All-in-one pentest toolkit — JWT vulnerability analyzer, web reconnaissance automation, packet sniffing, and vulnerability history in one containerized platform
PentestKit is a web-first penetration testing platform that combines three essential tools in one clean web interface:
✅ JWT Analyzer — Detect token vulns (alg:none, expired, weak secrets)
✅ Web Recon Automation — IP resolution, WHOIS, DNS enum, header analysis
✅ Packet Sniffer — Real-time network traffic capture with protocol detection
✅ Scan History — Automatic logging to PostgreSQL for trend analysis
✅ Docker + Kubernetes Ready — Deploy anywhere in minutes
Use Case: Pentesters, bug bounty hunters, security students, and development teams testing their security posture.
Decode and analyze JSON Web Tokens for vulnerabilities:
| Feature | Capability |
|---|---|
| Header Decoding | Algorithm, token type, kid extraction |
| Payload Inspection | Claims analysis, expiration check, sensitive data detection |
| Vulnerability Detection | ✅ alg:none bypass ✅ Expired tokens ✅ Weak secrets ✅ Algorithm confusion ✅ Sensitive data exposure |
| Risk Scoring | SAFE / LOW / MEDIUM / HIGH / CRITICAL |
| Secret Validation | Test common weak secrets (123456, password, etc.) |
Example Vulnerabilities Detected:
❌ "alg": "none" → CRITICAL: No signature verification
❌ "exp": 1600000000 → CRITICAL: Token already expired
❌ "kid": "../../../etc/passwd" → HIGH: Path traversal in kid parameter
❌ Sensitive data in payload → MEDIUM: Credentials exposed in JWT
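As an added example (not code from the PentestKit repository), the checks listed above implemented with the standard library only: decode without verifying, flag `alg: none`, an expired `exp`, a path-traversal `kid`, credential-like claims, and an HS256 signature that matches one of the README's weak secrets. `analyze_jwt`, `make_hs256_token` and the short `WEAK_SECRETS` list are this example's own names and assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed weak-secret list mirroring the page's examples; a real scanner uses a wordlist
WEAK_SECRETS = ["123456", "password", "secret"]
SENSITIVE_CLAIMS = {"password", "passwd", "secret", "api_key", "ssn"}
LEVELS = ["SAFE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def b64url_decode(seg: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_hs256_token(payload: dict, secret: str, header: dict = None) -> str:
    """Test-token factory (hypothetical helper) so the analyzer can be exercised offline."""
    segs = [b64url_encode(json.dumps(x).encode()) for x in (header or {"alg": "HS256", "typ": "JWT"}, payload)]
    sig = hmac.new(secret.encode(), ".".join(segs).encode(), hashlib.sha256).digest()
    return ".".join(segs) + "." + b64url_encode(sig)

def analyze_jwt(token: str, now: int = None) -> dict:
    """Decode a JWT without verifying it and report the weaknesses the README lists."""
    now = int(time.time()) if now is None else now
    head, body, sig = token.split(".")  # raises ValueError unless exactly three segments
    header, payload = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
    findings = []
    def flag(severity, kind, fix):
        findings.append({"severity": severity, "type": kind, "fix": fix})
    alg = str(header.get("alg", ""))
    if alg.lower() == "none":
        flag("CRITICAL", "No Signature Algorithm", "Reject alg=none; pin the accepted algorithm server-side")
    elif alg == "HS256":
        # Recompute the HMAC with each weak candidate and compare in constant time
        for secret in WEAK_SECRETS:
            mac = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
            if hmac.compare_digest(mac, b64url_decode(sig)):
                flag("CRITICAL", "Weak Secret", f"Signed with guessable secret {secret!r}; use a random 256-bit key")
                break
    exp = payload.get("exp")
    if isinstance(exp, int) and exp < now:
        flag("CRITICAL", "Token Expired", "Refresh token or re-authenticate")
    kid = str(header.get("kid", ""))
    if ".." in kid or kid.startswith("/"):
        flag("HIGH", "Path Traversal in kid", "Resolve kid through an allow-list, never as a file path")
    if SENSITIVE_CLAIMS & {str(k).lower() for k in payload}:
        flag("MEDIUM", "Sensitive Data Exposure", "Keep credentials out of the payload; it is only base64-encoded")
    worst = max((LEVELS.index(f["severity"]) for f in findings), default=0)
    return {"header": header, "payload": payload, "vulnerabilities": findings, "risk_score": LEVELS[worst]}
```

Feeding it the `alg: none` token from the usage example below yields the two CRITICAL findings shown there.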
Automated reconnaissance for target websites:
| Function | What It Does |
|---|---|
| IP Resolution | DNS lookup → IP address |
| WHOIS Lookup | Registrant info, registration date, DNS servers |
| DNS Records | A, AAAA, MX, NS, TXT, CNAME enumeration |
| HTTP Headers | Security headers analysis (CSP, HSTS, X-Frame, etc.) |
| Subdomain Enum | Common subdomain wordlist scan |
| SSL Certificate | Expiry, issuer, alternative names |
Example Output:

```text
Target: example.com
├─ IP: 93.184.216.34
├─ Registrar: VeriSign Global Registry Services
├─ DNS Servers: a.iana-servers.net, b.iana-servers.net
├─ Subdomains Found:
│   ├─ api.example.com (93.184.216.34)
│   ├─ admin.example.com (93.184.216.35)
│   └─ dev.example.com (93.184.216.36)
├─ Security Headers:
│   ✅ HSTS: max-age=31536000
│   ✅ CSP: default-src 'self'
│   ❌ X-Frame-Options: Missing
│   ❌ X-Content-Type-Options: Missing
└─ SSL Certificate: Valid until 2025-05-17
```
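An added example (not PentestKit's `recon_tool.py`) of the security-header analysis behind the report above, run offline over a constructed set of response headers. The one-year HSTS threshold, the CSP checks and the function names `parse_csp` / `analyze_headers` are this example's assumptions.

```python
import re

# Threshold assumed for this example: one year of HSTS, the value the README's sample output shows
MIN_HSTS_AGE = 31536000

def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def analyze_headers(headers: dict) -> list:
    """Return (status, header, detail) rows; status is OK, WEAK or MISSING."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    rows = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        rows.append(("MISSING", "Strict-Transport-Security", "Add HSTS with max-age >= 31536000"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        rows.append(("OK" if age >= MIN_HSTS_AGE else "WEAK", "Strict-Transport-Security",
                     hsts if age >= MIN_HSTS_AGE else f"max-age={age} is below one year"))
    csp = h.get("content-security-policy")
    if csp is None:
        rows.append(("MISSING", "Content-Security-Policy", "No CSP; scripts from any origin can run"))
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when absent, so check the effective source list
        scripts = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            rows.append(("WEAK", "Content-Security-Policy", "effective script-src allows inline or wildcard sources"))
        elif "default-src" not in policy:
            rows.append(("WEAK", "Content-Security-Policy", "no default-src fallback directive"))
        else:
            rows.append(("OK", "Content-Security-Policy", csp))
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        rows.append(("OK", "X-Frame-Options", xfo))
    else:
        rows.append(("WEAK" if xfo else "MISSING", "X-Frame-Options", "Set DENY or SAMEORIGIN (or CSP frame-ancestors)"))
    xcto = h.get("x-content-type-options", "").lower()
    rows.append(("OK" if xcto == "nosniff" else "MISSING", "X-Content-Type-Options", xcto or "Set nosniff"))
    return rows

# Constructed sample response headers matching the README's example output (HSTS and CSP set, two missing)
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000", "Content-Security-Policy": "default-src 'self'"}
```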
Real-time network traffic capture with intelligent protocol detection:
| Feature | Details |
|---|---|
| Live Capture | Real-time packet sniffer using PyShark |
| Protocol Detection | HTTP, HTTPS, DNS, SSH, FTP, TCP, UDP, ICMP, ARP |
| Payload Display | Full packet payload (requests, responses, DNS queries) |
| Live Stats | Packets/sec, bytes/sec, top protocols, top IPs |
| Filter Options | By protocol, IP, port, VLAN |
Example Traffic Capture:

```text
HTTP Request:
  GET /api/users HTTP/1.1
  Host: internal-api.local
  Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

DNS Query:
  Query: admin-panel.internal.local (A record)
  Response: 192.168.1.50

SSH Connection:
  Source: 192.168.1.100:54321 → Dest: 192.168.1.50:22
  Status: Connected (banner received)
```
All scans automatically saved to PostgreSQL:
- JWT Scans — Token, findings, risk score, timestamp
- Recon Scans — Target, IPs found, subdomains, headers, timestamp
- Packet Captures — Protocol stats, conversation count, duration
- Trending — Which vulnerabilities are most common in your network?
```text
┌──────────────────────────────────────────────────────┐
│                   PentestKit Stack                   │
├──────────────────────────────────────────────────────┤
│                                                      │
│  ┌────────────────────────────────────────────────┐  │
│  │ Web UI (Flask + HTML)                          │  │
│  │   - JWT Analyzer form                          │  │
│  │   - Web Recon input                            │  │
│  │   - Sniffer controls                           │  │
│  │   - History dashboard                          │  │
│  └───────────────────────┬────────────────────────┘  │
│                          │                           │
│  ┌───────────────────────▼────────────────────────┐  │
│  │ Flask Backend (Python 3.11)                    │  │
│  ├────────────────────────────────────────────────┤  │
│  │   • jwt_analyzer.py   → Token validation       │  │
│  │   • recon_tool.py     → Network enum           │  │
│  │   • packet_sniffer.py → Live capture (PyShark) │  │
│  │   • database.py       → PostgreSQL queries     │  │
│  └───────────────────────┬────────────────────────┘  │
│                          │                           │
│  ┌───────────────────────▼────────────────────────┐  │
│  │ PostgreSQL Database (Persistent)               │  │
│  │   - scan_history table                         │  │
│  │   - findings table                             │  │
│  │   - audit_log table                            │  │
│  └────────────────────────────────────────────────┘  │
│                                                      │
└──────────────────────────────────────────────────────┘
```
Deployment:
Docker Compose → Single command, local dev
Kubernetes → Production-grade scaling
```text
pentestkit/
├── README.md                     # This file
│
├── app/                          # Flask application
│   ├── app.py                    # Main Flask app + routes
│   │
│   ├── modules/                  # Business logic
│   │   ├── jwt_analyzer.py       # JWT vulnerability detection
│   │   ├── recon_tool.py         # Automated web recon
│   │   ├── packet_sniffer.py     # Network capture module
│   │   └── database.py           # PostgreSQL ORM
│   │
│   ├── templates/                # HTML frontend
│   │   ├── base.html             # Layout base
│   │   ├── index.html            # Dashboard
│   │   ├── jwt.html              # JWT analyzer UI
│   │   ├── recon.html            # Web recon UI
│   │   ├── sniffer.html          # Packet sniffer UI
│   │   ├── history.html          # Scan history & charts
│   │   └── static/
│   │       ├── css/style.css     # Styling
│   │       └── js/charts.js      # D3.js vulnerability trends
│   │
│   ├── requirements.txt          # Python dependencies
│   ├── config.py                 # Database & app config
│   └── utils.py                  # Helper functions
│
├── tests/                        # Unit tests
│   ├── test_jwt_analyzer.py      # JWT test cases
│   ├── test_recon.py             # Recon module tests
│   └── test_integration.py       # End-to-end tests
│
├── docs/                         # Documentation
│   ├── USAGE.md                  # How to use each tool
│   ├── VULNERABILITIES.md        # JWT vulnerabilities explained
│   ├── API.md                    # REST API documentation
│   └── DEPLOYMENT.md             # Docker/K8s guides
│
├── Dockerfile                    # Container image definition
├── docker-compose.yml            # Local dev stack
│
├── k8s/                          # Kubernetes manifests
│   ├── namespace.yaml            # Create pentestkit namespace
│   ├── configmap.yaml            # App configuration
│   ├── secrets.yaml              # Database credentials
│   ├── postgres-deployment.yaml  # PostgreSQL service
│   ├── postgres-pvc.yaml         # Persistent volume for DB
│   ├── app-deployment.yaml       # PentestKit app pods
│   ├── app-service.yaml          # K8s service (LoadBalancer)
│   ├── app-hpa.yaml              # Horizontal Pod Autoscaling
│   └── ingress.yaml              # Ingress (optional, for domain)
│
├── .env.example                  # Environment template
├── docker-compose.override.yml   # Local overrides
└── .gitignore                    # Git exclusions
```
```bash
# Clone repository
git clone https://github.com/Kg4REAL/PentestKit.git
cd PentestKit

# Copy environment template
cp .env.example .env

# Start all services
docker-compose up --build

# Access the application
# Web UI:     http://localhost:5000
# PostgreSQL: localhost:5432
```

First run setup:

```bash
# Initialize database (if not auto-created)
docker-compose exec app python -c "from app import db; db.create_all()"

# Check logs
docker-compose logs -f app
```

Kubernetes deployment:

```bash
# Create namespace
kubectl create namespace pentestkit

# Create secrets (database credentials); the password below is only an example value, generate your own
kubectl create secret generic db-credentials \
  --from-literal=POSTGRES_USER=pentestkit \
  --from-literal=POSTGRES_PASSWORD=SecurePass123! \
  -n pentestkit

# Deploy stack
kubectl apply -f k8s/ -n pentestkit

# Port forward to access
kubectl port-forward svc/pentestkit-service 5000:5000 -n pentestkit
# Web UI: http://localhost:5000
```

Scale deployment:

```bash
# Auto-scale app pods (2-10 based on CPU)
kubectl autoscale deployment pentestkit-app \
  --min=2 --max=10 --cpu-percent=70 -n pentestkit

# Check status
kubectl get pods -n pentestkit
kubectl get svc -n pentestkit
```

Local development (without Docker):

```bash
# Create virtual environment
python3 -m venv venv
source venv/bin/activate

# Install dependencies
pip install -r app/requirements.txt

# Set environment variables
export DATABASE_URL="postgresql://user:pass@localhost/pentestkit"
export FLASK_ENV=development

# Run Flask app
cd app
python app.py
# Access: http://localhost:5000
```

Input:
```text
eyJhbGciOiJub25lIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTYwMDAwMDAwMH0.
```

Output:

```json
{
  "header": {
    "alg": "none",
    "typ": "JWT"
  },
  "payload": {
    "sub": "1234567890",
    "name": "John Doe",
    "admin": true,
    "exp": 1600000000
  },
  "vulnerabilities": [
    {
      "severity": "CRITICAL",
      "type": "No Signature Algorithm",
      "description": "Algorithm set to 'none' - no signature verification. Token can be forged.",
      "fix": "Always verify signature with HS256, RS256, or ES256"
    },
    {
      "severity": "CRITICAL",
      "type": "Token Expired",
      "description": "exp (1600000000) is before current time",
      "fix": "Refresh token or re-authenticate"
    }
  ],
  "risk_score": "CRITICAL"
}
```

Input: example.com
Output:

```json
{
  "target": "example.com",
  "dns_records": {
    "A": ["93.184.216.34"],
    "AAAA": ["2606:2800:220:1:248:1893:25c8:1946"],
    "MX": ["mail.example.com"],
    "TXT": ["v=spf1 include:sendgrid.net ~all"]
  },
  "whois": {
    "registrar": "VeriSign Global Registry Services",
    "registered": "1995-08-14",
    "expires": "2025-08-13"
  },
  "subdomains": [
    "api.example.com",
    "admin.example.com",
    "mail.example.com"
  ],
  "security_headers": {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff"
  },
  "ssl_certificate": {
    "issuer": "Let's Encrypt",
    "valid_until": "2025-05-17",
    "san": ["example.com", "www.example.com"]
  }
}
```

Capture Filter: tcp port 443 or port 80
Output:

```text
[HTTP] 192.168.1.100:52341 → 93.184.216.34:443
  GET /api/v1/users HTTP/1.1
  Host: api.example.com
  Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

[DNS] 192.168.1.100:54321 → 8.8.8.8:53
  Query: internal-admin.local (A)

[SSH] 192.168.1.50:22 ← 192.168.1.100:52342
  Banner: SSH-2.0-OpenSSH_7.4

Stats:
  Total packets: 1,247
  HTTP:  234 packets
  HTTPS: 567 packets
  DNS:   156 packets
  SSH:    89 packets
  Other: 201 packets
  Bytes sent:     2.3 MB
  Bytes received: 5.1 MB
```
Scan History Page shows:
- Last 30 scans with timestamp, tool used, target, findings
- Vulnerability trends — Pie chart of risks (CRITICAL, HIGH, MEDIUM, LOW)
- Most detected vulnerabilities — Bar chart of top issues
- Recon data — Subdomains found, headers missing, etc.
- Export options — CSV, JSON reports
| Component | Technology | Purpose |
|---|---|---|
| Backend | Python 3.11 + Flask | RESTful API & web server |
| Frontend | HTML5 + Bootstrap + D3.js | Responsive UI + charts |
| Database | PostgreSQL 14+ | Persistent scan history |
| Network | PyShark (Wireshark) | Packet capture & analysis |
| JWT | PyJWT | Token parsing & validation |
| DNS/WHOIS | dnspython + python-whois | Reconnaissance automation |
| Containerization | Docker | Consistent environments |
| Orchestration | Kubernetes | Production deployments |
- ✅ No credentials stored — All operations performed on-the-fly
- ✅ HTTPS ready — SSL/TLS certificate support
- ✅ Database encryption — PostgreSQL at rest encryption
- ✅ Access logging — All scans logged with source IP, timestamp
- ✅ API authentication — Optional JWT-based API auth
- ✅ CORS configured — Restricted origins only
Single instance (Docker Compose):
- Up to 100 concurrent JWT analyses/sec
- Up to 50 concurrent web recon scans
- Packet capture limited by interface bandwidth
Kubernetes cluster:
- Horizontal Pod Autoscaling (min 2, max 10 pods)
- Load balancing across replicas
- Dedicated PostgreSQL pod with persistent volume
- Scales to handle 1000+ concurrent operations
See /docs/ folder:
- USAGE.md — Step-by-step guides for each tool
- VULNERABILITIES.md — JWT vulnerability explanations
- API.md — REST API endpoints and responses
- DEPLOYMENT.md — Docker, K8s, cloud deployment
Run unit tests:

```bash
# Run from the repository root: tests/ sits beside app/ (see the project structure above)
pytest tests/ -v
pytest tests/ --cov=app/modules   # Coverage report
```

Issue: "Connection refused" to PostgreSQL

```bash
# Check DB container is running
docker-compose ps

# Restart PostgreSQL
docker-compose restart db

# Check logs
docker-compose logs db
```

Issue: JWT Analyzer returns empty results

```bash
# Ensure PyJWT is installed
pip install PyJWT

# Check token format: three dot-separated base64url segments (header.payload.signature);
# pass the token as an argument and decode it without verifying the signature
python3 -c "import jwt, sys; print(jwt.decode(sys.argv[1], options={'verify_signature': False}))" '<paste-token-here>'
```

- GraphQL API — Alternative to REST
- Threat Intelligence — VirusTotal, AlienVault integration
- Burp Suite Integration — Direct scan export
- Slack Notifications — Alert on critical findings
- API Rate Limiting — Protect against abuse
- Multi-user Dashboard — Team collaboration
- Mobile App — iOS/Android companion
- Machine Learning — Anomaly detection in scan patterns
Found a bug? Want a feature? Submit issues or PRs!
```bash
# Fork → Clone → Branch → Commit → Push → PR
git checkout -b feature/your-feature
git commit -m "feat: Add new feature"
git push origin feature/your-feature
```

🔗 GitHub: @Kg4REAL
🔗 LinkedIn: Ibrahima Dia - Cybersecurity
📧 Issues? Open a GitHub issue
MIT License — Free for commercial and personal use
Last Updated: May 17, 2026
Status: ✅ Production-Ready — Tested, scalable, documented