JARM in Censys Search 2.0

Purpose of JARM
JARM is a method for fingerprinting TLS configurations on hosts in order to help identify TLS-enabled services.
Use Cases for JARM in Censys Search
Threat Hunters can use JARM to:
- Search for C2 infrastructure of malicious actors who use a specially crafted TLS configuration.
Attack Surface Managers can use JARM to:
- Identify anomalies in TLS configurations in their organization’s network.
- Verify upgrades in TLS configurations.
JARM Fingerprint Components
The 62-character JARM fingerprint is itself a concatenation of two fingerprints.
- First 30 bytes: The output of a hybrid fuzzy hash of the service’s TLS version and cryptographic cipher usage.
- Second 32 bytes: A SHA-256 digest of the service’s TLS extension usage.
Searchable JARM Fields in Censys Search
Censys provides four JARM-related fields for querying at the root level of a service object.

Use the services.jarm.fingerprint field to search with a full 62-byte JARM fingerprint, or use one of the two component fingerprints to search with the first 30 bytes or second 32 bytes.
Use the jarm.observed_at field to restrict your searches to fingerprints obtained within the time frame you feel is fresh enough. The maximum age for JARM fingerprints is 15 days.
Field | Type | Description |
---|---|---|
services.jarm.fingerprint | text | The 62-byte JARM fingerprint of the service. |
 | text | The first 30 bytes of the JARM fingerprint, which encode the service’s TLS version and cipher suite configuration. |
 | text | The second 32 bytes of the JARM fingerprint, which is a digest of the service’s TLS extension usage. |
jarm.observed_at | date | The RFC 3339-formatted timestamp indicating when the service was fingerprinted by Censys. |
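
An added example (not Censys code): splitting a fingerprint into the two components described above, checking an observation timestamp against the 15-day maximum age, and reporting which component differs between two fingerprints of the same service, as when verifying a TLS upgrade. The fingerprints are constructed sample values, and the function and label names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# JARM output is 62 lowercase hex characters (all zeros when no handshake answered).
JARM_RE = re.compile(r"[0-9a-f]{62}")
MAX_AGE = timedelta(days=15)  # maximum JARM age stated on this page

# Constructed sample fingerprints, not taken from any real host.
BASELINE = "29d" * 10 + "ab" * 16
UPGRADED = "2ad" * 10 + "ab" * 16


def split_jarm(fingerprint):
    """Return (first 30 chars: TLS version and ciphers, last 32: extensions digest)."""
    fp = fingerprint.strip().lower()
    if not JARM_RE.fullmatch(fp):
        raise ValueError("expected a 62-character hex JARM fingerprint")
    return fp[:30], fp[30:]


def is_fresh(observed_at, now):
    """True if an RFC 3339 timestamp with offset is no older than the 15-day maximum."""
    seen = datetime.fromisoformat(observed_at.replace("Z", "+00:00"))
    return timedelta(0) <= now - seen <= MAX_AGE


def changed_components(baseline, current):
    """Name the fingerprint component(s) that differ between two observations."""
    old_cipher, old_ext = split_jarm(baseline)
    new_cipher, new_ext = split_jarm(current)
    changed = []
    if old_cipher != new_cipher:
        changed.append("version_and_ciphers")
    if old_ext != new_ext:
        changed.append("extensions")
    return changed


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(split_jarm(BASELINE))
    print(changed_components(BASELINE, UPGRADED))
    print(is_fresh("2022-03-10T12:00:00Z", now))
```
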
API Events Related to JARM
Censys is introducing a new API event type, called service_enriched, which indicates that data not obtained during one of Censys' traditional service scans (such as JARM) was added to a service.
See our API documentation for more information about the details of this event.
Implementing JARM at Censys
Creating a full JARM fingerprint requires 10 separate connections to a TLS-encrypted service.
Censys strives to be a good citizen of the Internet while maintaining the highest quality and accuracy in our host data set, so we are careful to collect TLS data without negatively impacting servers worldwide.
With this in mind, Censys does not attempt JARM fingerprints of any services on super hosts (i.e., hosts with more than 99 services).
Also, if a JARM fingerprint is older than 15 days, it will be cleared from the service data until it can be respectfully re-fingerprinted. Likewise, if Censys detects a change in a service’s name—the primary identifier of a service—the JARM fingerprint will also be cleared, as the likelihood of an identical JARM fingerprint on a new service is very low.