Reaper

Your first Operation

This guide will help you launch your first Operation for an internet-based investigation using resources maintained by Method Security. Operations can be investigative or offensive in nature; this guide focuses on an investigative workflow and walks you through the basic steps to get started.

Confirm Testing Environment is ready

We recommend creating a dedicated Environment for this and other tutorials to keep your tutorial data separate from production data.

See how to do so by following the Create an Environment guide.

Once created, navigate to the Reaper homepage.

Launch Reaper

Begin the Operation

  1. Select the New Operation button in the top-right corner of the screen.

  2. A new operation will launch a new workspace.

Blank Workspace

Setup the Operation

The following example depicts a internet-based reconnaissance and investigation operation of several web services:

  1. Name your Operation - <yourname>-first-tutorial-operation
  2. Select Copilot
  3. Provide a description Objective - Discover and enumerate web and network resources under wayneindustries.xyz.
Set Objective

  1. Specify the Entry point:

    a. Environment - <yourname>-first-tutorial b. Access vector – Internet c. Starting points - with FQDN selected, add wayneindustries.xyz

Set Entry Point

  1. Skip Intelligence and Rules of engagement sections

  2. Select Begin Operation

Execute

  1. Run the Passive Subdomain Enumeration tool to enumerate wayneindustries.xyz’s subdomains.

    a. Select Passive Subdomain Enumeration from the search box

    b. Hit Run

Passive Subdomain Enumeration
  1. Confirm there are AI suggestions for next steps.
AI Recommendations

  1. Accept and reject some AI suggestions on next steps:

    a. If you see Port Scan as a next step, hit Run.

    Accept Port Scan Step

    b. If you see Web Probe as a next step, hit Run.

    Accept Web Probe Step

    c. For all other steps recommended, hit Reject.

  2. Next, change into Manual mode; this is to get a feel for not having the AI provide suggestions.

Change to Manual mode
  1. Take a look at some data; click X objects found on the top-right to open up the Operation Report.
View Operation Report Data

  1. Fingerprint the services found after the Port Scan

    a. After the Port Scan step, click the arrow and then select Choose next tool.

    Tool after Port Scan

    b. Search for and select Service Fingerprint

    Select Service Fingerprint

    c. Click and configure the execution; adjust Optional parameter - timeout to be 5, and hit Run.

    Configure Service Fingerprint

  2. Inspect the raw data and resulting Objects from Service fingerprint

    a. Click on the Service Fingerprint node

    b. Click on the Executions tab

    c. For each execution, view both the Workflow Steps, Object Found, and Signal Output.

    Service Fingerprint Step Inspection

Iterate

This was a simple, non-intrusive, tutorial to get you familiar with some of the functionality in Operator Mode. Continue the Operation against these cloud hosted resources, start a new one against new targets (e.g. new FQDN, IP, CIDR), or Deploy a Jackal and launch an Operation from an installed Access Vector.