Red Specter SHADOWMAP

Pure Python OSINT & Target Intelligence Engine — 8 modules. 930 tests. Zero external dependencies.

v1.0.0

Overview

SHADOWMAP is a pure Python OSINT and target intelligence engine. Zero external API dependencies. No Shodan wrappers. No Censys API calls. No VirusTotal subscriptions. Every DNS resolver, WHOIS parser, fingerprinting engine, and correlation module built from scratch using Python stdlib. Before you attack, you see everything.

Eight modules. 930 tests. 624 subdomain signatures. 80+ WHOIS servers. 47+ framework fingerprints. 30 WAF signatures. Complete target intelligence from a single domain seed.

Pure Python: Zero external API dependencies. stdlib only.
8 Modules: Domain, network, company, people, email, social, breach, tech.
930 Tests: Full test coverage across every module.
Passive by Default: Zero footprint in standard mode. No active probes.

Installation

$ pip install red-specter-shadowmap

Also available as .deb and PKGBUILD (BlackArch).

Or from source:

$ git clone <repo>
$ cd red-specter-shadowmap
$ pip install -e ".[dev]"

Quick Start

# Full reconnaissance scan
$ shadowmap scan target.com
# Domain intelligence only
$ shadowmap domain target.com
# Network mapping
$ shadowmap network target.com
# Email discovery
$ shadowmap email target.com
# Technology fingerprinting
$ shadowmap tech target.com
# UNLEASHED mode
$ shadowmap scan target.com --override --confirm-destroy

DOMAIN Module

Complete DNS and domain intelligence. Enumerates all record types, discovers subdomains, parses WHOIS data across 80+ registrar servers, and detects zone transfer misconfigurations.

01 Capabilities shadowmap domain <target>
# Domain intelligence
$ shadowmap domain target.com
# UNLEASHED — active brute force
$ shadowmap domain target.com --override --confirm-destroy

NETWORK Module

Infrastructure mapping from IP addresses. ASN identification, hosting provider detection, CDN fingerprinting, and geolocation intelligence.

02 Capabilities shadowmap network <target>

COMPANY Module

Corporate intelligence gathering. Organisational structure, subsidiary mapping, key personnel identification, and public filing extraction.

03 Capabilities shadowmap company <target>

PEOPLE Module

Individual profiling for social engineering target selection. Role mapping, seniority analysis, and departure tracking for insider threat assessment.

04 Capabilities shadowmap people <target>

EMAIL Module

Email pattern discovery, validation, and breach correlation. Identifies naming conventions, validates deliverability, and checks credential exposure.

05 Capabilities shadowmap email <target>
# Email discovery
$ shadowmap email target.com
# UNLEASHED — SMTP validation
$ shadowmap email target.com --override --confirm-destroy

SOCIAL Module

Social media footprint mapping. Discovers platform presence, technology mentions, conference talks, and open-source contributions.

06 Capabilities shadowmap social <target>

BREACH Module

Breach data correlation and credential exposure assessment. Domain-wide impact scoring and password pattern analysis.

07 Capabilities shadowmap breach <target>

TECH Module

Technology stack fingerprinting with CVE mapping. Identifies frameworks, CMS platforms, WAFs, and maps known vulnerabilities to discovered versions.

08 Capabilities shadowmap tech <target>
47+ Frameworks: React, Angular, Vue, Django, Rails, Spring, Express, and more
20+ CMS: WordPress, Drupal, Joomla, Shopify, Magento, Ghost, and more
30 WAFs: Cloudflare, AWS WAF, Imperva, ModSecurity, Sucuri, and more
CVE Mapping: Automatic CVE correlation from discovered versions

SHADOWMAP UNLEASHED

Cryptographic override. Private key controlled. One operator. Founder's machine only.

Standard mode is fully passive with zero target footprint. UNLEASHED mode enables active reconnaissance: DNS brute force, SMTP validation, subdomain enumeration at scale, and direct target interaction. The target will see your probes.

Capability | Standard | UNLEASHED
DNS enumeration | Public records | Active brute force + zone transfers
Subdomain discovery | Passive sources | 624-word brute force + permutations
Email validation | Pattern detection | SMTP validation, deliverability
Breach correlation | Domain-level | Individual credential exposure
Tech fingerprinting | Header analysis | Active probing, deep fingerprinting
Target footprint | Zero | Active probes visible to target
Key required | No | Ed25519

# UNLEASHED (dry run)
$ shadowmap scan target.com --override
# UNLEASHED (live — authorised environments only)
$ shadowmap scan target.com --override --confirm-destroy

UNLEASHED mode is restricted to authorised operators with Ed25519 private key access. Active reconnaissance against targets must only occur with explicit written authorisation. UNLEASHED mode generates network traffic visible to the target and may trigger security alerts.
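
Seen from the target's side, the active DNS brute force described above appears in authoritative DNS query logs as one source requesting many distinct names under the zone, most of them answered NXDOMAIN. The following detector is an added example, not part of SHADOWMAP or its code; the log layout, thresholds, addresses and labels are assumptions constructed for illustration.

```python
from collections import defaultdict

def parse(line):
    """Parse '<epoch> <client_ip> <qname> <rcode>' (assumed log layout)."""
    ts, ip, qname, rcode = line.split()
    return int(ts), ip, qname.lower().rstrip("."), rcode

def detect_subdomain_bruteforce(lines, zone, window=60, min_names=20, min_nx_ratio=0.8):
    """Return {client_ip: (distinct_names, nx_ratio)} for sources that, within
    any `window` seconds, query >= min_names distinct names under `zone`
    with at least min_nx_ratio of the answers being NXDOMAIN."""
    per_ip = defaultdict(list)
    for line in lines:
        ts, ip, qname, rcode = parse(line)
        if qname == zone or qname.endswith("." + zone):
            per_ip[ip].append((ts, qname, rcode))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            names = {q for _, q, _ in span}
            nx = sum(1 for _, _, r in span if r == "NXDOMAIN") / len(span)
            if len(names) >= min_names and nx >= min_nx_ratio:
                # Keep the widest burst seen for this source.
                if len(names) > flagged.get(ip, (0, 0.0))[0]:
                    flagged[ip] = (len(names), round(nx, 2))
    return flagged

# Constructed sample data: documentation address ranges, made-up labels.
WORDS = ["admin", "dev", "staging", "vpn", "mail", "test", "api", "git", "jira", "ftp",
         "portal", "intranet", "backup", "db", "old", "beta", "cdn", "sso", "wiki", "ns1",
         "ns2", "shop", "crm", "hr", "lab"]
EXISTING = {"mail", "api", "vpn"}  # names that resolve in this constructed zone
SAMPLE = [f"{1700000000 + i} 203.0.113.7 {w}.example.com "
          f"{'NOERROR' if w in EXISTING else 'NXDOMAIN'}" for i, w in enumerate(WORDS)]
# An ordinary resolver: few names, all of which exist.
SAMPLE += [f"{1700000000 + 30 * i} 198.51.100.10 {h}.example.com NOERROR"
           for i, h in enumerate(["www", "mail", "api", "www", "mail"])]

if __name__ == "__main__":
    print(detect_subdomain_bruteforce(SAMPLE, "example.com"))
```

Thresholds need tuning against a baseline of normal resolver traffic, since large recursive resolvers can also produce bursts of NXDOMAIN answers.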

CLI Reference

Commands

Command | Description
shadowmap scan <target> | Full reconnaissance scan
shadowmap domain <target> | DNS & domain intelligence
shadowmap network <target> | Infrastructure mapping
shadowmap company <target> | Corporate intelligence
shadowmap people <target> | Personnel profiling
shadowmap email <target> | Email discovery & validation
shadowmap social <target> | Social footprint mapping
shadowmap breach <target> | Breach data correlation
shadowmap tech <target> | Technology fingerprinting
shadowmap report <session> | Generate report from session
shadowmap version | Show version information

Options

Flag | Description
--target | Target domain or organisation
--full | Run all modules
--override | UNLEASHED dry-run
--confirm-destroy | UNLEASHED live execution
--output | Output directory
--session | Session name
--format | Output format: json, html, text

Pipeline Integration

SHADOWMAP is Tool 17 in the Red Specter offensive pipeline. It builds the target intelligence profile that feeds every downstream tool. SHADOWMAP discovers, WRAITH scans, REAPER exploits, GHOUL cracks, DOMINION owns, NEMESIS orchestrates.

17 SHADOWMAP: Builds profile
12 WRAITH: Scans surface
13 REAPER: Exploits
14 GHOUL: Cracks creds
16 DOMINION: Owns AD
06 NEMESIS: Orchestrates

Subdomain Feed: Discovered subdomains become WRAITH scan targets automatically
Tech Stack Feed: Framework versions inform REAPER exploit selection
Breach Feed: Exposed credentials drive GHOUL cracking strategies
Org Feed: Corporate structure informs DOMINION AD attack paths

Report Output

Every SHADOWMAP engagement produces JSON, HTML, and text reports with complete intelligence documentation.

JSON + HTML + Text: Machine-readable and human-readable output formats
Executive Summary: High-level target profile for stakeholders
Attack Surface Map: Complete correlated intelligence picture
Risk Assessment: Breach exposure, CVE risk, configuration gaps

# JSON report
$ shadowmap scan target.com --output ./reports
# Named session
$ shadowmap scan target.com --session client-recon-001 --output ./reports

Disclaimer

Red Specter SHADOWMAP is designed for authorised security testing, research, and educational purposes only. Standard mode performs passive reconnaissance using publicly available information. UNLEASHED mode performs active reconnaissance that generates network traffic to the target. You must have explicit written permission before running UNLEASHED mode against any target. Unauthorised reconnaissance may violate the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), or equivalent legislation in your jurisdiction. The authors accept no liability for misuse or damage resulting from improper use.