Threat Actor Mindset | LegionHunter: Understanding JARM for TLS Server Fingerprinting

By /

JARM is an active Transport Layer Security (TLS) server fingerprinting tool. JARM fingerprints can be used to:
1. Quickly verify that all servers in a group have the same TLS configuration.
2. Group disparate servers on the internet by configuration, identifying that a server may belong to Google vs. Salesforce vs. Apple, for example.

3. Identify default applications or infrastructure.

  1. Identify malware command and control infrastructure and other malicious servers on the Internet.

You Should Know:

To get started with JARM, you can use the following commands and steps:

1. Install JARM:

  • Clone the JARM repository from GitHub:
    git clone https://github.com/salesforce/jarm.git
cd jarm
  • Install the required dependencies:
    pip install -r requirements.txt

2. Running JARM:

  • To fingerprint a single server:
    python jarm.py -d example.com
  • To fingerprint multiple servers from a list:
    python jarm.py -f servers.txt
  • To save the output to a file:
    python jarm.py -d example.com -o output.txt

3. Analyzing JARM Output:

  • The output will provide a JARM fingerprint, which is a hash representing the server’s TLS configuration.
  • Compare fingerprints to identify similar configurations or detect anomalies.

4. Using JARM for Threat Hunting:

  • You can use JARM to identify malicious servers by comparing their fingerprints against known malicious fingerprints.
  • Example command to scan a list of suspected malicious domains:
    python jarm.py -f malicious_domains.txt -o malicious_fingerprints.txt

5. Integrating JARM with Security Tools:

  • JARM can be integrated with SIEM tools or threat intelligence platforms to automate the detection of malicious servers.
  • Example integration with Splunk:
    | inputlookup jarm_fingerprints.csv | search fingerprint="known_malicious_fingerprint"

What Undercode Say:

JARM is a powerful tool for TLS server fingerprinting, enabling cybersecurity professionals to quickly identify and group servers based on their TLS configurations. This capability is crucial for verifying server consistency, identifying default applications, and detecting malicious infrastructure. By integrating JARM into your security workflow, you can enhance your threat-hunting capabilities and improve your organization’s overall security posture.

For further reading and advanced usage, refer to the official JARM GitHub repository: JARM GitHub.

Related Linux Commands:

  • openssl s_client -connect example.com:443: Test TLS/SSL connection to a server.
  • nmap --script ssl-enum-ciphers -p 443 example.com: Enumerate SSL/TLS ciphers supported by a server.
  • `curl -v https://example.com`: Verbose output of a TLS/SSL connection using curl.

Related Windows Commands:

  • Test-NetConnection -ComputerName example.com -Port 443: Test network connection to a specific port.
  • `Invoke-WebRequest -Uri https://example.com`: Perform a web request to test TLS/SSL connectivity.

By leveraging JARM and these commands, you can effectively enhance your cybersecurity defenses and stay ahead of potential threats.

References:

Reported By: Abhirup Konwar – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Related Posts:

Scroll to Top