The tool was developed as part of research into identifying proxies and VPNs by detecting fingerprint mismatches.
The script executes a scoring function (score_fp) that outputs an average probability distribution across multiple OS classes. For example, if a fingerprint closely resembles a Linux kernel structure but shares traits with Google's mobile OS, a security checkpoint using the tool will report a split breakdown:

Target Operating System    Score Probability
Linux
Windows
macOS
The system looks at the very first "SYN" packet a device sends to start a connection. It assigns point values to different network header fields based on how closely they match known patterns of various operating systems. Key fields analyzed for scoring include:
This reveals the presence and density of customized parameters tacked onto the end of the standard 20-byte TCP header block.
Developers looking to integrate these security scoring algorithms into their own web application infrastructure or firewall layers can review the NikolaiT Zardaxt Repository on GitHub. The codebase provides the fundamental structures for raw packet parsing, normalization algorithms, and database mapping scripts.
You can query this endpoint with standard HTTP GET requests. The simplest call returns the OS score for the client IP address that made the request:
The engine normalizes parameters to strip out external network factors. For instance, because routers decrement the TTL field at every hop, the engine rounds the received TTL upward to the nearest canonical starting limit (64, 128, or 255).
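The normalization step described above, as an added example that is not code from the Zardaxt repository: it parses a raw IPv4/TCP SYN, rounds the observed TTL up to 64, 128 or 255, and reports the TCP options that follow the 20-byte header. The function names and the sample packet (documentation-range addresses) are constructed for illustration.

```python
import struct

CANONICAL_TTLS = (64, 128, 255)  # starting values named in the text above

def normalize_ttl(observed):
    """Round an observed TTL up to the nearest canonical initial TTL."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL out of range")
    return next(t for t in CANONICAL_TTLS if observed <= t)

def parse_syn(packet):
    """Extract the TTL and TCP option layout from a raw IPv4 packet carrying a SYN."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        raise ValueError("no complete TCP header")
    tcp = packet[ihl:]
    if tcp[13] & 0x12 != 0x02:                   # SYN set, ACK clear
        raise ValueError("not an initial SYN")
    data_offset = (tcp[12] >> 4) * 4             # TCP header length in bytes
    if data_offset < 20 or data_offset > len(tcp):
        raise ValueError("bad TCP data offset")
    opts, kinds, i = tcp[20:data_offset], [], 0  # everything past the fixed 20 bytes
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # End of Option List
            break
        size = 1 if kind == 1 else (opts[i + 1] if i + 1 < len(opts) else 0)
        if (kind != 1 and size < 2) or i + size > len(opts):
            raise ValueError("malformed TCP option")
        kinds.append(kind)
        i += size
    return {"ttl_observed": packet[8], "ttl_initial": normalize_ttl(packet[8]),
            "options_len": len(opts), "option_kinds": kinds}

def build_sample_syn(ttl=52):
    """Constructed sample SYN: MSS, SACK-permitted, timestamps, NOP, window scale."""
    options = (struct.pack("!BBH", 2, 4, 1460) + bytes([4, 2])
               + struct.pack("!BBII", 8, 10, 1, 0) + bytes([1]) + bytes([3, 3, 7]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                      (5 + len(options) // 4) << 4, 0x02, 64240, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + tcp

if __name__ == "__main__":
    print(parse_syn(build_sample_syn()))
```

A TTL of 52 observed at the server normalizes to 64, so the hop count does not change the value that gets compared against known fingerprints.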
NikolaiT/zardaxt: Passive TCP/IP Fingerprinting Tool ... - GitHub