loading
loading
Network
A standalone utility for service discovery on open ports.
overview
fingerprintx takes a target, or a list of host:port pairs, and works out which service answers on each open port. Instead of trusting the port number, it speaks each protocol and reads the response, so it can tell HTTP from SSH from Redis even when they sit on non-standard ports.
It pairs with a port scanner: naabu or nmap finds the open ports, fingerprintx names what is listening. Plugins cover many TCP and UDP protocols, -U turns on UDP checks, -f trades some coverage for speed, and --json or --csv emit structured records for the next stage.
Chain it after a port scan in a Trickest Network workflow, then route named services into httpx, screenshots, or protocol-specific testing so later nodes act on labeled listeners rather than bare port numbers.
use cases
Pass open ports from a scan to fingerprintx so each one is labeled with the real protocol and service, not guessed from the port number.
Find SSH on 2222 or a database on an odd port by speaking each protocol and reading the reply, so nothing hides behind an unexpected assignment.
Enable -U to fingerprint DNS, SNMP, and other datagram services that a TCP-only scan leaves invisible.
Use --json or --csv so every fingerprinted service becomes a record downstream nodes can filter and route to protocol-specific testing.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target | STRING | -t | Target or comma separated target list. |
| list | FILE | -l | Input file containing targets. |
| json | BOOLEAN | --json | Output format in JSON. |
| csv | BOOLEAN | --csv | Output format in CSV. |
| udp | BOOLEAN | -U | Run UDP plugins. |
| fast | BOOLEAN | -f | Fast mode. |
| timeout | STRING | -w | Timeout in milliseconds (default 500). |
| verbose | BOOLEAN | -v | Verbose mode. |
Showing key inputs. fingerprintx exposes 8 inputs in total.
example
# fingerprint services on open ports from a naabu list; JSON outfingerprintx -l open-ports.txt --json -w 1000example.com:22/tcp (ssh)example.com:80/tcp (http)example.com:443/tcp (https)api.example.com:8443/tcp (https)staging.example.com:2222/tcp (ssh)198.51.100.24:3306/tcp (mysql)198.51.100.24:6379/tcp (redis)203.0.113.88:53/udp (dns)guidance
Reach for fingerprintx when you already have open ports and need to know what is actually listening on them. It is a service fingerprinter, not a port scanner, so run it after naabu or nmap finds the ports, and before httpx or a scanner that acts on the named services.
Fast port scanner. Finds the open ports fingerprintx then identifies, so the two run in sequence.
Full scanner with its own service and version detection. Heavier, but does discovery and fingerprinting in one tool.
Probes HTTP services specifically. Use it after fingerprintx flags the web ports among many protocols.
faq
related
Quickly map an organization's network ranges using ASN information.
Maximize your resolver count by combining the target's DNS servers with public resolvers.
Expand CIDR ranges into a list of IP addresses easily.
Expand CIDR ranges into a list of IP addresses easily, from a file.
Maintain a list of IPv4 DNS servers verified against baseline servers for accurate responses.
Patched dnsvalidator that keeps only IPv4 resolvers verified against baseline servers.
A target feeds naabu, which finds the open ports and passes them to fingerprintx, which names the service on each port and writes them as a queryable output.
Facts on this page come from the live Trickest tool library.