builtwith

BuiltWith Cheatsheet

Purpose: Passive technology profiling of a domain — current stack plus historical changes, hosting, analytics, ad networks, ecommerce, CDN, certificates, and more. Useful for OSINT recon without touching the target.

Format: Web service (free tier + paid API). No local install required for basic lookups.

Access Points

  Surface                               URL
  Profile lookup (single domain)        https://builtwith.com/
  Free quick lookup                     https://builtwith.com/?
  Trends / market share                 https://trends.builtwith.com/
  Relationships (same owner / IDs)      https://builtwith.com/relationships/
  Redirect graph                        https://builtwith.com/redirect/
  API docs (paid)                       https://api.builtwith.com/
  Browser extension (Chrome/Firefox)    search “BuiltWith Technology Profiler” in store

Quick CLI Lookups (no API key required)

  # Open profile in default browser
  xdg-open "https://builtwith.com/target.tld"

  # Scrape the public profile page (limited; HTML changes)
  curl -s -A "Mozilla/5.0" "https://builtwith.com/target.tld" -o builtwith.html

  # Extract technology names (rough)
  curl -s -A "Mozilla/5.0" "https://builtwith.com/target.tld" \
    | grep -oE 'href="/[a-z0-9-]+"[^>]*>[^<]+' | sort -u

For reliable structured data, use the paid API below. ...

3 min · d3vilsec

curl

curl Cheatsheet (Web Fingerprinting)

Purpose: Manual HTTP(S) requests for header inspection, banner grabbing, fingerprinting and quick endpoint testing.

Core Flags

  Flag                      Description
  -I                        HEAD request (headers only)
  -i                        Include response headers in output
  -v                        Verbose (request + response, TLS info)
  -vv / --trace-ascii -     Full wire trace
  -s                        Silent (no progress meter)
  -S                        Show errors even with -s
  -L                        Follow redirects
  -k / --insecure           Ignore TLS cert errors
  -o <file>                 Write body to file
  -O                        Save with remote filename
  -A <ua>                   Set User-Agent
  -e <ref>                  Set Referer
  -H "<hdr>: <val>"         Custom header (repeatable)
  -X <METHOD>               HTTP method (GET, POST, PUT, DELETE, etc.)
  -d <data>                 POST body (application/x-www-form-urlencoded)
  --data-raw                POST body without @/& interpretation
  --data-binary             POST body as-is (preserve newlines)
  -F <field>=<val>          Multipart form upload
  -b <cookie> / -c <file>   Send cookie / save cookies
  -u user:pass              HTTP Basic auth
  -x <proxy>                Use proxy (e.g. http://127.0.0.1:8080)
  --resolve host:port:ip    Force DNS resolution (Host-header testing)
  --max-time <s>            Hard timeout
  --connect-timeout <s>     Connect timeout
  -w "<format>"             Write-out format (timings, codes)

Banner Grabbing / Header Inspection

  curl -I https://target.tld                            # HEAD: server, framework, cookies
  curl -sI https://target.tld | grep -iE 'server|x-powered-by|x-aspnet|via|set-cookie'
  curl -sIL https://target.tld                          # Follow redirects, show every hop
  curl -v https://target.tld 2>&1 | grep -iE '^< '      # All response headers

Verbose / TLS Inspection

  curl -v https://target.tld                            # Cert chain, ALPN, ciphers
  curl -vk https://target.tld                           # Ignore cert errors
  curl --trace-ascii trace.log https://target.tld       # Full request/response dump
  curl -v --tls-max 1.2 https://target.tld              # Pin max TLS version

Method / Verb Tampering

  curl -X OPTIONS -i https://target.tld/                # Allowed methods
  curl -X PUT -d "test" -i https://target.tld/file.txt
  curl -X DELETE -i https://target.tld/resource/1
  curl -X TRACE -i https://target.tld/                  # Cross-Site Tracing check

Virtual Host / Host Header Testing

  curl -s -H "Host: dev.target.tld" http://<ip>/ -o dev.html
  curl -sI --resolve target.tld:443:<ip> https://target.tld/
  curl -s -H "Host: admin.internal" http://<ip>/        # Find vhosts on shared IP

Cookies & Sessions

  curl -c cookies.txt -b cookies.txt https://target.tld/login
  curl -b "session=abcd1234" https://target.tld/dashboard
  curl -c - https://target.tld/                         # Print Set-Cookie to stdout

Authentication

  curl -u admin:password https://target.tld/admin       # Basic
  curl -H "Authorization: Bearer <jwt>" https://api.target.tld/
  curl --ntlm -u 'DOMAIN\user:pass' https://target.tld/
  curl --digest -u user:pass https://target.tld/

POST / API Testing

  # Form data
  curl -X POST -d "user=admin&pass=admin" https://target.tld/login

  # Raw JSON
  curl -X POST -H "Content-Type: application/json" \
    -d '{"user":"admin","pass":"admin"}' \
    https://target.tld/api/login

  # File from disk
  curl -X POST -H "Content-Type: application/json" \
    --data-binary @payload.json https://target.tld/api

  # Multipart upload (<field> is the form field name, @<file> the local file to send)
  curl -F "<field>=@<file>" -F "submit=upload" https://target.tld/upload.php

Proxy (Burp / ZAP)

  curl -x http://127.0.0.1:8080 -k https://target.tld/
  export https_proxy=http://127.0.0.1:8080              # Per-shell proxy

Useful Write-Out Format

  curl -s -o /dev/null -w \
    "code:%{http_code} size:%{size_download} time:%{time_total}s redir:%{redirect_url}\n" \
    https://target.tld/

Fingerprinting Recipes

  # Quick stack identification
  curl -sIL https://target.tld | grep -iE 'server|x-powered-by|x-generator|x-drupal|x-aspnet'

  # Pull robots.txt + sitemap
  curl -s https://target.tld/robots.txt
  curl -s https://target.tld/sitemap.xml | head

  # Search response body for tech tells
  curl -s https://target.tld/ | grep -iE 'wp-content|drupal|joomla|laravel|generator='

  # Check common admin / framework paths (one status code per path)
  for p in admin login wp-admin administrator phpmyadmin server-status; do
    printf "%-20s " "$p"
    curl -sk -o /dev/null -w "%{http_code}\n" "https://target.tld/$p"
  done

Tips

  - HEAD (-I) can lie or be blocked — fall back to -sI -X GET and inspect headers from a real GET.
  - Combine -v with -o /dev/null to inspect headers without dumping a big body.
  - --resolve beats editing /etc/hosts for one-off vhost checks.
  - -k is for testing only; never disable cert checks in production tooling.

3 min · d3vilsec

netcraft

Netcraft Cheatsheet

Purpose: Passive reconnaissance — hosting history, OS / web server history, SSL certificate history, site report, and subdomain discovery for a target domain. Uses Netcraft’s long-running internet survey, so no traffic touches the target.

Format: Web service. Free site-report lookups; subdomain search; commercial APIs for bulk.

Access Points

  Surface                                URL
  Site Report (single site)              https://sitereport.netcraft.com/?url=
  Subdomain / Domain search              https://searchdns.netcraft.com/
  What’s that site running? (legacy)     https://toolbar.netcraft.com/site_report?url=
  Phishing / takedown reporting          https://report.netcraft.com/
  Anti-phishing browser extension        https://www.netcraft.com/apps/

Quick Lookups (URL-style)

  # Site Report
  xdg-open "https://sitereport.netcraft.com/?url=https://target.tld"

  # Subdomain search (DNS knowledge, not zone transfer)
  xdg-open "https://searchdns.netcraft.com/?host=*.target.tld"

  # Scrape subdomain list (HTML — fragile, format may change)
  curl -s -A "Mozilla/5.0" \
    "https://searchdns.netcraft.com/?restriction=site+ends+with&host=target.tld" \
    | grep -oE '[a-zA-Z0-9.-]+\.target\.tld' | sort -u

What the Site Report Reveals

  - Background: site title, description, language, first-seen date
  - Network: IPv4/IPv6, ASN, netblock owner, hosting country, nameservers, reverse DNS
  - Hosting history: OS, web server, hosting provider, IP changes over time (often years)
  - SSL/TLS: certificate issuer, valid-from / valid-to, signature alg, key size, full chain
  - Web trackers: analytics, ad networks, tag managers
  - Site technologies: server-side language, CMS, JS frameworks (similar surface to Wappalyzer/WhatWeb but historical)
  - Risk rating: Netcraft’s own risk scoring (popularity, reputation, phishing flags)

OSINT Pivots

  - Hosting history → identify legacy IPs that may still serve content (origin behind CDN, forgotten staging).
  - SSL history → past CN / SAN entries leak retired subdomains and internal hostnames.
  - Same nameservers + hosting across multiple sites → infrastructure attribution.
  - First-seen date → useful for triaging suspicious / typosquat domains.

Subdomain Discovery

  https://searchdns.netcraft.com/?host=*.target.tld

Returns publicly known hosts under a domain. Complement, do not replace, [[crt.sh]] / amass / subfinder — Netcraft sees long-tail hosts those miss, and vice versa. Free tier paginates and rate-limits aggressively; expect a CAPTCHA on bulk.

Workflow Example

  DOMAIN=target.tld

  # 1. Open Site Report
  xdg-open "https://sitereport.netcraft.com/?url=https://$DOMAIN"

  # 2. Pull subdomain list (best-effort scrape)
  curl -s -A "Mozilla/5.0" \
    "https://searchdns.netcraft.com/?restriction=site+ends+with&host=$DOMAIN" \
    | grep -oE "[a-zA-Z0-9.-]+\.$DOMAIN" | sort -u > netcraft-subs.txt

  # 3. Cross-check with crt.sh
  curl -s "https://crt.sh/?q=%25.$DOMAIN&output=json" \
    | jq -r '.[].name_value' | tr ',' ' ' | sort -u > crtsh-subs.txt

  # 4. Merge
  sort -u netcraft-subs.txt crtsh-subs.txt > all-subs.txt

Browser Extension

Netcraft’s anti-phishing extension shows live Site Report data inline: ...

3 min · d3vilsec

nikto

Nikto Cheatsheet

Purpose: Web server scanner — checks for dangerous files, outdated server software, misconfigurations, and known vulnerabilities.

Basic Usage

  nikto -h <target>                       # Scan a target (default port 80)
  nikto -h https://target.tld             # HTTPS target
  nikto -h <ip> -p 443 -ssl               # Force SSL on custom port
  nikto -h <ip> -p 80,443,8080,8443       # Multiple ports
  nikto -h hosts.txt                      # Scan a list of targets

Common Flags

  Flag                Description
  -h <host>           Target host, URL, or file of hosts
  -p <ports>          Port(s) — single, list, or range
  -ssl                Force SSL/TLS
  -nossl              Disable SSL
  -root <path>        Prepend root path to all requests
  -vhost <host>       Set virtual host (Host header)
  -id <user:pass>     HTTP Basic auth
  -useragent <ua>     Custom User-Agent
  -useproxy <url>     Route through proxy
  -Display <opts>     Output verbosity flags (see below)
  -Format <fmt>       Output format: csv, htm, txt, xml, json, sql
  -output <file>      Write report to file
  -Tuning <ids>       Limit checks to specific categories
  -Plugins <list>     Run specific plugins only
  -evasion <ids>      IDS evasion techniques
  -timeout <s>        Per-request timeout
  -maxtime <s/m/h>    Hard scan time limit (e.g. 30m)
  -Pause <s>          Pause between requests
  -ask no             Don’t prompt to submit findings
  -update             Update plugins / databases
  -list-plugins       List installed plugins

Output

  nikto -h https://target.tld -o report.html -Format htm
  nikto -h <ip> -o nikto.json -Format json
  nikto -h <ip> -o nikto.xml -Format xml
  nikto -h <ip> -o nikto.csv -Format csv

-Display flags (combine, e.g. -Display 1V): ...

3 min · d3vilsec

wafw00f

wafw00f Cheatsheet

Purpose: Identify and fingerprint Web Application Firewalls (WAFs) protecting a target web app.

Basic Usage

  wafw00f <url>                      # Scan a single target
  wafw00f https://example.com        # HTTPS target
  wafw00f example.com -v             # Verbose output
  wafw00f example.com -vv            # Extra verbose (debug)

Common Flags

  Flag            Description
  -v / -vv        Verbose / very verbose output
  -a              Find ALL WAFs (don’t stop at first match)
  -r              Disable HTTP redirect following
  -t <waf>        Test only for a specific WAF
  -o <file>       Write results to file
  -f <format>     Output format: csv, json, text
  -i <file>       Read targets from input file
  -p <proxy>      Use proxy (e.g. http://127.0.0.1:8080)
  -T <n>          Set request timeout (seconds)
  -H <file>       Use custom headers from file
  -l              List all WAFs it can detect
  --no-colors     Disable ANSI colored output

Listing & Targeted Detection

  wafw00f -l                                             # List supported WAFs
  wafw00f example.com -t "Cloudflare (Cloudflare Inc.)"
  wafw00f example.com -a                                 # Detect every WAF in chain

Bulk Scanning

  wafw00f -i targets.txt -o results.json -f json
  wafw00f -i urls.txt -a -o waf-report.csv -f csv

Routing Through a Proxy (Burp / ZAP)

  wafw00f https://target.tld -p http://127.0.0.1:8080

Custom Headers File

Example headers.txt: ...

2 min · d3vilsec

wappalyzer

Wappalyzer Cheatsheet

Purpose: Identify web technologies — CMS, frameworks, JS libraries, analytics, ecommerce, CDNs — from response headers, HTML, cookies, scripts, and DOM.

Note: Wappalyzer is primarily a browser extension and web service. The original CLI/NPM package was deprecated; community forks still exist.

Access Points

  Surface                                          URL / Source
  Browser extension (Chrome / Firefox / Edge)      https://www.wappalyzer.com/apps/
  Web lookup (single URL)                          https://www.wappalyzer.com/lookup/
  API / bulk lookups (paid)                        https://www.wappalyzer.com/api/
  Legacy NPM CLI (deprecated, archived)            npm i -g wappalyzer
  Community fork (webappanalyzer)                  https://github.com/enthec/webappanalyzer

Browser Extension Workflow

  1. Install extension; pin to toolbar.
  2. Navigate to target.
  3. Click the icon — categories light up: CMS, Web frameworks, JS libs, Analytics, Web servers, Tag managers, CDN, Ecommerce, Payment processors, Font scripts, Issue trackers, etc.
  4. Click a detected tech for vendor links and version info (when available).

Stealth value: all detection runs in your browser against an already-loaded page → no extra requests to the target. ...

2 min · d3vilsec

whatweb

WhatWeb Cheatsheet

Purpose: Identify web technologies — CMS, frameworks, web servers, JS libraries, analytics, version numbers — via signature plugins.

Basic Usage

  whatweb <target>                        # Default scan
  whatweb https://target.tld
  whatweb -v https://target.tld           # Verbose (full plugin output)
  whatweb -a 3 https://target.tld         # Aggression level 3
  whatweb target.tld --colour=never       # No ANSI in output

Common Flags

  Flag                         Description
  -v                           Verbose — full plugin details, not just summary
  -a <0-4>                     Aggression level (see below)
  -i <file>                    Read targets from file
  --input-file <file>          Same as -i
  -U <ua>                      Custom User-Agent
  --header "K: V"              Add custom header (repeatable)
  -c "<cookie>"                Set Cookie header
  --user "<u:p>"               HTTP Basic auth
  --proxy <host:port>          Use proxy
  --proxy-user <u:p>           Proxy auth
  --follow-redirect <mode>     never, http-only, meta-only, same-site, always
  -t <n>                       Threads (default 25)
  --open-timeout <s>           Connect timeout
  --read-timeout <s>           Read timeout
  --log-brief <file>           One-line summary log
  --log-verbose <file>         Verbose log
  --log-xml <file>             XML output
  --log-json <file>            JSON output
  --log-magictree <file>       MagicTree XML
  --log-sql <file>             SQL insert statements
  -l                           List plugins
  -I <plugin>                  Show plugin info
  --plugins <list>             Only run listed plugins (comma-separated)
  --no-errors                  Suppress connection errors

Aggression Levels (-a)

  Level   Name         Behavior
  1       Stealthy     One GET per target, never follows redirects beyond that
  2       (unused)     Reserved
  3       Aggressive   Triggers extra requests when plugins want them (e.g. /wp-login.php)
  4       Heavy        Many requests per plugin; noisy, may set off WAF/IDS

  whatweb -a 1 target.tld             # Single request, low noise
  whatweb -a 3 target.tld             # Recommended for thorough enum
  whatweb -a 4 -v target.tld          # Full noise, full detail

Bulk / List Scanning

  whatweb -i targets.txt --log-brief whatweb.txt
  whatweb -i urls.txt -a 3 --log-json whatweb.json --no-errors
  cat ips.txt | whatweb --log-verbose verbose.log

CIDR / range scan: ...

3 min · d3vilsec