
Michael Mboya


I Built a 14-Blade Pentesting Framework at 22 — Here's What I Learned

I'm a third-year telecommunications engineering student in Kenya. I'm also a self-taught penetration tester. A few months ago, I got tired of running 15 different tools manually for every security assessment. So I built something to fix that.

What I Built

Pentest CoPilot — a 14-blade Swiss Army Knife for penetration testing. 26 tools covering the entire kill chain from reconnaissance to reporting.

The Full Arsenal

Blade 1: Reconnaissance — AI-powered scanning. Ports, hidden directories, subdomains, CMS detection, URL parameters. Local AI (Ollama/LLaMA 3.2) correlates findings and generates an attack matrix with specific CVEs.

Blade 2: API Discovery — Detects REST (Swagger/OpenAPI), GraphQL (introspection queries), gRPC (reflection), WebSocket endpoints, and SOAP (WSDL enumeration). Finds what most scanners miss.

Blade 3: Credential Extraction — Pulls API keys, access tokens, internal IP addresses, database connection strings, and configuration paths from exposed endpoints.

Blade 4: Vulnerability Mapping — Full kill chain analysis. Maps initial access vectors through privilege escalation to root exploitation. Kernel-level firewall mapping with ICMP tunneling detection.

Blade 5: Server Exploitation (7 Types) — Auto-detects and exploits: Kestrel/.NET, Apache Tomcat, Node.js/Express, PHP/Apache, Python Flask/Django, IIS/.NET, and Nginx. Each has a dedicated exploit script.

Blade 6: Database Exploitation (7 Types) — MySQL (empty root, UDF escalation), PostgreSQL (COPY FROM PROGRAM RCE), MSSQL (xp_cmdshell), MongoDB (no-auth dump), Redis (SSH key injection), Oracle (default credentials), Elasticsearch (no-auth index dump).

Blade 7: Firewall Bypass & Reverse Shell Arsenal — Custom TCP fragmentation engine splits payloads into tiny pieces to evade inspection. 12 payload types including SQL injection, buffer overflow, and command injection. Reverse shell generator supporting 8 languages (Bash, Python, Netcat, PHP, Perl, Ruby, PowerShell, Netcat+Mkfifo). "Bombard" mode fires all 8 shells simultaneously.

Blade 8: Lateral Movement — Internal subnet scanner for 172.x, 10.x, and 192.168.x ranges. Pivot fragmenter for routing attacks through compromised hosts. CGI dropper for web shell deployment.

Blade 9: Privilege Escalation — 8 Linux vectors (sudo, SUID, kernel exploits, cron, writable paths, capabilities, SSH keys, password files) and 7 Windows vectors (token privileges, unquoted service paths, AlwaysInstallElevated, registry credentials, scheduled tasks, stored credentials, UAC bypass).

Blade 10: Exfiltration — 8 data collection modules (credentials, databases, private keys, source code, network info, browser data, full package). 6 exfiltration methods (HTTP, Netcat, Base64, SCP, DNS tunneling, ICMP tunneling).

Blade 11: Persistence — 8 Linux backdoors (SSH key, cron, systemd, bashrc, MOTD, PAM backdoor, LD_PRELOAD, hidden user) and 6 Windows backdoors (scheduled task, registry run, WMI subscription, startup folder, service, hidden admin).

Blade 12: Cleanup — 12 Linux cleanup steps (bash history, SSH backdoor, cron jobs, systemd services, bashrc, MOTD, hidden user, LD_PRELOAD, system logs, web server logs, temp files, memory) and 8 Windows cleanup steps.

Blade 13: Reporting — Generates professional PDF reports with executive summary, technical findings, attack vector matrix, and remediation recommendations.

Blade 14: Master Compiler — One command runs all 13 phases automatically. Generates a timestamped report directory with every finding organized and documented.

What Makes It Different

Local AI — No Cloud, No API Keys. Most security tools that claim "AI" send your data to OpenAI. Mine runs LLaMA 3.2 locally via Ollama. Your targets stay on your machine.

Fragmentation Engine. I built a custom TCP fragmentation engine that splits payloads into tiny pieces to bypass firewalls. It's not magic — it's packet crafting with Scapy. But it works against production firewalls.
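For the defender's side of Blade 7 and of the fragmentation paragraph above: an added illustration, not code from this post or the PentestCoPilot repo, of why an inspection point that matches signatures per TCP segment misses a payload split into tiny segments, and how reassembling the stream before matching closes that gap. The `Segment` type, the SQL injection signature and the sample HTTP request are constructed for this example.

```python
"""Per-segment inspection vs. stream reassembly (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the segment's first byte
    payload: bytes  # segment data (constructed; no real packets involved)


# Constructed signature an IDS/WAF rule might look for in a request.
SIGNATURE = b"' OR 1=1--"


def per_segment_match(segments, signature=SIGNATURE):
    """Naive inspection: each segment is matched in isolation, so a
    signature longer than one segment can never be seen."""
    return any(signature in s.payload for s in segments)


def reassemble(segments):
    """Rebuild the byte stream from segments, tolerating out-of-order
    delivery and overlapping retransmissions (lower-sequence data wins).
    A hole in the stream raises so callers do not match on partial data."""
    ordered = sorted(segments, key=lambda s: s.seq)
    if not ordered:
        return b""
    base = ordered[0].seq
    buf = bytearray()
    for s in ordered:
        offset = s.seq - base
        if offset > len(buf):
            raise ValueError(f"gap in stream at seq {base + len(buf)}")
        buf.extend(s.payload[len(buf) - offset:])  # skip bytes already held
    return bytes(buf)


def stream_match(segments, signature=SIGNATURE):
    """Stateful inspection: match against the reassembled stream."""
    return signature in reassemble(segments)


def fragment(data, size, seq=1000):
    """Constructed helper: split data into `size`-byte segments."""
    return [Segment(seq + i, data[i:i + size]) for i in range(0, len(data), size)]


# Constructed sample request carrying the signature across segment boundaries.
SAMPLE_REQUEST = (b"GET /login?user=admin' OR 1=1--&pw=x HTTP/1.1\r\n"
                  b"Host: app.example\r\n\r\n")
```

Run `stream_match(reversed(fragment(SAMPLE_REQUEST, 4)))` to see that reassembly also handles segments arriving out of order, which is the other half of what per-segment matching cannot do.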

One Directory. Everything Included. No Docker, no databases, no complex setup. Clone the repo, run the installer, and you have a complete pentesting arsenal.

What I Learned

Build for yourself first. I built this because I needed it. That's why it's actually useful — not just a portfolio piece.

AI is a force multiplier. Ollama analyzes scan results and generates attack matrices with specific CVEs. What took 2 hours of manual correlation now takes seconds.

Shipping beats perfection. The first version was buggy. The current version works against production targets. I shipped, tested, fixed, and repeated.

Your portfolio is your degree. I don't have a cybersecurity degree. I have a GitHub repo that proves I can build, test, and document a complex security tool spanning the entire kill chain.

What's Next

  • Add Nuclei template scanning for automated vulnerability validation
  • Build a web dashboard for real-time engagement monitoring
  • Turn it into a SaaS platform for Kenyan SMEs who can't afford enterprise security tools
  • Add collaborative features for red team operations

Advice for Other Self-Taught Developers

Stop waiting for permission. Build something that solves your own problem. Document it thoroughly. Ship it publicly. The platform you need doesn't exist yet — so build that too.

The difference between a "hacker" and a "security researcher" is often just permission and a paycheck. Same skills. Same mindset. Build the bridge between them.


GitHub: github.com/michaelmboya149-lab/PentestCoPilot-Swiss-army-knife

I'm looking for: Security engineering roles, pentesting opportunities, and collaborators in the Kenyan infosec space. If you're building in this space, let's talk.
