Package Exports
- pentesting
- pentesting/dist/index.js
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (pentesting) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
Pentest
Autonomous Penetration Testing AI Agent.
██████╗ ███████╗███╗ ██╗████████╗███████╗███████╗████████╗
██╔══██╗██╔════╝████╗ ██║╚══██╔══╝██╔════╝██╔════╝╚══██╔══╝
██████╔╝█████╗ ██╔██╗ ██║ ██║ █████╗ ███████╗ ██║
██╔═══╝ ██╔══╝ ██║╚██╗██║ ██║ ██╔══╝ ╚════██║ ██║
██║ ███████╗██║ ╚████║ ██║ ███████╗███████║ ██║
╚═╝ ╚══════╝╚═╝ ╚═══╝ ╚═╝ ╚══════╝╚══════╝ ╚═╝ Features
- Autonomous AI Agent: Analyzes, plans, executes tools, and interprets results automatically
- PTES Methodology: Systematic penetration testing following industry standards
- 30+ Integrated Tools: Nmap, SQLmap, Metasploit, Burp Suite, and more
- Privilege Escalation: Built-in Linux/Windows rooting techniques
- Rabbit Hole Detection: Self-reflection when stuck, tries alternative approaches
- Real-time Thinking Display: Watch the agent's thought process in TUI
Requirements
- Node.js 18+
- Anthropic API Key
- Kali Linux or macOS (for pentesting tools)
Installation
1. Clone and Install
git clone https://github.com/agnusdei1207/pentesting.git
cd pentesting
npm install2. Install SecLists and Wordlists
# SecLists (required for directory bruteforce, fuzzing, etc.)
git clone --depth 1 https://github.com/danielmiessler/SecLists.git /opt/SecLists
# Alternative: Using apt (Kali/Debian)
sudo apt install -y seclists
# RockYou wordlist (for password cracking)
sudo apt install -y wordlists
sudo gunzip /usr/share/wordlists/rockyou.txt.gz 2>/dev/null || true3. Install Pentest Tools
# Core tools
sudo apt install -y nmap masscan gobuster nikto sqlmap hydra john hashcat
# Web tools
sudo apt install -y ffuf nuclei whatweb wfuzz
# Exploitation
sudo apt install -y metasploit-framework exploitdb
# Post-exploitation
sudo apt install -y crackmapexec evil-winrm impacket-scripts chisel
# Browser automation
npm install -g playwright
npx playwright install chromium4. Set API Key
export ANTHROPIC_API_KEY="your-api-key"Build
npm run buildGlobal Installation
npm run build
npm linkNow you can run pentesting from anywhere.
Usage
Quick Start
# Interactive mode
pentesting
# With target
pentesting -t 192.168.1.1
# Auto-approve all tools (dangerous!)
pentesting --dangerously-skip-permissionsCLI Commands
| Command | Description |
|---|---|
pentesting |
Start interactive TUI |
pentesting -t <ip> |
Start with target |
pentesting --dangerously-skip-permissions |
Auto-approve all tool executions |
pentesting run <objective> |
Run single objective |
pentesting scan <target> |
Quick scan target |
Interactive Commands
| Command | Description |
|---|---|
/target <ip> |
Set target IP or hostname |
/start |
Start autonomous mode |
/start <objective> |
Start with specific objective |
/hint <text> |
Provide hint to agent |
/pause |
Pause execution |
/resume |
Resume execution |
/findings |
Show discovered vulnerabilities |
/reset |
Reset session |
Keyboard Shortcuts
| Key | Action |
|---|---|
T |
Toggle thought display |
P |
Pause |
R |
Resume |
Ctrl+C |
Exit |
Examples
# Full autonomous mode (auto-approve everything)
pentesting --dangerously-skip-permissions -t 10.10.10.5
# Run specific objective
pentesting run "Find SQL injection vulnerabilities" -t http://target.com -o report.json
# Quick vulnerability scan
pentesting scan 192.168.1.1 -s vulnAttack Phases
- Reconnaissance - OSINT, DNS, subdomain enumeration
- Scanning - Port scanning, service detection
- Enumeration - Deep service enumeration, user discovery
- Vulnerability Analysis - CVE mapping, vulnerability scanning
- Exploitation - Initial access, web attacks
- Privilege Escalation - Linux/Windows rooting
- Pivoting - Internal network discovery, tunneling
- Persistence - Backdoor installation
- Data Exfiltration - Sensitive data extraction
- Reporting - Findings documentation
Project Structure
pentesting/
├── src/
│ ├── cli/ # TUI components
│ ├── config/ # Constants, theme
│ ├── core/
│ │ ├── agent/ # Autonomous agent
│ │ ├── prompts/ # AI prompts
│ │ └── tools/ # Tool definitions
│ └── mcp/ # MCP server config
├── skills/ # Pentest skill files
└── dist/ # Build outputIntegrated Tools
| Category | Tools |
|---|---|
| Reconnaissance | nmap, masscan, rustscan, theHarvester, amass |
| Web | gobuster, ffuf, nikto, sqlmap, nuclei |
| Exploitation | metasploit, searchsploit, hydra |
| PrivEsc | linpeas, winpeas, mimikatz, bloodhound |
| Post-Exploit | chisel, impacket, crackmapexec |
Environment Variables
| Variable | Description |
|---|---|
ANTHROPIC_API_KEY |
Anthropic API key (required) |
PENTEST_MODEL |
Model override (default: claude-sonnet-4-20250514) |
Disclaimer
This tool is for authorized penetration testing and security research only.
- Always obtain written permission before testing
- Unauthorized testing is illegal
- Developers are not responsible for misuse
License
MIT License