Open hexagr opened 1 month ago
Hey @hexagr , thanks so much for your contribution!
We also have a Discord server, which you’re more than welcome to join. It's a great place to connect with fellow contributors and stay updated with the latest developments!
duplicate of https://github.com/projectdiscovery/tlsx/pull/395
@dogancanbakir I didn't see your pull request before. My bad. I was just attempting to fix the issue with JA3 after seeing the problem mentioned in the bug tracker.
Upon further investigation, scanning the internet a bit, and logging into Shodan to compare hashes, I don't think this pull request I've made fully solves the issue, despite lining up with a few hashes on Shodan. It needs some work.
The bottom line here should be to figure out how popular services generally do JA3, so that there's a baseline to compare hashes with—to be able to say "tlsx shows md5 [x] for google.com" and have it generally line up with what other internet mapping services say.
Your code looks cleaner than my attempt here. But I might dig around some more and try to develop a stable, comprehensive solution, even if it takes me a month and a thousand lines of code.
Modify ztls.go and ja3.go to fix JA3 issue. This should close bug report #537 and result in coherent Ja3 fingerprints. On my test machine:
This appears to be stable. You can find these fingerprints on Shodan, too. I think this is the correct way to do JA3S. See here: https://beta.shodan.io/search/facet?query=http&facet=ssl.ja3s
These changes reflect the stated JA3 specification here in the Salesforce blog post:
On line 95 in ja3.go, the comment should read to remove the last dashByte. I commented on it wrong. But other than that, this is a first stab at fixing bug #537. I left some fmt.Print statements commented out, which anyone can uncomment for testing. For the print statements to run, just include the 'fmt' package in the imports before uncommenting them.
The fingerprint now reflects the format in the Salesforce blogpost. The ServerHello reply sends us the TLS Version, a chosen cipher, and a few extensions. The only things that need to be ordered are the extensions.
I've used as many fields/extensions from the ServerHello field as possible. There are a few others, like Random and SessionId, but I think using them would cause the fingerprints to be unstable again. Here are the calls available to the ServerHello function, e.g. ServerHello.Version, etc.
One problem is that not a lot of TLS implementations use or have built in functionality for all of the TLS extension fields. Even golang's standard library refuses to push them upstream because they're used mostly for fingerprinting. One solution to this would be to clone the standard library and patch it. See the discussion here: https://github.com/golang/go/issues/32936#issuecomment-1781229365
Another solution would be to parse them raw and handle the bytes. But this pull request uses the functionality available through the APIs and imports tlsx is already using. And it seems to work.