REAPER v2.1
Full-Spectrum Web Security and Post-Exploitation — T14. 11 phases. 5,439 tests.
Overview
REAPER is a full-spectrum offensive security framework built in pure Python. It covers the complete engagement lifecycle: technology fingerprinting, OWASP Top 10 web scanning, automated exploitation, payload generation, command and control, post-exploitation, privilege escalation, lateral movement, persistence, credential harvesting, and evasion.
Zero Metasploit. Zero Cobalt Strike. Zero Ruby. Every capability is Python code written by Red Specter. Every module is auditable. Every payload is documented. Every finding is structured JSON.
v2.1 introduces ARMORY PRION integration: the PRION mutation engine wires directly into the scan pipeline, replacing static payload lists with dynamically mutated, WAF-bypass variants generated on every engagement.
Installation
PyPI
Docker
Debian / Kali
PKGBUILD (BlackArch / Arch)
From Source
PRION GPU Acceleration (Optional)
Quick Start
CLI Reference
Top-Level Commands
| Command | Description |
|---|---|
| reaper engage <url> | Full engagement — all enabled phases against URL |
| reaper phase <name> <url> | Run a single named phase |
| reaper status | Show active sessions, listeners, PRION state |
| reaper report | Generate report from findings JSON |
| reaper keygen | Generate UNLEASHED Ed25519 key pair |
Phase Names (for reaper phase)
| Phase Name | Number | Gate |
|---|---|---|
| discovery | −1 | OPEN |
| scan | 0 | OPEN |
| exploit | 1 | INJECT |
| payload | 2 | UNLEASHED |
| c2 | 3 | UNLEASHED |
| implant | 4 | UNLEASHED |
| privesc | 5 | OPEN |
| lateral | 6 | UNLEASHED |
| persist | 7 | UNLEASHED |
| harvest | 8 | OPEN |
| evasion | 9 | UNLEASHED |
Global Flags
| Flag | Description |
|---|---|
| --ai-mode | Enable Ollama AI analysis (deepseek-r1:32b default) |
| --model <name> | Override Ollama model for AI mode |
| --ollama <url> | Override Ollama endpoint (default: http://localhost:11434) |
| --no-armory | Force static payload library, skip PRION mutation |
| --unleashed | Enable UNLEASHED-gated phases (requires key + ROE) |
| --confirm-destroy | Permit live execution of UNLEASHED operations |
| --session <id> | Attach to or name a session |
| --output <dir> | Output directory for findings and artefacts |
| --wraith-report <file> | Ingest WRAITH reconnaissance report as Phase −1 input |
| --verbose | Verbose logging |
| --quiet | Suppress non-essential output |
Environment Variables
| Variable | Description |
|---|---|
| REAPER_GATE=INJECT | Enable INJECT-gated phases (Phase 1 exploitation) |
| PRION_LOCAL=true | Enable GPU-accelerated PRION mutation |
| REAPER_KEY=<path> | Path to Ed25519 private key for UNLEASHED |
| REAPER_ROE=<path> | Path to Rules of Engagement file (must contain "authorised") |
ARMORY PRION Integration
v2.1 wires the ARMORY PRION mutation engine directly into the REAPER payload pipeline. When PRION is available, every scan starts with a fresh mutation pass that generates WAF-bypass payload variants tailored to the target. The static 192-payload library becomes a fallback, not the primary source.
2,328 base payloads — 110 categories — 27 mutation techniques
GPU-accelerated via PRION_LOCAL=true (RTX 3090 or equivalent)
Fallback: 192 static payloads when PRION offline or --no-armory set
27 Mutation Techniques
Phase −1: DISCOVERY OPEN
Technology fingerprinting, endpoint enumeration, and API surface discovery. DISCOVERY runs before any probe fires and builds the engagement surface map that every subsequent phase uses.
- Technology fingerprinting — server, framework, CMS, language, and CDN detection via headers, HTML, and JS analysis
- Endpoint enumeration — crawl, sitemap parsing, robots.txt, common path brute-force
- API discovery — OpenAPI/Swagger spec detection, GraphQL introspection, REST pattern inference
- Version detection — version strings from headers, meta tags, JS bundles, and error pages
- Port surface mapping — active port scan for common web service ports
- SSL/TLS analysis — certificate info, cipher suites, protocol version, HSTS, HPKP
- Output — structured discovery.json consumed by Phase 0 SCAN
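An added worked example of the header-and-HTML fingerprinting step, written for this page and not taken from REAPER's own code base: it runs a small rule table over a constructed HTTP response (headers plus a fragment of HTML), pulls a version string from just after each matched token, and emits a discovery.json-shaped dictionary. The rule table, the sample response and the output layout are assumptions; the real DISCOVERY module's schema is not shown on this page.

```python
import json
import re

# Constructed sample response (headers + first bytes of HTML); not captured from a real host.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "PHP/7.4.33",
    "Set-Cookie": "PHPSESSID=abc123; path=/; HttpOnly",
    "CF-RAY": "7a1b2c3d4e5f6789-LHR",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.2.2">
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.4"></script>
</head><body></body></html>"""

# A dotted version string such as 1.18.0 or 6.2.2.
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")

# Hypothetical rule table: (category, name, where to look, regex). Matching is case-insensitive.
RULES = [
    ("server", "nginx", "header:Server", r"^nginx"),
    ("server", "Apache", "header:Server", r"^apache"),
    ("language", "PHP", "header:X-Powered-By", r"php"),
    ("language", "PHP", "header:Set-Cookie", r"PHPSESSID="),
    ("framework", "Django", "header:Set-Cookie", r"csrftoken="),
    ("framework", "Express", "header:X-Powered-By", r"express"),
    ("cdn", "Cloudflare", "header:CF-RAY", r"."),
    ("cms", "WordPress", "html", r'wp-includes/|<meta name="generator" content="WordPress'),
]


def _lookup(headers, html, where):
    """Return the text a rule should be matched against (a header value or the HTML body)."""
    if where == "html":
        return html
    _, _, name = where.partition(":")
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def fingerprint(headers, html):
    """Return one entry per detected (category, name), with version and the evidence locations."""
    found = {}
    for category, name, where, pattern in RULES:
        haystack = _lookup(headers, html, where)
        m = re.search(pattern, haystack, re.IGNORECASE) if haystack else None
        if not m:
            continue
        entry = found.setdefault(
            (category, name),
            {"category": category, "name": name, "version": None, "evidence": []},
        )
        entry["evidence"].append(where)
        if entry["version"] is None:
            # Version strings usually sit right after the product token: "nginx/1.18.0", "WordPress 6.2.2".
            v = VERSION_RE.search(haystack[m.end():m.end() + 32])
            entry["version"] = v.group(1) if v else None
    return list(found.values())


def build_discovery(headers, html):
    """Assemble the discovery.json-style surface map consumed by the next phase."""
    techs = fingerprint(headers, html)
    return {
        "technologies": techs,
        "versions": {t["name"]: t["version"] for t in techs if t["version"]},
        "hsts": any(k.lower() == "strict-transport-security" for k in headers),
    }


if __name__ == "__main__":
    print(json.dumps(build_discovery(SAMPLE_HEADERS, SAMPLE_HTML), indent=2))
```

Versions are taken only from the text immediately following the matched token, so an unrelated version (the jQuery bundle's ?ver=3.6.4 in the sample) is not mis-attributed to the CMS.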
Phase 0: SCAN OPEN
OWASP Top 10 automated scan using the 192-payload static library augmented by PRION mutation. Fires across all endpoints discovered in Phase −1. Every scan class fires across multiple bypass variants by default.
- SQL Injection — union, error-based, boolean blind, time-based; auto-detected backend
- Cross-Site Scripting — reflected, DOM, stored; context-aware (attribute / script / HTML); CSP bypass variants
- Server-Side Request Forgery — internal network probing, cloud metadata (AWS/GCP/Azure), protocol smuggling
- XXE — classic, blind, OOB; SSRF chaining; XML/SVG/DOCX/RSS attack surfaces
- Server-Side Template Injection — Jinja2, Twig, Freemarker, Velocity, Smarty detection with RCE escalation
- Command Injection — OS command injection, blind and time-based detection
- Path Traversal — encoding bypass: double URL, null bytes, UNC paths, PRION filter bypass variants
- API Security — GraphQL introspection and injection, REST IDOR, auth bypass, rate limit detection
- PRION integration — each class fires PRION-mutated variants when PRION is online
- Output — structured scan.json with severity, evidence, and exploit references
Phase 1: EXPLOIT INJECT
Automated exploitation of confirmed scan findings. Requires REAPER_GATE=INJECT. Every exploit is pure Python — no Metasploit modules, no borrowed code.
- Scan-driven exploitation — ingests Phase 0 findings and selects appropriate exploits automatically
- Version-matched targeting — semantic version comparison prevents false positive exploitation
- check_target() — dry-run probe to confirm exploitability before firing
- exploit_target() — execute a confirmed exploit against a specific finding
- auto_exploit() — sequential exploitation of all confirmed findings by severity
- Payload integration — auto-selects appropriate payload type for each exploit class
- Session creation — successful exploits create named sessions for post-exploitation phases
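An added example of the version-matched targeting idea, written for this page rather than taken from REAPER: it parses version strings into comparable tuples (so "4.10.0" sorts after "4.7.2", which a plain string compare gets wrong, and "4.7.2-rc1" sorts below "4.7.2"), checks each finding against an affected range, orders findings by severity, and holds back findings with no version string for a dry-run check instead of selecting them. The range table, the finding records and the function names are assumptions; check_target() and auto_exploit() are only named on the page.

```python
import re

# Constructed data: a hypothetical product and a made-up affected range (not a real advisory).
AFFECTED = [
    {"product": "examplecms", "introduced": "4.0.0", "fixed": "4.7.2"},
]
FINDINGS = [
    {"id": "F-1", "product": "examplecms", "version": "4.7.1", "severity": "high"},
    {"id": "F-2", "product": "examplecms", "version": "4.10.0", "severity": "critical"},
    {"id": "F-3", "product": "examplecms", "version": None, "severity": "medium"},
    {"id": "F-4", "product": "examplecms", "version": "4.7.2-rc1", "severity": "low"},
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(?:[-.]?(rc|beta|alpha)\.?(\d*))?", re.IGNORECASE)


def parse_version(s):
    """Turn '4.10.0', '1.10' or '6.2.2-rc1' into a tuple that compares numerically.

    Missing components are padded with zeros (1.10 -> 1.10.0). A release ends in (1, 0) and a
    pre-release in (0, n), so 6.2.2-rc1 < 6.2.2 while 6.2.2 < 6.2.3.
    """
    m = _VERSION_RE.match(s)
    if not m:
        raise ValueError(f"not a version string: {s!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    if m.group(2):
        return nums + (0, int(m.group(3) or 0))
    return nums + (1, 0)


def is_affected(detected, rng):
    """True when introduced <= detected < fixed."""
    v = parse_version(detected)
    return parse_version(rng["introduced"]) <= v < parse_version(rng["fixed"])


def select_targets(findings, ranges):
    """Decide, per finding, whether it is selected, deferred (no version: needs a dry-run check) or skipped.

    Findings are processed in severity order, mirroring sequential exploitation by severity.
    """
    result = {"selected": [], "deferred": [], "skipped": []}
    for f in sorted(findings, key=lambda f: SEVERITY_RANK.get(f["severity"], 99)):
        matching = [r for r in ranges if r["product"].lower() == f["product"].lower()]
        if not f.get("version"):
            result["deferred"].append(f["id"])
        elif any(is_affected(f["version"], r) for r in matching):
            result["selected"].append(f["id"])
        else:
            result["skipped"].append(f["id"])
    return result


if __name__ == "__main__":
    print(select_targets(FINDINGS, AFFECTED))
```

The deferred bucket is the point of the design: a finding whose version could not be read is neither fired blindly nor silently dropped, it goes to a confirmation probe first.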
Phase 2: PAYLOAD UNLEASHED
Custom payload generation for confirmed access vectors. Requires UNLEASHED gate. Supports multiple payload types and output formats.
- PayloadType — reverse_shell, bind_shell, stager, beacon, download_exec, inject
- PayloadFormat — python, elf, pe, dll, powershell, shellcode, raw
- generate() — build a payload with specified type, format, and connection parameters
- generate_implant() — full-featured implant with C2 callback, evasion, and persistence
- Encoding — base64, XOR, AES-256 payload encryption
- Platform targeting — Linux x64, Windows x64, cross-platform Python
- Ed25519-signed manifest — every generated payload carries a signed delivery manifest
Phase 3: C2 UNLEASHED
Command and control listeners. Multi-protocol with AES-256-GCM encrypted sessions. Handles implant callbacks, task distribution, and result collection.
- Protocols — HTTP, HTTPS, DNS, TCP raw, WebSocket
- AES-256-GCM encryption on all C2 channels
- Session management — unique session IDs, heartbeat tracking, auto-cleanup
- Task queue — distribute commands to implants, collect results async
- Multi-listener — run multiple protocols simultaneously
- Jitter & sleep — configurable callback intervals with randomisation
Phase 4: IMPLANT UNLEASHED
Agent deployment to compromised targets. Full-featured and minimal variants. Persistent callback with jitter and beacon randomisation.
- Full variant — all 10 capabilities, C2 integration, persistence, evasion, ~45KB
- Minimal variant — command execution, file transfer, basic recon, ~8KB
- 10 capabilities — command execution, file upload/download, screenshot, keylogger, process list, network recon, registry access, privilege check, self-destruct, update
- Deployment modes — drop, inject, fileless, staged download
- Self-update — pull new capabilities from C2 without reinstall
Phase 5: PRIVESC OPEN
Privilege escalation enumeration and exploitation. GTFOBins integration, Linux kernel checks, and Windows LOLBAS techniques. Enumeration is OPEN gate; exploitation requires an active UNLEASHED session.
- GTFOBins (20) — SUID/sudo binary exploits: vim, find, python, nmap, awk, less, more, tar, zip, git, docker, and others
- Linux checks (15) — writable /etc/passwd, SUID binaries, cron jobs, sudo misconfigs, capability abuse, kernel exploits, NFS no_root_squash, writable PATH, Docker socket, wildcard injection
- LOLBAS (10) — Windows binaries: certutil, mshta, regsvr32, rundll32, bitsadmin, and others
- enumerate() — scan for all known escalation vectors
- suggest() — rank vectors by success probability and stealth
Phase 6: LATERAL UNLEASHED
Lateral movement across adjacent hosts via SSH and SMB. Credential reuse, port forwarding, and SOCKS proxy for pivoting.
- SSH movement — key-based and password auth, command execution, file transfer
- SMB movement — share enumeration, file upload, remote execution via WMI/PsExec
- Port forwarding — local and remote tunnels through compromised hosts
- SOCKS proxy — dynamic port forwarding for full network access through pivot
- Credential reuse — spray harvested credentials across discovered hosts
- Network mapping — discover adjacent hosts and subnets from pivot position
Phase 7: PERSIST UNLEASHED
Persistence installation across Linux and Windows with stealth ratings. Install, verify, and remove mechanisms. Every method rated for detection risk.
- 10 Linux methods — crontab, systemd service, .bashrc/.profile, init.d, at job, SSH authorized_keys, LD_PRELOAD, udev rules, XDG autostart, PAM backdoor
- 8 Windows methods — Registry Run keys, Scheduled Tasks, Startup folder, WMI event subscription, DLL search order hijacking, COM object hijacking, Service creation, Bootkit
- install() / verify() / remove() — full lifecycle management
- Stealth ratings — LOW / MEDIUM / HIGH detection risk per method
| Platform | Method | Stealth |
|---|---|---|
| Linux | crontab | MEDIUM |
| Linux | systemd service | MEDIUM |
| Linux | .bashrc/.profile | LOW |
| Linux | SSH authorized_keys | LOW |
| Linux | LD_PRELOAD | HIGH |
| Linux | PAM backdoor | HIGH |
| Windows | Registry Run keys | LOW |
| Windows | Scheduled Tasks | MEDIUM |
| Windows | WMI event subscription | HIGH |
| Windows | COM object hijacking | HIGH |
Phase 8: HARVEST OPEN
Credential extraction and secrets harvesting. 35 Linux and 10 Windows credential paths. 25 regex-based secret patterns for configuration files.
- 35 Linux paths — /etc/shadow, .ssh/, .gnupg/, browser profiles, .bash_history, .env files, database configs, application credentials, keyrings, cloud CLI configs
- 10 Windows paths — SAM, SYSTEM, NTDS.dit, LSA secrets, credential vaults, browser stores, RDP saved creds, WiFi profiles, registry secrets, cached domain creds
- 25 secret patterns — API keys, tokens, passwords, private keys, connection strings, AWS/GCP/Azure secrets, JWT tokens, database URIs
- Shadow extraction — /etc/shadow parse with hash type identification (MD5/SHA-256/SHA-512/bcrypt/yescrypt)
- Browser credential extraction — Chrome, Firefox, Edge stored passwords and cookies
- Output — structured JSON with credential type, source, and confidence
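An added example covering the two HARVEST outputs described above, shadow hash type identification and regex-based secret patterns, written for this page and not taken from REAPER's 35-path or 25-pattern databases. It classifies the hash algorithm of each shadow entry by its $id$ prefix (flagging MD5-crypt as weak), runs a small pattern table over a constructed .env-style file, and emits the structured record shape the section describes (type, source, confidence). Matched secret values are redacted in the output so a findings file does not itself become a credential store. The sample inputs are constructed, and the pattern table and record fields are assumptions.

```python
import json
import re

# Constructed sample inputs (not from any real host); realistic in shape only.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$QWERTYUIOPasdfghjklzxcvbnm0123456789abcdefghijklmnopqrstuvwxyz.012345:19700:0:99999:7:::
legacy:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTU/:19700:0:99999:7:::
svc:$y$j9T$saltsaltsaltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHI:19700:0:99999:7:::
nologin:*:19700:0:99999:7:::
locked:!:19700:0:99999:7:::
"""
SAMPLE_CONFIG = """\
DATABASE_URL=postgres://app:s3cretpass@db.internal:5432/app
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
SESSION_TOKEN=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abcdefghijklmnopqrstuvwxyz012345
# comment only
-----BEGIN OPENSSH PRIVATE KEY-----
"""

# crypt(3) identifiers -> algorithm name. MD5-crypt is the only one treated as weak here.
HASH_PREFIXES = [
    ("$1$", "MD5-crypt"), ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$5$", "SHA-256-crypt"), ("$6$", "SHA-512-crypt"), ("$y$", "yescrypt"),
]
WEAK_ALGORITHMS = {"MD5-crypt"}

# Hypothetical pattern table: (type, regex, confidence). Group 1, when present, is the secret itself.
SECRET_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"), "high"),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"), "medium"),
    ("database-uri", re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s]+:([^@\s]+)@\S+"), "high"),
    ("password-assignment", re.compile(r"""(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['"]?([^'"\s]{6,})"""), "low"),
]


def identify_hash(field):
    """Name the crypt algorithm of a shadow password field, or 'locked-or-none' for *, ! and empty."""
    if field == "" or field == "*" or field.startswith("!"):
        return "locked-or-none"
    for prefix, name in HASH_PREFIXES:
        if field.startswith(prefix):
            return name
    return "unknown"


def parse_shadow(text, source="/etc/shadow"):
    """One record per account that actually has a password hash; the hash itself is never copied out."""
    records = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue
        algorithm = identify_hash(parts[1])
        if algorithm == "locked-or-none":
            continue
        records.append({"type": "password-hash", "subject": parts[0], "algorithm": algorithm,
                        "source": source, "confidence": "high", "weak": algorithm in WEAK_ALGORITHMS})
    return records


def redact(secret):
    return secret[:4] + "*" * (len(secret) - 4) if len(secret) > 4 else "*" * len(secret)


def scan_config(text, source):
    """Apply every secret pattern to every line; report type, source:line, confidence and a redacted value."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx, confidence in SECRET_PATTERNS:
            for m in rx.finditer(line):
                secret = m.group(1) if m.lastindex else m.group(0)
                records.append({"type": kind, "source": f"{source}:{lineno}",
                                "confidence": confidence, "evidence": redact(secret)})
    return records


def harvest_report(shadow_text, config_text, config_source="constructed.env"):
    return {"credentials": parse_shadow(shadow_text), "secrets": scan_config(config_text, config_source)}


if __name__ == "__main__":
    print(json.dumps(harvest_report(SAMPLE_SHADOW, SAMPLE_CONFIG), indent=2))
```

From a defender's side the same two routines serve as an audit: accounts still on MD5-crypt and plaintext connection strings in deployment files are findings whether or not an engagement is running.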
Phase 9: EVASION UNLEASHED
Payload obfuscation and evasion pipeline. 14 techniques with chainable API. Polymorphic engine generates unique variants on every build. Anti-analysis capabilities detect sandboxes and debuggers.
- 14 techniques — string obfuscation, control flow flattening, dead code injection, variable renaming, XOR encoding, AES encryption, base64 layering, process hollowing, DLL sideloading, timestomping, log clearing, AMSI bypass, ETW patching, syscall unhooking
- Pipeline API — chain techniques: pipeline([obfuscate, encrypt, inject_dead_code])
- Polymorphic engine — structurally unique payload variants with identical functionality
- Anti-analysis — VM detection, sandbox detection, debugger detection, timing checks
- PRION integration — PRION-mutated delivery chains for WAF and AV bypass
AI Mode
Optional GPU-accelerated analysis via Ollama. When --ai-mode is set, REAPER feeds scan findings into a local reasoning model for context-aware triage, payload selection, and multi-step attack chain planning. No data leaves the network.
UNLEASHED Protocol
Three-tier cryptographic gating for destructive operations. Dry-run is the default. Live execution requires Ed25519 key authentication, a signed Rules of Engagement file, and the --confirm-destroy flag.
Gate Tiers
| Gate | Phases | Requirement |
|---|---|---|
| OPEN | −1, 0, 5, 8 | No restriction. Discovery, scanning, privesc enumeration, harvesting. |
| INJECT | 1 | REAPER_GATE=INJECT environment variable. |
| UNLEASHED | 2, 3, 4, 6, 7, 9 | Ed25519 key + ROE file containing “authorised” + --unleashed --confirm-destroy |
Standard vs UNLEASHED
| Capability | Standard / OPEN | UNLEASHED |
|---|---|---|
| Scanning | Full — no restriction | Full — no restriction |
| Exploitation | Check only (INJECT: live) | Live exploit execution |
| Payload delivery | Simulated | Real payload deployment |
| C2 channels | Disabled | Active C2 with encryption |
| Persistence | Report only | Live installation |
| Credential harvest | Path enumeration | Full extraction |
| Lateral movement | Discovery only | Active pivoting |
| Evasion | Analysis only | Live evasion pipeline |
Key Setup
UNLEASHED is restricted to authorised operators with Ed25519 key access. Live execution against any target must only occur in authorised test environments with explicit written permission from the system owner. Unauthorised use of UNLEASHED constitutes illegal access under applicable law.
WRAITH Integration
REAPER ingests WRAITH reconnaissance reports via --wraith-report. WRAITH discovers. REAPER exploits. The handoff is seamless — WRAITH findings feed directly into Phase −1 DISCOVERY, eliminating duplicate scanning.
API Reference
Key classes and methods for programmatic use. Import from red_specter_reaper.
ScanEngine
PrionClient
ExploitEngine
EvasionPipeline
Signature Database
REAPER ships with offline databases for scanning, privilege escalation, and credential harvesting. No API calls. No external lookups at scan time.
Payload Library (192 static)
GTFOBins (20 binaries)
| Binary | Vector | Method |
|---|---|---|
| vim | SUID / sudo | Shell escape via :!sh |
| find | SUID / sudo | -exec /bin/sh |
| python | SUID / sudo | os.system() shell spawn |
| nmap | SUID / sudo | --interactive or --script |
| awk | SUID / sudo | system() call |
| less | SUID / sudo | !sh from pager |
| tar | SUID / sudo / wildcard | --checkpoint-action |
| zip | SUID / sudo | -T -TT shell command |
| git | SUID / sudo | Pager shell escape |
| docker | Group membership | Mount host filesystem |
Secret Patterns (25 regex)
Disclaimer
REAPER is for authorised security testing, red team operations, and educational purposes only. You must have explicit written permission from the system owner before running any REAPER phase against a target. Post-exploitation operations carry significant risks including service disruption, data exposure, and persistent access to compromised systems. REAPER must only be used against systems you are authorised to test. Unauthorised use may violate the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), or equivalent legislation in your jurisdiction. Red Specter Security Research Ltd accepts no liability for misuse.