# Web & URL Passive Fingerprinting Guide

Stealthy Enumeration: From Zero-Touch to Low-Noise Active

## Visual Overview

### Fingerprinting Stealth Tiers

```mermaid
graph TB
A[Target URL/Domain] --> B{Choose Stealth Tier}
B -->|Tier 0| C[Zero-Touch Passive]
B -->|Tier 1| D[Near-Passive / Looks Like Browsing]
B -->|Tier 2| E[Stealthy Active / Low Noise]
B -->|Tier 3| F[Active but Targeted]
C --> C1[Third-party databases only]
C --> C2[No packets to target]
C --> C3[Target never sees your IP]
D --> D1[Single HTTP requests]
D --> D2[Indistinguishable from browsing]
D --> D3[No fuzzing or enumeration]
E --> E1[Slow scans with evasion]
E --> E2[Decoys and source port tricks]
E --> E3[Detectable with advanced monitoring]
F --> F1[Content discovery]
F --> F2[Rate-limited fuzzing]
F --> F3[Vulnerability scanning]
style C fill:#00ff00
style D fill:#99ff00
style E fill:#ffcc00
style F fill:#ff9900
```

### Enumeration Decision Tree
```mermaid
graph LR
A[Need to Fingerprint URL] --> B{What Do You Know?}
B -->|Domain Only| C[Start Tier 0: DNS + crt.sh + Shodan]
B -->|IP + Domain| D[Start Tier 0: Shodan host + Whois + CT]
B -->|Full URL| E[Start Tier 0: Wayback + GAU + Google Dorks]
C --> F{Enough Info?}
D --> F
E --> F
F -->|Yes| G[Analyze & Report]
F -->|No| H[Move to Tier 1: curl headers + SSL + cookies]
H --> I{Enough Info?}
I -->|Yes| G
I -->|No| J[Move to Tier 2: nmap -T2 + nuclei tech]
J --> K{Enough Info?}
K -->|Yes| G
K -->|No| L[Move to Tier 3: ffuf + nuclei CVE]
L --> G
style G fill:#00ff00
style C fill:#00ff00
style H fill:#99ff00
style J fill:#ffcc00
style L fill:#ff9900
```

### Information Value vs Detection Risk
```mermaid
graph TD
subgraph "High Value / Low Risk (DO FIRST)"
A1[Shodan Cached Data]
A2[Certificate Transparency]
A3[DNS Records]
A4[Wayback Machine URLs]
A5[Google Dorking]
end
subgraph "High Value / Low Risk (LOOKS LIKE BROWSING)"
B1[HTTP Response Headers]
B2[SSL Certificate Inspection]
B3[robots.txt / sitemap.xml]
B4[Cookie Analysis]
B5[Error Page Fingerprinting]
end
subgraph "High Value / Medium Risk (DETECTABLE)"
C1[Nmap Service Detection]
C2[NSE HTTP Scripts]
C3[WAF Detection]
C4[Nuclei Tech Templates]
end
subgraph "Medium Value / High Risk (LAST RESORT)"
D1[Directory Fuzzing]
D2[Full Port Scan]
D3[API Enumeration]
D4[VHost Fuzzing]
end
style A1 fill:#00ff00
style A2 fill:#00ff00
style A3 fill:#00ff00
style A4 fill:#00ff00
style A5 fill:#00ff00
style B1 fill:#99ff00
style B2 fill:#99ff00
style B3 fill:#99ff00
style B4 fill:#99ff00
style B5 fill:#99ff00
style C1 fill:#ffcc00
style C2 fill:#ffcc00
style C3 fill:#ffcc00
style C4 fill:#ffcc00
style D1 fill:#ff9900
style D2 fill:#ff9900
style D3 fill:#ff9900
style D4 fill:#ff9900
```

### Execution Timeline
```mermaid
gantt
title Passive-First Web Fingerprinting Timeline
dateFormat HH:mm
axisFormat %H:%M
section Tier 0 - Zero Touch
Whois + DNS records :00:00, 5m
crt.sh + Shodan host lookup :00:05, 10m
Passive subdomain enum :00:15, 15m
Wayback + GAU historical URLs :00:30, 10m
Google dorking :00:40, 10m
Analyze Tier 0 results :00:50, 20m
section Tier 1 - Near Passive
curl headers + robots.txt :01:10, 5m
SSL cert + cookie analysis :01:15, 5m
whatweb/httpx tech detection :01:20, 5m
Error page + favicon fingerprint :01:25, 5m
Analyze Tier 1 results :01:30, 15m
section Tier 2 - Stealthy Active
Targeted nmap -sS -T2 :01:45, 15m
NSE http-enum + ssl-ciphers :02:00, 10m
WAF detection :02:10, 5m
Analyze before Tier 3 :02:15, 15m
section Tier 3 - Active Targeted
ffuf content discovery (slow) :02:30, 30m
nuclei CVE scan (rate-limited) :03:00, 30m
```

## Core Principle: Exhaust Each Tier Before Escalating
| Rule | Why It Matters | Violation Cost |
|---|---|---|
| 1. Always start at Tier 0 | 70% of useful data comes from third parties | Sending packets you didn't need to send |
| 2. Analyze between tiers | You may already have what you need | Unnecessary noise on target network |
| 3. Rate-limit everything active | Velocity = detection | WAF blocks, IDS alerts, IP bans |
| 4. Use a VPN/proxy | Attribution matters | Your real IP in target logs |
| 5. Source port 53 for scans | Firewalls often allow DNS traffic | Scans blocked at perimeter |
| 6. Decoys on active scans | Hide among noise | Single-source scan is obvious |
| 7. Match business hours | Off-hours traffic stands out | SOC correlation flags anomalous timing |

## Tier 0: Zero-Touch Passive (No Packets to Target)

These methods query third-party databases only. The target never sees your IP address.
### Certificate Transparency Logs

What it reveals: Subdomains, organization name, certificate issuance dates, wildcard patterns.

```bash
# Query crt.sh for all certificates
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u
# Filter for unique subdomains only (strip the wildcard prefix)
curl -s "https://crt.sh/?q=%25.target.com&output=json" | \
  jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > ct_subdomains.txt
# Check which issuers appear in the certificates
curl -s "https://crt.sh/?q=%25.target.com&output=json" | \
  jq -r '.[].issuer_name' | sort -u
```
Why it's passive: crt.sh is a public log aggregator. You're querying Google/DigiCert/Let's Encrypt logs, not the target.
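The jq pipeline prints every name on every matching certificate, including names from shared certificates that belong to other domains, and only splits multi-name records because `jq -r` emits the embedded newlines. The Python below is an added example, not code from the original guide: it parses a constructed crt.sh-style JSON response into in-scope hostnames, records wildcards and issuers separately, and drops anything outside the queried base domain. The sample records, the `parse_crtsh` helper and its argument names are assumptions made for this example.

```python
"""Parse a crt.sh JSON response into in-scope hostnames (added example).

Assumes the response shape of https://crt.sh/?q=%25.<domain>&output=json:
a JSON list of certificate records whose "name_value" field may contain
several newline-separated names. The records below are constructed for the
example and are not real crt.sh output.
"""
import json

# Constructed sample: one cert with three SANs, one wildcard cert, one cert
# with a mixed-case duplicate, and one shared cert whose second SAN belongs
# to another domain (crt.sh returns every name on a matching certificate).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.target.com\napi.target.com\ntarget.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "*.target.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "staging.target.com\nWWW.Target.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.target.com\ncdn.partner-example.com"},
])


def parse_crtsh(raw_json, base_domain):
    """Return (sorted in-scope hostnames, wildcard names seen, issuer names seen).

    Names are lower-cased and de-duplicated; a wildcard '*.x' is recorded
    separately and also contributes its base 'x', matching the sed step in
    the shell pipeline. Anything outside base_domain is dropped.
    """
    base_domain = base_domain.lower()
    hosts, wildcards, issuers = set(), set(), set()
    for record in json.loads(raw_json):
        issuers.add(record.get("issuer_name", ""))
        for name in record.get("name_value", "").splitlines():
            name = name.strip().lower()
            if not name:
                continue
            if name.startswith("*."):
                wildcards.add(name)
                name = name[2:]
            # Scope check: the base domain itself or a subdomain of it
            if name == base_domain or name.endswith("." + base_domain):
                hosts.add(name)
    return sorted(hosts), sorted(wildcards), sorted(issuers)


if __name__ == "__main__":
    hosts, wildcards, issuers = parse_crtsh(SAMPLE_CRTSH_JSON, "target.com")
    print("\n".join(hosts))
    print("wildcards:", wildcards)
    print("issuers:", issuers)
```

On the constructed input the function returns four in-scope hosts and leaves `cdn.partner-example.com` out; the shell pipeline would have listed it alongside the target's names. For an organisation reviewing its own exposure, the issuer list is the quick check for certificates issued by a CA the CAA record does not authorise.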
### Shodan Cached Lookups

What it reveals: Open ports, service banners, OS fingerprint, tech stack, vulnerabilities, all from Shodan's own crawlers.

```bash
# Host lookup (0 credits, completely passive)
shodan host <target-IP>
# Organization search
shodan search 'org:"Target Company"'
# SSL certificate association
shodan search 'ssl.cert.subject.cn:*.target.com'
# Count hosts (0 credits)
shodan count 'hostname:target.com'
# Get statistics on infrastructure
shodan stats --facets port,product,country 'org:"Target Company"'
# Download cached data for offline analysis
shodan download target_data.json.gz 'hostname:target.com'
shodan parse --fields ip_str,port,product,hostnames target_data.json.gz
```
| Shodan Query | What It Finds | Credits |
|---|---|---|
| `shodan host <IP>` | Ports, banners, OS, org | 0 |
| `shodan count <query>` | Result count | 0 |
| `shodan search 'org:"Company"'` | All hosts for org | 0 (no filters) / 1 (with filters) |
| `shodan search 'ssl.cert.subject.cn:*.target.com'` | Hosts with matching SSL certs | 1 |
| `shodan search 'http.favicon.hash:<hash>'` | Hosts with same favicon (identify framework) | 1 |
| `shodan search 'hostname:target.com'` | All hosts resolving to domain | 1 |
### DNS Records (Public Resolvers)

What it reveals: Mail servers, nameservers, SPF/DMARC policy, hosting provider, CDN usage, internal naming conventions.

```bash
# Query all record types via a public resolver (NOT the target's NS).
# Many servers answer ANY with a minimal response (RFC 8482), so query the specific types too.
dig target.com ANY @8.8.8.8
# Specific record types
dig target.com MX @8.8.8.8      # Mail servers -> email provider
dig target.com TXT @8.8.8.8     # SPF/verification records (DMARC lives at _dmarc.target.com)
dig target.com NS @8.8.8.8      # Nameservers -> DNS provider
dig target.com A @8.8.8.8       # IPv4 address
dig target.com AAAA @8.8.8.8    # IPv6 address
dig target.com CNAME @8.8.8.8   # Aliases -> CDN/hosting
dig target.com SOA @8.8.8.8     # Start of Authority
# Check for CAA records (Certificate Authority Authorization)
dig target.com CAA @8.8.8.8
# Reverse DNS lookup
dig -x <target-IP> @8.8.8.8
```
Fingerprinting from DNS:

| Record | What It Reveals | Example |
|---|---|---|
| MX -> `aspmx.l.google.com` | Google Workspace | Company uses Gmail |
| MX -> `*.mail.protection.outlook.com` | Microsoft 365 | Company uses Exchange Online |
| TXT -> `v=spf1 include:_spf.google.com` | Google email infra | SPF confirms Google Workspace |
| TXT -> `MS=ms12345678` | Microsoft domain verification | Confirms M365 tenant |
| TXT -> `docusign=...` | DocuSign usage | Business process indicator |
| CNAME -> `*.cloudfront.net` | AWS CloudFront CDN | Hosting on AWS |
| CNAME -> `*.azurewebsites.net` | Azure Web Apps | Hosting on Azure |
| CNAME -> `*.herokuapp.com` | Heroku | App platform indicator |
| NS -> `*.awsdns-*.com` | Route53 | AWS DNS infrastructure |
| NS -> `*.cloudflare.com` | Cloudflare | CDN/WAF indicator |
### Whois Lookup

```bash
# Domain registration details
whois target.com
# IP address registration (who owns the IP block)
whois <target-IP>
```

What to extract: Registrar, creation/expiry dates, nameservers, registrant org (if not privacy-protected), abuse contacts, ASN.
### Passive Subdomain Enumeration

```bash
# Amass passive mode (queries APIs, no DNS brute force)
amass enum -passive -d target.com -src -o amass_passive.txt
# Subfinder (dozens of passive API sources)
subfinder -d target.com -silent -o subfinder.txt
# Assetfinder
echo "target.com" | assetfinder --subs-only | sort -u > assetfinder.txt
# Findomain (-o writes the results to a file named after the target)
findomain -t target.com -o
# Combine all sources
cat amass_passive.txt subfinder.txt assetfinder.txt | sort -u > all_subdomains.txt
```
### Historical URL Mining

What it reveals: Deprecated endpoints, old parameters, removed admin panels, previous tech stack, API paths, exposed files.

```bash
# Wayback Machine URLs
waybackurls target.com | tee wayback_urls.txt
# GetAllUrls (Wayback + Common Crawl + OTX + URLScan)
gau target.com | tee gau_urls.txt
# Extract unique paths
cat gau_urls.txt | unfurl paths | sort -u > historical_paths.txt
# Extract parameters (potential injection points)
cat gau_urls.txt | grep "=" | sort -u > params.txt
# Find interesting file types in history (match before a query string as well as at end of URL)
cat gau_urls.txt | grep -iE "\.(sql|bak|conf|env|log|xml|json|yml|yaml|ini|cfg|zip|tar|gz|rar)(\?|$)" > interesting_files.txt
# Find API endpoints in history
cat gau_urls.txt | grep -iE "/api/|/v[0-9]+/|/graphql|/rest/" | sort -u > api_endpoints.txt
```
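A grep anchored on the file extension is easy to get wrong once query strings and duplicate schemes are involved. The Python below is an added example, not code from the original guide: it performs the same triage (unique paths, parameter names, sensitive-looking file types, API-style paths) from a proper URL parse over a constructed list of historical URLs, so `/backup/site.sql?download=1` is caught and `http://` and `https://` copies of one path collapse to a single entry. The `triage_urls` function, the sample list and the extension set are assumptions for this example.

```python
"""Triage historical URLs (waybackurls/gau output) offline (added example).

Generalizes the grep/unfurl pipeline: paths, query parameter names,
sensitive-looking file extensions and API-style paths are all derived from
a URL parse instead of regexes over the raw line. The URL list below is
constructed for the example.
"""
import re
from urllib.parse import parse_qsl, urlsplit

SAMPLE_URLS = """\
https://target.com/
https://target.com/login?next=/dashboard
https://target.com/api/v1/users?id=17
https://target.com/api/v1/users?id=42
https://target.com/backup/site.sql?download=1
https://target.com/static/app.js
https://target.com/graphql
https://target.com/old-admin/config.env
http://target.com/api/v1/users?id=17
"""

# Same extension list as the grep in the shell pipeline
INTERESTING_EXT = {"sql", "bak", "conf", "env", "log", "xml", "json", "yml",
                   "yaml", "ini", "cfg", "zip", "tar", "gz", "rar"}
# /api/, /rest/, /graphql, or a version segment such as /v1/
API_PATH = re.compile(r"(^|/)(api|rest|graphql)(/|$)|/v[0-9]+(/|$)", re.IGNORECASE)


def triage_urls(text):
    """Return sorted unique paths, parameter names, interesting files and API paths."""
    paths, params, files, api = set(), set(), set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(line)
        path = parts.path or "/"
        paths.add(path)
        # Parameter names only; values are irrelevant for the inventory
        for key, _ in parse_qsl(parts.query, keep_blank_values=True):
            params.add(key)
        # Extension of the last path segment, independent of any query string
        last_segment = path.rsplit("/", 1)[-1]
        ext = last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""
        if ext in INTERESTING_EXT:
            files.add(path)
        if API_PATH.search(path):
            api.add(path)
    return {"paths": sorted(paths), "params": sorted(params),
            "files": sorted(files), "api": sorted(api)}


if __name__ == "__main__":
    for key, values in triage_urls(SAMPLE_URLS).items():
        print(f"{key}: {values}")
```

The output buckets map directly onto the four files the shell pipeline writes (`historical_paths.txt`, `params.txt`, `interesting_files.txt`, `api_endpoints.txt`); feeding real `gau` output in place of `SAMPLE_URLS` is the only change needed.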
### Google Dorking

```text
# Exposed files
site:target.com filetype:pdf
site:target.com filetype:sql
site:target.com filetype:env
site:target.com filetype:log
site:target.com filetype:bak
site:target.com filetype:conf
# Admin panels & login pages
site:target.com inurl:admin
site:target.com inurl:login
site:target.com intitle:"dashboard"
site:target.com intitle:"index of"
# Error messages & stack traces
site:target.com "error" "stack trace"
site:target.com "Warning:" "on line"
site:target.com "Fatal error"
# Configuration exposure
site:target.com inurl:config
site:target.com inurl:setup
site:target.com ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini
# Sensitive directories
site:target.com inurl:.git
site:target.com inurl:.env
site:target.com inurl:wp-content
site:target.com inurl:wp-admin
# Third-party leaks
"target.com" site:github.com
"target.com" site:pastebin.com
"target.com" site:trello.com
```
### BGP / ASN Lookup

```bash
# Find ASN for target organization
amass intel -org "Target Company" -src
# Alternative ASN lookup
curl -s "https://bgp.he.net/search?search=targetcompany&commit=Search"
# Enumerate IP ranges for ASN
whois -h whois.radb.net -- '-i origin AS12345'
```

## Tier 1: Near-Passive (Looks Like Normal Browsing)

These methods send packets to the target, but they are indistinguishable from a normal user visiting the website.
### HTTP Response Header Analysis

What it reveals: Web server software, backend language, framework, CDN, caching, security posture.

```bash
# Grab response headers (-I sends a single HEAD request; looks like ordinary client traffic)
curl -sI https://target.com
# Targeted header extraction
curl -sI https://target.com | grep -iE "^(server|x-powered|x-frame|x-content|content-security|strict-transport|x-xss|x-aspnet|x-generator|x-drupal|x-varnish|via|cf-ray|x-amz|x-cache|set-cookie)"
```
Header Fingerprinting Matrix:

| Header | Value | Reveals |
|---|---|---|
| Server | `Apache/2.4.41 (Ubuntu)` | Web server + OS |
| Server | `nginx/1.18.0` | Nginx version |
| Server | `Microsoft-IIS/10.0` | IIS + likely Windows Server 2016+ |
| Server | `cloudflare` | Behind Cloudflare CDN/WAF |
| X-Powered-By | `PHP/7.4.3` | Backend language + version |
| X-Powered-By | `Express` | Node.js Express framework |
| X-Powered-By | `ASP.NET` | .NET backend |
| X-AspNet-Version | `4.0.30319` | .NET Framework version |
| X-Generator | `WordPress 6.4.2` | CMS + version |
| X-Drupal-Cache | present | Drupal CMS |
| X-Varnish | present | Varnish cache in front |
| Via | `1.1 varnish` | Reverse proxy/CDN indicator |
| CF-Ray | present | Cloudflare CDN confirmed |
| X-Amz-Cf-Id | present | AWS CloudFront CDN |
| X-Cache | `HIT from cloudfront` | CloudFront cache |
| X-Frame-Options | `DENY` / `SAMEORIGIN` | Clickjacking protection |
| Content-Security-Policy | present | CSP: security-conscious org |
| Strict-Transport-Security | `max-age=...` | HSTS enabled |
| X-Content-Type-Options | `nosniff` | MIME sniffing protection |
### SSL/TLS Certificate Inspection

```bash
# Full certificate details (single TLS handshake)
openssl s_client -connect target.com:443 </dev/null 2>/dev/null | \
  openssl x509 -noout -text
# Extract Subject Alternative Names (SANs): reveals other hostnames
openssl s_client -connect target.com:443 </dev/null 2>/dev/null | \
  openssl x509 -noout -ext subjectAltName
# Quick certificate summary
openssl s_client -connect target.com:443 </dev/null 2>/dev/null | \
  openssl x509 -noout -subject -issuer -dates -ext subjectAltName
# Check TLS version support
openssl s_client -connect target.com:443 -tls1_2 </dev/null 2>/dev/null && echo "TLS 1.2 supported"
openssl s_client -connect target.com:443 -tls1_3 </dev/null 2>/dev/null && echo "TLS 1.3 supported"
```
What SANs reveal: Other domains, internal hostnames, staging/dev environments, API endpoints, wildcard patterns.
### Publicly Accessible Files

```bash
# robots.txt: disallowed paths are high-value targets
curl -s https://target.com/robots.txt
# sitemap.xml: full URL map of the site
curl -s https://target.com/sitemap.xml
curl -s https://target.com/sitemap_index.xml
# security.txt (RFC 9116)
curl -s https://target.com/.well-known/security.txt
# humans.txt
curl -s https://target.com/humans.txt
# Common config/info files
curl -s https://target.com/crossdomain.xml
curl -s https://target.com/.well-known/openid-configuration
curl -s https://target.com/.well-known/assetlinks.json
```
### Cookie-Based Fingerprinting

Cookies in the response reveal backend technology without any active probing.

| Cookie Name | Technology |
|---|---|
| `PHPSESSID` | PHP |
| `JSESSIONID` | Java (Tomcat, JBoss, etc.) |
| `ASP.NET_SessionId` | ASP.NET |
| `CFID` / `CFTOKEN` | ColdFusion |
| `connect.sid` | Node.js Express |
| `laravel_session` | Laravel (PHP) |
| `_rails_session` / `_session_id` | Ruby on Rails |
| `csrftoken` + `sessionid` | Django (Python) |
| `ci_session` | CodeIgniter (PHP) |
| `wp-settings-*` | WordPress |
| `AWSALB` / `AWSALBCORS` | AWS Application Load Balancer |
| `__cfduid` / `cf_clearance` | Cloudflare |
| `ROUTEID` | HAProxy |

```bash
# Extract cookies from response
curl -sI https://target.com | grep -i "set-cookie"
```
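The header matrix and the cookie table are easiest to apply consistently as a small checker over saved `curl -sI` output, which also makes them useful to a defender reviewing what their own site discloses. The Python below is an added example, not code from the original guide: it encodes both tables as signature lists, reports recognised technologies with versions where the value carries one, lists which of the four hardening headers from the matrix are absent, and flags cookies that lack the `Secure` or `HttpOnly` attribute. The sample response, the signature lists and the `fingerprint` function are assumptions for this example and the lists are not exhaustive.

```python
"""Classify response headers and cookies, and list missing protections (added example).

Input is raw HTTP response text as printed by `curl -sI`. The response below
is constructed for the example; the signature lists restate the guide's
tables and are deliberately incomplete.
"""
import re

SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly
Set-Cookie: laravel_session=xyz; Path=/; Secure; HttpOnly
Set-Cookie: AWSALB=token; Path=/
Content-Type: text/html; charset=UTF-8
"""

# (header name, regex on the value, label); group 1, when present, is a version
HEADER_SIGNATURES = [
    ("server", r"^apache(?:/([\d.]+))?", "Apache web server"),
    ("server", r"^nginx(?:/([\d.]+))?", "nginx web server"),
    ("server", r"^microsoft-iis(?:/([\d.]+))?", "Microsoft IIS"),
    ("server", r"^cloudflare$", "Cloudflare CDN/WAF in front"),
    ("x-powered-by", r"^php(?:/([\d.]+))?", "PHP backend"),
    ("x-powered-by", r"^express$", "Node.js Express"),
    ("x-powered-by", r"^asp\.net$", ".NET backend"),
    ("x-aspnet-version", r"^([\d.]+)$", ".NET Framework"),
    ("x-generator", r"^(.+)$", "CMS"),
    ("x-drupal-cache", r".", "Drupal CMS"),
    ("x-varnish", r".", "Varnish cache in front"),
    ("cf-ray", r".", "Cloudflare CDN confirmed"),
    ("x-amz-cf-id", r".", "AWS CloudFront CDN"),
]
# Cookie names in lower case; a trailing '-' means prefix match
COOKIE_SIGNATURES = [
    ("phpsessid", "PHP"), ("jsessionid", "Java (Tomcat, JBoss, etc.)"),
    ("asp.net_sessionid", "ASP.NET"), ("cfid", "ColdFusion"), ("cftoken", "ColdFusion"),
    ("connect.sid", "Node.js Express"), ("laravel_session", "Laravel (PHP)"),
    ("_rails_session", "Ruby on Rails"), ("_session_id", "Ruby on Rails"),
    ("csrftoken", "Django (Python)"), ("sessionid", "Django (Python)"),
    ("ci_session", "CodeIgniter (PHP)"), ("wp-settings-", "WordPress"),
    ("awsalb", "AWS Application Load Balancer"), ("awsalbcors", "AWS Application Load Balancer"),
    ("__cfduid", "Cloudflare"), ("cf_clearance", "Cloudflare"), ("routeid", "HAProxy"),
]
SECURITY_HEADERS = ["strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options"]


def parse_headers(raw):
    """Return [(lower-case name, value)] from raw response text, skipping the status line."""
    headers = []
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def fingerprint(raw):
    """Apply the header and cookie signatures and report missing protections."""
    headers = parse_headers(raw)
    tech = []
    for name, value in headers:
        for sig_name, pattern, label in HEADER_SIGNATURES:
            if name != sig_name:
                continue
            match = re.match(pattern, value, re.IGNORECASE)
            if match:
                version = match.group(1) if match.groups() else None
                tech.append(f"{label} {version}" if version else label)
    cookie_tech, weak_cookies = [], []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if not {"secure", "httponly"} <= attrs:
            weak_cookies.append(cookie_name)
        lowered = cookie_name.lower()
        for sig, label in COOKIE_SIGNATURES:
            if lowered == sig or (sig.endswith("-") and lowered.startswith(sig)):
                cookie_tech.append(label)
    present = {name for name, _ in headers}
    missing = [h for h in SECURITY_HEADERS if h not in present]
    return {"tech": tech, "cookie_tech": cookie_tech,
            "weak_cookies": weak_cookies, "missing_security_headers": missing}


if __name__ == "__main__":
    for key, values in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key}: {values}")
```

Against the constructed response the checker reports Apache 2.4.41 and PHP 7.4.3 from the headers, PHP, Laravel and an AWS ALB from the cookies, all four hardening headers missing, and two cookies without both `Secure` and `HttpOnly`. The same run over a real `curl -sI` capture is a cheap way to see exactly what a Tier 1 observer sees.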
### Error Page Fingerprinting

```bash
# Request a non-existent page to trigger error handling
curl -s https://target.com/this-page-does-not-exist-12345
# Request with invalid method
curl -s -X TRACE https://target.com/
# Request with malformed path
curl -s "https://target.com/%00"
curl -s "https://target.com/'"
```

Default error page signatures:

| Error Page Content | Framework/Server |
|---|---|
| `Apache/2.x.x (Ubuntu) Server at` | Apache default |
| `nginx` (minimal text) | Nginx default |
| `Microsoft-IIS/10.0` | IIS default |
| `Whitelabel Error Page` + Spring | Spring Boot (Java) |
| `The page you are looking for...` + Django | Django debug off |
| `Traceback (most recent call last)` | Python/Django debug on (jackpot) |
| `Cannot GET /path` | Express.js (Node) |
| `Not Found. The requested URL was not found` | Flask (Python) |
| `<!DOCTYPE html><html><head><title>Error</title>` | Generic, check source |
| WordPress-style 404 with theme | WordPress |
### Technology Detection (Single Request)

```bash
# WhatWeb at aggression level 1 (stealthy: minimal requests)
whatweb -a 1 https://target.com
# httpx with tech detection (single request per host)
echo "target.com" | httpx -title -tech-detect -status-code -server -content-length
# Check multiple subdomains at once
cat all_subdomains.txt | httpx -title -tech-detect -status-code -server -o live_hosts.txt
```
### Favicon Hash Fingerprinting

Default favicons identify unmodified framework installations.

```bash
# Download favicon
curl -s https://target.com/favicon.ico -o favicon.ico
# Generate the Shodan-compatible hash from the downloaded file (Python):
# MurmurHash3 over the base64 text exactly as codecs.encode produces it,
# line breaks included, which is the form Shodan hashes
python3 -c "
import mmh3, codecs
with open('favicon.ico', 'rb') as f:
    favicon = codecs.encode(f.read(), 'base64')
favicon_hash = mmh3.hash(favicon)
print(f'Favicon hash: {favicon_hash}')
print(f'Shodan query: http.favicon.hash:{favicon_hash}')
"
# Look up the hash on Shodan
shodan search "http.favicon.hash:<hash>"
```

| Favicon Hash | Application |
|---|---|
| -1237565096 | Spring Boot default |
| 116323821 | Atlassian JIRA |
| -305179312 | Plesk Panel |
| 1485257654 | Default Apache |
| 81586312 | Grafana |
| -697514042 | Kibana |
### HTTP Methods Check

```bash
# OPTIONS request: reveals allowed methods
curl -sI -X OPTIONS https://target.com/
# Check for WebDAV
curl -sI -X PROPFIND https://target.com/
# Test dangerous methods (still looks like browsing)
curl -sI -X PUT https://target.com/test.txt
curl -sI -X DELETE https://target.com/test.txt
```

Dangerous if allowed: PUT (file upload), DELETE (file deletion), TRACE (XST attacks), PROPFIND (WebDAV enumeration).

## Tier 2: Stealthy Active (Low Noise, Detectable with Advanced Monitoring)

### WAF Detection (Do BEFORE Any Fuzzing)

```bash
# Nmap WAF detection
nmap --script=http-waf-detect,http-waf-fingerprint -p80,443 target.com
# wafw00f (dedicated WAF detector)
wafw00f https://target.com
```

Why detect the WAF first: If Cloudflare/Akamai/ModSecurity is present, aggressive scanning will be blocked instantly. Adjust technique accordingly.
### Targeted Nmap Scans

```bash
# Stealthy SYN scan on common web ports (T2 = polite timing)
nmap -sS -T2 -Pn -p80,443,8080,8443,8000,8888,3000,9000 target.com
# Service version detection (low intensity = fewer probes)
nmap -sV -T2 --version-intensity 2 -p80,443 target.com
# With decoys + DNS source port for IDS evasion
nmap -sS -T1 -D RND:5 -g 53 --randomize-hosts -Pn -p80,443,8080,8443 target.com
# Fragment packets (bypass some firewalls)
nmap -sS -T2 -f -Pn -p80,443 target.com
```
Nmap Evasion Flags Reference:

| Flag | Purpose | Why It Helps |
|---|---|---|
| `-T1` or `-T2` | Slow timing | Avoids velocity-based IDS detection |
| `-D RND:5` | 5 random decoy IPs | Your IP hides among fakes |
| `-g 53` | Source port 53 (DNS) | Many firewalls allow DNS traffic through |
| `-f` | Fragment packets | Splits packets to evade shallow inspection |
| `--randomize-hosts` | Random target order | Avoids sequential scan patterns |
| `--scan-delay 5s` | 5 second delay between probes | Further reduces scan speed |
| `-Pn` | Skip ping | Avoid ICMP-based detection |
### NSE HTTP Scripts

```bash
# HTTP enumeration (directories, default files)
nmap --script=http-enum -p80,443 target.com
# SSL/TLS cipher enumeration
nmap --script=ssl-enum-ciphers -p443 target.com
# HTTP methods allowed
nmap --script=http-methods --script-args http-methods.url-path='/' -p80 target.com
# HTTP title and server header
nmap --script=http-title,http-server-header -p80,443 target.com
# Check for common web vulns
nmap --script=http-shellshock -p80 target.com
# Backup file discovery
nmap --script=http-backup-finder -p80 target.com
```
### Nuclei Technology Detection

```bash
# Technology fingerprinting only (non-intrusive templates)
nuclei -u https://target.com -t technologies/ -rl 5
# Specific tech stacks
nuclei -u https://target.com -t technologies/tech-detect.yaml -rl 5
# Exposed panels
nuclei -u https://target.com -t exposed-panels/ -rl 5
```
### DNS Zone Transfer Attempt

```bash
# Check if zone transfer is allowed (misconfiguration)
dig axfr target.com @ns1.target.com
# If successful: reveals the entire internal DNS map
# If it fails: normal, move on (a single failed request is minimal noise)
```

## Tier 3: Active but Targeted (Only After Passive is Exhausted)

### Content Discovery (Rate-Limited)

```bash
# ffuf with rate limiting (10 requests/sec max)
ffuf -ac -u https://target.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -rate 10 -o ffuf_dirs.json
# API endpoint discovery (even slower)
ffuf -u https://target.com/api/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
  -rate 5
# Use historical data as custom wordlist (much smaller, targeted)
cat historical_paths.txt | ffuf -u https://target.com/FUZZ -w - -rate 10
# GraphQL endpoint check
curl -s -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query": "{__schema{types{name}}}"}'
```
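From the log reviewer's side, the velocity this tier tries to stay under is exactly what a web-log detector keys on: content discovery requests mostly miss, so the 404 count per source in a short window separates it from browsing even at 10 requests per second. The Python below is an added example, not code from the original guide: a detector over constructed Combined Log Format lines that keeps a sliding window of 404 responses per source address and flags a source once the count crosses a threshold. The log lines, the `find_enumerators` function and its window and threshold defaults are assumptions for this example.

```python
"""Flag sources whose 404 rate looks like path enumeration (added example).

Parses Combined Log Format lines and keeps, per source IP, a sliding window
of timestamps of 404 responses. A source is flagged the first time the
window holds at least `threshold` entries. All log lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _log_line(ip, when, path, status, ua):
    """Build one constructed access-log line in Combined Log Format."""
    return (f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


_T0 = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
# Constructed: one ordinary visitor who hits a single stale link, and one
# source requesting 30 non-existent paths at roughly 10 requests per second.
SAMPLE_LOG = [
    _log_line("192.0.2.10", _T0, "/", 200, "Mozilla/5.0"),
    _log_line("192.0.2.10", _T0 + timedelta(seconds=3), "/about", 200, "Mozilla/5.0"),
    _log_line("192.0.2.10", _T0 + timedelta(seconds=9), "/old-link", 404, "Mozilla/5.0"),
] + [
    _log_line("198.51.100.7", _T0 + timedelta(seconds=i // 10),
              f"/wordlist-entry-{i}", 404, "curl/8.4.0")
    for i in range(30)
]


def parse_line(line):
    """Return (ip, timestamp, status, user-agent), or None for an unparseable line."""
    match = LOG_RE.match(line)
    if not match:
        return None
    ts = datetime.strptime(match.group("ts"), TS_FMT)
    return match.group("ip"), ts, int(match.group("status")), match.group("ua")


def find_enumerators(lines, window_seconds=60, threshold=20):
    """Return {ip: details} for sources with >= threshold 404s inside one window."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[1])
    recent = defaultdict(deque)   # ip -> timestamps of 404s inside the window
    flagged = {}
    for ip, ts, status, ua in events:
        if status != 404:
            continue
        window = recent[ip]
        window.append(ts)
        # Drop entries older than the window relative to the newest event
        while ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= threshold and ip not in flagged:
            flagged[ip] = {"first_flagged_at": ts, "count": len(window), "ua": ua}
    return flagged


if __name__ == "__main__":
    for ip, details in find_enumerators(SAMPLE_LOG).items():
        print(ip, details)
```

With the defaults the enumerating source is flagged on its 20th miss, about two seconds in, while the ordinary visitor's single 404 never comes close. A slower run stays under a 60-second window of 20, which is why production detectors pair an absolute count with the 404-to-total ratio per source and a longer window; the function's parameters are there so both can be tuned against real traffic.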
### Virtual Host (VHost) Fuzzing

```bash
# Find hidden virtual hosts on the same IP
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -u http://<target-IP> \
  -H "Host: FUZZ.target.com" \
  -fs <default-response-size> \
  -rate 10
```
### Vulnerability Scanning (Rate-Limited)

```bash
# Nuclei CVE scan (rate-limited to 5 requests/sec)
nuclei -u https://target.com -t cves/ -rl 5 -o nuclei_cves.txt
# Nuclei vulnerability templates
nuclei -u https://target.com -t vulnerabilities/ -rl 5
# Against all discovered live hosts
nuclei -l live_hosts.txt -t cves/,vulnerabilities/ -rl 5 -o all_vulns.txt
```
### Full Port Scan (Slow)

```bash
# All 65535 ports, slow to avoid detection
nmap -p- -sS -T2 --min-rate 100 --max-rate 200 -Pn target.com -oA full_scan
# With decoys and evasion
nmap -p- -sS -T1 -D RND:5 -g 53 -f --randomize-hosts -Pn target.com -oA full_scan_stealth
```

## Recommended Execution Order

```text
TIER 0 - ZERO TOUCH (target never sees you)
-------------------------------------------
1. whois target.com                      [registrar, org, dates]
2. dig target.com ANY @8.8.8.8           [DNS records, providers]
3. crt.sh query                          [subdomains from CT logs]
4. shodan host <IP>                      [ports, banners, OS]
5. amass enum -passive + subfinder       [subdomain aggregation]
6. waybackurls + gau                     [historical endpoints]
7. Google dorking                        [exposed files, panels]
8. BGP/ASN lookup                        [IP ranges, subsidiaries]

STOP - Analyze Tier 0 results. Do you have enough?

TIER 1 - NEAR PASSIVE (looks like browsing)
-------------------------------------------
9.  curl -sI https://target.com          [server, X-Powered-By]
10. openssl s_client SSL cert            [SANs, org, issuer]
11. curl robots.txt + sitemap.xml        [disallowed paths, URLs]
12. Cookie analysis from Set-Cookie      [backend technology]
13. Error page fingerprint (404)         [framework identification]
14. whatweb -a1 / httpx -tech-detect     [technology stack]
15. Favicon hash                         [default install detection]
16. HTTP OPTIONS method check            [allowed methods]

STOP - Analyze Tier 1 results. Do you need more?

TIER 2 - STEALTHY ACTIVE (detectable with IDS)
----------------------------------------------
17. WAF detection (wafw00f / nmap)       [know what you're up against]
18. nmap -sS -T2 on discovered ports     [port verification]
19. nmap -sV --version-intensity 2       [service versions]
20. nmap NSE http-enum, ssl-enum-ciphers [directories, weak ciphers]
21. nuclei -t technologies/ -rl 5        [detailed tech fingerprint]
22. DNS zone transfer attempt            [full DNS map if misconfigured]

STOP - Decide if Tier 3 is necessary

TIER 3 - ACTIVE TARGETED (use with caution)
-------------------------------------------
23. ffuf directory discovery (rate 10)   [hidden paths]
24. ffuf API endpoint discovery (rate 5) [REST/GraphQL endpoints]
25. VHost fuzzing                        [hidden virtual hosts]
26. nuclei -t cves/ -rl 5                [known vulnerabilities]
27. Full port scan nmap -p- -T2          [all 65535 ports]
```
## Fingerprinting Results: What to Collect

### Web Stack Summary Template

```text
TARGET: target.com
IP: x.x.x.x
ASN: ASXXXXX (Provider Name)

INFRASTRUCTURE:
  CDN/WAF:     Cloudflare / Akamai / None
  Web Server:  nginx 1.18.0 / Apache 2.4.41 / IIS 10.0
  Backend:     PHP 7.4 / Java / Node.js / Python / .NET
  Framework:   WordPress 6.4 / Django / Spring Boot / Express
  CMS:         WordPress / Drupal / Joomla / None
  Database:    MySQL / PostgreSQL / MongoDB (if exposed)
  OS:          Ubuntu / Windows Server / Unknown
  Hosting:     AWS / Azure / GCP / On-prem / VPS

SECURITY POSTURE:
  HSTS:        Yes/No
  CSP:         Yes/No (strict/loose)
  X-Frame:     DENY / SAMEORIGIN / Missing
  WAF:         Cloudflare / ModSecurity / None detected
  TLS:         1.2 + 1.3 / 1.2 only / Weak ciphers found

SUBDOMAINS: [count] discovered
API ENDPOINTS: [count] historical + [count] active
ADMIN PANELS: [paths found]
INTERESTING FILES: [list]
```
## Stealth Principles Summary

| Principle | Implementation |
|---|---|
| Exhaust passive before active | Shodan/crt.sh/Wayback give 70% of what you need free |
| Source port 53 on scans | `nmap -g 53`: firewalls often allow DNS traffic |
| T1 or T2 timing only | Anything faster gets flagged by IDS |
| Decoys on active scans | `nmap -D RND:5`: hide among fake source IPs |
| Rate-limit all fuzzing | `-rate 5-10` on ffuf, `-rl 5` on nuclei |
| VPN/proxy chain always | Never scan from your real IP |
| Analyze between tiers | Don't move to Tier 2 if Tier 0+1 already answered your questions |
| Match business hours | Scans at 3 AM stand out in logs |
| User-Agent rotation | Don't use default curl/python user-agents |
| One thing at a time | Parallel scans from the same IP are obvious |
## Tools Checklist

| Tool | Tier | Purpose | Install |
|---|---|---|---|
| curl | 0-1 | HTTP requests, header analysis | Built-in |
| dig | 0 | DNS queries | Built-in |
| whois | 0 | Domain/IP registration | Built-in |
| openssl | 1 | SSL/TLS inspection | Built-in |
| shodan | 0 | Cached port/banner data | `pip install shodan` |
| amass | 0 | Subdomain enumeration | `go install github.com/owasp-amass/amass/v4/...@master` |
| subfinder | 0 | Fast subdomain discovery | `go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest` |
| httpx | 1 | Live host + tech detection | `go install github.com/projectdiscovery/httpx/cmd/httpx@latest` |
| waybackurls | 0 | Historical URL mining | `go install github.com/tomnomnom/waybackurls@latest` |
| gau | 0 | URL aggregator | `go install github.com/lc/gau/v2/cmd/gau@latest` |
| whatweb | 1 | Technology detection | `apt install whatweb` |
| wafw00f | 2 | WAF detection | `pip install wafw00f` |
| nmap | 2-3 | Port/service scanning | `apt install nmap` |
| ffuf | 3 | Content/VHost fuzzing | `go install github.com/ffuf/ffuf/v2@latest` |
| nuclei | 2-3 | Vulnerability scanning | `go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest` |
| unfurl | 0 | URL parsing | `go install github.com/tomnomnom/unfurl@latest` |
| assetfinder | 0 | Subdomain discovery | `go install github.com/tomnomnom/assetfinder@latest` |
Last Updated: 2026-02-11
Focus: Pre-engagement web fingerprinting with minimal detection risk
Audience: Red team operators and bug bounty hunters who need maximum intel with minimum footprint
Companion Guides: Stay_Low.md (EDR Evasion), Stay_low_Command.md (Post-Access Command OPSEC)
END OF GUIDE