Support TLS ClientHello randomization #3330
I suspect the reason for the static JA3 hash is due to automatic cipher ordering in tls.Config:

```go
// Config fragment as posted; the trailing comma after InsecureSkipVerify is needed for it to compile.
tls.Config{
	Certificates: []tls.Certificate{cert},
	// shuffle this array here.
	CipherSuites: []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	},
	MinVersion:               tls.VersionTLS10,
	PreferServerCipherSuites: true,
	InsecureSkipVerify:       true,
}
```

From the blog:

> Although I did make a quick script to perform a simple TLS request to catch the JA3 to see if the JA3 is static among golang packages, and it is not. They had entirely different JA3 hashes compared to nuclei. Maybe one suggestion to randomize the JA3 is to enable and disable random ciphers: since we cannot control the order of the ciphers but we can control what ciphers are used, this will cause the ciphers in the client hello message to be different, and thus change the outcome of the hash. I do something similar in the Python script provided in the original post.
Depends on projectdiscovery/fastdialer#123

@rpaul-ghostsec this is now added in dev branch - #3844 (review)

This is now added to the latest release.
Feature
`-tlsi, -tls-impersonate` enable experimental client hello (ja3) tls randomization
See below for the implementation
I noticed that nuclei has the same JA3 hash across multiple different OS and environments (tested OSX, Ubuntu 20.04/22.04, Kali):
19e29534fd49dd27d09234e639c4057e
This makes it extremely easy to identify and block nuclei scans from a WAF perspective, without needing a reverse proxy to decrypt and inspect payloads at all because you only need to inspect the client hello coming from nuclei. See the JA3? Drop the request.
Here is an example of how to generate a random JA3 hash on every single request, which makes detecting scans more difficult and thus improves scan accuracy. Randomizing the cipher order on every single request might be expensive, but it could be done when a nuclei scan is launched so each individual scan has its own JA3, rather than the exact same JA3 every time for everyone using nuclei.
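To make the thread's argument concrete, here is an added Go example (not code from nuclei or fastdialer) that computes the JA3 string and hash from the five ClientHello fields, dropping GREASE values as the JA3 definition requires, and shows that enabling one extra cipher suite with every other field unchanged yields a different hash. The two ClientHellos are constructed samples, so their hashes are not the nuclei value quoted above.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"strconv"
	"strings"
)

// ClientHelloFields holds the five ClientHello values JA3 fingerprints, in JA3 order.
type ClientHelloFields struct {
	Version      uint16   // legacy_version, e.g. 771 (0x0303) for TLS 1.2
	Ciphers      []uint16 // cipher_suites in the client's order
	Extensions   []uint16 // extension types in the order sent
	Curves       []uint16 // supported_groups
	PointFormats []uint16 // ec_point_formats
}

// joinNums renders a list the JA3 way: decimal values joined by "-", with GREASE
// placeholders (0x0a0a, 0x1a1a, ...) removed as the JA3 definition requires.
func joinNums(vals []uint16) string {
	var parts []string
	for _, v := range vals {
		if v&0x0f0f != 0x0a0a {
			parts = append(parts, strconv.Itoa(int(v)))
		}
	}
	return strings.Join(parts, "-")
}

// JA3String builds "Version,Ciphers,Extensions,Curves,PointFormats".
func JA3String(h ClientHelloFields) string {
	return strconv.Itoa(int(h.Version)) + "," + joinNums(h.Ciphers) + "," +
		joinNums(h.Extensions) + "," + joinNums(h.Curves) + "," + joinNums(h.PointFormats)
}

// JA3Hash is the hex MD5 of the JA3 string, the value a WAF rule matches on.
func JA3Hash(h ClientHelloFields) string {
	sum := md5.Sum([]byte(JA3String(h)))
	return hex.EncodeToString(sum[:])
}
// sampleHello is a constructed ClientHello; only the cipher list varies between samples.
func sampleHello(ciphers []uint16) ClientHelloFields {
	return ClientHelloFields{Version: 771, Ciphers: ciphers, Curves: []uint16{29, 23},
		Extensions: []uint16{0, 10, 11, 13, 0x0a0a}, PointFormats: []uint16{0}}
}

// StaticHello mimics a fixed client config; VariantHello only enables one extra suite.
var StaticHello = sampleHello([]uint16{0xc02f, 0xc02b})
var VariantHello = sampleHello([]uint16{0x1301, 0xc02f, 0xc02b})
```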