Profiling and Detecting all Things SSL with JA3

ShmooCon XIV - 2018

Presented by: John B. Althouse, Jeff Atkinson
Date: Saturday January 20, 2018
Time: 11:00 - 11:50
Location: Far Room
Track: Belay It

JA3 is an open source SSL/TLS client fingerprinting tool developed by John Althouse, Josh Atkins, and Jeff Atkinson. Since its release a few months ago in a blog post, it has gained wide adoption across the industry and we’ve seen conference talks highlighting its features. However, there’s been some confusion on its capabilities and how best to utilize it. So, then, it’s about time we do a talk on JA3 and what it can really do.

In this talk we will show the benefits of SSL fingerprinting, JA3’s capabilities, and how best to utilize it in your detection and response operations. We will show how to utilize JA3 to find and detect SSL malware on your network. Imagine detecting every Meterpreter shell, regardless of C2 and without the need for SSL interception. We will also announce JA3S, JA3 for SSL server fingerprinting. Imagine detecting every Metasploit Multi Handler or [REDACTED] C2s on AWS. Then we’ll tie it all together, making you armed to the teeth for detecting all things SSL.

John B. Althouse

John Althouse (@4A4133) is a (self-proclaimed) Detection Scientist, firmly believing there’s a way to detect anything. A Bro enthusiast (the NSM). A PC master builder (AIOs are for normies). And a Race Track Instructor (I wanna go fast).

Jeff Atkinson

Jeff Atkinson is a security engineer with over 15 years focused in Information Security. Experienced in Incident Response, Threat Intelligence, and Malware Analysis, Jeff brings a unique perspective on defense strategies. While working in both private and public sectors and Fortune 50, he deployed scalable custom network monitoring solutions, always including his favorite tool Bro.

