What is JARM?
JARM is an active Transport Layer Security (TLS) server fingerprinting tool developed by Salesforce's security team. It works by sending 10 specially crafted TLS Client Hello packets to a target server and capturing the TLS Server Hello responses. The unique responses are then hashed to produce a 62-character JARM fingerprint.
How JARM Works
- Send 10 different TLS Client Hello packets, varying TLS version, cipher suites, and extensions
- Capture the server's TLS Server Hello response for each packet
- Hash the combined responses into a 62-character fingerprint
The resulting hash uniquely identifies a server's TLS implementation and configuration. Servers running the same software with the same configuration will produce identical JARM hashes.
Example JARM Hashes
| JARM Hash (truncated) | Server Type |
|---|---|
| 27d40d40d29d40d1dc... | Cobalt Strike C2 |
| 07d14d16d21d21d07c... | Metasploit |
| 29d29d15d29d29d29d... | Standard nginx |
Use Cases
- Threat hunting — identify C2 (Command and Control) servers by known JARM signatures
- Server identification — group servers by their TLS configuration
- Malware detection — known malware frameworks have specific JARM signatures
- Infrastructure mapping — identify related servers across different IPs
- CDN identification — different CDNs produce distinct JARM hashes
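The threat-hunting and infrastructure-mapping use cases above, as an added Python example (not code from Zondex or the JARM project): it validates fingerprints, groups IPs that share a JARM hash, and labels clusters using the truncated prefixes from the table. The scan records and the `pad` and `triage` helpers are constructed for illustration, and prefix matching is used only because the page lists truncated hashes.

```python
import re
from collections import defaultdict

# Truncated prefixes exactly as listed in the table on this page.
KNOWN_PREFIXES = {
    "27d40d40d29d40d1dc": "Cobalt Strike C2",
    "07d14d16d21d21d07c": "Metasploit",
    "29d29d15d29d29d29d": "Standard nginx",
}
JARM_RE = re.compile(r"^[0-9a-f]{62}$")
ALL_ZERO = "0" * 62  # what the JARM tool emits when no probe got a Server Hello

def pad(prefix, fill):
    """Build a CONSTRUCTED 62-character value for this demo; not a real fingerprint."""
    return prefix + fill * (62 - len(prefix))

# Constructed scan records (documentation-range IPs), not real observations.
SCAN = [
    ("192.0.2.10", pad("27d40d40d29d40d1dc", "a")),
    ("198.51.100.7", pad("27d40d40d29d40d1dc", "a")),
    ("203.0.113.5", pad("29d29d15d29d29d29d", "b")),
    ("203.0.113.9", ALL_ZERO),
    ("192.0.2.44", "not-a-jarm"),
]

def triage(records):
    """Return (clusters, labels, rejected) for a list of (ip, jarm) records."""
    clusters, labels, rejected = defaultdict(list), {}, []
    for ip, jarm in records:
        jarm = jarm.strip().lower()
        if not JARM_RE.match(jarm) or jarm == ALL_ZERO:
            rejected.append(ip)  # malformed value, or nothing to fingerprint
            continue
        clusters[jarm].append(ip)  # same hash on different IPs: related config
        for prefix, name in KNOWN_PREFIXES.items():
            if jarm.startswith(prefix):
                labels[jarm] = name
    return dict(clusters), labels, rejected

if __name__ == "__main__":
    clusters, labels, rejected = triage(SCAN)
    for jarm, ips in clusters.items():
        print(labels.get(jarm, "unlabelled"), jarm[:18] + "...", ips)
    print("rejected:", rejected)
```

Treat a label as a lead to corroborate with other evidence: as stated above, any server running the same software with the same configuration produces the same hash.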
Search on Zondex
Use the jarm: filter to search by JARM fingerprint:
- jarm:<hash> — find all servers matching a specific JARM fingerprint
- tls:true product:nginx — find TLS-enabled nginx servers to compare JARM hashes