swarmhack-cli 1.5.0 → 2.1.0

package/README.md

@@ -2,16 +2,22 @@
 
 Neural swarm-based penetration testing framework.
 
-## What's New in v1.5.0
-
-- **23 Exploit Agents**: Full OWASP Top 10 coverage with 6 new agents (SessionFixation, DangerousMethods, DefaultCredentials, PrivilegeEscalation, MassAssignment, VulnerableComponents)
-- **Intelligence Bus**: 7 typed intel categories shared across all 23 agents (TargetProfile, WafProfile, CredentialIntel, NetworkIntel, FileSystemIntel, AuthStateIntel, ExploitPathIntel)
-- **Runtime Vulnerability Chaining**: Credentials/sessions from SQLi/AuthBypass automatically feed IDOR/PrivEsc/CSRF agents in a live chaining phase
-- **VulnerableComponents Agent (OWASP A06)**: 30 built-in CVE entries — fingerprints server versions from headers and matches against known vulnerabilities
-- **CVSS Score Fix**: Severity scores now correctly computed (was always 0.0 due to case mismatch)
-- **Performance**: SwarmHackConfig wrapped in Arc — eliminates deep clones on every agent spawn
-- **Agent Pool**: Increased to 25 concurrent slots for 23 agent types
-- **Live Validated**: 16 findings across 3 targets (demo.testfire.net, ginandjuice.shop, testasp.vulnweb.com) with 0 false positives
+## What's New in v2.0.0
+
+**v2.0.0 -- Major Release**
+
+- **Confidence Calibration System** -- Evidence-based confidence scoring (0.60-1.0) replacing fixed 1.0. Each finding's confidence reflects actual proof quality: heuristic detection (0.60), response pattern match (0.90), marker-based confirmation (0.99), synthesized from confirmed data (1.0).
+- **Full Kill Chain Automation** -- Single command executes: external web scan -> credential extraction -> SSH lateral movement -> privilege escalation -> SSH tunnel -> internal target scanning. Zero human intervention.
+- **Credential Correlation** -- 12 regex patterns extract credentials from HTML response bodies (SSH creds in admin pages, connection strings, API keys, Bearer tokens). Extracted creds automatically propagated via Intelligence Bus to SSH/auth agents.
+- **Privilege Escalation Chain Synthesis (ADR-009)** -- Post-processing creates standalone "www-data -> root" findings from CMDI post-exploitation data (sudo NOPASSWD, SUID binaries, Docker socket).
+- **.env File Deep Extraction** -- CMDI agent reads .env files via command injection, parses SSH/DB/API credentials with category classification (ssh_credential, database_credential, api_key, network_topology).
+- **Internal Tunnel Scanning (ADR-010)** -- After SSH pivot discovers dual-homed hosts, automatically opens SSH tunnel via portable-pty and spawns new kill chain against internal targets.
+- **SSRF CVE Correlation** -- 10-CVE payload map (CVE-2021-44224, ProxyLogon, Log4Shell, etc.). SSRF agent reads vulnerable_components findings and generates CVE-specific exploitation payloads.
+- **SQLi Time-Based Confirmation** -- 3-step verification: retry payload, send SLEEP(0) control, confirm only if retry delayed AND control fast. Eliminates jitter false positives.
+- **XXE Confidence Grading** -- Tiered confidence: heuristic-only (0.60), marker match (0.90), with deep exploitation output (1.0). OOB callback infrastructure ready (callback_url config).
+- **SONA Self-Learning (Phase 1)** -- Optional `--features self-learning` wires ruvector-sona for payload trajectory recording and adaptive recommendations.
+- **32 Exploit Agents** -- Added session_fixation, dangerous_methods, pivot, plus enhanced all ADR-003 agents with memory deduplication and Intelligence Bus integration.
+- **Smart Pivot Optimization** -- Port-scanned reachable hosts tried first, failed hosts skipped after timeout, SSH ConnectTimeout reduced to 3s for fast iteration.
 
 ## Installation
 
@@ -155,12 +161,67 @@ If npm installation fails, use Docker:
 docker run --rm \
   -v /var/run/docker.sock:/var/run/docker.sock \
   -v $(pwd)/reports:/app/reports \
-  prancer/swarmhack:0.1.0 \
+  prancer/swarmhack:2.0.0 \
   spawn --agents sqli --target "http://example.com" \
   --customer "your-customer" --token "your-token"
 ```
 
-## Available Agents (23)
+## Authenticated Scanning
+
+SwarmHack supports authenticated scanning using custom HTTP headers. This enables testing of post-authentication attack surfaces that are invisible to unauthenticated scans.
+
+### Using Session Cookies
+
+```bash
+swarmhack spawn \
+  --target "https://your-app.com" \
+  --header "Cookie: session=abc123def456" \
+  --token "$PRANCER_TOKEN" \
+  --customer "$PRANCER_CUSTOMER"
+```
+
+### Using Bearer Tokens
+
+```bash
+swarmhack spawn \
+  --target "https://api.your-app.com" \
+  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
+  --token "$PRANCER_TOKEN" \
+  --customer "$PRANCER_CUSTOMER"
+```
+
+### Using Multiple Headers
+
+```bash
+swarmhack spawn \
+  --target "https://your-app.com" \
+  --header "Cookie: session=abc123" \
+  --header "X-API-Key: your-api-key-here" \
+  --header "X-Tenant-ID: customer-123" \
+  --token "$PRANCER_TOKEN" \
+  --customer "$PRANCER_CUSTOMER"
+```
+
+### Using Basic Auth
+
+```bash
+swarmhack spawn \
+  --target "https://your-app.com" \
+  --header "Authorization: Basic YWRtaW46cGFzc3dvcmQ=" \
+  --token "$PRANCER_TOKEN" \
+  --customer "$PRANCER_CUSTOMER"
+```
+
+### Tips for Authenticated Scanning
+
+- **Get a fresh session token** before scanning -- expired sessions produce false negatives
+- **Use a test account** with appropriate permissions -- avoid scanning with admin credentials unless testing privilege escalation
+- **Set appropriate timeout** -- authenticated scans discover more endpoints, so allow more time: `--timeout 1200`
+- **Monitor session validity** -- some apps invalidate sessions after unusual activity patterns
+- The `--header` flag is repeatable -- add as many custom headers as needed
+- All agents (SQLi, XSS, CSRF, etc.) automatically include your custom headers in every request
+
+## Available Agents (32)
 
 | Agent | CWE | Description |
 |-------|-----|-------------|
@@ -187,6 +248,8 @@ docker run --rm \
 | `privilege_escalation` | CWE-862 | Function-level access control testing |
 | `mass_assignment` | CWE-915 | Mass assignment / parameter injection |
 | `vulnerable_components` | CWE-1035 | Version fingerprinting + CVE lookup (30 CVEs) |
+| `pivot` | — | SSH lateral movement, tunnel scanning, credential reuse |
+| `idor` (enhanced) | CWE-639 | Object reference enumeration with credential correlation |
 
 ## OCSF Reports
 
@@ -228,13 +291,28 @@ Get your token from [Prancer Portal](https://portal.prancer.io) → Settings →
 
 ## Changelog
 
+### v2.0.0
+- Confidence calibration system: evidence-based scoring (0.60-1.0) replacing fixed 1.0
+- Full kill chain automation: web scan -> credential extraction -> SSH pivot -> privilege escalation -> internal scanning
+- Credential correlation: 12 regex patterns, auto-propagation via Intelligence Bus
+- Privilege escalation chain synthesis (ADR-009): standalone www-data -> root findings
+- .env file deep extraction: SSH/DB/API credential parsing from command injection
+- Internal tunnel scanning (ADR-010): SSH tunnel via portable-pty for internal targets
+- SSRF CVE correlation: 10-CVE payload map (ProxyLogon, Log4Shell, etc.)
+- SQLi time-based confirmation: 3-step verification eliminates jitter false positives
+- XXE confidence grading: tiered 0.60/0.90/1.0 with OOB callback ready
+- SONA self-learning (Phase 1): ruvector-sona payload trajectory recording
+- 32 exploit agents (was 23): added pivot, enhanced all ADR-003 agents
+- Smart pivot optimization: port-scan prioritization, 3s SSH ConnectTimeout
+- Authenticated scanning: `--header` flag for session cookies, Bearer tokens, API keys
+
 ### v1.5.0
-- ADR-006: OWASP Top 10 full coverage — 6 new agents (SessionFixation, DangerousMethods, DefaultCredentials, PrivilegeEscalation, MassAssignment, VulnerableComponents)
+- ADR-006: OWASP Top 10 full coverage -- 6 new agents (SessionFixation, DangerousMethods, DefaultCredentials, PrivilegeEscalation, MassAssignment, VulnerableComponents)
 - Intelligence Bus: 7 typed intel categories shared across all 23 agents
 - Runtime vulnerability chaining: credentials/sessions feed consumer agents live
 - VulnerableComponents agent (OWASP A06): 30 built-in CVE entries
 - CVSS score fix (was always 0.0), GOAP precondition key unification
-- SwarmHackConfig wrapped in Arc (performance), agent pool 20→25
+- SwarmHackConfig wrapped in Arc (performance), agent pool 20->25
 - Live validated: 16 findings, 67 crown jewels, 0 false positives across 3 targets
 
 ### v1.4.0

package/config/swarmhack.yaml

@@ -193,6 +193,10 @@ agents:
     enabled: true
     max_candidates: 5
     pentest_mode: true
+    # ADR-010 Gap 2: OOB callback URL for XXE confirmation.
+    # Empty = OOB disabled, heuristic-only confidence capped at 0.70.
+    # Example: "https://your-interactsh-server.com"
+    callback_url: ""
   file_upload:
     enabled: true
     max_candidates: 5
@@ -229,6 +233,18 @@ agents:
     enabled: true
     max_candidates: 5
     pentest_mode: true
+  pivot:
+    enabled: true
+    max_candidates: 5
+    pentest_mode: true
+
+# ADR-010 Gap 5: Internal target scanning via SSH tunnel
+# After SSH pivot discovers internal hosts, automatically tunnel and scan them
+pivot_scan:
+  max_pivot_depth: 2          # Maximum tunnel hops (prevents infinite recursion)
+  auto_internal_scan: true    # Automatically scan internal targets after pivot
+  internal_scan_timeout_secs: 300  # Timeout for the entire internal scan
+  tunnel_base_port: 8881      # Base port for SSH tunnel local binding
 
 memory:
   agentdb:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "swarmhack-cli",
-  "version": "1.5.0",
+  "version": "2.1.0",
   "description": "SwarmHack - Neural swarm-based penetration testing framework",
   "author": "Prancer <support@prancer.io>",
   "license": "MIT",