Skip to content

CyberWardion/ai-pentest-agent

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

🔐 AI Pentest Agent v4

Automated web application penetration testing powered by Claude AI

Python License Tor AI

🎯 What It Does

Automatically discovers, exploits, and reports vulnerabilities in web applications using AI-driven reasoning. Give it a target URL — it figures out the rest.

⚡ Results

Target Steps Findings Time
OWASP Juice Shop 5 9 (7 Critical) ~8 min
DVWA Low/Med/High 3 SQLi+XSS+CMDi ~5 min
WordPress 6 User enum, XML-RPC, REST API ~10 min

🛠️ Capabilities

App Detection (automatic)

  • WordPress — user enumeration, plugin CVE lookup, XML-RPC brute force, REST API mapping
  • REST API / JWT — SQLi dump, hash cracking, auth bypass, BOLA, IDOR
  • PHP apps — CSRF-aware sessions, form-based auth, DVWA all difficulty levels

OPSEC

  • Tor routing on every request (--tor flag)
  • Randomized User-Agent rotation
  • Adaptive delays (3-7s with Tor)
  • WAF detection and auto-backoff

Reporting

  • Professional pentest report generation
  • AI-written finding descriptions
  • CVSS 3.1 scoring
  • Evidence files saved per finding

📦 Install

git clone https://github.com/CyberWardion/ai-pentest-agent
cd ai-pentest-agent
pip install anthropic requests pysocks urllib3
cp config/.env.example config/.env
# Add your ANTHROPIC_API_KEY to .env

🚀 Usage

# Activate environment
source venv/bin/activate
set -a; source config/.env; set +a

# Test against OWASP Juice Shop (local)
python3 scripts/ai_agent_v4.py \
  --target http://localhost:3000 \
  --client "JuiceShop" \
  --steps 10

# Real target with Tor routing
python3 scripts/ai_agent_v4.py \
  --target https://target.com \
  --client "ClientName" \
  --steps 12 \
  --tor

# WordPress deep exploitation
python3 scripts/wp_exploit.py https://target.com --tor

# Plugin CVE lookup
python3 scripts/cve_lookup.py

# DVWA all difficulty levels
python3 scripts/dvwa_test.py http://localhost:8080

📁 Scripts

Script Purpose
ai_agent_v4.py Main AI agent — full automated engagement
ai_report.py Professional report generator
wp_exploit.py WordPress smart exploitation
wp_deep_scan.py WordPress API + CVE scanning
cve_lookup.py Plugin CVE lookup via Wordfence API
dvwa_test.py DVWA Low/Medium/High/Impossible
js_secrets.py JavaScript secret scanning
dork_recon.py Google dork reconnaissance
sessions.py JWT session management
crack_hashes.py MD5 hash cracking via rockyou

🔧 Lab Setup

# OWASP Juice Shop
docker run -d -p 3000:3000 bkimminich/juice-shop

# DVWA
docker run -d -p 8080:80 vulnerables/web-dvwa

# Tor
systemctl start tor

⚠️ Legal

This tool is for authorized security testing only.

  • Only test systems you own or have written authorization to test
  • Unauthorized testing is illegal under computer fraud laws worldwide
  • The authors take no responsibility for misuse

🏢 About

Built by CyberWardion — Professional cybersecurity services.

About

AI-powered automated penetration testing agent. Finds and exploits vulnerabilities in web apps, WordPress, and REST APIs using Claude AI with Tor routing.

Topics

Resources

License

Stars

3 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors