Beginner, 15 min

JA4S - TLS Server Response Fingerprinting

JA4S fingerprints the TLS ServerHello response, capturing the server's selected cipher suite, TLS version, and extensions. Pairing JA4 (client) with JA4S (server) gives a complete picture of TLS negotiations.

Prerequisites

  • JA4 - TLS Client Fingerprinting lab
  • Basic understanding of TLS handshakes

What is JA4S?

JA4S fingerprints the TLS ServerHello message, which is the server's response to the client's ClientHello. While JA4 captures what the client offers, JA4S captures what the server selects. This reveals the server's TLS configuration and helps identify server applications.

Client + Server = Complete Picture
A JA4 + JA4S pair uniquely identifies a complete TLS negotiation. The same JA4S fingerprint across different JA4 clients suggests a consistent server configuration, while variation may indicate load balancers or server-side changes.

JA4S Format

Like JA4, JA4S uses the a_b_c format:

t130200_1301_234ea6891581_N/A

  • t130200_1301 - a section: protocol, version, extension count, selected cipher
  • 234ea6891581 - b section: truncated SHA-256 of extensions
  • N/A - c section: not used in basic JA4S

Section A Breakdown

  • t - Protocol (t = TLS, q = QUIC)
  • 13 - TLS version (13 = TLS 1.3)
  • 02 - Number of extensions in ServerHello
  • 00 - ALPN (if present)
  • 1301 - Selected cipher suite in hex

Extracting JA4S

Using tshark

Extract JA4S fingerprints
# Extract JA4S from a pcap
tshark -r capture.pcap -Y "tls.handshake.type == 2" \
  -T fields -e ip.src -e ip.dst -e ja4s.hash

# Pair JA4 and JA4S for complete handshake view
tshark -r capture.pcap -Y "tls.handshake.type == 1 || tls.handshake.type == 2" \
  -T fields -e frame.number -e ip.src -e ip.dst -e ja4.hash -e ja4s.hash

# Count unique JA4S (server configurations)
tshark -r capture.pcap -Y "tls.handshake.type == 2" \
  -T fields -e ja4s.hash | sort | uniq -c | sort -rn

Wireshark Filters

Display filters for JA4S
# Filter for a specific JA4S
ja4s.hash == "t130200_1301_234ea6891581"

# Show only TLS 1.2 server responses
ja4s.hash matches "^t12"

# Find servers selecting a specific cipher
ja4s.hash contains "c02f"

Analysis Techniques

Server Identification

JA4S fingerprints reveal server software and configuration:

  • t130200_1301_234ea6891581 - Nginx with TLS 1.3 (Modern config)
  • t120400_c02f_a1b2c3d4e5f6 - Apache with TLS 1.2 (Legacy config)
  • t130100_1301_f1e2d3c4b5a6 - Cloudflare Edge (CDN endpoint)

Server Impersonation Detection
If a known benign server suddenly presents a different JA4S fingerprint, it could indicate a man-in-the-middle attack or server compromise. Monitor JA4S changes over time for anomaly detection.

Hands-On Exercise

Step 1: Capture Server Responses

tshark -i eth0 -f "tcp port 443" -Y "tls.handshake.type == 2" \
  -T fields -e ip.src -e ja4s.hash -c 50

Step 2: Group by Server

Group JA4S fingerprints by server IP to see if servers are consistent:

tshark -r capture.pcap -Y "tls.handshake.type == 2" \
  -T fields -e ip.src -e ja4s.hash | sort | uniq -c

Step 3: Compare Client-Server Pairs

Match JA4 and JA4S fingerprints by TCP stream to see how different servers respond to the same client. Note which cipher suites each server selects.
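
One way to do the Step 3 matching offline, as an added example that is not part of the original lab. It assumes the tshark field output carries the columns tcp.stream, ip.src, ip.dst, JA4 and JA4S (tab-separated); the function names, addresses and sample rows are constructed for illustration.

```python
from collections import defaultdict

JA4_A = "t13d1516h2_000000000001_000000000002"  # constructed client fingerprint
# Constructed rows shaped like `tshark -T fields` output with the columns
# tcp.stream, ip.src, ip.dst, JA4, JA4S (a field the packet lacks is empty).
SAMPLE = "\n".join([
    f"0\t10.0.0.5\t192.0.2.10\t{JA4_A}\t",
    "0\t192.0.2.10\t10.0.0.5\t\tt130200_1301_234ea6891581",
    f"1\t10.0.0.5\t198.51.100.7\t{JA4_A}\t",
    "1\t198.51.100.7\t10.0.0.5\t\tt130100_1301_f1e2d3c4b5a6",
    f"2\t10.0.0.5\t192.0.2.10\t{JA4_A}\t",
    "2\t192.0.2.10\t10.0.0.5\t\tt120400_c02f_a1b2c3d4e5f6",
    f"3\t10.0.0.5\t203.0.113.9\t{JA4_A}\t",  # ClientHello only, no ServerHello
])

def pair_by_stream(text):
    """Return {stream: (server_ip, ja4, ja4s)} for streams that have both hellos."""
    ja4, ja4s = {}, {}
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 5:
            continue  # skip malformed or truncated rows
        stream, src, _dst, client_fp, server_fp = cols
        if client_fp:
            ja4.setdefault(stream, client_fp)         # first ClientHello wins
        if server_fp:
            ja4s.setdefault(stream, (src, server_fp))  # ServerHello source = server
    return {s: (ja4s[s][0], ja4[s], ja4s[s][1]) for s in ja4 if s in ja4s}

def selected_cipher(server_fp):
    """Selected cipher suite hex: the second underscore-separated field."""
    parts = server_fp.split("_")
    return parts[1] if len(parts) >= 3 else None

def inconsistent_servers(pairs):
    """Servers that answered the same JA4 with more than one JA4S."""
    seen = defaultdict(set)
    for server, client_fp, server_fp in pairs.values():
        seen[(server, client_fp)].add(server_fp)
    return {key: sorted(fps) for key, fps in seen.items() if len(fps) > 1}

if __name__ == "__main__":
    pairs = pair_by_stream(SAMPLE)
    for stream, (server, _client_fp, server_fp) in sorted(pairs.items()):
        print(stream, server, server_fp, "cipher:", selected_cipher(server_fp))
    for (server, _client_fp), fps in inconsistent_servers(pairs).items():
        print("JA4S varies for", server, "->", fps)
```

A server flagged here is a lead to check against the load balancer and server-side change cases described earlier, not proof of interception.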

Lab Complete
You can now fingerprint TLS server responses. Next, explore JA4H to fingerprint HTTP clients.