SPECTER PIERCER CE — Tor .onion Web Application Pentesting Engine
Project description
SPECTER PIERCER CE
╔══════════════════════════════════════════════════════════════╗
║ SPECTER PIERCER CE v1.0.0 ║
║ Tor .onion Web Application Pentesting Engine ║
║ "Burp Suite can't test .onion sites. We can." ║
║ ║
║ Red Specter Security Research Ltd ║
║ Engineered by Richard Barron ║
╚══════════════════════════════════════════════════════════════╝
The Problem
Tor hidden services are a blind spot for every existing pentest tool.
Burp Suite, ZAP, sqlmap, Metasploit — none of them work natively on .onion services. Traditional pentesting frameworks assume clearnet targets with standard network access. Tor hidden services operate behind SOCKS5 proxies, require circuit management, and demand specialized exploitation techniques.
SPECTER PIERCER CE fills that gap. We are the world's first dedicated .onion web application pentesting tool.
What It Does
SPECTER PIERCER CE is pure Python. No Burp. No ZAP. No sqlmap. No external pentest tooling. No stubs. No vapourware.
10 subsystems across 2 gates: OPEN (reconnaissance, no auth) and PIERCE (active exploitation, ROE required).
Subsystem Table
| Subsystem | Gate | Purpose |
|---|---|---|
| PIERCE-DISCOVER | OPEN | Enumerate .onion endpoints, paths, authentication patterns |
| PIERCE-FINGERPRINT | OPEN | Identify framework, server, database, auth schemes, CMS |
| PIERCE-AUTH-BYPASS | PIERCE | Default creds, SQLi auth bypass, session hijacking, OAuth bypass |
| PIERCE-SQLI | PIERCE | Time-based, error-based, union-based, boolean-based, stacked SQL injection |
| PIERCE-XSS | PIERCE | Reflected, stored, DOM-based, self-XSS |
| PIERCE-LFI | PIERCE | Path traversal, PHP wrappers, log poisoning, local file inclusion |
| PIERCE-RCE | PIERCE | Command injection, code injection, deserialization, file upload RCE |
| PIERCE-CONFIG | PIERCE | Directory listing, backup files, .git/.env exposure, admin panel discovery |
| PIERCE-EVADE | PIERCE | Tor circuit rotation, timing jitter, signature stripping, traffic obfuscation |
| PIERCE-REPORT | OPEN | Ed25519+ML-DSA-65 dual-signed findings report, OWASP categorisation |
Installation
pip install specter-piercer-ce
Verify:
specter-piercer version
Quickstart
OPEN Gate — Passive Reconnaissance (No Auth Required)
# Discover endpoints
specter-piercer discover --target http://abc123.onion
# Fingerprint tech stack
specter-piercer fingerprint --target http://abc123.onion
PIERCE Gate — Active Exploitation (ROE File Required)
First, create a Rules of Engagement (ROE) file:
cat > roe.json << 'EOF'
{
"client": "Your Client Name",
"scope": ["http://abc123.onion"],
"authorized_dates": {
"start": "2026-01-01",
"end": "2026-01-31"
},
"authorized_techniques": [
"sqli",
"xss",
"lfi",
"rce",
"auth_bypass",
"config_exposure",
"evasion"
]
}
EOF
Then launch active pentesting:
# SQL injection
specter-piercer sqli --target http://abc123.onion --param id --roe roe.json
# Cross-site scripting
specter-piercer xss --target http://abc123.onion --roe roe.json
# Authentication bypass
specter-piercer auth-bypass --target http://abc123.onion --roe roe.json
# Remote code execution
specter-piercer rce --target http://abc123.onion --roe roe.json
# Local file inclusion
specter-piercer lfi --target http://abc123.onion --roe roe.json
# Configuration exposure
specter-piercer config --target http://abc123.onion --roe roe.json
# Traffic evasion (circuit rotation, jitter, signature stripping)
specter-piercer evade --target http://abc123.onion --roe roe.json
# Generate signed report
specter-piercer report --session PIE-abc123def456
Gate Architecture
OPEN Gate
Passive reconnaissance. No authorization required.
- PIERCE-DISCOVER — Endpoint enumeration via path fuzzing and HTTP probing
- PIERCE-FINGERPRINT — Tech stack identification (server, framework, database, auth)
- PIERCE-REPORT — Ed25519+ML-DSA-65 dual-signed findings report
PIERCE Gate
Active exploitation. ROE file required.
All 7 active exploitation subsystems:
- PIERCE-AUTH-BYPASS
- PIERCE-SQLI
- PIERCE-XSS
- PIERCE-LFI
- PIERCE-RCE
- PIERCE-CONFIG
- PIERCE-EVADE
Attack Capabilities
SQL Injection
- Time-based blind — Sleep/delay-based detection
- Error-based — Error message analysis
- Union-based — Union select queries
- Boolean-based — True/false response inference
- Stacked queries — Multi-statement injection
Payloads for: MySQL, PostgreSQL, MSSQL, Oracle, SQLite
Cross-Site Scripting (XSS)
- Reflected XSS — URL parameter injection
- Stored XSS — Database-persisted payloads
- DOM-based XSS — Client-side DOM sink detection
- Self-XSS — Cookie/header injection chains
Local File Inclusion (LFI)
- Path traversal —
../../../etc/passwdtechniques - PHP wrappers —
php://filter,php://input,data:// - Log poisoning — Access log injection + LFI
- Null byte injection —
.php%00techniques - Encoding bypass — URL encoding, double encoding, unicode
Remote Code Execution (RCE)
- Command injection — OS command execution
- Code injection — PHP
eval(), Pythonexec(), etc. - Deserialization — Unsafe unserialize/pickle exploitation
- File upload RCE — Upload shell, polyglot files, MIME bypass
Authentication Bypass
- Default credentials — 20+ common username/password combos
- SQLi auth bypass — SQL injection in login forms
- Session hijacking — Cookie stealing, token prediction
- OAuth bypass — Redirect manipulation, state parameter abuse
Configuration Exposure
- Directory listing — Enumerate accessible directories
- .git exposure — Clone/extract git repositories
- .env files — API keys, database credentials
- Backup files — .bak, .old, .zip recovery
- Admin panels —
/admin,/wp-admin,/phpmyadmin - Misconfiguration — CORS, CSRF tokens, security headers
Traffic Evasion
- Tor circuit rotation — Randomize exit node per request
- Timing jitter — Variable request delays
- Signature stripping — Remove identifying request patterns
- User-agent rotation — Browser fingerprint randomization
- Request chunking — Fragment payloads across packets
The Tor Stack
Red Specter is the only entity with a complete Tor exploitation ecosystem:
- T161 SPECTER PHANTOMNET — C2 + Exfil over Tor
- T162 SPECTER SATOSHI — Crypto/payment layer
- T163 SPECTER TIMEBOMB — Dormant backdoor deployment
- T173 SPECTER PIERCER CE — ← You are here (Web app pentest)
Report Format
All findings are compiled into a dual-signed report:
- Ed25519 — EdDSA signature (post-quantum resistant)
- ML-DSA-65 — CRYSTALS-Dilithium signature (post-quantum ready)
Report structure:
{
"report_id": "PIE-{hex12}",
"timestamp": "2026-01-15T10:30:00Z",
"target_url": "http://abc123.onion",
"gate_level": "pierce",
"findings": [
{
"vulnerability": "SQL Injection",
"owasp_category": "A03:2021 – Injection",
"severity": "critical",
"parameter": "id",
"injection_type": "time-based-blind",
"evidence_chain": [...]
}
],
"ed25519_signature": "sig_ed25519_...",
"ml_dsa_65_signature": "sig_ml_dsa_65_..."
}
Enterprise Version
SPECTER PIERCER CE gives you full .onion pentesting capability:
- ✅ 10 subsystems
- ✅ OPEN + PIERCE gates
- ✅ Ed25519+ML-DSA-65 signing
- ✅ 465 tests, production-ready
SPECTER PIERCER Enterprise adds:
- 🔒 Credential harvest and brute force (PIERCE-CRED)
- 🔒 Persistence mechanisms (PIERCE-PERSIST)
- 🔒 PIERCER_KEY for encrypted operations
For enterprise licensing, contact: richard@red-specter.co.uk
Responsible Use
SPECTER PIERCER CE is a pentesting tool. It is illegal to test systems you do not own or have explicit permission to test.
Legal Compliance
- UK: Computer Misuse Act 1990 — Authorised penetration testing only
- US: CFAA (Computer Fraud and Abuse Act) — Written authorization required
- ROE File: Required for all PIERCE gate operations (auditable proof of authorisation)
Authorization Requirements
Before using PIERCE gate:
- Get written authorization from system owner/client
- Create ROE file with authorized dates and scope
- Only test systems in the ROE scope
- Document all findings and evidence chains
- Use circuit rotation + evasion responsibly (avoid detection)
What Not To Do
- ❌ Test systems you don't own
- ❌ Test beyond your authorized scope
- ❌ Target non-authorized users or data
- ❌ Use persistence/credential tools without authorization
- ❌ Store or exfiltrate sensitive data
- ❌ Share findings publicly without client approval
SPECTER PIERCER CE is for authorized security professionals only.
About
Red Specter Security Research Ltd
- Company No. 17106988 (UK)
- Chester, United Kingdom
- Website: https://red-specter.co.uk
- Engineered by Richard Barron
Build Status
- Edition: Community (CE)
- Version: 1.0.0
- Subsystems: 10
- Gates: 2 (OPEN, PIERCE)
- Tests: 465 (100% passing)
- Report Signing: Ed25519 + ML-DSA-65
- Tor Integration: Native SOCKS5 + circuit rotation
- Status: Production-ready
Shields
Security Research Paper
For technical details on Tor exploitation, circuit management, and evasion techniques:
RS-2026-001: Tor Hidden Service Web Application Pentesting — Zenodo
SPECTER PIERCER CE — Pure Python Tor-native web application pentesting
"Burp Suite can't test .onion sites. SPECTER PIERCER CE can."
Generated with Red Specter Security Research
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file specter_piercer_ce-1.0.0.tar.gz.
File metadata
- Download URL: specter_piercer_ce-1.0.0.tar.gz
- Upload date:
- Size: 19.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e55a5ec2e2b22c42b24cb71bfb18022c6c47d5bf5dd8a1c32269ec4730ef1ff9
|
|
| MD5 |
3c8757ccb6b049f71fdcdf88c6147df7
|
|
| BLAKE2b-256 |
db2760241496a6db55afaf3b6be841a341ac2f19e90cd102f1a7a106a56b5d8c
|
File details
Details for the file specter_piercer_ce-1.0.0-py3-none-any.whl.
File metadata
- Download URL: specter_piercer_ce-1.0.0-py3-none-any.whl
- Upload date:
- Size: 24.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ed358913800ff2464f75d64cf1021bf98efceb4387e1c7f91705023de8a11102
|
|
| MD5 |
d7db43a400268f745f41ce1d6cec28ce
|
|
| BLAKE2b-256 |
1f3fbc01ffd89ebe79bcaffc2865041c29d654462391d14306e4b2b9c71f9ef3
|