npm - pentesting - Versions diffs - 0.52.1 → 0.53.0 - Mend

pentesting 0.52.1 → 0.53.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/main.js CHANGED Viewed

@@ -349,7 +349,7 @@ var ORPHAN_PROCESS_NAMES = [
 // src/shared/constants/agent.ts
 var APP_NAME = "Pentest AI";
-var APP_VERSION = "0.52.1";
+var APP_VERSION = "0.53.0";
 var APP_DESCRIPTION = "Autonomous Penetration Testing AI Agent";
 var LLM_ROLES = {
   SYSTEM: "system",
@@ -931,7 +931,6 @@ var DEFAULT_DIRECTIVE_FOCUS = PHASES.RECON;
 var ALLOWED_BINARIES = /* @__PURE__ */ new Set([
   // Network scanning
   "nmap",
-  "masscan",
   "rustscan",
   // Web scanning
   "ffuf",
@@ -1557,7 +1556,6 @@ function extractBinary(command) {
 import { spawn } from "child_process";
 var TOOL_PACKAGE_MAP = {
   "nmap": { apt: "nmap", brew: "nmap" },
-  "masscan": { apt: "masscan", brew: "masscan" },
   "rustscan": { apt: "rustscan", brew: "rustscan" },
   "ffuf": { apt: "ffuf", brew: "ffuf" },
   "gobuster": { apt: "gobuster", brew: "gobuster" },
@@ -1732,6 +1730,91 @@ async function installTool(toolName, eventEmitter, inputHandler) {
   });
 }
+// src/shared/utils/config.ts
+var ENV_KEYS = {
+  API_KEY: "PENTEST_API_KEY",
+  BASE_URL: "PENTEST_BASE_URL",
+  MODEL: "PENTEST_MODEL",
+  SEARCH_API_KEY: "SEARCH_API_KEY",
+  SEARCH_API_URL: "SEARCH_API_URL",
+  THINKING: "PENTEST_THINKING",
+  THINKING_BUDGET: "PENTEST_THINKING_BUDGET",
+  TOR: "PENTEST_TOR"
+};
+var DEFAULT_SEARCH_API_URL = "https://api.search.brave.com/res/v1/web/search";
+var DEFAULT_MODEL = "glm-4.7";
+function getApiKey() {
+  return process.env[ENV_KEYS.API_KEY] || "";
+}
+function getBaseUrl() {
+  return process.env[ENV_KEYS.BASE_URL] || void 0;
+}
+function getModel() {
+  return process.env[ENV_KEYS.MODEL] || "";
+}
+function getSearchApiKey() {
+  if (process.env[ENV_KEYS.SEARCH_API_KEY]) {
+    return process.env[ENV_KEYS.SEARCH_API_KEY];
+  }
+  return process.env[ENV_KEYS.API_KEY];
+}
+function getSearchApiUrl() {
+  return process.env[ENV_KEYS.SEARCH_API_URL] || DEFAULT_SEARCH_API_URL;
+}
+function isZaiProvider() {
+  const baseUrl = getBaseUrl() || "";
+  return baseUrl.includes("z.ai");
+}
+function isThinkingEnabled() {
+  return process.env[ENV_KEYS.THINKING] === "true";
+}
+function getThinkingBudget() {
+  const val = parseInt(process.env[ENV_KEYS.THINKING_BUDGET] || "", 10);
+  return isNaN(val) ? 8e3 : Math.max(1024, val);
+}
+var TOR_PROXY = {
+  /** SOCKS5 proxy host (Tor daemon listens here) */
+  SOCKS_HOST: "127.0.0.1",
+  /** SOCKS5 proxy port */
+  SOCKS_PORT: 9050,
+  /** Shell wrapper command for proxying CLI tools */
+  WRAPPER_CMD: "proxychains4",
+  /** Flags for the wrapper command (-q = quiet, no banners) */
+  WRAPPER_FLAGS: "-q"
+};
+function isTorEnabled() {
+  return process.env[ENV_KEYS.TOR] === "true";
+}
+function wrapCommandForTor(command) {
+  if (!isTorEnabled()) return command;
+  return `${TOR_PROXY.WRAPPER_CMD} ${TOR_PROXY.WRAPPER_FLAGS} ${command}`;
+}
+function getTorBrowserArgs() {
+  if (!isTorEnabled()) return [];
+  return [`--proxy-server=socks5://${TOR_PROXY.SOCKS_HOST}:${TOR_PROXY.SOCKS_PORT}`];
+}
+function validateRequiredConfig() {
+  const errors = [];
+  if (!getApiKey()) {
+    errors.push(
+      `[config] PENTEST_API_KEY is required.
+  Export it before running:
+    export PENTEST_API_KEY=your_api_key
+  For z.ai: get your key at https://api.z.ai`
+    );
+  }
+  const budgetRaw = process.env[ENV_KEYS.THINKING_BUDGET];
+  if (budgetRaw !== void 0 && budgetRaw !== "") {
+    const parsed = parseInt(budgetRaw, 10);
+    if (isNaN(parsed) || parsed < 1024) {
+      errors.push(
+        `[config] PENTEST_THINKING_BUDGET must be an integer \u2265 1024 (got: "${budgetRaw}")`
+      );
+    }
+  }
+  return errors;
+}
 // src/engine/tools-base.ts
 var globalEventEmitter = null;
 function setCommandEventEmitter(emitter) {
@@ -1801,7 +1884,8 @@ async function executeCommandOnce(command, options = {}) {
       type: COMMAND_EVENT_TYPES.COMMAND_START,
       message: `Executing: ${command.slice(0, DISPLAY_LIMITS.COMMAND_PREVIEW)}${command.length > DISPLAY_LIMITS.COMMAND_PREVIEW ? "..." : ""}`
     });
-    const child = spawn2("sh", ["-c", command], {
+    const execCommand = wrapCommandForTor(command);
+    const child = spawn2("sh", ["-c", execCommand], {
       timeout,
       env: { ...process.env, ...options.env },
       cwd: options.cwd
@@ -2118,12 +2202,13 @@ function startBackgroundProcess(command, options = {}) {
   const stderrFile = createTempFile(FILE_EXTENSIONS.STDERR);
   const stdinFile = createTempFile(FILE_EXTENSIONS.STDIN);
   const { tags, port, role, isInteractive } = detectProcessRole(command);
+  const torCommand = wrapCommandForTor(command);
   let wrappedCmd;
   if (isInteractive) {
     writeFileSync3(stdinFile, "", "utf-8");
-    wrappedCmd = `tail -f ${stdinFile} | ${command} > ${stdoutFile} 2> ${stderrFile}`;
+    wrappedCmd = `tail -f ${stdinFile} | ${torCommand} > ${stdoutFile} 2> ${stderrFile}`;
   } else {
-    wrappedCmd = `${command} > ${stdoutFile} 2> ${stderrFile}`;
+    wrappedCmd = `${torCommand} > ${stdoutFile} 2> ${stderrFile}`;
   }
   const child = spawn3("sh", ["-c", wrappedCmd], {
     detached: true,
@@ -4288,7 +4373,6 @@ var NOISE_CLASSIFICATION = {
     "dns_spoof",
     "traffic_intercept",
     "nmap",
-    "masscan",
     "nuclei",
     "nikto"
   ],
@@ -5594,69 +5678,6 @@ ${formatValidation(validation)}${rawOverride !== void 0 ? ` [confidence overridd
 // src/engine/tools/intel-utils.ts
 import { execFileSync } from "child_process";
-// src/shared/utils/config.ts
-var ENV_KEYS = {
-  API_KEY: "PENTEST_API_KEY",
-  BASE_URL: "PENTEST_BASE_URL",
-  MODEL: "PENTEST_MODEL",
-  SEARCH_API_KEY: "SEARCH_API_KEY",
-  SEARCH_API_URL: "SEARCH_API_URL",
-  THINKING: "PENTEST_THINKING",
-  THINKING_BUDGET: "PENTEST_THINKING_BUDGET"
-};
-var DEFAULT_SEARCH_API_URL = "https://api.search.brave.com/res/v1/web/search";
-var DEFAULT_MODEL = "glm-4.7";
-function getApiKey() {
-  return process.env[ENV_KEYS.API_KEY] || "";
-}
-function getBaseUrl() {
-  return process.env[ENV_KEYS.BASE_URL] || void 0;
-}
-function getModel() {
-  return process.env[ENV_KEYS.MODEL] || "";
-}
-function getSearchApiKey() {
-  if (process.env[ENV_KEYS.SEARCH_API_KEY]) {
-    return process.env[ENV_KEYS.SEARCH_API_KEY];
-  }
-  return process.env[ENV_KEYS.API_KEY];
-}
-function getSearchApiUrl() {
-  return process.env[ENV_KEYS.SEARCH_API_URL] || DEFAULT_SEARCH_API_URL;
-}
-function isZaiProvider() {
-  const baseUrl = getBaseUrl() || "";
-  return baseUrl.includes("z.ai");
-}
-function isThinkingEnabled() {
-  return process.env[ENV_KEYS.THINKING] === "true";
-}
-function getThinkingBudget() {
-  const val = parseInt(process.env[ENV_KEYS.THINKING_BUDGET] || "", 10);
-  return isNaN(val) ? 8e3 : Math.max(1024, val);
-}
-function validateRequiredConfig() {
-  const errors = [];
-  if (!getApiKey()) {
-    errors.push(
-      `[config] PENTEST_API_KEY is required.
-  Export it before running:
-    export PENTEST_API_KEY=your_api_key
-  For z.ai: get your key at https://api.z.ai`
-    );
-  }
-  const budgetRaw = process.env[ENV_KEYS.THINKING_BUDGET];
-  if (budgetRaw !== void 0 && budgetRaw !== "") {
-    const parsed = parseInt(budgetRaw, 10);
-    if (isNaN(parsed) || parsed < 1024) {
-      errors.push(
-        `[config] PENTEST_THINKING_BUDGET must be an integer \u2265 1024 (got: "${budgetRaw}")`
-      );
-    }
-  }
-  return errors;
-}
 // src/shared/constants/search-api.const.ts
 var SEARCH_URL_PATTERN = {
   GLM: "bigmodel.cn",
@@ -5880,7 +5901,7 @@ const { chromium } = require(${safePlaywrightPath});
 (async () => {
     const browser = await chromium.launch({
         headless: true,
-        args: ['${PLAYWRIGHT_ARG.NO_SANDBOX}', '${PLAYWRIGHT_ARG.DISABLE_SETUID_SANDBOX}']
+        args: ['${PLAYWRIGHT_ARG.NO_SANDBOX}', '${PLAYWRIGHT_ARG.DISABLE_SETUID_SANDBOX}', ${JSON.stringify(getTorBrowserArgs()).slice(1, -1)}].filter(Boolean)
     });
     const context = await browser.newContext({
@@ -6066,7 +6087,10 @@ async function fillAndSubmitForm(url, formData, options = {}) {
 const { chromium } = require(${safePlaywrightPath});
 (async () => {
-    const browser = await chromium.launch({ headless: true });
+    const browser = await chromium.launch({
+        headless: true,
+        args: ['--no-sandbox', '--disable-setuid-sandbox', ${JSON.stringify(getTorBrowserArgs()).slice(1, -1)}].filter(Boolean)
+    });
     const page = await browser.newPage();
     try {

package/dist/network/prompt.md CHANGED Viewed

@@ -23,10 +23,10 @@ nmap -Pn -p<ports> -sV -sC -O <target>
 # 5. UDP Key Services
 nmap -Pn -sU --top-ports 30 --min-rate=100 <target>
-# 6. High-Speed Subnet Scan
-masscan <CIDR> -p1-65535 --rate=1000 -oJ .pentesting/workspace/masscan.json
+# 6. Full TCP Connect Scan (Tor-compatible)
+nmap -Pn -sT -p- -T4 --min-rate=1000 <target>
-# 7. Stealth SYN Scan
+# 7. Stealth SYN Scan (local network only, not Tor-compatible)
 nmap -Pn -sS -T2 --max-retries=1 <target>
 ```

package/dist/prompts/evasion.md CHANGED Viewed

@@ -135,7 +135,7 @@ XSS:
 ├── WAF blocks web → try API endpoints (often less protected)
 ├── Web filter blocks → try WebSocket upgrade
 ├── Frontend validates → send request directly (bypass JS validation)
-├── IDS detects nmap → use alternative scanning (masscan, manual /dev/tcp)
+├── IDS detects nmap → use alternative scanning (rustscan, manual /dev/tcp)
 ├── AV detects payload → encode, obfuscate, or use fileless techniques
 ├── Container boundary → escape via kernel vuln, misconfigured mount
 └── Network filter → tunnel through allowed protocols (DNS, HTTPS, ICMP)

package/dist/prompts/recon.md CHANGED Viewed

@@ -250,7 +250,7 @@ After confirming service version, immediately:
 ## Error Handling
 - When [TOOL ERROR ANALYSIS] message appears, **read and follow the instructions**
-- nmap fails → try masscan or other scanning methods
+- nmap fails → try rustscan or other scanning methods
 - Tool not installed → attempt auto-install → on failure, search for alternatives with `web_search`
 - Timeout → reduce port range and retry
 - **Never repeat the same failure 3 times** → must switch to a different approach

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pentesting",
-  "version": "0.52.1",
+  "version": "0.53.0",
   "description": "Autonomous Penetration Testing AI Agent",
   "type": "module",
   "main": "dist/main.js",
@@ -19,16 +19,17 @@
     "dev:tsx": "tsx src/platform/tui/main.tsx",
     "build": "tsup",
     "start": "node dist/main.js",
-    "test": "mkdir -p .pentesting && TMPDIR=.pentesting vitest run",
+    "test": "mkdir -p .vitest && TMPDIR=.vitest vitest run && rm -rf .vitest .pentesting",
     "test:watch": "vitest",
     "lint": "tsc --noEmit",
     "prepublishOnly": "npm run build",
+    "docker:build": "docker buildx build -f Dockerfile.base --platform linux/amd64,linux/arm64 -t agnusdei1207/pentesting-base:latest --push .",
     "release": "npm run release:patch && npm run release:docker",
     "publish:token": "npm publish --access public",
     "release:patch": "npm version patch && npm run build && npm run publish:token",
     "release:minor": "npm version minor && npm run build && npm run publish:token",
     "release:major": "npm version major && npm run build && npm run publish:token",
-    "release:docker": "docker buildx build --platform linux/amd64,linux/arm64 -t agnusdei1207/pentesting:latest --push . && docker system prune -af",
+    "release:docker": "docker buildx build -f Dockerfile --platform linux/amd64,linux/arm64 -t agnusdei1207/pentesting:latest --push .",
     "check": "npm run test && npm run build && npm run release:docker && bash test.sh"
   },
   "repository": {