JARM is an active Transport Layer Security (TLS) server fingerprinting tool developed by Salesforce. It helps identify the server software and TLS stack behind a port by analyzing how the server responds to a series of specially crafted TLS handshakes.
How JARM Fingerprinting Works
Unlike passive methods such as JA3S, which fingerprint the Server Hello observed in existing traffic, JARM actively probes the server. It sends 10 purpose-built TLS Client Hello messages to the target port, each with a different combination of protocol version, cipher suite list and ordering, and extensions. For each probe it records how the server answered: the TLS version and cipher suite selected in the Server Hello, the extensions returned, or the fact that no Server Hello came back at all (an alert, a reset, or silence). These 10 results are combined into a 62-character fingerprint: the first 30 characters encode the selected cipher and version for each probe (3 characters per probe, "000" when a probe got no hello), and the last 32 characters are a truncated SHA-256 hash over the extension data the server returned. A server that never completes a TLS handshake yields the all-zero fingerprint. Note that the fingerprint characterizes the TLS implementation and its configuration, not the host: two servers running the same stack with the same settings produce the same value.
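To make the construction concrete, here is an added Python example, written for this page rather than taken from Salesforce's jarm.py, that parses a Server Hello record, extracts the negotiated version, cipher suite and extension types, and assembles a JARM-style 62-character value. The 10-slot layout, the version letter scheme and the 32-character truncated SHA-256 suffix follow the published tool; the short cipher table, the "ff" unknown-cipher marker and the sample Server Hello bytes are constructed for the example. The real tool also folds the ALPN value into the hash and handles TLS 1.3's supported_versions extension, which this simplified version omits.

```python
import hashlib
import struct

# Added, simplified reconstruction of JARM's fingerprint assembly; this is not
# Salesforce's jarm.py. The layout (10 probes x 3 chars, then 32 hex chars of
# a truncated SHA-256) and the version letter scheme follow the published tool.
# CIPHER_TABLE is an assumption: the real tool indexes into a long fixed list.

TLS_HANDSHAKE = 0x16
SERVER_HELLO = 0x02
CIPHER_TABLE = ["c02b", "c02f", "c02c", "c030", "1301", "1302", "1303"]


def parse_server_hello(record):
    """Return (version, cipher, [extension types]) from a raw TLS record that
    carries a ServerHello, or None for anything else (an Alert, a non-TLS
    reply, or a truncated response)."""
    if len(record) < 44 or record[0] != TLS_HANDSHAKE or record[5] != SERVER_HELLO:
        return None
    body = record[9:]                    # 5-byte record header + 4-byte handshake header
    version = body[0:2].hex()            # legacy version field; TLS 1.3 servers still say 0303 here
    off = 35 + body[34]                  # version(2) + random(32) + session_id_len(1) + session_id
    if len(body) < off + 3:
        return None
    cipher = body[off:off + 2].hex()
    off += 3                             # cipher(2) + compression method(1)
    exts = []
    if len(body) >= off + 2:
        ext_len = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            exts.append(f"{etype:04x}")
            off += 4 + elen
    return version, cipher, exts


def cipher_code(cipher):
    """Two hex chars identifying the selected cipher; '00' when no hello came back."""
    if cipher == "":
        return "00"
    if cipher not in CIPHER_TABLE:
        return "ff"                      # assumption: unknown-suite marker for this example
    return f"{CIPHER_TABLE.index(cipher) + 1:02x}"


def version_byte(version):
    """One letter for the negotiated version: 0300->'a', 0301->'b', ... 0304->'e'."""
    if version == "":
        return "0"
    return "abcdef"[int(version[3], 16)]


def jarm_fingerprint(responses):
    """responses: the 10 raw records received for the 10 probes, in probe order;
    b'' for a probe that got no answer. Returns the 62-char fingerprint."""
    if len(responses) != 10:
        raise ValueError("JARM needs exactly 10 probe responses")
    fuzzy, ext_material, any_hello = "", "", False
    for rec in responses:
        parsed = parse_server_hello(rec) if rec else None
        if parsed is None:
            fuzzy += cipher_code("") + version_byte("")   # "000": probe not completed
            continue
        any_hello = True
        version, cipher, exts = parsed
        fuzzy += cipher_code(cipher) + version_byte(version)
        ext_material += "-".join(exts)
    if not any_hello:
        return "0" * 62                   # all-zero JARM: no TLS handshake at all
    return fuzzy + hashlib.sha256(ext_material.encode()).hexdigest()[:32]


def build_server_hello(version, cipher, exts):
    """Constructed sample input: a minimal TLS record carrying a ServerHello with
    an empty session id and the given (type, data) extensions."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body = (version + b"\x00" * 32 + b"\x00" + cipher + b"\x00"
            + struct.pack("!H", len(ext_blob)) + ext_blob)
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# Constructed responses: nine probes answered with TLS 1.2 / ECDHE-RSA-AES128-GCM-SHA256
# (0xc02f) and two extensions; the tenth probe was refused with a handshake_failure alert.
HELLO = build_server_hello(b"\x03\x03", b"\xc0\x2f", [(0xff01, b"\x00"), (0x000b, b"\x01\x00")])
ALERT = b"\x15\x03\x03\x00\x02\x02\x28"

if __name__ == "__main__":
    print(jarm_fingerprint([HELLO] * 9 + [ALERT]))
```

Running it prints a value whose first 27 characters are "02d" repeated (cipher index 2, version letter d for TLS 1.2), then "000" for the refused probe, then the hash of the extension material; feeding ten empty responses returns the all-zero fingerprint.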
Applications of JARM Fingerprinting
- Identifying Server Software and Configurations
Different TLS implementations, and different configurations of the same implementation, answer the crafted handshakes differently (which cipher they pick from an unusual ordering, which versions they accept, which extensions they echo). By comparing a server's JARM fingerprint against fingerprints collected from known software, one can infer the likely server software or TLS library and, to a lesser degree, its configuration. Keep in mind that the fingerprint belongs to whatever terminates TLS: behind a load balancer, CDN or reverse proxy, JARM sees the edge device, not the origin.
- Detecting Malicious Servers and Command & Control (C2) Infrastructure
Malware C2 frameworks ship with their own TLS stack and default listener settings, so their servers tend to produce a small set of recognizable fingerprints. JARM lets defenders scan candidate hosts and match the results against fingerprints already associated with known tooling; Cobalt Strike C2 servers running default listeners are the canonical example. Because the fingerprint reflects the underlying TLS stack, legitimate servers built on the same stack will produce the same value, so a match is a lead for further investigation rather than a verdict.
- Grouping and Managing Server Assets
Organizations can use JARM to check consistency across their own servers. Hosts that are supposed to run the same build and TLS configuration should return identical fingerprints; a host that differs has drifted (a different library version, cipher ordering, or an unexpected proxy in front of it), which is useful for asset management and compliance checks.
Example Use Case
Suppose an organization wants to ensure that all its web servers are configured identically. Running JARM against each server and comparing the resulting fingerprints gives a quick answer: the majority value becomes the baseline, and any host whose fingerprint differs has deviated in its TLS configuration. Because the first 30 characters are per-probe, the comparison can also say which probe changed (for example, a TLS 1.3 probe that now gets no Server Hello shows up as "000" in its slot), narrowing down what to investigate.
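The comparison described above, as an added example that is not part of the original page or the JARM tool: it takes a mapping of host to fingerprint, picks the most common value as the baseline, and reports for each outlier which probe slots differ (decoding the version letter of each slot) and whether the extension hash changed. The fingerprint strings below are constructed for the example, not real scan results.

```python
from collections import Counter

# Added example (not part of the original page or the JARM tool): compare JARM
# fingerprints across a fleet and explain where outliers differ. Fingerprint
# values below are constructed for the example, not real scan results.

VERSION_LETTERS = {"0": "no hello", "a": "SSLv3", "b": "TLS1.0", "c": "TLS1.1",
                   "d": "TLS1.2", "e": "TLS1.3"}


def split_jarm(fp):
    """Split a 62-char JARM into its ten 3-char probe slots and the 32-char
    extension hash."""
    if len(fp) != 62:
        raise ValueError(f"not a JARM fingerprint: {fp!r}")
    return [fp[i:i + 3] for i in range(0, 30, 3)], fp[30:]


def describe_slot(slot):
    """'29d' -> 'TLS1.2', '000' -> 'no hello' (the cipher code is slot[:2])."""
    return VERSION_LETTERS.get(slot[2], "unknown version")


def diff_jarm(baseline, candidate):
    """Human-readable list of differences, one entry per probe slot that changed,
    plus one if the extension hash changed. An empty list means identical."""
    base_slots, base_hash = split_jarm(baseline)
    cand_slots, cand_hash = split_jarm(candidate)
    diffs = [f"probe {i}: {b} ({describe_slot(b)}) vs {c} ({describe_slot(c)})"
             for i, (b, c) in enumerate(zip(base_slots, cand_slots), start=1) if b != c]
    if base_hash != cand_hash:
        diffs.append("extension hash differs")
    return diffs


def find_outliers(hosts):
    """hosts: {hostname: jarm}. Treat the most common fingerprint as the
    baseline and report every host that deviates, with its differences."""
    baseline = Counter(hosts.values()).most_common(1)[0][0]
    outliers = {h: diff_jarm(baseline, fp) for h, fp in hosts.items() if fp != baseline}
    return baseline, outliers


# Constructed fleet: three hosts on the expected build, one whose seventh probe
# now gets no ServerHello (slot reads '000'), and one with the same cipher and
# version choices but a different extension set (only the hash part differs).
EXPECTED = "29d" * 10 + "0123456789abcdef0123456789abcdef"
HOSTS = {
    "web-01": EXPECTED,
    "web-02": EXPECTED,
    "web-05": EXPECTED,
    "web-03": "29d" * 6 + "000" + "29d" * 3 + "0123456789abcdef0123456789abcdef",
    "web-04": "29d" * 10 + "fedcba9876543210fedcba9876543210",
}

if __name__ == "__main__":
    baseline, outliers = find_outliers(HOSTS)
    print("baseline:", baseline)
    for host, diffs in outliers.items():
        print(host, "->", "; ".join(diffs))
```

Using the majority fingerprint as the baseline is a convenience for a homogeneous fleet; for a fleet with several legitimate builds, compare against a stored per-role expected value instead, and treat a slot changing to "000" as a priority item since it means the server stopped completing that handshake shape entirely.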
Considerations and Limitations
- Not Definitive for Maliciousness: A matching JARM fingerprint shows that two servers share a TLS stack and configuration; it does not by itself show that a server is malicious, because benign deployments of the same stack produce the same value. Corroborate a match with other evidence (certificate details, hosting, HTTP behaviour, passive DNS) before acting on it.
- Potential for Evasion: An adversary who knows their fingerprint is being hunted can change the listener's TLS settings, switch TLS libraries, or put a common reverse proxy or CDN in front of the C2 so that scanners see the proxy's fingerprint instead of the malware's.
- Dynamic Configurations: Fingerprints are per port and per TLS endpoint, and they change whenever the TLS library or its settings change. Servers that are upgraded often, load-balanced across heterogeneous backends, or scanned through different network paths can produce different fingerprints over time, so a baseline needs to be maintained rather than recorded once.
JARM fingerprinting complements TLS scanning by actively probing a server and categorizing it by how its TLS stack behaves under unusual handshakes. Used with the caveats above, it is valuable for security assessments, threat hunting, and infrastructure management.