SANS ISC: Quick Tip: Using JARM With a SOCKS Proxy SANS ISC InfoSec Forums
Quick Tip: Using JARM With a SOCKS Proxy

Rik talked about JARM yesterday in "Threat Hunting with JARM".

JARM is a tool to fingerprint TLS servers.

I made some changes to the JARM code to support a SOCKS proxy.

Now I can use JARM over Tor, for example:

You will miss some information when you use a SOCKS proxy: the resolved IP address, if you specify the target by domain name (the proxy resolves the name, so JARM never sees the address).

On Linux, there are other ways to achieve this, too.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Nov 29th 2020
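The SOCKS5 side of such a change, as an added example (not Didier's modified jarm.py and not part of the original post): it builds the CONNECT request with domain-name addressing so the proxy resolves the name, parses the reply, and returns a socket over which a tool like JARM can then send its TLS probes. The proxy address 127.0.0.1:9050 is assumed to be Tor's default SOCKS port; adjust it for your proxy.

```python
import socket
import struct

SOCKS5_REPLY_CODES = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}

def build_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT (RFC 1928) with ATYP 0x03 (domain name): the proxy,
    Tor here, resolves the name, so the client never learns the IP."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)

def parse_reply(data: bytes) -> tuple:
    """Return (status, bound_addr, bound_port). BND.ADDR is the proxy's own
    binding (Tor answers 0.0.0.0:0), not the destination's resolved IP."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    status = SOCKS5_REPLY_CODES.get(data[1], "unknown ({:#x})".format(data[1]))
    atyp = data[3]
    if atyp == 0x01:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == 0x03:
        addr, rest = data[5:5 + data[4]].decode(), data[5 + data[4]:]
    elif atyp == 0x04:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError("unknown address type")
    return status, addr, struct.unpack("!H", rest[:2])[0]

def socks5_connect(dest_host, dest_port, proxy=("127.0.0.1", 9050)):
    """Open a TCP stream through the proxy (default: Tor's SOCKS port, assumed);
    the returned socket is ready for the TLS probes JARM sends."""
    s = socket.create_connection(proxy, timeout=10)
    s.sendall(b"\x05\x01\x00")  # version 5, one auth method offered: none
    if s.recv(2) != b"\x05\x00":
        s.close()
        raise OSError("proxy refused the no-auth method")
    s.sendall(build_connect_request(dest_host, dest_port))
    status, _, _ = parse_reply(s.recv(262))
    if status != "succeeded":
        s.close()
        raise OSError("SOCKS5 CONNECT failed: " + status)
    return s
```

Because the reply carries only the proxy's own bound address, the resolved IP of the target is exactly the detail a proxied run cannot report.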
The DOC (Bazaar f84b3a056abcbcfd5976afe8776a35c5894b379e65c411ddc421941d3a2a4b8b) is malware without VBA. It is labeled as "Loki", but it could be a good trial for your TOR jarm.py.

Thanks for your efforts!
Anonymous