This method allows you to interrogate Fingerbank with different network patterns (DHCP informations, HTTP+UPnP User-Agents, MAC address, etc) and obtain the device that matches the most those attributes. It will also provide a confidence level (score) on a scale of 100 for the patterns you provided.
Providing more attributes will provide more accurate matching with a higher score. See the following page for a detailed example.
The score is based on a scale of 0 to 100 and represents the confidence level Fingerbank has on the result it is providing (device and version)
The score is computed by passing the attributes through all the patterns known by Fingerbank. Once all the patterns have been extracted, they are put together by which device that pattern matches. Fingerbank then analyses which device has the strongest patterns (for example matching DHCP informations has more weight than an HTTP User-Agent since the latest is easily spoofable).
Once it has found the device with the strongest matching patterns, it weights the score using the following rules:
Code | Description |
---|---|
401 | This request is unauthorized. Either your key is invalid or wasn't specified. |
403 | This request is forbidden. Your account may have been blocked. |
429 | The amount of requests per minute has been exceeded. All accounts (even the unlimited ones) are rate limited to 250 requests per minute unless agreed otherwise with Inverse. |
502 | No API backend was able to process the request. The system may be overloaded, in maintenance or experiencing an issue. Retrying shortly after should work. |
404 | No device profiling result was found for the signatures that were provided. |
Example body: {"dhcp_fingerprint":"1,15,3,6,44,46,47,31,33,121,249,43"}
Example response: { "device": { "created_at": "2014-09-09T15:09:51.000Z", "id": 33, "name": "Microsoft Windows Kernel 6.0", "parent_id": 7536, "parents": [ { "created_at": "2015-09-18T12:51:27.000Z", "id": 7536, "name": "Microsoft Windows Kernel 6.x", "parent_id": 1, "updated_at": "2015-09-22T08:11:35.000Z", "virtual_parent_id": null }, { "created_at": "2014-09-09T15:09:50.000Z", "id": 1, "name": "Windows OS", "parent_id": 16879, "updated_at": "2017-09-20T15:46:53.000Z", "virtual_parent_id": null }, { "created_at": "2017-09-14T18:41:06.000Z", "id": 16879, "name": "Operating System", "parent_id": null, "updated_at": "2017-09-18T16:33:18.000Z", "virtual_parent_id": null } ], "updated_at": "2015-09-18T12:53:32.000Z", "virtual_parent_id": null }, "device_name": "Operating System/Windows OS/Microsoft Windows Kernel 6.x/Microsoft Windows Kernel 6.0", "score": 75, "version": "Vista/Server 2008" }
Example using curl using DHCPv4 fingerprint: curl -X GET -d "{\"dhcp_fingerprint\":\"1,15,3,6,44,46,47,31,33,121,249,43\"}" --header "Content-type: application/json" https://api.fingerbank.org/api/v2/combinations/interrogate?key=
Example using curl without a body payload: curl 'https://api.fingerbank.org/api/v2/combinations/interrogate?dhcp_fingerprint=1,15,3,6,44,46,47,31,33,121,249,43&key='
Example using curl using DHCPv4 fingerprint, User-Agent and MAC address: curl -X GET -d "{\"dhcp_fingerprint\":\"1,121,3,6,15,119,252\", \"user_agents\":[\"Mozilla/5.0 (iPad; CPU OS 9_3_5 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13G36 Safari/601.1\"], \"mac\": \"e0b9ba88158a\"}" --header "Content-type: application/json" https://api.fingerbank.org/api/v2/combinations/interrogate?key=
Example using curl with more advanced parameters: curl -X GET -d "{\"dhcp_fingerprint\":\"1,15,3,6,44,46,47,31,33,121,249,43\", \"destination_hosts\":[\"updates.microsoft.com\"], \"mdns_services\":[\"_printer._tcp.local\"]}" --header "Content-type: application/json" 'https://api.fingerbank.org/api/v2/combinations/interrogate?key='
Param name | Description |
---|---|
key required |
Your API key (you can optionally use the Authorization header for improved security) Validations:
Metadata: Type: query parameter Example: "?key=68989f507420b6187c7e4fa32245db311efed505" |
debug optional |
Whether or not to add additionnal debug information in the response. ‘on’ activates it Validations:
Metadata: Type: query parameter Example: "?debug=yes" |
client_hints optional |
The HTTP client hints of the endpoint as seen in the various client hints headers (supports only sec-ch-ua, sec-ch-ua-platform, sec-ch-ua-model, sec-ch-ua-arch). The keys of the hash must be the value of the sec-ch-ua header, then the hash value must contain key value pairs of the different headers and their respective value. sec-ch-ua: My Example UA sec-ch-ua-platform: ACME Corp sec-ch-ua-model: Revolutionary Model 123 sec-ch-ua-arch: i386 {"My Example UA":{"sec-ch-ua-platform": "ACME Corp", "sec-ch-ua-model": "Revolutionary Model 123", "sec-ch-ua-arch": "i386"}} {"My Example UA":{"sec-ch-ua-platform": "ACME Corp", "sec-ch-ua-model": "Revolutionary Model 123", "sec-ch-ua-arch": "i386"}, "Browsinator 3000":{sec-ch-ua-arch: i386}} Validations:
Metadata: Type: payload Limit: The amount of elements must be limited to 5 elements. If not, only the 5 first will be taken into account in the discovery process. |
dhcp_fingerprint optional |
The DHCP fingerprint of the endpoint. Must be a comma-delimited list of numbers following this standard: 1,2,3,4,5,6,7. The order of the options must be the same as in the DHCP packet and nothing else than commas and numbers are allowed in this field. Validations:
Metadata: Type: payload Example: '128,229,32,44,52,64,17' |
dhcp6_fingerprint optional |
The DHCPv6 fingerprint of the endpoint. Must be a comma-delimited list of numbers following this standard: 1,2,3,4,5,6,7. The order of the options must be the same as in the DHCP packet and nothing else than commas and numbers are allowed in this field. Validations:
Metadata: Type: payload Example: '24,25,58,24' |
dhcp_vendor optional |
The DHCP vendor of the endpoint as seen in the DHCP packet. Validations:
Metadata: Type: payload Example: MSFT 5.0 |
dhcp6_enterprise optional |
The DHCPv6 enterprise of the endpoint. Must be the identifier present in the packet (a number) Validations:
Metadata: Type: payload |
mac optional |
The MAC address of the device following any of the following formats: 001122334455, 00-11-22-33-44-55, 00:11:22:33:44:55 Validations:
Metadata: Type: payload |
destination_hosts optional |
The destination hosts (domains) this endpoint has send data to Validations:
Metadata: Type: payload Limit: The amount of elements must be limited to 5 elements. If not, only the 5 first will be taken into account in the discovery process. |
hostname optional |
The hostname of the endpoint. Validations:
Metadata: Type: payload |
ja3_fingerprints optional |
The JA3 fingerprints detected for this endpoint. The signatures must be the MD5 of the full JA3 fingerprint. Validations:
Metadata: Type: payload Limit: The amount of elements must be limited to 5 elements. If not, only the 5 first will be taken into account in the discovery process. Example: b32309a26951912be7dba376398abc3b |
ja3_data optional |
The JA3+JA3s fingerprints detected for this endpoint with their matching server host and port. The signatures must be the MD5 of the full fingerprint. {"api.fingerbank.org:443":["b32309a26951912be7dba376398abc3b;36856d086af670bd60710ecad0ed2b25"]} {"api.fingerbank.org:443":["b32309a26951912be7dba376398abc3b;36856d086af670bd60710ecad0ed2b25"], "www.inverse.ca:443":["97b33baaeeec3cdf3eb4d053a8bb3440;fe1d51cf85a3d7c9d8ef94275fa442b1", "a55a17a2e48c91c5d1ee64e67f565c99;fe1d51cf85a3d7c9d8ef94275fa442b1"]} Validations:
Metadata: Type: payload Limit: The amount of elements must be limited to 10 keys (host+port) and each key in the hash must contain an array that doesn't have more than 3 JA3+JA3s couples |
mdns_services optional |
The MDNS services that this endpoint has advertised Validations:
Metadata: Type: payload Limit: The amount of elements must be limited to 5 elements. If not, only the 5 first will be taken into account in the discovery process. |
upnp_user_agents optional |
The UPnP User Agents (USER-AGENT header) that this endpoint has advertised Validations:
Metadata: Type: payload Limit: The amount of elements must be limited to 5 elements. If not, only the 5 first will be taken into account in the discovery process. |
upnp_server_strings optional |
The UPnP Server strings (SERVER header) that this endpoint has advertised Validations:
Metadata: Type: payload |
tcp_syn_signatures optional |
The TCP SYN signatures detected for this endpoint. The signatures must follow the p0f standard. Validations:
Metadata: Type: payload Limit: The amount of elements must be limited to 5 elements. If not, only the 5 first will be taken into account in the discovery process. Example: 4:128+0:0:1460:8192,2:mss,nop,ws,nop,nop,sok:df,id+:0 |
tcp_syn_ack_signatures optional |
The TCP SYN-ACK signatures detected for this endpoint. The signatures must follow the p0f standard. Validations:
Metadata: Type: payload Limit: The amount of elements must be limited to 5 elements. If not, only the 5 first will be taken into account in the discovery process. Example: 4:128+0:0:1460:8192,2:mss,nop,ws,nop,nop,sok:df,id+:0 |
user_agents optional |
The HTTP User Agents of the endpoint as seen in the User-Agent header of the HTTP requests the endpoint does. Validations:
Metadata: Type: payload Limit: The amount of elements must be limited to 5 elements. If not, only the 5 first will be taken into account in the discovery process. |
Device profiling result
Param name | Description |
---|---|
device required |
The device object that was profiled using the input parameters Validations:
|
device[can_be_more_precise] required |
Whether or not the result can be more precise than the one that is returned. This can be used as an indicator that the profiling result cannot be improved. Validations:
|
device[child_devices_count] required |
The amount of direct childs the device has Validations:
|
device[child_virtual_devices_count] required |
The amount of virtual childs the device has Validations:
|
device[created_at] required |
The date that the device was created in Fingerbank Validations:
|
device[id] required |
The numeric identifier of the device in Fingerbank Validations:
|
device[name] required |
The name of the device Validations:
|
device[parent_id] required |
The numeric identifier of the parent of this device Validations:
|
device[parents] required |
A list of simple representations of the parents of this device Validations:
|
device[parents][created_at] required |
The date that the device was created in Fingerbank Validations:
|
device[parents][id] required |
The numeric identifier of the device in Fingerbank Validations:
|
device[parents][name] required |
The name of the device Validations:
|
device[parents][parent_id] required |
The numeric identifier of the parent of this device Validations:
|
device[parents][updated_at] required |
The date that the device was last updated in Fingerbank Validations:
|
device[parents][virtual_parent_id] required |
The numeric identifier of the virtual parent of this device (if any, defaults to null if there is none). Virtual parents are non-mandatory and will usually link a physical device (ex: Generic Android) with its operating system (Android OS) Validations:
|
device_name required |
The unique device name with all its hierarchy separated by the ‘/’ character Validations:
|
manufacturer required |
Optional object that follows the exact same structure as the ‘device’ attribute of the response. When present, it will contain the manufacturer of the device that was profiled. For example, in the case of a Samsung Galaxy S8, this will contain the hardware manufacturer Samsung. This will only be true if enough information is provided to tie the Samsung Galaxy S8 result to Samsung and will not be present for that device if for example only the HTTP User-Agent is provided which doesn’t allow to tie the device to the manufacturer. In our current example tying the device to the manufacturer is done through the MAC address of the device. Validations:
|
manufacturer[can_be_more_precise] required |
Whether or not the result can be more precise than the one that is returned. This can be used as an indicator that the profiling result cannot be improved. Validations:
|
manufacturer[child_devices_count] required |
The amount of direct childs the device has Validations:
|
manufacturer[child_virtual_devices_count] required |
The amount of virtual childs the device has Validations:
|
manufacturer[created_at] required |
The date that the device was created in Fingerbank Validations:
|
manufacturer[id] required |
The numeric identifier of the device in Fingerbank Validations:
|
manufacturer[name] required |
The name of the device Validations:
|
manufacturer[parent_id] required |
The numeric identifier of the parent of this device Validations:
|
manufacturer[parents] required |
A list of simple representations of the parents of this device Validations:
|
manufacturer[parents][created_at] required |
The date that the device was created in Fingerbank Validations:
|
manufacturer[parents][id] required |
The numeric identifier of the device in Fingerbank Validations:
|
manufacturer[parents][name] required |
The name of the device Validations:
|
manufacturer[parents][parent_id] required |
The numeric identifier of the parent of this device Validations:
|
manufacturer[parents][updated_at] required |
The date that the device was last updated in Fingerbank Validations:
|
manufacturer[parents][virtual_parent_id] required |
The numeric identifier of the virtual parent of this device (if any, defaults to null if there is none). Virtual parents are non-mandatory and will usually link a physical device (ex: Generic Android) with its operating system (Android OS) Validations:
|
operating_system required |
Optional object that follows the exact same structure as the ‘device’ attribute of the response. When present, it will contain the most probable operating system for the device based on the result contained in the ‘device’ field of the response. For example, in the case of a Samsung Galaxy S8, this will contain the operating system Android OS. This will only be true if enough information is provided to tie the Samsung Galaxy S8 result to Android OS and will not be present for that device if for example only the hostname is provided which doesn’t allow to tie the device to the Android OS operating system. In our current example tying the device to the OS is done through the DHCP fields, HTTP User-Agent, etc. Validations:
|
operating_system[can_be_more_precise] required |
Whether or not the result can be more precise than the one that is returned. This can be used as an indicator that the profiling result cannot be improved. Validations:
|
operating_system[child_devices_count] required |
The amount of direct childs the device has Validations:
|
operating_system[child_virtual_devices_count] required |
The amount of virtual childs the device has Validations:
|
operating_system[created_at] required |
The date that the device was created in Fingerbank Validations:
|
operating_system[id] required |
The numeric identifier of the device in Fingerbank Validations:
|
operating_system[name] required |
The name of the device Validations:
|
operating_system[parent_id] required |
The numeric identifier of the parent of this device Validations:
|
operating_system[parents] required |
A list of simple representations of the parents of this device Validations:
|
operating_system[parents][created_at] required |
The date that the device was created in Fingerbank Validations:
|
operating_system[parents][id] required |
The numeric identifier of the device in Fingerbank Validations:
|
operating_system[parents][name] required |
The name of the device Validations:
|
operating_system[parents][parent_id] required |
The numeric identifier of the parent of this device Validations:
|
operating_system[parents][updated_at] required |
The date that the device was last updated in Fingerbank Validations:
|
operating_system[parents][virtual_parent_id] required |
The numeric identifier of the virtual parent of this device (if any, defaults to null if there is none). Virtual parents are non-mandatory and will usually link a physical device (ex: Generic Android) with its operating system (Android OS) Validations:
|
request_id required |
The unique identifier of the request Validations:
|
score required |
The confidence level in the result that is provided. See the ‘Scoring’ section of this page for more details. Validations:
|
version required |
The version of the device. When it cannot be found, an empty string is provided. Example: A Samsung Galaxy S8 running Android version 9.0.0 will have the value ‘9.0.0’ in the version field if the input data allowed Fingerbank to detect the version properly. Validations:
|
Unknown device profiling result
Param name | Description |
---|---|
errors required |
The errors that have occured Validations:
|
errors[details] required |
An explanation on why the device profiling yielded an unknown result Validations:
|
request_id required |
The unique identifier of the request Validations:
|
Header name | Description |
---|---|
Authorization optional |
Authorization header containing your API key (Bearer standard). Example value for the header: `Bearer 68989f507420b6187c7e4fa32245db311efed505` |