Share
## https://sploitus.com/exploit?id=94E07749-2E3B-5055-A6CE-12ABD0B09A88
# π€ XBOW-Metascan: AI-Powered Autonomous Pentesting Platform
[](https://opensource.org/licenses/MIT)
[](https://www.python.org/downloads/)
[](https://www.docker.com/)
[](https://github.com/psf/black)
> **AI-driven autonomous penetration testing platform inspired by XBOW, tailored for Metascan's vulnerability scanning ecosystem**
## π― Overview
XBOW-Metascan is an enterprise-grade autonomous penetration testing platform that combines:
- **Multi-Agent AI Architecture** for distributed vulnerability discovery
- **LLM-Powered Exploit Generation** with OpenAI/Anthropic/Local models
- **Real-time Integration** with Metascan's scanning infrastructure
- **Automated PoC Generation** with curl/Docker command outputs
- **Intelligent Orchestration** for coordinated attack campaigns
### Key Differentiators vs XBOW
| Feature | XBOW (Commercial) | XBOW-Metascan (Open Source) |
|---------|-------------------|-----------------------------|
| Agent Architecture | Proprietary closed-source | Open multi-agent framework with LangChain/CrewAI |
| Exploit Database | 1092+ proprietary vulns | Integration with Metascan's 29 engines + OSS databases |
| Target Scope | Generic web/API | Optimized for Russian/CIS infrastructure |
| Pricing | Enterprise SaaS | Self-hosted, free for unlimited assets |
| Integration | Standalone platform | Deep Metascan API integration |
| Validation | AI-driven PoC | curl/docker cmdline generation for DevSecOps |
---
## π Table of Contents
- [Architecture](#-architecture)
- [Features](#-features)
- [Installation](#-installation)
- [Quick Start](#-quick-start)
- [Configuration](#-configuration)
- [Usage](#-usage)
- [AI Agents](#-ai-agents)
- [Integration with Metascan](#-integration-with-metascan)
- [Development](#-development)
- [Roadmap](#-roadmap)
- [Contributing](#-contributing)
- [License](#-license)
---
## ποΈ Architecture
See [ARCHITECTURE.md](./ARCHITECTURE.md) for comprehensive technical design.
```mermaid
graph TB
subgraph "Control Plane"
API[FastAPI REST API]
WS[WebSocket Server]
ORCH[Orchestrator Engine]
end
subgraph "AI Agent Layer"
RECON[Reconnaissance Agent]
VULN[Vulnerability Scanner Agent]
EXPLOIT[Exploit Generator Agent]
VALID[Validation Agent]
REPORT[Reporting Agent]
end
subgraph "LLM Providers"
GPT4[GPT-4 Turbo]
CLAUDE[Claude 3.5 Sonnet]
OLLAMA[Ollama Local]
end
subgraph "External Integrations"
METASCAN[Metascan API]
NVD[NVD Database]
EXPLOITDB[ExploitDB]
end
API --> ORCH
WS --> ORCH
ORCH --> RECON
ORCH --> VULN
ORCH --> EXPLOIT
ORCH --> VALID
ORCH --> REPORT
RECON -.LLM.-> GPT4
VULN -.LLM.-> CLAUDE
EXPLOIT -.LLM.-> OLLAMA
RECON --> METASCAN
VULN --> NVD
EXPLOIT --> EXPLOITDB
```
### Core Components
1. **Orchestrator Engine** - Central coordinator using state machines
2. **AI Agent Framework** - LangChain/CrewAI-based autonomous agents
3. **Exploit Repository** - Versioned library of PoCs and exploits
4. **Validation Engine** - Safe sandbox for exploit testing
5. **Integration Layer** - Metascan API client with webhook support
---
## β¨ Features
### π Autonomous Discovery
- **Asset enumeration** via Metascan's 5 domain discovery mechanisms
- **Port scanning** integration with Metascan's 0-65535 full-range scanners
- **Service fingerprinting** using AI-enhanced signature matching
- **Attack surface mapping** with knowledge graph construction
### π§ AI-Powered Analysis
- **Multi-model LLM support** (GPT-4, Claude, LLaMA, Mistral via Ollama)
- **Chain-of-thought reasoning** for complex vulnerability chains
- **Self-healing exploits** that adapt to target responses
- **Context-aware payloads** generated based on target tech stack
### π₯ Exploit Automation
- **Zero-day research** using mutation-based fuzzing guided by LLMs
- **N-day weaponization** with CVE-to-PoC automation
- **Exploit chaining** for privilege escalation paths
- **Payload obfuscation** to evade WAF/IDS
### β
Validation & Reporting
- **PoC generation** as curl commands and Docker one-liners
- **Evidence collection** with screenshots and HTTP captures
- **CVSS scoring** with automated severity calculation
- **JSON/PDF reports** compatible with Metascan's dashboard
### π Metascan Integration
- **Bidirectional sync** with Metascan's vulnerability database
- **Scheduled scanning** triggered by Metascan's daily checks
- **Lua script generation** for custom Metascan probes
- **ASN/RIPE integration** for automatic target expansion
---
## π Installation
### Prerequisites
- **Python 3.11+** (async/await features required)
- **Docker 24.0+** & Docker Compose v2
- **8GB RAM minimum** (16GB recommended for LLM inference)
- **PostgreSQL 15+** or use Docker container
- **Redis 7+** for task queue
### Option 1: Docker Compose (Recommended)
```bash
# Clone repository
git clone https://github.com/Teketkom/metascan-xbow-ai-pentester.git
cd metascan-xbow-ai-pentester
# Copy environment template
cp .env.example .env
# Edit configuration (add API keys)
vim .env
# Start all services
docker-compose up -d
# Check status
docker-compose ps
# View logs
docker-compose logs -f orchestrator
```
Services will be available at:
- **API**: http://localhost:8000
- **WebSocket**: ws://localhost:8000/ws
- **Swagger docs**: http://localhost:8000/docs
- **PostgreSQL**: localhost:5432
- **Redis**: localhost:6379
### Option 2: Manual Installation
```bash
# Create virtual environment
python3.11 -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
# Install dependencies
pip install -r requirements.txt
# Setup database
psql -U postgres -c "CREATE DATABASE xbow_metascan;"
alembic upgrade head
# Start services
# Terminal 1: Redis
redis-server
# Terminal 2: Celery worker
celery -A app.worker worker --loglevel=info
# Terminal 3: API server
uvicorn app.main:app --reload --host 0.0.0.0 --port 8000
```
---
## β‘ Quick Start
### 1. Configure LLM Provider
```yaml
# config/config.yaml
llm:
provider: "openai" # Options: openai, anthropic, ollama
model: "gpt-4-turbo-preview"
api_key: "${OPENAI_API_KEY}"
temperature: 0.7
max_tokens: 4096
```
### 2. Connect Metascan
```bash
# Add Metascan API credentials
export METASCAN_API_KEY="your_api_key_here"
export METASCAN_BASE_URL="https://api.metascan.ru"
# Test connection
python -m app.cli metascan test-connection
```
### 3. Launch Your First Campaign
```bash
# Via CLI
python -m app.cli campaign create \
--target example.com \
--scope "web,api" \
--intensity medium
# Via API
curl -X POST http://localhost:8000/api/v1/campaigns \
-H "Content-Type: application/json" \
-d '{
"target": "example.com",
"scope": ["web", "api"],
"intensity": "medium"
}'
```
### 4. Monitor Progress
```bash
# Watch campaign in real-time
python -m app.cli campaign watch
# Or via WebSocket
wscat -c ws://localhost:8000/ws/campaigns/
```
### 5. Export Results
```bash
# Generate report
python -m app.cli report generate \
--campaign \
--format json,pdf \
--output ./reports/
# Push to Metascan
python -m app.cli metascan push-results
```
---
## βοΈ Configuration
### Environment Variables
```bash
# Core Settings
APP_ENV=production
DEBUG=false
LOG_LEVEL=INFO
# Database
DATABASE_URL=postgresql://user:pass@localhost:5432/xbow_metascan
REDIS_URL=redis://localhost:6379/0
# LLM Providers
OPENAI_API_KEY=sk-...
ANTHROPIC_API_KEY=sk-ant-...
OLLAMA_BASE_URL=http://localhost:11434
# Metascan Integration
METASCAN_API_KEY=your_key
METASCAN_BASE_URL=https://api.metascan.ru
METASCAN_WEBHOOK_SECRET=webhook_secret
# Security
JWT_SECRET_KEY=your_jwt_secret
ENCRYPTION_KEY=fernet_key_here
# Rate Limiting
RATE_LIMIT_PER_MINUTE=60
MAX_CONCURRENT_CAMPAIGNS=5
```
### Advanced Configuration
See [docs/configuration.md](./docs/configuration.md) for:
- Agent behavior tuning
- Custom exploit modules
- Webhook configuration
- Performance optimization
---
## π Usage
### CLI Commands
```bash
# Campaign Management
app.cli campaign create --target TARGET
app.cli campaign list
app.cli campaign status
app.cli campaign stop
# Agent Control
app.cli agent list
app.cli agent spawn --type recon --count 3
app.cli agent kill
# Metascan Integration
app.cli metascan sync
app.cli metascan import-scan
app.cli metascan generate-lua --vuln CVE-2023-1234
# Reporting
app.cli report generate --campaign
app.cli report list
app.cli report export --format pdf
```
### Python API
```python
from app.client import XBOWClient
# Initialize client
client = XBOWClient(
api_url="http://localhost:8000",
api_key="your_api_key"
)
# Create campaign
campaign = client.campaigns.create(
target="example.com",
scope=["web", "api"],
intensity="high"
)
# Monitor progress
for update in client.campaigns.watch(campaign.id):
print(f"Status: {update.status}")
print(f"Findings: {len(update.vulnerabilities)}")
# Get results
results = client.campaigns.get_results(campaign.id)
for vuln in results.vulnerabilities:
print(f"[{vuln.severity}] {vuln.title}")
print(f"PoC: {vuln.proof_of_concept.curl_command}")
```
---
## π€ AI Agents
### Agent Types
#### 1. Reconnaissance Agent
**Purpose**: Asset discovery and enumeration
**Tools**: Subfinder, Amass, DNSRecon, Shodan API
**LLM Tasks**:
- Identify interesting subdomains
- Prioritize attack surface
- Correlate OSINT data
#### 2. Vulnerability Scanner Agent
**Purpose**: Detect known and unknown vulnerabilities
**Tools**: Nuclei, Nikto, SQLMap, custom probes
**LLM Tasks**:
- Analyze HTTP responses for anomalies
- Suggest custom scan configurations
- Identify zero-day patterns
#### 3. Exploit Generator Agent
**Purpose**: Create working exploits for discovered vulns
**Tools**: Metasploit, custom exploit templates
**LLM Tasks**:
- Generate exploit code in Python/Bash
- Create obfuscated payloads
- Adapt exploits to target environment
#### 4. Validation Agent
**Purpose**: Verify exploits work safely
**Tools**: Docker sandboxes, HTTP capture
**LLM Tasks**:
- Analyze exploit output
- Generate curl/docker commands
- Calculate CVSS scores
#### 5. Reporting Agent
**Purpose**: Compile findings into actionable reports
**LLM Tasks**:
- Write vulnerability descriptions
- Suggest remediation steps
- Generate executive summaries
### Agent Communication
Agents coordinate via:
1. **Shared Knowledge Graph** - Neo4j database of findings
2. **Message Queue** - Redis pub/sub for events
3. **LLM Context Sharing** - RAG-based memory system
---
## π Integration with Metascan
### Bidirectional Sync
```python
# Import Metascan scan into XBOW campaign
client.metascan.import_scan(
scan_id="metascan_123",
campaign_id="xbow_456"
)
# Push XBOW findings back to Metascan
client.metascan.push_vulnerabilities(
campaign_id="xbow_456",
metascan_project="project_789"
)
```
### Webhook Integration
```yaml
# Metascan triggers XBOW on new assets
POST /api/v1/webhooks/metascan
{
"event": "scan.completed",
"scan_id": "123",
"assets": ["example.com"],
"findings_count": 42
}
```
### Lua Script Generation
```bash
# Generate Metascan probe for discovered vuln
app.cli metascan generate-lua \
--vuln-id xbow_vuln_123 \
--output probes/custom_xss.lua
# Output: Metascan-compatible Lua NSE script
```
---
## π οΈ Development
### Project Structure
```
metascan-xbow-ai-pentester/
βββ app/
β βββ agents/ # AI agent implementations
β βββ api/ # FastAPI routes
β βββ core/ # Business logic
β βββ db/ # Database models
β βββ integrations/ # External API clients
β βββ llm/ # LLM provider abstractions
β βββ worker/ # Celery tasks
βββ config/ # Configuration files
βββ docker/ # Dockerfiles
βββ docs/ # Documentation
βββ exploits/ # Exploit templates
βββ probes/ # Metascan Lua scripts
βββ tests/ # Test suite
βββ scripts/ # Utility scripts
```
### Running Tests
```bash
# Unit tests
pytest tests/unit/
# Integration tests
pytest tests/integration/
# E2E tests (requires Docker)
pytest tests/e2e/
# Coverage
pytest --cov=app tests/
```
### Code Quality
```bash
# Linting
ruff check app/
# Formatting
black app/
isort app/
# Type checking
mypy app/
```
---
## πΊοΈ Roadmap
### Phase 1: MVP (Q1 2025) β
- [x] Core orchestrator engine
- [x] Basic agent framework
- [x] Metascan API integration
- [x] OpenAI/Anthropic LLM support
### Phase 2: Advanced Features (Q2 2025)
- [ ] Exploit chaining engine
- [ ] Local LLM support (Ollama)
- [ ] Neo4j knowledge graph
- [ ] Web UI dashboard
### Phase 3: Enterprise (Q3 2025)
- [ ] Multi-tenancy support
- [ ] RBAC and audit logs
- [ ] Custom agent development SDK
- [ ] Marketplace for exploits/probes
### Phase 4: Research (Q4 2025)
- [ ] Zero-day discovery using fuzzing
- [ ] Autonomous exploit development
- [ ] Adversarial ML for evasion
- [ ] Integration with Bug Bounty platforms
---
## π€ Contributing
We welcome contributions! See [CONTRIBUTING.md](./CONTRIBUTING.md) for guidelines.
### Areas for Contribution
1. **New Agents** - Implement specialized agents (e.g., mobile, IoT)
2. **Exploits** - Add PoCs to `exploits/` directory
3. **Integrations** - Connect with other security tools
4. **Documentation** - Improve guides and examples
5. **Bug Fixes** - Help maintain code quality
---
## π License
MIT License - see [LICENSE](./LICENSE) for details.
---
## π Acknowledgments
- **XBOW** for inspiration and approach methodology
- **Metascan** for integration partnership
- **LangChain/CrewAI** for agent framework
- **OpenAI/Anthropic** for LLM access
- Open source security community
---
## π Contact
- **Author**: Dmitriy Shalimov (Teketkom)
- **GitHub**: [@Teketkom](https://github.com/Teketkom)
- **Email**: [Your contact]
- **Issues**: [GitHub Issues](https://github.com/Teketkom/metascan-xbow-ai-pentester/issues)
---
**Built with β€οΈ for the security community**