Hacker-style AI Red Team Terminal — Multi-Model · Multi-Language · Full Automation
DeepSeek · Claude · GPT · GLM · Qwen · Ollama · Custom
Installation
macOS / Linux
curl -fsSL https://raw.githubusercontent.com/bingook/bingo/main/install.sh | bash
Or clone and install:
git clone https://github.com/bingook/bingo.git
cd bingo
bash install.sh
Windows
⚠️ Must be run in PowerShell (CMD is not supported). Start → search for PowerShell → right-click → Run as administrator
Method 1 (automatic install, recommended):
irm https://raw.githubusercontent.com/bingook/bingo/main/install.ps1 | iex
Method 2 (if you get an execution policy error):
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
irm https://raw.githubusercontent.com/bingook/bingo/main/install.ps1 | iex
Method 3 (manual install, no script, most reliable):
git clone https://github.com/bingook/bingo.git $env:USERPROFILE\bingo
cd $env:USERPROFILE\bingo
python -m pip install -e .
python -m bingo
Method 4 (when git is not available):
Invoke-WebRequest "https://github.com/bingook/bingo/archive/main.zip" -OutFile "$env:TEMP\bingo.zip" -UseBasicParsing
Expand-Archive "$env:TEMP\bingo.zip" "$env:USERPROFILE" -Force
Rename-Item "$env:USERPROFILE\bingo-main" "$env:USERPROFILE\bingo"
cd "$env:USERPROFILE\bingo"
python -m pip install -e .
python -m bingo
Requirements: Python 3.10+, PowerShell 5.1+
Usage
bingo # Start interactive chat
bingo scan <url> # Full automated red team scan
bingo --reset # Reset settings
bingo --version # Show version
On first run: select language → enter AI model API key → start chatting. Settings are saved automatically.
Core Features
Automated WAF Detection & Bypass
When a URL is mentioned in chat, bingo automatically:
- AI writes Python code to detect WAF from HTTP headers and response patterns
- Identifies WAF type (Cloudflare, AWS WAF, ModSecurity, Wordfence, etc.)
- Adapts injection payloads with encoding/obfuscation to bypass the WAF
- All steps are executed as real Python scripts — no external tool required
| WAF | Detection Method |
|---|---|
| Cloudflare | cf-ray header, block page signature |
| AWS WAF | x-amzn-requestid header, 403 pattern |
| ModSecurity | Server header, error page content |
Hash Cracking — Fully Automated
When password hashes appear in AI responses, bingo automatically:
Step 1 — Online Lookup (fast, no GPU needed):
| Site | Notes |
|---|---|
| CrackStation | Largest free DB |
| hashes.com | Multi-algorithm |
| md5decrypt.net | MD5 specialist |
| nivaura.com | SHA-1 / MD5 |
| cmd5.org | Asia-friendly |
Step 2 — Offline Crack (if online fails):
- john (John the Ripper)
- hashcat (GPU-accelerated, bcrypt)
- Python wordlist engine (rockyou.txt auto-detected)
Supported hash types: bcrypt, MD5, SHA-1, SHA-256, SHA-512, NTLM, MySQL41
Stop anytime: type /stop in chat.
External Tool Auto-Install & Python Fallback
bingo manages all external tools automatically — no manual setup required.
Tool execution priority:
| Step | Action |
|---|---|
| 1 | Use ~/.bingo/tools/ or system PATH |
| 2 | Auto-install (GitHub Releases / brew / apt) |
| 3 | AI-generated Python — AI writes the tool itself, workflow never stops |
Go binary tools (auto-downloaded from GitHub Releases → ~/.bingo/tools/):
| Tool | Purpose |
|---|---|
| nuclei | Vulnerability scanning |
| httpx | HTTP probing & tech detection |
| ffuf | Directory & parameter fuzzing |
| gobuster | Directory brute-force |
| subfinder | Subdomain enumeration |
| amass | Attack surface mapping |
Package manager tools (brew / apt / yum auto-install):
| Tool | Purpose | Fallback |
|---|---|---|
| nmap | Port scan | AI writes Python socket scan |
| nikto | Web vuln scan | AI writes Python vuln check |
| whatweb | Tech fingerprint | bingo http_probe |
AI-generated Python tools run directly — no external binary required.
Session Auto-Save
Every chat session is automatically saved to:
~/.config/bingo/sessions/session_YYYYMMDD_HHMMSS.md
Full AI responses, commands, and crack results are logged in real time.
Skill Engine
220+ red team skills auto-injected into AI context based on your input.
AI Refusal Bypass
All models (DeepSeek, Claude, GPT, GLM) are guided by a proprietary universal system prompt that enforces:
- Structured task execution with semantic delimiters
- OODA-loop based decision making (Observe → Orient → Decide → Act)
- Anti-laziness enforcement — explicit evidence required for every step
- 5-phase red team pipeline with intel accumulation and coverage tracking
Commands
Type / in chat to see an interactive command menu (arrow keys to navigate).
| Command | Description |
|---|---|
| /scan <url> | Quick recon: WAF + fingerprint + sensitive files |
| /waf <url> | AI-driven WAF detection + bypass |
| /crack [hash] | Hash crack — online lookup → offline crack pipeline |
| /stop | Stop running crack / scan |
| /tools | Show all tools + auto-install missing ones |
| /tools install <name> | Install a specific tool automatically |
| /tools install all | Install all missing tools at once |
| /model | Add or switch AI model |
| /skill <keyword> | Search skill knowledge base |
| /history | View conversation history |
| /export | Save conversation as .md file |
| /config | View current settings |
| /lang | Change language (ko / zh / en) |
| /clear | Clear screen |
| /quit | Exit |
/tools Usage
/tools # Show all tools — installed / missing / type
/tools install nmap # Auto-install nmap via brew/apt
/tools install nuclei ffuf # Auto-install multiple tools from GitHub Releases
/tools install all # Auto-install every missing tool
When running /tools, bingo also asks interactively:
지금 없는 도구를 모두 설치할까요? (y/N)
/crack Usage
/crack # Auto-extract hashes from last AI response
/crack $2y$10$Eix... # Crack a specific hash
/crack -w ~/Downloads/rockyou.txt # Use custom wordlist
bingo scan Full Pipeline
bingo scan https://target.com
Runs the full 5-phase red team pipeline:
- Recon — tech fingerprint, WAF detection, endpoint mapping
- Collect — sensitive files, admin panels, parameter discovery
- Test — SQLi, LFI, XSS, SSRF probing (AI writes Python probes)
- Exploit — WAF bypass + data extraction + credential dump
- Report — auto-generated markdown report in targets/
Supported Models
| Provider | Default Model | API |
|---|---|---|
| DeepSeek | deepseek-chat | platform.deepseek.com |
| Anthropic Claude | claude-opus-4-5 | console.anthropic.com |
| OpenAI GPT | gpt-4o | platform.openai.com |
| Zhipu GLM | glm-4 | open.bigmodel.cn |
| Alibaba Qwen | qwen-turbo | dashscope.aliyuncs.com |
| Ollama (local) | llama3 | ollama.com |
| Custom | — | Enter Base URL manually |
Switch models anytime with /model.
Languages
| Language | Code |
|---|---|
| 한국어 | ko |
| 中文 | zh |
| English | en |
Data Storage
| Data | Location | When |
|---|---|---|
| Chat sessions | ~/.config/bingo/sessions/session_*.md | Auto (real-time) |
| Scan reports | targets/report_<domain>.md | Auto on bingo scan |
| Command history | ~/.config/bingo/history | Auto |
| Manual export | ./bingo_chat_<timestamp>.md | /export command |
| Config | ~/.config/bingo/config.json | Auto |
| Go tools | ~/.bingo/tools/ | Auto on first use |
Config File
| OS | Path |
|---|---|
| macOS | ~/Library/Application Support/bingo/config.json |
| Linux | ~/.config/bingo/config.json |
| Windows | %APPDATA%\bingo\config.json |
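The session files record full AI responses, commands and crack results, so on a shared host these directories should not be readable by other accounts. The following is an added example, not part of bingo's code: it lists (and can tighten) anything under the paths from the tables above that grants group or other access. It assumes POSIX permission bits (macOS/Linux) and that config.json holds the API key entered at first run; `find_loose` and `tighten` are hypothetical helper names.

```python
import os
import stat
from pathlib import Path

# Locations taken from the Data Storage and Config File tables above.
BINGO_PATHS = [
    Path.home() / ".config" / "bingo",
    Path.home() / "Library" / "Application Support" / "bingo",
    Path.home() / ".bingo" / "tools",
]

LOOSE_BITS = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission


def find_loose(root):
    """Return sorted [(path, octal_mode)] for root and everything under it
    that grants any permission to group or other. Symlinks are skipped."""
    root = Path(root)
    if not root.exists():
        return []
    candidates = [root]
    if root.is_dir():
        for dirpath, dirnames, filenames in os.walk(root):
            candidates += [Path(dirpath) / n for n in dirnames + filenames]
    findings = []
    for p in candidates:
        st = p.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & LOOSE_BITS:
            findings.append((str(p), oct(mode)))
    return sorted(findings)


def tighten(root):
    """Strip group/other bits from every finding; return the paths changed."""
    changed = []
    for path, _ in find_loose(root):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~LOOSE_BITS)
        changed.append(path)
    return changed


if __name__ == "__main__":
    for base in BINGO_PATHS:
        for path, mode in find_loose(base):
            print(f"{mode} {path}")
```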
Project Structure
bingo/
├── bingo/
│ ├── cli.py # Entry point + onboarding
│ ├── config.py # Settings (cross-platform)
│ ├── models/
│ │ ├── base.py # Streaming HTTP (OpenAI-compatible + Claude)
│ │ ├── registry.py # Provider registry
│ │ └── system_prompt.py # Universal pentest prompt (all models)
│ ├── tools/
│ │ ├── registry.py # Tool detection (~/.bingo/tools/ + PATH + vendor)
│ │ ├── executor.py # 4-step: vendor → PATH → auto-install → Python fallback
│ │ ├── downloader.py # Go binary auto-download from GitHub Releases
│ │ ├── installer.py # brew / apt / pip auto-install
│ │ ├── http_probe.py # HTTP fingerprinting
│ │ ├── hash_crack.py # Offline hash cracker (bcrypt/MD5/SHA/NTLM)
│ │ └── hash_lookup.py # Online hash lookup (CrackStation, hashes.com, etc.)
│ ├── redteam/
│ │ └── phases/ # 5-phase pipeline (recon → report)
│ ├── skills/
│ │ └── engine.py # 220+ skill knowledge base
│ ├── ui/
│ │ └── terminal.py # Interactive terminal (slash autocomplete, auto-crack, /tools)
│ └── lang/
│ └── strings.py # Multi-language strings
├── install.sh # macOS/Linux installer
├── install.ps1 # Windows installer
└── pyproject.toml