References and resources¶

Support passive fingerprinting, correlation, and enrichment activities within the Fingerprint Forge. This page focuses on datasets, reference material, and internal discipline required to turn raw artefacts into stable identifiers.

Passive datasets and observation sources¶

Large-scale, passive or quasi-passive datasets used for correlation, prevalence analysis, and historical comparison. These are used for lookups and pattern matching, not active discovery.

• Shodan: internet-wide scan data for banners, services, certificates, and metadata

• Censys: structured scan datasets with strong TLS and service fingerprinting support

• Shadowserver public datasets: community-driven measurements and reports

• Common Crawl: large-scale web crawl data, useful for historical UI assets and web fingerprints

• Vendor firmware mirrors and archives (when available): used for version correlation and artefact comparison

These sources are observational. If it requires you to send packets, it is out of scope for the Forge.

Asset hash databases and fingerprint libraries¶

Resources for matching extracted artefacts against known fingerprints. Hashes and signatures are treated as signals, not proof.

• VirusTotal: multi-engine hash lookups and historical context

• TLSH (Trend Micro Locality Sensitive Hash): fuzzy hashing for binaries and firmware

• SSDeep: context-triggered piecewise hashing

• JA3 / JA3S TLS fingerprinting: client and server TLS fingerprint methodology

• HASSH: SSH fingerprinting via handshake characteristics

Hash matches inform hypotheses. They do not end them.

Protocol references for fingerprinting¶

Protocol documentation used to identify stable fields, version markers, optional features, and implementation quirks that can be fingerprinted passively.

• Modbus protocol specifications

• Siemens S7 protocol overview

• OPC UA specifications

• DNP3 protocol overview

• MQTT protocol specification

• HTTP/1.1 specification (RFC 7230–7235)

• UPnP Device Architecture

Focus is on banners and greetings, default headers and ordering, optional capability advertisements, protocol misuse and edge cases

TLS and certificate analysis references¶

TLS artefacts are often the most stable passive identifiers available.

• X.509 certificate structure (RFC 5280)

• OpenSSL documentation

• crt.sh certificate transparency search

Serial numbers, issuer quirks, key reuse, and certificate lifetimes are all fingerprint material.