Downloads, Fingerprintx, Hacking Tools, Scanners, Scanning, Server, Service Discovery

Fingerprintx – Standalone Utility For Service Discovery On Open Ports!

fingerprintx is a utility similar to httpx that also supports fingerprinting services like as RDP, SSH, MySQL, PostgreSQL, Kafka, etc. fingerprintx can be used alongside port scanners like Naabu to fingerprint a set of ports identified during a port scan. For example, an engineer may wish to scan an IP range and then rapidly fingerprint the service running on all the discovered ports.

  • Fast fingerprinting of exposed services
  • Application layer service discovery
  • Plays nicely with other command line tools
  • Automatic metadata collection from identified services

Supported Protocols:


From Github

From source (go version > 1.18)

1.18 $ go build ./cmd/fingerprintx $ ./fingerprintx -h” dir=”auto”>

$ git clone [email protected]:praetorian-inc/fingerprintx.git
$ cd fingerprintx

# with go version > 1.18
$ go build ./cmd/fingerprintx
$ ./fingerprintx -h


$ git clone [email protected]:praetorian-inc/fingerprintx.git
$ cd fingerprintx

# build
docker build -t fingerprintx .

# and run it
docker run --rm fingerprintx -h
docker run --rm fingerprintx -t --json

fingerprintx -h

The -h option will display all of the supported flags for fingerprintx.

fingerprintx [flags]
Requires a host and port number or ip and port number. The port is assumed to be open.
fingerprintx -t
fingerprintx -l input-file.txt
fingerprintx --json -t,

--csv output format in csv
-f, --fast fast mode
-h, --help help for fingerprintx
--json output format in json
-l, --list string input file containing targets
-o, --output string output file
-t, --targets strings target or comma separated target list
-w, --timeout int timeout (milliseconds) (default 500)
-U, --udp run UDP plugins
-v, --verbose verbose mode

The fast mode will only attempt to fingerprint the default service associated with that port for each target. For example, if is the input, only the https plugin would be run. If https is not running on, there will be NO output. Why do this? It’s a quick way to fingerprint most of the services in a large list of hosts (think the 80/20 rule).

With one target:

$ fingerprintx -t

By default, the output is in the form: SERVICE://HOST:PORT. To get more detailed service output specify JSON with the --json flag:

$ fingerprintx -t --json
{"ip":"","port":8000,"service":"http","transport":"tcp","metadata":{"responseHeaders":{"Content-Length":["1154"],"Content-Type":["text/html; charset=utf-8"],"Date":["Mon, 19 Sep 2022 18:23:18 GMT"],"Server":["SimpleHTTP/0.6 Python/3.10.6"]},"status":"200 OK","statusCode":200,"version":"SimpleHTTP/0.6 Python/3.10.6"}}

Pipe in output from another program (like naabu):

/dev/null | fingerprintx″ dir=”auto”>

$ naabu -silent 2>/dev/null | fingerprintx

Run with an input file:

$ cat input.txt | fingerprintx

# or if you prefer
$ fingerprintx -l input.txt

With more metadata output:

Why Not Nmap?

Nmap is the standard for network scanning. Why use fingerprintx instead of nmap? The main two reasons are:

  • fingerprintx works smarter, not harder: the first plugin run against a server with port 8080 open is the http plugin. The default service approach cuts down scanning time in the best case. Most of the time the services running on port 80, 443, 22 are http, https, and ssh — so that’s what fingerprintx checks first.
  • fingerprintx supports json output with the --json flag. Nmap supports numerous output options (normal, xml, grep), but they are often hard to parse and script appropriately. fingerprintx supports json output which eases integration with other tools in processing pipelines.
  • Why do you have a third_party folder that imports the Go cryptography libraries?
    • Good question! The ssh fingerprinting module identifies the various cryptographic options supported by the server when collecting metadata during the handshake process. This makes use of a few unexported functions, which is why the Go cryptography libraries are included here with an export.go file.
  • Fingerprintx is not designed to identify open ports on the target systems and assumes that every target:port input is open. If none of the ports are open there will be no output as there are no services running on the targets.
  • How does this compare to zgrab2?
    • The zgrab2 command line usage (and use case) is slightly different than fingerprintx. For zgrab2, the protocol must be specified ahead of time: echo | zgrab2 http -p 8000, which assumes you already know what is running there. For fingerprintx, that is not the case: echo | fingerprintx. The “application layer” protocol scanning approach is very similar.

fingerprintx is the work of a lot of people, including our great intern class of 2022. Here is a list of contributors so far:

Source : KitPloit – PenTest Tools!

Previous ArticleNext Article
Send this to a friend