Vanquish: The OSCP-Era Orchestrator That Chains Kali's Arsenal Into Attack Pipelines

Hook

Most penetration testers spend 60-70% of their time manually chaining reconnaissance tools together—running nmap, parsing output, feeding results to specialized scanners, then repeating. Vanquish automates this tedium, but its decade-old design reveals uncomfortable truths about tool orchestration.

Context

Penetration testing has always suffered from a tooling problem: we have dozens of excellent specialized scanners (nmap for ports, nikto for web vulnerabilities, enum4linux for SMB), but no standardized way to chain them together. Experienced pentesters develop muscle memory—run nmap, grep for port 80, launch gobuster and nikto against those targets, check for default credentials with hydra. Junior testers following OSCP training materials manually execute this dance across spreadsheets and terminal windows, often missing targets or redundantly scanning the same services.

Vanquish emerged around 2017 to solve this orchestration gap for the OSCP crowd. Rather than replacing Kali's tools, it acts as a conductor—parsing attack plan configurations, executing tools in logical phases, and feeding results downstream. When port scanning discovers HTTP on port 8080, Vanquish automatically queues web enumeration tools against that specific target and port. When SSH appears, credential attacks launch. This mimics how veteran pentesters think: early reconnaissance informs targeted attacks. The tool gained traction in the OSCP community because it automated the repetitive enumeration patterns that certification candidates execute against practice lab machines.

Technical Insight

System architecture (auto-generated diagram, flattened here to text): an attack plan INI feeds a plan parser, which hands tasks to a thread pool executor. Phase 1 queues and runs the port scanners (nmap/masscan) and writes their results to output files. A result analyzer parses the open ports and expands command templates into phase 2+ tasks for the enumeration tools (gobuster/nikto/etc), whose results are again written to files. A state manager checks whether output files exist in order to enable resume.

Vanquish's architecture centers on three components: attack plan parsers, a multi-threaded execution engine, and a file-based state manager. Attack plans are INI files defining tool commands organized by phase numbers. Lower-numbered phases (nmap scans) execute first, creating output files that higher-numbered phases parse to extract targets and parameters.

Here's a simplified attack plan showing the phase-based dependency chain:

[NMAPQuick]
command = nmap -Pn -sV -oA [OUTPUT_DIR]/nmap-quick [TARGET]
port = 80,443,445,22
phase = 1

[GoBuster]
command = gobuster dir -u http://[TARGET]:[PORT] -w /usr/share/wordlists/dirb/common.txt -o [OUTPUT_DIR]/gobuster-[PORT].txt
phase = 2
require = NMAPQuick
port = 80,443,8080,8443

When you execute Vanquish against target 10.10.10.5, it first runs the phase 1 nmap scan. The orchestrator then parses nmap's output file to extract discovered open ports. If port 80 exists, Vanquish expands the GoBuster command template—replacing [TARGET] with 10.10.10.5, [PORT] with 80, and [OUTPUT_DIR] with the organized results directory—then queues execution.
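An added example (not Vanquish's own code) of the plan-to-task step described above: it loads the INI plan with configparser, orders sections by phase, intersects each phase 2+ section's port list with the ports phase 1 discovered, and expands the command template into an argv list so substituted values stay arguments rather than shell syntax. The plan text, the target, and the discovered-port list are constructed for the example.

```python
import configparser
import shlex

# Constructed attack plan in Vanquish's INI style (assumption: same keys as the article).
PLAN_INI = """
[NMAPQuick]
command = nmap -Pn -sV -oA [OUTPUT_DIR]/nmap-quick [TARGET]
port = 80,443,445,22
phase = 1

[GoBuster]
command = gobuster dir -u http://[TARGET]:[PORT] -w /usr/share/wordlists/dirb/common.txt -o [OUTPUT_DIR]/gobuster-[PORT].txt
phase = 2
require = NMAPQuick
port = 80,443,8080,8443
"""

def load_plan(text):
    """Return the plan's sections as dicts, sorted by ascending phase number."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in wordlist paths must stay literal
    cp.read_string(text)
    plan = []
    for name in cp.sections():
        sec = cp[name]
        plan.append({
            "name": name,
            "command": sec["command"],
            "phase": int(sec.get("phase", "1")),
            "require": sec.get("require"),
            "ports": {p.strip() for p in sec.get("port", "").split(",") if p.strip()},
        })
    return sorted(plan, key=lambda s: s["phase"])

def expand(template, target, port, output_dir):
    """Fill [TARGET]/[PORT]/[OUTPUT_DIR] and return an argv list.
    Running that list without shell=True means a value taken from scan output
    or from the plan file is passed as one argument, never interpreted by a shell."""
    filled = (template.replace("[TARGET]", target)
                      .replace("[PORT]", str(port))
                      .replace("[OUTPUT_DIR]", output_dir))
    return shlex.split(filled)

def phase2_tasks(plan, target, discovered, output_dir):
    """Queue phase>=2 sections whose port list intersects the ports phase 1 found.
    `discovered` is the [{'port': ..., 'service': ...}] list an nmap parser yields."""
    phase1_done = {s["name"] for s in plan if s["phase"] == 1}
    tasks = []
    for sec in plan:
        if sec["phase"] < 2 or (sec["require"] and sec["require"] not in phase1_done):
            continue
        for svc in discovered:
            if svc["port"] in sec["ports"]:
                tasks.append(expand(sec["command"], target, svc["port"], output_dir))
    return tasks
```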

The execution engine uses Python's ThreadPoolExecutor to run multiple scans concurrently:

import os
import subprocess
from concurrent.futures import ThreadPoolExecutor

def execute_command(cmd, output_file):
    # Check if output already exists (resume functionality)
    if os.path.exists(output_file):
        return "SKIPPED"

    result = subprocess.Popen(
        cmd,
        shell=True,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE
    )
    # communicate() drains both pipes before waiting; a bare wait() can
    # deadlock once a chatty tool fills the pipe buffer
    result.communicate()
    return result.returncode

# phase_tasks: list of {'cmd': ..., 'output': ...} dicts built from the attack plan
with ThreadPoolExecutor(max_workers=10) as executor:
    futures = []
    for task in phase_tasks:
        future = executor.submit(execute_command, task['cmd'], task['output'])
        futures.append(future)

This threading model allows Vanquish to run gobuster against port 80, nikto against port 443, and enum4linux against port 445 simultaneously across multiple target hosts. The file-based resume logic is pragmatic—if gobuster-80.txt already exists, skip re-running that scan. This matters during 8-hour enumeration runs against OSCP lab networks where network interruptions are common.

The output parser for nmap results uses regex patterns to extract service information:

import re

def parse_nmap_output(nmap_file):
    services = []
    with open(nmap_file, 'r') as f:
        for line in f:
            # Match lines like: 80/tcp open http Apache 2.4.29
            match = re.search(r'(\d+)/tcp\s+open\s+(\w+)', line)
            if match:
                port = match.group(1)
                service = match.group(2)
                services.append({'port': port, 'service': service})
    return services

This parsed data drives phase 2+ tool selection. If service equals 'http', queue web tools. If 'smb', queue SMB enumeration. The intelligence is crude but effective—it mirrors the decision tree in a pentester's head.

Vanquish also implements Metasploit workspace integration. After enumeration completes, it imports scan results into a Metasploit database workspace, allowing smooth transition from reconnaissance to exploitation frameworks. This was crucial in 2017-2019 when Metasploit remained the dominant exploitation framework for OSCP candidates.

The file organization strategy deserves mention. Vanquish creates directory hierarchies like results/10.10.10.5/nmap/, results/10.10.10.5/web/, separating output by target IP and tool category. This mirrors how pentesters manually organize engagement data and makes report writing tractable when you've scanned 50 machines.

Gotcha

Vanquish's tight coupling to Kali Linux becomes painful in practice. It assumes specific tool paths (/usr/bin/gobuster), wordlist locations (/usr/share/wordlists/), and even specific tool versions. Run it on Ubuntu or inside a Docker container without perfectly replicating Kali's filesystem, and commands fail silently. The error handling is essentially absent—if gobuster crashes because the wordlist is missing, Vanquish logs a generic error and continues. You won't know the scan failed until you manually inspect empty output files.

The project's maintenance status is concerning. The last significant commit was years ago, and newer tool versions (Gobuster v3+, updated Nikto) changed command-line flags that break Vanquish's templated commands. The codebase uses Python 2 patterns in places, though it technically runs on Python 3. Threading via ThreadPoolExecutor without rate limiting can overwhelm networks or trigger IDS alerts—there's no configurable backoff or respectful scanning mode.

File-based state management seems elegant until it isn't. Vanquish determines phase completion by checking if output files exist, not by validating their contents. If a tool crashes halfway through writing output, Vanquish considers it complete and never re-runs it. The resume functionality becomes a liability when you need to force re-scans. You'll find yourself manually deleting output files to trigger re-execution, defeating the automation purpose.
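An added example (not Vanquish's code) of the fix a practitioner would want for the two problems above, silent failures and existence-only resume: a scan counts as complete only when its output file is non-empty and the runner recorded a clean exit in a sidecar `.done` marker, stderr of a failing tool is kept in a `.err` file, and the tasks run as argv lists without a shell. The `demo()` scenario, file names and commands are constructed.

```python
import os
import subprocess
import sys
import tempfile

def is_complete(output_file):
    """Done means: output exists, is non-empty, and the runner wrote the
    completion marker after a clean exit. A bare file on disk is not enough."""
    marker = output_file + ".done"
    return (os.path.isfile(output_file)
            and os.path.getsize(output_file) > 0
            and os.path.isfile(marker))

def run_task(argv, output_file, timeout=3600):
    """Run one scan as an argv list; write the marker only on exit status 0.
    Returns 'SKIPPED', 'TIMEOUT', or the tool's exit code."""
    if is_complete(output_file):
        return "SKIPPED"
    marker = output_file + ".done"
    if os.path.exists(marker):
        os.remove(marker)                      # stale marker: a re-scan was forced
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "TIMEOUT"
    if proc.returncode == 0 and os.path.isfile(output_file) and os.path.getsize(output_file) > 0:
        open(marker, "w").close()
    else:
        with open(output_file + ".err", "wb") as f:   # keep the reason instead of swallowing it
            f.write(proc.stderr)
    return proc.returncode

def demo():
    """Constructed scenario: a crashed scan left a half-written file, then a
    good run, a resumed run, and a failing run. Returns what the runner saw."""
    d = tempfile.mkdtemp()
    out = os.path.join(d, "gobuster-80.txt")
    with open(out, "w") as f:
        f.write("/admin (Status: 301)\n")        # partial output; the tool died here
    crashed_seen_as_done = is_complete(out)      # existence alone must not count
    ok_cmd = [sys.executable, "-c", f"open({out!r}, 'a').write('/login (Status: 200)\\n')"]
    rc_ok = run_task(ok_cmd, out)
    second_run = run_task(ok_cmd, out)           # now resume genuinely skips
    bad = os.path.join(d, "nikto-443.txt")
    rc_bad = run_task([sys.executable, "-c", "import sys; sys.exit(2)"], bad)
    return {"crashed_seen_as_done": crashed_seen_as_done, "rc_ok": rc_ok,
            "second_run": second_run, "rc_bad": rc_bad,
            "bad_complete": is_complete(bad), "err_kept": os.path.isfile(bad + ".err")}
```

Forcing a re-scan then means deleting only the `.done` marker, not the output itself.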

For modern penetration tests requiring detailed logging, compliance evidence, or integration with vulnerability management platforms, Vanquish's stdout-heavy approach and minimal structured output are inadequate. There's no JSON export, no API for programmatic access, and no way to query scan status without parsing log files.

Verdict

Use if: You're preparing for OSCP or similar certifications and need to automate the repetitive enumeration patterns against practice lab machines. You work exclusively in Kali Linux environments, don't need production-grade error handling, and want something that mirrors the manual tool-chaining workflow you're learning. You're scanning 10-50 hosts where resume functionality matters more than real-time progress visibility.

Skip if: You need maintained tooling that keeps pace with scanner updates, require detailed error reporting and scan validation, work in containerized or CI/CD environments, need compliance documentation or structured output formats, or are conducting professional engagements where client reporting demands more than raw tool output organized in directories.

For active projects, AutoRecon provides similar orchestration with better maintenance and output parsing.
