Skip to main content
The network info endpoints manage the persistent session context stored in the SQLite database. All authenticated scans pull domain, DC host, and DC IP from this context automatically — you only need to set it once per engagement.

GET /api/network-info

Returns the currently stored network info record. 
curl http://localhost:8000/api/network-info

Response

host
string
Attacker hostname (populated from OS environment).
ip
string
Attacker’s local IP address (e.g. VPN tun0 IP).
domain
string
Active Directory domain name (e.g. corp.local).
dc_host
string
Domain controller hostname (e.g. DC01). Required for Kerberos authentication.
dc_ip
string
Domain controller IP address.
ext_ip
string
External/public IP of the attacker machine.
auth_method
string
Detected authentication method: NTLM, Kerberos, Kerberos+NTLM, or Unknown.
requires_kerberos
integer
1 if the DC only accepts Kerberos, 0 otherwise.
username
string
Operating system username of the app process owner.
Example response: 
{
  "host": "kali",
  "ip": "10.10.14.5",
  "domain": "corp.local",
  "dc_host": "DC01",
  "dc_ip": "10.10.10.1",
  "ext_ip": "1.2.3.4",
  "auth_method": "Kerberos+NTLM",
  "requires_kerberos": 0,
  "username": "kali"
}

GET /api/network-interfaces

Returns all active network interfaces with their assigned IPv4 addresses. VPN interfaces (tun*, tap*) are sorted to the top of the list. 
curl http://localhost:8000/api/network-interfaces

Response

status
string
"success" on success.
interfaces
array
Array of interface objects, VPN interfaces listed first.
Example response: 
{
  "status": "success",
  "interfaces": [
    { "interface": "tun0", "ip": "10.10.14.5", "display": "10.10.14.5 (tun0)" },
    { "interface": "eth0", "ip": "192.168.1.10", "display": "192.168.1.10 (eth0)" }
  ]
}

POST /api/network-info/update

Persists the operator’s network context. If dc_ip is provided and auth_method is not specified, the DC is probed automatically to detect whether it supports Kerberos, NTLM, or both. 
curl -X POST http://localhost:8000/api/network-info/update \
  -H "Content-Type: application/json" \
  -d '{"host": "kali", "ip": "10.10.14.5", "domain": "corp.local", "dc_host": "DC01", "dc_ip": "10.10.10.1"}'

Request Body

host
string
Attacker hostname.
ip
string
Attacker’s local IP (used as listener address in coercion attacks).
domain
string
Active Directory domain name.
dc_host
string
Domain controller hostname. Must be the actual hostname (not IP) when using Kerberos.
dc_ip
string
Domain controller IP address.
ext_ip
string
External IP address of the attacker machine.
auth_method
string
Explicitly set auth method (NTLM, Kerberos, Kerberos+NTLM). If omitted and dc_ip is present, the DC is probed automatically.

Response

status
string
"success" on success.
auth_method
string
The auth method that was stored (auto-detected or explicitly provided).
Example response: 
{
  "status": "success",
  "auth_method": "Kerberos+NTLM"
}

POST /api/network-info/detect-auth

Probes the given DC IP to determine whether it supports Kerberos, NTLM, or both. Updates the stored auth_method and requires_kerberos fields. 
curl -X POST http://localhost:8000/api/network-info/detect-auth \
  -H "Content-Type: application/json" \
  -d '{"dc_ip": "10.10.10.1"}'

Request Body

dc_ip
string
required
IP address of the domain controller to probe.

Response

status
string
"success" on success.
auth_method
string
Detected auth method: "Kerberos", "NTLM", "Kerberos+NTLM", or "Unknown".
requires_kerberos
boolean
true if auth_method is exactly "Kerberos" (DC refuses NTLM).
Example response: 
{
  "status": "success",
  "auth_method": "Kerberos+NTLM",
  "requires_kerberos": false
}

POST /api/kerberos/acquire-tgt

Acquires a Kerberos TGT using impacket-getTGT. Before requesting the ticket, the system clock is synchronized with the DC using ntpdate (Kerberos requires time skew < 5 minutes). The resulting .ccache file is saved to recon/ccache/<username>.ccache. 
curl -X POST http://localhost:8000/api/kerberos/acquire-tgt \
  -H "Content-Type: application/json" \
  -d '{
    "domain": "corp.local",
    "username": "administrator",
    "password": "Password1",
    "dc_ip": "10.10.10.1",
    "sudo_password": "kali"
  }'

Request Body

domain
string
required
Active Directory domain name.
username
string
required
Account username to request the TGT for.
password
string
required
Account password.
dc_ip
string
required
Domain controller IP used for time sync and TGT acquisition.
sudo_password
string
Sudo password required to run ntpdate for clock sync. Optional but strongly recommended.

Response

status
string
"success" on success.
ccache_path
string
Absolute path to the saved ccache file (e.g. /home/kali/etherreaper/recon/ccache/administrator.ccache).
message
string
Human-readable result summary.
Example response: 
{
  "status": "success",
  "ccache_path": "/home/kali/etherreaper/recon/ccache/administrator.ccache",
  "message": "TGT acquired successfully for corp.local/administrator"
}

GET /api/ccache/list

Lists all .ccache files in the recon/ccache/ directory. Used by authenticated scan modals to populate the ccache file selector. 
curl http://localhost:8000/api/ccache/list

Response

status
string
"success" on success.
ccache_files
array
Array of ccache file objects, sorted by modification time (newest first).
count
integer
Total number of ccache files found.
Example response: 
{
  "status": "success",
  "ccache_files": [
    {
      "filename": "administrator.ccache",
      "path": "/home/kali/etherreaper/recon/ccache/administrator.ccache",
      "size": 1024,
      "modified": "2024-01-15 14:32:07"
    }
  ],
  "count": 1
}

Build docs developers (and LLMs) love

Get started for freeTalk to us