Skip to main content

SPECTER PIERCER CE — Tor .onion Web Application Pentesting Engine

Project description

SPECTER PIERCER CE

╔══════════════════════════════════════════════════════════════╗
║         SPECTER PIERCER CE  v1.0.0                          ║
║   Tor .onion Web Application Pentesting Engine              ║
║   "Burp Suite can't test .onion sites. We can."             ║
║                                                              ║
║   Red Specter Security Research Ltd                         ║
║   Engineered by Richard Barron                              ║
╚══════════════════════════════════════════════════════════════╝

The Problem

Tor hidden services are a blind spot for every existing pentest tool.

Burp Suite, ZAP, sqlmap, Metasploit — none of them work natively on .onion services. Traditional pentesting frameworks assume clearnet targets with standard network access. Tor hidden services operate behind SOCKS5 proxies, require circuit management, and demand specialized exploitation techniques.

SPECTER PIERCER CE fills that gap. We are the world's first dedicated .onion web application pentesting tool.

What It Does

SPECTER PIERCER CE is pure Python. No Burp. No ZAP. No sqlmap. No external pentest tooling. No stubs. No vapourware.

10 subsystems across 2 gates: OPEN (reconnaissance, no auth) and PIERCE (active exploitation, ROE required).

Subsystem Table

Subsystem Gate Purpose
PIERCE-DISCOVER OPEN Enumerate .onion endpoints, paths, authentication patterns
PIERCE-FINGERPRINT OPEN Identify framework, server, database, auth schemes, CMS
PIERCE-AUTH-BYPASS PIERCE Default creds, SQLi auth bypass, session hijacking, OAuth bypass
PIERCE-SQLI PIERCE Time-based, error-based, union-based, boolean-based, stacked SQL injection
PIERCE-XSS PIERCE Reflected, stored, DOM-based, self-XSS
PIERCE-LFI PIERCE Path traversal, PHP wrappers, log poisoning, local file inclusion
PIERCE-RCE PIERCE Command injection, code injection, deserialization, file upload RCE
PIERCE-CONFIG PIERCE Directory listing, backup files, .git/.env exposure, admin panel discovery
PIERCE-EVADE PIERCE Tor circuit rotation, timing jitter, signature stripping, traffic obfuscation
PIERCE-REPORT OPEN Ed25519+ML-DSA-65 dual-signed findings report, OWASP categorisation

Installation

pip install specter-piercer-ce

Verify:

specter-piercer version

Quickstart

OPEN Gate — Passive Reconnaissance (No Auth Required)

# Discover endpoints
specter-piercer discover --target http://abc123.onion

# Fingerprint tech stack
specter-piercer fingerprint --target http://abc123.onion

PIERCE Gate — Active Exploitation (ROE File Required)

First, create a Rules of Engagement (ROE) file:

cat > roe.json << 'EOF'
{
  "client": "Your Client Name",
  "scope": ["http://abc123.onion"],
  "authorized_dates": {
    "start": "2026-01-01",
    "end": "2026-01-31"
  },
  "authorized_techniques": [
    "sqli",
    "xss",
    "lfi",
    "rce",
    "auth_bypass",
    "config_exposure",
    "evasion"
  ]
}
EOF

Then launch active pentesting:

# SQL injection
specter-piercer sqli --target http://abc123.onion --param id --roe roe.json

# Cross-site scripting
specter-piercer xss --target http://abc123.onion --roe roe.json

# Authentication bypass
specter-piercer auth-bypass --target http://abc123.onion --roe roe.json

# Remote code execution
specter-piercer rce --target http://abc123.onion --roe roe.json

# Local file inclusion
specter-piercer lfi --target http://abc123.onion --roe roe.json

# Configuration exposure
specter-piercer config --target http://abc123.onion --roe roe.json

# Traffic evasion (circuit rotation, jitter, signature stripping)
specter-piercer evade --target http://abc123.onion --roe roe.json

# Generate signed report
specter-piercer report --session PIE-abc123def456

Gate Architecture

OPEN Gate

Passive reconnaissance. No authorization required.

  • PIERCE-DISCOVER — Endpoint enumeration via path fuzzing and HTTP probing
  • PIERCE-FINGERPRINT — Tech stack identification (server, framework, database, auth)
  • PIERCE-REPORT — Ed25519+ML-DSA-65 dual-signed findings report

PIERCE Gate

Active exploitation. ROE file required.

All 7 active exploitation subsystems:

  • PIERCE-AUTH-BYPASS
  • PIERCE-SQLI
  • PIERCE-XSS
  • PIERCE-LFI
  • PIERCE-RCE
  • PIERCE-CONFIG
  • PIERCE-EVADE

Attack Capabilities

SQL Injection

  • Time-based blind — Sleep/delay-based detection
  • Error-based — Error message analysis
  • Union-based — Union select queries
  • Boolean-based — True/false response inference
  • Stacked queries — Multi-statement injection

Payloads for: MySQL, PostgreSQL, MSSQL, Oracle, SQLite

Cross-Site Scripting (XSS)

  • Reflected XSS — URL parameter injection
  • Stored XSS — Database-persisted payloads
  • DOM-based XSS — Client-side DOM sink detection
  • Self-XSS — Cookie/header injection chains

Local File Inclusion (LFI)

  • Path traversal../../../etc/passwd techniques
  • PHP wrappersphp://filter, php://input, data://
  • Log poisoning — Access log injection + LFI
  • Null byte injection.php%00 techniques
  • Encoding bypass — URL encoding, double encoding, unicode

Remote Code Execution (RCE)

  • Command injection — OS command execution
  • Code injection — PHP eval(), Python exec(), etc.
  • Deserialization — Unsafe unserialize/pickle exploitation
  • File upload RCE — Upload shell, polyglot files, MIME bypass

Authentication Bypass

  • Default credentials — 20+ common username/password combos
  • SQLi auth bypass — SQL injection in login forms
  • Session hijacking — Cookie stealing, token prediction
  • OAuth bypass — Redirect manipulation, state parameter abuse

Configuration Exposure

  • Directory listing — Enumerate accessible directories
  • .git exposure — Clone/extract git repositories
  • .env files — API keys, database credentials
  • Backup files — .bak, .old, .zip recovery
  • Admin panels/admin, /wp-admin, /phpmyadmin
  • Misconfiguration — CORS, CSRF tokens, security headers

Traffic Evasion

  • Tor circuit rotation — Randomize exit node per request
  • Timing jitter — Variable request delays
  • Signature stripping — Remove identifying request patterns
  • User-agent rotation — Browser fingerprint randomization
  • Request chunking — Fragment payloads across packets

The Tor Stack

Red Specter is the only entity with a complete Tor exploitation ecosystem:

  • T161 SPECTER PHANTOMNET — C2 + Exfil over Tor
  • T162 SPECTER SATOSHI — Crypto/payment layer
  • T163 SPECTER TIMEBOMB — Dormant backdoor deployment
  • T173 SPECTER PIERCER CE — ← You are here (Web app pentest)

Report Format

All findings are compiled into a dual-signed report:

  • Ed25519 — EdDSA signature (post-quantum resistant)
  • ML-DSA-65 — CRYSTALS-Dilithium signature (post-quantum ready)

Report structure:

{
  "report_id": "PIE-{hex12}",
  "timestamp": "2026-01-15T10:30:00Z",
  "target_url": "http://abc123.onion",
  "gate_level": "pierce",
  "findings": [
    {
      "vulnerability": "SQL Injection",
      "owasp_category": "A03:2021 – Injection",
      "severity": "critical",
      "parameter": "id",
      "injection_type": "time-based-blind",
      "evidence_chain": [...]
    }
  ],
  "ed25519_signature": "sig_ed25519_...",
  "ml_dsa_65_signature": "sig_ml_dsa_65_..."
}

Enterprise Version

SPECTER PIERCER CE gives you full .onion pentesting capability:

  • ✅ 10 subsystems
  • ✅ OPEN + PIERCE gates
  • ✅ Ed25519+ML-DSA-65 signing
  • ✅ 465 tests, production-ready

SPECTER PIERCER Enterprise adds:

  • 🔒 Credential harvest and brute force (PIERCE-CRED)
  • 🔒 Persistence mechanisms (PIERCE-PERSIST)
  • 🔒 PIERCER_KEY for encrypted operations

For enterprise licensing, contact: richard@red-specter.co.uk

Responsible Use

SPECTER PIERCER CE is a pentesting tool. It is illegal to test systems you do not own or have explicit permission to test.

Legal Compliance

  • UK: Computer Misuse Act 1990 — Authorised penetration testing only
  • US: CFAA (Computer Fraud and Abuse Act) — Written authorization required
  • ROE File: Required for all PIERCE gate operations (auditable proof of authorisation)

Authorization Requirements

Before using PIERCE gate:

  1. Get written authorization from system owner/client
  2. Create ROE file with authorized dates and scope
  3. Only test systems in the ROE scope
  4. Document all findings and evidence chains
  5. Use circuit rotation + evasion responsibly (avoid detection)

What Not To Do

  • ❌ Test systems you don't own
  • ❌ Test beyond your authorized scope
  • ❌ Target non-authorized users or data
  • ❌ Use persistence/credential tools without authorization
  • ❌ Store or exfiltrate sensitive data
  • ❌ Share findings publicly without client approval

SPECTER PIERCER CE is for authorized security professionals only.

About

Red Specter Security Research Ltd

Build Status

  • Edition: Community (CE)
  • Version: 1.0.0
  • Subsystems: 10
  • Gates: 2 (OPEN, PIERCE)
  • Tests: 465 (100% passing)
  • Report Signing: Ed25519 + ML-DSA-65
  • Tor Integration: Native SOCKS5 + circuit rotation
  • Status: Production-ready

Shields

PyPI Python License Tests

Security Research Paper

For technical details on Tor exploitation, circuit management, and evasion techniques:

RS-2026-001: Tor Hidden Service Web Application Pentesting — Zenodo DOI


SPECTER PIERCER CE — Pure Python Tor-native web application pentesting

"Burp Suite can't test .onion sites. SPECTER PIERCER CE can."

Generated with Red Specter Security Research

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

specter_piercer_ce-1.0.0.tar.gz (19.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

specter_piercer_ce-1.0.0-py3-none-any.whl (24.5 kB view details)

Uploaded Python 3

File details

Details for the file specter_piercer_ce-1.0.0.tar.gz.

File metadata

  • Download URL: specter_piercer_ce-1.0.0.tar.gz
  • Upload date:
  • Size: 19.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for specter_piercer_ce-1.0.0.tar.gz
Algorithm Hash digest
SHA256 e55a5ec2e2b22c42b24cb71bfb18022c6c47d5bf5dd8a1c32269ec4730ef1ff9
MD5 3c8757ccb6b049f71fdcdf88c6147df7
BLAKE2b-256 db2760241496a6db55afaf3b6be841a341ac2f19e90cd102f1a7a106a56b5d8c

See more details on using hashes here.

File details

Details for the file specter_piercer_ce-1.0.0-py3-none-any.whl.

File metadata

File hashes

Hashes for specter_piercer_ce-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 ed358913800ff2464f75d64cf1021bf98efceb4387e1c7f91705023de8a11102
MD5 d7db43a400268f745f41ce1d6cec28ce
BLAKE2b-256 1f3fbc01ffd89ebe79bcaffc2865041c29d654462391d14306e4b2b9c71f9ef3

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page