Automated web reconnaissance and vulnerability detection tool built for penetration testers.
```text
 ____  _____ _   _ ____   ____ ___  ____  _____
|  _ \| ____| \ | / ___| / ___/ _ \|  _ \| ____|
| |_) |  _| |  \| \___ \| |  | | | | |_) |  _|
|  __/| |___| |\  |___) | |__| |_| |  __/| |___
|_|   |_____|_| \_|____/ \____\___/|_|   |_____|
        Web Pentesting Toolkit v1.0
```
PenScope automates the initial recon and scanning phases of a web pentest. Point it at a target and it runs four modules in sequence:
| Module | What it finds |
|---|---|
| Recon | Server info, tech stack, SSL, security headers misconfigs |
| Vuln Scan | SQL Injection and XSS in GET parameters |
| Dir Bruteforce | Hidden directories, backup files, exposed configs |
| Subdomain Enum | Active subdomains with IP, HTTP status and page title |
At the end it prints a clean summary and can export an HTML or JSON report.
```bash
git clone https://github.com/YOUR_USERNAME/PenScope.git
cd PenScope
pip install -r requirements.txt
```

Requirements: Python 3.8+
```bash
# Full scan
python penstool.py http://target.com

# Test specific parameters for SQLi / XSS
python penstool.py "http://target.com/page.php?id=1&name=test"

# Export HTML report
python penstool.py http://target.com --output html

# Skip directory bruteforce (faster)
python penstool.py http://target.com --no-dirs

# Recon only
python penstool.py http://target.com --only-recon

# Custom threads and timeout
python penstool.py http://target.com --threads 25 --timeout 15
```

Options:

| Option | Description |
|---|---|
| `url` | Target URL |
| `--no-recon` | Skip recon module |
| `--no-scan` | Skip vulnerability scan |
| `--no-dirs` | Skip directory bruteforce |
| `--no-subs` | Skip subdomain enumeration |
| `--only-recon` | Run recon module only |
| `--output {html,json,both}` | Export report to file |
| `--threads, -t` | Threads for dir/sub scan (default: 15) |
| `--timeout` | Request timeout in seconds (default: 10) |
```text
[*] Target: http://testphp.vulnweb.com
[*] Domain: testphp.vulnweb.com

=== MODULE 1: RECON ===
[+] Status: 200 | Server: nginx/1.19.0
[!] Informational headers:
    Server: nginx/1.19.0
    X-Powered-By: PHP/5.6.40
[+] Technologies detected: PHP, jQuery, Bootstrap

Security Headers:
+-----------------------------------------------------+
| Header                    | Status     | Severity   |
|---------------------------+------------+------------|
| Strict-Transport-Security | MISSING    | HIGH       |
| Content-Security-Policy   | MISSING    | HIGH       |
| X-Frame-Options           | MISSING    | MEDIUM     |
...

=== MODULE 2: VULNERABILITY SCAN ===
[+] GET parameters found: id, cat
[!] SQL INJECTION — 2 vulnerable parameter(s)
    -> Param: id
       Payload: '
       Evidence: you have an error in your sql syntax
    -> Param: cat
       Payload: ' OR 1=1--
       Evidence: warning: mysql
[!] XSS — 1 vulnerable parameter(s)
    -> Param: searchFor (Reflected XSS)
       Payload: <script>alert(1)</script>

=== MODULE 3: DIRECTORY BRUTEFORCE ===
[+] 8 path(s) found
    http://target.com/admin        200
    http://target.com/login.php    200
    http://target.com/.git         403
    http://target.com/backup       403
    ...

=== MODULE 4: SUBDOMAINS ===
[+] 4 subdomain(s) found
    mail.target.com    1.2.3.4    200    Webmail Login
    dev.target.com     1.2.3.5    200    Development Server
    api.target.com     1.2.3.6    200    API v2
    admin.target.com   1.2.3.7    403    -

──────────────────── SUMMARY ────────────────────
[!] SQL Injection: 2 vulnerable parameter(s)
[!] XSS: 1 vulnerable parameter(s)
[!] Headers: 5 missing (2 critical)
[i] Stack: PHP, nginx, jQuery, Bootstrap
[i] Directories: 8 found (4 accessible, 4 forbidden)
[i] Subdomains: 4 found
```
Use --output html to generate a full dark-themed report:
- Executive summary with counters
- Vulnerability details with payloads and evidence
- Security headers table
- Directory listing with status codes
- Subdomain table with IPs and titles
```text
PenScope/
├── penstool.py         # CLI entry point
├── requirements.txt
└── modules/
    ├── recon.py        # Headers, tech detection, SSL
    ├── scanner.py      # SQLi, XSS, directory bruteforce
    ├── subdomain.py    # DNS-based subdomain enumeration
    └── reporter.py     # Terminal summary + HTML/JSON export
```
- Detects 15+ technologies (WordPress, Laravel, Django, React, Vue, Angular, Apache, Nginx, IIS, PHP, ASP.NET...)
- Checks 7 security headers with severity rating (HIGH / MEDIUM / LOW)
- SSL/TLS version and expiry date
- Flags informational headers that leak server info (`X-Powered-By`, `X-Runtime`, `X-Backend-Server`...)
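The header checks above, as an added example that is not PenScope's own code: it audits one response's headers for missing security headers with a severity rating, flags the informational headers named above, and produces the counts the summary line reports. The exact header set and severities are assumptions (the page only says seven headers are rated HIGH/MEDIUM/LOW), and the sample response is constructed.

```python
# Added example, not PenScope's own code. Header set and severities are assumed;
# the README only states that seven headers are checked and rated HIGH/MEDIUM/LOW.

# Header -> severity assigned when it is absent from the response (assumed values).
SECURITY_HEADERS = {
    "Strict-Transport-Security": "HIGH",
    "Content-Security-Policy": "HIGH",
    "X-Frame-Options": "MEDIUM",
    "X-Content-Type-Options": "MEDIUM",
    "Referrer-Policy": "LOW",
    "Permissions-Policy": "LOW",
    "Cache-Control": "LOW",
}

# Informational headers that reveal the stack (the examples named on the page).
INFO_LEAK_HEADERS = ("Server", "X-Powered-By", "X-Runtime", "X-Backend-Server")


def audit_headers(headers):
    """Return (rows, leaks) for one response's header dict.
    rows:  (header, "PRESENT" | "MISSING", severity) for every checked header
    leaks: (header, value) for each informational header that is present
    Names are matched case-insensitively, as HTTP header names are."""
    lower = {k.lower(): v for k, v in headers.items()}
    rows = [(n, "PRESENT" if n.lower() in lower else "MISSING", sev)
            for n, sev in SECURITY_HEADERS.items()]
    leaks = [(h, lower[h.lower()]) for h in INFO_LEAK_HEADERS if h.lower() in lower]
    return rows, leaks


def summarize(rows):
    """Counts for the summary line: missing headers, and how many of those are HIGH."""
    missing = [r for r in rows if r[1] == "MISSING"]
    return {"missing": len(missing),
            "critical": sum(1 for r in missing if r[2] == "HIGH")}


# Constructed sample headers, modelled on the README's sample output.
SAMPLE_HEADERS = {
    "Server": "nginx/1.19.0",
    "X-Powered-By": "PHP/5.6.40",
    "x-content-type-options": "nosniff",  # lower-case on purpose: still matched
    "Cache-Control": "no-store",
}

if __name__ == "__main__":
    rows, leaks = audit_headers(SAMPLE_HEADERS)
    for name, status, severity in rows:
        print(f"{name:<28}{status:<9}{severity}")
    for header, value in leaks:
        print(f"[!] {header}: {value}")
    print(summarize(rows))  # {'missing': 5, 'critical': 2}
```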
SQL Injection — tests error-based SQLi using 11 payloads, detects errors from MySQL, PostgreSQL, MSSQL, Oracle, SQLite and DB2.
XSS — tests reflected XSS with 6 payloads across all GET parameters. Checks if payload appears unencoded in the response.
Directory bruteforce — 100+ paths: admin panels, backup files, .env, .git, phpinfo.php, API endpoints, CMS-specific paths. Uses threading for speed.
- Wordlist of 60+ common subdomains (`api`, `dev`, `staging`, `mail`, `vpn`, `admin`, `jenkins`, `grafana`...)
- DNS resolution via `socket.gethostbyname`
- HTTP probe to get status code and page title
- Threaded for fast enumeration
This tool is intended for authorized security testing only. Running it against systems without explicit written permission is illegal. The author is not responsible for any misuse.
Only use PenScope on:
- Systems you own
- Systems you have written authorization to test
- CTF / lab environments (HackTheBox, TryHackMe, DVWA, WebGoat)
- DVWA (Damn Vulnerable Web Application)
- WebGoat
- HackTheBox machines
- TryHackMe rooms
Built as part of a web pentesting portfolio.
Feel free to open issues or PRs.