GPU-Accelerated Autonomous Credential Intelligence Engine. Ingest from GHOST/REAPER/CODEX. Classify 15+ hash types. Crack on RTX 3090. Validate 13 API providers. Feed WARLORD.
SPECTER RAPTOR is the NIGHTFALL framework's GPU-accelerated autonomous credential intelligence engine. It ingests structured JSON output from upstream NIGHTFALL tools (GHOST, REAPER, CODEX, CHARYBDIS), classifies every credential by type, cracks hashes using the local RTX 3090 via Hashcat, validates API keys against 13 live provider endpoints, extracts JWT secrets, and feeds all validated credentials into the WARLORD registry with blast-radius scores and suggested next-tool routing.
RAPTOR does not require network access for hash cracking — it operates entirely on the local machine using GPU compute. API validation requires INJECT gate and a live RAPTOR_KEY Ed25519 PEM. Full WARLORD feed + autonomous pivot requires UNLEASHED gate.
SPECTER RAPTOR is a NIGHTFALL controlled adversarial testing tool. Validation against live credentials requires prior written authorisation. INJECT gate: RAPTOR_KEY Ed25519 PEM required. UNLEASHED gate: "I UNDERSTAND THESE ARE LIVE CREDENTIALS".
Consumes JSON from GHOST/REAPER/CODEX/CHARYBDIS. Detects 35 credential types via regex patterns. API keys (13 providers), JWT (HS/RS/ES/PS), hashes (15+ types), Bearer tokens, MCP tokens. Priority-scored IntelProfile fleet.
Maps every hash to its Hashcat mode. bcrypt ($2b) → 3200. NTLM → 1000. NetNTLMv2 regex → 5600. SHA-512 (128 hex) → 1700. Argon2 → non-crackable (flagged). JWT asymmetric (RS/ES/PS) → algorithm warning, skip.
deepseek-r1:7b via local Ollama (CPU inference, avoids VRAM conflict). Org name + domain + developer names + AI/ML patterns. Leet substitution (a→@, e→3, i→1, o→0, s→$). Suffix/prefix mutation stack.
RTX 3090 Hashcat subprocess. Temperature monitoring: warn 85°C, pause 90°C. --workload-profile 3. Rules: best64, dive, T0XlCv2. rockyou + targeted org wordlist from WORDLIST-FORGE. MD5 exhausted sub-second.
13 providers: OpenAI, Anthropic, AWS, GCP, Azure, GitHub, GitLab, Slack, Jira, Cohere, Mistral, HuggingFace, Together. Blast radius: AWS=10, GCP/Azure=9, GitHub=8, Anthropic/OpenAI=7–8. X-OAuth-Scopes harvest on GitHub.
JWT HS256/384/512 → Hashcat mode 16500 + pure Python HMAC fallback. RS/ES/PS → algorithm warning, skip. Session cookie entropy analysis (Shannon <3.5 = HIGH). MCP token fingerprinting. Bearer JWT decode.
VALID_ACTIVE registry filter + blast radius DESC sort + suggested_next_tool routing manifest. CHARYBDIS (cloud IAM), GHOST (API keys), LEVIATHAN (MCP), APEX (orchestrators), PARASITE (Bearer). Ed25519 signed.
RPT-{hex12} Ed25519-signed reports. Intel summary, hash crack stats, validation results, token profiles, WARLORD manifest, GPU performance stats. MITRE T1110/T1555/T1528/T1552 mapping. 5 WMD classes.
| Gate | Requirement | Unlocks |
|---|---|---|
OPEN | None | INGEST-INTEL, CLASSIFY-HASH, WORDLIST-FORGE, REPORT |
INJECT | RAPTOR_KEY env var (Ed25519 PEM path) | CRACK-ENGINE, API-KEY-VALIDATE, TOKEN-CRACK |
UNLEASHED | RAPTOR_KEY + exact string "I UNDERSTAND THESE ARE LIVE CREDENTIALS" | FEED-WARLORD (live WARLORD registry population) |
| Hash Type | Hashcat Mode | RTX 3090 Speed | Notes |
|---|---|---|---|
| MD5 | 0 | ~60 GH/s | rockyou <1s |
| SHA-1 | 100 | ~22 GH/s | |
| SHA-256 | 1400 | ~10 GH/s | |
| SHA-512 | 1700 | ~3 GH/s | |
| NTLM | 1000 | ~100 GH/s | AD domain admin |
| NetNTLMv1 | 5500 | ~60 GH/s | Responder capture |
| NetNTLMv2 | 5600 | ~3 GH/s | Responder capture |
| bcrypt | 3200 | ~100 kH/s | Slow — hours/days |
| scrypt | 8900 | ~1 MH/s | |
| Argon2 | N/A | N/A | Not crackable — flagged |
| WPA2 | 22000 | ~1 MH/s | Requires PCAP |
| Django PBKDF2 | 10000 | ~500 kH/s | |
| WordPress md5crypt | 400 | ~50 MH/s | |
| JWT HS256/384/512 | 16500 | ~1 GH/s | HMAC brute force |
| JWT RS/ES/PS | N/A | N/A | Asymmetric — warning + skip |
# GHOST harvests NHI credentials
specter-ghost harvest --output ghost_intel.json
# RAPTOR ingests, classifies, cracks, validates
specter-raptor ingest ghost_intel.json --source ghost
specter-raptor crack --all --wordlist-forge --confirm "I UNDERSTAND THESE ARE LIVE CREDENTIALS"
specter-raptor validate-keys --all
specter-raptor feed-warlord --confirm "I UNDERSTAND THESE ARE LIVE CREDENTIALS"
# CHARYBDIS pivots on cloud IAM keys
charybdis engage --from-warlord --filter-type aws_iam
| Technique | Name | Subsystem |
|---|---|---|
| T1110 | Brute Force | CRACK-ENGINE |
| T1555 | Credentials from Password Stores | INGEST-INTEL, API-KEY-VALIDATE |
| T1528 | Steal Application Access Token | TOKEN-CRACK, FEED-WARLORD |
| T1552 | Unsecured Credentials | INGEST-INTEL, CLASSIFY-HASH |
M157 CREDENTIAL INTELLIGENCE SENTINEL (planned) — detects credential classification, hash cracking attempts, mass API key validation, and WARLORD registry population.