Let AI handle the methodology. You focus on the results.

Features · Installation · Usage · Architecture · Intelligence · Modules · CI/CD · Contributing

</div>

🎯 What is DRAKBEN?

DRAKBEN is an AI-powered autonomous penetration testing framework built in Python. It understands natural language commands and executes full security assessments — from reconnaissance to exploitation to reporting — with minimal human intervention. Instead of memorizing complex tool syntax, describe what you want in plain language.

You: "Scan the target for open ports and check for web vulnerabilities"
DRAKBEN: Executing nmap → Analyzing services → Running nikto → Found 3 potential issues...

v2.5.0 — 228 tracked files · 104 core modules · 38 attack modules · 48 test suites · 34 registered tools · 20 intelligence modules

Key Differentiators

| Feature | Traditional Tools | DRAKBEN | |---------|-------------------|---------| | Interface | CLI flags & syntax | Natural language (TR/EN) | | Decision Making | Manual | AI-driven autonomous | | Learning | Static | Self-evolving (SQLite-backed) | | State Management | Stateless | Persistent singleton state | | Error Recovery | Manual restart | Self-healing with diagnostics | | Memory | None | Stanford graph + ChromaDB vectors | | Evasion | Manual payloads | Polymorphic mutation engine | | Multi-LLM | Single provider | OpenRouter / Ollama / OpenAI / Custom |

✨ Features

🧠 AI-Driven Core

Natural Language Interface — Talk to DRAKBEN like a colleague
Multi-LLM Support — OpenRouter (100+ models), Ollama (local/private), OpenAI, Custom APIs
Stanford Memory System — Graph-based memory with perceive → retrieve → reflect cycle
ChromaDB Vector Store — Persistent embedding-based knowledge retrieval
Anti-Hallucination Protocol — Validates AI outputs against runtime reality
Bilingual UI — Full Turkish and English support (/tr and /en)
Context-Aware Tool Selection — Picks the right tool based on attack phase and target state

🔄 Self-Evolution Engine (Singularity)

Code Synthesis — Generates new tools from natural language descriptions (6 real templates)
AST-Based Refactoring — Real code improvement via Abstract Syntax Trees
Polymorphic Mutation — Transforms attack code to evade detection
Strategy Mutation — Adapts attack strategies based on failure patterns
Dynamic Tool Registration — Creates and registers new tools at runtime

🧬 Evolution Memory

Persistent Learning — Remembers what works across sessions (SQLite-backed)
Tool Penalty System — Deprioritizes failing tools automatically
Strategy Profiles — Multiple behavioral variants per attack type
Pattern Recognition — Extracts actionable patterns from failure contexts

🖥️ Modern UI System

Unified Display — Consistent, minimalist Dracula-themed interface (Cyan/Green)
Interactive Shell — Full bilingual TR/EN support with prompt_toolkit
Real-time Scanning — Live progress indicators during operations
Smart Confirmations — Context-aware prompts for high-risk operations
Web API — FastAPI REST endpoints + SSE event streaming for external dashboards

🧪 Intelligence Pipeline

DRAKBEN's intelligence system spans three generations: built-in reasoning, structured AI reasoning (v2), and advanced predictive modules (v3).

Intelligence v2 — Reasoning Pipeline

| Module | Purpose | |--------|---------| | ReAct Loop | Thought → Action → Observation cycle for structured multi-step LLM reasoning with iteration tracking | | Structured Output Parser | Multi-strategy extraction of JSON, tables, key-value pairs from raw LLM responses with fallback chains | | Tool Output Analyzer | Classifies tool results (success / partial / fail), extracts IPs, ports, CVEs, URLs from output text | | Context Compressor | Token-aware conversation history compression with priority scoring and budget management | | Self-Reflection Engine | Post-action reflection with confidence scoring, lesson extraction, and improvement suggestions |

Intelligence v3 — Advanced AI Modules

| Module | Purpose | |--------|---------| | Few-Shot Learning Engine | Dynamic example selection from past successes for in-context learning with similarity matching | | Cross-Tool Correlator | Pattern recognition across tool outputs: port↔CVE mapping, service↔vulnerability correlation, multi-source evidence | | Adversarial Adapter | WAF/IDS evasion payload generator with encoding mutations (URL, Unicode, hex, double-encode) | | Exploit Predictor | ML-style probability scoring for exploit success based on service fingerprints and version analysis | | Knowledge Base | SQLite-backed cross-session knowledge store with semantic recall and deduplication | | Model Router | Intelligent LLM model selection based on task complexity, token budget, and provider capabilities |

Self-Refining Engine

Policy Engine — Learned behavioral constraints from past runs
Conflict Resolution — Handles conflicting strategy recommendations
Failure Context Analysis — Extracts patterns from diverse error types
Automatic Replanning — Recovers from failed steps without human intervention

🗡️ Attack Modules

🔍 Reconnaissance

Port Scanning — Nmap integration with smart defaults and stealth scans
Service Enumeration — Automatic version detection and fingerprinting
Subdomain Discovery — Multiple techniques (brute force, Certificate Transparency)
WHOIS & DNS Intelligence — Full DNS record analysis (A, AAAA, MX, NS, CNAME, TXT, SOA)
Web Technology Fingerprinting — CMS and framework detection
Passive OSINT — Non-intrusive information gathering

⚡ Exploitation

SQL Injection — Error-based, time-based blind, UNION-based with 5+ DBMS signature detection (SQLMap + native)
NoSQL Injection — MongoDB operator injection
XSS / CSRF / SSTI / LFI / RFI / SSRF — Full web application vulnerability testing
File Inclusion — PHP wrappers (filter, input, data, phar), path traversal with encoding bypass, log poisoning LFI→RCE
File Upload Bypass — 8 techniques for bypassing upload restrictions
Authentication Bypass — JWT token manipulation (none algorithm, claim tampering), session fixation, 20+ default credential sets
Header Security Audit — HTTP security header scoring (A-F grading), CORS misconfiguration, CSP bypass analysis
LDAP Injection — Directory service exploitation
OS Command Injection — String concatenation, wildcard injection techniques
Polyglot Payloads — Context-agnostic exploit strings
CVE Database Integration — NVD-backed automatic exploit matching with CVSS scoring
Symbolic Execution — Boundary-aware constraint solving for vulnerability discovery

🏢 Active Directory Attacks

Domain Enumeration — Users, groups, computers, trusts
Kerberoasting — Extract service account hashes
AS-REP Roasting — Target accounts without pre-authentication
Pass-the-Hash / Pass-the-Ticket — Credential reuse
DCSync — Domain controller replication attack
Lateral Movement — PSExec, WMIExec, WinRM, SSH
BloodHound-style Pathfinding — Shortest path to Domain Admin

🐝 Hive Mind (Distributed Operations)

Network Topology Discovery — Map internal network architecture
Credential Harvesting — SSH keys, passwords, tokens
Attack Path Analysis — Multi-hop path finding and scoring
Pivot Point Management — Coordinate multi-hop attacks
Auto-Pivoting — TunnelManager for automatic lateral movement

📡 Command & Control Framework

Domain Fronting — Hide C2 behind legitimate CDNs
DNS Tunneling — Covert channel over DNS
DNS-over-HTTPS (DoH) — C2 transport over encrypted DNS
Encrypted Beacons — AES-256-GCM communication
Jitter Engine — Human-like traffic patterns to evade detection
Telegram C2 — Use Telegram as control channel
Steganography — Hide data in images (LSB encoding)

🛡️ Evasion & Stealth

Advanced WAF Bypass Engine — Intelligent WAF fingerprinting & adaptive evasion
- WAF Fingerprinting: Cloudflare, AWS WAF, ModSecurity, Imperva, Akamai, F5 BIG-IP, and more
- Multi-layer encoding: Unicode, UTF-8, double URL, hex encoding
- Adaptive mutation with pattern learning (SQLite-backed memory)
- SQL injection bypass: inline comments, case variation, encoding chains

Drakben

Install / Use

README