pip install red-specter-shroud
Cloudflare, Akamai, and Fastly are reverse proxies, not shields. They sit in front of your infrastructure and filter only the traffic that is routed through them. Find the origin's real IP and, unless the origin itself refuses connections that do not arrive via the CDN (allow-listed edge ranges, authenticated origin pulls), every protection they offer becomes irrelevant: the WAF is bypassed, the rate limits disappear, and the origin receives raw, unfiltered requests. SHROUD is built to find that IP automatically across five independent channels and to pivot your entire offensive suite at it.
Organisations put HTTP/HTTPS traffic behind Cloudflare but forget that email usually bypasses the CDN entirely. SPF records, published as DNS TXT entries, list the addresses permitted to send mail for the domain, and mail infrastructure frequently shares hosting with the web origin. SHROUD follows every include: and redirect= in the SPF chain and collects each ip4: mechanism it finds.
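The SPF walk described above, as an added example (not SHROUD's VEIL code): it follows include: and redirect= recursively, collects ip4:/ip6: networks, notes a:/mx: mechanisms that still need resolving, and stops on loops and at a depth limit. The TXT data is constructed and the `lookup_txt` resolver is a stand-in; swap in a real DNS library to run it live.

```python
"""Recursive SPF walker for origin discovery (added example, not SHROUD code)."""
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (not real records).
SAMPLE_TXT = {
    "example.com": [
        "google-site-verification=abc123",  # non-SPF TXT record, must be ignored
        "v=spf1 ip4:203.0.113.10 mx include:_spf.mail-provider.example ~all",
    ],
    "_spf.mail-provider.example": [
        "v=spf1 ip6:2001:db8::/32 include:spf-a.mail-provider.example -all",
    ],
    "spf-a.mail-provider.example": [
        "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.25/32 a:relay.mail-provider.example "
        "redirect=loop.example",
    ],
    "loop.example": ["v=spf1 include:example.com ~all"],  # cycles back to the root
}


def lookup_txt(name):
    """Stand-in resolver: TXT strings for a name (empty list if none)."""
    return SAMPLE_TXT.get(name, [])


def walk_spf(domain, lookup, max_depth=4, _depth=0, _seen=None):
    """Walk an SPF chain. Returns {"networks", "needs_resolve", "chain", "errors"}."""
    seen = _seen if _seen is not None else set()
    out = {"networks": set(), "needs_resolve": set(), "chain": [], "errors": []}
    name = domain.lower().rstrip(".")
    if name in seen:                        # include/redirect loop: stop here
        out["errors"].append(f"loop: {name}")
        return out
    if _depth > max_depth:                  # RFC 7208 also caps total DNS lookups at 10
        out["errors"].append(f"depth limit reached at {name}")
        return out
    seen.add(name)
    records = [r for r in lookup(name) if r.lower().startswith("v=spf1")]
    if not records:
        out["errors"].append(f"no SPF record at {name}")
        return out
    if len(records) > 1:                    # permerror for mail; recon follows all of them
        out["errors"].append(f"{len(records)} SPF records at {name}")
    out["chain"].append(name)
    for record in records:
        for term in record.split()[1:]:
            term = term.lstrip("+-~?")      # drop the qualifier; we collect, not evaluate
            low = term.lower()
            if low.startswith(("ip4:", "ip6:")):
                value = term.split(":", 1)[1]
                try:
                    out["networks"].add(ipaddress.ip_network(value, strict=False))
                except ValueError:
                    out["errors"].append(f"bad address {value!r} at {name}")
            elif low.startswith("include:") or low.startswith("redirect="):
                target = term[8:] if low.startswith("include:") else term[9:]
                sub = walk_spf(target, lookup, max_depth, _depth + 1, seen)
                out["networks"] |= sub["networks"]
                out["needs_resolve"] |= sub["needs_resolve"]
                out["chain"].extend(sub["chain"])
                out["errors"].extend(sub["errors"])
            elif low in ("a", "mx") or low.startswith(("a:", "mx:")):
                host = term.split(":", 1)[1] if ":" in term else name
                out["needs_resolve"].add(host.lower().rstrip("."))
            # exp=, exists:, ptr and "all" carry no addresses useful for discovery
    return out


def spf_ipv4_candidates(domain, lookup=lookup_txt):
    """Sorted IPv4 networks from the SPF chain, plus the full walk result."""
    result = walk_spf(domain, lookup)
    v4 = sorted(str(n) for n in result["networks"] if n.version == 4)
    return v4, result


if __name__ == "__main__":
    nets, info = spf_ipv4_candidates("example.com")
    print("ip4 candidates:", nets)
    print("still to resolve:", sorted(info["needs_resolve"]))
    print("chain:", info["chain"], "errors:", info["errors"])
```

Every a:/mx: mechanism and every network wider than a /32 still needs resolving or expanding before it becomes a probe target; the walker deliberately records rather than guesses.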
Publicly trusted TLS certificates are recorded in Certificate Transparency logs (all of them since browsers began requiring CT in 2018, and many issued earlier). Certificates issued before the CDN was deployed, or for staging and internal hostnames that were never put behind it, name hosts that may still resolve to the real origin IP. crt.sh exposes this history openly. SHROUD mines every entry and resolves every hostname it finds.
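A crt.sh miner as an added example (not SHROUD's ATLAS code). It parses the JSON that `https://crt.sh/?q=%.<domain>&output=json` returns (a list of objects with `name_value`, `common_name`, `not_before` and issuer fields), keeps only in-scope names, strips wildcards, and records the earliest issuance date per hostname so the oldest, most likely pre-CDN, names come first. `SAMPLE_CRTSH` is constructed; `fetch_crtsh` is the live path and is not used by the offline run.

```python
"""crt.sh Certificate Transparency miner (added example, not SHROUD code)."""
import json
import re
from urllib.parse import quote
from urllib.request import urlopen

HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed stand-in for a crt.sh JSON response (not real log data).
SAMPLE_CRTSH = json.dumps([
    {"common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2019-03-01T00:00:00", "issuer_name": "O=Example CA"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com",
     "not_before": "2021-06-15T00:00:00", "issuer_name": "O=Example CA"},
    {"common_name": "staging.example.com", "name_value": "staging.example.com",
     "not_before": "2016-11-20T00:00:00", "issuer_name": "O=Example CA"},
    {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test",
     "not_before": "2022-01-01T00:00:00", "issuer_name": "O=Example CA"},  # lookalike, out of scope
    {"common_name": "mail.example.com", "name_value": "mail.example.com\nMAIL.EXAMPLE.COM.",
     "not_before": "2017-08-09T00:00:00", "issuer_name": "O=Example CA"},
])


def crtsh_url(domain):
    """Wildcard CT query for the domain; crt.sh needs no API key."""
    return f"https://crt.sh/?q={quote('%.' + domain)}&output=json"


def fetch_crtsh(domain, timeout=30):
    """Live fetch (network); returns the raw JSON text."""
    with urlopen(crtsh_url(domain), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def hostnames_from_crtsh(json_text, domain):
    """Map each in-scope hostname to the earliest not_before seen for it."""
    domain = domain.lower()
    first_seen = {}
    for entry in json.loads(json_text):
        issued = entry.get("not_before", "")
        names = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for raw in names:
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]                     # wildcard cert: keep the base name
            if not (name == domain or name.endswith("." + domain)):
                continue                            # unrelated SAN or lookalike domain
            if not HOSTNAME.match(name):
                continue
            prev = first_seen.get(name)
            if prev is None or (issued and (not prev or issued < prev)):
                first_seen[name] = issued           # ISO timestamps compare as strings
    return first_seen


def oldest_first(first_seen):
    """Hostnames ordered by earliest issuance: pre-CDN names float to the top."""
    return sorted(first_seen, key=lambda n: (first_seen[n] or "9999", n))


if __name__ == "__main__":
    seen = hostnames_from_crtsh(SAMPLE_CRTSH, "example.com")
    for host in oldest_first(seen):
        print(f"{seen[host]}  {host}")
```

The issuer field is worth keeping as well: a certificate issued by the CDN's own CA post-dates onboarding and is unlikely to lead to the origin, whereas one from a different CA on an old date is a strong pre-CDN signal.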
Before an organisation moved behind Cloudflare, its DNS A record pointed directly at the origin server. Passive and historical DNS providers keep those pre-CDN records, and in many cases the server's IP has not changed, only the DNS entry has. SHROUD queries HackerTarget for both historical and current records across all subdomains.
Mail, FTP, cPanel, staging, dev, and admin subdomains are frequently left resolving directly to the origin, bypassing the CDN entirely. Administrators proxy the primary domain through Cloudflare but forget that mail.example.com still points straight at the same server that hosts the website. SHROUD checks 52 such bypass subdomains automatically.
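The resolution and filtering step shared by the historical DNS and bypass subdomain channels, as an added example (not SHROUD's TRACE or SWEEP code). It parses HackerTarget hostsearch output (`hostname,ip` per line), resolves a bypass wordlist in parallel, and drops RFC 1918 and CDN edge addresses so only plausible origins remain, tagging each survivor with the channels that produced it. `CDN_RANGES` is a copy of Cloudflare's published IPv4 list (refresh it from https://www.cloudflare.com/ips-v4 before use; Fastly, Akamai and CloudFront ranges would be added the same way), `BYPASS_SUBDOMAINS` is a short constructed subset, and `SAMPLE_HOSTSEARCH`/`SAMPLE_DNS` are constructed data.

```python
"""Resolve candidates and drop private/CDN addresses (added example, not SHROUD code)."""
import csv
import io
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Cloudflare's published IPv4 edge ranges; refresh from https://www.cloudflare.com/ips-v4
CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]
# RFC 1918 plus loopback, link-local, CGNAT and "this network". Listed explicitly because
# ipaddress.is_private also flags the documentation ranges (203.0.113.0/24 etc.) used here.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
)]
# Constructed subset of the kind of bypass wordlist a sweep would use.
BYPASS_SUBDOMAINS = ("www", "mail", "smtp", "ftp", "cpanel", "webmail", "staging",
                     "dev", "admin", "direct", "origin", "vpn")

# Constructed sample data (not real lookups).
SAMPLE_HOSTSEARCH = """example.com,104.16.132.229
www.example.com,104.16.133.229
old.example.com,203.0.113.42
dev.example.com,10.0.0.5
mail.example.com,203.0.113.42
broken.example.com,not-an-ip
"""
SAMPLE_DNS = {"www.example.com": "104.16.132.229", "mail.example.com": "203.0.113.42",
              "ftp.example.com": "198.51.100.22", "cpanel.example.com": "172.67.10.10"}


def classify_ip(ip_str):
    """'private' | 'cdn' | 'candidate'; raises ValueError on junk input."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in PRIVATE_RANGES):
        return "private"
    if any(ip in net for net in CDN_RANGES):
        return "cdn"
    return "candidate"


def parse_hostsearch(text):
    """HackerTarget hostsearch CSV ('hostname,ip' per line) -> [(hostname, ip), ...]."""
    return [(row[0].strip().lower(), row[1].strip())
            for row in csv.reader(io.StringIO(text))
            if len(row) == 2 and row[0].strip() and row[1].strip()]


def system_resolver(name):
    """A record via the OS resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def sweep(domain, subdomains, resolver=system_resolver, workers=20):
    """Resolve <sub>.<domain> for each word in parallel -> [(hostname, ip), ...]."""
    names = [f"{sub}.{domain}" for sub in subdomains]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        resolved = list(pool.map(lambda n: (n, resolver(n)), names))
    return [(name, ip) for name, ip in resolved if ip]


def triage(pairs, source):
    """Keep candidate IPs only. Returns ({ip: {"hosts", "sources"}}, {class: count})."""
    candidates = {}
    counts = {"candidate": 0, "cdn": 0, "private": 0, "invalid": 0}
    for host, ip in pairs:
        try:
            cls = classify_ip(ip)
        except ValueError:
            cls = "invalid"
        counts[cls] += 1
        if cls == "candidate":
            entry = candidates.setdefault(ip, {"hosts": set(), "sources": set()})
            entry["hosts"].add(host)
            entry["sources"].add(source)
    return candidates, counts


def merge(*channel_results):
    """Union per-channel maps; an IP seen by several channels keeps every source."""
    merged = {}
    for result in channel_results:
        for ip, info in result.items():
            entry = merged.setdefault(ip, {"hosts": set(), "sources": set()})
            entry["hosts"] |= info["hosts"]
            entry["sources"] |= info["sources"]
    return merged


if __name__ == "__main__":
    hist, _ = triage(parse_hostsearch(SAMPLE_HOSTSEARCH), "trace")
    sw, _ = triage(sweep("example.com", BYPASS_SUBDOMAINS, SAMPLE_DNS.get), "sweep")
    for ip, info in merge(hist, sw).items():
        print(ip, sorted(info["hosts"]), sorted(info["sources"]))
```

An IP that several independent channels agree on (here 203.0.113.42 from both historical DNS and the mail subdomain) is the one to probe first; the source set is exactly the evidence a confidence score should weigh.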
Shodan continuously scans the internet and indexes the open ports and banners it finds. If the origin server was ever directly reachable, before or after CDN deployment, Shodan may hold a record of its IP and services, often with a TLS certificate or banner that names the target domain. SHROUD queries Shodan and cross-references every result against the other discovery channels.
Discovery without verification produces noise. SHROUD's PROBE subsystem sends real HTTP requests directly to each candidate IP with the target's Host header, confirming that the target's actual content is served, checking the response for CDN/WAF headers that would show the request still went through an edge node, and fingerprinting the real server. Confidence scoring ranks every candidate before STRIKE fires.
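A direct-to-origin probe and response classifier as an added example (not SHROUD's PROBE code). `probe()` connects to a raw IP while presenting the target hostname in both the TLS SNI extension and the Host header (without SNI most multi-tenant origins answer with a default certificate or vhost), and `classify_response()` decides whether the answer came from an origin (expected content, no edge headers), from a CDN edge (Cloudflare, Akamai, Fastly or CloudFront markers) or from something unrelated such as a default vhost. `WAF_MARKERS` lists well-known edge headers and is not exhaustive; the three sample responses are constructed.

```python
"""Direct-to-origin probe and response classifier (added example, not SHROUD code)."""
import http.client
import socket
import ssl

# (header, substring that must appear in its value or None, CDN label)
WAF_MARKERS = (
    ("server", "cloudflare", "cloudflare"),
    ("cf-ray", None, "cloudflare"),
    ("server", "akamaighost", "akamai"),
    ("x-akamai-transformed", None, "akamai"),
    ("x-served-by", "cache-", "fastly"),
    ("via", "cloudfront", "cloudfront"),
    ("x-amz-cf-id", None, "cloudfront"),
)

# Constructed responses: (status, headers, body). Not captured from any real host.
EDGE_RESPONSE = (200, [("Server", "cloudflare"), ("CF-RAY", "8a1b2c3d4e5f0000-LHR"),
                       ("Content-Type", "text/html")],
                 "<html><title>Example Domain</title><a>Contact</a></html>")
ORIGIN_RESPONSE = (200, [("Server", "nginx/1.24.0"), ("Content-Type", "text/html")],
                   "<html><title>Example Domain</title><a>Contact</a></html>")
DEFAULT_VHOST = (404, [("Server", "Apache/2.4.57 (Debian)")], "<h1>Not Found</h1>")
KEYWORDS = ("example", "contact")


def classify_response(status, headers, body, keywords):
    """Classify one HTTP response received from a candidate IP."""
    lowered = {}
    for name, value in headers:                       # fold repeated headers together
        lowered[name.lower()] = (lowered.get(name.lower(), "") + " " + value.lower()).strip()
    edges = sorted({label for name, needle, label in WAF_MARKERS
                    if name in lowered and (needle is None or needle in lowered[name])})
    hits = [kw for kw in keywords if kw.lower() in body.lower()]
    server = next((v for k, v in headers if k.lower() == "server"), None)
    if edges:
        verdict = "cdn-edge"        # the request still went through the CDN; not an origin
    elif hits and status < 400:
        verdict = "origin"          # expected content served with no edge in the path
    else:
        verdict = "unverified"      # reachable, but not provably this target
    return {"verdict": verdict, "status": status, "edges": edges,
            "server": server, "hits": hits}


class SNIConnection(http.client.HTTPSConnection):
    """HTTPS to a raw IP while presenting the target hostname in SNI."""

    def __init__(self, ip, port, sni, timeout):
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # the origin's cert may not match; we record, not trust
        ctx.verify_mode = ssl.CERT_NONE
        super().__init__(ip, port, timeout=timeout, context=ctx)
        self.sni = sni

    def connect(self):
        sock = socket.create_connection((self.host, self.port), self.timeout)
        self.sock = self._context.wrap_socket(sock, server_hostname=self.sni)


def probe(ip, host, keywords, ports=(443, 80, 8443, 8080), timeout=5):
    """Try each port in order; (port, classification) for the first answer, else (None, None)."""
    for port in ports:
        tls = port in (443, 8443)
        conn = (SNIConnection(ip, port, host, timeout) if tls
                else http.client.HTTPConnection(ip, port, timeout=timeout))
        try:
            conn.request("GET", "/", headers={"Host": host, "User-Agent": "Mozilla/5.0"})
            resp = conn.getresponse()
            body = resp.read(65536).decode("utf-8", "replace")
            return port, classify_response(resp.status, resp.getheaders(), body, keywords)
        except (OSError, http.client.HTTPException):
            continue                        # closed port, timeout or TLS failure: next port
        finally:
            conn.close()
    return None, None


if __name__ == "__main__":
    for sample in (EDGE_RESPONSE, ORIGIN_RESPONSE, DEFAULT_VHOST):
        print(classify_response(*sample, KEYWORDS))
```

If every port times out or resets, that is itself a finding: an origin that only accepts connections from the CDN's address ranges, or that requires an authenticated origin pull (client certificate), has closed the bypass this whole pipeline relies on.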
SHROUD is built from fifteen subsystems covering the complete origin discovery pipeline. From SPF parsing and certificate transparency mining through subdomain enumeration, direct IP verification, server fingerprinting, confidence scoring, and automated WRAITH pivot — every phase makes real network requests. No hardcoded data. No simulations.
| # | Subsystem | Command | What It Does |
|---|---|---|---|
| 01 | VEIL | shroud veil parse | Parses SPF TXT records from DNS and recursively resolves every include: chain up to four levels deep. Extracts ip4: mechanisms and redirects. Handles redirect= and exp= modifiers. Auxiliary subdomain SPF queries for mail, smtp, and mx. |
| 02 | ATLAS | shroud atlas mine | Queries the crt.sh certificate transparency API for all certificates ever issued to the target domain using the %.domain wildcard. Resolves every discovered hostname to its current IP and checks for direct IP entries. No API key required. |
| 03 | TRACE | shroud trace dns | Queries HackerTarget for historical DNS records — both the hostsearch endpoint (all subdomain:IP pairs ever seen) and the DNS lookup endpoint (current A records). Filters RFC1918 private IPs automatically. No API key required for free tier. |
| 04 | SENSOR | shroud sensor query | Queries Shodan for hosts associated with the target domain. Uses DNS resolve and host search endpoints. Extracts open ports, OS fingerprints, CVE vulnerability lists, and organisation data. Graceful degradation if no SHODAN_API_KEY is set. |
| 05 | SWEEP | shroud sweep subdomains | Attempts DNS resolution for 52 bypass subdomains known to frequently avoid CDN protection. Runs all queries in parallel with 20 workers. Cloudflare, Fastly, Akamai, and CloudFront IPs filtered automatically — only non-CDN candidates promoted. |
| 06 | PROBE | shroud probe verify | Sends real HTTP/HTTPS requests directly to each candidate IP with the correct Host header. Checks for target content, inspects response headers for WAF indicators, tests ports 443, 80, 8443, and 8080 in sequence. 10 parallel workers. No simulation. |
| 07 | MARK | shroud mark fingerprint | Extracts detailed server fingerprints from HTTP response headers. Identifies web server software and version, application framework, programming language, OS hints, and hosting panel indicators. Notes HSTS, CSP, CORS, and X-Frame-Options security header posture. |
| 08 | SCORE | shroud score rank | Aggregates evidence from all five discovery channels and both verification subsystems into a unified confidence score per candidate IP. Weighted scoring: SPF 0.20, CT 0.15, DNS 0.15, Shodan 0.10, Subdomain 0.20. Grades: CONFIRMED / HIGH / MEDIUM / LOW / CANDIDATE. |
| 09 | STRIKE | shroud strike pivot | Once a CONFIRMED or HIGH confidence origin is established, STRIKE automatically invokes WRAITH against the raw origin IP — bypassing the CDN entirely. WARLORD ANNIHILATE chain also supported. Correct Host header passed to WRAITH. Requires UNLEASHED gate. |
| 10 | HERALD | shroud herald report | Produces a complete structured JSON report for every engagement. Records every candidate IP, all discovery methods used, confidence scores, verification results, server fingerprints, and pivot execution details. Report ID: SHD-RPT-{hex} format. Timestamped. |
| 11 | PHANTOM | shroud traverse --phantom | Browser fingerprint spoofing via exact Chrome 120 / Firefox 121 TLS cipher suite order, JA3 fingerprint replication, and full Sec-Ch-Ua / Sec-Fetch-* header injection. Bypasses TLS-layer bot detection without a real browser process. |
| 12 | QUAKE | shroud traverse --quake | HTTP/3 (QUIC) and HTTP/2 transport negotiation. Inspects Alt-Svc headers, upgrades to HTTP/3 via aioquic when available, falls back through HTTP/2 to HTTP/1.1. Evades WAF rules that only inspect HTTP/1.1 traffic. |
| 13 | SPECTRE | shroud traverse --spectre | Cloudflare Turnstile, hCaptcha, and JS challenge bypass via headless Playwright Chromium. Detects challenge type, waits up to 8 seconds for auto-solve, extracts cf_clearance and set-cookie values for downstream requests. |
| 14 | ROTATE | shroud traverse --rotate | Proxy pool round-robin with HTTP, HTTPS, and SOCKS5 support. Three-strike block detection on 429 / 403 responses. Automatic pool reshuffling. Feeds confirmed-origin probes through rotating exit nodes to defeat IP-based rate limiting. |
| 15 | MIMIC | shroud traverse --mimic | Human behavioural simulation: Gaussian inter-request timing (mean 1.8 s, std 0.7 s), persistent cookie jar, Referer chain propagation, and Sec-Fetch-Site flip between same-origin and cross-site. Defeats ML-based bot classifiers that model request cadence. |
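The ROTATE row describes round-robin proxy selection with three-strike block detection and pool reshuffling. The following is an added example of that logic (not SHROUD's code): a pool that hands out the same proxy for a fixed number of requests, counts consecutive 403/429 responses per proxy, retires a proxy on its third strike, reshuffles the survivors, and raises once nothing is left. `parse_proxy_list` reads the `scheme://host:port` lines a `--proxy-list` style file would hold; the proxies and responder are constructed, and "consecutive strikes reset on a clean response" is this example's interpretation of the rule.

```python
"""Rotating proxy pool with three-strike block detection (added example, not SHROUD code)."""
import random
from collections import deque
from urllib.parse import urlsplit

SCHEMES = {"http", "https", "socks5"}

# Constructed proxy list in the shape a proxies.txt would have.
SAMPLE_PROXY_FILE = """# exit nodes
socks5://10.9.8.7:1080
http://proxy-a.internal:8080
http://proxy-b.internal:8080
ftp://not-a-proxy:21
"""


def parse_proxy_list(text):
    """Keep well-formed scheme://host:port lines, skip comments and unsupported schemes."""
    proxies = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = urlsplit(line)
        if parts.scheme in SCHEMES and parts.hostname and parts.port:
            proxies.append(line)
    return proxies


class ProxyPool:
    def __init__(self, proxies, max_strikes=3, rotate_every=3, rng=None):
        self._rng = rng or random.Random()
        self._pool = deque(proxies)
        self._strikes = {p: 0 for p in proxies}
        self.max_strikes = max_strikes
        self.rotate_every = rotate_every
        self._uses = 0
        self.blocked = []

    def remaining(self):
        return list(self._pool)

    def next_proxy(self):
        """Proxy for the next request; the head of the pool changes every rotate_every uses."""
        if not self._pool:
            raise RuntimeError("proxy pool exhausted")
        if self._uses and self._uses % self.rotate_every == 0:
            self._pool.rotate(-1)
        self._uses += 1
        return self._pool[0]

    def report(self, proxy, status):
        """429/403 adds a strike; a clean response clears them; third strike retires the proxy."""
        if proxy not in self._strikes:
            return
        if status in (403, 429):
            self._strikes[proxy] += 1
            if self._strikes[proxy] >= self.max_strikes:
                self._pool.remove(proxy)
                del self._strikes[proxy]
                self.blocked.append(proxy)
                self.reshuffle()
        else:
            self._strikes[proxy] = 0

    def reshuffle(self):
        """Randomise the order of the surviving proxies and restart the rotation count."""
        survivors = list(self._pool)
        self._rng.shuffle(survivors)
        self._pool = deque(survivors)
        self._uses = 0


def run_probes(pool, send, count):
    """Drive `count` requests through the pool; send(proxy) returns an HTTP status. Returns blocks seen."""
    blocks = 0
    for _ in range(count):
        proxy = pool.next_proxy()
        status = send(proxy)
        if status in (403, 429):
            blocks += 1
        pool.report(proxy, status)
    return blocks


if __name__ == "__main__":
    pool = ProxyPool(parse_proxy_list(SAMPLE_PROXY_FILE), rng=random.Random(7))
    # Constructed responder: one exit node is rate-limited, the others are clean.
    blocked_exit = "http://proxy-a.internal:8080"
    print("blocks:", run_probes(pool, lambda p: 429 if p == blocked_exit else 200, 12))
    print("retired:", pool.blocked, "remaining:", pool.remaining())
```

Note what this does not do: a 403 from a WAF that has fingerprinted the client (TLS or header anomalies) will burn every exit in turn, so strike counts are a signal to stop and change the client profile, not just the address.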
SHROUD runs from a single CLI entry point. Discovery-only mode needs no gate flags. Full verification mode probes all candidates directly. Auto-pivot fires WRAITH at every confirmed origin and requires the UNLEASHED dual gate.
```console
$ shroud scan --target example.com --mode discovery-only

[ PHASE 1 — DISCOVERY ]
Target: example.com

VEIL    Parsing SPF records...
✓ VEIL:  12 IP(s) via SPF — 203.0.113.1, 198.51.100.5...
ATLAS   Mining certificate transparency logs (crt.sh)...
✓ ATLAS: 4 IP(s) from 847 CT entries
TRACE   Querying historical DNS records...
✓ TRACE: 3 IP(s), 6 subdomains
SWEEP   Enumerating bypass subdomains...
✓ SWEEP: 2 IP(s) from 8 resolved subdomains (14 CDN-filtered)

Discovery complete: 18 unique candidate IPs
```

```console
$ shroud scan --target example.com --mode full --keywords "example,contact"

[ PHASE 2 — VERIFICATION ]
Probing 18 candidate IPs...

WAF BYPASSED: 2 confirmed origin(s):
  → 203.0.113.42
  → 198.51.100.22

CONFIRMED ORIGIN(S):
  → 203.0.113.42   confidence=CONFIRMED (1.00)  server=nginx/1.24.0
  → 198.51.100.22  confidence=HIGH (0.85)       server=LiteSpeed
```

```console
$ shroud scan --target example.com --mode full \
    --auto-pivot --override --confirm-destroy

━━━ UNLEASHED MODE ACTIVE ━━━

[ PHASE 3 — STRIKE ]
Pivoting to 2 confirmed origin(s)...
  → 203.0.113.42 via wraith — SUCCESS
    Command: wraith scan --target 203.0.113.42 --host example.com
    Report:  reports/wraith_203_0_113_42_a1b2c3.json
```

```console
$ shroud traverse --target example.com --phantom --quake --rotate \
    --proxy-list proxies.txt --browser chrome120

[ PHASE — WAF TRAVERSAL ]
PHANTOM  Spoofing TLS fingerprint: Chrome 120 JA3 — cipher order locked
✓ PHANTOM: TLS bypass confirmed — bot score 0
QUAKE    Negotiating HTTP/3 via Alt-Svc...
✓ QUAKE:   HTTP/3 active — WAF HTTP/1.1 rules bypassed
ROTATE   Pool: 8 proxies loaded. Rotating every 3 requests...
✓ ROTATE:  0 blocks in 12 probes

Traversal complete: 203.0.113.42 accessible via 3 bypass vectors
```

```console
$ shroud traverse --target example.com --spectre --mimic \
    --timing-profile human

[ PHASE — CHALLENGE BYPASS ]
SPECTRE  Detected: Cloudflare Turnstile on /
         Launching headless Chromium...
✓ SPECTRE: cf_clearance extracted — cookie injected
MIMIC    Human timing active: mean=1.8s std=0.7s  Referer chain ON
✓ MIMIC:   6 requests — 0 bot classifications
  → Origin confirmed via behavioural bypass: 203.0.113.42

Challenge bypass complete — session active
```

```console
$ shroud subsystems              # List all 15 subsystems
$ shroud capabilities            # Show discovery methods and pivot chains
$ shroud unleashed status        # UNLEASHED gate key fingerprint
$ shroud unleashed create-scope --targets example.com --days 30
$ shroud scan -t example.com --chain annihilate --override --confirm-destroy
```
Three phases, executed in sequence. Phase 1 discovers candidate IPs from all available intelligence sources. Phase 2 verifies each candidate by connecting to it directly, confirming that the real content is served and that no CDN or WAF sits in the path. Phase 3 fires WRAITH at every confirmed origin, bypassing the CDN entirely.
Discovery and verification run without any gate: SHROUD can map a target's defensive perimeter without authorisation flags, which does not make doing so authorised. The STRIKE phase, invoking WRAITH or WARLORD against the confirmed origin, requires both UNLEASHED flags simultaneously. The gate is checked on every invocation; the origin is never pivoted at without explicit operator consent each time.
Discovery-only mode: no flags required. SPF parsing, CT log mining, historical DNS, Shodan queries, and subdomain enumeration run freely. Maps the attack surface from DNS and third-party data without sending a request to any candidate host.
Full verification mode: direct HTTP probes to candidate IPs. Confirms the origin with real network requests, confirms that the WAF is absent from the path, fingerprints the server, and scores confidence. No --override required for verification alone.
Strike mode: requires --override AND --confirm-destroy, both present simultaneously. WRAITH is invoked against the confirmed origin. Signing key: Ed25519 key at ~/.red-specter/shroud/unleashed.key. Authorised operators only.
THIS TOOL IS FOR AUTHORISED SECURITY TESTING ONLY. EVERY EXECUTION IS SIGNED AND LOGGED.
Red Specter SHROUD is a commercial penetration testing tool available exclusively to authorised security professionals operating under signed engagement contracts and with explicit written permission from target system owners. Unauthorised use against systems you do not own or have explicit permission to test may violate the Computer Misuse Act 1990 (UK), Computer Fraud and Abuse Act (US), and equivalent legislation in other jurisdictions. All operator actions are logged, signed, and attributable. Apache License 2.0.