Show HN: Mazinger – AI that tries to break into your web app


Mazinger

Elite AI-Powered Penetration Testing Assistant

Python 3.8+  MIT OpenAI

An intelligent, collaborative penetration testing CLI that combines the power of AI with professional security tools



Mazinger is a professional-grade AI penetration testing assistant that speaks like a seasoned ethical hacker. Unlike automated scanners, Mazinger works collaboratively with you - executing one command at a time, explaining findings in technical detail, and suggesting tactical next steps.

Think of it as having an elite pentester sitting next to you, guiding you through security assessments with real-time analysis and expert recommendations.

🌐 Current Focus: Web Application Security

Mazinger v1.0 currently specializes in:

  • Websites and Web Applications - The primary focus
  • Web APIs (REST, GraphQL, SOAP)
  • Web Services and cloud-accessible platforms
  • Network Services accessible over the internet
  • Server Infrastructure and configurations

⏳ Coming Soon (See Roadmap):

  • 📱 Mobile App Pentesting (iOS/Android)
  • 💻 Desktop Application Security
  • 🎣 Phishing Campaign Management
  • 📡 Wireless Security (WiFi/Bluetooth)
  • 🔓 Binary Analysis & Reverse Engineering
  • ☁️ Cloud Security Testing
  • 🌐 IoT Device Testing
  • And everything else needed for comprehensive penetration testing!

Features

  • 🧠 AI-Powered Intelligence - GPT-5 integration with professional hacker personality
  • Interactive Command Execution - Real-time terminal integration with live output streaming
  • 🔐 Domain Verification System - Prove ownership before testing (DNS, file upload, or manual verification)
  • 🎭 Professional Pentester Tone - Uses proper security terminology (recon, enum, privesc, RCE, SQLi)
  • 🛠️ Self-Healing Capabilities - Automatically installs missing tools and handles errors
  • 📊 Session Statistics - Track commands executed, session duration, and verified domains
  • 📄 PDF Report Generation - Comprehensive penetration test reports with AI analysis
  • 🎨 Beautiful CLI Design - Animated spinners, progress bars, and typewriter effects
  • 🔄 Auto-Response Prompts - Handles interactive commands (passwords, yes/no questions)

Mazinger executes ONE command at a time, analyzes results, and asks for your approval before proceeding - giving you full control over the engagement.

    → Starting recon on target

    EXECUTE_COMMAND: nmap -sV -sC demo.owasp-juice.shop

    [After scan completes]

    Attack surface mapped:
    → Port 80: Apache 2.4.41 (CVE-2021-41773 - path traversal → RCE)
    → Port 443: HTTPS (need to check cert/config)
    → Port 22: SSH (OpenSSH 7.4, key-based auth)

    Apache's the weak point. Outdated version with known exploit.

    Next move:
    A) Search exploits for Apache RCE
    B) Enum web directories (find hidden endpoints)
    C) Check SSL misconfigurations

    What's the play?

🔐 Domain Ownership Verification

Before testing any domain, Mazinger requires proof of ownership through:

  • DNS TXT Record - Add a verification token to your DNS
  • File Upload - Upload verification file to web root
  • Manual Confirmation - Type 'verified' to confirm ownership
  • Auto-Approved Targets - localhost, demo.owasp-juice.shop, testphp.vulnweb.com

  • ⏱️ Animated Loaders - Multiple spinner styles with live timers
  • 📊 Progress Bars - Visual feedback for long operations
  • ⌨️ Typewriter Effects - Cinematic startup and shutdown sequences
  • 📈 Live Statistics - Session duration, command count, verified domains
  • 🎯 Command Counter - Track each executed command (#1, #2, #3...)

Full access to professional web pentesting tools:

| Category | Tools |
|---|---|
| Network Reconnaissance | nmap, masscan |
| Web Enumeration | gobuster, ffuf, dirb, dirsearch |
| Technology Detection | whatweb, wafw00f |
| Subdomain Discovery | sublist3r, subfinder |
| Vulnerability Scanning | nikto, nuclei, wapiti |
| CMS-Specific Scanners | wpscan, joomscan |
| Database Attacks | sqlmap |
| XSS Testing | xsser, dalfox |
| Command Injection | commix |
| Parameter Discovery | arjun |
| JWT Analysis | jwt_tool |
| Web Proxies | burpsuite, OWASP ZAP |
| HTTP Clients | curl, httpie, wget |
| Web Login Bruteforce | hydra |
| Custom Scripts | Create Python/Bash scripts on-the-fly |

  • Python 3.8+ (Python 3.12 recommended)
  • OpenAI API Key (Get one here)
  • macOS/Linux (Windows WSL supported)

1️⃣ Clone the repository

    git clone https://github.com/ayman8jebari/MAZINGER.git
    cd MAZINGER

2️⃣ Install dependencies

pip3 install -r requirements.txt

3️⃣ Configure API Key

Option 1: Environment Variable (Recommended)

export OPENAI_API_KEY='your-openai-api-key-here'

Option 2: Config File

    cp config.example.txt config.txt
    # Edit config.txt and paste your API key
    nano config.txt

Get your API key from: OpenAI API Keys

4️⃣ Run Mazinger


Simply describe what you want to do:

    YOU> Scan demo.owasp-juice.shop for open ports
    YOU> Find SQL injection in the login form
    YOU> Check if there's an admin panel
    YOU> Enumerate web directories

Prefix with / to run shell commands directly:

    YOU> /ls -la
    YOU> /pwd
    YOU> /nmap -sV localhost
    YOU> /curl -I https://example.com

Before testing your own website:

    YOU> verify
    Enter domain to verify: mywebsite.com
    [Choose verification method: DNS, File Upload, or Manual]
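A sketch of how the DNS TXT and file-upload checks can bind a token to one domain. This is an added example, not Mazinger's own code: the `mazinger-verify=` record format, the function names and the per-installation secret are assumptions, and the TXT answers are constructed sample data so the block runs offline. Manual confirmation is recorded as an operator attestation rather than as proof, because typing 'verified' demonstrates no control over the domain.

```python
import hashlib
import hmac
import secrets

# Assumption: one secret per installation; a real tool would persist it between runs.
SERVER_SECRET = secrets.token_bytes(32)
TXT_PREFIX = "mazinger-verify="  # hypothetical record format, not the project's own


def normalize_domain(raw: str) -> str:
    """Reduce operator input to a bare lowercase hostname; reject URLs, paths and ports."""
    host = raw.strip().lower().rstrip(".")
    if not host or ".." in host or any(c in host for c in "/:@ \t*"):
        raise ValueError(f"not a bare hostname: {raw!r}")
    return host


def issue_token(domain: str) -> str:
    """HMAC over the domain: a token issued for one domain does not validate another."""
    mac = hmac.new(SERVER_SECRET, normalize_domain(domain).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def proof_matches(domain: str, candidates: list) -> bool:
    """True if any candidate (a TXT record value or the fetched file body) is the proof."""
    expected = (TXT_PREFIX + issue_token(domain)).encode()
    return any(
        hmac.compare_digest(expected, c.strip().strip('"').encode()) for c in candidates
    )


def verification_level(method: str, domain: str, candidates: list) -> str:
    """DNS and file checks are evidence of control; typing 'verified' is only a claim."""
    if method in ("dns", "file") and proof_matches(domain, candidates):
        return "proven"
    if method == "manual":
        return "attested"  # log who attested; do not treat as proof of ownership
    return "unverified"


# Constructed sample: TXT answers for example.com, as a resolver might return them.
token = issue_token("example.com")
sample_txt = ['"v=spf1 -all"', f'"{TXT_PREFIX}{token}"']
print(verification_level("dns", "example.com", sample_txt))
print(verification_level("dns", "other.example", sample_txt))
print(verification_level("manual", "example.com", []))
```

Because the token is derived from the normalized domain, a record copied from one zone into another fails the check.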

| Command | Description |
|---|---|
| exit / quit | Exit Mazinger |
| verify | Verify domain ownership |
| report | Generate PDF penetration test report |
| stats | Show session statistics |
| /command | Execute shell command directly |

    ┌─[YOU]
    └──➤ Test demo.owasp-juice.shop

    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
    ┃ 🤖 MAZINGER │ Session: 2m 15s │ Commands: 3
    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

    Starting recon.

    EXECUTE_COMMAND: nmap -sV demo.owasp-juice.shop

    ╔══════════════════════════════════════════════╗
    ║ ⚡ EXECUTING COMMAND #1                       ║
    ╠══════════════════════════════════════════════╣
    ║ ➜ nmap -sV demo.owasp-juice.shop             ║
    ╚══════════════════════════════════════════════╝

    ✓ Command started
    ────────────────────────────────────────────────
    PORT    STATE SERVICE  VERSION
    80/tcp  open  http     Node.js Express framework
    443/tcp open  ssl/http Node.js Express framework
    ────────────────────────────────────────────────
    ✓ Command completed successfully (exit code: 0) [12.45s]

    Attack surface:
    → Port 80/443: Node.js Express (web app)
    → No SSH exposed (good security)

    Web app's the only entry point. Let's enum directories.

    Next move:
    A) Run gobuster to find hidden endpoints
    B) Check for known vulnerabilities in Express
    C) Manual web app testing

    What's the play?
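A scope gate for model-proposed commands, as an added example rather than code from the Mazinger repository: it parses the `EXECUTE_COMMAND:` line shown in the sessions above and refuses anything whose targets are not verified or auto-approved. The names `gate` and `extract_targets` and the matching rules are assumptions; the sample replies are constructed.

```python
import re
import shlex
from urllib.parse import urlsplit

# The auto-approved targets listed on the page; verified domains are passed in at runtime.
AUTO_APPROVED = {"localhost", "demo.owasp-juice.shop", "testphp.vulnweb.com"}
HOST_RE = re.compile(r"(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}|localhost")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def extract_targets(command: str) -> set:
    """Collect every hostname, URL host or IPv4 literal found among the arguments."""
    targets = set()
    for arg in shlex.split(command):
        for piece in re.split(r"[=,]", arg.lower()):   # --url=host and a,b lists
            if "://" in piece:
                host = urlsplit(piece).hostname or ""  # ignores user@ tricks in URLs
            else:
                host = piece.split("/")[0].split(":")[0]
            # Fails closed: a bare file name such as notes.txt also looks like a host.
            if HOST_RE.fullmatch(host) or IPV4_RE.fullmatch(host):
                targets.add(host)
    return targets


def gate(model_output: str, verified: set) -> tuple:
    """Return (allowed, reason) for the EXECUTE_COMMAND line in one model reply."""
    cmds = re.findall(r"^EXECUTE_COMMAND:\s*(.+)$", model_output, re.M)
    if len(cmds) != 1:
        return False, "expected exactly one command"
    if re.search(r"[;&|`$<>\\]", cmds[0]):
        return False, "shell metacharacters"
    try:
        targets = extract_targets(cmds[0])
    except ValueError:                                 # unbalanced quotes, bad URL
        return False, "unparseable command"
    if not targets:
        return False, "no recognisable target, needs manual review"
    outside = targets - (verified | AUTO_APPROVED)
    if outside:
        return False, "out of scope: " + ", ".join(sorted(outside))
    return True, "ok"


# Constructed model replies in the page's EXECUTE_COMMAND format.
print(gate("Starting recon.\nEXECUTE_COMMAND: nmap -sV demo.owasp-juice.shop", set()))
print(gate("EXECUTE_COMMAND: nmap -sV admin.example.com", {"example.com"}))
```

Matching is exact, so verifying `example.com` does not bring `admin.example.com` into scope; whether subdomains inherit verification is a policy decision to make explicitly.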

Type stats to view:

  • ⏱️ Session duration
  • ⚡ Commands executed
  • 🎯 Current target
  • 💬 Conversation length
  • 🔐 Verified domains

Type report to generate a comprehensive penetration test report including:

  • Executive summary
  • Methodology
  • Detailed findings
  • Successful attacks
  • Recommendations
  • Command execution log

Mazinger automatically handles interactive prompts:

  • Password prompts → Auto-responds
  • Yes/No questions → Auto-responds with 'yes'
  • FTP login → Anonymous login
  • Confirmation dialogs → Auto-confirms

IMPORTANT: Only test systems you own or have explicit written authorization to test.

Unauthorized access to computer systems is illegal under:

  • Computer Fraud and Abuse Act (CFAA) - United States
  • Computer Misuse Act - United Kingdom
  • European Cybercrime Convention
  • Local laws in your jurisdiction

✅ Legal Testing Resources

Practice your skills legally on these platforms:

If you find vulnerabilities:

  1. Do NOT exploit them maliciously
  2. Report to the organization privately
  3. Wait for them to patch before public disclosure
  4. Follow responsible disclosure guidelines

    ┌─────────────────────────────────────────────┐
    │           User Interface (CLI)              │
    │  • Animated spinners & progress bars        │
    │  • Real-time command output streaming       │
    │  • Beautiful terminal formatting            │
    └─────────────────┬───────────────────────────┘
                      │
    ┌─────────────────▼───────────────────────────┐
    │         Mazinger AI Engine (GPT-5)          │
    │  • Professional pentester personality       │
    │  • One-command-at-a-time execution          │
    │  • Technical analysis and suggestions       │
    └─────────────────┬───────────────────────────┘
                      │
    ┌─────────────────▼───────────────────────────┐
    │           Command Execution Layer           │
    │  • pexpect for interactive prompts          │
    │  • Auto-response system                     │
    │  • Real-time output capture                 │
    └─────────────────┬───────────────────────────┘
                      │
    ┌─────────────────▼───────────────────────────┐
    │          Security Tools & Scripts           │
    │  • nmap, gobuster, sqlmap, nikto, etc.      │
    │  • Custom script generation                 │
    │  • Auto-installation of missing tools       │
    └─────────────────────────────────────────────┘

    openai>=1.0.0    # AI engine
    fpdf>=1.7.2      # PDF report generation
    pexpect>=4.8.0   # Interactive command handling

🗺️ Roadmap - What's Coming Next

Note: Mazinger currently focuses on web application security (v1.0). The features below are planned additions to create a comprehensive penetration testing platform covering ALL attack vectors.


🎯 Next Priority: Expanding Attack Surface

Our goal is to make Mazinger the ultimate AI pentesting assistant for everything - not just websites. Here's what's being added:

🚀 Upcoming Attack Vectors:

  • 📱 Mobile App Pentesting (iOS & Android)
  • 🎣 Phishing & Social Engineering campaigns
  • 💻 Desktop Application Security (Windows/macOS/Linux)
  • 📡 Wireless Testing (WiFi/Bluetooth/RFID)
  • ☁️ Cloud Security (AWS/Azure/GCP)
  • 🔓 Binary Analysis & Reverse Engineering
  • 🌐 IoT & Embedded Systems
  • 🛡️ Physical Security testing
  • 📞 VoIP & Telephony security
  • 🎮 Gaming Platform exploitation
  • And literally everything else used to compromise systems!

🔧 Core Platform Improvements

  • Multiple AI model support (Claude, Gemini, local LLMs)
  • Web UI dashboard for remote access
  • Team collaboration features
  • Vulnerability database integration (CVE, NVD)
  • Automated exploit chaining
  • Cloud deployment (Docker/Kubernetes)
  • Plugin system for custom tools
  • Multi-target concurrent scanning
  • Real-time collaboration mode
  • Built-in note taking and reporting

📱 Mobile App Penetration Testing (HIGH PRIORITY)

  • iOS App Penetration Testing

    • IPA file analysis and reverse engineering
    • Runtime manipulation with Frida/Objection
    • SSL pinning bypass
    • Jailbreak detection bypass
    • Binary analysis and class dumping
    • API endpoint extraction
    • Keychain data extraction
  • Android App Penetration Testing

    • APK decompilation and analysis
    • Smali code analysis
    • Runtime hooking with Frida
    • Root detection bypass
    • SSL certificate pinning bypass
    • Intent fuzzing and activity testing
    • SharedPreferences and database extraction
    • Native library analysis

Software & Binary Analysis

  • Desktop Application Testing

    • Windows PE analysis (.exe, .dll)
    • macOS binary analysis (Mach-O)
    • Linux ELF binary analysis
    • Debugger integration (gdb, lldb, WinDbg)
    • Memory corruption detection
    • Reverse engineering automation
  • Thick Client Testing

    • .NET application analysis
    • Java desktop app testing
    • Electron app security testing
    • Protocol analysis (TCP/UDP)
    • Local storage inspection
  • Wireless Security

    • WiFi penetration testing (WPA/WPA2/WPA3)
    • Bluetooth security assessment
    • RFID/NFC analysis
  • Cloud Security

    • AWS/Azure/GCP misconfigurations
    • S3 bucket enumeration
    • Container escape techniques
    • Kubernetes security testing
  • IoT Device Testing

    • Firmware extraction and analysis
    • Hardware interface testing (UART, JTAG)
    • Embedded system exploitation
  • API Security

    • GraphQL testing
    • REST API fuzzing
    • OAuth/JWT exploitation
    • API rate limit bypass

🎣 Social Engineering & Phishing (HIGH PRIORITY)

  • Phishing Campaign Management

    • Email template creation and customization
    • Phishing website cloning and hosting
    • Link tracking and analytics
    • Credential harvesting (for authorized tests)
    • SMS phishing (smishing) capabilities
    • Voice phishing (vishing) script generation
    • QR code phishing attacks
  • OSINT (Open Source Intelligence)

    • Automated information gathering
    • Social media reconnaissance
    • Email enumeration and validation
    • Username harvesting across platforms
    • Leaked credential database searches
    • Employee information gathering
    • Domain and subdomain discovery
  • Pretexting & Impersonation

    • Fake identity creation
    • LinkedIn/social media profiling
    • Spear phishing automation
    • Business Email Compromise (BEC) testing

Contributions are highly welcome! We're building the ultimate AI-powered hacking assistant and need help in these areas:

🎯 High Priority Contributions Needed

  1. Mobile App Security Features

    • iOS app pentesting integration (Frida, Objection)
    • Android APK analysis and decompilation
    • Mobile runtime hooking frameworks
    • SSL pinning bypass automation
  2. Binary & Software Analysis

    • Desktop application testing (Windows/macOS/Linux)
    • Reverse engineering tools integration
    • Debugger automation (gdb, lldb, WinDbg)
    • Malware analysis capabilities
  3. Cloud & Infrastructure

    • AWS/Azure/GCP security scanning
    • Container security testing
    • Kubernetes penetration testing
    • Cloud misconfiguration detection
  4. Advanced Protocols

    • Bluetooth/WiFi testing
    • IoT firmware analysis
    • Hardware hacking tools
    • Custom protocol fuzzing

  1. 🍴 Fork the repository
  2. 🔨 Create a feature branch (git checkout -b feature/MobileAppTesting)
  3. 💾 Commit your changes (git commit -m 'Add iOS app analysis with Frida')
  4. 📤 Push to the branch (git push origin feature/MobileAppTesting)
  5. 🎉 Open a Pull Request

  • Code Style: Follow PEP 8 for Python
  • Documentation: Add clear comments and update README
  • Testing: Test thoroughly on different platforms
  • AI Prompts: Update system prompts for new capabilities
  • Tools: Ensure new tools are auto-installable
  • Security: All contributions must be for ethical/legal use

Easy (Good First Issues)

  • Add new security tool integrations
  • Improve error handling and logging
  • Add more spinner animations
  • Enhance PDF report generation

Medium

  • Mobile app decompilation support
  • Bluetooth/WiFi testing modules
  • Cloud security scanners
  • API fuzzing frameworks

Hard

  • Binary analysis and reverse engineering
  • Custom exploit development framework
  • Multi-target orchestration
  • Machine learning for vulnerability detection

Contributors will be:

  • Listed in the README acknowledgments
  • Credited in release notes
  • Given contributor badge on GitHub
  • Invited to core team for significant contributions

This project is licensed under the MIT License - see the LICENSE file for details.

MIT License

Copyright (c) 2025 Ayman Jebari

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

Ayman Jebari (Zero)


  • 🤖 OpenAI for GPT-5 API
  • 🔓 OWASP for security resources and vulnerable applications
  • 🛡️ Security tools community for amazing open-source tools
  • 💻 All contributors and testers

Found a bug? Have a feature request?


⚡ Happy Hacking! ⚡

Remember: With great power comes great responsibility.

Made with 💀 and ☕ by Zero - for hackers, by hackers.
