The Security Automation Toolkit

hckops/hckctl

hckctl

The declarative Breach and Attack Simulation engine
Quick start • Setup • Development

Launch manual and automated attacks with pre-defined and always up-to-date templates of your favourite tools.

Designed to run transparently locally, remotely or integrated into pipelines, hckctl is free and open source, has no vendor lock-in, is extensible, and is built on native provider APIs.

Create a custom vulnerable target (a single box with a specific CVE or a whole infrastructure) or connect to your CTF platform (HTB, TryHackMe, Vulnlab, etc.) without wasting any more time on boring installations, environment setup or network configuration.

Access the managed cloud platform from anywhere, orchestrate complex scenarios and analyze, aggregate and export your results.

Quick start

Box

Spin up a box and access all port-forwarded ports locally

# spawns a temporary docker (default) box locally
hckctl box alpine

# deploys an ephemeral box to your kubernetes cluster
hckctl box arch --provider kube

# creates a managed box
hckctl box parrot --provider cloud

Lab (preview)

Access your target from a personalized lab

# connects to a vpn, exposes public ports, mounts dumps etc.
hckctl lab ctf-linux

Hack The Box example

TODO

Task

Run a task using pre-defined commands

# use the "default" arguments
hckctl task rustscan --input address=127.0.0.1
# equivalent of
hckctl task rustscan --command default --input address=127.0.0.1

# use the "full" preset arguments
hckctl task nmap --command full --input address=127.0.0.1 --input port=80

# invoke it with custom arguments
hckctl task rustscan --inline -- -a 127.0.0.1

Hack The Box example

Prerequisites

  • start the Lame machine in your account
  • add your vpn config
    vim ${HOME}/.config/hck/config.yml
    # edit path
    network:
      vpn:
      - name: htb
        path: /home/ubuntu/ctf/openvpn/htb_test_eu_vip_28.ovpn

Run your tasks against the machine

# scan with nmap
hckctl task nmap --network-vpn htb --command full --input address=10.10.10.3

# scan with rustscan
hckctl task rustscan --network-vpn htb --inline -- -a 10.10.10.3 --ulimit 5000

# scan with nuclei
hckctl task nuclei --network-vpn htb --input target=10.10.10.3

# TODO ffuf

See output example

Flow (cloud preview)

Launch multiple tasks in parallel, collect and combine the results

hckctl flow scan www.example.com
hckctl flow fuzz 127.0.0.1:8080
hckctl flow sql 127.0.0.1:3306
hckctl flow atomic-red-team 127.0.0.1 T1485
hckctl flow c2 ping
hckctl flow campaign/phishing @example.com

Template

Explore all available templates. Pin a git revision to ensure reliability in automated pipelines

hckctl template list

Please feel free to contribute to the companion repository and add more templates.

Config

Edit default configurations

# vim ${HOME}/.config/hck/config.yml
# prints current configs
hckctl config

# resets default configs
hckctl config --reset

Roadmap

  • Machine: create and access VMs e.g. DigitalOcean Droplet, AWS EC2, Azure Virtual Machines, QEMU etc.
  • Man: combine tldr and cheat
  • Plugin: add your custom commands
  • TUI: similar to lazydocker and k9s
  • Prompt: ChatGPT prompt style

Setup

Download the latest binaries

# TODO latest
HCKCTL_VERSION=???

curl -sSL https://github.com/hckops/hckctl/releases/download/${HCKCTL_VERSION}/hckctl_linux_x86_64.tar.gz | \
  tar -xzf - -C /usr/local/bin
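
The download step above pipes the network stream straight into tar, which writes to /usr/local/bin. As an added example (not part of the hckctl project), the script below stages the tarball, compares it with a SHA-256 digest you recorded yourself, rejects archive members that would escape the destination, and installs only the binary. The function names, the source of the digest and the top-level member name hckctl are assumptions.

```shell
#!/usr/bin/env bash
# Added example: check a hckctl release tarball before installing it.
# The expected digest is supplied by you (recorded from a download you have
# reviewed); the page does not say whether the project publishes checksums.

# Succeed only if FILE hashes to EXPECTED (hex SHA-256, case-insensitive).
verify_sha256() {
  local file="$1" expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256sum "$file" 2>/dev/null | awk '{print $1}')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Read member names on stdin; fail if any is absolute or has a ".." component.
names_are_contained() {
  ! grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Succeed only if the archive lists cleanly and every member stays in place.
archive_is_contained() {
  local names
  names=$(tar -tzf "$1") || return 1
  printf '%s\n' "$names" | names_are_contained
}

# Download to a private temp dir, verify, then install only the one binary.
# Assumption: the archive stores the binary as a top-level member "hckctl".
install_hckctl() {
  local version="$1" expected="$2" dest="${3:-/usr/local/bin}" tmp url rc=0
  url="https://github.com/hckops/hckctl/releases/download/${version}/hckctl_linux_x86_64.tar.gz"
  tmp=$(mktemp -d) || return 1
  {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp/hckctl.tar.gz" "$url" &&
    verify_sha256 "$tmp/hckctl.tar.gz" "$expected" &&
    archive_is_contained "$tmp/hckctl.tar.gz" &&
    tar -xzf "$tmp/hckctl.tar.gz" -C "$tmp" hckctl &&
    install -m 0755 "$tmp/hckctl" "$dest/hckctl"
  } || rc=1
  rm -rf "$tmp"
  return "$rc"
}

# Usage (both values are yours to supply):
#   install_hckctl "$HCKCTL_VERSION" "$EXPECTED_SHA256"
```

Pinning both the version and the digest in a pipeline means a replaced or truncated release asset fails the install instead of landing in the PATH.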

Development

# run
go run cmd/main.go

# build
just
./build/hckctl

Contribute

TODO example of how to point to a specific pr/revision in a forked repo