1. Censys
  2. Censys Search
  3. Advanced Searching

Other Articles In This Section

In this article:

JARM in Censys Search 2.0

  • Updated
Censys Search 2.0 front page with example jarm fingerprint search shown

Purpose of JARM

JARM is a method for fingerprinting TLS configurations on hosts in order to help identify TLS-enabled services.

Use Cases for JARM in Censys Search

Threat Hunters can use JARM to:

  • Search for C2 infrastructure of malicious actors who use a specially crafted TLS configuration.

Attack Surface Managers can use JARM to:

  • Identify anomalies in TLS configurations in their organization’s network.

  • Verify upgrades in TLS configurations.

JARM Fingerprint Components

The 62-character JARM fingerprint is itself a concatenation of two fingerprints.

  • First 30 bytes: The output of a hybrid fuzzy hash of the service’s TLS version and cryptographic cipher usage.

  • Second 32 bytes: A SHA-256 digest of the service’s TLS extension usage.

Searchable JARM Fields in Censys Search

Censys provides four JARM-related fields for querying at the root level of a service object.

Censys Search 2.0 UI with JARM fields shown in the search bar suggestion dropdown

Use the services.jarm.fingerprint field to search with a full 62-byte JARM fingerprint, or use one of the two component fingerprints to search with the first 30 bytes or second 32 bytes.

Use the jarm.observed_at field to restrict your searches to fingerprints obtained within the time frame you feel is fresh enough. The maximum age for JARM fingerprints is 15 days.

 

Searchable JARM Fields
Field Type Description

services.jarm.fingerprint

text

The 62-byte JARM fingerprint of the service.

services.jarm.cipher_and_version_fingerprint

text

The first 30 bytes the JARM fingerprint, which encode the service’s TLS version and cipher suite configuration.

services.jarm.tls_extensions_sha256

text

The second 32 bytes of the JARM fingerprint, which is a digest of the service’s TLS extension usage.

services.jarm.observed_at

date

The RFC 3339-formatted timestamp indicating when the service was fingerprinted by Censys.

API Events Related to JARM

Censys is introducing a new API event type, called service_enriched, which indicates that data not obtained during one of Censys' traditional service scans (such as JARM), was added to a service.

See our API documentation for more information about the details of this event.

Implementing JARM at Censys

Creating a full JARM fingerprint requires 10 separate connections to a TLS-encrypted service.

Censys strives to be a good citizen of the Internet while maintaining the highest quality and accuracy in our host data set, so we are careful to collect TLS data without negatively impacting servers worldwide.

With this in mind, Censys does not attempt JARM fingerprints of any services on super hosts (i.e., hosts with more than 99 services).

Also, if a JARM fingerprint is older than 15 days, it will be cleared from the service data until it can be respectfully re-fingerprinted. Likewise, if Censys detects a change in a service’s name—the primary identifier of a service—the JARM fingerprint will also be cleared, as the likelihood of an identical JARM fingerprint on a new service is very low.

 

Diàtaxis: tutorial

Related articles

Comments

0 comments

Article is closed for comments.