fingerprint-mcp 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (269) hide show
  1. package/LICENSE +663 -0
  2. package/README.ar.md +767 -0
  3. package/README.bn.md +767 -0
  4. package/README.bs.md +767 -0
  5. package/README.da.md +767 -0
  6. package/README.de.md +770 -0
  7. package/README.el.md +767 -0
  8. package/README.es.md +769 -0
  9. package/README.fr.md +769 -0
  10. package/README.hi.md +767 -0
  11. package/README.it.md +767 -0
  12. package/README.ja.md +767 -0
  13. package/README.ko.md +772 -0
  14. package/README.md +767 -0
  15. package/README.no.md +767 -0
  16. package/README.pl.md +767 -0
  17. package/README.pt-BR.md +767 -0
  18. package/README.ru.md +767 -0
  19. package/README.th.md +767 -0
  20. package/README.tr.md +767 -0
  21. package/README.uk.md +767 -0
  22. package/README.vi.md +767 -0
  23. package/README.zh-TW.md +768 -0
  24. package/README.zh.md +768 -0
  25. package/dist/app/index.d.ts +3 -0
  26. package/dist/app/index.d.ts.map +1 -0
  27. package/dist/app/index.js +614 -0
  28. package/dist/app/index.js.map +1 -0
  29. package/dist/composite/analyze.d.ts +3 -0
  30. package/dist/composite/analyze.d.ts.map +1 -0
  31. package/dist/composite/analyze.js +59 -0
  32. package/dist/composite/analyze.js.map +1 -0
  33. package/dist/composite/correlate.d.ts +3 -0
  34. package/dist/composite/correlate.d.ts.map +1 -0
  35. package/dist/composite/correlate.js +184 -0
  36. package/dist/composite/correlate.js.map +1 -0
  37. package/dist/composite/enumerate.d.ts +3 -0
  38. package/dist/composite/enumerate.d.ts.map +1 -0
  39. package/dist/composite/enumerate.js +94 -0
  40. package/dist/composite/enumerate.js.map +1 -0
  41. package/dist/composite/helpers.d.ts +22 -0
  42. package/dist/composite/helpers.d.ts.map +1 -0
  43. package/dist/composite/helpers.js +111 -0
  44. package/dist/composite/helpers.js.map +1 -0
  45. package/dist/composite/index.d.ts +3 -0
  46. package/dist/composite/index.d.ts.map +1 -0
  47. package/dist/composite/index.js +29 -0
  48. package/dist/composite/index.js.map +1 -0
  49. package/dist/composite/meta.d.ts +3 -0
  50. package/dist/composite/meta.d.ts.map +1 -0
  51. package/dist/composite/meta.js +23 -0
  52. package/dist/composite/meta.js.map +1 -0
  53. package/dist/composite/osint.d.ts +3 -0
  54. package/dist/composite/osint.d.ts.map +1 -0
  55. package/dist/composite/osint.js +40 -0
  56. package/dist/composite/osint.js.map +1 -0
  57. package/dist/composite/recon.d.ts +3 -0
  58. package/dist/composite/recon.d.ts.map +1 -0
  59. package/dist/composite/recon.js +131 -0
  60. package/dist/composite/recon.js.map +1 -0
  61. package/dist/composite/scan-dns.d.ts +3 -0
  62. package/dist/composite/scan-dns.d.ts.map +1 -0
  63. package/dist/composite/scan-dns.js +44 -0
  64. package/dist/composite/scan-dns.js.map +1 -0
  65. package/dist/composite/scan-http.d.ts +3 -0
  66. package/dist/composite/scan-http.d.ts.map +1 -0
  67. package/dist/composite/scan-http.js +68 -0
  68. package/dist/composite/scan-http.js.map +1 -0
  69. package/dist/composite/scan-paths.d.ts +3 -0
  70. package/dist/composite/scan-paths.d.ts.map +1 -0
  71. package/dist/composite/scan-paths.js +32 -0
  72. package/dist/composite/scan-paths.js.map +1 -0
  73. package/dist/composite/scan-ports.d.ts +3 -0
  74. package/dist/composite/scan-ports.d.ts.map +1 -0
  75. package/dist/composite/scan-ports.js +79 -0
  76. package/dist/composite/scan-ports.js.map +1 -0
  77. package/dist/composite/scan-services.d.ts +3 -0
  78. package/dist/composite/scan-services.d.ts.map +1 -0
  79. package/dist/composite/scan-services.js +111 -0
  80. package/dist/composite/scan-services.js.map +1 -0
  81. package/dist/composite/scan-tls.d.ts +3 -0
  82. package/dist/composite/scan-tls.d.ts.map +1 -0
  83. package/dist/composite/scan-tls.js +32 -0
  84. package/dist/composite/scan-tls.js.map +1 -0
  85. package/dist/composite/scan-waf.d.ts +3 -0
  86. package/dist/composite/scan-waf.d.ts.map +1 -0
  87. package/dist/composite/scan-waf.js +35 -0
  88. package/dist/composite/scan-waf.js.map +1 -0
  89. package/dist/correlation/index.d.ts +3 -0
  90. package/dist/correlation/index.d.ts.map +1 -0
  91. package/dist/correlation/index.js +1044 -0
  92. package/dist/correlation/index.js.map +1 -0
  93. package/dist/data/analytics-patterns.d.ts +21 -0
  94. package/dist/data/analytics-patterns.d.ts.map +1 -0
  95. package/dist/data/analytics-patterns.js +449 -0
  96. package/dist/data/analytics-patterns.js.map +1 -0
  97. package/dist/data/app-signatures.d.ts +52 -0
  98. package/dist/data/app-signatures.d.ts.map +1 -0
  99. package/dist/data/app-signatures.js +1143 -0
  100. package/dist/data/app-signatures.js.map +1 -0
  101. package/dist/data/c2-signatures.d.ts +54 -0
  102. package/dist/data/c2-signatures.d.ts.map +1 -0
  103. package/dist/data/c2-signatures.js +256 -0
  104. package/dist/data/c2-signatures.js.map +1 -0
  105. package/dist/data/cloud-ranges.d.ts +34 -0
  106. package/dist/data/cloud-ranges.d.ts.map +1 -0
  107. package/dist/data/cloud-ranges.js +628 -0
  108. package/dist/data/cloud-ranges.js.map +1 -0
  109. package/dist/data/cookie-patterns.d.ts +28 -0
  110. package/dist/data/cookie-patterns.d.ts.map +1 -0
  111. package/dist/data/cookie-patterns.js +225 -0
  112. package/dist/data/cookie-patterns.js.map +1 -0
  113. package/dist/data/error-signatures.d.ts +19 -0
  114. package/dist/data/error-signatures.d.ts.map +1 -0
  115. package/dist/data/error-signatures.js +321 -0
  116. package/dist/data/error-signatures.js.map +1 -0
  117. package/dist/data/favicon-hashes.d.ts +25 -0
  118. package/dist/data/favicon-hashes.d.ts.map +1 -0
  119. package/dist/data/favicon-hashes.js +249 -0
  120. package/dist/data/favicon-hashes.js.map +1 -0
  121. package/dist/data/h2-signatures.d.ts +50 -0
  122. package/dist/data/h2-signatures.d.ts.map +1 -0
  123. package/dist/data/h2-signatures.js +211 -0
  124. package/dist/data/h2-signatures.js.map +1 -0
  125. package/dist/data/header-order.d.ts +38 -0
  126. package/dist/data/header-order.d.ts.map +1 -0
  127. package/dist/data/header-order.js +185 -0
  128. package/dist/data/header-order.js.map +1 -0
  129. package/dist/data/jarm-signatures.d.ts +25 -0
  130. package/dist/data/jarm-signatures.d.ts.map +1 -0
  131. package/dist/data/jarm-signatures.js +213 -0
  132. package/dist/data/jarm-signatures.js.map +1 -0
  133. package/dist/data/saas-patterns.d.ts +23 -0
  134. package/dist/data/saas-patterns.d.ts.map +1 -0
  135. package/dist/data/saas-patterns.js +139 -0
  136. package/dist/data/saas-patterns.js.map +1 -0
  137. package/dist/data/sensitive-paths.d.ts +12 -0
  138. package/dist/data/sensitive-paths.d.ts.map +1 -0
  139. package/dist/data/sensitive-paths.js +1539 -0
  140. package/dist/data/sensitive-paths.js.map +1 -0
  141. package/dist/data/service-banners.d.ts +59 -0
  142. package/dist/data/service-banners.d.ts.map +1 -0
  143. package/dist/data/service-banners.js +323 -0
  144. package/dist/data/service-banners.js.map +1 -0
  145. package/dist/data/smtp-signatures.d.ts +12 -0
  146. package/dist/data/smtp-signatures.d.ts.map +1 -0
  147. package/dist/data/smtp-signatures.js +350 -0
  148. package/dist/data/smtp-signatures.js.map +1 -0
  149. package/dist/data/takeover-patterns.d.ts +37 -0
  150. package/dist/data/takeover-patterns.d.ts.map +1 -0
  151. package/dist/data/takeover-patterns.js +249 -0
  152. package/dist/data/takeover-patterns.js.map +1 -0
  153. package/dist/data/tech-patterns.d.ts +44 -0
  154. package/dist/data/tech-patterns.d.ts.map +1 -0
  155. package/dist/data/tech-patterns.js +690 -0
  156. package/dist/data/tech-patterns.js.map +1 -0
  157. package/dist/data/waf-signatures.d.ts +21 -0
  158. package/dist/data/waf-signatures.d.ts.map +1 -0
  159. package/dist/data/waf-signatures.js +318 -0
  160. package/dist/data/waf-signatures.js.map +1 -0
  161. package/dist/dns/index.d.ts +3 -0
  162. package/dist/dns/index.d.ts.map +1 -0
  163. package/dist/dns/index.js +1067 -0
  164. package/dist/dns/index.js.map +1 -0
  165. package/dist/enum/index.d.ts +3 -0
  166. package/dist/enum/index.d.ts.map +1 -0
  167. package/dist/enum/index.js +818 -0
  168. package/dist/enum/index.js.map +1 -0
  169. package/dist/h2/index.d.ts +3 -0
  170. package/dist/h2/index.d.ts.map +1 -0
  171. package/dist/h2/index.js +414 -0
  172. package/dist/h2/index.js.map +1 -0
  173. package/dist/http/index.d.ts +3 -0
  174. package/dist/http/index.d.ts.map +1 -0
  175. package/dist/http/index.js +2444 -0
  176. package/dist/http/index.js.map +1 -0
  177. package/dist/identify/index.d.ts +3 -0
  178. package/dist/identify/index.d.ts.map +1 -0
  179. package/dist/identify/index.js +447 -0
  180. package/dist/identify/index.js.map +1 -0
  181. package/dist/index.d.ts +3 -0
  182. package/dist/index.d.ts.map +1 -0
  183. package/dist/index.js +165 -0
  184. package/dist/index.js.map +1 -0
  185. package/dist/infra/index.d.ts +3 -0
  186. package/dist/infra/index.d.ts.map +1 -0
  187. package/dist/infra/index.js +989 -0
  188. package/dist/infra/index.js.map +1 -0
  189. package/dist/iot/index.d.ts +3 -0
  190. package/dist/iot/index.d.ts.map +1 -0
  191. package/dist/iot/index.js +610 -0
  192. package/dist/iot/index.js.map +1 -0
  193. package/dist/meta/index.d.ts +3 -0
  194. package/dist/meta/index.d.ts.map +1 -0
  195. package/dist/meta/index.js +442 -0
  196. package/dist/meta/index.js.map +1 -0
  197. package/dist/osint/index.d.ts +3 -0
  198. package/dist/osint/index.d.ts.map +1 -0
  199. package/dist/osint/index.js +687 -0
  200. package/dist/osint/index.js.map +1 -0
  201. package/dist/passive/index.d.ts +3 -0
  202. package/dist/passive/index.d.ts.map +1 -0
  203. package/dist/passive/index.js +944 -0
  204. package/dist/passive/index.js.map +1 -0
  205. package/dist/path/index.d.ts +3 -0
  206. package/dist/path/index.d.ts.map +1 -0
  207. package/dist/path/index.js +878 -0
  208. package/dist/path/index.js.map +1 -0
  209. package/dist/protocol/mcp-server.d.ts +4 -0
  210. package/dist/protocol/mcp-server.d.ts.map +1 -0
  211. package/dist/protocol/mcp-server.js +32 -0
  212. package/dist/protocol/mcp-server.js.map +1 -0
  213. package/dist/protocol/tools.d.ts +3 -0
  214. package/dist/protocol/tools.d.ts.map +1 -0
  215. package/dist/protocol/tools.js +5 -0
  216. package/dist/protocol/tools.js.map +1 -0
  217. package/dist/service/index.d.ts +3 -0
  218. package/dist/service/index.d.ts.map +1 -0
  219. package/dist/service/index.js +1053 -0
  220. package/dist/service/index.js.map +1 -0
  221. package/dist/smtp/index.d.ts +3 -0
  222. package/dist/smtp/index.d.ts.map +1 -0
  223. package/dist/smtp/index.js +437 -0
  224. package/dist/smtp/index.js.map +1 -0
  225. package/dist/ssh/index.d.ts +3 -0
  226. package/dist/ssh/index.d.ts.map +1 -0
  227. package/dist/ssh/index.js +676 -0
  228. package/dist/ssh/index.js.map +1 -0
  229. package/dist/tcp/index.d.ts +3 -0
  230. package/dist/tcp/index.d.ts.map +1 -0
  231. package/dist/tcp/index.js +369 -0
  232. package/dist/tcp/index.js.map +1 -0
  233. package/dist/timing/index.d.ts +3 -0
  234. package/dist/timing/index.d.ts.map +1 -0
  235. package/dist/timing/index.js +425 -0
  236. package/dist/timing/index.js.map +1 -0
  237. package/dist/tls/index.d.ts +3 -0
  238. package/dist/tls/index.d.ts.map +1 -0
  239. package/dist/tls/index.js +1332 -0
  240. package/dist/tls/index.js.map +1 -0
  241. package/dist/types/index.d.ts +26 -0
  242. package/dist/types/index.d.ts.map +1 -0
  243. package/dist/types/index.js +8 -0
  244. package/dist/types/index.js.map +1 -0
  245. package/dist/utils/cache.d.ts +11 -0
  246. package/dist/utils/cache.d.ts.map +1 -0
  247. package/dist/utils/cache.js +35 -0
  248. package/dist/utils/cache.js.map +1 -0
  249. package/dist/utils/murmurhash3.d.ts +3 -0
  250. package/dist/utils/murmurhash3.d.ts.map +1 -0
  251. package/dist/utils/murmurhash3.js +57 -0
  252. package/dist/utils/murmurhash3.js.map +1 -0
  253. package/dist/utils/rate-limiter.d.ts +10 -0
  254. package/dist/utils/rate-limiter.d.ts.map +1 -0
  255. package/dist/utils/rate-limiter.js +35 -0
  256. package/dist/utils/rate-limiter.js.map +1 -0
  257. package/dist/utils/require-key.d.ts +2 -0
  258. package/dist/utils/require-key.d.ts.map +1 -0
  259. package/dist/utils/require-key.js +8 -0
  260. package/dist/utils/require-key.js.map +1 -0
  261. package/dist/waf/index.d.ts +3 -0
  262. package/dist/waf/index.d.ts.map +1 -0
  263. package/dist/waf/index.js +767 -0
  264. package/dist/waf/index.js.map +1 -0
  265. package/dist/web/index.d.ts +3 -0
  266. package/dist/web/index.d.ts.map +1 -0
  267. package/dist/web/index.js +1366 -0
  268. package/dist/web/index.js.map +1 -0
  269. package/package.json +66 -0
package/README.md ADDED
@@ -0,0 +1,767 @@
1
+ <p align="center">
2
+ <strong>English</strong> |
3
+ <a href="README.zh.md">简体中文</a> |
4
+ <a href="README.zh-TW.md">繁體中文</a> |
5
+ <a href="README.ko.md">한국어</a> |
6
+ <a href="README.de.md">Deutsch</a> |
7
+ <a href="README.es.md">Español</a> |
8
+ <a href="README.fr.md">Français</a> |
9
+ <a href="README.it.md">Italiano</a> |
10
+ <a href="README.da.md">Dansk</a> |
11
+ <a href="README.ja.md">日本語</a> |
12
+ <a href="README.pl.md">Polski</a> |
13
+ <a href="README.ru.md">Русский</a> |
14
+ <a href="README.bs.md">Bosanski</a> |
15
+ <a href="README.ar.md">العربية</a> |
16
+ <a href="README.no.md">Norsk</a> |
17
+ <a href="README.pt-BR.md">Português (Brasil)</a> |
18
+ <a href="README.th.md">ไทย</a> |
19
+ <a href="README.tr.md">Türkçe</a> |
20
+ <a href="README.uk.md">Українська</a> |
21
+ <a href="README.bn.md">বাংলা</a> |
22
+ <a href="README.el.md">Ελληνικά</a> |
23
+ <a href="README.vi.md">Tiếng Việt</a> |
24
+ <a href="README.hi.md">हिन्दी</a>
25
+ </p>
26
+
27
+ <p align="center">
28
+ <br>
29
+ <picture>
30
+ <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/badchars/fingerprint-mcp/main/.github/banner-dark.svg">
31
+ <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/badchars/fingerprint-mcp/main/.github/banner-light.svg">
32
+ <img alt="fingerprint-mcp" src="https://raw.githubusercontent.com/badchars/fingerprint-mcp/main/.github/banner-dark.svg" width="700">
33
+ </picture>
34
+ </p>
35
+
36
+ <h3 align="center">Universal digital fingerprinting for AI agents.</h3>
37
+
38
+ <p align="center">
39
+ TCP, TLS/SSL, SSH, HTTP, DNS, WAF/CDN, IoT, SMTP, service probing, JARM, JA4X, favicon hashing, infrastructure topology, C2 detection, OSINT enrichment &mdash; unified into a single MCP server.<br>
40
+ Your AI agent gets <b>full-spectrum fingerprinting on demand</b>, not 11 disconnected CLI tools and manual correlation.
41
+ </p>
42
+
43
+ <br>
44
+
45
+ <p align="center">
46
+ <a href="#the-problem">The Problem</a> &bull;
47
+ <a href="#how-its-different">How It's Different</a> &bull;
48
+ <a href="#quick-start">Quick Start</a> &bull;
49
+ <a href="#what-the-ai-can-do">What The AI Can Do</a> &bull;
50
+ <a href="#tools-reference-13-tools-103-techniques">Tools (13)</a> &bull;
51
+ <a href="#data-sources-21">Data Sources</a> &bull;
52
+ <a href="#architecture">Architecture</a> &bull;
53
+ <a href="CHANGELOG.md">Changelog</a> &bull;
54
+ <a href="CONTRIBUTING.md">Contributing</a>
55
+ </p>
56
+
57
+ <p align="center">
58
+ <a href="https://www.npmjs.com/package/fingerprint-mcp"><img src="https://img.shields.io/npm/v/fingerprint-mcp.svg" alt="npm"></a>
59
+ <a href="LICENSE"><img src="https://img.shields.io/badge/license-AGPL--3.0-blue.svg" alt="License"></a>
60
+ <img src="https://img.shields.io/badge/runtime-Bun-f472b6" alt="Bun">
61
+ <img src="https://img.shields.io/badge/protocol-MCP-8b5cf6" alt="MCP">
62
+ <img src="https://img.shields.io/badge/tools-13-ef4444" alt="13 Tools">
63
+ <img src="https://img.shields.io/badge/techniques-103-f97316" alt="103 Techniques">
64
+ </p>
65
+
66
+ <p align="center">
67
+ <img src="https://raw.githubusercontent.com/badchars/fingerprint-mcp/main/.github/demo.gif" alt="fingerprint-mcp demo" width="800">
68
+ </p>
69
+
70
+ ---
71
+
72
+ ## The Problem
73
+
74
+ Fingerprinting a server today means juggling a dozen disconnected tools. You run `nmap` for port scanning, `testssl.sh` for certificate analysis, `curl -I` for HTTP headers, `dig` for DNS, `wafw00f` for WAF detection, `ssh-audit` for SSH, a separate JARM tool, Wappalyzer for tech detection &mdash; and then you spend 30 minutes manually cross-referencing everything in a spreadsheet to figure out what's actually running.
75
+
76
+ ```
77
+ Traditional fingerprinting workflow:
78
+ analyze TLS certificates -> testssl.sh / openssl s_client
79
+ grab HTTP headers -> curl -I
80
+ detect web technologies -> wappalyzer CLI
81
+ DNS reconnaissance -> dig / nslookup / dnsenum
82
+ port scanning -> nmap -sV
83
+ WAF detection -> wafw00f
84
+ SSH audit -> ssh-audit
85
+ service fingerprinting -> nmap scripts
86
+ JARM fingerprint -> jarm (separate tool)
87
+ check OSINT databases -> shodan CLI, censys CLI
88
+ correlate everything -> manually in a spreadsheet
89
+ ──────────────────────────────
90
+ Total: 11 tools, 30+ minutes, manual correlation
91
+ ```
92
+
93
+ **fingerprint-mcp** gives your AI agent 13 composite tools wrapping 103 fingerprinting techniques across 21 providers via the [Model Context Protocol](https://modelcontextprotocol.io). The agent runs multi-layer fingerprinting in parallel, correlates signals across TCP/TLS/HTTP/DNS/SSH layers, detects honeypots and C2 infrastructure, and presents a unified intelligence picture &mdash; in a single conversation.
94
+
95
+ ```
96
+ With fingerprint-mcp:
97
+ You: "Do a deep recon on target.com"
98
+
99
+ Agent: -> recon {url: "https://target.com", depth: "deep"}
100
+
101
+ -> TLS: nginx/1.24.0 via JARM (3fd21b20d00000...),
102
+ Let's Encrypt cert, 2 SANs, TLS 1.2+1.3
103
+ -> HTTP: Express.js behind Cloudflare WAF,
104
+ React SPA, Google Analytics, 14 security headers analyzed
105
+ -> DNS: A/AAAA/MX/TXT records, SPF/DKIM/DMARC configured,
106
+ Slack + Google Workspace detected via CNAME/MX
107
+ -> Ports: 80, 443, 22 (OpenSSH 9.6), 8080 (dev server)
108
+ -> WAF: Cloudflare detected, origin IP discovered via direct-connect
109
+ -> Enumeration: 12 subdomains via CT logs, wildcard DNS detected
110
+ -> "target.com runs nginx/1.24.0 with Express.js behind
111
+ Cloudflare WAF. Origin IP 203.0.113.42 exposed on port 8080.
112
+ TLS is properly configured (A+ equivalent) but the dev server
113
+ on 8080 has no WAF protection. 3 subdomains point to
114
+ decommissioned infrastructure — potential takeover risk."
115
+ ```
116
+
117
+ ---
118
+
119
+ ## How It's Different
120
+
121
+ Existing tools give you raw data one layer at a time. fingerprint-mcp gives your AI agent the ability to **reason across all fingerprinting layers simultaneously**.
122
+
123
+ <table>
124
+ <thead>
125
+ <tr>
126
+ <th></th>
127
+ <th>Traditional Approach</th>
128
+ <th>fingerprint-mcp</th>
129
+ </tr>
130
+ </thead>
131
+ <tbody>
132
+ <tr>
133
+ <td><b>Interface</b></td>
134
+ <td>11 different CLI tools with different output formats</td>
135
+ <td>MCP &mdash; AI agent calls tools conversationally</td>
136
+ </tr>
137
+ <tr>
138
+ <td><b>Techniques</b></td>
139
+ <td>One tool, one layer at a time</td>
140
+ <td>103 techniques across 21 providers, run in parallel</td>
141
+ </tr>
142
+ <tr>
143
+ <td><b>TLS analysis</b></td>
144
+ <td>testssl.sh output, manually parse JARM separately</td>
145
+ <td>Agent combines certificate + JARM + JA4X + cipher suites + SNI + CT logs in one call</td>
146
+ </tr>
147
+ <tr>
148
+ <td><b>Correlation</b></td>
149
+ <td>Copy-paste results into a spreadsheet</td>
150
+ <td>Agent cross-correlates: "JARM matches known C2 framework, HTTP timing confirms honeypot"</td>
151
+ </tr>
152
+ <tr>
153
+ <td><b>WAF bypass</b></td>
154
+ <td>wafw00f detects WAF, you manually hunt for origin</td>
155
+ <td>Agent detects WAF, discovers origin IP, and verifies it serves the same content</td>
156
+ </tr>
157
+ <tr>
158
+ <td><b>API keys</b></td>
159
+ <td>Required for Shodan, Censys, etc.</td>
160
+ <td>80+ active techniques work without any API keys; keys unlock OSINT enrichment</td>
161
+ </tr>
162
+ <tr>
163
+ <td><b>Setup</b></td>
164
+ <td>Install nmap, testssl, wafw00f, ssh-audit, jarm, wappalyzer...</td>
165
+ <td><code>npx fingerprint-mcp</code> &mdash; one command, zero config</td>
166
+ </tr>
167
+ </tbody>
168
+ </table>
169
+
170
+ ---
171
+
172
+ ## Quick Start
173
+
174
+ ### Option 1: npx (no install)
175
+
176
+ ```bash
177
+ npx fingerprint-mcp
178
+ ```
179
+
180
+ All 80+ active fingerprinting techniques work immediately. No API keys required for TCP, TLS, SSH, HTTP, DNS, WAF, path, service, timing, IoT, SMTP, infrastructure, and application fingerprinting.
181
+
182
+ ### Option 2: Clone
183
+
184
+ ```bash
185
+ git clone https://github.com/badchars/fingerprint-mcp.git
186
+ cd fingerprint-mcp
187
+ bun install
188
+ ```
189
+
190
+ ### Environment variables (optional)
191
+
192
+ ```bash
193
+ # OSINT enrichment (all optional — active fingerprinting works without any keys)
194
+ export SHODAN_API_KEY=your-key # Enables osint_shodan, ssh_hostkey_lookup
195
+ export CENSYS_API_ID=your-id # Enables osint_censys (free: 250 queries/month)
196
+ export CENSYS_API_SECRET=your-secret # Censys API secret
197
+ export SECURITYTRAILS_API_KEY=your-key # Enables waf_origin, enum_passive_dns
198
+ export VIRUSTOTAL_API_KEY=your-key # Enables osint_virustotal (free: 500 queries/day)
199
+ ```
200
+
201
+ All API keys are optional. Without them, you still get full TCP/TLS/SSH/HTTP/DNS/WAF/path/service/timing/IoT/SMTP/infrastructure/application fingerprinting, correlation, passive analysis, enumeration, and meta tools &mdash; 80+ techniques that work by directly probing the target.
202
+
203
+ ### Connect to your AI agent
204
+
205
+ <details open>
206
+ <summary><b>Claude Code</b></summary>
207
+
208
+ ```bash
209
+ # With npx
210
+ claude mcp add fingerprint-mcp -- npx fingerprint-mcp
211
+
212
+ # With local clone
213
+ claude mcp add fingerprint-mcp -- bun run /path/to/fingerprint-mcp/src/index.ts
214
+ ```
215
+
216
+ </details>
217
+
218
+ <details>
219
+ <summary><b>Claude Desktop</b></summary>
220
+
221
+ Add to `~/Library/Application Support/Claude/claude_desktop_config.json`:
222
+
223
+ ```json
224
+ {
225
+ "mcpServers": {
226
+ "fingerprint": {
227
+ "command": "npx",
228
+ "args": ["-y", "fingerprint-mcp"],
229
+ "env": {
230
+ "SHODAN_API_KEY": "optional",
231
+ "CENSYS_API_ID": "optional",
232
+ "CENSYS_API_SECRET": "optional",
233
+ "SECURITYTRAILS_API_KEY": "optional",
234
+ "VIRUSTOTAL_API_KEY": "optional"
235
+ }
236
+ }
237
+ }
238
+ }
239
+ ```
240
+
241
+ </details>
242
+
243
+ <details>
244
+ <summary><b>Cursor / Windsurf / other MCP clients</b></summary>
245
+
246
+ Same JSON config format. Point the command to `npx fingerprint-mcp` or your local installation path.
247
+
248
+ </details>
249
+
250
+ ### Start querying
251
+
252
+ ```
253
+ You: "Fingerprint everything about target.com — TLS, HTTP stack, WAF, DNS, open ports"
254
+ ```
255
+
256
+ That's it. The agent handles multi-layer fingerprinting, signal correlation, and infrastructure analysis automatically.
257
+
258
+ ---
259
+
260
+ ## What The AI Can Do
261
+
262
+ ### Quick Recon
263
+
264
+ ```
265
+ You: "Quick recon on target.com"
266
+
267
+ Agent: -> recon {url: "https://target.com", depth: "quick"}
268
+
269
+ -> TCP: ports 80, 443, 22 open
270
+ -> TLS: Let's Encrypt RSA cert, TLS 1.2+1.3, nginx JARM signature
271
+ -> HTTP: nginx/1.24.0, Express.js, React, Cloudflare CDN
272
+ -> DNS: A 203.0.113.42, MX Google Workspace, SPF/DKIM configured
273
+ -> WAF: Cloudflare detected (cf-ray header)
274
+ -> "target.com is a React SPA on Express.js behind nginx/1.24.0,
275
+ served through Cloudflare CDN. TLS properly configured with
276
+ Let's Encrypt. SSH on port 22 running OpenSSH 9.6. Email
277
+ handled by Google Workspace with full SPF/DKIM/DMARC."
278
+ ```
279
+
280
+ ### Deep TLS Investigation
281
+
282
+ ```
283
+ You: "Analyze the TLS configuration of suspicious-server.com in detail"
284
+
285
+ Agent: -> scan_tls {host: "suspicious-server.com"}
286
+
287
+ -> Certificate: self-signed, CN=localhost, expired 47 days ago
288
+ -> JARM: 2ad2ad0002ad2ad00042d42d00000069d641f34fe76acdc05c40262f8815e5
289
+ (matches Cobalt Strike default profile)
290
+ -> JA4X: fingerprint matches known C2 framework pattern
291
+ -> Cipher suites: accepts weak ciphers (RC4, 3DES)
292
+ -> SNI: responds identically to any SNI value
293
+ -> CT logs: certificate not logged (not publicly trusted)
294
+ -> "HIGH RISK: TLS configuration strongly indicates C2 infrastructure.
295
+ Self-signed expired cert, JARM fingerprint matches Cobalt Strike,
296
+ accepts weak ciphers, and responds to arbitrary SNI values.
297
+ Recommend immediate investigation and blocking."
298
+ ```
299
+
300
+ ### WAF Bypass & Origin Discovery
301
+
302
+ ```
303
+ You: "target.com is behind a WAF. Can you find the origin server?"
304
+
305
+ Agent: -> scan_waf {url: "https://target.com"}
306
+ -> scan_dns {domain: "target.com"}
307
+ -> enumerate {domain: "target.com"}
308
+
309
+ -> WAF: Cloudflare (AS13335), challenge page on suspicious requests
310
+ -> DNS: A record points to Cloudflare IP 104.21.x.x
311
+ -> Subdomains: dev.target.com resolves to 203.0.113.42 (non-Cloudflare)
312
+ -> Direct connect to 203.0.113.42:443 returns same TLS cert
313
+ -> SecurityTrails historical: origin was 203.0.113.42 before Cloudflare
314
+ -> "Origin IP found: 203.0.113.42. Discovered via dev.target.com
315
+ subdomain which bypasses Cloudflare. The origin serves the same
316
+ TLS certificate and responds to the target.com Host header.
317
+ Origin has no WAF protection — direct access possible."
318
+ ```
319
+
320
+ ### Service Discovery on a Host
321
+
322
+ ```
323
+ You: "What services are running on 10.0.1.50?"
324
+
325
+ Agent: -> scan_ports {host: "10.0.1.50"}
326
+ -> scan_services {host: "10.0.1.50", ports: [22, 80, 3306, 5432, 6379, 8080]}
327
+
328
+ -> Port 22: OpenSSH 8.9p1 Ubuntu, ED25519 host key
329
+ -> Port 80: Apache/2.4.57, PHP/8.2, WordPress 6.4
330
+ -> Port 3306: MySQL 8.0.36, authentication required
331
+ -> Port 5432: PostgreSQL 16.1, SSL required
332
+ -> Port 6379: Redis 7.2.4, NO authentication (open)
333
+ -> Port 8080: Node.js Express dev server, CORS: *
334
+ -> "CRITICAL: Redis on port 6379 has no authentication — anyone on
335
+ the network can read/write data. The Express dev server on 8080
336
+ has wildcard CORS. MySQL and PostgreSQL properly require auth.
337
+ WordPress is 2 minor versions behind. Immediate action needed
338
+ on Redis and the dev server exposure."
339
+ ```
340
+
341
+ ---
342
+
343
+ ## Tools Reference (13 tools, 103 techniques)
344
+
345
+ <details open>
346
+ <summary><b>recon &mdash; Full reconnaissance with depth-based technique selection</b></summary>
347
+
348
+ | Parameter | Type | Description |
349
+ |-----------|------|-------------|
350
+ | `url` | string | Target URL to fingerprint |
351
+ | `depth` | `quick` \| `standard` \| `deep` | Scan depth: quick=5 techniques, standard=20, deep=50+ |
352
+
353
+ Orchestrates techniques from all providers based on depth level. Quick mode gives a fast overview; deep mode runs exhaustive fingerprinting including enumeration, OSINT, and correlation.
354
+
355
+ </details>
356
+
357
+ <details>
358
+ <summary><b>scan_ports &mdash; TCP port scanning with service detection (3 techniques)</b></summary>
359
+
360
+ | Parameter | Type | Description |
361
+ |-----------|------|-------------|
362
+ | `host` | string | Target host (IP or domain) |
363
+ | `ports` | number[] | Optional &mdash; specific ports to scan (defaults to common ports) |
364
+
365
+ | Technique | Description |
366
+ |-----------|-------------|
367
+ | `tcp_probe` | TCP connect scan to detect open ports |
368
+ | `tcp_banner` | Banner grabbing on open ports for service identification |
369
+ | `tcp_analysis` | Port combination analysis and service inference |
370
+
371
+ </details>
372
+
373
+ <details>
374
+ <summary><b>scan_tls &mdash; Complete TLS/SSL analysis (8 techniques)</b></summary>
375
+
376
+ | Parameter | Type | Description |
377
+ |-----------|------|-------------|
378
+ | `host` | string | Target host (IP or domain) |
379
+ | `port` | number | Optional &mdash; TLS port (default: 443) |
380
+
381
+ | Technique | Description |
382
+ |-----------|-------------|
383
+ | `tls_certificate` | X.509 certificate parsing &mdash; subject, issuer, SANs, validity, chain |
384
+ | `tls_jarm` | JARM active fingerprinting &mdash; 10 TLS Client Hello probes, 62-char hash |
385
+ | `tls_ja4x` | JA4X passive TLS fingerprinting from certificate properties |
386
+ | `tls_ciphers` | Cipher suite enumeration and strength analysis |
387
+ | `tls_protocols` | Supported TLS protocol version detection (SSLv3 through TLS 1.3) |
388
+ | `tls_sni` | SNI behavior testing &mdash; default cert vs. requested hostname |
389
+ | `tls_ct_logs` | Certificate Transparency log lookup via crt.sh |
390
+ | `tls_ocsp` | OCSP stapling and revocation status check |
391
+
392
+ </details>
393
+
394
+ <details>
395
+ <summary><b>scan_dns &mdash; DNS intelligence (7 techniques)</b></summary>
396
+
397
+ | Parameter | Type | Description |
398
+ |-----------|------|-------------|
399
+ | `domain` | string | Target domain |
400
+
401
+ | Technique | Description |
402
+ |-----------|-------------|
403
+ | `dns_records` | Full record enumeration &mdash; A, AAAA, MX, NS, TXT, CNAME, SOA |
404
+ | `dns_email_auth` | SPF, DKIM, and DMARC record analysis |
405
+ | `dns_saas` | SaaS/service detection via CNAME and MX patterns (Slack, Zendesk, etc.) |
406
+ | `dns_server` | DNS server fingerprinting (BIND, PowerDNS, Cloudflare, etc.) |
407
+ | `dns_takeover` | Subdomain takeover detection via dangling CNAME analysis |
408
+ | `dns_zone` | Zone transfer attempt (AXFR) |
409
+ | `dns_caa` | CAA record analysis for certificate authority restrictions |
410
+
411
+ </details>
412
+
413
+ <details>
414
+ <summary><b>scan_http &mdash; HTTP/web fingerprinting (29 techniques)</b></summary>
415
+
416
+ | Parameter | Type | Description |
417
+ |-----------|------|-------------|
418
+ | `url` | string | Target URL |
419
+
420
+ | Technique | Provider | Description |
421
+ |-----------|----------|-------------|
422
+ | `http_headers` | HTTP | Response header analysis and server identification |
423
+ | `http_header_order` | HTTP | Header ordering fingerprint (server software signature) |
424
+ | `http_security_headers` | HTTP | Security header audit (CSP, HSTS, X-Frame-Options, etc.) |
425
+ | `http_cookies` | HTTP | Cookie analysis &mdash; flags, prefixes, framework detection |
426
+ | `http_methods` | HTTP | Allowed HTTP method enumeration (OPTIONS) |
427
+ | `http_cors` | HTTP | CORS policy analysis and misconfiguration detection |
428
+ | `http_compression` | HTTP | Supported compression algorithms (gzip, br, zstd) |
429
+ | `http_caching` | HTTP | Cache header analysis (CDN, reverse proxy detection) |
430
+ | `http_etag` | HTTP | ETag format analysis for backend identification |
431
+ | `http_error` | HTTP | Error page fingerprinting (custom vs. default error pages) |
432
+ | `http_redirect` | HTTP | Redirect chain analysis |
433
+ | `http_timing` | HTTP | Response timing baseline for server performance profiling |
434
+ | `http_favicon` | HTTP | Favicon hash (MurmurHash3) for technology identification |
435
+ | `http_robots` | HTTP | robots.txt parsing and disallowed path extraction |
436
+ | `http_sitemap` | HTTP | Sitemap discovery and URL extraction |
437
+ | `http_wellknown` | HTTP | .well-known endpoint discovery (security.txt, openid, etc.) |
438
+ | `web_tech` | Web | Technology detection via HTML/JS/CSS patterns |
439
+ | `web_analytics` | Web | Analytics and tracking service detection |
440
+ | `web_sourcemaps` | Web | Source map file discovery |
441
+ | `web_websocket` | Web | WebSocket endpoint detection |
442
+ | `web_graphql` | Web | GraphQL endpoint detection and introspection |
443
+ | `web_spa` | Web | Single-page application framework detection |
444
+ | `web_cdn` | Web | CDN detection via response headers and DNS |
445
+ | `web_meta` | Web | HTML meta tag analysis (generator, framework hints) |
446
+ | `web_feed` | Web | RSS/Atom feed discovery |
447
+ | `h2_detect` | HTTP/2 | HTTP/2 protocol support detection |
448
+ | `h2_fingerprint` | HTTP/2 | HTTP/2 server fingerprinting (SETTINGS, WINDOW_UPDATE) |
449
+ | `h2_h3` | HTTP/2 | HTTP/3 (QUIC) support detection via Alt-Svc header |
450
+ | `app_cms` | Application | CMS detection (WordPress, Drupal, Joomla, etc.) |
451
+
452
+ </details>
453
+
454
+ <details>
455
+ <summary><b>scan_paths &mdash; Path intelligence (5 techniques)</b></summary>
456
+
457
+ | Parameter | Type | Description |
458
+ |-----------|------|-------------|
459
+ | `url` | string | Target URL |
460
+ | `categories` | string[] | Optional &mdash; categories to check (sensitive, git, debug, api, config) |
461
+
462
+ | Technique | Description |
463
+ |-----------|-------------|
464
+ | `path_sensitive` | Sensitive file discovery (backup files, config files, database dumps) |
465
+ | `path_robots` | robots.txt and sitemap.xml analysis for hidden paths |
466
+ | `path_git` | Git repository leak detection (.git/HEAD, .git/config) |
467
+ | `path_debug` | Debug endpoint discovery (phpinfo, server-status, debug consoles) |
468
+ | `path_api` | API version and documentation endpoint discovery |
469
+
470
+ </details>
471
+
472
+ <details>
473
+ <summary><b>scan_waf &mdash; WAF/CDN detection and fingerprinting (4 techniques)</b></summary>
474
+
475
+ | Parameter | Type | Description |
476
+ |-----------|------|-------------|
477
+ | `url` | string | Target URL |
478
+
479
+ | Technique | Description |
480
+ |-----------|-------------|
481
+ | `waf_detect` | WAF presence detection via response header and behavior analysis |
482
+ | `waf_cdn` | CDN provider identification (Cloudflare, Akamai, Fastly, etc.) |
483
+ | `waf_fingerprint` | WAF product identification and version detection |
484
+ | `waf_origin` | Origin IP discovery behind WAF/CDN (requires `SECURITYTRAILS_API_KEY`) |
485
+
486
+ </details>
487
+
488
+ <details>
489
+ <summary><b>scan_services &mdash; Service-level probing (12 techniques)</b></summary>
490
+
491
+ | Parameter | Type | Description |
492
+ |-----------|------|-------------|
493
+ | `host` | string | Target host (IP or domain) |
494
+ | `ports` | number[] | Optional &mdash; specific ports to probe |
495
+ | `service` | string | Optional &mdash; specific service to probe (mysql, postgres, redis, ftp, ssh, smtp, vnc, iot) |
496
+
497
+ | Technique | Provider | Description |
498
+ |-----------|----------|-------------|
499
+ | `ssh_probe` | SSH | SSH protocol version and software detection |
500
+ | `ssh_algorithms` | SSH | SSH algorithm audit (KEX, ciphers, MACs, host key types) |
501
+ | `ssh_hostkey_lookup` | SSH | SSH host key lookup via Shodan (requires `SHODAN_API_KEY`) |
502
+ | `svc_mysql` | Service | MySQL version detection and capability fingerprinting |
503
+ | `svc_postgres` | Service | PostgreSQL version detection and SSL support check |
504
+ | `svc_redis` | Service | Redis version detection and authentication status |
505
+ | `svc_ftp` | Service | FTP banner analysis and anonymous login check |
506
+ | `svc_vnc_rdp` | Service | VNC/RDP service detection and security assessment |
507
+ | `smtp_banner` | SMTP | SMTP banner analysis and MTA identification |
508
+ | `smtp_starttls` | SMTP | SMTP STARTTLS support and certificate inspection |
509
+ | `iot_detect` | IoT | IoT device detection via banner patterns and default pages |
510
+ | `iot_upnp` | IoT | UPnP/SSDP device discovery on local network |
511
+
512
+ </details>
513
+
514
+ <details>
515
+ <summary><b>enumerate &mdash; Scope expansion (8 techniques)</b></summary>
516
+
517
+ | Parameter | Type | Description |
518
+ |-----------|------|-------------|
519
+ | `domain` | string | Target domain |
520
+
521
+ | Technique | Description |
522
+ |-----------|-------------|
523
+ | `enum_subdomains` | Subdomain enumeration via multiple methods |
524
+ | `enum_wildcard` | Wildcard DNS detection |
525
+ | `enum_tld` | TLD expansion (target.com -> target.net, target.org, etc.) |
526
+ | `enum_related` | Related domain discovery via shared infrastructure |
527
+ | `enum_asn` | ASN neighbor discovery &mdash; other domains on same network |
528
+ | `enum_ct` | Certificate Transparency log subdomain extraction |
529
+ | `enum_passive_dns` | Passive DNS history (requires `SECURITYTRAILS_API_KEY`) |
530
+ | `enum_scope` | Scope summary and attack surface overview |
531
+
532
+ </details>
533
+
534
+ <details>
535
+ <summary><b>osint &mdash; OSINT enrichment (6 techniques)</b></summary>
536
+
537
+ | Parameter | Type | Description |
538
+ |-----------|------|-------------|
539
+ | `target` | string | IP address or domain to enrich |
540
+ | `type` | `ip` \| `domain` | Optional &mdash; target type (auto-detected if omitted) |
541
+
542
+ | Technique | Auth | Description |
543
+ |-----------|------|-------------|
544
+ | `osint_shodan` | `SHODAN_API_KEY` | Shodan host lookup &mdash; open ports, banners, vulns, OS |
545
+ | `osint_censys` | `CENSYS_API_ID` + `CENSYS_API_SECRET` | Censys host data &mdash; services, TLS, autonomous system |
546
+ | `osint_reverse_ip` | None | Reverse IP lookup &mdash; other domains on same IP |
547
+ | `osint_whois` | None | WHOIS registration data &mdash; registrar, dates, nameservers |
548
+ | `osint_webarchive` | None | Web Archive history &mdash; first/last snapshot, change frequency |
549
+ | `osint_virustotal` | `VIRUSTOTAL_API_KEY` | VirusTotal domain/IP report &mdash; detections, categories, DNS |
550
+
551
+ </details>
552
+
553
+ <details>
554
+ <summary><b>analyze &mdash; Passive fingerprint analysis (3 modes)</b></summary>
555
+
556
+ | Parameter | Type | Description |
557
+ |-----------|------|-------------|
558
+ | `type` | `headers` \| `html` \| `banner` | Type of data to analyze |
559
+ | `data` | string | Raw data to analyze (paste headers, HTML, or banner output) |
560
+
561
+ | Mode | Description |
562
+ |------|-------------|
563
+ | `fp_analyze_headers` | Passive HTTP header analysis &mdash; server, framework, proxy detection without sending traffic |
564
+ | `fp_analyze_html` | Passive HTML analysis &mdash; technology detection, framework identification from source |
565
+ | `fp_analyze_banner` | Passive banner analysis &mdash; service identification from raw banner text |
566
+
567
+ </details>
568
+
569
+ <details>
570
+ <summary><b>correlate &mdash; Multi-signal correlation engine (7 modes)</b></summary>
571
+
572
+ | Parameter | Type | Description |
573
+ |-----------|------|-------------|
574
+ | `type` | `consistency` \| `honeypot` \| `spoofing` \| `compare` \| `topology` \| `c2` \| `identify` | Correlation mode |
575
+ | `signals` | object | Fingerprint signals to correlate (varies by mode) |
576
+
577
+ | Mode | Description |
578
+ |------|-------------|
579
+ | `fp_consistency` | Cross-layer signal consistency check &mdash; do TCP, TLS, HTTP, and DNS fingerprints agree? |
580
+ | `fp_honeypot` | Honeypot detection &mdash; checks for impossible service combinations and behavioral anomalies |
581
+ | `fp_spoofing` | Spoofing detection &mdash; identifies mismatched server headers vs. actual behavior |
582
+ | `fp_compare` | Side-by-side comparison of two hosts' fingerprint profiles |
583
+ | `fp_topology` | Infrastructure topology mapping &mdash; CDN, load balancer, reverse proxy chain |
584
+ | `fp_c2` | C2 framework detection via JARM, TLS, HTTP, and timing correlation |
585
+ | `fp_identify` | Hash-based identification against known signature database |
586
+
587
+ </details>
588
+
589
+ <details>
590
+ <summary><b>meta &mdash; Server configuration and data (3 modes)</b></summary>
591
+
592
+ | Parameter | Type | Description |
593
+ |-----------|------|-------------|
594
+ | `category` | string | Optional &mdash; filter by category |
595
+
596
+ | Mode | Description |
597
+ |------|-------------|
598
+ | `fp_sources` | List all available data sources with configuration and API key status |
599
+ | `fp_config` | Server configuration &mdash; version, loaded providers, technique count |
600
+ | `fp_signatures` | Signature database listing &mdash; JARM, banner, WAF, application signatures |
601
+
602
+ </details>
603
+
604
+ ---
605
+
606
+ ### CLI Usage
607
+
608
+ ```bash
609
+ # List all available tools and techniques
610
+ npx fingerprint-mcp --list
611
+
612
+ # Run any tool directly
613
+ npx fingerprint-mcp --tool recon '{"url":"https://example.com","depth":"quick"}'
614
+ npx fingerprint-mcp --tool scan_tls '{"host":"example.com"}'
615
+ npx fingerprint-mcp --tool scan_ports '{"host":"10.0.1.50","ports":[22,80,443,3306,8080]}'
616
+ npx fingerprint-mcp --tool scan_dns '{"domain":"example.com"}'
617
+ npx fingerprint-mcp --tool scan_http '{"url":"https://example.com"}'
618
+ npx fingerprint-mcp --tool scan_waf '{"url":"https://example.com"}'
619
+ npx fingerprint-mcp --tool scan_services '{"host":"10.0.1.50","service":"redis"}'
620
+ npx fingerprint-mcp --tool enumerate '{"domain":"example.com"}'
621
+ npx fingerprint-mcp --tool analyze '{"type":"headers","data":"Server: nginx/1.24.0\nX-Powered-By: Express"}'
622
+ npx fingerprint-mcp --tool correlate '{"type":"honeypot","signals":{"jarm":"...","banner":"..."}}'
623
+ npx fingerprint-mcp --tool meta '{}'
624
+
625
+ # OSINT tools (require API keys)
626
+ SHODAN_API_KEY=your-key npx fingerprint-mcp --tool osint '{"target":"203.0.113.42","type":"ip"}'
627
+ ```
628
+
629
+ ---
630
+
631
+ ## Data Sources (21)
632
+
633
+ | Source | Auth | What it provides |
634
+ |--------|------|-----------------|
635
+ | TCP probing | None | Port scanning, banner grabbing, service detection |
636
+ | TLS/SSL analysis | None | Certificate parsing, JARM fingerprinting, JA4X, cipher enumeration, SNI testing |
637
+ | SSH probing | None | Protocol version, algorithm audit, software detection |
638
+ | HTTP analysis | None | Header fingerprinting, favicon hashing, cookie analysis, method enumeration, CORS |
639
+ | Web detection | None | Technology detection, analytics, source maps, WebSocket, GraphQL, SPA frameworks |
640
+ | Path discovery | None | Sensitive files, git leaks, debug endpoints, API versions, robots.txt |
641
+ | DNS resolution | None | Record enumeration, email auth analysis, SaaS detection, server fingerprinting |
642
+ | WAF/CDN detection | None | WAF identification, CDN detection, WAF fingerprinting |
643
+ | Timing analysis | None | Response timing baseline, clock skew detection |
644
+ | HTTP/2 & HTTP/3 | None | HTTP/2 detection and fingerprinting, HTTP/3 Alt-Svc discovery |
645
+ | SMTP probing | None | SMTP banner analysis, STARTTLS inspection |
646
+ | IoT/Embedded | None | IoT device detection, UPnP/SSDP discovery |
647
+ | Application detection | None | CMS, framework, and e-commerce platform identification |
648
+ | Service probing | None | MySQL, PostgreSQL, Redis, FTP, VNC/RDP fingerprinting |
649
+ | Infrastructure detection | None | Cloud provider, hosting provider, CDN identification |
650
+ | Correlation engine | None | Signal consistency, honeypot detection, spoofing detection, topology mapping |
651
+ | Identification engine | None | Hash-based identification, C2 detection, signature matching |
652
+ | [Shodan](https://www.shodan.io) | `SHODAN_API_KEY` | Host intelligence &mdash; open ports, banners, vulnerabilities, OS detection |
653
+ | [Censys](https://censys.io) | `CENSYS_API_ID` | Host data &mdash; services, TLS certificates, autonomous system info |
654
+ | [SecurityTrails](https://securitytrails.com) | `SECURITYTRAILS_API_KEY` | WAF origin discovery, passive DNS history, historical records |
655
+ | [VirusTotal](https://www.virustotal.com) | `VIRUSTOTAL_API_KEY` | Domain/IP reputation, detection results, DNS history, categories |
656
+
657
+ ---
658
+
659
+ ## Architecture
660
+
661
+ ```
662
+ src/
663
+ index.ts # CLI entrypoint (--help, --list, --tool, stdio server)
664
+ protocol/
665
+ mcp-server.ts # MCP server setup (stdio transport)
666
+ tools.ts # Tool registry — all 13 composite tools registered here
667
+ types/
668
+ index.ts # Shared types (ToolDef, ToolContext, ToolResult)
669
+ utils/
670
+ rate-limiter.ts # Per-provider rate limiter
671
+ cache.ts # TTL cache for API responses
672
+ require-key.ts # API key validation helper
673
+ murmurhash3.ts # MurmurHash3 for favicon hashing
674
+ composite/ # 13 composite tool orchestrators
675
+ recon.ts # Full recon orchestrator (quick/standard/deep)
676
+ scan-ports.ts # Port scanning composite
677
+ scan-tls.ts # TLS analysis composite
678
+ scan-dns.ts # DNS intelligence composite
679
+ scan-http.ts # HTTP fingerprinting composite
680
+ scan-paths.ts # Path discovery composite
681
+ scan-waf.ts # WAF/CDN detection composite
682
+ scan-services.ts # Service probing composite
683
+ analyze.ts # Passive analysis composite
684
+ correlate.ts # Correlation engine composite
685
+ enumerate.ts # Scope expansion composite
686
+ osint.ts # OSINT enrichment composite
687
+ meta.ts # Server meta composite
688
+ helpers.ts # Shared composite helpers
689
+ tcp/ # TCP probing techniques (3)
690
+ tls/ # TLS/SSL analysis techniques (8)
691
+ ssh/ # SSH probing techniques (3)
692
+ http/ # HTTP fingerprinting techniques (16)
693
+ web/ # Web technology detection techniques (9)
694
+ path/ # Path discovery techniques (5)
695
+ dns/ # DNS intelligence techniques (7)
696
+ waf/ # WAF/CDN detection techniques (4)
697
+ timing/ # Timing analysis techniques (2)
698
+ h2/ # HTTP/2 & HTTP/3 techniques (3)
699
+ smtp/ # SMTP probing techniques (2)
700
+ iot/ # IoT/embedded detection techniques (2)
701
+ app/ # Application detection techniques (3)
702
+ service/ # Service probing techniques (5)
703
+ infra/ # Infrastructure detection techniques (3)
704
+ correlation/ # Correlation engine (5)
705
+ identify/ # Identification engine (3)
706
+ passive/ # Passive analysis (3)
707
+ osint/ # OSINT enrichment techniques (6)
708
+ enum/ # Enumeration techniques (8)
709
+ meta/ # Meta tools (3)
710
+ data/ # Signature databases and pattern libraries
711
+ jarm-signatures.ts # Known JARM fingerprints (C2, servers, CDNs)
712
+ waf-signatures.ts # WAF detection signatures
713
+ service-banners.ts # Service banner patterns
714
+ tech-patterns.ts # Technology detection patterns
715
+ favicon-hashes.ts # Known favicon MurmurHash3 values
716
+ c2-signatures.ts # C2 framework signatures
717
+ ... # 15+ signature/pattern databases
718
+ ```
719
+
720
+ **Design decisions:**
721
+
722
+ - **13 composite tools, 103 techniques** &mdash; The agent calls high-level tools (`recon`, `scan_tls`, `scan_http`). Each composite orchestrates multiple low-level techniques and returns correlated results. This reduces tool-call overhead while maintaining granularity.
723
+ - **21 providers, 1 server** &mdash; Every fingerprinting layer is an independent module. The composite orchestrator selects techniques based on context and depth.
724
+ - **Active-first, OSINT-optional** &mdash; 80+ techniques work by directly probing the target with zero API keys. OSINT providers (Shodan, Censys, VirusTotal, SecurityTrails) add enrichment but are never required.
725
+ - **Per-provider rate limiters** &mdash; Each provider has its own `RateLimiter` instance. Active probing is rate-limited to avoid detection; OSINT APIs are calibrated to their quotas.
726
+ - **TTL caching** &mdash; DNS records (10min), OSINT results (15min), CT logs (30min) are cached to avoid redundant lookups during multi-tool workflows.
727
+ - **Graceful degradation** &mdash; Missing API keys don't crash the server. OSINT tools return descriptive messages: "Set SHODAN_API_KEY to enable Shodan host lookup."
728
+ - **3 dependencies** &mdash; `@modelcontextprotocol/sdk`, `zod`, and `cheerio`. All network I/O via native `fetch()` and Node.js `net`/`tls`/`dns` modules. No nmap, no external binaries.
729
+
730
+ ---
731
+
732
+ ## Limitations
733
+
734
+ - OSINT tools (Shodan, Censys, VirusTotal, SecurityTrails) require API keys for their respective techniques
735
+ - Censys free tier limited to 250 queries/month
736
+ - VirusTotal free tier limited to 500 queries/day
737
+ - Port scanning uses TCP connect (not SYN scan) &mdash; less stealthy than nmap but requires no root privileges
738
+ - JARM fingerprinting requires direct TCP access to the target (may be blocked by firewalls)
739
+ - UPnP/SSDP discovery only works on local networks
740
+ - Service probing (MySQL, PostgreSQL, Redis) connects but does not authenticate
741
+ - Subdomain enumeration relies on CT logs and passive sources (no brute-force)
742
+ - macOS / Linux tested (Windows not tested)
743
+
744
+ ---
745
+
746
+ ## Part of the MCP Security Suite
747
+
748
+ | Project | Domain | Tools |
749
+ |---|---|---|
750
+ | [hackbrowser-mcp](https://github.com/badchars/hackbrowser-mcp) | Browser-based security testing | 39 tools, Firefox, injection testing |
751
+ | [cloud-audit-mcp](https://github.com/badchars/cloud-audit-mcp) | Cloud security (AWS/Azure/GCP) | 38 tools, 60+ checks |
752
+ | [github-security-mcp](https://github.com/badchars/github-security-mcp) | GitHub security posture | 39 tools, 45 checks |
753
+ | [cve-mcp](https://github.com/badchars/cve-mcp) | Vulnerability intelligence | 23 tools, 5 sources |
754
+ | [osint-mcp-server](https://github.com/badchars/osint-mcp-server) | OSINT & reconnaissance | 37 tools, 12 sources |
755
+ | [darknet-mcp-server](https://github.com/badchars/darknet-mcp-server) | Dark web & threat intelligence | 66 tools, 16 sources |
756
+ | **fingerprint-mcp** | **Universal digital fingerprinting** | **13 tools, 103 techniques, 21 providers** |
757
+
758
+ ---
759
+
760
+ <p align="center">
761
+ <b>For authorized security testing and assessment only.</b><br>
762
+ Always ensure you have proper authorization before performing fingerprinting on any target.
763
+ </p>
764
+
765
+ <p align="center">
766
+ <a href="LICENSE">AGPL-3.0 License</a> &bull; Built with Bun + TypeScript
767
+ </p>