# Foxio Labs – Full Content

> Open-source platform for JA4+ network fingerprinting education, training, and hands-on labs. Maintained by FoxIO LLC.

## What is JA4+?

JA4+ is a suite of 19 network fingerprinting methods created by John Althouse (creator of the original JA3 fingerprinting standard). These methods allow security teams to passively and actively fingerprint network clients and servers at the protocol level — without relying on easily-spoofed fields like User-Agent strings.

JA4+ fingerprints are used by Fortune 500 companies including Microsoft, Amazon, and Google to detect bots, proxies, session hijacking, VPN usage, and hacking tools.

### JA4+ Method Reference

| Method | Short Name | Description | Status |
|--------|-----------|-------------|--------|
| JA4 | JA4 | TLS Client Fingerprinting | Active |
| JA4Server | JA4S | TLS Server Response / Session Fingerprinting | Active |
| JA4HTTP | JA4H | HTTP Client Fingerprinting | Active |
| JA4Latency | JA4L | Client to Server Latency / Light Distance | Active |
| JA4LatencyServer | JA4LS | Server to Client Latency / Light Distance | Active |
| JA4X509 | JA4X | X509 TLS Certificate Fingerprinting | Active |
| JA4SSH | JA4SSH | SSH Traffic Fingerprinting | Active |
| JA4TCP | JA4T | TCP Client Fingerprinting | Active |
| JA4TCPServer | JA4TS | TCP Server Response Fingerprinting | Active |
| JA4TCPScan | JA4TScan | Active TCP Fingerprint Scanner | Active |
| JA4DHCP | JA4D | DHCP Fingerprinting | Active |
| JA4DHCPv6 | JA4D6 | DHCPv6 Fingerprinting | Active |
| JA4Scan | JA4Scan | Active TLS Server Fingerprint Scanner | In Dev |
| JA4Email | JA4E | Email Header Fingerprinting | In Dev |
| JA4HTTPServer | JA4HS | HTTP Server Response Fingerprint | Backlog |
| JA4WiFi | JA4W | Wireless Client Fingerprint | Backlog |
| JA4BGP | JA4B | BGP Fingerprinting | Backlog |
| JA4IPv6 | JA46 | IPv6 Fingerprinting | Backlog |

## Inbound Threat Detection

### Proxy Detection

Detect residential proxied traffic on a per-session basis by analyzing JA4T, JA4L, and User-Agent discrepancies. Identify when the proxy OS does not match the claimed client OS.

Example — Proxied Connection:
- `JA4T: 65535_2-4-8-1-3_1460_4`
- Claimed Windows, but JA4T = Android

### Bot & Tool Detection

Browsers include ALPN in TLS ClientHello (JA4_a ends in h1/h2/h3). Non-browsers end in 00. Browsers prefer HTTP/2+ and list accept-language. Bots and hacking tools do not.

Example — Evilginx detected:
- `JA4H: ge10nn100000`
- No language, HTTP/1.0 = not a browser

### VPN Fingerprinting

VPN overhead reduces MSS by a fixed amount. A JA4T_c (MSS) below 1300 indicates VPN traffic. Specific JA4T fingerprints identify WireGuard, OpenVPN, NordVPN, and iCloud Relay.

Example — WireGuard detected:
- `JA4T: 65340_2-1-3-1-1-4_1210_8`
- MSS=1210 < 1300 = VPN overhead

### Light Distance / Geolocation

JA4L measures latency in microseconds between the TCP and application handshakes to estimate physical distance. Formula: D = jc/p where c = 0.128 miles per microsecond in fiber.

Example — Proxy distance:
- `JA4L: 5191_42_45014`
- Proxy 415mi, Client 3,185mi away

### OS Identification

Identify client operating systems passively using TCP window scale options and observed TTL values, independent of User-Agent strings which are easily spoofed.

JA4T TCP Options:
- `*_2-1-3-1-1-4_*` = Windows
- `*_2-4-8-1-3_*` = Linux / Android

### Session Hijacking Detection

Intercepting proxies like Evilginx initiate all communication to the server. All fingerprints observed server-side become the proxy program fingerprint, exposing the attack.

Example — Sliver C2:
- UA: Safari/macOS but JA4T=Windows
- JA4H reveals GoLang, not Safari

## Labs & Tutorials

### Quick Labs

- **JA4 – TLS Client** (Beginner): Learn the a_b_c format and TLS ClientHello fingerprinting.
- **JA4H – HTTP Client** (Intermediate): Fingerprint HTTP clients and detect spoofed User-Agents.
- **JA4T – TCP Client** (Intermediate): TCP fingerprinting for OS identification and VPN detection.
- **JA4S – TLS Server** (Beginner): Server response fingerprinting and session analysis.
- **JA4SSH – SSH Traffic** (Advanced): Identify interactive vs automated SSH sessions.
- **Wireshark Plugin** (Beginner): Install and use the JA4+ Wireshark dissector.

### Advanced Labs

Advanced scenarios combining multiple JA4+ methods for complex threat detection workflows.

## Key Resources

- JA4+ GitHub: https://github.com/FoxIO-LLC/ja4
- JA4 Database: https://ja4db.foxio.io
- FoxIO Blog: https://blog.foxio.io
- JA4+ Network Fingerprinting article: https://blog.foxio.io/ja4%2B-network-fingerprinting
- JA4T TCP Fingerprinting article: https://blog.foxio.io/ja4t-tcp-fingerprinting
- JA4 Programming Guide: https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md

## Platform Integrations

Foxio Labs content and fingerprint data is registered with and available via:
- Platphormnews: https://platphormnews.com
- Platphormnews MCP: https://mcp.platphormnews.com
- Platphormnews Logslash: https://logslash.platphormnews.com