Nerva
_{Nerva: Fast Service Fingerprinting CLI}

Features • Installation • Quick Start • Usage • Protocols • Library • Use Cases • Troubleshooting

High-performance service fingerprinting written in Go. Identify 170+ network protocols across TCP, UDP, and SCTP transports with rich metadata extraction.

Nerva rapidly detects and identifies services running on open network ports. Use it alongside port scanners like Naabu to fingerprint discovered services, or integrate it into your security pipelines for automated reconnaissance.

Features

• 170+ Protocol Plugins — Databases, remote access, web services, messaging, industrial, and telecom protocols
• 76 HTTP Fingerprinters — Detect web technologies including firewalls, databases, AI/LLM servers, and more
• Security Misconfiguration Detection — Identify common security issues like unauthenticated APIs and cleartext protocols (--misconfigs)
• Multi-Transport Support — TCP (default), UDP (--udp), and SCTP (--sctp, Linux only)
• Proxy Support — Route scanning traffic transparently through SOCKS5 or HTTP proxies with configurable DNS resolution
• Rich Metadata — Extract versions, configurations, and security-relevant details from each service
• Fast Mode — Scan only default ports for rapid reconnaissance (--fast)
• Flexible Output — JSON, CSV, or human-readable formats
• Pipeline Friendly — Pipe from Naabu, Nmap, or any tool that outputs host:port
• Go Library — Import directly into your Go applications

Installation

Releases

Download a prebuilt binary from the Releases page.

From GitHub

go install github.com/praetorian-inc/nerva/cmd/nerva@latest

From Source

git clone https://github.com/praetorian-inc/nerva.git
cd nerva
go build ./cmd/nerva
./nerva -h

Docker

git clone https://github.com/praetorian-inc/nerva.git
cd nerva
docker build -t nerva .
docker run --rm nerva -h
docker run --rm nerva -t example.com:80 --json

Quick Start

Fingerprint a single target:

nerva -t example.com:22
# ssh://example.com:22

Get detailed JSON metadata:

nerva -t example.com:22 --json
# {"host":"example.com","ip":"93.184.216.34","port":22,"protocol":"ssh","transport":"tcp","metadata":{...}}

Pipe from a port scanner:

naabu -host example.com -silent | nerva
# http://example.com:80
# ssh://example.com:22
# https://example.com:443

Usage

nerva [flags]

TARGET SPECIFICATION:
  Requires host:port or ip:port format. Assumes ports are open.

EXAMPLES:
  nerva -t example.com:80
  nerva -t example.com:80,example.com:443
  nerva -l targets.txt
  nerva --json -t example.com:80
  cat targets.txt | nerva

Flags

Flag	Short	Description	Default
--targets	-t	Target or comma-separated target list	—
--list	-l	Input file containing targets	—
--output	-o	Output file path	stdout
--json		Output in JSON format	false
--csv		Output in CSV format	false
--misconfigs		Enable security misconfiguration detection	false
--proxy		Proxy URL (e.g. socks5://127.0.0.1:1080)	—
--proxy-auth		SOCKS5 Proxy Auth (e.g. username:password)	—
--dns-order		DNS resolution order: p, l, lp, pl	lp
--fast	-f	Fast mode (default ports only)	false
--capabilities	-c	List available capabilities and exit	false
--udp	-U	Run UDP plugins	false
--sctp	-S	Run SCTP plugins (Linux only)	false
--timeout	-w	Timeout in milliseconds	2000
--verbose	-v	Verbose output to stderr	false
--workers	-W	Concurrent scan workers	50
--max-host-conn	-H	Max concurrent connections per host IP (0=unlimited)	0
--rate-limit	-R	Max scans per second globally (0=unlimited)	0

Examples

Multiple targets:

nerva -t example.com:22,example.com:80,example.com:443

From file:

nerva -l targets.txt --json -o results.json

UDP scanning (may require root):

sudo nerva -t example.com:53 -U
# dns://example.com:53

SCTP scanning (Linux only):

nerva -t telecom-server:3868 -S
# diameter://telecom-server:3868

Fast mode (default ports only):

nerva -l large-target-list.txt --fast --json

Proxy routing with remote DNS resolution:

nerva -t target.internal:80 --proxy socks5://127.0.0.1:1080 --dns-order p

Security Misconfiguration Detection

Nerva can identify common security misconfigurations when enabled with --misconfigs:

nerva -t example.com:2375 --misconfigs --json

Detected misconfigurations:

Finding ID	Severity	Description
docker-unauth-api	Critical	Docker API accessible without authentication
x11-unauth-access	Critical	X11 server allows unauthenticated connections
smb-signing-not-required	Medium	SMB signing not required (relay attack risk)
telnet-cleartext	Medium	Telnet transmits credentials in cleartext
vnc-detected	Medium	VNC detected (often weak authentication)
ssh-password-auth	Medium	Server allows password authentication
ssh-weak-cipher	Low	Server offers weak ciphers (RC4, 3DES, Blowfish)
ssh-weak-kex	Low	Server offers weak key exchange algorithms
ssh-weak-mac	Low	Server offers weak MAC algorithms
ftp-cleartext	Low	FTP transmits credentials in cleartext

Example output with misconfigs:

{
  "host": "example.com",
  "port": 2375,
  "protocol": "docker",
  "anonymous_access": true,
  "security_findings": [
    {
      "id": "docker-unauth-api",
      "severity": "critical",
      "description": "Docker API accessible without authentication",
      "evidence": "Successfully queried /version endpoint without credentials"
    }
  ]
}

Proxy Support

Nerva supports routing scanning traffic through SOCKS5 and HTTP proxies with configurable DNS resolution.

Supported proxy schemes:

• socks5:// - SOCKS5 proxy with local DNS resolution
• socks5h:// - SOCKS5 proxy with proxy-side DNS resolution (always)
• http:// - HTTP CONNECT proxy
• https:// - HTTPS CONNECT proxy

Proxy authentication:

# Inline authentication (URL format)
nerva -t example.com:80 --proxy socks5://username:password@127.0.0.1:1080

# Separate authentication flag
nerva -t example.com:80 --proxy socks5://127.0.0.1:1080 --proxy-auth username:password

DNS resolution strategies (--dns-order):

Option	Strategy	Use Case
l	Local only	Standard local DNS (default)
p	Proxy only	Force proxy-side DNS resolution
lp	Local, fallback to proxy	Try local first, use proxy on failure
pl	Proxy, fallback to local	Try proxy first, use local on failure

Note: socks5h:// scheme automatically forces proxy-side DNS (equivalent to --dns-order p)

Tor scanning example:

# Scan .onion services through Tor (SOCKS5 proxy on port 9050)
nerva -t http://example.onion:80 --proxy socks5h://127.0.0.1:9050

UDP through proxy:

# UDP scanning through SOCKS5 proxy (limited support)
nerva -t target.com:161 --proxy socks5://127.0.0.1:1080 --udp

⚠️ UDP Limitations: UDP through SOCKS5 has limited support. Not all SOCKS5 servers support UDP association. Local UDP fallback may occur.

Parallel scanning with rate limiting:

nerva -l large-target-list.txt -W 100 -H 5 -R 50 -v

Graceful shutdown (Ctrl+C returns partial results):

nerva -l huge-target-list.txt -W 50 -v
# Press Ctrl+C to stop — collected results are still printed

Supported Protocols

170+ service detection plugins across TCP, UDP, and SCTP:

HTTP Fingerprint Modules (66)

Technology detection for web services, organized by category:

Firewalls & Network Security (12)

Module	Description
Checkpoint	Check Point Security Gateway
Cisco ASA/FTD	Cisco firewall/VPN appliances
FortiGate	Fortinet firewall/VPN
GlobalProtect	Palo Alto Networks VPN
Juniper	Juniper SRX firewalls
OPNsense	OPNsense firewall
pfSense	pfSense firewall
SonicWall	SonicWall firewalls
AnyConnect	Cisco AnyConnect SSL VPN
Cisco Expressway	Cisco collaboration gateway
BigIP	F5 BIG-IP load balancer
WinRM	Windows Remote Management

AI/LLM & Machine Learning (6)

Module	Description
Ollama	Self-hosted LLM inference server
LocalAI	Self-hosted LLM inference (OpenAI-compatible)
Open WebUI	LLM web interface (ChatGPT-style)
Triton	NVIDIA Triton Inference Server
Weaviate	Vector database for AI
ChromaDB	Vector database

Databases & Data Stores (12)

Module	Description
ArangoDB	Multi-model database
CockroachDB	Distributed SQL database
CouchDB	Apache document database
Elasticsearch	Search and analytics engine
etcd	Distributed key-value store
Milvus	Vector database
MinIO	S3-compatible object storage
Pinecone	Vector database
Redis Commander	Redis web management UI
TiDB	Distributed SQL database
YugabyteDB	Distributed SQL database
Qdrant	Vector database

DevOps & Infrastructure (14)

Module	Description
Artifactory	JFrog artifact repository
Consul	HashiCorp service mesh
Docker Registry	Container image registry
Gitea	Self-hosted Git service
Grafana	Observability platform
Harbor	Container registry
Jaeger	Distributed tracing
Jenkins	CI/CD automation
Kubernetes	Container orchestration API
Portainer	Docker management UI
Prometheus	Monitoring system
Swagger/OpenAPI	API documentation
TeamCity	CI/CD server
Vault	HashiCorp secrets management

Web Servers & Frameworks (10)

Module	Description
Apache HTTPD	Apache HTTP Server
Express.js	Node.js web framework
GoAhead	Embedded web server
Gotenberg	PDF generation service
Guacamole	Apache remote desktop gateway
SOAP	Web services
Tengine	Alibaba web server
Tomcat	Apache Tomcat
WordPress	CMS platform
UPnP	Universal Plug and Play

Enterprise & Business (8)

Module	Description
AEM	Adobe Experience Manager
Dynamics 365	Microsoft Dynamics 365 / Power Apps
Oracle Service Cloud	Oracle CRM platform
SAP NetWeaver	SAP enterprise platform
Splunk	Log management platform
VMware Horizon	Virtual desktop infrastructure
QNAP QTS	NAS management
Exchange	Microsoft Exchange Server

Home & IoT (2)

Module	Description
Home Assistant	Home automation platform
UniFi/EdgeOS	Ubiquiti network devices

Other (2)

Module	Description
Go pprof	Go profiling endpoints
NATS	Message broker

Databases (20)

Protocol	Transport	Default Ports
PostgreSQL	TCP	5432
MySQL	TCP	3306
MSSQL	TCP	1433
Oracle	TCP	1521
MongoDB	TCP	27017
Redis	TCP/TLS	6379, 6380
Cassandra	TCP	9042
InfluxDB	TCP	8086
Neo4j	TCP/TLS	7687
DB2	TCP	446, 50000
Sybase	TCP	5000
Firebird	TCP	3050
Memcached	TCP	11211
ZooKeeper	TCP	2181
Milvus	TCP	19530, 9091
CouchDB	HTTP	5984
Elasticsearch	HTTP	9200
ArangoDB	HTTP	8529
ChromaDB	HTTP	8000
Pinecone	HTTP	443

Remote Access (6)

Protocol	Transport	Default Ports
SSH	TCP	22, 2222
RDP	TCP/TLS	3389
Telnet	TCP	23
VNC	TCP	5900
AnyDesk	TCP	7070
TeamViewer	TCP	5938

Web & API (2)

Protocol	Transport	Notes
HTTP/HTTPS	TCP	HTTP/2, tech detection via Wappalyzer
Kubernetes	TCP	API server detection

Messaging & Queues (10)

Protocol	Transport	Default Ports
Kafka	TCP/TLS	9092, 9093
MQTT 3/5	TCP/TLS	1883, 8883
AMQP	TCP/TLS	5672, 5671
ActiveMQ	TCP/TLS	61616, 61617
NATS	TCP/TLS	4222, 6222
Pulsar	TCP/TLS	6650, 6651
SMTP	TCP/TLS	25, 465, 587
POP3	TCP/TLS	110, 995
IMAP	TCP/TLS	143, 993
SMPP	TCP	2775, 2776

File & Directory Services (7)

Protocol	Transport	Default Ports
FTP	TCP	21
SMB	TCP	445
NFS	TCP/UDP	2049
Rsync	TCP	873
TFTP	UDP	69
SVN	TCP	3690
LDAP	TCP/TLS	389, 636

Network Services (11)

Protocol	Transport	Default Ports
DNS	TCP/UDP	53
DHCP	UDP	67, 68
NTP	UDP	123
SNMP	UDP	161
NetBIOS-NS	UDP	137
STUN	UDP	3478
OpenVPN	UDP	1194
IPsec	UDP	500
IPMI	UDP	623
CoAP	UDP	5683
Echo	TCP/UDP	7

Industrial Control Systems (18)

Protocol	Transport	Default Ports	Notes
Modbus	TCP	502	SCADA/PLC
S7comm	TCP	102	Siemens PLC
EtherNet/IP	TCP	44818	Rockwell/Allen-Bradley
PROFINET	TCP	34962-34964	Siemens industrial
BACnet	UDP	47808	Building automation
OPC UA	TCP	4840	Industrial interop
OMRON FINS	TCP/UDP	9600	OMRON PLC
MELSEC-Q	TCP	5006, 5007	Mitsubishi PLC
KNXnet/IP	UDP	3671	Building automation
IEC 104	TCP	2404	Power grid SCADA
DNP3	TCP	20000	Power grid SCADA
Codesys	TCP	1200, 2455	PLC runtime
Fox	TCP	1911	Tridium Niagara
PC WORX	TCP	1962	Phoenix Contact
ProConOS	TCP	20547	PLC runtime
HART-IP	TCP	5094	Process automation
EtherCAT	UDP	34980	Motion control
Crimson v3	TCP	789	Red Lion HMI
PCOM	TCP	20256	Unitronics PLC
GE SRTP	TCP	18245	GE PLC
ATG	TCP	10001	Tank gauges

Telecom & VoIP (17)

Protocol	Transport	Default Ports	Notes
Diameter	TCP/SCTP	3868	LTE/5G AAA
M3UA	SCTP	2905	SS7 over IP
M2UA	SCTP	2904	MTP2 User Adaptation
M2PA	SCTP	3565	MTP2 Peer Adaptation
SGsAP	SCTP	29118	Circuit-switched fallback
X2AP	SCTP	36422	LTE inter-eNodeB
IUA	SCTP	9900	ISDN over IP
SIP	TCP/UDP/TLS	5060, 5061	VoIP signaling
MEGACO/H.248	UDP	2944, 2945	Media gateway
MGCP	UDP	2427, 2727	Media gateway
H.323	TCP	1720	Video conferencing
SCCP/Skinny	TCP	2000, 2443	Cisco IP phones
IAX2	UDP	4569	Asterisk protocol
GTP-C	UDP	2123	GPRS control
GTP-U	UDP	2152	GPRS user plane
GTP'	UDP	3386	GPRS charging
PFCP	UDP	8805	5G user plane

VPN & Security (11)

Protocol	Transport	Default Ports
SSH	TCP	22, 2222
OpenVPN	UDP	1194
WireGuard	UDP	51820
IPsec/IKEv2	UDP	500, 4500
L2TP	UDP	1701
SSTP	TCP	443
GlobalProtect	HTTP	443
AnyConnect	HTTP	443
FortiGate	HTTP	443
STUN/TURN	UDP	3478, 5349
Kerberos	TCP	88

Remote Access & Management (10)

Protocol	Transport	Default Ports
RDP	TCP/TLS	3389
VNC	TCP	5900
Telnet	TCP	23
WinRM	HTTP	5985, 5986
IPMI	UDP	623
SNMP	UDP	161
Zabbix Agent	TCP	10050
NRPE	TCP/TLS	5666
Docker	TCP/TLS	2375, 2376
X11	TCP	6000-6063

Developer Tools (8)

Protocol	Transport	Default Ports
HTTP/HTTPS	TCP	80, 443, 8080, 8443
Java RMI	TCP	1099
JDWP	TCP	5005
RTSP	TCP	554
Linux RPC	TCP	111
JetDirect	TCP	9100
CUPS/IPP	TCP	631
SonarQube	TCP	9000

Library Usage

Import Nerva into your Go applications:

package main

import (
    "context"
    "fmt"
    "log"
    "net/netip"
    "time"

    "github.com/praetorian-inc/nerva/pkg/plugins"
    "github.com/praetorian-inc/nerva/pkg/scan"
)

func main() {
    // Configure scan
    config := scan.Config{
        DefaultTimeout: 2 * time.Second,
        FastMode:       false,
        UDP:            false,
        Proxy:          "socks5://127.0.0.1:1080", // optional
        ProxyAuth:      "username:password",       // optional
        DNSOrder:       "p",                       // resolver strategy
    }

    // Create target
    ip, _ := netip.ParseAddr("93.184.216.34")
    target := plugins.Target{
        Address: netip.AddrPortFrom(ip, 22),
        Host:    "example.com",
    }

    // Run scan
    results, err := scan.ScanTargets(context.Background(), []plugins.Target{target}, config)
    if err != nil {
        log.Fatal(err)
    }

    // Process results
    for _, result := range results {
        fmt.Printf("%s:%d - %s (%s)\n",
            result.Host, result.Port,
            result.Protocol, result.Transport)
    }
}

See examples/service-fingerprinting-example.go for a complete working example.

Use Cases

Penetration Testing

Rapidly fingerprint services discovered during reconnaissance to identify potential attack vectors.

Asset Discovery Pipelines

Combine with Naabu or Masscan for large-scale asset inventory:

naabu -host 10.0.0.0/24 -silent | nerva --json | jq '.protocol'

CI/CD Security Scanning

Integrate into deployment pipelines to verify only expected services are exposed.

Bug Bounty Reconnaissance

Quickly enumerate services across scope targets to find interesting endpoints.

Telecom Network Analysis

Fingerprint Diameter nodes in LTE/5G networks using SCTP transport (Linux):

nerva -t mme.telecom.local:3868 -S --json

Architecture

graph LR
    A[host:port input] --> B[Target Parser]
    B --> C[Scan Engine]
    C --> D{Transport}
    D -->|TCP| E[TCP Plugins]
    D -->|UDP| F[UDP Plugins]
    D -->|SCTP| G[SCTP Plugins]
    E --> H[Service Detection]
    F --> H
    G --> H
    H --> I[Metadata Extraction]
    I --> J[JSON/CSV/Text Output]

Why Nerva?

vs Nmap

• Smarter defaults: Nerva checks the most likely protocol first based on port number
• Structured output: Native JSON/CSV support for easy parsing and pipeline integration
• Focused: Service fingerprinting only — pair with dedicated port scanners for discovery

vs zgrab2

• Auto-detection: No need to specify protocol ahead of time
• Simpler usage: nerva -t host:port vs echo host | zgrab2 http -p port

Troubleshooting

No output

Cause: Port is closed or no supported service detected.

Solution: Verify the port is open:

nc -zv example.com 80

Timeout errors

Cause: Default 2-second timeout too short for slow services.

Solution: Increase timeout:

nerva -t example.com:80 -w 5000  # 5 seconds

UDP services not detected

Cause: UDP scanning disabled by default.

Solution: Enable with -U flag (may require root):

sudo nerva -t example.com:53 -U

SCTP not working

Cause: SCTP only supported on Linux.

Solution: Run on a Linux system or container:

docker run --rm nerva -t telecom:3868 -S

Terminology

• Service: A network service running on a port (SSH, HTTP, PostgreSQL, etc.)
• Fingerprinting: Detecting and identifying the service type, version, and configuration
• Plugin: A protocol-specific detection module
• Fast Mode: Scanning only the default port for each protocol (80/20 optimization)
• Transport: Network layer protocol (TCP, UDP, or SCTP)

Support

If you find Nerva useful, please consider giving it a star:

Contributing

We welcome contributions! See CONTRIBUTING.md for guidelines.

License

Apache 2.0 — see LICENSE for details.

Acknowledgements

Nerva is a maintained fork of fingerprintx, originally developed by Praetorian's intern class of 2022:

• Soham Roy
• Jue Huang
• Henry Jung
• Tristan Wiesepape
• Joseph Henry
• Noah Tutt
• Nathan Sportsman