JA3 is an open source SSL/TLS client fingerprinting tool developed by John Althouse, Josh Atkins, and Jeff Atkinson. Since it’s release a few months ago in a blog post, it has gained wide adoption across the industry and we’ve seen conference talks highlighting it’s features. However, there’s been some confusion on it’s capabilities and how best to utilize it. So, then, it’s about time we do a talk on JA3 and what it can really do.
In this talk we will show the benefits of SSL fingerprinting, JA3’s capabilities, and how best to utilize it in your detection and response operations. We will show how to utilize JA3 to find and detect SSL malware on your network. Imagine detecting every Meterpreter shell, regardless of C2 and without the need for SSL interception. We will also announce JA3S, JA3 for SSL server fingerprinting. Imagine detecting every Metasploit Multi Handler or [REDACTED] C2s on AWS. Then we’ll tie it all together, making you armed to the teeth for detecting all things SSL.