OMNISPLOIT · alpha v0.3 SESSION: guest PHASES: OSINT→REPORT ENGINE: ONLINE
The complete pentest workflow in a single pane of glass.

From OSINT/Recon to Reporting — one tool, one terminal, zero context switching.

Python 3.9+ / Flask Vanilla JS · no build step CRT phosphor UI Docker + Caddy TLS Authorized testing only GPL-3

WHAT IT IS

OmniSploit unifies every phase of an engagement behind one operator console — subprocess orchestration, live SSE terminals, an encrypted credential store, engagement scoping, CVE enrichment, and reporting — so you never leave the tool to change context.

OSINT RECON ENUM VULN EXPLOIT BRUTE PRIVESC LATERAL POST-EX REPORT

CAPABILITIES

RECON // recon

nmap discovery (ping/quick/full), masscan, Shodan, and a full OSINT suite — crt.sh, RDAP, whois, Wayback, GitHub dorks, theHarvester/amass/subfinder.

ENUMERATION // enum

AutoRecon with module toggles, gowitness HTTP screenshots, a live results file tree, and a Next-Steps command parser.

VULNERABILITY // vuln

Nuclei with 20+ profiles (P1–P23 + community), Nikto, WPScan, testssl, SQLMap.

AUTO-PIPELINE // engine

Auto-chained 22-phase web-app pipeline — an Engagement Asset Graph chains tool output → input, with 6-stage approval gates, per-target throttle, scope allowlist, and exploit-verify.

EXPLOIT + BRUTE // exploit

Full impacket suite (secretsdump, psexec, GetUserSPNs…), NetExec across 9 protocols, plus hashcat/john offline cracking with a wordlist manager.

CREDENTIAL STORE // lateral

AES-Fernet SQLite store; key derived from your login password, held in memory only. A picker wires creds into NetExec / impacket / Responder jobs.

BLOODHOUND CE // ad

Connect, collect, run Cypher, and render the graph in Cytoscape — 30+ prebuilt queries across 4 tiers, mark-owned, and PrivHound cross-dataset paths.

CLOUD // entra

ROADtools device-code auth + directory gather, TeamFiltration enum/spray/exfil, native unauthenticated Entra tenant recon, and Nuclei cloud-config review.

DELIVERY PANEL // deliver

Federated omni-xfer goshs stack — TLS-fronted, trust-zone-separated payload delivery, live traffic monitor, SHA256-pinned payload staging, and a firewall allowlist.

ENRICHMENT + REPORT // report

Every CVE enriched from CISA KEV, EPSS, NVD, MSF, ExploitDB. OmniReport renders HTML/PDF with Chart.js severity/EPSS/CVSS visuals + client branding.

UNDER THE HOOD

ACCESS

# deploy the batteries-included stack (Docker, primary path) operator@kali:~$ deploy/install.sh → menu-driven: Docker + TLS (self-signed · Let's Encrypt · Cloudflare) + per-engagement projects operator@kali:~$ docker compose up -d → console live at https://localhost · report service on :5001
operator@omnisploit:~$