Pākiki is an intercepting proxy, allowing you to view and manipulate network requests between your web browser and the servers its communicating with. It is designed for web application penetration testing, but could be used for general debugging of applications, etc. It is similar in principle to mitmproxy or ZAP.
It takes the philosophy of do one thing, and do it well. The intent is not to pack in features which are rarely, if ever, used in practice. This is especially true where good quality standalone tools already exist.
This repository contains the core which proxies traffic, and exposes an API to interact with the captured traffic and perform other key functions. When compiled, it includes a web interface. The web interface is intended to be used for forward deployments, quick testing, or where the desktop interfaces won't otherwise run. It's not as polished as or as featureful as the dedicated desktop interface(s).
While this is tested periodically on Windows and MacOS, the majority of building/testing takes place on Kali. Builds are provided as part of the GUI release and can be downloaded at https://github.com/forensant/pakiki-frontend-gtk/releases
One of the reasons for developing this is to give back to the community. I want to help people who are new to pentesting, while still having 99% of what experienced pentesters need day to day.
Please only use this against applications that you have permission to test.
Feedback would be greatly appreciated.
Ensure dependencies (below) have been met.
After checking out the repository, you'll need to retrieve the code for the HTML frontend with:
git submodule init
git submodule update
You can then cd into the www/html_frontend/ directory and run ./build.sh
to build the frontend.
Then to build the main core, from the root directory of the project run ./scripts/build.sh
If you're going to be running a development build, then will also need to copy the pythoninterpreter executable and the python310 dependency directory (generated as part of the build script) into the working directory.
go install github.com/swaggo/swag/cmd/swag
)
You may need to ensure that the go bin directory is in your path. On Unix, you can add
export PATH=$PATH:~/go/bin
to your .bashrc or similar.
Make sure that a gcc environment is present and in the path (for example mingw) Prior to building, go into the tools directory and compile the PythonInterpreter. Then copy the output to build\pakikipythoninterpreter.exe. For commands below, use the .ps1 scripts rather than the bash scripts.
HomeBrew will need to be installed with python3.10, with both x86_64 and arm64 support:
For arm64 on an M1 Mac, run:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
brew install python@3.10
For x86_64 support, run:
arch --x86_64 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
arch --x86_64 /usr/local/bin/brew install python@3.10
At this point, Python is only compiled with x86_64 support, so that we're only bundling one set of libraries
Linux requires the following dependencies to build Pākiki:
The installation will depend on your particular distribution.
sudo apt install build-essential python3.11-dev ruby npm
Ensure you have built the project using the build script at least once to create the necessary dependencies.
To launch the development version, from the build directory run: go run ../cmd/pakikicore/main.go -project sample_project.prx
To run the HTML frontend go into that directory and run npm run serve
Contributions, issues and feature requests are welcome.
Feel free to check issues page if you want to contribute.
Check the contributing guide.
While this core will remain free and open source, there will be commercial frontends built on top in the future with further features which are designed to help professional pentesters.
This project is MIT licensed.