Calvaryyy/LANCE

LANCE

Autonomous Penetration Testing Framework
Calvary | v0.1


██╗      █████╗ ███╗   ██╗ ██████╗███████╗
██║     ██╔══██╗████╗  ██║██╔════╝██╔════╝
██║     ███████║██╔██╗ ██║██║     █████╗  
██║     ██╔══██║██║╚██╗██║██║     ██╔══╝  
███████╗██║  ██║██║ ╚████║╚██████╗███████╗
╚══════╝╚═╝  ╚═╝╚═╝  ╚═══╝ ╚═════╝╚══════╝
  HILT · EXCALIBUR · AVA · CRUX

LANCE is a modular, AI-powered autonomous penetration testing framework built for offensive security professionals. It chains four engines together — recon, vulnerability detection, AI-driven synthesis, and exploitation — into a single pipeline that takes a target and produces a confirmed, prioritized attack surface report.


Engines

| Codename | Role | Tools |
|---|---|---|
| HILT | Recon Engine | subfinder, amass, httpx, nmap, gobuster |
| EXCALIBUR | Vulnerability Scanner | nuclei, wpscan, CMS/API routing |
| AVA | AI Synthesis | OpenAI / Gemini / Anthropic / DeepSeek / Ollama |
| CRUX | Exploitation Engine | sqlmap, nuclei fuzz, wpscan exploit, metasploit |

Pipeline

Target Input
    └─► HILT        — Subdomain enum, port scan, tech fingerprint, dir bruteforce
          └─► EXCALIBUR  — Asset-aware vuln detection (nuclei, wpscan, API/CMS routing)
                └─► AVA       — AI synthesis: ranked findings, chains, remediation
                      └─► CRUX      — AI-orchestrated exploitation, confirmed PoC output

Each engine produces a structured JSON report consumed by the next. The full pipeline can be run end-to-end or each engine can be run independently.


Setup

1. Run the setup script — installs all system tools, Python dependencies, and optionally sets up Ollama for local AI inference:

python3 setup.py

The setup script will:

  • Install nmap, gobuster, subfinder, httpx, nuclei, amass, wpscan
  • Install Python dependencies (requests, flask, flask-socketio)
  • Prompt you to install Ollama and select models to pull locally
  • Initialize lance.conf

2. Configure your AI provider:

python3 lance_config.py --set openai_api_key sk-...
python3 lance_config.py --set default_provider openai

Or use Ollama for fully local inference (no API key needed) — set up during setup.py.


Usage

CLI

# Full pipeline — all four engines
python3 lance.py -d target.com --ai ollama
python3 lance.py -d target.com --ai gemini
python3 lance.py -d target.com --ai anthropic --timeout 120

# Full pipeline, skip exploitation
python3 lance.py -d target.com --ai openai --skip-crux

# Multiple targets from file
python3 lance.py -l targets.txt --ai deepseek

# IP / CIDR range
python3 lance.py -i 192.168.1.0/24 --ai ollama

# Single engine only
python3 lance.py -d target.com --phase hilt
python3 lance.py -d target.com --phase excalibur
python3 lance.py -d target.com --phase ava --ai gemini
python3 lance.py -d target.com --phase crux --ai ollama

# Resume from a specific report
python3 lance.py -d target.com --phase crux -r results/target.com/synthesis_report.json --ai openai

GUI

python3 lance_gui.py

Opens a desktop application on http://localhost:1337. If PyQt5 is not installed, falls back to browser mode automatically.

python3 lance_gui.py --browser   # force browser mode

Install GUI dependencies:

pip install flask flask-socketio PyQt5 PyQtWebEngine --break-system-packages

Flags

| Flag | Description | Default |
|---|---|---|
| -d DOMAIN | Single target domain | |
| -l FILE | File containing list of domains | |
| -i IP/CIDR | IP address or CIDR range | |
| --phase | Run a single engine: hilt, excalibur, ava, crux | all |
| --ai | AI provider: ollama, openai, gemini, anthropic, deepseek | |
| --model | Override default model for selected provider | provider default |
| --timeout | Per-tool timeout in seconds | 300 |
| --skip-crux | Run full pipeline but skip CRUX | false |
| -r FILE | Path to a specific report (for resuming a phase) | auto-detected |
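
A pre-flight scope check for the values passed to -d, -l and -i, shown here as an added example that is not part of the LANCE code base. It assumes a hypothetical scope file with one authorized domain or CIDR per line, a targets file with one entry per line, and that an authorized domain also covers its subdomains; all function names and sample values are constructed for illustration.

```python
import ipaddress

# Constructed sample data: an agreed scope and a candidate target list.
SCOPE = """
# authorized scope (constructed sample)
target.com
192.168.1.0/24
"""
TARGETS = """
target.com
api.target.com
eviltarget.com      # shares a suffix string, different registrable domain
192.168.1.0/25
192.168.0.0/16      # wider than the authorized /24
10.0.0.5
"""

def load_lines(text):
    """Return non-empty entries with '#' comments stripped."""
    stripped = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [entry for entry in stripped if entry]

def parse_scope(entries):
    """Split scope entries into IP networks and lowercase domain names."""
    nets, domains = [], []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.append(entry.lower().rstrip("."))
    return nets, domains

def in_scope(target, nets, domains):
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        host = target.lower().rstrip(".")
        # Match on a label boundary so eviltarget.com does not pass as target.com.
        return any(host == d or host.endswith("." + d) for d in domains)
    # The whole requested range must sit inside one authorized network.
    return any(net.version == n.version and net.subnet_of(n) for n in nets)

def out_of_scope(targets, scope_entries):
    nets, domains = parse_scope(scope_entries)
    return [t for t in targets if not in_scope(t, nets, domains)]

if __name__ == "__main__":
    for target in out_of_scope(load_lines(TARGETS), load_lines(SCOPE)):
        print("OUT OF SCOPE:", target)
```

Run it before starting a scan and abort if the returned list is non-empty.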

AI Providers

| Provider | Flag | Requires |
|---|---|---|
| Ollama (local) | --ai ollama | Ollama installed, model pulled |
| OpenAI | --ai openai | openai_api_key in config |
| Google Gemini | --ai gemini | gemini_api_key in config |
| Anthropic | --ai anthropic | anthropic_api_key in config |
| DeepSeek | --ai deepseek | deepseek_api_key in config |

Configuration

python3 lance_config.py --show                              # view current config (keys masked)
python3 lance_config.py --set openai_api_key sk-...         # set a value
python3 lance_config.py --set default_provider gemini       # set default provider
python3 lance_config.py --set ollama_model llama3.1:8b      # set default Ollama model
python3 lance_config.py --clear anthropic_api_key           # remove a key
python3 lance_config.py --keys                              # list all available keys

Config is stored in lance.conf in the project root. This file is excluded from version control — never commit it.
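
One way to verify that lance.conf and results/ really are kept out of version control, as an added example that is not LANCE's own code. The function names are hypothetical, and the 0600 file-mode check is an extra assumption about good practice for a file holding API keys, not something the project states; `git check-ignore` is the standard git command for this test.

```python
import os
import stat
import subprocess

# Paths the README says are gitignored.
SENSITIVE_PATHS = ("lance.conf", "results")

def git_ignores(repo_root, rel_path):
    """True/False when git says the path is ignored/not ignored.
    None when git is missing or repo_root is not a git work tree."""
    try:
        proc = subprocess.run(
            ["git", "-C", repo_root, "check-ignore", "-q", rel_path],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
    except FileNotFoundError:
        return None
    # Exit 0 = ignored, 1 = not ignored, anything else = error.
    return {0: True, 1: False}.get(proc.returncode)

def audit(repo_root):
    """Return a list of human-readable findings for the project root."""
    findings = []
    conf = os.path.join(repo_root, "lance.conf")
    if os.path.exists(conf):
        mode = stat.S_IMODE(os.stat(conf).st_mode)
        if mode & 0o077:  # any group/other permission bit set
            findings.append(
                f"lance.conf mode {mode:04o} is accessible by group/other; use 0600"
            )
    for rel in SENSITIVE_PATHS:
        # A path that is already tracked is reported as not ignored,
        # which also catches a config file committed by mistake.
        if git_ignores(repo_root, rel) is False:
            findings.append(f"{rel} is not ignored by git")
    return findings

if __name__ == "__main__":
    for finding in audit(os.getcwd()):
        print("FINDING:", finding)
```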


Output Structure

All results are written to results/<target>/:

results/
└── target.com/
    ├── recon_report.json        ← HILT output
    ├── subfinder.txt
    ├── amass.txt
    ├── all_subdomains.txt
    ├── httpx.json
    ├── nmap_*.xml
    ├── port_scan_summary.json
    ├── gobuster_*.txt
    ├── vuln_report.json         ← EXCALIBUR output
    ├── vuln/
    │   ├── nuclei_web_*.json
    │   ├── nuclei_api_*.json
    │   ├── nuclei_cms_*.json
    │   └── wpscan_*.json
    ├── synthesis_*.md           ← AVA output
    ├── crux_report.json         ← CRUX output
    └── crux/
        ├── sqlmap_*/
        ├── nuclei_fuzz_*.json
        └── wpscan_exploit_*.json

File Structure

LANCE/
├── lance.py           ← unified entry point
├── hilt.py            ← HILT: Recon Engine
├── excalibur.py       ← EXCALIBUR: Vulnerability Scanner
├── ava.py             ← AVA: AI Synthesis
├── crux.py            ← CRUX: Exploitation Engine
├── lance_gui.py       ← GUI launcher
├── gui_server.py      ← Flask/SocketIO backend (port 1337)
├── gui_window.py      ← PyQt5 desktop window
├── lance_config.py    ← config manager
├── setup.py           ← one-time setup script
├── setup.sh           ← legacy shell setup
├── gui/
│   └── templates/
│       └── index.html ← GUI frontend
├── results/           ← scan output (gitignored)
└── lance.conf         ← API keys & config (gitignored)

Tool Dependencies

| Tool | Required by | Install |
|---|---|---|
| subfinder | HILT | go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest |
| amass | HILT | go install github.com/owasp-amass/amass/v4/...@master |
| httpx | HILT | go install github.com/projectdiscovery/httpx/cmd/httpx@latest |
| nmap | HILT | sudo apt install nmap |
| gobuster | HILT | sudo apt install gobuster |
| nuclei | EXCALIBUR, CRUX | go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest |
| wpscan | EXCALIBUR, CRUX | sudo gem install wpscan |
| sqlmap | CRUX | sudo apt install sqlmap |
| metasploit | CRUX (optional) | sudo apt install metasploit-framework |
| ollama | AVA, CRUX (optional) | ollama.com |

Disclaimer

LANCE is built for authorized penetration testing and security research only. Only run it against targets you have explicit written permission to test. The authors take no responsibility for unauthorized or illegal use.


Built by Calvary.
