Skip to content


Repository files navigation


As of October 1, 2021, this component of the Intrigue project is no longer actively maintained at this location, and the code in this repository has been re-licensed under the terms of the Mandiant Limited Open Source License Agreement (see:


Ident is an application and service fingerprinting library used within Intrigue Core.

The Ident project has a few stated goals:

  • To deeply identify network service and app software while remaining extremely fast - limiting unnecessary requests
  • To have the most complete set of identification checks for modern application and server software
  • To integrate well as a library, for easy use in other projects such as Intrigue Core
  • To maintain a robust command line interface for use as a standalone tool
  • To be commercially viable through use of the BSD license

Ident is written in Ruby and uses the lightning fast libcurl-backed Typhoeus and the powerful Socketry libraries to make requests.

Below, find instruction on how to get stated:

Using ident via Docker image:

  1. Pull and run the docker image! It'll download directly from DockerHub if the image doesnt exist locally docker run -t intrigueio/intrigue-ident -u


$ bundle exec ruby ./util/ident.rb -c -v -u
 - PHP PHP 5.4.16  - x-powered-by header (CPE: cpe:2.3:a:php:php:5.4.16:) (Tags: ["Web Framework"])
   - Vuln: CVE-2016-5768 (CVSSv3: 9.8)
   - Vuln: CVE-2016-4538 (CVSSv3: 9.8)
 - PHP PHP   - PHPSESSID cookie (CPE: cpe:2.3:a:php:php::) (Tags: ["Web Framework"])
 - Apache HTTP Server 2.4.6  - Apache web server - server header - with versions (CPE: cpe:2.3:a:apache:http_server:2.4.6:) (Tags: ["Web Server"])
   - Vuln: CVE-2018-1312 (CVSSv3: 9.8)
   - Vuln: CVE-2017-15715 (CVSSv3: 8.1)
 - Wordpress Wordpress   - common link (CPE: cpe:2.3:a:wordpress:wordpress::) (Tags: ["CMS"])
 - Yoast Wordpress SEO   - unique string (CPE: cpe:2.3:a:yoast:wordpress_seo::) (Tags: ["Marketing", "Wordpress Plugin"])
 - Bootstrap Bootstrap   - boostrap css (CPE: cpe:2.3:a:bootstrap:bootstrap::) (Tags: ["Web Framework"])
 - OpenSSL OpenSSL 1.0.2k-fips  - server header (CPE: cpe:2.3:a:openssl:openssl:1.0.2k-fips:) (Tags: ["Library"])
   - Vuln: CVE-2018-0732 (CVSSv3: 7.5)
Content Checks:
 - Authentication - HTTP: false
 - Authentication - Session Identifier: true
 - Google Analytics Account Detected: false
 - Location Header:
 - Directory Listing Detected: false
 - Form Detected: false
 - File Upload Form Detected: false
 - Email Addresses Detected: []
 - Access-Control-Allow-Origin Header: false
 - P3P Header: false
 - X-Frame-Options Header: true
 - X-XSS-Protection Header: false

For Check Writers:

Check types can be written against supported protocols:

  • AMQP
  • Apache Zookeeper Atomic Broadcast (Raw)
  • Cisco Smart Install
  • DNS
  • Elasticsearch
  • FTP
  • Ganglia (Raw)
  • Memcached (Raw)
  • Mongodb
  • Mysql
  • Oracle IIOP (Raw)
  • Oracle T3 (Raw)
  • Pop3
  • RDP (Raw)
  • Redis
  • SAP NI (Raw)
  • SMB
  • SMTP
  • SNMP
  • SSH
  • Telnet

Generally speaking, checks have the following structure. This is a check for HTTP and HTTPS:

          type: "fingerprint",
          category: "service",
          vendor: "Some",
          product: "Product",
          website: "",
          match_logic: :all,
          matches: [
              match_type: :content_title,
              match_content: /The Title of the Page/i
              match_type: :content_body,
              match_content: /any body string/i
              match_type: :content_code,
              match_content: 200
          description: "just an example check",
          paths: [ { path: "#{url}", follow_redirects: true } ]

There are many types of matchers, which tell the check what part of the target's response to check.

 - content_body: checks should be run against body
 - content_code: checks should be run against code returned in the response as an integer (note that this is generally only useful for follow-on checks)
 - content_cookies: checks should be run against the set-cookie: header (do not include the header name, just the content when writing checks)
 - content_generator:  checks should be run against text inside the <meta generator> tag (do not include the tag when writing checks)
 - content_headers: checks should be run against response headers (assumes one string of text, each header '\n' delimited)
 - content_title: checks should be run against text inside the <title> tag (do not include the tag when writing checks)

Multiple matches per check are supported, see: #87

For more details, have a look at the checks in the 'checks' directory, or jump into our slack channel for help.


A special thanks to the following contributors who help make ident awesome!

  • @adambakalar: Protocol support and Fingerprints
  • @duartemateus: Bugfixes, Architecture, Protocol support and Fingerprints
  • @chowdud: Fingerprints++ **
  • @jen140: Fingerprints
  • @shpendk: Fingerprints, Architecture
  • @m-q-t: Fingerprints, Architecture
  • @bensalah_anas: Fingerprints
  • @bcoles: Fingerprints, Bugfixes, JSON output
  • @bmcdevitt: Fingerprints
  • @retornam: Dockerization