
PEN_testing_toolkit


README

PEN - Professional Exploitation Network_tester

PEN is a modular, interactive penetration testing tool written in Go. It automates common web application security checks: IDOR enumeration, file upload testing, SQL injection detection, lateral movement checks, GraphQL endpoint discovery, WebSocket security testing, Git repository exposure scanning, server fingerprinting, and misconfiguration checks. It is designed for authorized security assessments.

Features

  • IDOR Enumeration – scans /api/users/{id} style endpoints for unauthorized profile access
  • File Upload Testing – checks for path traversal and basic CSV/KML upload acceptance
  • SQL Injection Detection – time‑based and error‑based tests on common API parameters
  • Lateral Movement – attempts to access other users’ upload history via parameter tampering
  • Exploitation Module – optional password hash cracking (bcrypt via John) and privilege escalation attempts
  • GraphQL Endpoint Testing – discovers GraphQL endpoints and tests for introspection
  • WebSocket Security – finds WebSocket URLs in JavaScript and attempts connection
  • Git Repository Exposure – detects accessible .git/HEAD, dumps repository, scans for secrets (patterns + CI/CD files)
  • Server & Framework Fingerprinting – identifies web server headers and common framework paths
  • Common Misconfigurations – checks for directory listing, backup files, and exposed config files
  • Persistent Configuration – saves target URL and Bearer token to ~/.pen_config.json
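The following is an added example, not PEN's own code, of how the IDOR and lateral movement checks above can be made precise. It requests /api/users/{id} as one identity and treats every profile returned for an ID other than the caller's own as a broken object-level authorization hit; sensitive fields in the body raise severity but are not the only signal. The sensitive-field list, the constructed httptest target, the user records and the token value are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Finding is the result of probing one /api/users/{id} endpoint.
type Finding struct {
	ID      int
	Status  int
	Exposed []string // sensitive top-level JSON fields present in the response
}

// Field names whose presence in another user's profile is reported as exposure (assumed list).
var sensitiveFields = []string{"password", "password_hash", "ip", "ip_address", "email"}

// probeProfile fetches /api/users/{id} with the caller's bearer token and records
// the status code and any sensitive top-level fields in a JSON 200 response.
func probeProfile(client *http.Client, base string, id int, token string) (Finding, error) {
	req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/api/users/%d", base, id), nil)
	if err != nil {
		return Finding{}, err
	}
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	resp, err := client.Do(req)
	if err != nil {
		return Finding{}, err
	}
	defer resp.Body.Close()
	f := Finding{ID: id, Status: resp.StatusCode}
	if resp.StatusCode != http.StatusOK {
		return f, nil
	}
	var body map[string]any
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return f, nil // non-JSON 200 is still a hit, just without field analysis
	}
	for k := range body {
		for _, s := range sensitiveFields {
			if strings.EqualFold(k, s) {
				f.Exposed = append(f.Exposed, k)
			}
		}
	}
	return f, nil
}

// EnumerateIDOR probes IDs from..to as the user whose own ID is myID. Any 200 for
// a different ID is an authorization failure whether or not a hash or IP leaks.
func EnumerateIDOR(client *http.Client, base, token string, myID, from, to int) []Finding {
	var hits []Finding
	for id := from; id <= to; id++ {
		f, err := probeProfile(client, base, id, token)
		if err != nil || f.Status != http.StatusOK || id == myID {
			continue
		}
		hits = append(hits, f)
	}
	return hits
}

// demoServer is a constructed, deliberately vulnerable target: it serves every
// profile regardless of the bearer token, and user 2's record leaks a hash and an IP.
func demoServer() *httptest.Server {
	users := map[string]map[string]any{
		"1": {"id": 1, "role": "user"},
		"2": {"id": 2, "role": "admin", "password_hash": "$2b$12$constructed", "ip_address": "10.0.0.5"},
		"3": {"id": 3, "role": "user"},
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, ok := users[strings.TrimPrefix(r.URL.Path, "/api/users/")]
		if !ok {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(u)
	}))
}

func main() {
	srv := demoServer()
	defer srv.Close()
	// Caller is user 1; IDs 2 and 3 come back, so object-level authorization is missing.
	for _, f := range EnumerateIDOR(srv.Client(), srv.URL, "constructed-token", 1, 1, 5) {
		fmt.Printf("[!] /api/users/%d readable as another user; sensitive fields: %v\n", f.ID, f.Exposed)
	}
}
```

Run the same enumeration a second time with no token at all: if the hit list is unchanged, the endpoint is not merely missing object-level checks but is unauthenticated.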

Installation

Prerequisites

  • Go 1.21 or higher
  • Debian‑based distribution (recommended for external tools)
  • Optional tools (for full functionality):
      • john – password cracking (sudo apt install john)
      • git-dumper – repository dumping (pip install git-dumper)
      • websocat – WebSocket connections (sudo apt install websocat)

Build from source

git clone https://github.com/ekomsSavior/PEN.git
cd PEN
go mod init pen
go mod tidy
go build -o pen main.go

Run

./pen

On first run, you will be prompted for the target base URL (e.g., https://example.com) and an optional Bearer token. The tool saves this configuration for future runs.

Usage

After starting, the main menu presents 12 options:

1. IDOR Enumeration (user profiles)
2. File Upload Test (requires token)
3. SQL Injection Test
4. Lateral Movement (other users' uploads)
5. Exploitation (crack hashes, privilege escalation)
6. GraphQL Testing
7. WebSocket Testing
8. Git Repository Exposure & Secret Scanning
9. Server & Framework Fingerprinting
10. Common Misconfigurations
11. Run All Scans
12. Exit

Select a number and press Enter. Most modules provide real‑time feedback with status indicators:

  • [+] – positive finding or successful operation
  • [-] – error or negative result
  • [*] – informational message
  • [!] – vulnerability confirmed or important warning

Example walkthrough

./pen
Enter target base URL (e.g., https://example.com): https://target.com
Enter Bearer token (if any, leave empty for none): eyJhbGciOiJIUzI1NiIs...

After configuration, choose option 1 to enumerate user profiles, or option 11 to run all tests sequentially.

Output Interpretation

  • IDOR Enumeration – lists discovered user IDs, roles, and any exposed sensitive fields (password hashes, IP addresses). The absence of such fields does not make the endpoint safe: any profile returned for an ID other than your own, without a server‑side authorization check, is a broken object‑level authorization finding in itself.
  • Lateral Movement – if access is granted to other users’ uploads, the application may have a broken access control.
  • Git Exposure – if .git/HEAD is accessible, the tool will dump the repository and scan for secret patterns (Google OAuth, AWS keys, GitHub tokens, Stripe keys, Slack tokens, private keys) and CI/CD configuration files.
  • File Upload – a 200 status with success:true indicates the endpoint accepts the file. A path traversal test that returns 200 is a strong indicator of a high‑severity vulnerability; before reporting it, confirm that the file actually landed outside the upload directory (retrieve it from the traversed path or observe a side effect on the server), since some applications return 200 after silently sanitizing the filename.
  • SQL Injection – a 500 error, database error text in the body, a delay that matches a time‑based payload, or a difference in response length between a normal and an injected request suggests a possible injection point. Treat these as indicators, not proof: repeat the request to rule out normal timing and length jitter, and confirm with manual testing or sqlmap.
  • Common Misconfigurations – reports directory listing, exposed backup files, and readable config files (.env, web.config, phpinfo.php).
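As an added example (not PEN's code) of the Git exposure step above: first check that a fetched /.git/HEAD body really is a Git HEAD file, since many servers answer 200 with a catch‑all HTML page, then scan the dumped tree for the secret families listed and for CI/CD configuration files. The regexes, the CI/CD path markers and the dumped files below are this example's own assumptions; the file contents are constructed and use the AWS documentation example key ID.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Secret is one pattern hit in a dumped file.
type Secret struct {
	Kind  string
	File  string
	Line  int
	Match string
}

// Approximate patterns for the families the README names (assumed, not PEN's own).
var patterns = map[string]*regexp.Regexp{
	"AWS access key ID":   regexp.MustCompile(`\b(AKIA|ASIA)[0-9A-Z]{16}\b`),
	"GitHub token":        regexp.MustCompile(`\bgh[pousr]_[A-Za-z0-9]{36}\b`),
	"Stripe secret key":   regexp.MustCompile(`\bsk_(live|test)_[0-9a-zA-Z]{24,}\b`),
	"Slack token":         regexp.MustCompile(`\bxox[baprs]-[0-9A-Za-z-]{10,}\b`),
	"Google OAuth secret": regexp.MustCompile(`\bGOCSPX-[A-Za-z0-9_-]{28}\b`),
	"Private key":         regexp.MustCompile(`-----BEGIN (RSA |EC |DSA |OPENSSH |)PRIVATE KEY-----`),
}

// Path fragments that identify CI/CD configuration (assumed list).
var ciMarkers = []string{".github/workflows/", ".gitlab-ci.yml", "Jenkinsfile", ".travis.yml", ".circleci/config.yml", "bitbucket-pipelines.yml", "azure-pipelines.yml"}

var sha1Re = regexp.MustCompile(`^[0-9a-f]{40}$`)

// LooksLikeGitHead reports whether a fetched .git/HEAD body is a real HEAD file:
// either a symbolic ref ("ref: refs/heads/...") or a detached 40-hex commit id.
func LooksLikeGitHead(body string) bool {
	s := strings.TrimSpace(body)
	return strings.HasPrefix(s, "ref: refs/") || sha1Re.MatchString(s)
}

// ScanFiles runs every pattern over every line of the dumped files (path -> content)
// and returns the hits sorted by file and line, plus the CI/CD config paths found.
func ScanFiles(files map[string]string) (secrets []Secret, ci []string) {
	for path, content := range files {
		for _, m := range ciMarkers {
			if strings.Contains(path, m) {
				ci = append(ci, path)
				break
			}
		}
		for i, line := range strings.Split(content, "\n") {
			for kind, re := range patterns {
				if hit := re.FindString(line); hit != "" {
					secrets = append(secrets, Secret{Kind: kind, File: path, Line: i + 1, Match: hit})
				}
			}
		}
	}
	sort.Slice(secrets, func(i, j int) bool {
		a, b := secrets[i], secrets[j]
		if a.File != b.File {
			return a.File < b.File
		}
		if a.Line != b.Line {
			return a.Line < b.Line
		}
		return a.Kind < b.Kind
	})
	sort.Strings(ci)
	return secrets, ci
}

// sampleDump is a constructed repository dump standing in for git-dumper output.
func sampleDump() map[string]string {
	return map[string]string{
		"config/prod.env":              "DB_HOST=db.internal\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nSTRIPE_KEY=sk_live_" + strings.Repeat("a", 24) + "\n",
		".github/workflows/deploy.yml": "env:\n  GH_TOKEN: ghp_" + strings.Repeat("x", 36) + "\n  SLACK: xoxb-123456789012-constructedtoken\n",
		"deploy/id_rsa":                "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
		"README.md":                    "# service\nNothing sensitive here.\n",
	}
}

// redact keeps a report useful without copying the whole credential into it.
func redact(s string) string {
	if len(s) <= 8 {
		return "****"
	}
	return s[:4] + "..." + s[len(s)-4:]
}

func main() {
	fmt.Println("[*] HEAD check:", LooksLikeGitHead("ref: refs/heads/main\n"), LooksLikeGitHead("<html>Not found</html>"))
	secrets, ci := ScanFiles(sampleDump())
	for _, s := range secrets {
		fmt.Printf("[!] %s in %s:%d (%s)\n", s.Kind, s.File, s.Line, redact(s.Match))
	}
	for _, p := range ci {
		fmt.Printf("[*] CI/CD config: %s\n", p)
	}
}
```

Report matches redacted as above; a pentest deliverable that quotes a live key in full is itself a leak.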

Configuration File

The tool stores your settings, including the Bearer token in cleartext, in ~/.pen_config.json. Treat the file as a credential and keep its permissions restricted to your user:

{
  "target": "https://example.com",
  "token": "your_bearer_token"
}

To reset, delete the file or choose not to use saved configuration when prompted.
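Because the file holds a usable Bearer token, an added example (not PEN's code) of how a save/load routine can enforce owner‑only permissions on it: the file is created with mode 0600, chmod'ed in case it already existed with a looser mode, and refused at load time if group or others can read it. The Config struct mirrors the JSON above; the demo path under a temporary directory is an assumption, real runs would use ~/.pen_config.json.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// Config mirrors ~/.pen_config.json: the target and a bearer token in cleartext.
type Config struct {
	Target string `json:"target"`
	Token  string `json:"token"`
}

// DefaultPath is ~/.pen_config.json, the location the README documents.
func DefaultPath() (string, error) {
	home, err := os.UserHomeDir()
	if err != nil {
		return "", err
	}
	return filepath.Join(home, ".pen_config.json"), nil
}

// SaveConfig writes the file owner read/write only. os.WriteFile applies the mode
// only when it creates the file, so an existing world-readable file is chmod'ed too.
func SaveConfig(path string, c Config) error {
	data, err := json.MarshalIndent(c, "", "  ")
	if err != nil {
		return err
	}
	if err := os.WriteFile(path, data, 0o600); err != nil {
		return err
	}
	return os.Chmod(path, 0o600)
}

// LoadConfig refuses a token from a file that group or others can read: the token
// grants the same access on the target as a stolen session would.
func LoadConfig(path string) (Config, error) {
	var c Config
	info, err := os.Stat(path)
	if err != nil {
		return c, err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return c, fmt.Errorf("%s has mode %04o, expected 0600; fix with: chmod 600 %s", path, uint32(perm), path)
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(data, &c); err != nil {
		return c, err
	}
	return c, nil
}

func main() {
	dir, err := os.MkdirTemp("", "pen-config-demo")
	if err != nil {
		fmt.Println("[-]", err)
		return
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, ".pen_config.json") // demo location; real runs use DefaultPath()
	if err := SaveConfig(path, Config{Target: "https://example.com", Token: "your_bearer_token"}); err != nil {
		fmt.Println("[-]", err)
		return
	}
	c, err := LoadConfig(path)
	fmt.Printf("[+] loaded target=%s token-set=%t err=%v\n", c.Target, c.Token != "", err)
	os.Chmod(path, 0o644) // simulate a copy made carelessly or by an older build
	_, err = LoadConfig(path)
	fmt.Println("[!]", err)
}
```

Delete the file when the engagement ends, as the README suggests for a reset; a token that outlives its authorization window is a finding against the tester, not the target.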

Limitations

  • The tool assumes API endpoints follow common patterns (/api/users/{id}, /api/upload/csv, /api/networks, /api/my-uploads). For targets with custom paths, manual adjustment of the source code may be required.
  • SQL injection tests are basic; they may not detect blind or second‑order injections. Use sqlmap for deeper analysis.
  • File upload tests are limited to CSV/KML formats. Modify the createMultipart function for other file types.
  • WebSocket testing requires websocat to be installed and may not work over TLS if the certificate is self‑signed.
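To make the "basic" SQL injection heuristics concrete, here is an added example, not PEN's code, of an error‑based and time‑based probe that also measures baseline jitter so that a slow or variable endpoint is not reported on length or timing alone. The payload set, the error‑string list, the classification thresholds and the constructed httptest target (which mimics an unparameterised MySQL query on the id parameter of /api/networks) are this example's own assumptions; the boolean payload is an addition beyond the two test types the README names.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// Evidence summarises one injected request relative to the benign baseline.
type Evidence struct {
	Payload    string
	Status     int
	LenDelta   int // body length minus baseline body length
	DBError    bool
	Elapsed    time.Duration
	Suspicious bool
	Reason     string
}

// Error fragments from common engines (assumed list; extend for the target's stack).
var dbErrorRe = regexp.MustCompile(`(?i)(sql syntax|sqlstate|ora-\d{5}|pg_query|unterminated quoted string|syntax error at or near|sqlite3?\.)`)

type sample struct {
	status  int
	body    string
	elapsed time.Duration
}

// fetch sends GET base?param=value and records status, body and round-trip time.
func fetch(client *http.Client, base, param, value string) (sample, error) {
	u, err := url.Parse(base)
	if err != nil {
		return sample{}, err
	}
	q := u.Query()
	q.Set(param, value)
	u.RawQuery = q.Encode()
	start := time.Now()
	resp, err := client.Get(u.String())
	if err != nil {
		return sample{}, err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return sample{}, err
	}
	return sample{resp.StatusCode, string(b), time.Since(start)}, nil
}

func abs(n int) int {
	if n < 0 {
		return -n
	}
	return n
}

// ProbeParam sends the benign value twice to measure natural variance, then an
// error-based, a boolean and a time-based payload, and classifies each response
// against the baseline. A Suspicious result is an indicator to confirm by hand
// or with sqlmap, not proof of injection.
func ProbeParam(client *http.Client, base, param, benign string, delay time.Duration) ([]Evidence, error) {
	b1, err := fetch(client, base, param, benign)
	if err != nil {
		return nil, err
	}
	b2, err := fetch(client, base, param, benign)
	if err != nil {
		return nil, err
	}
	jitterLen := abs(len(b1.body) - len(b2.body))
	jitterTime := b1.elapsed
	if b2.elapsed > jitterTime {
		jitterTime = b2.elapsed
	}
	payloads := []string{
		benign + "'",            // error-based: unbalanced quote
		benign + "' AND '1'='2", // boolean: a real injection shrinks the result set
		fmt.Sprintf("%s' AND SLEEP(%g)-- ", benign, delay.Seconds()), // time-based (MySQL syntax)
	}
	var out []Evidence
	for _, p := range payloads {
		s, err := fetch(client, base, param, p)
		if err != nil {
			return nil, err
		}
		ev := Evidence{Payload: p, Status: s.status, LenDelta: len(s.body) - len(b1.body), DBError: dbErrorRe.MatchString(s.body), Elapsed: s.elapsed}
		switch {
		case ev.DBError:
			ev.Suspicious, ev.Reason = true, "database error text in response"
		case s.status >= 500 && b1.status < 500:
			ev.Suspicious, ev.Reason = true, "server error on injected value"
		case s.elapsed-jitterTime >= delay*3/4: // the sleep must explain most of the extra time
			ev.Suspicious, ev.Reason = true, "response delayed by roughly the injected sleep"
		case abs(ev.LenDelta) > jitterLen+8: // beyond observed baseline variance
			ev.Suspicious, ev.Reason = true, "response length differs from baseline"
		}
		out = append(out, ev)
	}
	return out, nil
}

// demoServer is a constructed target behaving like an unparameterised MySQL query.
func demoServer(delay time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id := r.URL.Query().Get("id")
		switch {
		case strings.Contains(id, "SLEEP("):
			time.Sleep(delay)
			fmt.Fprint(w, `[{"id":1,"name":"alice"}]`)
		case strings.Contains(id, "'1'='2"):
			fmt.Fprint(w, `[]`)
		case strings.Contains(id, "'"):
			w.WriteHeader(http.StatusInternalServerError)
			fmt.Fprint(w, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version")
		default:
			fmt.Fprint(w, `[{"id":1,"name":"alice"}]`)
		}
	}))
}

func main() {
	srv := demoServer(250 * time.Millisecond)
	defer srv.Close()
	evs, err := ProbeParam(srv.Client(), srv.URL+"/api/networks", "id", "1", 250*time.Millisecond)
	if err != nil {
		fmt.Println("[-]", err)
		return
	}
	for _, e := range evs {
		tag := "[*]"
		if e.Suspicious {
			tag = "[!]"
		}
		fmt.Printf("%s %-28q status=%d len%+d %v %s\n", tag, e.Payload, e.Status, e.LenDelta, e.Elapsed.Round(time.Millisecond), e.Reason)
	}
}
```

Against a real target, run the time‑based payload more than once and with two different delays; a delay that scales with the injected value is far stronger evidence than a single slow response. Second‑order injection, where the payload is stored and executed by a later request, is outside what this probe can see, which is why the README defers to sqlmap.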

Disclaimer

This tool is intended for authorized security testing and educational purposes only. Use it only on systems you own or have explicit permission to test. The author assumes no liability for misuse.


license

MIT License

Copyright (c) 2026 ek0mssavi0r / Church of Malware

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

USE AT YOUR OWN RISK. NO WARRANTY PROVIDED.