ARGUS
ARGUS is a comprehensive terminal-based OSINT and security toolkit written in Python. It provides 80 tools organized into four categories: reconnaissance, exploitation testing, stress testing, and phishing simulation, all accessible through an interactive two-column menu. It features a built-in Stealth Mode that routes all traffic through Tor.
ARGUS - All-seeing Recon & General Unified Security
█████╗ ██████╗ ██████╗ ██╗ ██╗███████╗
██╔══██╗██╔══██╗██╔════╝ ██║ ██║██╔════╝
███████║██████╔╝██║ ███╗██║ ██║███████╗
██╔══██║██╔══██╗██║ ██║██║ ██║╚════██║
██║ ██║██║ ██║╚██████╔╝╚██████╔╝███████║
╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚══════╝
v5.4.0 // 82 tools across four categories + AI Search + Botnet Mode
ARGUS is a comprehensive terminal-based OSINT and security toolkit written in Python. It provides 82 tools organized into four categories (reconnaissance, exploitation testing, stress testing, and phishing simulation), all accessible through an interactive two-column menu. It includes an AI Search feature that uses natural language to find the best tool for your needs, a Botnet Mode that automatically collects WordPress sites with both system.multicall and pingback.ping XML-RPC vectors and uses them as multicall pingback amplifiers, and a hardened Stealth Mode with multi-layer anonymization: Tor/SOCKS5/HTTP proxy routing, IPv6 leak blocking, DNS leak prevention, full HTTP fingerprint randomization, MAC address spoofing, and Tor circuit rotation.
Table of Contents
- Disclaimer
- Requirements
- Installation
- Usage
- AI Search
- Botnet Mode
- API Backend
- Stealth Mode
- Tools
- Authorization System
- Dependencies
- License
Disclaimer
This tool is intended for authorized security testing, educational purposes, and legitimate penetration testing engagements only. Unauthorized use against systems you do not own or have explicit permission to test is illegal. The authors assume no liability for misuse.
Exploitation, stress testing, and phishing tools require explicit confirmation before use. Stress and phishing modules require typing "I ACCEPT ALL RESPONSIBILITY" to proceed. Once accepted, your authorization is saved locally to accepted_responsibility.json so you won't be prompted repeatedly for the same category.
Requirements
- Python 3.8 or higher
- pip (Python package manager)
- Tor (for Stealth Mode with Tor routing)
Installation
- Clone the repository:
git clone https://github.com/nickquellovero/ARGUS.git
cd ARGUS
- Create and activate a virtual environment (recommended):
python3 -m venv venv
source venv/bin/activate
- Install the dependencies:
pip install -r requirements.txt
- (Optional) Install and enable Tor for Stealth Mode:
sudo pacman -S tor # Arch
sudo apt install tor # Debian/Ubuntu
sudo systemctl enable tor
sudo systemctl start tor
To enable Tor circuit rotation (option 9 in Stealth Menu), add the following to /etc/tor/torrc:
ControlPort 9051
CookieAuthentication 1
Then restart Tor: sudo systemctl restart tor
Usage
Launch ARGUS from the terminal:
python3 argus.py
An interactive two-column menu will appear with all 82 tools organized by category. Enter the number corresponding to the tool you want to use and follow the on-screen prompts. Special options at the bottom of the menu:
| Key | Action |
|-----|--------|
| A | Open AI Search |
| S | Open Stealth Mode configuration |
| B | Open Botnet Mode (XML-RPC Multicall Pingback Amplification) |
| W | Open Botnet Web Map Dashboard (Interactive geolocation view) |
| 0 | Exit |
You can interrupt any running operation with Ctrl+C.
The menu is color-coded by category:
- Cyan = OSINT / Reconnaissance
- Red = Exploitation, Stress Testing, and Botnet
- Magenta = Phishing Simulation
- Green = AI Search
AI Search
ARGUS includes an AI-powered search feature that helps you find the right tool using natural language. Press A from the main menu, describe what you want to do (e.g. "scan a website for SQL injection" or "find subdomains of a target"), and the AI will return up to 3 matching tools ranked by relevance with an explanation of why each tool fits your query. You can then launch the selected tool directly from the results.
AI Search connects to a remote API backend hosted on Vercel. No API key or local setup is required on the client side.
Botnet Mode
Botnet Mode lets you use vulnerable WordPress sites as DDoS amplifiers via XML-RPC system.multicall + pingback.ping. Instead of sending individual pingback requests, ARGUS batches multiple pingback.ping calls inside a single system.multicall request, massively amplifying the attack: each HTTP request you send to a relay generates dozens or hundreds of HTTP requests from the relay to the victim.
Press B from the main menu to access it. It requires the same double authorization as stress testing tools (confirmation + "I ACCEPT ALL RESPONSIBILITY").
How It Works
The attack flow has two phases:
Phase 1 - Discovery (automatic)
When you run the CMS Vulnerability Scanner (tool 50) against a WordPress site, ARGUS probes /xmlrpc.php and enumerates all available methods. If both pingback.ping and system.multicall are confirmed active, the site is automatically saved to a local JSON database (botnet_zombies.json) with its URL, detected CMS, and discovered vectors. Sites that only have one of the two vectors are not saved — both are required for the multicall amplification attack.
Phase 2 - Multicall Amplification (manual)
From Botnet Mode (option B), you select XML-RPC Multicall Pingback Amplification and configure:
| Parameter | Range | Default | Description |
|-----------|-------|---------|-------------|
| Victim URL | any URL | — | The target to flood |
| Threads per relay | 1-50 | 10 | Concurrent threads sending multicalls to each relay |
| Pings per multicall | 1-500 | 50 | How many pingback.ping calls to batch in each system.multicall request |
| Duration | 1-300s | 30 | How long the attack runs |
Each thread sends a system.multicall XML payload to the relay's /xmlrpc.php containing N pingback.ping calls. The relay WordPress server processes each call and makes an HTTP GET to the victim URL to "verify" the pingback. The result: 1 HTTP request from you = N HTTP requests from the relay to the victim.
Your machine                      WordPress relay                     Victim
|                                 |                                   |
|── system.multicall ──────────►  | /xmlrpc.php                       |
|   (contains 50x pingback.ping)  |                                   |
|                                 |── HTTP GET ──────────────────►    |
|                                 |── HTTP GET ──────────────────►    |
|                                 |── HTTP GET ──────────────────►    |
|                                 |   ... ×50 per multicall           |
|                                 |                                   |
|── system.multicall ──────────►  | (next request)                    |
|   (another 50x pingback.ping)   |                                   |
|                                 |── HTTP GET ──────────────────►    | ×50 more
Amplification math: with 192 relays, 10 threads/relay, and batch size 50:
- You send: 1,920 concurrent multicall streams
- Each multicall triggers 50 pingbacks
- The victim receives up to ~38,400 HTTP requests/second from 192 different IPs, none of which are yours
During the attack, a live status line shows:
- Total pingbacks triggered
- Total HTTP requests sent to relays
- Rate (pingbacks/second)
- Errors
- Per-relay breakdown
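Seen from the receiving side, the verification GETs described above stand out in access logs: WordPress 3.9 and later sends a User-Agent of the form "WordPress/<version>; <site URL>; verifying pingback from <IP>", which names both the relay site and the address that submitted the pingback to it. The following is an added example, not code from ARGUS or its README; the combined log format, the threshold value, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# User-Agent WordPress sends when it fetches a pingback source URL (3.9+):
#   WordPress/<version>; <site URL>; verifying pingback from <originating IP>
UA_RE = re.compile(
    r'^WordPress/(?P<ver>[\d.]+); (?P<site>\S+); verifying pingback from (?P<origin>\S+)$'
)

def summarize_pingbacks(lines, threshold=3):
    """Count pingback verification hits per relay site and per originating IP.

    Returns (relays, origins, flagged): two Counters and the sorted list of
    originating IPs whose hit count reaches `threshold` (an assumed cut-off).
    """
    relays, origins = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        ua = UA_RE.match(m.group("ua"))
        if not ua:
            continue  # ordinary browser or bot traffic
        relays[ua.group("site")] += 1
        origins[ua.group("origin")] += 1
    flagged = sorted(ip for ip, n in origins.items() if n >= threshold)
    return relays, origins, flagged

# Constructed sample lines (documentation address ranges, example domains).
SAMPLE_LOG = """\
198.51.100.10 - - [01/Jan/2025:12:00:00 +0000] "GET /?a=1 HTTP/1.0" 200 512 "-" "WordPress/6.4; https://blog-a.example; verifying pingback from 203.0.113.7"
198.51.100.10 - - [01/Jan/2025:12:00:00 +0000] "GET /?a=2 HTTP/1.0" 200 512 "-" "WordPress/6.4; https://blog-a.example; verifying pingback from 203.0.113.7"
198.51.100.22 - - [01/Jan/2025:12:00:01 +0000] "GET /?a=3 HTTP/1.0" 200 512 "-" "WordPress/5.9; http://blog-b.example; verifying pingback from 203.0.113.7"
192.0.2.50 - - [01/Jan/2025:12:00:01 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.22 - - [01/Jan/2025:12:00:02 +0000] "GET /?a=4 HTTP/1.0" 200 512 "-" "WordPress/5.9; http://blog-b.example; verifying pingback from 192.0.2.99"
""".splitlines()

if __name__ == "__main__":
    relays, origins, flagged = summarize_pingbacks(SAMPLE_LOG)
    print("relay sites:", dict(relays))
    print("originating IPs:", dict(origins))
    print("flagged:", flagged)
```

The originating IP is the address the relay itself saw, so it may be a proxy rather than the operator's host. The per-site counter gives the list of relay operators to notify.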
Why Both Vectors Are Required
system.multicall and pingback.ping serve different roles in the amplification chain:
| Vector | Role |
|--------|------|
| pingback.ping | The actual DDoS primitive — WordPress makes an HTTP GET to the victim URL to "verify" the pingback source |
| system.multicall | The multiplier — batches N pingback.ping calls into a single HTTP request, so 1 request from you = N requests from the relay |
Without system.multicall, you can only send one pingback.ping per HTTP request (1:1 ratio, no amplification). Without pingback.ping, system.multicall has nothing to batch. Both are needed for the amplification to work.
Botnet Menu
| Option | Description |
|--------|-------------|
| 1 | XML-RPC Multicall Pingback Amplification - Uses all saved relays to flood a victim URL. Configurable threads per relay (1-50), pings per multicall batch (1-500), and duration (1-300s). Shows live stats with per-relay pingback counts, HTTP request counts, and total rate. |
| 2 | Add zombie manually - Add a WordPress site URL to the database without scanning it first. |
| 3 | Remove zombie - Remove a specific zombie from the database by number. |
| 4 | Clear all zombies - Wipe the entire database. |
| 5 | Benchmark relay reliability & power - Tests relay health, speed, and attack readiness. Choose a single relay, a range (e.g. 1-5), or all relays at once. See Relay Benchmark below. |
| 0 | Back to main menu |
The menu header shows the total number of zombies in the database. Each zombie is listed with its URL, CMS type, discovered vectors, and the date it was added.
