Intrigue-ident: Multi-Protocol Fingerprinting with Built-in CVE Mapping

Hook

Most fingerprinting tools stop at HTTP headers, but intrigue-ident speaks Oracle T3, SAP NI, and Cisco Smart Install protocols—then automatically maps findings to known CVEs.

Context

Service fingerprinting has historically been fragmented across protocol boundaries. Nmap excels at network-level identification, web scanners focus on HTTP/HTTPS, and specialized tools handle individual protocols like SSH or SMTP. Security teams needed to chain multiple tools together, correlate results manually, and then cross-reference identified software against vulnerability databases—a tedious, error-prone workflow that slowed down reconnaissance and vulnerability assessment.

Intrigue-ident emerged from Intrigue.io's security platform to solve this consolidation problem. Rather than building yet another HTTP-only fingerprinting tool, the team created a multi-protocol engine that could identify everything from web servers and databases to obscure enterprise protocols, all while automatically mapping findings to CPE identifiers and CVEs. The goal was simple: give security practitioners a single library that could fingerprint an entire network infrastructure and immediately contextualize findings with vulnerability data.

Technical Insight

At its core, intrigue-ident uses a dual-library approach for network communication. Typhoeus, a libcurl-backed HTTP client, handles web protocols with parallel request support, while Socketry manages raw TCP/UDP sockets for protocols like Oracle T3, SAP Network Interface, and various database services. This architectural split allows the tool to maintain high performance for HTTP-heavy workloads while supporting exotic protocols that require custom packet construction.

The fingerprinting engine revolves around a check system where each signature is a Ruby hash defining match conditions. Here's a simplified example of how a check identifies Apache Tomcat:

{
  :type => "fingerprint",
  :category => "application",
  :tags => ["COTS", "Web Server"],
  :vendor => "Apache",
  :product => "Tomcat",
  :references => ["https://tomcat.apache.org"],
  # Each entry is one match condition; the engine evaluates all of them.
  :version_detection => [
    {
      # Look in the response body and pull the version out of the <title>.
      :type => "content_body",
      :match_type => :content_body,
      :match_content => /<title>Apache Tomcat\/([\d\.]+)<\/title>/i,
      # Called with the matched content; capture group 1 is the version string.
      :dynamic_version => lambda { |x| x.match(/<title>Apache Tomcat\/([\d\.]+)<\/title>/i)[1] }
    },
    {
      # Look for the Coyote connector banner in the HTTP response headers.
      :type => "content_headers",
      :match_type => :content_headers,
      :match_details => "Server: Apache-Coyote"
    }
  ],
  :inference => true
}

Notice the multiple match conditions combined within a single check. The engine evaluates both page content and HTTP headers, using regex patterns for version extraction. The dynamic_version lambda captures version numbers directly from matched content, avoiding brittle static version lists. This approach scales better than maintaining thousands of individual version signatures.

The match engine supports six primary match types: content_body (HTML/text content), content_title (page titles), content_headers (HTTP response headers), content_cookies (cookie names and values), content_code (HTTP status codes), and protocol-specific matches for non-HTTP services. Each check can specify multiple conditions that must all succeed (AND logic) or define alternative detection paths.
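To make the check evaluation concrete, here is an added example (not intrigue-ident's own code) that runs a check hash of the shape shown above against a constructed HTTP response using the AND logic the text describes; the `Response` struct and the `target_for`, `condition_matches?` and `run_check` names are assumptions of this illustration.

```ruby
# Constructed stand-in for an HTTP response (body, headers hash, status code).
Response = Struct.new(:body, :headers, :code)

# The Tomcat check from the article, trimmed to the fields the evaluator reads.
TOMCAT_CHECK = {
  :vendor => "Apache",
  :product => "Tomcat",
  :version_detection => [
    { :match_type => :content_body,
      :match_content => /<title>Apache Tomcat\/([\d\.]+)<\/title>/i,
      :dynamic_version => lambda { |x| x.match(/<title>Apache Tomcat\/([\d\.]+)<\/title>/i)[1] } },
    { :match_type => :content_headers,
      :match_details => "Server: Apache-Coyote" }
  ]
}

# Select the slice of the response that a given match type inspects.
def target_for(resp, match_type)
  case match_type
  when :content_body    then resp.body.to_s
  when :content_title   then resp.body.to_s[/<title>(.*?)<\/title>/im, 1].to_s
  when :content_headers then resp.headers.map { |k, v| "#{k}: #{v}" }.join("\n")
  when :content_code    then resp.code.to_s
  else ""
  end
end

# A condition hits if its regex (:match_content) or literal (:match_details) is found.
def condition_matches?(cond, resp)
  text = target_for(resp, cond[:match_type])
  return !!(text =~ cond[:match_content]) if cond[:match_content]
  text.include?(cond[:match_details].to_s)
end

# AND logic: every condition must succeed, otherwise nil. On success the
# version comes from the first condition that carries a dynamic_version lambda.
def run_check(check, resp)
  conds = check[:version_detection]
  return nil unless conds.all? { |c| condition_matches?(c, resp) }
  with_version = conds.find { |c| c[:dynamic_version] }
  version = with_version && with_version[:dynamic_version].call(target_for(resp, with_version[:match_type]))
  { :vendor => check[:vendor], :product => check[:product], :version => version }
end
```

A response that carries the Coyote header but a different title yields nil rather than a partial fingerprint, which is the behaviour that keeps false positives down.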

For non-HTTP protocols, intrigue-ident sends protocol-specific probes and analyzes raw responses. Here's how it identifies Oracle WebLogic's T3 protocol:

require 'socket'
require 'timeout'

# Send a WebLogic T3 handshake probe and parse the version out of the HELO reply.
# Returns nil when the port does not answer in T3 (or does not answer at all).
def check_t3_protocol(host, port, timeout = 5)
  response = nil
  socket = nil
  Timeout.timeout(timeout) do
    socket = TCPSocket.new(host, port)
    probe = "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"
    socket.write(probe)
    # readpartial returns as soon as data arrives instead of blocking for a full 256 bytes
    response = socket.readpartial(256)
  end

  if response =~ /HELO:([\d\.]+)/
    version = $1
    return {
      :vendor => "Oracle",
      :product => "WebLogic",
      :version => version,
      :protocol => "T3"
    }
  end
  nil
rescue Timeout::Error, SystemCallError, EOFError
  nil
ensure
  socket.close if socket
end

This raw socket approach enables fingerprinting of proprietary protocols that lack HTTP interfaces. The tool includes similar probes for SMB, SMTP, IMAP, POP3, Redis, MongoDB, Elasticsearch, and others—basically any service that responds to network queries with identifiable data.

What sets intrigue-ident apart is its integrated CPE and CVE mapping. After identifying software, it automatically generates Common Platform Enumeration (CPE) strings like cpe:2.3:a:apache:tomcat:9.0.1:*:*:*:*:*:*:* and queries CVE databases to return known vulnerabilities. This happens in-memory during fingerprinting, not as a separate post-processing step. For security workflows, this means reconnaissance immediately produces actionable vulnerability intelligence rather than just software inventory lists.

The library exposes both a command-line interface and a Ruby API for embedding into larger applications. The CLI tool accepts targets via command line and outputs JSON or text reports, while the API lets you integrate fingerprinting into custom security tools. Intrigue's own platform uses this embedded approach, calling fingerprinting functions during network reconnaissance phases and feeding results into vulnerability assessment pipelines. The modular design makes it straightforward to add custom checks or extend protocol support, though the unmaintained status means you're on your own for adding modern software signatures.

Gotcha

The elephant in the room is maintenance status. Intrigue-ident hasn't received meaningful updates since October 2021, and was re-licensed under Mandiant's Limited Open Source License after Mandiant acquired Intrigue. This license restricts commercial use and derivative works more than the original BSD license, effectively closing it to community contributions. For a fingerprinting tool, staleness is particularly problematic—software versions released after 2021 won't be detected accurately, and modern application frameworks may have changed response patterns that invalidate existing signatures.

Protocol coverage also reveals practical limitations. While 20+ protocols sounds comprehensive, many modern cloud-native services aren't included. No Kubernetes API fingerprinting, no GraphQL endpoint detection, no gRPC service identification. The tool reflects security priorities circa 2018-2021, focused on traditional enterprise infrastructure rather than containerized or serverless architectures. If you're primarily assessing cloud-native environments, intrigue-ident will miss significant attack surface. Additionally, the Ruby runtime and native extension dependencies (libcurl for Typhoeus) can create installation headaches on some systems, particularly when dealing with SSL/TLS library mismatches or outdated Ruby versions.

Verdict

Use if: You need multi-protocol service fingerprinting with immediate CVE context, work primarily with traditional infrastructure (databases, web servers, enterprise protocols), can validate fingerprint accuracy against known-good test environments, and are comfortable maintaining or forking unmaintained code. It's particularly valuable if you're already building Ruby-based security tools and want embeddable fingerprinting without reinventing protocol handling. Skip if: You require up-to-date signatures for software released after 2021, need active community support and regular updates, want standard open-source licensing for commercial use, or focus on cloud-native architectures where protocol coverage is incomplete. For production security assessments, consider actively maintained alternatives like Nuclei or supplement with Nmap NSE scripts to ensure fingerprint accuracy.