eva-exploit 2.5__py3-none-any.whl

modules/attack_map.py

@@ -0,0 +1,467 @@
+import json
+import os
+import platform
+import re
+import socket
+import webbrowser
+from datetime import datetime, timezone
+from pathlib import Path
+
+
+IP_PATTERN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
+FQDN_PATTERN = re.compile(r"\b[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+){1,}\b")
+NMAP_SERVICE_PATTERN = re.compile(r"(\d{1,5})/tcp\s+open\s+([^\s]+)", re.IGNORECASE)
+DOMAIN_USER_PATTERN = re.compile(r"\b([A-Za-z0-9_.-]+)\\([A-Za-z0-9_.-]+)\b")
+UID_NAME_PATTERN = re.compile(r"uid=\d+\(([^)]+)\)")
+
+
+def _normalize_ip(ip):
+    parts = ip.split(".")
+    if len(parts) != 4:
+        return None
+    try:
+        nums = [int(x) for x in parts]
+    except ValueError:
+        return None
+    if any(n < 0 or n > 255 for n in nums):
+        return None
+    return ip
+
+
+def _guess_target_os(blob):
+    text = blob.lower()
+    if any(word in text for word in ["windows", "winrm", "active directory", "smb", "kerberos"]):
+        return "Windows"
+    if any(word in text for word in ["linux", "ubuntu", "debian", "centos", "kali", "parrot", "openssh"]):
+        return "Linux"
+    return "Unknown"
+
+
+def _extract_primary_target(user_lines):
+    for line in user_lines:
+        for ip in IP_PATTERN.findall(line):
+            norm = _normalize_ip(ip)
+            if norm:
+                return norm
+    return None
+
+
+def _operator_fingerprint():
+    hostname = socket.gethostname() or "localhost"
+    os_name = platform.system() or "UnknownOS"
+    release = platform.release() or "UnknownRelease"
+    arch = platform.machine() or "UnknownArch"
+    cpu = platform.processor() or platform.uname().processor or "UnknownCPU"
+    cores = os.cpu_count() or 0
+    user = os.getenv("USER") or os.getenv("USERNAME") or "unknown"
+    label = f"Operator ({hostname})"
+    detail = f"User: {user} | OS: {os_name} {release} | Arch: {arch} | CPU: {cpu} | Cores: {cores}"
+    return label, detail
+
+
+def _add_node(nodes, node_id, label, node_type, detail=""):
+    if node_id in nodes:
+        return
+    nodes[node_id] = {
+        "id": node_id,
+        "label": label,
+        "type": node_type,
+        "detail": detail,
+    }
+
+
+def _add_edge(edges, src, dst, label, detail=""):
+    edge_id = f"{src}->{dst}:{label}"
+    if edge_id in edges:
+        return
+    edges[edge_id] = {
+        "id": edge_id,
+        "source": src,
+        "target": dst,
+        "label": label,
+        "detail": detail,
+    }
+
+
+def build_attack_graph(session_name, timeline):
+    nodes = {}
+    edges = {}
+
+    user_lines = [item.get("content", "") for item in timeline if item.get("type") == "user"]
+    analysis_lines = [item.get("content", "") for item in timeline if item.get("type") == "analysis"]
+    command_items = [item for item in timeline if item.get("type") == "command"]
+
+    primary_target = _extract_primary_target(user_lines + analysis_lines)
+    all_analysis = "\n".join(analysis_lines)
+    full_blob = "\n".join(user_lines + analysis_lines + [item.get("cmd", "") + "\n" + item.get("output", "") for item in command_items])
+
+    operator_id = "operator"
+    op_label, op_detail = _operator_fingerprint()
+    _add_node(nodes, operator_id, op_label, "operator", op_detail)
+
+    if primary_target:
+        target_id = f"target:{primary_target}"
+        target_os = _guess_target_os("\n".join(user_lines) + "\n" + all_analysis)
+        _add_node(nodes, target_id, f"Target {primary_target}", "target", f"OS guess: {target_os}")
+        _add_edge(edges, operator_id, target_id, "engages", "Initial assessment scope")
+
+    # Add hosts explicitly observed in session artifacts.
+    for ip in IP_PATTERN.findall(full_blob):
+        norm = _normalize_ip(ip)
+        if not norm:
+            continue
+        if primary_target and norm == primary_target:
+            continue
+        ip_id = f"host:{norm}"
+        _add_node(nodes, ip_id, norm, "host", "Observed in chat/analysis/command artifacts")
+        _add_edge(edges, operator_id, ip_id, "observes", "Seen in session artifacts")
+
+    for fqdn in FQDN_PATTERN.findall("\n".join(user_lines + analysis_lines)):
+        if fqdn.count(".") < 1:
+            continue
+        domain_id = f"domain:{fqdn.lower()}"
+        _add_node(nodes, domain_id, fqdn.lower(), "domain", "Observed DNS/FQDN artifact")
+        if primary_target:
+            _add_edge(edges, f"target:{primary_target}", domain_id, "resolves", "Target/DNS relationship")
+
+    for item in command_items:
+        cmd = item.get("cmd", "")
+        out = item.get("output", "")
+
+        mentioned_ips = []
+        for ip in IP_PATTERN.findall(cmd + "\n" + out):
+            norm = _normalize_ip(ip)
+            if norm:
+                mentioned_ips.append(norm)
+
+        for ip in mentioned_ips:
+            ip_id = f"host:{ip}"
+            _add_node(nodes, ip_id, ip, "host", "Host seen in command/output")
+            _add_edge(edges, operator_id, ip_id, "scans", cmd[:80])
+
+        for port, service in NMAP_SERVICE_PATTERN.findall(out):
+            if mentioned_ips:
+                host = mentioned_ips[0]
+            else:
+                host = primary_target
+            if not host:
+                continue
+
+            host_id = f"host:{host}" if host != primary_target else f"target:{host}"
+            service_id = f"svc:{host}:{port}:{service.lower()}"
+            _add_node(
+                nodes,
+                service_id,
+                f"{service}/{port}",
+                "service",
+                f"Service {service} open on TCP/{port}",
+            )
+            _add_edge(edges, host_id, service_id, "exposes", f"Derived from `{cmd}`")
+
+        for domain, user in DOMAIN_USER_PATTERN.findall(out):
+            domain_id = f"domain:{domain.lower()}"
+            user_id = f"user:{domain.lower()}\\{user.lower()}"
+            _add_node(nodes, domain_id, domain, "domain", "Domain observed in output")
+            _add_node(nodes, user_id, f"{domain}\\{user}", "user", "Domain account observed")
+            _add_edge(edges, domain_id, user_id, "contains", "Domain principal relationship")
+            if primary_target:
+                _add_edge(edges, f"target:{primary_target}", user_id, "auth-context", "Credential/artifact linkage")
+
+        for username in UID_NAME_PATTERN.findall(out):
+            user_id = f"user:local:{username.lower()}"
+            _add_node(nodes, user_id, username, "user", "Linux local account artifact")
+            if primary_target:
+                _add_edge(edges, f"target:{primary_target}", user_id, "local-user", "uid() account extraction")
+
+        whoami = out.strip().splitlines()
+        if len(whoami) == 1 and 0 < len(whoami[0]) <= 32 and " " not in whoami[0]:
+            if re.match(r"^[A-Za-z0-9_.\\$-]+$", whoami[0]):
+                user_text = whoami[0]
+                user_id = f"user:observed:{user_text.lower()}"
+                _add_node(nodes, user_id, user_text, "user", "Observed identity output")
+                if primary_target:
+                    _add_edge(edges, f"target:{primary_target}", user_id, "execution-context", f"From `{cmd}`")
+
+    graph = {
+        "meta": {
+            "session": session_name,
+            "generated_at": datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M UTC"),
+            "node_count": len(nodes),
+            "edge_count": len(edges),
+        },
+        "nodes": list(nodes.values()),
+        "edges": list(edges.values()),
+    }
+    # If no actionable artifact was discovered, keep only the operator node.
+    if len(nodes) == 1:
+        graph["edges"] = []
+        graph["meta"]["edge_count"] = 0
+        graph["meta"]["node_count"] = 1
+    return graph
+
+
+def _html_template(graph_json, version="unknown"):
+    return f"""<!doctype html>
+<html lang=\"en\">
+<head>
+  <meta charset=\"utf-8\" />
+  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" />
+  <title>EVA Attack Map</title>
+  <style>
+    :root {{
+      --bg:#0b1324;
+      --panel:#111d34;
+      --panel2:#162645;
+      --line:#2e4167;
+      --text:#e6eefc;
+      --muted:#96a8cc;
+      --operator:#2dd4bf;
+      --target:#f97316;
+      --host:#60a5fa;
+      --service:#c084fc;
+      --user:#22c55e;
+      --domain:#facc15;
+      --other:#94a3b8;
+    }}
+    * {{ box-sizing: border-box; }}
+    body {{ margin:0; font-family:"JetBrains Mono","Consolas",monospace; background:radial-gradient(circle at 20% 0%,#172643,#0b1324 60%); color:var(--text); }}
+    .top {{ display:flex; gap:12px; align-items:center; justify-content:space-between; padding:14px 16px; border-bottom:1px solid var(--line); background:rgba(10,16,31,.8); backdrop-filter: blur(8px); position:sticky; top:0; z-index:3; }}
+    .title {{ font-size:14px; letter-spacing:.08em; text-transform:uppercase; color:#cde0ff; }}
+    .meta {{ color:var(--muted); font-size:12px; }}
+    .layout {{ display:grid; grid-template-columns: 1fr 300px; min-height: calc(100vh - 58px); }}
+    .canvas-wrap {{ position:relative; overflow:hidden; }}
+    svg {{ width:100%; height:100%; display:block; cursor:grab; }}
+    .node {{ cursor:pointer; }}
+    .node text {{ font-size:11px; fill:var(--text); pointer-events:none; }}
+    .node circle {{ stroke:#d9e4ff; stroke-opacity:.35; stroke-width:1.2; }}
+    .edge {{ stroke:#8ba5d9; stroke-opacity:.45; stroke-width:1.1; }}
+    .edge-label {{ fill:#a6bbe4; font-size:10px; }}
+    .side {{ border-left:1px solid var(--line); padding:14px; background:linear-gradient(180deg,var(--panel),var(--panel2)); }}
+    .card {{ border:1px solid #22355a; border-radius:10px; padding:10px; margin-bottom:12px; background:rgba(12,20,37,.6); }}
+    .label {{ font-size:11px; color:var(--muted); text-transform:uppercase; letter-spacing:.08em; margin-bottom:4px; }}
+    .value {{ font-size:13px; line-height:1.4; word-break:break-word; }}
+    .legend-item {{ display:flex; align-items:center; gap:8px; font-size:12px; margin:6px 0; }}
+    .dot {{ width:10px; height:10px; border-radius:999px; border:1px solid rgba(255,255,255,.4); }}
+    .footer {{ color:var(--muted); text-align:center; font-size:12px; padding:10px 14px 16px; border-top:1px solid var(--line); background:rgba(10,16,31,.8); }}
+    @media (max-width:900px) {{ .layout {{ grid-template-columns:1fr; }} .side {{ border-left:none; border-top:1px solid var(--line); }} }}
+  </style>
+</head>
+<body>
+  <div class=\"top\">
+    <div class=\"title\">EVA Visual Attack Map</div>
+    <div class=\"meta\" id=\"meta\"></div>
+  </div>
+  <div class=\"layout\">
+    <div class=\"canvas-wrap\">
+      <svg id=\"map\" viewBox=\"0 0 1280 840\" preserveAspectRatio=\"xMidYMid meet\"></svg>
+    </div>
+    <aside class=\"side\">
+      <div class=\"card\">
+        <div class=\"label\">Selection</div>
+        <div class=\"value\" id=\"sel-title\">None</div>
+        <div class=\"label\" style=\"margin-top:8px;\">Details</div>
+        <div class=\"value\" id=\"sel-detail\">Click a node or edge.</div>
+      </div>
+      <div class=\"card\">
+        <div class=\"label\">Legend</div>
+        <div class=\"legend-item\"><span class=\"dot\" style=\"background:var(--operator)\"></span>Operator</div>
+        <div class=\"legend-item\"><span class=\"dot\" style=\"background:var(--target)\"></span>Target</div>
+        <div class=\"legend-item\"><span class=\"dot\" style=\"background:var(--host)\"></span>Host</div>
+        <div class=\"legend-item\"><span class=\"dot\" style=\"background:var(--service)\"></span>Service</div>
+        <div class=\"legend-item\"><span class=\"dot\" style=\"background:var(--user)\"></span>User</div>
+        <div class=\"legend-item\"><span class=\"dot\" style=\"background:var(--domain)\"></span>Domain</div>
+      </div>
+      <div class=\"card\">
+        <div class=\"label\">Navigation</div>
+        <div class=\"value\">Drag to pan, wheel to zoom, click node for intel.</div>
+      </div>
+    </aside>
+  </div>
+  <div class=\"footer\">EVA v{version}<br/>Made by: Arcangelo</div>
+
+<script>
+const graph = {graph_json};
+const svg = document.getElementById('map');
+const NS = 'http://www.w3.org/2000/svg';
+const meta = document.getElementById('meta');
+const selTitle = document.getElementById('sel-title');
+const selDetail = document.getElementById('sel-detail');
+
+meta.textContent = `${{graph.meta.session}} | ${{graph.meta.generated_at}} | Nodes: ${{graph.meta.node_count}} | Edges: ${{graph.meta.edge_count}} | Made by Arcangelo`;
+
+const typeColor = {{
+  operator: getComputedStyle(document.documentElement).getPropertyValue('--operator').trim(),
+  target: getComputedStyle(document.documentElement).getPropertyValue('--target').trim(),
+  host: getComputedStyle(document.documentElement).getPropertyValue('--host').trim(),
+  service: getComputedStyle(document.documentElement).getPropertyValue('--service').trim(),
+  user: getComputedStyle(document.documentElement).getPropertyValue('--user').trim(),
+  domain: getComputedStyle(document.documentElement).getPropertyValue('--domain').trim(),
+  other: getComputedStyle(document.documentElement).getPropertyValue('--other').trim(),
+}};
+
+const positions = new Map();
+const cx = 640, cy = 420, radius = 300;
+const nodes = graph.nodes;
+nodes.forEach((n, i) => {{
+  const ang = (Math.PI * 2 * i) / Math.max(nodes.length, 1);
+  positions.set(n.id, {{ x: cx + Math.cos(ang) * radius, y: cy + Math.sin(ang) * radius }});
+}});
+
+const gRoot = document.createElementNS(NS, 'g');
+svg.appendChild(gRoot);
+const gEdges = document.createElementNS(NS, 'g');
+const gNodes = document.createElementNS(NS, 'g');
+gRoot.appendChild(gEdges);
+gRoot.appendChild(gNodes);
+
+function edgeMid(a, b) {{
+  return {{ x: (a.x + b.x) / 2, y: (a.y + b.y) / 2 }};
+}}
+
+function draw() {{
+  gEdges.innerHTML = '';
+  gNodes.innerHTML = '';
+
+  graph.edges.forEach(e => {{
+    const a = positions.get(e.source);
+    const b = positions.get(e.target);
+    if (!a || !b) return;
+
+    const line = document.createElementNS(NS, 'line');
+    line.setAttribute('x1', a.x); line.setAttribute('y1', a.y);
+    line.setAttribute('x2', b.x); line.setAttribute('y2', b.y);
+    line.setAttribute('class', 'edge');
+    line.addEventListener('click', () => {{
+      selTitle.textContent = `${{e.label}}`; 
+      selDetail.textContent = e.detail || `${{e.source}} -> ${{e.target}}`;
+    }});
+    gEdges.appendChild(line);
+
+    const mid = edgeMid(a, b);
+    const txt = document.createElementNS(NS, 'text');
+    txt.setAttribute('x', mid.x + 4);
+    txt.setAttribute('y', mid.y - 4);
+    txt.setAttribute('class', 'edge-label');
+    txt.textContent = e.label;
+    gEdges.appendChild(txt);
+  }});
+
+  graph.nodes.forEach(n => {{
+    const p = positions.get(n.id);
+    const group = document.createElementNS(NS, 'g');
+    group.setAttribute('class', 'node');
+
+    const circle = document.createElementNS(NS, 'circle');
+    circle.setAttribute('cx', p.x);
+    circle.setAttribute('cy', p.y);
+    circle.setAttribute('r', n.type === 'target' ? 16 : 13);
+    circle.setAttribute('fill', typeColor[n.type] || typeColor.other);
+    group.appendChild(circle);
+
+    const text = document.createElementNS(NS, 'text');
+    text.setAttribute('x', p.x + 16);
+    text.setAttribute('y', p.y + 4);
+    text.textContent = n.label;
+    group.appendChild(text);
+
+    group.addEventListener('click', () => {{
+      selTitle.textContent = `${{n.label}} [${{n.type}}]`;
+      selDetail.textContent = n.detail || 'No details';
+    }});
+
+    enableDrag(group, n.id);
+    gNodes.appendChild(group);
+  }});
+}}
+
+function svgPoint(clientX, clientY) {{
+  const pt = svg.createSVGPoint();
+  pt.x = clientX;
+  pt.y = clientY;
+  return pt.matrixTransform(svg.getScreenCTM().inverse());
+}}
+
+let dragNode = null;
+function enableDrag(group, nodeId) {{
+  group.addEventListener('mousedown', (ev) => {{
+    dragNode = nodeId;
+    ev.stopPropagation();
+  }});
+}}
+
+window.addEventListener('mousemove', (ev) => {{
+  if (!dragNode) return;
+  const p = svgPoint(ev.clientX, ev.clientY);
+  positions.set(dragNode, {{ x: p.x, y: p.y }});
+  draw();
+}});
+window.addEventListener('mouseup', () => dragNode = null);
+
+let view = {{ x: 0, y: 0, w: 1280, h: 840 }};
+let panning = false;
+let panStart = null;
+svg.addEventListener('mousedown', (ev) => {{
+  if (dragNode) return;
+  if (ev.button !== 0) return;
+  panning = true;
+  panStart = {{ mx: ev.clientX, my: ev.clientY, vx: view.x, vy: view.y, vw: view.w, vh: view.h }};
+  svg.style.cursor = 'grabbing';
+}});
+window.addEventListener('mouseup', () => {{
+  panning = false;
+  svg.style.cursor = 'grab';
+}});
+window.addEventListener('mousemove', (ev) => {{
+  if (!panning) return;
+  const panFactor = 0.35;
+  const dx = (ev.clientX - panStart.mx) * (panStart.vw / svg.clientWidth) * panFactor;
+  const dy = (ev.clientY - panStart.my) * (panStart.vh / svg.clientHeight) * panFactor;
+  view.x = panStart.vx - dx;
+  view.y = panStart.vy - dy;
+  svg.setAttribute('viewBox', `${{view.x}} ${{view.y}} ${{view.w}} ${{view.h}}`);
+}});
+
+svg.addEventListener('wheel', (ev) => {{
+  ev.preventDefault();
+  const scale = ev.deltaY < 0 ? 0.97 : 1.03;
+  const oldW = view.w;
+  const oldH = view.h;
+  const minW = 520, maxW = 4200;
+  const minH = 340, maxH = 2800;
+  view.w = Math.min(maxW, Math.max(minW, view.w * scale));
+  view.h = Math.min(maxH, Math.max(minH, view.h * scale));
+  // Keep zoom centered around current view center to avoid jumps.
+  view.x += (oldW - view.w) / 2;
+  view.y += (oldH - view.h) / 2;
+  svg.setAttribute('viewBox', `${{view.x}} ${{view.y}} ${{view.w}} ${{view.h}}`);
+}}, {{ passive:false }});
+
+draw();
+</script>
+</body>
+</html>
+"""
+
+
+def generate_attack_map_files(session_name, timeline, maps_dir, version="unknown"):
+    maps_dir = Path(maps_dir)
+    maps_dir.mkdir(parents=True, exist_ok=True)
+
+    graph = build_attack_graph(session_name, timeline)
+    ts = datetime.now(timezone.utc).strftime("%Y%m%d_%H%M%S")
+    base = f"{session_name}_attack_map_{ts}"
+
+    json_path = maps_dir / f"{base}.json"
+    html_path = maps_dir / f"{base}.html"
+
+    json_path.write_text(json.dumps(graph, indent=2), encoding="utf-8")
+    html_path.write_text(_html_template(json.dumps(graph), version=version), encoding="utf-8")
+
+    return html_path, json_path, graph
+
+
+def open_attack_map(path):
+    file_path = Path(path).expanduser().resolve()
+    if not file_path.exists():
+        return False
+    return webbrowser.open(file_path.as_uri())