Starting the Application

From the project directory, run as your regular user:
./run.sh
run.sh checks for the venv and then launches the app:
exec ./venv/bin/python etherreaper.py "$@"
Once running, open your browser at:
http://localhost:8000
Do not run ./run.sh with sudo. The app runs as your regular user by design. When specific tools require elevation (nmap with -O, masscan, Responder, mitm6, ASRepCatcher), a sudo password modal will prompt you in the browser.

CLI Flags

All flags are passed through to the underlying uvicorn server:
./run.sh --reload       # Auto-reload on code changes (development mode)
./run.sh --port 9000    # Start on a custom port instead of 8000
./run.sh --workers 4    # Production multi-worker mode
./run.sh --help         # Show all available options
Use --reload during development to pick up changes to etherreaper.py automatically. Avoid --reload in production as it uses more resources and disables multi-worker mode.

First Session Setup

1. Open EtherReaper in your browser

Navigate to http://localhost:8000. You will see the EtherReaper interface with a Network Info bar across the top and a sidebar with all tool categories.

2. Fill in the Network Info bar

The Network Info bar is the session-wide configuration used by every scan. Fill in all four fields before running any tools:
| Field | Value | Example |
| --- | --- | --- |
| Your IP | Your tun0 or eth0 IP (listener IP for coerce/relay attacks) | 10.10.14.5 |
| Domain | Target AD domain name | corp.local |
| DC Hostname | Domain controller hostname (required for Kerberos/ccache) | DC01 |
| DC IP | Domain controller IP address | 10.10.10.100 |
For Kerberos ccache authentication, all authenticated scans must use the DC hostname, not the IP. Set DC Hostname correctly before switching Auth Method to Kerberos.

3. Add targets to Scope

Go to DATA → Scope and add your target IP addresses, CIDR ranges, or IP ranges. Scope targets are used as the default target list for discovery scans. Accepted formats:
  • Single IP: 10.10.10.100
  • CIDR range: 10.10.10.0/24
  • IP range: 10.10.10.1-10.10.10.254

4. Run an Nmap scan to populate the hosts database

Go to NETWORK → Nmap and run a scan against your scope. Nmap results are parsed and stored in the SQLite hosts database — this populates the host list used by all downstream scans.
NETWORK → Nmap → select scope targets → Start Scan
After the scan completes, discovered hosts with their open ports, services, OS, and SMB metadata are viewable under DATA → Hosts.
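
Before pasting a target list into Scope (step 3), it helps to check it against the three accepted formats and against the authorized range. The following is an added example, not EtherReaper's own code; the function names and the sample entries are assumptions made for illustration:

```python
import ipaddress

# Constructed sample scope list: the three formats from the Scope step,
# plus three malformed entries that should be rejected.
SAMPLE_ENTRIES = [
    "10.10.10.100",
    "10.10.10.0/24",
    "10.10.10.1-10.10.10.254",
    "10.10.10.5/24",            # host bits set: ambiguous CIDR
    "10.10.10.254-10.10.10.1",  # reversed range
    "corp.local",               # hostname, not an address
]

def parse_scope_entry(entry):
    """Return the networks covered by one scope entry (hypothetical helper)."""
    entry = entry.strip()
    if "/" in entry:  # CIDR; strict=True raises ValueError on host bits
        return [ipaddress.ip_network(entry, strict=True)]
    if "-" in entry:  # inclusive first-last range
        first_s, last_s = entry.split("-", 1)
        first = ipaddress.ip_address(first_s.strip())
        last = ipaddress.ip_address(last_s.strip())
        if first.version != last.version:
            raise ValueError(f"mixed IPv4/IPv6 range: {entry}")
        if first > last:
            raise ValueError(f"range start is after range end: {entry}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry)]  # single IP becomes /32 or /128

def build_scope(entries):
    """Split entries into accepted networks and (entry, reason) rejections."""
    nets, rejected = [], []
    for entry in entries:
        try:
            nets.extend(parse_scope_entry(entry))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return nets, rejected

def in_scope(target, nets):
    """True only if the target address falls inside an accepted network."""
    addr = ipaddress.ip_address(target)
    return any(addr.version == n.version and addr in n for n in nets)

if __name__ == "__main__":
    nets, rejected = build_scope(SAMPLE_ENTRIES)
    for entry, reason in rejected:
        print(f"rejected {entry!r}: {reason}")
```
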

Credential Flow

EtherReaper maintains a persistent credentials database across sessions. Credentials are captured automatically from:
  • Responder — NTLM hashes from LLMNR/NBT-NS/mDNS poisoning
  • netexec — cleartext passwords, NTLM hashes via SMB/LDAP/LSA
  • Kerberoast / AS-REP roast — TGS and AS-REP hashes
  • ESC1 attack — NTLM hash obtained via the automated Certipy ESC1 chain
All captured credentials appear in DATA → Credentials, filterable by source (netexec(SMB), netexec(LDAP), netexec(LSA), manual). Every authenticated scan modal has a Saved Credentials dropdown that pulls from this database — no copy-pasting between tools.

Sudo Password Modal

Some tools require root privileges to function. When you launch one of these tools, EtherReaper will display a sudo password modal in the browser before starting the scan:
| Tool | Reason |
| --- | --- |
| nmap -O | OS fingerprinting requires raw packet access |
| masscan | Requires raw socket access |
| Responder | Binds to layer 2 interfaces |
| mitm6 | IPv6 poisoning requires raw packet injection |
| ASRepCatcher | Kerberos packet capture requires raw socket access |
Enter your password once and optionally save it for the remainder of the session. The app itself continues to run as your regular user — only these specific tool invocations are elevated via sudo.

Next Steps

With hosts in the database and your Network Info configured, you have access to all tool categories:
  • NETWORK → Web Screenshots — fingerprint web applications on discovered hosts
  • LAYER2 → Responder — start LLMNR/NBT-NS poisoning to capture hashes
  • VULNERABILITIES → Coerce — force authentication from targets to your listener IP
  • AD → Kerberoast / AS-REP Roast — extract hashes for offline cracking
  • AD → ADCS — enumerate certificate services misconfigurations (ESC1–ESC8+)