Visual attack graph + live command execution for red teamers, penetration testers, and students HackMap is a lightweight, local-first pentest mapping tool that combines an interactive Cytoscape graph with real-time shell command execution, persistent command history, subgraphs, and hierarchical PDF reports — all in one clean, responsive interface.
- Install Python 3 and Flask.
- Run
python app.py. - Open
http://localhost:5000in your browser. - Create a workspace, add nodes, connect them, execute commands, and export reports.
- Multiple Workspaces: Track and switch between multiple JSON-based workspaces for different engagements.
- Interactive Graph: Drag-and-drop nodes with icons (PC, Person, Admin, Lock, Skull, Endpoint) for visual attack mapping.
- Subgraphs: Drill down into nested graphs under parent nodes (e.g., sub-networks, detailed breakdowns).
- Navigation: Breadcrumb trail and back button for subgraph navigation; subgraph indicators (📁) on nodes with subgraphs.
- Node Selection & Actions:
- Shift-click: Multi-select nodes (orange border) for connecting multiple targets.
- Ctrl-click: Select nodes for subgraph operations (blue border).
- Connect selected: Link multiple nodes in sequence.
- Add sub-nodes: Create nodes within subgraphs of selected parents.
- Real-Time Command Execution: Execute shell commands directly on nodes with streaming output (e.g.,
whoami,netstat). - Command History: Persistent per-node command logs with timestamps; view in modal or flyout.
- Ownership Tracking: "Owned" flag with skull icon for compromised assets.
- Edge Customization: Double-click edges to edit labels (e.g., RDP, SMB) and colors.
- PDF Report Export: Hierarchical, well-structured reports including:
- Total stats (nodes, edges, owned).
- Dedicated "Users" section for all Person nodes.
- Connections and node details (notes, commands) organized by subgraphs.
- Responsive Design: Toolbar collapses on small screens; zoom adjusts for small graphs (~10-13% node size).
- No Dependencies: Runs on Python 3 + Flask; zero authentication, fully local.
- Export/Import: Download/upload JSON files for backup/sharing.
