Forem: Michael Mboya

I Built an AI That Fingerprints Better Than Any Pentesting Tool

Michael Mboya — Thu, 21 May 2026 11:17:41 +0000

I Built an AI That Fingerprints Better Than Any Pentesting Tool

What happens when a pentesting tool actually understands what it's seeing?

Most fingerprinting tools tell you surface-level information. Nmap tells you the OS. WhatWeb tells you the web server. Wappalyzer tells you the JavaScript framework.

They each see one piece of the puzzle. None of them connect the dots.

I built Prometheus — an autonomous AI pentesting framework — and in the process, created something unexpected: a fingerprinting engine that doesn't just collect data, but builds intelligence.

The Problem with Traditional Tools

A standard workflow looks like this:

nmap -sV target.com      # OS? Linux. Ports? 80, 443.
whatweb target.com       # Apache? WordPress? jQuery?
nikto -h target.com      # Any known vulnerabilities?

Three tools. Three separate outputs. No connections between them.

The human pentester has to manually connect: "Oh, Apache 2.4 means CVE-2021-41773 might work."

Prometheus does this automatically.

What Prometheus Extracts

When pointed at a target, it doesn't just scan ports. It builds a complete intelligence profile:

1. Network Layer (Traditional)

OS Fingerprint: Solaris/BSD (TTL=255)
Open ports: 80 (HTTP), 8443 (HTTPS)

2. Service Layer (Enhanced)

Product: Sangfor SSL VPN / IAM
Build: websph120
Build date: 2022-04-21
Framework: Vue.js + Element UI

Now we know exactly what we're attacking — not just "web server."

3. JavaScript Analysis (The Game Changer)

Prometheus fetches and parses every JavaScript file it finds. This reveals:

Hidden API endpoints not in the HTML:

/api/vpn/user/login
/cgi-bin/backup.conf
/ui/login

Authentication parameters:

username, password, captcha, token

Response code meanings (decoded from switch statements):

200: Success / Login OK
508: Invalid credentials
308: Second factor required (credentials valid!)

This tells us how the application thinks — without ever logging in.

4. Source Map Analysis (The Gold Mine)

When source maps are exposed (common in misconfigured production apps), Prometheus extracts:

Source map reveals 847 source files
Internal IP found: 10.0.0.25
Internal hostname: dev-api.internal.company.com

Developer IPs. Internal hostnames. Hidden services. All from public JavaScript files.

5. Vulnerability Matching

With product, version, and build number identified:

Known vulnerability: Sangfor SSL VPN RCE (CVE-2022-3632)

No manual CVE searching. No guesswork.

6. Attack Chain Generation

The Central Nervous System automatically builds a targeted attack strategy:

Phase 1: sangfor_attack_chain (Sangfor-specific exploits)
Phase 2: web_attack_chain (SQLi, command injection)
Phase 3: universal_exploitation (protocol-agnostic)

The Comparison

Capability	Nmap	WhatWeb	Wappalyzer	Prometheus
OS detection	✅	❌	❌	✅
Service versions	✅	✅	❌	✅
Product identification	❌	❌	❌	✅
Build number extraction	❌	❌	❌	✅
Hidden API endpoints	❌	❌	❌	✅
Source map parsing	❌	❌	❌	✅
Internal IP discovery	❌	❌	❌	✅
CVE matching	❌	❌	❌	✅
Attack chain generation	❌	❌	❌	✅

Why This Matters

What takes a human pentester hours — scanning, browsing, viewing source, analyzing JS, searching CVEs — Prometheus does in seconds.

Not because it's faster at running commands. Because it understands what it's seeing.

It reads JavaScript not as text, but as a map of the application's internal structure. It parses source maps not as comments, but as blueprints of the development environment.

This is not fingerprinting. This is intelligence gathering at machine speed.

The Stack

17,000+ lines of Python
Central Nervous System architecture (perception → understanding → planning → execution → reflection)
30+ attack modules
Self-modifying code (can rewrite itself based on findings)
No external APIs. No cloud dependencies. Runs entirely locally.

The Result

A fingerprinting engine that tells you not just what's running, but:

What product and version (Sangfor SSL VPN, build 120)
When it was built (April 2022)
What framework it uses (Vue.js + Element UI)
Hidden API endpoints (/cgi-bin/backup.conf)
What parameters it expects (username, password, captcha)
What response codes mean (200=success, 508=invalid credentials)
Internal infrastructure (10.0.0.25, dev-api.internal)
Known CVEs (CVE-2022-3632)
Which exploits to try

All from public information. All automated. All in seconds.

Built by a solo developer from Nairobi. 17,000+ lines. One file. One mind.

Want to see it in action? Check out the logs below.

How I Built an AI That Discovers Zero-Days Autonomously

Michael Mboya — Mon, 18 May 2026 20:40:06 +0000

How I Built an AI That Discovers Zero-Days Autonomously

The Problem

Penetration testing is broken. A human pentester can try maybe 15-20 techniques before mental fatigue sets in. They forget lessons between engagements. They repeat mistakes. They cost companies $10,000-$50,000 per test and take weeks to deliver results.

But the real problem is deeper. Every pentesting tool ever built does exactly what it's told. SQLmap does SQL injection. Nmap does port scanning. Metasploit runs pre-written exploits. None of them THINK. None of them LEARN. None of them ADAPT.

The Question

What if you could build a system that wakes up, studies a target, selects the right tools for THAT specific target, remembers what worked and what failed, queries the world's vulnerability databases in real-time, discovers new vulnerabilities through mathematical analysis, and never gives up until it finds a way in?

What if it could do all of this autonomously - no human choosing attacks, no pre-written scripts, no fixed decision tree?

That's what I set out to build.

The Architecture

The system has several key components that work together as a cognitive engine:

The Locksmith: Before attacking, it examines the target and selects ONLY the tools that apply. It doesn't try SQL injection on a server with no web forms. It doesn't try Samba exploits on a Windows machine. It scores every tool against the target's fingerprint - OS, open ports, services, web technologies - and picks the highest-scoring ones. A Metasploitable-style VM with 22 open backdoors gets a different strategy than a hardened router with 3 ports.

The Memory: Every success and failure is stored with the target's fingerprint. When the system encounters a machine it's seen before, it recognizes it instantly and runs the known working exploit in under a second. When it encounters a NEW target that's SIMILAR to one it's cracked, it prioritizes the techniques that worked on the similar target. It also blacklists techniques that repeatedly fail on specific target types - so it never wastes time running the same failing attack twice.

The Global Intelligence Network: During an attack, the system queries live CVE databases (NVD), ExploitDB, GitHub Security Advisories, and Packet Storm in real-time. It filters results by the target's exact software versions and immediately tries matching exploits. It's not limited to what's installed locally - it has access to the entire world's vulnerability knowledge.

The Oracle: For unknown services, the system builds a mathematical model of the target's behavior. It collects input-output pairs, calculates entropy and response patterns, identifies boundary conditions, and predicts exactly where crashes will occur. It then generates polymorphic shellcode and delivers it at the predicted boundary. No signatures. No databases. Pure mathematical vulnerability prediction.

The Synthesis Engine: When all known exploits fail, the system doesn't give up. It analyzes WHY they failed, identifies patterns in the failures, and synthesizes entirely new approaches. It might discover that crashing one service opens another. It might find that resource exhaustion weakens authentication. It creates attack chains no human would think to try.

The Discovery

During testing against a WordPress-based CTF machine (Mr Robot), something unexpected happened.

Every known technique failed. SQL injection bypassed the login but gave no admin access. WordPress brute force couldn't find the password fast enough in a 7-million-word dictionary. The Easter egg hunter found nothing. The Oracle found no boundary conditions on the web server.

Then the system tried a resource exhaustion attack - overwhelming the target with connections, flooding memory, bombing processes. The target survived. But when it came back, something had changed.

The post-crash recovery state accepted admin:admin as valid credentials.

This wasn't the real Mr Robot password (which is elliot:ER28-0652). This was something different - a state-based authentication bypass induced by controlled chaos. The authentication mechanism, stressed by resource exhaustion, defaulted to a less secure state during recovery.

The system confirmed this three separate times across different runs. Each time, the chaos weakened the target. Each time, admin:admin worked in the recovery window.

This vulnerability isn't in any CVE database. No signature detects it. No human pentester would think to try it - "overwhelm the server, then try admin:admin" is not in any playbook. But the system found it because it doesn't think like a human. It tries everything, observes the results, and finds the gaps.

What Makes This Different

Autonomous decision-making: The system doesn't follow a script. It analyzes the target and decides what to do. On Metasploitable, it goes for backdoors. On Kioptrix, it goes for SQL injection. On Brainpan, it goes for buffer overflows. On WordPress, it goes for brute force. On unknown targets, it synthesizes new approaches.

Cross-target learning: Every engagement makes the system smarter. It remembers what worked on Metasploitable and applies those lessons to similar targets. It remembers what failed on TP-Link routers and never tries those techniques on routers again.

Real-time global intelligence: It doesn't just use what's installed locally. It queries the entire world's vulnerability knowledge during attacks and immediately tries matching exploits.

Zero-day discovery: It found a genuine authentication bypass that no human had documented. Not by being smarter than humans, but by being more persistent. It tried things no human would think to try because no human has the patience to try 50 different attack types in sequence.

The Results

Five completely different targets. Five different attack strategies. Five shells.

Target Type	Attack Method	Time to Shell
Metasploitable 2	Backdoor exploitation	< 1 second
Kioptrix 2	SQL injection → RCE	4 seconds
Brainpan	Buffer overflow	4 seconds
Kioptrix 1	Samba exploit	Autonomous
Mr Robot	Zero-day auth bypass	30 minutes

One hardened TP-Link router resisted everything - proving the system correctly identifies secure targets.

Why This Matters

This isn't about building a "hacking tool." It's about proving that autonomous security testing is possible. That a system can think, learn, adapt, and discover without human guidance. That the gap between "running a script" and "conducting a penetration test" can be closed by artificial intelligence.

The implications go beyond offensive security. If we can build systems that autonomously find vulnerabilities, we can also build systems that autonomously patch them. The same cognitive engine that selects exploits could select defenses. The same memory that remembers attacks could remember mitigations.

We're not there yet. But this is a step toward that future.

The author is a security researcher who built this system as a proof of concept for autonomous vulnerability discovery. The code is not publicly available. Research inquiries welcome.

I Built a 14-Blade Pentesting Framework at 22 — Here's What I Learned

Michael Mboya — Sat, 16 May 2026 07:29:58 +0000

I Built a 14-Blade Pentesting Framework at 22 — Here's What I Learned

I'm a third-year telecommunications engineering student in Kenya. I'm also a self-taught penetration tester. A few months ago, I got tired of running 15 different tools manually for every security assessment. So I built something to fix that.

What I Built

Pentest CoPilot — a 14-blade Swiss Army Knife for penetration testing. 26 tools covering the entire kill chain from reconnaissance to reporting.

The Full Arsenal

Blade 1: Reconnaissance — AI-powered scanning. Ports, hidden directories, subdomains, CMS detection, URL parameters. Local AI (Ollama/LLaMA 3.2) correlates findings and generates an attack matrix with specific CVEs.

Blade 2: API Discovery — Detects REST (Swagger/OpenAPI), GraphQL (introspection queries), gRPC (reflection), WebSocket endpoints, and SOAP (WSDL enumeration). Finds what most scanners miss.

Blade 3: Credential Extraction — Pulls API keys, access tokens, internal IP addresses, database connection strings, and configuration paths from exposed endpoints.

Blade 4: Vulnerability Mapping — Full kill chain analysis. Maps initial access vectors through privilege escalation to root exploitation. Kernel-level firewall mapping with ICMP tunneling detection.

Blade 5: Server Exploitation (7 Types) — Auto-detects and exploits: Kestrel/.NET, Apache Tomcat, Node.js/Express, PHP/Apache, Python Flask/Django, IIS/.NET, and Nginx. Each has a dedicated exploit script.

Blade 6: Database Exploitation (7 Types) — MySQL (empty root, UDF escalation), PostgreSQL (COPY FROM PROGRAM RCE), MSSQL (xp_cmdshell), MongoDB (no-auth dump), Redis (SSH key injection), Oracle (default credentials), Elasticsearch (no-auth index dump).

Blade 7: Firewall Bypass & Reverse Shell Arsenal — Custom TCP fragmentation engine splits payloads into tiny pieces to evade inspection. 12 payload types including SQL injection, buffer overflow, and command injection. Reverse shell generator supporting 8 languages (Bash, Python, Netcat, PHP, Perl, Ruby, PowerShell, Netcat+Mkfifo). "Bombard" mode fires all 8 shells simultaneously.

Blade 8: Lateral Movement — Internal subnet scanner for 172.x, 10.x, and 192.168.x ranges. Pivot fragmenter for routing attacks through compromised hosts. CGI dropper for web shell deployment.

Blade 9: Privilege Escalation — 8 Linux vectors (sudo, SUID, kernel exploits, cron, writable paths, capabilities, SSH keys, password files) and 7 Windows vectors (token privileges, unquoted service paths, AlwaysInstallElevated, registry credentials, scheduled tasks, stored credentials, UAC bypass).

Blade 10: Exfiltration — 8 data collection modules (credentials, databases, private keys, source code, network info, browser data, full package). 6 exfiltration methods (HTTP, Netcat, Base64, SCP, DNS tunneling, ICMP tunneling).

Blade 11: Persistence — 8 Linux backdoors (SSH key, cron, systemd, bashrc, MOTD, PAM backdoor, LD_PRELOAD, hidden user) and 6 Windows backdoors (scheduled task, registry run, WMI subscription, startup folder, service, hidden admin).

Blade 12: Cleanup — 12 Linux cleanup steps (bash history, SSH backdoor, cron jobs, systemd services, bashrc, MOTD, hidden user, LD_PRELOAD, system logs, web server logs, temp files, memory) and 8 Windows cleanup steps.

Blade 13: Reporting — Generates professional PDF reports with executive summary, technical findings, attack vector matrix, and remediation recommendations.

Blade 14: Master Compiler — One command runs all 13 phases automatically. Generates a timestamped report directory with every finding organized and documented.

What Makes It Different

Local AI — No Cloud, No API Keys. Most security tools that claim "AI" send your data to OpenAI. Mine runs LLaMA 3.2 locally via Ollama. Your targets stay on your machine.

Fragmentation Engine. I built a custom TCP fragmentation engine that splits payloads into tiny pieces to bypass firewalls. It's not magic — it's packet crafting with Scapy. But it works against production firewalls.

One Directory. Everything Included. No Docker, no databases, no complex setup. Clone the repo, run the installer, and you have a complete pentesting arsenal.

What I Learned

Build for yourself first. I built this because I needed it. That's why it's actually useful — not just a portfolio piece.

AI is a force multiplier. Ollama analyzes scan results and generates attack matrices with specific CVEs. What took 2 hours of manual correlation now takes seconds.

Shipping beats perfection. The first version was buggy. The current version works against production targets. I shipped, tested, fixed, and repeated.

Your portfolio is your degree. I don't have a cybersecurity degree. I have a GitHub repo that proves I can build, test, and document a complex security tool spanning the entire kill chain.

What's Next

Add Nuclei template scanning for automated vulnerability validation
Build a web dashboard for real-time engagement monitoring
Turn it into a SaaS platform for Kenyan SMEs who can't afford enterprise security tools
Add collaborative features for red team operations

Advice for Other Self-Taught Developers

Stop waiting for permission. Build something that solves your own problem. Document it thoroughly. Ship it publicly. The platform you need doesn't exist yet — so build that too.

The difference between a "hacker" and a "security researcher" is often just permission and a paycheck. Same skills. Same mindset. Build the bridge between them.

GitHub: github.com/michaelmboya149-lab/PentestCoPilot-Swiss-army-knife

I'm looking for: Security engineering roles, pentesting opportunities, and collaborators in the Kenyan infosec space. If you're building in this space, let's talk.