pwn 0.5.628 → 0.5.629

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (60) hide show
  1. checksums.yaml +4 -4
  2. data/README.md +29 -21
  3. data/bin/pwn +35 -1
  4. data/bin/pwn_setup +64 -0
  5. data/documentation/AI-Integration.md +48 -9
  6. data/documentation/AWS.md +1 -1
  7. data/documentation/Agent-Tool-Registry.md +24 -0
  8. data/documentation/BurpSuite.md +4 -1
  9. data/documentation/CLI-Drivers.md +27 -10
  10. data/documentation/Configuration.md +37 -10
  11. data/documentation/Contributing.md +13 -3
  12. data/documentation/Extrospection.md +108 -98
  13. data/documentation/FFI.md +14 -2
  14. data/documentation/Fuzzing.md +3 -0
  15. data/documentation/General-PWN-Usage.md +12 -0
  16. data/documentation/Hardware.md +4 -0
  17. data/documentation/Home.md +4 -4
  18. data/documentation/How-PWN-Works.md +2 -1
  19. data/documentation/Installation.md +201 -37
  20. data/documentation/Metasploit.md +4 -1
  21. data/documentation/NmapIt.md +3 -0
  22. data/documentation/Persistence.md +5 -2
  23. data/documentation/Reporting.md +3 -0
  24. data/documentation/SDR.md +4 -0
  25. data/documentation/Skills-Memory-Learning.md +24 -11
  26. data/documentation/Swarm.md +20 -0
  27. data/documentation/Transparent-Browser.md +3 -0
  28. data/documentation/Troubleshooting.md +63 -7
  29. data/documentation/What-is-PWN.md +1 -1
  30. data/documentation/diagrams/agent-tool-registry.svg +120 -109
  31. data/documentation/diagrams/ai-integration-tool-calling.svg +76 -65
  32. data/documentation/diagrams/dot/agent-tool-registry.dot +5 -3
  33. data/documentation/diagrams/dot/ai-integration-tool-calling.dot +3 -2
  34. data/documentation/diagrams/dot/memory-skills-detailed.dot +26 -4
  35. data/documentation/diagrams/dot/overall-pwn-architecture.dot +6 -4
  36. data/documentation/diagrams/dot/persistence-filesystem.dot +4 -2
  37. data/documentation/diagrams/dot/pwn-ai-feedback-learning-loop.dot +31 -10
  38. data/documentation/diagrams/dot/swarm-multi-agent.dot +7 -1
  39. data/documentation/diagrams/extrospection-world-awareness.svg +129 -129
  40. data/documentation/diagrams/memory-skills-detailed.svg +268 -137
  41. data/documentation/diagrams/overall-pwn-architecture.svg +188 -171
  42. data/documentation/diagrams/persistence-filesystem.svg +115 -85
  43. data/documentation/diagrams/pwn-ai-feedback-learning-loop.svg +407 -255
  44. data/documentation/diagrams/sdr-radio-flow.svg +51 -51
  45. data/documentation/diagrams/swarm-multi-agent.svg +156 -119
  46. data/documentation/pwn-REPL.md +1 -0
  47. data/documentation/pwn-ai-Agent.md +50 -22
  48. data/lib/pwn/ai/agent/dispatch.rb +1 -1
  49. data/lib/pwn/ai/agent/learning.rb +1 -1
  50. data/lib/pwn/ai/agent/loop.rb +40 -0
  51. data/lib/pwn/ai/agent/metrics.rb +1 -1
  52. data/lib/pwn/config.rb +2 -2
  53. data/lib/pwn/memory_index.rb +1 -1
  54. data/lib/pwn/plugins/repl.rb +26 -2
  55. data/lib/pwn/setup.rb +563 -0
  56. data/lib/pwn/version.rb +1 -1
  57. data/lib/pwn.rb +1 -0
  58. data/spec/lib/pwn/setup_spec.rb +28 -0
  59. data/third_party/pwn_rdoc.jsonl +15 -1
  60. metadata +5 -1
@@ -442,142 +442,152 @@ extro_correlate # why did it break?
442
442
 
443
443
  ## Example questions that trigger Extrospection
444
444
 
445
- Natural-language prompts that should fire **outward** sensing (grouped by sense organ).
446
- Location-specific details use **Chicago** as the canonical city so the catalog stays
447
- portable across deployments.
448
-
449
- ### RF sense organ (`extro_rf_tune` + RF observations)
450
-
451
- - “What’s playing on 101.1 right now?”
452
- - “What’s on Q101 / 101.1 FM in Chicago?”
453
- - “Is NOAA weather radio for the Chicago area broadcasting an alert?”
454
- - “Tune 433.92 MHz and report signal strength.”
455
- - “Any ADS-B traffic near Chicago O’Hare (ORD) right now?”
456
- - “Sample RDS on 93.1 for 15 secondsstation name and radiotext?”
457
- - “Is the local Chicago 2 m repeater on 146.x active?”
458
-
459
- ### Web sense organ (`extro_watch`, `extro_verify`, `snapshot(sections: [:web])`)
460
-
461
- - “Did the vendor status page change since last check?”
462
- - “Watch https://status.example.com for DOM changes.”
463
- - “Has the bug-bounty scope page been updated?”
464
- - “What’s the weather in Chicago today?” *(live external page)*
465
- - “Fingerprint that login portal’s generator / title / tech stack.”
466
- - “Screenshot + hash https://target/app/version for drift tracking.”
445
+ Natural-language prompts that should route to **outward** sensing rather than
446
+ introspection. These are phrased the way an offensive security researcher
447
+ actually asks them mid-engagement — attack-surface discovery, zero-day
448
+ hunting, hardware/RF poking, and disclosure prep. Location-specific examples
449
+ use **Chicago** so the catalogue stays portable.
450
+
451
+ ### RF / SDR sense organ (`extro_rf_tune` + `:rf` observations)
452
+
453
+ - “Tune 433.92 MHz is the target’s garage/gate remote fixed-code or rolling?”
454
+ - “Sweep the 900 MHz ISM band near the badge reader and log anything > −40 dBFS.”
455
+ - “What’s broadcasting on 101.1 FM right now grab RDS PI/PS so we can prove SDR is live.”
456
+ - “Sample 868.3 MHz for 15 sdoes the smart-meter mesh look like Wireless M-Bus?”
457
+ - “Any ADS-B traffic squawking over the client’s campus (near ORD)?”
458
+ - “Listen on the pager band (929.x MHz) — are unencrypted POCSAG pages leaking PHI?”
459
+ - “Is the site’s DMR/TETRA handheld traffic on 462.x actually encrypted?”
460
+ - “Park on 315 MHz and tell me if the target’s TPMS / key-fob replays cleanly.”
461
+
462
+ ### Web / browser sense organ (`extro_watch`, `extro_verify`, `snapshot(sections: [:web])`)
463
+
464
+ - “Watch the target’s `/api/version` endpoint alert me the moment the build string changes.”
465
+ - “Has the vendor silently patched? Diff today’s changelog DOM against our last hash.”
466
+ - “Did the bug-bounty scope page add or drop assets since we baselined it?”
467
+ - “Fingerprint the login portal’s JS bundle — framework, version, source-map leakage.”
468
+ - “Screenshot + DOM-hash the admin panel so we can prove pre-auth state for the report.”
469
+ - “Render the CSP/`.well-known/security.txt` and tell me who to disclose to.”
470
+ - “Has the target’s TLS cert or issuer rotated since the last watch?”
467
471
 
468
472
  ### OSINT sense organ (`extro_osint`)
469
473
 
470
- - “Reverse lookup +1 312 555 1212.”
471
- - “Who is the registrant for example.com?”
472
- - “What device is FCC ID 2ABIP-ESP32?”
473
- - “Find patents related to software-defined radio receivers.”
474
- - “Pivot on username @octocat across GitHub/GitLab/Reddit.”
475
- - “Is Jane Doe listed on OpenSanctions / Wikipedia?”
476
- - “CT certs for target.acme via crt.sh.”
477
- - “ASN / BGP neighbours for 1.1.1.1.”
478
- - “Any Wayback snapshots of https://target.acme/login?”
474
+ - “Enumerate every subdomain for `*.target.tld` via CT logs (crt.sh + CertSpotter).”
475
+ - “Who owns AS-XXXXX and what netblocks does it announce — expand our in-scope ranges.”
476
+ - “Pull EPSS + CISA KEV for CVE-2024-3094 — is this worth weaponising first?”
477
+ - “What’s Shodan / GreyNoise saying about `203.0.113.10` — already mass-exploited?”
478
+ - “Decode this VIN off the fleet vehicle — what telematics head-unit ships in that trim?”
479
+ - “FCC ID `2ABIP-…` on the IoT doorbell — pull the internal photos and RF test report.”
480
+ - “MAC OUI `AC:DE:48` on the rogue AP — which vendor, and do they have default creds?”
481
+ - “Any prior litigation or SEC 8-K breach filings for `Target Corp` before we disclose?”
482
+ - “Wayback the old `/admin` path — did an earlier deploy expose a debug console?”
483
+ - “Pivot `@lead-dev` across GitHub/GitLab — hardcoded secrets in personal repos?”
479
484
 
480
- ### Serial sense organ (`extro_serial`)
485
+ ### Serial / hardware sense organ (`extro_serial`)
481
486
 
482
- - “What USB serial devices are attached?”
483
- - “Send ATI to the modem on /dev/ttyUSB0 and show the banner.”
484
- - “Talk to the Flipper / RFID reader on ttyACM and dump response hex.”
485
- - “Probe the Arduino console at 115200 8N1.”
487
+ - “What just enumerated on `/dev/ttyUSB*` when I plugged in the router’s UART header?”
488
+ - “Send `AT+GMR` to the ESP32 on `/dev/ttyUSB0` — firmware version and SDK build?”
489
+ - “Dump the boot banner at 115200 8N1 does it drop to an unauthenticated U-Boot shell?”
490
+ - “Probe the Flipper on `ttyACM0` and pull the last captured Sub-GHz raw.”
491
+ - “Talk to the smart-lock’s BLE-UART bridge and echo back whatever it volunteers.”
486
492
 
487
- ### Telecomm sense organ (`extro_telecomm`)
493
+ ### Telecomm / VoIP sense organ (`extro_telecomm`)
488
494
 
489
- - “Is BareSIP running and what is its status?”
490
- - “List SIP ports listening on this host.”
491
- - “Dial sip:echo@example.com via BareSIP.” *(OPSEC: real call)*
492
- - “Hang up the active VoIP call.”
495
+ - “Is BareSIP registered to the client’s PBX, and what codecs did it negotiate?”
496
+ - “Enumerate SIP `OPTIONS` against the exposed SBC — does it leak `User-Agent`/version?”
497
+ - “Dial the IVR at `sip:ivr@target` and record the prompt tree for the social-eng playbook.” *(OPSEC: real call)*
498
+ - “Hang up and note whether the PBX exposed internal extension ranges in the `BYE`.”
493
499
 
494
500
  ### Packet sense organ (`extro_packet`)
495
501
 
496
- - “Inventory capture-capable interfaces and tshark/tcpdump.”
497
- - “Capture 20 packets on eth0 for tcp/443 and summarise.”
498
- - “Summarise this pcap: /tmp/eng.pcap.”
499
- - “What IP conversations dominate that capture?”
502
+ - “Capture 30 s on `eth0` while I trigger the IoT hub — what does it phone home to?”
503
+ - “Summarise `/tmp/eng.pcap` top talkers, cleartext creds, weird ports.”
504
+ - “BPF `udp port 5353` — is mDNS leaking hostnames and service records on the guest VLAN?”
505
+ - “Grab 50 packets of the OT segment — Modbus/TCP or something proprietary?”
506
+ - “Do we see the camera’s RTSP creds in the clear during that capture?”
500
507
 
501
508
  ### Vision / OCR sense organ (`extro_vision`)
502
509
 
503
- - “OCR this screenshot of the login page.”
504
- - “Decode the QR code on /tmp/badge.png.”
505
- - “What languages does tesseract have installed?”
510
+ - “OCR the photo of the switch label — model, firmware, and default-cred sticker.”
511
+ - “Decode the QR on the badge printer — is that a provisioning URL with an embedded token?”
512
+ - “OCR the BIOS/BMC screenshot and pull the exact firmware build for CVE matching.”
513
+ - “Read the barcode on the HSM — serial + part number for supply-chain lookup.”
506
514
 
507
515
  ### Voice sense organ (`extro_voice`)
508
516
 
509
- - “Speak ‘engagement complete’ via TTS.”
510
- - “Transcribe /tmp/voicemail.wav.”
511
- - “What TTS/STT engines are available on this host?”
517
+ - “Transcribe `/tmp/voicemail.wav` did the helpdesk leak the temp-password format?”
518
+ - “STT the recorded IVR tree so we can grep it for extension numbers.”
519
+ - “TTS this vishing pretext to a `.wav` for the approved social-engineering call.”
520
+ - “Which STT/TTS engines are installed — can we run whisper offline on the drop box?”
512
521
 
513
522
  ### Fact-check / claim verification (`extro_verify`)
514
523
 
515
- - “Is CVE-2024-3094 still rated Critical on NVD?”
516
- - “Confirm the latest `pwn` gem on RubyGems is 0.5.x.”
517
- - “Is it true that OpenSSH 9.8p1 is the current stable?”
518
- - “Verify this claim from the advisory against the official page.”
519
- - “Does that docs page actually say what we quoted?”
524
+ - “Before I file this: does CVE-2024-3094 actually list our target’s distro package as affected?”
525
+ - “Confirm the latest upstream OpenSSH is 9.x is the target’s 8.2p1 genuinely EOL?”
526
+ - “Verify the vendor advisory URL really says ‘remote unauthenticated’ — quote it back.”
527
+ - “Is `pwn` on RubyGems still at the version we ship in the report appendix?”
528
+ - “Fact-check my claim that this library has no maintained fork — search says otherwise?”
520
529
 
521
530
  ### Threat intel (`extro_intel` ± `record:true`)
522
531
 
523
- - “Any known exploits for Apache 2.4.58?”
524
- - “Look up CVE-2025-XXXX across NVD / CIRCL / Exploit-DB.”
525
- - “What CVEs hit `libssl` in the last year?”
526
- - “Is there a public PoC for that JetBrains CVE?”
527
- - “Correlate installed nmap version against known CVEs.”
532
+ - “Any public PoC or Exploit-DB entry for the exact `nginx 1.25.3` build we bannered?”
533
+ - “Pull NVD + CIRCL for `libwebp` since 2023 — which are pre-auth RCE vs local?”
534
+ - “Cross-ref this router’s firmware components against known-exploited (KEV).”
535
+ - “What’s the newest CVE touching `Fortinet FortiOS` and is there an exploit module yet?”
536
+ - “Record everything for `Apache Struts` so `extro_correlate` can match our target stack.”
528
537
 
529
538
  ### Host / env / toolchain drift (`extro_snapshot`, `extro_drift`, `extro_stats`)
530
539
 
531
- - “Did the environment change under us since last session?”
532
- - “Take a full extrospection snapshot and show drift.”
533
- - “Is nmap / gqrx / SoapySDR still the version we expect?”
534
- - “What’s listening on this host right now?”
535
- - “Show toolchain + repo HEAD fingerprint.”
536
- - “Why did that tool start failing — world drift or operator error?” → pairs with `extro_correlate`
540
+ - “Snapshot the drop box before we start I want a defensible ‘this is what we brought’ baseline.”
541
+ - “Did anything on this attack host change overnight (kernel, nmap, listening ports)?”
542
+ - “Which offensive bins are actually present in PATH on this jump host?”
543
+ - “Is the SDR / HackRF still attached, or did the USB hub flake again?”
544
+ - “Show repo HEAD + dirty state so the finding is reproducible from a commit hash.”
537
545
 
538
546
  ### Recon memory / observations (`extro_observe`, `extro_observations`)
539
547
 
540
- - “Remember that target X bannered as nginx/1.25.3 on 443.”
541
- - “What recon findings do we have for 10.0.0.5?”
542
- - “List RF observations from today.”
543
- - “Any :web watches that changed this week?”
544
- - “Show intel hits we recorded against this product.”
548
+ - “Remember: `10.0.0.5:8443` self-signed CN leaks internal AD domain — tag `recon,pivot`.”
549
+ - “Log the RF finding: 433.92 MHz fixed-code, 24-bit, replayable — tag `rf,physical`.”
550
+ - “What have we already observed about `*.target.tld` this engagement?”
551
+ - “List every `:intel` observation still fresh so I don’t re-run the same CVE queries.”
552
+ - “Which `:web` watches flipped `changed:true` this week — silent patch candidates?”
545
553
 
546
- ### Correlation / “am I wrong or did the world move?” (`extro_correlate`)
554
+ ### Correlation “am I wrong or did the world move?” (`extro_correlate`)
547
555
 
548
- - “Cross-check recent tool failures against host/toolchain drift.”
549
- - “Did any of our recorded CVEs match installed package versions?”
550
- - “Is that failed shell call explained by missing binaries?”
551
- - “Any refuted claims that should invalidate old memory facts?”
556
+ - “My exploit stopped landing did the target’s DOM/TLS drift or did I break the payload?”
557
+ - “Cross recorded CVE intel against the versions we actually bannered on scope hosts.”
558
+ - “Are any of my `PWN::Memory` facts about this target now refuted by fresh `extro_verify` runs?”
559
+ - “Do the `nmap`/`msf` failures line up with a toolchain upgrade rather than operator error?”
560
+ - “Which watched anchors went unreachable — down-weight intel sourced from them.”
552
561
 
553
562
  ### Operational / lifecycle
554
563
 
555
- - “Enable ambient auto-extrospect after every answer.”
556
- - “Reset extrospection for a new engagement.” *(destructive)*
557
- - “How stale is the current world snapshot?”
558
- - “Toggle auto-extrospect off while we fuzz.”
564
+ - “New engagement, new client wipe extrospection so old recon doesn’t bleed into this report.” *(destructive)*
565
+ - “Turn ambient auto-extrospect **off** while I fuzz — I don’t want baseline noise per turn.”
566
+ - “How stale is our world snapshot — is it still from the pre-patch window?”
567
+ - “Re-enable auto-extrospect for the wrap-up so drift is captured in the final deliverable.”
559
568
 
560
- ### Short trigger patterns the agent should recognize
569
+ ### Short trigger patterns the agent should recognise
561
570
 
562
571
  | Pattern | Likely tools |
563
- |--------|----------------|
564
- | “What’s on MHz / FM / station” | `extro_rf_tune` |
565
- | “Reverse phone / FCC ID / patent / whois / person” | `extro_osint` |
566
- | “Serial / AT modem / ttyUSB / Flipper console” | `extro_serial` |
567
- | “SIP / VoIP / BareSIP / dial” | `extro_telecomm` |
568
- | “Capture packets / summarise pcap” | `extro_packet` |
569
- | “OCR / barcode / QR this image” | `extro_vision` |
570
- | “Speak this / transcribe that audio” | `extro_voice` |
571
- | “Did page change / watch URL” | `extro_watch` |
572
- | “Is it true that / confirm CVE / latest version” | `extro_verify` |
573
- | “Known vulns / CVE / exploit for…” | `extro_intel` |
574
- | “What changed on this host / drift” | `extro_snapshot` + `extro_drift` |
575
- | “Remember this finding about…” | `extro_observe` |
576
- | “Why did X start failing?” | `extro_correlate` + metrics/mistakes |
577
- | “Weather in Chicago / public page content” | `extro_watch` / TransparentBrowser |
572
+ |---|---|
573
+ | “tune / MHz / FM / RDS / ISM / key-fob / pager / ADS-B” | `extro_rf_tune` |
574
+ | “subdomain / CT log / ASN / whois / FCC ID / VIN / MAC OUI / EPSS / KEV / Wayback / pivot @user” | `extro_osint` |
575
+ | “UART / ttyUSB / U-Boot / AT command / Flipper / JTAG banner” | `extro_serial` |
576
+ | “SIP / PBX / IVR / BareSIP / dial / hangup” | `extro_telecomm` |
577
+ | “capture on iface / summarise pcap / mDNS / Modbus / RTSP creds” | `extro_packet` |
578
+ | “OCR sticker / decode QR / read badge / BIOS screenshot” | `extro_vision` |
579
+ | “transcribe wav / TTS pretext / whisper offline” | `extro_voice` |
580
+ | “watch URL / did the page change / silent patch / scope updated / TLS rotated” | `extro_watch` |
581
+ | “is it true that / confirm CVE / verify advisory / latest version of” | `extro_verify` |
582
+ | “known exploits for / any PoC / CVEs affecting / KEV for | `extro_intel` |
583
+ | “what changed on this host / baseline the box / SDR still attached” | `extro_snapshot` + `extro_drift` |
584
+ | “remember this finding / what did we observe about / tag it recon” | `extro_observe` / `extro_observations` |
585
+ | “why did X stop working / my fault or theirs / down-weight that source” | `extro_correlate` |
586
+ | “new engagement clean slate / stop baselining while I fuzz” | `extro_reset` / `extro_auto_toggle` |
578
587
 
579
588
  The **inward** half of the loop (Memory · Skills · Learning · Mistakes · Metrics)
580
- has a matching example catalog in [Skills, Memory & Learning](Skills-Memory-Learning.md#example-questions-that-trigger-introspection).
589
+ has a matching example catalogue in
590
+ [Skills, Memory & Learning](Skills-Memory-Learning.md#example-questions-that-trigger-introspection).
581
591
 
582
592
  **See also:** [Skills, Memory & Learning](Skills-Memory-Learning.md) ·
583
593
  [Mistakes](Mistakes.md) · [SDR](SDR.md) · [Transparent Browser](Transparent-Browser.md) · [Cron](Cron.md) · [pwn-ai Agent](pwn-ai-Agent.md)
data/documentation/FFI.md CHANGED
@@ -12,6 +12,16 @@ PWN::FFI.backends
12
12
  PWN::FFI.available?(mod: :Volk) # => true/false
13
13
  ```
14
14
 
15
+ ## Install the shared objects
16
+
17
+ ```bash
18
+ pwn setup --profile sdr # rtl-sdr · hackrf · SoapySDR · libsndfile · libusb · ffi headers
19
+ ```
20
+
21
+ `pwn setup` (the [doctor](Installation.md)) reports each `PWN::FFI` backend
22
+ as `ok` / `MISSING` and knows the correct package name on `apt` / `dnf` /
23
+ `pacman` / `brew` / `port`.
24
+
15
25
  ## Modules (`lib/pwn/ffi/*.rb`)
16
26
 
17
27
  | Module | Shared object | Role |
@@ -29,8 +39,10 @@ PWN::FFI.available?(mod: :Volk) # => true/false
29
39
  1. **Thin & optional.** Attach a minimal surface; prefer high-level Ruby wrappers
30
40
  (`Liquid.freq_demod`, `Volk.unpack_s16le`) over raw C pointers in call sites.
31
41
  2. **No install-time compile.** Use the system package (`libvolk-dev`,
32
- `libliquid-dev`, `libfftw3-dev`, `libhackrf-dev`, …). On hosts without them
33
- every `.available?` is `false` and pure-Ruby paths keep working.
42
+ `libliquid-dev`, `libfftw3-dev`, `libhackrf-dev`, …). Install them all
43
+ with **`pwn setup --profile sdr`** (see [Installation](Installation.md)).
44
+ On hosts without them every `.available?` is `false` and pure-Ruby paths
45
+ keep working.
34
46
  3. **Namespace hygiene.** `PubFFI = ::FFI` (defined once in `lib/pwn/ffi.rb`)
35
47
  avoids the `PWN::FFI` ↔ `::FFI` collision when modules `extend PubFFI::Library`.
36
48
  4. **Fallbacks in DSP.** `PWN::SDR::Decoder::DSP` probes `PWN::FFI.available?`
@@ -2,6 +2,9 @@
2
2
 
3
3
  ![Fuzzing workflow](diagrams/fuzzing-workflow.svg)
4
4
 
5
+ > **Install:** `pwn setup --profile net` — pcaprub headers · tshark ·
6
+ > tcpdump. See [Installation](Installation.md).
7
+
5
8
  ## Generate
6
9
 
7
10
  ```ruby
@@ -8,12 +8,23 @@ $ pwn --ai "scan 10.0.0.0/24 with NmapIt and summarise open services"
8
8
  $ pwn_nmap_discover_tcp_udp -t 10.0.0.0/24 -o out/ # headless driver
9
9
  ```
10
10
 
11
+ ## Check / provision this host
12
+
13
+ ```bash
14
+ $ pwn setup # doctor: which PWN:: capabilities are usable here?
15
+ $ pwn setup --profile web # install what TransparentBrowser / Burp / ZAP need
16
+ $ pwn setup --list-profiles # core · ai · web · net · db · sdr · vision · voice · exploit · hardware · full
17
+ ```
18
+
19
+ See [Installation](Installation.md) for every flag and the `PWN::Setup` API.
20
+
11
21
  ## Inside the REPL
12
22
 
13
23
  ```ruby
14
24
  PWN.help # top-level help
15
25
  PWN::Plugins.constants.sort # list all 66 plugins
16
26
  PWN::Plugins::NmapIt.help # per-plugin usage
27
+ PWN::Setup.check # capability doctor from inside the REPL
17
28
  ls PWN::Plugins::BurpSuite # Pry: list methods
18
29
  show-source PWN::SAST::SQL.scan # Pry: read the code
19
30
  history # what you've typed → copy into a driver
@@ -25,6 +36,7 @@ history # what you've typed → copy into a driver
25
36
  |---|---|
26
37
  | `pwn-ai` | Enter the agent TUI (SHIFT+ENTER = newline, ENTER = submit) |
27
38
  | `pwn-asm` | Multi-line assembly ↔ opcode workbench |
39
+ | `pwn-vault` | Decrypt → edit `~/.pwn/pwn.yaml` in `$EDITOR` → re-encrypt |
28
40
  | `pwn-ai-memory` | Inspect / edit `~/.pwn/memory.json` |
29
41
  | `pwn-ai-sessions` | List / view / delete transcripts |
30
42
  | `pwn-ai-cron` | List / run scheduled jobs |
@@ -3,6 +3,10 @@
3
3
  ![Hardware hacking](diagrams/hardware-hacking.svg)
4
4
  ![Reverse engineering](diagrams/reverse-engineering-flow.svg)
5
5
 
6
+ > **Install:** `pwn setup --profile hardware` — libusb · adb · baresip
7
+ > (Serial · BusPirate · Android · BareSIP · `extro_serial` ·
8
+ > `extro_telecomm`). See [Installation](Installation.md).
9
+
6
10
  ## Serial / Bus
7
11
 
8
12
  | Module | Use |
@@ -2,7 +2,7 @@
2
2
 
3
3
  > **PWN** (/pōn/) — an open-source offensive-security automation framework and
4
4
  > continuous-security-integration platform written in Ruby.
5
- > 66 plugins · 48 SAST rules · 90 AWS wrappers · 21 WWW drivers · 52 CLI
5
+ > 66 plugins · 48 SAST rules · 90 AWS wrappers · 21 WWW drivers · 53 CLI
6
6
  > drivers · 5 LLM engines · a self-improving multi-agent AI · one REPL.
7
7
 
8
8
  **Repo root:** `/opt/pwn` · **This wiki:** `/opt/pwn/documentation/` ·
@@ -17,9 +17,9 @@
17
17
  | [What is PWN](What-is-PWN.md) | One-paragraph elevator pitch |
18
18
  | [Why PWN](Why-PWN.md) | Design philosophy — why another framework |
19
19
  | [How PWN Works](How-PWN-Works.md) | The five layers, with the architecture diagram |
20
- | [Installation](Installation.md) | RVM, gem, `./install.sh`, first launch |
20
+ | [Installation](Installation.md) | `gem install pwn` `pwn setup` doctor/provisioner · capability profiles |
21
21
  | [General Usage](General-PWN-Usage.md) | Day-one cheat sheet |
22
- | [Configuration](Configuration.md) | `~/.pwn/config.yml` — engines, keys, agent options |
22
+ | [Configuration](Configuration.md) | `~/.pwn/pwn.yaml` (encrypted) — engines, keys, agent options · `pwn-vault` |
23
23
  | **[All Data-Flow Diagrams](Diagrams.md)** | **27 SVGs** in one scrollable page |
24
24
 
25
25
  ## 🚪 Entry Points
@@ -28,7 +28,7 @@
28
28
  |---|---|
29
29
  | [The `pwn` REPL](pwn-REPL.md) | Pry shell with the whole `PWN::` namespace pre-loaded |
30
30
  | [`pwn-ai` Autonomous Agent](pwn-ai-Agent.md) | Natural-language TUI + `pwn --ai PROMPT` one-shot |
31
- | [CLI Drivers `bin/pwn_*`](CLI-Drivers.md) | 52 headless executables for CI/CD |
31
+ | [CLI Drivers `bin/pwn_*`](CLI-Drivers.md) | 53 headless executables for CI/CD |
32
32
  | [Drivers (build your own)](Drivers.md) | Turn a REPL session into a shipped binary |
33
33
 
34
34
  ## 🤖 AI Subsystem (`PWN::AI`)
@@ -19,7 +19,8 @@ hardware).
19
19
  | `pwn` REPL | `lib/pwn/plugins/repl.rb` | Pry with `PWN::` pre-loaded + custom commands |
20
20
  | `pwn-ai` | `lib/pwn/ai/agent/loop.rb` | Agent TUI inside the REPL |
21
21
  | `pwn --ai PROMPT` | `bin/pwn` | Headless one-shot agent (CI-friendly) |
22
- | `bin/pwn_*` | 52 files | Thin OptionParser wrappers over one plugin each |
22
+ | `pwn setup` | `lib/pwn/setup.rb` · `bin/pwn_setup` | Post-install doctor + capability provisioner (also `pwn --setup[=PROFILE]`) |
23
+ | `bin/pwn_*` | 53 files | Thin OptionParser wrappers over one plugin each |
23
24
  | `PWN::Cron` | `lib/pwn/cron.rb` | Scheduled jobs → any of the above |
24
25
 
25
26
  ## L2 — AI agent core (`lib/pwn/ai/agent/`)