[Bug]: Custom Cipher Suites doesn't seem to work

Version of the software

0.2.4

Operating system

Windows Server 2019

Browser / Native

Chrome

What happened?

According to https://github.com/salesforce/ja3

JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.

JA3 gathers the decimal values of the bytes for the following fields in the Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. It then concatenates those values together in order, using a “,” to delimit each field and a “-” to delimit each value in each field.

You can view your TLS fingerprint here: https://ja3er.com/ or here in JSON format: https://ja3er.com/json

I made a small project to get the JA3 fingerprint of OpenBullet2 (code provided below).

After sending multiple requests, the JA3 fingerprint hash was identical for all of them. Next, I changed the HTTP library to SystemNet and switched on Use Custom Cipher Suites. According to how JA3 fingerprinting works, the hash should change, as one of the five values is Accepted Ciphers; leaving only of the default listed ciphers in OpenBullet2, the hash stayed identical to what I got previously. Proof: https://prnt.sc/D4LP4AEw4bsO and https://prnt.sc/gekBrmu8Mz13

So, my conclusion is: Custom Cipher Suites does not work as it should; giving various custom ciphers should change the TLS fingerprint to bypass WAF of such companies as Akamai, etc.

Article to better understand how spoofing JA3 works: https://medium.com/cu-cyber/impersonating-ja3-fingerprints-b9f555880e42

Relevant LoliCode if needed

BLOCK:HttpRequest
LABEL:ja3
  url = "https://ja3er.com/json"
  httpLibrary = SystemNet
  useCustomCipherSuites = True
  TYPE:STANDARD
  ""
  "application/x-www-form-urlencoded"
ENDBLOCK

BLOCK:Parse
LABEL:hash
  input = @data.SOURCE
  jToken = "ja3_hash"
  MODE:Json
  => VAR @hash
ENDBLOCK

Issue Analytics

  • State:open
  • Created a year ago
  • Comments:6 (3 by maintainers)
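
For reference, the JA3 calculation quoted in the issue, as an added example (not code from the issue or from OpenBullet2): it parses a ClientHello body, builds the JA3 string and its MD5 hash, and shows that the hash changes only when the cipher list actually sent on the wire changes. The `build_hello` helper and its sample values are constructed for illustration; GREASE values are skipped, as the JA3 project specifies.

```python
import hashlib
import struct

# GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are ignored by JA3.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}

def _u16_list(buf):
    """Decode big-endian uint16 values, dropping GREASE."""
    vals = struct.unpack(f">{len(buf) // 2}H", buf)
    return [v for v in vals if v not in GREASE]

def ja3_from_client_hello(body):
    """Return (ja3_string, md5_hex) for a ClientHello handshake body."""
    version = struct.unpack_from(">H", body, 0)[0]
    pos = 2 + 32                               # version + random
    pos += 1 + body[pos]                       # session_id
    n = struct.unpack_from(">H", body, pos)[0]
    ciphers = _u16_list(body[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + body[pos]                       # compression methods
    exts, curves, formats = [], [], []
    if pos < len(body):                        # old clients send no extensions
        end = pos + 2 + struct.unpack_from(">H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from(">HH", body, pos)
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype in GREASE:
                continue
            exts.append(etype)                 # order of appearance matters
            if etype == 10:                    # supported_groups
                curves = _u16_list(data[2:])
            elif etype == 11:                  # ec_point_formats
                formats = list(data[1:])
    fields = [[version], ciphers, exts, curves, formats]
    ja3 = ",".join("-".join(map(str, f)) for f in fields)
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def build_hello(ciphers):
    """Constructed sample ClientHello body (not captured traffic)."""
    cs = struct.pack(f">{len(ciphers)}H", *ciphers)
    ext = (struct.pack(">HHHHH", 10, 6, 4, 29, 23)            # groups 29, 23
           + struct.pack(">HHBBHH", 11, 2, 1, 0, 0x0A0A, 0))  # format 0 + GREASE ext
    return (struct.pack(">H32xBH", 0x0303, 0, len(cs)) + cs + b"\x01\x00"
            + struct.pack(">H", len(ext)) + ext)

DEFAULT = ja3_from_client_hello(build_hello([0x0A0A, 4865, 4866, 49195, 49199]))
CUSTOM = ja3_from_client_hello(build_hello([0x0A0A, 49199]))
```

An unchanged hash after changing a client-side cipher setting therefore means the ClientHello on the wire still carries the same cipher list.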

Top GitHub Comments

3 reactions
AstolfoReverse commented, Jun 22, 2022

Thanks a lot for the reply. Didn’t know it doesn’t work on Windows. I’ll try to use it on Linux. For anyone wondering how to randomize the JA3 fingerprint on Windows, I used the CycleTLS library for Node.js (https://github.com/Danny-Dasilva/CycleTLS)

const initCycleTLS = require('cycletls');
// Typescript: import initCycleTLS from 'cycletls';

(async () => {
  // Initiate CycleTLS
  const cycleTLS = await initCycleTLS();

  // Send request
  const response = await cycleTLS('https://ja3er.com/json', {
    body: '',
    ja3: '771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-51-57-47-53-10,0-23-65281-10-11-35-16-5-51-43-13-45-28-21,29-23-24-25-256-257,0',
    userAgent: 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0',
    proxy: 'http://username:password@hostname.com:443'
  }, 'get');

  console.log(response);

  // Cleanly exit CycleTLS
  cycleTLS.exit();

})();

You can also use this code with the OpenBullet2 Node.js interop block. You can create an array with JA3 fingerprints downloaded from here: https://ja3er.com/downloads.html and then just take a random item from the array. It worked perfectly for me on Windows 11 + OpenBullet2.

I also wish something like this could be implemented in OpenBullet, since randomizing only ciphers is kinda weak randomization. Thanks!
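
Seen from the server side, rotation of this kind is detectable. The following is an added example (not part of the thread) that flags a client whose User-Agent stays fixed while its JA3 keeps changing. The event tuple layout, the threshold and the sample events are assumptions; the extension list is sorted before hashing so that browsers which only shuffle extension order, as recent Chrome builds do, are not flagged.

```python
import hashlib
from collections import defaultdict

def normalized_ja3(ja3_string):
    """Hash a JA3 string with its extension list sorted, so a client that only
    reorders extensions keeps a single fingerprint."""
    version, ciphers, exts, curves, formats = ja3_string.split(",")
    exts = "-".join(sorted(exts.split("-"), key=int)) if exts else ""
    norm = ",".join([version, ciphers, exts, curves, formats])
    return hashlib.md5(norm.encode()).hexdigest()

def rotating_clients(events, max_fingerprints=2):
    """Return {(src_ip, user_agent): distinct_count} for clients presenting
    more than max_fingerprints distinct normalized fingerprints."""
    seen = defaultdict(set)
    for src_ip, user_agent, ja3_string in events:
        seen[(src_ip, user_agent)].add(normalized_ja3(ja3_string))
    return {k: len(v) for k, v in seen.items() if len(v) > max_fingerprints}

# Constructed sample events: (source IP, User-Agent, JA3 string logged at the
# TLS terminator). Addresses come from documentation ranges.
UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"
EVENTS = [
    # One User-Agent, four unrelated ClientHello shapes: rotation.
    ("198.51.100.7", UA, "771,4865-4866-49195,0-23-10-11,29-23,0"),
    ("198.51.100.7", UA, "771,49199-49195-47,0-10-11-13,23-24,0"),
    ("198.51.100.7", UA, "771,4865-52393,0-23-65281-10,29-23-24,0"),
    ("198.51.100.7", UA, "769,47-53-10,0-10-11,23-24-25,0"),
    # Same fields, only the extension order differs: one fingerprint.
    ("203.0.113.20", UA, "771,4865-4866,0-23-10-11,29-23,0"),
    ("203.0.113.20", UA, "771,4865-4866,11-10-23-0,29-23,0"),
]

FLAGGED = rotating_clients(EVENTS)
```

In production the same grouping would normally be windowed by time and keyed on a session or account identifier as well as the source address, since many users can share one NAT address.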

2 reactions
openbullet commented, Jun 22, 2022

Hello, currently you cannot use this feature on Windows since by default it uses the SChannel TLS provider, which does not allow configuring cipher suites on a per-request basis, unless you manually change them from your Windows policies. You can only use this feature on macOS/Linux if you installed the latest openssl library.

There is already an issue where I mention this https://github.com/openbullet/OpenBullet2/issues/691

Also on macOS/Linux you need to use RuriLibHttp (which does not support HTTP 2.0) in order to use this feature, or you can use SystemNet (which supports HTTP 2.0) but I’m pretty sure it only works with socks4/4a/5 proxies (not with HTTP proxies, not without proxies).

To sum it up…

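RuriLibHttp with latest openssl (does not support HTTP/2.0)

| OS | SOCKS 4/4a/5 | Http | No proxy |
|---|---|---|---|
| Windows | | | |
| Linux | ✔️ | ✔️ | ✔️ |
| macOS | ✔️ | ✔️ | ✔️ |

SystemNet with latest openssl (supports HTTP/2.0)

| OS | SOCKS 4/4a/5 | Http | No proxy |
|---|---|---|---|
| Windows | | | |
| Linux | ✔️ | | |
| macOS | ✔️ | | |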

Explanation of why this is the way it is: https://stackoverflow.com/questions/72064030/how-to-use-openssl-with-tls-in-net-core-on-windows

Please try and let me know. I will leave this open as it’s a bit more informative.
