All No Hat Hacker tools use a unified 3-factor authentication flow. No passwords — ever.

On your very first login, after the email code step you will be shown a QR code to scan with Google Authenticator. Scan it once and confirm with the first 6-digit code. From that point on, step 3 is just entering the rotating code from the app.

Session data is stored locally at ~/.config/eps/session.json. It contains your session token and the database decryption key. The file is set to 0600 permissions automatically.

Manage your license, download binaries, and view invoices at nohathacker.com/portal. Same 3FA login applies.

CS ships a lightweight project management framework built around five plain-text Markdown files. Every worker — human or AI — reads and writes the same files. Git keeps everyone in sync. The LOCKED pattern prevents drift: once an item moves forward in the pipeline, it is frozen and future changes go through the proper channel.

When an item is processed into the next layer of the pipeline, it receives a LOCKED marker and must never be modified again. To change it, open a new entry in the appropriate upstream register.

This rule is absolute: locked = frozen. The pipeline that follows it is already built from that snapshot.

CS includes built-in rsync-based file sync between mesh nodes. Push PM files and the almanac to a peer, or pull from one — no manual rsync commands needed.

Not every worker needs a git account. One node holds the credentials and acts as the vault. All others sync through it using cs mesh push-files / pull-files.

Tor + WireGuard Machine Mesh

Infrastructure guide · Linux · Leave machines at the office, orchestrate from anywhere

This guide builds a private mesh network that lets you reach every machine you own — regardless of NAT, corporate firewalls, or dynamic IPs. WireGuard carries the fast day-to-day traffic. Tor hidden services act as an always-on fallback for SSH when the office firewall blocks UDP or the WireGuard connection drops. Together they give you a resilient, authenticated, zero-trust tunnel to any machine in your fleet.

Hub-and-spoke, not full mesh. The VPS is the single WireGuard endpoint every spoke dials. Office machines never need an open inbound port — they initiate outbound UDP to the VPS on port 51820. From home you reach any office machine by routing through the VPS subnet (10.99.0.0/24). Tor is a parallel channel you fall back to when WireGuard is unavailable.

Run these commands once on your public VPS. This machine becomes the hub every spoke dials in to.

Create /etc/wireguard/wg0.conf on the VPS. Add a [Peer] block for every machine in the mesh.

Repeat on every machine you want in the mesh. Change Address to the unique IP for that machine (home = 10.99.0.2, office-1 = 10.99.0.10, office-2 = 10.99.0.11, etc.).

Install Tor on each office machine and expose its SSH port as a hidden service. This gives every machine a stable .onion address that works even behind the strictest corporate firewall — no port forwarding, no dynamic DNS needed.

The hidden service key lives at /var/lib/tor/ssh_hs/hs_ed25519_secret_key. Back it up — if you lose it, the onion address changes.

Set up SSH aliases so you can type ssh office1 for the fast WireGuard path and ssh office1-tor when WireGuard is down. Tor requires a local Tor instance running at 127.0.0.1:9050.

WireGuard reconnects automatically after a reboot — systemctl enable wg-quick@wg0 handles that. Office machines behind NAT need PersistentKeepalive = 25 (already in the config above) so the NAT mapping stays alive even when idle.

Document the mesh in your project's TEAM.md so every CSK worker knows which machine does what. The deployer worker can then SSH into any mesh machine by name.

HawkEye

HawkEye is a professional-grade, all-in-one vulnerability assessment platform built as a native desktop application. It covers every stage of a modern pentest or red-team engagement — from raw network discovery to exploit chaining, PDF report generation, and one-click push to your ticketing system.

What Makes HawkEye Different

Most scanners are single-purpose: Nmap enumerates, Nuclei templates scan, ZAP fuzzes. HawkEye chains all of those engines together in a single workflow and adds capabilities found nowhere else at this price point:

The Seven Phases

Every scan runs a configurable pipeline of up to seven phases. Each phase feeds findings into the next.

Core Design Principles

• Native desktop, zero cloud dependency — all processing is local. Credentials never leave your machine.
• Parallel work-stealing engine — up to 10 concurrent scan workers with automatic load balancing.
• Scan history & delta diffing — compare any two scans to track remediation progress or detect regressions.
• Pluggable integrations — push findings directly to Jira, Linear, Slack, or any webhook endpoint.
• Report-grade output — one-click HTML and PDF reports suitable for client delivery.

Installation & Setup

System Requirements

Build from Source

HawkEye uses the Rust toolchain. Install Rust via rustup, then:

git clone https://github.com/mradamantware/HawkEye
cd HawkEye
cargo build --release
# Binary at: ./target/release/hawk_eye

On Linux you may need system libraries for the GUI backend:

# Ubuntu / Debian
sudo apt install libxcb-render0-dev libxcb-shape0-dev libxcb-xfixes0-dev \
                 libspeechd-dev libxkbcommon-dev libssl-dev

# Fedora / RHEL
sudo dnf install libxcb-devel libxkbcommon-devel openssl-devel

Optional External Tools

HawkEye can run without any of these, but each unlocks additional scan phases. Install only what you need.

First Launch

Run the binary directly — no install step required:

./target/release/hawk_eye

HawkEye creates its data directory at ~/.hawkeye/ on first launch. Scan history is stored at ~/.hawkeye/history/ as individual JSON files.

NVD API Key (Optional but Recommended)

Phase 2 queries the National Vulnerability Database. Without a key, requests are rate-limited to ~5/min. With a free NVD API key the limit is 50/min.

1. Register at nvd.nist.gov/developers/request-an-api-key
2. Paste the key into the API Keys panel in the Scan tab → Advanced → NVD API Key field

Running a Scan

The Scan Tab

When HawkEye launches it opens on the Scan tab. Everything needed to start a scan lives here, organized into collapsible panels.

Step 1 — Set Your Target

Enter a target in the Target field. Accepted formats:

Step 2 — Choose a Scan Profile

Profiles set the Nmap flags and enable/disable internal scanner modules. Select from the Profile dropdown:

Step 3 — Select the Scan Engine

The Engine toggle controls how Phase 1 finds services:

• Nmap NSE — delegates entirely to Nmap with NSE scripts. Most compatible, produces detailed banners.
• Internal — HawkEye's built-in TCP prober + banner grabber. No Nmap required.
• Both — runs both in sequence and deduplicates findings. Most thorough.

Step 4 — Configure Parallel Workers

The Workers slider (1–10) sets how many hosts are scanned in parallel. Workers use a work-stealing queue — fast hosts free up workers immediately for the next host, avoiding the idle time of static batching.

Step 5 — Start the Scan

Click ▶ Start Scan. The scan log panel below shows real-time output from all workers. A progress bar tracks hosts completed / total hosts. Findings appear in the Findings tab as they are discovered, without waiting for the scan to finish.

Click ⏹ Stop at any time — workers finish their current host then exit cleanly. All findings up to that point are preserved.

Advanced Panels

Expand the Advanced Scanning accordion for additional capabilities:

• Subdomain Enumeration — passive + active subdomain discovery for a domain target.
• Authentication — provide credentials (HTTP Basic, form login, token, cookie) so authenticated pages are scanned.
• OpenVAS — import a GVM XML report to merge third-party findings into the same scan session.
• OOB Listener — starts a local out-of-band callback server. Detected when Phase 4 injects OOB payloads.
• API Spec — upload an OpenAPI / Swagger JSON spec to guide Phase 4 web enumeration.
• API Keys — NVD API key for higher Phase 2 rate limits.

Phase Guide (1–7)

Phases run sequentially per host. Each phase receives the port/service data produced by the previous phase and adds new findings. You can enable or disable phases per profile.

Phase 1 — Network Discovery & Nmap NSE

The entry point for every scan. HawkEye first determines which hosts are alive (ICMP ping + TCP ACK on port 443), then scans open ports and optionally runs Nmap NSE scripts.

What it does

• TCP SYN/connect scan across the configured port range
• Service version detection (-sV)
• OS fingerprinting (when run as root)
• NSE script categories: vuln,safe,default
• Banner grabbing on all open ports

Findings produced

Phase 1 findings include: open port disclosures, service version exposures, Nmap NSE vulnerability matches (e.g. EternalBlue, Heartbleed, ShellShock via dedicated scripts), and weak SSH algorithms.

Phase 2 — Internal CVE Scanner + NVD Enrichment

Using the service name and version strings collected in Phase 1, HawkEye queries the NVD API for known CVEs and matches them against its internal rule set.

What it does

• Version-to-CVE matching via CPE strings
• CVSS v3 score fetched per CVE
• EPSS probability score fetched (daily exploit likelihood)
• CISA KEV (Known Exploited Vulnerabilities) flag checked
• Internal rules for common misconfigurations (anonymous FTP, weak SNMP community, default credentials)

EPSS & KEV Badges

Findings with a KEV flag are marked with a red KEV badge in the Findings tab — these are actively exploited in the wild and should be prioritised. EPSS scores above 10% appear as an orange badge showing the probability.

Phase 3 — Nuclei Templates

HawkEye invokes the Nuclei binary against every HTTP/HTTPS endpoint discovered in Phase 1. The community template library contains 9,000+ checks covering CVEs, misconfigurations, default credentials, exposed panels, and more.

Template categories run

By default HawkEye runs: cves, exposed-panels, misconfiguration, default-logins, technologies. Informational-only templates are filtered unless the profile includes them.

Rate limiting

Nuclei is invoked with -rate-limit 100 by default. Stealth profile reduces this to -rate-limit 10. You can override via the custom Nmap flags field (flags are forwarded to Nuclei as well).

Phase 4 — Web Attack Surface

Phase 4 maps the web attack surface of every HTTP endpoint. It combines five sub-engines:

API Specification scanning

If an OpenAPI or Swagger JSON spec is provided, Katana seeds its crawl from every endpoint defined in the spec. This ensures 100% endpoint coverage even for SPAs with no anchor links.

Phase 5 — Deep DAST

Phase 5 applies an internal HTTP fuzzer to every parameter and input discovered in Phase 4. It tests for injection classes that require crafted payloads and response analysis.

Phase 6 — Browser-Engine DAST

Phase 6 launches a headless Chromium instance controlled via the Chrome DevTools Protocol (CDP) to find vulnerabilities that only manifest in a fully rendered browser context — JavaScript-heavy SPAs, DOM manipulation, and browser-specific security controls.

Phase 7 — Kill Chain Engine & Report Engine

Phase 7 runs automatically after all hosts complete. It does not send new network traffic — it analyses the full findings corpus collected in Phases 1–6.

Kill Chain Pattern Engine

The engine applies 15 MITRE ATT&CK-mapped patterns to the finding set. Each pattern defines:

• require_all — all of these finding types must be present
• require_any — at least one of these must be present
• bonus — these increase confidence if present

When a pattern matches, HawkEye builds a kill-chain narrative: a step-by-step description of how a real attacker would chain those specific findings into a full compromise path. Each chain includes MITRE technique IDs, suggested next steps, and a combined remediation strategy.

Remediation Roadmap

All findings are scored using the priority formula:

priority = (CVSS × 0.4) + KEV_bonus(2.0) + EPSS_bonus(1.5 if >10%) + severity_bonus
           clamped to [0, 10]

The roadmap sorts findings by priority and groups them by owner (Security team, DevOps, Development, Network team) with effort estimates (Quick Win / 1 sprint / Quarter).

Kill Chains Tab

After a scan, open the Kill Chains tab to view matched chains. Each chain card is expandable and shows:

• Chain name and severity
• Narrative description of the attack path
• Step-by-step attack flow with MITRE technique IDs
• Finding IDs that triggered the pattern
• Suggested next steps for an attacker (useful for validating the finding)
• Combined remediation recommendation

Scroll down in the Kill Chains tab to see the Remediation Roadmap — a prioritised table of all findings sorted by risk.

History Tab

Every completed scan is automatically saved to ~/.hawkeye/history/. The History tab lists all past scans. Select any two to generate a delta diff:

• New findings — appeared in current scan, not in baseline
• Regressions — previously fixed, now back
• Persisted findings — still present in both scans
• Fixed findings — in baseline but gone from current scan

Findings & Reports

Findings Tab

The Findings tab is your central workspace for reviewing, filtering, and acting on discovered vulnerabilities.

Finding Cards

Each finding shows:

Filters

Use the filter bar at the top of the Findings tab to narrow the list:

• Severity filter — multi-select checkboxes (Critical, High, Medium, Low, Info)
• Status filter — Open, Acknowledged, Fixed, All
• Search box — full-text match against title, description, CVE, and host

Detail Panel

Click any finding to expand the detail panel. It shows:

• Description — what the vulnerability is and why it matters
• Evidence — raw proof: HTTP response excerpt, banner, payload that triggered the finding
• Remediation — concrete fix guidance
• References — CVE links, OWASP pages, vendor advisories

Report Tab

The Report tab generates client-ready output from the current scan session.

HTML Report

Click Generate HTML Report to produce a self-contained HTML file at ~/.hawkeye/reports/<scan-id>.html. The report includes:

• Executive summary with finding counts by severity
• Target scope and scan metadata (date, profile, engine)
• Complete finding table with all fields
• Kill chain narratives (if Phase 7 matched patterns)
• Remediation roadmap sorted by priority
• Classification footer (Confidential / Internal / Public)

PDF Export

With Chromium installed, click Export PDF to convert the HTML report to PDF using headless Chromium. The PDF is saved alongside the HTML file with a .pdf extension.

# HawkEye runs this internally:
chromium --headless --disable-gpu --no-sandbox \
         --print-to-pdf=report.pdf \
         --print-to-pdf-no-header \
         file:///path/to/report.html

Report Classification

Select a classification level from the dropdown before generating: Confidential (default), Internal, or Public. The classification banner appears on every page of the PDF and in the HTML header/footer.

CVE Lookup Tab

Use the CVE Lookup tab to search the NVD directly without running a scan. Enter a CVE ID (e.g. CVE-2021-44228) to fetch:

• Full description and CVSS v3 vector
• Affected CPE configurations
• EPSS score
• CISA KEV status
• Published and last-modified dates

MITRE ATT&CK Tab

The MITRE tab renders a heatmap overlay of the ATT&CK Enterprise matrix. Techniques covered by findings from the current scan are highlighted. Hover a cell to see which findings map to that technique.

Scenarios Tab

The Scenarios tab lists pre-built attack scenarios for the most common vulnerability classes. Each scenario provides:

• Prerequisite findings required
• Manual exploitation steps
• Metasploit module reference (if applicable)
• Proof-of-concept code snippet
• Estimated CVSS impact if exploited

Scenarios are matched to the current scan — only scenarios relevant to what was found are shown.

Integrations

HawkEye can push findings directly to your team's issue tracker, messaging platform, or any custom webhook endpoint. All integration configuration is stored locally and never leaves your machine.

Find the integration settings in Report tab → Push Integrations. Configure one or more targets, then click Push Findings to send all current findings.

Jira

Creates one Jira issue per finding using the Jira REST API v3.

Issue description is formatted as Atlassian Document Format (ADF) with sections for Description, Evidence, Remediation, CVE, CVSS, OWASP, and Host. Severity maps to Jira priority: Critical → Highest, High → High, Medium → Medium, Low → Low.

# HawkEye calls:
POST https://yourcompany.atlassian.net/rest/api/3/issue
Authorization: Basic base64(email:token)
Content-Type: application/json

Linear

Creates one Linear issue per finding using the Linear GraphQL API.

HawkEye uses the issueCreate mutation. Title, description (Markdown), and priority are set per finding. Labels are not set automatically — add them via Linear's API if needed.

# HawkEye calls:
POST https://api.linear.app/graphql
Authorization: Bearer <api_key>

Slack

Posts a colour-coded message attachment per finding to a Slack channel via an Incoming Webhook.

Create a webhook at api.slack.com/apps → Incoming Webhooks. Each finding is a separate attachment. Attachment colour maps to severity: Critical/High → red, Medium → amber, Low/Info → good (green).

Generic Webhook

POSTs each finding as a JSON object to any HTTP endpoint. Suitable for SIEM ingestion (Splunk HEC, Elastic, Wazuh), custom dashboards, or in-house tooling.

Each request body is a JSON object with the following fields:

{
  "id":          42,
  "title":       "Apache Log4Shell (CVE-2021-44228)",
  "severity":    "Critical",
  "host":        "10.0.1.15",
  "port":        8080,
  "service":     "http",
  "cve":         "CVE-2021-44228",
  "cvss":        10.0,
  "owasp":       "A06:2021 – Vulnerable Components",
  "description": "...",
  "evidence":    "...",
  "remediation": "..."
}

Push Behaviour

All enabled integrations are pushed simultaneously when you click Push Findings. HawkEye shows a per-integration status log — green for success, red for failure with the HTTP status code and error message.

Troubleshooting