Red Specter SHROUD
Cloudflare/WAF Origin Discovery & Bypass Engine — 10 subsystems. Tool 44 of NIGHTFALL Framework.
Overview
SHROUD is a Cloudflare/WAF origin discovery and bypass engine. It systematically locates the real IP address behind any CDN or WAF using five independent discovery methods, verifies each candidate with direct HTTP probes, scores confidence, and automatically pivots WRAITH at confirmed origins.
Every wall has a crack. SHROUD finds it.
The core premise: CDNs are reverse proxies, not origin protection. Cloudflare intercepts requests — but if you bypass Cloudflare and connect directly to the origin server IP, every protection Cloudflare provides becomes irrelevant. SHROUD finds that IP.
Installation
```bash
$ shroud --version
$ shroud subsystems
```
Basic Usage
```bash
# Discovery only, no verification probes
$ shroud scan --target example.com --mode discovery-only
# Full scan with verification
$ shroud scan --target example.com --mode full
# Auto-pivot at confirmed origin (UNLEASHED required)
$ shroud scan --target example.com --mode full --auto-pivot --override --confirm-destroy
```
API Key Requirements
Most discovery methods require no API key. Shodan integration (SENSOR subsystem) requires a Shodan API key set as an environment variable:
```bash
$ export SHODAN_API_KEY=your_key_here
# Or pass directly:
$ shroud scan --target example.com --shodan-key your_key_here
```
Without a Shodan key, SENSOR is skipped gracefully — the other four discovery methods still run. Full Shodan host search requires a paid Shodan account.
VEIL — SPF Record Parsing
VEIL queries DNS TXT records for the target domain and all common mail subdomains (mail, smtp, mx, email, send). It parses every SPF record found, extracting all ip4: mechanisms, and recursively resolves every include: chain up to four levels deep.
How It Works
- DNS query: TXT records via dnspython for domain and mail subdomains
- SPF parsing: v=spf1 records parsed into mechanisms with qualifiers (+, -, ~, ?)
- ip4: extraction: Every CIDR range extracted — the first IP in each range becomes a candidate
- Recursive includes: include: domains queried recursively (max depth 4, loop protection)
- Redirect handling: redirect= modifier followed and resolved
```bash
$ shroud scan -t madebyredrose.co.uk --mode discovery-only
# VEIL: 80 IPs via SPF — 49.13.236.206 ranked #1
```
Why this works: Many organisations configure Cloudflare for web traffic but keep email on the same server. The SPF record for their domain includes ip4:49.13.236.206 — the real origin.
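VEIL's SPF walk, as an added example rather than SHROUD's own code: it strips qualifiers, follows include: and redirect= with the depth limit and loop protection described above, and lists the addresses the chain publishes, which is also what an administrator sees when checking whether their own record discloses a non-CDN host. The FAKE_TXT table is a constructed stand-in for DNS TXT lookups so the example runs offline, and the function names are assumptions.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# VEIL itself resolves these with dnspython; addresses are RFC 5737 test ranges.
FAKE_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "_spf.example.net": ["v=spf1 ip4:198.51.100.10 include:loop.example.net ~all"],
    "loop.example.net": ["v=spf1 include:_spf.example.net redirect=final.example.org"],
    "final.example.org": ["v=spf1 ip4:192.0.2.0/28 -all"],
}
MAX_DEPTH = 4  # same include: depth limit the section describes


def spf_records(domain):
    """Return the v=spf1 TXT records published for domain (from FAKE_TXT)."""
    return [r for r in FAKE_TXT.get(domain, []) if r.startswith("v=spf1")]


def collect_ip4(domain, depth=0, seen=None):
    """Map every ip4: CIDR reachable from domain to the record that published it."""
    seen = set() if seen is None else seen
    found = {}
    if depth > MAX_DEPTH or domain in seen:  # depth limit and loop protection
        return found
    seen.add(domain)
    for record in spf_records(domain):
        for term in record.split()[1:]:
            term = term.lstrip("+-~?")  # drop the SPF qualifier
            if term.startswith("ip4:"):
                found[term[4:]] = domain
            elif term.startswith("include:"):
                found.update(collect_ip4(term[8:], depth + 1, seen))
            elif term.startswith("redirect="):
                found.update(collect_ip4(term[9:], depth + 1, seen))
    return found


def candidate_ips(domain):
    """First address of each published range, as VEIL promotes candidates."""
    cidrs = collect_ip4(domain)
    return sorted(str(ipaddress.ip_network(c, strict=False)[0]) for c in cidrs)


if __name__ == "__main__":
    for cidr, source in collect_ip4("example.com").items():
        print(f"{cidr:<18} published by {source}")
```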
ATLAS — Certificate Transparency
ATLAS queries crt.sh — the public certificate transparency log aggregator — for all SSL certificates ever issued to the target domain. Certificates issued before CDN deployment resolve to the origin IP. Staging and dev certificates frequently bypass CDNs entirely.
How It Works
- API endpoint: https://crt.sh/?q=%.{domain}&output=json (no API key required)
- Wildcard query: %.domain captures certificates for all subdomains
- Name extraction: name_value fields parsed, newline-separated names deduped
- Hostname resolution: All non-wildcard hostnames resolved via DNS to current IPs
- Direct IP entries: CT log entries with IP addresses collected directly
Note: crt.sh can be slow or temporarily unavailable. SHROUD handles timeout gracefully and continues with other methods.
TRACE — Historical DNS
TRACE queries HackerTarget's free API for both historical DNS records and current DNS records. The hostsearch endpoint returns all subdomain:IP pairs HackerTarget has ever observed for the domain. The DNS lookup endpoint returns current A records.
API Endpoints Used
- hostsearch: https://api.hackertarget.com/hostsearch/?q={domain} (subdomain:IP pairs)
- dnslookup: https://api.hackertarget.com/dnslookup/?q={domain} (current records)
No API key is required for the free tier, which is rate-limited to roughly 50 requests per day. Private and reserved IPs (RFC 1918 and documentation ranges) are filtered out automatically.
SENSOR — Shodan Integration
SENSOR queries Shodan's API for internet-wide scan data associated with the target domain. Two Shodan endpoints are used: DNS resolution (free with any key) and host search (paid plans required).
Configuration
Without a key, SENSOR reports capability but returns no results. SHROUD continues with the other four discovery methods. A free Shodan API key enables DNS resolution. A paid account enables full host search with port lists, OS fingerprints, and CVE data.
SWEEP — Subdomain Enumeration
SWEEP attempts DNS resolution for 52 subdomains known to bypass CDN protection. It runs all queries in parallel and filters out IPs that belong to known CDN ranges.
Bypass Subdomain Wordlist (sample)
- Mail infrastructure: mail, smtp, mx, pop, imap, webmail
- File transfer: ftp, sftp
- Hosting panels: cpanel, whm, plesk, directadmin
- Direct access: direct, origin, real
- Environments: staging, stage, dev, development, test, testing
- Admin: admin, management, dashboard
- API/Backend: api, backend, app
- Remote access: vpn, remote, access
- Legacy: www2, old, legacy, v1, v2
CDN Detection
SWEEP maintains CIDR ranges for Cloudflare, Fastly, Akamai, and AWS CloudFront. Subdomains that resolve to CDN IPs are counted as CDN-filtered and excluded from candidates. Only non-CDN IPs are promoted.
PROBE — IP Verification
PROBE sends real HTTP/HTTPS requests directly to each candidate IP with the Host: header set to the target domain. This bypasses the CDN: the request reaches the origin server with the correct domain context.
Verification Logic
- Ports tested: 443 (HTTPS), 80 (HTTP), 8443 (HTTPS), 8080 (HTTP) — in order
- SSL verification: Disabled on direct IP connections (origin cert may not match CDN cert)
- WAF header detection: CF-Ray, X-Sucuri-ID, X-Akamai-Transformed, X-Fastly-Request-ID, X-AMZ-CF-ID
- CDN error patterns: "cloudflare", "just a moment", "checking your browser", "error 10xx"
- Content keywords: Optional --keywords flag; matches confirm that the target's content is being served
- Best attempt: Highest-confidence connection per IP is preserved for scoring
10 parallel workers probe all candidates concurrently. Results are sorted by confidence score (highest first) before handoff to SCORE.
MARK — Server Fingerprinting
MARK analyses HTTP response headers from PROBE's connection attempts to extract detailed server fingerprints. No additional network requests are made — MARK works entirely from headers already collected.
What MARK Detects
| Category | Examples |
|---|---|
| Web server | Nginx, Apache, IIS, LiteSpeed, Caddy, OpenResty, Gunicorn, Uvicorn |
| Framework | PHP, ASP.NET, Django, Rails, Express.js, Laravel, WordPress, Drupal |
| Language | PHP, Python, Ruby, Java, Node.js, C#/ASP.NET |
| Hosting panel | cPanel, Plesk, DirectAdmin, ISPConfig, Webmin |
| OS hint | Ubuntu, Debian, CentOS, Red Hat, Windows Server |
| Security headers | HSTS, CSP, CORS, X-Frame-Options presence/absence |
SCORE — Confidence Scoring
SCORE aggregates evidence from all discovery and verification phases into a unified confidence score per candidate IP. IPs found by multiple methods receive a corroboration bonus.
Scoring Weights
| Evidence Source | Weight | Notes |
|---|---|---|
| SPF ip4: (VEIL) | +0.20 | Direct ip4: mechanism in SPF chain |
| CT log (ATLAS) | +0.15 | Resolved from CT log entry |
| Historical DNS (TRACE) | +0.15 | HackerTarget hostsearch or DNS lookup |
| Shodan (SENSOR) | +0.10 | Internet-wide scan result |
| Subdomain (SWEEP) | +0.20 | Resolved from bypass subdomain |
| Corroboration bonus | +0.10 | Found by 2+ methods simultaneously |
| Probe connected (PROBE) | +0.30 | Direct HTTP connection succeeded |
| WAF absent (PROBE) | +0.30 | No WAF headers in response |
| Content match (PROBE) | +0.25 | Target content confirmed in response body |
Confidence Grades
| Grade | Score | Criteria |
|---|---|---|
| CONFIRMED | ≥ 0.80 | WAF bypassed AND content matched |
| HIGH | ≥ 0.65 | WAF bypassed, content match not required |
| MEDIUM | ≥ 0.45 | Strong multi-method discovery, not yet probed |
| LOW | ≥ 0.25 | Single discovery method, not verified |
| CANDIDATE | < 0.25 | Discovered, not yet assessed |
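The aggregation described above carried through in code, as an added example that is not SHROUD's own scoring routine: it applies the weights and grade thresholds from the two tables to one candidate. The cap at 1.0 is an assumption taken from the sample HERALD report (confidence_score 1.0), and counting PROBE evidence only after a successful direct connection is an assumption as well.

```python
# Weights copied from the Scoring Weights table.
DISCOVERY_WEIGHTS = {"VEIL": 0.20, "ATLAS": 0.15, "TRACE": 0.15,
                     "SENSOR": 0.10, "SWEEP": 0.20}
CORROBORATION_BONUS = 0.10
PROBE_WEIGHTS = {"connected": 0.30, "waf_absent": 0.30, "content_match": 0.25}


def score_candidate(methods, connected=False, waf_absent=False, content_match=False):
    """Aggregate evidence for one candidate IP into (score, grade)."""
    found_by = set(methods)
    score = sum(DISCOVERY_WEIGHTS[m] for m in found_by)
    if len(found_by) >= 2:  # corroboration bonus: 2+ methods agree
        score += CORROBORATION_BONUS
    # Assumption: WAF-absent and content evidence only count once PROBE connected.
    if connected:
        score += PROBE_WEIGHTS["connected"]
        if waf_absent:
            score += PROBE_WEIGHTS["waf_absent"]
        if content_match:
            score += PROBE_WEIGHTS["content_match"]
    score = round(min(score, 1.0), 2)  # assumed cap, matching the sample report
    # Grade criteria from the Confidence Grades table, checked top down.
    if score >= 0.80 and waf_absent and content_match:
        grade = "CONFIRMED"
    elif score >= 0.65 and waf_absent:
        grade = "HIGH"
    elif score >= 0.45:
        grade = "MEDIUM"
    elif score >= 0.25:
        grade = "LOW"
    else:
        grade = "CANDIDATE"
    return score, grade


if __name__ == "__main__":
    # Same evidence as the sample HERALD report: VEIL + TRACE, probe fully verified.
    print(score_candidate(["VEIL", "TRACE"], connected=True,
                          waf_absent=True, content_match=True))
```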
STRIKE — Pivot Controller
STRIKE invokes WRAITH (or WARLORD) against confirmed origin IPs after UNLEASHED authorization is confirmed. The CDN is bypassed entirely — WRAITH receives the raw origin IP with the target domain passed as a Host hint.
WRAITH Pivot
```bash
wraith scan --target {origin_ip} --host {domain} --output reports/wraith_{ip}.json --override --confirm-destroy
```
WARLORD ANNIHILATE Chain
```bash
shroud scan -t example.com --mode full --chain annihilate --override --confirm-destroy
```
STRIKE passes --override and --confirm-destroy through to WRAITH/WARLORD, maintaining the UNLEASHED chain. Both flags must be present or STRIKE returns an error without executing.
HERALD — Report Generation
HERALD saves a complete JSON report to the reports/ directory at the end of every engagement. The report includes all candidates, methods, confidence scores, verification results, server fingerprints, and pivot execution details.
Report Format
```json
{
  "report_id": "SHD-RPT-{hex8}",
  "target": "example.com",
  "phase": "full",
  "candidates_discovered": [{
    "candidate_id": "SHD-IP-{hex8}",
    "ip_address": "203.0.113.42",
    "discovery_methods": ["VEIL (SPF)", "TRACE (Historical DNS)"],
    "confidence": "CONFIRMED",
    "confidence_score": 1.0,
    "waf_absent": true,
    "content_verified": true,
    "server_fingerprint": "Nginx/1.24.0",
    "server_headers": {...}
  }],
  "confirmed_origins": [...],
  "waf_bypassed": true,
  "pivot_executed": true,
  "pivot_tool": "wraith",
  "pivot_command": "wraith scan --target 203.0.113.42 ...",
  "created_at": "2026-04-02T18:21:27+00:00"
}
```
Report filename format: shroud_SHD-RPT-{hex8}_{YYYYMMDD_HHMMSS}.json
UNLEASHED Authorization
SHROUD uses Ed25519 dual-gate authorization for the STRIKE phase. Keys are generated automatically on first run and stored at ~/.red-specter/shroud/.
Key Management
```bash
# Show key fingerprint and config path
shroud unleashed status
# Generate keys (auto on first run)
shroud unleashed init
# Create authorized scope file
shroud unleashed create-scope --targets example.com --days 30
```
Gate Requirements
- Discovery mode: No flags required
- Verification mode: No flags required
- STRIKE / pivot: --override AND --confirm-destroy both required
- Key location: ~/.red-specter/shroud/unleashed.key
- Operator key: ~/.red-specter/shroud/operator.key
The gate checks both flags on every invocation. Passing only --override or only --confirm-destroy is insufficient — both must be present for STRIKE to execute.
CLI Reference
Scan Commands
| Flag | Description |
|---|---|
| --target / -t | Target domain (required). Scheme stripped automatically. |
| --mode / -m | Scan mode: full (default), discovery-only, verify-only, pivot-only |
| --auto-pivot | Auto-invoke WRAITH on confirmed origin (UNLEASHED required) |
| --chain | Pivot chain: wraith (default) or annihilate (WARLORD) |
| --keywords / -k | Comma-separated content keywords to verify origin (e.g. "example,contact") |
| --shodan-key | Shodan API key (or set SHODAN_API_KEY env var) |
| --override | UNLEASHED gate flag #1 |
| --confirm-destroy | UNLEASHED gate flag #2 |
| --output / -o | Output directory for reports (default: reports/) |
| --verbose / -v | Enable verbose debug output |
Status Commands
| Command | Description |
|---|---|
| shroud subsystems | List all 10 SHROUD subsystems |
| shroud capabilities | Show discovery methods and pivot chains |
| shroud unleashed status | Show UNLEASHED key fingerprint and config path |
| shroud unleashed init | Generate UNLEASHED keys if not present |
| shroud unleashed create-scope | Create signed authorization scope file |
| shroud --version | Show SHROUD version |
Report Format
Every SHROUD engagement saves a JSON report to the reports/ directory. Reports use the SHD-RPT- prefix and include a UTC timestamp in the filename.
All candidate IPs are recorded with their discovery methods, confidence grade, WAF bypass status, server fingerprint, and raw evidence. Confirmed origins and pivot execution details are captured separately for easy extraction.
Authorised Use Only. SHROUD is a commercial penetration testing tool. Use only on systems you own or have explicit written authorisation to test. Unauthorised use is illegal. Red Specter Security Research Ltd (Company No. 17106988) does not condone unauthorised security testing.