pip install red-specter-shadowmap
Every red team engagement starts with reconnaissance. Most teams cobble together a dozen browser tabs, three SaaS tools, and a spreadsheet. SHADOWMAP replaces all of it. Pure Python. One command. Complete target intelligence before a single packet touches the wire.
DNS lookup here, WHOIS there, Shodan in another tab, LinkedIn in a browser. Ten tools, ten formats, zero correlation. You spend more time copying data between tools than analysing it.
Most OSINT tools actively probe targets. DNS brute force, port scans, direct requests. The target sees you before you see them. Passive reconnaissance should leave zero footprint. Most tools don't understand the difference.
You have subdomains in one list, email patterns in another, tech stacks in a third. Nothing connects. Nothing correlates. A subdomain running a vulnerable CMS with a known email pattern is a high-value target. Your tools don't know that.
Every finding needs manual enrichment. Found a subdomain? Manually check what it runs. Found an email? Manually check breach databases. Hours of manual work per target. SHADOWMAP does it in seconds.
Eight modules. Each one built from scratch in pure Python. No external API dependencies. No SaaS wrappers. Every DNS resolver, every WHOIS parser, every fingerprinting engine written natively. 930 tests. 624 subdomain signatures. Complete target intelligence.
DNS enumeration, subdomain brute force with 624 signatures, WHOIS parsing across 80+ servers, zone transfer detection. Complete domain surface mapping from a single seed domain.
ASN mapping, hosting provider identification across 50+ providers, CDN detection with 18 signatures, IP geolocation. Maps the physical and logical infrastructure behind every target.
Company structure analysis, subsidiary mapping, key employee identification, public filing extraction. Builds the organisational graph that social engineering campaigns target.
Individual profiling, role mapping within target organisations, departure tracking for insider threat assessment. Identifies high-value targets for spear phishing and social engineering.
Email pattern discovery across 15 common formats, validation via SPF/DKIM/DMARC analysis, breach correlation for credential exposure assessment. Builds verified contact lists from zero.
Social media platform discovery, technology mentions in posts and profiles, conference talks, open-source contributions. Maps the digital footprint that reveals internal technology decisions.
Breach data correlation, credential exposure assessment, password pattern analysis, domain-wide breach impact scoring. Quantifies how exposed the target's credentials already are.
Technology stack fingerprinting across 47+ frameworks, 20+ CMS platforms, 30 WAF signatures. CVE mapping from discovered versions. Knows what they're running before you touch it.
Map the entire attack surface from a single domain:
Standard mode is fully passive. Zero footprint on the target. No DNS brute force, no SMTP validation, no active probes. Just intelligence gathered from public sources.
Subdomains link to tech stacks. Tech stacks link to CVEs. Emails link to breaches. Every finding enriches every other finding. One unified intelligence picture.
SHADOWMAP builds the target profile. WRAITH scans what SHADOWMAP found. Subdomains become scan targets. Tech stacks become vulnerability vectors. Intelligence drives exploitation.
Target intelligence feeds directly into NEMESIS. The Supreme Commander uses SHADOWMAP intelligence to select weapons, plan attack chains, and prioritise targets automatically.
Standard mode is passive only. Zero footprint. UNLEASHED mode enables active DNS brute force, SMTP validation, subdomain enumeration at scale, and direct target interaction. Ed25519 key gate required. Two flags must be passed. This is not accidental.
| Capability | Standard | Unleashed |
|---|---|---|
| DNS enumeration | Public records only | Active brute force, zone transfers |
| Subdomain discovery | Passive sources | 624-word brute force + permutations |
| Email validation | Pattern detection only | SMTP validation, deliverability check |
| Breach correlation | Domain-level summary | Individual credential exposure |
| Tech fingerprinting | Header analysis | Active probing, deep fingerprinting |
| Company intelligence | Public filings | Extended profiling, departure tracking |
| Target footprint | Zero — fully passive | Active — target will see probes |
UNLEASHED mode requires an Ed25519 private key at ~/.redspecter/override_private.pem and the --override --confirm-destroy flags. Without both, SHADOWMAP operates in passive mode — gathering intelligence from public sources with zero target footprint. The gate is cryptographic. There is no bypass. One key. One operator. Founder's machine only.
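The "target will see probes" row is the part a defender can act on: active subdomain brute force shows up on the authoritative name server as one source requesting many distinct nonexistent names in a short window. The following is an added detection example, not part of SHADOWMAP or the Red Specter code; the log format, function name, thresholds and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an authoritative DNS query log for example.com:
# "<ISO timestamp> <client IP> <query name> <response code>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 www.example.com NOERROR
2024-05-01T10:00:01 203.0.113.50 admin.example.com NXDOMAIN
2024-05-01T10:00:01 203.0.113.50 dev.example.com NXDOMAIN
2024-05-01T10:00:02 203.0.113.50 mail.example.com NOERROR
2024-05-01T10:00:02 203.0.113.50 staging.example.com NXDOMAIN
2024-05-01T10:00:03 203.0.113.50 vpn.example.com NXDOMAIN
2024-05-01T10:00:03 203.0.113.50 test.example.com NXDOMAIN
2024-05-01T10:00:09 198.51.100.7 wwww.example.com NXDOMAIN
2024-05-01T11:00:00 192.0.2.9 old.example.com NXDOMAIN
2024-05-01T13:00:00 192.0.2.9 intranet.example.com NXDOMAIN
2024-05-01T15:00:00 192.0.2.9 ftp.example.com NXDOMAIN
"""

def detect_bruteforce(lines, zone, window=timedelta(seconds=60), threshold=5):
    """Return {source_ip: peak count of distinct NXDOMAIN names under `zone`
    seen inside one sliding `window`} for sources reaching `threshold`."""
    misses = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, qname, rcode = line.split()
        qname = qname.lower().rstrip(".")
        if rcode == "NXDOMAIN" and qname.endswith("." + zone):
            misses[src].append((datetime.fromisoformat(ts), qname))
    flagged = {}
    for src, hits in misses.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({name for _, name in hits[start:end + 1]})
            if distinct >= threshold:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG.splitlines(), "example.com"))
```

When the queries arrive through a public recursive resolver, the source address is the resolver's, so the same count aggregated per zone rather than per client is a useful second signal.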
SHADOWMAP is the first link in the kill chain. Every tool downstream uses SHADOWMAP intelligence. Subdomains become WRAITH scan targets. Email patterns become SPECTER SOCIAL phishing vectors. Tech stacks become vulnerability surfaces. Breach data becomes credential attacks. One reconnaissance run powers the entire engagement.
SHADOWMAP maps the entire attack surface. Domains, subdomains, infrastructure, people, emails, technology, breaches. Complete intelligence picture from a single domain seed.
WRAITH takes SHADOWMAP's subdomain list and scans every one. Port scanning, service fingerprinting, web vulnerability testing, CVE mapping. Intelligence becomes vulnerability data.
REAPER uses WRAITH's vulnerability data and SHADOWMAP's technology fingerprints to select and deliver exploits. The right exploit for the right target, informed by intelligence.
GHOUL uses SHADOWMAP's breach data and email patterns to build targeted credential attacks. Known password patterns from breaches inform cracking strategies.
DOMINION uses SHADOWMAP's corporate structure and GHOUL's cracked credentials to attack Active Directory. Organisational intelligence drives privilege escalation paths.
Most OSINT tools are API wrappers around Shodan, Censys, and VirusTotal. SHADOWMAP is actual engineering. Every DNS resolver, every WHOIS parser, every fingerprinting engine written from scratch in pure Python. No API keys. No rate limits. No monthly subscriptions. No dependencies that can revoke access, change pricing, or disappear.
SHADOWMAP is Tool 17 in the Red Specter offensive pipeline. It builds the target intelligence profile that every other tool consumes. Before you attack, you see everything.
SHADOWMAP maps the entire attack surface before a single packet touches the wire. Pure Python. Zero footprint. Complete target intelligence.