[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-79890":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":13,"stars7d":15,"stars30d":12,"stars90d":14,"forks30d":14,"starsTrendScore":15,"compositeScore":16,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":17,"fork":17,"defaultBranch":18,"hasWiki":19,"hasPages":17,"topics":20,"createdAt":9,"pushedAt":9,"updatedAt":21,"readmeContent":22,"aiSummary":23,"trendingCount":14,"starSnapshotCount":14,"syncStatus":24,"lastSyncTime":25,"discoverSource":26},79890,"nightcrawler","garagehq\u002Fnightcrawler","garagehq","Local AI powered red teamer on a phone",null,"Python",101,4,1,0,3,2.1,false,"main",true,[],"2026-06-12 02:03:55","# Nightcrawler\n\nAn autonomous penetration testing agent that runs entirely on a smartphone. Drop the phone on a network, walk away, and it discovers hosts, maps services, finds vulnerabilities, and generates a pentest report — all without cloud connectivity.\n\n```\n ░█▄░█ █ █▀▀ █░█ ▀█▀ █▀▀ █▀█ ▄▀█ █░█░█ █░░ █▀▀ █▀█\n ░█░▀█ █ █▄█ █▀█ ░█░ █▄▄ █▀▄ █▀█ ▀▄▀▄▀ █▄▄ ██▄ █▀▄  v0.1.0\n\n AUTONOMOUS MOBILE PENTEST AGENT\n OnePlus 8 · NetHunter · Qwen3.5-2B · OpenCL GPU\n```\n\n## What is this?\n\n**Penetration testing** (pentesting) is the practice of testing a computer network's security by simulating an attack — with the network owner's explicit permission. Professional pentesters are hired to find vulnerabilities *before* real attackers do.\n\nNightcrawler automates this process on a phone. It uses a small AI model (2 billion parameters) running locally on the phone's GPU to decide what to do next — which host to probe, which tool to use, what to look for. No internet connection or cloud API required.\n\n### How it works\n\n1. 
**WiFi Breach** (optional) — If dropped without WiFi, it can autonomously crack WPA2 networks using an external USB WiFi adapter\n2. **Reconnaissance** — Discovers devices on the network using stealthy scans\n3. **Enumeration** — Probes discovered services (web servers, file shares, SSH, DNS, etc.)\n4. **Exploitation** — Tests for known vulnerabilities and default credentials\n5. **Reporting** — Generates a structured pentest report with findings and remediation advice\n\nThe agent operates like a patient human pentester — it rotates across hosts, does one small action per turn, and builds knowledge gradually over hours. This makes it much harder to detect than traditional vulnerability scanners that blast every host at once.\n\n### Key concepts\n\n| Term | What it means |\n|------|--------------|\n| **Drop box** | A device left on a target network to perform testing autonomously |\n| **Scope** | The set of networks\u002Fhosts you're authorized to test |\n| **Rules of Engagement (ROE)** | A legal document specifying what you're allowed to do |\n| **Stealth** | Techniques to avoid detection by network monitoring (IDS\u002FIPS) |\n| **MCP** | Model Context Protocol — a standard interface for AI tool use |\n| **C2** | Command and Control — the web dashboard for monitoring and steering the agent |\n\n## Architecture\n\n```\n┌──────────────────────────────────────────────────────────┐\n│                   PHONE (OnePlus 8)                       │\n│                                                           │\n│  ┌─────────────┐     ┌──────────────────┐                │\n│  │  Qwen 3.5   │     │  Agent Loop      │                │\n│  │  2B model   │◄───►│  (main.py)       │                │\n│  │  on GPU     │     │  Decides what     │                │\n│  │  (:8080)    │     │  to do next       │                │\n│  └─────────────┘     └────────┬─────────┘                │\n│                               │                           │\n│                      
┌────────▼─────────┐                │\n│                      │  Scope Proxy     │  ← Safety layer │\n│                      │  Validates every │    Blocks out-  │\n│                      │  command before  │    of-scope     │\n│                      │  execution       │    actions      │\n│                      └────────┬─────────┘                │\n│                               │                           │\n│                      ┌────────▼─────────┐                │\n│                      │  Kali MCP Server │  ← Runs the    │\n│                      │  nmap, curl,     │    actual       │\n│                      │  smbclient, ...  │    commands     │\n│                      └──────────────────┘                │\n│                                                           │\n│  ┌──────────────────┐  ┌──────────────────┐              │\n│  │  Web Dashboard   │  │  SQLite DB       │              │\n│  │  (:8888)         │  │  Hosts, vulns,   │              │\n│  │  Monitor & steer │  │  creds, commands │              │\n│  └──────────────────┘  └──────────────────┘              │\n└──────────────────────────────────────────────────────────┘\n```\n\nFor the full system design, see [docs\u002FARCHITECTURE.md](docs\u002FARCHITECTURE.md).\n\n## Features\n\n- **Fully autonomous** — no human in the loop during operation\n- **100% local inference** — AI runs on the phone's GPU, no cloud needed\n- **Scope-enforced** — two-layer defense prevents out-of-scope actions\n- **Stealth-first** — slow scan rates, host rotation, cover traffic, nmap -T2 only\n- **27 exploit playbooks** — multi-step attack chains that execute automatically\n- **24,956-entry CVE database** — version-aware vulnerability matching\n- **Web dashboard** — real-time monitoring, host management, C2 controls\n- **WiFi breach mode** — autonomous WPA2 cracking with USB adapter (Pwnagotchi-inspired)\n- **Passive discovery** — background capture of mDNS\u002FNBNS\u002FDHCP\u002FARP broadcasts\n- 
**Multi-network** — data isolated per network, survives DHCP changes via MAC-keyed hosts\n- **Self-healing** — garbage detection, context reset, watchdogs, stuck detection\n- **Training capture** — logs successful interactions for future model fine-tuning\n- **Report generation** — downloadable pentest report with vulns, exploit chains, remediation\n\nSee [docs\u002FFEATURES.md](docs\u002FFEATURES.md) for the complete feature reference.\n\n## Hardware\n\n### Required\n- **Android phone** with [Kali NetHunter](https:\u002F\u002Fwww.kali.org\u002Fdocs\u002Fnethunter\u002F) (tested on OnePlus 8, Snapdragon 865)\n- **Root access** via [Magisk](https:\u002F\u002Fgithub.com\u002Ftopjohnwu\u002FMagisk)\n- **12GB+ RAM** (model uses ~3.4GB, Android uses ~4GB, rest for tools)\n\n### Optional\n- **USB WiFi adapter** for offline WiFi breach mode (Ralink RT3572 recommended)\n- **Custom kernel** with MAC80211 for monitor mode ([build guide](docs\u002FKERNEL_BUILD_PROMPT.md))\n- **NVIDIA AGX** for offloading to a larger model over Tailscale\n\n### GPU Performance\n\nAll inference via OpenCL on Adreno 650 GPU:\n\n| Model | Quantization | Prompt Speed | Generation Speed |\n|-------|-------------|-------------|-----------------|\n| Qwen3.5-2B | Q8_0 | 23.3 tok\u002Fs | 4.8 tok\u002Fs |\n| Qwen3.5-0.8B | Q8_0 | 30.5 tok\u002Fs | 6.3 tok\u002Fs |\n| Qwen3.5-4B | Q4_0 | 10.1 tok\u002Fs | 2.0 tok\u002Fs |\n\n> **Note:** Android throttles the GPU on battery power (6x slowdown). Nightcrawler includes a GPU governor daemon that forces max performance and auto-throttles at ≤15% battery.\n\n## Quick Start\n\n```bash\n# 1. Install (inside Kali NetHunter chroot)\nbash INSTALL.sh\n\n# 2. Wait for llama-server to start (~5 min after boot)\ncurl -s http:\u002F\u002F127.0.0.1:8080\u002Fhealth  # Should return {\"status\":\"ok\"}\n\n# 3. Start all services\nbash scripts\u002Frun-36h.sh\n\n# 4. 
Open the web dashboard (from any device on your Tailscale network)\n# https:\u002F\u002F\u003Cyour-tailscale-hostname>:8888\n```\n\n### Dry Run (no real commands executed)\n\n```bash\nNC_DRY_RUN=1 python3 main.py\n```\n\nThis uses a mock Kali server so you can test the agent loop without executing real network commands.\n\n### Manual Start (if not using tmux launcher)\n\n```bash\nkali-server-mcp --port 5000 &\npython3 scope_proxy.py --config config.yaml --port 8800 --upstream http:\u002F\u002F127.0.0.1:5000 &\nbash scripts\u002Fwebui-daemon.sh start\npython3 main.py &\n```\n\n## Configuration\n\nEdit `config.yaml` before deployment:\n\n```yaml\nmission:\n  id: \"CLIENT-YYYY-XXX\"           # Your engagement ID\n  scope:\n    networks: [\"auto\"]             # \"auto\" = detect from wlan0 at startup\n    excluded_hosts: [\"auto\"]       # \"auto\" = gateway + self IP\n    excluded_ports: [502, 503]     # SCADA\u002FICS ports to never touch\n  authorization: \"ROE-YYYY-XXX.pdf\"\n  max_runtime_hours: 0             # 0 = no limit\n\nmodel:\n  local:\n    ctx_size: 8192\n    port: 8080\n```\n\n**Dynamic scope detection** means zero config changes when moving between networks — the agent reads the current subnet from `wlan0` at startup.\n\n## Project Structure\n\n```\nnightcrawler\u002F\n├── main.py                  # Entry point\n├── config.yaml              # Mission scope + model config\n├── scope_proxy.py           # Scope enforcement proxy\n├── INSTALL.sh               # Installer\n│\n├── agent\u002F                   # Core agent logic\n│   ├── loop.py              # Decision loop + error recovery\n│   ├── planner.py           # Phase state machine (recon → exploit)\n│   ├── llm_client.py        # LLM API client (llama.cpp \u002F remote)\n│   ├── db.py                # SQLite backend (hosts, vulns, creds)\n│   ├── host_memory.py       # Per-host observations + auto-tagging\n│   ├── cve_db.py            # 24,956-entry CVE database\n│   ├── attack_planner.py    # 
Strategic directives for exploit phase\n│   ├── output_parser.py     # Extract structured data from tool output\n│   ├── offline_manager.py   # WiFi breach pipeline state machine\n│   ├── net_detect.py        # Auto-detect network from wlan0\n│   ├── cover_traffic.py     # Stealth blending with realistic web traffic\n│   ├── passive_capture.py   # Background tcpdump for broadcast traffic\n│   └── ...\n│\n├── proxy\u002F                   # Scope enforcement components\n│   ├── scope.py             # IP\u002Fport\u002Fhost validation\n│   ├── rate_limiter.py      # Command rate limiting + jitter\n│   └── command_filter.py    # Destructive command blocklist\n│\n├── webui\u002F                   # Web dashboard (Flask)\n│   ├── server.py            # API + stealth middleware\n│   └── templates\u002Findex.html # Dashboard UI\n│\n├── data\u002F                    # Static data files\n│   ├── cve_exploits.json    # CVE→exploit command mappings\n│   └── playbooks.json       # 27 multi-step attack playbooks\n│\n├── prompts\u002F                 # LLM prompt templates (hot-reloadable)\n├── scripts\u002F                 # Operational scripts (start, stop, watchdogs)\n├── tests\u002F                   # Test suites (API, UI, offline mode)\n├── kernels\u002F                 # WiFi driver modules + kernel docs\n├── simulation\u002F              # Dry-run mock server\n├── docs\u002F                    # Architecture, GPU setup, features\n├── logs\u002F                    # Runtime data (gitignored)\n└── models\u002F                  # Model files (gitignored)\n```\n\n## How the Agent Thinks\n\nThe agent uses a simple but effective loop:\n\n1. **Pick a target** — weighted random selection (70% hosts with known ports, 30% new discovery)\n2. **Build context** — inject host memory, network observations, phase guidance into prompt\n3. **Ask the LLM** — model produces `REASONING: ... COMMAND: ...`\n4. **Validate** — scope proxy checks the command is in-scope and not destructive\n5. 
**Execute** — command runs via Kali MCP server\n6. **Learn** — output parser extracts findings, updates host memory\n7. **Reset context** — clear conversation, keep persistent memory, repeat\n\nThe 2B model has a ~50% command success rate (inherent to its size). The agent compensates with:\n- **Garbage detection** — 5-streak reset with varied few-shot examples\n- **Duplicate detection** — forces tool\u002Ftarget diversification\n- **Time-based stuck detection** — 5-minute backstop forces context reset\n- **Direct playbook execution** — multi-step attacks bypass the LLM entirely\n\n## Web Dashboard\n\nThe dashboard at `:8888` provides real-time monitoring and control:\n\n- **Live feed** — every command, finding, and agent decision\n- **Host cards** — clickable cards showing ports, services, vulnerabilities\n- **Network map** — interactive force-directed graph (drag, zoom, pan)\n- **Vulnerability details** — CVE tags, exploit chains, remediation steps\n- **C2 controls** — star\u002Fblacklist hosts, force phase, pause\u002Fresume, inject commands\n- **Offline mode** — Pwnagotchi-inspired WiFi attack UI with animated face\n\nThe dashboard is stealth-filtered: it spoofs nginx headers and returns empty 404s to connections from the target network.\n\n## Tested Results\n\nFrom 72+ hours of autonomous operation across multiple networks:\n\n- **30+ hosts** discovered per network\n- **2,000+ commands** executed autonomously\n- **10+ vulnerabilities** found across multiple services\n- **6+ playbooks** executed via direct execution\n- Agent memory stable at 35-50MB throughout (no leaks)\n\n## Contributing\n\nContributions are welcome! 
See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.\n\n### Areas where help is needed\n\n- **Model fine-tuning** — improving command format compliance from ~50% to 85%+\n- **New playbooks** — adding exploit chains for more services\n- **CVE database** — expanding coverage beyond the current 24,956 entries\n- **Adapter support** — testing with more USB WiFi chipsets\n- **Documentation** — tutorials, setup guides for different phones\n- **Testing** — more test coverage, especially for edge cases\n\n### Development setup\n\n```bash\n# Clone the repo\ngit clone https:\u002F\u002Fgithub.com\u002Fgaragehq\u002Fnightcrawler.git\ncd nightcrawler\n\n# Dry-run mode (no real commands, no hardware needed)\nNC_DRY_RUN=1 python3 main.py\n\n# Run tests\npython3 -m pytest tests\u002F\n```\n\n## Legal\n\n**This tool is for authorized penetration testing only.** You must have written permission (Rules of Engagement) from the network owner before deploying Nightcrawler. Unauthorized use against networks you don't own or have permission to test is illegal.\n\n## License\n\nMIT — see [LICENSE](LICENSE) for details.\n","Nightcrawler is an automated penetration testing agent that runs on a smartphone. Its core functions include automatic discovery of hosts on the network, service mapping, vulnerability detection and generation of a penetration test report, with all operations performed locally and no cloud connectivity or internet access required. The project runs a small AI model (2 billion parameters) on the phone's GPU to decide the next operational step. It suits scenarios that call for on-site security assessment while remaining covert, such as security audits of enterprise internal networks. By carrying out its tasks gradually and incrementally, Nightcrawler is harder to detect than traditional vulnerability scanners, providing a more covert and efficient means of penetration testing.",2,"2026-06-11 03:58:24","CREATED_QUERY"]