EtherReaper bundles eight vulnerability checks and payload generators into the VULNERABILITIES panel. Each check is backed by a dedicated FastAPI endpoint and stores its result in DATA → Scan History.
All checks are for authorized assessments and CTF environments only. Several checks are destructive or leave forensic artifacts on the target system.

Available checks

PrintNightmare

CVE-2021-1675 — RCE via the Windows Print Spooler service. Exploits the RpcAddPrinterDriverEx call to load an arbitrary DLL as SYSTEM. Runs unauthenticated against the target. Part of the shared VULNERABILITIES → Vuln Checks panel alongside SMBGhost, MS17-010, noPAC, and NTLM Reflection.

SMBGhost

CVE-2020-1080 — Remote code execution via a buffer overflow in the SMBv3 compression (decompression) routine in srv2.sys. Unauthenticated check against SMBv3 targets running Windows 10 1903/1909 and Server 2019. Run via the Vuln Checks panel.

MS17-010 (EternalBlue)

EternalBlue — SMBv1 exploitation affecting unpatched Windows 7, Server 2008, and earlier. Commonly used for lateral movement. Unauthenticated detection via the ms17-010 NetExec module. Run via the Vuln Checks panel.

noPAC

CVE-2021-42287 / 42278 — Domain privilege escalation by exploiting machine account name collision and the sAMAccountName spoofing technique to obtain a TGT as a domain controller. Requires domain credentials. Run via the Vuln Checks panel.

NTLM Reflection

Checks whether the target host is vulnerable to NTLM reflection, the precondition for staging an NTLM relay attack against it. Requires credentials. Run via the Vuln Checks panel.

Coerce

Forces Windows hosts to authenticate to your listener using multiple methods: PetitPotam, PrintSpooler, DFSCoerce, and others via the coerce_plus NetExec module. Captures NTLMv2 hashes when paired with Responder.

MasterBaiter

Generates malicious payload files (.lnk, .library-ms, .scf) that trigger automatic Windows NTLM authentication when a victim browses a share or opens the file. Output is written to recon/loads/ and presented as a downloadable gallery.

Zerologon

CVE-2020-1472 — Unauthenticated DC authentication bypass by exploiting a cryptographic flaw in MS-NRPC. Resets the DC machine account password to empty. Destructive — use only in authorized CTF or lab environments.

Credential and module requirements

Check             UI panel                         Credentials required   CVE
PrintNightmare    VULNERABILITIES → Vuln Checks    No                     CVE-2021-1675
SMBGhost          VULNERABILITIES → Vuln Checks    No                     CVE-2020-1080
MS17-010          VULNERABILITIES → Vuln Checks    No
noPAC             VULNERABILITIES → Vuln Checks    Yes                    CVE-2021-42287/42278
NTLM Reflection   VULNERABILITIES → Vuln Checks    Yes
Coerce            VULNERABILITIES → Coerce         Optional
MasterBaiter      VULNERABILITIES → MasterBaiter   No
Zerologon         AD Unauthenticated               No                     CVE-2020-1472

Output and scan history

Every check records a row in the scans table with scan_type, target, status, output_file, created_at, and completed_at. Results are accessible at DATA → Scan History and link directly to the output file in recon/. Output file naming follows a consistent pattern:
recon/vuln-<module>-<target>.txt       # Vuln Checks (printnightmare, smbghost, ms17-010, nopac, ntlm_reflection)
recon/zerologon-<target>.txt           # Zerologon
recon/coerce_<target>_<timestamp>.txt  # Coerce
recon/loads/<filename>.<ext>           # MasterBaiter payloads
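The naming pattern above is regular enough to be parsed back into scan records, which is useful when reconciling Scan History against the authorised scope of an engagement (which checks touched which host). The Python below is an added example, not EtherReaper's own code. It encodes only the four documented patterns; the Coerce timestamp format is not documented on this page and is treated as an opaque token (an assumption), and the sample paths are constructed. One edge case worth noting: the module name ms17-010 itself contains the "-" separator, so a naive split on "-" mis-parses it, which is why the module is matched from an explicit list.

```python
"""Parse EtherReaper recon/ output paths back into scan records.

Added example, not part of EtherReaper. It only encodes the four file
naming patterns documented above. Assumption: the Coerce timestamp
format is undocumented here, so it is kept as an opaque string.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Module names for Vuln Checks, as listed in the naming pattern above.
VULN_MODULES = ("printnightmare", "smbghost", "ms17-010", "nopac", "ntlm_reflection")

# Explicit alternation for the module, because "ms17-010" contains the "-"
# separator: splitting on "-" would yield module "ms17" and target "010-...".
_MODULE_ALT = "|".join(re.escape(m) for m in VULN_MODULES)

PATTERNS = (
    ("vuln_check", re.compile(rf"^recon/vuln-(?P<module>{_MODULE_ALT})-(?P<target>[^/]+)\.txt$")),
    ("zerologon", re.compile(r"^recon/zerologon-(?P<target>[^/]+)\.txt$")),
    # Assumption: the target contains no "_", so the first "_" after "coerce_" ends it.
    ("coerce", re.compile(r"^recon/coerce_(?P<target>[^_/]+)_(?P<timestamp>[^/]+)\.txt$")),
    # MasterBaiter payload extensions as listed above.
    ("masterbaiter", re.compile(r"^recon/loads/(?P<filename>[^/]+)\.(?P<ext>lnk|library-ms|scf)$")),
)


@dataclass
class ScanRecord:
    scan_type: str
    output_file: str
    target: Optional[str] = None     # MasterBaiter payloads are not bound to a target
    module: Optional[str] = None     # only set for Vuln Checks
    timestamp: Optional[str] = None  # only set for Coerce


def parse_output_path(path: str) -> Optional[ScanRecord]:
    """Map one recon/ path to a ScanRecord, or None if it matches no pattern."""
    for scan_type, pattern in PATTERNS:
        m = pattern.match(path)
        if m:
            g = m.groupdict()
            return ScanRecord(
                scan_type=scan_type,
                output_file=path,
                target=g.get("target"),
                module=g.get("module"),
                timestamp=g.get("timestamp"),
            )
    return None


def checks_by_target(paths: List[str]) -> Dict[str, List[str]]:
    """Group recognised output files by target: which checks touched which host.

    Unrecognised paths and target-less payload files are skipped, so the
    result can be compared directly against an engagement's scope list.
    """
    index: Dict[str, List[str]] = {}
    for p in paths:
        rec = parse_output_path(p)
        if rec is None or rec.target is None:
            continue
        label = rec.module if rec.module else rec.scan_type
        index.setdefault(rec.target, []).append(label)
    return index


# Constructed sample paths following the documented pattern (not real output).
SAMPLE_PATHS = [
    "recon/vuln-ms17-010-10.0.0.5.txt",
    "recon/vuln-printnightmare-10.0.0.5.txt",
    "recon/vuln-ntlm_reflection-dc01.lab.local.txt",
    "recon/zerologon-dc01.lab.local.txt",
    "recon/coerce_10.0.0.5_20240101T120000.txt",
    "recon/loads/share-bait.lnk",
    "recon/notes.txt",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(path, "->", parse_output_path(path))
    print(checks_by_target(SAMPLE_PATHS))
```

Running the block prints one parsed record per sample path (None for recon/notes.txt, which matches no pattern) and then the per-target index, e.g. 10.0.0.5 mapped to ms17-010, printnightmare and coerce.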
