swarmhack-cli 2.1.0 → 2.3.1

package/README.md

@@ -2,22 +2,47 @@
 
 Neural swarm-based penetration testing framework.
 
-## What's New in v2.0.0
-
-**v2.0.0 -- Major Release**
-
-- **Confidence Calibration System** -- Evidence-based confidence scoring (0.60-1.0) replacing fixed 1.0. Each finding's confidence reflects actual proof quality: heuristic detection (0.60), response pattern match (0.90), marker-based confirmation (0.99), synthesized from confirmed data (1.0).
-- **Full Kill Chain Automation** -- Single command executes: external web scan -> credential extraction -> SSH lateral movement -> privilege escalation -> SSH tunnel -> internal target scanning. Zero human intervention.
-- **Credential Correlation** -- 12 regex patterns extract credentials from HTML response bodies (SSH creds in admin pages, connection strings, API keys, Bearer tokens). Extracted creds automatically propagated via Intelligence Bus to SSH/auth agents.
-- **Privilege Escalation Chain Synthesis (ADR-009)** -- Post-processing creates standalone "www-data -> root" findings from CMDI post-exploitation data (sudo NOPASSWD, SUID binaries, Docker socket).
-- **.env File Deep Extraction** -- CMDI agent reads .env files via command injection, parses SSH/DB/API credentials with category classification (ssh_credential, database_credential, api_key, network_topology).
-- **Internal Tunnel Scanning (ADR-010)** -- After SSH pivot discovers dual-homed hosts, automatically opens SSH tunnel via portable-pty and spawns new kill chain against internal targets.
-- **SSRF CVE Correlation** -- 10-CVE payload map (CVE-2021-44224, ProxyLogon, Log4Shell, etc.). SSRF agent reads vulnerable_components findings and generates CVE-specific exploitation payloads.
-- **SQLi Time-Based Confirmation** -- 3-step verification: retry payload, send SLEEP(0) control, confirm only if retry delayed AND control fast. Eliminates jitter false positives.
-- **XXE Confidence Grading** -- Tiered confidence: heuristic-only (0.60), marker match (0.90), with deep exploitation output (1.0). OOB callback infrastructure ready (callback_url config).
-- **SONA Self-Learning (Phase 1)** -- Optional `--features self-learning` wires ruvector-sona for payload trajectory recording and adaptive recommendations.
-- **32 Exploit Agents** -- Added session_fixation, dangerous_methods, pivot, plus enhanced all ADR-003 agents with memory deduplication and Intelligence Bus integration.
-- **Smart Pivot Optimization** -- Port-scanned reachable hosts tried first, failed hosts skipped after timeout, SSH ConnectTimeout reduced to 3s for fast iteration.
+## What's New in v2.5.0
+
+**v2.5.0 -- Multi-Target Campaign + Network Intelligence + Host Recon**
+
+- **Multi-target campaigns** -- `--target-list` accepts comma-separated IPs, URLs, hostnames, and CIDR ranges. Scan entire networks in one command.
+- **CIDR expansion** -- `--target-list 10.0.0.0/24` expands to 254 hosts automatically.
+- **Campaign intelligence graph** -- Credentials found on Host A are automatically seeded to Host B (petgraph + DashMap property graph).
+- **Unified OCSF report** -- Single `mission-*.json` with all targets' findings combined. Per-target reports moved to `reports/per-target/`.
+- **Network attack path visualization** -- D3.js HTML showing all hosts as topology with device types, findings grouped per host, detail panel on click, intel flow bottom panel.
+- **Host recon** -- Reverse DNS + HTTP banner + MAC vendor lookup. Device type classification: Router, Printer, NAS, IP Camera, Web Server.
+- **Graceful unreachable skip** -- Offline hosts skipped with one-line message instead of verbose error. Prior scan data included in campaign report.
+- **Default credential fallback** -- SMB/WinRM agents try vagrant:vagrant and other defaults when campaign creds fail on non-domain hosts.
+- **Network agent findings fix** -- AD agent findings now included in OCSF report and CLI display (was silently dropped).
+- **Quiet campaign mode** -- Per-target "MISSION COMPLETE" banners suppressed; single campaign summary shown.
+- **49 regression tests** (was 37) across 15 categories.
+- **GOAD assessment** -- Comprehensive mapping of 38 GOAD attack paths vs SwarmHack capabilities.
+- **46 agents total** (23 web + 23 AD/network).
+
+**v2.4.0 -- AD Data Quality + Mandatory Auth + External Tool Documentation**
+
+- Mandatory Prancer Portal authentication (offline mode removed)
+- AD finding categorization (CWE-307/521/522 → "authentication")
+- Dynamic resource type from URL scheme
+- Compliance mappings for AD CWEs
+- LDIF base64 parsing, password policy guard, trust direction decoding
+- Crown jewel dedup across merged findings
+- External tool documentation (38 binaries)
+
+**v2.1.0 -- Quality, OCSF Compliance & Service-Driven Discovery Foundation**
+
+- **Agent Plugin Registry (ADR-011)** -- Scalable plugin system: adding a new agent is one file + one registry line. 26 plugins registered (23 legacy web agents + nmap scanner + FTP probe + SSH probe). Foundation for 100+ agents.
+- **Nmap-First Port Discovery** -- Every mission starts with nmap port/service discovery (canonical entry point). Discovered services route to the correct agents automatically via ServiceRouter. Falls back to URL-based inference when nmap is unavailable.
+- **FTP & SSH Probe Agents** -- New non-HTTP agents: FTP anonymous login + default credential testing, SSH banner analysis + weak version CVE detection. First protocol-aware agents beyond HTTP.
+- **OCSF 1.1.0 Full Compliance** -- `type_uid` corrected to 600105, `severity_id` added at finding level, crown jewel deduplication by (category, value), findings sorted by generation ascending + risk_score descending.
+- **Crown Jewel Sanitization** -- 5-rule system: short values always full, api_key never truncated, credential summaries up to 200 chars, session tokens format-preserving (`PHPSESSID=abcd...wxyz`), fallback 500-char cap.
+- **False Positive Elimination** -- LFI agent filters PHP payloads on ASP.NET/IIS targets, IDOR agent no longer fabricates synthetic parameters, Default Credentials uses discovered form field names, CVE-2021-31166 version rule narrowed.
+- **Risk Score Calibration** -- Info=1.0, Low=3.0, Medium=5.0, High=7.5, Critical=10.0 base scores. robots.txt now scores ~0.2 (was 0.9), SQLi auth bypass scores ~9.0 (was 5.63).
+- **Security Fixes** -- Shell injection in askpass helper patched, TLS verification restored in file_upload/xxe agents, PII redaction in OCSF reports.
+- **CI Pipeline** -- `cargo test` + `cargo clippy` now run on every push/PR (was build-only).
+- **Version Banner** -- Uses `CARGO_PKG_VERSION` (no more hardcoded v1.0.0).
+- **83 new regression tests** -- 46 for v2.1.0 quality fixes + 37 for ADR-011 Phase 1.
 
 ## Installation
 
@@ -51,13 +76,59 @@ SwarmHack includes a default configuration file (`config/swarmhack.yaml`) that i
 
 ## CLI Usage
 
+### Single Target
+
 ```bash
-# Run SQL injection scan (local mode - default)
-swarmhack spawn --agents sqli \
+# Full kill chain scan
+swarmhack spawn \
+  --target "http://example.com" \
+  --customer "your-customer" \
+  --token "your-token"
+
+# Specific agents only
+swarmhack spawn --agents sqli,xss,csrf \
   --target "http://example.com" \
   --customer "your-customer" \
   --token "your-token"
 
+# AD domain controller scan
+swarmhack spawn \
+  --target 192.168.56.10 \
+  --customer "your-customer" \
+  --token "your-token"
+```
+
+### Multi-Target Campaign (NEW in v2.5.0)
+
+```bash
+# Scan multiple targets — credentials from Host A are shared with Host B
+swarmhack spawn \
+  --target-list "192.168.56.10,192.168.56.11,10.0.0.1" \
+  --customer "your-customer" \
+  --token "your-token"
+
+# Scan entire subnet (CIDR)
+swarmhack spawn \
+  --target-list "10.0.0.0/24" \
+  --customer "your-customer" \
+  --token "your-token"
+
+# Mixed targets: IPs + URLs + hostnames + CIDR
+swarmhack spawn \
+  --target-list "192.168.56.10,https://app.corp.local,10.0.0.0/24" \
+  --customer "your-customer" \
+  --token "your-token"
+```
+
+Campaign output:
+- Unified `mission-*.json` with all findings across all targets
+- `mission-*-attack-path.html` showing network topology with all hosts
+- Per-target reports in `reports/per-target/`
+- Unreachable hosts gracefully skipped
+
+### Docker Mode
+
+```bash
 # Run in Docker mode (isolated execution)
 swarmhack spawn --agents sqli \
   --target "http://example.com" \
@@ -161,7 +232,7 @@ If npm installation fails, use Docker:
 docker run --rm \
   -v /var/run/docker.sock:/var/run/docker.sock \
   -v $(pwd)/reports:/app/reports \
-  prancer/swarmhack:2.0.0 \
+  prancer/swarmhack:2.5.0 \
   spawn --agents sqli --target "http://example.com" \
   --customer "your-customer" --token "your-token"
 ```
@@ -221,7 +292,7 @@ swarmhack spawn \
 - The `--header` flag is repeatable -- add as many custom headers as needed
 - All agents (SQLi, XSS, CSRF, etc.) automatically include your custom headers in every request
 
-## Available Agents (32)
+## Available Agents (46)
 
 | Agent | CWE | Description |
 |-------|-----|-------------|
@@ -250,26 +321,72 @@ swarmhack spawn \
 | `vulnerable_components` | CWE-1035 | Version fingerprinting + CVE lookup (30 CVEs) |
 | `pivot` | — | SSH lateral movement, tunnel scanning, credential reuse |
 | `idor` (enhanced) | CWE-639 | Object reference enumeration with credential correlation |
+| `nmap_scanner` | — | Port discovery, service detection, NSE vulnerability scanning |
+| `ftp_probe` | CWE-287 | FTP anonymous login, default credentials, banner analysis |
+| `ssh_probe` | CWE-327 | SSH banner analysis, weak version CVE detection |
+| `ldap_enum` | CWE-284 | AD enumeration (10 categories: users, SPNs, delegation, trusts, policy) |
+| `ldap_spray` | CWE-307 | LDAP password spray with lockout-safe threshold detection |
+| `kerberos_attack` | CWE-522 | AS-REP roasting + Kerberoasting (TGS hash extraction) |
+| `smb_enum` | CWE-200 | SMB null session, signing check, GPP password scraping |
+| `mssql_probe` | CWE-798 | MSSQL default credentials, linked servers, xp_cmdshell |
+| `dcsync` | CWE-522 | DCSync credential extraction via secretsdump |
+| `winrm_probe` | CWE-287 | WinRM lateral movement via evil-winrm/crackmapexec |
+| `ntlm_capture` | CWE-522 | NTLM hash capture via Responder (opt-in) |
+| `acl_abuse` | CWE-284 | BloodHound-style ACL path discovery and exploitation |
+| `hash_crack` | CWE-521 | Offline hash cracking with feedback loop |
+| `pth_agent` | CWE-522 | Pass-the-Hash lateral movement via impacket |
+| `cred_dump` | CWE-522 | SAM/LSA credential dumping |
+| `adcs_exploit` | CWE-295 | ADCS ESC1-ESC15 certificate abuse via certipy |
+| `delegation_exploit` | CWE-284 | Constrained/RBCD/unconstrained Kerberos delegation |
+| `laps_reader` | CWE-522 | LAPS local admin password extraction |
+| `shadow_creds` | CWE-284 | Shadow credentials via pywhisker/certipy |
+| `gpo_abuse` | CWE-284 | GPO modification for scheduled task deployment |
+| `trust_exploit` | CWE-200 | Cross-forest SID History exploitation |
+| `gmsa_reader` | CWE-522 | gMSA service account password reading |
+| `auth_coercion` | CWE-287 | PrinterBug/PetitPotam authentication coercion |
 
 ## OCSF Reports
 
-SwarmHack generates reports in [OCSF 1.1.0](https://schema.ocsf.io/) format, the industry standard for security findings:
+SwarmHack generates reports in [OCSF 1.1.0](https://schema.ocsf.io/) format, the industry standard for security findings.
 
+**Single target:**
 ```json
 {
   "scan_info": {
     "scanner": { "name": "SwarmHack", "vendor": "Prancer" },
     "customer": "your-customer",
     "target": "http://example.com",
-    "duration_formatted": "3m 11s",
-    "summary": { "findings_count": 5, "crown_jewels_count": 12 }
+    "summary": { "findings_count": 9, "crown_jewels_count": 23 }
   },
-  "class_name": "Vulnerability Finding",
-  "class_uid": 6001,
+  "compliance_summary": { "frameworks_covered": ["PCI-DSS 4.0", "OWASP Top 10", "NIST CSF 2.0", ...] },
   "findings": [...]
 }
 ```
 
+**Multi-target campaign:**
+```json
+{
+  "scan_info": {
+    "mission_type": "multi-target",
+    "targets_scanned": 4,
+    "targets_total": 5,
+    "summary": { "findings_count": 20, "crown_jewels_count": 28 },
+    "per_target": [
+      { "target": "http://192.168.56.10/", "findings_count": 6, "crown_jewels_count": 4 },
+      { "target": "https://demo.testfire.net/", "findings_count": 7, "crown_jewels_count": 22 }
+    ]
+  },
+  "findings": [/* all findings from all targets combined */]
+}
+```
+
+Each finding includes:
+- Severity + risk score + confidence
+- CWE classification + MITRE ATT&CK mapping
+- Compliance mappings (PCI-DSS, OWASP, NIST, SOC2, HIPAA, ISO 27001, DORA, NIS2)
+- Crown jewels (extracted credentials, hashes, sensitive data)
+- Device type identification (Router, Printer, NAS, etc.)
+
 ## Authentication
 
 SwarmHack requires Prancer Portal authentication:
@@ -291,6 +408,57 @@ Get your token from [Prancer Portal](https://portal.prancer.io) → Settings →
 
 ## Changelog
 
+### v2.5.0
+- **Multi-target campaigns**: `--target-list` with comma-separated IPs, URLs, hostnames, CIDR ranges
+- **CIDR expansion**: `10.0.0.0/24` → 254 hosts, up to /16 supported
+- **Campaign intelligence graph**: credentials from Host A seed Host B (petgraph + DashMap)
+- **Unified OCSF report**: single mission-*.json with all targets combined
+- **Network attack path visualization**: D3.js HTML with host topology, device types, detail panel, intel flow
+- **Host recon**: reverse DNS + HTTP banner + MAC vendor → device type classification
+- **Graceful unreachable skip**: offline hosts skipped cleanly, prior scan data included
+- **Default credential fallback**: SMB/WinRM try vagrant:vagrant when null session/campaign creds fail
+- **Network agent findings fix**: AD findings now in report + CLI display (was silently dropped)
+- **Quiet campaign mode**: per-target banners suppressed, single summary shown
+- 49 regression tests across 15 categories
+- GOAD lab assessment: 38 attack paths mapped vs SwarmHack capabilities
+- Validated: 5-target campaign = 20 findings, 28 crown jewels
+
+### v2.4.0
+- **BREAKING**: Mandatory Prancer Portal authentication — offline mode removed
+- AD finding category mapping: CWE-307/521/522 → "authentication", CWE-200 → "reconnaissance"
+- Dynamic affected_resource.type from URL scheme (Directory Service, Kerberos KDC, SMB File Share)
+- Compliance mappings for AD CWEs (OWASP A07:2021, PCI-DSS 8.3.6, NIST PR.AA-01)
+- LDIF base64 attribute parsing, empty password policy guard, trust direction decoding
+- Crown jewel dedup across merged findings, masked value filtering
+- 37 quality regression tests (was 25)
+- External tool documentation: 38 binaries fully documented with install instructions
+
+### v2.3.0
+- Full AD exploitation pipeline: 23 new network/AD agents (LDAP, Kerberos, SMB, MSSQL, DCSync, WinRM, NTLM, ACL, ADCS, delegation, LAPS, shadow creds, GPO, trust)
+- 6-pass AD kill chain: Discovery → Spray → Kerberoast → Exploit → Lateral → Dominate
+- Credential chaining via shared memory (spray → Kerberoast → lateral movement)
+- Blackbox DC discovery: rootDSE + DNS reverse + NetBIOS
+- OCSF compliance mapping for 8 frameworks (ADR-012)
+- D3.js attack path visualization (ADR-013)
+- GOAD lab validated: hodor:hodor credential + tyron.lannister TGS hash extracted
+- Agent plugin registry with define_plugin! macro (46 plugins total)
+- Bare IP/hostname target support (auto-prepend http://)
+- TCP connectivity fallback for non-HTTP targets
+
+### v2.1.0
+- Agent plugin registry (ADR-011): scalable plugin system for 100+ agents (one file + one registry line per agent)
+- Nmap-first port discovery: canonical entry point, automatic service-to-agent routing
+- FTP probe agent: anonymous login, default credential testing, banner analysis
+- SSH probe agent: banner analysis, weak version CVE detection
+- OCSF 1.1.0 compliance: type_uid=600105, severity_id at finding level, crown jewel dedup, finding sort order
+- Crown jewel sanitization: 5-rule system (api_key never truncated, format-preserving session tokens)
+- False positive elimination: LFI tech-stack filter, IDOR no synthetic params, default creds uses discovered form fields, CVE-2021-31166 narrowed
+- Risk score calibration: Info=1.0, Low=3.0, Medium=5.0, High=7.5, Critical=10.0
+- Security fixes: shell injection in askpass, TLS verification restored, PII redaction in reports
+- CI pipeline: cargo test + cargo clippy (was build-only)
+- 83 new regression tests (46 quality fixes + 37 ADR-011 Phase 1)
+- 35 exploit agents (was 32): added nmap_scanner, ftp_probe, ssh_probe
+
 ### v2.0.0
 - Confidence calibration system: evidence-based scoring (0.60-1.0) replacing fixed 1.0
 - Full kill chain automation: web scan -> credential extraction -> SSH pivot -> privilege escalation -> internal scanning

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "swarmhack-cli",
-  "version": "2.1.0",
+  "version": "2.3.1",
   "description": "SwarmHack - Neural swarm-based penetration testing framework",
   "author": "Prancer <support@prancer.io>",
   "license": "MIT",