PentestPilot/HOWTO.md
0xMarcio 1ec50d14a3 docs: remove em dashes; convert pseudo-links to real Markdown links; improve formatting
- Replace all em dashes with simple hyphens across repo
- README: real links in Docs Index, badges and headings
- HOWTO: clickable TOC, clean headings, hyphen usage
- TOOLKIT: clickable TOC, cleaned bullets, crosslinks and examples
- Dashboard and pack_report strings updated to avoid em dashes
- .zshrc comment cleaned
2025-10-08 16:11:24 +02:00


PentestPilot - HOWTO

Overview

  • This toolkit streamlines OSCP/HTB workflows: discovery, web recon, AD, credential hygiene, shells, tunnels, transfers, privilege escalation, post-exploitation, reporting, and AI-assisted orchestration.
  • Everything is CLI-first, idempotent when possible, and resume-aware via a per-target manifest.
  • See: README.md:1 for the quick summary and TOOLKIT.md:1 for the command catalog.
  • Tips and conventions below assume a Linux attacker VM (Kali/Parrot/Ubuntu). Adjust paths for your OS.

Install & Setup

  1. Place the repo in your working directory (e.g., ~/hax/htb).
  2. Load the shell profile so aliases and PATH work:
       echo "source $(pwd)/.zshrc.htb" >> ~/.zshrc
       exec zsh
  3. Optional AI setup:
    • OpenAI: export OPENAI_API_KEY=sk-... (and optionally OPENAI_MODEL)
    • Ollama: install+run, optionally export OLLAMA_MODEL=llama3.1 (default) and OLLAMA_HOST

Recommended Tools

  • Install commonly used tools upfront (Debian/Ubuntu examples):
       sudo apt update && sudo apt install -y nmap curl jq ripgrep python3 python3-pip tmux
       sudo apt install -y gobuster seclists ffuf sqlmap
       sudo apt install -y smbclient ldap-utils snmp snmp-mibs-downloader
       pipx install httpx-toolkit nuclei gowitness || true
       pipx runpip nuclei install -U nuclei || true
       pipx install "impacket" || true
       gem install wpscan || true
       pipx install droopescan || true
       apt install joomscan || true
       snap install magescan || true

    optional: chisel, socat, naabu, masscan, subfinder/amass, crackmapexec

Notes:

  • Some tools (httpx/nuclei) are provided by multiple packages; ensure they are in PATH.
  • If a wrapper says a tool is missing, either install or skip that specific step.
  • Use pipx (or venv) for Python-based tools to avoid site-packages collisions.

Core Env Vars

  • HTB_ROOT (default: current repo path) - base for targets and scripts.
  • TARGET - a current target convenience var set by settarget.
  • OUTDIR - output directory for scans in the current target (set by settarget).
  • Proxies: HTTP_PROXY/HTTPS_PROXY can be toggled via proxy_toggle.sh on|off.

Target Workflow

  1. Create a target workspace: settarget 10.10.10.10
     This creates targets/<target>/{scans,loot,www,exploits} and sets OUTDIR.
  2. Notes:
    • notesinit scaffolds notes.md in the target directory.
    • notesattach appends a scan artifacts summary to notes.
  3. Directories:
    • targets/<target>/scans - scanner logs, json, summaries
    • targets/<target>/loot - collected artifacts
    • targets/<target>/notes.md - your engagement notes
    • targets/<target>/manifest.json - per-target state (see Manifest below)
  4. Common recipes (see Appendix for more):
    • Quick nmap: nq → review scans/*_quick_*.nmap
    • Full TCP then service: nf → review phase1/phase2 outputs
    • UDP quick check: nu → review common UDP services
    • Web checks: headers/methods/tech → dirbuster/param_fuzz → sqli_quick
    • SMB/LDAP: smb_enum.sh / ldap_enum.sh - save listings in scans/

Quick Aliases

  • Nmap: nq (quick), nf (full TCP), nu (UDP top)
  • Web: webrecon (current TARGET), wideweb <hosts.txt> (lists)
  • Full pipeline: fullpipe <domain|hosts.txt> (DNS→httpx→nuclei→tech route, resume-aware)
  • AI agents: agent (multi-task), aiweb, aiplan, aireview
  • Dashboard: dashboard (status), resumeall, techactions
  • QoL: proxyon, proxyoff, cleanupscans, tmux_init.sh

Automation & Orchestration

  • Minimal recon: auto_recon.sh <target>
  • Web recon (current TARGET): web_recon.sh <target|--url URL> → headers/tech/backup/dirb (+screenshots if gowitness)
  • Wide recon (list of hosts): wide_web_recon.sh <hosts.txt> → httpx + nuclei + screenshots
  • One-click pipeline: full_pipeline.sh <domain|hosts.txt> [--resume|--force]
    • DNS sub-enum (if domain) → httpx (balanced) → nuclei (auto severity) → tech route → optional WPScan
    • Resume (default) consults manifest.json and skips completed steps.
    • Writes evidence JSON + summaries (httpx/nuclei) into OUTDIR and manifest.
  • Agents (AI-aware): bin/ai/agent_orchestrator.py:1
    • agent full <domain|hosts.txt> - small state machine for the full pipeline; retries resume passes, then runs tech_actions.py --run.
    • agent web <hosts.txt> [--force] - httpx -> nuclei -> screenshots -> AI plan (resume-aware subtasks)
    • agent ad <host> [--force] - enum4linux/smbmap/rpc (resume-aware)
    • agent notes <target> [--force] - notes init + attach (resume-aware)
    • agent post <target> [--force] - linux_loot + report pack (resume-aware)
  • Resume all targets: resume_all.py - loops over targets/* and resumes incomplete full_pipeline runs.

Advanced: Pipeline Semantics

  • --resume (default) skips steps whose manifest task status is ok.
  • --force reruns steps and overwrites evidence (new timestamps/files).
  • Each phase records elapsed seconds and evidence file paths in manifest meta.
  • If a run fails midway, you can reinvoke with --resume to continue where you left off.

Dashboard (Status & Evidence)

  • Command: dashboard (options: --no-color, --compact, --json)
  • Columns:
    • target, created, last (timestamp of last pipeline), urls (count)
    • dns, httpx, nuclei, tech, wp - per-phase status with elapsed seconds
    • sev - severity counts (e.g., c:1 h:3 m:2)
    • top-techs - top techs from httpx tech summary (e.g., wordpress:3, drupal:1)
    • bar - colorized severity proportion bar (critical/high/medium/low)
  • Evidence sources (auto-persisted by pipeline):
    • httpx JSON: OUTDIR/httpx_<ts>.json and httpx_<ts>.summary.json
    • nuclei JSON: OUTDIR/httpx2nuclei_<ts>/nuclei.json and summary.json

Manifest (State & Resume)

  • Path: targets/<target>/manifest.json
  • Schema (high-level):
    {
      "target": "",
      "created_at": "YYYY-MM-DD HH:MM:SS",
      "last_pipeline": "",
      "urls": [ ... ],
      "tasks": {
        "dns": {"status":"ok|running|fail","started_at":"...","finished_at":"...",
                "meta":{"subs_file":"...","elapsed_sec":N}},
        "httpx": {"meta":{"urls_file":"...","httpx_json":"...","httpx_summary":"...","elapsed_sec":N}},
        "nuclei": {"meta":{"log":"...","nuclei_json":"...","nuclei_summary":"...","elapsed_sec":N}},
        "techroute": {"meta":{"log":"...","elapsed_sec":N}},
        "wpscan": {"meta":{"log":"...","elapsed_sec":N}},
        "web_httpx|web_nuclei|web_shots|web_plan": {"meta":{"elapsed_sec":N}},
        "ad_*", "notes_*", "post_*": {"meta":{"elapsed_sec":N}}
      }
    }
  • CLI: bin/automation/manifest.py:1
    • init <target> - create manifest
    • set|get <target> <key> [value] - set or read top-level values
    • addlist <target> <key> <file|a,b,c> - append to a list
    • show <target> - print JSON
    • task <target> <name> start|ok|fail [meta-json] - update tasks (status, timestamps, meta)
    • taskstatus <target> <name> - prints status; exit 0 if ok, 2 if running, 1 otherwise
    • taskreset <target> <name> - remove/reset a task entry
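The resume and task-status semantics described in Pipeline Semantics and the manifest CLI above, as an added Python illustration; this is not the toolkit's own manifest.py, and the function names and the in-memory demo manifest are assumptions (only the schema fields, statuses and exit codes come from this document).

```python
import json
import time
from pathlib import Path

# Added illustration, not the toolkit's manifest.py: task states and resume
# decisions over the documented manifest schema (status, timestamps, meta).
TS = "%Y-%m-%d %H:%M:%S"

def new_manifest(target: str) -> dict:
    """Empty manifest with the documented top-level keys."""
    return {"target": target, "created_at": time.strftime(TS),
            "last_pipeline": "", "urls": [], "tasks": {}}

def load_manifest(path: Path, target: str) -> dict:
    """Read targets/<target>/manifest.json, or start a fresh one."""
    return json.loads(path.read_text()) if path.exists() else new_manifest(target)

def task_update(m: dict, name: str, state: str, meta: dict = None) -> dict:
    """task <name> start|ok|fail [meta]: set status, timestamps, elapsed_sec, meta."""
    t = m["tasks"].setdefault(name, {"meta": {}})
    now = time.strftime(TS)
    if state == "start":
        t.update(status="running", started_at=now, finished_at=None)
    else:
        t.update(status=state, finished_at=now)
        t0 = time.mktime(time.strptime(t.get("started_at") or now, TS))
        t["meta"]["elapsed_sec"] = int(time.mktime(time.strptime(now, TS)) - t0)
    if meta:
        t["meta"].update(meta)
    return t

def task_status_code(m: dict, name: str) -> int:
    """Exit code documented for taskstatus: 0 ok, 2 running, 1 otherwise."""
    return {"ok": 0, "running": 2}.get(m["tasks"].get(name, {}).get("status"), 1)

def should_run(m: dict, name: str, force: bool = False) -> bool:
    """--resume (default) skips tasks whose status is ok; --force reruns them."""
    return force or task_status_code(m, name) != 0

if __name__ == "__main__":
    # Constructed demo: dns completed, httpx was interrupted while running.
    m = new_manifest("target.htb")
    task_update(m, "dns", "start")
    task_update(m, "dns", "ok", {"subs_file": "targets/target.htb/scans/subs.txt"})
    task_update(m, "httpx", "start")
    for name in ("dns", "httpx", "nuclei"):
        print(f"{name}: {'run' if should_run(m, name) else 'skip (already ok)'}")
```

A task left in running (for example after an interrupted run) is rerun on resume, which matches the Troubleshooting advice to taskreset a stuck entry only when you want the status cleared rather than retried.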

AI Integrations

  • Providers: OpenAI (OPENAI_API_KEY) or local Ollama (defaults chosen automatically).
  • Robust helpers: bin/ai/_ai_utils.py:1 (retries, timeouts, prompt truncation)
  • Tools:
    • ask.py - quick prompts
    • commands_planner.py - converts a goal/context into ready-to-run toolkit commands
    • orchestrate_web.py - probes (httpx) and asks AI for a recon plan
    • review_findings.py - summarizes notes into risks + next steps
    • agent_orchestrator.py - orchestrates web/full/ad/notes/post tasks and updates manifest

Troubleshooting AI:

  • If calls fail, _ai_utils.py retries with exponential backoff.
  • If no OPENAI_API_KEY is set, the system falls back to Ollama (ensure it's running).
  • You can reduce output size by setting smaller prompts and using --compact when calling dashboard.

Web Recon & Routing

  • Pipeline: httpx_to_nuclei.sh → httpx alive list → nuclei with auto severity (based on URL count) → produces .txt, .json, summary.json.
  • Tech routing: httpx_tech_route.py flags:
    • --tech filter; --severity list; --wpscan [--wpscan-limit N]; --extra [--extra-limit N]; --dry-run
    • Presets: wordpress, drupal, joomla, laravel, aspnet, spring, tomcat, iis, exchange, sharepoint, grafana, kibana, gitlab, confluence, jupyter, jenkins, magento, sonarqube, jira, confluence
    • With --extra, auto-runs quick wrappers when present (e.g., WPScan, Droopescan, Joomscan, Jenkins/SonarQube/Magento/Jira/Confluence quick checks)
  • Extras:
    • httpx_presets.sh: concurrency profiles; httpx_probe.sh for fast probes
    • gobuster_dir.sh, gobuster_vhost.sh; dirbuster.sh (ffuf); backup hunters, CORS/methods/TLS, LFI tester

Active Directory & SMB

  • Impacket wrappers: getnpusers_wrapper.sh, getspns_wrapper.sh
  • kerbrute_wrapper.sh (user enum), cme_quick.sh (shares/sessions/loggedon), rpc_quick.sh
  • SMB smbmap_quick.sh and smb_check_write.sh

Passwords & Wordlists

  • mutate_words.py, merge_dedupe.sh, wordlist_cleanup.sh - build/clean wordlists
  • spray_http_basic.sh - cautious HTTP Basic Auth spray (respect lockout policies)

Shells, Transfers, Privesc

  • Shells: reverse one-liners (revsh.py), listener (listener.sh), TTY upgrade tips
  • Transfers: http_serve.sh or serve.py (with web upload), smb_server.sh, dl_oneshots.sh, push_http.sh
  • Linux privesc: linux_quick_enum.sh, suid_scan.sh, caps_scan.sh
  • Windows privesc: privesc_quick.ps1, find_unquoted_services.ps1, find_path_writable.ps1, win_share_enum.ps1

Tunnels & Port Forwards

  • chisel_server.sh / chisel_client.sh - reverse tunnels
  • autossh_socks.sh - resilient SOCKS proxy
  • socat_forward.sh and port_forward.sh - local/remote forwards

QoL Utilities

  • cleanup_scans.sh - prune old scan files
  • proxy_toggle.sh - set/unset HTTP(S) proxy env vars
  • tmux_init.sh - quick tmux workspace
  • extract_urls.py - harvest URLs from files (logs/notes)

Post-Exploitation & Reporting

  • linux_loot.sh - safe, size-capped artifacts collector (config via env: MAX_SIZE, INCLUDE_*)
  • windows_loot.ps1 - conservative Windows loot collector (zip fallback)
  • pack_report.sh - compiles a markdown with summaries and file listings

Safety Notes

  • Use only with explicit authorization.
  • Many steps are safe by default (no brute force). Be mindful of account lockout policies when using auth-related tooling.
  • For “unsafe” or exploit-heavy checks, consider separate gated wrappers and explicit flags.

End-to-End Example

  1. Set up target and notes:
       settarget target.htb
       notesinit
  2. Run full autonomous recon (resume-aware): agent full target.htb
  3. Review dashboard: dashboard --compact
  4. Let AI suggest next steps from tech: techactions $TARGET
  5. Post-exploitation: agent post $TARGET
  6. Resume across multiple targets later: resumeall

Troubleshooting

  • Tool missing: wrappers fail gracefully and log hints. Install optional tools (httpx, nuclei, gobuster, gowitness, wpscan, droopescan, joomscan, magescan, impacket).
  • Manifest stuck in running: manifest.py taskreset <target> <name>.
  • No colors in dashboard: add --no-color or your terminal might not support ANSI.

Customization

  • Adjust tags/severity in httpx_to_nuclei.sh:1 and httpx_tech_route.py:1.
  • Extend tech presets and quick wrappers in bin/web/.
  • Tweak agent behaviors in bin/ai/agent_orchestrator.py:1.
  • Add your own manifest keys via manifest.py set <target> key value for custom dashboards.

Appendix - Common Command Recipes

  • Directory brute (gobuster): gobuster_dir.sh http://$TARGET/ /usr/share/wordlists/dirb/common.txt php,txt 50
  • Vhost brute: gobuster_vhost.sh http://$TARGET/ subdomains-top1million-5000.txt 100
  • Probe techs: httpx_probe.sh hosts.txt > live.txt
  • Route by tech (with extras): httpx_tech_route.py live.txt --tech wordpress,drupal --extra --wpscan
  • Nuclei quick: nuclei_quick.sh live.txt cves,exposures
  • SMB write check: smb_check_write.sh $TARGET sharename
  • LDAP quick users: ldap_quick_users.sh $TARGET 'DC=target,DC=htb'
  • Secrets scan: scan_secrets.sh .

Legend:

  • DNS/httpx/nuclei/tech/wp: status + elapsed time (OK(12s)).
  • sev: short counts (c:2 h:3 m:5), bar: █ blocks colored per severity.
  • --compact removes dates and shows essentials when terminal space is tight.
  • --json lets you script your own dashboards. Example manifest snippet:
    {
      "target": "target.htb",
      "tasks": {
        "httpx": {
          "status": "ok",
          "started_at": "2025-10-08 10:21:00",
          "finished_at": "2025-10-08 10:21:08",
          "meta": {
            "urls": 34,
            "urls_file": "targets/target.htb/scans/urls_20251008_1021.txt",
            "httpx_json": ".../httpx_20251008_1021.json",
            "httpx_summary": ".../httpx_20251008_1021.summary.json",
            "elapsed_sec": 8
          }
        }
      }
    }

Customizing Tech Routes:

  • Edit httpx_tech_route.py to add or adjust presets in the presets map.
  • To auto-launch additional quick wrappers, update the --extra handler.

Auto Severity Tuning (nuclei):

  • httpx_to_nuclei.sh sets nuclei severity via --severity auto mapping:
    • >500 URLs → high,critical; >100 → medium,high,critical; else low,medium,high,critical.
  • Override with explicit --severity or adjust logic in the script.
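The severity logic described in the Legend (sev counts and bar) and in the auto-severity mapping above, as an added Python illustration; it is not the toolkit's own httpx_to_nuclei.sh or dashboard code. The nuclei JSON-lines sample is constructed (template names are placeholders), and the bar uses one letter per severity instead of coloured blocks.

```python
import json

# Added illustration, not the toolkit's own scripts: the --severity auto mapping
# from the HOWTO plus the dashboard's "sev" counts and proportional bar.
SEVERITY_ORDER = ("critical", "high", "medium", "low")
SEV_ABBR = {"critical": "c", "high": "h", "medium": "m", "low": "l"}

def auto_severity(url_count: int) -> str:
    """Severity list chosen from the alive-URL count, as documented."""
    if url_count > 500:
        return "high,critical"
    if url_count > 100:
        return "medium,high,critical"
    return "low,medium,high,critical"

def severity_counts(nuclei_jsonl: str) -> dict:
    """Count findings per severity from nuclei JSON-lines output (info.severity)."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for line in nuclei_jsonl.splitlines():
        if not line.strip():
            continue
        sev = str(json.loads(line).get("info", {}).get("severity", "")).lower()
        if sev in counts:          # info/unknown severities are not counted
            counts[sev] += 1
    return counts

def sev_cell(counts: dict) -> str:
    """Short counts as in the legend, e.g. 'c:2 h:3 m:5'; '-' when nothing found."""
    return " ".join(f"{SEV_ABBR[s]}:{counts[s]}" for s in SEVERITY_ORDER if counts[s]) or "-"

def sev_bar(counts: dict, width: int = 10) -> str:
    """Proportional bar; each severity gets its letter instead of a coloured block."""
    total = sum(counts.values())
    if not total:
        return ""
    return "".join(SEV_ABBR[s] * round(width * counts[s] / total) for s in SEVERITY_ORDER)

# Constructed sample: 2 critical, 3 high, 5 medium and one "info" finding.
SAMPLE_NUCLEI = "\n".join(
    json.dumps({"template-id": f"constructed-{i}", "info": {"severity": s}})
    for i, s in enumerate(["critical"] * 2 + ["high"] * 3 + ["medium"] * 5 + ["info"]))

if __name__ == "__main__":
    for n in (34, 250, 1200):
        print(f"{n:>5} URLs -> --severity {auto_severity(n)}")
    c = severity_counts(SAMPLE_NUCLEI)
    print("sev:", sev_cell(c), " bar:", sev_bar(c))
```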