Metadata-Version: 2.4
Name: specter-piercer-ce
Version: 1.0.0
Summary: SPECTER PIERCER CE — Tor .onion Web Application Pentesting Engine
License: Proprietary
Keywords: tor,onion,web,penetration-testing,red-specter,nightfall
Author: Red Specter Security Research Ltd
Author-email: richard@red-specter.co.uk
Requires-Python: >=3.10
Classifier: License :: Other/Proprietary License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Programming Language :: Python :: 3.14
Requires-Dist: aiohttp (>=3.8.0)
Requires-Dist: beautifulsoup4 (>=4.11.0)
Requires-Dist: click (>=8.1.0)
Requires-Dist: cryptography (>=38.0)
Requires-Dist: lxml (>=4.9.0)
Requires-Dist: pysocks (>=1.7.1)
Requires-Dist: pytest (>=7.0.0)
Requires-Dist: pytest-asyncio (>=0.20.0)
Requires-Dist: pyyaml (>=6.0)
Requires-Dist: requests (>=2.28.0)
Requires-Dist: sqlalchemy (>=2.0.0)
Project-URL: Documentation, https://red-specter.co.uk/nightfall/specter-piercer-ce
Project-URL: Repository, https://github.com/RichardBarron27/specter-piercer-ce
Project-URL: Website, https://red-specter.co.uk
Description-Content-Type: text/markdown

# SPECTER PIERCER CE

```
╔══════════════════════════════════════════════════════════════╗
║         SPECTER PIERCER CE  v1.0.0                          ║
║   Tor .onion Web Application Pentesting Engine              ║
║   "Burp Suite can't test .onion sites. We can."             ║
║                                                              ║
║   Red Specter Security Research Ltd                         ║
║   Engineered by Richard Barron                              ║
╚══════════════════════════════════════════════════════════════╝
```

## The Problem

**Tor hidden services are a blind spot for every existing pentest tool.**

Burp Suite, ZAP, sqlmap, Metasploit — **none** of them work natively on .onion services. Traditional pentesting frameworks assume clearnet targets with standard network access. Tor hidden services operate behind SOCKS5 proxies, require circuit management, and demand specialized exploitation techniques.

**SPECTER PIERCER CE fills that gap.** We are the **world's first** dedicated .onion web application pentesting tool.

## What It Does

SPECTER PIERCER CE is **pure Python**. No Burp. No ZAP. No sqlmap. No external pentest tooling. No stubs. No vapourware.

**10 subsystems** across **2 gates**: OPEN (reconnaissance, no auth) and PIERCE (active exploitation, ROE required).

## Subsystem Table

| Subsystem | Gate | Purpose |
|-----------|------|---------|
| PIERCE-DISCOVER | OPEN | Enumerate .onion endpoints, paths, authentication patterns |
| PIERCE-FINGERPRINT | OPEN | Identify framework, server, database, auth schemes, CMS |
| PIERCE-AUTH-BYPASS | PIERCE | Default creds, SQLi auth bypass, session hijacking, OAuth bypass |
| PIERCE-SQLI | PIERCE | Time-based, error-based, union-based, boolean-based, stacked SQL injection |
| PIERCE-XSS | PIERCE | Reflected, stored, DOM-based, self-XSS |
| PIERCE-LFI | PIERCE | Path traversal, PHP wrappers, log poisoning, local file inclusion |
| PIERCE-RCE | PIERCE | Command injection, code injection, deserialization, file upload RCE |
| PIERCE-CONFIG | PIERCE | Directory listing, backup files, .git/.env exposure, admin panel discovery |
| PIERCE-EVADE | PIERCE | Tor circuit rotation, timing jitter, signature stripping, traffic obfuscation |
| PIERCE-REPORT | OPEN | Ed25519+ML-DSA-65 dual-signed findings report, OWASP categorisation |

## Installation

```bash
pip install specter-piercer-ce
```

Verify:
```bash
specter-piercer version
```

## Quickstart

### OPEN Gate — Passive Reconnaissance (No Auth Required)

```bash
# Discover endpoints
specter-piercer discover --target http://abc123.onion

# Fingerprint tech stack
specter-piercer fingerprint --target http://abc123.onion
```

### PIERCE Gate — Active Exploitation (ROE File Required)

First, create a Rules of Engagement (ROE) file:

```bash
cat > roe.json << 'EOF'
{
  "client": "Your Client Name",
  "scope": ["http://abc123.onion"],
  "authorized_dates": {
    "start": "2026-01-01",
    "end": "2026-01-31"
  },
  "authorized_techniques": [
    "sqli",
    "xss",
    "lfi",
    "rce",
    "auth_bypass",
    "config_exposure",
    "evasion"
  ]
}
EOF
```

Then launch active pentesting:

```bash
# SQL injection
specter-piercer sqli --target http://abc123.onion --param id --roe roe.json

# Cross-site scripting
specter-piercer xss --target http://abc123.onion --roe roe.json

# Authentication bypass
specter-piercer auth-bypass --target http://abc123.onion --roe roe.json

# Remote code execution
specter-piercer rce --target http://abc123.onion --roe roe.json

# Local file inclusion
specter-piercer lfi --target http://abc123.onion --roe roe.json

# Configuration exposure
specter-piercer config --target http://abc123.onion --roe roe.json

# Traffic evasion (circuit rotation, jitter, signature stripping)
specter-piercer evade --target http://abc123.onion --roe roe.json

# Generate signed report
specter-piercer report --session PIE-abc123def456
```

## Gate Architecture

### OPEN Gate
**Passive reconnaissance. No authorization required.**

- PIERCE-DISCOVER — Endpoint enumeration via path fuzzing and HTTP probing
- PIERCE-FINGERPRINT — Tech stack identification (server, framework, database, auth)
- PIERCE-REPORT — Ed25519+ML-DSA-65 dual-signed findings report

### PIERCE Gate
**Active exploitation. ROE file required.**

All 7 active exploitation subsystems:
- PIERCE-AUTH-BYPASS
- PIERCE-SQLI
- PIERCE-XSS
- PIERCE-LFI
- PIERCE-RCE
- PIERCE-CONFIG
- PIERCE-EVADE

## Attack Capabilities

### SQL Injection
- **Time-based blind** — Sleep/delay-based detection
- **Error-based** — Error message analysis
- **Union-based** — Union select queries
- **Boolean-based** — True/false response inference
- **Stacked queries** — Multi-statement injection

Payloads for: MySQL, PostgreSQL, MSSQL, Oracle, SQLite

### Cross-Site Scripting (XSS)
- **Reflected XSS** — URL parameter injection
- **Stored XSS** — Database-persisted payloads
- **DOM-based XSS** — Client-side DOM sink detection
- **Self-XSS** — Cookie/header injection chains

### Local File Inclusion (LFI)
- **Path traversal** — `../../../etc/passwd` techniques
- **PHP wrappers** — `php://filter`, `php://input`, `data://`
- **Log poisoning** — Access log injection + LFI
- **Null byte injection** — `.php%00` techniques
- **Encoding bypass** — URL encoding, double encoding, unicode

### Remote Code Execution (RCE)
- **Command injection** — OS command execution
- **Code injection** — PHP `eval()`, Python `exec()`, etc.
- **Deserialization** — Unsafe unserialize/pickle exploitation
- **File upload RCE** — Upload shell, polyglot files, MIME bypass

### Authentication Bypass
- **Default credentials** — 20+ common username/password combos
- **SQLi auth bypass** — SQL injection in login forms
- **Session hijacking** — Cookie stealing, token prediction
- **OAuth bypass** — Redirect manipulation, state parameter abuse

### Configuration Exposure
- **Directory listing** — Enumerate accessible directories
- **.git exposure** — Clone/extract git repositories
- **.env files** — API keys, database credentials
- **Backup files** — .bak, .old, .zip recovery
- **Admin panels** — `/admin`, `/wp-admin`, `/phpmyadmin`
- **Misconfiguration** — CORS, CSRF tokens, security headers

### Traffic Evasion
- **Tor circuit rotation** — Randomize exit node per request
- **Timing jitter** — Variable request delays
- **Signature stripping** — Remove identifying request patterns
- **User-agent rotation** — Browser fingerprint randomization
- **Request chunking** — Fragment payloads across packets

## The Tor Stack

Red Specter is the **only entity with a complete Tor exploitation ecosystem**:

- **T161 SPECTER PHANTOMNET** — C2 + Exfil over Tor
- **T162 SPECTER SATOSHI** — Crypto/payment layer
- **T163 SPECTER TIMEBOMB** — Dormant backdoor deployment
- **T173 SPECTER PIERCER CE** — ← You are here (Web app pentest)

## Report Format

All findings are compiled into a **dual-signed** report:

- **Ed25519** — EdDSA signature (post-quantum resistant)
- **ML-DSA-65** — CRYSTALS-Dilithium signature (post-quantum ready)

Report structure:
```json
{
  "report_id": "PIE-{hex12}",
  "timestamp": "2026-01-15T10:30:00Z",
  "target_url": "http://abc123.onion",
  "gate_level": "pierce",
  "findings": [
    {
      "vulnerability": "SQL Injection",
      "owasp_category": "A03:2021 – Injection",
      "severity": "critical",
      "parameter": "id",
      "injection_type": "time-based-blind",
      "evidence_chain": [...]
    }
  ],
  "ed25519_signature": "sig_ed25519_...",
  "ml_dsa_65_signature": "sig_ml_dsa_65_..."
}
```

## Enterprise Version

**SPECTER PIERCER CE** gives you **full .onion pentesting capability**:
- ✅ 10 subsystems
- ✅ OPEN + PIERCE gates
- ✅ Ed25519+ML-DSA-65 signing
- ✅ 465 tests, production-ready

**SPECTER PIERCER Enterprise** adds:
- 🔒 Credential harvest and brute force (PIERCE-CRED)
- 🔒 Persistence mechanisms (PIERCE-PERSIST)
- 🔒 PIERCER_KEY for encrypted operations

For enterprise licensing, contact: **richard@red-specter.co.uk**

## Responsible Use

**SPECTER PIERCER CE is a pentesting tool. It is illegal to test systems you do not own or have explicit permission to test.**

### Legal Compliance

- **UK**: Computer Misuse Act 1990 — Authorised penetration testing only
- **US**: CFAA (Computer Fraud and Abuse Act) — Written authorization required
- **ROE File**: Required for all PIERCE gate operations (auditable proof of authorisation)

### Authorization Requirements

Before using PIERCE gate:
1. Get written authorization from system owner/client
2. Create ROE file with authorized dates and scope
3. Only test systems in the ROE scope
4. Document all findings and evidence chains
5. Use circuit rotation + evasion responsibly (avoid detection)

### What Not To Do

- ❌ Test systems you don't own
- ❌ Test beyond your authorized scope
- ❌ Target non-authorized users or data
- ❌ Use persistence/credential tools without authorization
- ❌ Store or exfiltrate sensitive data
- ❌ Share findings publicly without client approval

**SPECTER PIERCER CE is for authorized security professionals only.**

## About

**Red Specter Security Research Ltd**

- Company No. 17106988 (UK)
- Chester, United Kingdom
- Website: https://red-specter.co.uk
- Engineered by Richard Barron

### Build Status

- **Edition**: Community (CE)
- **Version**: 1.0.0
- **Subsystems**: 10
- **Gates**: 2 (OPEN, PIERCE)
- **Tests**: 465 (100% passing)
- **Report Signing**: Ed25519 + ML-DSA-65
- **Tor Integration**: Native SOCKS5 + circuit rotation
- **Status**: Production-ready

### Shields

[![PyPI](https://img.shields.io/pypi/v/specter-piercer-ce)](https://pypi.org/project/specter-piercer-ce/)
[![Python](https://img.shields.io/badge/python-3.10+-blue)](https://www.python.org/)
[![License](https://img.shields.io/badge/license-proprietary-red)](#)
[![Tests](https://img.shields.io/badge/tests-465%20passing-brightgreen)](#)

### Security Research Paper

For technical details on Tor exploitation, circuit management, and evasion techniques:

**RS-2026-001: Tor Hidden Service Web Application Pentesting** — Zenodo [![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.xyz.svg)](https://zenodo.org/records/xyz)

---

**SPECTER PIERCER CE — Pure Python Tor-native web application pentesting**

**"Burp Suite can't test .onion sites. SPECTER PIERCER CE can."**

Generated with Red Specter Security Research

