ehsanghaffar/ip-intelligence

IP Intelligence & Infrastructure Fingerprinting Platform

Multi-protocol scanner that builds structured IP identities by probing TCP, TLS, HTTP/2, HTTP/3 (QUIC), WebSocket, and DNS. Detects CDN providers, evaluates tunnel viability (WebSocket, gRPC, Xray, REALITY), and scores each target with explainable multi-dimensional confidence.

Features

Protocol Probes

  • TCP — 3-connection burst for latency, jitter, and packet-loss estimation
  • TLS — Handshake capture (version, cipher, ALPN, OCSP stapling, session reuse)
  • TLS Fingerprint — JA3S/JA4S from raw ServerHello via dpkt or ssl module
  • HTTP — GET/HEAD with header analysis, Alt-Svc discovery, WebSocket upgrade test
  • HTTP/2 — Multiplex verification, SETTINGS parsing (max concurrent streams, initial window, frame size, server push)
  • HTTP/3 (QUIC) — Handshake RTT, 17 transport parameter names, H3 response validation
  • DNS — A/AAAA resolution, rDNS lookup
  • UDP — QUIC Initial-like datagram probe
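The HTTP/2 probe above reports what the server's SETTINGS frame advertises. The parser below is an added example, not code from the ip-intelligence project: it decodes a raw SETTINGS frame according to RFC 7540 (9-byte frame header, 6-byte identifier/value pairs), rejects the malformed shapes the RFC treats as connection errors, ignores unknown identifiers as the RFC requires, and then derives the multiplex verdict the README describes. The sample frame is constructed, and the interpretation in multiplex_summary (absent MAX_CONCURRENT_STREAMS means no advertised limit) is an assumption about how such a verdict would be drawn.

```python
import struct
from typing import Dict, Tuple

# Frame constants from RFC 7540 sections 4.1 and 6.5.
FRAME_TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTINGS_NAMES = {
    0x1: "header_table_size",
    0x2: "enable_push",
    0x3: "max_concurrent_streams",
    0x4: "initial_window_size",
    0x5: "max_frame_size",
    0x6: "max_header_list_size",
}


def parse_frame_header(buf: bytes) -> Tuple[int, int, int, int]:
    """Split the 9-byte frame header into (length, type, flags, stream_id)."""
    if len(buf) < 9:
        raise ValueError("truncated frame header")
    length = int.from_bytes(buf[0:3], "big")
    frame_type, flags = buf[3], buf[4]
    stream_id = int.from_bytes(buf[5:9], "big") & 0x7FFFFFFF  # drop the reserved bit
    return length, frame_type, flags, stream_id


def parse_settings(buf: bytes) -> Dict[str, int]:
    """Parse one SETTINGS frame and return the named parameters it carries.

    Unknown identifiers are skipped (RFC 7540 6.5.2) and malformed frames raise,
    so a peer sending garbage cannot make the probe record bogus values.
    """
    length, frame_type, flags, stream_id = parse_frame_header(buf)
    if frame_type != FRAME_TYPE_SETTINGS:
        raise ValueError(f"expected SETTINGS (0x4), got 0x{frame_type:x}")
    if stream_id != 0:
        raise ValueError("SETTINGS must be sent on stream 0")
    payload = buf[9:9 + length]
    if len(payload) != length:
        raise ValueError("truncated SETTINGS payload")
    if flags & FLAG_ACK:
        if length != 0:
            raise ValueError("SETTINGS ACK must carry no payload")
        return {}
    if length % 6:
        raise ValueError("SETTINGS payload must be a multiple of 6 bytes")

    params: Dict[str, int] = {}
    for off in range(0, length, 6):
        ident, value = struct.unpack("!HI", payload[off:off + 6])
        name = SETTINGS_NAMES.get(ident)
        if name is not None:
            params[name] = value

    # Range checks the RFC defines as connection errors.
    if params.get("enable_push", 0) not in (0, 1):
        raise ValueError("ENABLE_PUSH must be 0 or 1")
    if params.get("initial_window_size", 0) > 2 ** 31 - 1:
        raise ValueError("INITIAL_WINDOW_SIZE exceeds 2^31-1")
    if "max_frame_size" in params and not 16384 <= params["max_frame_size"] <= 16777215:
        raise ValueError("MAX_FRAME_SIZE outside [2^14, 2^24-1]")
    return params


def multiplex_summary(params: Dict[str, int]) -> Dict[str, object]:
    """Probe-level verdict from parsed settings (assumed interpretation, not the project's)."""
    streams = params.get("max_concurrent_streams")  # absent means no advertised limit
    return {
        "multiplex_capable": streams is None or streams > 1,
        "max_concurrent_streams": streams,
        "initial_window_size": params.get("initial_window_size", 65535),
        "max_frame_size": params.get("max_frame_size", 16384),
        "server_push": params.get("enable_push", 1) == 1,
    }


# Constructed sample: server SETTINGS frame (length 30, type 4, flags 0, stream 0)
# advertising 100 streams, a 64 KiB window, 16 KiB frames, push disabled,
# plus an unknown identifier 0xff that a conforming parser must skip.
SAMPLE_SETTINGS_FRAME = bytes.fromhex(
    "00001e04 00 00000000"
    "0003 00000064"
    "0004 0000ffff"
    "0005 00004000"
    "0002 00000000"
    "00ff 00000001"
)
SAMPLE_ACK_FRAME = bytes.fromhex("000000 04 01 00000000")

if __name__ == "__main__":
    parsed = parse_settings(SAMPLE_SETTINGS_FRAME)
    print(parsed)
    print(multiplex_summary(parsed))
```

The truncation check matters in a scanner: a server that closes mid-frame must produce "truncated", not a half-filled settings dict that later feeds the score.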

Infrastructure Detection

16 provider signatures using multi-signal analysis:

  • Issuer keywords, SAN patterns, server header, HTTP header indicators, ASN ranges, ALPN behavior, Alt-Svc patterns
  • Providers: Google, Cloudflare, Fastly, Akamai, AWS, Azure, Vercel, Fly.io, Railway, G-Core, Tencent, Alibaba, Hetzner, OVH, DigitalOcean, Vultr
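To make the "multi-signal" idea concrete, here is an added example of a provider matcher; it is not the project's detector, and its two signatures and signal weights are illustrative (built from widely documented Cloudflare and Fastly indicators, with ASNs 13335 and 54113), not the project's 16 signatures. Confidence is the matched weight divided by the weight of the signals a signature actually defines, and the reasons list is what makes the verdict explainable. The observations at the bottom are constructed, not real scan output.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Illustrative weights; the project's real weights are not on the page.
WEIGHTS = {"issuer": 0.2, "server": 0.3, "header": 0.3, "san": 0.1, "asn": 0.1}
MIN_CONFIDENCE = 0.35  # assumed floor below which no provider is reported


@dataclass
class Signals:
    """What the probes observed for one target."""
    issuer: str = ""
    sans: List[str] = field(default_factory=list)
    server_header: str = ""
    headers: Dict[str, str] = field(default_factory=dict)
    asn: Optional[int] = None


@dataclass
class Signature:
    """Indicators for one provider; an empty tuple means the signal is not used."""
    name: str
    issuer_keywords: Tuple[str, ...] = ()
    server_keywords: Tuple[str, ...] = ()
    header_keys: Tuple[str, ...] = ()
    san_suffixes: Tuple[str, ...] = ()
    asns: Tuple[int, ...] = ()


SIGNATURES = [
    Signature("Cloudflare", issuer_keywords=("cloudflare",), server_keywords=("cloudflare",),
              header_keys=("cf-ray", "cf-cache-status"), san_suffixes=(".cloudflaressl.com",),
              asns=(13335,)),
    Signature("Fastly", header_keys=("x-served-by", "x-timer"), san_suffixes=(".fastly.net",),
              asns=(54113,)),
]


def evaluate(sig: Signature, obs: Signals) -> Tuple[float, List[str]]:
    """Score one signature: matched weight over the weight of the signals it defines."""
    total = matched = 0.0
    reasons: List[str] = []

    def check(kind: str, hit: bool, why: str) -> None:
        nonlocal total, matched
        total += WEIGHTS[kind]
        if hit:
            matched += WEIGHTS[kind]
            reasons.append(why)

    issuer = obs.issuer.lower()
    server = obs.server_header.lower()
    header_names = {h.lower() for h in obs.headers}
    if sig.issuer_keywords:
        check("issuer", any(k in issuer for k in sig.issuer_keywords), f"issuer '{obs.issuer}'")
    if sig.server_keywords:
        check("server", any(k in server for k in sig.server_keywords), f"server '{obs.server_header}'")
    if sig.header_keys:
        hits = sorted(header_names & {h.lower() for h in sig.header_keys})
        check("header", bool(hits), f"headers {hits}")
    if sig.san_suffixes:
        san_hits = [s for s in obs.sans if s.lower().endswith(sig.san_suffixes)]
        check("san", bool(san_hits), f"SANs {san_hits}")
    if sig.asns:
        check("asn", obs.asn in sig.asns, f"ASN {obs.asn}")
    return (round(matched / total, 3) if total else 0.0), reasons


def detect(obs: Signals, signatures=SIGNATURES) -> Tuple[Optional[str], float, List[str]]:
    """Return (provider, confidence, reasons) for the best-matching signature, or None."""
    best: Tuple[Optional[str], float, List[str]] = (None, 0.0, [])
    for sig in signatures:
        score, reasons = evaluate(sig, obs)
        if score > best[1]:
            best = (sig.name, score, reasons)
    if best[1] < MIN_CONFIDENCE:
        return None, best[1], best[2]
    return best


# Constructed observations, not real scan output.
CLOUDFLARE_LIKE = Signals(issuer="Cloudflare Inc ECC CA-3", sans=["example.com", "sni.cloudflaressl.com"],
                          server_header="cloudflare", headers={"CF-RAY": "abc", "Content-Type": "text/html"},
                          asn=13335)
ORIGIN_ONLY = Signals(issuer="Let's Encrypt", server_header="nginx",
                      headers={"Content-Type": "text/html"}, asn=64496)
PARTIAL = Signals(server_header="cloudflare", headers={"cf-ray": "x"})

if __name__ == "__main__":
    for sample in (CLOUDFLARE_LIKE, ORIGIN_ONLY, PARTIAL):
        print(detect(sample))
```

Dividing by the weight of the signals a signature defines, rather than by a fixed total, keeps a provider with fewer known indicators from being structurally capped below the floor.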

Security Heuristics

  • MITM / forged certificate detection
  • Transparent proxy detection
  • Censorship pattern detection
  • Honeypot risk scoring

Tunnel Viability

  • WebSocket friendliness
  • gRPC / H2 multiplex capability
  • Xray routing compatibility
  • REALITY TLS compatibility (TLS 1.3 + h2 + CDN + valid cert + latency ≤ 500ms)
  • Connection stability (jitter < 50ms, packet loss < 10%)
  • Automated tunnel recommendation
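The tunnel rules above are threshold checks over the TCP burst and TLS results. The following is an added example, not the project's heuristics/tunneling.py: it computes latency, jitter and packet loss from the burst's RTT samples, applies the stability and REALITY thresholds exactly as listed (jitter < 50 ms, loss < 10 %, TLS 1.3 + h2 + CDN + valid cert + latency ≤ 500 ms), and returns the failing conditions by name so the verdict is explainable. Assumptions, labelled in the code: latency is the median of successful connects, jitter is the mean absolute difference between consecutive RTTs, and the recommendation order (REALITY, then gRPC/H2, then WebSocket) is illustrative. All samples are constructed.

```python
import statistics
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Thresholds from the README's tunnel-viability rules.
JITTER_MAX_MS = 50.0
LOSS_MAX = 0.10
REALITY_LATENCY_MAX_MS = 500.0


@dataclass
class BurstResult:
    """Outcome of the TCP 3-connection burst: one RTT per successful connect."""
    attempts: int
    rtts_ms: List[float] = field(default_factory=list)

    @property
    def alive(self) -> bool:
        return bool(self.rtts_ms)

    @property
    def latency_ms(self) -> Optional[float]:
        # Assumed aggregate: median of the successful connects.
        return statistics.median(self.rtts_ms) if self.alive else None

    @property
    def jitter_ms(self) -> float:
        # Assumed estimator: mean absolute difference between consecutive RTTs.
        if len(self.rtts_ms) < 2:
            return 0.0
        return statistics.fmean([abs(a - b) for a, b in zip(self.rtts_ms, self.rtts_ms[1:])])

    @property
    def packet_loss(self) -> float:
        return 1.0 - len(self.rtts_ms) / self.attempts if self.attempts else 1.0


@dataclass
class TlsFacts:
    version: str          # as reported by the ssl module, e.g. "TLSv1.3"
    alpn: Optional[str]   # negotiated protocol, e.g. "h2"
    cert_valid: bool      # chain verified against the trust store
    cdn: Optional[str]    # provider from infrastructure detection, or None


def connection_stable(burst: BurstResult) -> Tuple[bool, List[str]]:
    """jitter < 50 ms and packet loss < 10 %, with every failing condition named."""
    problems = []
    if not burst.alive:
        problems.append("no successful TCP connection")
    if burst.jitter_ms >= JITTER_MAX_MS:
        problems.append(f"jitter {burst.jitter_ms:.1f} ms >= {JITTER_MAX_MS:.0f} ms")
    if burst.packet_loss >= LOSS_MAX:
        problems.append(f"packet loss {burst.packet_loss:.0%} >= {LOSS_MAX:.0%}")
    return not problems, problems


def reality_compatible(tls: TlsFacts, burst: BurstResult) -> Tuple[bool, List[str]]:
    """TLS 1.3 + h2 + CDN + valid cert + latency <= 500 ms, failed checks reported."""
    problems = []
    if tls.version != "TLSv1.3":
        problems.append(f"TLS version {tls.version} is not TLSv1.3")
    if tls.alpn != "h2":
        problems.append(f"ALPN {tls.alpn!r} is not h2")
    if tls.cdn is None:
        problems.append("no CDN provider detected")
    if not tls.cert_valid:
        problems.append("certificate did not validate")
    if burst.latency_ms is None or burst.latency_ms > REALITY_LATENCY_MAX_MS:
        problems.append(f"latency {burst.latency_ms} ms exceeds {REALITY_LATENCY_MAX_MS:.0f} ms")
    return not problems, problems


def recommend(tls: TlsFacts, burst: BurstResult, websocket_ok: bool) -> str:
    """Assumed order: REALITY > gRPC/H2 > WebSocket > none; unstable links get none."""
    if not connection_stable(burst)[0]:
        return "none"
    if reality_compatible(tls, burst)[0]:
        return "reality"
    if tls.alpn == "h2":
        return "grpc"
    return "websocket" if websocket_ok else "none"


# Constructed samples, not real measurements.
GOOD_BURST = BurstResult(attempts=3, rtts_ms=[40.0, 44.0, 42.0])
LOSSY_BURST = BurstResult(attempts=3, rtts_ms=[40.0, 200.0])
EDGE_TLS = TlsFacts(version="TLSv1.3", alpn="h2", cert_valid=True, cdn="Cloudflare")
ORIGIN_TLS = TlsFacts(version="TLSv1.2", alpn="http/1.1", cert_valid=True, cdn=None)

if __name__ == "__main__":
    print(recommend(EDGE_TLS, GOOD_BURST, True), reality_compatible(ORIGIN_TLS, GOOD_BURST))
```

Returning the list of failed conditions rather than a bare boolean is what lets the dashboard drilldown say why a node missed REALITY compatibility instead of just that it did.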

Observation Engine

  • 14 domain-separated observation types (connectivity, TLS, HTTP, HTTP2, HTTP3, QUIC, WebSocket, DNS, infrastructure, security, tunnel, latency, jitter, TLS fingerprint)
  • Structured query interface: filter(), first(), values(), typed accessors
  • Collector with store(), store_many(), has_flag(), get_string(), get_numeric()
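As an added example of the observation engine's shape (not the project's models/observation.py or observations/collector.py, whose internals are not on the page), here is a minimal domain-separated store with the query interface and typed accessors named above. The enum lists the 14 domains from the README; the choice that first() returns the earliest stored observation and that get_numeric() rejects booleans (so a True flag is never read as 1) are assumptions. The sample observations are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Any, Iterable, Iterator, List, Optional


class ObservationDomain(Enum):
    """The 14 domains the README lists; keeps probes from overwriting each other's keys."""
    CONNECTIVITY = "connectivity"
    TLS = "tls"
    HTTP = "http"
    HTTP2 = "http2"
    HTTP3 = "http3"
    QUIC = "quic"
    WEBSOCKET = "websocket"
    DNS = "dns"
    INFRASTRUCTURE = "infrastructure"
    SECURITY = "security"
    TUNNEL = "tunnel"
    LATENCY = "latency"
    JITTER = "jitter"
    TLS_FINGERPRINT = "tls_fingerprint"


@dataclass(frozen=True)
class Observation:
    domain: ObservationDomain
    key: str
    value: Any
    source: str = ""  # which probe produced it, for explainability


class ObservationSet:
    """Read-only query view; every filter() returns a new set."""

    def __init__(self, items: Iterable[Observation] = ()) -> None:
        self._items: List[Observation] = list(items)

    def __iter__(self) -> Iterator[Observation]:
        return iter(self._items)

    def __len__(self) -> int:
        return len(self._items)

    def filter(self, domain: Optional[ObservationDomain] = None,
               key: Optional[str] = None) -> "ObservationSet":
        return ObservationSet(o for o in self._items
                              if (domain is None or o.domain is domain)
                              and (key is None or o.key == key))

    def first(self, domain=None, key=None) -> Optional[Observation]:
        return next(iter(self.filter(domain, key)), None)  # assumed: earliest stored wins

    def values(self, domain=None, key=None) -> List[Any]:
        return [o.value for o in self.filter(domain, key)]


class Collector:
    """Write side; typed accessors never raise on missing or mistyped data."""

    def __init__(self) -> None:
        self._items: List[Observation] = []

    @property
    def observations(self) -> ObservationSet:
        return ObservationSet(self._items)

    def store(self, domain, key, value, source="") -> Observation:
        obs = Observation(domain, key, value, source)
        self._items.append(obs)
        return obs

    def store_many(self, items: Iterable[Observation]) -> int:
        before = len(self._items)
        self._items.extend(items)
        return len(self._items) - before

    def has_flag(self, domain, key) -> bool:
        obs = self.observations.first(domain, key)
        return obs is not None and obs.value is True

    def get_string(self, domain, key, default: str = "") -> str:
        obs = self.observations.first(domain, key)
        return obs.value if obs is not None and isinstance(obs.value, str) else default

    def get_numeric(self, domain, key, default=None) -> Optional[float]:
        obs = self.observations.first(domain, key)
        if obs is None or isinstance(obs.value, bool) or not isinstance(obs.value, (int, float)):
            return default
        return obs.value


def build_sample_collector() -> Collector:
    """Constructed observations standing in for one target's probe output."""
    c = Collector()
    c.store(ObservationDomain.TLS, "version", "TLSv1.3", source="handshake")
    c.store(ObservationDomain.LATENCY, "median_ms", 42.5, source="tcp_burst")
    c.store(ObservationDomain.SECURITY, "mitm_suspected", True, source="cert")
    c.store_many([Observation(ObservationDomain.TLS, "version", "TLSv1.2", "retry")])
    return c
```

Keeping the domain in the key space means a TLS "version" and an HTTP "version" never collide, and the `source` field is what a drilldown view needs to show which probe produced each fact.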

Scoring

  • 7-dimensional weighted scoring (alive, latency, TLS, infrastructure, protocol, tunnel, security)
  • Category thresholds: Golden Edge ≥ 92, Strong Edge ≥ 78, Relay Candidate ≥ 65, CDN Node ≥ 55, Generic Server ≥ 40, Weak Node ≥ 25
  • Confidence: infra detector confidence as base, adjusted for security penalties, clamped to [0, 0.99]
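The scoring rules above can be shown end to end. This is an added example rather than the project's scoring/engine.py: the category floors (92/78/65/55/40/25) and the confidence rule (detector confidence minus security penalties, clamped to [0, 0.99]) come from the README; the per-dimension weights, the "Dead" label for anything below 25, and the rule that a host with alive = 0 scores 0 regardless of other dimensions are assumptions. Each dimension's contribution is returned as text so the score is explainable.

```python
from typing import Dict, Iterable, List, Tuple

DIMENSIONS = ("alive", "latency", "tls", "infrastructure", "protocol", "tunnel", "security")
# Assumed weights (the page names the dimensions only); they sum to 1.0.
WEIGHTS = {"alive": 0.20, "latency": 0.15, "tls": 0.15, "infrastructure": 0.15,
           "protocol": 0.10, "tunnel": 0.15, "security": 0.10}
# Category floors from the README, highest first; below 25 is "Dead" (assumed name).
THRESHOLDS: List[Tuple[str, float]] = [
    ("Golden Edge", 92), ("Strong Edge", 78), ("Relay Candidate", 65),
    ("CDN Node", 55), ("Generic Server", 40), ("Weak Node", 25),
]
CONFIDENCE_MAX = 0.99


def weighted_score(dims: Dict[str, float]) -> Tuple[float, List[str]]:
    """Combine per-dimension scores in [0, 100]; returns (score, explanation lines)."""
    unknown = set(dims) - set(DIMENSIONS)
    if unknown:
        raise ValueError(f"unknown dimensions: {sorted(unknown)}")
    # Assumed rule: a host that never answered scores 0 whatever the other probes inferred.
    if dims.get("alive", 0) <= 0:
        return 0.0, ["alive = 0 forces total score 0"]
    total = 0.0
    explanation = []
    for name in DIMENSIONS:
        value = min(100.0, max(0.0, float(dims.get(name, 0.0))))  # clamp defensively
        contribution = WEIGHTS[name] * value
        total += contribution
        explanation.append(f"{name}: {value:.0f} x {WEIGHTS[name]:.2f} = {contribution:.2f}")
    return round(total, 2), explanation


def categorize(score: float) -> str:
    for label, floor in THRESHOLDS:
        if score >= floor:
            return label
    return "Dead"


def confidence(infra_confidence: float, security_penalties: Iterable[float] = ()) -> float:
    """Detector confidence as base, minus security penalties, clamped to [0, 0.99]."""
    value = infra_confidence - sum(security_penalties)
    return round(min(CONFIDENCE_MAX, max(0.0, value)), 3)


def score_target(dims: Dict[str, float], infra_confidence: float,
                 security_penalties: Iterable[float] = ()) -> Dict[str, object]:
    score, explanation = weighted_score(dims)
    return {
        "score": score,
        "category": categorize(score),
        "confidence": confidence(infra_confidence, security_penalties),
        "explanation": explanation,
    }


# Constructed dimension scores, not real scan results.
EDGE = {"alive": 100, "latency": 95, "tls": 100, "infrastructure": 90,
        "protocol": 100, "tunnel": 90, "security": 100}
MID = {"alive": 100, "latency": 60, "tls": 70, "infrastructure": 40,
       "protocol": 50, "tunnel": 30, "security": 80}
DEAD = {"alive": 0, "tls": 100}

if __name__ == "__main__":
    for dims in (EDGE, MID, DEAD):
        print(score_target(dims, 0.9, [0.1]))
```

Clamping confidence at 0.99 rather than 1.0 keeps the output honest: a fingerprint-based verdict is never certain, and a penalty can pull a confidently identified but suspicious node down to zero.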

Scanner Engine

  • Bounded worker pool via asyncio.Queue (no unbounded task creation)
  • Per-IP semaphore for rate limiting
  • Sequential + parallel probe orchestration
  • scan_many() with optional on_result callback for streaming
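The concurrency design above (a fixed worker pool draining an asyncio.Queue, a per-IP semaphore, and a streaming on_result callback) is shown below as an added example; it is not the project's scanner/engine.py, and the probe is a constructed stand-in that sleeps instead of connecting. The meter exists so the bound can be measured rather than trusted: with N workers and a per-IP limit of M, no more than N × M probes are ever in flight, and a single failing probe is recorded as an error on that row instead of taking the worker down.

```python
import asyncio
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Sequence, Tuple


class ConcurrencyMeter:
    """Counts in-flight probes so the pool bound can be verified, not just asserted."""

    def __init__(self) -> None:
        self.current = 0
        self.peak = 0

    def enter(self) -> None:
        self.current += 1
        self.peak = max(self.peak, self.current)

    def leave(self) -> None:
        self.current -= 1


async def fake_probe(ip: str, name: str, meter: ConcurrencyMeter) -> Dict[str, object]:
    """Constructed stand-in for a network probe: sleeps instead of connecting."""
    meter.enter()
    try:
        await asyncio.sleep(0.005)
        if name == "tls" and ip.endswith(".7"):
            raise ConnectionResetError("constructed failure")  # exercise the error path
        return {name: "ok"}
    finally:
        meter.leave()


async def scan_one(ip: str, probe_names: Sequence[str], per_ip_sem: asyncio.Semaphore,
                   meter: ConcurrencyMeter) -> Dict[str, object]:
    """Run this IP's probes in parallel, never more than per_ip_limit at once."""

    async def gated(name: str) -> Dict[str, object]:
        async with per_ip_sem:
            try:
                return await fake_probe(ip, name, meter)
            except OSError as exc:  # a dead probe becomes a field, not a crash
                return {name: f"error: {exc}"}

    parts = await asyncio.gather(*(gated(n) for n in probe_names))
    result: Dict[str, object] = {"ip": ip}
    for part in parts:
        result.update(part)
    return result


async def scan_many(targets: Iterable[str], *, workers: int = 4, per_ip_limit: int = 2,
                    probe_names: Sequence[str] = ("tcp", "dns", "tls", "http"),
                    on_result: Optional[Callable[[Dict[str, object]], None]] = None,
                    ) -> Tuple[List[Dict[str, object]], Dict[str, int]]:
    """Bounded pool: `workers` coroutines drain one queue; no task per target is created."""
    queue: asyncio.Queue = asyncio.Queue()
    for ip in targets:
        queue.put_nowait(ip)
    semaphores = defaultdict(lambda: asyncio.Semaphore(per_ip_limit))
    meter = ConcurrencyMeter()
    results: List[Dict[str, object]] = []

    async def worker() -> None:
        while True:
            try:
                ip = queue.get_nowait()
            except asyncio.QueueEmpty:
                return
            result = await scan_one(ip, probe_names, semaphores[ip], meter)
            results.append(result)
            if on_result is not None:
                on_result(result)  # streaming hook: dashboard/exporter sees rows as they finish
            queue.task_done()

    await asyncio.gather(*(worker() for _ in range(workers)))
    return results, {"peak_concurrency": meter.peak, "bound": workers * per_ip_limit}


def run_scan(targets: Iterable[str], **kwargs) -> Tuple[List[Dict[str, object]], Dict[str, int]]:
    return asyncio.run(scan_many(targets, **kwargs))


if __name__ == "__main__":
    rows, stats = run_scan([f"10.0.0.{i}" for i in range(1, 11)], workers=3, per_ip_limit=2,
                           on_result=lambda r: print("done", r["ip"]))
    print(stats)
```

Pulling targets from the queue inside a fixed set of workers is what keeps memory flat on a /16: the queue holds strings, not coroutines, so ten thousand targets never become ten thousand live tasks.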

Installation

pip install -r requirements.txt

Optional dependencies:

  • dpkt — raw TLS fingerprint parsing (fallback: ssl module)
  • h2 — HTTP/2 multiplex probe
  • aioquic — QUIC / HTTP/3 probe

Usage

python3 main.py

Select option 1 for direct IP/CIDR input, option 2 for file input.

Configuration

Edit config.yaml to customize concurrency, timeouts, and detection parameters.

Input Formats

  • Single IP: 192.168.1.1
  • CIDR: 192.168.1.0/24
  • Comma/space-separated: 192.168.1.1 192.168.2.0/24
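The three input forms above are small enough to handle with the standard library. The function below is an added example, not the project's IP-cleaning code: it expands comma- or space-separated IPs and CIDRs into a deduplicated host list, reports rejected tokens rather than dropping them silently, and refuses prefixes wider than a /16. That 65 536-address cap is an assumption added here as a safety rail, so a mistyped "0.0.0.0/0" cannot turn one input line into an internet-wide scan.

```python
import ipaddress
from typing import List, Tuple

# Assumed safety cap: refuse to expand anything wider than a /16 (65536 addresses).
MAX_ADDRESSES_PER_CIDR = 65_536


def parse_targets(text: str) -> Tuple[List[str], List[str]]:
    """Expand comma/space-separated IPs and CIDRs into a deduplicated host list.

    Returns (accepted_hosts, rejected_tokens). Rejected tokens are reported,
    not discarded, so the operator sees exactly what was skipped and why.
    """
    accepted: List[str] = []
    rejected: List[str] = []
    seen = set()
    for token in text.replace(",", " ").split():
        try:
            if "/" in token:
                network = ipaddress.ip_network(token, strict=False)  # host bits tolerated
                if network.num_addresses > MAX_ADDRESSES_PER_CIDR:
                    rejected.append(token)
                    continue
                # hosts() skips network/broadcast; fall back to the whole block for /31 and /32
                hosts = list(network.hosts()) or list(network)
            else:
                hosts = [ipaddress.ip_address(token)]
        except ValueError:
            rejected.append(token)
            continue
        for host in hosts:
            key = str(host)
            if key not in seen:
                seen.add(key)
                accepted.append(key)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed input exercising all three forms plus a bad token and an oversize block.
    print(parse_targets("192.168.1.1, 192.168.2.0/30 192.168.1.1 bogus 10.0.0.0/8"))
```

Both IPv4 and IPv6 literals are accepted because ipaddress handles either; an IPv6 /64 is rejected by the same size cap, which is the behaviour you want rather than an attempt to enumerate 2^64 hosts.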

Architecture

scanner/engine.py          — Orchestrator: sequential + parallel probe dispatch
probes/
  tcp_udp.py               — TCP 3-burst + UDP QUIC-initial probe
  dns_probe.py             — DNS resolution + rDNS
  websocket.py             — WebSocket upgrade test
  h2_multiplex.py          — HTTP/2 SETTINGS + multiplex verification
tls/
  handshake.py             — TLS version, cipher, ALPN, OCSP
  cert.py                  — Certificate chain + SAN extraction
  fingerprint.py           — JA3S/JA4S from raw ServerHello
http_client/probe.py       — HTTP GET/HEAD + Alt-Svc
quic/probe.py              — QUIC handshake RTT + H3 + transport params
infrastructure/detector.py — 16-provider multi-signal matching
heuristics/
  security.py              — MITM, censorship, proxy, honeypot
  tunneling.py             — Tunnel viability + REALITY check
scoring/engine.py          — 7-dimension weighted scoring + categorization
models/
  identity.py              — IPIdentity dataclass
  observation.py           — Observation, ObservationSet, ObservationDomain
  enums.py                 — Category, InfrastructureType
observations/collector.py  — Observation store/query helpers
dashboard/app.py           — Textual-based TUI dashboard
export/exporter.py         — JSON, CSV, SQLite export

Detection Pipeline

  1. TCP — 3-connect burst for aliveness, latency, jitter, packet loss
  2. UDP + DNS — Parallel UDP probe and DNS resolution
  3. TLS — Handshake version, cipher, ALPN, OCSP
  4. TLS Certificate + Fingerprint — Parallel cert extraction and JA3S/JA4S
  5. HTTP + WebSocket + QUIC — Parallel HTTP request, WS upgrade, QUIC connect
  6. HTTP/2 — H2 multiplex test (if ALPN negotiated h2)
  7. Infrastructure Detection — Multi-signal provider matching
  8. Security Heuristics — MITM, censorship, proxy, honeypot
  9. Tunneling Heuristics — Tunnel viability + stability
  10. Scoring — 7-dimension weighted confidence score + category

Key Bindings (Dashboard)

Key   Action
q     Quit
e     Export data (JSON + CSV + SQLite)
s     Sort by score
d     Drilldown: inspect the selected IP

Testing

python3 -m pytest . -v

Tests cover scoring, infrastructure detection, identity models, config, and IP cleaning.

Known Limitations

  • QUIC/HTTP-3 probe: aioquic._crypto C extension may hang on some OpenSSL builds. The probe auto-detects this at import via subprocess health check and disables gracefully.
  • UDP probe: Sends a QUIC Initial-like datagram; responses depend on the target's QUIC implementation.
  • OCSP stapling: ssl_obj.get_ocsp_response() is unavailable in Python 3.10; the resulting error is swallowed silently.
  • WebSocket probe: Requires a running WebSocket server on the target.
