erosolar-cli 1.5.2 → 1.5.4

package/dist/bin/alpha-zero/security/google.js

@@ -0,0 +1,308 @@
+/**
+ * Google Infrastructure Persistence Vector Research
+ *
+ * OPTIONAL MODULE - Only loaded when Google security research is enabled.
+ *
+ * Provides research tools for identifying persistence mechanisms
+ * in Google Cloud Platform and Google Workspace environments.
+ *
+ * AUTHORIZATION: Designed for authorized red team engagements and
+ * penetration testing of Google infrastructure under contract.
+ *
+ * Principal Investigator: Bo Shang
+ * Framework: erosolar-cli
+ */
+import { AuthorizationScope } from './core.js';
+/**
+ * Google services for persistence research
+ */
+export var GoogleService;
+(function (GoogleService) {
+    // Google Cloud Platform
+    GoogleService["GCP_COMPUTE"] = "gcp_compute_engine";
+    GoogleService["GCP_GKE"] = "gcp_kubernetes_engine";
+    GoogleService["GCP_CLOUD_FUNCTIONS"] = "gcp_cloud_functions";
+    GoogleService["GCP_IAM"] = "gcp_iam";
+    GoogleService["GCP_SERVICE_ACCOUNTS"] = "gcp_service_accounts";
+    GoogleService["GCP_CLOUD_STORAGE"] = "gcp_cloud_storage";
+    GoogleService["GCP_SECRETS_MANAGER"] = "gcp_secrets_manager";
+    // Google Workspace
+    GoogleService["WORKSPACE_GMAIL"] = "workspace_gmail";
+    GoogleService["WORKSPACE_DRIVE"] = "workspace_drive";
+    GoogleService["WORKSPACE_ADMIN"] = "workspace_admin";
+    GoogleService["WORKSPACE_APPS_SCRIPT"] = "workspace_apps_script";
+    // Google Identity
+    GoogleService["GOOGLE_OAUTH"] = "google_oauth";
+})(GoogleService || (GoogleService = {}));
+/**
+ * Categories of persistence mechanisms
+ */
+export var PersistenceCategory;
+(function (PersistenceCategory) {
+    PersistenceCategory["SERVICE_ACCOUNT_ABUSE"] = "service_account_abuse";
+    PersistenceCategory["IAM_POLICY_MODIFICATION"] = "iam_policy_modification";
+    PersistenceCategory["OAUTH_APP_CONSENT"] = "oauth_app_consent";
+    PersistenceCategory["API_KEYS"] = "api_keys";
+    PersistenceCategory["CLOUD_FUNCTION_TRIGGER"] = "cloud_function_trigger";
+    PersistenceCategory["APPS_SCRIPT_TRIGGER"] = "apps_script_trigger";
+    PersistenceCategory["DELEGATION_ABUSE"] = "delegation_abuse";
+})(PersistenceCategory || (PersistenceCategory = {}));
+/**
+ * GCP Persistence Vectors
+ */
+export const GCP_PERSISTENCE_VECTORS = {
+    sa_key_creation: {
+        name: 'Service Account Key Creation',
+        service: GoogleService.GCP_SERVICE_ACCOUNTS,
+        category: PersistenceCategory.SERVICE_ACCOUNT_ABUSE,
+        description: 'Create keys for service accounts to maintain API access',
+        techniqueId: 'T1098.001',
+        requiredPermissions: ['iam.serviceAccountKeys.create'],
+        detectionMethods: ['Cloud Audit Logs', 'Security Command Center'],
+        mitigations: ['Use Workload Identity', 'Key rotation policies'],
+        stealthRating: 2,
+    },
+    iam_binding: {
+        name: 'IAM Policy Binding',
+        service: GoogleService.GCP_IAM,
+        category: PersistenceCategory.IAM_POLICY_MODIFICATION,
+        description: 'Add IAM bindings for persistent access',
+        techniqueId: 'T1098.001',
+        requiredPermissions: ['resourcemanager.projects.setIamPolicy'],
+        detectionMethods: ['IAM audit logs', 'Policy monitoring'],
+        mitigations: ['IAM Recommender', 'Least privilege'],
+        stealthRating: 1,
+    },
+    cloud_function_backdoor: {
+        name: 'Cloud Function Backdoor',
+        service: GoogleService.GCP_CLOUD_FUNCTIONS,
+        category: PersistenceCategory.CLOUD_FUNCTION_TRIGGER,
+        description: 'Deploy function as persistent callback',
+        techniqueId: 'T1059',
+        requiredPermissions: ['cloudfunctions.functions.create'],
+        detectionMethods: ['Function deployment logs', 'Network monitoring'],
+        mitigations: ['Function allowlisting', 'Binary authorization'],
+        stealthRating: 3,
+    },
+};
+/**
+ * Workspace Persistence Vectors
+ */
+export const WORKSPACE_PERSISTENCE_VECTORS = {
+    oauth_consent: {
+        name: 'OAuth App Consent Persistence',
+        service: GoogleService.GOOGLE_OAUTH,
+        category: PersistenceCategory.OAUTH_APP_CONSENT,
+        description: 'Persist via OAuth app with broad scope consent',
+        techniqueId: 'T1550.001',
+        requiredPermissions: ['OAuth consent grant'],
+        detectionMethods: ['OAuth audit logs', 'App access reviews'],
+        mitigations: ['OAuth app restrictions', 'Consent monitoring'],
+        stealthRating: 4,
+    },
+    apps_script_trigger: {
+        name: 'Apps Script Trigger Persistence',
+        service: GoogleService.WORKSPACE_APPS_SCRIPT,
+        category: PersistenceCategory.APPS_SCRIPT_TRIGGER,
+        description: 'Create time/event triggers in Apps Script',
+        techniqueId: 'T1053',
+        requiredPermissions: ['Script Editor access'],
+        detectionMethods: ['Apps Script audit logs', 'Trigger inventory'],
+        mitigations: ['Apps Script restrictions', 'Trigger monitoring'],
+        stealthRating: 4,
+    },
+    drive_sharing: {
+        name: 'Drive Sharing Persistence',
+        service: GoogleService.WORKSPACE_DRIVE,
+        category: PersistenceCategory.DELEGATION_ABUSE,
+        description: 'Maintain access via shared drive permissions',
+        techniqueId: 'T1213',
+        requiredPermissions: ['Drive sharing permissions'],
+        detectionMethods: ['Drive audit logs', 'Sharing reports'],
+        mitigations: ['External sharing restrictions', 'DLP policies'],
+        stealthRating: 3,
+    },
+};
+/**
+ * Google Persistence Researcher
+ */
+export class GooglePersistenceResearcher {
+    constructor(authorization, verbose = false) {
+        this.testResults = [];
+        this.authorization = authorization;
+        this.verbose = verbose;
+    }
+    /**
+     * Check authorization
+     */
+    checkAuthorization() {
+        if (!this.authorization) {
+            throw new Error('No authorization record.');
+        }
+        const allowed = [
+            AuthorizationScope.OWNED_SYSTEMS,
+            AuthorizationScope.PENTEST_ENGAGEMENT,
+            AuthorizationScope.RED_TEAM,
+            AuthorizationScope.BUG_BOUNTY,
+        ];
+        if (!allowed.includes(this.authorization.scope)) {
+            throw new Error('Google research requires pentest/red team authorization.');
+        }
+    }
+    /**
+     * Get all Google persistence vectors
+     */
+    getAllVectors() {
+        return { ...GCP_PERSISTENCE_VECTORS, ...WORKSPACE_PERSISTENCE_VECTORS };
+    }
+    /**
+     * Get vectors by service
+     */
+    getVectorsByService(service) {
+        const all = this.getAllVectors();
+        return Object.values(all).filter(v => v.service === service);
+    }
+    /**
+     * Get vectors by category
+     */
+    getVectorsByCategory(category) {
+        const all = this.getAllVectors();
+        return Object.values(all).filter(v => v.category === category);
+    }
+    /**
+     * Get stealthy vectors
+     */
+    getStealthyVectors(minRating = 3) {
+        const all = this.getAllVectors();
+        return Object.values(all).filter(v => v.stealthRating >= minRating);
+    }
+    /**
+     * Analyze a persistence vector
+     */
+    analyzeVector(vectorId, targetProject) {
+        this.checkAuthorization();
+        const allVectors = this.getAllVectors();
+        if (!(vectorId in allVectors)) {
+            throw new Error(`Unknown vector: ${vectorId}`);
+        }
+        const vector = allVectors[vectorId];
+        if (!vector) {
+            throw new Error(`Unknown vector ID: ${vectorId}`);
+        }
+        const result = {
+            vector,
+            targetProject,
+            timestamp: Date.now(),
+            testable: true,
+            permissionsVerified: [],
+            missingPermissions: [],
+            detectionRisk: vector.stealthRating < 3 ? 'medium' : 'low',
+            notes: `Analysis for ${vector.name}`,
+        };
+        if (this.verbose) {
+            console.log(`[Google] Analyzing ${vector.name}`);
+            console.log(`  Service: ${vector.service}`);
+            console.log(`  Stealth: ${vector.stealthRating}/5`);
+        }
+        this.testResults.push(result);
+        return result;
+    }
+    /**
+     * Generate attack playbook
+     */
+    generateAttackPlaybook(targetProject, vectors) {
+        this.checkAuthorization();
+        const useVectors = vectors || Object.values(this.getAllVectors());
+        // Sort by stealth rating (stealthiest first)
+        const sorted = [...useVectors].sort((a, b) => b.stealthRating - a.stealthRating);
+        return {
+            target: targetProject,
+            generated: new Date().toISOString(),
+            authorization: {
+                scope: this.authorization.scope,
+                authorizedBy: this.authorization.authorizedBy,
+            },
+            vectors: sorted.map(v => ({
+                name: v.name,
+                service: v.service,
+                category: v.category,
+                stealthRating: v.stealthRating,
+                requiredPermissions: v.requiredPermissions,
+                detectionMethods: v.detectionMethods,
+            })),
+            recommendedOrder: sorted.map(v => v.name),
+            detectionCoverage: Array.from(new Set(sorted.flatMap(v => v.detectionMethods))),
+        };
+    }
+    /**
+     * Generate detection report (blue team)
+     */
+    generateDetectionReport() {
+        this.checkAuthorization();
+        const allVectors = this.getAllVectors();
+        const lines = [
+            '# Google Infrastructure Detection Guide',
+            '',
+            `Generated: ${new Date().toISOString()}`,
+            '',
+            '## Overview',
+            '',
+            `This guide covers ${Object.keys(allVectors).length} persistence vectors.`,
+            '',
+            '## Detection Methods',
+            '',
+        ];
+        // Group by detection method
+        const detectionMap = {};
+        for (const vector of Object.values(allVectors)) {
+            for (const method of vector.detectionMethods) {
+                if (!detectionMap[method]) {
+                    detectionMap[method] = [];
+                }
+                detectionMap[method].push(vector.name);
+            }
+        }
+        for (const [method, vectorNames] of Object.entries(detectionMap).sort()) {
+            lines.push(`### ${method}`);
+            lines.push('');
+            lines.push('Detects:');
+            for (const name of vectorNames) {
+                lines.push(`- ${name}`);
+            }
+            lines.push('');
+        }
+        lines.push('## Vectors by Stealth Rating');
+        lines.push('');
+        for (let rating = 5; rating >= 1; rating--) {
+            const vectorsAtRating = Object.values(allVectors).filter(v => v.stealthRating === rating);
+            if (vectorsAtRating.length > 0) {
+                lines.push(`### Stealth ${rating}/5`);
+                for (const v of vectorsAtRating) {
+                    lines.push(`- ${v.name} (${v.service})`);
+                }
+                lines.push('');
+            }
+        }
+        return lines.join('\n');
+    }
+}
+/**
+ * Create Google authorization
+ */
+export function createGoogleAuthorization(engagementType, authorizedBy, targetProject = '*', scopeNotes = '') {
+    const scopeMap = {
+        bug_bounty: AuthorizationScope.BUG_BOUNTY,
+        pentest: AuthorizationScope.PENTEST_ENGAGEMENT,
+        red_team: AuthorizationScope.RED_TEAM,
+        owned: AuthorizationScope.OWNED_SYSTEMS,
+    };
+    return {
+        scope: scopeMap[engagementType] || AuthorizationScope.PENTEST_ENGAGEMENT,
+        targetDomain: `*.googleapis.com,${targetProject}.iam.gserviceaccount.com`,
+        authorizedBy,
+        authorizationDate: new Date().toISOString(),
+        scopeLimitations: [],
+        outOfScope: [],
+        notes: scopeNotes || `Google ${engagementType} engagement`,
+    };
+}

package/dist/bin/alpha-zero/security/googleLoader.js

@@ -0,0 +1,40 @@
+/**
+ * Google Security Module Loader
+ *
+ * Provides lazy loading for the optional Google security research module.
+ *
+ * Principal Investigator: Bo Shang
+ * Framework: erosolar-cli
+ */
+let googleModule = null;
+/**
+ * Check if Google security research module is available
+ */
+export function isGoogleEnabled() {
+    if (googleModule !== null) {
+        return true;
+    }
+    try {
+        // Dynamic import check would go here
+        // For now, return true since we're creating the module
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Get the Google security research module (lazy load)
+ */
+export async function getGoogleModule() {
+    if (googleModule === null) {
+        try {
+            googleModule = await import('./google.js');
+        }
+        catch (error) {
+            throw new Error('Google security research module not available. ' +
+                'Ensure google.ts is built and available.');
+        }
+    }
+    return googleModule;
+}

package/dist/bin/alpha-zero/security/index.js

@@ -0,0 +1,31 @@
+/**
+ * Security Research Module for Alpha Zero 2
+ *
+ * OPTIONAL MODULE - Only loaded when security research is enabled.
+ *
+ * A modular security research framework with optional provider-specific extensions.
+ * All capabilities require explicit authorization.
+ *
+ * LEGAL NOTICE:
+ * These tools are intended for:
+ * - Authorized penetration testing engagements
+ * - Bug bounty programs with explicit scope
+ * - CTF competitions and security training
+ * - Red team exercises with written authorization
+ * - Security research on systems you own or have permission to test
+ *
+ * Structure:
+ * - core: Base authorization and reconnaissance (always available)
+ * - simulation: Attack simulation framework (always available)
+ * - google: Google Cloud/Workspace persistence research (optional)
+ *
+ * Principal Investigator: Bo Shang
+ * Framework: erosolar-cli
+ */
+// Re-export core security components
+export { AuthorizationScope, SecurityResearchEngine, createBugBountyAuthorization, createPentestAuthorization, createCtfAuthorization, } from './core.js';
+// Re-export simulation components
+export { AttackCategory, AttackPhase, AttackSimulator, PayloadGenerator, ATTACK_VECTORS, } from './simulation.js';
+// Google module is optional - export checker function
+export { isGoogleEnabled, getGoogleModule } from './googleLoader.js';
+export const SECURITY_VERSION = '1.0.0';

package/dist/bin/alpha-zero/security/simulation.js

@@ -0,0 +1,274 @@
+/**
+ * Attack Simulation Framework
+ *
+ * Provides controlled attack simulations for red team exercises.
+ * All simulations require explicit authorization.
+ *
+ * Principal Investigator: Bo Shang
+ * Framework: erosolar-cli
+ */
+import { AuthorizationScope } from './core.js';
+/**
+ * Categories of attack simulations
+ */
+export var AttackCategory;
+(function (AttackCategory) {
+    AttackCategory["RECONNAISSANCE"] = "reconnaissance";
+    AttackCategory["WEB_APPLICATION"] = "web_application";
+    AttackCategory["AUTHENTICATION"] = "authentication";
+    AttackCategory["INJECTION"] = "injection";
+    AttackCategory["MISCONFIGURATION"] = "misconfiguration";
+    AttackCategory["PRIVILEGE_ESCALATION"] = "privilege_escalation";
+    AttackCategory["DATA_EXFILTRATION"] = "data_exfiltration";
+})(AttackCategory || (AttackCategory = {}));
+/**
+ * MITRE ATT&CK inspired attack phases
+ */
+export var AttackPhase;
+(function (AttackPhase) {
+    AttackPhase["INITIAL_ACCESS"] = "initial_access";
+    AttackPhase["EXECUTION"] = "execution";
+    AttackPhase["PERSISTENCE"] = "persistence";
+    AttackPhase["PRIVILEGE_ESCALATION"] = "privilege_escalation";
+    AttackPhase["DEFENSE_EVASION"] = "defense_evasion";
+    AttackPhase["CREDENTIAL_ACCESS"] = "credential_access";
+    AttackPhase["DISCOVERY"] = "discovery";
+    AttackPhase["LATERAL_MOVEMENT"] = "lateral_movement";
+    AttackPhase["COLLECTION"] = "collection";
+    AttackPhase["EXFILTRATION"] = "exfiltration";
+    AttackPhase["IMPACT"] = "impact";
+})(AttackPhase || (AttackPhase = {}));
+/**
+ * Common attack vectors based on OWASP Top 10 and MITRE ATT&CK
+ */
+export const ATTACK_VECTORS = {
+    sql_injection: {
+        name: 'SQL Injection',
+        category: AttackCategory.INJECTION,
+        phase: AttackPhase.INITIAL_ACCESS,
+        description: 'Inject malicious SQL queries',
+        techniqueId: 'T1190',
+        prerequisites: ['web_application_identified', 'input_field_found'],
+        detectionMethods: ['WAF rules', 'Database monitoring'],
+        mitigations: ['Parameterized queries', 'Input validation'],
+    },
+    xss_reflected: {
+        name: 'Reflected XSS',
+        category: AttackCategory.WEB_APPLICATION,
+        phase: AttackPhase.INITIAL_ACCESS,
+        description: 'Inject scripts reflected to users',
+        techniqueId: 'T1189',
+        prerequisites: ['web_application_identified', 'reflection_point_found'],
+        detectionMethods: ['CSP reports', 'WAF XSS rules'],
+        mitigations: ['CSP', 'Output encoding', 'Input validation'],
+    },
+    ssrf: {
+        name: 'Server-Side Request Forgery',
+        category: AttackCategory.WEB_APPLICATION,
+        phase: AttackPhase.DISCOVERY,
+        description: 'Abuse server to make internal requests',
+        techniqueId: 'T1090',
+        prerequisites: ['url_parameter_found'],
+        detectionMethods: ['Outbound request monitoring'],
+        mitigations: ['URL allowlisting', 'Network segmentation'],
+    },
+    auth_bypass: {
+        name: 'Authentication Bypass',
+        category: AttackCategory.AUTHENTICATION,
+        phase: AttackPhase.INITIAL_ACCESS,
+        description: 'Bypass authentication mechanisms',
+        techniqueId: 'T1078',
+        prerequisites: ['auth_endpoint_identified'],
+        detectionMethods: ['Failed login monitoring', 'Session anomalies'],
+        mitigations: ['MFA', 'Strong session management'],
+    },
+    path_traversal: {
+        name: 'Path Traversal',
+        category: AttackCategory.WEB_APPLICATION,
+        phase: AttackPhase.COLLECTION,
+        description: 'Access files outside webroot',
+        techniqueId: 'T1083',
+        prerequisites: ['file_parameter_found'],
+        detectionMethods: ['Path pattern monitoring', 'WAF rules'],
+        mitigations: ['Input validation', 'Chroot/sandbox'],
+    },
+};
+/**
+ * Payload generator for security testing
+ */
+export class PayloadGenerator {
+    /**
+     * Generate SQL injection test payloads
+     */
+    static sqlInjectionPayloads() {
+        return [
+            "' OR '1'='1",
+            "'; DROP TABLE users--",
+            "1' AND '1'='1",
+            "1 UNION SELECT NULL--",
+            "admin'--",
+        ];
+    }
+    /**
+     * Generate XSS test payloads
+     */
+    static xssPayloads() {
+        return [
+            "<script>alert(1)</script>",
+            "<img src=x onerror=alert(1)>",
+            "javascript:alert(1)",
+            "<svg onload=alert(1)>",
+        ];
+    }
+    /**
+     * Generate path traversal test payloads
+     */
+    static pathTraversalPayloads() {
+        return [
+            "../../../etc/passwd",
+            "..\\..\\..\\windows\\system32\\config\\sam",
+            "....//....//....//etc/passwd",
+            "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
+        ];
+    }
+    /**
+     * Encode payload
+     */
+    static encodePayload(payload, encoding) {
+        switch (encoding) {
+            case 'base64':
+                return Buffer.from(payload).toString('base64');
+            case 'url':
+                return encodeURIComponent(payload);
+            case 'hex':
+                return Buffer.from(payload).toString('hex');
+            default:
+                return payload;
+        }
+    }
+}
+/**
+ * Attack simulator
+ */
+export class AttackSimulator {
+    constructor(authorization, verbose = false) {
+        this.results = [];
+        this.authorization = authorization;
+        this.verbose = verbose;
+    }
+    /**
+     * Check authorization
+     */
+    checkAuthorization(target) {
+        if (!this.authorization) {
+            throw new Error('No authorization record.');
+        }
+        // Attack simulations require stronger authorization
+        const allowed = [
+            AuthorizationScope.OWNED_SYSTEMS,
+            AuthorizationScope.PENTEST_ENGAGEMENT,
+            AuthorizationScope.RED_TEAM,
+            AuthorizationScope.CTF_COMPETITION,
+        ];
+        if (!allowed.includes(this.authorization.scope)) {
+            throw new Error('Simulations require pentest/red team authorization.');
+        }
+        const inScope = this.authorization.targetDomain.includes(target) ||
+            target.endsWith(this.authorization.targetDomain);
+        if (!inScope) {
+            throw new Error(`Target ${target} not in scope.`);
+        }
+    }
+    /**
+     * Simulate an attack vector
+     */
+    async simulateAttack(target, vectorId, dryRun = true) {
+        this.checkAuthorization(target);
+        if (!(vectorId in ATTACK_VECTORS)) {
+            throw new Error(`Unknown attack vector: ${vectorId}`);
+        }
+        const vector = ATTACK_VECTORS[vectorId];
+        if (!vector) {
+            throw new Error(`Unknown attack vector: ${vectorId}`);
+        }
+        const startTime = Date.now();
+        if (this.verbose) {
+            console.log(`[Simulation] ${vector.name} against ${target}`);
+            console.log(`  Technique: ${vector.techniqueId}`);
+            console.log(`  Dry run: ${dryRun}`);
+        }
+        const result = {
+            vector,
+            target,
+            timestamp: startTime,
+            success: false,
+            evidence: [],
+            artifacts: {
+                payloads: this.getPayloadsForVector(vectorId),
+                payloadCount: this.getPayloadsForVector(vectorId).length,
+            },
+            detectionTriggered: false,
+            durationMs: 0,
+            notes: `Dry run: ${dryRun}`,
+        };
+        if (!dryRun) {
+            result.notes = 'Live simulation not implemented for safety';
+        }
+        result.durationMs = Date.now() - startTime;
+        this.results.push(result);
+        return result;
+    }
+    /**
+     * Get payloads for a vector
+     */
+    getPayloadsForVector(vectorId) {
+        if (vectorId.includes('sql')) {
+            return PayloadGenerator.sqlInjectionPayloads();
+        }
+        if (vectorId.includes('xss')) {
+            return PayloadGenerator.xssPayloads();
+        }
+        if (vectorId.includes('path') || vectorId.includes('traversal')) {
+            return PayloadGenerator.pathTraversalPayloads();
+        }
+        return [];
+    }
+    /**
+     * Get vectors by category
+     */
+    getVectorsByCategory(category) {
+        return Object.values(ATTACK_VECTORS).filter(v => v.category === category);
+    }
+    /**
+     * Get vectors by phase
+     */
+    getVectorsByPhase(phase) {
+        return Object.values(ATTACK_VECTORS).filter(v => v.phase === phase);
+    }
+    /**
+     * Generate report
+     */
+    generateReport() {
+        const lines = [
+            '='.repeat(60),
+            'ATTACK SIMULATION REPORT',
+            '='.repeat(60),
+            `Generated: ${new Date().toISOString()}`,
+            `Target: ${this.authorization.targetDomain}`,
+            `Scope: ${this.authorization.scope}`,
+            `Simulations: ${this.results.length}`,
+            '',
+        ];
+        for (let i = 0; i < this.results.length; i++) {
+            const result = this.results[i];
+            if (!result)
+                continue;
+            lines.push(`[${i + 1}] ${result.vector.name}`);
+            lines.push(`    Target: ${result.target}`);
+            lines.push(`    Success: ${result.success}`);
+            lines.push(`    Duration: ${result.durationMs}ms`);
+            lines.push(`    Payloads: ${result.artifacts['payloadCount'] || 0}`);
+        }
+        return lines.join('\n');
+    }
+}