What is EtherReaper?
EtherReaper is a web-based Active Directory penetration testing framework. It brings together the tools used across internal network assessments — host discovery, credential capture, AD enumeration, vulnerability checks, and data management — into a single persistent interface you operate entirely from a browser. All scan output is logged, stored in SQLite, and viewable after the fact. Credentials captured across sessions are deduplicated and available as a dropdown when running authenticated scans. No CLI juggling, no losing terminal state between reboots. Stack: FastAPI backend, Vanilla JS frontend, SQLite storage. No containers required.
Technology Stack
| Component | Technology |
|---|---|
| Backend | Python 3.10+, FastAPI |
| Frontend | Vanilla JavaScript |
| Database | SQLite (data/reaper.db) |
| Browser automation | Playwright (Chromium) |
| HTTP probing | aiohttp |
| AD/Kerberos | impacket |
| Platform | Kali Linux or Debian-based |
Feature Categories
Network Reconnaissance
Fast host and port discovery with Masscan, deep service scanning with Nmap, template-based vulnerability scanning with Nuclei, and SMB signing checks to identify relay targets across your scope.
Web Screenshots
Playwright-based web application discovery with automatic technology fingerprinting across HTTP headers, DOM content, JavaScript environment, and observed network requests. Results are scored by attack surface value — Jenkins, Exchange, and admin panels ranked at the top.
Layer 2 Attacks
Long-running background tools with live output streaming: Responder (LLMNR/NBT-NS/mDNS poisoning), mitm6 (IPv6 DHCPv6 spoofing), and ASRepCatcher (AS-REP relay and listen modes).
Vulnerability Checks
Point-and-click checks for PrintNightmare (CVE-2021-1675), SMBGhost (CVE-2020-1080), MS17-010 (EternalBlue), noPAC (CVE-2021-42287/42278), NTLM reflection, Coerce authentication (PetitPotam, PrintSpooler, DFSCoerce, and more), and MasterBaiter payload generation.
Active Directory Enumeration
Unauthenticated and authenticated AD attack modules including BloodHound collection, Kerberoasting, AS-REP roasting, ADCS enumeration (ESC1–ESC8+) with automated ESC1 exploitation, GMSA passwords, delegation enumeration, and domain info gathering. All authenticated scans support NTLM credentials or Kerberos ccache.
Data Management
Persistent SQLite views for credentials, scan history, discovered hosts, scope targets, domain info, and domain users and groups. Includes a Hash Calculator to derive NTLM, AES-128, and AES-256 Kerberos keys from plaintext passwords using impacket.
Get Started
Installation
System requirements, tools installed by setup.sh, and step-by-step setup instructions.
Quickstart
Start the app, configure your first session, add scope targets, and run your first scan.