
Tool Identification Report

JA4T + JA4H Correlation Analysis — Attacker Tool Fingerprinting
THREAT ANALYSIS
Index: security_events_1_20536
ES Host: threats.eu.ast.co.rs:9200
Time Range: 2026-03-23 12:10 → 2026-03-24 12:10
Generated: 2026-03-24 (manual analysis)
Targets (analyzed source IPs): 91.150.97.40 · 45.84.107.182
Summary
Total events: 208
Source IPs: 2
Attack phases: 7
OS / machines: 2
Unique JA4T: 3
Unique JA4H: 34
Per-IP analysis

45.84.107.182
Datacenter / VPS · Linux · Jumbo frames
3 events · 1 tool · 1 connection

Infrastructure
JA4T: 62314_2-4-8-1-3_8902_12 (Linux kernel 4.x+)
MSS: 8902, implying a path MTU of ~8942 (jumbo frames), i.e. datacenter networking
Window scale: 12 (×4096), a high-performance server environment
Source port: 16179 on all 3 requests, i.e. the same TCP connection reused with HTTP keep-alive
TCP option order: 2-4-8-1-3 (MSS → SACK-permitted → Timestamp → NOP → WScale)
Attack type: Baithive Request Attempt (HTTP only, no TCP scan phase)
HTTP Fingerprint
Tool guess: httpx / curl with explicit headers
ge11nn11enUS_67a5909b5a28_000000000000_000000000000
HTTP method: GET (ge)
Version: HTTP/1.1
Cookies: no (n)
Referer: no (n)
Header count: 11
Language: en-US

Findings:
Same JA4H on all 3 requests and the same source port: one tool, one HTTP connection (keep-alive), a short probe.
11 headers with no cookies and no Referer but an en-US Accept-Language points to an automated HTTP client with a browser-like header set (httpx, or curl with Accept-Language added); a bare curl sends only 3 headers.
A datacenter VPS with jumbo frames is not a user's desktop; it is a server brought up specifically for this scanning.
91.150.97.40
Windows + Linux exit · Proxy / VPN node · MSS 1412
205 events · 7 phases · 2 OS · 33 unique JA4H

JA4T: dual OS fingerprint (key finding)
Distribution of TCP fingerprints, same network path (MSS 1412 on both):
65535_2-1-3-1-1-4_1412_8: 103× (Windows 10/11)
64240_2-4-8-1-3_1412_7: 102× (Linux 4.x+)

Conclusion: Proxy / VPN exit node
A ~50/50 split between Windows and Linux JA4T from the same IP shows this IP is not a single machine. Either it is an exit node carrying traffic from several devices, or the same attacker used two systems (a Windows desktop and a Linux box) that share one egress IP. Both fingerprints advertise MSS 1412, i.e. a path MTU of 1452, so both exits traverse the same encapsulated link. Caveat on the PPPoE reading: plain PPPoE gives MTU 1492 and MSS 1452; an MTU of 1452 is 40 bytes lower, which points to one more encapsulation layer on the path (an IPv4-over-IPv6 carrier tunnel or a VPN), consistent with the exit-node interpretation.
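Decoding the three JA4T values on this page and running the per-IP OS-split check over a batch of SYN events, as an added Python example that is not part of the report or of any JA4 tooling. The option-kind names and the MSS-to-MTU arithmetic follow the TCP standard; the Linux/Windows mapping from option order is the report's own heuristic, not a spec rule; the event list is constructed to mirror the report's counts and was not exported from the index.

```python
"""Decode JA4T TCP fingerprints and flag source IPs that emit more than one
OS-looking fingerprint (the proxy / VPN exit-node pattern described above).

Added worked example. The os_hint mapping is the report's heuristic
(option order 2-4-8-1-3 = Linux, 2-1-3-1-1-4 = Windows), not a JA4 spec rule.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# TCP option kind numbers as they appear in the JA4T option field (IANA registry).
TCP_OPTION_KIND = {
    0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SACK-permitted",
    5: "SACK", 8: "Timestamp",
}
IPV4_TCP_HEADER_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header without options


@dataclass(frozen=True)
class JA4T:
    window: int
    options: tuple   # TCP option kinds in wire order
    mss: int
    wscale: int

    @property
    def option_names(self):
        return [TCP_OPTION_KIND.get(k, f"kind-{k}") for k in self.options]

    @property
    def mtu(self):
        """Path MTU implied by the advertised MSS, assuming IPv4 and no IP options."""
        return self.mss + IPV4_TCP_HEADER_OVERHEAD

    @property
    def window_multiplier(self):
        return 1 << self.wscale

    @property
    def os_hint(self):
        # Heuristic taken from the report's observations, not a spec-defined mapping.
        if self.options[:5] == (2, 4, 8, 1, 3):
            return "linux"
        if self.options[:6] == (2, 1, 3, 1, 1, 4):
            return "windows"
        return "unknown"


def parse_ja4t(fp: str) -> JA4T:
    """JA4T layout: <window>_<option kinds joined by '-'>_<MSS>_<window scale>."""
    window, opts, mss, wscale = fp.split("_")
    options = () if opts in ("", "00") else tuple(int(k) for k in opts.split("-"))
    return JA4T(int(window), options, int(mss), int(wscale))


def os_mix(events):
    """events: iterable of (src_ip, ja4t_string) -> {ip: Counter of os_hint}."""
    mix = defaultdict(Counter)
    for ip, fp in events:
        mix[ip][parse_ja4t(fp).os_hint] += 1
    return mix


def flag_multi_os(events, min_share=0.2):
    """Return {ip: {os_hint: share}} for IPs where at least two OS hints each hold
    >= min_share of that IP's SYNs. One host cannot plausibly do this; a NAT, proxy
    or VPN exit (or one operator with two machines behind one egress) can."""
    flagged = {}
    for ip, counts in os_mix(events).items():
        total = sum(counts.values())
        strong = {o: n / total for o, n in counts.items() if n / total >= min_share}
        if len(strong) >= 2:
            flagged[ip] = strong
    return flagged


# Constructed sample mirroring the report's per-IP counts (not exported from the index).
SAMPLE_EVENTS = (
    [("91.150.97.40", "65535_2-1-3-1-1-4_1412_8")] * 103
    + [("91.150.97.40", "64240_2-4-8-1-3_1412_7")] * 102
    + [("45.84.107.182", "62314_2-4-8-1-3_8902_12")] * 3
)

if __name__ == "__main__":
    for fp in ("62314_2-4-8-1-3_8902_12", "65535_2-1-3-1-1-4_1412_8", "64240_2-4-8-1-3_1412_7"):
        t = parse_ja4t(fp)
        print(f"{fp}: {t.os_hint:8} {'->'.join(t.option_names)} "
              f"MTU~{t.mtu} window x{t.window_multiplier}")
    for ip, shares in flag_multi_os(SAMPLE_EVENTS).items():
        print("multi-OS egress:", ip, {o: f"{s:.0%}" for o, s in shares.items()})
```

The 20% threshold is deliberate: a single machine with an occasional stray fingerprint (a VM, a container with a tuned stack) should not be flagged, while the ~50/50 split seen here is. Run it against an export of `(source ip, ja4t)` pairs from the index rather than the constructed list to reproduce the finding on live data.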
Attack phases (by JA4H category)

Phase 1: TCP port scan (RAW SOCKET)
Win + Lin · 75 events
Pure TCP SYN packets with no HTTP layer (so no JA4H). A port scan that never completes the handshake.
Seen with both JA4T fingerprints (Windows and Linux): the same tool run on both systems.
Candidate tools: nmap -sS (SYN scan), masscan. Both use raw sockets and require root/admin.
Phase 2: Raw HTTP probe (HTTP/1.0, 0 HEADERS)
Win + Lin · 9 events
HTTP/1.0 with zero headers is never a real browser. A custom script or a Nuclei raw-request template.
ge10nn000000_000000000000: GET HTTP/1.0, 0 headers · 4× Lin + 2× Win
op10nn000000_000000000000: OPTIONS HTTP/1.0, 0 headers · 2× Lin + 1× Win
Candidate tools: Python requests (minimal), Go net/http custom client, Nuclei raw template
Phase 3: OPTIONS recon (CORS / WebDAV probe)
Win + Lin · 27 events
OPTIONS HTTP/1.1 with 3-5 headers, no cookies, no Accept-Language. Typical of CORS probing or WebDAV/REST API enumeration.
op11nn050000_dbba02979775: OPTIONS/1.1 · 5 headers · no lang · 8× Win
op11nn050000_c9eb774c23bc: OPTIONS/1.1 · 5 headers · no lang · 8× Lin
op11nn030000_b0d6a43aa599: OPTIONS/1.1 · 3 headers · 3× Win
op11nn030000_746ee0e73b1b: OPTIONS/1.1 · 3 headers · 2× Lin
Candidate tools: Nuclei (CORS/WebDAV templates), feroxbuster
Phase 4: Web scanner with UA rotation (AUTOMATION)
Win + Lin · 48 events
Variable header counts (3, 12, 15, 16) with no cookies: a web scanner rotating configurations or templates.
Identical JA4H_b on Windows and Linux JA4T (cb03e2138c2f, 7× on each) means the same header names in the same order from both systems: the same tool, or the same request template, running on both. Where the hashes differ by OS (b0d6a43aa599 on Windows vs 746ee0e73b1b on Linux for the 3-header requests) the header names or order differ slightly; JA4H_b hashes header names, not values, so a different User-Agent string alone would not change it.
ge11nn15enUS_cb03e2138c2f: 15 headers · enUS · 7× Win + 7× Lin
ge11nn16enUS_b771f6aa2c90: 16 headers · enUS · 11× Win
ge11nn12enUS_9a9494a1019e: 12 headers · enUS · 9× Lin
ge11nn030000_746ee0e73b1b: 3 headers · no lang · 10× Lin
ge11nn030000_b0d6a43aa599: 3 headers · no lang · 9× Win
Candidate tools: Nuclei, httpx
Phase 5: Browser emulation (SCRIPTED CHROMIUM)
Win + Lin · 28 events
GET HTTP/1.1 with cookies and a Referer, 9-14 headers, enUS. On its face this looks like a real browser.
Why this is not a real browser:
Cookie-name hash 8eb3ea9bbde6 (JA4H_c) recurs across 5 different sessions.
Cookie name+value hash 1257a4bff27d (JA4H_d) is identical in every request, so the cookie values themselves never change.
A real user's cookies change between sessions (fresh session IDs, consent tokens). Here they are fixed, which means a script with hard-coded values. Note that JA4H records only that a Referer header was present (the "r" flag), not its value; a constant referer URL has to be confirmed from the raw events rather than from the fingerprint.
Candidate tools: Playwright, Puppeteer, Selenium
Phase 6: HTTP fuzzing (INVALID METHOD)
Win + Lin · 6 events
"00" in the JA4H method field means the fingerprinter could not read an HTTP method at all (an empty or non-alphabetic verb, e.g. null bytes or binary where the method should be); a made-up but alphabetic verb such as FOO would still encode as its first two letters. This is typical of a fuzzer or a protocol-confusion attempt. The JA4H_b hashes b0d6a43aa599 and 746ee0e73b1b are the same ones seen with GET, OPTIONS and HEAD in phases 3, 4 and 7: the same 3-header request template with only the method swapped.
0011nn030000_b0d6a43aa599: invalid method · 3 headers · 1× Win
0011nn030000_746ee0e73b1b: invalid method · 3 headers · 1× Lin
0011nn040000_07a1d23d6be2: invalid method · 4 headers · 1× Lin
0011nn040000_85a50c8376b0: invalid method · 4 headers · 1× Win
0011nn050000_61bdae0040f8: invalid method · 5 headers · 1× Win
Candidate tools: ffuf, custom fuzzer
Phase 7: HEAD scan + POST automation
Win + Lin · 6 events
HEAD requests check whether an endpoint exists without downloading the body. The POST requests target API endpoints.
he11nn080000_dcba4d526bc4: HEAD · 8 headers · 1× Win
he11nn080000_de1f6c1ce132: HEAD · 8 headers · 1× Lin
he11nn030000_b0d6a43aa599: HEAD · 3 headers · 1× Win
po11nn040000_71d301d86682: POST · 4 headers · no lang · 2× Lin
po11nn040000_204392bec222: POST · 4 headers · no lang · 1× Win
JA4H signal: how to tell a tool from a browser

JA4H pattern                                  | HTTP version | Headers | Cookies | Lang | Verdict          | Typical tool
ge10nn000000_000000000000                     | HTTP/1.0     | 0       | no      | no   | RAW TOOL         | custom script, Nuclei raw template
op10nn000000_000000000000                     | HTTP/1.0     | 0       | no      | no   | RAW SCANNER      | OPTIONS probe, CORS scan
0011nn030000_...                              | invalid      | 3-5     | no      | no   | FUZZER           | ffuf, custom fuzzer
op11nn050000_...                              | HTTP/1.1     | 5       | no      | no   | SCANNER          | Nuclei, feroxbuster
ge11nn15enUS_...                              | HTTP/1.1     | 15      | no      | enUS | AUTOMATION       | Nuclei, httpx (UA spoof)
he11nn080000_...                              | HTTP/1.1     | 8       | no      | no   | SCANNER          | HEAD recon
po11nn040000_...                              | HTTP/1.1     | 4       | no      | no   | AUTOMATION       | API automation script
ge11cr12enUS_xxx_8eb3ea9bbde6_1257a4bff27d    | HTTP/1.1     | 12      | yes*    | enUS | SCRIPTED BROWSER | Playwright / Puppeteer

* Cookies and a Referer are present but fixed: the same cookie-name hash (JA4H_c) and cookie name+value hash (JA4H_d) in every session. That is not a real user but a scripted browser.
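The decoding and the verdict rules of the table above, plus the phase 5 "fixed cookie across sessions" test, as an added Python example that is not part of the report or of any JA4 tooling. The JA4H_a layout and the meaning of the b/c/d hashes follow the published JA4+ format; the verdict thresholds are the report's heuristics. The sample records are constructed, not exported from the index: the session IDs are invented, and the scripted-browser fingerprint's JA4H_b is a placeholder ("bbbbbbbbbbbb") because the report shows it only as "xxx".

```python
"""Decode JA4H fingerprints, apply the report's tool-vs-browser heuristics, and
upgrade browser-like requests to SCRIPTED BROWSER when their cookie hash is fixed
across many sessions.  Added worked example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

HTTP_METHODS = {"ge": "GET", "po": "POST", "op": "OPTIONS", "he": "HEAD", "pu": "PUT",
                "de": "DELETE", "pa": "PATCH", "tr": "TRACE", "co": "CONNECT"}
HTTP_VERSIONS = {"10": "HTTP/1.0", "11": "HTTP/1.1", "20": "HTTP/2", "30": "HTTP/3"}
ZERO_HASH = "000000000000"   # JA4H b/c/d value when there is nothing to hash


@dataclass(frozen=True)
class JA4H:
    method: str
    version: str
    has_cookie: bool
    has_referer: bool
    header_count: int
    lang: Optional[str]
    header_hash: str          # JA4H_b: hash of header names (Cookie/Referer excluded)
    cookie_names_hash: str    # JA4H_c: hash of sorted cookie names
    cookie_values_hash: str   # JA4H_d: hash of sorted cookie name=value pairs


def parse_ja4h(fp: str) -> JA4H:
    """JA4H_a = method(2) version(2) cookie(c|n) referer(r|n) header-count(2) lang(4),
    followed by _b _c _d.  Dashboards often truncate to a_b, so c and d default to zero."""
    parts = fp.split("_")
    a = parts[0]
    if len(a) != 12:
        raise ValueError(f"JA4H_a must be 12 characters: {a!r}")
    b, c, d = (parts[1:] + [ZERO_HASH] * 3)[:3]
    m = a[0:2]
    return JA4H(
        method="INVALID" if m == "00" else HTTP_METHODS.get(m, m.upper()),
        version=HTTP_VERSIONS.get(a[2:4], a[2:4]),
        has_cookie=a[4] == "c",
        has_referer=a[5] == "r",
        header_count=int(a[6:8]),
        lang=None if a[8:12] == "0000" else a[8:12],
        header_hash=b, cookie_names_hash=c, cookie_values_hash=d,
    )


def classify(h: JA4H) -> str:
    """Single-request verdict following the report's JA4H signal table."""
    if h.method == "INVALID":
        return "FUZZER"            # "00": no readable verb at all
    if h.version == "HTTP/1.0" and h.header_count == 0:
        return "RAW TOOL"          # no browser sends a header-less HTTP/1.0 request
    if h.has_cookie and h.has_referer:
        return "BROWSER-LIKE"      # needs the cross-session check below
    if h.lang is None:
        return "SCANNER"           # no cookie, no referer, no Accept-Language
    return "AUTOMATION"            # Accept-Language set, still no cookie/referer


def fixed_cookie_sessions(records, min_sessions=3):
    """records: iterable of (session_id, ja4h).  A real user's cookie values change
    between sessions, so one JA4H_d recurring across >= min_sessions distinct sessions
    marks hard-coded cookies.  Returns {ja4h_d: set(session_ids)}."""
    by_hash = defaultdict(set)
    for session, fp in records:
        h = parse_ja4h(fp)
        if h.has_cookie and h.cookie_values_hash != ZERO_HASH:
            by_hash[h.cookie_values_hash].add(session)
    return {k: s for k, s in by_hash.items() if len(s) >= min_sessions}


def verdict(records, min_sessions=3):
    """{ja4h: verdict} over a batch, upgrading BROWSER-LIKE to SCRIPTED BROWSER
    when the fingerprint's cookie hash is fixed across sessions."""
    fixed = fixed_cookie_sessions(records, min_sessions)
    out = {}
    for _, fp in records:
        h = parse_ja4h(fp)
        v = classify(h)
        if v == "BROWSER-LIKE" and h.cookie_values_hash in fixed:
            v = "SCRIPTED BROWSER"
        out[fp] = v
    return out


# Constructed sample (session IDs invented; JA4H_b of SCRIPTED is a placeholder, the
# report shows it only as "xxx"; its c/d hashes are the ones the report cites).
SCRIPTED = "ge11cr12enUS_bbbbbbbbbbbb_8eb3ea9bbde6_1257a4bff27d"
SAMPLE_RECORDS = [
    ("s1", "ge10nn000000_000000000000_000000000000_000000000000"),
    ("s2", "op11nn050000_dbba02979775_000000000000_000000000000"),
    ("s3", "ge11nn15enUS_cb03e2138c2f_000000000000_000000000000"),
    ("s4", "0011nn030000_b0d6a43aa599_000000000000_000000000000"),
] + [(f"s{i}", SCRIPTED) for i in range(10, 15)]   # same cookie hash in 5 sessions

if __name__ == "__main__":
    for fp, v in verdict(SAMPLE_RECORDS).items():
        print(f"{v:16} {fp}")
```

The session key should be whatever the index uses to separate client sessions (a source port plus time window, or a flow ID); a real browser that is simply kept open will repeat one cookie hash within a session, which is why the test counts distinct sessions rather than requests.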
Conclusion

45.84.107.182
Datacenter Linux VPS (jumbo frames, MSS 8902)
One tool, one HTTP connection (keep-alive, source port 16179)
11 headers, enUS, no cookies: httpx, or curl with Accept-Language added
A short one-off probe: discovery or a single vulnerability check

91.150.97.40
Proxy / VPN exit node: Windows and Linux JA4T in a ~50/50 ratio (or one operator with two machines behind the same egress)
The same encapsulated link for both OS exits (MSS 1412, implied MTU 1452)
Structured recon in 7 phases: port scan → raw HTTP → OPTIONS → web scan → browser emulation → fuzzing → HEAD/POST
Candidate tools: nmap/masscan · Nuclei · httpx · Playwright/Puppeteer · ffuf
The same JA4H hashes on Windows and Linux JA4T: the same tools run on both systems