{"slug": "hackingpal", "title": "Hackingpal", "summary": "HackingPal, an open-source AI-assisted security workbench, launches for macOS and Linux, offering an engagement-centric workflow with human-approved actions, full audit trails, and client-ready reports. The tool integrates a Claude-powered copilot that suggests next steps without running tools autonomously, ensuring accountable penetration testing. It is designed for authorized engagements only, bundling port scanners, vulnerability probes, and other modules.", "body_md": "*The AI-assisted security workbench for authorized, accountable engagements.*\n\n*Human-approved actions. Full audit trail. Client-ready reports. Local. Offline-first. Open source.*\n\n**It runs a whole engagement, not just isolated tools.** Most security tooling\nhands you a port scanner, a fuzzer, a hash cracker — and a stack of disconnected\noutput to glue together yourself. HackingPal is built around the engagement: a\nnamed, scoped container for a single piece of work. Targets are first-class.\nPlaybooks chain tools. Every scan result auto-attaches to the active engagement\nas evidence. The end of the workflow is a report, not a folder of CSVs.\n\n**Every action is human-approved and logged — copilot, not autopilot,\ndeliberately.** A Claude-powered assistant watches the session, helps interpret\noutput, drafts text for findings, and suggests next steps. It does not run\ntools on its own. Every active check waits for explicit human go-ahead, every\nscan start/finish/error writes to an append-only audit log, and every sudoers\ngrant the app holds can be revoked in one click. The AI is there to make you\nfaster, not to take you out of the loop. That's a design choice, not a\nlimitation — accountable testing is the point.\n\n**It produces a real report at the end.** Promote any result to a tracked\nfinding. Score it with the built-in CVSS v3.1 calculator (the band drives the\nbadge across the whole app). 
Attach evidence items with capture timestamps —\nscan output, request/response pairs, analyst notes, screenshots, commands —\neach marking when the proof was observed. When you're done, export a\nclient-ready report in Markdown or PDF: executive summary, severity counts,\nevery finding with its CVSS vector and full evidence timeline, methodology,\nand the authorized-testing disclaimer. The executive summary is\ntemplate-rendered, so reports generate with no API key configured.\n\n```\nEngagement → Targets → Playbook → Tools → Evidence → Report\n```\n\n**Download HackingPal-macos-arm64.dmg →**\n\nMount the DMG, drag the app to `/Applications`, then first-launch via right-click\n→ **Open** (the build is unsigned — no paid Apple Developer cert yet).\nSubsequent launches work normally.\n\n**Download HackingPal-linux-x86_64.AppImage →**\n\n`chmod +x` and run.\n\n```\ngit clone https://github.com/hackingpal/hackingpal.git\ncd hackingpal && docker compose up -d\ncurl http://127.0.0.1:8765/health\n```\n\nPer-platform install guides: [macOS](/hackingpal/hackingpal/blob/main/docs/README-macos.md) ·\n[Linux](/hackingpal/hackingpal/blob/main/docs/README-linux.md) · [Windows (experimental)](/hackingpal/hackingpal/blob/main/docs/README-windows.md).\nSee [docs/SIGNING.md](/hackingpal/hackingpal/blob/main/docs/SIGNING.md) for the current code-signing status.\n\nmacOS and Linux are the actively maintained targets. Windows builds appear in CI but parity is not a v1.0 commitment. Use Docker or the macOS/Linux builds for serious work.\n\nHackingPal works without an Anthropic key. Open **Settings → API keys** to\nadd one and unlock the copilot — it'll watch the session, interpret tool\noutput, draft finding summaries, and help with the report. 
Without a key:\n\n- Every tool still runs.\n- Findings still track, CVSS still scores, evidence still timelines.\n- The report exporter still works — the executive summary is template-based, not LLM-generated.\n\nThe roadmap keeps the provider layer flexible. Local-model and cheaper-provider support are on the list.\n\nThis is testing software. It bundles port scanners, vulnerability probes, web-application attack modules, credential testers, network capture, cloud and Active Directory enumeration — useful in legitimate engagements, illegal to point at infrastructure you don't own or have written permission to test.\n\nBy installing or running HackingPal you agree to use it only for authorized\nwork: your own systems, CTFs, training labs, or engagements with explicit\nwritten authorization. The full disclaimer is at [DISCLAIMER.md](/hackingpal/hackingpal/blob/main/DISCLAIMER.md).\n\nActive checks (XSS, SQLi, command injection, SSRF, IDOR, LFI, password spraying, Kerberos roasting, exploit launches) are gated behind a per-tool authorization checkbox and scope-policy guard. The engagement's scope is the fence; targets outside it are rejected with a clear refusal, not a runtime error.\n\nThe audit log is the trust anchor — every action is recorded, durably, with the engagement it belonged to.\n\nThe tool library lives *inside* engagements; it is the resource the workflow\ncalls into, not the product itself. 
~75 tools across:\n\n- **Discovery** — LAN Scan, IP Checker, DNS Recon, WHOIS/ASN, Local Discovery (mDNS/SSDP/LLMNR), Ping.\n- **Recon** — Port Scanner, Nmap (full 612-NSE-script surface, multi-target, SYN/UDP/OS), Network Audit, TLS Auditor, Fingerprint, HTTP Probe, TCPDump.\n- **OSINT** — CT Logs, Email Sec (SPF/DMARC/DKIM), Subdomain Takeover, Reverse IP, Breach Lookup, Dorking, GitHub Leak Scanner, Shodan/Censys, People/Email Enum, Profile Finder, Wayback URLs, URLScan.\n- **Web exploit** — XSS, SQLi, Command Injection, LFI, SSRF, IDOR — each gated by authorization checkbox + scope guard.\n- **Cloud** — AWS / Azure / GCP read-only recon (boto3 / azure-identity / google-auth), IMDS tester, S3 bucket scanner.\n- **Active Directory** — LDAP enumerator, SMB enumerator, password sprayer, Kerberos roasting, BloodHound ingestor, lateral movement planner.\n- **Wireless** — WiFi Scan, Evil Twin detector, Bluetooth recon, WPA / PMKID handshake capture.\n- **Red Team** — Reverse Shell builder/listener, payload obfuscator, pivoting helper, credential harvester, C2 beacon simulator, SearchSploit.\n- **Forensics & posture** — Persistence audit, process inspector, steganography (LSB embed/extract, chi-square detector, AES-GCM), macOS / Linux / Windows posture, firewall rules, systemd units, users audit.\n- **Engagement layer** — Findings Tracker, CVSS v3.1 Calculator, multi-item evidence timeline with capture timestamps, audit log, report exporter.\n- **Playbooks** — composable presets that chain tools across phases. 
Built-ins include external red team, internal network, web app assessment, AD kill chain, AWS assessment, WiFi/physical, container/k8s escape, bug-bounty stealth, and a compromise assessment.\n\nA more detailed catalogue with endpoints + acceptance criteria lives in\n[ROADMAP.md](/hackingpal/hackingpal/blob/main/ROADMAP.md) and the per-page docs.\n\nHybrid **Electron + React + TypeScript** frontend with a bundled\n**FastAPI + Python** sidecar that owns all the network / forensics /\nexploitation logic.\n\n```\nhackingpal/\n├── backend/        FastAPI server — ~75 routers\n│   ├── lib/        engagement, audit_log, cvss, report, target_policy, ...\n│   ├── routers/    one router per tool surface\n│   └── main.py     loopback-only startup guard + per-launch auth token\n└── frontend/\n    ├── electron/   main + preload (Electron host)\n    └── src/\n        ├── pages/         one .tsx per sidebar entry\n        ├── components/    Sidebar, ChatBubble, EngagementPill, ...\n        └── lib/           engagement state, sessionLog, theme, nav\n```\n\nBackend listens on **127.0.0.1:8765** only. The startup guard refuses to bind\na wildcard host. Every privileged endpoint is gated by `Depends(require_local_auth)`\nplus a per-launch token. Streaming routers follow a uniform WS protocol with a\n`{\"action\":\"stop\"}` abort message. Credentials live in the OS keystore\n(Keychain / Secret Service / Credential Manager) — nothing else writes\ncredentials to disk. The audit log is append-only and is the trust anchor for\nevery report.\n\nFull developer guide: [CLAUDE.md](/hackingpal/hackingpal/blob/main/CLAUDE.md). 
Security model:\n[SECURITY.md](/hackingpal/hackingpal/blob/main/SECURITY.md).\n\nTwo terminals:\n\n```\n# Terminal 1 — backend (FastAPI on 8765, auto-reload)\ncd backend && python3 -m uvicorn main:app --reload --port 8765\n\n# Terminal 2 — frontend (Vite + Electron)\ncd frontend && npm install && npm run dev:all\n```\n\nRun only the browser frontend with `npm run dev` and open\n`http://localhost:5173`. Build a release with `npm run dist:mac` (or\n`dist:linux`); CI matrix builds + tagged releases live in\n[.github/workflows/build.yml](/hackingpal/hackingpal/blob/main/.github/workflows/build.yml).\n\nContribution guide: [CONTRIBUTING.md](/hackingpal/hackingpal/blob/main/CONTRIBUTING.md).\n\n[MIT](/hackingpal/hackingpal/blob/main/LICENSE). HackingPal is open source, free to use for authorized work,\nand offered without warranty. Please read [DISCLAIMER.md](/hackingpal/hackingpal/blob/main/DISCLAIMER.md) and\n[SECURITY.md](/hackingpal/hackingpal/blob/main/SECURITY.md) before pointing it at anything.\n\n`>;)`\n\nHackingPal", "url": "https://wpnews.pro/news/hackingpal", "canonical_source": "https://github.com/hackingpal/hackingpal", "published_at": "2026-06-20 23:18:33+00:00", "updated_at": "2026-06-20 23:37:12.407465+00:00", "lang": "en", "topics": ["ai-tools", "ai-safety", "ai-ethics", "developer-tools", "ai-agents"], "entities": ["HackingPal", "Claude", "Anthropic", "CVSS v3.1", "macOS", "Linux", "Docker"], "alternates": {"html": "https://wpnews.pro/news/hackingpal", "markdown": "https://wpnews.pro/news/hackingpal.md", "text": "https://wpnews.pro/news/hackingpal.txt", "jsonld": "https://wpnews.pro/news/hackingpal.jsonld"}}