# I Built an AI That Fingerprints Better Than Any Pentesting Tool
What happens when a pentesting tool actually understands what it's seeing?
Most fingerprinting tools tell you surface-level information. Nmap tells you the OS. WhatWeb tells you the web server. Wappalyzer tells you the JavaScript framework.
They each see one piece of the puzzle. None of them connect the dots.
I built Prometheus — an autonomous AI pentesting framework — and in the process, created something unexpected: a fingerprinting engine that doesn't just collect data, but builds intelligence.
## The Problem with Traditional Tools
A standard workflow looks like this:
```bash
nmap -sV target.com    # OS? Linux. Ports? 80, 443.
whatweb target.com     # Apache? WordPress? jQuery?
nikto -h target.com    # Any known vulnerabilities?
```
Three tools. Three separate outputs. No connections between them.
The human pentester has to manually connect: "Oh, Apache 2.4 means CVE-2021-41773 might work."
Prometheus does this automatically.
## What Prometheus Extracts
When pointed at a target, it doesn't just scan ports. It builds a complete intelligence profile:
### 1. Network Layer (Traditional)

```text
OS Fingerprint: Solaris/BSD (TTL=255)
Open ports: 80 (HTTP), 8443 (HTTPS)
```
### 2. Service Layer (Enhanced)

```text
Product: Sangfor SSL VPN / IAM
Build: websph120
Build date: 2022-04-21
Framework: Vue.js + Element UI
```
Now we know exactly what we're attacking — not just "web server."
### 3. JavaScript Analysis (The Game Changer)

Prometheus fetches and parses every JavaScript file it finds. This reveals:

Hidden API endpoints not in the HTML:

```text
/api/vpn/user/login
/cgi-bin/backup.conf
/ui/login
```

Authentication parameters:

```text
username, password, captcha, token
```

Response code meanings (decoded from switch statements):

```text
200: Success / Login OK
508: Invalid credentials
308: Second factor required (credentials valid!)
```
This tells us how the application thinks — without ever logging in.
### 4. Source Map Analysis (The Gold Mine)

When source maps are exposed (common in misconfigured production apps), Prometheus extracts:

```text
Source map reveals 847 source files
Internal IP found: 10.0.0.25
Internal hostname: dev-api.internal.company.com
```
Developer IPs. Internal hostnames. Hidden services. All from public JavaScript files.
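The two checks above (endpoint extraction from a bundle, and what an exposed source map gives away) from the defender's side, as an added example that is not Prometheus code: a script to run against your own build output before it ships. The bundle, the source map and the `SAMPLE_MAP_STORE` lookup are constructed inline so it runs offline; `fetch_map` stands in for fetching the `.map` URL over HTTP, and the endpoint prefixes and internal-domain labels are assumptions you would adjust to your own layout.

```python
"""Audit a JS bundle and its source map for the leaks described above.
Added example (not Prometheus code); all inputs below are constructed."""
import ipaddress
import json
import re
from typing import Callable, Optional

# Constructed minified bundle with a trailing sourceMappingURL comment.
SAMPLE_BUNDLE = r"""
!function(){var e="/api/vpn/user/login",t="/ui/login";fetch(e,{method:"POST"})}();
//# sourceMappingURL=app.js.map
"""

# Constructed source map: 'sources' leaks the project layout, and
# 'sourcesContent' (when the bundler embeds it) leaks the original code.
SAMPLE_SOURCE_MAP = json.dumps({
    "version": 3,
    "sources": [
        "webpack:///src/components/Login.vue",
        "webpack:///src/config/dev.js",
        "webpack:///node_modules/axios/index.js",
    ],
    "sourcesContent": [
        "export default { name: 'Login' }",
        "export const API = 'http://10.0.0.25:8080';\n"
        "export const HOST = 'dev-api.internal.example.com';",
        "module.exports = {}",
    ],
    "mappings": "AAAA",
})
# Stand-in for an HTTP fetch of the .map file (assumption: local dict lookup).
SAMPLE_MAP_STORE = {"app.js.map": SAMPLE_SOURCE_MAP}

SOURCEMAP_RE = re.compile(r"^//# sourceMappingURL=(\S+)", re.MULTILINE)
# Quoted paths under the prefixes the post lists; extend for your own API.
ENDPOINT_RE = re.compile(r"""["'`](/(?:api|cgi-bin|ui)/[\w./-]*)["'`]""")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames with a label that only makes sense on an internal network.
HOSTNAME_RE = re.compile(
    r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:internal|local|corp|lan)(?:\.[a-z0-9-]+)*\b",
    re.IGNORECASE,
)


def find_source_map_url(bundle: str) -> Optional[str]:
    """Return the sourceMappingURL the bundle advertises, if any."""
    m = SOURCEMAP_RE.search(bundle)
    return m.group(1) if m else None


def find_endpoints(js: str) -> list[str]:
    """Quoted API-looking paths inside the JavaScript text."""
    return sorted(set(ENDPOINT_RE.findall(js)))


def find_private_ips(text: str) -> list[str]:
    """IPv4 literals in private address space (RFC 1918, loopback, link-local)."""
    found = set()
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # regex also matches junk such as 999.1.1.1
            continue
        if ip.is_private:
            found.add(str(ip))
    return sorted(found)


def find_internal_hostnames(text: str) -> list[str]:
    return sorted({m.group(0).lower() for m in HOSTNAME_RE.finditer(text)})


def audit_source_map(map_text: str) -> dict:
    """What a public copy of this map would reveal."""
    sm = json.loads(map_text)
    sources = sm.get("sources", [])
    contents = [c for c in (sm.get("sourcesContent") or []) if c]
    blob = "\n".join(sources + contents)
    return {
        "source_count": len(sources),
        "app_source_count": sum("node_modules" not in s for s in sources),
        "embeds_source": bool(contents),
        "private_ips": find_private_ips(blob),
        "internal_hostnames": find_internal_hostnames(blob),
    }


def audit_bundle(bundle: str, fetch_map: Callable[[str], Optional[str]]) -> dict:
    """Run both checks; fetch_map resolves a map URL to its text, or None."""
    findings = {"endpoints": find_endpoints(bundle),
                "source_map_url": find_source_map_url(bundle), "source_map": None}
    if findings["source_map_url"]:
        map_text = fetch_map(findings["source_map_url"])
        if map_text is not None:
            findings["source_map"] = audit_source_map(map_text)
    return findings


def risk_summary(findings: dict) -> list[str]:
    """Issues to fix before deployment, in plain language."""
    issues, sm = [], findings["source_map"]
    if findings["source_map_url"] and sm is None:
        issues.append("bundle advertises a source map that is not served; strip the comment anyway")
    if sm:
        issues.append(f"source map is publicly served and lists {sm['source_count']} source files")
        if sm["embeds_source"]:
            issues.append("source map embeds original source (sourcesContent)")
        issues += [f"private IP leaked: {ip}" for ip in sm["private_ips"]]
        issues += [f"internal hostname leaked: {h}" for h in sm["internal_hostnames"]]
    return issues


def demo() -> dict:
    return audit_bundle(SAMPLE_BUNDLE, SAMPLE_MAP_STORE.get)


if __name__ == "__main__":
    result = demo()
    print("endpoints:", result["endpoints"])
    for line in risk_summary(result):
        print("-", line)
```

The fix on the build side is to stop emitting `sourceMappingURL` for production bundles (or serve `.map` files only to authenticated developers) and to keep environment configuration out of the files that get bundled; the audit only tells you whether that has actually happened.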
### 5. Vulnerability Matching

With product, version, and build number identified:

```text
Known vulnerability: Sangfor SSL VPN RCE (CVE-2022-3632)
```
No manual CVE searching. No guesswork.
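Version matching from the vulnerability-management side, as an added example that is not Prometheus code. The advisory table is local and constructed: the Apache httpd row records CVE-2021-41773 as affecting 2.4.49 and fixed in 2.4.50, and the second row is a placeholder id for an imaginary product. It also carries the caveat the earlier "Apache 2.4 means CVE-2021-41773" shortcut skips: when the banner is coarser than the advisory's version precision, the only honest answer is "inconclusive", not "vulnerable".

```python
"""Version-aware advisory matching for a fingerprinted service.
Added example, not Prometheus code; the advisory table is constructed."""
from dataclasses import dataclass
from itertools import takewhile
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str            # normalised, lower-case product name
    affected_from: str      # first affected version (inclusive)
    fixed_in: Optional[str] # first fixed version (exclusive); None = no fix known
    note: str


# Constructed local table. In practice this is loaded from NVD or vendor feeds.
ADVISORIES = [
    Advisory("CVE-2021-41773", "apache httpd", "2.4.49", "2.4.50",
             "path traversal in 2.4.49, fixed in 2.4.50"),
    Advisory("ADV-PLACEHOLDER-0001", "examplevpn", "1.0", "1.4.2",
             "placeholder entry for an imaginary product"),
]


def parse_version(v: str) -> tuple[int, ...]:
    """'2.4.49-ubuntu3' -> (2, 4, 49); stops at the first non-numeric label."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def in_range(observed: str, adv: Advisory) -> Optional[bool]:
    """True = affected, False = not affected, None = banner too coarse to say."""
    obs = parse_version(observed)
    low = parse_version(adv.affected_from)
    high = parse_version(adv.fixed_in) if adv.fixed_in else None
    precision = max(len(low), len(high) if high else 0)
    if len(obs) < precision:
        return None  # e.g. "2.4" cannot decide a 2.4.49-only advisory
    if obs < low:
        return False
    if high is not None and obs >= high:
        return False
    return True


def match(product: str, version: str) -> dict:
    """Split advisories for this product into confirmed and inconclusive."""
    result = {"matched": [], "inconclusive": []}
    for adv in ADVISORIES:
        if adv.product != product.strip().lower():
            continue
        verdict = in_range(version, adv)
        if verdict is True:
            result["matched"].append(adv.advisory_id)
        elif verdict is None:
            result["inconclusive"].append(adv.advisory_id)
    return result


if __name__ == "__main__":
    for banner in ("2.4.49", "2.4", "2.4.51"):
        print(f"Apache httpd {banner}:", match("Apache httpd", banner))
```

An inconclusive result is the signal to go and get a more precise version (package manifest, an error page, a vendor header) rather than to assume the worst or the best; that step is what separates a triage list from a claim that a host is exploitable.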
### 6. Attack Chain Generation

The Central Nervous System automatically builds a targeted attack strategy:

```text
Phase 1: sangfor_attack_chain (Sangfor-specific exploits)
Phase 2: web_attack_chain (SQLi, command injection)
Phase 3: universal_exploitation (protocol-agnostic)
```
## The Comparison
| Capability | Nmap | WhatWeb | Wappalyzer | Prometheus |
|---|---|---|---|---|
| OS detection | ✅ | ❌ | ❌ | ✅ |
| Service versions | ✅ | ✅ | ❌ | ✅ |
| Product identification | ❌ | ❌ | ❌ | ✅ |
| Build number extraction | ❌ | ❌ | ❌ | ✅ |
| Hidden API endpoints | ❌ | ❌ | ❌ | ✅ |
| Source map parsing | ❌ | ❌ | ❌ | ✅ |
| Internal IP discovery | ❌ | ❌ | ❌ | ✅ |
| CVE matching | ❌ | ❌ | ❌ | ✅ |
| Attack chain generation | ❌ | ❌ | ❌ | ✅ |
## Why This Matters
What takes a human pentester hours — scanning, browsing, viewing source, analyzing JS, searching CVEs — Prometheus does in seconds.
Not because it's faster at running commands. Because it understands what it's seeing.
It reads JavaScript not as text, but as a map of the application's internal structure. It parses source maps not as comments, but as blueprints of the development environment.
This is not fingerprinting. This is intelligence gathering at machine speed.
## The Stack
- 17,000+ lines of Python
- Central Nervous System architecture (perception → understanding → planning → execution → reflection)
- 30+ attack modules
- Self-modifying code (can rewrite itself based on findings)
- No external APIs. No cloud dependencies. Runs entirely locally.
## The Result
A fingerprinting engine that tells you not just what's running, but:
- What product and version (Sangfor SSL VPN, build 120)
- When it was built (April 2022)
- What framework it uses (Vue.js + Element UI)
- Hidden API endpoints (/cgi-bin/backup.conf)
- What parameters it expects (username, password, captcha)
- What response codes mean (200=success, 508=invalid credentials)
- Internal infrastructure (10.0.0.25, dev-api.internal)
- Known CVEs (CVE-2022-3632)
- Which exploits to try
All from public information. All automated. All in seconds.
Built by a solo developer from Nairobi. 17,000+ lines. One file. One mind.
Want to see it in action? Check out the logs below.