Red Specter WRAITH

Pure Python Traditional Infrastructure & Web Penetration Testing — 7 modules. 889 tests. Zero wrappers.

v1.0.0

Contents

Overview Installation Quick Start Port Scanner Service Fingerprinting Web Vulnerability Scanner SSL/TLS Analysis Authentication Testing CMS Detection CVE Assessment UNLEASHED Mode CLI Reference NEMESIS Integration Report Output Disclaimer

Overview

WRAITH is a pure Python infrastructure and web penetration testing framework. Zero external tool dependencies. Every module built from scratch using Python stdlib and asyncio. Port scanning via asyncio.open_connection(), web testing via urllib, SSL analysis via Python's ssl module. No nmap. No sqlmap. No nikto. No nuclei. Pure engineering.

Seven modules. 889 tests. Every capability written from first principles. When WRAITH scans a target, every packet, every probe, every analysis is Python code that Red Specter wrote — not a wrapper around someone else's binary.

Pure Python Zero external tool dependencies. stdlib + asyncio only.

7 Modules Ports, services, web vulns, SSL, auth, CMS, CVEs.

889 Tests Full test coverage across every module.

Zero Wrappers No nmap, no sqlmap, no nikto, no nuclei.

Installation

$ pip install red-specter-wraith

Also available as .deb and PKGBUILD (BlackArch).

Or from source:

$ git clone <repo>
$ cd red-specter-wraith
$ pip install -e ".[dev]"
    

Quick Start

# Full scan
$ wraith scan https://target.com

# Port scan only
$ wraith ports 192.168.1.1

# Web vulnerability scan
$ wraith web https://target.com

# SSL/TLS analysis
$ wraith ssl target.com

# Authentication testing
$ wraith creds https://target.com/login

# UNLEASHED mode
$ wraith scan https://target.com --override --confirm-destroy
    

Port Scanner

Async TCP connect scanning built on asyncio.open_connection(). No nmap. No raw sockets. Pure Python async I/O with semaphore-controlled concurrency.

Capabilities wraith ports <target>

Async TCP connect via asyncio.open_connection()
Semaphore-controlled concurrency — default 100 concurrent connections
Banner grabbing with configurable timeout
Port sets: top100, top1000, full (65535 — UNLEASHED)
Returns: port, state, service, banner, response_ms

# Top 100 ports
$ wraith ports 192.168.1.1

# Top 1000 ports
$ wraith ports 192.168.1.1 --ports top1000

# Custom ports
$ wraith ports 192.168.1.1 --ports 22,80,443,8080

# Full 65535 (UNLEASHED)
$ wraith ports 192.168.1.1 --ports full --override --confirm-destroy
    

Service Fingerprinting

Regex-based banner analysis with version extraction. No external fingerprinting databases. Every signature written and maintained by Red Specter.

Capabilities

138 regex-based banner signatures
Covers: SSH, FTP, SMTP, HTTP (Apache/nginx/IIS/Caddy), databases (MySQL/PostgreSQL/MongoDB/Redis/Elasticsearch), mail, DNS, application servers
130 port-to-service fallback mappings
Confidence scoring — 0.0–1.0
Version extraction via regex capture groups

138 Signatures Regex-based banner matching with version capture

130 Fallbacks Port-to-service mapping when banners are unavailable

Confidence Scoring 0.0–1.0 confidence on every identification

Version Extraction Regex capture groups pull exact version strings

Web Vulnerability Scanner

OWASP Top 10 coverage. Every payload hand-crafted. Every detection pattern purpose-built. No nikto signatures. No nuclei templates. Pure Python web testing.

01 SQL Injection

103 payloads covering error-based, UNION, boolean blind, and time blind injection. 51 error detection patterns across MySQL, PostgreSQL, MSSQL, SQLite, and Oracle.

103 payloads — error-based, UNION, boolean blind, time blind
51 error detection patterns
Database coverage: MySQL, PostgreSQL, MSSQL, SQLite, Oracle

02 Cross-Site Scripting (XSS)

72 payloads targeting reflected, stored, DOM-based, and polyglot XSS vectors. Event handlers, SVG injection, and encoded variants.

72 payloads — reflected, stored, DOM, polyglots
Event handlers, SVG, encoded variants

03 Path Traversal

56 traversal sequences with double-encoded, null byte, and unicode variants. Targets 52 Linux and 24 Windows sensitive files.

56 sequences — ../, ..\\, double-encoded, null byte, unicode
52 Linux target files + 24 Windows target files

04 Command Injection

79 payloads covering semicolon, pipe, backtick, $(), &&, ||, and newline injection for both Linux and Windows targets.

79 payloads — ;, |, backtick, $(), &&, ||, newline
Linux + Windows command targets

05 Server-Side Request Forgery (SSRF)

33 cloud metadata endpoints across AWS, GCP, and Azure. 52 internal network probes for service discovery behind the firewall.

33 cloud metadata endpoints — AWS, GCP, Azure
52 internal probes for service discovery

06 Security Headers

10 required security header checks and 12 dangerous header detections. HSTS, CSP, X-Frame-Options, and more.

10 required checks — HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, etc.
12 dangerous header detections

07 Information Disclosure

115 paths probed for sensitive file exposure. Environment files, version control, server status, actuator endpoints, and more.

115 paths — .env, .git, robots.txt, server-status, actuator, etc.

# Full web vulnerability scan
$ wraith web https://target.com

# Aggressive mode
$ wraith web https://target.com --mode aggressive
    

SSL/TLS Analysis

Full SSL/TLS stack analysis using Python's ssl module. Protocol enumeration, cipher analysis, certificate validation, and vulnerability generation from findings.

Capabilities wraith ssl <target>

Protocol enumeration: SSLv2, SSLv3, TLS 1.0, 1.1, 1.2, 1.3
Cipher suite analysis with weak cipher detection
Certificate validation: expiry, self-signed, SAN mismatch
HSTS detection and max-age verification
Vulnerability generation from findings

# SSL/TLS analysis
$ wraith ssl target.com

# SSL with port specification
$ wraith ssl target.com --ports 443,8443
    

Authentication Testing

Default credential testing across 22 services. HTTP Basic and form-based login detection. Rate limiting and lockout detection built in.

Capabilities wraith creds <target>

HTTP Basic and form-based login detection
500+ default credentials across 22 services
Services: SSH, FTP, MySQL, PostgreSQL, MongoDB, Redis, Elasticsearch, Tomcat, Jenkins, WordPress, and more
Rate limiting with configurable delay
Lockout detection: account locked, too many attempts, CAPTCHA, 429 status
Standard mode: top 50 credentials. UNLEASHED: full dictionary.

# Authentication testing
$ wraith creds https://target.com/login

# UNLEASHED — full dictionary
$ wraith creds https://target.com/login --override --confirm-destroy
    

CMS Detection

14 CMS types detected through path probing, meta tag analysis, and header fingerprinting. Version extraction and UNLEASHED plugin enumeration for WordPress.

Supported CMS

14 CMS types: WordPress, Drupal, Joomla, Magento, Ghost, Shopify, TYPO3, PrestaShop, OpenCart, MediaWiki, Confluence, SharePoint, Wix, Squarespace
Path probing for CMS-specific files and directories
Meta tag analysis and header fingerprinting
Version extraction
UNLEASHED: WordPress plugin enumeration (56 common plugins), user enumeration via REST API + author archives

CVE Assessment

Real CVE matching against discovered services and versions. Semantic version matching with CVSS-to-severity mapping. No API calls. Offline database.

Capabilities

106 real CVEs across 22 products
Semantic version matching — exact, range, operators
CVSS-to-severity mapping
Products covered: Apache, nginx, OpenSSH, MySQL, PostgreSQL, PHP, WordPress, Drupal, Joomla, Tomcat, IIS, Redis, Elasticsearch, MongoDB, and more

106 CVEs Real CVE entries across 22 products

Semantic Versioning Exact, range, and operator-based matching

CVSS Scoring Severity mapped from CVSS base scores

Offline Database No API calls required. Ships with the tool.

WRAITH UNLEASHED

Cryptographic override. Private key controlled. One operator. Founder's machine only.

Standard mode scans and assesses. UNLEASHED mode removes all safety limits. Full port range. Full credential dictionary. Full plugin enumeration. The difference is not cosmetic.

Capability	Standard	UNLEASHED
Port scanning	Top 100	Full 65535
Credential testing	Top 50	Full dictionary (500+)
Web vulnerability payloads	Standard set	Full payload library
CMS enumeration	Detection only	Plugin + user enumeration
Scan concurrency	100	Unlimited
Rate limiting	Enforced	Configurable / disabled
Report classification	Standard	RESTRICTED
Key required	No	Ed25519

# UNLEASHED (dry run)
$ wraith scan https://target.com --override

# UNLEASHED (live — authorised environments only)
$ wraith scan https://target.com --override --confirm-destroy
    

UNLEASHED mode is restricted to authorised operators with Ed25519 private key access. Live execution against production infrastructure must only occur in authorised test environments with appropriate controls in place. Unauthorised use of UNLEASHED mode against production systems may compromise live services and will violate applicable law.

CLI Reference

Commands

Command	Description
wraith scan <target>	Full engagement scan
wraith ports <target>	Port scan only
wraith web <target>	Web vulnerability scan
wraith ssl <target>	SSL/TLS analysis
wraith creds <target>	Authentication testing

Options

Flag	Description
--mode	standard, stealth, aggressive, web_only, infra_only
--ports	top100, top1000, full, or comma-separated
--timeout	Connection timeout (seconds)
--concurrency	Max concurrent connections
--override	UNLEASHED dry-run
--confirm-destroy	UNLEASHED live execution
--output	Output directory
--session	Session name

NEMESIS Integration

WRAITH operates as a NEMESIS weapon. The Supreme Commander chains WRAITH findings with AI-driven exploitation — infrastructure vulnerabilities discovered by WRAITH become attack vectors that NEMESIS exploits autonomously.

01 WRAITH Discovers

→

02 NEMESIS Chains

→

03 EXPLOIT Executes

WRAITH feeds port data, service versions, web vulnerabilities, SSL weaknesses, default credentials, CMS fingerprints, and CVE matches into NEMESIS. The Supreme Commander analyses the combined findings, identifies attack chains, and executes multi-stage exploitation sequences that no single tool could achieve alone.

Port & Service Data Open ports, banners, and version strings feed NEMESIS target selection

Web Vulnerability Chains SQLi, XSS, SSRF findings become NEMESIS exploitation targets

CVE Correlation Known CVEs matched to services inform NEMESIS weapon selection

Credential Reuse Default credentials discovered by WRAITH enable lateral movement

Report Output

Every WRAITH engagement produces JSON and text reports with full findings documentation. Built for both technical teams and compliance requirements.

JSON + Text Machine-readable and human-readable output

Executive Summary High-level findings overview for stakeholders

Detailed Findings Every vulnerability with evidence and severity

Recommendations Actionable remediation guidance per finding

Report Sections

Header — engagement metadata, target, timestamps
Executive Summary — high-level risk overview
Findings — all vulnerabilities with severity, evidence, and remediation
Ports — open ports, services, banners
Services — fingerprinted services with versions
SSL/TLS — protocol, cipher, and certificate analysis
Authentication — default credential findings
CMS — detected content management systems
CVEs — matched vulnerabilities with CVSS scores
Statistics — scan metrics and coverage data
Recommendations — prioritised remediation steps

# JSON report
$ wraith scan https://target.com --output ./reports

# Named session
$ wraith scan https://target.com --session client-engagement-001 --output ./reports
    

Disclaimer

Red Specter WRAITH is designed for authorised security testing, research, and educational purposes only. You must have explicit written permission from the system owner before running any WRAITH tool against a target. Testing against live infrastructure and web applications carries inherent risks including service disruption and data exposure. WRAITH must only be used against systems you are authorised to test. Unauthorised use may violate the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), or equivalent legislation in your jurisdiction. The authors accept no liability for misuse or damage resulting from improper use.