Learn cybersecurity by doing — AI-powered toolkit for National Cyber League (NCL) competitions.
NCL Toolkit is built for learning. Whether you're practicing in the NCL Gymnasium or competing live, it provides two modes: a coach that walks you through challenges step by step, and a commander that solves them at competition speed. Both are backed by 9 specialist AI agents, a Kali Linux VM via MCP, and optional GPU-accelerated hash cracking.
The AI coach tells you what command to run and why. You run it on your Kali VM, paste the output, and the coach explains what it means and what to do next. You build real skills.
/ncl-coach "Analyze this wireless pcap and find the WiFi password"
Step 1: Identify wireless networks in the capture
Why: Before we can crack anything, we need to know what networks are in this pcap
and what encryption they use.
Run this:
tshark -r pcap3.pcap -Y 'wlan.fc.type_subtype == 0x08' -T fields \
-e wlan.ssid -e wlan.bssid -e wlan_radio.channel | sort -u
What to look for: SSIDs (network names), BSSIDs (AP MAC addresses), and channels.
Paste your output and I'll walk you through what it means.
At the end of each session, you get a full learning summary — workflow recap, key commands, patterns to remember.
Add --guide to any command (or just say "walk me through this"). The AI solves the challenge but narrates every step — what tool it picked, why, and how to read the output. A compiled walkthrough comes with the answers.
/ncl-crack --guide 5f4dcc3b5aa765d61d8327deb882cf99
No flags, no narration. The commander orchestrates specialist agents, chains their results across domains, and compiles a copy-paste answer table.
/ncl-triage "Given a memory dump, find the user's password"
- Clone and open:
git clone https://github.com/nigel-dev/ncl-toolkit.git cd ncl-toolkit opencode .
- Set up Kali VM — see SETUP.md
- Run preflight checks:
Verifies Kali VM, tools, GPU cracker, browser, wordlists — produces a PASS/WARN/FAIL readiness report.
/ncl-setup - Start learning:
/ncl-coach "your challenge description here"
All commands are prefixed with /ncl-.
| Command | What It Does |
|---|---|
/ncl-coach {challenge} |
Walkthrough mode — you run commands, coach explains step by step |
/ncl-triage {desc} |
Competition mode — categorize, plan workflow, delegate to specialists |
/ncl-setup |
Pre-competition readiness check — verify all systems |
/ncl-load-challenge |
Scrape active CyberSkyline challenge from Brave browser |
| Command | NCL Category | What It Does |
|---|---|---|
/ncl-recon {target} |
Scanning | nmap → service enum → dir bust → vuln scan |
/ncl-web {url} |
Web App Security | SQLi, XSS, auth bypass, LFI/RFI, input validation |
/ncl-crack {hash} |
Password Cracking | Hash ID → GPU cracker → rules → themed wordlists |
/ncl-crypto {data} |
Cryptography | Encoding/cipher ID → decode/decrypt chains |
/ncl-forensics {file} |
Forensics | File ID → metadata → strings → binwalk → stego → memory dumps |
/ncl-traffic {pcap} |
Network Traffic | Protocol analysis → credential extraction → wireless analysis |
/ncl-log {logfile} |
Log Analysis | Format detection → baseline → anomaly → targeted queries |
/ncl-osint {query} |
OSINT | Web search → WHOIS → DNS → social recon |
/ncl-exploit {target} |
Enum & Exploitation | Service enum → vuln ID → exploit → post-exploitation |
/ncl-gpu-crack {hash} |
Password Cracking | Direct GPU offload (RTX 4090) — 100-200x faster |
| Command | What It Does |
|---|---|
/ncl-claim {name} |
Claim a challenge — adds to tracker, commits + pushes |
/ncl-flag {name} {flag} |
Record captured flag — moves to completed, commits + pushes |
/ncl-stuck {name} {notes} |
Request help — moves to stuck table with blocker notes |
/ncl-handoff {name} {notes} |
Hand off a challenge with context for the next person |
/ncl-status |
Pull latest and display team scoreboard |
Two top-level agents, nine specialists:
ncl-coach (practice) ncl-commander (competition)
│ Coaches user step by step │ Plans workflows, chains agents
│ User runs all commands │ Delegates to specialists via task()
│ Explains output, teaches │ Compiles final answer table
│ │
│ (reads methodology context) ├── recon-agent
│ ├── web-exploit-agent
│ ├── crack-agent
│ ├── crypto-agent
│ ├── forensics-agent
│ ├── traffic-agent
│ ├── log-agent
│ ├── osint-agent
│ └── exploit-agent
- Kali MCP Server — nmap, sqlmap, john, hydra, metasploit, tshark, binwalk, and 14+ tools on your Kali VM
- GPU Cracker — Remote RTX 4090 for hash cracking (100-200x faster than CPU)
- Browser Automation — Scrape CyberSkyline challenges directly from Brave
- Context System — Methodologies, tool references, common patterns per category
- Volatility 3 — Pinned to working commit (pip version has regression)
See ARCHITECTURE.md for the full system design.
| Doc | Description |
|---|---|
| SETUP.md | Full installation and configuration guide |
| REQUIREMENTS.md | Prerequisites and tool checklist |
| QUICK-START.md | Command examples and learning workflows |
| ARCHITECTURE.md | System architecture and design |
| TESTING.md | Pre-competition verification checklist |
- NCL Competition — Official NCL site
- CyberSkyline — NCL game platform
- OpenCode — AI coding agent (powers this toolkit)
- Kali Linux — Download Kali
Copyright (c) 2026 Nigel Bazzeghin. All rights reserved.
