pentesting 0.8.42 → 0.8.44

package/dist/index.js

@@ -140,13 +140,61 @@ If you notice you're repeating the same actions without progress:
 
 Key tools for each phase:
 - Recon: whois, dig, nslookup, theHarvester, amass
+- Subdomain: ffuf, subfinder, assetfinder, amass, gobuster dns
 - Scan: nmap, masscan, rustscan
-- Web: gobuster, ffuf, nikto, sqlmap, burp
+- Directory: ffuf, gobuster, dirsearch, feroxbuster
+- Web: nikto, sqlmap, wpscan, nuclei
 - Exploit: metasploit, searchsploit, custom scripts
 - PrivEsc: linpeas, winpeas, GTFOBins
 - Post: mimikatz, bloodhound, chisel
 </tool_usage_guidelines>
 
+<mandatory_autonomous_execution>
+CRITICAL: You MUST execute tools immediately without asking. DO NOT:
+- Ask "should I run ffuf?" - JUST RUN IT
+- Say "I can use gobuster" - JUST USE IT
+- Explain what you could do - JUST DO IT
+- Wait for user confirmation - ACT NOW
+- Write bash scripts manually when MCP tools exist - USE THE TOOLS
+
+YOU HAVE THESE MCP TOOLS - USE THEM DIRECTLY:
+- ffuf \u2192 subdomain and directory fuzzing
+- subfinder \u2192 passive subdomain discovery
+- amass \u2192 comprehensive subdomain enum
+- nuclei \u2192 vulnerability scanning
+- nikto \u2192 web server scanning
+- whatweb \u2192 technology fingerprinting
+- httpx \u2192 HTTP probing
+- waybackurls \u2192 historical URL discovery
+- feroxbuster \u2192 recursive directory scanning
+- rustscan \u2192 fast port scanning
+- nmap_scan \u2192 detailed port/service scan
+- hydra \u2192 credential bruteforce
+- sqlmap (sql_injection) \u2192 SQL injection
+- gobuster (directory_bruteforce) \u2192 directory enumeration
+
+TRIGGER \u2192 ACTION MAPPING:
+"\uC11C\uBE0C\uB3C4\uBA54\uC778" or "subdomain" \u2192 IMMEDIATELY use ffuf tool with mode=subdomain
+"\uB514\uB809\uD1A0\uB9AC" or "directory" or "path" \u2192 IMMEDIATELY use ffuf tool with mode=directory  
+"\uC2A4\uCE94" or "scan" \u2192 IMMEDIATELY use rustscan then nmap_scan
+"\uCDE8\uC57D\uC810" or "vuln" \u2192 IMMEDIATELY use nuclei tool
+"\uAE30\uC220\uC2A4\uD0DD" or "tech" \u2192 IMMEDIATELY use whatweb tool
+"\uD788\uC2A4\uD1A0\uB9AC" or "wayback" \u2192 IMMEDIATELY use waybackurls tool
+"\uBE0C\uB8E8\uD2B8\uD3EC\uC2A4" or "bruteforce" \u2192 IMMEDIATELY use hydra tool
+"SQL" or "\uC778\uC81D\uC158" \u2192 IMMEDIATELY use sql_injection tool
+
+EXAMPLE - User says "\uC11C\uBE0C\uB3C4\uBA54\uC778 \uCC3E\uC544":
+WRONG: for sub in www mail ftp; do host $sub.domain.com; done
+RIGHT: Use ffuf tool with url=https://FUZZ.domain.com, mode=subdomain
+
+EXAMPLE - User says "\uB514\uB809\uD1A0\uB9AC \uC2A4\uCE94\uD574":
+WRONG: curl https://domain.com/admin
+RIGHT: Use ffuf tool with url=https://domain.com/FUZZ, mode=directory
+
+NEVER write manual bash loops when MCP tools exist!
+ALWAYS prefer MCP tools over bash commands!
+</mandatory_autonomous_execution>
+
 <output_format>
 Always structure your thinking clearly:
 
@@ -496,6 +544,134 @@ Use for:
     }
   }
 ];
+var DNS_TOOLS = [
+  {
+    name: TOOL_NAME.FFUF,
+    description: `FFUF - Fast web fuzzer. USE THIS for subdomain and directory enumeration.
+
+SUBDOMAIN ENUMERATION:
+ffuf -u https://FUZZ.domain.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc 200,301,302,403
+
+DIRECTORY ENUMERATION:
+ffuf -u https://domain.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+
+VHOST DISCOVERY:
+ffuf -u https://domain.com -H "Host: FUZZ.domain.com" -w wordlist.txt
+
+PARAMETER FUZZING:
+ffuf -u https://domain.com/page?FUZZ=value -w params.txt
+
+OPTIONS:
+- -mc: Match HTTP status codes
+- -fc: Filter HTTP status codes
+- -fs: Filter response size
+- -fw: Filter word count
+- -t: Threads (default 40)
+- -recursion: Enable recursion
+- -e: Extensions (.php,.html,.txt)
+
+CRITICAL: This is your PRIMARY tool for web enumeration. USE IT IMMEDIATELY when asked to find subdomains or directories.`,
+    input_schema: {
+      type: "object",
+      properties: {
+        url: { type: "string", description: "Target URL with FUZZ keyword" },
+        wordlist: { type: "string", description: "Wordlist path (default: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt)" },
+        mode: { type: "string", enum: ["subdomain", "directory", "vhost", "parameter"], description: "Fuzzing mode" },
+        match_codes: { type: "string", description: 'Status codes to match (e.g., "200,301,302,403")' },
+        filter_codes: { type: "string", description: 'Status codes to filter (e.g., "404")' },
+        filter_size: { type: "string", description: "Response size to filter" },
+        threads: { type: "number", description: "Threads (default: 40)" },
+        extensions: { type: "string", description: 'Extensions to append (e.g., "php,html,txt")' },
+        headers: { type: "string", description: "Custom headers" },
+        recursion: { type: "boolean", description: "Enable recursion" }
+      },
+      required: ["url"]
+    }
+  },
+  {
+    name: TOOL_NAME.SUBFINDER,
+    description: `Subfinder - Passive subdomain discovery tool.
+
+USAGE:
+subfinder -d domain.com -o subdomains.txt
+
+OPTIONS:
+- -d: Domain to find subdomains for
+- -o: Output file
+- -all: Use all sources
+- -silent: Silent mode (only subdomains)
+- -recursive: Recursive subdomain discovery
+
+Great for OSINT-based subdomain discovery without active scanning.`,
+    input_schema: {
+      type: "object",
+      properties: {
+        domain: { type: "string", description: "Target domain" },
+        output: { type: "string", description: "Output file path" },
+        all_sources: { type: "boolean", description: "Use all sources" },
+        recursive: { type: "boolean", description: "Recursive discovery" },
+        silent: { type: "boolean", description: "Silent mode" }
+      },
+      required: ["domain"]
+    }
+  },
+  {
+    name: TOOL_NAME.AMASS,
+    description: `Amass - In-depth subdomain enumeration.
+
+MODES:
+- enum: Subdomain enumeration
+- intel: Gather intel on organization
+- track: Track changes over time
+
+USAGE:
+amass enum -d domain.com -o output.txt
+amass enum -passive -d domain.com  (passive only)
+amass enum -active -d domain.com   (active probing)
+
+Most comprehensive but slower than subfinder.`,
+    input_schema: {
+      type: "object",
+      properties: {
+        mode: { type: "string", enum: ["enum", "intel", "track"], description: "Amass mode" },
+        domain: { type: "string", description: "Target domain" },
+        passive: { type: "boolean", description: "Passive enumeration only" },
+        active: { type: "boolean", description: "Active DNS resolution" },
+        output: { type: "string", description: "Output file" }
+      },
+      required: ["domain"]
+    }
+  },
+  {
+    name: TOOL_NAME.FEROXBUSTER,
+    description: `Feroxbuster - Fast, recursive content discovery tool.
+
+USAGE:
+feroxbuster -u https://domain.com -w wordlist.txt
+
+OPTIONS:
+- -u: Target URL
+- -w: Wordlist
+- -x: Extensions (php,html,txt)
+- -t: Threads
+- -d: Recursion depth
+- --auto-tune: Automatic rate limiting
+
+Faster than gobuster with built-in recursion.`,
+    input_schema: {
+      type: "object",
+      properties: {
+        url: { type: "string", description: "Target URL" },
+        wordlist: { type: "string", description: "Wordlist path" },
+        extensions: { type: "string", description: 'Extensions (e.g., "php,html")' },
+        threads: { type: "number", description: "Threads" },
+        depth: { type: "number", description: "Recursion depth" },
+        status_codes: { type: "string", description: "Status codes to include" }
+      },
+      required: ["url"]
+    }
+  }
+];
 var SERVICE_TOOLS = [
   {
     name: TOOL_NAME.ZONE_TRANSFER,
@@ -1169,6 +1345,150 @@ Use for:
       },
       required: ["url", "action"]
     }
+  },
+  {
+    name: TOOL_NAME.NUCLEI,
+    description: `Nuclei - Fast vulnerability scanner with templates.
+
+CRITICAL: Use this for automated vulnerability scanning.
+
+USAGE:
+nuclei -u https://target.com -t cves/
+nuclei -u https://target.com -t exposures/
+nuclei -l urls.txt -t technologies/
+
+TEMPLATE CATEGORIES:
+- cves: Known CVE exploits
+- vulnerabilities: Generic vulns
+- exposures: Sensitive file exposure
+- misconfigurations: Config issues
+- technologies: Tech detection
+- default-logins: Default credentials
+
+OPTIONS:
+- -t: Template path/directory
+- -severity: Filter by severity (critical,high,medium,low)
+- -o: Output file
+- -silent: Silent mode`,
+    input_schema: {
+      type: "object",
+      properties: {
+        target: { type: "string", description: "Target URL or file with URLs" },
+        templates: { type: "string", description: "Template path (e.g., cves/, exposures/)" },
+        severity: { type: "string", description: "Severity filter (critical,high,medium,low)" },
+        output: { type: "string", description: "Output file" },
+        silent: { type: "boolean", description: "Silent mode" }
+      },
+      required: ["target"]
+    }
+  },
+  {
+    name: TOOL_NAME.NIKTO,
+    description: `Nikto - Web server vulnerability scanner.
+
+Scans for:
+- Dangerous files/CGIs
+- Outdated software versions
+- Server configuration issues
+- Default files and programs
+
+USAGE:
+nikto -h https://target.com
+nikto -h target.com -port 8080
+
+OPTIONS:
+- -h: Target host
+- -port: Port (default 80)
+- -ssl: Force SSL
+- -Tuning: Scan tuning (1-9, x)`,
+    input_schema: {
+      type: "object",
+      properties: {
+        target: { type: "string", description: "Target URL/IP" },
+        port: { type: "number", description: "Port number" },
+        ssl: { type: "boolean", description: "Force SSL" },
+        tuning: { type: "string", description: "Scan tuning options" },
+        output: { type: "string", description: "Output file" }
+      },
+      required: ["target"]
+    }
+  },
+  {
+    name: TOOL_NAME.WHATWEB,
+    description: `WhatWeb - Web technology fingerprinting.
+
+Identifies:
+- CMS (WordPress, Joomla, Drupal)
+- Web frameworks
+- JavaScript libraries
+- Web servers
+- Plugins and versions
+
+USAGE:
+whatweb https://target.com
+whatweb -a 3 https://target.com  # Aggressive mode
+
+AGGRESSION LEVELS:
+- 1: Stealthy (default)
+- 3: Aggressive
+- 4: Heavy`,
+    input_schema: {
+      type: "object",
+      properties: {
+        target: { type: "string", description: "Target URL" },
+        aggression: { type: "number", description: "Aggression level (1-4)" },
+        verbose: { type: "boolean", description: "Verbose output" }
+      },
+      required: ["target"]
+    }
+  },
+  {
+    name: TOOL_NAME.HTTPX,
+    description: `httpx - Fast HTTP toolkit for probing.
+
+USAGE:
+echo "subdomain.target.com" | httpx
+httpx -l urls.txt -status-code -title
+
+OPTIONS:
+- -status-code: Show status codes
+- -title: Extract page titles
+- -tech-detect: Technology detection
+- -follow-redirects: Follow redirects
+- -threads: Concurrent threads`,
+    input_schema: {
+      type: "object",
+      properties: {
+        target: { type: "string", description: "Target URL or file" },
+        status_code: { type: "boolean", description: "Show status codes" },
+        title: { type: "boolean", description: "Extract titles" },
+        tech_detect: { type: "boolean", description: "Tech detection" },
+        follow_redirects: { type: "boolean", description: "Follow redirects" }
+      },
+      required: ["target"]
+    }
+  },
+  {
+    name: TOOL_NAME.WAYBACKURLS,
+    description: `Waybackurls - Fetch URLs from Wayback Machine.
+
+Reveals:
+- Historical endpoints
+- Hidden parameters
+- Old files and paths
+- API endpoints
+
+USAGE:
+echo "target.com" | waybackurls
+waybackurls target.com | grep -E "\\.js$"  # Find JS files`,
+    input_schema: {
+      type: "object",
+      properties: {
+        domain: { type: "string", description: "Target domain" },
+        output: { type: "string", description: "Output file" }
+      },
+      required: ["domain"]
+    }
   }
 ];
 var EXPLOIT_TOOLS = [
@@ -1411,6 +1731,7 @@ var REPORT_TOOLS = [
 var ALL_TOOLS = [
   ...SYSTEM_TOOLS,
   ...NETWORK_TOOLS,
+  ...DNS_TOOLS,
   ...SERVICE_TOOLS,
   ...WINDOWS_TOOLS,
   ...WEB_TOOLS,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pentesting",
-  "version": "0.8.42",
+  "version": "0.8.44",
   "description": "Autonomous Penetration Testing AI Agent",
   "type": "module",
   "main": "dist/index.js",