README.md
April 10, 2026 · View on GitHub
Nerva
Nerva: Fast Service Fingerprinting CLI
Features • Installation • Quick Start • Usage • Protocols • Library • Use Cases • Troubleshooting
High-performance service fingerprinting written in Go. Identify 170+ network protocols across TCP, UDP, and SCTP transports with rich metadata extraction.
Nerva rapidly detects and identifies services running on open network ports. Use it alongside port scanners like Naabu to fingerprint discovered services, or integrate it into your security pipelines for automated reconnaissance.
Features
- 170+ Protocol Plugins — Databases, remote access, web services, messaging, industrial, and telecom protocols
- 76 HTTP Fingerprinters — Detect web technologies including firewalls, databases, AI/LLM servers, and more
- Security Misconfiguration Detection — Identify common security issues like unauthenticated APIs and cleartext protocols (
--misconfigs) - Multi-Transport Support — TCP (default), UDP (
--udp), and SCTP (--sctp, Linux only) - Proxy Support — Route scanning traffic transparently through SOCKS5 or HTTP proxies with configurable DNS resolution
- Rich Metadata — Extract versions, configurations, and security-relevant details from each service
- Fast Mode — Scan only default ports for rapid reconnaissance (
--fast) - Flexible Output — JSON, CSV, or human-readable formats
- Pipeline Friendly — Pipe from Naabu, Nmap, or any tool that outputs
host:port - Go Library — Import directly into your Go applications
Installation
Releases
Download a prebuilt binary from the Releases page.
From GitHub
go install github.com/praetorian-inc/nerva/cmd/nerva@latest
From Source
git clone https://github.com/praetorian-inc/nerva.git
cd nerva
go build ./cmd/nerva
./nerva -h
Docker
git clone https://github.com/praetorian-inc/nerva.git
cd nerva
docker build -t nerva .
docker run --rm nerva -h
docker run --rm nerva -t example.com:80 --json
Quick Start
Fingerprint a single target:
nerva -t example.com:22
# ssh://example.com:22
Get detailed JSON metadata:
nerva -t example.com:22 --json
# {"host":"example.com","ip":"93.184.216.34","port":22,"protocol":"ssh","transport":"tcp","metadata":{...}}
Pipe from a port scanner:
naabu -host example.com -silent | nerva
# http://example.com:80
# ssh://example.com:22
# https://example.com:443
Usage
nerva [flags]
TARGET SPECIFICATION:
Requires host:port or ip:port format. Assumes ports are open.
EXAMPLES:
nerva -t example.com:80
nerva -t example.com:80,example.com:443
nerva -l targets.txt
nerva --json -t example.com:80
cat targets.txt | nerva
Flags
| Flag | Short | Description | Default |
|---|---|---|---|
--targets | -t | Target or comma-separated target list | — |
--list | -l | Input file containing targets | — |
--output | -o | Output file path | stdout |
--json | Output in JSON format | false | |
--csv | Output in CSV format | false | |
--misconfigs | Enable security misconfiguration detection | false | |
--proxy | Proxy URL (e.g. socks5://127.0.0.1:1080) | — | |
--proxy-auth | SOCKS5 Proxy Auth (e.g. username:password) | — | |
--dns-order | DNS resolution order: p, l, lp, pl | lp | |
--fast | -f | Fast mode (default ports only) | false |
--capabilities | -c | List available capabilities and exit | false |
--udp | -U | Run UDP plugins | false |
--sctp | -S | Run SCTP plugins (Linux only) | false |
--timeout | -w | Timeout in milliseconds | 2000 |
--verbose | -v | Verbose output to stderr | false |
--workers | -W | Concurrent scan workers | 50 |
--max-host-conn | -H | Max concurrent connections per host IP (0=unlimited) | 0 |
--rate-limit | -R | Max scans per second globally (0=unlimited) | 0 |
Examples
Multiple targets:
nerva -t example.com:22,example.com:80,example.com:443
From file:
nerva -l targets.txt --json -o results.json
UDP scanning (may require root):
sudo nerva -t example.com:53 -U
# dns://example.com:53
SCTP scanning (Linux only):
nerva -t telecom-server:3868 -S
# diameter://telecom-server:3868
Fast mode (default ports only):
nerva -l large-target-list.txt --fast --json
Proxy routing with remote DNS resolution:
nerva -t target.internal:80 --proxy socks5://127.0.0.1:1080 --dns-order p
Security Misconfiguration Detection
Nerva can identify common security misconfigurations when enabled with --misconfigs:
nerva -t example.com:2375 --misconfigs --json
Detected misconfigurations:
| Finding ID | Severity | Description |
|---|---|---|
docker-unauth-api | Critical | Docker API accessible without authentication |
x11-unauth-access | Critical | X11 server allows unauthenticated connections |
smb-signing-not-required | Medium | SMB signing not required (relay attack risk) |
telnet-cleartext | Medium | Telnet transmits credentials in cleartext |
vnc-detected | Medium | VNC detected (often weak authentication) |
ssh-password-auth | Medium | Server allows password authentication |
ssh-weak-cipher | Low | Server offers weak ciphers (RC4, 3DES, Blowfish) |
ssh-weak-kex | Low | Server offers weak key exchange algorithms |
ssh-weak-mac | Low | Server offers weak MAC algorithms |
ftp-cleartext | Low | FTP transmits credentials in cleartext |
Example output with misconfigs:
{
"host": "example.com",
"port": 2375,
"protocol": "docker",
"anonymous_access": true,
"security_findings": [
{
"id": "docker-unauth-api",
"severity": "critical",
"description": "Docker API accessible without authentication",
"evidence": "Successfully queried /version endpoint without credentials"
}
]
}
Proxy Support
Nerva supports routing scanning traffic through SOCKS5 and HTTP proxies with configurable DNS resolution.
Supported proxy schemes:
socks5://- SOCKS5 proxy with local DNS resolutionsocks5h://- SOCKS5 proxy with proxy-side DNS resolution (always)http://- HTTP CONNECT proxyhttps://- HTTPS CONNECT proxy
Proxy authentication:
# Inline authentication (URL format)
nerva -t example.com:80 --proxy socks5://username:password@127.0.0.1:1080
# Separate authentication flag
nerva -t example.com:80 --proxy socks5://127.0.0.1:1080 --proxy-auth username:password
DNS resolution strategies (--dns-order):
| Option | Strategy | Use Case |
|---|---|---|
l | Local only | Standard local DNS (default) |
p | Proxy only | Force proxy-side DNS resolution |
lp | Local, fallback to proxy | Try local first, use proxy on failure |
pl | Proxy, fallback to local | Try proxy first, use local on failure |
Note: socks5h:// scheme automatically forces proxy-side DNS (equivalent to --dns-order p)
Tor scanning example:
# Scan .onion services through Tor (SOCKS5 proxy on port 9050)
nerva -t http://example.onion:80 --proxy socks5h://127.0.0.1:9050
UDP through proxy:
# UDP scanning through SOCKS5 proxy (limited support)
nerva -t target.com:161 --proxy socks5://127.0.0.1:1080 --udp
⚠️ UDP Limitations: UDP through SOCKS5 has limited support. Not all SOCKS5 servers support UDP association. Local UDP fallback may occur.
Parallel scanning with rate limiting:
nerva -l large-target-list.txt -W 100 -H 5 -R 50 -v
Graceful shutdown (Ctrl+C returns partial results):
nerva -l huge-target-list.txt -W 50 -v
# Press Ctrl+C to stop — collected results are still printed
Supported Protocols
170+ service detection plugins across TCP, UDP, and SCTP:
HTTP Fingerprint Modules (66)
Technology detection for web services, organized by category:
Firewalls & Network Security (12)
| Module | Description |
|---|---|
| Checkpoint | Check Point Security Gateway |
| Cisco ASA/FTD | Cisco firewall/VPN appliances |
| FortiGate | Fortinet firewall/VPN |
| GlobalProtect | Palo Alto Networks VPN |
| Juniper | Juniper SRX firewalls |
| OPNsense | OPNsense firewall |
| pfSense | pfSense firewall |
| SonicWall | SonicWall firewalls |
| AnyConnect | Cisco AnyConnect SSL VPN |
| Cisco Expressway | Cisco collaboration gateway |
| BigIP | F5 BIG-IP load balancer |
| WinRM | Windows Remote Management |
AI/LLM & Machine Learning (6)
| Module | Description |
|---|---|
| Ollama | Self-hosted LLM inference server |
| LocalAI | Self-hosted LLM inference (OpenAI-compatible) |
| Open WebUI | LLM web interface (ChatGPT-style) |
| Triton | NVIDIA Triton Inference Server |
| Weaviate | Vector database for AI |
| ChromaDB | Vector database |
Databases & Data Stores (12)
| Module | Description |
|---|---|
| ArangoDB | Multi-model database |
| CockroachDB | Distributed SQL database |
| CouchDB | Apache document database |
| Elasticsearch | Search and analytics engine |
| etcd | Distributed key-value store |
| Milvus | Vector database |
| MinIO | S3-compatible object storage |
| Pinecone | Vector database |
| Redis Commander | Redis web management UI |
| TiDB | Distributed SQL database |
| YugabyteDB | Distributed SQL database |
| Qdrant | Vector database |
DevOps & Infrastructure (14)
| Module | Description |
|---|---|
| Artifactory | JFrog artifact repository |
| Consul | HashiCorp service mesh |
| Docker Registry | Container image registry |
| Gitea | Self-hosted Git service |
| Grafana | Observability platform |
| Harbor | Container registry |
| Jaeger | Distributed tracing |
| Jenkins | CI/CD automation |
| Kubernetes | Container orchestration API |
| Portainer | Docker management UI |
| Prometheus | Monitoring system |
| Swagger/OpenAPI | API documentation |
| TeamCity | CI/CD server |
| Vault | HashiCorp secrets management |
Web Servers & Frameworks (10)
| Module | Description |
|---|---|
| Apache HTTPD | Apache HTTP Server |
| Express.js | Node.js web framework |
| GoAhead | Embedded web server |
| Gotenberg | PDF generation service |
| Guacamole | Apache remote desktop gateway |
| SOAP | Web services |
| Tengine | Alibaba web server |
| Tomcat | Apache Tomcat |
| WordPress | CMS platform |
| UPnP | Universal Plug and Play |
Enterprise & Business (8)
| Module | Description |
|---|---|
| AEM | Adobe Experience Manager |
| Dynamics 365 | Microsoft Dynamics 365 / Power Apps |
| Oracle Service Cloud | Oracle CRM platform |
| SAP NetWeaver | SAP enterprise platform |
| Splunk | Log management platform |
| VMware Horizon | Virtual desktop infrastructure |
| QNAP QTS | NAS management |
| Exchange | Microsoft Exchange Server |
Home & IoT (2)
| Module | Description |
|---|---|
| Home Assistant | Home automation platform |
| UniFi/EdgeOS | Ubiquiti network devices |
Other (2)
| Module | Description |
|---|---|
| Go pprof | Go profiling endpoints |
| NATS | Message broker |
Databases (20)
| Protocol | Transport | Default Ports |
|---|---|---|
| PostgreSQL | TCP | 5432 |
| MySQL | TCP | 3306 |
| MSSQL | TCP | 1433 |
| Oracle | TCP | 1521 |
| MongoDB | TCP | 27017 |
| Redis | TCP/TLS | 6379, 6380 |
| Cassandra | TCP | 9042 |
| InfluxDB | TCP | 8086 |
| Neo4j | TCP/TLS | 7687 |
| DB2 | TCP | 446, 50000 |
| Sybase | TCP | 5000 |
| Firebird | TCP | 3050 |
| Memcached | TCP | 11211 |
| ZooKeeper | TCP | 2181 |
| Milvus | TCP | 19530, 9091 |
| CouchDB | HTTP | 5984 |
| Elasticsearch | HTTP | 9200 |
| ArangoDB | HTTP | 8529 |
| ChromaDB | HTTP | 8000 |
| Pinecone | HTTP | 443 |
Remote Access (6)
| Protocol | Transport | Default Ports |
|---|---|---|
| SSH | TCP | 22, 2222 |
| RDP | TCP/TLS | 3389 |
| Telnet | TCP | 23 |
| VNC | TCP | 5900 |
| AnyDesk | TCP | 7070 |
| TeamViewer | TCP | 5938 |
Web & API (2)
| Protocol | Transport | Notes |
|---|---|---|
| HTTP/HTTPS | TCP | HTTP/2, tech detection via Wappalyzer |
| Kubernetes | TCP | API server detection |
Messaging & Queues (10)
| Protocol | Transport | Default Ports |
|---|---|---|
| Kafka | TCP/TLS | 9092, 9093 |
| MQTT 3/5 | TCP/TLS | 1883, 8883 |
| AMQP | TCP/TLS | 5672, 5671 |
| ActiveMQ | TCP/TLS | 61616, 61617 |
| NATS | TCP/TLS | 4222, 6222 |
| Pulsar | TCP/TLS | 6650, 6651 |
| SMTP | TCP/TLS | 25, 465, 587 |
| POP3 | TCP/TLS | 110, 995 |
| IMAP | TCP/TLS | 143, 993 |
| SMPP | TCP | 2775, 2776 |
File & Directory Services (7)
| Protocol | Transport | Default Ports |
|---|---|---|
| FTP | TCP | 21 |
| SMB | TCP | 445 |
| NFS | TCP/UDP | 2049 |
| Rsync | TCP | 873 |
| TFTP | UDP | 69 |
| SVN | TCP | 3690 |
| LDAP | TCP/TLS | 389, 636 |
Network Services (11)
| Protocol | Transport | Default Ports |
|---|---|---|
| DNS | TCP/UDP | 53 |
| DHCP | UDP | 67, 68 |
| NTP | UDP | 123 |
| SNMP | UDP | 161 |
| NetBIOS-NS | UDP | 137 |
| STUN | UDP | 3478 |
| OpenVPN | UDP | 1194 |
| IPsec | UDP | 500 |
| IPMI | UDP | 623 |
| CoAP | UDP | 5683 |
| Echo | TCP/UDP | 7 |
Industrial Control Systems (18)
| Protocol | Transport | Default Ports | Notes |
|---|---|---|---|
| Modbus | TCP | 502 | SCADA/PLC |
| S7comm | TCP | 102 | Siemens PLC |
| EtherNet/IP | TCP | 44818 | Rockwell/Allen-Bradley |
| PROFINET | TCP | 34962-34964 | Siemens industrial |
| BACnet | UDP | 47808 | Building automation |
| OPC UA | TCP | 4840 | Industrial interop |
| OMRON FINS | TCP/UDP | 9600 | OMRON PLC |
| MELSEC-Q | TCP | 5006, 5007 | Mitsubishi PLC |
| KNXnet/IP | UDP | 3671 | Building automation |
| IEC 104 | TCP | 2404 | Power grid SCADA |
| DNP3 | TCP | 20000 | Power grid SCADA |
| Codesys | TCP | 1200, 2455 | PLC runtime |
| Fox | TCP | 1911 | Tridium Niagara |
| PC WORX | TCP | 1962 | Phoenix Contact |
| ProConOS | TCP | 20547 | PLC runtime |
| HART-IP | TCP | 5094 | Process automation |
| EtherCAT | UDP | 34980 | Motion control |
| Crimson v3 | TCP | 789 | Red Lion HMI |
| PCOM | TCP | 20256 | Unitronics PLC |
| GE SRTP | TCP | 18245 | GE PLC |
| ATG | TCP | 10001 | Tank gauges |
Telecom & VoIP (17)
| Protocol | Transport | Default Ports | Notes |
|---|---|---|---|
| Diameter | TCP/SCTP | 3868 | LTE/5G AAA |
| M3UA | SCTP | 2905 | SS7 over IP |
| M2UA | SCTP | 2904 | MTP2 User Adaptation |
| M2PA | SCTP | 3565 | MTP2 Peer Adaptation |
| SGsAP | SCTP | 29118 | Circuit-switched fallback |
| X2AP | SCTP | 36422 | LTE inter-eNodeB |
| IUA | SCTP | 9900 | ISDN over IP |
| SIP | TCP/UDP/TLS | 5060, 5061 | VoIP signaling |
| MEGACO/H.248 | UDP | 2944, 2945 | Media gateway |
| MGCP | UDP | 2427, 2727 | Media gateway |
| H.323 | TCP | 1720 | Video conferencing |
| SCCP/Skinny | TCP | 2000, 2443 | Cisco IP phones |
| IAX2 | UDP | 4569 | Asterisk protocol |
| GTP-C | UDP | 2123 | GPRS control |
| GTP-U | UDP | 2152 | GPRS user plane |
| GTP' | UDP | 3386 | GPRS charging |
| PFCP | UDP | 8805 | 5G user plane |
VPN & Security (11)
| Protocol | Transport | Default Ports |
|---|---|---|
| SSH | TCP | 22, 2222 |
| OpenVPN | UDP | 1194 |
| WireGuard | UDP | 51820 |
| IPsec/IKEv2 | UDP | 500, 4500 |
| L2TP | UDP | 1701 |
| SSTP | TCP | 443 |
| GlobalProtect | HTTP | 443 |
| AnyConnect | HTTP | 443 |
| FortiGate | HTTP | 443 |
| STUN/TURN | UDP | 3478, 5349 |
| Kerberos | TCP | 88 |
Remote Access & Management (10)
| Protocol | Transport | Default Ports |
|---|---|---|
| RDP | TCP/TLS | 3389 |
| VNC | TCP | 5900 |
| Telnet | TCP | 23 |
| WinRM | HTTP | 5985, 5986 |
| IPMI | UDP | 623 |
| SNMP | UDP | 161 |
| Zabbix Agent | TCP | 10050 |
| NRPE | TCP/TLS | 5666 |
| Docker | TCP/TLS | 2375, 2376 |
| X11 | TCP | 6000-6063 |
Developer Tools (8)
| Protocol | Transport | Default Ports |
|---|---|---|
| HTTP/HTTPS | TCP | 80, 443, 8080, 8443 |
| Java RMI | TCP | 1099 |
| JDWP | TCP | 5005 |
| RTSP | TCP | 554 |
| Linux RPC | TCP | 111 |
| JetDirect | TCP | 9100 |
| CUPS/IPP | TCP | 631 |
| SonarQube | TCP | 9000 |
Library Usage
Import Nerva into your Go applications:
package main
import (
"context"
"fmt"
"log"
"net/netip"
"time"
"github.com/praetorian-inc/nerva/pkg/plugins"
"github.com/praetorian-inc/nerva/pkg/scan"
)
func main() {
// Configure scan
config := scan.Config{
DefaultTimeout: 2 * time.Second,
FastMode: false,
UDP: false,
Proxy: "socks5://127.0.0.1:1080", // optional
ProxyAuth: "username:password", // optional
DNSOrder: "p", // resolver strategy
}
// Create target
ip, _ := netip.ParseAddr("93.184.216.34")
target := plugins.Target{
Address: netip.AddrPortFrom(ip, 22),
Host: "example.com",
}
// Run scan
results, err := scan.ScanTargets(context.Background(), []plugins.Target{target}, config)
if err != nil {
log.Fatal(err)
}
// Process results
for _, result := range results {
fmt.Printf("%s:%d - %s (%s)\n",
result.Host, result.Port,
result.Protocol, result.Transport)
}
}
See examples/service-fingerprinting-example.go for a complete working example.
Use Cases
Penetration Testing
Rapidly fingerprint services discovered during reconnaissance to identify potential attack vectors.
Asset Discovery Pipelines
Combine with Naabu or Masscan for large-scale asset inventory:
naabu -host 10.0.0.0/24 -silent | nerva --json | jq '.protocol'
CI/CD Security Scanning
Integrate into deployment pipelines to verify only expected services are exposed.
Bug Bounty Reconnaissance
Quickly enumerate services across scope targets to find interesting endpoints.
Telecom Network Analysis
Fingerprint Diameter nodes in LTE/5G networks using SCTP transport (Linux):
nerva -t mme.telecom.local:3868 -S --json
Architecture
graph LR
A[host:port input] --> B[Target Parser]
B --> C[Scan Engine]
C --> D{Transport}
D -->|TCP| E[TCP Plugins]
D -->|UDP| F[UDP Plugins]
D -->|SCTP| G[SCTP Plugins]
E --> H[Service Detection]
F --> H
G --> H
H --> I[Metadata Extraction]
I --> J[JSON/CSV/Text Output]
Why Nerva?
vs Nmap
- Smarter defaults: Nerva checks the most likely protocol first based on port number
- Structured output: Native JSON/CSV support for easy parsing and pipeline integration
- Focused: Service fingerprinting only — pair with dedicated port scanners for discovery
vs zgrab2
- Auto-detection: No need to specify protocol ahead of time
- Simpler usage:
nerva -t host:portvsecho host | zgrab2 http -p port
Troubleshooting
No output
Cause: Port is closed or no supported service detected.
Solution: Verify the port is open:
nc -zv example.com 80
Timeout errors
Cause: Default 2-second timeout too short for slow services.
Solution: Increase timeout:
nerva -t example.com:80 -w 5000 # 5 seconds
UDP services not detected
Cause: UDP scanning disabled by default.
Solution: Enable with -U flag (may require root):
sudo nerva -t example.com:53 -U
SCTP not working
Cause: SCTP only supported on Linux.
Solution: Run on a Linux system or container:
docker run --rm nerva -t telecom:3868 -S
Terminology
- Service: A network service running on a port (SSH, HTTP, PostgreSQL, etc.)
- Fingerprinting: Detecting and identifying the service type, version, and configuration
- Plugin: A protocol-specific detection module
- Fast Mode: Scanning only the default port for each protocol (80/20 optimization)
- Transport: Network layer protocol (TCP, UDP, or SCTP)
Support
If you find Nerva useful, please consider giving it a star:
Contributing
We welcome contributions! See CONTRIBUTING.md for guidelines.
License
Apache 2.0 — see LICENSE for details.
Acknowledgements
Nerva is a maintained fork of fingerprintx, originally developed by Praetorian's intern class of 2022: