Legion
Installation
From GitHub
git clone https://github.com/erev0s/legion.git
cd legion
python3 setup.py installUsing pip
pip install legion-pentestDependencies
Legion requires Python 3, PyQt5 (GUI), and common pentesting tools:
# Ubuntu/Debian
sudo apt-get install python3-pyqt5 nmap hydra medusa patator
sudo apt-get install smtp-user-enum nikto masscan
# Install required Python packages
pip install -r requirements.txtPost-Installation
Ensure nmap and exploitation tools are in PATH:
which nmap hydra medusa patatorStarting Legion
Launch GUI
legionor
python3 -m legionWith Custom Config
legion --config /path/to/config.confVerbose Logging
legion --verboseGUI Interface Overview
Main Window Layout
| Section | Purpose |
|---|---|
| Host List | Displays all scanned hosts with services and vulnerabilities |
| Service Pane | Shows services running on selected host |
| Nmap Output | Raw nmap command output and XML data |
| Tool Output | Results from automatic tool exploitation |
| Notes | Saved observations and findings for current host |
Key Windows
File → New Project # Create new assessment project
File → Open Project # Load saved project
Tools → Settings # Configure tool paths and behavior
Tools → Console # View raw command execution logs
Edit → Preferences # Customize Legion behaviorAdding Hosts
Single Host
In the Host List panel:
# Right-click → Add Host
# Enter: 192.168.1.100Or via menu:
Hosts → Add Host → 192.168.1.100Multiple Hosts (Import)
# File → Import Hosts from File
# Accepts: one IP per line, CIDR notationCIDR Network
# Legion expands CIDR automatically
192.168.1.0/24
10.0.0.0/16Service Scanning with Nmap
Run Nmap on Host
# Select host → Right-click → Run Nmap
# or: Tools → Nmap → Scan Selected HostsNmap Scan Profiles
Legion includes preset profiles in Tools → Nmap Settings:
| Profile | Scan Type | Use Case |
|---|---|---|
| Quick | -sV -p- —top-ports 1000 | Fast service discovery |
| Standard | -sV -sC -p- | Default comprehensive scan |
| Aggressive | -sV -sC -sS -A -p- | Full feature enumeration |
| UDP | -sU -p 53,161,162 | UDP services (DNS, SNMP) |
| All Ports | -sV -p- | All 65535 ports |
Run Custom Nmap Scan
# Tools → Nmap → Custom Scan
# Command: -sV -p 20-443 192.168.1.100View Nmap XML Output
# Tools → Nmap → View Nmap Output
# Select host and view raw XML dataAutomatic Tool Launching
Supported Tools
| Tool | Service | Usage |
|---|---|---|
| hydra | SSH, FTP, SMB | Brute-force passwords |
| medusa | SSH, FTP, Telnet | Credential testing |
| patator | HTTP, SNMP, IMAP | Multi-protocol attack |
| nikto | HTTP, HTTPS | Web vulnerability scan |
| masscan | Port scanning | Fast large-scale scanning |
| smtp-user-enum | SMTP | Enumerate SMTP users |
| onesixtyone | SNMP | SNMP device enumeration |
Configure Tool Paths
Tools → Settings → Tool Paths
# Specify location of each tool
Nmap: /usr/bin/nmap
Hydra: /usr/bin/hydra
Nikto: /usr/bin/nikto.pl
Medusa: /usr/bin/medusaAuto-Launch Tools on Service Discovery
Tools → Settings → Auto-Launch Rules
# Enable: Run hydra on SSH when detected
# Enable: Run nikto on HTTP:80 when detected
# Enable: Run masscan on new IP blocksManually Launch Tool on Service
# Select host → Select service in Service Pane
# Right-click → Launch Tool
# Choose: Hydra, Nikto, Medusa, etc.Credential Brute Forcing
Hydra Brute Force via GUI
# Select host → Select SSH service (port 22)
# Tools → Launch Tool → Hydra
# Or: Right-click service → Brute Force CredentialsConfigure Hydra Wordlists
Tools → Settings → Wordlist Paths
/usr/share/wordlists/rockyou.txt
/usr/share/wordlists/common.txtCommand-Line Hydra (via Console)
# For SSH
hydra -L users.txt -P passwords.txt ssh://192.168.1.100
# For HTTP POST
hydra -L users.txt -P passwords.txt http-post-form://192.168.1.100/login:user=^USER^&pass=^PASS^:F=Invalid
# For FTP
hydra -L users.txt -P passwords.txt ftp://192.168.1.100View Hydra Results in Legion
# Tools → Console → View Last Hydra Run
# Or check Tool Output pane for credentials foundScreenshot Capture
Take Screenshot of Web Service
# Select host with HTTP service
# Tools → Screenshot → Capture Web Service
# Saves to: ./screenshots/ or configured locationConfigure Screenshot Settings
Tools → Settings → Screenshots
Screenshot Path: /home/user/legion-screenshots/
Auto-capture on HTTP discovery: Enabled
Resolution: 1280x1024Batch Screenshot Capture
# Select multiple hosts
# Tools → Screenshot → Batch Capture All Hosts
# Creates timestamped screenshot directoryNote-Taking and Documentation
Add Notes to Host
# Select host in Host List
# Notes tab (bottom right) → Type findings
# Automatically saved with projectAdd Service-Specific Notes
# Select host → Select service
# Right-click service → Add Note
# "SSH brute force successful with admin:password123"Export Notes
# File → Export → Export Notes to Text
# or: File → Export → Export Full Report (HTML)Project Comments
# At top of main window: Project notes section
# Track scope changes, important findings, next stepsCustom Scripts and Plugins
Run Custom Script on Host
Tools → Custom Scripts → Add Script
# Script location: /path/to/script.sh
# Arguments: {HOST} {PORT} {SERVICE}
# Runs on: All hosts with specific serviceExample Custom Script
#!/bin/bash
# /usr/local/legion/scripts/check-ssl.sh
HOST=$1
PORT=$2
SERVICE=$3
# Only run on HTTPS services
if [[ "$SERVICE" == "https" ]]; then
openssl s_client -connect $HOST:$PORT < /dev/null 2>/dev/null | openssl x509 -noout -text
fiScript Variables
| Variable | Value | Example |
|---|---|---|
| {HOST} | Target IP address | 192.168.1.100 |
| {PORT} | Service port | 22, 80, 443 |
| {SERVICE} | Service name | ssh, http, https |
| {PROJECT} | Project directory | /home/user/.legion/project1 |
Register Custom Tool
Tools → Settings → Custom Tools
Tool Name: MyHTTPScanner
Command: /usr/local/scripts/http-enum.sh {HOST} {PORT}
Services: http,https
Output Format: TextOutput Management
View All Tool Output
Tools → Console → Display All Output
# Shows complete execution logs from all launched tools
# Timestamp, command, exit code, stderr/stdoutExport Results
File → Export
→ Export to CSV (hosts, services, ports)
→ Export Nmap XML (raw nmap output)
→ Export HTML Report (formatted assessment)
→ Export as JSON (programmatic access)Save Project
File → Save Project
# Saved to: ~/.legion/projects/[ProjectName]/
# Contains: hosts, services, scan results, notes, screenshotsLoad Previous Project
File → Open Project → Select from list
# Reload all data from previous assessment
# Continue testing where you left offCommon Workflows
Network Assessment Workflow
# 1. Create new project
File → New Project → "Internal Network Q1"
# 2. Add target network
Hosts → Add Host → 192.168.0.0/24
# 3. Run initial ping sweep
Tools → Masscan → Ping Sweep on CIDR
# 4. Run nmap on discovered hosts
Select all hosts → Tools → Nmap → Run
# 5. Review discovered services
View Host List → Services column
# 6. Launch automatic tool exploitation
Tools → Auto-Launch → Enable all
# 7. Document findings
Select each host → Notes tab → Record findings
# 8. Export report
File → Export → Export HTML ReportSSH Brute Force + Exploitation
# 1. Identify SSH service (port 22)
Select host → Service Pane shows "ssh 22/tcp"
# 2. Launch Hydra credential testing
Right-click SSH service → Brute Force
# 3. Configure wordlists
Select: /usr/share/wordlists/rockyou.txt (passwords)
Select: common-users.txt (usernames)
# 4. Run attack
Start → Monitor results in Tool Output pane
# 5. Test successful credentials
Tools → Console → ssh user@192.168.1.100 -p 22
# 6. Document access
Notes tab → "SSH access: user/password123"Web Service Enumeration
# 1. Identify HTTP/HTTPS service
Host List shows "http 80/tcp" and "https 443/tcp"
# 2. Auto-capture web interface
Tools → Screenshot → Capture Service
# 3. Launch web scanner
Select HTTP service → Right-click → Nikto Scan
# 4. Review vulnerabilities
Tool Output pane shows Nikto results
# 5. Manual testing (if needed)
Tools → Console → nikto -h 192.168.1.100
# 6. Document web findings
Notes → "Outdated Apache 2.2.15, CVE-XXXX-XXXX potential"Multi-Service Exploitation
# 1. Run comprehensive nmap
Tools → Nmap → Aggressive profile on all hosts
# 2. Enable auto-launch for all services
Tools → Settings → Auto-Launch Rules
→ Enable Hydra for SSH/FTP
→ Enable Nikto for HTTP
→ Enable SNMP enumeration
# 3. Monitor execution
Tools → Console → Watch real-time execution
# 4. Review results by service type
Host List → Filter by service
→ View all SSH services
→ View all HTTP services
# 5. Compile findings
File → Export HTML → Generates full assessment reportAdvanced Usage
Configuring Wordlists
Tools → Settings → Wordlist Management
Default Username List: /usr/share/wordlists/users.txt
Default Password List: /usr/share/wordlists/passwords.txt
Custom Wordlists: Add path for domain-specific listsRate Limiting
Tools → Settings → Performance
Threads per tool: 4
Connection timeout: 10s
Max simultaneous tools: 2Proxy Configuration
Tools → Settings → Network
HTTP Proxy: http://127.0.0.1:8080
SOCKS5 Proxy: 127.0.0.1:9050
Authentication: Enabled (user:pass)Logging and Debugging
Tools → Settings → Logging
Log Level: DEBUG
Log File: /home/user/.legion/legion.log
Keep logs: 30 daysTroubleshooting
Tool Not Found Error
# Check if tool is installed
which nmap hydra nikto
# Update tool path in Legion
Tools → Settings → Tool Paths → Verify each path
# Install missing tool
sudo apt-get install nikto
sudo apt-get install hydraNmap Fails on Selected Hosts
# Verify hosts are reachable
ping 192.168.1.100
# Check nmap permissions (may need sudo)
sudo legion
# Or configure sudo passwordless for nmap
sudo visudo
# Add: username ALL=(ALL) NOPASSWD: /usr/bin/nmapTool Output Not Showing
# Check Tool Output pane is visible
View → Tool Output
# Check Tool Paths are configured
Tools → Settings → Tool Paths
# View raw logs
Tools → Console → Check for errorsProject Won’t Save
# Verify project directory permissions
ls -la ~/.legion/projects/
# Ensure write access
chmod 755 ~/.legion/projects/
# Try saving to different location
File → Save Project As → Choose new pathTips and Best Practices
- Run Quick Scan First: Use “Quick” nmap profile on initial assessment to identify services faster
- Document as You Go: Add notes immediately after finding issues, don’t rely on memory
- Organize by Service: Filter Host List by service type to focus exploitation efforts
- Auto-Launch Selectively: Enable only tools relevant to your targets to avoid noise
- Review Tool Output: Always check Tool Output pane for credential discoveries and vulnerabilities
- Export Early: Save project frequently and export results incrementally
- Custom Scripts: Create reusable scripts for your organization’s specific testing procedures
- Batch Operations: Use multi-host selection to run same scan/tool on multiple targets efficiently