PEN - Professional Exploitation Network_tester

PEN is a modular, interactive penetration testing tool written in Go. It automates the scanning and exploitation of common web application security tests including IDOR enumeration, file upload testing, SQL injection detection, lateral movement checks, GraphQL endpoint discovery, WebSocket security testing, Git repository exposure scanning, server fingerprinting, and misconfiguration checks. Designed for authorized security assessments.

Features

  • IDOR Enumeration – scans /api/users/{id} style endpoints for unauthorized profile access
  • File Upload Testing – checks for path traversal and basic CSV/KML upload acceptance
  • SQL Injection Detection – time‑based and error‑based tests on common API parameters
  • Lateral Movement – attempts to access other users’ upload history via parameter tampering
  • Exploitation Module – optional password hash cracking (bcrypt via John) and privilege escalation attempts
  • GraphQL Endpoint Testing – discovers GraphQL endpoints and tests for introspection
  • WebSocket Security – finds WebSocket URLs in JavaScript and attempts connection
  • Git Repository Exposure – detects accessible .git/HEAD, dumps repository, scans for secrets (patterns + CI/CD files)
  • Server & Framework Fingerprinting – identifies web server headers and common framework paths
  • Common Misconfigurations – checks for directory listing, backup files, and exposed config files
  • Persistent Configuration – saves target URL and Bearer token to ~/.pen_config.json

Installation

Prerequisites

  • Go 1.21 or higher
  • Debian‑based distribution (recommended for external tools)
  • Optional tools (for full functionality):
      • john – password cracking (sudo apt install john)
      • git-dumper – repository dumping (pip install git-dumper)
      • websocat – WebSocket connections (sudo apt install websocat)

Build from source

git clone https://github.com/ekomsSavior/PEN.git
cd PEN
go mod init pen
go mod tidy
go build -o pen main.go

Run

./pen

On first run, you will be prompted for the target base URL (e.g., https://example.com) and an optional Bearer token. The tool saves this configuration for future runs.

Usage

After starting, the main menu presents 12 options:

1. IDOR Enumeration (user profiles)
2. File Upload Test (requires token)
3. SQL Injection Test
4. Lateral Movement (other users' uploads)
5. Exploitation (crack hashes, privilege escalation)
6. GraphQL Testing
7. WebSocket Testing
8. Git Repository Exposure & Secret Scanning
9. Server & Framework Fingerprinting
10. Common Misconfigurations
11. Run All Scans
12. Exit

Select a number and press Enter. Most modules provide real‑time feedback with status indicators:

  • [+] – positive finding or successful operation
  • [-] – error or negative result
  • [*] – informational message
  • [!] – vulnerability confirmed or important warning
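The four indicators above make PEN's output easy to post-process for a report. The following Go snippet is an added example (not part of the PEN project) that parses those prefixes and pulls out the [!] lines for triage; the sample output it scans is constructed, not captured from the tool.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// indicators are PEN's four status prefixes; "[!]" marks a confirmed vulnerability.
var indicators = []string{"[+]", "[-]", "[*]", "[!]"}

// ParseLine splits one output line into indicator and message; menu and
// prompt lines carry no prefix and return ok=false.
func ParseLine(line string) (kind, msg string, ok bool) {
	line = strings.TrimSpace(line)
	for _, k := range indicators {
		if strings.HasPrefix(line, k) {
			return k, strings.TrimSpace(line[len(k):]), true
		}
	}
	return "", "", false
}

// Summarize counts lines per indicator and collects the [!] messages,
// which are the findings that need triage and remediation.
func Summarize(output string) (map[string]int, []string) {
	counts := map[string]int{}
	var vulns []string
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		if kind, msg, ok := ParseLine(sc.Text()); ok {
			counts[kind]++
			if kind == "[!]" {
				vulns = append(vulns, msg)
			}
		}
	}
	return counts, vulns
}

// SampleOutput is constructed for this example, not captured from PEN.
const SampleOutput = `Select an option: 10
[*] Checking common misconfigurations
[-] /backup.zip not found (404)
[+] Directory listing enabled at /uploads/
[!] Readable config file: /.env
[!] Path traversal upload returned 200`

func main() { fmt.Println(Summarize(SampleOutput)) }
```

Pipe a saved PEN session into Summarize to get a per-indicator count and the list of confirmed findings to fix first.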

Example walkthrough

./pen
Enter target base URL (e.g., https://example.com): https://target.com
Enter Bearer token (if any, leave empty for none): eyJhbGciOiJIUzI1NiIs...

After configuration, choose option 1 to enumerate user profiles, or option 11 to run all tests sequentially.

Output Interpretation

  • IDOR Enumeration – lists discovered user IDs, roles, and any exposed sensitive fields (password hash, IP addresses). If no sensitive fields appear, the endpoint is likely safe.
  • Lateral Movement – if access is granted to other users’ uploads, the application may have a broken access control.
  • Git Exposure – if .git/HEAD is accessible, the tool will dump the repository and scan for secret patterns (Google OAuth, AWS keys, GitHub tokens, Stripe keys, Slack tokens, private keys) and CI/CD configuration files.
  • File Upload – a 200 status with success:true indicates the endpoint accepts the file. A path traversal test that returns 200 indicates a high‑severity vulnerability.
  • SQL Injection – a 500 error or a difference in response length between a normal and injected request suggests a possible injection point.
  • Common Misconfigurations – reports directory listing, exposed backup files, and readable config files (.env, web.config, phpinfo.php).

Configuration File

The tool stores your settings in ~/.pen_config.json:

{
  "target": "https://example.com",
  "token": "your_bearer_token"
}

To reset, delete the file or choose not to use saved configuration when prompted.
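Because the Bearer token sits in this file in plaintext, its file mode matters. The Go snippet below is an added example (not PEN's own code) that reads and writes the same two-field JSON layout, creates the file with mode 0600, and refuses to load a copy that other local users can read; the Config type and function names are assumptions for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// Config mirrors the two fields PEN keeps in ~/.pen_config.json.
type Config struct {
	Target string `json:"target"`
	Token  string `json:"token"`
}

// SaveConfig writes the file with mode 0600 so other local users cannot
// read the plaintext Bearer token; Chmod also tightens a pre-existing file.
func SaveConfig(path string, cfg Config) error {
	data, err := json.MarshalIndent(cfg, "", "  ")
	if err != nil {
		return err
	}
	if err := os.WriteFile(path, data, 0o600); err != nil {
		return err
	}
	return os.Chmod(path, 0o600)
}

// LoadConfig refuses a config readable by group or others: treat that token as exposed.
func LoadConfig(path string) (Config, error) {
	var cfg Config
	info, err := os.Stat(path)
	if err != nil {
		return cfg, err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return cfg, fmt.Errorf("%s has mode %04o; run chmod 600 and rotate the token", path, perm)
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return cfg, err
	}
	if err := json.Unmarshal(data, &cfg); err != nil {
		return Config{}, err
	}
	return cfg, nil
}

func main() {
	home, _ := os.UserHomeDir()
	cfg, err := LoadConfig(filepath.Join(home, ".pen_config.json"))
	fmt.Println("target:", cfg.Target, "error:", err)
}
```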

Limitations

  • The tool assumes API endpoints follow common patterns (/api/users/{id}, /api/upload/csv, /api/networks, /api/my-uploads). For targets with custom paths, manual adjustment of the source code may be required.
  • SQL injection tests are basic; they may not detect blind or second‑order injections. Use sqlmap for deeper analysis.
  • File upload tests are limited to CSV/KML formats. Modify the createMultipart function for other file types.
  • WebSocket testing requires websocat to be installed and may not work over TLS if the certificate is self‑signed.

Disclaimer

This tool is intended for authorized security testing and educational purposes only. Use it only on systems you own or have explicit permission to test. The author assumes no liability for misuse.