Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Using JA3_string= doesnt work, and the JA3 string is hard coded and cant be changed #123

Open
itsFriday2 opened this issue May 19, 2024 · 0 comments

Comments

@itsFriday2
Copy link

This product doesnt work at all.

  1. Open Wireshark, and type this in the search box: ssl.handshake.type == 1
  2. Use this code:

import tls_client
s = tls_client.Session(client_identifier="chrome_120")

response = s.get('https://yahoo.com')

  1. Run this code several times, and in Wireshark click on each request and go to "Transport Layer Security" > "TLS1.3" > "Handshake Protocol" - Look at "JA3 fullstring". Notice the JA3 fullstring value for each request is exactly the same. I tried different websites, I always see the same JA3 for each request, which is: 771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-45-43-5-23-35-13-65281-16-65037-18-51-10-11-17513-27,29-23-24,0. It appears to be hard coded. If I try a different client_identifier it changes to a different string, but again it appears hard code, every request has the same JA3 string which can be confirmed using Wireshark. This product is supposed to spoof JA3, but its not when the same JA3 string never changes.
  2. If you add the option "random_tls_extension_order=True", it randomize the JA3 string, but again it appears the JA3 string is hard coded, and all this option does is move around the numbers. I think it would be easy to detect, all you would have to do is look for the numbers in the string. The order changes, but not the numbers.
  3. If you remove the client_identifier and add a JA3_string= it doesnt work. Wireshark shows the hard coded JA3 string is still used. The value you put for JA3_string isnt used.

There are some very obvious problems here:

  1. The documentation doesnt say if you use client_identifier YOU HAVE TO USE random_tls_extension_order=True otherwise the JA3 string will be exactly the same for each response. This is how I identified the issue, all of a sudden a website was quickly blocking me. When I ran Wireshark and looked at the JA3 I realised each request I was making had exactly the same JA3 string.

Originally I got the impression that if I am emulating Chrome version 120, I wouldn't need to use random_tls_extension_order=True because Chrome 120 randomizes each string. If you are emulating Chrome 120, there should be no need to use random_tls_extension_order=True because the Chrome web browser randomizes the string. The documentation should explicitly state that you always have to use random_tls_extension_order=True for Chrome when using client_identifier. Or it should be made the default.

  1. The JA3 string appears to be hard coded. Even using the JA3_string doesnt cause the JA3 string to change. I would expect whatever value I put for JA3_string should be used, but it's not.
  2. The documentation should clearly state that you have to use either client_identifier or JA3_string, but not both. I dont think the documentation says this.
  3. By default Chrome randomizes the JA3 string, so why do I need to put random_tls_extension_order=True when using client_identifider? That makese no sense to me. By default Chrome randomizes the JA3 string, but by default this product doesnt. If you are spoofing Chrome, shouldnt the JA3 by default look like a JA3 string Chrome would use? I have no idea why you need to specify random_tls_extension_order=True, it should be the default. Why would someone use this and not want the JA3 random?

In the past, with a older version, I know that specifying the JA3_string DID work, because I would run my script with the JA3 string statically assigned, and in wireshark I would see the JA3 string I specified. But in the current version, 1.0.1 it doesnt work. In Wireshark I do not see the JA3 I specify, I just see the same JA3 string over and over. I will not consider using this package again until JA3_string works again. The documentation badly needs updating. This product doesnt work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant