NIGHTFALL Documentation

Red Specter NIGHTFALL

AI Offensive Framework — 34 tools. 19 attack chains. 50,387 tests. One install. One CLI.

v1.0.0
Contents
Overview Installation Quick Start CLI Reference The 34 Tools Attack Chain Presets UNLEASHED Mode Destruction Presets Ed25519 Cryptographic Override Engagement Management Reporting Docker Deployment Disclaimer

Overview

NIGHTFALL is the unified offensive security framework from Red Specter Security Research. 34 tools covering every attack surface — from OSINT and reconnaissance through AI model corruption, deepfake weaponisation, and cloud AI infrastructure exploitation. Every tool works standalone. NIGHTFALL connects them all under one CLI with attack chains, engagement management, Ed25519 signed reports, and a full audit trail.

Welcome to NIGHTFALL. Bring your targets.

Installation

Quick Install

$ git clone git@github.com:RichardBarron27/red-specter-ai-offensive-framework.git
$ cd red-specter-ai-offensive-framework
$ ./install.sh

Package Managers

# Debian / Ubuntu / Kali
$ sudo dpkg -i dist/red-specter_1.0.0_all.deb

# RHEL / Fedora
$ sudo rpm -i dist/red-specter-1.0.0.rpm

# Arch / BlackArch
$ sudo pacman -U dist/red-specter-1.0.0.pkg.tar.zst

macOS

# Pure Python — works natively on macOS
$ git clone git@github.com:RichardBarron27/red-specter-ai-offensive-framework.git
$ cd red-specter-ai-offensive-framework
$ pip install -e .
$ red-specter tools

Windows

# Python 3.11+ required — or use Docker Desktop
> git clone git@github.com:RichardBarron27/red-specter-ai-offensive-framework.git
> cd red-specter-ai-offensive-framework
> pip install -e .
> red-specter tools

Docker (any platform)

# Works on Linux, macOS, and Windows with Docker Desktop
$ docker compose up -d
# API: http://localhost:8000
# CLI: docker exec -it rs-tools red-specter tools

All 34 tools are pure Python with no platform-specific dependencies. The entire framework runs natively on Linux, macOS, and Windows.

Quick Start

# See everything in 10 seconds
$ red-specter quickstart

# Run a tool directly
$ red-specter run forge full-scan -t https://target.com
$ red-specter run wraith scan 10.0.0.1 -p top1000
$ red-specter run nemesis engage target.com --mode abyss

# Start a full engagement
$ red-specter engage 192.168.1.0/24 --name "Internal Pentest" --chain infra

# Run an attack chain
$ red-specter chain full-recon -t 192.168.1.1

# Interactive tool selector
$ red-specter tools

CLI Reference

CommandDescription
red-specter quickstartQuick reference — common workflows in one view
red-specter run <tool> <args>Run any tool directly — all args passed through
red-specter engage <target>Start engagement project with target, scope, and chain
red-specter chain <preset> -t <target>Execute an attack chain preset
red-specter chain --listList all 19 chain presets
red-specter toolsInteractive 34-tool selector
red-specter arsenalKill chain view — 13 phases, all tools mapped
red-specter search <keyword>Find tools by capability, description, or category
red-specter statusInstallation status of all 34 tools
red-specter verifyVerify all 34 tools respond
red-specter history --projectsList engagement projects
red-specter report --project <ID>Generate Ed25519 signed report (HTML/JSON/CSV)
red-specter export audit -o audit.csvExport audit trail
red-specter configView and set framework configuration
red-specter updateCheck all tools for updates
red-specter unleashed --infoUNLEASHED mode details
red-specter doctorDiagnose installation issues
red-specter versionVersion information

The 34 Tools

#ToolCLIDomainTests
01FORGEforgeLLM Attack Framework9,298
02ARSENALarsenalAgent Attack Framework2,539
03PHANTOMphantomSwarm Intelligence288
04POLTERGEISTpoltergeistWeb Application Testing1,189
05GLASSglassIntercepting Proxy850
06NEMESISnemesisReasoning Engine (40 Entities)2,011
07SPECTER SOCIALspecter-socialSocial Engineering1,242
08PHANTOM KILLphantom-killOS & Firmware Attacks571
09GOLEMgolemPhysical Security973
10HYDRAhydraSupply Chain Attacks1,039
11IDRISidrisIdentity & Discovery553
12SCREAMERscreamerDisplay Disruption395
13WRAITHwraithInfrastructure Pentest889
14REAPERreaperExploit & Post-Exploitation5,267
15GHOULghoulPassword Cracking1,408
16DOMINIONdominionActive Directory Attacks1,866
17SHADOWMAPshadowmapOSINT & Target Intel930
18BANSHEEbansheeBrowser Exploitation986
19WRAITH MINDwraith-mindAI Model Corruption158
20KRAKENkrakenAI-Orchestrated DDoS62
21HARBINGERharbingerGuardrail Exploitation71
22SIRENsirenIndirect Prompt Injection58
23BLADE RUNNERblade-runnerRogue Agent Termination143
24PROXY WARproxy-warInter-Agent Trust Manipulation127
25ORIONorionAI-Native Reconnaissance210
26RAVENravenThreat Intelligence Assistant174
27LEVIATHANleviathanMCP Server Security409
28JUSTICEjusticeDark AI Disruption339
29KAMIKAZEkamikazeSacrificial Swarm Attack292
30MIRAGEmirageAI Deception & Deepfake204
31ECHOrs-echoAI Memory & RAG Poisoning211
32MIMICmimicAI Code Generation Poisoning220
33CHIMERAchimeraMulti-Model Pipeline Attack206
34VORTEXvortexCloud AI Infrastructure245

Attack Chain Presets

19 pre-built attack chains. One command, multiple tools, automatic sequencing.

PresetCommandPipeline
full-reconred-specter chain full-recon -t <target>ORION → SHADOWMAP → WRAITH → IDRIS
ai-auditred-specter chain ai-audit -t <target>FORGE → ARSENAL → NEMESIS → HYDRA
web-appred-specter chain web-app -t <target>POLTERGEIST → GLASS → WRAITH → BANSHEE → REAPER
active-directoryred-specter chain active-directory -t <target>DOMINION → GHOUL → DOMINION → DOMINION
infrared-specter chain infra -t <target>ORION → WRAITH → REAPER → DOMINION
osintred-specter chain osint -t <target>SHADOWMAP → RAVEN → ORION → IDRIS
passwordred-specter chain password -t <target>REAPER → GHOUL
social-engred-specter chain social-eng -t <target>SHADOWMAP → SPECTER SOCIAL → SPECTER SOCIAL
mcp-securityred-specter chain mcp-security -t <target>LEVIATHAN → PROXY WAR → BLADE RUNNER
dark-aired-specter chain dark-ai -t <target>JUSTICE → KAMIKAZE → BLADE RUNNER
deceptionred-specter chain deception -t <target>MIRAGE (scan → voice → face → liveness)
rag-poisonred-specter chain rag-poison -t <target>ECHO (scan → vector → embed → retrieve → memory)
codegenred-specter chain codegen -t <target>MIMIC (scan → suggest → inject → review)
pipeline-attackred-specter chain pipeline-attack -t <target>CHIMERA (map → chain → cascade → ensemble)
cloud-aired-specter chain cloud-ai -t <target>VORTEX (discover → config → theft → exfil)

UNLEASHED Mode

Every tool has three modes. Standard detects. UNLEASHED destroys.

ModeFlagsBehaviour
Standard(none)Detection, analysis, reporting. No exploitation. No payloads.
Dry Run--overridePlans full engagement. Shows what would work. Ed25519 required. No execution.
Live--override --confirm-destroyFull exploitation. Real payloads. Destructive. Cryptographic key required.

Every tool execution in NIGHTFALL passes through the UNLEASHED gate. The gate prompts for confirmation before any tool runs. Info commands (--help, weapons, techniques, status) bypass the gate automatically.

UNLEASHED Destruction Presets

4 pre-built destruction chains. Standard chains scan and report. These chains destroy.

PresetCommandWhat It Does
ANNIHILATEred-specter chain annihilate -t <target>9 tools. Total destruction. Recon → web → exploit → crack → AD → browser → OS kill. Everything hit. Nothing left.
SCORCHED EARTHred-specter chain scorched-earth -t <target>6 tools. Infrastructure wipeout. Recon → exploit → DCSync → OS kill → sacrificial swarm.
WEB DESTROYred-specter chain web-destroy -t <target>6 tools. Web app total compromise. Recon → web scan → browser exploit → full exploit → crack hashes.
AI DESTROYred-specter chain ai-destroy -t <target>7 tools. AI stack total compromise. LLM → agent → injection → guardrail → model corruption → RAG poison → code gen poison.

Ed25519 Cryptographic Override

One private key exists. It never leaves the operator's machine. Every UNLEASHED execution requires a cryptographic challenge signed with that key. No key, no destruction. No exceptions.

The key cannot be copied, shared, or delegated. One key. One operator. One machine. Every action is signed, timestamped, and written to an immutable Ed25519 audit chain. The audit trail is cryptographically linked — tampering with any entry invalidates the entire chain.

How It Works

Engagement Management

# Start an engagement
$ red-specter engage 192.168.1.0/24 --name "Internal Pentest" --chain infra

# With specific tools
$ red-specter engage target.com --tools forge,arsenal,nemesis

# View engagement history
$ red-specter history --projects

# View specific engagement
$ red-specter history --project <ID>

Engagements track targets, sessions, tool executions, findings, and timing. All persisted to disk. All exportable.

Reporting

# Generate Ed25519 signed HTML report
$ red-specter report --project <ID>

# JSON export
$ red-specter report --project <ID> --format json

# Verify report signature
$ red-specter verify-report report.html

# Export audit trail
$ red-specter export audit --format csv -o audit.csv

Docker Deployment

# Full platform
$ docker compose up -d

# Access
# API: http://localhost:8000
# CLI: docker exec -it rs-tools red-specter tools

# Stop
$ docker compose down

Three containers: Redis (session store), Backend (FastAPI + 34 adapters), Tools (all 34 CLIs installed).

Disclaimer

AUTHORISED USE ONLY. NIGHTFALL and all Red Specter offensive tools are designed exclusively for authorised penetration testing, red team engagements, CTF competitions, and security research. All tool executions are cryptographically signed and logged. Unauthorised use is prohibited and may violate applicable law. Use responsibly and within scope of authorisation.