AutoPentestX executes a comprehensive 7-phase penetration testing workflow automatically. Each phase builds on the previous one, creating a complete picture of the target’s security posture.
Complete Workflow Overview The run_full_assessment() method in main.py:136 orchestrates all seven phases:
def run_full_assessment ( self ): """Execute complete penetration testing workflow""" self .start_time = time.time() # Phase 1: Database initialization # Phase 2: Network scanning # Phase 3: Vulnerability detection # Phase 4: CVE intelligence # Phase 5: Risk assessment # Phase 6: Exploitation simulation # Phase 7: Report generation
Phase 1: Initialization Database Setup The assessment begins with database initialization (main.py:144-159):
print ( f "[PHASE 1] Initializing attack sequence..." ) self .scan_id = self .db.insert_scan( self .target) if not self .scan_id: print ( f "[✗] CRITICAL ERROR: Database initialization failed" ) return False print ( f "[✓] Mission ID: { self .scan_id } | Status: ACTIVE" )
Create Scan Record
Generates unique scan ID and creates database entry with timestamp
Verify Database
Ensures SQLite connection is active and tables exist
Initialize Storage
Prepares directories for reports, logs, and exploit scripts
The scan ID tracks all results throughout the assessment and allows historical comparison of scans against the same target.
Phase 2: Network Reconnaissance Port Scanning & Service Detection Comprehensive network scanning using Nmap (main.py:161-180):
print ( f "[PHASE 2] Network reconnaissance in progress..." ) scanner = Scanner( self .target) self .scan_results = scanner.run_full_scan() if not self .scan_results: print ( f "[✗] ABORT: Network reconnaissance failed" ) return False print ( f "[✓] Phase 2 complete - { len ( self .scan_results.get( 'ports' , [])) } ports discovered" )
Scanning Capabilities
TCP Scanning All 65,535 TCP ports with service detection
UDP Scanning Top 20 UDP ports for common services
OS Detection Operating system fingerprinting via TCP/IP stack analysis
Banner Grabbing Service version identification from banners
Data Collected
Open port numbers
Service names (HTTP, SSH, FTP, etc.)
Service versions (Apache 2.4.41, OpenSSH 8.2p1)
Operating system family and version
Network latency and responsiveness
Database Storage # Update database with OS detection self .db.update_scan( self .scan_id, os_detection = self .scan_results.get( 'os_detection' , 'Unknown' )) # Store each discovered port for port in self .scan_results.get( 'ports' , []): self .db.insert_port( self .scan_id, port)
Phase 3: Vulnerability Analysis Web Vulnerability Scanning Deep vulnerability analysis using Nikto and SQLMap (main.py:183-207):
if not self .skip_web: print ( f "[PHASE 3] Vulnerability analysis initiated..." ) vuln_scanner = VulnerabilityScanner( self .target, self .scan_results.get( 'ports' , []) ) self .vuln_results = vuln_scanner.run_full_scan()
This phase can be skipped with --skip-web for faster scans or when web testing isn’t needed.
Detection Methods
Common Vulnerabilities
Checks for default credentials, outdated software, misconfigurations
Web Application Scanning
Nikto scans for web server vulnerabilities, dangerous files, outdated versions
SQL Injection Testing
SQLMap tests for SQL injection points in web applications
Service-Specific Checks
Custom checks for FTP, SSH, SMB, and other common services
Vulnerability Storage # Store vulnerabilities in database for vuln in self .vuln_results.get( 'vulnerabilities' , []): self .db.insert_vulnerability( self .scan_id, vuln) # Store web-specific vulnerabilities for web_vuln in self .vuln_results.get( 'web_vulnerabilities' , []): self .db.insert_web_vulnerability( self .scan_id, web_vuln)
Phase 4: CVE Intelligence Automated CVE Lookup Cross-references discovered services with CVE databases (main.py:209-230):
print ( f "[PHASE 4] Accessing CVE intelligence database..." ) cve_lookup = CVELookup() services = self .scan_results.get( 'services' , []) self .cve_results = cve_lookup.lookup_services(services)
CVE Matching Process
Service Identification
Extracts service name and version from scan results
Database Query
Queries CVE databases (NVD, CVE Details) for matching vulnerabilities
CVSS Scoring
Retrieves CVSS scores and severity ratings for each CVE
Exploit Availability
Checks if public exploits exist for identified CVEs
CVE Data Structure for cve in self .cve_results: vuln_data = { 'port' : cve.get( 'port' ), 'service' : cve.get( 'service' ), 'name' : cve.get( 'cve_id' ), 'description' : cve.get( 'description' ), 'cve_id' : cve.get( 'cve_id' ), 'cvss_score' : cve.get( 'cvss_score' ), 'risk_level' : cve.get( 'risk_level' ), 'exploitable' : cve.get( 'exploitable' , False ) } self .db.insert_vulnerability( self .scan_id, vuln_data)
High CVSS scores (7.0+) indicate critical vulnerabilities that require immediate attention.
Phase 5: Risk Assessment Multi-Factor Risk Calculation Comprehensive risk analysis combining all vulnerability data (main.py:233-254):
print ( f "[PHASE 5] Computing threat matrix..." ) risk_engine = RiskEngine() self .risk_results = risk_engine.calculate_overall_risk( self .scan_results, self .vuln_results.get( 'vulnerabilities' , []), self .cve_results, self .vuln_results.get( 'web_vulnerabilities' , []), self .vuln_results.get( 'sql_vulnerabilities' , []) )
Risk Factors
Port Exposure Number and type of open ports (higher = riskier)
Vulnerability Count Total vulnerabilities weighted by severity
CVSS Scores Aggregate CVSS scores from all CVEs
Exploit Availability Whether public exploits exist for vulnerabilities
Risk Levels
CRITICAL : CVSS 9.0-10.0 or actively exploited vulnerabilitiesHIGH : CVSS 7.0-8.9 or multiple serious issuesMEDIUM : CVSS 4.0-6.9 or configuration weaknessesLOW : CVSS 0.1-3.9 or informational findingsINFO : No security impact, awareness only
Database Update self .db.update_scan( self .scan_id, total_ports = len ( self .scan_results.get( 'ports' , [])), open_ports = len ( self .scan_results.get( 'ports' , [])), vulnerabilities_found = self .risk_results.get( 'total_vulnerabilities' , 0 ), risk_score = self .risk_results.get( 'overall_risk_level' , 'UNKNOWN' ), status = 'completed' )
Phase 6: Exploitation Simulation Safe Mode Exploitation Metasploit integration with safety controls (main.py:256-290):
if not self .skip_exploit: print ( f "[PHASE 6] Exploit simulation [SAFE MODE]..." ) exploit_engine = ExploitEngine( safe_mode = self .safe_mode) # Match exploits to vulnerabilities matched_exploits = exploit_engine.match_exploits( self .vuln_results.get( 'vulnerabilities' , []), self .cve_results ) # Simulate exploitation if matched_exploits: self .exploit_results = exploit_engine.simulate_exploitation( matched_exploits, self .target )
Phase 6 can be skipped with --skip-exploit for compliance requirements or faster assessments.
Exploit Matching The exploit engine matches vulnerabilities to known exploits (exploit_engine.py:70-117):
def match_exploits ( self , vulnerabilities , cves ): matched_exploits = [] # Match based on service versions for vuln in vulnerabilities: service = vuln.get( 'service' , '' ).lower() version = vuln.get( 'version' , '' ).lower() for key, exploit in self .exploit_db.items(): if key.lower() in f " { service } { version } " : matched_exploits.append({ 'vulnerability' : vuln, 'exploit' : exploit, 'confidence' : 'HIGH' })
Exploit Database Built-in exploit mappings (exploit_engine.py:22-53):
vsftpd 2.3.4 : Backdoor command executionProFTPD 1.3.3c : Backdoor vulnerabilityEternalBlue (MS17-010) : SMB remote code executionShellshock : Bash environment variable injectionDrupalgeddon2 : Drupal RCE vulnerability
Safe Mode Behavior In safe mode (default), the tool:
Identifies Exploits
Matches vulnerabilities to Metasploit modules
Simulates Execution
Logs what would happen without actually executing
Generates RC Scripts
Creates Metasploit resource scripts for manual testing
Records Results
Stores simulation results in database
if self .safe_mode: print ( "[*] Running in SAFE MODE - No actual exploitation will occur" ) result = { 'status' : 'SIMULATED' , 'safe_mode' : True , 'result' : 'Exploit would be executed in non-safe mode' }
Disabling safe mode with --no-safe-mode can cause system damage or instability. Only disable for authorized testing in isolated environments.
Phase 7: Report Generation Professional PDF Reports Final phase generates comprehensive documentation (main.py:293-310):
print ( f "[PHASE 7] Compiling classified intelligence report..." ) pdf_generator = PDFReportGenerator( self .target, self .scan_id) report_file = pdf_generator.generate_report( self .scan_results, self .vuln_results.get( 'vulnerabilities' , []), self .cve_results, self .vuln_results.get( 'web_vulnerabilities' , []), self .vuln_results.get( 'sql_vulnerabilities' , []), self .risk_results, self .exploit_results, self .tester_name )
Report Contents
High-level overview suitable for non-technical stakeholders:
Overall risk level and score
Critical findings count
Top 5 recommendations
Business impact assessment
Detailed technical information for security teams:
Complete port scan results
All identified vulnerabilities
CVE details with CVSS scores
Exploit simulation results
Comprehensive risk analysis:
Risk calculation methodology
Individual vulnerability ratings
Aggregate risk scoring
Threat prioritization
PDF : Primary format with professional stylingDatabase : SQLite for historical analysisLogs : Text logs for debugging and audit trailsRC Scripts : Metasploit scripts for validation testing
Workflow Execution Automatic Progress All phases execute automatically with real-time progress indicators:
╔══════════════════════════════════════════════════════════════════╗ ║ [PHASE 1] ▶ Initializing attack sequence... ║ ╚══════════════════════════════════════════════════════════════════╝ [✓] Mission ID: 12345 | Status: ACTIVE ╔══════════════════════════════════════════════════════════════════╗ ║ [PHASE 2] ▶ Network reconnaissance in progress... ║ ╚══════════════════════════════════════════════════════════════════╝ [✓] Phase 2 complete - 15 ports discovered
Error Handling The workflow includes comprehensive error handling (main.py:324-341):
except KeyboardInterrupt : print ( f "[!] MISSION ABORT - Operator initiated shutdown" ) if self .scan_id: self .db.update_scan( self .scan_id, status = 'interrupted' ) return False except Exception as e: print ( f "[✗] CRITICAL SYSTEM ERROR: { e } " ) if self .scan_id: self .db.update_scan( self .scan_id, status = 'failed' ) return False
All partial results are saved even if the scan is interrupted, allowing you to review findings up to the failure point.
Typical Execution Times Phase Time Range Factors Phase 1 < 1 second Database initialization Phase 2 3-15 minutes Number of ports, network latency Phase 3 5-20 minutes Number of web services, SQLMap depth Phase 4 1-3 minutes CVE API response times Phase 5 < 1 second Risk calculation Phase 6 1-5 minutes Number of matched exploits Phase 7 1-2 minutes Report complexity
Total : Typically 10-30 minutes for a complete assessmentWhat’s Next?
Safe Mode Details Learn about exploitation safety mechanisms
Run Your First Scan Execute your first penetration test
CLI Reference Complete command-line options
Understanding Reports Interpret generated PDF reports