Skip to content

AlecHaring/TrackMe

 
 

Repository files navigation

TrackMe - Server side http/tls tracking demo in go

TrackMe is a custom, low-level http/1 and h2 server, that responds with the fine details about the request made.

It returns the ja3, akamai h2 fingerprint, header + header order, h2 frames, and much more.

Running it

You first need to generate the certificate.pem and the key.pem files.

$ mkdir certs
$ openssl req -x509 -newkey rsa:4096 -keyout certs/key.pem -out certs/chain.pem -sha256 -days 365 -nodes

Then, you need to copy the example config (and maybe edit it)

$ cp config.example.json config.json
$ nano config.json
...

You can build a binary by running go build -o TrackMe *.go

After that, just run the binary (sudo ./TrackMe)

Different fingerprints

The site returns 3 different fingerprints: the JA3, a TLS fingerprint, an HTTP/2 "akamai-fingerprint" (Only works on HTTP/2 connections) and my own custom "PeetPrint".

Custom Fingerpint ("PeetPrint")

I wanted to extend JA3, so I created my own TLS fingerprint algorithm. It's better suited for fingerprinting TLS1.3 connections, because JA3 doesn't really do that well, and has more datapoints. The designed is inspired by the http/2 fingerprint proposed by akamai.

It looks like this:

supported-tls-versions|supported-protocols|supported-groups|supported-signature-algorithms|psk-key-exchange-mode|certificate-compression-algorithms|cipher-suites|extensions

"-" is used as the seperator.

supported-tls-versions: Seperated list of supported TLS versions as sent in the supported_versions extension.

supported-protocols: Seperated list of supported HTTP versions as sent in the application_layer_protocol_negotiation extension. http/1.0 => 1.0, http/1.1 => 1.1, http/2 => 2

supported-groups: Seperated list of supported elliptic curve groups as sent in the supported_groups extension.

supported-signature-algorithms: Seperated list of supported signatue algorithms as sent in the signature_algorithms extension.

psk-key-exchange-mode The PSK key exchange mode as specified in the psk_key_exchange_modes extension. Usually 0 or 1.

certificate-compression-algorithms Seperated list of the certificate compression algorithms as sent in the compress_certificate extension.

cipher-suites: Seperated list of the supported cipher suites.

extensions: Seperated list of the supported extensions.

All TLS GREASE values must be replaced with "GREASE".

That means, a fingerprint could look something like this:

GREASE-772-771|2-1.1|GREASE-29-23-24|1027-2052-1025-1283-2053-1281-2054-1537|1|2|GREASE-4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53|GREASE-0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513-GREASE-21-41

API endpoints

The site exposes a lot of different API endpoints.

/api/all

Returns all of the collected data about an request

/api/tls

Returns only the TLS data

/api/clean

Returns only the different fingerprints (akamai-fp+ja3)

/api/request-count

Returns the total request count the database captured. Only works when connected to a database.

/api/search-ja3

Param: ?by=<ja3>

Returns the most seen other identifiers (user-agent, h2, peetprint) that were seen together with this identifier. Only works when connected to a database.

/api/search-h2

Param: ?by=<akamai-fp>

Returns the most seen other identifiers (user-agent, JA3, peetprint) that were seen together with this identifier. Only works when connected to a database.

/api/search-peetprint

Param: ?by=<peetprint>

Returns the most seen other identifiers (user-agent, h2, JA3) that were seen together with this identifier. Only works when connected to a database.

TLS & HTTP2 fingerprinting resources

Releases

No releases published

Packages

No packages published

Languages

  • Go 70.3%
  • HTML 29.7%