Skip to main content

Configuration Settings

AutoPentestX uses a centralized config.json file to manage all tool settings, scanning parameters, and behavior options. This file is located in the root directory of the application.

Configuration File Location

autopentestx/
└── config.json

Application Metadata

app_name
string
default:"AutoPentestX"
Application name displayed in reports and output
version
string
default:"1.0.0"
Current version of AutoPentestX
description
string
Application description for documentation and reports

Scan Settings

Core scanning behavior and network reconnaissance parameters.
scan_settings.default_safe_mode
boolean
default:true
Enable safe mode by default to prevent aggressive scanning
scan_settings.timeout
integer
default:300
Scan timeout in seconds (5 minutes)
scan_settings.max_ports
integer
default:65535
Maximum port range to scan (1-65535)

Scan Techniques

scan_settings.scan_techniques.tcp_scan
boolean
default:true
Enable TCP port scanning
scan_settings.scan_techniques.udp_scan
boolean
default:true
Enable UDP port scanning
scan_settings.scan_techniques.service_detection
boolean
default:true
Enable service version detection
scan_settings.scan_techniques.os_detection
boolean
default:true
Enable operating system fingerprinting
scan_settings.scan_techniques.version_detection
boolean
default:true
Enable detailed version detection for services

Vulnerability Scanning

Settings for web vulnerability scanners (Nikto, SQLMap).
vulnerability_scanning.nikto_enabled
boolean
default:true
Enable Nikto web server scanner
vulnerability_scanning.sqlmap_enabled
boolean
default:true
Enable SQLMap for SQL injection testing
vulnerability_scanning.nikto_timeout
integer
default:300
Nikto scan timeout in seconds
vulnerability_scanning.sqlmap_timeout
integer
default:180
SQLMap scan timeout in seconds
vulnerability_scanning.max_web_crawl_depth
integer
default:2
Maximum depth for web crawling during vulnerability assessment
Web vulnerability scanning can be time-consuming. Use --skip-web flag to bypass these scans when not needed.

CVE Lookup

Configuration for CVE (Common Vulnerabilities and Exposures) database queries.
cve_lookup.enabled
boolean
default:true
Enable automatic CVE lookups for detected services
cve_lookup.api_url
string
default:"https://cve.circl.lu/api"
Primary CVE API endpoint
cve_lookup.nvd_api_url
string
NIST National Vulnerability Database API endpoint
cve_lookup.max_results_per_service
integer
default:10
Maximum number of CVE results to retrieve per service
cve_lookup.cache_results
boolean
default:true
Cache CVE results to improve performance on repeated scans

Exploitation Settings

Controls for exploit simulation and Metasploit integration.
exploitation.safe_mode_default
boolean
default:true
Enable safe mode for exploitation (simulation only)
exploitation.metasploit_enabled
boolean
default:true
Enable Metasploit Framework integration
exploitation.max_exploit_attempts
integer
default:5
Maximum number of exploit attempts per vulnerability
exploitation.generate_rc_scripts
boolean
default:true
Generate Metasploit resource scripts for manual exploitation
Exploitation should ONLY be performed on authorized systems. Safe mode is enabled by default and highly recommended.

Risk Scoring

Risk assessment thresholds and weighting factors.

CVSS Thresholds

risk_scoring.cvss_thresholds.critical
float
Minimum CVSS score for CRITICAL severity (9.0-10.0)
risk_scoring.cvss_thresholds.high
float
Minimum CVSS score for HIGH severity (7.0-8.9)
risk_scoring.cvss_thresholds.medium
float
Minimum CVSS score for MEDIUM severity (4.0-6.9)
risk_scoring.cvss_thresholds.low
float
Minimum CVSS score for LOW severity (0.1-3.9)

Weight Factors

risk_scoring.weight_factors.exploitable
float
Risk multiplier for exploitable vulnerabilities (2x)
risk_scoring.weight_factors.public_exploit
float
Risk multiplier when public exploits exist (1.5x)
risk_scoring.weight_factors.network_accessible
float
Risk multiplier for network-accessible services (1.3x)
risk_scoring.weight_factors.authenticated
float
Risk reducer for vulnerabilities requiring authentication (0.7x)

Reporting

Report generation settings and output formats.
reporting.format
string
default:"pdf"
Default report format (pdf, html, json)
reporting.generate_json
boolean
default:true
Generate JSON output alongside PDF report
reporting.include_screenshots
boolean
default:false
Include screenshots in reports (requires additional tools)
reporting.confidential_watermark
boolean
default:true
Add “CONFIDENTIAL” watermark to PDF reports
reporting.default_tester_name
string
default:"AutoPentestX Team"
Default tester name for reports (can be overridden with -n flag)

Database Configuration

database.type
string
default:"sqlite"
Database type (currently only SQLite is supported)
database.path
string
default:"database/autopentestx.db"
Path to SQLite database file
database.backup_enabled
boolean
default:true
Enable automatic database backups
database.retention_days
integer
default:90
Number of days to retain scan data before cleanup
See Database Configuration for detailed schema information.

Logging

Application logging configuration.
logging.enabled
boolean
default:true
Enable application logging
logging.level
string
default:"INFO"
Log level: DEBUG, INFO, WARNING, ERROR, CRITICAL
logging.log_dir
string
default:"logs"
Directory for log files
logging.max_log_size_mb
integer
default:10
Maximum log file size in megabytes before rotation
logging.backup_count
integer
default:5
Number of rotated log files to keep

Output Directories

Default directories for various output types.
output.reports_dir
string
default:"reports"
Directory for generated reports
output.logs_dir
string
default:"logs"
Directory for application logs
output.database_dir
string
default:"database"
Directory for database files
output.exploits_dir
string
default:"exploits"
Directory for generated exploit scripts

Network Settings

HTTP client configuration for web requests.
network.user_agent
string
default:"Mozilla/5.0 (AutoPentestX Security Scanner)"
User-Agent header for HTTP requests
network.request_timeout
integer
default:30
HTTP request timeout in seconds
network.max_retries
integer
default:3
Maximum number of retries for failed requests
network.rate_limit_delay
integer
default:1
Delay in seconds between requests to avoid rate limiting

Example Configuration

{
  "app_name": "AutoPentestX",
  "version": "1.0.0",
  "description": "Automated Penetration Testing & Vulnerability Assessment Toolkit",
  
  "scan_settings": {
    "default_safe_mode": true,
    "timeout": 300,
    "max_ports": 65535,
    "scan_techniques": {
      "tcp_scan": true,
      "udp_scan": true,
      "service_detection": true,
      "os_detection": true,
      "version_detection": true
    }
  },
  
  "vulnerability_scanning": {
    "nikto_enabled": true,
    "sqlmap_enabled": true,
    "nikto_timeout": 300,
    "sqlmap_timeout": 180,
    "max_web_crawl_depth": 2
  },
  
  "risk_scoring": {
    "cvss_thresholds": {
      "critical": 9.0,
      "high": 7.0,
      "medium": 4.0,
      "low": 0.1
    },
    "weight_factors": {
      "exploitable": 2.0,
      "public_exploit": 1.5,
      "network_accessible": 1.3,
      "authenticated": 0.7
    }
  },
  
  "database": {
    "type": "sqlite",
    "path": "database/autopentestx.db",
    "backup_enabled": true,
    "retention_days": 90
  }
}

Modifying Configuration

  1. Edit the config.json file in the root directory
  2. Validate JSON syntax before saving
  3. Restart AutoPentestX for changes to take effect
Invalid JSON will cause AutoPentestX to fail at startup. Always validate your configuration file after making changes.

Build docs developers (and LLMs) love

Get started for freeTalk to us