AutoPentestX has landed as one of those tools that make sense in the pentesting world right now.
You’re staring at a target IP, knowing you need a complete security rundown, OS type, open ports, service versions, web flaws, SQL injection risks, CVE details, risk scores, and even exploit simulations, but without spending hours chaining Nmap, Nikto, and SQLMap commands yourself.
This open-source toolkit, dropped on GitHub by Gowtham-Darkseid back in late November 2025, handles it all from one line: ./autopentestx.sh 192.168.1.100.
And at the end, it hands you a polished PDF report that looks like it came from a high-end consultancy, complete with tables, charts, and fix-it advice.
I remember first firing it up in a Kali VM lab. Cloned the repo, ran the install script, and within minutes, it was chewing through a vulnerable test box.
What struck me was how it doesn’t just dump raw output; it thinks like a human tester. It fingerprints the OS with Nmap’s -O, aggressively but smartly sweeps TCP and UDP ports (top 1000 UDP to avoid endless hangs), grabs service banners, then zeros in on web ports for deeper digs.
Nikto pokes at servers for things like exposed directories or weak headers, while SQLMap runs in batch mode at level 3/risk 2 to hunt for injections without getting too noisy.
From there, it hits the CIRCL CVE API to pull real CVSS scores and descriptions, crunches them with custom weights, and spits out risk levels: CRITICAL if it’s 9.0+, down to LOW under 4.0.
The risk math is where it gets clever, not just regurgitating numbers.
Say you have a CVSS 7.5 on an exposed SMB service and there's a public exploit floating around (EternalBlue vibes): it bumps the score by 1.5x. Remote code exec potential? Doubles it.
Internet-facing port? Another 1.3x multiplier. Suddenly, that MEDIUM jumps to HIGH or CRITICAL, which feels right based on real-world breach patterns I’ve seen. It even flags unknowns without pretending to know better, and ties everything to service sensitivity. SSH flaws hit harder than a random FTP misconfig.
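As an added example (not code from the AutoPentestX repo), here is a small risk engine that applies the multipliers and buckets the write-up describes. The HIGH/MEDIUM boundary at 7.0, the per-service weights, and capping the adjusted score at 10.0 are assumptions; only the 1.5x/2x/1.3x factors and the CRITICAL (9.0+) and LOW (<4.0) cut-offs come from the text.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed service-sensitivity weights: the write-up only says SSH flaws
# hit harder than an FTP misconfig, so these numbers are illustrative.
SERVICE_WEIGHT = {"ssh": 1.2, "smb": 1.1, "http": 1.0, "ftp": 0.9}


@dataclass
class Finding:
    cve: str
    cvss: float                    # base score as pulled from the CVE API
    service: str
    public_exploit: bool = False   # known public exploit -> 1.5x
    rce: bool = False              # remote code exec potential -> 2x
    internet_facing: bool = False  # reachable from the internet -> 1.3x


def adjusted_score(f: Finding) -> float:
    """Apply the write-up's multipliers, then the assumed service weight.
    Capping at 10.0 keeps the result on the CVSS scale (assumption)."""
    score = f.cvss
    if f.public_exploit:
        score *= 1.5
    if f.rce:
        score *= 2.0
    if f.internet_facing:
        score *= 1.3
    # Unknown service: neutral weight rather than pretending to know better.
    score *= SERVICE_WEIGHT.get(f.service.lower(), 1.0)
    return round(min(score, 10.0), 2)


def risk_level(score: float) -> str:
    """CRITICAL at 9.0+ and LOW under 4.0 are from the write-up;
    the 7.0 split between HIGH and MEDIUM is an assumption."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def score_finding(f: Finding) -> tuple[float, str]:
    """Return (adjusted score, bucket) for one finding."""
    s = adjusted_score(f)
    return s, risk_level(s)
```

With these factors a MEDIUM 5.5 on an internet-facing web port becomes 7.15 (HIGH), which is the "MEDIUM jumps to HIGH" effect the write-up describes.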
Under the hood, it's pure Python modularity. Main.py is the conductor, using argparse for clean CLI flags like -n for your name on reports or --skip-web if you're doing network basics.
Modules folder keeps things tidy: scanner.py wraps python-nmap for XML parsing into dicts of ports/services; vuln_scanner.py spawns subprocesses for Nikto/SQLMap, greps their stdout for severity flags and JSON dumps; risk_engine.py does the multiplier magic; exploit_engine.py matches CVEs to Metasploit modules and generates .rc scripts you can load manually later, no auto-exploitation unless you flip --no-safe-mode, which I wouldn't touch in prod-adjacent tests.
Data sticks around in the SQLite database/autopentestx.db, which is genius for trend analysis. Tables break it down clean:
| Table | What It Tracks | Why It Matters |
|---|---|---|
| scans | Target, timestamps, total vulns, risk summary | Track runs over time |
| ports | Port num, protocol, service/version, banner | Quick ref for open attack surface |
| vulnerabilities | CVE ID, CVSS score, risk level, description, fixes | Prioritized flaw list |
| web_vulnerabilities | URL, vuln type (XSS/SQLi/etc.), severity, PoC | Web-specific deep dives |
| exploits | Linked vuln, MSF module, RC path, sim status | Manual follow-up ready |
Query it later with sqlite3: SELECT * FROM vulnerabilities WHERE risk_level='CRITICAL'; and you've got your hot list.
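Added example, not the project's own code: a cut-down version of the scans and vulnerabilities tables the write-up lists, used for the hot-list query above and for the trend-analysis angle (vuln count per run, and what disappeared between two runs). Column names beyond the ones the write-up names, and the sample rows, are constructed.

```python
import sqlite3
from typing import List, Tuple

# Assumed schema mirroring the table descriptions in the write-up.
SCHEMA = """
CREATE TABLE scans (
    id INTEGER PRIMARY KEY, target TEXT, started_at TEXT,
    total_vulns INTEGER, risk_summary TEXT);
CREATE TABLE vulnerabilities (
    id INTEGER PRIMARY KEY, scan_id INTEGER REFERENCES scans(id),
    cve_id TEXT, cvss_score REAL, risk_level TEXT, description TEXT, fixes TEXT);
"""

# Constructed sample data: two runs against the same lab host, a month apart.
SAMPLE_SCANS = [(1, "192.168.1.100", "2026-01-01T10:00", 3, "1 CRITICAL, 2 HIGH"),
                (2, "192.168.1.100", "2026-02-01T15:12", 1, "1 HIGH")]
SAMPLE_VULNS = [  # CVE ids are placeholders, not real identifiers
    (1, "CVE-PLACEHOLDER-1", 9.8, "CRITICAL", "remote code execution", "patch"),
    (1, "CVE-PLACEHOLDER-2", 7.5, "HIGH", "auth bypass", "upgrade"),
    (1, "CVE-PLACEHOLDER-3", 7.2, "HIGH", "info leak", "harden config"),
    (2, "CVE-PLACEHOLDER-2", 7.5, "HIGH", "auth bypass", "upgrade"),
]


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Create the schema and load the constructed rows (in memory by default)."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO scans VALUES (?,?,?,?,?)", SAMPLE_SCANS)
    con.executemany("INSERT INTO vulnerabilities (scan_id, cve_id, cvss_score,"
                    " risk_level, description, fixes) VALUES (?,?,?,?,?,?)", SAMPLE_VULNS)
    return con


def hot_list(con: sqlite3.Connection, scan_id: int) -> List[str]:
    """The write-up's hot-list query, scoped to one scan, highest CVSS first."""
    rows = con.execute("SELECT cve_id FROM vulnerabilities WHERE risk_level='CRITICAL'"
                       " AND scan_id=? ORDER BY cvss_score DESC", (scan_id,)).fetchall()
    return [r[0] for r in rows]


def trend(con: sqlite3.Connection, target: str) -> List[Tuple[str, int]]:
    """Vuln count per run for one target, oldest first (LEFT JOIN keeps clean runs)."""
    return con.execute("SELECT s.started_at, COUNT(v.id) FROM scans s"
                       " LEFT JOIN vulnerabilities v ON v.scan_id = s.id"
                       " WHERE s.target=? GROUP BY s.id ORDER BY s.started_at",
                       (target,)).fetchall()


def fixed_since(con: sqlite3.Connection, old_scan: int, new_scan: int) -> List[str]:
    """CVE ids present in old_scan but absent from new_scan: what got remediated."""
    rows = con.execute("SELECT cve_id FROM vulnerabilities WHERE scan_id=? EXCEPT"
                       " SELECT cve_id FROM vulnerabilities WHERE scan_id=?",
                       (old_scan, new_scan)).fetchall()
    return sorted(r[0] for r in rows)
```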
The logs folder captures every step of tool outputs, errors, and timestamps for audits, and JSON exports make it SIEM-friendly.
Tool Integration Table
| Tool | Job | How It Hooks In | Output Grab |
|---|---|---|---|
| Nmap | OS/ports/services | python-nmap lib | XML to Python dicts |
| Nikto | Web server issues | subprocess.Popen | Stdout regex for flags |
| SQLMap | SQL injections | subprocess with --json | Parsed payloads/dump status |
| Metasploit | Exploit matching | Template .rc generation | Files in exploits/ ready for msfconsole |
| CIRCL CVE | Vuln details/CVSS | requests.get API | Cached JSON |
| ReportLab | PDF reports | Canvas/tables/charts | Pro-looking PDFs |
| SQLite | Storage | sqlite3 module | Persistent, queryable DB |
It leans on battle-tested binaries without reinventing wheels, wrapped safely:
Subprocesses get timeouts (default 300s) and newline handling so unread output can't fill the pipe and stall the run.
Install.sh makes setup painless: apt pulls the deps, spins a venv, pip installs the requirements (reportlab for PDFs, python-nmap, requests), mkdirs the dirs, and tests everything.
Manual if you’re offline: same apt list, venv activate, pip away. Needs root for Nmap’s raw sockets; Kali/Ubuntu 20.04+ and Python 3.8+.
Usage is dead simple. ./autopentestx.sh example.com or python3 main.py -t 10.0.0.5 --skip-exploit for quick port scans.
Complete runs take 5-30 minutes; small targets zip by, big networks chew longer with UDP. It spits out PDFs like AutoPentestX_Report_192.168.1.100_20260201_1512.pdf with cover pages, port tables (22/ssh OpenSSH 8.9 | 80/http Apache 2.4.41), CVE grids (ID | Score | Risk | Fix: patch to 2.4.50), risk bars, and remediations like "Enable WAF rule for SQLi patterns."
Config.json lets you dial it in, no code edits needed. Crank timeouts for slow boxes, toggle Nikto/SQLMap, tweak CVSS buckets or multipliers.
Safety's front and center: safe mode default (no live pops), local-only data (CVE API excepted), watermarks screaming "Authorized only," and rate limits at 10 rps so you don't DoS your lab. Legal disclaimer: own it or get written perms, or it's felony territory.
| Problem | Likely Culprit | Quick Fix |
|---|---|---|
| Permission denied | Nmap raw sockets | sudo python3 main.py -t <ip> |
| Nikto/SQLMap AWOL | Bad install | sudo apt install nikto sqlmap |
| Import crashes | Venv forgot | source venv/bin/activate |
| PDF blanks out | ReportLab fonts | pip install --upgrade reportlab |
| Hangs forever | UDP flood or slow web | Config.json timeout: 600s |
Testing with python3 test_installation.py scans localhost, checks paths, and inits the DB. Resource-wise it's moderate: 500 MB RAM peak, 20% CPU on 4 cores, network bursts but throttleable.
Code’s solid, PEP8-clean, try/excepts everywhere, logging to stderr/DB, type hints for sanity.
MIT license, contributions welcome via forks/PRs with tests. v1.0.0 nailed the core; future features include multi-target CIDR scans, cron scheduling, a web dashboard, and even ML for false-positive filtering.
In practice, it’s a time-saver. Red teamer? Baseline before manual pivots. Blue? Quarterly DMZ checks, pipe JSON to tickets. Teaching OSCP/CEH? Demo complete workflow ethically.
Chained with your OSINT work, run it post-recon to prioritize vulns; say it flags an old DKIM misconfig via Nikto on mail servers.
On Metasploitable2, it nailed ms08_067 (CRITICAL, public exp), DVWA SQLi (HIGH), and command injection (MEDIUM with PoC).
No black magic, just clever scripting, gluing tools we already trust, but with persistence, scoring, and reports that cut grunt work.
Site: cybersecuritypath.com