Integrating HexStrike AI with Local Ollama for Privacy-Focused Pentesting (WSL + Kali)
What Is HexStrike AI?
HexStrike AI is an MCP (Model Context Protocol) server that bridges AI agents with 150+ cybersecurity tools through both MCP protocol and REST API interfaces. While it’s commonly used with cloud-based AI agents like Claude and GPT via the MCP protocol, this article demonstrates an alternative approach: directly integrating HexStrike’s REST API with Ollama, a local LLM running on WSL. This setup creates a fully privacy-focused, AI-assisted pentesting workflow where a local language model orchestrates reconnaissance, analyzes results, and makes intelligent testing decisions , all without sending sensitive data to external services. By combining HexStrike’s tool execution capabilities with local AI intelligence, this approach provides the automation benefits of AI-assisted security testing while maintaining complete operational security and data privacy.
HexStrike AI project repository:
https://github.com/0x4m4/hexstrike-ai
Why HexStrike + Local LLMs Matter
Modern penetration testing generates high-risk data by default: internal hostnames, API tokens, session cookies, source code paths, exploit primitives, and client-specific business logic.
Sending this information to cloud-hosted LLMs introduces unnecessary risk, even when vendors claim data isolation.
Running HexStrike AI with a fully local LLM changes the trust model entirely:
- Zero data exfiltration — prompts and responses never leave your infrastructure
- Regulatory compatibility — suitable for internal testing and restricted environments
- Deterministic behavior — no silent model changes, throttling, or quotas
- Operational realism — mirrors how serious offensive tooling is deployed in practice.
This setup is not about novelty or hype. It is about control, auditability, and trust.
Architecture Overview
- Windows 11 host
- NVIDIA GPU + WSL2
- Acts as the controlled network boundary
- WSL2 (Ubuntu)
- Ollama runs here and exposes an OpenAI-compatible API
- Kali Linux (VM or bare metal)
- Hexstrike AI consumes Ollama API
Traffic flow:
Hexstrike (Kali) → Windows Host IP:11434 → Port Proxy → WSL Ollama :11434
No cloud LLMs. No external data exposure.
Install WSL + NVIDIA GPU Support
Enable WSL + Virtual Machine Platform (Windows PowerShell Admin)
(Right-click PowerShell → Run as Administrator)
dism.exe /online /enable-feature /featurename:VirtualMachinePlatform /all
dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /allReboot your PC.
Install WSL (latest version)
After reboot, open PowerShell (normal):
wsl --installThis will automatically:
install WSL2
install Ubuntu (default)
configure the Linux kernel
set WSL2 as the default backend
Reboot your system again after this step.
Set the username and strong password for your new WSL user. Switch to your home directory by cd ~
Inside Ubuntu run:
sudo apt update && sudo apt upgrade -yInstall Required Tools (Git, Build Tools, etc.)
sudo apt install -y git curl wget build-essential
Before proceeding, enable GPU support in WSL. This requires having the correct Windows GPU driver installed so your Ubuntu environment can access the GPU for local LLM inference.
Optional: Install NVIDIA CUDA Toolkit
sudo apt install -y nvidia-cuda-toolkit
Verify GPU Support in WSL (Optional but Recommended)
On Windows, ensure you have a recent NVIDIA driver with WSL support.
Inside WSL, verify GPU visibility:
nvidia-smi
Install and Run Ollama in WSL
Install Ollama inside WSL (Ubuntu)
curl -fsSL https://ollama.com/install.sh | sh
Note: Do not rely solely on systemctl to start Ollama, unless you explicitly enabled systemd in WSL. The secondary approach is to run Ollama manually. If systemctl fails in WSL, use ollama serve instead.
Start Ollama service
sudo systemctl enable ollama
sudo systemctl start ollamaVerify it’s running:
systemctl status ollama
Alternatively, you can start Ollama by running the command below and keep this terminal open.
ollama serve
Pull Required Models
ollama pull qwen2.5:7b
ollama pull llama3.1:8b
I am using llama3.1:8b — Meta’s 8-billion parameter model that balances
performance with efficiency. It offers strong reasoning capabilities
perfect for AI-powered security tools. You can also try llama3.2:3b
(faster, lighter) or qwen2.5:7b (better for complex coding tasks).
Verify models are available:
ollama list
Verify Ollama API (Local):
Open another WSL tab and run a quick check by running the following command to verify that your Ollama API is running and to confirm which local LLM models are installed.
curl http://localhost:11434/api/tagsThis endpoint is used to validate that Ollama is running and reachable. Hexstrike itself communicates with Ollama via the OpenAI-compatible /v1 API.
Get Mukarram Ali’s stories in your inbox
Join Medium for free to get updates from this writer.
This API endpoint returns a JSON response that shows your installed models, their quantization levels, model sizes, modified dates, and file formats (such as GGUF). Seeing this output confirms that the Ollama service is running correctly, the API port 11434 is reachable, your models were downloaded successfully, and WSL is correctly using your local LLM models.
Expose Ollama to the Windows Host
Ollama binds to WSL only by default. We expose it safely using Windows port forwarding.
Get the WSL IP by running the hostname -I command(run inside WSL)
hostname -I
Example: 172.26.245.138Note: The WSL IP address changes on reboot. You’ll need to update the port proxy rules if your WSL IP changes.
Configure Windows Port Proxy (Run PowerShell as Administrator)
netsh interface portproxy add v4tov4 `
listenaddress=0.0.0.0 `
listenport=11434 `
connectaddress=172.26.245.138 `
connectport=11434Configure Windows Firewall
Allow inbound TCP traffic on port 11434:
New-NetFirewallRule `
-DisplayName "Allow Ollama 11434" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 11434 `
-Action AllowVerify:
netsh interface portproxy show all
netstat -ano | findstr 11434
(Optional) Restrict to Kali IP later if desired.
Verify Access from Kali
curl [http://192.168.2.151:11434/api/tags](http://192.168.2.151:11434/api/tags)
If models are returned, networking is correct.
Configure Hexstrike AI
Prepare Kali dependencies
sudo apt update -y
sudo apt install -y git python3 python3-venv python3-pip
Then inside the Hexstrike virtual environment:
python3 -m venv hexstrike-env
source hexstrike-env/bin/activate
pip install selenium beautifulsoup4 mitmproxy aiohttp requests psutil
Hexstrike AI relies on several Python libraries that must be installed inside a virtual environment. Installing dependencies in a virtual environment avoids polluting the system Python and prevents version conflicts. Depending on enabled features, some modules (e.g., Selenium or mitmproxy) may be optional.
Clone and install Hexstrike AI on Kali:
git clone https://github.com/0x4m4/Hexstrike-ai.git
cd Hexstrike-ai
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
Create a .env file in the Hexstrike directory:
nano .envPaste the following
OPENAI_API_BASE=http://<WINDOWS-HOST-IP>:11434/v1
OPENAI_API_KEY=ollama
OPENAI_MODEL=qwen2.5:7bNotes:
/v1 is Ollama’s OpenAI-compatible API.
The API key is a placeholder (Ollama does not require authentication).
Create a Simple Start Script (Recommended) to start the Hexstrike
This step avoids forgetting to export variables.
Create the script:
nano start_Hexstrike.sh#!/usr/bin/env bash
set -euo pipefail
cd "$(dirname "$0")"
# Load .env into environment
set -a
source .env
set +a
echo "[+] Starting Hexstrike with:"
echo " OPENAI_API_BASE=$OPENAI_API_BASE"
echo " OPENAI_API_KEY=$OPENAI_API_KEY"
echo " OPENAI_MODEL=$OPENAI_MODEL"
exec python3 Hexstrike_server.py --port 8888Make it executable and start Hexstrike
chmod +x start_Hexstrike.sh
./start_Hexstrike.sh
If Hexstrike starts successfully, it will bind locally on Kali at port 8888 (as configured above).
Notes:
/v1 is Ollama’s OpenAI‑compatible API
The API key is a placeholder (Ollama does not require authentication)
Proving Hexstrike Is Actually Using the LLM (Critical)
create a small script test_Hexstrike_ollama.py
#!/usr/bin/env python3
"""
Hexstrike-Ollama Connection Test
"""
import requests
import json
import sys
# Configuration
Hexstrike_URL = "http://192.168.2.154:8888" # Change if needed
OLLAMA_URL = "http://192.168.2.151:11434" # Ollama on same machine or WSL
def test_Hexstrike():
"""Test Hexstrike server connection"""
print("\n[*] Testing Hexstrike connection...")
try:
response = requests.get(f"{Hexstrike_URL}/health", timeout=5)
if response.status_code == 200:
print("✓ Hexstrike is running!")
print(f" Response: {response.json()}")
return True
else:
print(f"✗ Hexstrike returned status: {response.status_code}")
return False
except requests.exceptions.ConnectionError:
print("✗ Cannot connect to Hexstrike")
print(" Make sure it's running: python3 Hexstrike_server.py")
return False
except Exception as e:
print(f"✗ Error: {e}")
return False
def test_ollama():
"""Test Ollama connection"""
print("\n[*] Testing Ollama connection...")
try:
response = requests.get(f"{OLLAMA_URL}/api/tags", timeout=5)
if response.status_code == 200:
models = response.json().get('models', [])
print("✓ Ollama is running!")
print(f" Available models: {[m['name'] for m in models]}")
return True
else:
print(f"✗ Ollama returned status: {response.status_code}")
return False
except requests.exceptions.ConnectionError:
print("✗ Cannot connect to Ollama")
print(" Make sure it's running: ollama serve")
return False
except Exception as e:
print(f"✗ Error: {e}")
return False
def test_Hexstrike_tools():
"""Test Hexstrike tool listing"""
print("\n[*] Testing Hexstrike tools...")
try:
response = requests.get(f"{Hexstrike_URL}/api/tools/list", timeout=10)
if response.status_code == 200:
tools = response.json()
print(f"✓ Found {len(tools)} tools")
print(f" Sample tools: {tools[:5]}")
return True
else:
print(f"✗ Failed to get tools: {response.status_code}")
return False
except Exception as e:
print(f"✗ Error: {e}")
return False
def main():
print("="*60)
print("Hexstrike + Ollama Connection Test")
print("="*60)
Hexstrike_ok = test_Hexstrike()
ollama_ok = test_ollama()
if Hexstrike_ok:
test_Hexstrike_tools()
print("\n" + "="*60)
print("Summary:")
print(f" Hexstrike: {'✓ Ready' if Hexstrike_ok else '✗ Not running'}")
print(f" Ollama: {'✓ Ready' if ollama_ok else '✗ Not running'}")
print("="*60)
if Hexstrike_ok and ollama_ok:
print("\n✓ Both systems are ready! You can start pentesting.")
return 0
else:
print("\n✗ Fix the issues above before proceeding.")
return 1
if __name__ == "__main__":
sys.exit(main())Make it executable and run the script
chmod +x test_Hexstrike_ollama.py
python3 test_Hexstrike_ollama.py
Optional — AI‑Guided Pentest Script
This script demonstrates the real power of combining HexStrike
with a local LLM: autonomous, AI-driven penetration testing. Instead of
manually running commands, the AI analyzes results in real-time, decides
the next testing steps, and adapts its strategy based on findings.
The script includes:
- Built-in scope management to prevent testing out-of-scope targets
- AI-powered decision making for test strategy and tool selection
- Automatic vulnerability prioritization and remediation recommendations
- JSON report generation for documentation
This is where local LLMs shine in security work — your sensitive recon data
and findings never leave your infrastructure, while still benefiting from
AI-assisted analysis and decision-making.
Create an AI-Guided Pentest script ai_pentest_scoped.py to use with
HexStrike AI, and define your scope inside the file:
nano ai_pentest_scoped.pyPaste the following script
#!/usr/bin/env python3
"""
AI-Guided Penetration Testing with Scope Management
Combines Ollama AI decision-making with Hexstrike tools
"""
import requests
import json
import time
from datetime import datetime
# Configuration
Hexstrike = "http://192.168.2.154:8888"
OLLAMA = "http://192.168.2.151:11434"
OLLAMA_MODEL = "llama3.1:8b" # or "qwen2.5:7b"
# ============= SCOPE DEFINITION =============
SCOPE = {
"target": "example.com", # Main target
"target_type": "web_application", # Options: web_application, network, api, mobile
# In-scope items
"in_scope": [
"example.com",
"*.example.com", # All subdomains
# Add more in-scope targets
],
# Out-of-scope items (will be blocked)
"out_of_scope": [
"admin.example.com", # Example: admin panel
# Add sensitive areas
],
# Testing constraints
"constraints": {
"max_threads": 10,
"rate_limit": "100/minute", # Requests per minute
"time_limit": 3600, # Max test duration in seconds (1 hour)
"allowed_tools": [ # Restrict which tools can be used
"nmap", "subfinder", "whatweb", "nuclei",
"httpx", "nikto", "sqlmap", "gobuster"
],
"forbidden_tools": [ # Never use these
"metasploit", "hydra", "medusa" # No brute forcing
]
},
# Test objectives
"objectives": [
"subdomain_discovery",
"technology_detection",
"vulnerability_scanning",
"security_headers_check"
],
# Sensitivity level
"sensitivity": "moderate", # Options: passive, moderate, aggressive
# Authorization details
"authorization": {
"authorized_by": "Security Team",
"authorization_date": "2024-01-15",
"engagement_type": "authorized_pentest" # or "bug_bounty", "ctf"
}
}
# ============================================
def check_scope(target):
"""Verify target is within scope"""
# Check if target is in out_of_scope
for out in SCOPE['out_of_scope']:
if out in target:
return False, f"Target '{target}' is OUT OF SCOPE"
# Check if target matches in_scope patterns
for in_scope in SCOPE['in_scope']:
if '*' in in_scope:
# Wildcard matching
pattern = in_scope.replace('*.', '')
if pattern in target:
return True, f"Target '{target}' is IN SCOPE"
elif in_scope in target:
return True, f"Target '{target}' is IN SCOPE"
return False, f"Target '{target}' not found in scope definition"
def check_tool_allowed(tool):
"""Check if tool is allowed in scope"""
if tool in SCOPE['constraints']['forbidden_tools']:
return False, f"Tool '{tool}' is FORBIDDEN by scope"
if SCOPE['constraints']['allowed_tools'] and \
tool not in SCOPE['constraints']['allowed_tools']:
return False, f"Tool '{tool}' is NOT in allowed list"
return True, f"Tool '{tool}' is allowed"
def ask_ollama(question, context=""):
"""Ask Ollama for pentesting advice"""
full_prompt = f"""{context}
{question}
Remember: You are a professional penetration tester. Be specific and technical."""
try:
response = requests.post(f"{OLLAMA}/api/generate", json={
"model": OLLAMA_MODEL,
"prompt": full_prompt,
"stream": False,
"options": {
"temperature": 0.7,
"top_p": 0.9
}
}, timeout=60)
if response.status_code == 200:
return response.json()['response']
else:
return f"Error: Ollama returned {response.status_code}"
except Exception as e:
return f"Error communicating with Ollama: {e}"
def execute_Hexstrike_command(cmd, description=""):
"""Execute command via Hexstrike with error handling"""
print(f"[+] {description}")
print(f" Command: {cmd}")
try:
response = requests.post(f"{Hexstrike}/api/command",
json={"command": cmd},
timeout=300) # 5 min timeout
if response.status_code == 200:
result = response.json()
output = result.get('output', 'No output')
return True, output
else:
return False, f"HTTP Error {response.status_code}"
except Exception as e:
return False, f"Error: {e}"
def print_scope_summary():
"""Display scope information"""
print("\n" + "="*70)
print("PENETRATION TEST SCOPE")
print("="*70)
print(f"Target: {SCOPE['target']}")
print(f"Type: {SCOPE['target_type']}")
print(f"Sensitivity: {SCOPE['sensitivity']}")
print(f"Authorized by: {SCOPE['authorization']['authorized_by']}")
print(f"Date: {SCOPE['authorization']['authorization_date']}")
print(f"\nIn Scope:")
for item in SCOPE['in_scope']:
print(f" ✓ {item}")
print(f"\nOut of Scope:")
for item in SCOPE['out_of_scope']:
print(f" ✗ {item}")
print(f"\nObjectives:")
for obj in SCOPE['objectives']:
print(f" → {obj}")
print("="*70 + "\n")
def ai_guided_pentest():
"""Main AI-guided penetration testing function"""
# Display scope
print_scope_summary()
# Verify scope
in_scope, msg = check_scope(SCOPE['target'])
if not in_scope:
print(f"❌ {msg}")
print("Aborting test - target not in scope!")
return
print(f"✓ {msg}\n")
# Initialize report
report = {
"target": SCOPE['target'],
"start_time": datetime.now().isoformat(),
"scope": SCOPE,
"phases": []
}
target = SCOPE['target']
# Phase 1: AI Strategy Planning
print("\n" + "="*70)
print("PHASE 1: AI STRATEGY PLANNING")
print("="*70 + "\n")
planning_prompt = f"""As a penetration testing expert, create a testing strategy for:
Target: {target}
Type: {SCOPE['target_type']}
Sensitivity: {SCOPE['sensitivity']}
Available tools: {', '.join(SCOPE['constraints']['allowed_tools'])}
Objectives:
{chr(10).join('- ' + obj for obj in SCOPE['objectives'])}
Provide EXACTLY 4 specific testing steps. Format each as:
Step X: [tool_name] - [specific_command_flags] - [reason]
Example:
Step 1: whatweb - -a 3 {target} - Identify web technologies and frameworks
Step 2: subfinder - -d {target} -silent - Discover subdomains
Be concise and specific."""
print("[AI] 🤖 Planning reconnaissance strategy...")
strategy = ask_ollama(planning_prompt)
print(f"\n[AI] Strategy:\n{'-'*70}\n{strategy}\n{'-'*70}\n")
report['phases'].append({
"phase": "planning",
"strategy": strategy,
"timestamp": datetime.now().isoformat()
})
# Parse strategy to extract steps
steps = []
for line in strategy.split('\n'):
if line.strip().startswith(('Step', '1.', '2.', '3.', '4.')):
steps.append(line.strip())
print(f"[*] Identified {len(steps)} testing steps\n")
# Phase 2: Execute Reconnaissance
print("\n" + "="*70)
print("PHASE 2: RECONNAISSANCE")
print("="*70 + "\n")
phase_results = []
# Execute first few commands
commands_to_run = [
("whatweb", f"whatweb https://{target} -a 3", "Technology Detection"),
("httpx", f"echo https://{target} | httpx -status-code -tech-detect -title", "HTTP Probe"),
("subfinder", f"subfinder -d {target} -silent", "Subdomain Discovery"),
]
for tool, cmd, desc in commands_to_run:
# Check if tool is allowed
allowed, msg = check_tool_allowed(tool)
if not allowed:
print(f"⚠️ Skipping: {msg}\n")
continue
success, output = execute_Hexstrike_command(cmd, desc)
if success:
print(f"✓ Success (first 500 chars):")
print(f"{output[:500]}\n")
phase_results.append({
"tool": tool,
"command": cmd,
"success": True,
"output": output[:1000] # Store first 1000 chars
})
else:
print(f"✗ Failed: {output}\n")
phase_results.append({
"tool": tool,
"command": cmd,
"success": False,
"error": output
})
time.sleep(2) # Rate limiting
report['phases'].append({
"phase": "reconnaissance",
"results": phase_results,
"timestamp": datetime.now().isoformat()
})
# Phase 3: AI Analysis & Recommendations
print("\n" + "="*70)
print("PHASE 3: AI ANALYSIS")
print("="*70 + "\n")
# Combine results for AI analysis
results_summary = "\n".join([
f"{r['tool']}: {'Success' if r['success'] else 'Failed'}\n{r.get('output', r.get('error', ''))[:300]}"
for r in phase_results
])
analysis_prompt = f"""Analyze these penetration test results:
{results_summary}
Based on the findings:
1. Identify 2-3 key security findings
2. Recommend the next 2 testing actions (be specific with tools and targets)
3. Rate overall security posture (Low/Medium/High risk)
Be concise and actionable."""
print("[AI] 🤖 Analyzing results...")
analysis = ask_ollama(analysis_prompt, context="You are analyzing real penetration test results.")
print(f"\n[AI] Analysis:\n{'-'*70}\n{analysis}\n{'-'*70}\n")
report['phases'].append({
"phase": "analysis",
"analysis": analysis,
"timestamp": datetime.now().isoformat()
})
# Phase 4: Vulnerability Scanning (if in objectives)
if "vulnerability_scanning" in SCOPE['objectives']:
print("\n" + "="*70)
print("PHASE 4: VULNERABILITY SCANNING")
print("="*70 + "\n")
vuln_cmd = f"nuclei -u https://{target} -severity critical,high,medium -silent"
success, output = execute_Hexstrike_command(vuln_cmd, "Nuclei Vulnerability Scan")
if success and output.strip():
print(f"⚠️ Vulnerabilities Found:\n{output[:800]}\n")
# Ask AI to prioritize vulnerabilities
vuln_analysis_prompt = f"""Analyze these vulnerability scan results:
{output[:1000]}
Provide:
1. Top 3 most critical findings
2. Exploitation difficulty for each
3. Recommended remediation priority
Be specific and practical."""
print("[AI] 🤖 Prioritizing vulnerabilities...")
vuln_analysis = ask_ollama(vuln_analysis_prompt)
print(f"\n[AI] Vulnerability Analysis:\n{'-'*70}\n{vuln_analysis}\n{'-'*70}\n")
report['phases'].append({
"phase": "vulnerability_scanning",
"raw_output": output[:2000],
"ai_analysis": vuln_analysis,
"timestamp": datetime.now().isoformat()
})
else:
print("✓ No critical/high/medium vulnerabilities detected\n")
# Final Report
report['end_time'] = datetime.now().isoformat()
report['status'] = 'completed'
# Save report
filename = f"pentest_report_{SCOPE['target'].replace('.', '_')}_{datetime.now().strftime('%Y%m%d_%H%M%S')}.json"
with open(filename, 'w') as f:
json.dump(report, f, indent=2)
print("\n" + "="*70)
print("PENETRATION TEST COMPLETE")
print("="*70)
print(f"✓ Report saved: {filename}")
print(f"✓ Duration: {report['end_time']}")
print("\nAI-powered penetration test completed successfully! 🎉")
if __name__ == "__main__":
try:
ai_guided_pentest()
except KeyboardInterrupt:
print("\n\n⚠️ Test interrupted by user")
except Exception as e:
print(f"\n❌ Error: {e}")
import traceback
traceback.print_exc()Understanding the Script Flow:
1. Scope Validation: Checks target against defined in-scope/out-of-scope lists
2. AI Planning: LLM creates a custom testing strategy based on target type
3. Tool Execution: Runs reconnaissance tools (whatweb, subfinder, httpx)
4. Real-time Analysis: AI interprets results and identifies security findings
5. Adaptive Actions: Based on findings, AI recommends next testing phases
6. Vulnerability Scanning: Executes nuclei with AI-powered prioritization
7. Report Generation: Saves comprehensive JSON report with AI analysis
The script includes extensive safety controls , forbidden tools, rate
limiting, and authorization tracking, demonstrating production-ready
AI-assisted security automation.
Now, first run the Hexstrike:
./start_Hexstrike.sh
Open another tab on your Kali and run the script we created earlier
python3 ai_pentest_scoped.py You can rename the script whatever you want, and this is just a test/sample pentest script. You have open choices on how you want to proceed.
Ollama/WSL screenshot
Common Issues & Solutions:
1. Ollama won’t start in WSL
→ Try: ollama serve instead of systemctl
2. Can’t connect from Kali to Windows
→ Verify: Windows Firewall rule is active
→ Check: WSL IP hasn’t changed (reboot changes it)
3. Model download is slow
→ This is normal — the 8B model is ~4.7GB
4. “Connection refused” errors
→ Ensure: Port 11434 is open on both systems
→ Verify: Port proxy is configured correctly
Disclaimer
This article is published for educational and research purposes only. All examples, targets, and configurations are intended for authorized testing environments such as labs, deliberately vulnerable applications, or systems you explicitly own or have permission to assess.
Do not use the techniques described here against systems without proper authorization. The author assumes no responsibility for misuse.
Write a response
