Reaper

Your first Operation

This guide will help you launch your first Operation for an internet based investigation on demo and testing resources maintained by Method Security. Operations are usually investigative or offensive in nature; this guide will be investigative and very basic.

Confirm Testing Environment is ready

For this guide and your other guides, we recommend creating an Environment specifically for yourself, so you can keep your tutorial data separate from production data.

See how to do so by following the Create an Environment guide.

Once created, navigate to the Reaper homepage.

Launch Reaper

Begin the Operation

  1. Select the New Operation button in the top-right corner of the screen.

  2. A new operation will launch a new workspace.

Blank Workspace

Setup the Operation

The following example depicts a internet-based reconnaissance and investigation operation of several web services:

  1. Name your Operation - <yourname>-first-tutorial-operation
  2. Select Copilot
  3. Provide a description Objective - Discover and enumerate web and network resources under wayneindustries.xyz
Set Objective

  1. Specify the Entry point:

    a. Environment - <yourname>-first-tutorial b. Access vector – Internet c. Starting points - with FQDN selected, add wayneindustries.xyz

Set Entry Point

  1. Skip Intelligence and Rules of engagement sections

  2. Select Begin Operation

Execute

  1. Run the Passive Subdomain Enumeration tool to enumerate wayneindustries.xyz’s subdomains

    a. Select Passive Subdomain Enumeration from the search box b. Hit Run

Passive Subdomain Enumeration
  1. Confirm there are AI suggestions for next steps
AI Recommendations

  1. Accept and reject some AI suggestions on next steps:

    a. If you see Port Scan as a next step, hit Run

    Accept Port Scan Step

    b. If you see Web Probe as a next step, hit Run

    Accept Web Probe Step

    c. For all other steps recommended, hit Reject

  2. Next, change into Manual mode; this is to get a feel for not having the AI provide suggestions.

Change to Manual mode
  1. Take a look at some data; click X objects found on the top-right to open up the Operation Report
View Operation Report Data

  1. Fingerprint the services found after the Port Scan

    a. After the Port Scan step, click the arrow and then select Choose next tool

    Tool after Port Scan

    b. Search for and select Service Fingerprint

    Select Service Fingerprint

    c. Click and configure the execution; adjust Optional parameter - timeout to be 5, and hit Run

    Configure Service Fingerprint

  2. Inspect the raw data and resulting Objects from Service fingerprint

    a. Click on the Service Fingerprint node

    b. Click on the Executions tab

    c. For each execution, view both the instruction and DECODED CONTENT

    Service Fingerprint Step Inspection

Iterate

This was a simple, non-intrusive, tutorial to get you familiar with some of the functionality in Operator Mode. Continue the Operation against these cloud hosted resources, start a new one against new targets (e.g. new FQDN, IP, CIDR), or Deploy and Agent and launch an Operation from an installed Access Vector.

Coming Soon

Intelligence

Operators will soon be able to upload PDFs that contain threat intelligence, adversary profiles, and detection coverage documentation to provide additional operational context.

Rules of Engagement

You’ll also be able to define the rules of engagement for AI assistants. This feature will allow you to set operational intensity, apply advanced controls, and limit operations to specific domains.