

Interactive Networking Fingerprinting Walkthrough
Workshop Host: Vlad Iliushin
As scanning and reconnaissance grow ever more diverse - from public platforms like Shodan and Censys to stealthy probing by botnets and bulletproof hosting - security teams need better ways to profile who’s on the other side of their network connections. This talk traces the evolution of network fingerprinting, beginning with passive tools like p0f and advancing through modern methods such as JA3/JA4, JA4+, and MuonFP.
We’ll demonstrate how each fingerprint reflects subtle variations in the TCP handshake and TLS ClientHello - and how an appreciation for what happens “under the hood” in your OS’s network stack can help you extract even richer signals. You’ll see real-world examples of identifying fast scanners, simple banner-grabbers, VPN tunnels, and jump-server connections.
By the end, you’ll know how to integrate these fingerprints into your security workflows - where they shine, where they fall short, and how they can both harden your defenses and help you avoid detection by public scanning services. Attendees will leave with examples they can apply immediately to protect critical infrastructure.
An understanding of the TCP three-way handshake and of a TLS ClientHello is all you need to get the most out of this session. For extra fun, a high-level familiarity with the Linux or Windows kernel network stack helps.