👻 Spectre

Modular Reconnaissance Framework

---

Spectre is a modular reconnaissance framework written in Go. It combines port scanning, subdomain enumeration, directory bruteforcing, security header analysis, technology detection, and WHOIS lookups into a single binary with a unified CLI. Zero external dependencies — standard library only.

Architecture

cmd/spectre/          CLI entry point
internal/cli/         Command routing, flag parsing, signal handling
pkg/
├── recon/            Network reconnaissance (portscan, subdomain, whois)
├── web/              HTTP reconnaissance (dirsearch, headers, techdetect)
└── output/           Rendering engine (table, JSON, file output)

Every module implements the output.Renderable interface, enabling consistent formatting across all scan types. Context-aware cancellation ensures clean shutdown on interrupt signals.

Install

go install github.com/mrceha/spectre/cmd/spectre@latest

Or build from source:

git clone https://github.com/mrceha/spectre.git
cd spectre
make build

Modules

Port Scanner

Multi-threaded TCP connect scan with banner grabbing and service identification.

spectre scan 192.168.1.1 --ports 1-1024 --threads 200
spectre scan 10.0.0.1 -p 22,80,443,3306,8080 --json

Subdomain Enumeration

DNS-based subdomain discovery with concurrent resolution and CNAME detection.

spectre subdomain example.com
spectre sub example.com --wordlist subdomains-10k.txt --threads 100

Directory Search

HTTP directory and file bruteforcing with redirect detection.

spectre dirsearch https://example.com --threads 50
spectre dir https://target.com --wordlist dirs.txt --json

Security Headers

Evaluates HTTP security headers against best practices and assigns a letter grade.

spectre headers https://example.com

  HEADER                       STATUS   SEVERITY  NOTE
  ─────────────────────────    ──────   ────────  ────
  Strict-Transport-Security    present  info      HSTS enabled
  Content-Security-Policy      missing  high      No CSP — vulnerable to XSS
  X-Frame-Options              present  info      Clickjacking protection enabled
  X-Content-Type-Options       present  info      MIME sniffing disabled
  Referrer-Policy              missing  medium    No referrer policy

  Security score: 70/100 (Grade: C)

Technology Detection

Fingerprints server technologies, frameworks, and CMS platforms via header and body analysis.

spectre tech https://example.com

WHOIS Lookup

Domain registration data with automatic TLD-to-server resolution and referral following.

spectre whois example.com

Full Reconnaissance

Chains all modules against a single target.

spectre full example.com --json --output report.json

Global Flags

Flag	Default	Description
--timeout	5	Request timeout in seconds
--threads	50	Max concurrent workers
--output	stdout	Write results to file
--json	off	JSON output format
--quiet	off	Suppress banner and progress
--wordlist	built-in	Custom wordlist file path

Design

• Zero dependencies — Built entirely on Go's standard library. No cobra, no urfave/cli, no third-party HTTP clients.
• Context propagation — Every operation accepts a context.Context for clean cancellation on Ctrl+C.
• Bounded concurrency — Worker pools use channel-based fan-out instead of unbounded goroutine spawning.
• Interface-driven output — The Renderable interface decouples scan logic from display formatting.
• Single binary — Cross-compile for any OS/arch with make build-all.

Build

make build          # Build for current platform
make build-all      # Cross-compile for linux/darwin/windows (amd64 + arm64)
make clean          # Remove build artifacts

Legal

This tool is intended for authorized security testing only. You are responsible for obtaining proper authorization before scanning any systems you do not own.

License

MIT — see LICENSE.