
PEN

3 files · ready for inspection

readme

# PEN - Professional Exploitation Network_tester

PEN is a modular, interactive penetration testing tool written in Go. It automates the scanning and exploitation of common web application security tests including IDOR enumeration, file upload testing, SQL injection detection, lateral movement checks, GraphQL endpoint discovery, WebSocket security testing, Git repository exposure scanning, server fingerprinting, and misconfiguration checks. Designed for authorized security assessments.

## Features

- IDOR Enumeration – scans `/api/users/{id}` style endpoints for unauthorized profile access
- File Upload Testing – checks for path traversal and basic CSV/KML upload acceptance
- SQL Injection Detection – time-based and error-based tests on common API parameters
- Lateral Movement – attempts to access other users' upload history via parameter tampering
- Exploitation Module – optional password hash cracking (bcrypt via John) and privilege escalation attempts
- GraphQL Endpoint Testing – discovers GraphQL endpoints and tests for introspection
- WebSocket Security – finds WebSocket URLs in JavaScript and attempts connection
- Git Repository Exposure – detects accessible `.git/HEAD`, dumps repository, scans for secrets (patterns + CI/CD files)
- Server & Framework Fingerprinting – identifies web server headers and common framework paths
- Common Misconfigurations – checks for directory listing, backup files, and exposed config files
- Persistent Configuration – saves target URL and Bearer token to `~/.pen_config.json`

## Installation

### Prerequisites

- Go 1.21 or higher
- Debian-based distribution (recommended for external tools)
- Optional tools (for full functionality):
  - `john` – password cracking (`sudo apt install john`)
  - `git-dumper` – repository dumping (`pip install git-dumper`)
  - `websocat` – WebSocket connections (`sudo apt install websocat`)

### Build from source

```bash
git clone https://github.com/ekomsSavior/PEN.git
cd PEN
go mod init pen
go mod tidy
go build -o pen main.go
```

### Run

```bash
./pen
```

On first run, you will be prompted for the target base URL (e.g., `https://example.com`) and an optional Bearer token. The tool saves this configuration for future runs.

## Usage

After starting, the main menu presents 12 options:

```
1. IDOR Enumeration (user profiles)
2. File Upload Test (requires token)
3. SQL Injection Test
4. Lateral Movement (other users' uploads)
5. Exploitation (crack hashes, privilege escalation)
6. GraphQL Testing
7. WebSocket Testing
8. Git Repository Exposure & Secret Scanning
9. Server & Framework Fingerprinting
10. Common Misconfigurations
11. Run All Scans
12. Exit
```

Select a number and press Enter. Most modules provide real-time feedback with status indicators:

- `[+]` – positive finding or successful operation
- `[-]` – error or negative result
- `[*]` – informational message
- `[!]` – vulnerability confirmed or important warning

### Example walkthrough

```bash
./pen
Enter target base URL (e.g., https://example.com): https://target.com
Enter Bearer token (if any, leave empty for none): eyJhbGciOiJIUzI1NiIs...
```

After configuration, choose option 1 to enumerate user profiles, or option 11 to run all tests sequentially.

## Output Interpretation

- **IDOR Enumeration** – lists discovered user IDs, roles, and any exposed sensitive fields (password hash, IP addresses). If no sensitive fields appear, the endpoint is likely safe.
- **Lateral Movement** – if access is granted to other users' uploads, the application may have broken access control.
- **Git Exposure** – if `.git/HEAD` is accessible, the tool will dump the repository and scan for secret patterns (Google OAuth, AWS keys, GitHub tokens, Stripe keys, Slack tokens, private keys) and CI/CD configuration files.
- **File Upload** – a 200 status with `success:true` indicates the endpoint accepts the file. A path traversal test that returns 200 indicates a high-severity vulnerability.
- **SQL Injection** – a 500 error or a difference in response length between a normal and injected request suggests a possible injection point.
- **Common Misconfigurations** – reports directory listing, exposed backup files, and readable config files (`.env`, `web.config`, `phpinfo.php`).

## Configuration File

The tool stores your settings in `~/.pen_config.json`:

```json
{
  "target": "https://example.com",
  "token": "your_bearer_token"
}
```

To reset, delete the file or choose not to use saved configuration when prompted.

## Limitations

- The tool assumes API endpoints follow common patterns (`/api/users/{id}`, `/api/upload/csv`, `/api/networks`, `/api/my-uploads`). For targets with custom paths, manual adjustment of the source code may be required.
- SQL injection tests are basic; they may not detect blind or second-order injections. Use `sqlmap` for deeper analysis.
- File upload tests are limited to CSV/KML formats. Modify the `createMultipart` function for other file types.
- WebSocket testing requires `websocat` to be installed and may not work over TLS if the certificate is self-signed.

## Disclaimer

This tool is intended for authorized security testing and educational purposes only. Use it only on systems you own or have explicit permission to test. The author assumes no liability for misuse.
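What the IDOR Enumeration and Lateral Movement findings correspond to on the server side, as an added example (not PEN's code, nor any target's): a Go handler for `/api/users/{id}` with no object-level check beside a hardened one. The `X-Caller-ID` header, the `user` type and the sample records are assumptions standing in for a verified token subject and a real datastore.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type user struct {
	ID           string `json:"id"`
	Role         string `json:"role"`
	PasswordHash string `json:"password_hash,omitempty"`
}

var users = map[string]user{ // constructed sample records
	"1": {"1", "admin", "$2b$12$constructed-hash-1"},
	"2": {"2", "user", "$2b$12$constructed-hash-2"},
}

func vulnerable(w http.ResponseWriter, r *http.Request) { // no caller check, full record
	u := users[strings.TrimPrefix(r.URL.Path, "/api/users/")]
	json.NewEncoder(w).Encode(u)
}

// hardened: owner-or-admin only; X-Caller-ID stands in for a verified token subject.
func hardened(w http.ResponseWriter, r *http.Request) {
	caller, authed := users[r.Header.Get("X-Caller-ID")]
	u, found := users[strings.TrimPrefix(r.URL.Path, "/api/users/")]
	if !authed || !found || (caller.ID != u.ID && caller.Role != "admin") {
		http.NotFound(w, r) // same answer for "missing" and "not yours"
		return
	}
	json.NewEncoder(w).Encode(user{ID: u.ID, Role: u.Role}) // allow-list: hash never serialized
}

func fetch(h http.HandlerFunc, id, caller string) (int, string) {
	req := httptest.NewRequest("GET", "/api/users/"+id, nil)
	req.Header.Set("X-Caller-ID", caller)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(fetch(vulnerable, "1", "2"))
	fmt.Println(fetch(hardened, "1", "2"))
}
```

Returning the same 404 for a missing record and for a record the caller may not read keeps the response from confirming which IDs exist.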
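The defender's side of the Git Exposure check, as an added example (not PEN's code): scanning your own repository contents for several of the secret types the README lists before they reach a web-served directory. The regular expressions are assumptions based on publicly documented token formats, not the tool's patterns, and the sample files are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Assumed patterns from publicly documented token formats, not PEN's own rules.
var secretPatterns = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"github-token", regexp.MustCompile(`\bgh[pousr]_[A-Za-z0-9]{36}\b`)},
	{"slack-token", regexp.MustCompile(`\bxox[abprs]-[A-Za-z0-9-]{10,}`)},
	{"stripe-live-key", regexp.MustCompile(`\bsk_live_[A-Za-z0-9]{24,}`)},
	{"private-key", regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`)},
}

// ScanFiles takes file name -> content and returns "file:line kind prefix..." findings.
// Only a six-character prefix is reported so the report does not re-leak the secret.
func ScanFiles(files map[string]string) []string {
	var out []string
	for name, content := range files {
		sc := bufio.NewScanner(strings.NewReader(content))
		for n := 1; sc.Scan(); n++ {
			for _, p := range secretPatterns {
				if m := p.re.FindString(sc.Text()); m != "" {
					out = append(out, fmt.Sprintf("%s:%d %s %.6s...", name, n, p.kind, m))
				}
			}
		}
	}
	return out
}

func sampleRepo() map[string]string { // constructed input, fake token-shaped values
	return map[string]string{
		".env":                     "DEBUG=1\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
		".github/workflows/ci.yml": "env:\n  TOKEN: ghp_" + strings.Repeat("a", 36) + "\n",
		"README.md":                "no secrets here\n",
	}
}

func main() {
	fmt.Println(strings.Join(ScanFiles(sampleRepo()), "\n"))
}
```

`bufio.Scanner` stops at lines longer than 64 KiB by default, so minified bundles need a larger buffer set with `sc.Buffer` before they are scanned.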

license

MIT License

Copyright (c) 2026 ek0mssavi0r

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

USE AT YOUR OWN RISK. NO WARRANTY PROVIDED.