
What is Ghost Scout?

Ghost Scout is an LLM-assisted OSINT and phishing email generation tool that performs reconnaissance on target companies, finds their employees, and builds profiles for personalized emails based on public sources.
It is designed for red teamers to automate the reconnaissance and pretext generation phases of phishing campaigns.

Key Features

Domain Discovery

Add target domains and find related ones through autodiscover techniques

Email Format Detection

Identify company email patterns and DNS records

Contact Discovery

Find potential contacts/employees using Hunter.io API

Source Scraping

Scrape discovered sources for enrichment information

Profile Generation

Generate detailed employee profiles using AI

Pretext Generation

Create personalized phishing messages with AI

Real-time Updates

Get live feedback as reconnaissance and processing happens

Source Conversion

Convert HTML sources to Markdown for better LLM queries

Technologies

Ghost Scout is built with modern web technologies and AI integration:
Backend Stack:
  • Framework: Node.js with Fastify
  • Database: SQLite for data storage
  • Job Processing: Bee-Queue with Redis for background tasks
  • Real-time Updates: Socket.io for live feedback

Architecture

Application Structure

/
├── index.js                # Main application entry point
├── db/                     # SQLite database files
├── lib/                    # Library modules
│   ├── dnsQueue.js         # Queue for DNS lookups
│   ├── autodiscover.js     # Domain autodiscovery service
│   ├── hunterService.js    # Hunter.io API integration
│   ├── sourceQueue.js      # Queue for source scraping
│   ├── profileQueue.js     # Queue for profile generation
│   └── pretextQueue.js     # Queue for pretext generation
├── prompt_library/         # YAML templates for AI prompts
└── resources/              # Frontend resources
    ├── pages/              # HTML pages
    ├── js/                 # JavaScript files
    ├── css/                # CSS files
    └── images/             # Image assets

System Components

Database Schema

Ghost Scout uses SQLite with the following tables:
  • Stores target company domains with DNS records. Purpose: Track target organizations and their domain configurations
  • Tracks domains where source data is found. Purpose: Organize discovered information sources by domain
  • Stores information about target individuals (prospects). Purpose: Track discovered employees and their information
  • Contains information about URLs where target data was found. Purpose: Track the origin of scraped information for each target
  • Maps the many-to-many relationship between targets and sources. Purpose: Associate multiple sources with each target and vice versa
  • Stores LLM prompts for pretext generation. Purpose: Manage prompt templates for different phishing scenarios
  • Stores generated phishing messages. Purpose: Save and manage AI-generated phishing emails

Operational Workflow

Typical Red Team Campaign

1. Add Target Domain: Enter the target company’s domain into Ghost Scout to begin reconnaissance
2. Start Reconnaissance: Initiate automated discovery of employees and email formats through Hunter.io API
3. Scrape Sources: Ghost Scout scrapes discovered URLs to enrich contact information
4. Generate Profiles: AI generates detailed profiles for discovered contacts based on scraped data
5. Create Pretexts: AI creates personalized phishing emails tailored to each target’s profile
6. Review & Export: Review, approve, and export pretexts for use in phishing campaigns

Data Flow

Use Cases

Objective: Automate OSINT gathering for phishing campaigns
  • Discover employee names and roles at target organizations
  • Identify email formats and patterns
  • Build comprehensive profiles from public sources
  • Generate personalized pretexts at scale
  • Reduce manual reconnaissance time
Objective: Create highly targeted phishing campaigns
  • Research individual targets automatically
  • Leverage AI to create convincing pretexts
  • Personalize messages based on target profiles
  • Increase campaign success rates
  • Scale personalization across many targets
Objective: Gather intelligence for social engineering attacks
  • Identify organizational structure
  • Discover employee interests and roles
  • Find information for pretexting
  • Build rapport through personalization
  • Identify high-value targets

Job Queue System

Ghost Scout uses Redis-backed job queues for asynchronous processing:
  • DNS Queue
  • Source Queue
  • Profile Queue
  • Pretext Queue
DNS Queue. Purpose: Process DNS lookups and autodiscovery
  • Queries DNS records for target domains
  • Performs autodiscovery for related domains
  • Stores DNS configuration data

Real-time Features

Live Progress

Socket.io provides real-time updates as reconnaissance and processing tasks execute

Job Status

Monitor queue processing status and job completion in real-time

Instant Feedback

See results as they’re discovered without page refreshes

Background Processing

Continue working while long-running tasks process in the background

AI Integration

Profile Generation

Ghost Scout uses Anthropic’s Claude to generate detailed target profiles:
  • Analyzes scraped source data
  • Identifies key information about targets
  • Creates structured profiles with relevant details
  • Extracts professional information and interests
  • Provides context for pretext generation

Pretext Generation

AI-powered phishing email creation:
  • Leverages target profiles for personalization
  • Uses prompt templates from prompt_library/
  • Generates convincing, contextual pretexts
  • Adapts tone and content to target characteristics
  • Creates multiple pretext variations

Requirements

Ghost Scout requires external API keys to function fully
Required Services:
  • Hunter.io
  • Anthropic
  • Redis
  • MarkItDown-API
Hunter.io. Purpose: Contact discovery and email format detection
  • API key required for contact searches
  • Used to find employees at target companies
  • Identifies company email patterns

Detection Considerations

Ghost Scout activities can be detected by security monitoring and rate limiting

Detection Indicators

API Activity:
  • Hunter.io API queries for target domain
  • Patterns of email address enumeration
  • Bulk contact lookups
  • Rapid sequential API requests
Network Activity:
  • Web scraping of public profiles
  • Systematic URL enumeration
  • Connections to MarkItDown-API service
  • High volume of HTTP requests to target-related sites
Hunter.io Alerts:
  • Hunter.io may notify organizations when their domain is searched
  • Target companies may receive alerts about email searches
  • API usage patterns may trigger rate limiting

OPSEC Considerations

  • Use dedicated Hunter.io accounts for operations
  • Be aware that searches may alert target organizations
  • Consider rate limiting to avoid detection
  • Rotate API keys if performing multiple campaigns
  • Respect robots.txt and rate limits
  • Use appropriate user agents
  • Space out requests to avoid detection
  • Consider using proxies for source scraping
  • SQLite database contains all reconnaissance data
  • Secure database files appropriately
  • Consider encryption for sensitive campaign data
  • Regularly clean up old campaign data
  • Redis contains job queue data
  • Secure Redis instance appropriately
  • Consider isolated infrastructure for campaigns
  • Use separate instances per client/campaign

Defensive Recommendations

For Blue Teams:
  • Monitor for Hunter.io searches of your domain (they provide alerts)
  • Watch for systematic enumeration of employee emails
  • Track unusual patterns of social media profile views
  • Alert on bulk scraping of public employee profiles
  • Monitor for AI-generated phishing patterns (unusual personalization)
For Organizations:
  • Limit publicly available employee information
  • Train users to recognize personalized phishing attempts
  • Implement email authentication (SPF, DKIM, DMARC)
  • Use email security gateways with AI detection
  • Monitor for reconnaissance activities via Hunter.io
  • Educate employees about OSINT risks
  • Consider limiting public employee directories
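
One way to implement the "bulk scraping of public employee profiles" alert from the blue-team list above, as an added example that is not part of Ghost Scout or its documentation. The /team/ path prefix, the window and threshold values, and the log lines are assumptions constructed for illustration.

```javascript
// Added example (not Ghost Scout code): flag clients that request many
// distinct employee-profile pages inside a short sliding window.
// Assumptions: profiles live under /team/, logs are in Common Log Format,
// and the thresholds below are illustrative, not tuned values.
const PROFILE_PREFIX = '/team/';
const WINDOW_MS = 60_000;   // sliding window length
const MAX_DISTINCT = 4;     // distinct profiles tolerated per window

const LINE_RE = /^(\S+) \S+ \S+ \[(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})\] "(?:GET|HEAD) (\S+)/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, d, mon, y, h, mi, s, sign, oh, om, rawPath] = m;
  const month = 'JanFebMarAprMayJunJulAugSepOctNovDec'.indexOf(mon) / 3;
  if (!Number.isInteger(month)) return null;
  const offsetMs = (sign === '-' ? -1 : 1) * (oh * 60 + Number(om)) * 60_000;
  // Normalise to UTC; drop the query string so ?ref=x does not inflate counts.
  return { ip, ts: Date.UTC(y, month, d, h, mi, s) - offsetMs,
           path: rawPath.split('?')[0].toLowerCase() };
}

function findEnumerators(lines) {
  const hits = lines.map(parseLine)
    .filter(h => h && h.path.startsWith(PROFILE_PREFIX))
    .sort((a, b) => a.ts - b.ts);
  const recentByIp = new Map();  // ip -> profile hits still inside the window
  const flagged = new Map();     // ip -> most distinct profiles seen in one window
  for (const hit of hits) {
    const recent = (recentByIp.get(hit.ip) || []).filter(e => hit.ts - e.ts <= WINDOW_MS);
    recent.push(hit);
    recentByIp.set(hit.ip, recent);
    const distinct = new Set(recent.map(e => e.path)).size;
    if (distinct > MAX_DISTINCT) flagged.set(hit.ip, Math.max(distinct, flagged.get(hit.ip) || 0));
  }
  return flagged;
}

// Constructed sample log: a fast directory walk, a slow reader, a normal visitor.
const names = ['alice', 'bob', 'carol', 'dave', 'erin', 'frank'];
const pad = n => String(n).padStart(2, '0');
const SAMPLE_LOG = [
  ...names.map((n, i) => `203.0.113.7 - - [10/Mar/2025:09:00:${pad(i * 2)} +0000] "GET /team/${n} HTTP/1.1" 200 5120`),
  ...names.map((n, i) => `198.51.100.40 - - [10/Mar/2025:10:${pad(i * 2)}:00 +0000] "GET /team/${n} HTTP/1.1" 200 5120`),
  '198.51.100.23 - - [10/Mar/2025:09:00:05 +0000] "GET /team/alice?ref=home HTTP/1.1" 200 5120',
  '198.51.100.23 - - [10/Mar/2025:09:03:10 +0000] "GET /team/bob HTTP/1.1" 200 5120',
];

console.log(findEnumerators(SAMPLE_LOG)); // only the fast directory walk is flagged
```

The slow reader at 198.51.100.40 touches the same six profiles but never more than one per window, so a single short window misses it; pairing this check with a longer window and a higher threshold covers that case.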

Limitations

Be aware of the following limitations when using Ghost Scout
  • API Dependencies: Requires Hunter.io and Anthropic API keys
  • Rate Limits: Subject to API rate limits from external services
  • Data Quality: Profile quality depends on publicly available information
  • Detection Risk: Hunter.io searches may alert target organizations
  • Manual Review: Generated pretexts should be reviewed before use
  • Legal Compliance: Must be used only for authorized red team engagements

Project Status

Current Features:
  • Domain discovery and DNS enumeration
  • Contact discovery via Hunter.io
  • Source scraping and HTML to Markdown conversion
  • AI-powered profile generation
  • AI-powered pretext generation
  • Real-time updates via Socket.io
  • SQLite data storage
TODO (from project README):
  • Dockerize the application with Docker Compose
  • Page to manage prompt library
  • User/Target info on the pretexts page for manual validation
  • Add more sources for scraping
  • Add more LLM providers
  • Add more pretext templates

Disclaimer

This tool is designed for legitimate penetration testing and red teaming assessments. Always ensure compliance with privacy laws, email regulations, and terms of service of any integrated services. Use responsibly.
Legal and Ethical Use:
  • Only use for authorized red team engagements
  • Obtain proper authorization before reconnaissance
  • Respect privacy laws and regulations
  • Follow terms of service for Hunter.io and Anthropic
  • Do not use for unauthorized phishing campaigns
  • This is for personal use only and should be used responsibly and ethically
