Package Exports
- pentesting
- pentesting/dist/index.js
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (pentesting) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
Pentesting
π― DEF CON-level Autonomous Penetration Testing AI Agent
β¨ Features
- 7-Phase Attack Workflow: Recon β Scan β Enum β Vuln Analysis β Exploitation β PrivEsc β Reporting
- 9 Specialized Agents: Built-in experts for each security domain
- Ralph Loop: Autonomous iteration until objective is achieved
- Streaming Responses: Real-time output from Claude
- Session Persistence: Save/resume pentesting sessions
- Tool Approval: Manual confirmation for dangerous commands
- MCP Integration: Extend with Model Context Protocol tools
- Docker Toolkit: 50+ pre-installed pentesting tools
Quick Start
Install
npm install -g pentestingConfigure
# Required: API Key (either works)
export PENTEST_API_KEY=your_api_key
# or
export ANTHROPIC_API_KEY=your_api_key
# For other providers (GLM, OpenRouter, etc.)
export PENTEST_BASE_URL=https://your-api-endpoint.com/v1
export PENTEST_MODEL=your-model-name
export PENTEST_MAX_TOKENS=16384Run
pentesting # Interactive mode
pentesting --yolo # Auto-approve all tools (dangerous!)CLI Commands
/target <ip> Set target
/start [objective] Start autonomous pentest
/scan <target> Quick enumeration
/exploit <service> Search for exploits
/privesc [os] Check privilege escalation vectors
/web <url> Web application testing
/hash <hash> Identify and crack hashes
/attack <objective> Execute attack chain
/report Generate pentest report
/sessions List saved sessions
/resume [id] Resume a session
/yolo Toggle auto-approve mode
/approve /deny Approve/deny tool execution
/findings Show findings
/clear Clear screen
/exit ExitBuilt-in Agents
| Agent | Specialty |
|---|---|
| target-explorer | Network reconnaissance, service enumeration |
| exploit-researcher | CVE research, exploit development |
| privesc-master | Linux/Windows privilege escalation |
| web-hacker | OWASP Top 10, SQLi, XSS, SSRF |
| crypto-solver | Hash cracking, cipher analysis |
| forensics-analyst | Memory forensics, file carving |
| reverse-engineer | Binary analysis, exploit development |
| attack-architect | Attack strategy planning |
| finding-reviewer | Vulnerability validation |
Architecture
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β TUI (app.tsx) β
β - Streaming text display β
β - Tool approval prompts β
β - Session management β
ββββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββββ
β Wire Protocol
ββββββββββββββββββββββββββββΌβββββββββββββββββββββββββββββββββββ
β PentestingAgent (Unified) β
β ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ β
β β RalphLoop β β Streaming β β Session β β
β β (Auto-iter) β β Handler β β Manager β β
β ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ β
β β
β ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ β
β β Context β β Retry β β Approval β β
β β Compaction β β Handler β β Manager β β
β ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ β
β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β AutonomousHackingAgent (Core) β β
β β ββββββββββββββββββββββββββββββββββββββββββββ β β
β β β 9 Built-in Specialized Agents β β β
β β β (No plugins needed) β β β
β β ββββββββββββββββββββββββββββββββββββββββββββ β β
β β - Hook System β β
β β - MCP Client for Extended Tools β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββ β
ββββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββββ
β
ββββββββββββββββββΌβββββββββββββββββ
ββββββΌβββββ ββββββΌβββββ ββββββΌβββββ
β Tool β β Bash β β MCP β
βExecutor β β Commandsβ β Servers β
βββββββββββ βββββββββββ βββββββββββProgrammatic Usage
import { PentestingAgent, PENTEST_EVENT } from 'pentesting';
const agent = new PentestingAgent({
yoloMode: false, // Require approval for dangerous tools
useStreaming: true, // Enable streaming responses
maxIterations: 100, // Max Ralph loop iterations
autoSave: true, // Auto-save session state
});
// Listen for events
agent.on(PENTEST_EVENT.FINDING, (finding) => {
console.log(`Found: ${finding.title} (${finding.severity})`);
});
agent.on(PENTEST_EVENT.APPROVAL_NEEDED, (request) => {
console.log(`Approval needed for: ${request.toolName}`);
agent.approveToolCall(request.id, 'approve');
});
agent.on(PENTEST_EVENT.TEXT_DELTA, (text) => {
process.stdout.write(text);
});
// Start pentesting
await agent.start('Get root access', '192.168.1.100');
// Or use individual commands
const scanResult = await agent.chat('/scan 10.10.10.1');
const exploitResult = await agent.chat('/exploit Apache 2.4.49');Docker Environment
# Pull pre-built toolkit (50+ tools)
docker pull agnusdei1207/pentesting-tools:latest
# Run with host network (required for target access)
docker run -d --name pentesting-tools --network host \
-v $(pwd)/workspace:/pentest \
agnusdei1207/pentesting-tools:latest
# Execute tools
docker exec -it pentesting-tools nmap -sCV 10.0.0.1MCP Integration
Extend with additional MCP servers:
const agent = new PentestingAgent();
// Add filesystem access
await agent.addMCPServer('filesystem', 'npx', [
'-y', '@modelcontextprotocol/server-filesystem', '/'
]);
// Add custom security tools
await agent.addMCPServer('security-tools', 'docker', [
'exec', '-i', 'pentesting-tools', '/bin/bash'
]);Configuration
Environment Variables
| Variable | Description | Default |
|---|---|---|
| PENTEST_API_KEY | API key (alternative: ANTHROPIC_API_KEY) | Required |
| PENTEST_BASE_URL | API endpoint URL (for GLM, etc.) | - |
| PENTEST_MODEL | Model name | claude-sonnet-4-20250514 |
| PENTEST_MAX_TOKENS | Max response tokens | 16384 |
| PENTESTING_DOCKER | Force Docker execution | 0 |
| PENTESTING_CONTAINER | Docker container name | pentesting-tools |
Project Structure
src/
βββ index.tsx # CLI entry point
βββ cli/
β βββ app.tsx # TUI with streaming, approval, sessions
βββ core/
β βββ index.ts # All core exports
β βββ agent/
β β βββ pentesting-agent.ts # Unified agent
β β βββ autonomous-agent.ts # Core agent logic
β β βββ agent-orchestrator.ts # Parallel agent execution
β βββ approval/ # Tool approval system
β βββ context/ # Conversation compaction
β βββ hooks/ # Event hooks
β βββ loop/ # Ralph autonomous loop
β βββ session/ # Session persistence
β βββ streaming/ # Real-time streaming
β βββ prompts/ # System prompts
β βββ tools/ # Tool definitions & executor
βββ agents/
β βββ index.ts # 9 built-in specialized agents
βββ commands/
β βββ index.ts # Built-in slash commands
βββ wire/ # Agent-UI communication protocol
βββ mcp/ # MCP client integration
βββ utils/ # Retry logic, utilities
βββ config/ # Constants, themeDevelopment
# Clone
git clone https://github.com/agnusdei1207/pentesting.git
cd pentesting
# Install
npm install
# Build
npm run build
# Dev mode
npm run devLegal
β οΈ Only use on systems you own or have explicit permission to test.
This tool is for authorized penetration testing and CTF competitions only. Unauthorized access to computer systems is illegal.
License
MIT