fingerprint-mcp 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +663 -0
- package/README.ar.md +767 -0
- package/README.bn.md +767 -0
- package/README.bs.md +767 -0
- package/README.da.md +767 -0
- package/README.de.md +770 -0
- package/README.el.md +767 -0
- package/README.es.md +769 -0
- package/README.fr.md +769 -0
- package/README.hi.md +767 -0
- package/README.it.md +767 -0
- package/README.ja.md +767 -0
- package/README.ko.md +772 -0
- package/README.md +767 -0
- package/README.no.md +767 -0
- package/README.pl.md +767 -0
- package/README.pt-BR.md +767 -0
- package/README.ru.md +767 -0
- package/README.th.md +767 -0
- package/README.tr.md +767 -0
- package/README.uk.md +767 -0
- package/README.vi.md +767 -0
- package/README.zh-TW.md +768 -0
- package/README.zh.md +768 -0
- package/dist/app/index.d.ts +3 -0
- package/dist/app/index.d.ts.map +1 -0
- package/dist/app/index.js +614 -0
- package/dist/app/index.js.map +1 -0
- package/dist/composite/analyze.d.ts +3 -0
- package/dist/composite/analyze.d.ts.map +1 -0
- package/dist/composite/analyze.js +59 -0
- package/dist/composite/analyze.js.map +1 -0
- package/dist/composite/correlate.d.ts +3 -0
- package/dist/composite/correlate.d.ts.map +1 -0
- package/dist/composite/correlate.js +184 -0
- package/dist/composite/correlate.js.map +1 -0
- package/dist/composite/enumerate.d.ts +3 -0
- package/dist/composite/enumerate.d.ts.map +1 -0
- package/dist/composite/enumerate.js +94 -0
- package/dist/composite/enumerate.js.map +1 -0
- package/dist/composite/helpers.d.ts +22 -0
- package/dist/composite/helpers.d.ts.map +1 -0
- package/dist/composite/helpers.js +111 -0
- package/dist/composite/helpers.js.map +1 -0
- package/dist/composite/index.d.ts +3 -0
- package/dist/composite/index.d.ts.map +1 -0
- package/dist/composite/index.js +29 -0
- package/dist/composite/index.js.map +1 -0
- package/dist/composite/meta.d.ts +3 -0
- package/dist/composite/meta.d.ts.map +1 -0
- package/dist/composite/meta.js +23 -0
- package/dist/composite/meta.js.map +1 -0
- package/dist/composite/osint.d.ts +3 -0
- package/dist/composite/osint.d.ts.map +1 -0
- package/dist/composite/osint.js +40 -0
- package/dist/composite/osint.js.map +1 -0
- package/dist/composite/recon.d.ts +3 -0
- package/dist/composite/recon.d.ts.map +1 -0
- package/dist/composite/recon.js +131 -0
- package/dist/composite/recon.js.map +1 -0
- package/dist/composite/scan-dns.d.ts +3 -0
- package/dist/composite/scan-dns.d.ts.map +1 -0
- package/dist/composite/scan-dns.js +44 -0
- package/dist/composite/scan-dns.js.map +1 -0
- package/dist/composite/scan-http.d.ts +3 -0
- package/dist/composite/scan-http.d.ts.map +1 -0
- package/dist/composite/scan-http.js +68 -0
- package/dist/composite/scan-http.js.map +1 -0
- package/dist/composite/scan-paths.d.ts +3 -0
- package/dist/composite/scan-paths.d.ts.map +1 -0
- package/dist/composite/scan-paths.js +32 -0
- package/dist/composite/scan-paths.js.map +1 -0
- package/dist/composite/scan-ports.d.ts +3 -0
- package/dist/composite/scan-ports.d.ts.map +1 -0
- package/dist/composite/scan-ports.js +79 -0
- package/dist/composite/scan-ports.js.map +1 -0
- package/dist/composite/scan-services.d.ts +3 -0
- package/dist/composite/scan-services.d.ts.map +1 -0
- package/dist/composite/scan-services.js +111 -0
- package/dist/composite/scan-services.js.map +1 -0
- package/dist/composite/scan-tls.d.ts +3 -0
- package/dist/composite/scan-tls.d.ts.map +1 -0
- package/dist/composite/scan-tls.js +32 -0
- package/dist/composite/scan-tls.js.map +1 -0
- package/dist/composite/scan-waf.d.ts +3 -0
- package/dist/composite/scan-waf.d.ts.map +1 -0
- package/dist/composite/scan-waf.js +35 -0
- package/dist/composite/scan-waf.js.map +1 -0
- package/dist/correlation/index.d.ts +3 -0
- package/dist/correlation/index.d.ts.map +1 -0
- package/dist/correlation/index.js +1044 -0
- package/dist/correlation/index.js.map +1 -0
- package/dist/data/analytics-patterns.d.ts +21 -0
- package/dist/data/analytics-patterns.d.ts.map +1 -0
- package/dist/data/analytics-patterns.js +449 -0
- package/dist/data/analytics-patterns.js.map +1 -0
- package/dist/data/app-signatures.d.ts +52 -0
- package/dist/data/app-signatures.d.ts.map +1 -0
- package/dist/data/app-signatures.js +1143 -0
- package/dist/data/app-signatures.js.map +1 -0
- package/dist/data/c2-signatures.d.ts +54 -0
- package/dist/data/c2-signatures.d.ts.map +1 -0
- package/dist/data/c2-signatures.js +256 -0
- package/dist/data/c2-signatures.js.map +1 -0
- package/dist/data/cloud-ranges.d.ts +34 -0
- package/dist/data/cloud-ranges.d.ts.map +1 -0
- package/dist/data/cloud-ranges.js +628 -0
- package/dist/data/cloud-ranges.js.map +1 -0
- package/dist/data/cookie-patterns.d.ts +28 -0
- package/dist/data/cookie-patterns.d.ts.map +1 -0
- package/dist/data/cookie-patterns.js +225 -0
- package/dist/data/cookie-patterns.js.map +1 -0
- package/dist/data/error-signatures.d.ts +19 -0
- package/dist/data/error-signatures.d.ts.map +1 -0
- package/dist/data/error-signatures.js +321 -0
- package/dist/data/error-signatures.js.map +1 -0
- package/dist/data/favicon-hashes.d.ts +25 -0
- package/dist/data/favicon-hashes.d.ts.map +1 -0
- package/dist/data/favicon-hashes.js +249 -0
- package/dist/data/favicon-hashes.js.map +1 -0
- package/dist/data/h2-signatures.d.ts +50 -0
- package/dist/data/h2-signatures.d.ts.map +1 -0
- package/dist/data/h2-signatures.js +211 -0
- package/dist/data/h2-signatures.js.map +1 -0
- package/dist/data/header-order.d.ts +38 -0
- package/dist/data/header-order.d.ts.map +1 -0
- package/dist/data/header-order.js +185 -0
- package/dist/data/header-order.js.map +1 -0
- package/dist/data/jarm-signatures.d.ts +25 -0
- package/dist/data/jarm-signatures.d.ts.map +1 -0
- package/dist/data/jarm-signatures.js +213 -0
- package/dist/data/jarm-signatures.js.map +1 -0
- package/dist/data/saas-patterns.d.ts +23 -0
- package/dist/data/saas-patterns.d.ts.map +1 -0
- package/dist/data/saas-patterns.js +139 -0
- package/dist/data/saas-patterns.js.map +1 -0
- package/dist/data/sensitive-paths.d.ts +12 -0
- package/dist/data/sensitive-paths.d.ts.map +1 -0
- package/dist/data/sensitive-paths.js +1539 -0
- package/dist/data/sensitive-paths.js.map +1 -0
- package/dist/data/service-banners.d.ts +59 -0
- package/dist/data/service-banners.d.ts.map +1 -0
- package/dist/data/service-banners.js +323 -0
- package/dist/data/service-banners.js.map +1 -0
- package/dist/data/smtp-signatures.d.ts +12 -0
- package/dist/data/smtp-signatures.d.ts.map +1 -0
- package/dist/data/smtp-signatures.js +350 -0
- package/dist/data/smtp-signatures.js.map +1 -0
- package/dist/data/takeover-patterns.d.ts +37 -0
- package/dist/data/takeover-patterns.d.ts.map +1 -0
- package/dist/data/takeover-patterns.js +249 -0
- package/dist/data/takeover-patterns.js.map +1 -0
- package/dist/data/tech-patterns.d.ts +44 -0
- package/dist/data/tech-patterns.d.ts.map +1 -0
- package/dist/data/tech-patterns.js +690 -0
- package/dist/data/tech-patterns.js.map +1 -0
- package/dist/data/waf-signatures.d.ts +21 -0
- package/dist/data/waf-signatures.d.ts.map +1 -0
- package/dist/data/waf-signatures.js +318 -0
- package/dist/data/waf-signatures.js.map +1 -0
- package/dist/dns/index.d.ts +3 -0
- package/dist/dns/index.d.ts.map +1 -0
- package/dist/dns/index.js +1067 -0
- package/dist/dns/index.js.map +1 -0
- package/dist/enum/index.d.ts +3 -0
- package/dist/enum/index.d.ts.map +1 -0
- package/dist/enum/index.js +818 -0
- package/dist/enum/index.js.map +1 -0
- package/dist/h2/index.d.ts +3 -0
- package/dist/h2/index.d.ts.map +1 -0
- package/dist/h2/index.js +414 -0
- package/dist/h2/index.js.map +1 -0
- package/dist/http/index.d.ts +3 -0
- package/dist/http/index.d.ts.map +1 -0
- package/dist/http/index.js +2444 -0
- package/dist/http/index.js.map +1 -0
- package/dist/identify/index.d.ts +3 -0
- package/dist/identify/index.d.ts.map +1 -0
- package/dist/identify/index.js +447 -0
- package/dist/identify/index.js.map +1 -0
- package/dist/index.d.ts +3 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +165 -0
- package/dist/index.js.map +1 -0
- package/dist/infra/index.d.ts +3 -0
- package/dist/infra/index.d.ts.map +1 -0
- package/dist/infra/index.js +989 -0
- package/dist/infra/index.js.map +1 -0
- package/dist/iot/index.d.ts +3 -0
- package/dist/iot/index.d.ts.map +1 -0
- package/dist/iot/index.js +610 -0
- package/dist/iot/index.js.map +1 -0
- package/dist/meta/index.d.ts +3 -0
- package/dist/meta/index.d.ts.map +1 -0
- package/dist/meta/index.js +442 -0
- package/dist/meta/index.js.map +1 -0
- package/dist/osint/index.d.ts +3 -0
- package/dist/osint/index.d.ts.map +1 -0
- package/dist/osint/index.js +687 -0
- package/dist/osint/index.js.map +1 -0
- package/dist/passive/index.d.ts +3 -0
- package/dist/passive/index.d.ts.map +1 -0
- package/dist/passive/index.js +944 -0
- package/dist/passive/index.js.map +1 -0
- package/dist/path/index.d.ts +3 -0
- package/dist/path/index.d.ts.map +1 -0
- package/dist/path/index.js +878 -0
- package/dist/path/index.js.map +1 -0
- package/dist/protocol/mcp-server.d.ts +4 -0
- package/dist/protocol/mcp-server.d.ts.map +1 -0
- package/dist/protocol/mcp-server.js +32 -0
- package/dist/protocol/mcp-server.js.map +1 -0
- package/dist/protocol/tools.d.ts +3 -0
- package/dist/protocol/tools.d.ts.map +1 -0
- package/dist/protocol/tools.js +5 -0
- package/dist/protocol/tools.js.map +1 -0
- package/dist/service/index.d.ts +3 -0
- package/dist/service/index.d.ts.map +1 -0
- package/dist/service/index.js +1053 -0
- package/dist/service/index.js.map +1 -0
- package/dist/smtp/index.d.ts +3 -0
- package/dist/smtp/index.d.ts.map +1 -0
- package/dist/smtp/index.js +437 -0
- package/dist/smtp/index.js.map +1 -0
- package/dist/ssh/index.d.ts +3 -0
- package/dist/ssh/index.d.ts.map +1 -0
- package/dist/ssh/index.js +676 -0
- package/dist/ssh/index.js.map +1 -0
- package/dist/tcp/index.d.ts +3 -0
- package/dist/tcp/index.d.ts.map +1 -0
- package/dist/tcp/index.js +369 -0
- package/dist/tcp/index.js.map +1 -0
- package/dist/timing/index.d.ts +3 -0
- package/dist/timing/index.d.ts.map +1 -0
- package/dist/timing/index.js +425 -0
- package/dist/timing/index.js.map +1 -0
- package/dist/tls/index.d.ts +3 -0
- package/dist/tls/index.d.ts.map +1 -0
- package/dist/tls/index.js +1332 -0
- package/dist/tls/index.js.map +1 -0
- package/dist/types/index.d.ts +26 -0
- package/dist/types/index.d.ts.map +1 -0
- package/dist/types/index.js +8 -0
- package/dist/types/index.js.map +1 -0
- package/dist/utils/cache.d.ts +11 -0
- package/dist/utils/cache.d.ts.map +1 -0
- package/dist/utils/cache.js +35 -0
- package/dist/utils/cache.js.map +1 -0
- package/dist/utils/murmurhash3.d.ts +3 -0
- package/dist/utils/murmurhash3.d.ts.map +1 -0
- package/dist/utils/murmurhash3.js +57 -0
- package/dist/utils/murmurhash3.js.map +1 -0
- package/dist/utils/rate-limiter.d.ts +10 -0
- package/dist/utils/rate-limiter.d.ts.map +1 -0
- package/dist/utils/rate-limiter.js +35 -0
- package/dist/utils/rate-limiter.js.map +1 -0
- package/dist/utils/require-key.d.ts +2 -0
- package/dist/utils/require-key.d.ts.map +1 -0
- package/dist/utils/require-key.js +8 -0
- package/dist/utils/require-key.js.map +1 -0
- package/dist/waf/index.d.ts +3 -0
- package/dist/waf/index.d.ts.map +1 -0
- package/dist/waf/index.js +767 -0
- package/dist/waf/index.js.map +1 -0
- package/dist/web/index.d.ts +3 -0
- package/dist/web/index.d.ts.map +1 -0
- package/dist/web/index.js +1366 -0
- package/dist/web/index.js.map +1 -0
- package/package.json +66 -0
package/README.md
ADDED
|
@@ -0,0 +1,767 @@
|
|
|
1
|
+
<p align="center">
|
|
2
|
+
<strong>English</strong> |
|
|
3
|
+
<a href="README.zh.md">简体中文</a> |
|
|
4
|
+
<a href="README.zh-TW.md">繁體中文</a> |
|
|
5
|
+
<a href="README.ko.md">한국어</a> |
|
|
6
|
+
<a href="README.de.md">Deutsch</a> |
|
|
7
|
+
<a href="README.es.md">Español</a> |
|
|
8
|
+
<a href="README.fr.md">Français</a> |
|
|
9
|
+
<a href="README.it.md">Italiano</a> |
|
|
10
|
+
<a href="README.da.md">Dansk</a> |
|
|
11
|
+
<a href="README.ja.md">日本語</a> |
|
|
12
|
+
<a href="README.pl.md">Polski</a> |
|
|
13
|
+
<a href="README.ru.md">Русский</a> |
|
|
14
|
+
<a href="README.bs.md">Bosanski</a> |
|
|
15
|
+
<a href="README.ar.md">العربية</a> |
|
|
16
|
+
<a href="README.no.md">Norsk</a> |
|
|
17
|
+
<a href="README.pt-BR.md">Português (Brasil)</a> |
|
|
18
|
+
<a href="README.th.md">ไทย</a> |
|
|
19
|
+
<a href="README.tr.md">Türkçe</a> |
|
|
20
|
+
<a href="README.uk.md">Українська</a> |
|
|
21
|
+
<a href="README.bn.md">বাংলা</a> |
|
|
22
|
+
<a href="README.el.md">Ελληνικά</a> |
|
|
23
|
+
<a href="README.vi.md">Tiếng Việt</a> |
|
|
24
|
+
<a href="README.hi.md">हिन्दी</a>
|
|
25
|
+
</p>
|
|
26
|
+
|
|
27
|
+
<p align="center">
|
|
28
|
+
<br>
|
|
29
|
+
<picture>
|
|
30
|
+
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/badchars/fingerprint-mcp/main/.github/banner-dark.svg">
|
|
31
|
+
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/badchars/fingerprint-mcp/main/.github/banner-light.svg">
|
|
32
|
+
<img alt="fingerprint-mcp" src="https://raw.githubusercontent.com/badchars/fingerprint-mcp/main/.github/banner-dark.svg" width="700">
|
|
33
|
+
</picture>
|
|
34
|
+
</p>
|
|
35
|
+
|
|
36
|
+
<h3 align="center">Universal digital fingerprinting for AI agents.</h3>
|
|
37
|
+
|
|
38
|
+
<p align="center">
|
|
39
|
+
TCP, TLS/SSL, SSH, HTTP, DNS, WAF/CDN, IoT, SMTP, service probing, JARM, JA4X, favicon hashing, infrastructure topology, C2 detection, OSINT enrichment — unified into a single MCP server.<br>
|
|
40
|
+
Your AI agent gets <b>full-spectrum fingerprinting on demand</b>, not 11 disconnected CLI tools and manual correlation.
|
|
41
|
+
</p>
|
|
42
|
+
|
|
43
|
+
<br>
|
|
44
|
+
|
|
45
|
+
<p align="center">
|
|
46
|
+
<a href="#the-problem">The Problem</a> •
|
|
47
|
+
<a href="#how-its-different">How It's Different</a> •
|
|
48
|
+
<a href="#quick-start">Quick Start</a> •
|
|
49
|
+
<a href="#what-the-ai-can-do">What The AI Can Do</a> •
|
|
50
|
+
<a href="#tools-reference-13-tools-103-techniques">Tools (13)</a> •
|
|
51
|
+
<a href="#data-sources-21">Data Sources</a> •
|
|
52
|
+
<a href="#architecture">Architecture</a> •
|
|
53
|
+
<a href="CHANGELOG.md">Changelog</a> •
|
|
54
|
+
<a href="CONTRIBUTING.md">Contributing</a>
|
|
55
|
+
</p>
|
|
56
|
+
|
|
57
|
+
<p align="center">
|
|
58
|
+
<a href="https://www.npmjs.com/package/fingerprint-mcp"><img src="https://img.shields.io/npm/v/fingerprint-mcp.svg" alt="npm"></a>
|
|
59
|
+
<a href="LICENSE"><img src="https://img.shields.io/badge/license-AGPL--3.0-blue.svg" alt="License"></a>
|
|
60
|
+
<img src="https://img.shields.io/badge/runtime-Bun-f472b6" alt="Bun">
|
|
61
|
+
<img src="https://img.shields.io/badge/protocol-MCP-8b5cf6" alt="MCP">
|
|
62
|
+
<img src="https://img.shields.io/badge/tools-13-ef4444" alt="13 Tools">
|
|
63
|
+
<img src="https://img.shields.io/badge/techniques-103-f97316" alt="103 Techniques">
|
|
64
|
+
</p>
|
|
65
|
+
|
|
66
|
+
<p align="center">
|
|
67
|
+
<img src="https://raw.githubusercontent.com/badchars/fingerprint-mcp/main/.github/demo.gif" alt="fingerprint-mcp demo" width="800">
|
|
68
|
+
</p>
|
|
69
|
+
|
|
70
|
+
---
|
|
71
|
+
|
|
72
|
+
## The Problem
|
|
73
|
+
|
|
74
|
+
Fingerprinting a server today means juggling a dozen disconnected tools. You run `nmap` for port scanning, `testssl.sh` for certificate analysis, `curl -I` for HTTP headers, `dig` for DNS, `wafw00f` for WAF detection, `ssh-audit` for SSH, a separate JARM tool, Wappalyzer for tech detection — and then you spend 30 minutes manually cross-referencing everything in a spreadsheet to figure out what's actually running.
|
|
75
|
+
|
|
76
|
+
```
|
|
77
|
+
Traditional fingerprinting workflow:
|
|
78
|
+
analyze TLS certificates -> testssl.sh / openssl s_client
|
|
79
|
+
grab HTTP headers -> curl -I
|
|
80
|
+
detect web technologies -> wappalyzer CLI
|
|
81
|
+
DNS reconnaissance -> dig / nslookup / dnsenum
|
|
82
|
+
port scanning -> nmap -sV
|
|
83
|
+
WAF detection -> wafw00f
|
|
84
|
+
SSH audit -> ssh-audit
|
|
85
|
+
service fingerprinting -> nmap scripts
|
|
86
|
+
JARM fingerprint -> jarm (separate tool)
|
|
87
|
+
check OSINT databases -> shodan CLI, censys CLI
|
|
88
|
+
correlate everything -> manually in a spreadsheet
|
|
89
|
+
──────────────────────────────
|
|
90
|
+
Total: 11 tools, 30+ minutes, manual correlation
|
|
91
|
+
```
|
|
92
|
+
|
|
93
|
+
**fingerprint-mcp** gives your AI agent 13 composite tools wrapping 103 fingerprinting techniques across 21 providers via the [Model Context Protocol](https://modelcontextprotocol.io). The agent runs multi-layer fingerprinting in parallel, correlates signals across TCP/TLS/HTTP/DNS/SSH layers, detects honeypots and C2 infrastructure, and presents a unified intelligence picture — in a single conversation.
|
|
94
|
+
|
|
95
|
+
```
|
|
96
|
+
With fingerprint-mcp:
|
|
97
|
+
You: "Do a deep recon on target.com"
|
|
98
|
+
|
|
99
|
+
Agent: -> recon {url: "https://target.com", depth: "deep"}
|
|
100
|
+
|
|
101
|
+
-> TLS: nginx/1.24.0 via JARM (3fd21b20d00000...),
|
|
102
|
+
Let's Encrypt cert, 2 SANs, TLS 1.2+1.3
|
|
103
|
+
-> HTTP: Express.js behind Cloudflare WAF,
|
|
104
|
+
React SPA, Google Analytics, 14 security headers analyzed
|
|
105
|
+
-> DNS: A/AAAA/MX/TXT records, SPF/DKIM/DMARC configured,
|
|
106
|
+
Slack + Google Workspace detected via CNAME/MX
|
|
107
|
+
-> Ports: 80, 443, 22 (OpenSSH 9.6), 8080 (dev server)
|
|
108
|
+
-> WAF: Cloudflare detected, origin IP discovered via direct-connect
|
|
109
|
+
-> Enumeration: 12 subdomains via CT logs, wildcard DNS detected
|
|
110
|
+
-> "target.com runs nginx/1.24.0 with Express.js behind
|
|
111
|
+
Cloudflare WAF. Origin IP 203.0.113.42 exposed on port 8080.
|
|
112
|
+
TLS is properly configured (A+ equivalent) but the dev server
|
|
113
|
+
on 8080 has no WAF protection. 3 subdomains point to
|
|
114
|
+
decommissioned infrastructure — potential takeover risk."
|
|
115
|
+
```
|
|
116
|
+
|
|
117
|
+
---
|
|
118
|
+
|
|
119
|
+
## How It's Different
|
|
120
|
+
|
|
121
|
+
Existing tools give you raw data one layer at a time. fingerprint-mcp gives your AI agent the ability to **reason across all fingerprinting layers simultaneously**.
|
|
122
|
+
|
|
123
|
+
<table>
|
|
124
|
+
<thead>
|
|
125
|
+
<tr>
|
|
126
|
+
<th></th>
|
|
127
|
+
<th>Traditional Approach</th>
|
|
128
|
+
<th>fingerprint-mcp</th>
|
|
129
|
+
</tr>
|
|
130
|
+
</thead>
|
|
131
|
+
<tbody>
|
|
132
|
+
<tr>
|
|
133
|
+
<td><b>Interface</b></td>
|
|
134
|
+
<td>11 different CLI tools with different output formats</td>
|
|
135
|
+
<td>MCP — AI agent calls tools conversationally</td>
|
|
136
|
+
</tr>
|
|
137
|
+
<tr>
|
|
138
|
+
<td><b>Techniques</b></td>
|
|
139
|
+
<td>One tool, one layer at a time</td>
|
|
140
|
+
<td>103 techniques across 21 providers, run in parallel</td>
|
|
141
|
+
</tr>
|
|
142
|
+
<tr>
|
|
143
|
+
<td><b>TLS analysis</b></td>
|
|
144
|
+
<td>testssl.sh output, manually parse JARM separately</td>
|
|
145
|
+
<td>Agent combines certificate + JARM + JA4X + cipher suites + SNI + CT logs in one call</td>
|
|
146
|
+
</tr>
|
|
147
|
+
<tr>
|
|
148
|
+
<td><b>Correlation</b></td>
|
|
149
|
+
<td>Copy-paste results into a spreadsheet</td>
|
|
150
|
+
<td>Agent cross-correlates: "JARM matches known C2 framework, HTTP timing confirms honeypot"</td>
|
|
151
|
+
</tr>
|
|
152
|
+
<tr>
|
|
153
|
+
<td><b>WAF bypass</b></td>
|
|
154
|
+
<td>wafw00f detects WAF, you manually hunt for origin</td>
|
|
155
|
+
<td>Agent detects WAF, discovers origin IP, and verifies it serves the same content</td>
|
|
156
|
+
</tr>
|
|
157
|
+
<tr>
|
|
158
|
+
<td><b>API keys</b></td>
|
|
159
|
+
<td>Required for Shodan, Censys, etc.</td>
|
|
160
|
+
<td>80+ active techniques work without any API keys; keys unlock OSINT enrichment</td>
|
|
161
|
+
</tr>
|
|
162
|
+
<tr>
|
|
163
|
+
<td><b>Setup</b></td>
|
|
164
|
+
<td>Install nmap, testssl, wafw00f, ssh-audit, jarm, wappalyzer...</td>
|
|
165
|
+
<td><code>npx fingerprint-mcp</code> — one command, zero config</td>
|
|
166
|
+
</tr>
|
|
167
|
+
</tbody>
|
|
168
|
+
</table>
|
|
169
|
+
|
|
170
|
+
---
|
|
171
|
+
|
|
172
|
+
## Quick Start
|
|
173
|
+
|
|
174
|
+
### Option 1: npx (no install)
|
|
175
|
+
|
|
176
|
+
```bash
|
|
177
|
+
npx fingerprint-mcp
|
|
178
|
+
```
|
|
179
|
+
|
|
180
|
+
All 80+ active fingerprinting techniques work immediately. No API keys required for TCP, TLS, SSH, HTTP, DNS, WAF, path, service, timing, IoT, SMTP, infrastructure, and application fingerprinting.
|
|
181
|
+
|
|
182
|
+
### Option 2: Clone
|
|
183
|
+
|
|
184
|
+
```bash
|
|
185
|
+
git clone https://github.com/badchars/fingerprint-mcp.git
|
|
186
|
+
cd fingerprint-mcp
|
|
187
|
+
bun install
|
|
188
|
+
```
|
|
189
|
+
|
|
190
|
+
### Environment variables (optional)
|
|
191
|
+
|
|
192
|
+
```bash
|
|
193
|
+
# OSINT enrichment (all optional — active fingerprinting works without any keys)
|
|
194
|
+
export SHODAN_API_KEY=your-key # Enables osint_shodan, ssh_hostkey_lookup
|
|
195
|
+
export CENSYS_API_ID=your-id # Enables osint_censys (free: 250 queries/month)
|
|
196
|
+
export CENSYS_API_SECRET=your-secret # Censys API secret
|
|
197
|
+
export SECURITYTRAILS_API_KEY=your-key # Enables waf_origin, enum_passive_dns
|
|
198
|
+
export VIRUSTOTAL_API_KEY=your-key # Enables osint_virustotal (free: 500 queries/day)
|
|
199
|
+
```
|
|
200
|
+
|
|
201
|
+
All API keys are optional. Without them, you still get full TCP/TLS/SSH/HTTP/DNS/WAF/path/service/timing/IoT/SMTP/infrastructure/application fingerprinting, correlation, passive analysis, enumeration, and meta tools — 80+ techniques that work by directly probing the target.
|
|
202
|
+
|
|
203
|
+
### Connect to your AI agent
|
|
204
|
+
|
|
205
|
+
<details open>
|
|
206
|
+
<summary><b>Claude Code</b></summary>
|
|
207
|
+
|
|
208
|
+
```bash
|
|
209
|
+
# With npx
|
|
210
|
+
claude mcp add fingerprint-mcp -- npx fingerprint-mcp
|
|
211
|
+
|
|
212
|
+
# With local clone
|
|
213
|
+
claude mcp add fingerprint-mcp -- bun run /path/to/fingerprint-mcp/src/index.ts
|
|
214
|
+
```
|
|
215
|
+
|
|
216
|
+
</details>
|
|
217
|
+
|
|
218
|
+
<details>
|
|
219
|
+
<summary><b>Claude Desktop</b></summary>
|
|
220
|
+
|
|
221
|
+
Add to `~/Library/Application Support/Claude/claude_desktop_config.json`:
|
|
222
|
+
|
|
223
|
+
```json
|
|
224
|
+
{
|
|
225
|
+
"mcpServers": {
|
|
226
|
+
"fingerprint": {
|
|
227
|
+
"command": "npx",
|
|
228
|
+
"args": ["-y", "fingerprint-mcp"],
|
|
229
|
+
"env": {
|
|
230
|
+
"SHODAN_API_KEY": "optional",
|
|
231
|
+
"CENSYS_API_ID": "optional",
|
|
232
|
+
"CENSYS_API_SECRET": "optional",
|
|
233
|
+
"SECURITYTRAILS_API_KEY": "optional",
|
|
234
|
+
"VIRUSTOTAL_API_KEY": "optional"
|
|
235
|
+
}
|
|
236
|
+
}
|
|
237
|
+
}
|
|
238
|
+
}
|
|
239
|
+
```
|
|
240
|
+
|
|
241
|
+
</details>
|
|
242
|
+
|
|
243
|
+
<details>
|
|
244
|
+
<summary><b>Cursor / Windsurf / other MCP clients</b></summary>
|
|
245
|
+
|
|
246
|
+
Same JSON config format. Point the command to `npx fingerprint-mcp` or your local installation path.
|
|
247
|
+
|
|
248
|
+
</details>
|
|
249
|
+
|
|
250
|
+
### Start querying
|
|
251
|
+
|
|
252
|
+
```
|
|
253
|
+
You: "Fingerprint everything about target.com — TLS, HTTP stack, WAF, DNS, open ports"
|
|
254
|
+
```
|
|
255
|
+
|
|
256
|
+
That's it. The agent handles multi-layer fingerprinting, signal correlation, and infrastructure analysis automatically.
|
|
257
|
+
|
|
258
|
+
---
|
|
259
|
+
|
|
260
|
+
## What The AI Can Do
|
|
261
|
+
|
|
262
|
+
### Quick Recon
|
|
263
|
+
|
|
264
|
+
```
|
|
265
|
+
You: "Quick recon on target.com"
|
|
266
|
+
|
|
267
|
+
Agent: -> recon {url: "https://target.com", depth: "quick"}
|
|
268
|
+
|
|
269
|
+
-> TCP: ports 80, 443, 22 open
|
|
270
|
+
-> TLS: Let's Encrypt RSA cert, TLS 1.2+1.3, nginx JARM signature
|
|
271
|
+
-> HTTP: nginx/1.24.0, Express.js, React, Cloudflare CDN
|
|
272
|
+
-> DNS: A 203.0.113.42, MX Google Workspace, SPF/DKIM configured
|
|
273
|
+
-> WAF: Cloudflare detected (cf-ray header)
|
|
274
|
+
-> "target.com is a React SPA on Express.js behind nginx/1.24.0,
|
|
275
|
+
served through Cloudflare CDN. TLS properly configured with
|
|
276
|
+
Let's Encrypt. SSH on port 22 running OpenSSH 9.6. Email
|
|
277
|
+
handled by Google Workspace with full SPF/DKIM/DMARC."
|
|
278
|
+
```
|
|
279
|
+
|
|
280
|
+
### Deep TLS Investigation
|
|
281
|
+
|
|
282
|
+
```
|
|
283
|
+
You: "Analyze the TLS configuration of suspicious-server.com in detail"
|
|
284
|
+
|
|
285
|
+
Agent: -> scan_tls {host: "suspicious-server.com"}
|
|
286
|
+
|
|
287
|
+
-> Certificate: self-signed, CN=localhost, expired 47 days ago
|
|
288
|
+
-> JARM: 2ad2ad0002ad2ad00042d42d00000069d641f34fe76acdc05c40262f8815e5
|
|
289
|
+
(matches Cobalt Strike default profile)
|
|
290
|
+
-> JA4X: fingerprint matches known C2 framework pattern
|
|
291
|
+
-> Cipher suites: accepts weak ciphers (RC4, 3DES)
|
|
292
|
+
-> SNI: responds identically to any SNI value
|
|
293
|
+
-> CT logs: certificate not logged (not publicly trusted)
|
|
294
|
+
-> "HIGH RISK: TLS configuration strongly indicates C2 infrastructure.
|
|
295
|
+
Self-signed expired cert, JARM fingerprint matches Cobalt Strike,
|
|
296
|
+
accepts weak ciphers, and responds to arbitrary SNI values.
|
|
297
|
+
Recommend immediate investigation and blocking."
|
|
298
|
+
```
|
|
299
|
+
|
|
300
|
+
### WAF Bypass & Origin Discovery
|
|
301
|
+
|
|
302
|
+
```
|
|
303
|
+
You: "target.com is behind a WAF. Can you find the origin server?"
|
|
304
|
+
|
|
305
|
+
Agent: -> scan_waf {url: "https://target.com"}
|
|
306
|
+
-> scan_dns {domain: "target.com"}
|
|
307
|
+
-> enumerate {domain: "target.com"}
|
|
308
|
+
|
|
309
|
+
-> WAF: Cloudflare (AS13335), challenge page on suspicious requests
|
|
310
|
+
-> DNS: A record points to Cloudflare IP 104.21.x.x
|
|
311
|
+
-> Subdomains: dev.target.com resolves to 203.0.113.42 (non-Cloudflare)
|
|
312
|
+
-> Direct connect to 203.0.113.42:443 returns same TLS cert
|
|
313
|
+
-> SecurityTrails historical: origin was 203.0.113.42 before Cloudflare
|
|
314
|
+
-> "Origin IP found: 203.0.113.42. Discovered via dev.target.com
|
|
315
|
+
subdomain which bypasses Cloudflare. The origin serves the same
|
|
316
|
+
TLS certificate and responds to the target.com Host header.
|
|
317
|
+
Origin has no WAF protection — direct access possible."
|
|
318
|
+
```
|
|
319
|
+
|
|
320
|
+
### Service Discovery on a Host
|
|
321
|
+
|
|
322
|
+
```
|
|
323
|
+
You: "What services are running on 10.0.1.50?"
|
|
324
|
+
|
|
325
|
+
Agent: -> scan_ports {host: "10.0.1.50"}
|
|
326
|
+
-> scan_services {host: "10.0.1.50", ports: [22, 80, 3306, 5432, 6379, 8080]}
|
|
327
|
+
|
|
328
|
+
-> Port 22: OpenSSH 8.9p1 Ubuntu, ED25519 host key
|
|
329
|
+
-> Port 80: Apache/2.4.57, PHP/8.2, WordPress 6.4
|
|
330
|
+
-> Port 3306: MySQL 8.0.36, authentication required
|
|
331
|
+
-> Port 5432: PostgreSQL 16.1, SSL required
|
|
332
|
+
-> Port 6379: Redis 7.2.4, NO authentication (open)
|
|
333
|
+
-> Port 8080: Node.js Express dev server, CORS: *
|
|
334
|
+
-> "CRITICAL: Redis on port 6379 has no authentication — anyone on
|
|
335
|
+
the network can read/write data. The Express dev server on 8080
|
|
336
|
+
has wildcard CORS. MySQL and PostgreSQL properly require auth.
|
|
337
|
+
WordPress is 2 minor versions behind. Immediate action needed
|
|
338
|
+
on Redis and the dev server exposure."
|
|
339
|
+
```
|
|
340
|
+
|
|
341
|
+
---
|
|
342
|
+
|
|
343
|
+
## Tools Reference (13 tools, 103 techniques)
|
|
344
|
+
|
|
345
|
+
<details open>
|
|
346
|
+
<summary><b>recon — Full reconnaissance with depth-based technique selection</b></summary>
|
|
347
|
+
|
|
348
|
+
| Parameter | Type | Description |
|
|
349
|
+
|-----------|------|-------------|
|
|
350
|
+
| `url` | string | Target URL to fingerprint |
|
|
351
|
+
| `depth` | `quick` \| `standard` \| `deep` | Scan depth: quick=5 techniques, standard=20, deep=50+ |
|
|
352
|
+
|
|
353
|
+
Orchestrates techniques from all providers based on depth level. Quick mode gives a fast overview; deep mode runs exhaustive fingerprinting including enumeration, OSINT, and correlation.
|
|
354
|
+
|
|
355
|
+
</details>
|
|
356
|
+
|
|
357
|
+
<details>
|
|
358
|
+
<summary><b>scan_ports — TCP port scanning with service detection (3 techniques)</b></summary>
|
|
359
|
+
|
|
360
|
+
| Parameter | Type | Description |
|
|
361
|
+
|-----------|------|-------------|
|
|
362
|
+
| `host` | string | Target host (IP or domain) |
|
|
363
|
+
| `ports` | number[] | Optional — specific ports to scan (defaults to common ports) |
|
|
364
|
+
|
|
365
|
+
| Technique | Description |
|
|
366
|
+
|-----------|-------------|
|
|
367
|
+
| `tcp_probe` | TCP connect scan to detect open ports |
|
|
368
|
+
| `tcp_banner` | Banner grabbing on open ports for service identification |
|
|
369
|
+
| `tcp_analysis` | Port combination analysis and service inference |
|
|
370
|
+
|
|
371
|
+
</details>
|
|
372
|
+
|
|
373
|
+
<details>
|
|
374
|
+
<summary><b>scan_tls — Complete TLS/SSL analysis (8 techniques)</b></summary>
|
|
375
|
+
|
|
376
|
+
| Parameter | Type | Description |
|
|
377
|
+
|-----------|------|-------------|
|
|
378
|
+
| `host` | string | Target host (IP or domain) |
|
|
379
|
+
| `port` | number | Optional — TLS port (default: 443) |
|
|
380
|
+
|
|
381
|
+
| Technique | Description |
|
|
382
|
+
|-----------|-------------|
|
|
383
|
+
| `tls_certificate` | X.509 certificate parsing — subject, issuer, SANs, validity, chain |
|
|
384
|
+
| `tls_jarm` | JARM active fingerprinting — 10 TLS Client Hello probes, 62-char hash |
|
|
385
|
+
| `tls_ja4x` | JA4X passive TLS fingerprinting from certificate properties |
|
|
386
|
+
| `tls_ciphers` | Cipher suite enumeration and strength analysis |
|
|
387
|
+
| `tls_protocols` | Supported TLS protocol version detection (SSLv3 through TLS 1.3) |
|
|
388
|
+
| `tls_sni` | SNI behavior testing — default cert vs. requested hostname |
|
|
389
|
+
| `tls_ct_logs` | Certificate Transparency log lookup via crt.sh |
|
|
390
|
+
| `tls_ocsp` | OCSP stapling and revocation status check |
|
|
391
|
+
|
|
392
|
+
</details>
|
|
393
|
+
|
|
394
|
+
<details>
|
|
395
|
+
<summary><b>scan_dns — DNS intelligence (7 techniques)</b></summary>
|
|
396
|
+
|
|
397
|
+
| Parameter | Type | Description |
|
|
398
|
+
|-----------|------|-------------|
|
|
399
|
+
| `domain` | string | Target domain |
|
|
400
|
+
|
|
401
|
+
| Technique | Description |
|
|
402
|
+
|-----------|-------------|
|
|
403
|
+
| `dns_records` | Full record enumeration — A, AAAA, MX, NS, TXT, CNAME, SOA |
|
|
404
|
+
| `dns_email_auth` | SPF, DKIM, and DMARC record analysis |
|
|
405
|
+
| `dns_saas` | SaaS/service detection via CNAME and MX patterns (Slack, Zendesk, etc.) |
|
|
406
|
+
| `dns_server` | DNS server fingerprinting (BIND, PowerDNS, Cloudflare, etc.) |
|
|
407
|
+
| `dns_takeover` | Subdomain takeover detection via dangling CNAME analysis |
|
|
408
|
+
| `dns_zone` | Zone transfer attempt (AXFR) |
|
|
409
|
+
| `dns_caa` | CAA record analysis for certificate authority restrictions |
|
|
410
|
+
|
|
411
|
+
</details>
|
|
412
|
+
|
|
413
|
+
<details>
|
|
414
|
+
<summary><b>scan_http — HTTP/web fingerprinting (29 techniques)</b></summary>
|
|
415
|
+
|
|
416
|
+
| Parameter | Type | Description |
|
|
417
|
+
|-----------|------|-------------|
|
|
418
|
+
| `url` | string | Target URL |
|
|
419
|
+
|
|
420
|
+
| Technique | Provider | Description |
|
|
421
|
+
|-----------|----------|-------------|
|
|
422
|
+
| `http_headers` | HTTP | Response header analysis and server identification |
|
|
423
|
+
| `http_header_order` | HTTP | Header ordering fingerprint (server software signature) |
|
|
424
|
+
| `http_security_headers` | HTTP | Security header audit (CSP, HSTS, X-Frame-Options, etc.) |
|
|
425
|
+
| `http_cookies` | HTTP | Cookie analysis — flags, prefixes, framework detection |
|
|
426
|
+
| `http_methods` | HTTP | Allowed HTTP method enumeration (OPTIONS) |
|
|
427
|
+
| `http_cors` | HTTP | CORS policy analysis and misconfiguration detection |
|
|
428
|
+
| `http_compression` | HTTP | Supported compression algorithms (gzip, br, zstd) |
|
|
429
|
+
| `http_caching` | HTTP | Cache header analysis (CDN, reverse proxy detection) |
|
|
430
|
+
| `http_etag` | HTTP | ETag format analysis for backend identification |
|
|
431
|
+
| `http_error` | HTTP | Error page fingerprinting (custom vs. default error pages) |
|
|
432
|
+
| `http_redirect` | HTTP | Redirect chain analysis |
|
|
433
|
+
| `http_timing` | HTTP | Response timing baseline for server performance profiling |
|
|
434
|
+
| `http_favicon` | HTTP | Favicon hash (MurmurHash3) for technology identification |
|
|
435
|
+
| `http_robots` | HTTP | robots.txt parsing and disallowed path extraction |
|
|
436
|
+
| `http_sitemap` | HTTP | Sitemap discovery and URL extraction |
|
|
437
|
+
| `http_wellknown` | HTTP | .well-known endpoint discovery (security.txt, openid, etc.) |
|
|
438
|
+
| `web_tech` | Web | Technology detection via HTML/JS/CSS patterns |
|
|
439
|
+
| `web_analytics` | Web | Analytics and tracking service detection |
|
|
440
|
+
| `web_sourcemaps` | Web | Source map file discovery |
|
|
441
|
+
| `web_websocket` | Web | WebSocket endpoint detection |
|
|
442
|
+
| `web_graphql` | Web | GraphQL endpoint detection and introspection |
|
|
443
|
+
| `web_spa` | Web | Single-page application framework detection |
|
|
444
|
+
| `web_cdn` | Web | CDN detection via response headers and DNS |
|
|
445
|
+
| `web_meta` | Web | HTML meta tag analysis (generator, framework hints) |
|
|
446
|
+
| `web_feed` | Web | RSS/Atom feed discovery |
|
|
447
|
+
| `h2_detect` | HTTP/2 | HTTP/2 protocol support detection |
|
|
448
|
+
| `h2_fingerprint` | HTTP/2 | HTTP/2 server fingerprinting (SETTINGS, WINDOW_UPDATE) |
|
|
449
|
+
| `h2_h3` | HTTP/2 | HTTP/3 (QUIC) support detection via Alt-Svc header |
|
|
450
|
+
| `app_cms` | Application | CMS detection (WordPress, Drupal, Joomla, etc.) |
|
|
451
|
+
|
|
452
|
+
</details>
|
|
453
|
+
|
|
454
|
+
<details>
|
|
455
|
+
<summary><b>scan_paths — Path intelligence (5 techniques)</b></summary>
|
|
456
|
+
|
|
457
|
+
| Parameter | Type | Description |
|
|
458
|
+
|-----------|------|-------------|
|
|
459
|
+
| `url` | string | Target URL |
|
|
460
|
+
| `categories` | string[] | Optional — categories to check (sensitive, git, debug, api, config) |
|
|
461
|
+
|
|
462
|
+
| Technique | Description |
|
|
463
|
+
|-----------|-------------|
|
|
464
|
+
| `path_sensitive` | Sensitive file discovery (backup files, config files, database dumps) |
|
|
465
|
+
| `path_robots` | robots.txt and sitemap.xml analysis for hidden paths |
|
|
466
|
+
| `path_git` | Git repository leak detection (.git/HEAD, .git/config) |
|
|
467
|
+
| `path_debug` | Debug endpoint discovery (phpinfo, server-status, debug consoles) |
|
|
468
|
+
| `path_api` | API version and documentation endpoint discovery |
|
|
469
|
+
|
|
470
|
+
</details>
|
|
471
|
+
|
|
472
|
+
<details>
|
|
473
|
+
<summary><b>scan_waf — WAF/CDN detection and fingerprinting (4 techniques)</b></summary>
|
|
474
|
+
|
|
475
|
+
| Parameter | Type | Description |
|
|
476
|
+
|-----------|------|-------------|
|
|
477
|
+
| `url` | string | Target URL |
|
|
478
|
+
|
|
479
|
+
| Technique | Description |
|
|
480
|
+
|-----------|-------------|
|
|
481
|
+
| `waf_detect` | WAF presence detection via response header and behavior analysis |
|
|
482
|
+
| `waf_cdn` | CDN provider identification (Cloudflare, Akamai, Fastly, etc.) |
|
|
483
|
+
| `waf_fingerprint` | WAF product identification and version detection |
|
|
484
|
+
| `waf_origin` | Origin IP discovery behind WAF/CDN (requires `SECURITYTRAILS_API_KEY`) |
|
|
485
|
+
|
|
486
|
+
</details>
|
|
487
|
+
|
|
488
|
+
<details>
|
|
489
|
+
<summary><b>scan_services — Service-level probing (12 techniques)</b></summary>
|
|
490
|
+
|
|
491
|
+
| Parameter | Type | Description |
|
|
492
|
+
|-----------|------|-------------|
|
|
493
|
+
| `host` | string | Target host (IP or domain) |
|
|
494
|
+
| `ports` | number[] | Optional — specific ports to probe |
|
|
495
|
+
| `service` | string | Optional — specific service to probe (mysql, postgres, redis, ftp, ssh, smtp, vnc, iot) |
|
|
496
|
+
|
|
497
|
+
| Technique | Provider | Description |
|
|
498
|
+
|-----------|----------|-------------|
|
|
499
|
+
| `ssh_probe` | SSH | SSH protocol version and software detection |
|
|
500
|
+
| `ssh_algorithms` | SSH | SSH algorithm audit (KEX, ciphers, MACs, host key types) |
|
|
501
|
+
| `ssh_hostkey_lookup` | SSH | SSH host key lookup via Shodan (requires `SHODAN_API_KEY`) |
|
|
502
|
+
| `svc_mysql` | Service | MySQL version detection and capability fingerprinting |
|
|
503
|
+
| `svc_postgres` | Service | PostgreSQL version detection and SSL support check |
|
|
504
|
+
| `svc_redis` | Service | Redis version detection and authentication status |
|
|
505
|
+
| `svc_ftp` | Service | FTP banner analysis and anonymous login check |
|
|
506
|
+
| `svc_vnc_rdp` | Service | VNC/RDP service detection and security assessment |
|
|
507
|
+
| `smtp_banner` | SMTP | SMTP banner analysis and MTA identification |
|
|
508
|
+
| `smtp_starttls` | SMTP | SMTP STARTTLS support and certificate inspection |
|
|
509
|
+
| `iot_detect` | IoT | IoT device detection via banner patterns and default pages |
|
|
510
|
+
| `iot_upnp` | IoT | UPnP/SSDP device discovery on local network |
|
|
511
|
+
|
|
512
|
+
</details>
|
|
513
|
+
|
|
514
|
+
<details>
|
|
515
|
+
<summary><b>enumerate — Scope expansion (8 techniques)</b></summary>
|
|
516
|
+
|
|
517
|
+
| Parameter | Type | Description |
|
|
518
|
+
|-----------|------|-------------|
|
|
519
|
+
| `domain` | string | Target domain |
|
|
520
|
+
|
|
521
|
+
| Technique | Description |
|
|
522
|
+
|-----------|-------------|
|
|
523
|
+
| `enum_subdomains` | Subdomain enumeration via multiple methods |
|
|
524
|
+
| `enum_wildcard` | Wildcard DNS detection |
|
|
525
|
+
| `enum_tld` | TLD expansion (target.com -> target.net, target.org, etc.) |
|
|
526
|
+
| `enum_related` | Related domain discovery via shared infrastructure |
|
|
527
|
+
| `enum_asn` | ASN neighbor discovery — other domains on same network |
|
|
528
|
+
| `enum_ct` | Certificate Transparency log subdomain extraction |
|
|
529
|
+
| `enum_passive_dns` | Passive DNS history (requires `SECURITYTRAILS_API_KEY`) |
|
|
530
|
+
| `enum_scope` | Scope summary and attack surface overview |
|
|
531
|
+
|
|
532
|
+
</details>
|
|
533
|
+
|
|
534
|
+
<details>
|
|
535
|
+
<summary><b>osint — OSINT enrichment (6 techniques)</b></summary>
|
|
536
|
+
|
|
537
|
+
| Parameter | Type | Description |
|
|
538
|
+
|-----------|------|-------------|
|
|
539
|
+
| `target` | string | IP address or domain to enrich |
|
|
540
|
+
| `type` | `ip` \| `domain` | Optional — target type (auto-detected if omitted) |
|
|
541
|
+
|
|
542
|
+
| Technique | Auth | Description |
|
|
543
|
+
|-----------|------|-------------|
|
|
544
|
+
| `osint_shodan` | `SHODAN_API_KEY` | Shodan host lookup — open ports, banners, vulns, OS |
|
|
545
|
+
| `osint_censys` | `CENSYS_API_ID` + `CENSYS_API_SECRET` | Censys host data — services, TLS, autonomous system |
|
|
546
|
+
| `osint_reverse_ip` | None | Reverse IP lookup — other domains on same IP |
|
|
547
|
+
| `osint_whois` | None | WHOIS registration data — registrar, dates, nameservers |
|
|
548
|
+
| `osint_webarchive` | None | Web Archive history — first/last snapshot, change frequency |
|
|
549
|
+
| `osint_virustotal` | `VIRUSTOTAL_API_KEY` | VirusTotal domain/IP report — detections, categories, DNS |
|
|
550
|
+
|
|
551
|
+
</details>
|
|
552
|
+
|
|
553
|
+
<details>
|
|
554
|
+
<summary><b>analyze — Passive fingerprint analysis (3 modes)</b></summary>
|
|
555
|
+
|
|
556
|
+
| Parameter | Type | Description |
|
|
557
|
+
|-----------|------|-------------|
|
|
558
|
+
| `type` | `headers` \| `html` \| `banner` | Type of data to analyze |
|
|
559
|
+
| `data` | string | Raw data to analyze (paste headers, HTML, or banner output) |
|
|
560
|
+
|
|
561
|
+
| Mode | Description |
|
|
562
|
+
|------|-------------|
|
|
563
|
+
| `fp_analyze_headers` | Passive HTTP header analysis — server, framework, proxy detection without sending traffic |
|
|
564
|
+
| `fp_analyze_html` | Passive HTML analysis — technology detection, framework identification from source |
|
|
565
|
+
| `fp_analyze_banner` | Passive banner analysis — service identification from raw banner text |
|
|
566
|
+
|
|
567
|
+
</details>
|
|
568
|
+
|
|
569
|
+
<details>
|
|
570
|
+
<summary><b>correlate — Multi-signal correlation engine (7 modes)</b></summary>
|
|
571
|
+
|
|
572
|
+
| Parameter | Type | Description |
|
|
573
|
+
|-----------|------|-------------|
|
|
574
|
+
| `type` | `consistency` \| `honeypot` \| `spoofing` \| `compare` \| `topology` \| `c2` \| `identify` | Correlation mode |
|
|
575
|
+
| `signals` | object | Fingerprint signals to correlate (varies by mode) |
|
|
576
|
+
|
|
577
|
+
| Mode | Description |
|
|
578
|
+
|------|-------------|
|
|
579
|
+
| `fp_consistency` | Cross-layer signal consistency check — do TCP, TLS, HTTP, and DNS fingerprints agree? |
|
|
580
|
+
| `fp_honeypot` | Honeypot detection — checks for impossible service combinations and behavioral anomalies |
|
|
581
|
+
| `fp_spoofing` | Spoofing detection — identifies mismatched server headers vs. actual behavior |
|
|
582
|
+
| `fp_compare` | Side-by-side comparison of two hosts' fingerprint profiles |
|
|
583
|
+
| `fp_topology` | Infrastructure topology mapping — CDN, load balancer, reverse proxy chain |
|
|
584
|
+
| `fp_c2` | C2 framework detection via JARM, TLS, HTTP, and timing correlation |
|
|
585
|
+
| `fp_identify` | Hash-based identification against known signature database |
|
|
586
|
+
|
|
587
|
+
</details>
|
|
588
|
+
|
|
589
|
+
<details>
|
|
590
|
+
<summary><b>meta — Server configuration and data (3 modes)</b></summary>
|
|
591
|
+
|
|
592
|
+
| Parameter | Type | Description |
|
|
593
|
+
|-----------|------|-------------|
|
|
594
|
+
| `category` | string | Optional — filter by category |
|
|
595
|
+
|
|
596
|
+
| Mode | Description |
|
|
597
|
+
|------|-------------|
|
|
598
|
+
| `fp_sources` | List all available data sources with configuration and API key status |
|
|
599
|
+
| `fp_config` | Server configuration — version, loaded providers, technique count |
|
|
600
|
+
| `fp_signatures` | Signature database listing — JARM, banner, WAF, application signatures |
|
|
601
|
+
|
|
602
|
+
</details>
|
|
603
|
+
|
|
604
|
+
---
|
|
605
|
+
|
|
606
|
+
### CLI Usage
|
|
607
|
+
|
|
608
|
+
```bash
|
|
609
|
+
# List all available tools and techniques
|
|
610
|
+
npx fingerprint-mcp --list
|
|
611
|
+
|
|
612
|
+
# Run any tool directly
|
|
613
|
+
npx fingerprint-mcp --tool recon '{"url":"https://example.com","depth":"quick"}'
|
|
614
|
+
npx fingerprint-mcp --tool scan_tls '{"host":"example.com"}'
|
|
615
|
+
npx fingerprint-mcp --tool scan_ports '{"host":"10.0.1.50","ports":[22,80,443,3306,8080]}'
|
|
616
|
+
npx fingerprint-mcp --tool scan_dns '{"domain":"example.com"}'
|
|
617
|
+
npx fingerprint-mcp --tool scan_http '{"url":"https://example.com"}'
|
|
618
|
+
npx fingerprint-mcp --tool scan_waf '{"url":"https://example.com"}'
|
|
619
|
+
npx fingerprint-mcp --tool scan_services '{"host":"10.0.1.50","service":"redis"}'
|
|
620
|
+
npx fingerprint-mcp --tool enumerate '{"domain":"example.com"}'
|
|
621
|
+
npx fingerprint-mcp --tool analyze '{"type":"headers","data":"Server: nginx/1.24.0\nX-Powered-By: Express"}'
|
|
622
|
+
npx fingerprint-mcp --tool correlate '{"type":"honeypot","signals":{"jarm":"...","banner":"..."}}'
|
|
623
|
+
npx fingerprint-mcp --tool meta '{}'
|
|
624
|
+
|
|
625
|
+
# OSINT tools (require API keys)
|
|
626
|
+
SHODAN_API_KEY=your-key npx fingerprint-mcp --tool osint '{"target":"203.0.113.42","type":"ip"}'
|
|
627
|
+
```
|
|
628
|
+
|
|
629
|
+
---
|
|
630
|
+
|
|
631
|
+
## Data Sources (21)
|
|
632
|
+
|
|
633
|
+
| Source | Auth | What it provides |
|
|
634
|
+
|--------|------|-----------------|
|
|
635
|
+
| TCP probing | None | Port scanning, banner grabbing, service detection |
|
|
636
|
+
| TLS/SSL analysis | None | Certificate parsing, JARM fingerprinting, JA4X, cipher enumeration, SNI testing |
|
|
637
|
+
| SSH probing | None | Protocol version, algorithm audit, software detection |
|
|
638
|
+
| HTTP analysis | None | Header fingerprinting, favicon hashing, cookie analysis, method enumeration, CORS |
|
|
639
|
+
| Web detection | None | Technology detection, analytics, source maps, WebSocket, GraphQL, SPA frameworks |
|
|
640
|
+
| Path discovery | None | Sensitive files, git leaks, debug endpoints, API versions, robots.txt |
|
|
641
|
+
| DNS resolution | None | Record enumeration, email auth analysis, SaaS detection, server fingerprinting |
|
|
642
|
+
| WAF/CDN detection | None | WAF identification, CDN detection, WAF fingerprinting |
|
|
643
|
+
| Timing analysis | None | Response timing baseline, clock skew detection |
|
|
644
|
+
| HTTP/2 & HTTP/3 | None | HTTP/2 detection and fingerprinting, HTTP/3 Alt-Svc discovery |
|
|
645
|
+
| SMTP probing | None | SMTP banner analysis, STARTTLS inspection |
|
|
646
|
+
| IoT/Embedded | None | IoT device detection, UPnP/SSDP discovery |
|
|
647
|
+
| Application detection | None | CMS, framework, and e-commerce platform identification |
|
|
648
|
+
| Service probing | None | MySQL, PostgreSQL, Redis, FTP, VNC/RDP fingerprinting |
|
|
649
|
+
| Infrastructure detection | None | Cloud provider, hosting provider, CDN identification |
|
|
650
|
+
| Correlation engine | None | Signal consistency, honeypot detection, spoofing detection, topology mapping |
|
|
651
|
+
| Identification engine | None | Hash-based identification, C2 detection, signature matching |
|
|
652
|
+
| [Shodan](https://www.shodan.io) | `SHODAN_API_KEY` | Host intelligence — open ports, banners, vulnerabilities, OS detection |
|
|
653
|
+
| [Censys](https://censys.io) | `CENSYS_API_ID` | Host data — services, TLS certificates, autonomous system info |
|
|
654
|
+
| [SecurityTrails](https://securitytrails.com) | `SECURITYTRAILS_API_KEY` | WAF origin discovery, passive DNS history, historical records |
|
|
655
|
+
| [VirusTotal](https://www.virustotal.com) | `VIRUSTOTAL_API_KEY` | Domain/IP reputation, detection results, DNS history, categories |
|
|
656
|
+
|
|
657
|
+
---
|
|
658
|
+
|
|
659
|
+
## Architecture
|
|
660
|
+
|
|
661
|
+
```
|
|
662
|
+
src/
|
|
663
|
+
index.ts # CLI entrypoint (--help, --list, --tool, stdio server)
|
|
664
|
+
protocol/
|
|
665
|
+
mcp-server.ts # MCP server setup (stdio transport)
|
|
666
|
+
tools.ts # Tool registry — all 13 composite tools registered here
|
|
667
|
+
types/
|
|
668
|
+
index.ts # Shared types (ToolDef, ToolContext, ToolResult)
|
|
669
|
+
utils/
|
|
670
|
+
rate-limiter.ts # Per-provider rate limiter
|
|
671
|
+
cache.ts # TTL cache for API responses
|
|
672
|
+
require-key.ts # API key validation helper
|
|
673
|
+
murmurhash3.ts # MurmurHash3 for favicon hashing
|
|
674
|
+
composite/ # 13 composite tool orchestrators
|
|
675
|
+
recon.ts # Full recon orchestrator (quick/standard/deep)
|
|
676
|
+
scan-ports.ts # Port scanning composite
|
|
677
|
+
scan-tls.ts # TLS analysis composite
|
|
678
|
+
scan-dns.ts # DNS intelligence composite
|
|
679
|
+
scan-http.ts # HTTP fingerprinting composite
|
|
680
|
+
scan-paths.ts # Path discovery composite
|
|
681
|
+
scan-waf.ts # WAF/CDN detection composite
|
|
682
|
+
scan-services.ts # Service probing composite
|
|
683
|
+
analyze.ts # Passive analysis composite
|
|
684
|
+
correlate.ts # Correlation engine composite
|
|
685
|
+
enumerate.ts # Scope expansion composite
|
|
686
|
+
osint.ts # OSINT enrichment composite
|
|
687
|
+
meta.ts # Server meta composite
|
|
688
|
+
helpers.ts # Shared composite helpers
|
|
689
|
+
tcp/ # TCP probing techniques (3)
|
|
690
|
+
tls/ # TLS/SSL analysis techniques (8)
|
|
691
|
+
ssh/ # SSH probing techniques (3)
|
|
692
|
+
http/ # HTTP fingerprinting techniques (16)
|
|
693
|
+
web/ # Web technology detection techniques (9)
|
|
694
|
+
path/ # Path discovery techniques (5)
|
|
695
|
+
dns/ # DNS intelligence techniques (7)
|
|
696
|
+
waf/ # WAF/CDN detection techniques (4)
|
|
697
|
+
timing/ # Timing analysis techniques (2)
|
|
698
|
+
h2/ # HTTP/2 & HTTP/3 techniques (3)
|
|
699
|
+
smtp/ # SMTP probing techniques (2)
|
|
700
|
+
iot/ # IoT/embedded detection techniques (2)
|
|
701
|
+
app/ # Application detection techniques (3)
|
|
702
|
+
service/ # Service probing techniques (5)
|
|
703
|
+
infra/ # Infrastructure detection techniques (3)
|
|
704
|
+
correlation/ # Correlation engine (5)
|
|
705
|
+
identify/ # Identification engine (3)
|
|
706
|
+
passive/ # Passive analysis (3)
|
|
707
|
+
osint/ # OSINT enrichment techniques (6)
|
|
708
|
+
enum/ # Enumeration techniques (8)
|
|
709
|
+
meta/ # Meta tools (3)
|
|
710
|
+
data/ # Signature databases and pattern libraries
|
|
711
|
+
jarm-signatures.ts # Known JARM fingerprints (C2, servers, CDNs)
|
|
712
|
+
waf-signatures.ts # WAF detection signatures
|
|
713
|
+
service-banners.ts # Service banner patterns
|
|
714
|
+
tech-patterns.ts # Technology detection patterns
|
|
715
|
+
favicon-hashes.ts # Known favicon MurmurHash3 values
|
|
716
|
+
c2-signatures.ts # C2 framework signatures
|
|
717
|
+
... # 15+ signature/pattern databases
|
|
718
|
+
```
|
|
719
|
+
|
|
720
|
+
**Design decisions:**
|
|
721
|
+
|
|
722
|
+
- **13 composite tools, 103 techniques** — The agent calls high-level tools (`recon`, `scan_tls`, `scan_http`). Each composite orchestrates multiple low-level techniques and returns correlated results. This reduces tool-call overhead while maintaining granularity.
|
|
723
|
+
- **21 providers, 1 server** — Every fingerprinting layer is an independent module. The composite orchestrator selects techniques based on context and depth.
|
|
724
|
+
- **Active-first, OSINT-optional** — 80+ techniques work by directly probing the target with zero API keys. OSINT providers (Shodan, Censys, VirusTotal, SecurityTrails) add enrichment but are never required.
|
|
725
|
+
- **Per-provider rate limiters** — Each provider has its own `RateLimiter` instance. Active probing is rate-limited to avoid detection; OSINT APIs are calibrated to their quotas.
|
|
726
|
+
- **TTL caching** — DNS records (10min), OSINT results (15min), CT logs (30min) are cached to avoid redundant lookups during multi-tool workflows.
|
|
727
|
+
- **Graceful degradation** — Missing API keys don't crash the server. OSINT tools return descriptive messages: "Set SHODAN_API_KEY to enable Shodan host lookup."
|
|
728
|
+
- **3 dependencies** — `@modelcontextprotocol/sdk`, `zod`, and `cheerio`. All network I/O via native `fetch()` and Node.js `net`/`tls`/`dns` modules. No nmap, no external binaries.
|
|
729
|
+
|
|
730
|
+
---
|
|
731
|
+
|
|
732
|
+
## Limitations
|
|
733
|
+
|
|
734
|
+
- OSINT tools (Shodan, Censys, VirusTotal, SecurityTrails) require API keys for their respective techniques
|
|
735
|
+
- Censys free tier limited to 250 queries/month
|
|
736
|
+
- VirusTotal free tier limited to 500 queries/day
|
|
737
|
+
- Port scanning uses TCP connect (not SYN scan) — less stealthy than nmap but requires no root privileges
|
|
738
|
+
- JARM fingerprinting requires direct TCP access to the target (may be blocked by firewalls)
|
|
739
|
+
- UPnP/SSDP discovery only works on local networks
|
|
740
|
+
- Service probing (MySQL, PostgreSQL, Redis) connects but does not authenticate
|
|
741
|
+
- Subdomain enumeration relies on CT logs and passive sources (no brute-force)
|
|
742
|
+
- macOS / Linux tested (Windows not tested)
|
|
743
|
+
|
|
744
|
+
---
|
|
745
|
+
|
|
746
|
+
## Part of the MCP Security Suite
|
|
747
|
+
|
|
748
|
+
| Project | Domain | Tools |
|
|
749
|
+
|---|---|---|
|
|
750
|
+
| [hackbrowser-mcp](https://github.com/badchars/hackbrowser-mcp) | Browser-based security testing | 39 tools, Firefox, injection testing |
|
|
751
|
+
| [cloud-audit-mcp](https://github.com/badchars/cloud-audit-mcp) | Cloud security (AWS/Azure/GCP) | 38 tools, 60+ checks |
|
|
752
|
+
| [github-security-mcp](https://github.com/badchars/github-security-mcp) | GitHub security posture | 39 tools, 45 checks |
|
|
753
|
+
| [cve-mcp](https://github.com/badchars/cve-mcp) | Vulnerability intelligence | 23 tools, 5 sources |
|
|
754
|
+
| [osint-mcp-server](https://github.com/badchars/osint-mcp-server) | OSINT & reconnaissance | 37 tools, 12 sources |
|
|
755
|
+
| [darknet-mcp-server](https://github.com/badchars/darknet-mcp-server) | Dark web & threat intelligence | 66 tools, 16 sources |
|
|
756
|
+
| **fingerprint-mcp** | **Universal digital fingerprinting** | **13 tools, 103 techniques, 21 providers** |
|
|
757
|
+
|
|
758
|
+
---
|
|
759
|
+
|
|
760
|
+
<p align="center">
|
|
761
|
+
<b>For authorized security testing and assessment only.</b><br>
|
|
762
|
+
Always ensure you have proper authorization before performing fingerprinting on any target.
|
|
763
|
+
</p>
|
|
764
|
+
|
|
765
|
+
<p align="center">
|
|
766
|
+
<a href="LICENSE">AGPL-3.0 License</a> • Built with Bun + TypeScript
|
|
767
|
+
</p>
|