PAQMAN is a command line companion tool to improve your pentesting experience. It provides you with copy-pastable commands depending on the information you collect or already have to transform them into a successfull attack.
PAQMAN comes without a database as it is intended to be filled by the user to be as flexible as possible.
You can test PAQMAN by yourself in our staging environment at https://paqman.leon.wtf. This instance follows PAQMANs main branch, so be advised that there may occure some errors.
Paqman is being developed as part of a project at the Offenburg University of Applied Sciences by Nadine Weber (MI7), Nicola Jäger (UN6) and Leon Schmidt (UN6).
- Backend: Go v1.16
- Frontend: React JS v17.0.1 (via
create-react-app)- CSS framework: Tailwind CSS
- Backend (inside
server/)- Install Go dependencies:
$ go get -d -v ./... - Build Go binary:
$ CGO_ENABLED=1 go install -a -ldflags '-linkmode external -extldflags "-static"' .
- Install Go dependencies:
- Frontend (inside
frontend/)- Install NPM dependencies:
$ npm install - Build React frontend:
$ npm run build→ Static files inbuild/
- Install NPM dependencies:
- Run backend with
./paqman-backendinsideserver/ - Frontend: http://localhost:3002; API: http://localhost:3002/api
- Build image:
$ docker build -t <your-tag> . - Start a container:
$ docker run --name paqman -p "<external-port>:3002" [-v "<your-config>:/config.json:ro"] <your-tag> [<options>]- Make sure, your
"bind_address"is set to0.0.0.0:3002or omitted - otherwise, the service would not be reachable from outside the docker container! - Make sure to have a mongo db container running with a hostname of
mongoon port27017(ideally use a docker-compose file)!
- Make sure, your
- Stop and delete the container:
$ docker stop paqman && docker rm paqman - Frontend: http://localhost:3002; API: http://localhost:3002/api
There is a pre-built docker image at registry.git.leon.wtf/paqman/paqman:dev and a prewritten docker-compose.yml file in the repositories root directory.
- Install dependencies (as described in Manual Build)
- Start the mongodb database with
$ docker-compose up [-d]withindev_environment/- Database listens on
0.0.0.0:27017 - DB web frontend available at http://localhost:8081
- Database listens on
- Start the backend with
$ go run .withinserver/→ listens on0.0.0.0:3002 - Start the frontend with
$ npm run startwithinfrontend/→ available at http://localhost:3000 with hot-reloading
In production, the frontend is served by the Go backend, but it doesn't support Reacts hot-reloading feature as it only serves the build/ folder. Therefore the frontend is served on it's own port in development but can use the backend to do fetch calls. Adjust the "proxy" setting in frontend/package.json to point to the backend, if needed.