aiptx 2.0.7__py3-none-any.whl

aipt_v2/recon/subdomain.py

@@ -0,0 +1,372 @@
+"""
+AIPT Subdomain Enumeration
+
+Subdomain discovery using multiple sources and tools.
+"""
+from __future__ import annotations
+
+import asyncio
+import logging
+import re
+import socket
+from dataclasses import dataclass, field
+from datetime import datetime
+from typing import Optional, Set
+
+import httpx
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class Subdomain:
+    """Discovered subdomain"""
+    domain: str
+    ip: str = ""
+    status: str = "unknown"  # alive, dead, unknown
+    http_status: int = 0
+    https_status: int = 0
+    title: str = ""
+    source: str = ""
+    discovered_at: datetime = field(default_factory=datetime.utcnow)
+
+    def to_dict(self) -> dict:
+        return {
+            "domain": self.domain,
+            "ip": self.ip,
+            "status": self.status,
+            "http_status": self.http_status,
+            "https_status": self.https_status,
+            "title": self.title,
+            "source": self.source,
+        }
+
+
+@dataclass
+class SubdomainConfig:
+    """Subdomain enumeration configuration"""
+    # Tools to use
+    use_subfinder: bool = True
+    use_amass: bool = False
+    use_crtsh: bool = True
+    use_dns_bruteforce: bool = False
+
+    # Verification
+    resolve_dns: bool = True
+    check_http: bool = True
+    timeout: float = 5.0
+    concurrent_requests: int = 50
+
+    # Wordlist for bruteforce
+    wordlist: list[str] = field(default_factory=lambda: [
+        "www", "mail", "ftp", "localhost", "webmail", "smtp", "pop", "ns1", "ns2",
+        "dns", "dns1", "dns2", "vpn", "gateway", "router", "admin", "administrator",
+        "api", "app", "apps", "dev", "development", "staging", "test", "testing",
+        "prod", "production", "web", "portal", "secure", "ssl", "cdn", "static",
+        "assets", "img", "images", "media", "files", "download", "downloads",
+        "blog", "forum", "shop", "store", "support", "help", "docs", "wiki",
+        "git", "svn", "repo", "repository", "jenkins", "ci", "build",
+        "monitor", "status", "health", "metrics", "grafana", "kibana",
+        "db", "database", "mysql", "postgres", "redis", "elastic", "elasticsearch",
+        "auth", "login", "sso", "oauth", "identity",
+    ])
+
+
+@dataclass
+class SubdomainResult:
+    """Subdomain enumeration results"""
+    target: str
+    subdomains: list[Subdomain] = field(default_factory=list)
+    alive_count: int = 0
+    total_found: int = 0
+    sources_used: list[str] = field(default_factory=list)
+    start_time: Optional[datetime] = None
+    end_time: Optional[datetime] = None
+    duration_seconds: float = 0.0
+
+    def get_alive(self) -> list[Subdomain]:
+        """Get only alive subdomains"""
+        return [s for s in self.subdomains if s.status == "alive"]
+
+    def get_by_source(self, source: str) -> list[Subdomain]:
+        """Get subdomains from specific source"""
+        return [s for s in self.subdomains if s.source == source]
+
+    def to_dict(self) -> dict:
+        return {
+            "target": self.target,
+            "total_found": self.total_found,
+            "alive_count": self.alive_count,
+            "sources_used": self.sources_used,
+            "duration_seconds": self.duration_seconds,
+            "subdomains": [s.to_dict() for s in self.subdomains],
+        }
+
+
+class SubdomainEnumerator:
+    """
+    Subdomain enumeration from multiple sources.
+
+    Sources:
+    - Subfinder (if installed)
+    - Amass (if installed)
+    - crt.sh (Certificate Transparency)
+    - DNS bruteforce (optional)
+
+    Example:
+        enumerator = SubdomainEnumerator(SubdomainConfig(
+            use_crtsh=True,
+            check_http=True,
+        ))
+        result = await enumerator.enumerate("example.com")
+
+        for subdomain in result.get_alive():
+            print(f"{subdomain.domain} -> {subdomain.ip}")
+    """
+
+    def __init__(self, config: Optional[SubdomainConfig] = None):
+        self.config = config or SubdomainConfig()
+        self._found: Set[str] = set()
+
+    async def enumerate(self, domain: str) -> SubdomainResult:
+        """
+        Enumerate subdomains for a domain.
+
+        Args:
+            domain: Target domain (e.g., example.com)
+
+        Returns:
+            SubdomainResult with discovered subdomains
+        """
+        result = SubdomainResult(target=domain)
+        result.start_time = datetime.utcnow()
+        self._found.clear()
+
+        # Collect from all sources
+        tasks = []
+
+        if self.config.use_crtsh:
+            tasks.append(self._from_crtsh(domain))
+            result.sources_used.append("crt.sh")
+
+        if self.config.use_subfinder and self._tool_available("subfinder"):
+            tasks.append(self._from_subfinder(domain))
+            result.sources_used.append("subfinder")
+
+        if self.config.use_amass and self._tool_available("amass"):
+            tasks.append(self._from_amass(domain))
+            result.sources_used.append("amass")
+
+        if self.config.use_dns_bruteforce:
+            tasks.append(self._dns_bruteforce(domain))
+            result.sources_used.append("dns_bruteforce")
+
+        # Gather results
+        results = await asyncio.gather(*tasks, return_exceptions=True)
+
+        for source_result in results:
+            if isinstance(source_result, list):
+                for subdomain in source_result:
+                    if subdomain.domain not in self._found:
+                        self._found.add(subdomain.domain)
+                        result.subdomains.append(subdomain)
+
+        result.total_found = len(result.subdomains)
+
+        # Verify subdomains
+        if self.config.resolve_dns or self.config.check_http:
+            await self._verify_subdomains(result.subdomains)
+
+        result.alive_count = len([s for s in result.subdomains if s.status == "alive"])
+        result.end_time = datetime.utcnow()
+        result.duration_seconds = (result.end_time - result.start_time).total_seconds()
+
+        logger.info(
+            f"Enumeration complete: {result.total_found} found, {result.alive_count} alive"
+        )
+
+        return result
+
+    async def _from_crtsh(self, domain: str) -> list[Subdomain]:
+        """Query crt.sh certificate transparency logs"""
+        subdomains = []
+
+        try:
+            async with httpx.AsyncClient(timeout=30.0) as client:
+                response = await client.get(
+                    f"https://crt.sh/?q=%.{domain}&output=json"
+                )
+
+                if response.status_code == 200:
+                    data = response.json()
+
+                    for entry in data:
+                        name = entry.get("name_value", "")
+                        # Split by newlines (can have multiple names)
+                        for sub in name.split("\n"):
+                            sub = sub.strip().lower()
+                            # Clean wildcards
+                            sub = sub.replace("*.", "")
+                            if sub and sub.endswith(domain) and sub not in self._found:
+                                subdomains.append(Subdomain(
+                                    domain=sub,
+                                    source="crt.sh",
+                                ))
+
+        except Exception as e:
+            logger.debug(f"crt.sh error: {e}")
+
+        return subdomains
+
+    async def _from_subfinder(self, domain: str) -> list[Subdomain]:
+        """Run subfinder"""
+        subdomains = []
+
+        try:
+            process = await asyncio.create_subprocess_exec(
+                "subfinder", "-d", domain, "-silent",
+                stdout=asyncio.subprocess.PIPE,
+                stderr=asyncio.subprocess.PIPE,
+            )
+            stdout, _ = await asyncio.wait_for(process.communicate(), timeout=120.0)
+
+            for line in stdout.decode().strip().split("\n"):
+                sub = line.strip().lower()
+                if sub and sub not in self._found:
+                    subdomains.append(Subdomain(
+                        domain=sub,
+                        source="subfinder",
+                    ))
+
+        except Exception as e:
+            logger.debug(f"subfinder error: {e}")
+
+        return subdomains
+
+    async def _from_amass(self, domain: str) -> list[Subdomain]:
+        """Run amass"""
+        subdomains = []
+
+        try:
+            process = await asyncio.create_subprocess_exec(
+                "amass", "enum", "-passive", "-d", domain,
+                stdout=asyncio.subprocess.PIPE,
+                stderr=asyncio.subprocess.PIPE,
+            )
+            stdout, _ = await asyncio.wait_for(process.communicate(), timeout=300.0)
+
+            for line in stdout.decode().strip().split("\n"):
+                sub = line.strip().lower()
+                if sub and sub not in self._found:
+                    subdomains.append(Subdomain(
+                        domain=sub,
+                        source="amass",
+                    ))
+
+        except Exception as e:
+            logger.debug(f"amass error: {e}")
+
+        return subdomains
+
+    async def _dns_bruteforce(self, domain: str) -> list[Subdomain]:
+        """Bruteforce subdomains using wordlist"""
+        subdomains = []
+        semaphore = asyncio.Semaphore(self.config.concurrent_requests)
+
+        async def check_subdomain(word: str) -> Optional[Subdomain]:
+            async with semaphore:
+                subdomain = f"{word}.{domain}"
+                try:
+                    socket.setdefaulttimeout(self.config.timeout)
+                    ip = socket.gethostbyname(subdomain)
+                    return Subdomain(
+                        domain=subdomain,
+                        ip=ip,
+                        status="alive",
+                        source="dns_bruteforce",
+                    )
+                except socket.gaierror:
+                    return None
+
+        tasks = [check_subdomain(word) for word in self.config.wordlist]
+        results = await asyncio.gather(*tasks)
+
+        for result in results:
+            if result and result.domain not in self._found:
+                subdomains.append(result)
+
+        return subdomains
+
+    async def _verify_subdomains(self, subdomains: list[Subdomain]) -> None:
+        """Verify subdomains are alive"""
+        semaphore = asyncio.Semaphore(self.config.concurrent_requests)
+
+        async def verify(subdomain: Subdomain) -> None:
+            async with semaphore:
+                # DNS resolution
+                if self.config.resolve_dns and not subdomain.ip:
+                    try:
+                        subdomain.ip = socket.gethostbyname(subdomain.domain)
+                    except socket.gaierror:
+                        subdomain.status = "dead"
+                        return
+
+                # HTTP check
+                if self.config.check_http:
+                    try:
+                        async with httpx.AsyncClient(
+                            timeout=self.config.timeout,
+                            follow_redirects=True,
+                            verify=False,
+                        ) as client:
+                            # Try HTTPS first
+                            try:
+                                response = await client.get(f"https://{subdomain.domain}")
+                                subdomain.https_status = response.status_code
+                                subdomain.status = "alive"
+
+                                # Extract title
+                                title_match = re.search(
+                                    r"<title[^>]*>([^<]+)</title>",
+                                    response.text,
+                                    re.IGNORECASE,
+                                )
+                                if title_match:
+                                    subdomain.title = title_match.group(1).strip()[:100]
+
+                            except Exception:
+                                # Try HTTP
+                                try:
+                                    response = await client.get(f"http://{subdomain.domain}")
+                                    subdomain.http_status = response.status_code
+                                    subdomain.status = "alive"
+                                except Exception:
+                                    pass
+
+                    except Exception:
+                        pass
+
+                # Mark as alive if we got an IP
+                if subdomain.ip and subdomain.status == "unknown":
+                    subdomain.status = "alive"
+
+        await asyncio.gather(*[verify(s) for s in subdomains])
+
+    def _tool_available(self, tool: str) -> bool:
+        """Check if tool is available"""
+        import shutil
+        return shutil.which(tool) is not None
+
+
+# Convenience function
+async def enumerate_subdomains(domain: str, quick: bool = True) -> SubdomainResult:
+    """Quick subdomain enumeration"""
+    config = SubdomainConfig(
+        use_subfinder=not quick,
+        use_amass=False,
+        use_crtsh=True,
+        use_dns_bruteforce=not quick,
+        check_http=True,
+    )
+    enumerator = SubdomainEnumerator(config)
+    return await enumerator.enumerate(domain)

aipt_v2/recon/tech_detect.py

@@ -0,0 +1,311 @@
+"""
+AIPT Technology Detection
+
+Web technology fingerprinting and stack detection.
+"""
+from __future__ import annotations
+
+import logging
+import re
+from dataclasses import dataclass, field
+from datetime import datetime
+from typing import Optional
+
+import httpx
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class Technology:
+    """Detected technology"""
+    name: str
+    category: str  # frontend, backend, framework, cms, server, etc.
+    version: str = ""
+    confidence: int = 100  # 0-100
+    evidence: str = ""
+
+    def to_dict(self) -> dict:
+        return {
+            "name": self.name,
+            "category": self.category,
+            "version": self.version,
+            "confidence": self.confidence,
+        }
+
+
+@dataclass
+class TechStack:
+    """Complete technology stack"""
+    url: str
+    technologies: list[Technology] = field(default_factory=list)
+    headers: dict[str, str] = field(default_factory=dict)
+    cookies: list[str] = field(default_factory=list)
+    detected_at: datetime = field(default_factory=datetime.utcnow)
+
+    def get_by_category(self, category: str) -> list[Technology]:
+        """Get technologies by category"""
+        return [t for t in self.technologies if t.category == category]
+
+    def has_tech(self, name: str) -> bool:
+        """Check if specific technology is present"""
+        return any(t.name.lower() == name.lower() for t in self.technologies)
+
+    def to_dict(self) -> dict:
+        return {
+            "url": self.url,
+            "technologies": [t.to_dict() for t in self.technologies],
+            "categories": list(set(t.category for t in self.technologies)),
+        }
+
+
+class TechDetector:
+    """
+    Web technology fingerprinting.
+
+    Detects:
+    - Web servers (nginx, Apache, IIS)
+    - Frameworks (React, Vue, Angular, Django, Rails)
+    - CMS (WordPress, Drupal, Joomla)
+    - JavaScript libraries
+    - Security tools (WAF, CDN)
+
+    Example:
+        detector = TechDetector()
+        stack = await detector.detect("https://example.com")
+
+        for tech in stack.technologies:
+            print(f"{tech.category}: {tech.name} {tech.version}")
+    """
+
+    # Technology fingerprints
+    FINGERPRINTS = {
+        # Headers
+        "headers": {
+            "Server": {
+                "nginx": ("nginx", "server"),
+                "Apache": ("Apache", "server"),
+                "Microsoft-IIS": ("IIS", "server"),
+                "cloudflare": ("Cloudflare", "cdn"),
+                "AmazonS3": ("Amazon S3", "storage"),
+                "Varnish": ("Varnish", "cache"),
+                "gunicorn": ("Gunicorn", "server"),
+                "uvicorn": ("Uvicorn", "server"),
+            },
+            "X-Powered-By": {
+                "PHP": ("PHP", "language"),
+                "ASP.NET": ("ASP.NET", "framework"),
+                "Express": ("Express.js", "framework"),
+                "Next.js": ("Next.js", "framework"),
+                "Nuxt": ("Nuxt.js", "framework"),
+            },
+            "X-Generator": {
+                "WordPress": ("WordPress", "cms"),
+                "Drupal": ("Drupal", "cms"),
+                "Joomla": ("Joomla", "cms"),
+            },
+        },
+        # HTML patterns
+        "html": [
+            # Frameworks
+            (r"react", "React", "frontend"),
+            (r"ng-app|angular", "Angular", "frontend"),
+            (r"vue\.js|v-cloak|v-bind", "Vue.js", "frontend"),
+            (r"svelte", "Svelte", "frontend"),
+            (r"ember", "Ember.js", "frontend"),
+
+            # CMS
+            (r"wp-content|wp-includes", "WordPress", "cms"),
+            (r"drupal\.js|drupal\.settings", "Drupal", "cms"),
+            (r"joomla", "Joomla", "cms"),
+            (r"shopify", "Shopify", "ecommerce"),
+            (r"magento", "Magento", "ecommerce"),
+            (r"woocommerce", "WooCommerce", "ecommerce"),
+
+            # JavaScript libraries
+            (r"jquery[\.-]?\d|jquery\.min\.js", "jQuery", "javascript"),
+            (r"bootstrap[\.-]?\d|bootstrap\.min", "Bootstrap", "css"),
+            (r"tailwind", "Tailwind CSS", "css"),
+            (r"lodash", "Lodash", "javascript"),
+            (r"moment\.js|moment\.min", "Moment.js", "javascript"),
+            (r"axios", "Axios", "javascript"),
+
+            # Analytics
+            (r"google-analytics|gtag|ga\.js", "Google Analytics", "analytics"),
+            (r"googletagmanager", "Google Tag Manager", "analytics"),
+            (r"facebook.*pixel|fbq\(", "Facebook Pixel", "analytics"),
+            (r"hotjar", "Hotjar", "analytics"),
+            (r"segment\.io|analytics\.js", "Segment", "analytics"),
+
+            # Security
+            (r"recaptcha", "reCAPTCHA", "security"),
+            (r"hcaptcha", "hCaptcha", "security"),
+            (r"cloudflare", "Cloudflare", "cdn"),
+            (r"akamai", "Akamai", "cdn"),
+            (r"fastly", "Fastly", "cdn"),
+
+            # Other
+            (r"webpack", "Webpack", "build"),
+            (r"vite", "Vite", "build"),
+            (r"graphql", "GraphQL", "api"),
+            (r"socket\.io", "Socket.IO", "websocket"),
+        ],
+        # Cookie patterns
+        "cookies": {
+            "PHPSESSID": ("PHP", "language"),
+            "ASP.NET_SessionId": ("ASP.NET", "framework"),
+            "JSESSIONID": ("Java", "language"),
+            "rack.session": ("Ruby/Rack", "framework"),
+            "express.sid": ("Express.js", "framework"),
+            "connect.sid": ("Connect.js", "framework"),
+            "laravel_session": ("Laravel", "framework"),
+            "django": ("Django", "framework"),
+            "wordpress": ("WordPress", "cms"),
+            "wp-settings": ("WordPress", "cms"),
+            "__cf_bm": ("Cloudflare", "cdn"),
+        },
+    }
+
+    def __init__(self, timeout: float = 10.0):
+        self.timeout = timeout
+
+    async def detect(self, url: str) -> TechStack:
+        """
+        Detect technologies used by a website.
+
+        Args:
+            url: Target URL
+
+        Returns:
+            TechStack with detected technologies
+        """
+        stack = TechStack(url=url)
+
+        try:
+            async with httpx.AsyncClient(
+                timeout=self.timeout,
+                follow_redirects=True,
+                verify=False,
+            ) as client:
+                response = await client.get(url)
+
+                # Store headers
+                stack.headers = dict(response.headers)
+
+                # Store cookies
+                stack.cookies = [c for c in response.cookies.keys()]
+
+                # Detect from headers
+                self._detect_from_headers(response.headers, stack)
+
+                # Detect from cookies
+                self._detect_from_cookies(response.cookies, stack)
+
+                # Detect from HTML
+                self._detect_from_html(response.text, stack)
+
+                # Extract versions where possible
+                self._extract_versions(response.text, stack)
+
+        except Exception as e:
+            logger.error(f"Tech detection error: {e}")
+
+        # Deduplicate
+        seen = set()
+        unique = []
+        for tech in stack.technologies:
+            key = (tech.name, tech.category)
+            if key not in seen:
+                seen.add(key)
+                unique.append(tech)
+        stack.technologies = unique
+
+        logger.info(f"Detected {len(stack.technologies)} technologies")
+        return stack
+
+    def _detect_from_headers(self, headers: httpx.Headers, stack: TechStack) -> None:
+        """Detect technologies from HTTP headers"""
+        for header, patterns in self.FINGERPRINTS["headers"].items():
+            value = headers.get(header, "")
+            if value:
+                for pattern, (name, category) in patterns.items():
+                    if pattern.lower() in value.lower():
+                        # Extract version if present
+                        version = ""
+                        version_match = re.search(rf"{pattern}[/\s]*([\d.]+)", value, re.I)
+                        if version_match:
+                            version = version_match.group(1)
+
+                        stack.technologies.append(Technology(
+                            name=name,
+                            category=category,
+                            version=version,
+                            confidence=100,
+                            evidence=f"Header: {header}: {value}",
+                        ))
+
+    def _detect_from_cookies(self, cookies: httpx.Cookies, stack: TechStack) -> None:
+        """Detect technologies from cookies"""
+        for cookie_name in cookies.keys():
+            for pattern, (name, category) in self.FINGERPRINTS["cookies"].items():
+                if pattern.lower() in cookie_name.lower():
+                    stack.technologies.append(Technology(
+                        name=name,
+                        category=category,
+                        confidence=90,
+                        evidence=f"Cookie: {cookie_name}",
+                    ))
+
+    def _detect_from_html(self, html: str, stack: TechStack) -> None:
+        """Detect technologies from HTML content"""
+        html_lower = html.lower()
+
+        for pattern, name, category in self.FINGERPRINTS["html"]:
+            if re.search(pattern, html_lower):
+                stack.technologies.append(Technology(
+                    name=name,
+                    category=category,
+                    confidence=80,
+                    evidence=f"HTML pattern: {pattern}",
+                ))
+
+        # Check meta generator
+        generator_match = re.search(
+            r'<meta[^>]*name=["\']generator["\'][^>]*content=["\']([^"\']+)["\']',
+            html,
+            re.I,
+        )
+        if generator_match:
+            generator = generator_match.group(1)
+            stack.technologies.append(Technology(
+                name=generator.split()[0],
+                category="cms",
+                version=generator.split()[1] if len(generator.split()) > 1 else "",
+                confidence=100,
+                evidence=f"Meta generator: {generator}",
+            ))
+
+    def _extract_versions(self, html: str, stack: TechStack) -> None:
+        """Try to extract version numbers"""
+        # Version patterns for common technologies
+        version_patterns = {
+            "jQuery": r"jquery[.-]?(\d+\.\d+(?:\.\d+)?)",
+            "Bootstrap": r"bootstrap[.-]?(\d+\.\d+(?:\.\d+)?)",
+            "React": r"react[.-]?(\d+\.\d+(?:\.\d+)?)",
+            "Vue.js": r"vue[.-]?(\d+\.\d+(?:\.\d+)?)",
+            "Angular": r"angular[.-]?(\d+\.\d+(?:\.\d+)?)",
+        }
+
+        for tech in stack.technologies:
+            if not tech.version and tech.name in version_patterns:
+                pattern = version_patterns[tech.name]
+                match = re.search(pattern, html, re.I)
+                if match:
+                    tech.version = match.group(1)
+
+
+# Convenience function
+async def detect_tech(url: str) -> TechStack:
+    """Quick technology detection"""
+    detector = TechDetector()
+    return await detector.detect(url)

aipt_v2/reports/__init__.py

@@ -0,0 +1,17 @@
+"""
+AIPT Report Generation
+
+Generates professional pentest reports in multiple formats:
+- HTML (standalone, styled)
+- Markdown (for documentation)
+- JSON (for integration)
+"""
+
+from .generator import ReportGenerator, ReportConfig
+from .html_report import generate_html_report
+
+__all__ = [
+    "ReportGenerator",
+    "ReportConfig",
+    "generate_html_report",
+]