The increasing ubiquity of digital systems in daily life has significantly expanded the attack surface for cyber threats, demanding new tools and methodologies for efective defense. Traditional security practices are no longer suficient in the face of evolving and sophisticated cyberattacks. Therefore, this paper introduces Red Team Knife (RTK), a tool designed to support cybersecurity education and practice by guiding users-both novices and experts-through structured penetration testing activities aligned with the Cyber Kill Chain model. RTK integrates widely-used red teaming tools (e.g., Nmap, Sqlmap, theHarvester) within a user-friendly graphical interface built on the MVC paradigm. It provides contextual guidance and execution support to enhance usability and streamline pentesting workflows. The tool was tested on vulnerable virtual machines (XVWA and OWASP BWA), demonstrating its ability to identify security flaws, assist users with targeted hints, and maintain a persistent knowledge base through result saving and restoration features. RTK represents a valuable contribution to cybersecurity training and operational eficiency. Providing a guided, modular, and extensible environment for penetration testing improves educational outcomes and real-world security assessments.
It is undeniable that the ubiquity of computer systems in our daily lives has created new challenges for
security professionals [
In this dynamic scenario, knowledge of the available ’tools’ becomes critical. Computer security
professionals must be able to use a wide range of tools and technologies to protect data and digital
infrastructures efectively [
This research work aims to provide a set of tools that are accessible to both novices and experts performing computer system security testing, to ensure a more uniform and consistent workflow,
CEUR
ceur-ws.org similar to being guided by a ’compass’. The efectiveness of this ’Red Team Knife’ will be tested by pentesting a real platform to produce a security report that identifies any existing vulnerabilities and associated risks.
The Cyber Kill Chain model, originally developed to analyze cyber threats, consists of seven stages:
Reconnaissance, Weaponization, Delivery, Exploit, Installation, Command & Control, and Actions
[
Seven phases are defined in the cyber kill chain [ 11]: 1. Reconnaissance. The attacker gathers information about the target, such as vulnerabilities, system configurations, and user details, to plan the attack. 2. Weaponization. Malicious tools are created by the attacker, like malware or ransomware, to exploit the identified vulnerabilities. 3. Delivery. The malicious payload is delivered to the target, often through phishing emails, malicious links, or exploiting software vulnerabilities. 4. Exploitation. The malicious code is executed on the target system, exploiting the vulnerabilities to gain unauthorized access. 5. Installation. Malware or other malicious components are installed on compromised systems. 6. Command and Control (C2). The attacker establishes communication channels to control compromised systems and execute their plans. 7. Actions on Objectives. The attacker achieves their goals, such as data theft, system disruption, or ifnancial gain.
A penetration test (or pentest) is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. The pentest is performed to identify weaknesses or vulnerabilities, including the potential for unauthorized parties to gain access to the system’s features and data. Thus enabling a comprehensive risk assessment to be carried out.
Red Team Knife1 serves as an interface to a range of valuable red teaming tools (Figure 1), including: Nmap, Nmap vulnerability scanner, Feroxbuster, theHarvester, Dig, w4af, SMTP Email spoofer, Commix, Sqlmap. Therefore, the aim of Red Team Knife (RTK) is to provide a set of tools accessible experts and non-experts in cybersecurity activities performing security inspections on systems. It is evident that, despite the wide availability of accessible tools for penetration testing, there is a lack of a platform that provides comprehensive and structured support to perform a security analysis. Indeed, existing platforms are not yet well-established, or are only specialised in certain areas.
Therefore, the idea behind RED Team Knife emerged from the need to have a guideline during penetration testing activities. Despite the wide availability of publicly accessible tools, there is a lack of a platform that provides complete and structured support for conducting a security analysis. The existing platforms are either not yet established or are only specialised in certain areas. The aim of
‘Red Team Knife’ is, therefore, to provide an organic and interconnected set of tools, which intelligently guides the pentester during use.
These features can be useful both for those who are approaching the discipline of computer security for the first time, often in need of useful indications that are dificult to find immediately from other sources, and for those who already have experience in the field and simply want an improvement in their workflow, which can be greatly enhanced and extended with an efective graphic interface. The tool is designed to guide the user through the steps of the Cyber Kill Chain.
Finally, Red Team Knife aims to ofer the possibility of saving and restoring, without excessive efort, the scans performed, so as to conduct an all-round analysis of the system concerned, keeping the results in a cohesive knowledge base.
RTK provides guidelines in the execution of penetration testing with respect to the phases of the Cyber Kill Chain. The tools made available to the user have been linked by providing useful hints proposing a possible continuation after a satisfactory result has been found. It is important to note that the w4af tool can make the user ’backtrack’ to the use of Dig. This is because the tool provides useful information for both reconnaissance and weaponisation (Figure 2).
The adopted architectural paradigm is inspired by the MVC (Model-View-Controller) pattern, which comprises three principal components: Model, View and Controller. The Model is responsible for encapsulating the domain-specific structure and implementing the application functionality, i.e. the state and operations that can change the state, using an Observer pattern. The Model also maintains dependencies with the Controller and the View, which notifies of the change of state. The View is responsible for presenting information via a graphical interface, and when the information contained in the View undergoes an update by the responsible Model, the View receives a notification and will change its representation appropriately. Finally, the Controller is responsible for responding to actions that the user performs on the graphical interface.
In particular, the general operating principle of the application is based on the encapsulation of the tools by a controller, which manages the execution, locking and retrieval of the results.
Most of the included tools have command-line interfaces whose results, provided on standard output, are dificult to examine and de-serialise. To overcome this problem, the possibility of saving the results of the tool’s execution to a file was exploited, which we refer to in our context as temp_file . The operation of the controller is thus as follows: receives an execution request in which target and options are specified; creates the command to be executed by formatting the options correctly; initialises a thread instance in which to execute a command with subprocessṖopen(); communicates with the thread to report any required stops; retrieves data from the temp_file that the command generated and stores it appropriately.
Preliminary testing of the system’s operation was carried out using XVWA2 and the OWASP Broken Web Applications project3, by means of some virtual machines available online.
XVWA, an acronym for Xtreme Vulnerable Web Application, is a web application developed in PHP/MySQL with intentional vulnerabilities. It was specially designed to help computer security beginners in their learning. The ‘Live ISO’ version was used to start a virtual machine and use the service.
Both target machines were used for testing the integrated tools. Below is an example of the results of the vulnerability scan on XVWA with Nmap.
The SQL Injection section of XVWA makes it possible to clearly identify the parameter and type of request required to execute the attack. Below is an example of a hint command for running a shell via SQLMap (Figure 4).
The OS Command Injection section of XVWA has the same features as mentioned above, so it is an excellent target on which to test the tool’s operation (Figure 5).
The Red Team Knife (RTK) is designed to provide both beginners and experienced professionals in cybersecurity with an accessible, structured, and integrated set of tools for penetration testing. It enhances the penetration testing workflow by ofering guidance along the Cyber Kill Chain, supports
saving/restoring results, and wraps command-line tools in a more user-friendly interface using an MVC-based architecture.
Preliminary experimentation on known vulnerable platforms (like XVWA and OWASP BWA) demonstrated its usefulness in identifying vulnerabilities and guiding users through exploitation steps.
Overall, RTK aims to support cybersecurity education and practice by acting as a compass for efective and educational penetration testing activities.
This work was partially supported by the following projects: SERICS - “Security and Rights in the CyberSpace - SERICS” (PE00000014) under the MUR National Recovery and Resilience Plan funded by the European Union - NextGenerationEU; Accordo Quadro CrASte - “Cyber Academy for Security and Intelligence”.
Computational Collective Intelligence, Springer International Publishing, Cham, 2019, pp. 406–416. [10] T. Yadav, A. M. Rao, Technical aspects of cyber kill chain, in: J. H. Abawajy, S. Mukherjea, S. M. Thampi, A. Ruiz-Martínez (Eds.), Security in Computing and Communications, Springer International Publishing, Cham, 2015, pp. 438–452. [11] E. M. Hutchins, M. J. Cloppert, R. M. Amin, et al., Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains, Leading Issues in Information Warfare & Security Research 1 (2011) 80.