sssnake/autarch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

AUTARCH v1.9 — remote monitoring, SSH manager, daemon, vault, cleanup

Browse Source 
- Add Remote Monitoring Station with PIAP device profile system
- Add SSH/SSHD manager with fail2ban integration
- Add privileged daemon architecture for safe root operations
- Add encrypted vault, HAL memory, HAL auto-analyst
- Add network security suite, module creator, codex training
- Add start.sh launcher script and GTK3 desktop launcher
- Remove Output/ build artifacts, installer files, loose docs
- Update .gitignore for runtime data and build artifacts
- Update README for v1.9 with new launch method, screenshots, and features

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
SsSnake
2026-03-24 06:59:06 -07:00
parent 1092689f45
commit da53899f66
382 changed files with 15277 additions and 493964 deletions
Download Patch File Download Diff File Expand all files Collapse all files

356
README.md
View File

@@ -1,13 +1,3 @@
Note: Do to server issues, we had to perform an emergency restore on everything. This has delayed the public release of Autarch 2.0 by a few days, however the release is coming.
In version 2.0 we have made even more modules available to the public, including our proprietary CVE scanner powered by a SLM for realtime analysis and detection. We are also adding a IoC uplink to add what you find to a public database so others can learn and help.
The site will be cve.seteclabs.io
```
/\
/ \
@@ -20,7 +10,7 @@ The site will be cve.seteclabs.io
\_/ \_/\______| |_|/_/ \_\_| \_\ANARCHY IS LIFE
``` LIFE IS ANARCHY
# AUTARCH
# AUTARCH v1.9
**Autonomous Tactical Agent for Reconnaissance, Counterintelligence, and Hacking**
@@ -30,77 +20,318 @@ By **darkHal Security Group** & **Setec Security Labs**
## Overview
AUTARCH is a modular security platform combining defensive hardening, offensive testing, forensic analysis, OSINT reconnaissance, and attack simulation into a single web-based dashboard. It features local and cloud LLM integration, an autonomous AI agent, hardware device management over WebUSB, and a companion Android application.
AUTARCH is a modular security platform that unifies defensive hardening, offensive testing, forensic analysis, network security monitoring, OSINT reconnaissance, and attack simulation into a single web-based dashboard. It ships with **1,130+ web routes** across **67 route files**, **79 HTML templates**, **73 CLI modules**, and **40+ core framework files**. The platform integrates local and cloud LLM backends (llama.cpp, Claude, OpenAI, HuggingFace), an autonomous AI agent, an MCP server for external AI tool use, a privileged daemon architecture for safe root operations, an encrypted vault for secrets, hardware device management over WebUSB, and a companion Android application.
AUTARCH indexes **25,475 OSINT sites** for reconnaissance and provides real-time AI-powered analysis of every defensive scan through the HAL auto-analyst system.
![AUTARCH Demo 1](assets/demo1.png)
![AUTARCH Demo 2](assets/demo2.png)
![AUTARCH Demo 3](assets/demo3.png)
---
## New in v1.9
- **Remote Monitoring Station** — PIAP (Platform Integration & Access Profile) system for managing remote devices (routers, adapters, pineapples). Drop a `.piap` config file in `data/piap/` and it auto-appears in the UI with full radio control, monitor mode, channel hopping, and remote capture
- **SSH / SSHD Manager** — Full SSH configuration management: edit sshd_config, manage keys, fail2ban integration, connection testing
- **Network Security Suite** — 8-tab network defense dashboard: connections, IDS, rogue device detection, real-time monitor, WiFi scanner, attack detection, ARP spoof detection, SSID mapper
- **HAL Auto-Analyst** — Every defensive tool automatically sends output to the loaded LLM for real-time analysis, risk scoring, and remediation suggestions
- **Privileged Daemon Architecture** — Flask runs as a normal user; a root daemon handles privileged operations over a Unix socket with HMAC-SHA256 authentication and a strict command whitelist (68 whitelisted commands plus 2 built-in Python actions, 45 blocked)
- **Encrypted Vault** — AES-encrypted storage for API keys and secrets, replacing plaintext config entries
- **MCP Server** — Expose AUTARCH tools to Claude Desktop, Claude Code, and other MCP clients via SSE transport
- **Module Creator** — Build new AUTARCH modules from the web UI with template scaffolding
- **GTK Desktop Launcher** — Native GTK3 launcher for starting/stopping the web server and daemon, managing settings, viewing logs
- **SSID Mapper** — Scan and map nearby wireless networks with signal strength, encryption type, and channel info
- **ARP Spoof Detection** — Real-time detection of ARP poisoning attacks on your network
- **WiFi Attack Detection** — Detect deauthentication floods, evil twin APs, and other wireless attacks
- **HAL Memory** — Persistent encrypted memory for the HAL AI agent across sessions
- **Codex Training System** — Build training datasets from AUTARCH's own codebase for fine-tuning
---
## Features
- **Defense** — System hardening audits, firewall checks, permission analysis, security scoring
- **Offense** — Metasploit & RouterSploit integration, module execution with live SSE streaming
- **Counter** — Threat detection, suspicious process analysis, rootkit checks, network monitoring
- **Analyze** — File forensics, hash toolkit (43 algorithm patterns), hex dumps, string extraction, log analysis
- **OSINT** — Email/username/phone/domain/IP reconnaissance, 7,287+ indexed sites
- **Simulate** — Attack simulation, port scanning, password auditing, payload generation
- **Hardware** — ADB/Fastboot over WebUSB, ESP32 flashing via Web Serial, dual-mode (server + direct)
- **Android Protection** — Anti-stalkerware/spyware shield, signature-based scanning, permission auditing
- **Agent Hal** — Autonomous AI agent with tool use, available as a global chat panel
- **Hash Toolkit** — Hash algorithm identification (hashid-style), file/text hashing, hash mutation, threat intel lookups
- **Enc Modules** — Encrypted module system for sensitive payloads
- **Reverse Shell** — Multi-language reverse shell generator
- **WireGuard VPN** — Tunnel management and remote device access
- **UPnP** — Automated port forwarding
- **Wireshark** — Packet capture and analysis via tshark/pyshark
- **MSF Console** — Web-based Metasploit console with live terminal
- **Debug Console** — Real-time Python logging output with 5 filter modes
### Defense & Monitoring
- System hardening audits (Linux + Windows), firewall checks, permission analysis, security scoring
- Network Security suite with 8 specialized tabs
- Intrusion detection, rogue device scanning, real-time packet monitoring
- Log correlation and SIEM-style analysis
- Incident response playbooks and forensic acquisition
- Container security auditing (Docker, Podman)
- Email security analysis (SPF, DKIM, DMARC, header forensics)
### Offense & Simulation
- Metasploit & RouterSploit integration with live SSE streaming
- Attack simulation, port scanning, password auditing, payload generation
- C2 framework, reverse shell generator (multi-language)
- WiFi deauthentication, MITM proxy, load testing
- Exploit development workspace
- Phishing simulation, social engineering toolkit
### Analysis & Forensics
- File forensics, hex dumps, string extraction, entropy analysis
- Malware sandbox with behavioral analysis
- Reverse engineering workspace
- Steganography detection and embedding
- Anti-forensics toolkit
- Log correlation engine
### OSINT & Reconnaissance
- Email, username, phone, domain, IP reconnaissance across **25,475 indexed sites**
- Network mapper with topology visualization
- Threat intelligence feeds and IoC lookups
- GeoIP resolution, DNS enumeration, WHOIS
### Hardware & Mobile
- ADB/Fastboot over WebUSB, ESP32 flashing via Web Serial
- Android anti-stalkerware/spyware shield with signature-based scanning
- BLE scanner, RFID tools, SDR tools
- Pineapple integration, Starlink research tools
### AI & Automation
- **Agent HAL** — Autonomous AI agent with tool use, available as a global chat panel
- **HAL Auto-Analyst** — Automatic LLM analysis of all defensive tool output
- **MCP Server** — Expose tools to external AI clients
- **Autonomy Engine** — Rule-based autonomous threat response
- 4 LLM backends: llama.cpp (GGUF), HuggingFace Transformers, Claude API, OpenAI-compatible API
- Multi-model routing (SLM, SAM, LAM tiers)
### Infrastructure
- Privileged daemon for safe root operations
- Encrypted vault for API keys and credentials
- WireGuard VPN tunnel management
- UPnP automated port forwarding
- DNS nameserver with custom zone management
- Web-based Metasploit console with live terminal
- Debug console with 5 filter modes
- Report engine with PDF/HTML export
- Encrypted module system for sensitive payloads
---
## Architecture
```
autarch.py # Main entry point (CLI + web server)
core/ # 25+ Python modules (agent, config, hardware, llm, msf, etc.)
modules/ # 26 loadable modules (defense, offense, counter, analyze, osint, simulate)
start.sh # Launch script (detects venv, starts launcher)
autarch.py # CLI entry point (73 modules)
launcher.py # GTK3 desktop launcher
core/ # 40+ core framework files
agent.py # Autonomous AI agent
config.py # Configuration management
daemon.py # Privileged root daemon (shell, packet capture, WiFi scan)
hal_analyst.py # HAL auto-analysis engine
hal_memory.py # Persistent encrypted AI memory
llm.py # LLM backend router
mcp_server.py # MCP protocol server
vault.py # Encrypted secret storage
wireguard.py # VPN management
msf.py # Metasploit interface
discovery.py # Network/BT/mDNS discovery
...
modules/ # 73 loadable modules
defender.py # Linux defense
defender_windows.py # Windows defense
forensics.py # File forensics
net_mapper.py # Network topology
threat_intel.py # Threat intelligence
...
web/
app.py # Flask app factory (16 blueprints)
routes/ # 15 route files
templates/ # 16 Jinja2 templates
app.py # Flask app factory
routes/ # 67 route files (1,130+ routes)
remote_monitor.py # PIAP remote device management
ssh_manager.py # SSH/SSHD configuration & fail2ban
network.py # Network security suite (8 tabs)
module_creator.py # Web-based module builder
...
templates/ # 79 Jinja2 templates
static/ # JS, CSS, WebUSB bundles
autarch_companion/ # Archon Android app (Kotlin)
data/ # SQLite DBs, JSON configs, stalkerware signatures
scripts/ # Systemd services, build scripts, polkit policy
data/
piap/ # Device profiles (.piap files)
codex/ # Training data and codex
... # SQLite DBs, JSON configs, OSINT site database
autarch_settings.conf # Master configuration file
```
---
## Quick Start
### From Source
### Quick Launch
```bash
# Clone
git clone https://github.com/digijeth/autarch.git
cd autarch
# Install dependencies
pip install -r requirements.txt
# Run
python autarch.py
bash scripts/setup-venv.sh
./start.sh
```
`start.sh` launches the GTK desktop launcher which manages the daemon and web server — venv detection, daemon status, and pkexec elevation are handled automatically.
The web dashboard starts at `https://localhost:8080` (self-signed cert).
### Windows Installer
### Manual Start
Download `autarch_public.msi` or `autarch_public.exe` from the [Releases](https://github.com/digijeth/autarch/releases) page.
```bash
# Start the daemon (handles privileged operations)
sudo python3 core/daemon.py &
# Start the web dashboard
python autarch.py
```
### Systemd Services (Headless / Server)
```bash
sudo cp scripts/autarch-web.service /etc/systemd/system/
sudo cp scripts/autarch-daemon.service /etc/systemd/system/
sudo systemctl enable --now autarch-daemon
sudo systemctl enable --now autarch-web
```
---
## The Daemon
AUTARCH uses a split-privilege architecture. The Flask web server runs as a normal user — it never has root access. A separate daemon process runs as root and is the single privileged process that handles ALL root operations: shell commands (`iptables`, `sysctl`, `systemctl`, etc.), packet capture (scapy sniff), and WiFi scanning (`iw scan`).
**Why?** Running a web server as root is a terrible idea. But security tools need root to do their job. The daemon solves this by acting as a controlled gateway.
**How it works:**
1. The daemon listens on a Unix domain socket at `/var/run/autarch-daemon.sock`
2. Every request is signed with **HMAC-SHA256** using a shared secret generated at daemon startup
3. Requests include a nonce for replay protection (30-second expiry window)
4. The daemon enforces a strict **command whitelist** — 68 pre-approved shell commands can be executed, plus 2 built-in Python actions:
- `__capture__` — runs scapy packet capture as root, writes pcap files
- `__wifi_scan__` — runs `iw` WiFi scanning as root
5. **45 commands are explicitly blocked** (rm, mkfs, dd, shutdown, etc.) as a safety net
6. The shared secret is readable only by the daemon (root) and the autarch user's group
**Starting the daemon:**
```bash
# Direct
sudo python3 core/daemon.py
# Via systemd
sudo systemctl start autarch-daemon
# Via the GTK launcher (uses pkexec for elevation)
python launcher.py
```
---
## HAL AI Analyst
Every defensive and analysis tool in AUTARCH can automatically send its output to HAL — the built-in AI analyst powered by whatever LLM backend you have configured.
When you run a scan, check logs, or analyze a file, HAL:
1. Receives the raw tool output
2. Analyzes it in context (what tool produced it, what was being scanned)
3. Returns a structured assessment: **Summary**, **Findings**, **Risk Level** (CLEAN/LOW/MEDIUM/HIGH/CRITICAL), and **Recommendation**
4. Can suggest specific fixes or commands to remediate issues
5. Experimental: can auto-apply fixes with user confirmation
Offensive tools (exploit dev, C2, social engineering, etc.) are excluded from auto-analysis by design — HAL only analyzes defensive output.
---
## MCP Server
AUTARCH exposes its tools via the **Model Context Protocol** for use with Claude Desktop, Claude Code, and other MCP-compatible clients.
**Configuration** (in `autarch_settings.conf`):
```ini
[mcp]
enabled = true
transport = sse
host = 0.0.0.0
port = 8081
```
**Connecting Claude Desktop:**
Add to your Claude Desktop MCP config:
```json
{
"mcpServers": {
"autarch": {
"url": "http://localhost:8081/sse"
}
}
}
```
**Connecting Claude Code:**
```bash
claude mcp add autarch http://localhost:8081/sse
```
This gives Claude direct access to AUTARCH's security tools — network scanning, WHOIS lookups, DNS enumeration, GeoIP resolution, packet capture, and more.
---
## Network Security
The Network Security module provides 8 specialized tabs for monitoring and defending your network:
| Tab | Function |
|-----|----------|
| **Connections** | Active connection analysis, ARP table inspection, interface enumeration |
| **Intrusion Detection** | IDS rule scanning, anomaly detection, alert management |
| **Rogue Devices** | Scan for unknown/unauthorized devices on your network, maintain a known-device whitelist |
| **Monitor** | Real-time packet capture and connection monitoring with live streaming |
| **WiFi Scanner** | Enumerate nearby wireless networks with signal strength, encryption, and channel data |
| **Attack Detection** | Detect deauthentication floods, evil twin APs, beacon anomalies, and other wireless attacks |
| **ARP Spoof** | Real-time ARP poisoning detection — alerts when MAC/IP mappings change unexpectedly |
| **SSID Map** | Map and track wireless networks over time, identify hidden networks and rogue APs |
All network operations that require root (interface scanning, packet capture, ARP manipulation) are handled through the privileged daemon — the web server itself never runs as root.
---
## Configuration
Settings are managed via `autarch_settings.conf` (auto-generated on first run) and the web UI Settings page.
All settings live in `autarch_settings.conf`, auto-generated on first run. Key sections:
Key sections: `[server]`, `[llm]`, `[msf]`, `[wireguard]`, `[upnp]`, `[hardware]`
| Section | Purpose |
|---------|---------|
| `[autarch]` | Core settings: module path, LLM backend selection, verbosity |
| `[web]` | Web server: host, port, secret key, MCP port |
| `[llama]` | llama.cpp settings: model path, context size, GPU layers, sampling |
| `[claude]` | Anthropic API: key, model, max tokens |
| `[huggingface]` | HuggingFace: API key, model, endpoint, provider |
| `[transformers]` | Local transformers: model path, device, quantization |
| `[msf]` | Metasploit RPC: host, port, credentials |
| `[rsf]` | RouterSploit: install path, defaults |
| `[wireguard]` | VPN: config path, interface, subnet, DNS |
| `[upnp]` | Port forwarding: internal IP, refresh interval, mappings |
| `[osint]` | Recon: thread count, timeout, NSFW toggle |
| `[pentest]` | Pipeline: max steps, chunk size, auto-execute |
| `[autonomy]` | Autonomous response: intervals, threat threshold, agent limits |
| `[agents]` | AI agents: backend, model selection, step limits per provider |
| `[mcp]` | MCP server: transport, auth, rate limits, SSL, tool timeouts |
| `[discovery]` | Device discovery: mDNS, Bluetooth |
| `[revshell]` | Reverse shell listener: host, port, auto-start |
| `[slm]` / `[sam]` / `[lam]` | Multi-tier model routing (small, standard, large) |
### LLM Backends
### Encrypted Vault
- **Local** — llama-cpp-python (GGUF models) or HuggingFace Transformers (SafeTensors)
- **Claude** — Anthropic Claude API
- **OpenAI** — OpenAI-compatible API (custom endpoint support)
- **HuggingFace** — HuggingFace Inference API (8 provider options)
API keys and sensitive credentials can be stored in the encrypted vault instead of plaintext config:
```
data/vault.enc
```
The vault uses AES encryption and is unlocked at runtime. Manage vault entries through the web UI Settings page or the CLI.
---
## Ports
@@ -112,11 +343,16 @@ Key sections: `[server]`, `[llm]`, `[msf]`, `[wireguard]`, `[upnp]`, `[hardware]
| 17322 | Reverse Shell Listener |
| 51820 | WireGuard VPN |
---
## Platform Support
- **Primary:** Linux (Orange Pi 5 Plus, RK3588 ARM64)
- **Supported:** Windows 10/11 (x86_64)
- **WebUSB:** Chromium-based browsers required for Direct mode hardware access
- **Primary:** Linux (Orange Pi 5 Plus, RK3588 ARM64) — all features supported
- **Supported:** Windows 10/11 (x86_64) — daemon features require WSL or are unavailable
- **WebUSB:** Chromium-based browsers required for direct-mode hardware access
- **Android:** Companion app (Archon) for remote management
---
## License
@@ -189,7 +425,7 @@ No, we are not legion. And some of us are getting old, so we might forget. But i
This is not some manifesto, its just a lesson in history and a plea to other hackers. If we don't want history to repeat at the dawn of this new computing era we just entered, we need hackers on the side of....well chaotic good. If you want to join us, find us (we really are not hiding).
*Note: While we try to stay away from politics, this has to be said because no one is saying it. Everyone rather cower to someone who thinks they can do whatever they hell they want. People are f\*cking tired of it, and tired of the people we elected to represent us to scared to say what everyone is thinking.*
*Note: While we try to stay away from politics, this has to be said because no one is saying it. Everyone rather cower to someone who thinks they can do whatever they hell they want. People are f*cking tired of it, and tired of the people we elected to represent us to scared to say what everyone is thinking.*
*Links to our github and automated pentesting and offensive models will be re-added once our website resigned is complete. For now, find them on Huggingface.*
@@ -287,6 +523,7 @@ AUTARCH builds on the work of many outstanding open-source projects. We thank an
- [llama-cpp-python](https://github.com/abetlen/llama-cpp-python) — Python bindings for llama.cpp
- [HuggingFace Transformers](https://github.com/huggingface/transformers) — ML model library
- [Anthropic Claude API](https://docs.anthropic.com/) — Cloud LLM backend
- [OpenAI API](https://platform.openai.com/docs/) — OpenAI-compatible LLM backend
- [FastMCP](https://github.com/jlowin/fastmcp) — Model Context Protocol server
### Security Tools
@@ -312,6 +549,9 @@ AUTARCH builds on the work of many outstanding open-source projects. We thank an
### Python Libraries
- [anthropic](https://github.com/anthropics/anthropic-sdk-python) — Anthropic Python SDK
- [openai](https://github.com/openai/openai-python) — OpenAI Python SDK
- [scapy](https://github.com/secdev/scapy) — Network packet manipulation
- [bcrypt](https://github.com/pyca/bcrypt) — Password hashing
- [requests](https://github.com/psf/requests) — HTTP client
- [msgpack](https://github.com/msgpack/msgpack-python) — Serialization (Metasploit RPC)