MUKI Asset Fingerprinting Tool

MUKI is an active asset fingerprinting tool built for red team operations. It enables security researchers to rapidly pinpoint vulnerable systems from chaotic C-class segments and massive asset lists.

Prerequisites

• Linux amd64 system
• Network access to target systems
• Explicit written authorization for all target systems

Quick Start

# Scan single URL
muki -u https://target.com

# Scan multiple URLs from file
muki -l targets.txt

# Scan with proxy
muki -u https://target.com -p socks5://127.0.0.1:1080

# Disable specific modules
muki -u https://target.com -A -N  # No active, no directory scan

Command Options

-h, --help            Show help
-u, --url string      Single URL to scan
-l, --list string     File containing URLs (one per line)
-o, --output string   Output file path
-p, --proxy string    Proxy server (http:// or socks5://)
-t, --thread int      Number of threads (default: 20, max: 100)
-A, --no-active       Disable active fingerprint scanning
-N, --no-dir          Disable directory scanning  
-x, --no-passive      Disable passive fingerprint scanning

Core Modules

1. Active Fingerprinting (-A to disable)

Sends protocol-specific probes to identify services with high confidence. - 300+ active fingerprint rules - Covers SSH, RDP, web servers, databases - Protocol-specific probes

2. Passive Fingerprinting (-x to disable)

Analyzes response artifacts without additional traffic. - 30,000+ precision fingerprints - HTTP headers analysis - TLS JA3 signatures - HTML/CMS patterns - WAF detection

3. Sensitive Path Detection (-N to disable)

Checks for high-risk paths using curated dictionaries. - Admin interfaces (/admin, /manage) - Config files (.env, config.php) - Version control (/.git, /.svn) - Vulnerability endpoints (Actuator, ThinkPHP routes) - Backup files (.sql, .tar.gz)

4. Sensitive Information Extraction

Automatically extracts high-risk information from responses.

Categories: - Credentials: Passwords, API keys, JDBC strings - Personal Data: Phone numbers, emails, ID cards - Financial: Bank cards - System Info: Internal IPs, versions - Vulnerability Indicators: ID parameters, redirect URLs

Output Formats

JSON Output

{
  "target": "https://example.com",
  "fingerprints": [
    {
      "service": "Apache",
      "version": "2.4.41",
      "confidence": "high"
    }
  ],
  "sensitive_paths": [
    {
      "path": "/admin",
      "status": 200,
      "risk": "high"
    }
  ],
  "sensitive_data": [
    {
      "type": "email",
      "value": "[email protected]",
      "source": "response body"
    }
  ]
}

Excel Output

Structured .xlsx report with multiple sheets: - Asset inventory - Service fingerprints - Sensitive paths - Extracted data

Workflow

Standard Reconnaissance

# 1. Prepare target list
cat > targets.txt << 'EOF'
https://target1.com
https://target2.com
192.168.1.0/24
EOF

# 2. Run full scan
muki -l targets.txt -o results.json

# 3. Review results
cat results.json | jq '.fingerprints[]'

# 4. Generate Excel report
muki -l targets.txt -o report.xlsx

Stealth Scan (with proxy)

# Use Tor proxy for anonymity
muki -u https://target.com -p socks5://127.0.0.1:9050

# Or use HTTP proxy
muki -u https://target.com -p http://127.0.0.1:8080

Targeted Scan

# Fast scan - only passive fingerprinting
muki -u https://target.com -A -N

# Deep scan - all modules
muki -u https://target.com -t 50

Fingerprint Databases

finger.json (30,000+ fingerprints)

Passive fingerprint database covering: - Web frameworks (React, Vue, Django, Spring) - Middleware (Apache, Nginx, IIS, Tomcat) - CMS (WordPress, Drupal, Joomla) - WAFs (Cloudflare, ModSecurity, AWS WAF) - APIs (GraphQL, REST, SOAP) - Known vulnerabilities (CVE signatures)

active_finger.json (300+ rules)

Active probing rules for: - Web servers - Databases (MySQL, PostgreSQL, MongoDB) - Remote access (SSH, RDP, Telnet) - Services (Redis, Elasticsearch, Docker)

Rules.yml

Sensitive information extraction rules organized by groups: - 疑似漏洞: ID parameters (SQLi indicators) - 指纹信息: URL redirects, sensitive paths - 敏感信息: Passwords, accounts, JDBC strings - 基础信息: Emails, ID cards, phones, bank cards

Best Practices

1. Authorization

• Always obtain written authorization before scanning
• Define scope clearly (IPs, domains, time windows)
• Respect rate limits and business hours

2. Stealth

• Use proxies for external targets
• Adjust thread count to avoid detection
• Consider using -A -N for passive-only recon

3. Data Handling

• Store results securely
• Encrypt sensitive findings
• Limit access to authorized personnel only
• Delete data after engagement ends

4. False Positive Reduction

• Cross-reference findings with manual verification
• Use multiple detection methods
• Check context of extracted sensitive data

Legal and Ethical Considerations

WARNING: This tool is for authorized security testing only.

• Unauthorized scanning may violate laws (CFAA, Computer Misuse Act, etc.)
• Only use on systems you own or have explicit permission to test
• Extracting sensitive data without authorization is illegal
• Report findings responsibly through proper channels

Integration

With Other Tools

# Chain with nuclei for vulnerability scanning
cat muki_output.txt | nuclei -t cves/

# Import to Burp Suite
cat results.json | jq -r '.sensitive_paths[].path' > burp_scope.txt

# Feed to SQLMap for SQL injection testing
cat results.json | jq -r '.vulnerable_params[]' | sqlmap -m -

Troubleshooting

High Memory Usage

• Reduce thread count: -t 10
• Scan in smaller batches
• Disable passive fingerprinting: -x

False Positives

• Verify findings manually
• Check rule specificity in Rules.yml
• Adjust confidence thresholds

Connection Issues

• Check proxy configuration
• Verify network connectivity
• Increase timeout values

References

• Original Repository: https://github.com/yingfff123/MUKI
• Fingerprint Databases: See references/finger.json, active_finger.json
• Extraction Rules: See references/Rules.yml

License

MIT License - See original repository for details.