swarmhack-cli 1.4.0 → 2.0.0

package/README.md

@@ -2,18 +2,22 @@
 
 Neural swarm-based penetration testing framework.
 
-## What's New in v1.3.0
-
-- **17 Exploit Agents**: SQLi, XSS, CMDI, CSRF, IDOR, AuthBypass, SSRF, LFI, SSTI, OpenRedirect, CORS, JWT, XXE, FileUpload, Deserialization, HTTPSmuggling + WebCrawler
-- **Recursive Swarm (ADR-004)**: Generation-based re-scanning with 6 trigger types — automatically re-scans with discovered credentials
-- **Pre-flight Authentication**: 5 auth methods (FormBased, JWT, Cookie, JSON, Custom) via `--auth config.json`
-- **Self-Learning Intelligence (ADR-005)**: SONA-backed payload learning, adaptive WAF evasion, rate limiting optimization
-- **Semantic Deduplication**: Two-level dedup (canonical key + HNSW vector similarity) catches near-duplicate findings
-- **Crown Jewel ML Matching**: Learns new crown jewel patterns beyond the 18 built-in regexes
-- **Real HNSW Index**: Replaced HashMap stub with actual approximate nearest neighbor search
-- **Checkpoint-on-Detection**: All 17 agents preserve findings before deep exploitation — no data loss on timeout
-- **UTF-8 Safety**: Fixed byte-slicing panics across 20 files (28 sites)
-- **OCSF 1.1.0 Reports**: Industry-standard vulnerability reports with generation lineage tracking
+## What's New in v2.0.0
+
+**v2.0.0 -- Major Release**
+
+- **Confidence Calibration System** -- Evidence-based confidence scoring (0.60-1.0) replacing fixed 1.0. Each finding's confidence reflects actual proof quality: heuristic detection (0.60), response pattern match (0.90), marker-based confirmation (0.99), synthesized from confirmed data (1.0).
+- **Full Kill Chain Automation** -- Single command executes: external web scan -> credential extraction -> SSH lateral movement -> privilege escalation -> SSH tunnel -> internal target scanning. Zero human intervention.
+- **Credential Correlation** -- 12 regex patterns extract credentials from HTML response bodies (SSH creds in admin pages, connection strings, API keys, Bearer tokens). Extracted creds automatically propagated via Intelligence Bus to SSH/auth agents.
+- **Privilege Escalation Chain Synthesis (ADR-009)** -- Post-processing creates standalone "www-data -> root" findings from CMDI post-exploitation data (sudo NOPASSWD, SUID binaries, Docker socket).
+- **.env File Deep Extraction** -- CMDI agent reads .env files via command injection, parses SSH/DB/API credentials with category classification (ssh_credential, database_credential, api_key, network_topology).
+- **Internal Tunnel Scanning (ADR-010)** -- After SSH pivot discovers dual-homed hosts, automatically opens SSH tunnel via portable-pty and spawns new kill chain against internal targets.
+- **SSRF CVE Correlation** -- 10-CVE payload map (CVE-2021-44224, ProxyLogon, Log4Shell, etc.). SSRF agent reads vulnerable_components findings and generates CVE-specific exploitation payloads.
+- **SQLi Time-Based Confirmation** -- 3-step verification: retry payload, send SLEEP(0) control, confirm only if retry delayed AND control fast. Eliminates jitter false positives.
+- **XXE Confidence Grading** -- Tiered confidence: heuristic-only (0.60), marker match (0.90), with deep exploitation output (1.0). OOB callback infrastructure ready (callback_url config).
+- **SONA Self-Learning (Phase 1)** -- Optional `--features self-learning` wires ruvector-sona for payload trajectory recording and adaptive recommendations.
+- **32 Exploit Agents** -- Added session_fixation, dangerous_methods, pivot, plus enhanced all ADR-003 agents with memory deduplication and Intelligence Bus integration.
+- **Smart Pivot Optimization** -- Port-scanned reachable hosts tried first, failed hosts skipped after timeout, SSH ConnectTimeout reduced to 3s for fast iteration.
 
 ## Installation
 
@@ -157,12 +161,67 @@ If npm installation fails, use Docker:
 docker run --rm \
   -v /var/run/docker.sock:/var/run/docker.sock \
   -v $(pwd)/reports:/app/reports \
-  prancer/swarmhack:0.1.0 \
+  prancer/swarmhack:2.0.0 \
   spawn --agents sqli --target "http://example.com" \
   --customer "your-customer" --token "your-token"
 ```
 
-## Available Agents (17)
+## Authenticated Scanning
+
+SwarmHack supports authenticated scanning using custom HTTP headers. This enables testing of post-authentication attack surfaces that are invisible to unauthenticated scans.
+
+### Using Session Cookies
+
+```bash
+swarmhack spawn \
+  --target "https://your-app.com" \
+  --header "Cookie: session=abc123def456" \
+  --token "$PRANCER_TOKEN" \
+  --customer "$PRANCER_CUSTOMER"
+```
+
+### Using Bearer Tokens
+
+```bash
+swarmhack spawn \
+  --target "https://api.your-app.com" \
+  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
+  --token "$PRANCER_TOKEN" \
+  --customer "$PRANCER_CUSTOMER"
+```
+
+### Using Multiple Headers
+
+```bash
+swarmhack spawn \
+  --target "https://your-app.com" \
+  --header "Cookie: session=abc123" \
+  --header "X-API-Key: your-api-key-here" \
+  --header "X-Tenant-ID: customer-123" \
+  --token "$PRANCER_TOKEN" \
+  --customer "$PRANCER_CUSTOMER"
+```
+
+### Using Basic Auth
+
+```bash
+swarmhack spawn \
+  --target "https://your-app.com" \
+  --header "Authorization: Basic YWRtaW46cGFzc3dvcmQ=" \
+  --token "$PRANCER_TOKEN" \
+  --customer "$PRANCER_CUSTOMER"
+```
+
+### Tips for Authenticated Scanning
+
+- **Get a fresh session token** before scanning -- expired sessions produce false negatives
+- **Use a test account** with appropriate permissions -- avoid scanning with admin credentials unless testing privilege escalation
+- **Set appropriate timeout** -- authenticated scans discover more endpoints, so allow more time: `--timeout 1200`
+- **Monitor session validity** -- some apps invalidate sessions after unusual activity patterns
+- The `--header` flag is repeatable -- add as many custom headers as needed
+- All agents (SQLi, XSS, CSRF, etc.) automatically include your custom headers in every request
+
+## Available Agents (32)
 
 | Agent | CWE | Description |
 |-------|-----|-------------|
@@ -183,6 +242,14 @@ docker run --rm \
 | `file_upload` | CWE-434 | File upload vulnerabilities |
 | `deserialization` | CWE-502 | Insecure deserialization |
 | `http_smuggling` | CWE-444 | HTTP request smuggling (CL.TE/TE.CL) |
+| `session_fixation` | CWE-384 | Session fixation and invalidation testing |
+| `dangerous_methods` | CWE-16 | Dangerous HTTP methods (TRACE/XST, PUT upload) |
+| `default_credentials` | CWE-798 | Default credential scanning (20 pairs) |
+| `privilege_escalation` | CWE-862 | Function-level access control testing |
+| `mass_assignment` | CWE-915 | Mass assignment / parameter injection |
+| `vulnerable_components` | CWE-1035 | Version fingerprinting + CVE lookup (30 CVEs) |
+| `pivot` | — | SSH lateral movement, tunnel scanning, credential reuse |
+| `idor` (enhanced) | CWE-639 | Object reference enumeration with credential correlation |
 
 ## OCSF Reports
 
@@ -224,6 +291,37 @@ Get your token from [Prancer Portal](https://portal.prancer.io) → Settings →
 
 ## Changelog
 
+### v2.0.0
+- Confidence calibration system: evidence-based scoring (0.60-1.0) replacing fixed 1.0
+- Full kill chain automation: web scan -> credential extraction -> SSH pivot -> privilege escalation -> internal scanning
+- Credential correlation: 12 regex patterns, auto-propagation via Intelligence Bus
+- Privilege escalation chain synthesis (ADR-009): standalone www-data -> root findings
+- .env file deep extraction: SSH/DB/API credential parsing from command injection
+- Internal tunnel scanning (ADR-010): SSH tunnel via portable-pty for internal targets
+- SSRF CVE correlation: 10-CVE payload map (ProxyLogon, Log4Shell, etc.)
+- SQLi time-based confirmation: 3-step verification eliminates jitter false positives
+- XXE confidence grading: tiered 0.60/0.90/1.0 with OOB callback ready
+- SONA self-learning (Phase 1): ruvector-sona payload trajectory recording
+- 32 exploit agents (was 23): added pivot, enhanced all ADR-003 agents
+- Smart pivot optimization: port-scan prioritization, 3s SSH ConnectTimeout
+- Authenticated scanning: `--header` flag for session cookies, Bearer tokens, API keys
+
+### v1.5.0
+- ADR-006: OWASP Top 10 full coverage -- 6 new agents (SessionFixation, DangerousMethods, DefaultCredentials, PrivilegeEscalation, MassAssignment, VulnerableComponents)
+- Intelligence Bus: 7 typed intel categories shared across all 23 agents
+- Runtime vulnerability chaining: credentials/sessions feed consumer agents live
+- VulnerableComponents agent (OWASP A06): 30 built-in CVE entries
+- CVSS score fix (was always 0.0), GOAP precondition key unification
+- SwarmHackConfig wrapped in Arc (performance), agent pool 20->25
+- Live validated: 16 findings, 67 crown jewels, 0 false positives across 3 targets
+
+### v1.4.0
+- Hybrid execution mode (Kill Chain + AEL amplification)
+- SPA false positive elimination
+- Auth crawling and OCSF auth tracking
+- Common endpoint discovery (107 paths)
+- Version bump and CI adjustments
+
 ### v1.3.0
 - ADR-005: Self-learning intelligence layer (SONA, WAF evasion learning, adaptive rate limiting)
 - ADR-005: Semantic deduplication + crown jewel ML matching

package/config/swarmhack.yaml

@@ -193,6 +193,10 @@ agents:
     enabled: true
     max_candidates: 5
     pentest_mode: true
+    # ADR-010 Gap 2: OOB callback URL for XXE confirmation.
+    # Empty = OOB disabled, heuristic-only confidence capped at 0.70.
+    # Example: "https://your-interactsh-server.com"
+    callback_url: ""
   file_upload:
     enabled: true
     max_candidates: 5
@@ -205,6 +209,42 @@ agents:
     enabled: true
     max_candidates: 5
     pentest_mode: true
+  session_fixation:
+    enabled: true
+    max_candidates: 3
+    pentest_mode: true
+  dangerous_methods:
+    enabled: true
+    max_candidates: 5
+    pentest_mode: true
+  default_credentials:
+    enabled: true
+    max_candidates: 3
+    pentest_mode: true
+  privilege_escalation:
+    enabled: true
+    max_candidates: 5
+    pentest_mode: true
+  mass_assignment:
+    enabled: true
+    max_candidates: 5
+    pentest_mode: true
+  vulnerable_components:
+    enabled: true
+    max_candidates: 5
+    pentest_mode: true
+  pivot:
+    enabled: true
+    max_candidates: 5
+    pentest_mode: true
+
+# ADR-010 Gap 5: Internal target scanning via SSH tunnel
+# After SSH pivot discovers internal hosts, automatically tunnel and scan them
+pivot_scan:
+  max_pivot_depth: 2          # Maximum tunnel hops (prevents infinite recursion)
+  auto_internal_scan: true    # Automatically scan internal targets after pivot
+  internal_scan_timeout_secs: 300  # Timeout for the entire internal scan
+  tunnel_base_port: 8881      # Base port for SSH tunnel local binding
 
 memory:
   agentdb:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "swarmhack-cli",
-  "version": "1.4.0",
+  "version": "2.0.0",
   "description": "SwarmHack - Neural swarm-based penetration testing framework",
   "author": "Prancer <support@prancer.io>",
   "license": "MIT",