█████╗ ██████╗ ███████╗███████╗
██╔══██╗██╔══██╗██╔════╝██╔════╝
███████║██████╔╝█████╗ ███████╗
██╔══██║██╔══██╗██╔══╝ ╚════██║
██║ ██║██║ ██║███████╗███████║
╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚══════╝
Autonomous Reconnaissance & Exploitation System
⚠️ For authorized lab environments only — HackTheBox · TryHackMe · Personal VMs
ares is a fully autonomous penetration testing agent that combines Nmap, Metasploit, AI decision-making via Groq, and a suite of offensive tools into a single CLI. It executes a full attack chain — recon → exploitation → post-exploitation — without human intervention, and generates professional PDF/JSON reports.
$ python main.py --target 172.20.10.2 --agent
[*] Starting ARES v6.2.1 — Target: 172.20.10.2
[*] Phase 1 — Passive Recon: WHOIS, DNS, Shodan fingerprint...
[*] Phase 2 — Active Scan: Nmap 3-pass (host discovery → ports → services)
[*] 23 ports discovered — Attack surface score: 95/100
[*] AI analysis (Groq Llama-3.3-70b): CVE-2009-3843 identified → tomcat_mgr_deploy
[*] Phase 3 — Exploitation: Launching Metasploit RPC...
[*] Module: exploit/multi/http/tomcat_mgr_deploy → RHOST=172.20.10.2
[+] Session opened → Meterpreter shell active
[*] Phase 4 — Post-Exploitation: uid=daemon → escalating...
[*] GTFOBins + distcc_rce privilege escalation...
[+] uid=0(root) euid=0(root) — ROOT ACCESS ACHIEVED
[*] Credential harvesting: /etc/shadow → 7 hashes extracted
[+] Backdoor installed: SSH key injected + crontab persistence
[+] shell> whoami → root
[+] Report generated: report_172.20.10.2_20250607_142310.pdf| Module | Features |
|---|---|
| 🔍 Passive Recon | WHOIS, DNS enumeration, subdomain discovery, Shodan, HTTP fingerprinting |
| 📡 Active Scan | Nmap 3-pass (host discovery, full port scan, service/version detection) |
| 🌐 Web Enumeration | Directory bruteforce, sensitive file detection, CMS fingerprinting |
| 🔧 Service Enum | SMB, LDAP, FTP, SSH banner grabbing |
| 🤖 AI Decision Engine | Groq Llama-3.3-70b: CVE suggestions, exploit selection, attack vector scoring |
| 💥 Exploitation | Metasploit RPC, SQLMap, Hydra, Nikto, WPScan, SearchSploit integration |
| 🔐 Post-Exploitation | Credential harvesting, GTFOBins privesc, distcc_rce, persistence (SSH + crontab) |
| 🌍 Network Pivot | SOCKS5 routing, ARP scan, network mapping |
| 📱 Android WiFi Attack | Deauth, Evil Twin, WPS Pixie Dust, PMKID capture |
| 🍎 iOS Audit | MDM profile analysis, iCloud bypass, jailbreak detection |
| 📡 Wireless Attacks | WPA2 handshake capture, PMKID, deauth flood, Kismet integration |
| 🎣 Phishing | Custom HTML page cloning, credential capture server |
| 🔎 OSINT | Username enumeration (Sherlock), email breach check, metadata extraction |
| 🖼️ Steganography | LSB detection, hidden data extraction, image forensics |
| 📊 Reporting | PDF (colored by criticality), HTML dashboard, JSON export, CVSS v3.1 scoring |
| Metric | Result |
|---|---|
| 🎯 Target | Metasploitable 2 (172.20.10.2) |
| 🔍 Ports discovered | 23 open ports |
| 📊 Attack surface score | 95 / 100 |
| 💥 Exploit selected by AI | tomcat_mgr_deploy (CVE-2009-3843) |
| 🔐 Access level | ROOT (uid=0) |
| 🗝️ Credentials harvested | 7 password hashes (/etc/shadow) |
| 🔒 Persistence | SSH backdoor + crontab installed |
| ⏱️ Total time | ~4 minutes (full chain, zero interaction) |
| 📄 Report | PDF + JSON generated automatically |
# 1. Clone the repository
git clone https://github.com/Kim-San04/ares
cd ares
# 2. Install dependencies
pip install -r requirements.txt
# 3. Configure environment
cp .env.example .env
# Edit .env with your API keys
# 4. Start Metasploit RPC (required for exploitation)
msfrpcd -P msfrpc_password -S -a 127.0.0.1
# 5. Launch the agent
python main.py --target <IP|CIDR|domain> --agentpython main.py --target <target> [options]| Option | Description | Example |
|---|---|---|
--target |
IP, CIDR, or domain | --target 192.168.1.0/24 |
--agent |
Full autonomous AI agent mode | --agent |
--scan |
Network scan + report only | --scan |
--passive-only |
Passive recon, no active scanning | --passive-only |
--android |
Android WiFi attack menu | --android |
--ios |
iOS security audit | --ios |
--wireless |
Wireless attack suite | --wireless |
--phishing |
Phishing campaign setup | --phishing |
--osint |
OSINT reconnaissance | --osint |
--stego |
Steganography analysis | --stego |
--verbose |
Verbose output | --verbose |
--delay |
Delay between probes (seconds) | --delay 2 |
--output |
Output directory | --output ./results |
ares/
├── main.py # Entry point & CLI
├── agent/
│ ├── core.py # AI decision engine (Groq)
│ ├── recon.py # Passive & active recon
│ ├── scanner.py # Nmap integration (3-pass)
│ ├── exploitation.py # Metasploit RPC + tools
│ ├── post_exploit.py # Post-exploitation & persistence
│ └── report.py # PDF/HTML/JSON reporting
├── modules/
│ ├── android_wifi.py # Android WiFi attack suite
│ ├── ios_audit.py # iOS security analysis
│ ├── wireless.py # Wireless attack tools
│ ├── phishing.py # Phishing framework
│ ├── osint.py # OSINT recon tools
│ └── stego.py # Steganography analysis
├── templates/ # Report HTML templates
├── wordlists/ # Bruteforce dictionaries
├── .env.example # Environment configuration
├── requirements.txt # Python dependencies
├── GUIDE.md # Complete usage guide (EN)
├── GUIDE.fr.md # Guide complet (FR)
└── CHANGELOG.md # Version history
| Version | Phase | Key Features |
|---|---|---|
v1.0.0 |
Phase 1 | Passive recon, Nmap 3-pass, Shodan, AI analysis, PDF/JSON reports |
v2.0.0 |
Phase 2 | Colored PDF, HTML dashboard, Flask UI, CVSS v3.1, FR/EN bilingual |
v3.0.0 |
Phase 3 | Metasploit RPC automation, SQLMap, Hydra, Nikto, WPScan, auto-exploit |
v4.0.0 |
Phase 4 | Post-exploitation, credential harvesting, GTFOBins privesc, SOCKS5 pivot |
v5.0.0 |
Phase 5 | Reactive AI agent, event loop, auto privesc, SSH + crontab backdoors |
v6.0.0 |
Phase 6 | Android WiFi attacks, iOS audit, wireless suite, phishing, OSINT, stego |
v6.2.1 |
Current | Bug fixes, performance improvements, improved AI decision tree |
Python 3.10+
Kali Linux (recommended) or Parrot OS
Nmap 7.x
Metasploit Framework 6.x
Groq API key (free tier available)
Optional tools (auto-detected):
- sqlmap, hydra, nikto, wpscan, searchsploit
- aircrack-ng, airmon-ng, kismet
- sherlock, exiftool, steghide, binwalk
Create your .env file from the template:
cp .env.example .envGROQ_API_KEY=gsk_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
SHODAN_API_KEY=your_shodan_key_here
MSF_RPC_HOST=127.0.0.1
MSF_RPC_PORT=55553
MSF_RPC_PASSWORD=msfrpc_password
REPORT_OUTPUT_DIR=./output
⚠️ THIS TOOL IS FOR AUTHORIZED PENETRATION TESTING ONLY⚠️ ares is designed exclusively for use in controlled lab environments: HackTheBox, TryHackMe, DVWA, and personal virtual machines.
Using this tool against systems without explicit written authorization is ILLEGAL and may result in criminal prosecution under computer fraud laws.
The author assumes no liability for any misuse of this software. Use responsibly. Hack legally.