v1.2.0 — aimap-profile companion tool
Companion-tool release. Adds aimap-profile/ for target classification, ethics-flag surfacing, honeypot detection, and disclosure-channel routing.
No changes to the aimap Go binary (still v1.1.1), its fingerprint database, CLI flags, or JSON output schema. For the Go binary and prebuilt Linux amd64/arm64 assets, use the v1.1.1 release. This release adds a Python companion script alongside it.
What's new — aimap-profile
Where aimap fingerprints services on a target (what's running?), aimap-profile profiles the target itself (what is it? how should I approach it? where do I disclose?). The two tools are designed to be used together — profile first, then scan.
- Single-file Python (~500 LoC), read-only, passive-first by default
- Emits structured JSON designed for LLM / pipeline consumption
Eight analysis modules
| Module | What it does |
|---|---|
| `identity` | rDNS, forward DNS, WHOIS org / netname / CIDR / country / ASN |
| `surface_passive` | Shodan historical record — ports, vulns, services, cert subject / issuer |
| `surface_active` | nmap top-100 + service detection (full mode only; opt-in) |
| `discrepancy` | Active vs passive delta + impossible-service-combo honeypot scoring |
| `classification` | Priority-ordered category + ethics flags + multi-tenant detection |
| `adjacency` | PTR /29 neighborhood sweep; CT namespace enumeration (full mode) |
| `web_surface` | Fetches `/`, extracts `window.__NUXT__` / `__NEXT_DATA__` / `__INITIAL_STATE__`; regex-scans for API keys, JWTs, cloud tokens |
| `disclosure` | security.txt probing, MX records, WHOIS abuse contact |
Priority-ordered category system
honeypot_signal > clinical_hipaa > personal_device > commercial_staging > commercial_saas > research_lab > education
The highest-specificity / highest-ethical-gate category wins. Ethics flags are auto-generated per category (HIPAA-no-active-probing, CFAA-institutional-CSIRT, personal-device-archive-only, honeypot-adversary-logging, safe-harbor-check, shared-multi-user scoping).
Honeypot detection example
```json
"discrepancy": {
  "honeypot_score": 6,
  "verdict": "likely honeypot / deception asset",
  "signals": [
    "honeypot combo detected: ['GlobalProtect', 'Ivanti'] (+3)",
    "honeypot combo detected: ['Asus', 'FortiGate'] (+3)"
  ]
}
```
Active nmap against this target returns "all filtered" — the Shodan passive fingerprint is what reveals the deception.
HIPAA-boundary classification example
```json
"classification": {
  "primary_category": "clinical_hipaa",
  "all_hits": ["clinical_hipaa", "education", "research_lab"],
  "ethics_flags": [
    "HIPAA-adjacent network — no active probing of clinical systems",
    "Educational institution — CFAA exposure; prefer institutional CSIRT disclosure",
    "Research lab / HPC — likely shared multi-user; scope carefully"
  ]
}
```
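The priority resolution described above, as an added Python example (not aimap-profile's own code): it picks the highest-priority hit as `primary_category` while keeping the ethics flag of every hit, reproducing the example output. The names `PRIORITY`, `ETHICS_FLAGS`, `classify` and `may_run_active` are hypothetical, as are the sorted `all_hits` order, the shorthand-to-category mapping, and the consumer-side gate.

```python
# Added example, not aimap-profile's own code.
# Priority order as listed in the release notes, highest gate first.
PRIORITY = [
    "honeypot_signal", "clinical_hipaa", "personal_device",
    "commercial_staging", "commercial_saas", "research_lab", "education",
]

# Long strings are quoted from the example output above; short ones reuse the
# shorthand flag names from the notes. The shorthand-to-category mapping is
# an assumption.
ETHICS_FLAGS = {
    "honeypot_signal": "honeypot-adversary-logging",
    "clinical_hipaa": "HIPAA-adjacent network — no active probing of clinical systems",
    "personal_device": "personal-device-archive-only",
    "commercial_staging": "safe-harbor-check",
    "commercial_saas": "safe-harbor-check",
    "research_lab": "Research lab / HPC — likely shared multi-user; scope carefully",
    "education": "Educational institution — CFAA exposure; prefer institutional CSIRT disclosure",
}


def classify(hits):
    """Resolve raw category hits into the classification object."""
    unknown = set(hits) - set(PRIORITY)
    if unknown:
        # Fail closed: an unrecognised category must not silently lose its gate.
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    all_hits = sorted(set(hits))  # assumption: sorted, as in the example output
    primary = min(all_hits, key=PRIORITY.index) if all_hits else None
    flags = []
    for cat in all_hits:  # every hit contributes its flag, not only the winner
        if ETHICS_FLAGS[cat] not in flags:
            flags.append(ETHICS_FLAGS[cat])
    return {"primary_category": primary, "all_hits": all_hits, "ethics_flags": flags}


def may_run_active(result, mode):
    """Hypothetical pipeline gate: allow surface_active only in full mode and
    only when clinical_hipaa is not among the hits (primary or otherwise)."""
    return mode == "full" and "clinical_hipaa" not in result["all_hits"]


if __name__ == "__main__":
    import json
    print(json.dumps(classify(["research_lab", "education", "clinical_hipaa"]),
                     indent=2, ensure_ascii=False))
```

The gate checks `all_hits` rather than `primary_category`, so a HIPAA hit that loses to `honeypot_signal` still blocks active probing.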
Verification
100% primary-category accuracy across 17 real-world targets spanning honeypot / clinical_hipaa / personal_device / commercial_staging / commercial_saas / research_lab / education.
Install
```bash
git clone https://github.com/Nicholas-Kloster/aimap.git
cd aimap/aimap-profile
python3 -m venv .venv
.venv/bin/pip install -r requirements.txt
shodan init <API_KEY> # one-time
./aimap_profile.py --target <ip|host> --mode fast
```
See aimap-profile/README.md for the full heuristics reference and roadmap.
Versioning note
- aimap (Go binary) — v1.1.1, unchanged
- aimap-profile (Python companion) — v0.1.0, new
The companion tool has its own versioning track. Upgrading or skipping it does not affect `aimap` itself.