Legion

Installation

From GitHub

git clone https://github.com/erev0s/legion.git
cd legion
python3 setup.py install

Using pip

pip install legion-pentest

Dependencies

Legion requires Python 3, PyQt5 (GUI), and common pentesting tools:

# Ubuntu/Debian
sudo apt-get install python3-pyqt5 nmap hydra medusa patator
sudo apt-get install smtp-user-enum nikto masscan

# Install required Python packages
pip install -r requirements.txt

Post-Installation

Ensure nmap and exploitation tools are in PATH:

which nmap hydra medusa patator

Starting Legion

Launch GUI

legion

or

python3 -m legion

With Custom Config

legion --config /path/to/config.conf

Verbose Logging

legion --verbose

GUI Interface Overview

Main Window Layout

Section	Purpose
Host List	Displays all scanned hosts with services and vulnerabilities
Service Pane	Shows services running on selected host
Nmap Output	Raw nmap command output and XML data
Tool Output	Results from automatic tool exploitation
Notes	Saved observations and findings for current host

Key Windows

File → New Project          # Create new assessment project
File → Open Project         # Load saved project
Tools → Settings            # Configure tool paths and behavior
Tools → Console             # View raw command execution logs
Edit → Preferences          # Customize Legion behavior

Adding Hosts

Single Host

In the Host List panel:

# Right-click → Add Host
# Enter: 192.168.1.100

Or via menu:

Hosts → Add Host → 192.168.1.100

Multiple Hosts (Import)

# File → Import Hosts from File
# Accepts: one IP per line, CIDR notation

CIDR Network

# Legion expands CIDR automatically
192.168.1.0/24
10.0.0.0/16

Service Scanning with Nmap

Run Nmap on Host

# Select host → Right-click → Run Nmap
# or: Tools → Nmap → Scan Selected Hosts

Nmap Scan Profiles

Legion includes preset profiles in Tools → Nmap Settings:

Profile	Scan Type	Use Case
Quick	-sV -p- —top-ports 1000	Fast service discovery
Standard	-sV -sC -p-	Default comprehensive scan
Aggressive	-sV -sC -sS -A -p-	Full feature enumeration
UDP	-sU -p 53,161,162	UDP services (DNS, SNMP)
All Ports	-sV -p-	All 65535 ports

Run Custom Nmap Scan

# Tools → Nmap → Custom Scan
# Command: -sV -p 20-443 192.168.1.100

View Nmap XML Output

# Tools → Nmap → View Nmap Output
# Select host and view raw XML data

Automatic Tool Launching

Supported Tools

Tool	Service	Usage
hydra	SSH, FTP, SMB	Brute-force passwords
medusa	SSH, FTP, Telnet	Credential testing
patator	HTTP, SNMP, IMAP	Multi-protocol attack
nikto	HTTP, HTTPS	Web vulnerability scan
masscan	Port scanning	Fast large-scale scanning
smtp-user-enum	SMTP	Enumerate SMTP users
onesixtyone	SNMP	SNMP device enumeration

Configure Tool Paths

Tools → Settings → Tool Paths

# Specify location of each tool
Nmap: /usr/bin/nmap
Hydra: /usr/bin/hydra
Nikto: /usr/bin/nikto.pl
Medusa: /usr/bin/medusa

Auto-Launch Tools on Service Discovery

Tools → Settings → Auto-Launch Rules

# Enable: Run hydra on SSH when detected
# Enable: Run nikto on HTTP:80 when detected
# Enable: Run masscan on new IP blocks

Manually Launch Tool on Service

# Select host → Select service in Service Pane
# Right-click → Launch Tool
# Choose: Hydra, Nikto, Medusa, etc.

Credential Brute Forcing

Hydra Brute Force via GUI

# Select host → Select SSH service (port 22)
# Tools → Launch Tool → Hydra
# Or: Right-click service → Brute Force Credentials

Configure Hydra Wordlists

Tools → Settings → Wordlist Paths

/usr/share/wordlists/rockyou.txt
/usr/share/wordlists/common.txt

Command-Line Hydra (via Console)

# For SSH
hydra -L users.txt -P passwords.txt ssh://192.168.1.100

# For HTTP POST
hydra -L users.txt -P passwords.txt http-post-form://192.168.1.100/login:user=^USER^&pass=^PASS^:F=Invalid

# For FTP
hydra -L users.txt -P passwords.txt ftp://192.168.1.100

View Hydra Results in Legion

# Tools → Console → View Last Hydra Run
# Or check Tool Output pane for credentials found

Screenshot Capture

Take Screenshot of Web Service

# Select host with HTTP service
# Tools → Screenshot → Capture Web Service
# Saves to: ./screenshots/ or configured location

Configure Screenshot Settings

Tools → Settings → Screenshots

Screenshot Path: /home/user/legion-screenshots/
Auto-capture on HTTP discovery: Enabled
Resolution: 1280x1024

Batch Screenshot Capture

# Select multiple hosts
# Tools → Screenshot → Batch Capture All Hosts
# Creates timestamped screenshot directory

Note-Taking and Documentation

Add Notes to Host

# Select host in Host List
# Notes tab (bottom right) → Type findings
# Automatically saved with project

Add Service-Specific Notes

# Select host → Select service
# Right-click service → Add Note
# "SSH brute force successful with admin:password123"

Export Notes

# File → Export → Export Notes to Text
# or: File → Export → Export Full Report (HTML)

Project Comments

# At top of main window: Project notes section
# Track scope changes, important findings, next steps

Custom Scripts and Plugins

Run Custom Script on Host

Tools → Custom Scripts → Add Script

# Script location: /path/to/script.sh
# Arguments: {HOST} {PORT} {SERVICE}
# Runs on: All hosts with specific service

Example Custom Script

#!/bin/bash
# /usr/local/legion/scripts/check-ssl.sh

HOST=$1
PORT=$2
SERVICE=$3

# Only run on HTTPS services
if [[ "$SERVICE" == "https" ]]; then
    openssl s_client -connect $HOST:$PORT < /dev/null 2>/dev/null | openssl x509 -noout -text
fi

Script Variables

Variable	Value	Example
{HOST}	Target IP address	192.168.1.100
{PORT}	Service port	22, 80, 443
{SERVICE}	Service name	ssh, http, https
{PROJECT}	Project directory	/home/user/.legion/project1

Register Custom Tool

Tools → Settings → Custom Tools

Tool Name: MyHTTPScanner
Command: /usr/local/scripts/http-enum.sh {HOST} {PORT}
Services: http,https
Output Format: Text

Output Management

View All Tool Output

Tools → Console → Display All Output

# Shows complete execution logs from all launched tools
# Timestamp, command, exit code, stderr/stdout

Export Results

File → Export
  → Export to CSV (hosts, services, ports)
  → Export Nmap XML (raw nmap output)
  → Export HTML Report (formatted assessment)
  → Export as JSON (programmatic access)

Save Project

File → Save Project

# Saved to: ~/.legion/projects/[ProjectName]/
# Contains: hosts, services, scan results, notes, screenshots

Load Previous Project

File → Open Project → Select from list

# Reload all data from previous assessment
# Continue testing where you left off

Common Workflows

Network Assessment Workflow

# 1. Create new project
File → New Project → "Internal Network Q1"

# 2. Add target network
Hosts → Add Host → 192.168.0.0/24

# 3. Run initial ping sweep
Tools → Masscan → Ping Sweep on CIDR

# 4. Run nmap on discovered hosts
Select all hosts → Tools → Nmap → Run

# 5. Review discovered services
View Host List → Services column

# 6. Launch automatic tool exploitation
Tools → Auto-Launch → Enable all

# 7. Document findings
Select each host → Notes tab → Record findings

# 8. Export report
File → Export → Export HTML Report

SSH Brute Force + Exploitation

# 1. Identify SSH service (port 22)
Select host → Service Pane shows "ssh 22/tcp"

# 2. Launch Hydra credential testing
Right-click SSH service → Brute Force

# 3. Configure wordlists
Select: /usr/share/wordlists/rockyou.txt (passwords)
Select: common-users.txt (usernames)

# 4. Run attack
Start → Monitor results in Tool Output pane

# 5. Test successful credentials
Tools → Console → ssh user@192.168.1.100 -p 22

# 6. Document access
Notes tab → "SSH access: user/password123"

Web Service Enumeration

# 1. Identify HTTP/HTTPS service
Host List shows "http 80/tcp" and "https 443/tcp"

# 2. Auto-capture web interface
Tools → Screenshot → Capture Service

# 3. Launch web scanner
Select HTTP service → Right-click → Nikto Scan

# 4. Review vulnerabilities
Tool Output pane shows Nikto results

# 5. Manual testing (if needed)
Tools → Console → nikto -h 192.168.1.100

# 6. Document web findings
Notes → "Outdated Apache 2.2.15, CVE-XXXX-XXXX potential"

Multi-Service Exploitation

# 1. Run comprehensive nmap
Tools → Nmap → Aggressive profile on all hosts

# 2. Enable auto-launch for all services
Tools → Settings → Auto-Launch Rules
  → Enable Hydra for SSH/FTP
  → Enable Nikto for HTTP
  → Enable SNMP enumeration

# 3. Monitor execution
Tools → Console → Watch real-time execution

# 4. Review results by service type
Host List → Filter by service
  → View all SSH services
  → View all HTTP services

# 5. Compile findings
File → Export HTML → Generates full assessment report

Advanced Usage

Configuring Wordlists

Tools → Settings → Wordlist Management

Default Username List: /usr/share/wordlists/users.txt
Default Password List: /usr/share/wordlists/passwords.txt
Custom Wordlists: Add path for domain-specific lists

Rate Limiting

Tools → Settings → Performance

Threads per tool: 4
Connection timeout: 10s
Max simultaneous tools: 2

Proxy Configuration

Tools → Settings → Network

HTTP Proxy: http://127.0.0.1:8080
SOCKS5 Proxy: 127.0.0.1:9050
Authentication: Enabled (user:pass)

Logging and Debugging

Tools → Settings → Logging

Log Level: DEBUG
Log File: /home/user/.legion/legion.log
Keep logs: 30 days

Troubleshooting

Tool Not Found Error

# Check if tool is installed
which nmap hydra nikto

# Update tool path in Legion
Tools → Settings → Tool Paths → Verify each path

# Install missing tool
sudo apt-get install nikto
sudo apt-get install hydra

Nmap Fails on Selected Hosts

# Verify hosts are reachable
ping 192.168.1.100

# Check nmap permissions (may need sudo)
sudo legion

# Or configure sudo passwordless for nmap
sudo visudo
# Add: username ALL=(ALL) NOPASSWD: /usr/bin/nmap

Tool Output Not Showing

# Check Tool Output pane is visible
View → Tool Output

# Check Tool Paths are configured
Tools → Settings → Tool Paths

# View raw logs
Tools → Console → Check for errors

Project Won’t Save

# Verify project directory permissions
ls -la ~/.legion/projects/

# Ensure write access
chmod 755 ~/.legion/projects/

# Try saving to different location
File → Save Project As → Choose new path

Tips and Best Practices

• Run Quick Scan First: Use “Quick” nmap profile on initial assessment to identify services faster
• Document as You Go: Add notes immediately after finding issues, don’t rely on memory
• Organize by Service: Filter Host List by service type to focus exploitation efforts
• Auto-Launch Selectively: Enable only tools relevant to your targets to avoid noise
• Review Tool Output: Always check Tool Output pane for credential discoveries and vulnerabilities
• Export Early: Save project frequently and export results incrementally
• Custom Scripts: Create reusable scripts for your organization’s specific testing procedures
• Batch Operations: Use multi-host selection to run same scan/tool on multiple targets efficiently