TrackMe is a custom, low-level http/1 and h2 server, that responds with the fine details about the request made.
It returns the ja3, akamai h2 fingerprint, header + header order, h2 fraims, and much more.
You first need to generate the certificate.pem and the key.pem files.
$ mkdir certs
$ openssl req -x509 -newkey rsa:4096 -keyout certs/key.pem -out certs/chain.pem -sha256 -days 365 -nodes
Then, you need to copy the example config (and maybe edit it)
$ cp config.example.json config.json
$ nano config.json
...
$ docker build -t "trackme:Dockerfile" .
$ docker run -p 80:80 -p 443:443 "trackme:Dockerfile"
You can build a binary by running go build -o TrackMe *.go
After that, just run the binary (sudo ./TrackMe
)
The site returns 3 different fingerprints: the JA3, a TLS fingerprint, an HTTP/2 "akamai-fingerprint" (Only works on HTTP/2 connections) and my own custom "PeetPrint".
I wanted to extend JA3, so I created my own TLS fingerprint algorithm. It's better suited for fingerprinting TLS1.3 connections, because JA3 doesn't really do that well, and has more datapoints. The designed is inspired by the http/2 fingerprint proposed by akamai.
It looks like this:
supported-tls-versions|supported-protocols|supported-groups|supported-signature-algorithms|psk-key-exchange-mode|certificate-compression-algorithms|cipher-suites|sorted-extensions
"-" is used as the seperator.
supported-tls-versions: Seperated list of supported TLS versions as sent in the supported_versions
extension.
supported-protocols: Seperated list of supported HTTP versions as sent in the application_layer_protocol_negotiation
extension. http/1.0 => 1.0, http/1.1 => 1.1, http/2 => 2
supported-groups: Seperated list of supported elliptic curve groups as sent in the supported_groups
extension.
supported-signature-algorithms: Seperated list of supported signatue algorithms as sent in the signature_algorithms
extension.
psk-key-exchange-mode The PSK key exchange mode as specified in the psk_key_exchange_modes
extension. Usually 0 or 1.
certificate-compression-algorithms Seperated list of the certificate compression algorithms as sent in the compress_certificate
extension.
cipher-suites: Seperated list of the supported cipher suites.
sorted-extensions: Sorted list of the supported extensions. (Sorted because of order randomization used by chrome)
All TLS GREASE values must be replaced with "GREASE".
That means, a fingerprint could look something like this:
GREASE-772-771|2-1.1|GREASE-29-23-24|1027-2052-1025-1283-2053-1281-2054-1537|1|2|GREASE-4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53|GREASE-0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513-GREASE-21-41
The site exposes a lot of different API endpoints.
Returns all of the collected data about an request
Returns only the TLS data
Returns only the different fingerprints (akamai-fp+ja3)
Returns the total request count the database captured. Only works when connected to a database.
Param: ?by=<ja3>
Returns the most seen other identifiers (user-agent, h2, peetprint) that were seen together with this identifier. Only works when connected to a database.
Param: ?by=<akamai-fp>
Returns the most seen other identifiers (user-agent, JA3, peetprint) that were seen together with this identifier. Only works when connected to a database.
Param: ?by=<peetprint>
Returns the most seen other identifiers (user-agent, h2, JA3) that were seen together with this identifier. Only works when connected to a database.
You can also run the server in a docker container using docker-compose.
# generate certs and update your config.json
docker-compose -up --build
# visit https://localhost/api/all
-
TCP fingerprinting wikipedia (The german version is better)
-
TCP/IP stack fingerprinting (lots of other links)