/htb_recon_agent

Primary language: Python | License: MIT

Hawx Recon Agent

Overview

Hawx Recon Agent is an intelligent, autonomous reconnaissance system powered by a Large Language Model (LLM). Designed for offensive security workflows, it automates initial triage and guided follow-up based on live service data. The agent runs in a Dockerized environment and can optionally tunnel through OpenVPN. Output is structured, actionable, and neatly organized per target.


Features

  • 📡 Autonomous recon workflow
  • 🤖 LLM-guided command planning and triage
  • 🔍 CVE and exploit discovery using SearchSploit
  • 🌐 Optional OpenVPN integration
  • 🧠 Markdown summaries of recon
  • 📂 Clean directory structure per target

Architecture

[Host]
└── hawx.sh
    ├── Parses flags (IP, --ovpn, --steps, etc.)
    ├── Launches Docker container
    │   ├── Mounts current directory to /mnt
    │   └── Passes env vars
    ↓

[Inside Docker Container]
└── entrypoint.sh
    ├── Starts OpenVPN if provided
    ├── Verifies target connectivity
    ├── Maps hostname if specified
    └── Launches agent.py

[agent.py]
├── Runs nmap on target
├── Parses and summarizes output
├── Picks follow-up tools
├── Stores all logs and recon data
└── Summarizes recon using LLM

Agent Workflow

🔎 Initial Enumeration

  • Nmap (-sC -sV -p-)
  • Stores raw and structured output

🧠 Analysis + Planning

  • LLM decides follow-up tools:
    • Web → httpx, gobuster, nikto
    • FTP/SSH/SMB → enumeration tools
  • Deduplicates tools across layers

🧰 Follow-Up Tools

| Service | Toolset |
|---------|---------|
| HTTP | httpx, gobuster, nikto |
| FTP | ftp-anon, manual login |
| SMB | enum4linux, smbclient |
| SSH | Banner grab |
| SQL | Basic login logic |
| Custom | LLM-based tool picks |
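
One way to vet the LLM's follow-up picks before anything runs, added here as an example and not taken from the Hawx repository. It assumes the Follow-Up Tools table is treated as a hard allowlist and that proposals arrive as command strings; TOOLSET, hosts_in, plan and the sample proposals are hypothetical names and constructed data.

```python
import ipaddress
import shlex
from urllib.parse import urlparse

# Tool names come from the Follow-Up Tools table; using them as a hard
# allowlist is this example's assumption, not documented Hawx behaviour.
TOOLSET = {"http": {"httpx", "gobuster", "nikto"},
           "smb": {"enum4linux", "smbclient"}}

def hosts_in(argv, target):
    """Collect every URL host, IP address or literal target named in the arguments."""
    found = []
    for arg in argv[1:]:
        host = urlparse(arg).hostname if "://" in arg else arg
        try:
            found.append(str(ipaddress.ip_address(host)))
        except ValueError:
            if "://" in arg or arg == target:
                found.append(host or arg)  # URL host or hostname-style target
    return found

def plan(layers, target, services):
    """Return (accepted argv lists per layer, [(command, reason)] rejected)."""
    allowed = set().union(*(TOOLSET.get(s, set()) for s in services))
    seen, accepted, rejected = set(), [], []
    for proposals in layers:
        kept = []
        for cmd in proposals:
            try:
                argv = shlex.split(cmd)
            except ValueError:
                argv = []  # unbalanced quotes: treat as unparseable
            hosts = hosts_in(argv, target)
            if not argv or argv[0] not in allowed:
                rejected.append((cmd, "unparseable or tool not allowed"))
            elif not hosts or any(h != target for h in hosts):
                rejected.append((cmd, "target missing or out of scope"))
            elif argv[0] in seen:
                rejected.append((cmd, "tool already used in an earlier layer"))
            else:
                seen.add(argv[0])
                kept.append(argv)  # argv list, meant to be run without a shell
        accepted.append(kept)
    return accepted, rejected

# Constructed LLM proposals for two layers against the page's example target.
SAMPLE = [["httpx -u http://192.168.1.10", "nikto -h 192.168.1.10", "curl http://192.168.1.10/"],
          ["nikto -h 192.168.1.10", "gobuster dir -u http://10.0.0.5 -w words.txt"]]
ACCEPTED, REJECTED = plan(SAMPLE, "192.168.1.10", ["http"])
```

Every rejected proposal keeps its reason, so the list can be written to the per-target log next to the tool output.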

🛡️ CVE Discovery

  • SearchSploit per service/version
  • LLM-based CVE summaries
  • Output written to exploits.txt

📋 Executive Summary

  • Clear Markdown (summary.md)
  • Includes:
    • Ports/services
    • CVEs
    • Attack paths
    • Recommended tools

Directory Structure

triage/192.168.1.10/
├── nmap_output.txt
├── httpx_output.txt
├── gobuster.txt
├── exploits.txt
├── summary.md
└── summary_exec.md

Usage

1. Prepare Environment

  • Docker installed
  • .env file in repo root:
LLM_API_KEY=your_key
LLM_PROVIDER=groq
MODEL=qwen-2.5-coder-32b

2. Run the Agent

./hawx.sh [--steps N] [--ovpn file.ovpn] [--hostname NAME] <target_ip/domain>

Examples:

./hawx.sh 192.168.1.10
./hawx.sh --steps 2 --ovpn vpn.ovpn --hostname target 192.168.1.10

Flags

| Flag | Description |
|------|-------------|
| --steps | Number of recon layers (default: 1, max: 3) |
| --ovpn | OpenVPN config file |
| --hostname | Add target to /etc/hosts as hostname.local |
| --force-build | Rebuild Docker image before execution |
| --help | Show usage help |

Roadmap

  • 🔬 Add nuclei, wpscan, and brute-force modules
  • 🧾 PDF export via Pandoc
  • 📊 JSON + HTML output formats
  • 🕵️ Passive recon plugin support

License

MIT License – use freely, responsibly, and at your own risk.