Skip to main content
scan4all includes comprehensive web fingerprinting capabilities with over 7000 fingerprints for identifying web technologies, CMS platforms, frameworks, and server software. The fingerprinting engine combines multiple detection methods and databases for maximum accuracy.

Fingerprint Sources

scan4all integrates multiple fingerprint databases:

HTTPx Fingerprints

Web server and technology detection from the httpx project

VScan Fingerprints

Comprehensive fingerprint database from vscan

eHole Fingerprints

eHoleFinger database for CMS and application detection

Local Fingerprints

Custom localFinger database for proprietary applications
Total Coverage: 7000+ unique fingerprints

Detection Methods

scan4all employs multiple detection techniques for accurate identification:

1. Keyword Matching

Searches for specific strings in HTTP responses: 
method: "keyword"
location: "body"  // or "header", "title", "all"
keyword: ["WordPress", "wp-content"]
keywordMathOr: true  // Match any keyword (OR logic)
Example detection: 
<!-- Response body -->
<meta name="generator" content="WordPress 6.0" />
<link rel='stylesheet' href='/wp-content/themes/...' />

2. Regular Expressions

Advanced pattern matching: 
method: "regular"
keyword: ["<title>.*Tomcat.*</title>"]
location: "all"

3. Favicon Hash

Unique fingerprinting via favicon icon hashing: 
method: "faviconhash"
keyword: ["-235013277"]  // Jenkins favicon hash
Hash algorithm: 
func FavicohashMd5(nId int, u *url.URL, body []byte, header *http.Header) string {
    // 1. Extract favicon from HTML or default path
    // 2. Calculate hash using custom algorithm
    // 3. Return unique identifier
}

4. MD5 Hash Matching

Complete response body MD5 fingerprinting: 
method: "md5"
keyword: ["5d41402abc4b2a76b9719d911017c592"]
location: "body"

5. Base64 Detection

Encoded content matching: 
method: "base64"
keyword: ["encoded_pattern"]

6. Hexadecimal Matching

Binary content fingerprinting: 
method: "hex"
keyword: ["504B0304"]  // ZIP file signature

7. Status Code Detection

HTTP status code patterns: 
method: "keyword"
location: "status_code"
keyword: ["403", "401"]

Fingerprint Structure

Fingerprint Definition

type Fingerprint struct {
    Id             int      // Unique fingerprint ID
    Cms            string   // Technology name
    Method         string   // Detection method
    Location       string   // Search location
    Keyword        []string // Match patterns
    KeywordMathOr  bool     // OR vs AND logic
    UrlPath        string   // Specific URL path
}

Example Fingerprints

{
  "id": 1001,
  "cms": "WordPress",
  "method": "keyword",
  "location": "body",
  "keyword": ["wp-content", "wp-includes"],
  "keywordMathOr": true,
  "urlPath": "/"
}

Detection Locations

Fingerprints can target specific parts of HTTP responses:

Response Body

location: "body"
// Searches in HTML content, JavaScript, JSON responses

HTTP Headers

location: "header"
// Searches in Server, X-Powered-By, and custom headers
Common header fingerprints: 
Server: nginx/1.18.0
X-Powered-By: PHP/7.4.3
X-AspNet-Version: 4.0.30319
X-Framework: Laravel

Page Title

location: "title"
// Searches in <title> tag content

Status Code

location: "status_code"
// Matches HTTP response codes

All Locations

location: "all"
// Searches headers + body combined

Fingerprinting Process

1

HTTP Request

Send HTTP request to target URL:
GET / HTTP/1.1
Host: example.com
User-Agent: scan4all
2

Response Collection

Collect response data:
  • Status code
  • Headers (as JSON and raw text)
  • Body content
  • Page title
  • Favicon hash
3

Hash Generation

Generate multiple hashes:
md5Body := FavicohashMd5(0, nil, body, nil)
hexBody := hex.EncodeToString(body)
md5Title := FavicohashMd5(0, nil, []byte(title), nil)
hexHeader := hex.EncodeToString([]byte(headersjson))
4

Fingerprint Matching

Iterate through fingerprint databases:
  • Match by method (keyword, regex, hash, etc.)
  • Check location (body, header, title, etc.)
  • Validate against URL path
  • Apply OR/AND logic for keywords
5

Result Aggregation

Collect and deduplicate identified technologies:
cms = []string{"WordPress", "Nginx", "PHP", "MySQL"}

Smart Features

Honeypot Detection

Automatically identifies and skips honeypots: 
func CheckHoneyport(a []string) (bool, []string) {
    // If > 10 technologies detected = likely honeypot
    bRst := util.EnableHoneyportDetection && 10 < len(a)
    if bRst {
        a = []string{}  // Discard results
    }
    return bRst, a
}
Enable honeypot detection with:
EnableHoneyportDetection=true scan4all -host example.com

Favicon Caching

Each target’s favicon is only processed once: 
var Mfavhash *sync.Map = new(sync.Map)

if _, ok := Mfavhash.Load(u01.Host + favhash); ok {
    return cms  // Skip if already processed
}
Mfavhash.Store(u01.Host + favhash, 1)

URL Path Matching

Fingerprints can target specific paths: 
if finp.UrlPath == "" || strings.HasSuffix(szUrl, finp.UrlPath) {
    // Only check if URL matches required path
}
Example:
  • SpringBoot favicon: /favicon.ico
  • Tomcat manager: /manager/html
  • Jenkins: /

Duplicate Prevention

Same URL + same component ID limited to prevent over-matching: 
var Max_Count = 10  // Maximum fingerprints per URL

if len(cms) >= Max_Count {
    break  // Stop matching
}

Component ID Tracking

Tracks which fingerprints matched: 
var MFid *sync.Map  // Maps URL → Component ID → Match count

func SvUrl2Id(szUrl string, finp *Fingerprint, rMz string) {
    // Track fingerprint matches per URL
    // Prevents duplicate matches
}

Configuration

Enable/Disable Features

# Enable title and header MD5/hex fingerprinting
enableFingerTitleHeaderMd5Hex=true scan4all -host example.com

Custom Fingerprint Files

Add custom fingerprints: 
# Location for custom fingerprints
pkg/fingerprint/dicts/custom_fingerprints.json
Custom fingerprint format: 
{
  "fingerprint": [
    {
      "cms": "Custom App",
      "method": "keyword",
      "location": "header",
      "keyword": ["X-Custom-App"],
      "keywordMathOr": false
    }
  ]
}

Integration with Vulnerability Detection

Fingerprinting directly feeds into POC selection: Automatic POC selection: 
# WordPress detected → 419 WordPress POCs loaded
# Weblogic detected → 11 Weblogic CVE checks loaded
# Spring Boot detected → Spring-specific vulnerabilities checked

Common Detectable Technologies

Web Servers

Apache

Nginx

IIS

Tomcat

Jetty

WebLogic

JBoss

WebSphere

Undertow

CMS Platforms

WordPress

Joomla

Drupal

DedeCMS

Discuz

PhpCMS

帝国CMS

Magento

Shopify

Frameworks

Spring Boot

Laravel

Django

Flask

Ruby on Rails

Express.js

ASP.NET

ThinkPHP

Yii

Technologies

PHP

Java

Python

Node.js

Go

Ruby

.NET

Perl

ASP

Output Format

Console Output

[Fingerprint] https://example.com
  ├─ Web Server: Nginx/1.18.0
  ├─ Framework: Laravel
  ├─ Language: PHP/7.4.3
  ├─ CMS: WordPress 6.0
  ├─ Database: MySQL (inferred)
  └─ Technologies: jQuery, Bootstrap

JSON Output

{
  "url": "https://example.com",
  "fingerprints": ["Nginx", "Laravel", "PHP", "WordPress"],
  "fingerprintIds": ["101", "205", "310", "1001"],
  "timestamp": "2026-03-05T10:30:00Z"
}

Elasticsearch Storage

# Query by technology
curl "http://127.0.0.1:9200/fingerprint_index/_search?q=fingerprints:WordPress"

# Query by URL
curl "http://127.0.0.1:9200/fingerprint_index/_search?q=url:example.com"

Advanced Use Cases

Technology Stack Enumeration

Complete stack identification: 
scan4all -host https://example.com -v
Output: 
Front-end: React, Bootstrap, jQuery
Web Server: Nginx
Application: Node.js + Express
Database: MongoDB (inferred from headers)
Cache: Redis (from port scan)
CDN: Cloudflare

Version Detection

When versions are exposed: 
[Version Info]
  Apache/2.4.41 (Ubuntu)
  PHP/7.4.3
  OpenSSL/1.1.1f

Plugin/Module Detection

For WordPress, Joomla, etc.: 
[WordPress Plugins]
  ├─ WooCommerce 6.5.1
  ├─ Yoast SEO 19.2
  ├─ Contact Form 7
  └─ Wordfence Security

Performance Optimization

Concurrent Fingerprinting

Multiple URLs fingerprinted in parallel: 
// Worker threads for fingerprinting
var ch = make(chan struct{}, util.Fuzzthreads)

Caching

Results cached to prevent re-fingerprinting: 
if util.TestRepeat(u01.Host, "FileFuzz") {
    return []string{}, []string{}  // Skip if already processed
}

Early Exit

Stops after maximum matches: 
if len(cms) >= Max_Count {
    break  // Prevent over-matching
}

Example Workflows

# Fingerprint a single website
scan4all -host https://example.com -np -v

Troubleshooting

No Fingerprints Detected

1

Check HTTP Response

Ensure the target is responding:
curl -I https://example.com
2

Enable Verbose Mode

scan4all -host https://example.com -v -debug
3

Verify Fingerprint Database

Ensure fingerprint files are loaded:
err := LoadWebfingerprintEhole()
err := LoadWebfingerprintLocal()

Too Many Fingerprints (Honeypot)

# Enable honeypot detection
EnableHoneyportDetection=true scan4all -host suspicious.com

# If > 10 technologies detected, results are discarded

Custom Technology Not Detected

Add custom fingerprint: 
// pkg/fingerprint/dicts/localFinger.json
{
  "fingerprint": [
    {
      "cms": "Your Custom App",
      "method": "keyword",
      "location": "header",
      "keyword": ["X-Your-Custom-Header"],
      "keywordMathOr": false
    }
  ]
}

Best Practices

1

Combine with Port Scanning

Let port scanning discover web services first:
scan4all -host 192.168.1.1 -v
2

Use Verbose Output

Monitor fingerprinting process:
scan4all -host example.com -v
3

Export Results

Save for analysis:
scan4all -host example.com -json -o fingerprints.json
4

Correlate with Vulnerabilities

Use fingerprints to guide POC selection:
# Don't use -np flag to enable POC checks
scan4all -host example.com -v

Build docs developers (and LLMs) love

Get started for freeTalk to us