scan4all includes comprehensive web fingerprinting capabilities with over 7000 fingerprints for identifying web technologies, CMS platforms, frameworks, and server software. The fingerprinting engine combines multiple detection methods and databases for maximum accuracy.
Fingerprint Sources
scan4all integrates multiple fingerprint databases:
HTTPx Fingerprints: Web server and technology detection from the httpx project
VScan Fingerprints: Comprehensive fingerprint database from vscan
eHole Fingerprints: eHoleFinger database for CMS and application detection
Local Fingerprints: Custom localFinger database for proprietary applications
Total Coverage: 7000+ unique fingerprints
Detection Methods
scan4all employs multiple detection techniques for accurate identification:
1. Keyword Matching
Searches for specific strings in HTTP responses:
method: "keyword"
location: "body" // or "header", "title", "all"
keyword: ["WordPress", "wp-content"]
keywordMathOr: true // Match any keyword (OR logic)
Example detection:
<!-- Response body -->
<meta name="generator" content="WordPress 6.0" />
<link rel='stylesheet' href='/wp-content/themes/...' />
2. Regular Expressions
Advanced pattern matching:
method: "regular"
keyword: ["<title>.*Tomcat.*</title>"]
location: "all"
3. Favicon Hash
Unique fingerprinting via favicon icon hashing:
method: "faviconhash"
keyword: ["-235013277"] // Jenkins favicon hash
Hash algorithm:
func FavicohashMd5(nId int, u *url.URL, body []byte, header *http.Header) string {
    // 1. Extract favicon from HTML or default path
    // 2. Calculate hash using custom algorithm
    // 3. Return unique identifier
}
4. MD5 Hash Matching
Complete response body MD5 fingerprinting:
method: "md5"
keyword: ["5d41402abc4b2a76b9719d911017c592"]
location: "body"
5. Base64 Detection
Encoded content matching:
method: "base64"
keyword: ["encoded_pattern"]
6. Hexadecimal Matching
Binary content fingerprinting:
method: "hex"
keyword: ["504B0304"] // ZIP file signature
7. Status Code Detection
HTTP status code patterns:
method: "keyword"
location: "status_code"
keyword: ["403", "401"]
Fingerprint Structure
Fingerprint Definition
type Fingerprint struct {
    Id            int      // Unique fingerprint ID
    Cms           string   // Technology name
    Method        string   // Detection method
    Location      string   // Search location
    Keyword       []string // Match patterns
    KeywordMathOr bool     // OR vs AND logic
    UrlPath       string   // Specific URL path
}
Example Fingerprints
WordPress
{
    "id": 1001,
    "cms": "WordPress",
    "method": "keyword",
    "location": "body",
    "keyword": ["wp-content", "wp-includes"],
    "keywordMathOr": true,
    "urlPath": "/"
}
Detection Locations
Fingerprints can target specific parts of HTTP responses:
Response Body
location: "body"
// Searches in HTML content, JavaScript, JSON responses
Response Headers
location: "header"
// Searches in Server, X-Powered-By, and custom headers
Common header fingerprints:
Server: nginx/1.18.0
X-Powered-By: PHP/7.4.3
X-AspNet-Version: 4.0.30319
X-Framework: Laravel
Page Title
location: "title"
// Searches in <title> tag content
Status Code
location: "status_code"
// Matches HTTP response codes
All Locations
location: "all"
// Searches headers + body combined
Fingerprinting Process
HTTP Request
Send HTTP request to target URL:
GET / HTTP/1.1
Host: example.com
User-Agent: scan4all
Response Collection
Collect response data:
Status code
Headers (as JSON and raw text)
Body content
Page title
Favicon hash
Hash Generation
Generate multiple hashes:
md5Body := FavicohashMd5(0, nil, body, nil)
hexBody := hex.EncodeToString(body)
md5Title := FavicohashMd5(0, nil, []byte(title), nil)
hexHeader := hex.EncodeToString([]byte(headersjson))
Fingerprint Matching
Iterate through fingerprint databases:
Match by method (keyword, regex, hash, etc.)
Check location (body, header, title, etc.)
Validate against URL path
Apply OR/AND logic for keywords
Result Aggregation
Collect and deduplicate identified technologies:
cms = []string{"WordPress", "Nginx", "PHP", "MySQL"}
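The matching step above as a single function, added here as an example (not scan4all's own code). It assumes substring matching for `keyword`, Go `regexp` for `regular`, and that `all` is the header text followed by the body; `Response` and `Match` are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Fingerprint mirrors the struct shown on this page.
type Fingerprint struct {
	Id                    int
	Cms, Method, Location string
	Keyword               []string
	KeywordMathOr         bool
	UrlPath               string
}

// Response is a hypothetical holder for the collected response data.
type Response struct {
	URL, Header, Title, Body string
	Status                   int
}

// Match applies one fingerprint to one response (assumed semantics).
func Match(fp Fingerprint, r Response) bool {
	if fp.UrlPath != "" && !strings.HasSuffix(r.URL, fp.UrlPath) {
		return false // fingerprint is bound to a different path
	}
	text := map[string]string{"body": r.Body, "header": r.Header, "title": r.Title,
		"status_code": fmt.Sprint(r.Status), "all": r.Header + "\n" + r.Body}[fp.Location]
	hits := 0
	for _, k := range fp.Keyword {
		rx, _ := regexp.MatchString(k, text) // an invalid pattern counts as no match
		if (fp.Method == "keyword" && strings.Contains(text, k)) || (fp.Method == "regular" && rx) {
			hits++
		}
	}
	if fp.KeywordMathOr {
		return hits > 0 // OR: any keyword is enough
	}
	return hits > 0 && hits == len(fp.Keyword) // AND: every keyword required
}

func main() {
	// Constructed sample response, not captured from a real host.
	r := Response{URL: "https://example.com/", Body: `<link href="/wp-content/themes/x.css">`}
	wp := Fingerprint{Id: 1001, Cms: "WordPress", Method: "keyword", Location: "body",
		Keyword: []string{"wp-content", "wp-includes"}, KeywordMathOr: true, UrlPath: "/"}
	fmt.Println(wp.Cms, Match(wp, r)) // OR logic: "wp-content" alone is enough
}
```

Setting `KeywordMathOr` to false on the same fingerprint makes it miss this response, because `wp-includes` is absent from the body.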
Smart Features
Honeypot Detection
Automatically identifies and skips honeypots:
func CheckHoneyport(a []string) (bool, []string) {
    // If > 10 technologies detected = likely honeypot
    bRst := util.EnableHoneyportDetection && 10 < len(a)
    if bRst {
        a = []string{} // Discard results
    }
    return bRst, a
}
Enable honeypot detection with:
EnableHoneyportDetection=true scan4all -host example.com
Favicon Caching
Each target’s favicon is only processed once:
var Mfavhash *sync.Map = new(sync.Map)
if _, ok := Mfavhash.Load(u01.Host + favhash); ok {
    return cms // Skip if already processed
}
Mfavhash.Store(u01.Host+favhash, 1)
URL Path Matching
Fingerprints can target specific paths:
if finp.UrlPath == "" || strings.HasSuffix(szUrl, finp.UrlPath) {
    // Only check if URL matches required path
}
Example:
SpringBoot favicon: /favicon.ico
Tomcat manager: /manager/html
Jenkins: /
Duplicate Prevention
Matches for the same URL and the same component ID are capped to prevent over-matching:
var Max_Count = 10 // Maximum fingerprints per URL
if len(cms) >= Max_Count {
    break // Stop matching
}
Component ID Tracking
Tracks which fingerprints matched:
var MFid *sync.Map // Maps URL → Component ID → Match count
func SvUrl2Id(szUrl string, finp *Fingerprint, rMz string) {
    // Track fingerprint matches per URL
    // Prevents duplicate matches
}
Configuration
Enable/Disable Features
Enable Advanced Hashing
# Enable title and header MD5/hex fingerprinting
enableFingerTitleHeaderMd5Hex=true scan4all -host example.com
Custom Fingerprint Files
Add custom fingerprints:
# Location for custom fingerprints
pkg/fingerprint/dicts/custom_fingerprints.json
Custom fingerprint format:
{
    "fingerprint": [
        {
            "cms": "Custom App",
            "method": "keyword",
            "location": "header",
            "keyword": ["X-Custom-App"],
            "keywordMathOr": false
        }
    ]
}
Integration with Vulnerability Detection
Fingerprinting directly feeds into POC selection:
Automatic POC selection:
# WordPress detected → 419 WordPress POCs loaded
# Weblogic detected → 11 Weblogic CVE checks loaded
# Spring Boot detected → Spring-specific vulnerabilities checked
Common Detectable Technologies
Web Servers
Frameworks
Technologies
Console Output
[Fingerprint] https://example.com
├─ Web Server: Nginx/1.18.0
├─ Framework: Laravel
├─ Language: PHP/7.4.3
├─ CMS: WordPress 6.0
├─ Database: MySQL (inferred)
└─ Technologies: jQuery, Bootstrap
JSON Output
{
    "url": "https://example.com",
    "fingerprints": ["Nginx", "Laravel", "PHP", "WordPress"],
    "fingerprintIds": ["101", "205", "310", "1001"],
    "timestamp": "2026-03-05T10:30:00Z"
}
Elasticsearch Storage
# Query by technology
curl "http://127.0.0.1:9200/fingerprint_index/_search?q=fingerprints:WordPress"
# Query by URL
curl "http://127.0.0.1:9200/fingerprint_index/_search?q=url:example.com"
Advanced Use Cases
Technology Stack Enumeration
Complete stack identification:
scan4all -host https://example.com -v
Output:
Front-end: React, Bootstrap, jQuery
Web Server: Nginx
Application: Node.js + Express
Database: MongoDB (inferred from headers)
Cache: Redis (from port scan)
CDN: Cloudflare
Version Detection
When versions are exposed:
[Version Info]
Apache/2.4.41 (Ubuntu)
PHP/7.4.3
OpenSSL/1.1.1f
Plugin/Module Detection
For WordPress, Joomla, etc.:
[WordPress Plugins]
├─ WooCommerce 6.5.1
├─ Yoast SEO 19.2
├─ Contact Form 7
└─ Wordfence Security
Concurrent Fingerprinting
Multiple URLs fingerprinted in parallel:
// Worker threads for fingerprinting
var ch = make(chan struct{}, util.Fuzzthreads)
Caching
Results cached to prevent re-fingerprinting:
if util.TestRepeat(u01.Host, "FileFuzz") {
    return []string{}, []string{} // Skip if already processed
}
Early Exit
Stops after maximum matches:
if len(cms) >= Max_Count {
    break // Prevent over-matching
}
Example Workflows
Single URL
# Fingerprint a single website
scan4all -host https://example.com -np -v
Troubleshooting
No Fingerprints Detected
Check HTTP Response
Ensure the target is responding:
curl -I https://example.com
Enable Verbose Mode
scan4all -host https://example.com -v -debug
Verify Fingerprint Database
Ensure fingerprint files are loaded:
err := LoadWebfingerprintEhole()
err = LoadWebfingerprintLocal()
Too Many Fingerprints (Honeypot)
# Enable honeypot detection
EnableHoneyportDetection=true scan4all -host suspicious.com
# If > 10 technologies detected, results are discarded
Custom Technology Not Detected
Add custom fingerprint:
// pkg/fingerprint/dicts/localFinger.json
{
    "fingerprint": [
        {
            "cms": "Your Custom App",
            "method": "keyword",
            "location": "header",
            "keyword": ["X-Your-Custom-Header"],
            "keywordMathOr": false
        }
    ]
}
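A pre-load check for the custom fingerprint files described under "Custom Fingerprint Files" and "Custom Technology Not Detected", added here as an example (not part of scan4all). It flags entries whose `method` or `location` is not among the values this page lists and `regular` keywords that do not compile; `Lint` and `Entry` are hypothetical names, and the required-field rule is this example's own policy.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Entry holds the fields of the custom fingerprint format that are checked here;
// encoding/json matches the lower-case JSON keys to these names case-insensitively.
type Entry struct {
	Cms, Method, Location string
	Keyword               []string
}

var (
	methods   = map[string]bool{"keyword": true, "regular": true, "faviconhash": true, "md5": true, "base64": true, "hex": true}
	locations = map[string]bool{"body": true, "header": true, "title": true, "status_code": true, "all": true}
)

// Lint returns one message per problem found in a custom fingerprint file.
func Lint(data []byte) (issues []string) {
	var file struct{ Fingerprint []Entry }
	if err := json.Unmarshal(data, &file); err != nil {
		return []string{"invalid JSON: " + err.Error()}
	}
	bad := func(i int, msg string) { issues = append(issues, fmt.Sprintf("entry %d: %s", i, msg)) }
	for i, e := range file.Fingerprint {
		if e.Cms == "" || len(e.Keyword) == 0 {
			bad(i, "cms and keyword are required")
		}
		if !methods[e.Method] {
			bad(i, "unknown method "+e.Method)
		}
		if e.Location != "" && !locations[e.Location] {
			bad(i, "unknown location "+e.Location)
		}
		for _, k := range e.Keyword {
			if _, err := regexp.Compile(k); e.Method == "regular" && err != nil {
				bad(i, "invalid regular expression "+k)
			}
		}
	}
	return issues
}

func main() {
	// Constructed file: "regex" is not one of the method names listed on this page.
	in := `{"fingerprint":[{"cms":"Custom App","method":"regex","location":"header","keyword":["X-Custom-App"]}]}`
	fmt.Println(Lint([]byte(in)))
}
```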
Best Practices
Combine with Port Scanning
Let port scanning discover web services first:
scan4all -host 192.168.1.1 -v
Use Verbose Output
Monitor the fingerprinting process:
scan4all -host example.com -v
Export Results
Save for analysis:
scan4all -host example.com -json -o fingerprints.json
Correlate with Vulnerabilities
Use fingerprints to guide POC selection:
# Omit the -np flag so that POC checks run
scan4all -host example.com -v