T122 • NHI Fleet Exploitation Engine • v1.0.0 • 312 tests
```bash
pip install specter-ghost

# TruffleHog Go binary required:
go install github.com/trufflesecurity/trufflehog/v3@latest

# Verify:
trufflehog --version
specter-ghost --version
```
SPECTER GHOST uses a three-level gate (OPEN, INJECT, UNLEASHED). Initialize it before running any subsystem:

```bash
# OPEN gate (DISCOVER, HARVEST-NHI, REPORT)
specter-ghost gate init --target github.com/myorg --gate OPEN --operator RED

# INJECT gate (adds CHAIN, PIVOT)
specter-ghost gate init --target github.com/myorg --gate INJECT --operator RED

# UNLEASHED gate (adds BLAST-RADIUS): requires Ed25519 key + ROE file
specter-ghost gate keygen --key-path ~/.config/specter/ghost.key
echo "This engagement is authorised by Red Specter Security Research Ltd." > roe.txt
specter-ghost gate init --target github.com/myorg --gate UNLEASHED \
  --key-path ~/.config/specter/ghost.key --roe-path roe.txt
```
TruffleHog-powered NHI (non-human identity) enumeration. Requires OPEN gate. Prints the session ID that HARVEST, CHAIN and PIVOT take via `--session-id`.

```bash
specter-ghost discover \
  --target github.com/myorg \
  --github-token $GITHUB_TOKEN \
  --session-id my-session-001
```
Targets: GitHub org/repo, GitLab repo URL, Bitbucket repo, local filesystem path. Cloud IMDS and MCP configs scanned by default (disable with --no-imds, --no-mcp).
Credential enrichment with liveness validation, privilege classification, and key age. Requires OPEN gate. Liveness checks make an authenticated call with each harvested credential (the endpoints in the table below), so they leave provider-side audit entries (for example a CloudTrail record for sts:GetCallerIdentity); run them only inside the scope of the engagement.

```bash
specter-ghost harvest \
  --target github.com/myorg \
  --session-id my-session-001
```
| Platform | Liveness Check | Privilege / Key Age Source |
|---|---|---|
| AWS | sts:GetCallerIdentity | iam:GetAccessKeyLastUsed |
| GitHub | GET /user (PAT validity) | X-OAuth-Scopes header |
| OpenAI | GET /v1/models | billing subscription |
| Anthropic | POST /v1/messages (max_tokens=1) | — |
| HuggingFace | GET /api/whoami-v2 | fine-grained scope |
| GCP | tokeninfo endpoint | expires_in field |
| Azure | GET /v1.0/me (Microsoft Graph) | token introspection |
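The following is an added example, not SPECTER GHOST's own code, showing how the checks in the table above turn provider replies into a liveness, privilege and key-age verdict. It takes the replies as data so it runs offline against constructed responses (feed it real replies from an HTTP client to use it live); `Response`, `Finding`, the function names and the privilege tiers are this example's assumptions, and `federation_ready` follows the page's handoff rule (GitHub with the repo scope, AWS and GCP; Azure is not modelled here).

```python
"""Liveness, privilege and key-age classification for harvested credentials.

Added example, not SPECTER GHOST's own code. Response/Finding, the function
names and the privilege tiers are this example's assumptions; the sample
replies in demo() are constructed, not real captures.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class Response:
    """Provider reply: HTTP status, response headers, decoded JSON body."""
    status: int
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


@dataclass
class Finding:
    platform: str
    live: bool
    privilege: str               # admin | write | read | unknown
    key_age_days: Optional[int]  # days since last use (AWS only here)
    federation_ready: bool
    detail: str = ""


def _header(resp: Response, name: str) -> str:
    """Case-insensitive header lookup; GitHub sends x-oauth-scopes in lowercase."""
    return {k.lower(): v for k, v in resp.headers.items()}.get(name.lower(), "")


def classify_github_pat(resp: Response) -> Finding:
    """GET https://api.github.com/user: 200 means the PAT is valid. Classic PATs
    list their scopes in X-OAuth-Scopes; fine-grained PATs omit the header."""
    live = resp.status == 200
    scopes = {s.strip() for s in _header(resp, "X-OAuth-Scopes").split(",") if s.strip()}
    if scopes & {"admin:org", "delete_repo"}:
        priv = "admin"
    elif scopes & {"repo", "workflow", "write:packages"}:
        priv = "write"
    elif scopes:
        priv = "read"
    else:
        priv = "unknown"
    return Finding("github", live, priv, None, live and "repo" in scopes, " ".join(sorted(scopes)))


def classify_aws_key(identity: Response, last_used: Response, now: datetime) -> Finding:
    """identity: sts:GetCallerIdentity reply (non-200 means the key is deactivated,
    deleted or never existed). last_used: iam:GetAccessKeyLastUsed reply; its
    LastUsedDate is the page's key-age signal (creation date would need iam:ListAccessKeys)."""
    live = identity.status == 200
    arn = identity.body.get("Arn", "")
    # Root keys bypass IAM policy entirely; anything else needs policy inspection.
    priv = "admin" if arn.endswith(":root") else "unknown"
    age = None
    stamp = last_used.body.get("AccessKeyLastUsed", {}).get("LastUsedDate")
    if last_used.status == 200 and stamp:
        age = (now - datetime.fromisoformat(stamp.replace("Z", "+00:00"))).days
    return Finding("aws", live, priv, age, live, arn)


def classify_gcp_token(resp: Response) -> Finding:
    """GET https://oauth2.googleapis.com/tokeninfo?access_token=...: 200 means the
    token is valid; expires_in is the remaining lifetime in seconds, sent as a string."""
    live = resp.status == 200 and int(resp.body.get("expires_in", 0)) > 0
    scope = resp.body.get("scope", "")
    priv = "write" if "cloud-platform" in scope else ("read" if scope else "unknown")
    detail = f"expires_in={resp.body.get('expires_in', '?')} {resp.body.get('email', '')}".strip()
    return Finding("gcp", live, priv, None, live, detail)


_RANK = {"admin": 0, "write": 1, "read": 2, "unknown": 3}


def triage(findings: List[Finding]) -> List[Finding]:
    """Live credentials first, highest privilege first: the order to work them in."""
    return sorted(findings, key=lambda f: (not f.live, _RANK[f.privilege], f.platform))


def federation_handoff_candidates(findings: List[Finding]) -> List[str]:
    """Platforms whose credential qualifies for the SPECTER FEDERATION handoff."""
    return [f.platform for f in triage(findings) if f.federation_ready]


def demo() -> dict:
    """Constructed provider replies (not real captures) run through the classifiers."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed reference time for the demo
    gh = classify_github_pat(Response(200, {"x-oauth-scopes": "repo, workflow, read:org"}, {"login": "ci-bot"}))
    gh_dead = classify_github_pat(Response(401, {}, {"message": "Bad credentials"}))
    aws = classify_aws_key(
        Response(200, {}, {"Arn": "arn:aws:iam::123456789012:root", "Account": "123456789012"}),
        Response(200, {}, {"AccessKeyLastUsed": {"LastUsedDate": "2024-03-03T00:00:00Z"}}), now)
    gcp = classify_gcp_token(Response(200, {}, {"expires_in": "3599", "email": "svc@proj.iam.gserviceaccount.com",
                                                "scope": "https://www.googleapis.com/auth/cloud-platform"}))
    gcp_dead = classify_gcp_token(Response(400, {}, {"error": "invalid_token"}))
    findings = [gh, gh_dead, aws, gcp, gcp_dead]
    return {"findings": triage(findings), "handoff": federation_handoff_candidates(findings)}


if __name__ == "__main__":
    result = demo()
    for f in result["findings"]:
        print(f)
    print("federation handoff candidates:", result["handoff"])
```

Only the AWS path reports a key age, and it is "days since last use" rather than since creation, because that is what iam:GetAccessKeyLastUsed returns; a 403 on that call (no iam:GetAccessKeyLastUsed permission) leaves the age as None rather than guessing.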
Credential-centric NHI trust graph. Requires INJECT gate. Does not perform RFC 8693 (OAuth 2.0 Token Exchange) chain traversal; that is SPECTER FEDERATION's domain.

```bash
specter-ghost chain --session-id my-session-001 --dot-output graph.dot
dot -Tsvg graph.dot -o graph.svg
```
Single-hop credential validation. Requires INJECT gate. No multi-hop chain traversal.
```bash
specter-ghost pivot --session-id my-session-001
specter-ghost pivot --session-id my-session-001 --credential-id <cred_id>
```
Full resource enumeration and LLMjacking cost calculation. Requires UNLEASHED gate (Ed25519 key + ROE). Not destructive — enumeration only.
```bash
specter-ghost blast-radius --session-id my-session-001 --unleashed
```

```bash
# DISCOVER → HARVEST → CHAIN → PIVOT → REPORT
specter-ghost engage \
  --target github.com/myorg \
  --github-token $GITHUB_TOKEN \
  --operator RED

# Include BLAST-RADIUS (UNLEASHED gate required)
specter-ghost engage \
  --target github.com/myorg \
  --github-token $GITHUB_TOKEN \
  --unleashed \
  --output-dir ./ghost-reports
```
GHOST flags credentials with federation_ready=True when they qualify for RFC 8693 chain traversal. The REPORT output lists all handoff candidates:
```bash
# From GHOST report federation_handoff_candidates:
specter-federation chain --source-cred <cred_id>
```
Qualifying platforms: GitHub (repo scope), AWS, Azure, GCP. GHOST performs single-hop validation only — FEDERATION handles the full trust chain traversal.
All reports are GHO-{hex12} prefixed and Ed25519 signed. Each engagement writes the following files to the output directory:

```text
ghost-reports/
  GHO-A1B2C3D4E5F6.txt            # Human-readable report
  GHO-A1B2C3D4E5F6.json           # Full structured report
  GHO-A1B2C3D4E5F6_warlord.json   # WARLORD-compatible JSON
  GHO-A1B2C3D4E5F6_nhi_graph.dot  # GraphViz trust graph
```
Docker image layer scanning, NPM/PyPI package manifests, Pastebin/Slack log scanning, container registry scanning.