{"id":50547268,"url":"https://github.com/praetorian-inc/nerva","last_synced_at":"2026-06-10T21:01:02.110Z","repository":{"id":341031281,"uuid":"1141520429","full_name":"praetorian-inc/nerva","owner":"praetorian-inc","description":"Fast service fingerprinting CLI for 170+ protocols (TCP/UDP/SCTP) - built by Praetorian","archived":false,"fork":false,"pushed_at":"2026-06-03T22:54:01.000Z","size":14461,"stargazers_count":293,"open_issues_count":10,"forks_count":28,"subscribers_count":5,"default_branch":"main","last_synced_at":"2026-06-04T00:19:15.625Z","etag":null,"topics":["capability","cli-tool","external-network-security","go-library","network-scanner","pentesting","port-scanner","protocol-detection","reconnaissance","sctp","security-tool","service-discovery","service-fingerprinting","telecom"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/praetorian-inc.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-25T00:48:54.000Z","updated_at":"2026-06-03T22:53:41.000Z","dependencies_parsed_at":null,"dependency_job_id":"074405ed-9b31-40d3-9327-87a651c0c48b","html_url":"https://github.com/praetorian-inc/nerva","commit_stats":null,"previous_names":["praetorian-inc/nerva"],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/praetorian-inc/nerva","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praetorian-inc%2Fnerva","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praetorian-inc%2Fnerva/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praetorian-inc%2Fnerva/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praetorian-inc%2Fnerva/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/praetorian-inc","download_url":"https://codeload.github.com/praetorian-inc/nerva/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praetorian-inc%2Fnerva/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34170161,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-10T02:00:07.152Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["capability","cli-tool","external-network-security","go-library","network-scanner","pentesting","port-scanner","protocol-detection","reconnaissance","sctp","security-tool","service-discovery","service-fingerprinting","telecom"],"created_at":"2026-06-04T00:00:54.302Z","updated_at":"2026-06-10T21:01:02.072Z","avatar_url":"https://github.com/praetorian-inc.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cimg width=\"2976\" height=\"1440\" alt=\"Nerva - Fast service fingerprinting CLI for network reconnaissance supporting 170+ protocols\" src=\"https://github.com/user-attachments/assets/8bb40a77-a2cf-42a2-acbb-195a36623e00\" /\u003e\n\u003ch1 align=\"center\"\u003e\n  Nerva\n  \u003cbr\u003e\n  \u003csub\u003eNerva: Fast Service Fingerprinting CLI\u003c/sub\u003e\n\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n\u003ca href=\"https://github.com/praetorian-inc/nerva/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/praetorian-inc/nerva?style=flat-square\" alt=\"Release\"\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/praetorian-inc/nerva/actions\"\u003e\u003cimg src=\"https://img.shields.io/github/actions/workflow/status/praetorian-inc/nerva/ci.yml?style=flat-square\" alt=\"Build Status\"\u003e\u003c/a\u003e\n\u003ca href=\"https://goreportcard.com/report/github.com/praetorian-inc/nerva\"\u003e\u003cimg src=\"https://goreportcard.com/badge/github.com/praetorian-inc/nerva?style=flat-square\" alt=\"Go Report Card\"\u003e\u003c/a\u003e\n\u003ca href=\"https://opensource.org/licenses/Apache-2.0\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-Apache%202.0-blue.svg?style=flat-square\" alt=\"License\"\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/praetorian-inc/nerva/stargazers\"\u003e\u003cimg src=\"https://img.shields.io/github/stars/praetorian-inc/nerva?style=flat-square\" alt=\"Stars\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#features\"\u003eFeatures\u003c/a\u003e •\n  \u003ca href=\"#installation\"\u003eInstallation\u003c/a\u003e •\n  \u003ca href=\"#quick-start\"\u003eQuick Start\u003c/a\u003e •\n  \u003ca href=\"#usage\"\u003eUsage\u003c/a\u003e •\n  \u003ca href=\"#supported-protocols\"\u003eProtocols\u003c/a\u003e •\n  \u003ca href=\"#library-usage\"\u003eLibrary\u003c/a\u003e •\n  \u003ca href=\"#use-cases\"\u003eUse Cases\u003c/a\u003e •\n  \u003ca href=\"#troubleshooting\"\u003eTroubleshooting\u003c/a\u003e\n\u003c/p\u003e\n\n\u003e **High-performance service fingerprinting written in Go.** Identify 170+ network protocols across TCP, UDP, and SCTP transports with rich metadata extraction.\n\nNerva rapidly detects and identifies services running on open network ports. Use it alongside port scanners like [Naabu](https://github.com/projectdiscovery/naabu) to fingerprint discovered services, or integrate it into your security pipelines for automated reconnaissance.\n\n## Features\n\n- **170+ Protocol Plugins** — Databases, remote access, web services, messaging, industrial, and telecom protocols\n- **76 HTTP Fingerprinters** — Detect web technologies including firewalls, databases, AI/LLM servers, and more\n- **Security Misconfiguration Detection** — Identify common security issues like unauthenticated APIs and cleartext protocols (`--misconfigs`)\n- **Multi-Transport Support** — TCP (default), UDP (`--udp`), and SCTP (`--sctp`, Linux only)\n- **Proxy Support** — Route scanning traffic transparently through SOCKS5 or HTTP proxies with configurable DNS resolution\n- **Rich Metadata** — Extract versions, configurations, and security-relevant details from each service\n- **Fast Mode** — Scan only default ports for rapid reconnaissance (`--fast`)\n- **Flexible Output** — JSON, CSV, or human-readable formats\n- **Pipeline Friendly** — Pipe from Naabu, Nmap, or any tool that outputs `host:port`\n- **Go Library** — Import directly into your Go applications\n\n## Installation\n\n### Releases\nDownload a prebuilt binary from the [Releases](https://github.com/praetorian-inc/nerva/releases) page.\n\n### From GitHub\n\n```sh\ngo install github.com/praetorian-inc/nerva/cmd/nerva@latest\n```\n\n### From Source\n\n```sh\ngit clone https://github.com/praetorian-inc/nerva.git\ncd nerva\ngo build ./cmd/nerva\n./nerva -h\n```\n\n### Docker\n\n```sh\ngit clone https://github.com/praetorian-inc/nerva.git\ncd nerva\ndocker build -t nerva .\ndocker run --rm nerva -h\ndocker run --rm nerva -t example.com:80 --json\n```\n\n## Quick Start\n\nFingerprint a single target:\n\n```sh\nnerva -t example.com:22\n# ssh://example.com:22\n```\n\nGet detailed JSON metadata:\n\n```sh\nnerva -t example.com:22 --json\n# {\"host\":\"example.com\",\"ip\":\"93.184.216.34\",\"port\":22,\"protocol\":\"ssh\",\"transport\":\"tcp\",\"metadata\":{...}}\n```\n\nPipe from a port scanner:\n\n```sh\nnaabu -host example.com -silent | nerva\n# http://example.com:80\n# ssh://example.com:22\n# https://example.com:443\n```\n\n## Usage\n\n```\nnerva [flags]\n\nTARGET SPECIFICATION:\n  Requires host:port or ip:port format. Assumes ports are open.\n\nEXAMPLES:\n  nerva -t example.com:80\n  nerva -t example.com:80,example.com:443\n  nerva -l targets.txt\n  nerva --json -t example.com:80\n  cat targets.txt | nerva\n```\n\n### Flags\n\n| Flag | Short | Description | Default |\n|------|-------|-------------|---------|\n| `--targets` | `-t` | Target or comma-separated target list | — |\n| `--list` | `-l` | Input file containing targets | — |\n| `--output` | `-o` | Output file path | stdout |\n| `--json` | | Output in JSON format | false |\n| `--csv` | | Output in CSV format | false |\n| `--misconfigs` | | Enable security misconfiguration detection | false |\n| `--proxy` | | Proxy URL (e.g. socks5://127.0.0.1:1080) | — |\n| `--proxy-auth` | | SOCKS5 Proxy Auth (e.g. username:password) | — |\n| `--dns-order` | | DNS resolution order: `p`, `l`, `lp`, `pl` | `lp` |\n| `--fast` | `-f` | Fast mode (default ports only) | false |\n| `--capabilities` | `-c` | List available capabilities and exit | false |\n| `--udp` | `-U` | Run UDP plugins | false |\n| `--sctp` | `-S` | Run SCTP plugins (Linux only) | false |\n| `--timeout` | `-w` | Timeout in milliseconds | 2000 |\n| `--verbose` | `-v` | Verbose output to stderr | false |\n| `--workers` | `-W` | Concurrent scan workers | 50 |\n| `--max-host-conn` | `-H` | Max concurrent connections per host IP (0=unlimited) | 0 |\n| `--rate-limit` | `-R` | Max scans per second globally (0=unlimited) | 0 |\n\n### Examples\n\n**Multiple targets:**\n\n```sh\nnerva -t example.com:22,example.com:80,example.com:443\n```\n\n**From file:**\n\n```sh\nnerva -l targets.txt --json -o results.json\n```\n\n**UDP scanning** (may require root):\n\n```sh\nsudo nerva -t example.com:53 -U\n# dns://example.com:53\n```\n\n**SCTP scanning** (Linux only):\n\n```sh\nnerva -t telecom-server:3868 -S\n# diameter://telecom-server:3868\n```\n\n**Fast mode** (default ports only):\n\n```sh\nnerva -l large-target-list.txt --fast --json\n```\n\n**Proxy routing with remote DNS resolution:**\n\n```sh\nnerva -t target.internal:80 --proxy socks5://127.0.0.1:1080 --dns-order p\n```\n\n### Security Misconfiguration Detection\n\nNerva can identify common security misconfigurations when enabled with `--misconfigs`:\n\n```sh\nnerva -t example.com:2375 --misconfigs --json\n```\n\n**Detected misconfigurations:**\n\n| Finding ID | Severity | Description |\n|------------|----------|-------------|\n| `docker-unauth-api` | Critical | Docker API accessible without authentication |\n| `x11-unauth-access` | Critical | X11 server allows unauthenticated connections |\n| `smb-signing-not-required` | Medium | SMB signing not required (relay attack risk) |\n| `telnet-cleartext` | Medium | Telnet transmits credentials in cleartext |\n| `vnc-detected` | Medium | VNC detected (often weak authentication) |\n| `ssh-password-auth` | Medium | Server allows password authentication |\n| `ssh-weak-cipher` | Low | Server offers weak ciphers (RC4, 3DES, Blowfish) |\n| `ssh-weak-kex` | Low | Server offers weak key exchange algorithms |\n| `ssh-weak-mac` | Low | Server offers weak MAC algorithms |\n| `ftp-cleartext` | Low | FTP transmits credentials in cleartext |\n\n**Example output with misconfigs:**\n\n```json\n{\n  \"host\": \"example.com\",\n  \"port\": 2375,\n  \"protocol\": \"docker\",\n  \"anonymous_access\": true,\n  \"security_findings\": [\n    {\n      \"id\": \"docker-unauth-api\",\n      \"severity\": \"critical\",\n      \"description\": \"Docker API accessible without authentication\",\n      \"evidence\": \"Successfully queried /version endpoint without credentials\"\n    }\n  ]\n}\n```\n\n### Proxy Support\n\nNerva supports routing scanning traffic through SOCKS5 and HTTP proxies with configurable DNS resolution.\n\n**Supported proxy schemes:**\n\n- `socks5://` - SOCKS5 proxy with local DNS resolution\n- `socks5h://` - SOCKS5 proxy with proxy-side DNS resolution (always)\n- `http://` - HTTP CONNECT proxy\n- `https://` - HTTPS CONNECT proxy\n\n**Proxy authentication:**\n\n```sh\n# Inline authentication (URL format)\nnerva -t example.com:80 --proxy socks5://username:password@127.0.0.1:1080\n\n# Separate authentication flag\nnerva -t example.com:80 --proxy socks5://127.0.0.1:1080 --proxy-auth username:password\n```\n\n**DNS resolution strategies** (`--dns-order`):\n\n| Option | Strategy | Use Case |\n|--------|----------|----------|\n| `l` | Local only | Standard local DNS (default) |\n| `p` | Proxy only | Force proxy-side DNS resolution |\n| `lp` | Local, fallback to proxy | Try local first, use proxy on failure |\n| `pl` | Proxy, fallback to local | Try proxy first, use local on failure |\n\n**Note:** `socks5h://` scheme automatically forces proxy-side DNS (equivalent to `--dns-order p`)\n\n**Tor scanning example:**\n\n```sh\n# Scan .onion services through Tor (SOCKS5 proxy on port 9050)\nnerva -t http://example.onion:80 --proxy socks5h://127.0.0.1:9050\n```\n\n**UDP through proxy:**\n\n```sh\n# UDP scanning through SOCKS5 proxy (limited support)\nnerva -t target.com:161 --proxy socks5://127.0.0.1:1080 --udp\n```\n\n⚠️ **UDP Limitations:** UDP through SOCKS5 has limited support. Not all SOCKS5 servers support UDP association. Local UDP fallback may occur.\n\n**Parallel scanning with rate limiting:**\n\n```sh\nnerva -l large-target-list.txt -W 100 -H 5 -R 50 -v\n```\n\n**Graceful shutdown** (Ctrl+C returns partial results):\n\n```sh\nnerva -l huge-target-list.txt -W 50 -v\n# Press Ctrl+C to stop — collected results are still printed\n```\n\n## Supported Protocols\n\n**170+ service detection plugins** across TCP, UDP, and SCTP:\n\n### HTTP Fingerprint Modules (66)\n\nTechnology detection for web services, organized by category:\n\n#### Firewalls \u0026 Network Security (12)\n\n| Module | Description |\n|--------|-------------|\n| Checkpoint | Check Point Security Gateway |\n| Cisco ASA/FTD | Cisco firewall/VPN appliances |\n| FortiGate | Fortinet firewall/VPN |\n| GlobalProtect | Palo Alto Networks VPN |\n| Juniper | Juniper SRX firewalls |\n| OPNsense | OPNsense firewall |\n| pfSense | pfSense firewall |\n| SonicWall | SonicWall firewalls |\n| AnyConnect | Cisco AnyConnect SSL VPN |\n| Cisco Expressway | Cisco collaboration gateway |\n| BigIP | F5 BIG-IP load balancer |\n| WinRM | Windows Remote Management |\n\n#### AI/LLM \u0026 Machine Learning (6)\n\n| Module | Description |\n|--------|-------------|\n| Ollama | Self-hosted LLM inference server |\n| LocalAI | Self-hosted LLM inference (OpenAI-compatible) |\n| Open WebUI | LLM web interface (ChatGPT-style) |\n| Triton | NVIDIA Triton Inference Server |\n| Weaviate | Vector database for AI |\n| ChromaDB | Vector database |\n\n#### Databases \u0026 Data Stores (12)\n\n| Module | Description |\n|--------|-------------|\n| ArangoDB | Multi-model database |\n| CockroachDB | Distributed SQL database |\n| CouchDB | Apache document database |\n| Elasticsearch | Search and analytics engine |\n| etcd | Distributed key-value store |\n| Milvus | Vector database |\n| MinIO | S3-compatible object storage |\n| Pinecone | Vector database |\n| Redis Commander | Redis web management UI |\n| TiDB | Distributed SQL database |\n| YugabyteDB | Distributed SQL database |\n| Qdrant | Vector database |\n\n#### DevOps \u0026 Infrastructure (14)\n\n| Module | Description |\n|--------|-------------|\n| Artifactory | JFrog artifact repository |\n| Consul | HashiCorp service mesh |\n| Docker Registry | Container image registry |\n| Gitea | Self-hosted Git service |\n| Grafana | Observability platform |\n| Harbor | Container registry |\n| Jaeger | Distributed tracing |\n| Jenkins | CI/CD automation |\n| Kubernetes | Container orchestration API |\n| Portainer | Docker management UI |\n| Prometheus | Monitoring system |\n| Swagger/OpenAPI | API documentation |\n| TeamCity | CI/CD server |\n| Vault | HashiCorp secrets management |\n\n#### Web Servers \u0026 Frameworks (10)\n\n| Module | Description |\n|--------|-------------|\n| Apache HTTPD | Apache HTTP Server |\n| Express.js | Node.js web framework |\n| GoAhead | Embedded web server |\n| Gotenberg | PDF generation service |\n| Guacamole | Apache remote desktop gateway |\n| SOAP | Web services |\n| Tengine | Alibaba web server |\n| Tomcat | Apache Tomcat |\n| WordPress | CMS platform |\n| UPnP | Universal Plug and Play |\n\n#### Enterprise \u0026 Business (8)\n\n| Module | Description |\n|--------|-------------|\n| AEM | Adobe Experience Manager |\n| Dynamics 365 | Microsoft Dynamics 365 / Power Apps |\n| Oracle Service Cloud | Oracle CRM platform |\n| SAP NetWeaver | SAP enterprise platform |\n| Splunk | Log management platform |\n| VMware Horizon | Virtual desktop infrastructure |\n| QNAP QTS | NAS management |\n| Exchange | Microsoft Exchange Server |\n\n#### Home \u0026 IoT (2)\n\n| Module | Description |\n|--------|-------------|\n| Home Assistant | Home automation platform |\n| UniFi/EdgeOS | Ubiquiti network devices |\n\n#### Other (2)\n\n| Module | Description |\n|--------|-------------|\n| Go pprof | Go profiling endpoints |\n| NATS | Message broker |\n\n### Databases (20)\n\n| Protocol | Transport | Default Ports |\n|----------|-----------|---------------|\n| PostgreSQL | TCP | 5432 |\n| MySQL | TCP | 3306 |\n| MSSQL | TCP | 1433 |\n| Oracle | TCP | 1521 |\n| MongoDB | TCP | 27017 |\n| Redis | TCP/TLS | 6379, 6380 |\n| Cassandra | TCP | 9042 |\n| InfluxDB | TCP | 8086 |\n| Neo4j | TCP/TLS | 7687 |\n| DB2 | TCP | 446, 50000 |\n| Sybase | TCP | 5000 |\n| Firebird | TCP | 3050 |\n| Memcached | TCP | 11211 |\n| ZooKeeper | TCP | 2181 |\n| Milvus | TCP | 19530, 9091 |\n| CouchDB | HTTP | 5984 |\n| Elasticsearch | HTTP | 9200 |\n| ArangoDB | HTTP | 8529 |\n| ChromaDB | HTTP | 8000 |\n| Pinecone | HTTP | 443 |\n\n### Remote Access (6)\n\n| Protocol | Transport | Default Ports |\n|----------|-----------|---------------|\n| SSH | TCP | 22, 2222 |\n| RDP | TCP/TLS | 3389 |\n| Telnet | TCP | 23 |\n| VNC | TCP | 5900 |\n| AnyDesk | TCP | 7070 |\n| TeamViewer | TCP | 5938 |\n\n### Web \u0026 API (2)\n\n| Protocol | Transport | Notes |\n|----------|-----------|-------|\n| HTTP/HTTPS | TCP | HTTP/2, tech detection via Wappalyzer |\n| Kubernetes | TCP | API server detection |\n\n### Messaging \u0026 Queues (10)\n\n| Protocol | Transport | Default Ports |\n|----------|-----------|---------------|\n| Kafka | TCP/TLS | 9092, 9093 |\n| MQTT 3/5 | TCP/TLS | 1883, 8883 |\n| AMQP | TCP/TLS | 5672, 5671 |\n| ActiveMQ | TCP/TLS | 61616, 61617 |\n| NATS | TCP/TLS | 4222, 6222 |\n| Pulsar | TCP/TLS | 6650, 6651 |\n| SMTP | TCP/TLS | 25, 465, 587 |\n| POP3 | TCP/TLS | 110, 995 |\n| IMAP | TCP/TLS | 143, 993 |\n| SMPP | TCP | 2775, 2776 |\n\n### File \u0026 Directory Services (7)\n\n| Protocol | Transport | Default Ports |\n|----------|-----------|---------------|\n| FTP | TCP | 21 |\n| SMB | TCP | 445 |\n| NFS | TCP/UDP | 2049 |\n| Rsync | TCP | 873 |\n| TFTP | UDP | 69 |\n| SVN | TCP | 3690 |\n| LDAP | TCP/TLS | 389, 636 |\n\n### Network Services (11)\n\n| Protocol | Transport | Default Ports |\n|----------|-----------|---------------|\n| DNS | TCP/UDP | 53 |\n| DHCP | UDP | 67, 68 |\n| NTP | UDP | 123 |\n| SNMP | UDP | 161 |\n| NetBIOS-NS | UDP | 137 |\n| STUN | UDP | 3478 |\n| OpenVPN | UDP | 1194 |\n| IPsec | UDP | 500 |\n| IPMI | UDP | 623 |\n| CoAP | UDP | 5683 |\n| Echo | TCP/UDP | 7 |\n\n### Industrial Control Systems (18)\n\n| Protocol | Transport | Default Ports | Notes |\n|----------|-----------|---------------|-------|\n| Modbus | TCP | 502 | SCADA/PLC |\n| S7comm | TCP | 102 | Siemens PLC |\n| EtherNet/IP | TCP | 44818 | Rockwell/Allen-Bradley |\n| PROFINET | TCP | 34962-34964 | Siemens industrial |\n| BACnet | UDP | 47808 | Building automation |\n| OPC UA | TCP | 4840 | Industrial interop |\n| OMRON FINS | TCP/UDP | 9600 | OMRON PLC |\n| MELSEC-Q | TCP | 5006, 5007 | Mitsubishi PLC |\n| KNXnet/IP | UDP | 3671 | Building automation |\n| IEC 104 | TCP | 2404 | Power grid SCADA |\n| DNP3 | TCP | 20000 | Power grid SCADA |\n| Codesys | TCP | 1200, 2455 | PLC runtime |\n| Fox | TCP | 1911 | Tridium Niagara |\n| PC WORX | TCP | 1962 | Phoenix Contact |\n| ProConOS | TCP | 20547 | PLC runtime |\n| HART-IP | TCP | 5094 | Process automation |\n| EtherCAT | UDP | 34980 | Motion control |\n| Crimson v3 | TCP | 789 | Red Lion HMI |\n| PCOM | TCP | 20256 | Unitronics PLC |\n| GE SRTP | TCP | 18245 | GE PLC |\n| ATG | TCP | 10001 | Tank gauges |\n\n### Telecom \u0026 VoIP (17)\n\n| Protocol | Transport | Default Ports | Notes |\n|----------|-----------|---------------|-------|\n| Diameter | TCP/SCTP | 3868 | LTE/5G AAA |\n| M3UA | SCTP | 2905 | SS7 over IP |\n| M2UA | SCTP | 2904 | MTP2 User Adaptation |\n| M2PA | SCTP | 3565 | MTP2 Peer Adaptation |\n| SGsAP | SCTP | 29118 | Circuit-switched fallback |\n| X2AP | SCTP | 36422 | LTE inter-eNodeB |\n| IUA | SCTP | 9900 | ISDN over IP |\n| SIP | TCP/UDP/TLS | 5060, 5061 | VoIP signaling |\n| MEGACO/H.248 | UDP | 2944, 2945 | Media gateway |\n| MGCP | UDP | 2427, 2727 | Media gateway |\n| H.323 | TCP | 1720 | Video conferencing |\n| SCCP/Skinny | TCP | 2000, 2443 | Cisco IP phones |\n| IAX2 | UDP | 4569 | Asterisk protocol |\n| GTP-C | UDP | 2123 | GPRS control |\n| GTP-U | UDP | 2152 | GPRS user plane |\n| GTP' | UDP | 3386 | GPRS charging |\n| PFCP | UDP | 8805 | 5G user plane |\n\n### VPN \u0026 Security (11)\n\n| Protocol | Transport | Default Ports |\n|----------|-----------|---------------|\n| SSH | TCP | 22, 2222 |\n| OpenVPN | UDP | 1194 |\n| WireGuard | UDP | 51820 |\n| IPsec/IKEv2 | UDP | 500, 4500 |\n| L2TP | UDP | 1701 |\n| SSTP | TCP | 443 |\n| GlobalProtect | HTTP | 443 |\n| AnyConnect | HTTP | 443 |\n| FortiGate | HTTP | 443 |\n| STUN/TURN | UDP | 3478, 5349 |\n| Kerberos | TCP | 88 |\n\n### Remote Access \u0026 Management (10)\n\n| Protocol | Transport | Default Ports |\n|----------|-----------|---------------|\n| RDP | TCP/TLS | 3389 |\n| VNC | TCP | 5900 |\n| Telnet | TCP | 23 |\n| WinRM | HTTP | 5985, 5986 |\n| IPMI | UDP | 623 |\n| SNMP | UDP | 161 |\n| Zabbix Agent | TCP | 10050 |\n| NRPE | TCP/TLS | 5666 |\n| Docker | TCP/TLS | 2375, 2376 |\n| X11 | TCP | 6000-6063 |\n\n### Developer Tools (8)\n\n| Protocol | Transport | Default Ports |\n|----------|-----------|---------------|\n| HTTP/HTTPS | TCP | 80, 443, 8080, 8443 |\n| Java RMI | TCP | 1099 |\n| JDWP | TCP | 5005 |\n| RTSP | TCP | 554 |\n| Linux RPC | TCP | 111 |\n| JetDirect | TCP | 9100 |\n| CUPS/IPP | TCP | 631 |\n| SonarQube | TCP | 9000 |\n\n## Library Usage\n\nImport Nerva into your Go applications:\n\n```go\npackage main\n\nimport (\n    \"context\"\n    \"fmt\"\n    \"log\"\n    \"net/netip\"\n    \"time\"\n\n    \"github.com/praetorian-inc/nerva/pkg/plugins\"\n    \"github.com/praetorian-inc/nerva/pkg/scan\"\n)\n\nfunc main() {\n    // Configure scan\n    config := scan.Config{\n        DefaultTimeout: 2 * time.Second,\n        FastMode:       false,\n        UDP:            false,\n        Proxy:          \"socks5://127.0.0.1:1080\", // optional\n        ProxyAuth:      \"username:password\",       // optional\n        DNSOrder:       \"p\",                       // resolver strategy\n    }\n\n    // Create target\n    ip, _ := netip.ParseAddr(\"93.184.216.34\")\n    target := plugins.Target{\n        Address: netip.AddrPortFrom(ip, 22),\n        Host:    \"example.com\",\n    }\n\n    // Run scan\n    results, err := scan.ScanTargets(context.Background(), []plugins.Target{target}, config)\n    if err != nil {\n        log.Fatal(err)\n    }\n\n    // Process results\n    for _, result := range results {\n        fmt.Printf(\"%s:%d - %s (%s)\\n\",\n            result.Host, result.Port,\n            result.Protocol, result.Transport)\n    }\n}\n```\n\nSee [examples/service-fingerprinting-example.go](examples/service-fingerprinting-example.go) for a complete working example.\n\n## Use Cases\n\n### Penetration Testing\n\nRapidly fingerprint services discovered during reconnaissance to identify potential attack vectors.\n\n### Asset Discovery Pipelines\n\nCombine with Naabu or Masscan for large-scale asset inventory:\n\n```sh\nnaabu -host 10.0.0.0/24 -silent | nerva --json | jq '.protocol'\n```\n\n### CI/CD Security Scanning\n\nIntegrate into deployment pipelines to verify only expected services are exposed.\n\n### Bug Bounty Reconnaissance\n\nQuickly enumerate services across scope targets to find interesting endpoints.\n\n### Telecom Network Analysis\n\nFingerprint Diameter nodes in LTE/5G networks using SCTP transport (Linux):\n\n```sh\nnerva -t mme.telecom.local:3868 -S --json\n```\n\n## Architecture\n\n```mermaid\ngraph LR\n    A[host:port input] --\u003e B[Target Parser]\n    B --\u003e C[Scan Engine]\n    C --\u003e D{Transport}\n    D --\u003e|TCP| E[TCP Plugins]\n    D --\u003e|UDP| F[UDP Plugins]\n    D --\u003e|SCTP| G[SCTP Plugins]\n    E --\u003e H[Service Detection]\n    F --\u003e H\n    G --\u003e H\n    H --\u003e I[Metadata Extraction]\n    I --\u003e J[JSON/CSV/Text Output]\n```\n\n## Why Nerva?\n\n### vs Nmap\n\n- **Smarter defaults**: Nerva checks the most likely protocol first based on port number\n- **Structured output**: Native JSON/CSV support for easy parsing and pipeline integration\n- **Focused**: Service fingerprinting only — pair with dedicated port scanners for discovery\n\n### vs zgrab2\n\n- **Auto-detection**: No need to specify protocol ahead of time\n- **Simpler usage**: `nerva -t host:port` vs `echo host | zgrab2 http -p port`\n\n## Troubleshooting\n\n### No output\n\n**Cause**: Port is closed or no supported service detected.\n\n**Solution**: Verify the port is open:\n\n```sh\nnc -zv example.com 80\n```\n\n### Timeout errors\n\n**Cause**: Default 2-second timeout too short for slow services.\n\n**Solution**: Increase timeout:\n\n```sh\nnerva -t example.com:80 -w 5000  # 5 seconds\n```\n\n### UDP services not detected\n\n**Cause**: UDP scanning disabled by default.\n\n**Solution**: Enable with `-U` flag (may require root):\n\n```sh\nsudo nerva -t example.com:53 -U\n```\n\n### SCTP not working\n\n**Cause**: SCTP only supported on Linux.\n\n**Solution**: Run on a Linux system or container:\n\n```sh\ndocker run --rm nerva -t telecom:3868 -S\n```\n\n## Terminology\n\n- **Service**: A network service running on a port (SSH, HTTP, PostgreSQL, etc.)\n- **Fingerprinting**: Detecting and identifying the service type, version, and configuration\n- **Plugin**: A protocol-specific detection module\n- **Fast Mode**: Scanning only the default port for each protocol (80/20 optimization)\n- **Transport**: Network layer protocol (TCP, UDP, or SCTP)\n\n## Support\n\nIf you find Nerva useful, please consider giving it a star:\n\n[![GitHub stars](https://img.shields.io/github/stars/praetorian-inc/nerva?style=social)](https://github.com/praetorian-inc/nerva)\n\n## Contributing\n\nWe welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.\n\n## License\n\nApache 2.0 — see [LICENSE](LICENSE) for details.\n\n## Acknowledgements\n\nNerva is a maintained fork of [fingerprintx](https://github.com/praetorian-inc/fingerprintx), originally developed by Praetorian's intern class of 2022:\n\n* [Soham Roy](https://github.com/praetorian-sohamroy)\n* [Jue Huang](https://github.com/jue-huang)\n* [Henry Jung](https://github.com/henryjung64)\n* [Tristan Wiesepape](https://github.com/qwetboy10)\n* [Joseph Henry](https://github.com/jwhenry28)\n* [Noah Tutt](https://github.com/noahtutt)\n* [Nathan Sportsman](https://github.com/nsportsman)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpraetorian-inc%2Fnerva","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpraetorian-inc%2Fnerva","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpraetorian-inc%2Fnerva/lists"}