GooseStrike
GooseStrike is an AI-assisted, Canadian-themed offensive security and CTF operations toolkit. It blends subnet discovery, CVE/exploit correlation, task orchestration, and agent-driven planning into one cohesive platform designed only for authorized lab environments.
Features
- Scanner – wraps
nmap, preserves MAC/OUI data, captures timestamps/notes, and automatically ingests results with a scan UUID for replay-grade history. - Indexer – parses NVD + Exploit-DB + PacketStorm data into
db/exploits.db, ensuring CVEs, severities, and exploit metadata always live in SQLite for offline ops. - FastAPI backend – tracks assets, services, CVEs, scan runs, MITRE ATT&CK suggestions, and alerts while exposing webhook hooks for n8n automations.
- Task queue + runners – enqueue work for Metasploit, SQLMap, Hydra, OWASP ZAP, the password cracking helper, and now manage every job directly from the dashboard.
- Password cracking automation – orchestrate Hashcat, John the Ripper, or rainbow-table (
rcrack) jobs with consistent logging. - LLM agents – structured recon / CVE / exploit / privilege escalation / planning agents for high-level guidance.
- Claude + HackGPT + Ollama fallback – the LLM router cycles through Claude, HackGPT, then your local Ollama node so targeting recommendations keep flowing even offline.
- Local CVE API server – a standalone FastAPI microservice (
cve_api.py) serves CVE + exploit matches for air-gapped use. - Web UI – Canadian-themed dashboard that now shows assets, scan history, MITRE recommendations, the task queue, and inline forms to submit tool runs or password-cracking jobs inspired by OWASP Nettacker & Exploitivator playbooks.
- Roadmap + mock data –
/core_snapshot,/roadmap, and/mock/dashboard-datafeed both the live UI and a static mock dashboard so you can preview GooseStrike with fake sample data (served at/mockup). - Armitage-style frontend –
/armitagerenders a radial host/service/CVE graph with mock or live data for briefing-style screenshots. - Integration health checks –
/integrations/test/n8nand/integrations/test/ollamaverify automation + AI endpoints from the backend without leaving the UI.
Delivery status
The table below summarizes what has landed versus what remains from the running request list.
| Area | Status | Notes |
|---|---|---|
| Core scanner + history | ✅ Complete | CIDR scanning with MAC/OUI capture, scan UUIDs, and /scans history APIs are live. |
| CVE / exploit indexer | ✅ Complete | indexer.py hydrates db/exploits.db from NVD, Exploit-DB, and PacketStorm mirrors. |
| FastAPI backend + web UI | ✅ Complete | Canadian-themed dashboard, /assets, /roadmap, /mock/dashboard-data, /mockup, webhook, and task endpoints shipped. |
| Task queue + tool runners | ✅ Complete | SQLite-backed queue plus Metasploit, SQLMap, Hydra, ZAP, and password-cracking runners. |
| MITRE/ATT&CK suggestions | ✅ Complete | mitre_mapping.py drives /attack_suggestions and the UI cards. |
| Password cracking helper | ✅ Complete | password_cracker_runner.py supports Hashcat, John, and rainbow tables with log capture. |
| Mock dashboard data | ✅ Complete | GET /mock/dashboard-data and /mockup render the full interface with sample data for demos. |
| Roadmap + core snapshot APIs | ✅ Complete | /core_snapshot + /roadmap expose the same copy used in the UI. |
| docker-compose goosestrike full stack | ✅ Complete | docker-compose.goosestrike-full.yml now launches API, scanner, indexer, CVE API, HackGPT relay, and n8n together. |
| HackGPT API container | ✅ Complete | hackgpt_api.py relays prompts to n8n webhooks and ships as its own container. |
| Local CVE API server | ✅ Complete | cve_api.py exposes the offline CVE mirror over FastAPI/uvicorn. |
| Claude + HackGPT fallback system | ✅ Complete | app/agents/llm_router.py automatically fails over between providers. |
n8n workflow .json import |
✅ Complete | /n8n/workflows/import persists exports and /n8n/workflows lists them. |
| Target prioritizer AI agent | ✅ Complete | app/agents/prioritizer_agent.py powers the /agents/prioritize endpoint. |
| SVG architecture diagram | ✅ Complete | web/static/architecture.svg is linked below. |
| Armitage-style dashboard view | ✅ Complete | /armitage renders the radial host/service/CVE graph with live data. |
| Mythic/Sliver C2 bridge | 🔸 Optional | C2 integration untouched pending scoping. |
GooseStrike Core snapshot
| Highlight | Details |
|---|---|
| 🔧 Stack | Nmap, Metasploit, SQLMap, Hydra, OWASP ZAP (all wired into runners) |
| 🧠 AI-ready | External LLM exploit assistant hooks for Claude / HackGPT / Ollama |
| 📚 Offline CVE mirroring | update_cve.sh keeps the SQLite CVE/exploit mirror fresh when air-gapped |
| 🗂 Branding kit | ASCII banner, official crest, and PDF-ready branding pack for your ops briefings |
| 📜 CVE helpers | Scan-to-CVE JSON matching scripts pulled from Nettacker / Exploitivator inspirations |
| 📦 Artifact drops | goosestrike-cve-enabled.zip & hackgpt-ai-stack.zip ship with READMEs + architecture notes |
Coming next (roadmap you requested)
| Task | Status |
|---|---|
🐳 Build docker-compose.goosestrike-full.yml |
✅ Complete |
| 🧠 HackGPT API container (linked to n8n) | ✅ Complete |
| 🌐 Local CVE API server | ✅ Complete |
| 🧬 Claude + HackGPT fallback system | ✅ Complete |
🔄 n8n workflow .json import |
✅ Complete |
| 🎯 Target "prioritizer" AI agent | ✅ Complete |
| 🧭 SVG architecture diagram | ✅ Complete |
| 🖥 Dashboard frontend (Armitage-style) | ✅ Complete |
| 🔐 C2 bridging to Mythic/Sliver | Optional |
You can query the same table programmatically at GET /roadmap or fetch the bullet list at GET /core_snapshot.
Architecture Overview
scanner.py -> /ingest/scan ---->
FastAPI (api.py) ---> db/goosestrike.db
| ├─ assets / services / service_cves
| ├─ scan_runs + scan_services (historical state)
| └─ attack_suggestions + alerts
indexer.py -> db/exploits.db --/ |
REST/JSON + Web UI (assets, scans, MITRE)
|
+-> task_queue.py -> runners (metasploit/sqlmap/hydra/zap) -> logs/
+-> app/agents/* (LLM guidance)
+-> n8n webhooks (/webhook/n8n/*)
Quickstart
-
Clone & install dependencies
git clone <repo> cd GooseStrike pip install -r requirements.txt # create your own env if desired -
Run the API + UI
uvicorn api:app --reloadVisit http://localhost:8000/ for the themed dashboard.
-
Index CVEs & exploits (required for CVE severity + MITRE context)
python indexer.py --nvd data/nvd --exploitdb data/exploitdb --packetstorm data/packetstorm.xml -
Scan a subnet
python scanner.py 192.168.1.0/24 --fast --api http://localhost:8000 --notes "Lab validation"Every run stores MAC/OUI data, timestamps, the CLI metadata, and the raw payload so
/scanskeeps a tamper-evident trail. -
Enqueue tool runs
python task_queue.py enqueue sqlmap "http://example" '{"level": 2}'Then invoke the appropriate runner (e.g.,
python sqlmap_runner.py) inside your own automation glue. -
Crack passwords (hashcat / John / rainbow tables)
python task_queue.py enqueue password_cracker hashes '{"crack_tool": "hashcat", "hash_file": "hashes.txt", "wordlist": "/wordlists/rockyou.txt", "mode": 0}' python password_cracker_runner.pyAdjust the JSON for
crack_tool(hashcat,john, orrainbow) plus specific options like masks, rules, or rainbow-table paths. Prefer the dashboard forms if you want to queue these jobs without hand-writing JSON.
Customizing the dashboard logo
Drop the exact artwork you want to display into web/static/uploads/ (PNG/SVG/JPG/WebP). The UI auto-loads the first supported file it finds at startup, so the logo you uploaded appears at the top-right of the header instead of the default crest. If you need to host the logo elsewhere, set GOOSESTRIKE_LOGO to a reachable URL (or another /static/... path) before launching uvicorn.
API Examples
-
Ingest a host
curl -X POST http://localhost:8000/ingest/scan \ -H 'Content-Type: application/json' \ -d '{ "ip": "10.0.0.5", "mac_address": "00:11:22:33:44:55", "mac_vendor": "Acme Labs", "scan": {"scan_id": "demo-001", "scanner": "GooseStrike", "mode": "fast"}, "services": [ {"port": 80, "proto": "tcp", "product": "nginx", "version": "1.23", "cves": ["CVE-2023-12345"]} ] }' -
List assets
curl http://localhost:8000/assets -
Get CVE + exploit context
curl http://localhost:8000/cve/CVE-2023-12345 -
Review scan history + MITRE suggestions
curl http://localhost:8000/scans curl http://localhost:8000/attack_suggestions -
Roadmap + mock data
curl http://localhost:8000/core_snapshot curl http://localhost:8000/roadmap curl http://localhost:8000/mock/dashboard-dataPreview the populated UI without touching production data at http://localhost:8000/mockup .
-
Import + list n8n workflows
curl -X POST http://localhost:8000/n8n/workflows/import \ -H 'Content-Type: application/json' \ -d '{"name": "drop-scan", "workflow": {"nodes": ["scan", "notify"]}}' curl http://localhost:8000/n8n/workflows -
Queue & review tasks
curl -X POST http://localhost:8000/tasks \ -H 'Content-Type: application/json' \ -d '{ "tool": "password_cracker", "target": "lab-hash", "params": {"crack_tool": "hashcat", "hash_file": "hashes.txt", "wordlist": "rockyou.txt"} }' curl http://localhost:8000/tasksWorkers can update entries through
POST /tasks/{task_id}/statusonce a run completes. -
n8n webhook
curl -X POST http://localhost:8000/webhook/n8n/new_cve \ -H 'Content-Type: application/json' \ -d '{"cve_id": "CVE-2023-12345", "critical": true}' -
Armitage data + prioritizer agent
curl http://localhost:8000/armitage/data curl -X POST http://localhost:8000/agents/prioritize \ -H 'Content-Type: application/json' \ -d '{"assets": [{"ip": "10.0.0.21", "services": []}]}'
Full-stack Docker Compose
Bring everything (API, scanner, indexer, HackGPT relay, CVE API, and n8n) up in one go:
docker compose -f docker-compose.goosestrike-full.yml build
docker compose -f docker-compose.goosestrike-full.yml up -d api hackgpt cve-api n8n
# open http://localhost:8000 for the UI and http://localhost:8500/prompt for the HackGPT relay
Use docker compose ... run --rm scanner python scanner.py ... or ... run --rm indexer python indexer.py to execute jobs from dedicated containers.
HackGPT relay + Claude / HackGPT / Ollama fallback
hackgpt_api.pyexposesPOST /prompt(default on port 8500) and forwards every call toN8N_WEBHOOK_URLso your automation workflows can react instantly.- Set any combination of
CLAUDE_API_URL,HACKGPT_API_URL, andOLLAMA_BASE_URL/OLLAMA_API_URL(with optionalCLAUDE_API_KEY,HACKGPT_API_KEY, andOLLAMA_MODEL). The router inapp/agents/llm_router.pywill try Claude first, then HackGPT, and finally fall back to the local Ollama instance. - The new
/integrations/test/ollamaroute helps you confirm GooseStrike can reach your Ollama node before relying on it for agent prompts.
Local CVE API server
Run uvicorn cve_api:app --host 0.0.0.0 --port 8600 (or use the compose file) to offer offline CVE lookups:
curl http://localhost:8600/cve/CVE-2023-12345
curl "http://localhost:8600/search?q=openssl"
The service reads the same db/exploits.db populated by indexer.py.
Armitage-style dashboard + mock graph
- Browse
http://localhost:8000/armitagefor the live radial graph. GET /armitage/datareturns the same JSON used by the view, whileGET /mock/armitage-dataexposes the sample payload for demos.
Target prioritizer agent
Send any subset of AssetOut structures to POST /agents/prioritize to receive ranked notes backed by the LLM fallback path. Use it in tandem with the MITRE cards to plan next actions.
Password cracking runner
password_cracker_runner.py centralizes cracking workflows:
- Hashcat – supply
hash_file,wordlistormask, and optionalmode,attack_mode,rules,workload, or arbitraryextra_args. - John the Ripper – provide
hash_fileplus switches likewordlist,format,rules,incremental, orpotfile. - Rainbow tables – call
rcrackby specifyingtables_pathalong with eitherhash_valueorhash_fileand optional thread counts.
All runs land in logs/ with timestamped records so you can prove what was attempted during an engagement.
Kali Linux Docker stack
Need everything preloaded inside Kali? Use the included Dockerfile.kali and docker-compose.kali.yml:
docker compose -f docker-compose.kali.yml build
docker compose -f docker-compose.kali.yml up -d api
# run scanners or runners inside dedicated containers
docker compose -f docker-compose.kali.yml run --rm scanner python scanner.py 10.0.0.0/24 --fast --api http://api:8000
docker compose -f docker-compose.kali.yml run --rm worker python password_cracker_runner.py
The image layers the GooseStrike codebase on top of kalilinux/kali-rolling, installs nmap, masscan, sqlmap, hydra, metasploit-framework, hashcat, john, and rainbowcrack, and exposes persistent db/, logs/, and data/ volumes so scan history and cracking outputs survive container restarts.
Extending GooseStrike
- Add a new runner by following the
runner_utils.run_subprocesspattern and placing a<tool>_runner.pyfile that interprets task dictionaries safely. - Add more agents by subclassing
app.agents.base_agent.BaseAgentand exposing a simplerun(context)helper similar to the existing agents. - Enhance the UI by editing
web/templates/index.html+web/static/styles.cssand creating dedicated JS components that consume/assets,/scans, and/attack_suggestions. - Integrate orchestration tools (n8n, Celery, etc.) by interacting with
task_queue.pyand the FastAPI webhook endpoints.
Safety & Legal Notice
GooseStrike is intended for authorized security assessments, CTF competitions, and lab research only. You are responsible for obtaining written permission before scanning, exploiting, or otherwise interacting with any system. The maintainers provide no warranty, and misuse may be illegal.
- Test n8n & Ollama integrations
Both endpoints accept optional overrides and default to the
curl -X POST http://localhost:8000/integrations/test/n8n \ -H 'Content-Type: application/json' \ -d '{"url": "http://n8n.local/webhook/goose", "payload": {"ping": "demo"}}' curl -X POST http://localhost:8000/integrations/test/ollama \ -H 'Content-Type: application/json' \ -d '{"url": "http://localhost:11434", "model": "llama3", "prompt": "ping"}'N8N_WEBHOOK_TEST_URL,OLLAMA_BASE_URL, andOLLAMA_MODELenvironment variables so you can store safe defaults in compose files.