Web & Database Annihilation Engine. SQLi discovery → RCE → irreversible data destruction. MySQL, MSSQL, PostgreSQL, MongoDB, S3. DESTROY gate with Ed25519 + ROE. GZ-signed reports.
SPECTER GROUND ZERO takes the vulnerability findings from REAPER and escalates them to actual, irreversible destruction. Where REAPER finds injection points, GROUND ZERO weaponises them: stacked queries drop databases, INTO OUTFILE writes webshells, xp_cmdshell deletes filesystem artifacts, S3 credentials get scorched.
Every operation is gated behind the four-tier NIGHTFALL gate system. Enumeration is OPEN. Infiltration is INJECT. Log clearing is UNLEASHED. Actual wipe is DESTROY — requiring exact confirmation string, Ed25519 private key, and optionally a signed ROE file. Every report is GZ-{hex12} Ed25519 signed.
DESTROY gate is irreversible. Data wiped by GROUND ZERO cannot be recovered without a prior backup. This tool is designed for authorised penetration testing only. Misuse is criminal. Defensive pair: M142 DATA ANNIHILATION SENTINEL.
Discovers injection points via boolean, time, union, error, stacked query probes. Detects DB type from error signatures (MySQL/MSSQL/PostgreSQL/SQLite/MongoDB). Queries @@secure_file_priv to determine INTO OUTFILE viability. Assesses wipe feasibility: HIGH/MEDIUM/LOW/NONE.
Establishes execution path. Three paths: (1) Stacked queries — MSSQL enables xp_cmdshell via sp_configure; PostgreSQL/MySQL enumerate DBs/tables. (2) INTO OUTFILE — writes gz_*.php webshell to COMMON_WEB_ROOTS, verifies with echo GZ_SHELL_OK. (3) NoSQL — MongoDB deleteMany operator injection.
Post-infiltration credential harvest: env vars, .aws/credentials, wp-config.php, MySQL user table. Plants cron persistence (/etc/cron.d/gz_persist) and systemd unit (svc-update.service) with C2 beacon. Windows: schtasks + scheduled PowerShell beacon.
The wipe engine. Direct DB: TRUNCATE TABLE (MySQL SET FOREIGN_KEY_CHECKS=0 / PostgreSQL CASCADE), DROP DATABASE. Injection: stacked DROP DATABASE / TRUNCATE per table. Filesystem: webshell rm -rf /var/www/html/* / xp_cmdshell del /s /q. S3: paginated deleteMany per bucket. Before/after checksums (CHECKSUM TABLE / md5) programmatically confirm wipe.
Clears Apache/nginx/MySQL/auth/WAF logs via webshell. Unsets shell history (HISTFILE, HISTSIZE=0). Self-deletes webshell via find /var/www -name 'gz_*.php' -delete. Windows: wevtutil cl Application/Security/System, SQL Server error log cycle.
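A host-side hunt for the on-disk artifacts the two sections above name (gz_*.php webshells under the web root, the /etc/cron.d/gz_persist cron file and the svc-update.service systemd unit), written as an added Go example rather than the tool's own code; it matches on relative path suffixes so the same scan runs against a mounted disk image as well as a live root, and the names are treated as indicators that warrant inspection, not as proof on their own.

```go
package main

import (
	"io/fs"
	"path/filepath"
	"strings"
)

type Finding struct {
	Path   string
	Reason string
}

// artifactRules maps the README's documented artifacts to a classifier. Rules
// see the path relative to the scan root, so "/mnt/image" works like "/".
var artifactRules = []struct {
	reason string
	match  func(rel string) bool
}{
	{"webshell (gz_*.php)", func(rel string) bool {
		ok, _ := filepath.Match("gz_*.php", filepath.Base(rel))
		return ok
	}},
	{"cron persistence (etc/cron.d/gz_persist)", func(rel string) bool {
		return strings.HasSuffix(rel, "etc/cron.d/gz_persist")
	}},
	{"systemd persistence (svc-update.service)", func(rel string) bool {
		return filepath.Base(rel) == "svc-update.service" && strings.Contains(rel, "systemd")
	}},
}

// ScanForArtifacts walks root and returns every file matching one of the rules.
func ScanForArtifacts(root string) ([]Finding, error) {
	var found []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, werr error) error {
		if werr != nil || d.IsDir() {
			return nil // unreadable entries are skipped rather than aborting the scan
		}
		rel, _ := filepath.Rel(root, p)
		for _, rule := range artifactRules {
			if rule.match(filepath.ToSlash(rel)) {
				found = append(found, Finding{Path: p, Reason: rule.reason})
				break
			}
		}
		return nil
	})
	return found, err
}
```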
GZ-{hex12} Ed25519-signed JSON. Contains: target, session_id, db_type, execution_path, enumeration (injection_points, feasibility), annihilation (before/after row counts, checksums, wipe_confirmed), sabotage (fields_modified, corruption_confirmed), cover actions, session log, errors. WMD classes and MITRE ATT&CK T1485/T1561/T1489 mapped.

| DB Type | Injection Path | Annihilation Method | Feasibility Condition |
|---|---|---|---|
| MySQL | INTO OUTFILE webshell | Webshell rm -rf + backup purge | secure_file_priv = '' or NULL |
| MySQL | Stacked queries | DROP DATABASE + TRUNCATE TABLE | Stacked queries supported by driver |
| MSSQL | Stacked + xp_cmdshell | del /s /q + DROP DATABASE | sa or sysadmin role |
| PostgreSQL | Stacked queries | TRUNCATE TABLE CASCADE | superuser or table owner |
| MongoDB | NoSQL $ne:null operator | deleteMany across all collections | Unauthenticated endpoint |
| Any (cloud) | Credential harvest via ESCALATE | S3 paginated delete per bucket | s3:DeleteObject permission |

| Class | Description | MITRE |
|---|---|---|
| sql_database_annihilation | Complete relational DB wipe via TRUNCATE/DROP with programmatic before/after verification | T1485 |
| nosql_mass_deletion | MongoDB deleteMany $ne:null across all collections | T1485 |
| filesystem_wipe | Web root annihilation via webshell rm -rf or xp_cmdshell del /s /q | T1561 |
| backup_purge | find + delete *.bak, *.dump, *.sql.gz, *.tar — removes recovery options | T1485 |
| enterprise_denial_of_service | Service unavailability through combined DB wipe + filesystem destruction | T1489 |
| irreversible_data_destruction | Data removed without transaction log — no rollback path | T1485 |
| cloud_storage_scorched_earth | Paginated S3 bucket wipe using harvested IAM credentials | T1485 |
| log_forensic_erasure | Apache/nginx/MySQL/WAF/auth log truncation + self-delete | T1485 |

```bash
# Install
pip install red-specter-specter-ground-zero

# Generate Ed25519 key
specter-ground-zero keygen

# Prepare ROE file
echo "data destruction authorised for target dvwa.local — pentesting engagement" > roe.txt

# Step 1: Enumerate
specter-ground-zero enum "http://dvwa.local/?id=1" -o enum.json

# Step 2: Infiltrate
specter-ground-zero infiltrate "http://dvwa.local/?id=1" id --db-type mysql -o session.json

# Step 3: Full kill chain (DESTROY gate)
specter-ground-zero chain "http://dvwa.local/?id=1" \
  --confirm "I UNDERSTAND THIS WILL IRREVERSIBLY DESTROY DATA" \
  --key ~/.specter/ground_zero/signing_key.pem \
  --roe roe.txt \
  --db-host 127.0.0.1 --db-user root --db-pass "" --db-name dvwa \
  -o gz-report.json
```
Three requirements must all be met before any destructive operation executes:

1. Confirmation string: the exact string I UNDERSTAND THIS WILL IRREVERSIBLY DESTROY DATA. Case-sensitive, no leading/trailing spaces.
2. Ed25519 private key: generate with specter-ground-zero keygen. The key must be a valid Ed25519 PEM file. It proves operator identity and is embedded in signed reports.
3. ROE file: must contain the phrase data destruction authorised (case-insensitive). Provides a legal paper trail. Stored in report metadata.
Reports are GZ-{hex12} Ed25519-signed. Signature covers all report fields deterministically (canonical JSON, sorted keys). Tampering with any field breaks signature verification.
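Checking a report's integrity after the engagement, as an added Go example and not the tool's own verifier: it assumes the report is a JSON object in which the signature and the operator's public key sit beside the report fields as hex strings named signature and public_key, and that the signed bytes are the sorted-key JSON of every field except signature (the real report layout may differ). With that layout, an auditor can confirm that none of the recorded counts, checksums or gate metadata were altered after signing.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Report is a GZ-style report as a JSON object; assumed layout: hex "signature" and "public_key" fields.
type Report map[string]interface{}

// canonical returns the bytes the signature covers: every field except
// "signature", serialised by encoding/json, which sorts map keys at every level.
func canonical(r Report) ([]byte, error) {
	payload := make(map[string]interface{}, len(r))
	for k, v := range r {
		if k != "signature" {
			payload[k] = v
		}
	}
	return json.Marshal(payload)
}

// SignReport embeds the operator's public key, then signs the canonical payload.
func SignReport(r Report, priv ed25519.PrivateKey) error {
	r["public_key"] = hex.EncodeToString(priv.Public().(ed25519.PublicKey))
	msg, err := canonical(r)
	if err == nil {
		r["signature"] = hex.EncodeToString(ed25519.Sign(priv, msg))
	}
	return err
}

// VerifyReport recomputes the canonical payload and checks the embedded
// signature with the embedded key; any edited field changes the bytes and fails.
func VerifyReport(r Report) error {
	sigHex, _ := r["signature"].(string)
	pubHex, _ := r["public_key"].(string)
	sig, err1 := hex.DecodeString(sigHex)
	pub, err2 := hex.DecodeString(pubHex)
	if err1 != nil || err2 != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("missing or malformed signature/public_key")
	}
	msg, err := canonical(r)
	if err == nil && !ed25519.Verify(ed25519.PublicKey(pub), msg, sig) {
		err = errors.New("signature mismatch: report altered or wrong key")
	}
	return err
}
```

The canonical form (key order, number formatting, string escaping) must match the signer byte for byte; this example uses Go's encoder, so adapt canonical to the tool's actual serialisation before relying on it.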