```bash
# Install from source
cd /path/to/red-specter-specter-fracture
pip install -e .

# Verify
specter-fracture --version
# specter-fracture 1.0.0

# Initialise auth key
specter-fracture auth init
# Key initialised at ~/.red-specter/specter-fracture/
```
Real AST-based vulnerability detection for Python via PythonASTScanner. Walks the AST to detect dangerous patterns without executing code. GenericScanner provides regex-based detection for JS, TypeScript, Go, PHP, Java, Ruby, and C#.
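To illustrate the AST-walking approach described above, here is an added example; it is not code from SPECTER FRACTURE. The rule set, `scan_source`, and the sample source are assumptions made for illustration; only the `vuln_class` labels are taken from this page.

```python
import ast

# Constructed sample source: parsed only, never executed.
SAMPLE = '''
import subprocess, pickle, yaml

def run(cmd, blob, doc):
    subprocess.run(cmd, shell=True)
    subprocess.run(["ls", "-l"])
    cfg = yaml.load(doc)
    safe = yaml.load(doc, Loader=yaml.SafeLoader)
    return pickle.loads(blob)
'''

SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None

def scan_source(source):
    """Return sorted (line, vuln_class, call) tuples for risky calls (hypothetical rules)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func) or ""
        kwargs = {kw.arg: kw.value for kw in node.keywords}
        if name.startswith("subprocess."):
            shell = kwargs.get("shell")
            # Only a literal shell=True is flagged; a list argv with no shell is not.
            if isinstance(shell, ast.Constant) and shell.value is True:
                findings.append((node.lineno, "command_injection", name))
        elif name in ("pickle.load", "pickle.loads"):
            findings.append((node.lineno, "deserialization", name))
        elif name == "yaml.load":
            # Loader may be passed by keyword or as the second positional argument.
            loader = kwargs.get("Loader") or (node.args[1] if len(node.args) > 1 else None)
            loader_name = (dotted_name(loader) or "") if loader else ""
            if loader_name.split(".")[-1] not in SAFE_LOADERS:
                findings.append((node.lineno, "yaml_unsafe", name))
    return sorted(findings)
```

Matching on the dotted call name misses aliased imports such as `from subprocess import run`; resolving those requires tracking `Import` and `ImportFrom` nodes as well.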
AiCodeDetector scores the probability that code was AI-generated (0.0–1.0) based on: comment density, generic variable names (result, data, response, output, temp), and try/except pass patterns that suppress errors.
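The three signals named above can be extracted as follows. This is an added example, not AiCodeDetector's implementation: the page does not give the weighting, so the equal-weight mean in `score` is an assumption, as are the function names and the constructed sample.

```python
import ast
import io
import tokenize

# Generic variable names listed on this page.
GENERIC = {"result", "data", "response", "output", "temp"}

# Constructed sample source: parsed only, never executed.
SAMPLE = '''\
# Fetch the data
def fetch(url):
    # Initialize result
    result = None
    timeout = 5
    try:
        data = load(url, timeout)
        result = data
    except Exception:
        pass
    return result
'''

def signals(source):
    """Return the three heuristic signals, each in the range 0.0 to 1.0."""
    tree = ast.parse(source)
    code_lines = [ln for ln in source.splitlines() if ln.strip()]
    # tokenize counts real comments only, not '#' characters inside strings.
    tokens = tokenize.generate_tokens(io.StringIO(source).readline)
    comments = sum(1 for tok in tokens if tok.type == tokenize.COMMENT)
    # Distinct names that are assigned to (Store context).
    stored = {n.id for n in ast.walk(tree)
              if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store)}
    handlers = [n for n in ast.walk(tree) if isinstance(n, ast.ExceptHandler)]
    # A handler whose whole body is `pass` suppresses the error silently.
    swallowed = [h for h in handlers
                 if len(h.body) == 1 and isinstance(h.body[0], ast.Pass)]
    return {
        "comment_density": comments / len(code_lines) if code_lines else 0.0,
        "generic_name_ratio": len(stored & GENERIC) / len(stored) if stored else 0.0,
        "swallowed_except_ratio": len(swallowed) / len(handlers) if handlers else 0.0,
    }

def score(source):
    """Equal-weight mean of the signals (assumed weighting, not the tool's)."""
    s = signals(source)
    return round(sum(s.values()) / len(s), 3)
```

The `swallowed_except_ratio` signal is worth reporting on its own: an `except ...: pass` handler hides failures regardless of who or what wrote the code.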
```bash
specter-fracture scan path /path/to/app
specter-fracture scan path /path/to/app --json-out
specter-fracture scan path /path/to/app --save scan.json
```
Cross-references SCAN findings against CVE_CLASS_DB (10 entries) and detects privilege escalation patterns via PRIVESC_PATTERNS (10 regex patterns covering setuid(0), docker socket, K8s serviceaccount token, cloud metadata SSRF, IAM AssumeRole).
```bash
specter-fracture hunt path /path/to/app
specter-fracture hunt path /path/to/app --json-out
```
Active probing of live endpoints with payloads per vulnerability class. Confirmation via error pattern matching, timing (TIMING_THRESHOLD=2.5s for blind detection), and reflection (49 for SSTI). probe_disclosure() checks common debug endpoints.
```bash
specter-fracture probe endpoint http://target/api --vuln sql_injection --param q
specter-fracture probe endpoint http://target/run --vuln command_injection --param cmd --method POST
specter-fracture probe disclosure http://target
```
LLM-augmented exploit generation. When ANTHROPIC_API_KEY is set, calls claude-sonnet-4-6 to generate a custom exploit for the specific vulnerability, target, and endpoint. Falls back to six built-in templates: sql_injection, command_injection, ssti, path_traversal, hardcoded_secret, deserialization.
```bash
specter-fracture forge exploit /path/to/app \
  --vuln command_injection \
  --target http://target \
  --endpoint /api/run \
  --param cmd
```
Assembles findings into a phased kill chain using KILL_CHAIN_PHASE mapping. Generates a syntactically valid Python master script that executes each phase in sequence. WMD class ai_code_chain_exploit triggered when average CVSS across findings ≥8.0. MITRE ATT&CK technique IDs mapped per vuln class. Requires UNLEASHED gate.
```bash
specter-fracture chain build /path/to/app --target http://target
```
Safe subprocess execution of exploits. Writes to a temp file, runs via sys.executable with 15s timeout, checks SUCCESS_INDICATORS per vuln class in stdout+stderr. Timeout itself is a success indicator for blind SQL/command injection. syntax_check() uses ast.parse to validate Python syntax without execution.
```bash
specter-fracture verify exploit /path/to/exploit.py --vuln command_injection
specter-fracture verify syntax /path/to/exploit.py
```
Scans source files and optionally git history for secrets. 26 regex patterns cover all major providers. Shannon entropy analysis flags high-entropy strings ≥4.5 that don't match known patterns. Git history scan uses git log --all + git show against last 200 commits — finds secrets deleted in subsequent commits.
```bash
specter-fracture harvest path /path/to/app
specter-fracture harvest path /path/to/app --git-history
specter-fracture harvest path /path/to/app --json-out
```
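The pattern-then-entropy check described above, sketched as an added example for auditing your own repository; it is not the tool's code. The single `KNOWN` pattern (the AWS access key ID prefix format) stands in for the 26 patterns, which this page does not list, and all sample values are constructed.

```python
import math
import re
from collections import Counter

ENTROPY_THRESHOLD = 4.5  # bits per character, the threshold stated on this page

# Illustrative known-provider pattern; not the tool's pattern list.
KNOWN = {"aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}

# A string of length n has at most log2(n) bits/char, so anything shorter
# than 23 characters can never reach 4.5 and is not worth testing.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_-]{23,}")

# Constructed sample file content; none of these values are real credentials.
SAMPLE = '''\
AWS_KEY = "AKIAEXAMPLEEXAMPLE00"
API_TOKEN = "q7Zp2LmX9vRb4TkW8sHd3NfY6cJg1AeU"
name = "this_is_a_long_function_name"
'''

def shannon_entropy(s):
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(text):
    """Return (line, label) findings: known patterns first, entropy as fallback."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        labels = [label for label, rx in KNOWN.items() if rx.search(line)]
        if labels:
            findings.extend((lineno, label) for label in labels)
            continue  # already classified; skip the entropy fallback
        for token in CANDIDATE.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_string"))
    return findings
```

The structured key on line 1 has low entropy and is caught only by its pattern, while the long identifier on line 3 stays below the threshold, which is why the two checks are used together.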
Ed25519-signed FRC-{hex12} reports via PyNaCl. Risk score 0–10, forced ≥8.5 when any CRITICAL finding present. Per-finding remediation guidance. JSON, Markdown, and text output. report verify checks signature against the stored public key.
```bash
specter-fracture report build /path/to/app --operator red
specter-fracture report build /path/to/app --full --save report.json
specter-fracture report verify report.json
```
Full automation from vulnerability discovery through kill chain assembly. Requires UNLEASHED gate clearance, --confirm-destroy flag, and an operator key. Produces an Ed25519-signed FRC-{hex12} report.
```bash
specter-fracture auth create-scope --tier UNLEASHED --target /path/to/app
specter-fracture annihilate /path/to/app \
  --operator red \
  --confirm-destroy \
  --key ~/.red-specter/specter-fracture/operator.key
```
| Gate | Commands | Auth Required |
|---|---|---|
| OPEN | scan, report build/verify, auth status | None |
| INJECT | hunt, probe, forge, verify, harvest | Ed25519 scope token (INJECT tier) |
| UNLEASHED | chain, annihilate | Ed25519 scope token (UNLEASHED tier) + --confirm-destroy |

| CVE / CWE | vuln_class | CVSS | Framework |
|---|---|---|---|
| CVE-2025-67644 | sql_injection | 9.0 | LangGraph |
| CVE-2025-68664 | deserialization | 9.3 | LangChain |
| CVE-2026-34070 | path_traversal | 7.5 | LangChain |
| CVE-2026-25592 | ssrf | 9.1 | Semantic Kernel .NET |
| CVE-2026-26030 | ssti | 8.8 | Semantic Kernel Python |
| CVE-2017-18342 | yaml_unsafe | 9.8 | PyYAML |
| CWE-78 | command_injection | 10.0 | Python subprocess |
| CWE-798 | hardcoded_secret | 9.3 | All |
| CWE-918 | ssrf | 7.7 | All |
| CVE-2026-44338 | missing_auth | 7.5 | PraisonAI/Generic |
Five WMD classification values registered in NIGHTFALL ARMORY v6.4.0. Triggered by confirmed kill chains with average CVSS ≥8.0. Require UNLEASHED gate clearance in wmd_scope.json.
```
ai_code_rce
ai_code_secret_exfil
ai_code_chain_exploit
ai_code_supply_chain_compromise
ai_code_privesc
```
| vuln_class | MITRE ATT&CK | OWASP |
|---|---|---|
| command_injection | T1059 — Command and Scripting Interpreter | LLM02 Insecure Output Handling |
| sql_injection | T1190 — Exploit Public-Facing Application | LLM02 Insecure Output Handling |
| hardcoded_secret | T1552 — Unsecured Credentials | LLM09 Overreliance |
| deserialization | T1059.006 — Python | LLM02 Insecure Output Handling |
| ssrf | T1548 — Abuse Elevation Control Mechanism | LLM07 System Prompt Leakage |
| ssti | T1059 — Command and Scripting Interpreter | LLM02 Insecure Output Handling |
| path_traversal | T1083 — File and Directory Discovery | LLM06 Excessive Agency |

SPECTER FRACTURE offensive findings map directly to AI Shield defensive modules: