GPU-Accelerated Autonomous Credential Intelligence Engine. CLI reference, gate architecture, hash type table, API provider coverage, WARLORD feed, kill chain integration.
git clone git@github.com:RichardBarron27/red-specter-specter-raptor.git cd red-specter-specter-raptor pip install -e . specter-raptor --help
SPECTER RAPTOR operates on a 3-tier gate system. INJECT requires a valid Ed25519 PEM key at RAPTOR_KEY. UNLEASHED requires the exact confirmation string.
| Gate | Environment | Confirmation | Unlocks |
|---|---|---|---|
OPEN | None required | None | INGEST-INTEL, CLASSIFY-HASH, WORDLIST-FORGE, REPORT |
INJECT | RAPTOR_KEY=/path/to/key.pem | None | CRACK-ENGINE, API-KEY-VALIDATE, TOKEN-CRACK |
UNLEASHED | RAPTOR_KEY required | "I UNDERSTAND THESE ARE LIVE CREDENTIALS" | FEED-WARLORD |
# Generate Ed25519 key
python -c "
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.hazmat.primitives.serialization import Encoding, NoEncryption, PrivateFormat
k = Ed25519PrivateKey.generate()
open('raptor.pem','wb').write(k.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption()))
"
export RAPTOR_KEY=$(pwd)/raptor.pem
specter-raptor ingest <path> --source <ghost|reaper|codex|charybdis|manual> specter-raptor ingest ghost_output.json --source ghost specter-raptor ingest reaper_scan.json --source reaper
Ingests structured JSON from NIGHTFALL upstream tools. Detects all credential types automatically. Outputs priority-scored IntelProfile list.
specter-raptor classify <hash> specter-raptor classify "5f4dcc3b5aa765d61d8327deb882cf99" specter-raptor classify "\$2b\$12\$LqvFQP..."
Classifies a single hash, returns type, Hashcat mode, estimated RTX 3090 crack time, and whether it is crackable.
specter-raptor wordlist-forge --target "AcmeCorp" --domain acme.com \
--extra-context "kubernetes devops jenkins" --output wordlist.txt
Uses deepseek-r1:7b via local Ollama (CPU inference) to generate a targeted wordlist. Applies leet substitution and suffix/prefix mutations.
specter-raptor crack --hash <hash> --wordlist wordlist.txt specter-raptor crack --hash-file hashes.txt --wordlist-forge --target "AcmeCorp" specter-raptor crack --hash-file hashes.txt --mode dict --rules best64 dive
Runs Hashcat on the local GPU. Requires INJECT gate. Temperature monitoring active throughout.
specter-raptor validate-keys --keys keys.txt specter-raptor validate-keys --keys keys.txt --providers openai anthropic aws specter-raptor validate-keys --keys keys.txt --all-providers
Validates API keys against live provider endpoints. Requires INJECT gate. Reports blast radius and active permissions.
specter-raptor crack-tokens --token <jwt_or_cookie> specter-raptor crack-tokens --token "eyJ..." --wordlist wordlist.txt specter-raptor crack-tokens --token "eyJ..." --use-hashcat
Cracks JWT HS* secrets via Hashcat (mode 16500) or pure Python HMAC. Detects asymmetric algorithms and issues warning.
specter-raptor feed-warlord \
--confirm "I UNDERSTAND THESE ARE LIVE CREDENTIALS" \
--session-id sess-$(date +%s)
Feeds all VALID_ACTIVE credentials into the WARLORD SQLite registry. Requires UNLEASHED gate. Outputs routing manifest by suggested_next_tool.
specter-raptor report --output report.json specter-raptor report --output report.txt --format text
Generates an RPT-{hex12} Ed25519-signed report. Includes intel summary, crack stats, validation results, WARLORD manifest, and GPU performance.
specter-raptor engage \
--intel ghost_output.json \
--source ghost \
--wordlist-forge-target "AcmeCorp" \
--confirm "I UNDERSTAND THESE ARE LIVE CREDENTIALS"
Full engagement mode. Runs all 8 subsystems in sequence: ingest → classify → forge → crack → validate → crack-tokens → feed-warlord → report.
| Provider | Key Pattern | Validation Endpoint | Blast Radius |
|---|---|---|---|
| AWS | AKIA[0-9A-Z]{16} | sts.amazonaws.com GetCallerIdentity | 10 |
| GCP | AIza[0-9A-Za-z-_]{35} | cloudresourcemanager.googleapis.com | 9 |
| Azure | Bearer token | management.azure.com/subscriptions | 9 |
| GitHub | ghp_/gho_[a-zA-Z0-9]{36} | api.github.com/user + X-OAuth-Scopes | 8 |
| Anthropic | sk-ant-[a-zA-Z0-9-_]{40+} | POST api.anthropic.com/v1/messages | 8 |
| OpenAI | sk-[a-zA-Z0-9]{40+} | GET api.openai.com/v1/models | 7 |
| GitLab | glpat-[a-zA-Z0-9-_]{20} | gitlab.com/api/v4/user | 7 |
| HuggingFace | hf_[a-zA-Z0-9]{36+} | huggingface.co/api/whoami-v2 | 6 |
| Cohere | Cohere token | api.cohere.ai/v1/tokenize | 5 |
| Mistral | Mistral token | api.mistral.ai/v1/models | 5 |
| Together | Together token | api.together.xyz/v1/models | 5 |
| Slack | xoxb-/xoxp-[a-zA-Z0-9-]{10+} | slack.com/api/auth.test | 4 |
| Jira | Jira token | /rest/api/3/myself | 4 |
# Query WARLORD for RAPTOR credentials SELECT * FROM credentials WHERE status='VALID_ACTIVE' ORDER BY blast_radius DESC; # Suggested next-tool routing aws_iam → CHARYBDIS (cloud pivot) api_key_openai / api_key_anthropic → GHOST (NHI fleet) mcp_token → LEVIATHAN (protocol exploit) bearer_token → PARASITE (gateway) jwt_hs → APEX (orchestrator)
| Credential Type | Next Tool | Rationale |
|---|---|---|
| AWS IAM / GCP SA / Azure MSI | CHARYBDIS | Cloud infrastructure pivot |
| OpenAI / Anthropic / Cohere / Mistral / Together | GHOST | NHI fleet registration |
| MCP token | LEVIATHAN | Protocol exploitation |
| Bearer token | PARASITE | Gateway interception |
| JWT (cracked) | APEX | Orchestrator session hijack |
| GitHub / GitLab PAT | CODEX | Developer toolchain exploit |
| Variable | Required | Description |
|---|---|---|
RAPTOR_KEY | INJECT+ | Path to Ed25519 PEM private key |
WARLORD_DB | Optional | Override WARLORD SQLite path |