System Profiler
The System Profiler collects browser and system fingerprints from visitors to reconnaissance pages hosted by the relay. When a target visits a profiler page (typically disguised as a phishing landing page or a benign web application), JavaScript running in their browser collects detailed system information and sends it to the relay, which forwards it to the Stentor backend for storage and analysis.
Architecture
The profiler is a passive reconnaissance tool. The relay hosts a lightweight HTTP server on a configurable port (PROFILER_PORT) that serves a fingerprinting page. When a visitor loads the page, client-side JavaScript collects system attributes and POSTs them to the relay, which forwards the data to the backend API.
```mermaid
sequenceDiagram
    participant Target as Target Browser
    participant Relay as Relay<br/>(Profiler HTTP)
    participant API as Stentor API
    participant DB as PostgreSQL
    Target->>Relay: GET /profiler (loads page)
    Relay-->>Target: HTML + JavaScript
    Target->>Target: Collect fingerprint data
    Target->>Relay: POST fingerprint JSON
    Relay->>API: POST /api/v1/profiler/visits
    API->>DB: INSERT profiler_visits
    API-->>Relay: 201 Created
```

Collected Data
Each profiler visit captures a comprehensive set of browser and system attributes:
| Field | Type | Description |
|---|---|---|
| id | UUID | Unique visit identifier |
| visitor_ip | string | External IP address of the visitor |
| user_agent | string | Full browser User-Agent string |
| platform | string | Operating system platform (e.g., Win32, Linux x86_64) |
| language | string | Primary browser language (e.g., en-US) |
| languages | string | All accepted languages |
| timezone | string | IANA timezone (e.g., America/New_York) |
| timezone_offset | int | UTC offset in minutes |
| screen_width | int | Screen width in pixels |
| screen_height | int | Screen height in pixels |
| color_depth | int | Display color depth in bits |
| plugins | string | JSON array of installed browser plugins |
| webgl_vendor | string | GPU vendor string from WebGL |
| webgl_renderer | string | GPU renderer string from WebGL |
| internal_ip | string | Internal/private IP address (via WebRTC leak) |
| cookies_enabled | bool | Whether cookies are enabled |
| do_not_track | string | Do Not Track header value |
| hardware_concurrency | int | Number of logical CPU cores |
| device_memory | float | Device RAM in gigabytes |
| relay_id | UUID | Relay that collected the fingerprint (optional) |
| created_at | timestamp | When the visit was recorded |
Internal IP via WebRTC
The internal_ip field captures the visitor's private network address using a WebRTC ICE candidate leak. This reveals the target's LAN IP even when they are behind NAT, which is valuable for network mapping and lateral movement planning.
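Seen from the network being assessed, the fingerprint POST described above is a detectable event. The following is an added example, not Stentor code: it scores decrypted proxy records for JSON bodies that carry the field combination from the table. It assumes the browser-to-relay JSON uses the same key names as the stored fields; the record layout (client, method, host, body), the thresholds, and the sample data are constructed for illustration.

```python
import ipaddress
import json

# Key names from the "Collected Data" table on this page.
FINGERPRINT_KEYS = {
    "user_agent", "platform", "language", "languages", "timezone",
    "timezone_offset", "screen_width", "screen_height", "color_depth",
    "plugins", "webgl_vendor", "webgl_renderer", "internal_ip",
    "cookies_enabled", "do_not_track", "hardware_concurrency", "device_memory",
}
# Keys that seldom appear together in ordinary form or analytics posts.
HIGH_SIGNAL = {"webgl_renderer", "internal_ip", "hardware_concurrency"}

def score_body(body, min_keys=8, min_strong=2):
    """Return a finding dict if a POST body resembles a fingerprint, else None."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(doc, dict):
        return None
    matched = FINGERPRINT_KEYS & doc.keys()
    if len(matched) < min_keys or len(HIGH_SIGNAL & matched) < min_strong:
        return None
    try:
        ip = ipaddress.ip_address(str(doc.get("internal_ip")))
    except ValueError:  # absent, empty, or not a literal address
        ip = None
    leaked = str(ip) if ip is not None and ip.is_private else None
    return {"matched_keys": len(matched), "leaked_private_ip": leaked}

def scan(records):
    """Flag POSTs in decrypted proxy records whose body looks like a fingerprint."""
    findings = []
    for rec in records:
        hit = score_body(rec.get("body")) if rec.get("method") == "POST" else None
        if hit:
            findings.append({"client": rec["client"], "host": rec["host"], **hit})
    return findings

# Constructed sample records; hosts and addresses are placeholders.
_FP = {"user_agent": "Mozilla/5.0 (constructed)", "platform": "Win32",
       "timezone": "America/New_York", "screen_width": 1920, "screen_height": 1080,
       "color_depth": 24, "webgl_vendor": "constructed", "webgl_renderer": "constructed",
       "internal_ip": "192.168.1.105", "hardware_concurrency": 16, "device_memory": 32}
SAMPLE = [
    {"client": "10.0.4.17", "method": "POST", "host": "portal.example.net", "body": json.dumps(_FP)},
    {"client": "10.0.4.22", "method": "POST", "host": "shop.example.com", "body": '{"platform": "web", "cart_id": 42}'},
]
```

`scan(SAMPLE)` flags only the first record and reports the private address it carried. The thresholds trade recall for noise and should be tuned against a baseline of legitimate analytics traffic.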
Visit Statistics
The stats endpoint aggregates visit data into a summary view showing total visits, unique visitor IPs, and a platform breakdown.
Response fields:
| Field | Type | Description |
|---|---|---|
| total_visits | int | Total number of recorded profiler visits |
| unique_ips | int | Count of distinct visitor IP addresses |
| platforms | object | Map of platform strings to visit counts |
Listing Visits
Retrieve collected fingerprints, ordered by most recent first.
```json
[
  {
    "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "visitor_ip": "203.0.113.42",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)...",
    "platform": "Win32",
    "language": "en-US",
    "languages": "en-US,en",
    "timezone": "America/New_York",
    "timezone_offset": 300,
    "screen_width": 1920,
    "screen_height": 1080,
    "color_depth": 24,
    "plugins": "[]",
    "webgl_vendor": "Google Inc. (NVIDIA)",
    "webgl_renderer": "ANGLE (NVIDIA, NVIDIA GeForce RTX 3070...)",
    "internal_ip": "192.168.1.105",
    "cookies_enabled": true,
    "do_not_track": "1",
    "hardware_concurrency": 16,
    "device_memory": 32,
    "relay_id": null,
    "created_at": "2026-02-21T14:30:00Z"
  }
]
```
Query parameters:
| Parameter | Type | Default | Description |
|---|---|---|---|
| limit | int | 100 | Maximum number of visits to return |
Creating Visits
The relay submits fingerprint data via this endpoint. Operators typically do not call this directly -- the relay handles it automatically when a target visits the profiler page.
```bash
curl -s -X POST https://stentor.app/api/v1/profiler/visits \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "visitor_ip": "203.0.113.42",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)...",
    "platform": "Win32",
    "language": "en-US",
    "timezone": "America/New_York",
    "timezone_offset": 300,
    "screen_width": 1920,
    "screen_height": 1080,
    "color_depth": 24,
    "webgl_vendor": "Google Inc. (NVIDIA)",
    "webgl_renderer": "ANGLE (NVIDIA, NVIDIA GeForce RTX 3070...)",
    "internal_ip": "192.168.1.105",
    "cookies_enabled": true,
    "hardware_concurrency": 16,
    "device_memory": 32
  }' | jq
```
Automatic IP detection
If visitor_ip is omitted from the request body, the server automatically uses the client IP from the HTTP request. This is useful when the relay forwards fingerprint data without modifying it.
Clearing Data
Remove all profiler visits. This is a destructive operation that cannot be undone.
Irreversible
Clearing profiler data permanently deletes all collected fingerprints. Consider exporting the data first if you need it for reporting.
UI Features
The Profiler page in the Stentor UI (/profiler) provides:
- Stats cards showing total visits, unique IPs, and platform breakdown
- Fingerprint table with sortable columns for time, visitor IP, internal IP, platform, screen resolution, and GPU
- Expandable rows -- click any row to reveal full fingerprint details including user agent, language, timezone, hardware specs, WebGL info, cookie status, and plugins
- Refresh button to manually reload fingerprint data
- Clear All button with a confirmation dialog to prevent accidental deletion
Relay Configuration
Enable the System Profiler on a relay by setting the PROFILER_PORT environment variable in the relay's .env file:
Set PROFILER_PORT=0 (default) to disable the profiler.
See Relay Management for full relay configuration details.
Use Cases
Pre-Engagement Reconnaissance
Deploy a profiler page before active exploitation begins. Send the link via phishing email or embed it in a watering hole site. Collected data reveals:
- Target OS and browser versions -- helps select appropriate payloads and exploits
- GPU information -- useful for identifying virtual machines (sandbox detection)
- Internal IP addresses -- maps the target's internal network topology via WebRTC leaks
- Hardware specs -- CPU cores and RAM help distinguish servers from workstations
- Timezone and language -- confirms target geography and locale for social engineering
Phishing Campaign Integration
Combine the profiler with phishing campaigns. When a target clicks a phishing link, the profiler page collects fingerprint data before redirecting to the actual phishing content. This provides intelligence even if the target does not fall for the phish.
Sandbox Detection
Analyze profiler visits to identify automated analysis environments:
- Low hardware concurrency (1-2 cores) and limited RAM suggest a sandbox
- Generic or virtualized GPU renderers (e.g., "SVGA3D" or "llvmpipe") indicate a virtual machine
- Unusual timezone/language combinations may indicate a researcher rather than a genuine target
API Summary
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/profiler/visits | List collected fingerprints |
| POST | /api/v1/profiler/visits | Create a new visit record |
| GET | /api/v1/profiler/stats | Get visit statistics |
| DELETE | /api/v1/profiler/visits | Clear all visit data |