./redteamer

Purpose-built Tooling for OffSec Professionals.

RedTeamer enables the codification and orchestration of your red team operations using the existing security tools you know and love.

email_enumuration.rtmod
action "gobuster_dir" {
  with     = "core/tools/gobuster/dir"
  base_url = input.target
  wordlist = "/usr/share/wordlists/common.txt"
}
action "email_harvest" {
  with = "core/tools/harvester/emails"
  urls = action.gobuster_dir.results
}

Getting started

Quickstart

Let's learn the basics and get started with RedTeamer.

Installation

Download and install RedTeamer.

Language

Learn the basics of the language.

Blocks Reference

Discover the builtin block types.

Functions reference

Discover the available Functions.

Overview

When conducting red team activities, you may find yourself using many tools and services, hand crafting requests, fiddling with command line arguments, and spending inordinate amounts of time getting the output of one tool or service into the input of another.

This can feel rather tedious, especially when you want to reproduce the exact actions sometime in the future.

RedTeamer aims to address these pains by providing purpose-built tooling to compose, model, orchestrate, execute, capture, share, and replay red team operations.

Licensing

This section provides a quick summary of what you can and cannot do with the Software, along with your responsibilities.

RedTeamer is freely available to anyone for non-commercial use. For any commercial use, excluding evaluation, a RedTeamer Professional License must be purchased for every RedTeamer user in your business.

See License Agreement and Pricing for more information.

You can:

  • Use the Software for free for non-commercial purposes: personal, research, education, evaluation, or open-source projects.
  • Use the Software for free in educational settings, including for-profit institutions, for teaching or learning purposes (no direct commercial services).

You cannot:

  • Use the Software for commercial purposes excluding evaluation without buying a Professional License.
  • Continue using the Software if the agreement is terminated or if you violate the terms.

You must:

  • Purchase a Professional License to use the Software for business, consulting, or any profit-generating work.
  • Stop using the Software immediately if the agreement is terminated or you violate the terms.

Installation

RedTeamer supports Linux systems only, specifically:

  • AMD64 (x86_64)
  • ARM64 (aarch64)

It is tested on the latest releases of Debian and Fedora but should function on any distribution with git and podman installed.

Works on most Linux distributions that have curl, sh, and a package manager available.

curl https://redteamer.io/install | sh

Basics

Modules

Modules are plain text files with the .rtmod.hcl extension. Modules are how you model the actions RedTeamer will perform. True to their name, modules are reusable and designed to be composed together.

Every module file starts with a module block. Here you provide a description and an optional help_url, which surface in auto-generated documentation and editor IntelliSense.

Importantly, the image argument specifies the OCI container image that will provide the execution environment.

module {
  image       = "docker.io/library/ubuntu:latest"
  description = "My example not very useful module"
  help_url    = "https://example.com"
}

Within modules, you can declare any number of import blocks, which enable out-of-the-box integrations with various tools like nmap, metasploit, jacktheripper, and almost anything you can think of. Import blocks are just a way to pull in modules from a local or remote source.

import "core" {
  url     = "https://github.com/redteamer-io/core.git"
  version = "~> 1.0"
}

From there, you can compose real-world actions using any number of action blocks. The example action block below has the label gobuster_dir to uniquely identify it within the module.

action "gobuster_dir" {}

Inside these blocks, you use the with argument to declare what action will be invoked, in this case, another module made available by the above import block.

Additionally, you can customize the actions by specifying arguments such as a target URL, a wordlist, a scan mode, and anything else you can imagine.

action "gobuster_dir" {
  with     = "core/tools/gobuster/dir"
  base_url = "http://example.com"
  wordlist = "/usr/share/wordlists/dirb/common.txt"
}

A neat feature is that the outputs of one action can be used as inputs for another, with these relationships implicitly determining the correct execution order.

action "harvest_emails" {
  // The reference to another block ensures correct order of execution
  with     = "core/tools/harvester"
  for_each = toset(action.gobuster_dir.results)
  url      = each.value
}
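
The ordering rule described above, as an added Python illustration (not RedTeamer's own code or resolver): it reads `action.<label>` references out of each block and topologically sorts them. The brace matching is a simplification that assumes no braces inside string values, and the sample module is this page's two action blocks listed in reverse order.

```python
import re
from graphlib import TopologicalSorter

# Constructed sample: the two action blocks from this page, deliberately
# listed in reverse order to show that file order does not matter.
MODULE_TEXT = '''
action "harvest_emails" {
  with     = "core/tools/harvester"
  for_each = toset(action.gobuster_dir.results)
  url      = each.value
}

action "gobuster_dir" {
  with     = "core/tools/gobuster/dir"
  base_url = "http://example.com"
  wordlist = "/usr/share/wordlists/dirb/common.txt"
}
'''

BLOCK_RE = re.compile(r'action\s+"([A-Za-z_][\w-]*)"\s*\{')
REF_RE = re.compile(r'\baction\.([A-Za-z_][\w-]*)')

def action_bodies(text):
    """Map each action label to its body, matching braces by depth."""
    bodies = {}
    for m in BLOCK_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        bodies[m.group(1)] = text[m.end():i - 1]
    return bodies

def execution_order(text):
    """Order actions so that each runs after every action it references."""
    bodies = action_bodies(text)
    graph = {}
    for label, body in bodies.items():
        deps = set(REF_RE.findall(body))
        unknown = deps - bodies.keys()
        if unknown:
            raise ValueError(f"{label} references undeclared action(s): {sorted(unknown)}")
        graph[label] = deps  # node -> actions that must run first
    # static_order() raises graphlib.CycleError on circular references
    return list(TopologicalSorter(graph).static_order())


if __name__ == "__main__":
    print(execution_order(MODULE_TEXT))
```

A reference to an action that is never declared, or two actions that reference each other, is reported as an error instead of producing an order.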

Commands

Now with a module defined, you can use the run command to execute the module.

redteamer run example.rtmod.hcl
[3.00s] wait.name
┃ Waiting for 3s

┃ wait.name = {
"hours"   = 0
"minutes" = 0
"seconds" = 3
}
[2.07s] exec.command.ping
ping 127.0.0.1 -c 3
┃ PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.050 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.032 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.041 ms

┃ --- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2061ms
┃ rtt min/avg/max/mdev = 0.032/0.041/0.050/0.007 ms
┃ exec.command.ping = {
"args" = tolist([
"127.0.0.1",
"-c",
"3",
])
"command"     = "ping"
"envs"        = tomap(null) /* of string */
"exit_code"   = 0
"interpreter" = tolist(null) /* of string */
"name"        = ""
"stderr"      = ""
"stdout"      = <<-EOT
┃   PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.050 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.032 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.041 ms

┃   --- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2061ms
┃   rtt min/avg/max/mdev = 0.032/0.041/0.050/0.007 ms

┃   EOT
"working_dir" = ""
}
[5.12s]
┃ var.boo = "127.0.0.1"
┃ var.cats = 2
┃ var.hats = 1

• Module: /home/localuser/Dev/experiments/redteamer/apple.rtmod.hcl
0.04s ✔ 2


┃ OUTPUTS:

┃ name = "george"
┃ ips = [
"127.0.0.1",
]

Later on, the history command can be used to see past runs.

❯ redteamer history
ID            MODULE                           EXECUTED
a51ef0b5df47  /home/jdoe/demo/test2.rtmod.hcl  one day ago
85c20fdb34e6  /home/jdoe/demo/test1.rtmod.hcl  3 days ago
de3b48a7817b  /home/jdoe/demo/test1.rtmod.hcl  2 days ago
725f761af852  /home/jdoe/demo/test1.rtmod.hcl  3 days ago

The output command can be used to get a past run's outputs.

redteamer output a51ef0b5df47
[3.00s] wait.name
┃ Waiting for 3s

┃ wait.name = {
"hours"   = 0
"minutes" = 0
"seconds" = 3
}
[2.07s] exec.command.ping
ping 127.0.0.1 -c 3
# ...

Official Support

If you've found a bug, have a feature suggestion, or a billing question, please raise an issue on our Support Portal.

We welcome your feedback.