JARM in Censys Search
JARM is an active method for fingerprinting the TLS configuration of a host: it sends a fixed set of specially crafted Client Hello messages and hashes how the server responds, which helps identify and group TLS-enabled services.
Threat Hunters can use JARM to:
- Search for C2 infrastructure of malicious actors who use a specially crafted TLS configuration.
Attack Surface Managers can use JARM to:
- Identify anomalies in TLS configurations in their organization’s network.
- Verify upgrades in TLS configurations.
The 62-character JARM fingerprint is itself a concatenation of 2 fingerprints:
- First 30 characters: a fuzzy hash of the TLS version and cipher suite the service negotiated in response to each of the 10 probes (3 characters per probe: 2 for the cipher, 1 for the version).
- Last 32 characters: a truncated SHA-256 digest of the TLS extensions the service returned across those probes.
Censys Search provides 4 JARM-related fields for querying at the root level of a service object.
Use the services.jarm.fingerprint field to search with a full 62-character JARM fingerprint, or use one of the 2 component fields to search with only the first 30 characters or only the last 32 characters.
Use the services.jarm.observed_at field to restrict your searches to fingerprints obtained within the time frame you consider fresh enough. The maximum age of a JARM fingerprint in Censys data is 15 days.
Field | Type | Description
---|---|---
services.jarm.fingerprint | text | The 62-character JARM fingerprint of the service.
services.jarm.cipher_and_version_fingerprint | text | The first 30 characters of the JARM fingerprint, which encode the TLS version and cipher suite the service negotiated for each probe.
services.jarm.tls_extensions_sha256 | text | The last 32 characters of the JARM fingerprint, a truncated SHA-256 digest of the service’s TLS extension usage.
services.jarm.observed_at | date | The RFC 3339-formatted timestamp of when Censys fingerprinted the service.
Creating a full JARM fingerprint requires 10 separate connections to a TLS-encrypted service.
Censys strives to be a good citizen of the Internet while maintaining the highest quality and accuracy in our host data set, so we are careful to collect TLS data without negatively impacting servers worldwide.
With this in mind, Censys does not attempt JARM fingerprints of any services on super hosts (for example, hosts with more than 99 services).
Also, if a JARM fingerprint is older than 15 days, it is cleared from the service data until it can be respectfully re-fingerprinted. Likewise, if Censys detects a change in a service’s name—the primary identifier of a service—the JARM fingerprint is also cleared, as the likelihood of an identical JARM fingerprint on a new service is very low.
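The following Python is an added example and not Censys code. It splits a fingerprint into the two halves that the services.jarm.* fields expose, decodes the version letter of each of the 10 probes using the encoding from the JARM reference implementation (salesforce/jarm, which this page does not describe), builds a Censys Search query for whichever component you have on hand, and applies the 15-day freshness rule to constructed sample records. The `field: "value"` and `[date TO *]` query syntax, the sample fingerprints, and the record layout are assumptions, not taken from this page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

JARM_LEN = 62
CIPHER_VERSION_LEN = 30       # services.jarm.cipher_and_version_fingerprint
EXT_SHA256_LEN = 32           # services.jarm.tls_extensions_sha256
NULL_JARM = "0" * JARM_LEN    # produced when no probe completes a handshake
MAX_AGE = timedelta(days=15)  # Censys clears fingerprints older than this

# Third character of each 3-character probe triplet, per the JARM reference
# implementation (salesforce/jarm), not per the Censys page. The first two
# characters are a hex index into that implementation's cipher table and
# are left undecoded here.
VERSION_LETTER = {
    "0": "no handshake",
    "a": "SSLv3",
    "b": "TLS 1.0",
    "c": "TLS 1.1",
    "d": "TLS 1.2",
    "e": "TLS 1.3",
}

# Which Censys field a bare hex value belongs to, decided by its length.
FIELD_BY_LENGTH = {
    JARM_LEN: "services.jarm.fingerprint",
    CIPHER_VERSION_LEN: "services.jarm.cipher_and_version_fingerprint",
    EXT_SHA256_LEN: "services.jarm.tls_extensions_sha256",
}


@dataclass(frozen=True)
class JarmParts:
    cipher_and_version_fingerprint: str
    tls_extensions_sha256: str


def split_jarm(fingerprint: str) -> JarmParts:
    """Validate a full JARM and split it into the two halves Censys indexes."""
    fp = fingerprint.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{62}", fp):
        raise ValueError(f"not a 62-hex-character JARM fingerprint: {fingerprint!r}")
    return JarmParts(fp[:CIPHER_VERSION_LEN], fp[CIPHER_VERSION_LEN:])


def probe_versions(cipher_and_version: str) -> list[str]:
    """Decode the TLS version negotiated by each of the 10 probes (3 chars each)."""
    if len(cipher_and_version) != CIPHER_VERSION_LEN:
        raise ValueError("expected the 30-character cipher/version half")
    triplets = [cipher_and_version[i:i + 3] for i in range(0, CIPHER_VERSION_LEN, 3)]
    return [VERSION_LETTER.get(t[2], f"unknown({t[2]})") for t in triplets]


def censys_query(value: str, observed_since: datetime | None = None) -> str:
    """Build a Censys Search query for a full fingerprint or either component.

    The 'field: "value"' and '[start TO *]' range syntax is an assumption here.
    """
    value = value.strip().lower()
    field = FIELD_BY_LENGTH.get(len(value))
    if field is None or not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError(f"expected 62, 30 or 32 hex characters, got {value!r}")
    query = f'{field}: "{value}"'
    if observed_since is not None:
        query += (" and services.jarm.observed_at: "
                  f"[{observed_since.strftime('%Y-%m-%d')} TO *]")
    return query


def fresh_jarm_services(services: list[dict], now: datetime) -> list[dict]:
    """Keep services whose JARM is present and inside the 15-day retention window.

    A missing jarm object means Censys never fingerprinted the service (no TLS,
    super host) or cleared it (too old, or the service name changed).
    """
    kept = []
    for svc in services:
        jarm = svc.get("jarm")
        if not jarm:
            continue
        observed = datetime.fromisoformat(jarm["observed_at"].replace("Z", "+00:00"))
        if now - observed <= MAX_AGE:
            kept.append(svc)
    return kept


# Constructed sample records in the shape of the fields above; the fingerprint
# values are made up for illustration and are not real observations.
NOW = datetime(2024, 3, 20, tzinfo=timezone.utc)
SAMPLE_FP = "27d27d00027d27d21d27d27d29e29e" "a1b2c3d4e5f60718293a4b5c6d7e8f90"
STALE_FP = "2ad2ad0002ad2ad22c42d42d000000" "0123456789abcdef0123456789abcdef"
SAMPLE_SERVICES = [
    {"port": 443, "service_name": "HTTP",
     "jarm": {"fingerprint": SAMPLE_FP, "observed_at": "2024-03-18T10:00:00Z"}},
    {"port": 8443, "service_name": "HTTP",
     "jarm": {"fingerprint": STALE_FP, "observed_at": "2024-02-01T10:00:00Z"}},
    {"port": 22, "service_name": "SSH"},  # no TLS, so no jarm object
]

if __name__ == "__main__":
    parts = split_jarm(SAMPLE_FP)
    print(parts)
    print(probe_versions(parts.cipher_and_version_fingerprint))
    print(censys_query(parts.tls_extensions_sha256, observed_since=NOW - MAX_AGE))
    print([s["port"] for s in fresh_jarm_services(SAMPLE_SERVICES, NOW)])
```

Searching on the 32-character extension half alone is the usual pivot when an operator rotates cipher settings but leaves the extension set unchanged; pairing it with an observed_at lower bound keeps results inside the 15-day window during which Censys retains a fingerprint.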