
RED_HAWK: The PHP Pentester's Swiss Army Knife That Time Forgot


Hook

A 3,570-star penetration testing tool written entirely in PHP hasn’t been updated since 2017, yet continues to attract interest from security researchers. What made this reconnaissance scanner notable in its era?

Context

Before 2017, penetration testers often used multiple separate command-line tools for reconnaissance work, each with its own syntax and output format. RED_HAWK emerged as a unified solution to consolidate these scattered workflows. Built by developer Tuhinshubhra (R3D#@0R_2H1N), it combined information gathering, vulnerability scanning, and web crawling into a single interactive PHP CLI tool. The project targeted penetration testers who needed reconnaissance capabilities in shared hosting environments where compiling specialized tools wasn’t an option. Its pure PHP implementation meant it could run anywhere PHP was installed—a common setup on web servers in 2017. The tool gained attention for its WordPress-specific scanning modules and its unusual “Bloggers View” feature that appears to have combined security metrics with SEO data through Moz.com API integration.

Technical Insight

System architecture (auto-generated diagram; only its labels survived extraction)

Flow: User CLI Input -> Interactive Menu System (select scan type) -> one of three scan branches -> Results -> Formatted Terminal Output.

Branches as labelled in the diagram:
Basic recon: Passive Info Gathering (WHOIS, DNS, GeoIP), backed by External APIs & Services
Active tests: Active Vulnerability Scan (Port scan, SQLi detection), backed by System Utilities: nmap, curl
CMS specific: CMS-Specific Scanner (WordPress/Joomla/Drupal), backed by Version & Vuln Detection

RED_HAWK’s feature set, based on the README, reveals a tool designed to aggregate multiple reconnaissance functions into a single interface. The main entry point (rhawk.php) presents an interactive menu system for selecting scan types.

The tool offers 15+ distinct scanning capabilities, organized into categories. The Basic Scan performs fundamental reconnaissance: site title extraction, IP address identification, web server detection, CMS detection (supporting WordPress, Joomla, Drupal, and Magento), Cloudflare detection, and robots.txt scanning. According to the changelog, web server detection, CMS detection, and banner grabbing were “improved” in version 2.0.0, though specific implementation details aren’t provided in the README.
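The README does not say how the Basic Scan's detections are implemented, so the following is an added example, not RED_HAWK's own code: a minimal signature-based fingerprint of the kind a "basic scan" performs (title, server header, CMS, Cloudflare), run over constructed HTTP responses so it executes offline with no network access. The signature strings, the three sample responses and the function names are all assumptions; the point is to show why a fixed four-entry signature table recognises only what it was written for.

```php
<?php
// Added example (not RED_HAWK's code): signature-based "basic scan" fingerprinting
// over constructed responses. Signature markers and samples are assumptions.
declare(strict_types=1);

// Constructed sample responses (headers + body), as a scanner would see them
// after fetching a site's front page.
const SAMPLE_RESPONSES = [
    'wordpress-site' => [
        'headers' => ['Server' => 'nginx/1.18.0', 'X-Powered-By' => 'PHP/7.4'],
        'body'    => '<html><head><title>Demo Blog</title>'
                   . '<meta name="generator" content="WordPress 4.8" />'
                   . '<link rel="stylesheet" href="/wp-content/themes/x/style.css"></head></html>',
    ],
    'cloudflare-site' => [
        'headers' => ['Server' => 'cloudflare', 'CF-RAY' => 'constructed-ray-id-FRA'],
        'body'    => '<html><head><title>Storefront</title></head><body></body></html>',
    ],
    'headless-site' => [
        'headers' => ['Server' => 'Vercel'],
        'body'    => '<html><head><title>App</title></head><body><div id="__next"></div></body></html>',
    ],
];

// Assumed marker table covering the four platforms the README names. Anything
// built on another stack (or with these markers stripped) is simply unrecognised.
const CMS_SIGNATURES = [
    'WordPress' => ['/wp-content/', '<meta name="generator" content="WordPress'],
    'Joomla'    => ['/media/jui/', '<meta name="generator" content="Joomla!'],
    'Drupal'    => ['Drupal.settings', '<meta name="generator" content="Drupal'],
    'Magento'   => ['/skin/frontend/', 'Mage.Cookies'],
];

function extractTitle(string $body): ?string
{
    return preg_match('#<title>(.*?)</title>#is', $body, $m) ? trim($m[1]) : null;
}

function detectCms(string $body): ?string
{
    foreach (CMS_SIGNATURES as $cms => $markers) {
        foreach ($markers as $marker) {
            if (stripos($body, $marker) !== false) {
                return $cms;
            }
        }
    }
    return null; // no marker matched: the table, not the site, decides the answer
}

function detectCloudflare(array $headers): bool
{
    // Header names are case-insensitive on the wire, so normalise before lookup.
    $h = array_change_key_case($headers, CASE_LOWER);
    return strtolower($h['server'] ?? '') === 'cloudflare' || isset($h['cf-ray']);
}

function basicScan(array $response): array
{
    $h = array_change_key_case($response['headers'], CASE_LOWER);
    return [
        'title'      => extractTitle($response['body']),
        'server'     => $h['server'] ?? 'unknown',
        'cms'        => detectCms($response['body']),
        'cloudflare' => detectCloudflare($response['headers']),
    ];
}

foreach (SAMPLE_RESPONSES as $name => $response) {
    echo $name, ': ', json_encode(basicScan($response)), PHP_EOL;
}
```

Running it reports WordPress for the first sample, Cloudflare (and no CMS) for the second, and nothing at all for the third: a marker table frozen in 2017 answers "unknown" for every stack it was never taught, which is the false-negative behaviour the Gotcha section describes.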

The WordPress scanner represents one of the tool’s most developed feature sets, offering three capabilities: version detection, sensitive file crawling, and version-based vulnerability scanning. The README indicates this was added in version 2.0.0 as a new feature specifically targeting WordPress installations.

The subdomain scanner, marked as “improved” in version 2.0.0, identifies subdomains and reports both the subdomain name and its IP address. The Reverse IP Lookup extends this by identifying multiple hostnames on the same IP and attempting CMS detection on each discovered site.

RED_HAWK’s “Bloggers View” feature is architecturally interesting as it combines traditional security scanning with web analytics. According to the README, it provides HTTP response codes, site titles, Alexa rankings, Domain Authority and Page Authority (via Moz.com API integration), social links extraction, and link grabbing. Users must configure the tool with Moz.com API credentials in config.php to enable the Domain/Page Authority features—an unusual requirement for a security tool that suggests the creator envisioned serving both security professionals and content creators.

For port scanning, the README indicates RED_HAWK includes “Nmap Port Scan” functionality, suggesting integration with the Nmap tool rather than implementing TCP scanning natively in PHP. The tool also includes an “Error Based SQLi Scanner” for detecting SQL injection vulnerabilities, though the README provides no details about its methodology.

Additional features include WHOIS lookup, Geo-IP lookup, banner grabbing, DNS lookup, subnet calculator, web crawler, and MX lookup (added in v2.0.0). The README mentions a “Scan For Everything” option described as “The Old Lame Scanner,” suggesting it may be a legacy feature from earlier versions.

The tool’s architecture appears to follow a modular design, with version 2.0.0 specifically noted for separating “all scans so that you are served the amount of information you need” rather than running everything at once.

Gotcha

RED_HAWK’s most critical limitation is its abandonment. The last update (v2.0.0) was released in August 2017, meaning its vulnerability databases, CMS detection signatures, and scanning techniques are over six years outdated. Any hardcoded vulnerability data would miss every CVE published after mid-2017.

The tool’s CMS detection supports exactly four platforms according to the README: WordPress, Joomla, Drupal, and Magento. Modern frameworks and headless CMS architectures won’t be recognized. The Bloggers View’s Alexa ranking integration likely no longer functions, as Alexa’s web ranking service has been discontinued.

The README documents a significant known issue: “Scanner Stops Working After Cloudflare Detection.” The solution requires using the fix command or manually installing php-curl and php-xml modules. This suggests the tool may have compatibility issues with required PHP extensions.

The Error-Based SQL injection scanner, based on its name, likely represents outdated testing methodology that detects only obvious injection points where database errors are exposed. Modern applications typically log errors to files rather than displaying them, which would make error-based detection ineffective.
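To make the point concrete, here is an added example that is not part of RED_HAWK: a lookup written two ways against an in-memory SQLite database (constructed table and inputs), so it runs offline. The weak version splices input into the query and echoes the driver's error text into the response, which is exactly the signal an error-based scanner keys on; the hardened version binds the parameter, logs the failure server-side and returns only a generic message, so such a scanner sees nothing. Function names and messages are assumptions.

```php
<?php
// Added example (not RED_HAWK's code): error-disclosing vs hardened database
// lookup. Uses an in-memory SQLite database; table and inputs are constructed.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO users (name) VALUES ('alice')");
    return $db;
}

// Weak pattern: input spliced into SQL, driver error written into the page.
function weakLookup(PDO $db, string $id): string
{
    try {
        $rows = $db->query("SELECT name FROM users WHERE id = $id")->fetchAll(PDO::FETCH_COLUMN);
        return $rows ? implode(',', $rows) : 'no such user';
    } catch (PDOException $e) {
        // Leaks the engine and the exact parse failure to the client.
        return 'Database error: ' . $e->getMessage();
    }
}

// Hardened pattern: parameterised query; failures go to the server log and
// the client only ever sees a generic message.
function hardenedLookup(PDO $db, string $id): string
{
    try {
        $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
        return $rows ? implode(',', $rows) : 'no such user';
    } catch (PDOException $e) {
        error_log('user lookup failed: ' . $e->getMessage()); // log file, not the response
        return 'Request could not be processed';
    }
}

// Constructed inputs: a valid id and a malformed one (stray quote) that breaks the SQL.
$db = makeDb();
foreach (['1', "1'"] as $input) {
    echo "input {$input}", PHP_EOL;
    echo '  weak:     ', weakLookup($db, $input), PHP_EOL;
    echo '  hardened: ', hardenedLookup($db, $input), PHP_EOL;
}
```

For the malformed input the weak path returns the SQLite parse error verbatim while the hardened path returns "no such user" (the bound value simply matches no row); the same contrast holds with display_errors disabled and log_errors enabled in php.ini, which is the production configuration the paragraph above refers to.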

The TODO list in the README reveals unimplemented features that were never completed: a proper automatic update mechanism, additional CMS support, improved WordPress scanner with user/theme/plugin enumeration, a web-based version, XSS and LFI scanners, and improvements to the link grabber. The tool’s development appears to have stopped before these planned enhancements were implemented.

The Moz.com API integration for Bloggers View requires users to create accounts and obtain API keys, adding setup complexity and potential ongoing costs depending on Moz’s current API pricing structure.

Verdict

RED_HAWK serves as an educational resource for understanding how reconnaissance tools aggregate multiple information sources, and provides a historical snapshot of penetration testing practices from 2017. Its pure PHP implementation makes it portable to shared hosting environments, and the source code may be valuable for learning basic security scanning patterns in PHP.

However, it should not be used for professional security assessments or production penetration testing. The tool’s last update in August 2017 means its vulnerability databases are over six years outdated, guaranteeing false negatives on modern systems. Its CMS detection covers only four platforms and will miss contemporary frameworks entirely. The documented Cloudflare detection issue and reliance on potentially discontinued external APIs (Alexa ranking) further limit its reliability.

For modern security work, use actively maintained alternatives: Nuclei for vulnerability scanning with continuously updated templates, OWASP ZAP for comprehensive web application security testing, or theHarvester for current OSINT gathering. RED_HAWK belongs in the category of historical security tools—interesting for understanding the evolution of reconnaissance techniques, but unsuitable for current security practices.
