The framework provides an interactive console interface for easy testing:
# Start interactive framework
python start.py

Once started, you'll see an interactive menu:
pentest> set https://target.example.com # Set target URL
pentest> help # Show all modules help
pentest> help cloud-crypto # Show specific module help
pentest> 1 # Run cloud-crypto test
pentest> owasp-test # Run OWASP testing
pentest> exit # Exit framework
- cloud-crypto - Infrastructure & Cloud Security Testing
- owasp-test - OWASP Top 10 Complete Testing
- owasp-exploit - OWASP Exploitation Attempts
- aggressive - Aggressive Penetration Testing
- web-scan - Advanced Web Application Testing
- exploit-found - Exploit Found Vulnerabilities
- owasp-suite - Combined OWASP Suite (All Tests)
You can also run tests directly without interactive mode:
python pentest.py cloud-crypto --url https://target.example.com
python pentest.py owasp-test
python pentest.py aggressive

- DNS reconnaissance - Subdomain discovery, DNS records
- TLS/HTTPS analysis - Certificate validation, cipher suites
- Port scanning - Open ports, service enumeration
- HTTP security headers - CSP, HSTS, X-Frame-Options
- External tool integration - Nikto, Nmap (optional with --extra)
- A01: Broken Access Control - IDOR, privilege escalation
- A02: Cryptographic Failures - Weak encryption, sensitive data
- A03: Injection - SQLi, XSS, command injection
- A04: Insecure Design - Business logic flaws
- A05: Security Misconfiguration - Debug endpoints, default credentials
- A06: Vulnerable Components - Outdated libraries
- A07: Authentication Failures - Weak auth mechanisms
- A08: Software Integrity - Insecure deserialization
- A09: Logging Failures - Insufficient monitoring
- A10: Server-Side Request Forgery - SSRF vulnerabilities
- Active exploitation attempts of discovered vulnerabilities
- SQL injection payloads with automated testing
- Cross-site scripting proof-of-concepts
- Authentication bypass techniques
- Privilege escalation attempts
- OTP brute force with intelligent patterns
- Account enumeration via timing attacks
- Session hijacking analysis
- Clickjacking vulnerability checks
- CSRF protection testing
- Race condition exploitation
- Information disclosure discovery
- JWT token security analysis
- Content analysis and information gathering
- Cookie security assessment
- CORS misconfiguration detection
- XSS vulnerability scanning
- SQL injection testing
- Directory enumeration
- Rate limiting analysis
- Open redirect detection
- Refresh token theft attempts
- Session fixation attacks
- Token replay vulnerabilities
- CSRF exploitation with generated PoCs
- Algorithm confusion attacks
- None algorithm exploitation
- Weak secret brute force
- Claim manipulation attempts
- Nmap integration for port scanning
- Nikto web scanning
- SQLMap injection testing
- Directory enumeration tools
- Fuzzing attacks
- SSL/TLS configuration analysis
# Set target URLs (optional, defaults to example.com)
export PENTEST_BASE_URL="https://target.example.com"
export PENTEST_BACKEND_API="https://api.example.com"

Place authentication tokens in:
- saved_cookies.json - Session cookies for authenticated testing
- saved_storage.json - Local storage data
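A pre-flight scope check for the target settings above, added here as an example (it is not part of the framework's code): it validates PENTEST_BASE_URL and PENTEST_BACKEND_API against an allowlist before anything is run. The allowlist hosts and the names check_target and resolve_targets are assumptions made for illustration.

```python
import os
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts the system owner has authorised in writing.
AUTHORISED_HOSTS = {"staging.corp.test", "api.staging.corp.test"}  # constructed sample
# Documentation placeholders used in the README; never a real engagement target.
PLACEHOLDER_HOSTS = {"example.com", "target.example.com", "api.example.com"}


def check_target(url, authorised=AUTHORISED_HOSTS):
    """Return the normalised origin if the URL is in scope, else raise ValueError."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in {url!r}")
    if parts.username or parts.password:
        # Catches https://allowed.host@other.host/ style confusion.
        raise ValueError("credentials embedded in target URL")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        raise ValueError(f"no host in {url!r}")
    if host in PLACEHOLDER_HOSTS:
        raise ValueError(f"{host} is a documentation placeholder")
    if host not in authorised:  # exact match only: no wildcard or suffix matching
        raise ValueError(f"{host} is not on the authorised list")
    return f"{parts.scheme}://{host}" + (f":{parts.port}" if parts.port else "")


def resolve_targets(env=os.environ, authorised=AUTHORISED_HOSTS):
    """Validate both documented variables; an unset one is rejected rather than
    left to fall back to the example.com default."""
    out = {}
    for var in ("PENTEST_BASE_URL", "PENTEST_BACKEND_API"):
        value = env.get(var)
        if not value:
            raise ValueError(f"{var} is unset; refusing to rely on the default")
        out[var] = check_target(value, authorised)
    return out


if __name__ == "__main__":
    try:
        for name, url in resolve_targets().items():
            print(f"{name} in scope: {url}")
    except ValueError as err:
        raise SystemExit(f"scope check failed: {err}")
```

Run it as a gate before `python pentest.py ...` in a CI job so that a non-zero exit stops the pipeline.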
All modules generate detailed JSON reports with:
- Timestamped findings with severity levels
- Vulnerability details and proof-of-concepts
- Remediation recommendations
- PoC files for exploits (saved to /tmp/)
Example report location: cloud_crypto_results.json
# Start interactive framework
python start.py
# In the interactive console:
pentest> set https://your-target.com # Set target
pentest> help # View all available tests
pentest> help cloud-crypto # Get detailed info about specific test
pentest> 1 # Run infrastructure testing (cloud-crypto)
pentest> 2 # Run OWASP Top 10 testing
pentest> 7 # Run complete OWASP suite
pentest> exit # Exit when done

$ python start.py
INTERACTIVE PENETRATION TESTING FRAMEWORK
══════════════════════════════════════════════════════════════════════
Available Commands:
1. cloud-crypto - Infrastructure & Cloud Security Testing
2. owasp-test - OWASP Top 10 Complete Testing
3. owasp-exploit - OWASP Exploitation Attempts
4. aggressive - Aggressive Penetration Testing
5. web-scan - Advanced Web Application Testing
6. exploit-found - Exploit Found Vulnerabilities
7. owasp-suite - Combined OWASP Suite (All Tests)
set <url> - Set target URL
help - Show detailed help for all modules
help <module> - Show help for specific module
clear - Clear screen
exit - Exit framework
══════════════════════════════════════════════════════════════════════
pentest> set https://target.example.com
✅ Target URL set to: https://target.example.com
pentest> help cloud-crypto
══════════════════════════════════════════════════════════════════════
Infrastructure & Cloud Security Testing
══════════════════════════════════════════════════════════════════════
[Detailed module information displayed here]
pentest> 1
Starting cloud-crypto against https://target.example.com...
[Test execution...]
✅ Cloud/Crypto pentest finished. Report: cloud_crypto_results.json
pentest> owasp-test
Starting owasp-test against https://target.example.com...
[Test execution...]
✅ OWASP testing completed
pentest> exit
Exiting framework. Stay safe!

# Quick single-test execution
python pentest.py cloud-crypto --url https://target.example.com
python pentest.py owasp-test
python pentest.py aggressive

Install dependencies:
pip install -r requirements.txt

Optional external tools (for enhanced scanning):
# Install on Ubuntu/Debian
sudo apt-get install nmap nikto
# Install on macOS
brew install nmap nikto

All personal data has been sanitized:
- ✅ Tokens replaced with [REDACTED_TOKEN]
- ✅ IP addresses replaced with [REDACTED_IP]
- ✅ Domains replaced with example.com
- ✅ Phones replaced with [REDACTED_PHONE]
- ✅ Emails replaced with [REDACTED_EMAIL]
Usage requirements:
- ⚠️ Only for legal testing of systems you own
- ⚠️ Requires explicit permission from system owner
- ⚠️ Unauthorized use is illegal and prosecutable
pentest/
├── start.py # Interactive console (MAIN ENTRY POINT)
├── pentest.py # Direct CLI (alternative interface)
├── pentestkit/ # Configuration utilities
│   ├── config.py # URL and token management
│   └── __init__.py # Package exports
├── pentest_cloud_crypto.py # Infrastructure security
├── pentest_advanced.py # Advanced web testing
├── pentest_aggressive.py # Aggressive pentesting
├── owasp_suite.py # Consolidated OWASP testing
├── test_owasp_top10_complete.py # OWASP Top 10 tests
├── exploit_all_owasp.py # OWASP exploitation
├── exploit_found_vulns.py # Found vulnerability exploits
├── jwt_exploitation_real.py # JWT security testing
└── professional_pentest_v2.py # Multi-tool pentesting
- start.py - Interactive console interface (recommended for users)
  - User-friendly menu-driven interface
  - Built-in help system for all modules
  - Interactive target URL configuration
  - Command shortcuts (1-7 for quick access)
- pentest.py - Direct command-line interface (for automation/scripts)
  - Accepts command-line arguments
  - Suitable for CI/CD integration
- pentestkit/config.py - Centralized configuration
  - Shared by all modules
  - Manages URLs and authentication tokens

# Step 1: Start interactive framework
python start.py
# Step 2: Set target URL
pentest> set https://target.example.com
# Step 3: Get help on available tests
pentest> help
# Step 4: Run infrastructure reconnaissance
pentest> cloud-crypto
# or
pentest> 1
# Step 5: Run web application testing
pentest> web-scan
# or
pentest> 5
# Step 6: Run comprehensive OWASP assessment
pentest> owasp-suite
# or
pentest> 7
# Step 7: Review results and exit
pentest> exit

# Run tests via direct command line
python pentest.py cloud-crypto --url https://target.example.com
python pentest.py web-scan --url https://target.example.com
python pentest.py owasp-suite --url https://target.example.com

All modules share:
- Centralized configuration via pentestkit.config
- Unified authentication handling
- Consistent reporting format
- Modular architecture for easy extension