Recently I have been testing a new tool created by the people at Salesforce. The tool is called JARM, and what it does is query TLS instances (HTTPS servers and services) to fingerprint their TLS configuration. Much as the nuances of network traffic can be analyzed to fingerprint the operating system and version of a server, JARM sends a series of crafted TLS Client Hellos and hashes the server's responses into a fingerprint that can be used to compare one TLS service to another.
JARM can be used for a number of purposes. As the Salesforce blog post says: “JARM fingerprints can be used to:
Shodan has integrated JARM, has generated JARM fingerprints for all TLS instances it has discovered, and exposes them as a Shodan facet. You can query Shodan's JARM results from the Shodan web tool, or from any Linux host with Python installed you can use the Shodan command line or the Shodan API to query fingerprints. Using this information you could create a script to run across your address space and compare the computed fingerprints to the known malware fingerprints, or you could just use Shodan to do this comparison. In the example below I am using the Shodan command line to query the JARM results for AS209 and comparing the result to the fingerprint for Cobalt Strike (a red team tool often dropped by Emotet and other malware onto compromised servers).
I have to believe there are some false positives in the results, but it gives you a place to start. For more information on JARM, please check out the Salesforce JARM blog post.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
Rick (ISC Handler), Nov 27th 2020
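The workflow described above (export JARM fingerprints for an address range, then compare them against a list of known-bad fingerprints) and the point raised in the comments (an all-zero fingerprint means nothing answered the Client Hello) can be combined into a small triage script. The following is an added example, not code from the diary, from Shodan or from the JARM project. It assumes the input is one record per line with IP, port and fingerprint separated by tabs, as `shodan search --fields ip_str,port,ssl.jarm` prints by default; the "known bad" fingerprint and the sample export are constructed for the demo (the diary does not reproduce the Cobalt Strike value, so none is used here), and TEST-NET addresses stand in for real hosts.

```python
"""Triage JARM fingerprints exported from Shodan (or computed with the JARM tool).

Added example, not code from the ISC diary or from the JARM project.
Assumed input: tab-separated ip, port, fingerprint, one record per line.
"""
import re

# A JARM fingerprint is 62 hex characters: 30 derived from the ten probe
# responses (3 per probe) and 32 from a truncated SHA-256 over extension data.
JARM_RE = re.compile(r"^[0-9a-f]{62}$")
# JARM returns all zeros when nothing answered the TLS Client Hello, which
# usually means the port is not a TLS service (or is closed / filtered).
NO_RESPONSE = "0" * 62

# Constructed stand-in for a known-bad fingerprint. This is NOT the Cobalt
# Strike value; load real fingerprints from your own threat intel.
KNOWN_BAD_FP = "1dd" * 10 + "deadbeef" * 4
KNOWN_BAD = {
    KNOWN_BAD_FP: "constructed sample (stand-in for a C2 framework fingerprint)",
}

# Constructed sample export using TEST-NET addresses only.
SAMPLE_EXPORT = "\n".join([
    "192.0.2.10\t443\t" + KNOWN_BAD_FP,            # should match known-bad list
    "192.0.2.11\t8443\t" + NO_RESPONSE,            # nothing spoke TLS on this port
    "198.51.100.7\t443\t" + "2ad2ad16d2ad2ad22c2ad2ad2ad2ad" + "1234567890abcdef" * 2,
    "198.51.100.8\t443\tnot-a-fingerprint",        # malformed field in the export
]) + "\n"


def classify(fingerprint):
    """Return 'invalid', 'no_tls_response', 'match:<label>' or 'unknown'."""
    fp = fingerprint.strip().lower()
    if not JARM_RE.match(fp):
        return "invalid"
    if fp == NO_RESPONSE:
        return "no_tls_response"
    if fp in KNOWN_BAD:
        return "match:" + KNOWN_BAD[fp]
    return "unknown"


def parse_export(text, sep="\t"):
    """Parse the tab-separated export into (ip, port, fingerprint) tuples."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(sep)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        ip, port, fp = parts
        records.append((ip, int(port), fp))
    return records


def triage(text):
    """Map (ip, port) -> classification for every record in the export."""
    return {(ip, port): classify(fp) for ip, port, fp in parse_export(text)}


def hits(text):
    """Return the (ip, port) pairs whose fingerprint is on the known-bad list."""
    return sorted(k for k, v in triage(text).items() if v.startswith("match:"))


if __name__ == "__main__":
    for (ip, port), verdict in triage(SAMPLE_EXPORT).items():
        print(f"{ip}:{port}\t{verdict}")
```

A match is a lead, not a verdict: JARM only describes how the TLS stack is configured, so any server built on the same library and default settings as a C2 framework will produce the same fingerprint, which is the source of the false positives the diary anticipates. Treat hits as hosts to look at first, and treat `no_tls_response` results as a prompt to confirm the port before concluding anything about the service.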
Trying with some Emotet C2s from https://feodotracker.abuse.ch/browse/, the fingerprint was just 00..00; maybe a problem with the port number.
Anonymous, Nov 28th 2020
A response of all 0s from JARM means that the port did not answer the TLS Hello request, which usually means it is not a TLS-enabled service.
Rick (ISC Handler), Nov 28th 2020