204a01551 |
| SoftEther VPN | JA4=t13d880900_fcb5b95cb75a_b0d3b4ac2a14 (client) <br/> JA4S=t130200_1302_a56c5b993250 <br/> JA4X=d55f458d5a6c_d55f458d5a6c_0fc8c171b6ae |
| Qakbot | JA4X=2bab15409345_af684594efb4_000000000000 |
| Pikabot | JA4X=1a59268f55e5_1a59268f55e5_795797892f9c |
| Darkgate | JA4H=po10nn060000_cdb958d032b0 |
| LummaC2 | JA4H=po11nn050000_d253db9d024b |
| Evilginx | JA4=t13d191000_9dc949149365_e7c285222651 |
| Reverse SSH Shell | JA4SSH=c76s76_c71s59_c0s70 |
| Windows 11 | JA4T=64240_2-1-3-1-1-4_1460_8 |
| Epson Printer | JA4TScan=28960_2-4-8-1-3_1460_3_1-4-8-16 |
| Windows 11 | JA4D=disco0000in_61-12-60-55_1-3-6-15-31-33-43-44-46-47-119-121-249-252 |
| Sony Receiver | JA4D6=solct0010nn_8-1-3-6_24-23 |
For more examples, see ja4plus-mapping.csv
For a complete database, see ja4db.com
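To read the JA4 and JA4S strings in the Examples table field by field, here is an added Python decoder (example code, not part of the Ja4 repository or its Rust implementation). It assumes the JA4_a / JA4S_a layout from the JA4+ technical details (transport letter, TLS version, SNI flag, cipher and extension counts, ALPN first/last character) followed by the truncated sha256 hashes, and it only labels fields; it does not compute fingerprints from packets.

```python
"""Decode JA4 (TLS client) and JA4S (TLS server) fingerprint strings into fields."""
import re

TRANSPORTS = {"t": "TCP", "q": "QUIC", "d": "DTLS"}
TLS_VERSIONS = {"13": "TLS 1.3", "12": "TLS 1.2", "11": "TLS 1.1", "10": "TLS 1.0",
                "s3": "SSL 3.0", "s2": "SSL 2.0", "00": "unknown"}
_VER = "(13|12|11|10|s3|s2|00)"
# JA4_a = transport, version, SNI flag, cipher count, extension count, ALPN; then two 12-hex hashes
_JA4_RE = re.compile(rf"^([tqd]){_VER}([di])(\d{{2}})(\d{{2}})(..)_([0-9a-f]{{12}})_([0-9a-f]{{12}})$")
# JA4S_a = transport, version, extension count, ALPN; then chosen cipher (4 hex) and extension hash
_JA4S_RE = re.compile(rf"^([tqd]){_VER}(\d{{2}})(..)_([0-9a-f]{{4}})_([0-9a-f]{{12}})$")


def decode_ja4(fp: str) -> dict:
    """Split a JA4 client fingerprint (optionally prefixed 'JA4=') into labelled fields."""
    m = _JA4_RE.match(fp.removeprefix("JA4="))
    if not m:
        raise ValueError(f"not a JA4 fingerprint: {fp!r}")
    proto, ver, sni, ciphers, exts, alpn, b, c = m.groups()
    return {
        "transport": TRANSPORTS[proto],
        "tls_version": TLS_VERSIONS[ver],
        "sni_present": sni == "d",        # 'd' = SNI domain present, 'i' = IP / no SNI
        "cipher_count": int(ciphers),     # GREASE excluded, capped at 99
        "extension_count": int(exts),
        "alpn": None if alpn == "00" else alpn,  # first+last char of first ALPN value
        "cipher_hash": b,                 # sha256(sorted ciphers)[:12]
        "extension_hash": c,              # sha256(sorted extensions + sigalgs)[:12]
    }

def decode_ja4s(fp: str) -> dict:
    """Split a JA4S server-response fingerprint (optionally prefixed 'JA4S=') into fields."""
    m = _JA4S_RE.match(fp.removeprefix("JA4S="))
    if not m:
        raise ValueError(f"not a JA4S fingerprint: {fp!r}")
    proto, ver, exts, alpn, cipher, c = m.groups()
    return {
        "transport": TRANSPORTS[proto],
        "tls_version": TLS_VERSIONS[ver],
        "extension_count": int(exts),
        "alpn": None if alpn == "00" else alpn,  # first+last char of the chosen ALPN value
        "chosen_cipher": cipher,          # IANA cipher-suite id in hex, e.g. 1301
        "extension_hash": c,              # sha256(extensions in order)[:12]
    }

if __name__ == "__main__":
    # Fingerprints taken from the Examples table above (Chrome client, IcedID server response).
    print(decode_ja4("JA4=t13d1516h2_8daaf6152771_02713d6af862"))
    print(decode_ja4s("JA4S=t120300_c030_5e2616a54c73"))
```

Two fingerprints that differ only in the extension hash (the two Chrome entries with and without a pre-shared key) decode to the same JA4_a fields, which is why hunting usually pivots on JA4_a or JA4_b before matching the full string.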
Plugins
Binaries
JA4 binaries are built from the Rust implementation of the suite. To ensure full functionality, tshark (version 4.0.6 or later) is required. Download the latest JA4 binaries from the Releases page. The release versions for the Rust implementation follow [Semant
