--- license: mit language: - en tags: - penetration-testing - autonomous-agent - mcp - kali-linux - llm - cybersecurity - red-team - ethical-hacking - bug-bounty - python - flask - bug-bounty, - pentesting-tools, - mcp, - mcp-server, - mcp-agent-loop, - ethical-hacker, - ethical-hacking-tools, library_name: other pipeline_tag: text-generation base_model: - Qwen/Qwen2.5-1.5B-Instruct-GGUF --- # 🔐 PenMaster Security **Autonomous AI-powered penetration testing agent — fully local, no cloud, no API keys.** Built on Kali Linux with a local LLM (Qwen 2.5-14B via LM Studio) and a Flask-based MCP tool server. The agent runs recon, attacks, and generates professional pentest reports — all autonomously. ![demo](./Final_EDIT.gif) --- ## What It Does - 🔍 Autonomous recon — masscan + nmap to discover open ports and services - ⚔️ Autonomous attack loop — selects and chains tools based on what it finds - 🧠 Persistent negative experience cache — learns what fails across ALL sessions and never repeats mistakes - 📝 Auto-generates branded HTML pentest reports on session end (Ctrl+C) - 🔒 100% local — Qwen 2.5-14B running in LM Studio, nothing leaves your machine --- ## Tool Arsenal (18 Tools) | Tool | Purpose | |------|---------| | `run_masscan` | Fast port discovery | | `run_nmap` | Deep service/version scanning | | `run_nikto` | Web vulnerability scanning | | `run_sqlmap` | SQL injection testing | | `run_hydra` | Credential brute forcing | | `run_ncrack` | Network authentication cracking | | `run_searchsploit` | CVE/exploit database lookup | | `run_metasploit` | Exploit framework integration | | `run_curl` | HTTP interaction and payload staging | | `run_wget` | File retrieval and payload staging | | `run_enum4linux` | SMB/Samba enumeration | | `run_smbclient` | SMB share access and enumeration | | `run_ftp` | FTP service interaction | | `run_ssh` | SSH service interaction | | `run_telnet` | Telnet service interaction | | `run_wpscan` | WordPress vulnerability scanning | | `run_dirb` | Web directory brute forcing | | `run_set` | Social Engineering Toolkit | --- ## Sovereign Agent Upgrades - ✅ Autonomous tool reasoning — agent selects tools based on discovered services - ✅ Persistent negative experience cache — SHA-256 fingerprinting blacklists failing tool/parameter combos across sessions - ✅ Social Engineering Toolkit (SET) integration - ✅ Auto HTML pentest report generation --- ## Stack - **Model:** Qwen 2.5-14B Instruct (abliterated) via LM Studio - **OS:** Kali Linux - **Server:** Flask MCP server (port 8000) - **Agent:** Python autonomous loop - **Reports:** Auto-generated HTML on exit --- ## Intended Use Designed for: - Professional penetration testing against **authorized targets only** - Security audits for small businesses, WordPress sites, and ecommerce - Bug bounty hunting workflows - AI/security research and development --- ## GitHub [XenoCoreGiger31/Local-Model](https://github.com/XenoCoreGiger31/Local-Model)