Integrated platform for red team operations combining Ghost-Ops (C2 infrastructure) and Ghost-Recon (automated reconnaissance).
- One-click deployment of Sliver C2 infrastructure
- Domain fronting via CloudFront for traffic obfuscation
- Auto-shutdown after inactivity to reduce costs
- SSL/TLS encrypted communication
- Telegram notifications for key events
- Parallel scanning across multiple EC2 instances (Spot Fleet)
- Toolset: subfinder, amass, httpx, ffuf, nuclei, naabu
- Result merging and analysis across nodes
- Target scoring by severity
- Reports in JSON, CSV, and HTML
- Ephemeral infrastructure with forensic cleanup
- State management for idempotent operations
- OPSEC-focused design
- AWS account with appropriate permissions
- AWS CLI configured
- Terraform installed
- Ansible installed
- Python 3.8+
Primera vez? Ver docs/FIRST_RUN_GUIDE.md para instrucciones detalladas de primera ejecución.
git clone https://github.com/Jancsg/RAE-Red-Team-Automation-Engine.git
cd RAE-Red-Team-Automation-Engine
pip3 install -r requirements.txt
pip install -e .cp .env.example .env
# Edit .env with AWS keys, Telegram tokens, etc.
# IMPORTANT: Set RAE_CLIENT_NAME to match your client name (e.g., "example-client")cp terraform/lite/terraform.tfvars.example terraform/lite/terraform.tfvars
# Edit terraform.tfvars and set client_name (e.g., "example-client")
# Set certificate_arn and sliver_domain (see docs/DEPLOYMENT.md)# IMPORTANT: Use the SAME client_name everywhere:
# - terraform.tfvars: client_name = "example-client"
# - .env: RAE_CLIENT_NAME=example-client
# - CLI: --client=example-client
rae deploy --client="example-client" --tracks="ops,recon" --duration="14d"rae recon launch --client="example-client" --target="example.com" --nodes=5 --profile="balanced"
rae recon status --client="example-client"
rae recon report --client="example-client" --format="json"rae destroy --client="example-client" --forceREA/
├── rae/ # Python CLI and tracks
├── ansible/ # Configuration management
├── terraform/lite/ # Infrastructure as code
├── scripts/ # Deploy, destroy, Lambda, orchestration
├── recon/profiles/ # Recon profiles (fast, balanced, thorough)
├── ghost-payload/ # Custom implants (Android agent, etc.)
└── docs/ # Documentation
| Command | Description |
|---|---|
rae deploy --client=NAME [--tracks=ops,recon] [--duration=14d] |
Deploy infrastructure |
rae recon launch --client=NAME --target=DOMAIN [--nodes=5] [--profile=balanced] |
Launch recon |
rae recon status --client=NAME |
Check recon status |
rae recon report --client=NAME [--format=json|csv|html] |
Get recon report |
rae destroy --client=NAME [--force] |
Destroy infrastructure |
| Profile | Duration | Nodes | Use case |
|---|---|---|---|
fast |
~10 min | 1-2 | Quick surface scan |
balanced |
~30 min | 3-5 | Full asset inventory (default) |
thorough |
~60 min | 5-10 | Deep recon |
| Script | Description |
|---|---|
./scripts/deploy.sh --client=NAME |
Deploy via shell |
./scripts/destroy.sh --client=NAME --force |
Destroy via shell |
./scripts/shred_data.sh --client=NAME |
Shred local sensitive data |
./check.sh |
Validate project integrity |
- Deployment Guide
- Recon Usage
- Architecture
- OPSEC
- Troubleshooting
- Android Agent — Guía del operador para el agente Android (Battery & Telecom Service)
- Flipper Zero → Android — Scripts BadUSB para objetivos Android
- Web Payloads — Phishing, autofill abuse, fingerprint (BrowserLeaks-style)
- Payloads Overview — Vista general de todos los vectores
- Windows Payloads — Loader, Sliver, Flipper → Windows
For production deployment, set in terraform.tfvars:
- certificate_arn – ACM certificate ARN for your domain
- sliver_domain – C2 domain (e.g.
c2.example.com)
Leaving these empty will cause Terraform to fail when creating Route53/ACM resources.
RAE is for authorized security testing and research only. Obtain proper authorization before use. The authors are not responsible for misuse.
MIT