There are several ways to start the interactive CLI:
- ./run.sh
- poetry run python src/main.py
- python3 src/main.py
The PenWeb CLI provides an interactive menu with 7 integrated tools (3 defensive, 2 utility, 2 offensive):
Device location tracking with multi-provider support.
Default: Uses free Traccar demo server with IP-based geolocation - NO hardware or account required!
Use Cases:
- Track device location
- Fleet management
- Personal location history
Multi-provider VPN manager.
Default: Uses free VPNGate public servers - NO account required!
Use Cases:
- Privacy protection
- Bypass geo-restrictions
- Secure public WiFi usage
Temporary email address manager.
Default: Uses free 1secmail API - NO account required!
Use Cases:
- Privacy protection for online registrations
- Testing email workflows
- Avoid spam
Test URL availability and measure response time.
Use Case:
- Check if a website is online
- Measure server response time
- Validate endpoint accessibility
Example Flow:
- Select option 4
- Enter target URL (e.g., https://example.com)
- View status code and response time
Download website HTML, CSS, and JavaScript files for offline analysis.
Use Case:
- Create local copy of website for analysis
- Extract frontend resources
- Study website structure
Example Flow:
- Select option 5
- Enter website URL
- Specify output directory (default: .output/cloned_site)
- Wait for download to complete
Test rate limiting by making repeated requests to a URL.
Use Case:
- Test API rate limiting effectiveness
- Validate WAF (Web Application Firewall) configuration
- Stress test endpoint capacity
Example Flow:
- Select option 6
- Confirm authorization
- Enter target URL
- Set request interval (e.g., 0.5 seconds)
- Set max attempts (optional, press Enter for unlimited)
- Monitor requests until blocked or limit reached
- Press Ctrl+C to stop early
Output:
- Real-time request status
- Success/failure counts
- Final blocking status
- Error messages
Test login form security by attempting credential combinations.
Use Case:
- Test login rate limiting
- Verify CAPTCHA implementation
- Validate account lockout mechanisms
- Security audit compliance
Example Flow:
- Select option 7
- Confirm authorization
- Enter login page URL
- Provide email addresses (comma-separated):
  - Example: admin@site.com, user@site.com, test@site.com
- Provide password keywords (comma-separated):
  - Example: password, admin, welcome
  - Tool will generate variations: Password123, admin!, etc.
- Set delay between attempts (e.g., 1.0 seconds)
- Set max attempts (optional)
- Monitor login attempts
- Press Ctrl+C to stop early
Output:
- Detected form fields
- Generated password variations
- Real-time attempt status
- Blocking detection
- Summary with success/failure counts
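The server-side controls that the rate-limit and login tests above are meant to exercise, as an added example (not PenWeb code): a per-IP sliding-window limit and a per-account lockout, replayed against failed logins at a fixed delay. The class name, thresholds, the 423 status for a locked account and the constructed client IP are assumptions of this sketch.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Per-IP sliding-window rate limit plus per-account lockout (illustrative)."""

    def __init__(self, max_per_window=10, window_s=60.0,
                 max_failures=5, lockout_s=900.0):
        self.max_per_window, self.window_s = max_per_window, window_s
        self.max_failures, self.lockout_s = max_failures, lockout_s
        self._hits = defaultdict(deque)    # ip -> timestamps of admitted attempts
        self._failures = defaultdict(int)  # account -> consecutive failures
        self._locked_until = {}            # account -> time the lock expires

    def check(self, ip, account, now):
        """Return the HTTP status to send before credentials are verified."""
        hits = self._hits[ip]
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()                 # forget attempts outside the window
        if len(hits) >= self.max_per_window:
            return 429                     # too many requests from this IP
        hits.append(now)
        if self._locked_until.get(account, 0.0) > now:
            return 423                     # account locked (status is an assumption)
        return 200

    def record(self, account, success, now):
        """Update the failure counter once the credentials were verified."""
        if success:
            self._failures.pop(account, None)
            return
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            self._failures[account] = 0


def simulate(guard, accounts, attempts, delay_s, ip="203.0.113.7"):
    """Replay failed logins at a fixed delay.

    Returns (attempt_number, status) for the first blocked attempt,
    or (None, 200) if nothing was blocked. The IP is a constructed sample.
    """
    for i in range(attempts):
        now = i * delay_s
        account = accounts[i % len(accounts)]
        status = guard.check(ip, account, now)
        if status != 200:
            return i + 1, status
        guard.record(account, success=False, now=now)
    return None, 200
```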
- Select option: Enter number 0-7
- Cancel input: Press Ctrl+C
- Exit program: Select option 0 or press Ctrl+C
IMPORTANT:
- ✅ Always obtain proper authorization before testing any system
- ⚠️ Unauthorized access is illegal - you can face criminal charges
- 📝 Document your authorization - keep written permission
- 🛡️ Test responsibly - avoid disrupting services
- 🤝 Follow disclosure practices - report vulnerabilities properly
- Testing your own websites and systems
- Authorized penetration testing with written permission
- Bug bounty programs with proper scope
- Security audits with client contracts
- Educational purposes on your own infrastructure
- Testing third-party websites without permission
- "Curiosity testing" on public websites
- Testing competitors' systems
- Any unauthorized access attempts
If you get module import errors:
# Make sure you're in the project root
cd /home/quantium/labs/websec
# Install dependencies
poetry install

If tools fail with missing dependencies:
poetry install

If script won't run:
chmod +x run.sh

Select option: 4
Enter URL to ping: https://google.com
Result: Status 200, 45ms response time

Select option: 5
Enter website URL: https://example.com
Output directory: (press Enter for default .output/cloned_site)
Result: Downloaded 5 files (1 HTML, 2 CSS, 2 JS)

Select option: 6
Authorization confirmed: yes
Enter URL: https://api.mysite.com/endpoint
Request interval: 0.5
Max attempts: 100
Result: Blocked after 47 requests with 429 status code

Select option: 7
Authorization confirmed: yes
Enter login URL: https://mysite.com/login
Emails: admin@mysite.com, test@mysite.com
Keywords: password, admin
Delay: 1.0 seconds
Max attempts: 50
Result: Blocked after 15 attempts, CAPTCHA triggered

- ✨ Interactive menu with color-coded options
- 🎨 Beautiful ASCII art banner
- ⚖️ Legal warnings and authorization checks
- 🔍 Real-time progress monitoring
- 📊 Detailed result summaries
- ⌨️ Clean error handling
- 🛑 Graceful interruption (Ctrl+C)
- 🟢 Green: Success messages, safe operations
- 🔴 Red: Errors, offensive tools
- 🟡 Yellow: Warnings, important notices
- 🔵 Cyan: User prompts, information
- ⚪ Gray: Secondary information
- Start with Ping: Test basic connectivity first
- Check Authorization: Always verify you have permission before using offensive tools
- Start Conservative: Use longer delays and lower attempt counts initially
- Monitor Resources: Keep an eye on network traffic and system resources
- Document Everything: Keep logs of your testing activities
- Respect Rate Limits: Don't overwhelm systems even when authorized
For issues or questions:
- Check the main README.md
- Review docs/CLI_SETUP.md for installation help
- Open an issue on GitHub
Current Version: v0.3.1
Last Updated: November 2025
Remember: With great power comes great responsibility. Use these tools ethically and legally! 🛡️