JA4TS - TCP Server Response Fingerprinting
JA4TS fingerprints the TCP SYN-ACK packet from servers, revealing the server's operating system and TCP/IP stack configuration. Paired with JA4T, it provides complete TCP-level fingerprinting of both sides of a connection.
Prerequisites
- JA4T lab completed
- Understanding of TCP SYN-ACK
What is JA4TS?
JA4TS analyzes the SYN-ACK response from a server. The server's TCP window size, MSS, TCP options, and their ordering reflect the server OS kernel's default TCP/IP stack settings. This is particularly useful for identifying server operating systems behind load balancers or CDNs. Keep in mind that the SYN-ACK is emitted by whichever host completes the handshake, so when a load balancer or CDN edge terminates TCP, the fingerprint describes that device rather than the origin server behind it.
JA4TS Format
The fingerprint is the four fields below joined with underscores, so the example values assemble into 65535_2-1-3-1-1-8_1460_7.

Field          Example        Meaning
Window Size    65535          TCP window size advertised in the SYN-ACK
TCP Options    2-1-3-1-1-8    TCP option kinds in the order they appear in the SYN-ACK
MSS            1460           Server's Maximum Segment Size
Window Scale   7              Server's window scaling factor
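To make the format concrete, here is an added example (written for this lab, not code from the JA4 project or its Wireshark plugin) that derives the four JA4TS fields from a raw TCP header and renders them as window_options_mss_wscale. The sample SYN-ACK header is constructed in the script to match the page's example values; rendering absent MSS or window scale as 00 and omitting the End-of-Option-List byte from the kinds list are assumptions of this example. Malformed option lengths stop the walk rather than reading past the buffer, which is the edge case a dissector must handle.

```python
import struct

# TCP option kinds JA4TS needs by value (RFC 9293); all other kinds are recorded by number only
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE = 0, 1, 2, 3


def parse_tcp_options(opts: bytes):
    """Walk the options area and return (kinds in wire order, MSS, window scale).

    A zero or oversized length byte, or a truncated option, stops the walk instead of
    looping or reading past the buffer. EOL ends the walk and is not listed as a kind
    (a choice of this example, not a JA4TS rule).
    """
    kinds, mss, wscale = [], None, None
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:                 # single-byte option without a length field
            kinds.append(kind)
            i += 1
            continue
        if i + 1 >= len(opts):              # kind byte present but length byte missing
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                           # bogus length: refuse rather than misparse
        data = opts[i + 2:i + length]
        kinds.append(kind)
        if kind == OPT_MSS and len(data) == 2:
            mss = struct.unpack("!H", data)[0]
        elif kind == OPT_WSCALE and len(data) == 1:
            wscale = data[0]
        i += length
    return kinds, mss, wscale


def ja4ts_fields(tcp_header: bytes) -> dict:
    """Extract the four JA4TS fields from a raw TCP header; the segment must be a SYN-ACK."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than the 20-byte minimum")
    data_offset = (tcp_header[12] >> 4) * 4
    flags = tcp_header[13]
    if flags & 0x12 != 0x12:                # SYN (0x02) and ACK (0x10) must both be set
        raise ValueError("not a SYN-ACK segment")
    window = struct.unpack("!H", tcp_header[14:16])[0]
    kinds, mss, wscale = parse_tcp_options(tcp_header[20:data_offset])
    return {"window": window, "options": kinds, "mss": mss, "wscale": wscale}


def ja4ts(tcp_header: bytes) -> str:
    """Render the fields as window_options_mss_wscale; absent values render as 00 (assumed)."""
    f = ja4ts_fields(tcp_header)
    opts = "-".join(str(k) for k in f["options"]) or "00"
    mss = "00" if f["mss"] is None else str(f["mss"])
    wscale = "00" if f["wscale"] is None else str(f["wscale"])
    return f"{f['window']}_{opts}_{mss}_{wscale}"


def build_synack(window: int, options: bytes) -> bytes:
    """Construct a SYN-ACK TCP header for testing (sample data, not a captured packet)."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH",
                        443, 51000,              # source port, destination port
                        0x11111111, 0x22222222,  # sequence and acknowledgement numbers
                        data_offset << 4, 0x12,  # data offset in 32-bit words, flags SYN+ACK
                        window, 0, 0)            # window, checksum (left unset), urgent ptr
    return fixed + options


# Constructed sample: MSS 1460, NOP, WS 7, NOP, NOP, Timestamps, matching the page's example
SAMPLE_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x07" + b"\x01\x01"
                  + b"\x08\x0a" + struct.pack("!II", 1000, 0))
SAMPLE_SYNACK = build_synack(65535, SAMPLE_OPTIONS)

if __name__ == "__main__":
    print(ja4ts(SAMPLE_SYNACK))                 # 65535_2-1-3-1-1-8_1460_7
    print(ja4ts(build_synack(8192, b"")))       # 8192_00_00_00
```

Feed ja4ts() the TCP header bytes of any SYN-ACK you pull from a capture and compare the result with what the tshark field gives you for the same frame; a mismatch usually points at one of the assumptions noted above.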
Extracting JA4TS
# Extract JA4TS from SYN-ACK packets
tshark -r capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 1" \
    -T fields -e ip.src -e ja4ts.hash

# Compare client (JA4T) and server (JA4TS) fingerprints
tshark -r capture.pcap -Y "tcp.flags.syn == 1" \
    -T fields -e frame.number -e ip.src -e ip.dst \
    -e tcp.flags.ack -e ja4t.hash -e ja4ts.hash

# Group servers by JA4TS fingerprint
tshark -r capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 1" \
    -T fields -e ip.src -e ja4ts.hash | sort | uniq -c | sort -rn
Hands-On Exercise
Step 1: Capture SYN-ACK Responses
tshark -i eth0 -f "tcp[tcpflags] == (tcp-syn|tcp-ack)" -w synack.pcap -c 50
Step 2: Extract Server Fingerprints
tshark -r synack.pcap -T fields -e ip.src -e ja4ts.hash | sort -u
Step 3: Map Server OS Distribution
Create a mapping of server IPs to their JA4TS fingerprints. Then identify which servers run Linux and which run Windows from their TCP characteristics (window size, option order, MSS and window scale).
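One way to carry out Step 3 on the output of the Step 2 command, as an added example written for this lab rather than code from the JA4 project: the script parses the tab-separated ip.src / ja4ts.hash rows that tshark -T fields prints, groups them per server, and flags any server that answered with more than one JA4TS (one address fronting more than one TCP stack, which is exactly what a load balancer or CDN edge can look like). The tshark output embedded below is constructed sample data, and its fingerprint strings are made up for illustration. Deciding whether a given fingerprint means Linux or Windows is a lookup against reference fingerprints you collect from hosts whose OS you know; that table is not hard-coded here.

```python
from collections import Counter, defaultdict

# Constructed sample of what this command prints (sample data, not a real capture):
#   tshark -r synack.pcap -T fields -e ip.src -e ja4ts.hash
# One row has an empty fingerprint, as happens when the dissector produced no value.
SAMPLE_TSHARK_OUTPUT = """\
10.0.0.5\t65535_2-1-3-1-1-8_1460_7
10.0.0.5\t65535_2-1-3-1-1-8_1460_7
10.0.0.9\t64240_2-1-3-1-1-4_1460_8
10.0.0.9\t
10.0.0.20\t65535_2-1-3-1-1-8_1460_7
10.0.0.20\t8192_2-1-3-1-1-4_1460_8
"""


def parse_tshark_fields(text: str):
    """Turn tab-separated tshark -T fields output into (server_ip, fingerprint) pairs.

    Rows with a missing IP or an empty fingerprint column are dropped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2 or not parts[0] or not parts[1]:
            continue
        rows.append((parts[0], parts[1]))
    return rows


def group_by_server(rows):
    """Map each server IP to a Counter of the JA4TS values it answered with."""
    groups = defaultdict(Counter)
    for ip, fingerprint in rows:
        groups[ip][fingerprint] += 1
    return dict(groups)


def fingerprint_distribution(rows):
    """Count how many distinct servers produced each fingerprint (one vote per server)."""
    dist = Counter()
    for fingerprints in group_by_server(rows).values():
        for fingerprint in fingerprints:
            dist[fingerprint] += 1
    return dist


def servers_with_mixed_fingerprints(rows):
    """Servers that answered with more than one JA4TS value.

    A single address showing several stacks is worth a closer look: it may be a load
    balancer or CDN edge in front of different backends rather than one host.
    """
    return sorted(ip for ip, fingerprints in group_by_server(rows).items()
                  if len(fingerprints) > 1)


if __name__ == "__main__":
    rows = parse_tshark_fields(SAMPLE_TSHARK_OUTPUT)
    for ip, fingerprints in sorted(group_by_server(rows).items()):
        print(ip, dict(fingerprints))
    print("fingerprint -> server count:", dict(fingerprint_distribution(rows)))
    print("mixed:", servers_with_mixed_fingerprints(rows))
```

To run it against your own lab capture, replace SAMPLE_TSHARK_OUTPUT with the text the Step 2 command prints (or read it from a file), then compare each fingerprint in the distribution against the values you recorded from known Linux and Windows hosts.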