Pentest Suite

Tri-node penetration testing toolkit with Sentinel VPS (default), Tarn-Host, and Izar-Host nodes — recon, exploitation, web application scanning, report generation, target management, and automatic failover

February 25, 2026

The pentest suite lives under /admin/pentest/* and provides a full penetration testing workflow from the browser. It spans eight pages: Dashboard, Assessment, Console, Recon, Exploit, WebApp, Reports, and Targets. Scans run on one of three nodes — Sentinel VPS (default, external perspective), Tarn-Host (Kali VM on Proxmox Tarn-Host), or Izar-Host (Kali VM on Proxmox Izar-Host) — with automatic failover if the selected node is offline. Node selection is handled via the ?node= query parameter and persisted in localStorage.

Dashboard (/admin/pentest)

The pentest dashboard is the landing page for the suite. It aggregates tri-node health, active scan status, and quick-launch shortcuts into a single view.

Node Health

The dashboard polls two endpoints on a 5-second interval:

  • /api/admin/pentest/nodes — returns the status of all three pentest nodes: Sentinel VPS (external, 178.156.247.186), Tarn-Host (Kali VM at 192.168.20.229), and Izar-Host (Kali VM at 10.42.0.203). Each node reports uptime, version, active scan count, and connectivity latency.
  • /api/admin/pentest/scans — returns all active and recently completed scans for the selected node(s). Each scan entry includes the tool name, target, node, start time, current status (running, completed, failed), and a truncated output preview.

Mode Selector

Four buttons control which node receives scan requests:

  • Sentinel (default) — External VPS, clean public IP, recon-focused toolset
  • Tarn-Host — Kali VM on Proxmox Tarn-Host (Andromeda network), full toolset
  • Izar-Host — Kali VM on Proxmox Izar-Host (Milky Way network), full toolset
  • All — Fan out to all three nodes in parallel

Selection persists in localStorage under the key pentest-mode. The legacy value both is migrated automatically to all.

Automatic Failover

If the selected node is offline, requests automatically route to the next healthy node in the failover chain: sentinel → Tarn-Host → Izar-Host. A warning banner appears: “Sentinel is offline — routing to Tarn-Host”. Failover is both server-side (API proxy) and client-side (dashboard health check).

Statistics Panel

The stats bar shows aggregate numbers: total scans run (lifetime), scans today, active scans, findings count by severity (critical, high, medium, low, info). These numbers pull from the scan history stored server-side.

Scan History (Live/History Toggle)

The “Recent Scans” table has a Live | History toggle:

  • Live (default) — polls the daemon nodes for currently running and recently completed scans. Updates in real-time.
  • History — fetches persisted scan records from Cloudflare D1 via GET /api/admin/pentest/scans?source=saved&limit=50. Shows all historically saved scans with tool, target, node, status, findings count, and date.

When the History tab loads and D1 returns zero results, an auto-sync triggers: the API fetches scan data from all three daemon nodes, persists completed scans to D1, then re-queries. This bootstraps the history on first use without manual intervention.

Quick Launch

Six quick-launch buttons provide one-click access to common scan types: Nmap Quick Scan, Full Recon, Nikto Scan, SSL Check, DNS Enumeration, and Directory Brute Force. Each button pre-populates the relevant tool page with a default preset and the last-used target.

Sentinel Terminal Card

A “Sentinel Terminal” card on the dashboard links directly to /admin/pentest/console?node=sentinel, providing one-click access to the VPS web shell without navigating through the console page’s node selector.

Assessment (/admin/pentest/assessment)

The vulnerability assessment page provides one-click, multi-phase security assessments that chain together multiple scanning tools into a single workflow. Assessments run entirely on the daemon — the browser can be closed and results persist.

Assessment Profiles

Three pre-built profiles cover different depth levels:

| Profile | Duration | Tools | Scope |
| --- | --- | --- | --- |
| Quick | ~5 min | nmap, whatweb, testssl, wafw00f | Port scan, tech fingerprint, SSL audit, WAF detection |
| Standard (recommended) | ~15 min | nmap, whatweb, wafw00f, subfinder, testssl + sslscan, nuclei, nikto | Recon + subdomain enum + SSL audit + vulnerability scanning |
| Comprehensive | ~45+ min | 14 phases: nmap, whatweb, wafw00f, subfinder, dnsrecon, testssl, sslscan, nuclei, nikto, ffuf, gobuster, XSS, SSRF, LFI, CSRF | Full commercial-grade assessment covering recon, SSL, vuln scanning, content discovery, and injection testing |

How Assessments Work

  • Daemon-side execution — assessments run on the selected pentest node’s daemon process. Closing the browser does not stop the scan.
  • SQLite persistence — scan data is stored in SQLite on the daemon host. Results survive frontend outages and sync when the page is revisited.
  • Sequential phases — tools execute one after another in order. Each phase shows status (waiting → scanning → done/failed) with finding counts.
  • Live output — clicking a phase expands the ScanOutput component showing real-time terminal output for the currently running tool.
  • Node perspective — Sentinel runs from a public VPS (external attacker view), Tarn-Host and Izar-Host from internal Kali VMs (LAN perspective).

Target Bar

Same sticky target bar as the Recon page: target input, internal toggle, and preset selector (Arcturus-Prime External, Arcturus-Prime Internal, Custom).

Progress Tracker

During execution, a progress section replaces the profile selector showing:

  • Assessment title with profile and target
  • Overall progress bar (percentage of phases completed)
  • Phase list with per-tool status: icon, tool name, status badge (waiting/scanning/done/failed), finding count
  • Live scan output panel for the currently active phase
  • Cancel button to abort the assessment
  • Recent assessments list below showing previous runs with status

Findings Display

When an assessment completes, the detail view shows structured findings from all phases. Each phase’s scan is fetched from the daemon, parsed via tool-specific parsers (nmap XML, nuclei JSON, testssl JSON, nikto XML, sslscan XML, etc.), and findings are aggregated.

Summary Stats

The detail overlay header initially shows generic stat cards (total findings, completed phases, failed phases, total phases). Once findings load and severity counts are computed, the summary row replaces itself with severity-colored stat cards — each card has a colored top border accent matching its severity (red for critical, amber for high, yellow for medium, cyan for low, slate for info) and shows the count for that severity level.

Severity Breakdown Bar

A proportional stacked bar (10px tall) below the summary shows the severity distribution at a glance. A legend row below the bar labels each severity with a colored dot and count. A bottom border separates the bar section from findings.

| Severity | Color |
| --- | --- |
| Critical | #ef4444 (red) |
| High | #f59e0b (amber) |
| Medium | #eab308 (yellow) |
| Low | #22d3ee (cyan) |
| Info | #64748b (slate) |

Finding Cards

Findings are grouped by severity (critical → high → medium → low → info). Each group is collapsible — critical through low are expanded by default, info is collapsed to reduce noise. Each finding card has a 2px left border colored by its severity for instant visual scanning. Cards show:

  • Title (0.75rem, bold) + tool badge (which scanner found it) + CVSS score badge (color-coded)
  • Description text (truncated at 300 chars)
  • Affected component with monospace code tag
  • Evidence block (monospace, collapsible toggle with icon)
  • Remediation text (green accent with left border)
  • CVE pills (purple badges, e.g., CVE-2024-xxxx)
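The summary, severity bar and grouped card logic described in the sections above, as an added TypeScript example that is not the project's own code: the severity order, colours, 300-character truncation and info-collapsed default come from this page; the Finding shape, function names and sample findings are constructed assumptions.

```typescript
// Added example, not the project's own code: aggregating parsed findings into
// the severity summary, the proportional stacked bar and the grouped,
// collapsible finding lists. Severity order, colours, the 300-character
// truncation and the info-collapsed default come from the page; the Finding
// shape and the sample findings are constructed assumptions.

type Severity = "critical" | "high" | "medium" | "low" | "info";

// Display order and colours as documented.
const ORDER: Severity[] = ["critical", "high", "medium", "low", "info"];
const COLOR: Record<Severity, string> = {
  critical: "#ef4444", high: "#f59e0b", medium: "#eab308", low: "#22d3ee", info: "#64748b",
};

type Finding = {
  title: string;
  tool: string; // which scanner produced it (tool badge)
  severity: Severity;
  description: string;
  cves?: string[];
};

// Counts per severity, including zeros so a stat card renders for every level.
function severityCounts(findings: Finding[]): Record<Severity, number> {
  const counts: Record<Severity, number> = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Segments of the stacked bar: width as a percentage of all findings (one
// decimal place), empty severities dropped so the bar has no zero-width slices.
function severityBar(findings: Finding[]): { severity: Severity; color: string; pct: number }[] {
  const counts = severityCounts(findings);
  if (findings.length === 0) return [];
  return ORDER.filter((s) => counts[s] > 0).map((s) => ({
    severity: s,
    color: COLOR[s],
    pct: Math.round((counts[s] / findings.length) * 1000) / 10,
  }));
}

// Grouped view: one collapsible group per non-empty severity in display order,
// info collapsed by default, card descriptions truncated at 300 characters.
function groupFindings(findings: Finding[]) {
  const clip = (text: string) => (text.length > 300 ? text.slice(0, 300) + "..." : text);
  return ORDER.map((s) => ({
    severity: s,
    expanded: s !== "info",
    items: findings.filter((f) => f.severity === s).map((f) => ({ ...f, description: clip(f.description) })),
  })).filter((g) => g.items.length > 0);
}

// Constructed sample findings, not real scan output.
const SAMPLE: Finding[] = [
  { title: "Directory listing enabled", tool: "nuclei", severity: "high", description: "x".repeat(320) },
  { title: "TLS 1.0 offered", tool: "testssl", severity: "medium", description: "Legacy protocol enabled." },
  { title: "Missing X-Frame-Options header", tool: "nikto", severity: "low", description: "Clickjacking protection absent." },
  { title: "Server banner disclosed", tool: "nmap", severity: "info", description: "Version string visible in banner." },
];
```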

Scan Phases List

Below the findings section, a “Scan Phases” header introduces the per-tool phase rows. Each row shows:

  • Status icon (green check, red X, orange spinner, gray circle) in a circular badge
  • Tool name (bold, 0.8rem)
  • Status text (completed/failed/pending)
  • Findings count as a pill badge (orange background for >0, muted for 0)
  • “View Output” button (opens terminal-style scan output viewer)
  • Duration in a subtle badge (e.g., “2m 12s”)

Rows are separated by subtle bottom borders. Section borders separate summary, severity bar, findings, and phases for clear visual hierarchy.

Data Flow

  • Live assessments: Frontend fetches from daemon via SSR proxy → daemon parses structured file on demand → returns findings in response → proxy persists to D1
  • Historical assessments: scans.ts reads findings from D1 directly (no daemon needed)

Node Diagnostics Panel

A collapsible “Node Diagnostics” panel sits between the info panel and the start button. It provides real-time health checks and troubleshooting guidance for all three pentest nodes.

Running Diagnostics

Click “Run Diagnostics” to check all nodes in parallel. The panel shows:

  • Context banner — Detects whether the site is running on Cloudflare Pages or a local dev server. On CF Pages, a warning explains that internal nodes (Tarn-Host, Izar-Host) are unreachable by design.
  • Per-node results — Each node gets a section showing reachable/unreachable status, followed by individual check rows:
    • Proxy-side checks (run by Arcturus-Prime): environment config, network reachability, JSON response validity, Cloudflare context
    • Daemon-side checks (run by the daemon itself): daemon health, database access, tool availability, disk space, zombie scans, scan capacity
  • Issue badge — After running, the panel summary shows a badge with the total issue count (e.g., “3 issues”) or “all pass”.

Each check shows a pass/warn/fail icon, one-line detail, and (where applicable) a fix command in monospace with a copy-to-clipboard button.

Quick Reference Guide

A nested collapsible “Quick Reference” section contains six cards:

| Card | Content |
| --- | --- |
| Sentinel | External VPS on public internet. Only node reachable from production. |
| Tarn-Host | Kali VM on Andromeda (192.168.20.x). Full toolkit. Internal only. |
| Izar-Host | Kali LXC on Milky Way (10.42.0.x). Full toolkit. Internal only. |
| Why Tarn-Host/Izar-Host Don’t Work from Production | CF Pages runs on Cloudflare edge — can’t reach private IPs. Use local dev server or Sentinel. |
| Assessment Profiles | Quick (~5 min, 4 tools), Standard (~15 min, 8 tools), Comprehensive (~45+ min, 15 tools). |
| Common Errors | “Invalid JSON from daemon” (nginx HTML error page), “All nodes unreachable” (daemons down), “Assessment stuck” (scan tool hung). |

Console (/admin/pentest/console)

The console page provides direct access to pentest nodes via embedded terminal and VNC interfaces. A node selector pill bar at the top switches between Tarn (Kali VM on Proxmox Tarn-Host) and Sentinel VPS, with the available tabs changing based on the selected node.

Node Selector

Two pills at the top of the page control which node is active:

  • Tarn (Kali) — connects to the Kali Linux VM (VMID 150) on Proxmox Tarn-Host. Shows three tabs: Desktop (VNC), Terminal, and Web Shell.
  • Sentinel VPS — connects to the Hetzner VPS. Shows only the Web Shell tab (ttyd at sentinel.Arcturus-Prime.com/terminal/). VNC and Terminal tabs are hidden since Sentinel has no Proxmox VM.

The ?node=sentinel or ?node=Tarn-Host query parameter selects the initial node. The default is Tarn (Kali) when no parameter is provided.

VNC Embed (Tarn only)

The VNCEmbed component connects to the Kali VM’s graphical desktop via noVNC. The VNC connection routes through the Proxmox VNC websocket proxy at Tarn-Host (wss://192.168.20.100:8006). Full keyboard, mouse, and clipboard passthrough are supported. Fullscreen mode is available via button, double-click, or F11. The VNC tab loads immediately when the console page mounts with Tarn selected.

Terminal Embed (Tarn only)

The TerminalEmbed component provides an xterm.js terminal connected to the Kali VM’s shell via WebSocket. This tab is lazy-loaded — the terminal connection does not initialize until the user switches to the Terminal tab. The terminal supports ANSI colors, resize events, fullscreen mode (button, double-click), and a 5,000-line scrollback buffer.

Web Shell (Both nodes)

The Web Shell tab embeds a ttyd instance via iframe. For Tarn, it loads http://192.168.20.229:7681/terminal/. For Sentinel, it loads https://sentinel.Arcturus-Prime.com/terminal/. The ttyd instances provide full SSH shell access in the browser.

Recon (/admin/pentest/recon)

The recon page is the primary reconnaissance interface. It provides access to seven scanning tools, all called through /api/admin/pentest/scan/{tool}:

| Tool | Purpose | Default Options |
| --- | --- | --- |
| nmap | Port scanning and service detection | -sV -sC, top 1000 ports |
| whatweb | Web technology fingerprinting | Aggression level 3 |
| subfinder | Subdomain enumeration | Passive sources only |
| amass | Advanced subdomain discovery | Passive enum mode |
| testssl | SSL/TLS configuration testing | Full checks, JSON output |
| whois | Domain registration lookup | Standard query |
| dns | DNS record enumeration | A, AAAA, MX, TXT, NS, CNAME |

Sticky Target Bar

A sticky bar at the top of the recon page persists across tool switches. It contains three controls:

  • Target input — the hostname, IP, or URL to scan. Supports single targets and CIDR ranges for nmap.
  • Node selector — toggle between Izar-Host and Tarn-Host. The selector shows a green/red dot for each node based on the last health check.
  • Preset selector — dropdown with saved target presets (Arcturus-Prime External, Arcturus-Prime Internal, Custom). Selecting a preset populates the target field.

Switching between tools preserves the current target and node selection. Each tool section renders tool-specific options below the sticky bar (port range for nmap, aggression level for whatweb, source selection for subfinder, etc.).

Exploit (/admin/pentest/exploit)

The exploit page provides active exploitation tools. A permanent disclaimer banner at the top warns that these tools perform active exploitation and should only be used against authorized targets.

Available Tools

  • XSS Scanner — tests for reflected, stored, and DOM-based cross-site scripting vulnerabilities. Supports custom payloads and encoding options.
  • CSRF Tester — generates CSRF proof-of-concept forms and tests for token validation weaknesses.
  • SSRF Scanner — probes for server-side request forgery by testing internal URL access from the target’s perspective.
  • LFI/RFI Scanner — tests for local and remote file inclusion vulnerabilities with path traversal payloads.
  • Prompt Injection — tests AI-powered endpoints for prompt injection vulnerabilities using a library of injection payloads.

Each tool accepts a target URL, optional authentication credentials, and tool-specific parameters. Results are streamed through the ScanOutput component and can be exported to the Reports page.

WebApp (/admin/pentest/webapp)

The web application scanning page provides access to eight web-focused scanning tools:

| Tool | Focus | Key Options |
| --- | --- | --- |
| nikto | Web server misconfiguration | Tuning options, plugin selection |
| nuclei | Template-based vulnerability scanning | Template tags, severity filter |
| ZAP | OWASP ZAP active/passive scanning | Scan policy, spider depth |
| sqlmap | SQL injection detection and exploitation | Injection technique, risk/level |
| ffuf | Web fuzzing (directories, parameters) | Wordlist selection, match/filter codes |
| gobuster | Directory and DNS brute forcing | Mode (dir/dns/vhost), wordlist |
| wfuzz | Advanced web fuzzing | Payload position, encoders |
| wpscan | WordPress vulnerability scanning | Enumerate plugins/themes/users |

Each tool renders a dedicated options panel with controls specific to that tool’s capabilities. For example, sqlmap shows injection technique checkboxes (boolean, time, union, error, stacked), risk level slider (1-3), and level slider (1-5). Nuclei shows template tag filters and severity checkboxes. All tools share the target input from the sticky bar and route to the selected pentest node.

Reports (/admin/pentest/reports)

The reports page manages scan reports generated from completed scans. Reports are fetched from /api/admin/pentest/reports.

Report Format

Reports support two format modes, toggled with a button in the report viewer:

  • Markdown — rendered Markdown with syntax highlighting for code blocks and findings tables. Suitable for copying into documentation or Gitea issues.
  • HTML — fully styled HTML report with severity-colored finding cards, expandable evidence sections, and a table of contents. Suitable for sharing with stakeholders.

Frontmatter Generation

Each report includes generated frontmatter with metadata: scan date, target, tools used, finding counts by severity, node used, and scan duration. This frontmatter follows the Arcturus-Prime docs collection schema so reports can optionally be saved as documentation entries.

Report Management

The reports list shows all generated reports sorted by date. Each entry displays the target, scan type, finding count, and severity breakdown. Reports can be downloaded, deleted, or opened in the viewer. Completed scans from the Recon, Exploit, and WebApp pages have a “Generate Report” button that creates a report from the scan results.

Targets (/admin/pentest/targets)

The targets page manages scan target presets and custom target definitions.

Preset Targets

Two built-in presets ship by default:

  • Arcturus-Prime External — targets the public-facing Arcturus-Prime infrastructure: Arcturus-Prime.com, gitea.Arcturus-Prime.com, and all Cloudflare-fronted subdomains. This preset includes a Cloudflare bypass toggle that routes scans through the origin IP on Altair-Link (10.42.0.199) instead of through Cloudflare’s CDN.
  • Arcturus-Prime Internal — targets the internal homelab network: Altair-Link (10.42.0.199), Proxmox Izar-Host (10.42.0.2), Proxmox Tarn-Host (192.168.20.100), Meridian-Host (192.168.20.50), and all known internal services.

Custom Targets

Users can create custom target definitions with:

  • Name — descriptive identifier
  • Scope — list of hostnames, IPs, and/or CIDR ranges
  • Notes — freeform notes about the target (authorization scope, known services, etc.)
  • Cloudflare bypass — toggle to route through origin IP for Cloudflare-protected targets

Custom targets are stored server-side and appear in the preset selector dropdown on all scan pages.

ScanOutput Component

The ScanOutput component is shared across the Recon, Exploit, and WebApp pages. It renders a terminal-style output viewer for scan results with the following features:

Streaming Output

ScanOutput uses a dual transport strategy for real-time output:

  1. WebSocket streaming (primary) — connects to a WebSocket endpoint that streams scan output as it is generated. Provides true real-time output with minimal latency.
  2. Polling fallback — if the WebSocket connection fails or is unavailable, the component falls back to polling the scan status endpoint at 2-second intervals. This handles cases where WebSocket connections are blocked by proxies or firewalls.

Viewer Features

  • Auto-scroll — output automatically scrolls to the bottom as new lines arrive. A manual scroll override pauses auto-scroll (detected by scrolling up), and a “Jump to bottom” button re-enables it.
  • Copy — copies the full scan output to the clipboard.
  • Clear — clears the output viewer (does not stop the scan).
  • ANSI color rendering — scan output preserves terminal colors from tools like nmap and nuclei that use colored output for severity and categorization.

Multi-Node Architecture

All scan pages support routing to Sentinel VPS, Tarn-Host, or Izar-Host via the ?node= query parameter. The parameter accepts sentinel, Tarn-Host, Izar-Host, or all and defaults to sentinel when omitted.

Three Nodes, Three Perspectives

| Node | Location | Network | Perspective | Toolset |
| --- | --- | --- | --- | --- |
| Sentinel (default) | Hetzner VPS, Ashburn VA | Public internet | External — same view as an attacker | Recon-focused (nmap, nikto, nuclei, testssl, subfinder) |
| Tarn-Host | Proxmox Tarn-Host, Andromeda | 192.168.20.0/24 | Internal — remote site LAN | Full Kali (20+ tools including sqlmap, hydra, ffuf) |
| Izar-Host | Proxmox Izar-Host, Milky Way | 10.42.0.0/24 | Internal — local site LAN | Full Kali (20+ tools) |

Node selection affects:

  • Which daemon executes the scan
  • Which Proxmox host the Console page connects to (Tarn-Host/Izar-Host only — VPS has no VNC)
  • Which network perspective the scan runs from

Failover Chain

sentinel → Tarn-Host → Izar-Host

If the selected node is unreachable (5xx or timeout), the API proxy (/api/admin/pentest/[...path]) automatically tries the next node. Response headers indicate when failover occurred:

  • X-Pentest-Node: Tarn-Host — which node actually handled the request
  • X-Pentest-Failover: true — failover was used
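The node resolution from the Dashboard and Multi-Node Architecture sections and the failover chain just described, as an added TypeScript example that is not the project's own code: the node names, chain order, default, the legacy both value and the X-Pentest-* headers are from this page; the function names, the Upstream shape, the injected fetch callback and the assumption that the chain does not wrap around are mine.

```typescript
// Added example, not the project's own code: client-side mode resolution and
// proxy-side failover modelled on this doc. Node names, chain order, default,
// the legacy "both" value and the X-Pentest-* headers come from the page; the
// function names, the Upstream shape and the injected fetch callback are assumed.

type NodeName = "sentinel" | "Tarn-Host" | "Izar-Host";
type Mode = NodeName | "all";

// Failover chain as documented: sentinel -> Tarn-Host -> Izar-Host.
const CHAIN: NodeName[] = ["sentinel", "Tarn-Host", "Izar-Host"];
const MODES: Mode[] = [...CHAIN, "all"];

// ?node= wins over the persisted localStorage('pentest-mode') value, which wins
// over the default (sentinel). Legacy "both" migrates to "all"; unknown values
// fall back to the default rather than being passed through to the proxy.
function resolveMode(queryNode: string | null, stored: string | null): Mode {
  const raw = queryNode ?? stored ?? "sentinel";
  const migrated = raw === "both" ? "all" : raw;
  return (MODES as string[]).includes(migrated) ? (migrated as Mode) : "sentinel";
}

// Nodes to try, in order. "all" fans out to every node; a single node is tried
// first, then the nodes after it in the chain (assumed: the chain does not wrap).
function failoverOrder(mode: Mode): NodeName[] {
  return mode === "all" ? [...CHAIN] : CHAIN.slice(CHAIN.indexOf(mode));
}

// Client-side failover from the dashboard health check: pick the first healthy
// node in order and produce the warning banner when it is not the selected one.
function routeWithHealth(
  mode: NodeName,
  healthy: Record<NodeName, boolean>,
): { node: NodeName | null; banner: string | null } {
  const node = failoverOrder(mode).find((n) => healthy[n]) ?? null;
  if (node === null) return { node, banner: "All nodes unreachable" };
  return { node, banner: node === mode ? null : `${mode} is offline, routing to ${node}` };
}

type Upstream = { status: number; body: string };
type FetchFn = (node: NodeName, path: string) => Promise<Upstream>;
type Proxied = Upstream & { headers: Record<string, string> };

// Server-side failover in the API proxy: a 5xx or a thrown error (timeout,
// connection refused) moves on to the next node. The reply records which node
// actually answered and whether failover happened, in the documented headers.
async function proxyWithFailover(mode: NodeName, path: string, fetchImpl: FetchFn): Promise<Proxied> {
  for (const node of failoverOrder(mode)) {
    try {
      const res = await fetchImpl(node, path);
      if (res.status >= 500) continue;
      return {
        ...res,
        headers: { "X-Pentest-Node": node, "X-Pentest-Failover": String(node !== mode) },
      };
    } catch {
      continue; // unreachable: try the next node in the chain
    }
  }
  return { status: 502, body: "All nodes unreachable", headers: {} };
}
```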

Environment Variables (CF Pages)

| Variable | Node | Value |
| --- | --- | --- |
| PENTEST_VPS_DAEMON_URL | Sentinel | https://sentinel.Arcturus-Prime.com/pentest-api |
| PENTEST_VPS_API_KEY | Sentinel | (secret) |
| PENTEST_DAEMON_URL | Tarn-Host | http://100.70.89.105:8095 |
| PENTEST_API_KEY | Tarn-Host | (secret) |
| PENTEST_IO_DAEMON_URL | Izar-Host | http://10.42.0.203:8095 |
| PENTEST_IO_API_KEY | Izar-Host | (secret) |

Running scans from all three nodes provides coverage from three different network vantage points — useful for testing firewall rules, Cloudflare protection, Tailscale ACLs, and routing behavior from external and internal perspectives.
