Spoofing JARM signatures. I am the Cobalt Strike server now!

Wireshark capture of 10 TLS Client Hello’s
Wireshark capture of 10 TLS Server Hello’s
if bytes.Contains(request, [] byte {
0x00, 0x8c, 0x1a, 0x1a, 0x00, 0x16, 0x00, 0x33, 0x00,
0x67, 0xc0, 0x9e, 0xc0, 0xa2, 0x00, 0x9e, 0x00, 0x39,
0x00, 0x6b, 0xc0, 0x9f, 0xc0, 0xa3, 0x00, 0x9f, 0x00,
0x45, 0x00, 0xbe, 0x00, 0x88, 0x00, 0xc4, 0x00, 0x9a,
... ...
}) {
fmt.Println("replaying: tls12Forward")
conn.Write([] byte {
0x16, 0x03, 0x03, 0x00, 0x5a, 0x02, 0x00, 0x00,
0x56, 0x03, 0x03, 0x17, 0xa6, 0xa3, 0x84, 0x80,
0x0b, 0xda, 0xbb, 0x3d, 0xe9, 0x3e, 0x92, 0x65,
0x9a, 0x68, 0x7d, 0x70, 0xda, 0x00, 0xe9, 0x7c,
... ...
})
}

(Mis)usage of spoofed signatures

You’re probably thinking: So what? What is the use of spoofed TLS fingerprints? They could be used by malicious actors to hide their applications when tools like JARM scanners are deployed to identify services in a network or on the internet. It can also be used for good. A honeypot replaying the fingerprint of a specific service can be used to setup a digital smokescreen for attackers.

  • jarmscan (jarm-go) is not a product of Salesforce. They’ve published JARM a Python based JARM scanner implementation. Jarmscan (the scanner used here) is a Golang based implementation by @RumbleDiscovery

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store