JSPM

pentesting

0.2.2
  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 1399
  • Score
    100M100P100Q107435F
  • License MIT

Autonomous Penetration Testing AI Agent

Package Exports

  • pentesting
  • pentesting/dist/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (pentesting) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

Pentesting

🎯 DEF CON-level Autonomous Penetration Testing AI Agent

Pentesting Logo

npm version Docker

✨ Features

  • 7-Phase Attack Workflow: Recon β†’ Scan β†’ Enum β†’ Vuln Analysis β†’ Exploitation β†’ PrivEsc β†’ Reporting
  • 9 Specialized Agents: Built-in experts for each security domain
  • Ralph Loop: Autonomous iteration until objective is achieved
  • Streaming Responses: Real-time output from Claude
  • Session Persistence: Save/resume pentesting sessions
  • Tool Approval: Manual confirmation for dangerous commands
  • MCP Integration: Extend with Model Context Protocol tools
  • Docker Toolkit: 50+ pre-installed pentesting tools

Quick Start

Install

npm install -g pentesting

Configure

# Required: API Key (either works)
export PENTEST_API_KEY=your_api_key
# or
export ANTHROPIC_API_KEY=your_api_key

# For other providers (GLM, OpenRouter, etc.)
export PENTEST_BASE_URL=https://your-api-endpoint.com/v1
export PENTEST_MODEL=your-model-name
export PENTEST_MAX_TOKENS=16384

Run

pentesting              # Interactive mode
pentesting --yolo       # Auto-approve all tools (dangerous!)

CLI Commands

/target <ip>        Set target
/start [objective]  Start autonomous pentest
/scan <target>      Quick enumeration
/exploit <service>  Search for exploits
/privesc [os]       Check privilege escalation vectors
/web <url>          Web application testing
/hash <hash>        Identify and crack hashes
/attack <objective> Execute attack chain
/report             Generate pentest report
/sessions           List saved sessions
/resume [id]        Resume a session
/yolo               Toggle auto-approve mode
/approve /deny      Approve/deny tool execution
/findings           Show findings
/clear              Clear screen
/exit               Exit

Built-in Agents

Agent Specialty
target-explorer Network reconnaissance, service enumeration
exploit-researcher CVE research, exploit development
privesc-master Linux/Windows privilege escalation
web-hacker OWASP Top 10, SQLi, XSS, SSRF
crypto-solver Hash cracking, cipher analysis
forensics-analyst Memory forensics, file carving
reverse-engineer Binary analysis, exploit development
attack-architect Attack strategy planning
finding-reviewer Vulnerability validation

Architecture

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                        TUI (app.tsx)                         β”‚
β”‚  - Streaming text display                                    β”‚
β”‚  - Tool approval prompts                                     β”‚
β”‚  - Session management                                        β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                          β”‚ Wire Protocol
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                 PentestingAgent (Unified)                    β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”       β”‚
β”‚  β”‚ RalphLoop    β”‚  β”‚ Streaming    β”‚  β”‚ Session      β”‚       β”‚
β”‚  β”‚ (Auto-iter)  β”‚  β”‚ Handler      β”‚  β”‚ Manager      β”‚       β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜       β”‚
β”‚                                                              β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”       β”‚
β”‚  β”‚ Context      β”‚  β”‚ Retry        β”‚  β”‚ Approval     β”‚       β”‚
β”‚  β”‚ Compaction   β”‚  β”‚ Handler      β”‚  β”‚ Manager      β”‚       β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜       β”‚
β”‚                                                              β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”       β”‚
β”‚  β”‚         AutonomousHackingAgent (Core)             β”‚       β”‚
β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”    β”‚       β”‚
β”‚  β”‚  β”‚ 9 Built-in Specialized Agents            β”‚    β”‚       β”‚
β”‚  β”‚  β”‚ (No plugins needed)                       β”‚    β”‚       β”‚
β”‚  β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    β”‚       β”‚
β”‚  β”‚  - Hook System                                    β”‚       β”‚
β”‚  β”‚  - MCP Client for Extended Tools                  β”‚       β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜       β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                          β”‚
         β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
    β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”
    β”‚ Tool    β”‚     β”‚  Bash   β”‚     β”‚   MCP   β”‚
    β”‚Executor β”‚     β”‚ Commandsβ”‚     β”‚ Servers β”‚
    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Programmatic Usage

import { PentestingAgent, PENTEST_EVENT } from 'pentesting';

const agent = new PentestingAgent({
    yoloMode: false,          // Require approval for dangerous tools
    useStreaming: true,       // Enable streaming responses
    maxIterations: 100,       // Max Ralph loop iterations
    autoSave: true,           // Auto-save session state
});

// Listen for events
agent.on(PENTEST_EVENT.FINDING, (finding) => {
    console.log(`Found: ${finding.title} (${finding.severity})`);
});

agent.on(PENTEST_EVENT.APPROVAL_NEEDED, (request) => {
    console.log(`Approval needed for: ${request.toolName}`);
    agent.approveToolCall(request.id, 'approve');
});

agent.on(PENTEST_EVENT.TEXT_DELTA, (text) => {
    process.stdout.write(text);
});

// Start pentesting
await agent.start('Get root access', '192.168.1.100');

// Or use individual commands
const scanResult = await agent.chat('/scan 10.10.10.1');
const exploitResult = await agent.chat('/exploit Apache 2.4.49');

Docker Environment

# Pull pre-built toolkit (50+ tools)
docker pull agnusdei1207/pentesting-tools:latest

# Run with host network (required for target access)
docker run -d --name pentesting-tools --network host \
  -v $(pwd)/workspace:/pentest \
  agnusdei1207/pentesting-tools:latest

# Execute tools
docker exec -it pentesting-tools nmap -sCV 10.0.0.1

MCP Integration

Extend with additional MCP servers:

const agent = new PentestingAgent();

// Add filesystem access
await agent.addMCPServer('filesystem', 'npx', [
    '-y', '@modelcontextprotocol/server-filesystem', '/'
]);

// Add custom security tools
await agent.addMCPServer('security-tools', 'docker', [
    'exec', '-i', 'pentesting-tools', '/bin/bash'
]);

Configuration

Environment Variables

Variable Description Default
PENTEST_API_KEY API key (alternative: ANTHROPIC_API_KEY) Required
PENTEST_BASE_URL API endpoint URL (for GLM, etc.) -
PENTEST_MODEL Model name claude-sonnet-4-20250514
PENTEST_MAX_TOKENS Max response tokens 16384
PENTESTING_DOCKER Force Docker execution 0
PENTESTING_CONTAINER Docker container name pentesting-tools

Project Structure

src/
β”œβ”€β”€ index.tsx              # CLI entry point
β”œβ”€β”€ cli/
β”‚   └── app.tsx            # TUI with streaming, approval, sessions
β”œβ”€β”€ core/
β”‚   β”œβ”€β”€ index.ts           # All core exports
β”‚   β”œβ”€β”€ agent/
β”‚   β”‚   β”œβ”€β”€ pentesting-agent.ts   # Unified agent
β”‚   β”‚   β”œβ”€β”€ autonomous-agent.ts   # Core agent logic
β”‚   β”‚   └── agent-orchestrator.ts # Parallel agent execution
β”‚   β”œβ”€β”€ approval/          # Tool approval system
β”‚   β”œβ”€β”€ context/           # Conversation compaction
β”‚   β”œβ”€β”€ hooks/             # Event hooks
β”‚   β”œβ”€β”€ loop/              # Ralph autonomous loop
β”‚   β”œβ”€β”€ session/           # Session persistence
β”‚   β”œβ”€β”€ streaming/         # Real-time streaming
β”‚   β”œβ”€β”€ prompts/           # System prompts
β”‚   └── tools/             # Tool definitions & executor
β”œβ”€β”€ agents/
β”‚   └── index.ts           # 9 built-in specialized agents
β”œβ”€β”€ commands/
β”‚   └── index.ts           # Built-in slash commands
β”œβ”€β”€ wire/                  # Agent-UI communication protocol
β”œβ”€β”€ mcp/                   # MCP client integration
β”œβ”€β”€ utils/                 # Retry logic, utilities
└── config/                # Constants, theme

Development

# Clone
git clone https://github.com/agnusdei1207/pentesting.git
cd pentesting

# Install
npm install

# Build
npm run build

# Dev mode
npm run dev

⚠️ Only use on systems you own or have explicit permission to test.

This tool is for authorized penetration testing and CTF competitions only. Unauthorized access to computer systems is illegal.

License

MIT