Inspired by the awesome Derbycon talk by John Althouse, I wanted to give JA3 a try. After some Googling around, the easiest way seemed to be installing Moloch, which has JA3 support baked in. This post is just a brief overview of how to set this up and start exploring JA3 hashes. As a bonus, I also configured Suricata support for Moloch. Combined, I think this is a really good combo for network visibility.
Install
In my setup, I used Ubuntu 18.04 as a starting base.
In my scenario, I installed the Moloch viewer and capture components and Elastic all on the same box; this was all set up automatically via the installation instructions above.
Once the setup is complete, browse to https://:8005; you should see something that looks like this:
Now that you have Moloch installed, let's look at some JA3 hashes. In this example I'm going to be using the windows/x64/meterpreter/reverse_https payload.
In this scenario I have an attacking machine at 192.168.1.116 and a victim Windows 10 machine at 192.168.1.250.
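To make clear what Moloch is actually hashing when it shows a JA3 value for a flow like this one, here is an added example (not code from the original post or from Moloch) that parses a TLS ClientHello and builds the JA3 string and its MD5 the way the JA3 specification defines it: SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats, with GREASE values dropped. The ClientHello it parses is constructed inline, not a capture from the meterpreter session above.

```python
import hashlib
import struct

GREASE = {0x0a0a + 0x1010 * i for i in range(16)}   # RFC 8701 values, excluded by JA3

def _u16s(buf):
    return [v for (v,) in struct.iter_unpack("!H", buf)]   # big-endian 16-bit ints

def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for a TLS record containing a ClientHello."""
    p = 9                                          # skip 5-byte record + 4-byte handshake header
    version = struct.unpack_from("!H", record, p)[0]
    p += 2 + 32                                    # version, client random
    p += 1 + record[p]                             # session id
    n = struct.unpack_from("!H", record, p)[0]
    ciphers = [c for c in _u16s(record[p + 2:p + 2 + n]) if c not in GREASE]
    p += 2 + n
    p += 1 + record[p]                             # compression methods
    exts, curves, points = [], [], []
    end = len(record)
    if p < end:                                    # extensions block is optional
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
    while p < end:
        etype, elen = struct.unpack_from("!HH", record, p)
        body = record[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype in GREASE:
            continue
        exts.append(etype)
        if etype == 0x000a:                        # supported_groups (elliptic curves)
            curves = [c for c in _u16s(body[2:]) if c not in GREASE]
        elif etype == 0x000b:                      # ec_point_formats
            points = list(body[1:])
    fields = [str(version)] + ["-".join(map(str, f)) for f in (ciphers, exts, curves, points)]
    ja3 = ",".join(fields)
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def build_sample_client_hello():
    """Constructed TLS 1.2 ClientHello record (sample data, not a real capture)."""
    ciphers = struct.pack("!4H", 0x1a1a, 0x1301, 0xc02b, 0x002f)            # first one is GREASE
    exts = b"".join([
        struct.pack("!HH", 0x0000, 14) + b"\x00\x0c\x00\x00\x09localhost",       # server_name
        struct.pack("!HH", 0x0a0a, 0),                                            # GREASE extension
        struct.pack("!HH", 0x000a, 8) + struct.pack("!4H", 6, 0x1d, 0x17, 0x18),  # supported_groups
        struct.pack("!HH", 0x000b, 2) + b"\x01\x00",                              # ec_point_formats
        struct.pack("!HH", 0x0023, 0),                                            # session_ticket
    ])
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", len(ciphers))
            + ciphers + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

Because the hash covers only the client's offered parameters, two different programs built on the same TLS stack can share a JA3 hash, so treat a match as a pivot point for investigation rather than proof of a specific tool.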
In my case, I had to edit the /etc/suricata/suricata.yaml file to change the network adapter from eth0 to ens33 and restart the service.
Suricata + Moloch
Now that Suricata is installed, you need to change the Moloch configuration to load the Suricata plugin; you also need to point Moloch at your Suricata eve.json file.
Find and edit your /data/moloch/etc/config.ini file; my Suricata section of config.ini looks like:
We can see Suricata flagged the SMB packets and hit a bunch of PowerShell rules. Neat!
Notes + Credits
I'm usually more comfortable with endpoint rather than network detections, but I think the Moloch+JA3+Suricata combo is an extremely powerful layer to add to your defenses.
None of this is new info, I just wanted to provide an overview as it took some Googling to put it together, maybe this could save someone a few minutes :)