zilmate 1.3.5 → 1.4.0

package/dist/tools/pentest.tool.js

@@ -0,0 +1,841 @@
+import { mkdir, writeFile, readFile } from 'node:fs/promises';
+import path from 'node:path';
+import { tool } from 'ai';
+import { z } from 'zod';
+import { requestConfirmation } from '../runtime/confirm.js';
+import { emitProgress } from '../runtime/progress.js';
+import { runCliTool } from './cli-runner.js';
+// ─── Constants & helpers ─────────────────────────────────────────────────────
+const IS_WIN = process.platform === 'win32';
+const pentestOutputDir = path.resolve('outputs', 'pentest');
+async function confirmPentestAction(action, details) {
+    return requestConfirmation({
+        toolkitSlug: 'ZILMATE',
+        toolSlug: 'PENTEST',
+        action,
+        access: 'Read-only',
+        targetTools: ['ZILMATE_PENTEST'],
+        details,
+        summary: details.join('; '),
+    });
+}
+async function ensureDir(subdir) {
+    const dir = subdir ? path.join(pentestOutputDir, subdir) : pentestOutputDir;
+    await mkdir(dir, { recursive: true });
+    return dir;
+}
+function ts() {
+    return new Date().toISOString().replace(/[:.]/g, '-');
+}
+function safe(s) {
+    return s.replace(/[^a-z0-9_.-]/gi, '_').slice(0, 60);
+}
+/**
+ * Run a CLI tool and stream stdout+stderr.
+ * Resolves even on non-zero exit — many pentest tools exit 1 on partial results.
+ */
+function runTool(command, args, timeoutMs = 120_000) {
+    return runCliTool(command, args, { timeoutMs });
+}
+async function save(subdir, filename, content) {
+    const dir = await ensureDir(subdir);
+    const p = path.join(dir, filename);
+    await writeFile(p, content, 'utf8');
+    return p;
+}
+// ─── 1. Nmap — Network Scanner & NSE Vulnerability Engine ────────────────────
+export const nmapTool = {
+    /**
+     * nmap [scan type] [timing] [port range] [script] [-oA output] <target>
+     *
+     * Key flags (from nmap.org & offseckit.com cheat sheet):
+     *   -sS          SYN stealth scan (default, requires root/admin)
+     *   -sV          Service/version detection
+     *   -O           OS fingerprinting
+     *   -sC          Default NSE scripts (equiv. --script=default)
+     *   --script     NSE script or category: vuln, safe, default, auth, brute, discovery
+     *   --script-args mincvss=7.0   filter CVE results by minimum CVSS score
+     *   -p-          All 65535 ports
+     *   -F           Fast: top 100 ports
+     *   -T0..T5      Timing: T1=sneaky, T2=polite, T3=normal, T4=aggressive, T5=insane
+     *   -Pn          Skip host discovery (treat all hosts as online)
+     *   -f           Fragment packets (evade some firewalls)
+     *   --open       Show only open ports in output
+     *   -oA <base>   Output all formats: .nmap .xml .gnmap
+     *   -iL <file>   Input target list from file
+     *   -sU          UDP scan
+     *   -sn          Host discovery only (ping sweep), no port scan
+     */
+    runNmap: tool({
+        description: 'Network scanner and vulnerability enumerator. Discovers open ports, services, versions, OS, and runs NSE scripts including vuln category to detect CVEs. The mandatory first recon step for any pentest.',
+        inputSchema: z.object({
+            target: z.string().min(1).describe('IP, hostname, CIDR range (192.168.1.0/24), or file path prefixed with @.'),
+            scanType: z
+                .enum(['quick', 'full', 'udp', 'stealth', 'discovery'])
+                .optional()
+                .default('quick')
+                .describe('quick=top 1000 ports + version (-sS -sV -T4); full=all 65535 ports (-sS -sV -p- -T4); udp=top 100 UDP; stealth=slow fragmented (-sS -T2 -f); discovery=host sweep only (-sn)'),
+            scripts: z
+                .array(z.enum(['vuln', 'safe', 'default', 'auth', 'brute', 'discovery', 'vulners']))
+                .optional()
+                .describe('NSE script categories to run. "vuln" catches Heartbleed, EternalBlue, Shellshock, etc.'),
+            minCvss: z
+                .number()
+                .min(0)
+                .max(10)
+                .optional()
+                .describe('Filter CVE results to this minimum CVSS score when using vulners script. Recommended: 7.0.'),
+            ports: z.string().optional().describe('Specific ports or ranges, e.g. "22,80,443" or "1-1024". Overrides scanType port range.'),
+            osDetect: z.boolean().optional().default(false).describe('Enable OS fingerprinting (-O). Requires root/admin.'),
+            timing: z
+                .number()
+                .int()
+                .min(0)
+                .max(5)
+                .optional()
+                .default(4)
+                .describe('Timing template 0-5. 4=aggressive (fast), 2=polite (quiet), 1=sneaky (IDS evasion).'),
+            skipHostDiscovery: z.boolean().optional().default(false).describe('Add -Pn to treat all hosts as online (useful when ICMP is blocked).'),
+        }),
+        execute: async ({ target, scanType, scripts, minCvss, ports, osDetect, timing, skipHostDiscovery }) => {
+            const approved = await confirmPentestAction('Run Nmap scan', [
+                `Target: ${target}`,
+                `Scan type: ${scanType}`,
+                scripts?.length ? `NSE scripts: ${scripts.join(', ')}` : 'No NSE scripts',
+                osDetect ? 'OS detection enabled (requires root)' : '',
+                `Timing: T${timing}`,
+            ].filter(Boolean));
+            if (!approved)
+                throw new Error('Blocked Nmap scan. Ask user to approve.');
+            emitProgress({ type: 'tool:start', label: 'Nmap scanning', detail: target });
+            const dir = await ensureDir('nmap');
+            const outBase = path.join(dir, `nmap-${safe(target)}-${ts()}`);
+            const args = [];
+            // Scan type → flag bundle
+            switch (scanType) {
+                case 'quick':
+                    args.push('-sS', '-sV', `--open`);
+                    break;
+                case 'full':
+                    args.push('-sS', '-sV', '-p-', '--open');
+                    break;
+                case 'udp':
+                    args.push('-sU', '-sV', '--top-ports', '100');
+                    break;
+                case 'stealth':
+                    args.push('-sS', '-f', '--source-port', '53');
+                    break;
+                case 'discovery':
+                    args.push('-sn');
+                    break;
+            }
+            // Port override
+            if (ports)
+                args.push('-p', ports);
+            // Timing
+            args.push(`-T${timing}`);
+            // NSE scripts
+            if (scripts?.length) {
+                const scriptArg = scripts.join(',');
+                args.push(`--script`, scriptArg);
+                if (minCvss !== undefined && scripts.includes('vulners')) {
+                    args.push('--script-args', `mincvss=${minCvss}`);
+                }
+            }
+            // OS detection
+            if (osDetect)
+                args.push('-O');
+            // Skip host discovery
+            if (skipHostDiscovery)
+                args.push('-Pn');
+            // No color + all output formats
+            args.push('--no-stylesheet', '-oA', outBase);
+            // Target (handle file input)
+            if (target.startsWith('@')) {
+                args.push('-iL', target.slice(1));
+            }
+            else {
+                args.push(target);
+            }
+            const raw = await runTool('nmap', args, scanType === 'full' ? 1_800_000 : 300_000);
+            // Quick parse: open ports from normal output
+            const openPorts = [...raw.matchAll(/(\d+)\/(?:tcp|udp)\s+open\s+(\S+)/g)]
+                .map((m) => ({ port: Number(m[1]), service: m[2] }));
+            // CVEs from vulners script
+            const cves = [...raw.matchAll(/(CVE-\d{4}-\d+)\s+([\d.]+)/g)]
+                .map((m) => ({ cve: m[1], cvss: parseFloat(m[2]) }))
+                .filter((c) => !minCvss || c.cvss >= minCvss)
+                .sort((a, b) => b.cvss - a.cvss);
+            emitProgress({ type: 'tool:end', label: 'Nmap complete', detail: `${openPorts.length} open ports, ${cves.length} CVEs` });
+            return {
+                target,
+                openPorts,
+                cves,
+                outputFiles: { normal: `${outBase}.nmap`, xml: `${outBase}.xml`, grepable: `${outBase}.gnmap` },
+                raw: raw.slice(0, 5000),
+            };
+        },
+    }),
+};
+// ─── 2. Nuclei — Template-Based Vulnerability Scanner ────────────────────────
+export const nucleiTool = {
+    /**
+     * nuclei [flags]
+     *
+     * Key flags (from github.com/projectdiscovery/nuclei README):
+     *   -u <url>          Single target URL/host
+     *   -l <file>         Target list file
+     *   -t <dir/file>     Template path (default: ~/.local/nuclei-templates)
+     *   -tags <csv>       Filter by tag: cve,exposures,misconfigurations,default-logins,kev,vkev
+     *   -severity <csv>   Filter: info,low,medium,high,critical
+     *   -exclude-tags     Tags to skip
+     *   -rl <int>         Rate limit (requests/sec)
+     *   -c <int>          Concurrency
+     *   -o <file>         Output file
+     *   -json             JSON output
+     *   -je <file>        JSON-lines export
+     *   -nc               No colour
+     *   -silent           Only findings
+     *   -update-templates Auto-update community templates
+     *
+     *   Special tag combos:
+     *   -tags kev        CISA Known Exploited Vulnerabilities (1496+ templates)
+     *   -tags vkev       Vendor-confirmed KEV
+     */
+    runNuclei: tool({
+        description: 'Fast, template-based vulnerability scanner covering CVEs, misconfigurations, exposed panels, default logins, and CISA Known Exploited Vulnerabilities (1,496+ KEV templates). Pipe Nmap/subfinder results into it for full-chain recon→scan automation.',
+        inputSchema: z.object({
+            target: z.string().min(1).describe('URL, hostname, IP, CIDR, or @/path/to/list.txt for bulk.'),
+            severity: z
+                .array(z.enum(['info', 'low', 'medium', 'high', 'critical']))
+                .optional()
+                .default(['medium', 'high', 'critical'])
+                .describe('Only run templates matching these severities.'),
+            tags: z
+                .array(z.string())
+                .optional()
+                .describe('Template tags to include. Examples: "cve", "kev" (CISA exploited), "exposures", "misconfigurations", "default-logins", "panel", "takeover".'),
+            excludeTags: z
+                .array(z.string())
+                .optional()
+                .describe('Tags to skip (e.g. "dos", "fuzz" for non-destructive scans).'),
+            rateLimit: z.number().int().min(1).max(500).optional().default(150).describe('Max requests per second.'),
+            concurrency: z.number().int().min(1).max(100).optional().default(25).describe('Concurrent template executions.'),
+            updateTemplates: z.boolean().optional().default(false).describe('Update community templates before scanning (-update-templates).'),
+        }),
+        execute: async ({ target, severity, tags, excludeTags, rateLimit, concurrency, updateTemplates }) => {
+            const approved = await confirmPentestAction('Run Nuclei vulnerability scan', [
+                `Target: ${target}`,
+                `Severity: ${severity.join(', ')}`,
+                tags?.length ? `Tags: ${tags.join(', ')}` : 'No tag filter (all templates for severity)',
+                excludeTags?.length ? `Excluding: ${excludeTags.join(', ')}` : '',
+                `Rate limit: ${rateLimit} req/s`,
+            ].filter(Boolean));
+            if (!approved)
+                throw new Error('Blocked Nuclei scan. Ask user to approve.');
+            // Update templates first if requested
+            if (updateTemplates) {
+                emitProgress({ type: 'tool:start', label: 'Updating Nuclei templates' });
+                await runTool('nuclei', ['-update-templates'], 120_000).catch(() => { });
+                emitProgress({ type: 'tool:end', label: 'Templates updated' });
+            }
+            emitProgress({ type: 'tool:start', label: 'Nuclei scanning', detail: target });
+            const dir = await ensureDir('nuclei');
+            const outFile = path.join(dir, `nuclei-${safe(target)}-${ts()}.jsonl`);
+            const args = ['-nc', '-silent'];
+            // Target
+            if (target.startsWith('@')) {
+                args.push('-l', target.slice(1));
+            }
+            else {
+                args.push('-u', target);
+            }
+            // Severity filter
+            if (severity?.length)
+                args.push('-severity', severity.join(','));
+            // Tag filters
+            if (tags?.length)
+                args.push('-tags', tags.join(','));
+            if (excludeTags?.length)
+                args.push('-exclude-tags', excludeTags.join(','));
+            // Performance
+            args.push('-rl', String(rateLimit), '-c', String(concurrency));
+            // JSON lines output
+            args.push('-je', outFile);
+            const raw = await runTool('nuclei', args, 900_000);
+            // Parse JSONL findings
+            let findings = [];
+            try {
+                const content = await readFile(outFile, 'utf8');
+                findings = content
+                    .split('\n')
+                    .filter(Boolean)
+                    .map((line) => {
+                    const j = JSON.parse(line);
+                    return {
+                        templateId: j['template-id'],
+                        name: j['info']?.name ?? '',
+                        severity: j['info']?.severity ?? '',
+                        host: j['host'],
+                        matched: j['matched-at'],
+                    };
+                });
+            }
+            catch { /* JSONL parse failed — fall through to raw */ }
+            const bySeverity = findings.reduce((acc, f) => {
+                acc[f.severity] = (acc[f.severity] ?? 0) + 1;
+                return acc;
+            }, {});
+            emitProgress({ type: 'tool:end', label: 'Nuclei complete', detail: `${findings.length} findings` });
+            return { target, findingCount: findings.length, bySeverity, findings: findings.slice(0, 50), outputFile: outFile, raw: raw.slice(0, 3000) };
+        },
+    }),
+};
+// ─── 3. Subfinder — Passive Subdomain Enumeration ────────────────────────────
+export const subfinderTool = {
+    /**
+     * subfinder [flags]
+     *
+     * Key flags (docs.projectdiscovery.io/opensource/subfinder/usage):
+     *   -d <domain>        Single domain
+     *   -dL <file>         Domain list file
+     *   -s <csv>           Specific sources: crtsh,github,virustotal,...
+     *   -all               Use all passive sources (slow)
+     *   -recursive         Recursive subdomain resolution
+     *   -o <file>          Output file
+     *   -oJ                JSON lines output
+     *   -silent            Subdomains only (clean output for piping)
+     *   -t <int>           Goroutines for resolution (default 10)
+     *   -rl <int>          Rate limit req/s
+     *
+     * API keys stored in: ~/.config/subfinder/provider-config.yaml
+     * Without keys: crtsh, dnsdumpster, waybackarchive, hackertarget still work.
+     */
+    runSubfinder: tool({
+        description: 'Fast passive subdomain enumeration using Subfinder. Discovers valid subdomains without active scanning. Chain output directly into Nuclei or httpx for full attack surface coverage.',
+        inputSchema: z.object({
+            domain: z.string().min(3).describe('Root domain to enumerate, e.g. example.com.'),
+            allSources: z.boolean().optional().default(false).describe('Use all available passive sources (slower, more thorough).'),
+            sources: z
+                .array(z.string())
+                .optional()
+                .describe('Specific sources: crtsh, github, virustotal, shodan, hackertarget, etc. Omit to use defaults.'),
+            recursive: z.boolean().optional().default(false).describe('Recursively discover subdomains of subdomains.'),
+        }),
+        execute: async ({ domain, allSources, sources, recursive }) => {
+            const approved = await confirmPentestAction('Run Subfinder passive subdomain enumeration', [
+                `Domain: ${domain}`,
+                allSources ? 'Using ALL passive sources' : sources?.length ? `Sources: ${sources.join(', ')}` : 'Using default sources (crtsh, dnsdumpster, hackertarget...)',
+                recursive ? 'Recursive enumeration enabled' : '',
+            ].filter(Boolean));
+            if (!approved)
+                throw new Error('Blocked Subfinder. Ask user to approve.');
+            emitProgress({ type: 'tool:start', label: 'Subfinder enumerating', detail: domain });
+            const dir = await ensureDir('subfinder');
+            const outFile = path.join(dir, `subfinder-${safe(domain)}-${ts()}.txt`);
+            const jsonFile = path.join(dir, `subfinder-${safe(domain)}-${ts()}.json`);
+            // -silent for clean subdomain-only output, -oJ for machine-readable
+            const args = ['-d', domain, '-silent', '-o', outFile, '-oJ'];
+            if (allSources)
+                args.push('-all');
+            if (sources?.length)
+                args.push('-s', sources.join(','));
+            if (recursive)
+                args.push('-recursive');
+            const raw = await runTool('subfinder', args, 300_000);
+            const subdomains = raw
+                .split('\n')
+                .map((l) => l.trim())
+                .filter((l) => l.includes(domain));
+            emitProgress({ type: 'tool:end', label: 'Subfinder complete', detail: `${subdomains.length} subdomains` });
+            return { domain, subdomainCount: subdomains.length, subdomains: subdomains.slice(0, 200), outputFile: outFile };
+        },
+    }),
+};
+// ─── 4. SQLMap — Automated SQL Injection Detection & Exploitation ─────────────
+export const sqlmapTool = {
+    /**
+     * sqlmap [flags]
+     *
+     * Key flags (hacktricks.wiki, stationx.net/sqlmap-cheat-sheet):
+     *   -u <url>           Target URL with injectable parameter (e.g. "http://site/?id=1")
+     *   -r <file>          Load raw HTTP request from file (Burp export)
+     *   --data <str>       POST data string
+     *   --cookie <str>     Session cookies
+     *   -p <param>         Force parameter to test
+     *   --dbms <db>        Hint DBMS type: mysql, postgresql, mssql, oracle, sqlite
+     *   --level <1-5>      Test depth (1=basic, 5=exhaustive); default 1
+     *   --risk <1-3>       Risk level (3 includes heavy queries); default 1
+     *   --technique <str>  Injection technique: B=boolean, E=error, U=union, S=stacked, T=time, Q=inline
+     *   --batch            Non-interactive (auto-accept defaults)
+     *   --threads <n>      Concurrent requests
+     *   --random-agent     Random User-Agent
+     *   --tamper <csv>     WAF bypass scripts: apostrophemask, randomcase, space2comment...
+     *   --dbs              Enumerate databases
+     *   --tables           Enumerate tables (-D <db>)
+     *   --columns          Enumerate columns (-D <db> -T <table>)
+     *   --dump             Dump table data
+     *   --current-user     Get DB user
+     *   --is-dba           Check if user is DBA
+     *   --os-cmd <cmd>     Execute OS command (if stacked injection possible)
+     *   --forms            Auto-detect and test forms on the page
+     *   --crawl <depth>    Crawl site for injectable params
+     */
+    runSqlmap: tool({
+        description: 'Automated SQL injection detection and exploitation. Tests GET/POST params, cookies, headers. Supports WAF bypass tamper scripts, all major DBMS types, and can extract DB contents or run OS commands when injection allows.',
+        inputSchema: z.object({
+            target: z.string().min(1).describe('Target URL with a parameter, e.g. "http://site/page?id=1". Or @/path/to/request.txt to load a raw Burp request.'),
+            postData: z.string().optional().describe('POST body string, e.g. "user=foo&pass=bar". Use for POST endpoints.'),
+            cookie: z.string().optional().describe('Session cookie string, e.g. "PHPSESSID=abc123".'),
+            dbms: z.enum(['mysql', 'postgresql', 'mssql', 'oracle', 'sqlite', 'db2']).optional().describe('DBMS hint — speeds up testing significantly if known.'),
+            level: z.number().int().min(1).max(5).optional().default(1).describe('Test depth 1-5. 3+ tests headers/cookies. 5 is exhaustive.'),
+            risk: z.number().int().min(1).max(3).optional().default(1).describe('Risk 1-3. 2+ adds heavy time-based tests. 3 may modify data.'),
+            techniques: z.string().optional().default('BEUST').describe('Injection techniques: B=boolean, E=error, U=union, S=stacked, T=time. Default: BEUST (all).'),
+            goal: z
+                .enum(['detect', 'enumerate-dbs', 'enumerate-tables', 'dump', 'os-shell'])
+                .optional()
+                .default('detect')
+                .describe('What to do: detect=find injection only; enumerate-dbs=list databases; enumerate-tables=list tables; dump=extract data; os-shell=try OS command execution.'),
+            database: z.string().optional().describe('Target database name (required for enumerate-tables and dump).'),
+            table: z.string().optional().describe('Target table name (required for dump with specific table).'),
+            tamper: z
+                .array(z.string())
+                .optional()
+                .describe('WAF bypass tamper scripts. Common: apostrophemask, randomcase, space2comment, between, charunicodeencode.'),
+            threads: z.number().int().min(1).max(10).optional().default(4),
+            forms: z.boolean().optional().default(false).describe('Auto-detect and test all forms on the target page.'),
+        }),
+        execute: async ({ target, postData, cookie, dbms, level, risk, techniques, goal, database, table, tamper, threads, forms }) => {
+            const approved = await confirmPentestAction('Run SQLMap injection test', [
+                `Target: ${target}`,
+                `Goal: ${goal}`,
+                `Level: ${level}, Risk: ${risk}`,
+                `Techniques: ${techniques}`,
+                dbms ? `DBMS hint: ${dbms}` : '',
+                tamper?.length ? `Tamper scripts: ${tamper.join(', ')}` : '',
+                goal === 'dump' ? '⚠️  Will extract database contents' : '',
+                goal === 'os-shell' ? '⚠️  Will attempt OS command execution' : '',
+            ].filter(Boolean));
+            if (!approved)
+                throw new Error('Blocked SQLMap. Ask user to approve.');
+            emitProgress({ type: 'tool:start', label: 'SQLMap testing', detail: target });
+            const dir = await ensureDir('sqlmap');
+            const outDir = path.join(dir, `sqlmap-${safe(target)}-${ts()}`);
+            const args = ['--batch', '--no-logging', `--output-dir=${outDir}`, '--no-cast'];
+            // Target: file or URL
+            if (target.startsWith('@')) {
+                args.push('-r', target.slice(1));
+            }
+            else {
+                args.push('-u', target);
+            }
+            if (postData)
+                args.push('--data', postData);
+            if (cookie)
+                args.push('--cookie', cookie);
+            if (dbms)
+                args.push('--dbms', dbms);
+            args.push('--level', String(level), '--risk', String(risk));
+            args.push('--technique', techniques);
+            args.push('--threads', String(threads));
+            args.push('--random-agent');
+            if (forms)
+                args.push('--forms');
+            if (tamper?.length)
+                args.push('--tamper', tamper.join(','));
+            // Goal-specific flags
+            switch (goal) {
+                case 'enumerate-dbs':
+                    args.push('--dbs', '--current-user', '--is-dba', '--hostname');
+                    break;
+                case 'enumerate-tables':
+                    if (database)
+                        args.push('-D', database);
+                    args.push('--tables');
+                    break;
+                case 'dump':
+                    if (database)
+                        args.push('-D', database);
+                    if (table)
+                        args.push('-T', table);
+                    args.push('--dump');
+                    break;
+                case 'os-shell':
+                    args.push('--os-cmd', 'whoami');
+                    break;
+                // 'detect' → no extra flags
+            }
+            const raw = await runTool('sqlmap', args, 600_000);
+            // Parse injectable parameters
+            const injectable = [...raw.matchAll(/Parameter:\s+'?([^'\n]+)'?\s+is\s+(?:injectable|vulnerable)/gi)].map((m) => m[1].trim());
+            const isVulnerable = injectable.length > 0 || /\[CRITICAL\].*sql injection/i.test(raw);
+            emitProgress({ type: 'tool:end', label: 'SQLMap complete', detail: isVulnerable ? `VULNERABLE: ${injectable.join(', ')}` : 'No injection found' });
+            return { target, goal, isVulnerable, injectableParams: injectable, outputDir: outDir, raw: raw.slice(0, 5000) };
+        },
+    }),
+};
+// ─── 5. ffuf — Fast Web Fuzzer (Dirs, Vhosts, Parameters) ────────────────────
+export const ffufTool = {
+    /**
+     * ffuf [flags]
+     *
+     * Key flags (github.com/ffuf/ffuf):
+     *   -u <url>           URL with FUZZ keyword, e.g. http://site/FUZZ or http://FUZZ.site.com
+     *   -w <wordlist>      Wordlist path (use - for stdin)
+     *   -H <header>        Additional header, e.g. "Host: FUZZ.site.com"
+     *   -X <method>        HTTP method (default GET)
+     *   -d <data>          POST body
+     *   -mc <csv>          Match HTTP status codes (default: 200,204,301,302,307,401,403,405,500)
+     *   -fc <csv>          Filter out status codes
+     *   -ms <int>          Match response size
+     *   -fs <csv>          Filter out response sizes
+     *   -fw <int>          Filter by word count
+     *   -fl <int>          Filter by line count
+     *   -t <int>           Threads (default 40)
+     *   -rate <int>        Rate limit (req/s)
+     *   -o <file>          Output file
+     *   -of <fmt>          Output format: json, ejson, html, md, csv, ecsv (default json)
+     *   -c                 Colorize output
+     *   -v                 Verbose (show full URLs)
+     *   -s                 Silent (only results)
+     *   -recursion         Recursive directory fuzzing
+     *   -recursion-depth   Max recursion depth
+     *   -e <csv>           Extensions to append: .php,.html,.txt
+     *   -ic                Ignore wordlist comments
+     *
+     * Common wordlists (SecLists):
+     *   /usr/share/seclists/Discovery/Web-Content/common.txt
+     *   /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
+     *   /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
+     */
+    runFfuf: tool({
+        description: 'Fast web fuzzer for directory/file brute-force, vhost discovery, parameter mining, and backup file hunting. Pairs perfectly with Subfinder (feed subdomains) and Nuclei (feed discovered paths).',
+        inputSchema: z.object({
+            url: z.string().url().describe('Target URL with FUZZ keyword, e.g. "https://site.com/FUZZ" or "https://FUZZ.site.com/".'),
+            wordlist: z
+                .string()
+                .optional()
+                .describe('Path to wordlist. Defaults to /usr/share/seclists/Discovery/Web-Content/common.txt. Use /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt for vhost fuzzing.'),
+            mode: z
+                .enum(['directory', 'vhost', 'parameter', 'backup'])
+                .optional()
+                .default('directory')
+                .describe('"directory" = path brute-force; "vhost" = virtual host discovery (set Host header); "parameter" = GET param fuzzing; "backup" = hunt for .bak/.old/.orig/.zip files.'),
+            extensions: z
+                .array(z.string())
+                .optional()
+                .describe('File extensions to append to each word, e.g. ["php","html","txt","bak"]. Most useful in directory mode.'),
+            matchCodes: z
+                .array(z.number().int())
+                .optional()
+                .default([200, 204, 301, 302, 307, 401, 403])
+                .describe('HTTP status codes to show as results.'),
+            filterCodes: z.array(z.number().int()).optional().describe('HTTP status codes to hide.'),
+            filterSize: z.array(z.number().int()).optional().describe('Response sizes (bytes) to filter out — useful to suppress uniform 404 pages.'),
+            threads: z.number().int().min(1).max(200).optional().default(40),
+            rateLimit: z.number().int().min(0).optional().describe('Max requests per second. 0 = unlimited.'),
+            recursive: z.boolean().optional().default(false).describe('Recursively fuzz discovered directories.'),
+            recursionDepth: z.number().int().min(1).max(5).optional().default(2),
+            cookie: z.string().optional().describe('Cookie header value for authenticated fuzzing.'),
+        }),
+        execute: async ({ url, wordlist, mode, extensions, matchCodes, filterCodes, filterSize, threads, rateLimit, recursive, recursionDepth, cookie }) => {
+            const approved = await confirmPentestAction('Run ffuf web fuzzing', [
+                `Target: ${url}`,
+                `Mode: ${mode}`,
+                `Wordlist: ${wordlist ?? 'default (common.txt)'}`,
+                extensions?.length ? `Extensions: ${extensions.join(', ')}` : '',
+                `Threads: ${threads}`,
+                recursive ? `Recursive depth: ${recursionDepth}` : '',
+            ].filter(Boolean));
+            if (!approved)
+                throw new Error('Blocked ffuf. Ask user to approve.');
+            emitProgress({ type: 'tool:start', label: 'ffuf fuzzing', detail: url });
+            const dir = await ensureDir('ffuf');
+            const outFile = path.join(dir, `ffuf-${safe(url)}-${ts()}.json`);
+            // Default wordlists by mode
+            const wl = wordlist ?? (mode === 'vhost'
+                ? '/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt'
+                : mode === 'backup'
+                    ? '/usr/share/seclists/Discovery/Web-Content/common.txt'
+                    : '/usr/share/seclists/Discovery/Web-Content/common.txt');
+            const args = ['-s', '-ic', '-u', url, '-w', wl];
+            // Mode-specific setup
+            if (mode === 'vhost') {
+                // Override Host header for virtual host discovery
+                args.push('-H', `Host: FUZZ.${new URL(url).hostname}`);
+            }
+            else if (mode === 'parameter') {
+                // Fuzz GET param value: assume URL has FUZZ already placed by user
+            }
+            else if (mode === 'backup') {
+                args.push('-e', '.bak,.old,.orig,.backup,.zip,.tar.gz,.sql,.swp,.~');
+            }
+            if (extensions?.length && mode === 'directory') {
+                args.push('-e', extensions.map((e) => (e.startsWith('.') ? e : `.${e}`)).join(','));
+            }
+            // Filters & matches
+            args.push('-mc', matchCodes.join(','));
+            if (filterCodes?.length)
+                args.push('-fc', filterCodes.join(','));
+            if (filterSize?.length)
+                args.push('-fs', filterSize.join(','));
+            // Performance
+            args.push('-t', String(threads));
+            if (rateLimit)
+                args.push('-rate', String(rateLimit));
+            // Recursion
+            if (recursive) {
+                args.push('-recursion', '-recursion-depth', String(recursionDepth));
+            }
+            // Auth
+            if (cookie)
+                args.push('-H', `Cookie: ${cookie}`);
+            // Output
+            args.push('-o', outFile, '-of', 'json');
+            const raw = await runTool('ffuf', args, 900_000);
+            // Parse JSON output
+            let results = [];
+            try {
+                const j = JSON.parse(await readFile(outFile, 'utf8'));
+                results = j.results.map((r) => ({
+                    input: r.input['FUZZ'] ?? '',
+                    status: r.status,
+                    length: r.length,
+                    words: r.words,
+                }));
+            }
+            catch { /* JSON parse failed */ }
+            emitProgress({ type: 'tool:end', label: 'ffuf complete', detail: `${results.length} results` });
+            return { url, mode, resultCount: results.length, results: results.slice(0, 100), outputFile: outFile, raw: raw.slice(0, 2000) };
+        },
+    }),
+};
+// ─── 6. httpx — HTTP Probing & Fingerprinting ────────────────────────────────
+export const httpxTool = {
+    /**
+     * httpx [flags]
+     *
+     * Key flags (github.com/projectdiscovery/httpx):
+     *   -l <file>          Input list of hosts/URLs
+     *   -u <url>           Single target
+     *   -title             Extract page title
+     *   -tech-detect       Technology fingerprinting (Wappalyzer-based)
+     *   -status-code       Show HTTP status codes
+     *   -content-length    Show content length
+     *   -follow-redirects  Follow HTTP redirects
+     *   -tls-probe         Probe TLS info (certs, expiry, SANs)
+     *   -tls-grab          Grab all TLS data
+     *   -web-server        Show web server header
+     *   -ip                Resolve and show IPs
+     *   -cdn               Detect CDN
+     *   -probe             Show probe result
+     *   -threads <n>       Concurrent probers
+     *   -rate-limit <n>    Max requests/second
+     *   -o <file>          Output file
+     *   -json              JSON output
+     *   -silent            Only show live hosts
+     *   -nc                No colour
+     */
+    runHttpx: tool({
+        description: 'HTTP probing and fingerprinting. Feed it a list of subdomains (from Subfinder) to instantly filter live hosts and identify technologies, TLS issues, web servers, and CDN providers. The essential bridge between recon and scanning.',
+        inputSchema: z.object({
+            targets: z.string().describe('Newline-separated list of hosts/URLs, or @/path/to/list.txt for file input.'),
+            techDetect: z.boolean().optional().default(true).describe('Fingerprint technologies using Wappalyzer rules.'),
+            tlsProbe: z.boolean().optional().default(true).describe('Extract TLS certificate info, expiry, and SANs.'),
+            followRedirects: z.boolean().optional().default(true),
+            threads: z.number().int().min(1).max(300).optional().default(50),
+            rateLimit: z.number().int().min(1).max(500).optional().default(100),
+        }),
+        execute: async ({ targets, techDetect, tlsProbe, followRedirects, threads, rateLimit }) => {
+            const approved = await confirmPentestAction('Run httpx HTTP probing', [
+                `Targets: ${targets.startsWith('@') ? targets : `${targets.split('\n').length} hosts`}`,
+                techDetect ? 'Technology detection enabled' : '',
+                tlsProbe ? 'TLS probing enabled' : '',
+                `Threads: ${threads}, Rate: ${rateLimit}/s`,
+            ].filter(Boolean));
+            if (!approved)
+                throw new Error('Blocked httpx. Ask user to approve.');
+            emitProgress({ type: 'tool:start', label: 'httpx probing', detail: `${threads} threads` });
+            const dir = await ensureDir('httpx');
+            const outFile = path.join(dir, `httpx-${ts()}.json`);
+            let inputArg;
+            if (targets.startsWith('@')) {
+                inputArg = ['-l', targets.slice(1)];
+            }
+            else {
+                // Write targets to a temp file
+                const tmpFile = path.join(dir, `httpx-input-${ts()}.txt`);
+                await writeFile(tmpFile, targets, 'utf8');
+                inputArg = ['-l', tmpFile];
+            }
+            const args = [
+                ...inputArg,
+                '-status-code', '-title', '-web-server', '-content-length', '-ip', '-cdn', '-probe',
+                '-nc', '-silent', '-json', '-o', outFile,
+                '-threads', String(threads),
+                '-rate-limit', String(rateLimit),
+            ];
+            if (techDetect)
+                args.push('-tech-detect');
+            if (tlsProbe)
+                args.push('-tls-probe', '-tls-grab');
+            if (followRedirects)
+                args.push('-follow-redirects');
+            const raw = await runTool('httpx', args, 600_000);
+            // Parse JSON lines
+            let probes = [];
+            try {
+                const content = await readFile(outFile, 'utf8');
+                probes = content
+                    .split('\n')
+                    .filter(Boolean)
+                    .map((line) => {
+                    const j = JSON.parse(line);
+                    return {
+                        url: j['url'],
+                        statusCode: j['status-code'],
+                        title: j['title'] ?? '',
+                        tech: j['tech'] ?? [],
+                        webServer: j['webserver'] ?? '',
+                        ip: j['host'] ?? '',
+                    };
+                });
+            }
+            catch { /* JSONL parse failed */ }
+            emitProgress({ type: 'tool:end', label: 'httpx complete', detail: `${probes.length} live hosts` });
+            return { liveHostCount: probes.length, probes: probes.slice(0, 100), outputFile: outFile, raw: raw.slice(0, 2000) };
+        },
+    }),
+};
+// ─── 7. Meta: Full Pentest Chain ──────────────────────────────────────────────
+export const pentestChainTool = {
+    /**
+     * Orchestrates the full kill chain:
+     * 1. Subfinder → passive subdomain discovery
+     * 2. httpx     → probe live hosts, fingerprint tech
+     * 3. Nmap      → port scan live IPs
+     * 4. Nuclei    → template-based vuln scan on live URLs
+     *
+     * Results at each stage feed into the next.
+     */
+    runPentestChain: tool({
+        description: 'Full automated pentest kill chain: Subfinder → httpx → Nmap → Nuclei. Give it a domain and depth level, it discovers subdomains, probes live hosts, port-scans, and runs vulnerability templates. Returns a consolidated findings report.',
+        inputSchema: z.object({
+            domain: z.string().min(3).describe('Root domain to pentest, e.g. example.com.'),
+            depth: z
+                .enum(['surface', 'standard', 'deep'])
+                .optional()
+                .default('standard')
+                .describe('surface=quick Nmap (top 1000 ports) + critical CVEs only; standard=full recon + high/critical; deep=all ports + all severity + vuln NSE scripts.'),
+            includeKev: z.boolean().optional().default(true).describe('Always include CISA Known Exploited Vulnerabilities templates (recommended).'),
+            nmapScripts: z.boolean().optional().default(false).describe('Run Nmap NSE vuln scripts alongside Nuclei (slower, more thorough).'),
+        }),
+        execute: async ({ domain, depth, includeKev, nmapScripts }) => {
+            const approved = await confirmPentestAction('Run full pentest kill chain', [
+                `Target domain: ${domain}`,
+                `Depth: ${depth}`,
+                'Chain: Subfinder → httpx → Nmap → Nuclei',
+                includeKev ? 'CISA KEV templates included' : '',
+                nmapScripts ? 'Nmap NSE vuln scripts enabled' : '',
+                '⚠️  This will make active network connections to the target and its infrastructure',
+            ].filter(Boolean));
+            if (!approved)
+                throw new Error('Blocked pentest chain. Ask user to approve.');
+            const results = { domain, depth, startedAt: new Date().toISOString() };
+            const dir = await ensureDir('chain');
+            const subFile = path.join(dir, `${safe(domain)}-subdomains.txt`);
+            const liveFile = path.join(dir, `${safe(domain)}-live.txt`);
+            // ── Step 1: Subfinder ─────────────────────────────────────────────────
+            emitProgress({ type: 'tool:start', label: 'Step 1/4: Subfinder', detail: domain });
+            try {
+                const subArgs = ['-d', domain, '-silent', '-o', subFile];
+                if (depth === 'deep')
+                    subArgs.push('-all');
+                const subRaw = await runTool('subfinder', subArgs, 300_000);
+                const subdomains = subRaw.split('\n').map((l) => l.trim()).filter(Boolean);
+                results['subfinder'] = { count: subdomains.length, sample: subdomains.slice(0, 20) };
+                emitProgress({ type: 'tool:end', label: `Subfinder: ${subdomains.length} subdomains found` });
+            }
+            catch (err) {
+                results['subfinder'] = { error: err instanceof Error ? err.message : String(err) };
+            }
+            // ── Step 2: httpx ────────────────────────────────────────────────────
+            emitProgress({ type: 'tool:start', label: 'Step 2/4: httpx probing live hosts' });
+            try {
+                const httpxArgs = [
+                    '-l', subFile, '-silent', '-nc', '-json', '-o', liveFile,
+                    '-status-code', '-title', '-tech-detect', '-web-server', '-ip',
+                    '-threads', '50', '-rate-limit', '100', '-follow-redirects',
+                ];
+                const httpxRaw = await runTool('httpx', httpxArgs, 600_000);
+                const liveHosts = httpxRaw.split('\n').filter(Boolean).length;
+                results['httpx'] = { liveHosts };
+                emitProgress({ type: 'tool:end', label: `httpx: ${liveHosts} live hosts` });
+            }
+            catch (err) {
+                results['httpx'] = { error: err instanceof Error ? err.message : String(err) };
+            }
+            // ── Step 3: Nmap ─────────────────────────────────────────────────────
+            emitProgress({ type: 'tool:start', label: 'Step 3/4: Nmap port scanning' });
+            try {
+                const nmapBase = path.join(dir, `nmap-${safe(domain)}`);
+                const nmapArgs = ['-sV', '--open', '-T4', '--no-stylesheet', '-oA', nmapBase];
+                if (depth === 'deep') {
+                    nmapArgs.push('-p-');
+                }
+                if (nmapScripts) {
+                    nmapArgs.push('--script', 'vuln');
+                }
+                nmapArgs.push(domain);
+                const nmapRaw = await runTool('nmap', nmapArgs, depth === 'deep' ? 1_800_000 : 300_000);
+                const openPorts = [...nmapRaw.matchAll(/(\d+)\/tcp\s+open\s+(\S+)/g)].map((m) => ({ port: m[1], service: m[2] }));
+                results['nmap'] = { openPortCount: openPorts.length, ports: openPorts, outputBase: nmapBase };
+                emitProgress({ type: 'tool:end', label: `Nmap: ${openPorts.length} open ports` });
+            }
+            catch (err) {
+                results['nmap'] = { error: err instanceof Error ? err.message : String(err) };
+            }
+            // ── Step 4: Nuclei ───────────────────────────────────────────────────
+            emitProgress({ type: 'tool:start', label: 'Step 4/4: Nuclei vulnerability scan' });
+            try {
+                const nucleiOut = path.join(dir, `nuclei-${safe(domain)}-${ts()}.jsonl`);
+                const severity = depth === 'surface' ? 'critical' : depth === 'deep' ? 'low,medium,high,critical' : 'high,critical';
+                const nucleiArgs = [
+                    '-l', liveFile, '-severity', severity, '-nc', '-silent', '-je', nucleiOut,
+                    '-rl', '150', '-c', '25',
+                ];
+                if (includeKev)
+                    nucleiArgs.push('-tags', 'kev,vkev');
+                const nucleiRaw = await runTool('nuclei', nucleiArgs, 900_000);
+                let findings = [];
+                try {
+                    const content = await readFile(nucleiOut, 'utf8');
+                    findings = content.split('\n').filter(Boolean).map((l) => JSON.parse(l));
+                }
+                catch { /* no-op */ }
+                results['nuclei'] = { findingCount: findings.length, outputFile: nucleiOut };
+                emitProgress({ type: 'tool:end', label: `Nuclei: ${findings.length} findings` });
+            }
+            catch (err) {
+                results['nuclei'] = { error: err instanceof Error ? err.message : String(err) };
+            }
+            // ── Save consolidated report ─────────────────────────────────────────
+            results['completedAt'] = new Date().toISOString();
+            const reportFile = path.join(dir, `pentest-report-${safe(domain)}-${ts()}.json`);
+            await writeFile(reportFile, JSON.stringify(results, null, 2), 'utf8');
+            emitProgress({ type: 'tool:end', label: 'Pentest chain complete', detail: reportFile });
+            return { ...results, reportFile };
+        },
+    }),
+};
+// ─── Barrel export ────────────────────────────────────────────────────────────
+export const pentestTools = {
+    ...nmapTool,
+    ...nucleiTool,
+    ...subfinderTool,
+    ...sqlmapTool,
+    ...ffufTool,
+    ...httpxTool,
+    ...pentestChainTool,
+};
+//# sourceMappingURL=pentest.tool.js.map