THC Scalpel - Stealth Reconnaissance Toolkit for Red Team Operations

A Tribute to The Hacker's Choice Legacy

We want to express our deepest gratitude to The Hacker's Choice (THC) - one of the oldest and most respected hacker groups in the infosec community. Since 1995, THC has been pioneering security research, developing legendary tools, and sharing knowledge with the community.

Their latest contribution, ip.thc.org, is a game-changer for reconnaissance operations. This service provides:

  • 🌐 Reverse DNS lookups across the entire internet
  • 🔎 Subdomain enumeration from massive datasets
  • 🔗 CNAME tracking for infrastructure mapping
  • 📦 Monthly bulk dumps with ~4.75 billion records

What makes it truly remarkable? It's completely free and open. No "$199/month OSINT-as-a-Service" nonsense. This is how OSINT tools should look in 2025.


🎯 Introducing THC Scalpel

THC Scalpel is our contribution to the community - a toolkit that automates reconnaissance workflows using the ip.thc.org API with advanced stealth capabilities.

⚡ Key Features

  • Reverse DNS Resolution - IP to hostname mapping for single IPs or entire subnets
  • Subdomain Discovery - Comprehensive subdomain enumeration
  • CNAME Lookup - Find domains pointing to your target
  • Bulk Operations - Parallel processing with configurable threading
  • Stealth Mode - Customizable delays and rate limiting
  • Smart Filtering - Keyword-based filtering for interesting targets (admin, dev, staging, etc.)
  • Multiple Output Formats - JSON, CSV, XML support
  • Cross-Platform - Python and PowerShell implementations

📦 What We're Open-Sourcing

For ethical and operational security reasons, we're releasing only 2 out of 4 tools from our internal toolkit:

✅ Public Release (GitHub)

  1. thc-scalpel.py - Python-based reconnaissance tool
  2. thc-scalpel.ps1 - PowerShell version for Windows environments

🔒 Private (Internal Use Only)

The following remain proprietary to hackteam.red:

  • Bulk dump analyzer - DuckDB-powered analysis of 4.75B+ records
  • Framework integration module - Metasploit, Nuclei, Amass, etc.
  • Advanced automation scripts - Custom workflows and OPSEC features

These tools are too powerful for public release and are reserved for our authorized red team engagements.


🚀 Quick Start

Python Version

# Installation
git clone https://github.com/toxy4ny/thc-scalpel
cd thc-scalpel
pip install -r requirements.txt

# Basic usage
python thc-scalpel.py -i 140.82.121.3                    # Single IP
python thc-scalpel.py -s 140.82.121.0/24                 # Subnet scan
python thc-scalpel.py -d github.com                      # Subdomain enum
python thc-scalpel.py -c pages.github.com                # CNAME lookup

# Bulk reconnaissance
python thc-scalpel.py -f targets.txt -t ip -o results.json

# Stealth mode with filtering
python thc-scalpel.py -d example.com \
    -k admin,dev,test,staging \
    --delay 2.0 \
    --threads 3 \
    -o interesting.json

PowerShell Version

# Basic usage
.\thc-scalpel.ps1 -Target "140.82.121.3" -Type rdns

# Subdomain discovery with output
.\thc-scalpel.ps1 -Target "github.com" -Type subdomain -OutputFile results.json

# Bulk operations
.\thc-scalpel.ps1 -InputFile targets.txt -Type rdns -Delay 1 -Threads 3

# Stealth mode
.\thc-scalpel.ps1 -InputFile domains.txt -Type subdomain -Stealth

🎓 Real-World Red Team Scenarios

Scenario 1: Attack Surface Expansion

# Step 1: Discover subdomains
python thc-scalpel.py -d target-company.com -o subdomains.json

# Step 2: Filter interesting targets
python thc-scalpel.py -d target-company.com \
    -k admin,dev,test,staging,api,internal \
    -o high_value_targets.json

# Step 3: Map infrastructure
python thc-scalpel.py -f high_value_targets.json -t domain -o infrastructure.json

Scenario 2: Shadow Infrastructure Discovery

# Find forgotten/legacy systems
python thc-scalpel.py -d target.com \
    -k old,legacy,backup,archive,deprecated \
    -o shadow_infra.json

# Discover dev/test environments (often poorly secured)
python thc-scalpel.py -d target.com \
    -k dev,test,staging,qa,demo,sandbox \
    -o dev_environments.json

Scenario 3: Bug Bounty Reconnaissance

# Comprehensive subdomain discovery
python thc-scalpel.py -d bugbounty-target.com -o api_results.json

# Find interesting endpoints
python thc-scalpel.py -d target.com -k api,admin,upload -o endpoints.json

# CNAME lookup for subdomain takeover opportunities
# Read the JSON file directly (no extra cat), take the hostname field of each
# "IP hostname" entry, and quote the variable so odd names cannot split the command
jq -r '.[] | .data[]' api_results.json | awk '{print $2}' | while read -r subdomain; do
    python thc-scalpel.py -c "$subdomain" -o "cname_${subdomain}.json"
done

πŸ›‘οΈ OPSEC & Stealth Considerations

Built-in Stealth Features

# Increase delays between requests
python thc-scalpel.py -f targets.txt --delay 2.0 --threads 2

# Use minimal threading
python thc-scalpel.py -f large_list.txt --threads 1 --delay 3.0

Best Practices

✅ DO:

  • Use stealth mode for sensitive engagements
  • Vary your User-Agent strings
  • Route through VPN/Tor for API requests
  • Split large target lists across multiple IPs
  • Use time-based distribution (spread over hours/days)

❌ DON'T:

  • Hammer the API without delays
  • Run bulk scans from corporate IPs
  • Use default User-Agents
  • Ignore rate limiting

📊 Output Examples

JSON Output

{
  "github.com": {
    "success": true,
    "data": [
      "140.82.121.3 github.com",
      "140.82.121.4 api.github.com",
      "140.82.121.5 assets-cdn.github.com"
    ],
    "count": 3
  }
}

CSV Output

Target,IP,Hostname
github.com,140.82.121.3,github.com
github.com,140.82.121.4,api.github.com
github.com,140.82.121.5,assets-cdn.github.com
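As an added example (not code from the tool or the original post), the following Python helper reads the per-target JSON layout shown above, applies the same hostname keyword filtering idea as the -k option, and renders the Target,IP,Hostname CSV layout; the sample input is constructed and includes a made-up failed lookup to show that success=false targets and malformed entries are skipped rather than crashing a review of your own inventory.

```python
import csv
import io
import json

# Constructed sample in the JSON layout shown above; the second target is
# a made-up failed lookup, not real tool output.
SAMPLE_JSON = """{
  "github.com": {"success": true, "count": 3, "data": [
    "140.82.121.3 github.com",
    "140.82.121.4 api.github.com",
    "140.82.121.5 assets-cdn.github.com"]},
  "example.invalid": {"success": false, "count": 0, "data": []}
}"""


def parse_results(raw):
    """Flatten the per-target JSON into (target, ip, hostname) rows.

    Entries are 'IP hostname' strings; targets with success=false add
    no rows and entries that do not split into two fields are skipped.
    """
    rows = []
    for target, result in json.loads(raw).items():
        if not result.get("success"):
            continue
        for entry in result.get("data", []):
            parts = entry.split()
            if len(parts) != 2:
                continue  # malformed entry: ignore rather than crash
            rows.append((target, parts[0], parts[1]))
    return rows


def filter_hosts(rows, keywords):
    """Keep rows whose hostname contains any keyword (case-insensitive)."""
    kws = [k.strip().lower() for k in keywords.split(",") if k.strip()]
    return [r for r in rows if any(k in r[2].lower() for k in kws)]


def to_csv(rows):
    """Render rows under the Target,IP,Hostname header of the CSV output."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Target", "IP", "Hostname"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(filter_hosts(parse_results(SAMPLE_JSON), "api,cdn")))
```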

πŸ” Legal & Ethical Use

⚠️ IMPORTANT: THC Scalpel is designed EXCLUSIVELY for:

  • ✅ Authorized penetration testing engagements
  • ✅ Bug bounty programs with explicit permission
  • ✅ Educational labs and CTF competitions
  • ✅ Analysis of your own infrastructure

Unauthorized use is illegal and punishable by law.

Before Using This Tool:

  • Ensure you have written authorization for testing
  • Verify the target is within the scope of your engagement
  • Follow all rules of engagement and legal requirements
  • Respect rate limits and terms of service

🏢 About hackteam.red

hackteam.red is a boutique offensive security firm specializing in:

  • 🎯 Advanced Persistent Threat (APT) simulation
  • 🔴 Full-spectrum Red Team operations
  • 🛡️ Purple Team exercises
  • 🔍 Security research and tool development

We maintain a private arsenal of proprietary tools for authorized client engagements. THC Scalpel represents our commitment to giving back to the community while maintaining operational security for our clients.

Interested in our services? Contact us at: b0x@hackteam.red


🤝 Contributing

While the bulk analyzer and framework integrations remain private, we welcome contributions to the public tools:

  • πŸ› Bug reports and fixes
  • πŸ“ Documentation improvements
  • ✨ Feature suggestions (within ethical boundaries)
  • 🌍 Translations

Pull requests are welcome!


πŸ™ Acknowledgments

Massive respect to:

  • The Hacker's Choice (THC) - For 30 years of legendary contributions to the security community
  • van Hauser & THC Team - For creating and maintaining ip.thc.org
  • The OSINT Community - For continuous innovation in reconnaissance techniques
  • Bug Bounty Hunters - For pushing the boundaries of ethical hacking

📄 License

THC Scalpel is released under the MIT License.

Copyright (c) 2025 hackteam.red

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

🔗 Links

- Twitter: @hackteam_red

💬 Final Thoughts

The security community thrives on knowledge sharing and collaboration. THC has exemplified this ethos for three decades, and we're honored to contribute our small part.

Remember: With great power comes great responsibility. Use these tools ethically, legally, and always with proper authorization.

Stay curious. Stay ethical. Stay sharp. 🔪


Article written by the hackteam.red offensive security research team

Special thanks to THC for inspiring a generation of security researchers


📢 Spread the Word

If you find THC Scalpel useful, please:

  • ⭐ Star the repository
  • 🔄 Share with your network
  • 💬 Provide feedback
  • 🐛 Report issues

Let's build better security tools together!
