Plugins
Plugins are the core unit of work in BlackRainbow. Each plugin is a self-contained attack module that knows how to generate attack sequences for a specific domain, execute them, and grade the results.
How Plugins Work
Every plugin does two things:
- Generate -- produce attack sequences based on the target and engagement context
- Grade -- evaluate execution results with pass/fail scoring and evidence collection
```
Plugin.generate(context) → [AttackSequence, AttackSequence, ...]
        ↓
Target.execute()
        ↓
Plugin.grade(sequence, result) → GradeResult
```
When you add a plugin to your config, BlackRainbow calls generate() to create attack sequences, executes them against the target, then calls grade() to evaluate what happened. Grades feed back into the engagement context so downstream plugins can build on what was discovered.
Plugin Categories
| Category | What It Tests | Example Plugins |
|---|---|---|
| Recon | Network enumeration, service discovery, OSINT | recon, dns-enum, web-enum |
| Credential | Password attacks, hash extraction, token abuse | credential-access, kerberoast, spray |
| Web Exploit | Injection, auth bypass, API abuse | web-exploit, sqli, ssrf |
| AD Attack | Domain enumeration, Kerberos, trust abuse | ad-enum, ad-exploit, bloodhound |
| Lateral Movement | Pivoting, remote execution, session hijacking | lateral, psexec, wmi-exec |
| Privilege Escalation | Local privesc, misconfigurations, kernel exploits | privesc, suid-scan, sudo-abuse |
Listing Plugins
See what is available:
```
br plugins list
```

```
Registered Plugins
┏━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┓
┃ ID                ┃ Description                             ┃ Category  ┃
┡━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━┩
│ recon             │ Network and service enumeration         │ recon     │
│ credential-access │ Password attacks and hash extraction    │ credential│
│ web-exploit       │ Web application attack sequences        │ web       │
│ ad-enum           │ Active Directory enumeration            │ ad-attack │
│ privesc           │ Privilege escalation checks             │ privesc   │
└───────────────────┴─────────────────────────────────────────┴───────────┘
```
Using Plugins in Config
Single plugin
```yaml
plugins:
  - recon
```
Multiple plugins
```yaml
plugins:
  - recon
  - credential-access
  - web-exploit
```
With configuration
```yaml
plugins:
  - id: recon
    numTests: 5
    severity: medium
  - id: credential-access
    numTests: 10
    severity: high
    config:
      wordlist: /usr/share/wordlists/rockyou.txt
```
Plugin Selection
Plugins are selected based on two factors:
Target type. Each plugin declares which target types it supports. A web exploit plugin generates sequences for web-application targets, not network-service targets. BlackRainbow skips plugins that do not match the target type.
Engagement scope. Plugins respect scope constraints. If your config excludes certain hosts or networks, plugins will not generate sequences targeting them.
How Plugins Chain
Plugins share state through the engagement context. When the recon plugin discovers services on a host, those services are available to every plugin that runs after it.
```
recon discovers → SSH on port 22, HTTP on port 80, SMB on port 445
        ↓
credential-access → generates password attacks against SSH and SMB
        ↓
web-exploit → generates injection tests against HTTP
```
This is service accumulation. Each plugin reads what previous plugins found and generates targeted sequences. You do not need to configure this; it happens automatically.
Grading
Every plugin grades its own results. A grade includes:
| Field | Description |
|---|---|
| passed | Did this sequence achieve its objective |
| score | 0.0 to 1.0 confidence score |
| evidence | Discovered services, vulnerabilities, credentials |
| mitre_techniques | ATT&CK technique IDs |
| reasoning | Human-readable explanation of the result |
Grades accumulate across the engagement. Reports pull from the full grade history to build findings.
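The selection, chaining and grading flow described in Plugin Selection, How Plugins Chain and Grading above, as an added Python model: this is not BlackRainbow's own code, and the class names, the `hosts`/`excluded` context fields and the canned scan results are assumptions. The target-type and scope checks are where an orchestrator enforces engagement limits, so the example exercises both: an excluded host receives no sequence, and a plugin whose declared target type does not match is skipped.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hypothetical model of the generate/grade contract, plugin selection and service
# accumulation described above; names are assumptions, not BlackRainbow's real API.
GradeResult = namedtuple("GradeResult", "passed score evidence mitre_techniques reasoning")
@dataclass
class EngagementContext:
    target_type: str
    hosts: list                                   # in-scope hosts from the config
    excluded: list                                # CIDRs no plugin may ever target
    services: list = field(default_factory=list)  # accumulated (host, port, proto)
    grades: list = field(default_factory=list)    # full grade history for reports
    def in_scope(self, host):
        return not any(ip_address(host) in ip_network(c) for c in self.excluded)
class ReconPlugin:
    id, target_types = "recon", ("network",)
    def generate(self, ctx):
        return [(self.id, h) for h in ctx.hosts if ctx.in_scope(h)]
    def grade(self, seq, result):  # result: (port, proto) pairs seen on the host
        found = [(seq[1], p, proto) for p, proto in result]
        return GradeResult(bool(found), 1.0 if found else 0.0, {"services": found},
                           ["T1046"], f"{len(found)} services on {seq[1]}")
class ServicePlugin:  # consumer: one sequence per in-scope service it can test
    def __init__(self, id, target_types, wants, technique):
        self.id, self.target_types, self.wants, self.technique = id, target_types, wants, technique
    def generate(self, ctx):
        return [(self.id, h, p, proto) for h, p, proto in ctx.services
                if proto in self.wants and ctx.in_scope(h)]
    def grade(self, seq, result):  # result: True if the sequence met its objective
        return GradeResult(result, 1.0 if result else 0.0, {}, [self.technique],
                           f"{self.id} against {seq[3]} on {seq[1]}:{seq[2]}")

def run_engagement(ctx, plugins, execute):
    for plugin in plugins:
        if ctx.target_type not in plugin.target_types:
            continue  # declared target types do not match: plugin is skipped
        for seq in plugin.generate(ctx):
            grade = plugin.grade(seq, execute(seq))
            ctx.grades.append(grade)
            for svc in grade.evidence.get("services", []):  # service accumulation
                if svc not in ctx.services and ctx.in_scope(svc[0]):
                    ctx.services.append(svc)
    return ctx
# Constructed stand-in for Target.execute(): canned results, no network traffic.
SCAN = {"10.0.0.5": [(22, "ssh"), (80, "http"), (445, "smb")], "10.0.0.9": [(22, "ssh")]}
def demo():
    ctx = EngagementContext("network", ["10.0.0.5", "10.0.0.9"], ["10.0.0.8/30"])
    plugins = [ReconPlugin(), ServicePlugin("credential-access", ("network",), ("ssh", "smb"), "T1110"),
               ServicePlugin("web-exploit", ("web-application",), ("http",), "T1190")]
    return run_engagement(ctx, plugins, lambda s: SCAN.get(s[1], []) if s[0] == "recon" else False)
```

Running `demo()` yields one passed recon grade whose evidence seeds the context, two credential-access grades built from the accumulated SSH and SMB services, nothing for the excluded 10.0.0.9, and nothing from web-exploit because the target type is `network`.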
Next Steps
- Writing Custom Plugins -- build your own attack module
- Kill Chains -- combine plugins into multi-stage sequences
- Configuration -- plugin config reference