aiptx 2.0.7__py3-none-any.whl

aipt_v2/terminal/sandbox.py

@@ -0,0 +1,350 @@
+"""
+AIPT Docker Sandbox
+
+Isolated command execution in Docker containers for safety.
+"""
+from __future__ import annotations
+
+import asyncio
+import logging
+import os
+import tempfile
+from dataclasses import dataclass, field
+from datetime import datetime
+from typing import Optional
+
+from .executor import CommandResult, ExecutionStatus
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class SandboxConfig:
+    """Docker sandbox configuration"""
+    image: str = "python:3.11-slim"  # Base image
+    network_mode: str = "bridge"  # none, bridge, host
+    memory_limit: str = "512m"
+    cpu_limit: float = 1.0
+    timeout: float = 300.0
+
+    # Volume mounts
+    mount_workspace: bool = True
+    workspace_path: str = "/workspace"
+    read_only_root: bool = True
+
+    # Security
+    no_new_privileges: bool = True
+    drop_capabilities: list[str] = field(default_factory=lambda: ["ALL"])
+    add_capabilities: list[str] = field(default_factory=list)
+
+    # Cleanup
+    auto_remove: bool = True
+
+
+class DockerSandbox:
+    """
+    Docker-based sandbox for isolated command execution.
+
+    Provides secure execution environment with:
+    - Network isolation
+    - Resource limits
+    - Filesystem isolation
+    - Capability dropping
+
+    Example:
+        sandbox = DockerSandbox()
+        await sandbox.start()
+        result = await sandbox.execute("python exploit.py")
+        await sandbox.stop()
+
+        # Or use context manager
+        async with DockerSandbox() as sandbox:
+            result = await sandbox.execute("nmap -sV target.com")
+    """
+
+    def __init__(self, config: Optional[SandboxConfig] = None):
+        self.config = config or SandboxConfig()
+        self._container_id: Optional[str] = None
+        self._temp_dir: Optional[str] = None
+        self._is_running = False
+
+    async def __aenter__(self) -> "DockerSandbox":
+        await self.start()
+        return self
+
+    async def __aexit__(self, exc_type, exc_val, exc_tb):
+        await self.stop()
+
+    async def start(self) -> bool:
+        """Start the sandbox container"""
+        if self._is_running:
+            return True
+
+        # Check Docker availability
+        if not await self._check_docker():
+            logger.error("Docker is not available")
+            return False
+
+        # Create temp directory for workspace
+        self._temp_dir = tempfile.mkdtemp(prefix="aipt_sandbox_")
+
+        # Build docker run command
+        cmd_parts = ["docker", "run", "-d"]
+
+        # Resource limits
+        cmd_parts.extend(["--memory", self.config.memory_limit])
+        cmd_parts.extend(["--cpus", str(self.config.cpu_limit)])
+
+        # Network
+        cmd_parts.extend(["--network", self.config.network_mode])
+
+        # Security
+        if self.config.no_new_privileges:
+            cmd_parts.append("--security-opt=no-new-privileges")
+
+        for cap in self.config.drop_capabilities:
+            cmd_parts.extend(["--cap-drop", cap])
+        for cap in self.config.add_capabilities:
+            cmd_parts.extend(["--cap-add", cap])
+
+        if self.config.read_only_root:
+            cmd_parts.append("--read-only")
+            cmd_parts.extend(["--tmpfs", "/tmp:rw,noexec,nosuid,size=100m"])
+
+        # Workspace mount
+        if self.config.mount_workspace:
+            cmd_parts.extend([
+                "-v", f"{self._temp_dir}:{self.config.workspace_path}:rw"
+            ])
+            cmd_parts.extend(["-w", self.config.workspace_path])
+
+        # Auto-remove
+        if self.config.auto_remove:
+            cmd_parts.append("--rm")
+
+        # Image and keep alive command
+        cmd_parts.extend([self.config.image, "tail", "-f", "/dev/null"])
+
+        # Start container
+        try:
+            process = await asyncio.create_subprocess_exec(
+                *cmd_parts,
+                stdout=asyncio.subprocess.PIPE,
+                stderr=asyncio.subprocess.PIPE,
+            )
+            stdout, stderr = await process.communicate()
+
+            if process.returncode != 0:
+                logger.error(f"Failed to start container: {stderr.decode()}")
+                return False
+
+            self._container_id = stdout.decode().strip()[:12]
+            self._is_running = True
+            logger.info(f"Sandbox started: {self._container_id}")
+            return True
+
+        except Exception as e:
+            logger.error(f"Error starting sandbox: {e}")
+            return False
+
+    async def stop(self) -> bool:
+        """Stop and cleanup the sandbox"""
+        if not self._is_running or not self._container_id:
+            return True
+
+        try:
+            process = await asyncio.create_subprocess_exec(
+                "docker", "stop", "-t", "5", self._container_id,
+                stdout=asyncio.subprocess.PIPE,
+                stderr=asyncio.subprocess.PIPE,
+            )
+            await process.communicate()
+
+            self._is_running = False
+            self._container_id = None
+
+            # Cleanup temp dir
+            if self._temp_dir and os.path.exists(self._temp_dir):
+                import shutil
+                shutil.rmtree(self._temp_dir, ignore_errors=True)
+                self._temp_dir = None
+
+            logger.info("Sandbox stopped")
+            return True
+
+        except Exception as e:
+            logger.error(f"Error stopping sandbox: {e}")
+            return False
+
+    async def execute(
+        self,
+        command: str,
+        timeout: Optional[float] = None,
+        user: str = "root",
+    ) -> CommandResult:
+        """
+        Execute command inside the sandbox.
+
+        Args:
+            command: Command to execute
+            timeout: Override timeout
+            user: User to run as
+
+        Returns:
+            CommandResult
+        """
+        if not self._is_running:
+            return CommandResult(
+                command=command,
+                status=ExecutionStatus.FAILED,
+                stderr="Sandbox not running",
+            )
+
+        timeout = timeout or self.config.timeout
+        result = CommandResult(
+            command=command,
+            status=ExecutionStatus.RUNNING,
+            start_time=datetime.utcnow(),
+        )
+
+        try:
+            # Docker exec command
+            exec_cmd = [
+                "docker", "exec",
+                "-u", user,
+                self._container_id,
+                "sh", "-c", command,
+            ]
+
+            process = await asyncio.create_subprocess_exec(
+                *exec_cmd,
+                stdout=asyncio.subprocess.PIPE,
+                stderr=asyncio.subprocess.PIPE,
+            )
+
+            try:
+                stdout, stderr = await asyncio.wait_for(
+                    process.communicate(),
+                    timeout=timeout,
+                )
+
+                result.exit_code = process.returncode
+                result.status = (
+                    ExecutionStatus.SUCCESS
+                    if process.returncode == 0
+                    else ExecutionStatus.FAILED
+                )
+                result.stdout = stdout.decode("utf-8", errors="replace")
+                result.stderr = stderr.decode("utf-8", errors="replace")
+
+            except asyncio.TimeoutError:
+                process.kill()
+                result.status = ExecutionStatus.TIMEOUT
+                result.stderr = f"Command timed out after {timeout}s"
+
+        except Exception as e:
+            result.status = ExecutionStatus.FAILED
+            result.stderr = str(e)
+        finally:
+            result.end_time = datetime.utcnow()
+            if result.start_time:
+                result.duration_seconds = (result.end_time - result.start_time).total_seconds()
+
+        return result
+
+    async def copy_to(self, local_path: str, container_path: str) -> bool:
+        """Copy file into sandbox"""
+        if not self._is_running:
+            return False
+
+        try:
+            process = await asyncio.create_subprocess_exec(
+                "docker", "cp", local_path, f"{self._container_id}:{container_path}",
+                stdout=asyncio.subprocess.PIPE,
+                stderr=asyncio.subprocess.PIPE,
+            )
+            _, stderr = await process.communicate()
+            return process.returncode == 0
+        except Exception:
+            return False
+
+    async def copy_from(self, container_path: str, local_path: str) -> bool:
+        """Copy file from sandbox"""
+        if not self._is_running:
+            return False
+
+        try:
+            process = await asyncio.create_subprocess_exec(
+                "docker", "cp", f"{self._container_id}:{container_path}", local_path,
+                stdout=asyncio.subprocess.PIPE,
+                stderr=asyncio.subprocess.PIPE,
+            )
+            _, stderr = await process.communicate()
+            return process.returncode == 0
+        except Exception:
+            return False
+
+    def write_to_workspace(self, filename: str, content: str) -> Optional[str]:
+        """Write file to workspace directory"""
+        if not self._temp_dir:
+            return None
+        filepath = os.path.join(self._temp_dir, filename)
+        with open(filepath, "w") as f:
+            f.write(content)
+        return os.path.join(self.config.workspace_path, filename)
+
+    async def _check_docker(self) -> bool:
+        """Check if Docker is available"""
+        try:
+            process = await asyncio.create_subprocess_exec(
+                "docker", "info",
+                stdout=asyncio.subprocess.PIPE,
+                stderr=asyncio.subprocess.PIPE,
+            )
+            await process.communicate()
+            return process.returncode == 0
+        except FileNotFoundError:
+            return False
+
+    @property
+    def is_running(self) -> bool:
+        return self._is_running
+
+    @property
+    def container_id(self) -> Optional[str]:
+        return self._container_id
+
+
+# Security-focused sandbox presets
+def create_network_scanner_sandbox() -> DockerSandbox:
+    """Sandbox configured for network scanning tools"""
+    return DockerSandbox(SandboxConfig(
+        image="instrumentisto/nmap:latest",
+        network_mode="host",  # Need host networking for scanning
+        memory_limit="1g",
+        timeout=600.0,
+        add_capabilities=["NET_RAW", "NET_ADMIN"],
+    ))
+
+
+def create_web_scanner_sandbox() -> DockerSandbox:
+    """Sandbox configured for web scanning"""
+    return DockerSandbox(SandboxConfig(
+        image="python:3.11-slim",
+        network_mode="bridge",
+        memory_limit="512m",
+        timeout=300.0,
+    ))
+
+
+def create_exploit_sandbox() -> DockerSandbox:
+    """Highly isolated sandbox for running exploits"""
+    return DockerSandbox(SandboxConfig(
+        image="python:3.11-slim",
+        network_mode="none",  # No network access
+        memory_limit="256m",
+        cpu_limit=0.5,
+        timeout=60.0,
+        read_only_root=True,
+        drop_capabilities=["ALL"],
+    ))

aipt_v2/tools/__init__.py

@@ -0,0 +1,44 @@
+"""
+AIPT Tools Module - Terminal, Browser, Proxy, and Output Parsing
+"""
+
+from aipt_v2.tools.parser import OutputParser, Finding
+from aipt_v2.tools.tool_processing import process_tool_invocations
+
+
+def get_tools_prompt() -> str:
+    """Get the tools prompt for the agent."""
+    return """
+You have access to the following security tools:
+
+## Terminal Tools
+- execute_command: Run shell commands in isolated Docker sandbox
+- terminal_session: Manage persistent terminal sessions
+
+## Browser Tools
+- browser_navigate: Navigate to URLs
+- browser_click: Click elements
+- browser_type: Type text into inputs
+- browser_screenshot: Take screenshots
+
+## Proxy Tools
+- proxy_intercept: Intercept HTTP traffic
+- proxy_modify: Modify requests/responses
+
+## Security Tools
+- nmap: Port scanning and service detection
+- gobuster: Directory brute-forcing
+- nuclei: Vulnerability scanning
+- hydra: Credential brute-forcing
+- sqlmap: SQL injection testing
+
+Use these tools to accomplish your penetration testing objectives.
+"""
+
+
+__all__ = [
+    "OutputParser",
+    "Finding",
+    "process_tool_invocations",
+    "get_tools_prompt",
+]

aipt_v2/tools/active_directory/__init__.py

@@ -0,0 +1,78 @@
+"""
+AIPT Active Directory Security Module
+
+Comprehensive Active Directory penetration testing:
+- BloodHound integration for attack path mapping
+- Kerberos attacks (Kerberoasting, AS-REP roasting)
+- LDAP enumeration (users, groups, computers, GPOs)
+- SMB attacks (relay, pass-the-hash, PsExec)
+- Domain trust enumeration and abuse
+
+Usage:
+    from aipt_v2.tools.active_directory import (
+        ADScanner,
+        BloodHoundWrapper,
+        KerberosAttacks,
+        LDAPEnum,
+        SMBAttacks
+    )
+
+    # Run full AD assessment
+    scanner = ADScanner(domain="corp.local", dc_ip="10.0.0.1")
+    findings = await scanner.scan(username="user", password="pass")
+"""
+
+from aipt_v2.tools.active_directory.ad_config import (
+    ADConfig,
+    ADCredentials,
+    get_ad_config,
+)
+
+from aipt_v2.tools.active_directory.ldap_enum import (
+    LDAPEnum,
+    LDAPFinding,
+    enumerate_ldap,
+)
+
+from aipt_v2.tools.active_directory.kerberos_attacks import (
+    KerberosAttacks,
+    KerberosFinding,
+    run_kerberoast,
+    run_asreproast,
+)
+
+from aipt_v2.tools.active_directory.smb_attacks import (
+    SMBAttacks,
+    SMBFinding,
+    enumerate_smb,
+)
+
+from aipt_v2.tools.active_directory.bloodhound_wrapper import (
+    BloodHoundWrapper,
+    BloodHoundResult,
+    run_bloodhound,
+)
+
+__all__ = [
+    # Config
+    "ADConfig",
+    "ADCredentials",
+    "get_ad_config",
+    # LDAP
+    "LDAPEnum",
+    "LDAPFinding",
+    "enumerate_ldap",
+    # Kerberos
+    "KerberosAttacks",
+    "KerberosFinding",
+    "run_kerberoast",
+    "run_asreproast",
+    # SMB
+    "SMBAttacks",
+    "SMBFinding",
+    "enumerate_smb",
+    # BloodHound
+    "BloodHoundWrapper",
+    "BloodHoundResult",
+    "run_bloodhound",
+]

aipt_v2/tools/active_directory/ad_config.py

@@ -0,0 +1,238 @@
+"""
+Active Directory Configuration
+
+Handles credentials and configuration for AD penetration testing.
+Supports multiple authentication methods:
+- Password authentication
+- NTLM hash authentication (pass-the-hash)
+- Kerberos ticket authentication
+
+Usage:
+    from aipt_v2.tools.active_directory import ADConfig, get_ad_config
+
+    config = get_ad_config(
+        domain="corp.local",
+        dc_ip="10.0.0.1",
+        username="admin",
+        password="secret"
+    )
+"""
+
+import os
+from dataclasses import dataclass, field
+from typing import Optional, List
+
+
+@dataclass
+class ADCredentials:
+    """Active Directory credentials."""
+    username: str = ""
+    password: str = ""
+    domain: str = ""
+
+    # Alternative auth methods
+    ntlm_hash: str = ""  # Format: LMHASH:NTHASH or just NTHASH
+    aes_key: str = ""    # Kerberos AES key
+    ccache_file: str = ""  # Kerberos ticket cache
+
+    # Kerberos options
+    use_kerberos: bool = False
+    kdcHost: str = ""
+
+    def __post_init__(self):
+        """Load from environment if not provided."""
+        if not self.username:
+            self.username = os.getenv("AD_USERNAME", "")
+        if not self.password:
+            self.password = os.getenv("AD_PASSWORD", "")
+        if not self.domain:
+            self.domain = os.getenv("AD_DOMAIN", "")
+        if not self.ntlm_hash:
+            self.ntlm_hash = os.getenv("AD_NTLM_HASH", "")
+        if not self.ccache_file:
+            self.ccache_file = os.getenv("KRB5CCNAME", "")
+
+    def get_auth_string(self) -> str:
+        """Get authentication string for tools."""
+        if self.domain and self.username:
+            return f"{self.domain}\\{self.username}"
+        return self.username
+
+    def has_credentials(self) -> bool:
+        """Check if valid credentials are available."""
+        return bool(
+            (self.username and self.password) or
+            (self.username and self.ntlm_hash) or
+            self.ccache_file
+        )
+
+    def is_hash_auth(self) -> bool:
+        """Check if using hash-based authentication."""
+        return bool(self.ntlm_hash and not self.password)
+
+    def get_password_or_hash(self) -> str:
+        """Get password or hash for authentication."""
+        return self.password if self.password else self.ntlm_hash
+
+
+@dataclass
+class ADConfig:
+    """Active Directory scanning configuration."""
+    # Domain settings
+    domain: str = ""
+    dc_ip: str = ""
+    dc_hostname: str = ""
+
+    # Credentials
+    credentials: ADCredentials = field(default_factory=ADCredentials)
+
+    # Target settings
+    target_users: List[str] = field(default_factory=list)
+    target_groups: List[str] = field(default_factory=list)
+    target_computers: List[str] = field(default_factory=list)
+
+    # Scanning options
+    enum_users: bool = True
+    enum_groups: bool = True
+    enum_computers: bool = True
+    enum_gpos: bool = True
+    enum_trusts: bool = True
+
+    # Attack options
+    run_kerberoast: bool = False
+    run_asreproast: bool = False
+    run_bloodhound: bool = False
+
+    # Output
+    output_dir: str = "./ad_results"
+
+    # LDAP settings
+    ldap_port: int = 389
+    ldaps_port: int = 636
+    use_ssl: bool = False
+    use_gc: bool = False  # Global Catalog (port 3268/3269)
+
+    # Timeouts
+    timeout: int = 30
+
+    def __post_init__(self):
+        """Initialize from environment."""
+        if not self.domain:
+            self.domain = os.getenv("AD_DOMAIN", "")
+        if not self.dc_ip:
+            self.dc_ip = os.getenv("AD_DC_IP", os.getenv("DC_IP", ""))
+
+        # Ensure credentials have domain
+        if self.domain and not self.credentials.domain:
+            self.credentials.domain = self.domain
+
+    def get_ldap_uri(self) -> str:
+        """Get LDAP connection URI."""
+        protocol = "ldaps" if self.use_ssl else "ldap"
+        port = self.ldaps_port if self.use_ssl else self.ldap_port
+
+        if self.use_gc:
+            port = 3269 if self.use_ssl else 3268
+
+        host = self.dc_ip or self.dc_hostname
+        return f"{protocol}://{host}:{port}"
+
+    def get_base_dn(self) -> str:
+        """Get LDAP base DN from domain."""
+        if not self.domain:
+            return ""
+        parts = self.domain.split(".")
+        return ",".join([f"DC={part}" for part in parts])
+
+    def is_configured(self) -> bool:
+        """Check if AD is properly configured."""
+        return bool(
+            self.domain and
+            (self.dc_ip or self.dc_hostname) and
+            self.credentials.has_credentials()
+        )
+
+
+def get_ad_config(
+    domain: Optional[str] = None,
+    dc_ip: Optional[str] = None,
+    username: Optional[str] = None,
+    password: Optional[str] = None,
+    ntlm_hash: Optional[str] = None,
+    **kwargs
+) -> ADConfig:
+    """
+    Create ADConfig from parameters and environment.
+
+    Args:
+        domain: AD domain name (e.g., "corp.local")
+        dc_ip: Domain Controller IP address
+        username: AD username
+        password: AD password
+        ntlm_hash: NTLM hash for pass-the-hash
+        **kwargs: Additional configuration options
+
+    Returns:
+        ADConfig instance
+    """
+    credentials = ADCredentials(
+        username=username or os.getenv("AD_USERNAME", ""),
+        password=password or os.getenv("AD_PASSWORD", ""),
+        domain=domain or os.getenv("AD_DOMAIN", ""),
+        ntlm_hash=ntlm_hash or os.getenv("AD_NTLM_HASH", "")
+    )
+
+    return ADConfig(
+        domain=domain or os.getenv("AD_DOMAIN", ""),
+        dc_ip=dc_ip or os.getenv("AD_DC_IP", ""),
+        credentials=credentials,
+        output_dir=kwargs.get("output_dir", "./ad_results"),
+        use_ssl=kwargs.get("use_ssl", False),
+        timeout=kwargs.get("timeout", 30),
+        run_kerberoast=kwargs.get("run_kerberoast", False),
+        run_asreproast=kwargs.get("run_asreproast", False),
+        run_bloodhound=kwargs.get("run_bloodhound", False)
+    )
+
+
+def validate_ad_config(config: ADConfig) -> dict:
+    """
+    Validate AD configuration.
+
+    Args:
+        config: ADConfig to validate
+
+    Returns:
+        Dict with validation results
+    """
+    results = {
+        "valid": False,
+        "errors": [],
+        "warnings": []
+    }
+
+    # Check required fields
+    if not config.domain:
+        results["errors"].append("Domain not specified")
+
+    if not config.dc_ip and not config.dc_hostname:
+        results["errors"].append("Domain Controller not specified")
+
+    if not config.credentials.has_credentials():
+        results["errors"].append("No valid credentials provided")
+
+    # Check credential format
+    if config.credentials.ntlm_hash:
+        hash_parts = config.credentials.ntlm_hash.split(":")
+        if len(hash_parts) == 2:
+            if len(hash_parts[0]) != 32 or len(hash_parts[1]) != 32:
+                results["warnings"].append("NTLM hash format may be incorrect")
+        elif len(hash_parts) == 1:
+            if len(hash_parts[0]) != 32:
+                results["warnings"].append("NT hash length should be 32 characters")
+
+    # All good
+    if not results["errors"]:
+        results["valid"] = True
+
+    return results