muki-fingerprint
MUKI asset fingerprinting tool for red team reconnaissance. Use when performing authorized penetration testing, asset discovery, service fingerprinting, vulnerability scanning, and attack surface mapping. Supports active/passive fingerprinting with 30,000+ signatures, sensitive path detection, and sensitive information extraction. Requires explicit authorization for target systems.
Packaged view
This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.
Install command
npx @skill-hub/cli install openclaw-skills-muki-fingerprint
Repository
Skill path: skills/admin4giter/muki-fingerprint
Best for
Primary workflow: Research & Ops.
Technical facets: Full Stack, Security, Testing.
Target audience: everyone.
License: Unknown.
Original source
Catalog source: SkillHub Club.
Repository owner: openclaw.
This is still a mirrored public skill entry. Review the repository before installing into production workflows.
What it helps with
- Install muki-fingerprint into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
- Review https://github.com/openclaw/skills before adding muki-fingerprint to shared team environments
- Use muki-fingerprint for development workflows
Favorites: 0.
Sub-skills: 0.
Aggregator: No.
Original source / Raw SKILL.md
---
name: muki-fingerprint
description: MUKI asset fingerprinting tool for red team reconnaissance. Use when performing authorized penetration testing, asset discovery, service fingerprinting, vulnerability scanning, and attack surface mapping. Supports active/passive fingerprinting with 30,000+ signatures, sensitive path detection, and sensitive information extraction. Requires explicit authorization for target systems.
metadata:
openclaw:
emoji: fingerprint
category: security-assessment
version: 1.0.0
author: OpenClaw
requirements:
- Linux amd64 environment
- Network access to target
- Explicit authorization for targets
allowed-tools: ["Bash"]
---
# MUKI Asset Fingerprinting Tool
MUKI is an active asset fingerprinting tool built for red team operations. It helps security researchers quickly pick out vulnerable systems from unsorted Class C (/24) network segments and large asset lists.
## Prerequisites
- Linux amd64 system
- Network access to target systems
- **Explicit written authorization** for all target systems
## Quick Start
```bash
# Scan single URL
muki -u https://target.com
# Scan multiple URLs from file
muki -l targets.txt
# Scan with proxy
muki -u https://target.com -p socks5://127.0.0.1:1080
# Disable specific modules
muki -u https://target.com -A -N # No active, no directory scan
```
## Command Options
```
-h, --help Show help
-u, --url string Single URL to scan
-l, --list string File containing URLs (one per line)
-o, --output string Output file path
-p, --proxy string Proxy server (http:// or socks5://)
-t, --thread int Number of threads (default: 20, max: 100)
-A, --no-active Disable active fingerprint scanning
-N, --no-dir Disable directory scanning
-x, --no-passive Disable passive fingerprint scanning
```
## Core Modules
### 1. Active Fingerprinting (-A to disable)
Sends protocol-specific probes to identify services with high confidence.
- 300+ active fingerprint rules
- Covers SSH, RDP, web servers, databases
- Protocol-specific probes
### 2. Passive Fingerprinting (-x to disable)
Analyzes response artifacts without additional traffic.
- 30,000+ precision fingerprints
- HTTP headers analysis
- TLS JA3 signatures
- HTML/CMS patterns
- WAF detection
### 3. Sensitive Path Detection (-N to disable)
Checks for high-risk paths using curated dictionaries.
- Admin interfaces (/admin, /manage)
- Config files (.env, config.php)
- Version control (/.git, /.svn)
- Vulnerability endpoints (Actuator, ThinkPHP routes)
- Backup files (.sql, .tar.gz)
### 4. Sensitive Information Extraction
Automatically extracts high-risk information from responses.
**Categories:**
- **Credentials**: Passwords, API keys, JDBC strings
- **Personal Data**: Phone numbers, emails, ID cards
- **Financial**: Bank cards
- **System Info**: Internal IPs, versions
- **Vulnerability Indicators**: ID parameters, redirect URLs
## Output Formats
### JSON Output
```json
{
  "target": "https://example.com",
  "fingerprints": [
    {
      "service": "Apache",
      "version": "2.4.41",
      "confidence": "high"
    }
  ],
  "sensitive_paths": [
    {
      "path": "/admin",
      "status": 200,
      "risk": "high"
    }
  ],
  "sensitive_data": [
    {
      "type": "email",
      "value": "[email protected]",
      "source": "response body"
    }
  ]
}
```
### Excel Output
Structured .xlsx report with multiple sheets:
- Asset inventory
- Service fingerprints
- Sensitive paths
- Extracted data
## Workflow
### Standard Reconnaissance
```bash
# 1. Prepare target list
cat > targets.txt << 'EOF'
https://target1.com
https://target2.com
192.168.1.0/24
EOF
# 2. Run full scan
muki -l targets.txt -o results.json
# 3. Review results
cat results.json | jq '.fingerprints[]'
# 4. Generate Excel report
muki -l targets.txt -o report.xlsx
```
### Stealth Scan (with proxy)
```bash
# Use Tor proxy for anonymity
muki -u https://target.com -p socks5://127.0.0.1:9050
# Or use HTTP proxy
muki -u https://target.com -p http://127.0.0.1:8080
```
### Targeted Scan
```bash
# Fast scan - only passive fingerprinting
muki -u https://target.com -A -N
# Deep scan - all modules
muki -u https://target.com -t 50
```
## Fingerprint Databases
### finger.json (30,000+ fingerprints)
Passive fingerprint database covering:
- Web frameworks (React, Vue, Django, Spring)
- Middleware (Apache, Nginx, IIS, Tomcat)
- CMS (WordPress, Drupal, Joomla)
- WAFs (Cloudflare, ModSecurity, AWS WAF)
- APIs (GraphQL, REST, SOAP)
- Known vulnerabilities (CVE signatures)
### active_finger.json (300+ rules)
Active probing rules for:
- Web servers
- Databases (MySQL, PostgreSQL, MongoDB)
- Remote access (SSH, RDP, Telnet)
- Services (Redis, Elasticsearch, Docker)
### Rules.yml
Sensitive information extraction rules organized by groups:
- **疑似漏洞** (Vulnerability Indicators): ID parameters (SQLi indicators)
- **指纹信息** (Fingerprinting): URL redirects, sensitive paths
- **敏感信息** (Sensitive Data): Passwords, accounts, JDBC strings
- **基础信息** (Personal Information): Emails, ID cards, phones, bank cards
## Best Practices
### 1. Authorization
- Always obtain written authorization before scanning
- Define scope clearly (IPs, domains, time windows)
- Respect rate limits and business hours
### 2. Stealth
- Use proxies for external targets
- Adjust thread count to avoid detection
- Consider using -A -N for passive-only recon
### 3. Data Handling
- Store results securely
- Encrypt sensitive findings
- Limit access to authorized personnel only
- Delete data after engagement ends
### 4. False Positive Reduction
- Cross-reference findings with manual verification
- Use multiple detection methods
- Check context of extracted sensitive data
## Legal and Ethical Considerations
**WARNING**: This tool is for authorized security testing only.
- Unauthorized scanning may violate laws (CFAA, Computer Misuse Act, etc.)
- Only use on systems you own or have explicit permission to test
- Extracting sensitive data without authorization is illegal
- Report findings responsibly through proper channels
## Integration
### With Other Tools
```bash
# Chain with nuclei for vulnerability scanning
cat muki_output.txt | nuclei -t cves/
# Import to Burp Suite
cat results.json | jq -r '.sensitive_paths[].path' > burp_scope.txt
# Feed to SQLMap for SQL injection testing
cat results.json | jq -r '.vulnerable_params[]' | sqlmap -m -
```
## Troubleshooting
### High Memory Usage
- Reduce thread count: `-t 10`
- Scan in smaller batches
- Disable passive fingerprinting: `-x`
### False Positives
- Verify findings manually
- Check rule specificity in Rules.yml
- Adjust confidence thresholds
### Connection Issues
- Check proxy configuration
- Verify network connectivity
- Increase timeout values
## References
- Original Repository: https://github.com/yingfff123/MUKI
- Fingerprint Databases: See references/finger.json, active_finger.json
- Extraction Rules: See references/Rules.yml
## License
MIT License - See original repository for details.
---
## Skill Companion Files
> Additional files collected from the skill directory layout.
### _meta.json
```json
{
  "owner": "admin4giter",
  "slug": "muki-fingerprint",
  "displayName": "MUKI Asset Fingerprinting",
  "latest": {
    "version": "1.0.0",
    "publishedAt": 1771607044699,
    "commit": "https://github.com/openclaw/skills/commit/a858bb15fdcfcce03faa8372b84d658198fc5046"
  },
  "history": []
}
```
### references/Rules.yml
```yaml
rules:
- group: 疑似漏洞
  rule:
  - name: GET 明文id
    loaded: true
    f_regex: (\b(?<!_)(id|\w+id)=(\d{2,15})\b(?![-_\\/]))
    s_regex: ''
    format: '{0}'
    color: green
    scope: request line
    engine: nfa
    sensitive: false
  - name: GET JSON id
    loaded: true
    f_regex: ((?:'|")?([a-zA-Z_]*[iI][dD])(?:'|")?\s*:\s*(?:'|"?)(\d{2,15})(?![a-zA-Z0-9_\\/-])(?:'|")?|\s*(\d{2,15})(?![a-zA-Z0-9_\\/-])))
    s_regex: ''
    format: '{0}'
    color: green
    scope: request line
    engine: nfa
    sensitive: false
  - name: GET JSON编码 id
    loaded: true
    f_regex: ((?:%22|%27)?([a-zA-Z_]*id[a-zA-Z0-9.]*)(?:%22|%27)?\s*(?:%3A|:)\s*(?:%22|%27)?(\d{2,15})(?!([a-zA-Z0-9_\\/-]))(?:%22|%27)?)
    s_regex: ''
    format: '{0}'
    color: green
    scope: request line
    engine: nfa
    sensitive: false
  - name: POST 明文id
    loaded: true
    f_regex: (\b(?<!_)(id|\w+id)=(\d{2,15})\b(?![-_\\/]))
    s_regex: ''
    format: '{0}'
    color: green
    scope: request body
    engine: nfa
    sensitive: false
  - name: POST JSON id
    loaded: true
    f_regex: ((?:'|")?([a-zA-Z_]*[iI][dD])(?:'|")?\s*:\s*(?:'|"?)(\d{2,15})(?![a-zA-Z0-9_\\/-])(?:'|")?|\s*(\d{2,15})(?![a-zA-Z0-9_\\/-])))
    s_regex: ''
    format: '{0}'
    color: green
    scope: request body
    engine: nfa
    sensitive: false
  - name: POST JSON编码 id
    loaded: true
    f_regex: ((?:%22|%27)?([a-zA-Z_]*id[a-zA-Z0-9.]*)(?:%22|%27)?\s*(?:%3A|:)\s*(?:%22|%27)?(\d{2,15})(?!([a-zA-Z0-9_\\/-]))(?:%22|%27)?)
    s_regex: ''
    format: '{0}'
    color: green
    scope: request body
    engine: nfa
    sensitive: false
- group: 指纹信息
  rule:
  - name: url跳转参数
    loaded: true
    f_regex: ((?<=[?&])(goto|redirect_to|redirect_url|jump_to|to|target|jump|returnUrl|redirect|url|forward_url|continue|u|link|domain|link_to|next|r)(=))
    s_regex: ''
    format: '{0}'
    color: red
    scope: request line
    engine: nfa
    sensitive: false
  - name: 敏感路径
    loaded: true
    f_regex: ((\/)(?:admin|manage|manager|system|newconsole|console|dashboard|newoa)([\w\/\\#]*?(?=[^\w\/\\#]))|(?:\b|\B)(admin|manage|manager|system|newconsole|console|dashboard|newoa)[\w#\\\/]*?\/[\w#\\\/]*?(?=[^\w#\\\/]|$))
    s_regex: ''
    format: '{0}'
    color: yellow
    scope: response body
    engine: nfa
    sensitive: false
- group: 敏感信息
  rule:
  - name: 密码
    loaded: true
    f_regex: ((|'|")([p](ass|wd|asswd|assword))(|'|")(:|=)( |)('|")(.*?)('|")(|,))
    s_regex: ''
    format: '{0}'
    color: red
    scope: response body
    engine: nfa
    sensitive: false
  - name: 账号
    loaded: true
    f_regex: ((|'|")(([u](ser|name|ame|sername))|(account))(|'|")(:|=)( |)('|")(.*?)('|")(|,))
    s_regex: ''
    format: '{0}'
    color: yellow
    scope: response body
    engine: nfa
    sensitive: false
  - name: JDBC
    loaded: true
    f_regex: (jdbc:[a-z:]+://[a-z0-9.\-_:;=/@?,&]+)
    s_regex: ''
    format: '{0}'
    color: red
    scope: any
    engine: nfa
    sensitive: false
- group: 基础信息
  rule:
  - name: 邮箱
    loaded: true
    f_regex: (([a-z0-9][_|\.])*[a-z0-9]+@([a-z0-9][-_|\.])*[a-z0-9]+\.((?!js|css|jpg|jpeg|png|ico)[a-z]{2,}))
    s_regex: ''
    format: '{0}'
    color: yellow
    scope: response body
    engine: nfa
    sensitive: false
  - name: 身份证
    loaded: true
    f_regex: ((?:身份证|身份证号|身份证号码|idcard|id|identity|card)\s*[:=:]\s*)((?:1[1-5]|2[1-3]|3[1-7]|4[1-6]|5[0-4]|6[1-5]|7[1]|8[1-2]|9[1-3])(?:18|19|20)?\d{2}(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])(?:\d{3}[\dXx]|\d{3}))(?:\s|"|'|\}>|\]|,|\.|\?|!|;|:|$|\\/|\\|\(|\[\{|\<)
    s_regex: ''
    format: '{0}'
    color: red
    scope: response body
    engine: nfa
    sensitive: true
  - name: 电话号
    loaded: true
    f_regex: ((?:电话|手机号|电话号码|手机|phone|mobile|tel|telephone)\s*[:=:]\s*)((?:(?:\+|00)86)?1[3-9]\d{9})(?![\d/-])(?:[\s\"'<>{}\[\]()/\\.,;:!?]|$)
    s_regex: ''
    format: '{0}'
    color: yellow
    scope: response body
    engine: nfa
    sensitive: true
  - name: 银行卡号
    loaded: true
    f_regex: ((?:银行卡|银行卡号|bank|card)\s*[:=:]\s*)((?:4\d{12}(?:\d{3})?|5[1-5]\d{14}|3[47]\d{13}|6(?:011|5\d{2}|22\d{12})\d{12}|62\d{14,17})(?:\d{3})?)(?:\s|"|'|\}>|\]|,|\.|\?|!|;|:|$|\\/|\\|\(|\[\{|\<)
    s_regex: ''
    format: '{0}'
    color: red
    scope: response body
    engine: nfa
    sensitive: true
  - name: 车牌号
    loaded: true
    f_regex: ([京津沪渝冀豫云辽黑湘皖鲁新苏浙赣鄂桂甘晋蒙陕吉闽贵粤青藏川宁琼使领][A-HJ-NP-Z][A-HJ-NP-Z0-9]{4,5}[A-HJ-NP-Z0-9挂学警港澳])
    s_regex: ''
    format: '{0}'
    color: yellow
    scope: response body
    engine: nfa
    sensitive: true
```
### references/active_finger精简.json
```json
{
  "active_fingerprint": [
    {
      "cms": "Druid监控面板",
      "path": "/druid",
      "method": "GET",
      "headers": {},
      "body": "",
      "match": {
        "status_code": [200, 302],
        "keyword": ["druid", "Druid", "监控面板"],
        "location": "body",
        "match_type": "keyword"
      }
    },
    {
      "cms": "Nacos",
      "path": "/nacos",
      "method": "GET",
      "headers": {},
      "body": "",
      "match": {
        "status_code": [200, 302],
        "keyword": ["nacos", "Nacos", "NACOS"],
        "location": "body",
        "match_type": "keyword"
      }
    },
    {
      "cms": "XXL-Job",
      "path": "/xxl-job-admin",
      "method": "GET",
      "headers": {},
      "body": "",
      "match": {
        "status_code": [200, 302],
        "keyword": ["xxl-job", "XXL-Job", "任务调度"],
        "location": "body",
        "match_type": "keyword"
      }
    },
    {
      "cms": "GeoServer",
      "path": "/geoserver",
      "method": "GET",
      "headers": {},
      "body": "",
      "match": {
        "status_code": [200, 302],
        "keyword": ["GeoServer", "geoserver", "OpenGIS"],
        "location": "body",
        "match_type": "keyword"
      }
    },
    {
      "cms": "Spring Boot Actuator Health",
      "path": "/actuator/health",
      "method": "GET",
      "headers": {},
      "body": "",
      "match": {
        "status_code": [200],
        "keyword": ["UP", "{\"status\":\"UP\""],
        "location": "body",
        "match_type": "keyword"
      }
    },
    {
      "cms": "Spring Boot Actuator Info",
      "path": "/actuator/info",
      "method": "GET",
      "headers": {},
      "body": "",
      "match": {
        "status_code": [200],
        "keyword": ["build", "version", "name"],
        "location": "body",
        "match_type": "keyword"
      }
    },
    {
      "cms": "Spring Boot Actuator",
      "path": "/actuator/health",
      "method": "GET",
      "headers": {},
      "body": "",
      "match": {
        "status_code": [200],
        "keyword": ["{\"status\":\"UP\"}", "{\"status\":\"DOWN\"}"],
        "location": "body",
        "match_type": "keyword"
      }
    },
    {
      "cms": "Zabbix",
      "path": "/zabbix",
      "method": "GET",
      "headers": {},
      "body": "",
      "match": {
        "status_code": [200, 302],
        "keyword": ["Zabbix", "zabbix", "监控系统"],
        "location": "body",
        "match_type": "keyword"
      }
    },
    {
      "cms": "WebLogic",
      "path": "/console",
      "method": "GET",
      "headers": {},
      "body": "",
      "match": {
        "status_code": [200, 302, 401],
        "keyword": ["WebLogic", "weblogic", "控制台"],
        "location": "body",
        "match_type": "keyword"
      }
    },
    {
      "cms": "JBoss",
      "path": "/web-console",
      "method": "GET",
      "headers": {},
      "body": "",
      "match": {
        "status_code": [200, 302, 401],
        "keyword": ["JBoss", "jboss", "管理控制台"],
        "location": "body",
        "match_type": "keyword"
      }
    }
  ]
}
```
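Seen from the defending side, the rules above produce a recognisable request pattern: one client asking for several of these management paths within seconds. The following added example (not part of MUKI or the original skill files) flags that pattern in a web access log. The Common Log Format input, the 60-second window, the four-path threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Probe paths taken from the active fingerprint rules listed above.
PROBE_PATHS = {
    "/druid", "/nacos", "/xxl-job-admin", "/geoserver", "/actuator/health",
    "/actuator/info", "/zabbix", "/console", "/web-console",
}
# Common Log Format prefix: ip ident user [time] "METHOD path PROTO" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" \d{3}'
)
# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:00:01 +0000] "GET /druid HTTP/1.1" 404 153
203.0.113.7 - - [12/Mar/2025:10:00:01 +0000] "GET /nacos HTTP/1.1" 404 153
203.0.113.7 - - [12/Mar/2025:10:00:02 +0000] "GET /xxl-job-admin HTTP/1.1" 404 153
203.0.113.7 - - [12/Mar/2025:10:00:02 +0000] "GET /geoserver/ HTTP/1.1" 404 153
203.0.113.7 - - [12/Mar/2025:10:00:03 +0000] "GET /actuator/health HTTP/1.1" 200 15
198.51.100.20 - - [12/Mar/2025:10:00:00 +0000] "GET /actuator/health HTTP/1.1" 200 15
192.0.2.33 - - [12/Mar/2025:10:00:00 +0000] "GET /console HTTP/1.1" 302 0
192.0.2.33 - - [12/Mar/2025:10:10:00 +0000] "GET /zabbix HTTP/1.1" 302 0
192.0.2.33 - - [12/Mar/2025:10:20:00 +0000] "GET /druid HTTP/1.1" 404 153
192.0.2.33 - - [12/Mar/2025:10:30:00 +0000] "GET /nacos?x=1 HTTP/1.1" 404 153
""".splitlines()


def parse(line):
    """Return (ip, timestamp, normalised path), or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0].rstrip("/") or "/"
    return m["ip"], ts, path


def find_sweeps(lines, window=timedelta(seconds=60), min_paths=4):
    """Map client IP -> probe paths, for clients that requested at least
    min_paths distinct probe paths inside one sliding time window."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec[2] in PROBE_PATHS:
            hits[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        burst, start = set(), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            seen = {path for _, path in events[start:end + 1]}
            if len(seen) >= min_paths:
                burst |= seen
        if burst:
            flagged[ip] = sorted(burst)
    return flagged

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG))
```

A monitoring client that polls only `/actuator/health` and a client that touches the same paths minutes apart both stay below the threshold; lowering the thread count or spreading requests over time is exactly what the window parameter has to be tuned against.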
### references/quick-reference.md
```markdown
# MUKI Quick Reference
## Common Use Cases
### 1. Single Target Assessment
```bash
muki-fingerprint -u https://target.com -o result.json
```
### 2. Batch Scanning
```bash
# Create target list
cat > targets.txt << 'EOF'
https://target1.com
https://target2.com
192.168.1.10
192.168.1.11
EOF
# Scan all
muki-fingerprint -l targets.txt -o batch_results.json
```
### 3. Anonymous Scanning (via Tor)
```bash
# Ensure Tor is running on port 9050
muki-fingerprint -u https://target.com -p socks5://127.0.0.1:9050
```
### 4. Stealth / Low Impact
```bash
# Passive only, no active probes
muki-fingerprint -u https://target.com --no-active --no-dir
# Reduce threads
muki-fingerprint -u https://target.com -t 5
```
### 5. Comprehensive Assessment
```bash
# Full scan with increased threads
muki-fingerprint -u https://target.com -t 50 -o full_report.xlsx
```
## Output Processing
### JSON Analysis
```bash
# Extract fingerprints
cat results.json | jq '.fingerprints[] | {service: .service, version: .version}'
# Find sensitive paths
cat results.json | jq '.sensitive_paths[] | select(.status == 200)'
# Count findings by type
cat results.json | jq '[.sensitive_data[].type] | group_by(.) | map({type: .[0], count: length})'
```
### Excel Export
Results exported as .xlsx include:
- Summary sheet with statistics
- Assets sheet with all targets
- Fingerprints sheet with identified services
- Paths sheet with accessible endpoints
- Data sheet with extracted sensitive information
## Fingerprint Categories
### Web Technologies
- Frameworks: React, Angular, Vue, Django, Spring, Laravel
- Servers: Apache, Nginx, IIS, Tomcat, Jetty
- CMS: WordPress, Drupal, Joomla, Magento
- WAF: Cloudflare, ModSecurity, AWS WAF, Imperva
### Databases
- MySQL, PostgreSQL, MongoDB, Redis, Elasticsearch
- Oracle, MSSQL, SQLite
### Infrastructure
- Docker, Kubernetes, VMWare
- AWS, Azure, GCP services
- CDN: Cloudflare, Akamai, Fastly
## Sensitive Path Patterns
### Admin Panels
```
/admin
/manage
/manager
/system
/console
/dashboard
/phpmyadmin
```
### Configuration
```
/.env
/config.php
/web.config
/settings.py
```
### Version Control
```
/.git
/.svn
/.hg
/.bzr
```
### Backup Files
```
/backup.sql
/database.tar.gz
/www.zip
/site.bak
```
### API Endpoints
```
/api/v1
/swagger
/actuator
/graphql
```
## Rule Categories
### 疑似漏洞 (Vulnerability Indicators)
- ID parameters (potential SQL injection)
- JSON ID parameters
- Redirect parameters (open redirect)
### 指纹信息 (Fingerprinting)
- URL redirect parameters
- Sensitive admin paths
- Technology indicators
### 敏感信息 (Sensitive Data)
- Password patterns
- Account credentials
- Database connection strings (JDBC)
### 基础信息 (Personal Information)
- Email addresses
- Chinese ID numbers
- Phone numbers
- Bank card numbers
- License plates
## Performance Tuning
### Memory Usage
- Default: ~500MB for 1000 targets
- Reduce with: `-t 10` and batch scanning
### Network Bandwidth
- Active scanning: ~50KB per target
- Passive scanning: ~10KB per target
### Scan Speed
- Default threads (20): ~50 targets/minute
- Max threads (100): ~200 targets/minute
- Tor proxy: ~10 targets/minute
## Integration Examples
### With Nmap
```bash
# Port scan first, then fingerprint
nmap -p- target.com -oG - | awk '/Up$/ {print $2}' > targets.txt
muki-fingerprint -l targets.txt
```
### With Nuclei
```bash
# Use MUKI to find targets, Nuclei for CVEs
muki-fingerprint -l targets.txt -o muki.json
cat muki.json | jq -r '.fingerprints[] | select(.service == "WordPress") | .target' | nuclei -t cves/
```
### With Metasploit
```bash
# Import services to Metasploit
muki-fingerprint -l targets.txt -o muki.json
cat muki.json | jq -r '.fingerprints[] | "\(.target) \(.service) \(.version)"' >> msf_targets.txt
```
## Troubleshooting
### "Connection refused"
- Check if target is reachable: `curl -I https://target.com`
- Verify proxy settings
### "Out of memory"
- Reduce thread count: `-t 10`
- Process targets in smaller batches
### False positives
- Manually verify findings
- Check context of extracted data
- Review Rules.yml for pattern specificity
### Slow scan
- Increase threads: `-t 50`
- Disable passive fingerprinting if not needed: `-x`
- Check network latency to target
```