pentesting 0.40.6 → 0.41.0

package/dist/prompts/recon.md

@@ -16,6 +16,91 @@ Quickly, systematically, and thoroughly. Information is firepower.
 
 ## Reconnaissance Pipeline
 
+### Phase 0: OSINT — External Intelligence Gathering (BEFORE touching the target)
+
+> **Principle**: Data can come from ANYWHERE. A Docker image, a GitHub commit, a LinkedIn profile, a certificate log — every piece of information is ammunition. Cast the widest net possible.
+
+```bash
+# ── 0-1. Domain/IP Intelligence ──
+# WHOIS — registrant, contact, name servers, creation/expiry dates
+whois <target_domain>
+# Reverse DNS — find other domains on the same IP
+dig -x <target_ip>
+host <target_ip>
+# DNS records — all types (MX, TXT, NS, SOA, CNAME, AAAA)
+dig any <target_domain>
+dig txt <target_domain>     # SPF, DKIM, DMARC → email infrastructure
+dig mx <target_domain>      # mail servers → potential attack surface
+# DNS zone transfer attempt
+dig axfr @<ns_server> <target_domain>
+
+# ── 0-2. Subdomain & Related Asset Discovery ──
+# Certificate Transparency logs — discover subdomains via SSL certs
+web_search("site:crt.sh <target_domain>")
+curl -s "https://crt.sh/?q=%25.<target_domain>&output=json" | jq '.[].name_value' | sort -u
+# Passive subdomain enumeration
+subfinder -d <target_domain> -silent
+amass enum -passive -d <target_domain>
+
+# ── 0-3. Shodan/Censys — Internet-wide scan data ──
+web_search("<target_ip> site:shodan.io")
+web_search("<target_domain> site:censys.io")
+web_search("<target_ip> site:zoomeye.org")
+# → Reveals: open ports, banners, SSL certs, technologies, historical data
+
+# ── 0-4. Docker Hub / Container Registry Search ──
+# Many organizations accidentally publish internal tools, configs, or vulnerable images
+web_search("<company_name> site:hub.docker.com")
+web_search("<target_domain> docker image")
+web_search("<company_name> docker registry")
+# Check for exposed Docker registries
+curl -s http://<target>:5000/v2/_catalog 2>/dev/null
+curl -s http://<target>:5000/v2/<image>/tags/list 2>/dev/null
+# → Docker images may contain: hardcoded credentials, internal configs, source code
+
+# ── 0-5. GitHub/GitLab/Bitbucket — Source Code Intelligence ──
+web_search("<company_name> site:github.com")
+web_search("<target_domain> site:github.com password OR secret OR token OR key")
+web_search("<company_name> site:gitlab.com")
+# Search for leaked credentials, API keys, internal URLs
+web_search("<target_domain> \"password\" OR \"apikey\" OR \"secret\" site:github.com")
+web_search("<target_domain> filetype:env OR filetype:yml OR filetype:json site:github.com")
+# Check GitHub repos of discovered employees
+# → Repos may contain: .env files, config files, internal documentation, API specs
+
+# ── 0-6. Company OSINT — People & Organization ──
+web_search("<company_name> employees site:linkedin.com")      # → usernames, email format
+web_search("<company_name> technology stack")                   # → tech stack intel
+web_search("<company_name> careers developer")                  # → tech stack from job postings
+web_search("<target_domain> email format")                      # → firstname.lastname@domain
+# Email harvesting
+web_search("<target_domain> site:hunter.io")
+theHarvester -d <target_domain> -b all
+
+# ── 0-7. Historical & Cached Data ──
+web_search("<target_domain> site:web.archive.org")              # Wayback Machine snapshots
+# → Reveals: old endpoints, removed pages, config files, previous tech stack
+web_search("cache:<target_domain>")
+# Google dorking
+web_search("site:<target_domain> inurl:admin OR inurl:login OR inurl:dashboard")
+web_search("site:<target_domain> filetype:pdf OR filetype:doc OR filetype:xls")
+web_search("site:<target_domain> intitle:index.of")
+web_search("<target_domain> \"Not for public release\" OR \"internal use only\"")
+
+# ── 0-8. Paste Sites & Breach Data ──
+web_search("<target_domain> site:pastebin.com")
+web_search("<target_domain> breach OR leak OR dump")
+# → Leaked credentials can be sprayed against discovered services
+```
+
+**CRITICAL**: Record EVERY piece of intelligence found:
+- Company name, employees → potential usernames for brute force
+- Tech stack → targeted vulnerability research
+- Docker images → pull and analyze for hardcoded secrets
+- GitHub repos → clone and grep for credentials
+- Email format → build username lists
+- Old endpoints → test if still accessible
+
 ### Phase 1: Host Discovery
 ```bash
 # Quick ping sweep
@@ -110,6 +195,51 @@ browse_url(url, { extract_forms: true, extract_links: true })
 mitm_proxy({ target_host: "<target>", mode: "capture", duration: 30 })
 ```
 
+### Phase 5.5: Container / Cloud / Infrastructure Reconnaissance
+```bash
+# ── Detect Container Environment ──
+# Am I inside a container?
+cat /proc/1/cgroup 2>/dev/null | grep -i docker
+ls /.dockerenv 2>/dev/null
+cat /proc/self/mountinfo 2>/dev/null | grep -i overlay
+
+# ── Docker Reconnaissance (if Docker socket accessible) ──
+# Check for Docker socket (potential container escape!)
+ls -la /var/run/docker.sock 2>/dev/null
+curl -s --unix-socket /var/run/docker.sock http://localhost/version 2>/dev/null
+curl -s --unix-socket /var/run/docker.sock http://localhost/containers/json 2>/dev/null
+curl -s --unix-socket /var/run/docker.sock http://localhost/images/json 2>/dev/null
+# → Accessible Docker socket = likely container escape path
+
+# ── Kubernetes Reconnaissance ──
+# Check for K8s environment indicators
+env | grep -i kube
+cat /var/run/secrets/kubernetes.io/serviceaccount/token 2>/dev/null
+cat /var/run/secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null
+# K8s API from within pod
+curl -sk https://kubernetes.default.svc/api/v1/namespaces/ \
+  -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" 2>/dev/null
+
+# ── Cloud Metadata (SSRF or direct access) ──
+# AWS
+curl -s http://169.254.169.254/latest/meta-data/ 2>/dev/null
+curl -s http://169.254.169.254/latest/user-data/ 2>/dev/null
+# GCP
+curl -s -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/ 2>/dev/null
+# Azure
+curl -s -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01" 2>/dev/null
+
+# ── Exposed Docker Registries (external ports) ──
+nmap -Pn -p 5000,5001 --script http-title <target>
+curl -s http://<target>:5000/v2/_catalog 2>/dev/null
+# → List all images, then pull and analyze for secrets
+
+# ── CI/CD Environment Detection ──
+env | grep -iE "jenkins|gitlab|github|circleci|travis|buildkite|drone" 2>/dev/null
+ls -la /opt/jenkins /var/lib/jenkins 2>/dev/null
+# Jenkins exposed → web_search("Jenkins <version> exploit")
+```
+
 ### Phase 6: Version-Based CVE Search
 ```
 After confirming service version, immediately:

package/dist/prompts/strategy.md

@@ -19,7 +19,10 @@ PARALLEL:
 1. run_cmd({ command: "nmap -sV -sC -T4 --min-rate=1000 -p- <target>", background: true })
 2. run_cmd({ command: "nmap -sU --top-ports=100 -T4 <target>", background: true })
 3. web_search({ query: "<target_hostname_or_ip> site:shodan.io OR site:censys.io" })
-4. update_mission({ summary: "Black-box pentest: <target>. Phase: initial recon" })
+4. web_search({ query: "<company_or_domain> site:hub.docker.com OR site:github.com" })
+5. web_search({ query: "<target_domain> site:crt.sh" })     # Certificate Transparency
+6. run_cmd({ command: "whois <target_domain>", background: false })
+7. update_mission({ summary: "Black-box pentest: <target>. Phase: initial recon + OSINT" })
 ```
 Do NOT spend the first turn "planning." Start scanning and search simultaneously.
 When port scan completes, IMMEDIATELY for each open service:
@@ -101,11 +104,22 @@ Before deep-diving into any single vulnerability, MAXIMIZE your attack surface.
 ```
 Initial Discovery (broad)
 │
+├── OSINT → Company intel → Tech stack → Docker images → GitHub repos → Employee names
+│   ├── Docker Hub images → pull → grep for secrets, configs, internal URLs
+│   ├── GitHub repos → clone → search for .env, API keys, internal endpoints
+│   ├── Employee names + email format → username list → password spray
+│   ├── Job postings → technology stack → targeted exploit research
+│   ├── Certificate Transparency → subdomains → expand attack surface
+│   └── Wayback Machine → old endpoints, removed admin panels, config leaks
 ├── Port scan → Service fingerprint → Version → IMMEDIATE CVE search (per service)
 │   └── For EACH open service: web_search("{service} {version} exploit hacktricks")
 ├── Web: Content discovery (dirs, files, APIs, vhosts, JS analysis, source maps)
 ├── Web: Form/parameter enumeration → injection test candidates
 ├── Network: Internal services, routing tables, ARP tables
+├── Container/Cloud: Docker socket, K8s tokens, cloud metadata
+│   ├── Docker socket accessible → container escape → host access
+│   ├── K8s service account → cluster enumeration → lateral movement
+│   └── Cloud metadata → IAM credentials → cloud infrastructure access
 └── Every finding → does this OPEN a new attack surface?
     ├── Credentials → try on ALL other services (SSH, DB, RDP, web admin, FTP)
     ├── New subdomain/vhost → full recon on that too

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pentesting",
-  "version": "0.40.6",
+  "version": "0.41.0",
   "description": "Autonomous Penetration Testing AI Agent",
   "type": "module",
   "main": "dist/main.js",
@@ -23,7 +23,7 @@
     "test:watch": "vitest",
     "lint": "tsc --noEmit",
     "prepublishOnly": "npm run build",
-    "release": "npm run release:patch",
+    "release": "npm run release:patch && npm run release:docker",
     "publish:token": "npm publish --access public",
     "release:patch": "npm version patch && npm run build && npm run publish:token",
     "release:minor": "npm version minor && npm run build && npm run publish:token",