Using workflows to discover attack surface

So you’ve gotten an instance of intrigue-core up and running using the Getting Started guide, but what now!? Give workflows a try. Here’s now.

Create a new project, let’s set this one up on with a name of Mastercard – they run a public bounty on Bugcrowd, and likely have a lot of interesting systems on the Internet.

Once created, you’ll drop into the “Start a Workflow” page:

Hit “Profile an Organization” and we’lll add in as many Mastercard domains that we know exist. Bounty program pages can be instructive for finding domains and other seeds. For now, we’ll just start with, but it’s always better to have more seeds.

Now, hit submit, and notice you’re dropped to the “logs” page so you can monitor what’s happening.

You’ll want to refresh a couple times, and as you do, you’ll see more tasks being automatically scheduled.

Now this is all good and well, but where are the results? For that, you’ll want to hit “Entities” in the top menu. When you do, you’ll see something like the following. Now, you might not recognize every entity in here, and that’s okay. If you look to the far right, you’ll see some are scoped, and some are not. This is Core’s auto-scoping capability at work. If it finds something that it’s not sure belongs to our target organization, it’ll remain unscoped.

In fact, let’s try hitting ‘Only Scoped’ in the search section on the left.and filter only by DnsRecord by selecting that entity in the ‘Types’ list. There we go, that looks a bit more familiar.

Also notice the details give us a bit more info about what each entity is, and we can always click into an entity to learn more about it. The enrichment process ensures that we have a lot of detail per entity.

  • The Ancestors section tells us what the original “seed” entity we entered that resulted in us finding this entity. There can be many ancestor entities.
  • The Aliased Entities section tells us what other entities this DnsRecord resolved to. This creates a group and makes it easier to see if this is a service, or a host, or some combination thereof.
  • The Tasks that Created this Entity section shows us that this domain was found through the dns_brute_sub task, in other words, through Subdomain Bruteforce!
  • The Tasks Run on this Entity section tells us what tasks were auto-queued and run with this entity. This is entirely based on the workflow that we chose ‘Profile an Organization’. If we chose to hit the blue button in the upper right and start a new task, that would also show up in this list.

Finally, notice that full details are preserved in the “Entity Details” section – details can be arbitrary length and help give us more context about the entity.

Now, hit entities again, and let’s take a look at the ‘grouped’ view, now that we know what “Aliased Entities” mean. This is a helpful way to better understand a given organization’s infrastructure. In this case, it looks like there are quite a few subdomains resolving to the address, it is likely a load balancer.

Okay, well let’s slice it a different way now. Hit the Analysis -> Domains page, and you’ll see the top level domains, sorted by count, which gives us a view of the first and third party domains around Mastercard:

If we’re interested to see, for example, we can click on that and it’ll drop us back into search:

Now we might want to add the domain into this scan. While it’s almost always better to have the full list of domains at the beginning, we can add it, by browsing to ‘Start’ -> ‘Start a new workflow’ and adding in. However, if we’re not sure about a given domain, we might want to find everything that mentions by CTRL-clicking on the entity type and searching all entity types:

Aha, that top entity might tell us more, let’s click on that one. Looks like it was fingerprinted with Facebook, and Jquery, so it’s probably a marketing or company page. When we browse, you can see a screenshot has already been taken, as well as the certificate stored in the details, giving us a very clear indication that this a Mastercard assets. And in fact, it’s already been scoped automatically.

Okay, so let’s add it to the project by kicking off another workflow on it

And we add the domain as a seed and hit submit.

In this way, you can continuously kick off workflows and keep the system iterating on new entities you discover. .Workflows are incredibly powerful, as they automate the individual tasks inside Intrigue Core. For more information on workflows, see our Workflow help page.

Intrigue Core v0.8 Released!

Announcing the immediate availability of Intrigue Core v0.8.0, the open attack surface discovery engine, and the OSS software that powers the Attack Surface Management platform.

Our 2020 – like many of yours – started out pretty chaotic, but with myself and the rest of the team grounded at home, it was a year of building and improving the platform. This release is a direct outcome of that year of heads-down development, and a signal that positive things can come out of the dumpster fire that was 2020. 

On the team front, Shpend Kurtishaj joined us mid-year as our first full time developer, and brought in new ideas and execution, building upon the excellent work of the existing team. Anas and Maxim were our key open source contributors this year, and yours truly also found a way to make the project full time, so you can expect to see much more goodness over the coming 12 months.

Here’s to a positive, safe, and healthy 2021!

New Features

In this (yet again) truly MASSIVE release, you’ll find the following key features: 

  • NEW! Supported VMWare and VirtualBox images
  • In-App Workflows powered by user-definable YAML files
  • Improved Vulnerability Discovery Capabilities
  • Asynchronous DNS and HTTP bringing new levels of speed
  • 30 new integrations and discovery capabilities 
  • 26 new vulnerability and misconfiguration checks

New Feature – Workflows

The most immediately distinctive feature of this release is something we’ve wanted to add support for, for many years: Automated Workflows. Workflows fully replace the now-legacy concept of “machines” in the platform with a simpler, friendlier YAML syntax but largely the same functionality. Meaning, they’re recursive by default, and when a new entity is created in a project with a workflow is attached to it, it will automatically schedule and run the relevant tasks that the workflow specifies. This, in combination with UX support for workflows makes it easier than ever to discover the attack surface of organizations; and further, for users to build out custom automation on top of the raw capabilities and tasks of Intrigue Core. Check it out:

You’ll notice now, after creating a new project, that you’re directed to the workflows screen and encouraged to enter as many “hints” as you can, and Core takes what you offer and builds upon it using the selected workflow: And if you like the old way of doing it (where a workflow is started on each new entity that’s discovered from a first import or task), you can do that too:

While there’s much to discuss about the other new features and capabilities, we’ll leave the deep dive for a follow-on post. In the meantime, check out some of the new capabilities below.

New Feature – VMWare and Virtualbox Images

One of the most common pieces of feedback is a request to supply a pre-built image of Intrigue Core for ease of use getting started. By popular demand, we now support both VirtualBox and VMWare images, and you can find them in the Getting Started section.

More New Capabilities

Many of these new capabilities are worthy of a post on their own, and there’s simply so many, that all we can do is point out major highlights and trends, such as:

  • Integrations to search and pull metadata from Mobile App stores like iOS and Android
  • Unauthenticated and automated API Endpoint discovery
  • Content discovery on app endpoints using @joohoi’s Ffuf, link extraction and other content discovery techniques
  • Integration of great open source tooling like Subfinder, and Naabu
  • Deeper integration with great services such as C99, BinaryEdge, Spyse, and Zetalytics (there are so many now!)
  • Authenticated Integrations to pull DNS Zones (aws_route53, cloudflare_dns, etc)

The full list of individual new tasks in v0.8.0 is as follows

  • AWS Route53
  • Cloudflare Zones
  • DNS Search TLS Cert Names
  • Naabu Scan
  • SaaS ServiceNow Check
  • SaaS ServiceNow Open KB Articles
  • Search 42matters API for Android/iOS apps
  • Search Apptweak API for Android/iOS apps
  • Search Azure Blob
  • Search BinaryEdge Open Databases
  • Search c99 Subdomainfinder
  • Search DnSimple
  • Search Farsight DNSDB
  • Search Hostio
  • Search Mnemonic
  • Search NeutrinoAPI
  • Search
  • Search Spyse
  • Search Spyse Cert
  • Search Spyse Domain
  • Search WhoisXMLAPI (Reverse Whois)
  • Subfinder
  • URI Brute Generic Content
  • URI Bruteforce Vhosts
  • URI Check API Endpoint
  • URI Check Retire.js
  • URI Extract Linked Hosts
  • URI Extract Tokens
  • URI Ffuf Content Discovery
  • WordPress Enumerate Leaked Logs

If you’d like to know more, you can find descriptions for each task here.

New Entities

To support all these great capabiltiies, you’ve gotta be able to represent the data types, and thus, the following new entities have been added since the last release. While an entity itself might not be exciting, the ability to open up new use cases brings fun challenges and you can expect even more entities in 2021.

  • AndroidApp – Android Mobile Application
  • ApiEndpoint – A HTTP based API endpoint
  • IosApp – IOS Mobile Application
  • MailServer – A Mailserver (MX)
  • UniqueKeyword – A globally unique keyword that can be reliably searched
  • UniqueToken – An api key or analytics id

New Vulnerability Checks

On some days this last year, it felt like literally every webapp and/or network appliance was under threat. 2020 did bring the “wow” CVEs, such as the F5 BigIP bug or RCEs in Sharepoint, Exchange, GlobalProtect…. yep… wow. The checks we now support are below, and the best thing is that these are all automatically driven by fingerprinting. If you find a GlobalProtect instance, and vulnerability checks are enabled for a project, it’ll automatically be tested. Attack surface enumeration should be easy – and ACCURATE – and these checks go a long way in making that a reality.

  • vuln/atlassian_dataexposure_cve_2020_14179
  • vuln/cisco_asa_limited_file_read_cve_2020_3452
  • vuln/cisco_asa_path_traversal_cve_2018_0296
  • vuln/citrix_netscaler_codeinjection_cve_2020_8194
  • vuln/craft_cms_seomatic_cve_2020_9757
  • vuln/f5_bigip_configuration_utility_cve_2020_5902
  • vuln/hadoop_yarn_unathenticated_resourcemanager
  • vuln/icewarp_xss_cve_2020_8512
  • vuln/microsoft_exchange_cve_2020_0688
  • vuln/microsoft_exchange_cve_2020_16875
  • vuln/microsoft_sharepoint_cve_2020_16952
  • vuln/mobileiron_multiple_cves
  • vuln/nextjs_path_traversal_cve_2020_5284
  • vuln/paloalto_globalprotect_check_cve_2020_2021
  • vuln/saas_gitlab_open_reg_check
  • vuln/solarwinds_orion_code_compromise
  • vuln/sonatype_nexus_cve_2020_10204
  • vuln/sonicwall_cve_2020_5135
  • vuln/telerik_crypto_weakness_cve_2017_9248
  • vuln/tomcat_ghostcat_cve_2020_1938
  • vuln/tomcat_persistent_manager_cve_2020_9484
  • vuln/wordpress_file_manager_command_injection_rce
  • vuln/wordpress_loginizer_cve_2020_27615

New Threat Checks

While threat discovery and enrichment is still a nascent use case for the engine, this release brings more goods (thank you Anas!), with even more direct integrations of high quality threat feeds to verify if a given IoC (entity) was found in their database, and where possible – the reason why. Expect this use case will continue to steadily improve in the new year.

  • threat/search_apility
  • threat/search_badips
  • threat/search_blcheck_list
  • threat/search_blocklistde
  • threat/search_dshield
  • threat/search_emerging_threats
  • threat/search_fraudguard
  • threat/search_greynoise
  • threat/search_ibm_x_force
  • threat/search_ipqs
  • threat/search_ipqs_emailaddress
  • threat/search_pulsedive
  • threat/search_talos_blacklist


Luckily we had no bugs in the last release, so this one will continue that illustrious tradition of perfect and bug-free software. (Just kidding, there were simply way too many to mention. You know how to find them.) Security fixes, feature fixes, and all around improving the user experience were a big focus.


No core release to date has been simple, and this one has been well over a year in the making. It would not have been possible without the following fine folks, and so a thank you is well deserved:

  • First and foremost, Thank you to customers, for your support and ideas that make this open source project grow!
  • Thank you to my wonderful wife Jessica and to all of the contributors’ families for supporting the significant time this project requires
  • Thank you @shpendk, for joining us as the first full-time contributor, and for tackling the ugliest challenges of the codebase
  • Thank you @bensalah_anas for consistently driving powerful new cases and capabilities in the platform
  • Thank you Maxim Gofnung, for digging right into the guts of the code with huge enthusiasm
  • Thank you @joeuser47 for the friendly and helpful support in our slack channel
  • Thank you to the folks building powerful open source tooling, particularly @errbysam, @joohoi and @pdiscoveryio
  • Thank you to the teams building innovative APIs, including Zetalytics, Spyse, SecurityTrails, BinaryEdge, Greynoise, and so many more
  • Thank you to the researchers who regularly share techniques and ideas … @th3g3nt3lman, @nahamsec, and so many others
  • Thank you @ebellis and @kennasecurity for your incredible long-term support of this project
  • Finally, thank you to the many open source users and contributors who have provided feedback, support, ideas.

So with that …. and the piece of mind that 2021 is looking up – bringing even more capabilities and velocity to this project, go and get started now! Try it out and send feedback via Email, Slack, or Twitter. Have fun, and keep us posted with any and all feedback!


Expanding our Community

Intrigue Core was first launched in 2015, primarily designed as a hands-on penetration testing automation framework. Over the last five years, we’ve expanded to bug bounty, threat assessment and attack surface enumeration use cases. Now, on the precipice of a new release (v0.8.0), we’re making it easier than ever to try it out. With this upcoming release mind, we’re opening up our slack channel to more users, and hope that you’ll join us on this journey. Come join us by following this link, and when you arrive, drop a quick intro in the #general channel so we can get to know you better!

Scaling Assessment Automation (NahamCon)

In this presentation, delivered on June 13 2020 at the first-ever Nahamcon, we introduce the capability to push data out into Elasticsearch for analysis. We gloss over the configuration a bit in the talk, so if you want the full details on configuring AWS Elasticsearch instance check the slides, shown below.

Internet-Wide Scan Data – Port Coverage

This is an actively updated (last updated 05/14/2020) list of the organizations that offer Internet scanning data for sale, or in some cases, for free. If you have additional information that would be helpful in determining coverage, please contact us via [email protected]!

Below, find a list in alphabetical order, with the public coverage metrics they publish.

BinaryEdge – Currently 240 ports. They also offer on-demand scanning.

Censys – Currently 1045+ Ports. They also offer on-demand scanning.

Onyphye – Currently 100 ports.

Rapid7 (Project Sonar) – Rapid7’s data is open, and while they don’t advertise the number, it’s pretty simple to grep out the per-port coverage. Currently they cover 21 UDP and 133 TCP ports on a monthly basis.

SecurityTrails – Advertises 50+ of the most important ports scanned weekly.

Shodan – The grandaddy of Internet scanning, Shodan does not publish coverage numbers. They also offer on-demand scanning.

Spyse – Relative newcomer to the scene, they advertise coverage of 55 ports and growing.

ZoomEye – Also a relative newcomer, their coverage is currently unknown.

There are other folks that perform Internet scanning as part of their core offering, but don’t sell the data standalone, and for that reason, we’ve not included them in this list.

The takeaway? No single organization offers exactly the same data, and in order to get the most complete coverage of what’s happening on the internet, you might need to combine multiple to get to the the level of visibility needed.

Getting Started on Digital Ocean

We’ve had a few requests in the Slack about getting started on Digital Ocean. It’s as simple as starting a droplet and running the Docker One-Liner, but i’ll document the exact steps below.

First log into Digital Ocean. The interface is pretty straightforward, but first we need to create a project:

No need to move existing resources in, we’re starting a new project, so we’ll click “Skip for now”

Now, we have a project, so let’s create a new Droplet inside it.

And let’s make sure to give it at least 16GB of RAM:

Everything else can be standard, so let’s scroll down. Obviously make sure you set up / use an SSH key you have access to so you can log in. In this case, I’m using a pre-generated SSH key on my local system:

And then click “Create Droplet”

Now, give DO a few seconds, and we can browse to Droplets and get our IP Address

Then, we’ll use our SSH key to log in:

And first things first, let’s update the system and install Docker with the following command:

apt-get -y update && apt-get -y upgrade && apt-get -y install  

Then, simply run the docker one-liner command, found here.

This will generate a dynamic (and random) password, so make sure to make note of that:

Now, back on your laptop or PC, simply connect to the Digital Ocean host on https://YOUR_DROPLET_IP:7777, use the password provided in the startup output, and you’re live! No need to configure firewall or any other specifics for this droplet.

If you have any problems, feel free to file an issue on the Github repository.

Detecting Backported Software (Versions) with Ident

One common challenge with version detection and inference-based vulnerability analysis – the kind we do in Ident and Core- is graceful handling of versions which appear to be vulnerable baed on their versions, but in reality have been backported. 

What do we mean by backporting? Well, some operating systems (*ahem* Red Hat *ahem*) will apply security fixes and patches to previous version of a software package, but not update the software version. Rather, they update their own package version. The software keeps reporting the vulnerable version, but users are protected. This is commonly referred to as backporting.

This is actually a good thing for users, in general, but can result in some false positives when performing unauthenticated vulnerability assessments. So we need to prepare for it. To address this, we added a bit of sophistication to the ident library, which allows us to detect this behavior in cases where we know the operating system, and respond accordingly. 

Below, you can see how our dynamic version detection for PHP, OpenSSL and Apache, all handle this by looking for the existence of RHEL, Red Hat or CentOS, and appending the “(Backported)” bit to the version string. Note that this might result in some false negatives, so we retain the version string for users.

code snippet of ident backporting changes
Version Detection now handles Backporting gracefully

You can see the full set of changes in the Ident repository on Github

When using the Ident CLI utility, previously, you’d have seen results like this, which were false positives

Now, we politely decline to infer these results, while retaining the version information and appending “(Backported)” to the version string. Which results in the following:

Updated results showing no vulnerability inference on Backported software

Core now gives the same result, as it uses the Ident project as a library, and benefits from changes in fingerprinting capabilities, automatically. .

The current Gem version is 0.92 and can be installed directly from Github. This change is also now live on Ident’s master branch, and you can quickly test it out using the pre-built docker image.

Intrigue Core v0.7 Released!

Oh. Hey! Wow. You look, better, even, … i mean … you’re practically glistening. It’s been a year, hasn’t it? You must be working out. What have we been up to? Oh. I’m glad you asked! (PS – if you want to get straight to the goods, go here.)

Ready to go? Let’s dig in.

One underlying but prevailing theme of this release is “scaling up”. As we operationalized more engines over the last year to support our efforts in the service, we needed a proper process management system, and to split out supporting components to their own managed processes. These are services such as:

  • Headless Chrome (for screen grabs, fingerprinting JS, etc)
  • Apache Tika (for parsing pretty much every file format on the planet, safely)
  • An EventMachine-based DNS Resolver for super fast resolution

And once these components were properly managed, database optimization became a focus, getting into the gory guts of Postgres and finally driving the ability to past a million entities per project. (Try the machines feature after running “create_entity” on your domain of choice :], and you’ll see.)

So with that work in place, we focused on a new and improved “Standalone” Docker Image as part of this release, which (finally, we know!) uses Docker’s volume support to allow you to save your data locally. No more starting from scratch each time you spin up an image!

Another key feature of this release is the all-new issue tracking system. Issues are now a first class object – like Entities – and are our way to capture vulnerabilities, misconfigurations, and other findings which should be brought to the attention of an analyst.

This release also adds some other oft-requested features including SSL by default and a much more in-depth automated scoping engine. More on that below.

Even with several major new features in this release, it’s hard to overstate how much has changed in the codebase over last 12 months. And we’re not slowing down. As always with a new release, this one brings tons of new tasks, entities, improvements and bugfixes (…read on for details)

Automated Scoping

One major feature since the last release that will be very visible when you use a Machine is the automated scoping functionality.

Scoping takes the seeds (Entities) you provide and uses them as guidance for what to scan, and more importantly, what NOT to scan. In previous versions, thiis was a blacklist, but now there’s some smarts behind it.

Try it by using the “create_entity” task and the ” machine with a few iterations.

You’ll notice right away on the entities page that some are hidden by default. This is the scoping engine.

You can view them by selecting “Show unscoped” and “Show hidden” on the search screen.

Automated scoping results in entities (and others) being hidden by default…

Give it a try and let us know what you think!

New Discovery Tasks

Okay, so this bit is going to get a little long. And, while it’s been a year, many of these tasks were built and refined over just the last 3 months, thanks in no small part to @anasbensalah who joined as a committer this year.

This v0.7 release includes 23 shiny new tasks, bringing the current total to 124 discovery tasks.

Ready to dig in? The new tasks are in alphabetical order below and each individually linked to their implementation for those brave enough to dive into the codebase.

  • dns_lookup_dkim – Attempts to identify all known DKIM records by iterating through known selectors.
  • dns_morph – Uses the excellent DNSMORPH to find permuted domains.
  • email_brute_gmail_glxu – Uses an enumeration bug in the mail/glxu endpoint on gmail to check account existence.
  • gitrob – Uses the excellent Gitrob to search a given GithubAccount for committed secrets.
  • saas_google_calendar_check – Checks to see if public Google Calendar exists for a given user.
  • search_alienvault_otx_hashes – This task searches AlienVault OTX via API and checks for information related to a FileHash.
  • search_binaryedge – This task hits the BinaryEdge API for a given IpAddress, DnsRecord, or Domain, and creates new entities such as NetworkServices and Uri, as well as associated host details.
  • search_binaryedge_risk_score – This task hits the BinaryEdge API and provides a risk score detail for a given IPAddress. It can optionally create an issue for high risk IPs.
  • search_binaryedge_torrents – This task hits the BinaryEdge API for a given IPAddress, and tells us if the address has seen activity consistent with torrenting
  • search_dehashed – This task hits the Dehashed API for leaked accounts.
  • search_grayhat_warfare – This task hits the Grayhat Warfare API and finds AwsS3Buckets.
  • search_hunter_io – This task hits the API. EmailAddresses are created for a given domain.
  • search_spyonweb – This task hits the SpyOnWEB API for hosts sharing the same IPAddress, Domains, or AnalyticsId.
  • uri_brute_focused_content – Check for juicy content based on the site’s technology stack (This is a special task, part discovery and part vuln check, so it’s listed below, as well).
  • uri_check_subdomain_hijack – Checks for a specific string on a gievn uri, and creates a hijackable subdomain issue if it matches.
  • well_known_gather_and_parse – Checks for files in the /.well-known/ directory, as defined in RFC5785.
  • wordpress_enumerate_plugins -If the provided Uri is running WordPress (as fingerprinted by Ident), this’ll enumerate the plugins
  • wordpress_enumerate_users – If the target’s running WordPress, this’ll enumerate the users

As if that wasn’t enough, the following new tasks help determine if a given Domain or DnsRecord is compromised or otherwise blocked by utilizing the content blocking provided in the respective provider’s DNS service. They’re all very similar in implementation, but may provide different results depending on the provider. These is more great work from Anas.

New Entity Types

Reading carefully above, you might notice some of the tasks are introducing new entity types, and for that matter, new use cases.

This release brings two new entities. First, the “AnalyticsId” which represents an id from an analytics provider like NewRelic or Google. Secondly the “FileHash” entity brings us the ability to represent an md5 or sha1 hash as an entity.

Definitely check the tasks creating these entities (search_spyonweb, and search_alienvault_otx_hashes, respectively) above and have a play around with them. Feedback is very welcome. If you find them useful or have ideas on ways we could improve, let us know and we’ll add support for more providers and hash types.

Major Improvements to Tasks

The following were significantly overhauled during the course of this release, and worth checking out again if you have tried the task previously. These now have a lot more functionality.

  • search_have_i_been_pwned
  • search_phishtank
  • search_shodan
  • search_certspotter
  • scrape_publicwww
  • search_alienvault_otx
  • import/umbrella_top_sites


Luckily we had no bugs in the last release, so this one will continue that tradition. (Just kidding, there were simply way too many to mention. You know how to find them.)

New Vuln Checks

If you were following along over the last year, you probably noticed a significant amount of effort went into testing for vulnerabilities and misconfigurations.

The 0.7 release brings 9 new vuln check tasks, each linked below.

Now that we have a better system for finding and reporting them (blog post forthcoming), you can expect to see more of this kind of shiny goodness in the future.

Thank You!!!

This release has been well over a year in the making and would not have been possible without the following contributors of code, ideas, and bugs. Make sure to say thank you the next time you see these fine folks.

So that’s it you say? Well, it’s as much as we could recollect of the blur that was 2019. There’s surely a bunch of neat stuff that we’ve forgotten and you’ll discover when you get started. So with that, go get started now!

Try it out and send feedback via Email, Slack or Twitter. Have fun, and let’s not let it go another year before we do this again!

Nahamsec interview with @th3g3nt3lman

Here’s a clip of an interview with @nahamsec and @th3g3nt3lman talking about how Intrigue Core can help bug bounty hunters and internal security teams. If you haven’t yet seen Nahamsec’s channel, it’s a good source of techniques and fun to watch.

The clip talking about Intrigue Core starts at the 25:00 min mark. Check it out!

@nahamsec talking bug bounty recon with @th3g3ntl3man

Ident Docker One-Liner

On a pentest or in a hurry and want to try out ident to fingerprint an application quickly? Use this one-liner which pulls the latest build from dockerhub and kicks off a run:

docker pull intrigueio/intrigue-ident && docker run -t intrigueio/intrigue-ident --url YOUR_URL_HERE

Also, handy, add a -v to check for top vulnerabilities in a given technology (as long as we have a version, we’ll match to known CVEs)

If you’re interested in the details of how it works, add a -d to see debug output!

See the checks in all their glorious detail on Github. We’re well over 500 and adding more on a regular basis. If you don’t see a technology you’d like fingerprinted, create an issue or send us a pull request!