badKarma is a python3 GTK+ network infrastructure penetration testing toolkit.badKarma aim to help the tester in all the penetration testing phases (information gathering, vulnerability assessment,exploitation,post-exploitation and reporting). It allow the tester to save time by having point-and-click access to their toolkit and interacte with them through GUIs or Terminals, also every task is logged under a sqlite database in order to help during the reporting phase or in a incident response scenario.It is also available a proxychains switch that let everything go through proxies, and last but not least, every commands can be adjusted before the execution by disabling the “auto-execute” checkbox.badKarma is licensed under GNU GPL version 3.
DatabaseThe database by default is located inside the “/tmp” directory, this means that you have to save it in a different location before rebooting your computer.It contains all the information gained during the activity, real-time updated, it is used like a session file, and it can be exported or/and imported.
TargetsIt is possible to add target and scan them with nmap or import an nmap XML report, also some defaults scan profiles are already available as well.By defaults all the nmap output are stored inside the “/tmp” directory , then the output is imported in the sqlite database and deleted.
ExtensionsbadKarma is modular, the extensions are full-interactive and they allow the tester to tune tasks options, also every extension output is logged under the database and can be exported as a raw txt from the “Logs” tab.Extensions can be found under the “extension” directory,current available extensions are:

  • Shell: this is the main module of the toolkit since it allow the tester to execute preconfigured shell tasks. Shell commands are located under the “conf” directory.
  • Bruter: as the name says, bruter is the brute-force extension. It allow the tester to send a target directly to Hydra and configure the parameters through a GUI.
  • Screenshot: this extension allow the tester to take a screenshot of possibile web servers, the screenshot will be stored in the log database as base64 and can be normally shown from badKarma.
  • Browser: just an “open in browser” for webservers menu item, take it as an example to build your own extensions.


install Kali linux dependecies:

# apt install python3-pip python3-gi phantomjs gir1.2-gtk-vnc-2.0 ffmpeg `

clone the repository:

$ git clone

install python dependecies:

# cd badKarma
# pip3 install -r requirements.txt


$ chmod +x
$ ./

Download badKarma


This is only an educational purposes only I am not responsible for further activities

Join my forum and learn more ethical hacking and penetration testing

Get me at


Leave a Reply

Your email address will not be published. Required fields are marked *