npm - swarmhack-cli - Versions diffs - 2.3.0 → 2.3.1 - Mend

swarmhack-cli 2.3.0 → 2.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md +162 -10
package/native/linux-x64/swarmhack +0 -0
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -2,7 +2,33 @@
 Neural swarm-based penetration testing framework.
-## What's New in v2.1.0
+## What's New in v2.5.0
+**v2.5.0 -- Multi-Target Campaign + Network Intelligence + Host Recon**
+- **Multi-target campaigns** -- `--target-list` accepts comma-separated IPs, URLs, hostnames, and CIDR ranges. Scan entire networks in one command.
+- **CIDR expansion** -- `--target-list 10.0.0.0/24` expands to 254 hosts automatically.
+- **Campaign intelligence graph** -- Credentials found on Host A are automatically seeded to Host B (petgraph + DashMap property graph).
+- **Unified OCSF report** -- Single `mission-*.json` with all targets' findings combined. Per-target reports moved to `reports/per-target/`.
+- **Network attack path visualization** -- D3.js HTML showing all hosts as topology with device types, findings grouped per host, detail panel on click, intel flow bottom panel.
+- **Host recon** -- Reverse DNS + HTTP banner + MAC vendor lookup. Device type classification: Router, Printer, NAS, IP Camera, Web Server.
+- **Graceful unreachable skip** -- Offline hosts skipped with one-line message instead of verbose error. Prior scan data included in campaign report.
+- **Default credential fallback** -- SMB/WinRM agents try vagrant:vagrant and other defaults when campaign creds fail on non-domain hosts.
+- **Network agent findings fix** -- AD agent findings now included in OCSF report and CLI display (was silently dropped).
+- **Quiet campaign mode** -- Per-target "MISSION COMPLETE" banners suppressed; single campaign summary shown.
+- **49 regression tests** (was 37) across 15 categories.
+- **GOAD assessment** -- Comprehensive mapping of 38 GOAD attack paths vs SwarmHack capabilities.
+- **46 agents total** (23 web + 23 AD/network).
+**v2.4.0 -- AD Data Quality + Mandatory Auth + External Tool Documentation**
+- Mandatory Prancer Portal authentication (offline mode removed)
+- AD finding categorization (CWE-307/521/522 → "authentication")
+- Dynamic resource type from URL scheme
+- Compliance mappings for AD CWEs
+- LDIF base64 parsing, password policy guard, trust direction decoding
+- Crown jewel dedup across merged findings
+- External tool documentation (38 binaries)
 **v2.1.0 -- Quality, OCSF Compliance & Service-Driven Discovery Foundation**
@@ -50,13 +76,59 @@ SwarmHack includes a default configuration file (`config/swarmhack.yaml`) that i
 ## CLI Usage
+### Single Target
 ```bash
-# Run SQL injection scan (local mode - default)
-swarmhack spawn --agents sqli \
+# Full kill chain scan
+swarmhack spawn \
+  --target "http://example.com" \
+  --customer "your-customer" \
+  --token "your-token"
+# Specific agents only
+swarmhack spawn --agents sqli,xss,csrf \
   --target "http://example.com" \
   --customer "your-customer" \
   --token "your-token"
+# AD domain controller scan
+swarmhack spawn \
+  --target 192.168.56.10 \
+  --customer "your-customer" \
+  --token "your-token"
+```
+### Multi-Target Campaign (NEW in v2.5.0)
+```bash
+# Scan multiple targets — credentials from Host A are shared with Host B
+swarmhack spawn \
+  --target-list "192.168.56.10,192.168.56.11,10.0.0.1" \
+  --customer "your-customer" \
+  --token "your-token"
+# Scan entire subnet (CIDR)
+swarmhack spawn \
+  --target-list "10.0.0.0/24" \
+  --customer "your-customer" \
+  --token "your-token"
+# Mixed targets: IPs + URLs + hostnames + CIDR
+swarmhack spawn \
+  --target-list "192.168.56.10,https://app.corp.local,10.0.0.0/24" \
+  --customer "your-customer" \
+  --token "your-token"
+```
+Campaign output:
+- Unified `mission-*.json` with all findings across all targets
+- `mission-*-attack-path.html` showing network topology with all hosts
+- Per-target reports in `reports/per-target/`
+- Unreachable hosts gracefully skipped
+### Docker Mode
+```bash
 # Run in Docker mode (isolated execution)
 swarmhack spawn --agents sqli \
   --target "http://example.com" \
@@ -160,7 +232,7 @@ If npm installation fails, use Docker:
 docker run --rm \
   -v /var/run/docker.sock:/var/run/docker.sock \
   -v $(pwd)/reports:/app/reports \
-  prancer/swarmhack:2.1.0 \
+  prancer/swarmhack:2.5.0 \
   spawn --agents sqli --target "http://example.com" \
   --customer "your-customer" --token "your-token"
 ```
@@ -220,7 +292,7 @@ swarmhack spawn \
 - The `--header` flag is repeatable -- add as many custom headers as needed
 - All agents (SQLi, XSS, CSRF, etc.) automatically include your custom headers in every request
-## Available Agents (35)
+## Available Agents (46)
 | Agent | CWE | Description |
 |-------|-----|-------------|
@@ -252,26 +324,69 @@ swarmhack spawn \
 | `nmap_scanner` | — | Port discovery, service detection, NSE vulnerability scanning |
 | `ftp_probe` | CWE-287 | FTP anonymous login, default credentials, banner analysis |
 | `ssh_probe` | CWE-327 | SSH banner analysis, weak version CVE detection |
+| `ldap_enum` | CWE-284 | AD enumeration (10 categories: users, SPNs, delegation, trusts, policy) |
+| `ldap_spray` | CWE-307 | LDAP password spray with lockout-safe threshold detection |
+| `kerberos_attack` | CWE-522 | AS-REP roasting + Kerberoasting (TGS hash extraction) |
+| `smb_enum` | CWE-200 | SMB null session, signing check, GPP password scraping |
+| `mssql_probe` | CWE-798 | MSSQL default credentials, linked servers, xp_cmdshell |
+| `dcsync` | CWE-522 | DCSync credential extraction via secretsdump |
+| `winrm_probe` | CWE-287 | WinRM lateral movement via evil-winrm/crackmapexec |
+| `ntlm_capture` | CWE-522 | NTLM hash capture via Responder (opt-in) |
+| `acl_abuse` | CWE-284 | BloodHound-style ACL path discovery and exploitation |
+| `hash_crack` | CWE-521 | Offline hash cracking with feedback loop |
+| `pth_agent` | CWE-522 | Pass-the-Hash lateral movement via impacket |
+| `cred_dump` | CWE-522 | SAM/LSA credential dumping |
+| `adcs_exploit` | CWE-295 | ADCS ESC1-ESC15 certificate abuse via certipy |
+| `delegation_exploit` | CWE-284 | Constrained/RBCD/unconstrained Kerberos delegation |
+| `laps_reader` | CWE-522 | LAPS local admin password extraction |
+| `shadow_creds` | CWE-284 | Shadow credentials via pywhisker/certipy |
+| `gpo_abuse` | CWE-284 | GPO modification for scheduled task deployment |
+| `trust_exploit` | CWE-200 | Cross-forest SID History exploitation |
+| `gmsa_reader` | CWE-522 | gMSA service account password reading |
+| `auth_coercion` | CWE-287 | PrinterBug/PetitPotam authentication coercion |
 ## OCSF Reports
-SwarmHack generates reports in [OCSF 1.1.0](https://schema.ocsf.io/) format, the industry standard for security findings:
+SwarmHack generates reports in [OCSF 1.1.0](https://schema.ocsf.io/) format, the industry standard for security findings.
+**Single target:**
 ```json
 {
   "scan_info": {
     "scanner": { "name": "SwarmHack", "vendor": "Prancer" },
     "customer": "your-customer",
     "target": "http://example.com",
-    "duration_formatted": "3m 11s",
-    "summary": { "findings_count": 5, "crown_jewels_count": 12 }
+    "summary": { "findings_count": 9, "crown_jewels_count": 23 }
   },
-  "class_name": "Vulnerability Finding",
-  "class_uid": 6001,
+  "compliance_summary": { "frameworks_covered": ["PCI-DSS 4.0", "OWASP Top 10", "NIST CSF 2.0", ...] },
   "findings": [...]
 }
 ```
+**Multi-target campaign:**
+```json
+{
+  "scan_info": {
+    "mission_type": "multi-target",
+    "targets_scanned": 4,
+    "targets_total": 5,
+    "summary": { "findings_count": 20, "crown_jewels_count": 28 },
+    "per_target": [
+      { "target": "http://192.168.56.10/", "findings_count": 6, "crown_jewels_count": 4 },
+      { "target": "https://demo.testfire.net/", "findings_count": 7, "crown_jewels_count": 22 }
+    ]
+  },
+  "findings": [/* all findings from all targets combined */]
+}
+```
+Each finding includes:
+- Severity + risk score + confidence
+- CWE classification + MITRE ATT&CK mapping
+- Compliance mappings (PCI-DSS, OWASP, NIST, SOC2, HIPAA, ISO 27001, DORA, NIS2)
+- Crown jewels (extracted credentials, hashes, sensitive data)
+- Device type identification (Router, Printer, NAS, etc.)
 ## Authentication
 SwarmHack requires Prancer Portal authentication:
@@ -293,6 +408,43 @@ Get your token from [Prancer Portal](https://portal.prancer.io) → Settings →
 ## Changelog
+### v2.5.0
+- **Multi-target campaigns**: `--target-list` with comma-separated IPs, URLs, hostnames, CIDR ranges
+- **CIDR expansion**: `10.0.0.0/24` → 254 hosts, up to /16 supported
+- **Campaign intelligence graph**: credentials from Host A seed Host B (petgraph + DashMap)
+- **Unified OCSF report**: single mission-*.json with all targets combined
+- **Network attack path visualization**: D3.js HTML with host topology, device types, detail panel, intel flow
+- **Host recon**: reverse DNS + HTTP banner + MAC vendor → device type classification
+- **Graceful unreachable skip**: offline hosts skipped cleanly, prior scan data included
+- **Default credential fallback**: SMB/WinRM try vagrant:vagrant when null session/campaign creds fail
+- **Network agent findings fix**: AD findings now in report + CLI display (was silently dropped)
+- **Quiet campaign mode**: per-target banners suppressed, single summary shown
+- 49 regression tests across 15 categories
+- GOAD lab assessment: 38 attack paths mapped vs SwarmHack capabilities
+- Validated: 5-target campaign = 20 findings, 28 crown jewels
+### v2.4.0
+- **BREAKING**: Mandatory Prancer Portal authentication — offline mode removed
+- AD finding category mapping: CWE-307/521/522 → "authentication", CWE-200 → "reconnaissance"
+- Dynamic affected_resource.type from URL scheme (Directory Service, Kerberos KDC, SMB File Share)
+- Compliance mappings for AD CWEs (OWASP A07:2021, PCI-DSS 8.3.6, NIST PR.AA-01)
+- LDIF base64 attribute parsing, empty password policy guard, trust direction decoding
+- Crown jewel dedup across merged findings, masked value filtering
+- 37 quality regression tests (was 25)
+- External tool documentation: 38 binaries fully documented with install instructions
+### v2.3.0
+- Full AD exploitation pipeline: 23 new network/AD agents (LDAP, Kerberos, SMB, MSSQL, DCSync, WinRM, NTLM, ACL, ADCS, delegation, LAPS, shadow creds, GPO, trust)
+- 6-pass AD kill chain: Discovery → Spray → Kerberoast → Exploit → Lateral → Dominate
+- Credential chaining via shared memory (spray → Kerberoast → lateral movement)
+- Blackbox DC discovery: rootDSE + DNS reverse + NetBIOS
+- OCSF compliance mapping for 8 frameworks (ADR-012)
+- D3.js attack path visualization (ADR-013)
+- GOAD lab validated: hodor:hodor credential + tyron.lannister TGS hash extracted
+- Agent plugin registry with define_plugin! macro (46 plugins total)
+- Bare IP/hostname target support (auto-prepend http://)
+- TCP connectivity fallback for non-HTTP targets
 ### v2.1.0
 - Agent plugin registry (ADR-011): scalable plugin system for 100+ agents (one file + one registry line per agent)
 - Nmap-first port discovery: canonical entry point, automatic service-to-agent routing

package/native/linux-x64/swarmhack CHANGED Viewed

Binary file

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "swarmhack-cli",
-  "version": "2.3.0",
+  "version": "2.3.1",
   "description": "SwarmHack - Neural swarm-based penetration testing framework",
   "author": "Prancer <support@prancer.io>",
   "license": "MIT",