npm - pentesting - Versions diffs - 0.12.13 → 0.16.2 - Mend

pentesting 0.12.13 → 0.16.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/README.md +90 -95
package/dist/main.js +3103 -0
package/package.json +13 -13
package/dist/auto-update-6CLBRLE3.js +0 -24
package/dist/chunk-3RG5ZIWI.js +0 -10
package/dist/chunk-5IKQY4A4.js +0 -134
package/dist/chunk-6IXHQS2A.js +0 -525
package/dist/chunk-AOJBE232.js +0 -457
package/dist/index.js +0 -16445
package/dist/replay-ABCV4F64.js +0 -130
package/dist/skill-2AON6M2V.js +0 -416
package/dist/update-34NDFWS3.js +0 -24
package/dist/web-search-XQYEM24B.js +0 -43
package/src/agents/specs/crypto.yaml +0 -79
package/src/agents/specs/default.yaml +0 -60
package/src/agents/specs/exploit.yaml +0 -70
package/src/agents/specs/privesc.yaml +0 -83
package/src/agents/specs/recon.yaml +0 -65
package/src/agents/specs/web.yaml +0 -73
/package/dist/{index.d.ts → main.d.ts} +0 -0

package/README.md CHANGED Viewed

@@ -1,156 +1,151 @@
 <div align="center">
 ```
-  ██████╗ ███████╗███╗   ██╗████████╗███████╗███████╗████████╗██╗███╗   ██╗ ██████╗
-  ██╔══██╗██╔════╝████╗  ██║╚══██╔══╝██╔════╝██╔════╝╚══██╔══╝██║████╗  ██║██╔════╝
+  ██████╗ ███████╗███╗   ██╗████████╗███████╗███████╗████████╗██╗███╗   ██╗ ██████╗
+  ██╔══██╗██╔════╝████╗  ██║╚══██╔══╝██╔════╝██╔════╝╚══██╔══╝██║████╗  ██║██╔════╝
   ██████╔╝█████╗  ██╔██╗ ██║   ██║   █████╗  ███████╗   ██║   ██║██╔██╗ ██║██║  ███╗
   ██╔═══╝ ██╔══╝  ██║╚██╗██║   ██║   ██╔══╝  ╚════██║   ██║   ██║██║╚██╗██║██║   ██║
   ██║     ███████╗██║ ╚████║   ██║   ███████╗███████║   ██║   ██║██║ ╚████║╚██████╔╝
-  ╚═╝     ╚══════╝╚═╝  ╚═══╝   ╚═╝   ╚══════╝╚══════╝   ╚═╝   ╚═╝╚═╝  ╚═══╝ ╚═════╝
+  ╚═╝     ╚══════╝╚═╝  ╚═══╝   ╚═╝   ╚══════╝╚══════╝   ╚═╝   ╚═╝╚═╝  ╚═══╝ ╚═════╝
   ────────────────────────────────────────────────────────────────────────────────
                   A U T O N O M O U S   S E C U R I T Y   A G E N T
 ```
-**v0.12.10 | Multi-Agent System | 50+ Security Tools**
 [![npm](https://img.shields.io/badge/npm-pentesting-red)](https://www.npmjs.org/package/pentesting)
-[![Docker](https://img.shields.io/badge/docker-kalilinux%2Fkali--rolling-blue)](https://hub.docker.com/r/kalilinux/kali-rolling)
-[![License: MIT](https://img.shields.io/badge/License-MIT-red.svg)](https://opensource.org/licenses/MIT)
 </div>
 ---
-## ⚠️ Requirements
-**This agent requires Kali Linux environment for full functionality.**
+## Quick Start
-### Option 1: Native Kali Linux (Recommended)
 ```bash
-# On Kali Linux
-sudo apt update && sudo apt install -y kali-linux-headless nodejs npm
 npm install -g pentesting
-pentesting
-```
-### Option 2: Docker with Kali Image
-```bash
-# Pull official Kali Linux image
-docker pull kalilinux/kali-rolling
-# Run with full tools
-docker run -it --rm --network host \
-  -e PENTEST_API_KEY="your_key" \
-  -e PENTEST_BASE_URL="https://api.openai.com/v1" \
-  -e PENTEST_MODEL="gpt-4-turbo" \
-  kalilinux/kali-rolling bash -c "
-    apt update && apt install -y nodejs npm kali-tools-top10 && \
-    npm install -g pentesting && \
-    pentesting
-  "
-```
+# Required environments
+export PENTEST_API_KEY="your_api_key"
+export PENTEST_BASE_URL="https://api.z.ai/api/anthropic"
+export PENTEST_MODEL="glm-4.7"
-### Option 3: Kali on WSL2 (Windows)
-```bash
-# Install Kali from Microsoft Store, then:
-sudo apt update && sudo apt install -y kali-linux-headless nodejs npm
-sudo npm install -g pentesting
 pentesting
 ```
 ---
-## Quick Start
+## Features
-```bash
-npm install -g pentesting
+### 🤖 Multi-Agent Architecture
-# requirements
-export PENTEST_API_KEY="your_api_key"
-export PENTEST_BASE_URL="https://api.z.ai/api/anthropic"
-export PENTEST_MODEL="glm-4.7"
+Autonomous penetration testing with specialized agents:
-pentesting
+```
+Orchestrator → Recon → Vuln → Exploit → Post
+                ↓         ↓        ↓       ↓
+              Web      Infra    Report
 ```
-**Note:** If a security tool is not installed, the agent will automatically attempt to install it using `apt`.
+Each agent is a simple `while(true) { think → tool → observe }` loop with:
+- **Specialized prompts** (not code)
+- **Dedicated tool sets**
+- **State slicing** for token efficiency
----
+### 🎯 CTF Expert Knowledge
+Built-in security expertise including:
+- **Essential options**: `nmap -Pn` (never forget)
+- **CVE detection**: Apache 2.4.49 → CVE-2021-41773
+- **Service-specific exploits**: Samba, VSFTPD, MS17-010
+- **Web attack vectors**: SQLi, XSS, SSRF, XXE
+- **AD infrastructure**: BloodHound, CrackMapExec
+### 🔍 Transparent Execution
+Full visibility into agent decision-making:
+```
+Orchestrator agentLoop
+│ think: "Start with reconnaissance"
+│ tool_call: delegate('recon', 'Subnet scan')
+│
+├─▶ RECON agentLoop
+│   │ tool_call: nmap -Pn 10.10.10.0/24 [confirm → y]
+│   │ observe: 3 hosts discovered
+│   │ escalate ↑: recon → vuln
+│   └─▶ return "Apache 2.4.49 found"
+│
+└─▶ VULN agentLoop
+    │ tool_call: curl --path-as-is ... [review → yes]
+    │ observe: /etc/passwd exposure confirmed
+    └─▶ return "CVE-2021-41773 Critical confirmed"
+```
-## Core Features
+### 🛡️ Safety First
-| Feature | Description |
-|---------|-------------|
-| **Multi-Agent System** | 5 specialist agents (Recon, Web, Exploit, PrivEsc, Lateral) |
-| **Autonomous Orchestration** | Strategic planning, self-diagnostics, quality gates |
-| **50+ Security Tools** | nmap, sqlmap, ffuf, gobuster, hydra, metasploit... |
-| **Auto-Install** | Missing tools are automatically installed via apt |
-| **CTF Research** | Writeup search (0xdf, IppSec), scenario-based research |
-| **Audit & Safety** | Tool execution logging, risk scoring, approval system |
+- **Scope enforcement**: Never attack outside approved targets
+- **Approval gates**: `auto` / `confirm` / `review`
+- **Audit logging**: Every action recorded
+- **Authorized users only**: No unnecessary prompt defenses
 ---
 ## TUI Commands
 ```
-/target <ip>      Set target
-/start            Start autonomous pentest
-/research <box>   Search writeups & exploits
-/findings         Show findings
-/yolo             Toggle auto-approve
-/help             Show all commands
+/target <cidr>        Set engagement scope
+/start                Start autonomous pentest
+/findings             Show all findings
+/loot                 Show credentials & sessions
+/state                Show current engagement state
+/yolo                 Toggle auto-approve mode
+/exit                 Exit session
+/help                 Show all commands
 ```
 ---
 ## Environment
-| Variable | Description |
-|----------|-------------|
-| `PENTEST_API_KEY` | API key (required) |
-| `PENTEST_BASE_URL` | Custom API endpoint |
-| `PENTEST_MODEL` | LLM model (default: claude-sonnet-4-20250514) |
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `PENTEST_API_KEY` | API key (required) | - |
+| `PENTEST_BASE_URL` | Custom API endpoint | - |
+| `PENTEST_MODEL` | LLM model | `glm-4.7` |
 ---
-## Supported Tools
+## Architecture
-The agent supports 50+ security tools. If a tool is missing, it will be installed automatically:
+```
+┌─────────────────────────────────────────────────────────────┐
+│                      Orchestrator                           │
+│  "Delegate, don't execute directly"                         │
+│  • delegate_to_agent • escalate • get_state • set_scope   │
+└────────────┬────────────────────────────────────────────────┘
+             │
+    ┌────────┼────────┬────────┬────────┬────────┐
+    │        │        │        │        │        │
+    ▼        ▼        ▼        ▼        ▼        ▼
+  Recon    Vuln   Exploit    Post     Web    Infra
+  "Info"    "Verify" "Approved" "Shell"  "Web"   "AD"
+```
-| Category | Tools |
-|----------|-------|
-| **Reconnaissance** | nmap, rustscan, masscan, subfinder, amass |
-| **Web** | ffuf, gobuster, nikto, nuclei, sqlmap, whatweb |
-| **Exploitation** | metasploit, searchsploit, msfvenom |
-| **Credential** | hydra, john, hashcat, crackmapexec |
-| **Windows/AD** | impacket-*, bloodhound, kerbrute, enum4linux |
-| **Utilities** | netcat, socat, chisel, proxychains |
+**Key principles:**
+1. Agent = `while(true) { think → tool → observe }`
+2. Agent difference = prompt + tool set (not code)
+3. Communication = danger↑ via Orchestrator, ↓ direct call
+4. All prompts get Scope + State injection
+5. Approval = `auto` | `confirm` | `review`
 ---
-## Web Research (Playwright)
-The agent includes a powerful **Playwright-based web research** engine:
-- **CAPTCHA bypass** - Headless browser avoids detection
-- **Deep search** - Follows links and extracts content
-- **Multi-source** - Google, DuckDuckGo, exploit-db, CVE databases
-- **CTF research** - Searches 0xdf, ippsec, HackTheBox writeups
-```bash
-# Features available in autonomous mode:
-# - searchGoogle(query)
-# - deepSearch(query, { depth: 2 })
-# - searchWriteups("htb box name")
-# - ctfResearch("Lame", "linux")
-```
-## Documentation
+## Issue Report
-- **[ARCHITECTURE.md](docs/ARCHITECTURE.md)** - System architecture
+**Email**: agnusdei1207@gmail.com
+**LinkedIn**: [sang-woo-park](https://www.linkedin.com/in/sang-woo-park-158685393/en)
 ---
 ## License
-MIT | ⚠️ **For authorized security testing and CTF competitions only.**
+MIT License - see [LICENSE](LICENSE) for details.