RED_HAWK: The Last PHP-Based Security Scanner Before Everyone Switched to Python

Hook

In 2017, a PHP developer built a penetration testing tool that got 3,600+ GitHub stars—then walked away forever, leaving behind a time capsule of pre-modern security reconnaissance.

Context

Before the Python ecosystem dominated security tooling with frameworks like Recon-ng and theHarvester, penetration testers faced a fragmented landscape. Running a basic reconnaissance scan meant chaining together separate utilities: whois for domain registration data, nslookup for DNS queries, curl for HTTP headers, Nmap for port scanning, and various web-based services for geolocation and SEO metrics. Each tool required different invocation patterns, output parsing logic, and dependency management.

RED_HAWK emerged in this chaotic environment as a unified PHP solution that could run on any shared hosting environment or LAMP stack without installing Python virtual environments or managing pip dependencies. For penetration testers working on Windows systems without WSL, or those needing quick reconnaissance on client servers where only PHP was available, this was genuinely valuable. The tool's author, Tuhinshubhra, designed it as an "all-in-one" reconnaissance suite specifically for the large community of PHP-comfortable developers entering security testing—people who understood $_SERVER variables better than Python's requests library.

Technical Insight

[System architecture diagram, auto-generated; rendered here as text]
CLI User Interface (Menu System, readline) -> select scan type -> Scan Orchestrator -> execute module -> HTTP Scanner (cURL requests), DNS Resolver (gethostbyname), Nmap Executor (system calls), External APIs (Moz/GeoIP), CMS/Tech Detection -> regex parsing of IP/subdomain data, port scan results and enrichment data -> Formatted CLI Output (ANSI formatted)

RED_HAWK's architecture reveals interesting decisions about orchestrating security scans in PHP. The tool implements a menu-driven CLI interface using PHP's readline() function and executes modular scan functions based on user selection. Each scan module follows a consistent pattern: accept a target URL, perform HTTP/DNS queries, parse responses with regex, and format output with ANSI color codes.

The CMS detection module demonstrates this approach clearly:

function cms_detector($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    $content = curl_exec($ch);
    curl_close($ch);
    
    // WordPress detection
    if (preg_match('/wp-content|wp-includes/i', $content)) {
        return "WordPress";
    }
    // Joomla detection
    if (preg_match('/\/components\/com_/i', $content)) {
        return "Joomla";
    }
    // Drupal detection
    if (preg_match('/sites\/default|drupal\.js/i', $content)) {
        return "Drupal";
    }
    return "Unknown CMS";
}

This regex-based fingerprinting is computationally cheap but fragile—modern CMSs with custom directory structures or minified output will evade detection. More robust approaches would check HTTP headers (X-Powered-By), parse HTML meta tags, or hash static assets like default CSS files.
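As an added example (not RED_HAWK's code), here is what that layered approach looks like in PHP 8. The function takes an already-fetched response so it runs offline, scores the X-Generator/X-Powered-By headers, the meta generator tag parsed with DOMDocument rather than regex, and the classic path patterns, and reports a confidence instead of a bare name. The header names, the weights and the sample response are assumptions constructed for the demonstration.

```php
<?php
// Added example, not RED_HAWK code: layered CMS fingerprinting that scores
// several independent signals instead of relying on a single body regex.
// Input is an already-fetched response (headers + body) so it runs offline;
// a real scanner would obtain these from curl_exec()/curl_getinfo().
// Requires PHP 8 (str_contains).

function fingerprint_cms(array $headers, string $body): array
{
    $h = array_change_key_case($headers, CASE_LOWER);   // case-insensitive lookup
    $scores = ['WordPress' => 0, 'Joomla' => 0, 'Drupal' => 0];

    // Signal 1: explicit generator headers (strongest evidence when present).
    foreach (['x-generator', 'x-powered-by'] as $name) {
        if (!isset($h[$name])) {
            continue;
        }
        $v = strtolower($h[$name]);
        if (str_contains($v, 'wordpress')) $scores['WordPress'] += 3;
        if (str_contains($v, 'joomla'))    $scores['Joomla'] += 3;
        if (str_contains($v, 'drupal'))    $scores['Drupal'] += 3;
    }

    // Signal 2: <meta name="generator"> parsed with DOMDocument, so attribute
    // order, quoting style and whitespace do not matter.
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);          // tolerate real-world HTML
    if ($body !== '' && $dom->loadHTML($body)) {
        foreach ($dom->getElementsByTagName('meta') as $meta) {
            if (strtolower($meta->getAttribute('name')) !== 'generator') {
                continue;
            }
            $v = strtolower($meta->getAttribute('content'));
            if (str_contains($v, 'wordpress')) $scores['WordPress'] += 2;
            if (str_contains($v, 'joomla'))    $scores['Joomla'] += 2;
            if (str_contains($v, 'drupal'))    $scores['Drupal'] += 2;
        }
    }
    libxml_clear_errors();

    // Signal 3: the classic path patterns, now worth a single point each
    // because themes and CDN-hosted assets can produce them on any platform.
    $paths = [
        'WordPress' => '#/wp-(content|includes)/#i',
        'Joomla'    => '#/components/com_#i',
        'Drupal'    => '#/sites/(default|all)/|drupal\.js#i',
    ];
    foreach ($paths as $cms => $re) {
        if (preg_match($re, $body)) {
            $scores[$cms] += 1;
        }
    }

    arsort($scores);
    $best = array_key_first($scores);
    $confidence = $scores[$best];
    return [
        'cms'        => $confidence > 0 ? $best : 'Unknown',
        'confidence' => $confidence,   // 0 = nothing matched, >= 3 = header evidence
        'scores'     => $scores,
    ];
}

// Constructed sample response (not captured from any real site).
$sampleHeaders = ['Content-Type' => 'text/html', 'X-Powered-By' => 'PHP/7.4'];
$sampleBody = '<html><head><meta name="generator" content="Drupal 9 (https://www.drupal.org)">'
    . '</head><body><script src="/sites/default/files/js/drupal.js"></script></body></html>';

print_r(fingerprint_cms($sampleHeaders, $sampleBody));
```

The weighting is the point: a generator header or meta tag is something the site asserts about itself, while a path match can come from a theme or a third-party asset, so it counts for less, and the returned confidence tells the operator how far to trust the label rather than collapsing everything into "WordPress" or "Unknown CMS".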

The tool's integration with external APIs shows how pre-2017 security tools handled third-party services. For Moz API integration (providing Domain Authority and Page Authority scores), RED_HAWK implements manual HMAC-SHA1 signing:

function moz_scan($url) {
    $access_id = "your-moz-access-id";
    $secret_key = "your-moz-secret-key";
    $expires = time() + 300;
    
    $string_to_sign = $access_id . "\n" . $expires;
    $signature = urlencode(base64_encode(hash_hmac('sha1', $string_to_sign, $secret_key, true)));
    
    $api_url = "http://lsapi.seomoz.com/linkscape/url-metrics/" . urlencode($url);
    $api_url .= "?Cols=103079231492&AccessID=" . $access_id;
    $api_url .= "&Expires=" . $expires . "&Signature=" . $signature;
    
    $response = file_get_contents($api_url);
    $data = json_decode($response, true);
    
    return array(
        'domain_authority' => $data['pda'],
        'page_authority' => $data['upa']
    );
}

This manual signature generation is error-prone and doesn't handle rate limiting, network failures, or API version changes. Modern tools would use official SDK libraries or at minimum, implement exponential backoff retry logic. The hardcoded API keys in source code (meant to be replaced by users) also violate basic security practices—credentials should be environment variables or configuration files excluded from version control.
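An added example, not the tool's code, of the minimum the paragraph above asks for: the same signing scheme the article quotes (AccessID, newline, Expires, HMAC-SHA1, base64), but with credentials read from the environment, a timeout on every request, and retries limited to transient failures with exponential backoff and jitter. The transport is a callable so the retry path can be driven offline with a scripted fake. The variable names MOZ_ACCESS_ID and MOZ_SECRET_KEY, the Cols value reuse, and the endpoint URL are assumptions; as the article notes, the real endpoint has since changed, so treat the URL as a placeholder. PHP 8 is assumed.

```php
<?php
// Added example, not RED_HAWK code. Keeps the article's signing format but
// moves credentials out of the source, bounds requests with a timeout, and
// retries only transient failures. Endpoint URL and env variable names are
// assumptions. Requires PHP 8 (throw as an expression).

final class RetryableFailure extends RuntimeException {}

function load_credentials(): array
{
    $id  = getenv('MOZ_ACCESS_ID');     // assumed variable names
    $key = getenv('MOZ_SECRET_KEY');
    if ($id === false || $key === false || $id === '' || $key === '') {
        throw new RuntimeException('MOZ_ACCESS_ID / MOZ_SECRET_KEY are not set');
    }
    return [$id, $key];
}

// Pure function: easy to unit-test against a known-good signature.
function sign_request(string $accessId, string $secret, int $expires): string
{
    return base64_encode(hash_hmac('sha1', $accessId . "\n" . $expires, $secret, true));
}

function build_url(string $target, string $accessId, string $secret, int $ttl = 300): string
{
    $expires = time() + $ttl;
    $query = http_build_query([           // encodes each value exactly once
        'Cols'      => '103079231492',
        'AccessID'  => $accessId,
        'Expires'   => $expires,
        'Signature' => sign_request($accessId, $secret, $expires),
    ]);
    return 'https://lsapi.seomoz.com/linkscape/url-metrics/' . rawurlencode($target) . '?' . $query;
}

// Production transport: returns [status, body]; network errors are retryable.
function curl_transport(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RetryableFailure('transport failure: ' . $err);
    }
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return [$status, $body];
}

function fetch_metrics(callable $transport, string $url, int $maxAttempts = 4, int $baseMs = 200): array
{
    for ($attempt = 1; ; $attempt++) {
        try {
            [$status, $body] = $transport($url);
            if ($status === 429 || $status >= 500) {
                throw new RetryableFailure("HTTP $status");
            }
            if ($status !== 200) {
                // 401/403 (bad key, expired signature) will not improve on retry.
                throw new RuntimeException("HTTP $status is not retryable");
            }
            $data = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
            if (!isset($data['pda'], $data['upa'])) {
                throw new RuntimeException('response lacks pda/upa fields');
            }
            return ['domain_authority' => $data['pda'], 'page_authority' => $data['upa']];
        } catch (RetryableFailure $e) {
            if ($attempt >= $maxAttempts) {
                throw $e;
            }
            // 200 ms, 400 ms, 800 ms ... plus jitter so clients do not retry in lockstep.
            usleep(($baseMs * 2 ** ($attempt - 1) + random_int(0, $baseMs)) * 1000);
        }
    }
}

// Offline demonstration with a scripted transport: timeout, then 503, then success.
$script = [
    fn(string $u) => throw new RetryableFailure('timeout'),
    fn(string $u) => [503, ''],
    fn(string $u) => [200, '{"pda": 41.2, "upa": 33.7}'],   // constructed response
];
$fake = function (string $url) use (&$script): array {
    return array_shift($script)($url);
};
print_r(fetch_metrics($fake, build_url('https://example.com/', 'demo-id', 'demo-secret'), 4, 10));
```

Separating retryable from non-retryable failures is the part worth copying: a 503 or a dropped connection deserves another attempt, while a 401 from a bad key or an expired signature only burns the rate limit if retried. In real use the last line would call load_credentials() and pass curl_transport instead of the scripted fake.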

The SQL injection scanner reveals the tool's pedagogical value and practical limitations. It tests targets by appending common SQLi payloads and checking for database error strings:

function sqli_scan($url) {
    $payloads = array("'", "')", "' OR '1'='1", "' OR '1'='1'--");
    $error_patterns = array(
        '/SQL syntax.*MySQL/i',
        '/Warning.*mysql_/i',
        '/valid MySQL result/i',
        '/PostgreSQL.*ERROR/i',
        '/Microsoft SQL Native Client error/i'
    );
    
    foreach ($payloads as $payload) {
        $test_url = $url . $payload;
        $response = @file_get_contents($test_url);
        
        foreach ($error_patterns as $pattern) {
            if (preg_match($pattern, $response)) {
                return "Possible SQL Injection vulnerability detected";
            }
        }
    }
    return "No SQL Injection vulnerability found";
}

This approach only catches the most obvious errors—production applications with proper error handling will never expose these strings. Blind SQLi (boolean-based or time-based) requires measuring response differences or timing delays, which this implementation doesn't attempt. Professional tools like sqlmap use inference techniques with hundreds of specialized payloads and database-specific syntax variations.
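What that looks like from the application side, as an added example that is part of neither the tool nor the article: two handlers for the same lookup against an in-memory SQLite database (the pdo_sqlite extension is assumed), one that concatenates input and echoes the driver error, one that binds parameters and returns only a generic message. The engine's error text differs from MySQL's, so RED_HAWK's MySQL patterns would not match it literally, but the behaviour is the one the paragraph describes. The table, rows and inputs are constructed.

```php
<?php
// Added example, not RED_HAWK code: the application-side view of what the
// error-string scanner is looking for. Both handlers run against an in-memory
// SQLite database built here (pdo_sqlite assumed); the first leaks the driver
// error to the client, the second never does.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");
    return $db;
}

// Vulnerable pattern: untrusted input concatenated into SQL and the driver's
// error message returned to the client. A stray quote produces a syntax error
// whose text is exactly the kind of signal an error-string scanner greps for.
function lookup_vulnerable(PDO $db, string $id): string
{
    try {
        $row = $db->query('SELECT name FROM users WHERE id = ' . $id)->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['name'] : 'not found';
    } catch (PDOException $e) {
        return 'Database error: ' . $e->getMessage();
    }
}

// Hardened pattern: parameter binding removes the injection, and the client
// only ever sees a generic answer; details go to the server log.
function lookup_hardened(PDO $db, string $id): string
{
    try {
        $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['name'] : 'not found';
    } catch (PDOException $e) {
        error_log('users lookup failed: ' . $e->getMessage());
        return 'not found';
    }
}

$db = make_db();
foreach (['1', "1'"] as $input) {   // constructed inputs: a valid id, then a stray quote
    printf("input %-5s vulnerable: %s\n", json_encode($input), lookup_vulnerable($db, $input));
    printf("input %-5s hardened:   %s\n", json_encode($input), lookup_hardened($db, $input));
}
```

Run it and the first handler answers the stray quote with the SQLite parser's complaint, while the second answers "not found" for both the malformed input and any other non-matching value, which is why a scanner that only looks for error strings reports nothing against an application built this way, vulnerable or not.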

RED_HAWK's subdomain enumeration uses DNS brute-forcing with a built-in wordlist, demonstrating PHP's dns_get_record() function in security contexts. For large-scale reconnaissance, modern tools query certificate transparency logs or passive DNS databases rather than brute-forcing, which is noisy and incomplete. The tool's approach works for educational purposes but would miss subdomains not in its wordlist and potentially trigger IDS alerts with excessive DNS queries.

Gotcha

The most critical limitation is abandonment. RED_HAWK's last commit was in 2017, meaning its vulnerability signatures, CMS detection patterns, and API integrations are seven years stale. WordPress vulnerabilities it checks for have long been patched, and it can't detect platforms like Webflow, Gatsby, or Next.js that didn't exist or weren't popular when development stopped. The Moz API endpoint it uses has changed—Moz now requires OAuth for authentication, making the HMAC implementation obsolete.

The tool produces no structured output. Every scan result is printed to STDOUT with ANSI color codes, making it impossible to pipe results into databases, generate reports, or integrate with CI/CD pipelines. Modern security tools output JSON or XML that downstream tools can parse. RED_HAWK expects interactive human operation—you can't automate it effectively in scripts. The SQL injection and XSS scanners generate false positives frequently because they only check for error strings, not actual exploitation. Using these findings in a professional penetration testing report without manual verification would damage credibility. Finally, the tool requires internet connectivity for most features since it doesn't cache DNS lookups, WHOIS data, or API responses, making it unusable in air-gapped or network-restricted environments where reconnaissance tools are often needed.
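An added example (not RED_HAWK code) of the structured-output piece the tool lacks: a small report object that renders the same findings as JSON for pipelines and as ANSI text for a terminal, carries a verified flag so heuristic hits such as error-string SQLi matches can be kept out of a report until confirmed, plus a helper that strips colour codes from legacy ANSI-only output. The class, the module names, the target and the findings are constructed for the demonstration; PHP 8 is assumed.

```php
<?php
// Added example, not RED_HAWK code: findings collected into a model that can
// be emitted as JSON (for databases, reports, CI) or as coloured text (for a
// human at a terminal). The "verified" flag separates confirmed findings from
// heuristic hits. Module and finding names are constructed. Requires PHP 8.

final class ScanReport
{
    private array $findings = [];

    public function __construct(private string $target) {}

    public function add(string $module, string $title, string $severity, string $evidence, bool $verified = false): void
    {
        $allowed = ['info', 'low', 'medium', 'high'];
        if (!in_array($severity, $allowed, true)) {
            throw new InvalidArgumentException('severity must be one of ' . implode(',', $allowed));
        }
        $this->findings[] = compact('module', 'title', 'severity', 'evidence', 'verified');
    }

    public function toArray(bool $verifiedOnly = false): array
    {
        $list = $verifiedOnly
            ? array_values(array_filter($this->findings, fn($f) => $f['verified']))
            : $this->findings;
        return [
            'target'       => $this->target,
            'generated_at' => gmdate('c'),
            'findings'     => $list,
        ];
    }

    public function toJson(bool $verifiedOnly = false): string
    {
        return json_encode(
            $this->toArray($verifiedOnly),
            JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR
        );
    }

    // Human-readable view; colour codes are emitted only when writing to a terminal,
    // so redirecting to a file yields plain text instead of escape sequences.
    public function toAnsi(): string
    {
        $colour = ['info' => "\033[36m", 'low' => "\033[32m", 'medium' => "\033[33m", 'high' => "\033[31m"];
        $reset = "\033[0m";
        $tty = function_exists('posix_isatty') && posix_isatty(STDOUT);
        $out = "Target: {$this->target}\n";
        foreach ($this->findings as $f) {
            $tag = strtoupper($f['severity']) . ($f['verified'] ? '' : ' (unverified)');
            $out .= $tty ? $colour[$f['severity']] . $tag . $reset : $tag;
            $out .= " [{$f['module']}] {$f['title']}: {$f['evidence']}\n";
        }
        return $out;
    }
}

// For output from tools that only ever print ANSI: strip the colour codes first.
function strip_ansi(string $s): string
{
    return preg_replace('/\x1b\[[0-9;]*m/', '', $s);
}

// Constructed findings for a placeholder target.
$report = new ScanReport('example.invalid');
$report->add('cms', 'CMS fingerprint', 'info', 'Drupal (meta generator + asset path)', true);
$report->add('sqli', 'Database error string in response', 'medium', "payload ' matched /SQL syntax.*MySQL/i", false);

echo $report->toAnsi();
echo $report->toJson(true), "\n";          // verified findings only, for the pipeline
var_dump(strip_ansi("\033[31mHIGH\033[0m finding") === 'HIGH finding');
```

The JSON view is what the CI/CD and reporting gap above calls for, and the verified flag is the answer to the false-positive problem: an unverified error-string hit can still be shown to the operator in the terminal view while being excluded from anything that feeds a client report.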

Verdict

Use if: You're learning penetration testing fundamentals and want to understand how reconnaissance tools work under the hood. The PHP source code is readable and demonstrates practical implementations of DNS queries, HTTP fingerprinting, and API authentication—valuable for understanding security concepts. It's also useful for quick, informal reconnaissance when you have PHP available but can't install Python tools.

Skip if: You need accurate vulnerability detection, current threat intelligence, or integration with modern security workflows. Professionals should use actively maintained alternatives like Recon-ng (modular Python framework with database storage), theHarvester (OSINT aggregation with 30+ sources), or WPScan (industry-standard WordPress scanner with updated vulnerability database). RED_HAWK is a historical artifact demonstrating how security tools were built before the Python ecosystem consolidated around standardized libraries—interesting to study, but unsuitable for production security assessments where accuracy and currency matter.
