원클릭으로 Manus에서 모든 스킬 실행

$pwd:

fingerprinting-server-software

Name: Fingerprinting Server Software
Author: jeremylongshore

// Identify the server software, framework, and component versions a target is running from its HTTP response signatures — Server header, X-Powered-By, Via, X-AspNet-Version, X-Runtime, X-Drupal-Cache, X-Generator, Set-Cookie name patterns, error-page artwork, HTTP method behavior signatures. Use when: penetration test reconnaissance phase, post-deploy audit of fingerprintable exposure, or before reporting "no obvious version disclosure" to an auditor. Threshold: any version string in a response header (e.g., Server header with nginx/1.18.0, X-Powered-By with PHP/7.4.21, X-Generator with Drupal 9), or any framework-default Set-Cookie name (PHPSESSID, JSESSIONID, connect.sid, _csrf_token). Trigger with: "fingerprint server", "version disclosure", "tech-stack identification", "what's this site running".

Manus에서 실행

$ git log --oneline --stat

stars:2,267

forks:315

updated:2026년 5월 31일 03:41

파일 탐색기

4 개 파일

SKILL.md

readonly

name	fingerprinting-server-software
description	Identify the server software, framework, and component versions a target is running from its HTTP response signatures — Server header, X-Powered-By, Via, X-AspNet-Version, X-Runtime, X-Drupal-Cache, X-Generator, Set-Cookie name patterns, error-page artwork, HTTP method behavior signatures. Use when: penetration test reconnaissance phase, post-deploy audit of fingerprintable exposure, or before reporting "no obvious version disclosure" to an auditor. Threshold: any version string in a response header (e.g., Server header with nginx/1.18.0, X-Powered-By with PHP/7.4.21, X-Generator with Drupal 9), or any framework-default Set-Cookie name (PHPSESSID, JSESSIONID, connect.sid, _csrf_token). Trigger with: "fingerprint server", "version disclosure", "tech-stack identification", "what's this site running".
allowed-tools	["Read","Bash(python3:)","Bash(curl:)"]
disallowed-tools	["Bash(rm:)","Edit(/etc/)"]
version	3.0.0-dev
author	Jeremy Longshore <jeremy@intentsolutions.io>
license	MIT
compatibility	Designed for Claude Code
tags	["security","information-disclosure","fingerprinting","reconnaissance","pentest"]

Fingerprinting Server Software

Overview

Version disclosure is the cheapest recon an attacker buys. A single GET request returns the Server: header, the X-Powered-By: header, and any framework-default cookies. From those three signals the attacker derives: web server family + exact version, app-framework + version, language runtime + version. That maps directly to a CVE catalog query: every published CVE affecting any of those components, filtered to ones an unauthenticated attacker can trigger.

The fix is operationally trivial (one line in nginx, one line in Apache, one line in IIS) but the discipline isn't universal. This skill enumerates the signals + reports each disclosure with the severity matching how much it enables follow-on attack.

When the skill produces findings

Finding	Severity	Threshold	Affected control
Server header discloses version	MEDIUM	`Server: nginx/1.18.0` or similar with explicit version	CWE-200
Server header discloses minor version	LOW	`Server: nginx` (no version)	CWE-200
X-Powered-By discloses framework version	MEDIUM	`X-Powered-By: PHP/7.4.21`, `Express`, `ASP.NET`	CWE-200
X-AspNet-Version present	HIGH	Specific dotnet runtime version	CWE-200
X-Runtime / X-Rails / X-Django headers present	LOW	Framework identification, no version	CWE-200
X-Generator: drupal/wordpress + version	MEDIUM	CMS family + version disclosure	CWE-200
Via header discloses proxy chain	LOW	Reveals upstream architecture (Varnish, Squid, CloudFront)	CWE-200
Framework-default Set-Cookie pattern	LOW	`PHPSESSID`, `JSESSIONID`, `connect.sid`, etc.	CWE-200
Error page reveals stack trace	HIGH	5xx response body contains source file paths or framework banner	CWE-209
HTTP/2 server-push fingerprint	LOW	HTTP/2 `:server` pseudo-header with version	CWE-200
ETag format identifies cluster member	LOW	Apache-style hex ETags reveal node	CWE-200

Prerequisites

Python 3.9+ with requests
Authorization for non-local targets

Instructions

Step 1 — Confirm Authorization

"Do you have authorization to perform server-fingerprinting probes on
 this target? I need confirmation before proceeding."

Step 2 — Run the scanner

python3 ${CLAUDE_PLUGIN_ROOT}/skills/fingerprinting-server-software/scripts/fingerprint_server.py \
    https://target.example.com \
    --authorized

Options:

Usage: fingerprint_server.py URL [OPTIONS]

Options:
  --authorized       Attest authorization (required for non-local)
  --output FILE      Write findings to FILE
  --format FMT       json | jsonl | markdown (default: markdown)
  --min-severity SEV (default: info)
  --timeout SECS     Per-probe timeout (default: 10)
  --trigger-error    Send a malformed request to surface error-page disclosure
                     (off by default — some WAFs block on this)

The scanner sends a baseline GET + an OPTIONS + (optionally) a malformed request to surface error-page disclosure. For each response, it parses the standard fingerprinting headers and classifies each match against the threshold table above.

Step 3 — Interpret findings

The vast majority of findings will be MEDIUM or LOW. CWE-200 is by itself rarely a critical vulnerability — it's a recon enabler.

The exception: error-page stack-trace disclosure (CWE-209) is HIGH because production error pages should never leak server-internal paths or framework banners. If the error page reveals /home/app/src/handlers/auth.py, the attacker now knows the source layout AND that the language is Python.

Step 4 — Cross-skill chaining

After this skill, suggest:

detecting-debug-endpoints (#7) — fingerprinted framework points to which debug endpoints to probe (e.g., Server: nginx → check /nginx_status; X-Powered-By: Spring → check /actuator/*).
detecting-exposed-secrets-files (#6) — framework fingerprint informs which CI / IDE / build-tool configs to probe for.

Examples

Example 1 — Post-deploy version-disclosure audit

User: "Make sure we're not leaking nginx version on prod."

python3 ${CLAUDE_PLUGIN_ROOT}/skills/fingerprinting-server-software/scripts/fingerprint_server.py \
    https://app.example.com --authorized --min-severity medium

Expected on a properly-configured host: zero findings of medium+.

Example 2 — Tech-stack identification on an unknown target

User: "Bug bounty submission. We don't know what stack this runs. What's the surface?"

python3 ${CLAUDE_PLUGIN_ROOT}/skills/fingerprinting-server-software/scripts/fingerprint_server.py \
    https://target.example.com --authorized --format markdown

Use the output to inform which subsequent skills to chain (debug- endpoint probe, secrets-file probe).

Example 3 — Error-page exposure check

User: "Audit production error pages for stack-trace disclosure."

python3 ${CLAUDE_PLUGIN_ROOT}/skills/fingerprinting-server-software/scripts/fingerprint_server.py \
    https://app.example.com --authorized --trigger-error --min-severity high

The --trigger-error flag sends a malformed request to provoke a 500. Some WAFs block on this; check with the target's ops team if the result comes back empty.

Output

JSON / JSONL / Markdown. Exit codes: 0 clean, 1 high/critical, 2 error.

Error Handling

WAF blocks fingerprinting requests → expected on Cloudflare/Imperva targets. The CDN itself is what gets fingerprinted, not the origin.
Connection error → exit 2.

Resources

references/THEORY.md — Per-header reasoning: what each disclosure enables, threat-modeling guidance, CVE-lookup workflow
references/PLAYBOOK.md — Per-server-type remediation snippets (nginx server_tokens, Apache ServerTokens, IIS removeHeader, Express helmet hidePoweredBy, framework-default cookie renaming)
../analyzing-tls-config/references/AUTHORIZATION.md — Active-scan authorization pattern

related-skills.json

같은 저장소

detecting-command-injection-patterns.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for command-injection vulnerable patterns: shell=True calls in Python subprocess, os.system / os.popen with interpolated strings, Node child_process.exec with template literals, Ruby backticks / Kernel#system / Kernel#exec with interpolation, Go exec.Command with shell wrapping, PHP system / passthru / shell_exec / backticks with $-interpolation, Java Runtime.exec with concatenated args. Use when: pre-commit gate on code that calls out to shell utilities, audit of file-processing / archive-handling / image-conversion code, post-bug-report investigation for "we shell out to a tool." Threshold: any shell-invocation API called with a string that contains a variable interpolation, OR shell=True with anything other than a fixed literal. Trigger with: "scan command injection", "shell=True audit", "find exec calls", "check os.system".

2026-05-312.3k

detecting-eval-exec-usage.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for dynamic-code-execution APIs that an attacker can hijack: Python eval / exec / compile, JavaScript eval / Function() / setTimeout(string), Ruby eval / instance_eval / class_eval, Java ScriptEngine, PHP eval / assert($str), .NET Activator.CreateInstance / Reflection.Emit with dynamic input. Use when: pre-commit gate on any application that parses user-uploaded code (rule engines, formula evaluators, plugin systems), or post-bug-report when "we run user-supplied expressions." Threshold: any call to eval / exec / Function / similar where the argument is not a string literal. Trigger with: "scan eval", "find dynamic exec", "audit eval calls", "code injection patterns".

2026-05-312.3k

detecting-insecure-deserialization.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for unsafe-by-default deserialization APIs: Python pickle.loads / cPickle / shelve / dill, Ruby Marshal.load / YAML.load (pre-3.1 default), Java ObjectInputStream.readObject, PHP unserialize, .NET BinaryFormatter / NetDataContractSerializer, Node.js node-serialize, JavaScript JSON.parse with reviver containing eval. Use when: pre-commit gate on services that accept binary blobs, audit of legacy job-queue code (workers deserializing tasks), post-bug-report when "we accept user-uploaded archives." Threshold: any call to a known-unsafe deserialization API on data that originates from user input, network, file upload, or untrusted storage. Trigger with: "scan deserialization", "pickle audit", "java readObject scan", "yaml.load check".

2026-05-312.3k

detecting-sql-injection-patterns.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for SQL-injection vulnerable patterns: string concatenation into queries, f-string interpolation in SQL, string-format substitution into raw queries, deprecated cursor methods (cursor.execute with % formatting), Knex / Sequelize raw() with template interpolation, sequelize.query with replacements. Use when: pre-commit code review, post-feature SQL-touching release, inheriting a legacy codebase that predates ORMs, or post-bug-report investigation. Threshold: any source line where SQL keywords (SELECT / INSERT / UPDATE / DELETE / FROM / WHERE) appear in a string that's being built via concatenation, f-string, %-format, or .format() with variable input. Trigger with: "scan for sqli", "sql injection patterns", "check raw queries", "audit cursor.execute".

2026-05-312.3k

detecting-weak-cryptography.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source tree for weak cryptographic primitives: MD5 / SHA-1 used for security purposes, DES / 3DES / RC4 ciphers, ECB block mode, custom-built crypto (XOR loops, hand-rolled HMAC), hardcoded IVs, predictable random (Math.random / java.util.Random for crypto seeds), missing certificate verification (verify=False, rejectUnauthorized: false). Use when: pre-merge gate on crypto-touching code, audit before SOC2 / PCI assessment, post-incident review when "we found a weakness in our token signing." Threshold: any call to a known-weak algorithm with non-test context, OR cert verification explicitly disabled, OR a custom crypto loop pattern. Trigger with: "scan weak crypto", "find MD5 usage", "check ECB mode", "audit ssl verify", "weak random".

2026-05-312.3k

scanning-for-hardcoded-secrets.md

from "jeremylongshore/claude-code-plugins-plus-skills"

Scan a source-code tree for hardcoded credentials embedded in source files: AWS access keys, GitHub tokens, Stripe keys, Slack tokens, Anthropic API keys, OpenAI keys, JWT signing secrets, generic base64-encoded passwords, RSA / SSH private keys, and high-entropy string literals that pattern-match common credential shapes. Use when: pre-commit gate before pushing a feature branch, audit before SOC2, post-incident scan after a leak, or inheriting a codebase you didn't write. Threshold: any source file contains a string that matches a canonical credential regex (AWS AKIA prefix, GitHub ghp_ prefix, etc.) OR a string with Shannon entropy above 4.5 in a field context (key=, token:, secret=). Trigger with: "scan secrets", "credential scan", "find hardcoded keys", "leak check".

2026-05-312.3k

package.json

"author": "jeremylongshore"

"repository": "jeremylongshore/claude-code-plugins-plus-skills"

GitHub 저장소 열기 Creator 저장소 보기

$ install --global

$ download --local

Manus에서 실행

$ useful --forSOC

정보 보안 분석가컴퓨터 및 수학직15-1212L4

fingerprinting-server-software

Fingerprinting Server Software

Overview

When the skill produces findings

Prerequisites

Instructions

Step 1 — Confirm Authorization

Step 2 — Run the scanner

Step 3 — Interpret findings

Step 4 — Cross-skill chaining

Examples

Example 1 — Post-deploy version-disclosure audit

Example 2 — Tech-stack identification on an unknown target

Example 3 — Error-page exposure check

Output

Error Handling

Resources

이 저장소의 다른 Skills

이 저장소의 다른 Skills

Fingerprinting Server Software

Overview

When the skill produces findings

Prerequisites

Instructions

Step 1 — Confirm Authorization

Step 2 — Run the scanner

Step 3 — Interpret findings

Step 4 — Cross-skill chaining

Examples

Example 1 — Post-deploy version-disclosure audit

Example 2 — Tech-stack identification on an unknown target

Example 3 — Error-page exposure check

Output

Error Handling

Resources