exploitgraph 1.0.0__tar.gz → 1.0.2__tar.gz

{exploitgraph-1.0.0/exploitgraph.egg-info → exploitgraph-1.0.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: exploitgraph
-Version: 1.0.0
+Version: 1.0.2
 Summary: Automated attack path discovery and exploitation framework for cloud-native applications
 Author-email: Prajwal Pawar <prajwal@exploitgraph.io>
 License: MIT

exploitgraph-1.0.2/exploitgraph/data/wordlists/backup_files.txt

@@ -0,0 +1,23 @@
+# ExploitGraph - Backup File Paths
+/static/backups/
+/backups/
+/backup/
+/.env
+/.env.backup
+/.env.production
+/.env.local
+/config.json
+/config.yaml
+/app.yaml
+/database.yml
+/Dockerfile
+/docker-compose.yml
+/docker-compose.yaml
+/package.json
+/.git/config
+/wp-config.php
+/web.config
+/settings.py
+/settings.php
+/configuration.php
+/config.php

exploitgraph-1.0.2/exploitgraph/data/wordlists/common_paths.txt

@@ -0,0 +1,149 @@
+# ExploitGraph - Common HTTP Paths Wordlist
+# Generic paths for endpoint enumeration against any web application
+# Format: one path per line, lines starting with # are comments
+
+# Root and API bases
+/
+/api
+/api/v1
+/api/v2
+/api/v3
+/v1
+/v2
+
+# Documentation
+/docs
+/api/docs
+/swagger
+/swagger.json
+/swagger-ui.html
+/swagger-ui/
+/openapi.json
+/openapi.yaml
+/redoc
+/api-docs
+/api/swagger
+/apidocs
+
+# Authentication
+/login
+/auth
+/auth/login
+/api/auth/login
+/api/login
+/api/auth
+/oauth
+/oauth/token
+/token
+/api/token
+/signin
+/api/signin
+
+# User / Account
+/api/users
+/api/user
+/api/me
+/api/account
+/api/profile
+/users
+/account
+
+# Admin
+/admin
+/admin/
+/api/admin
+/api/admin/users
+/api/admin/config
+/dashboard
+/console
+/management
+/api/management
+/panel
+/control
+/backend
+
+# Health / Status
+/health
+/api/health
+/status
+/ping
+/api/status
+/api/ping
+/metrics
+/api/metrics
+/actuator
+/actuator/health
+/actuator/env
+/actuator/beans
+/actuator/mappings
+/actuator/info
+
+# Debug / Config (often left enabled accidentally)
+/debug
+/api/debug
+/api/debug/config
+/config
+/api/config
+/settings
+/api/settings
+/env
+/api/env
+/__debug__
+/api/internal
+
+# Cloud Storage
+/static/
+/static/backups/
+/backups/
+/backup/
+/uploads/
+/files/
+/storage/
+/assets/
+/media/
+
+# Exposed files
+/.env
+/.env.production
+/.env.local
+/.env.backup
+/.env.example
+/config.json
+/config.yaml
+/config.yml
+/app.yaml
+/app.json
+/settings.json
+/secrets.json
+
+# Git exposure
+/.git/config
+/.git/HEAD
+/.git/COMMIT_EDITMSG
+
+# Common backup filenames
+/backup.zip
+/backup.tar.gz
+/backup.sql
+/dump.sql
+/db.sql
+/database.sql
+/site.zip
+/app.zip
+/source.zip
+
+# Web server files
+/robots.txt
+/sitemap.xml
+/.htaccess
+/.htpasswd
+/web.config
+/phpinfo.php
+/server-status
+/server-info
+/info.php
+
+# AWS / Cloud specific
+/latest/meta-data/
+/latest/user-data
+/?list-type=2

exploitgraph-1.0.2/exploitgraph/data/wordlists/s3_buckets.txt

@@ -0,0 +1,38 @@
+# ExploitGraph - S3 Bucket Name Wordlist
+# Common bucket naming patterns used by organizations
+backups
+backup
+assets
+static
+uploads
+files
+data
+logs
+config
+configs
+media
+images
+public
+private
+dev
+staging
+prod
+production
+test
+demo
+archive
+exports
+reports
+documents
+docs
+storage
+cdn
+web
+app
+api
+secrets
+credentials
+keys
+database
+db
+dump

exploitgraph-1.0.2/exploitgraph/data/wordlists/subdomains.txt

@@ -0,0 +1,31 @@
+# ExploitGraph - Common Subdomain Wordlist
+api
+dev
+staging
+test
+admin
+dashboard
+portal
+app
+mobile
+secure
+vpn
+mail
+smtp
+ftp
+cdn
+assets
+static
+backup
+files
+upload
+docs
+wiki
+support
+help
+status
+monitor
+logs
+metrics
+internal
+corp

{exploitgraph-1.0.0 → exploitgraph-1.0.2/exploitgraph.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: exploitgraph
-Version: 1.0.0
+Version: 1.0.2
 Summary: Automated attack path discovery and exploitation framework for cloud-native applications
 Author-email: Prajwal Pawar <prajwal@exploitgraph.io>
 License: MIT

exploitgraph-1.0.2/exploitgraph.egg-info/SOURCES.txt

@@ -0,0 +1,14 @@
+LICENSE
+README.md
+pyproject.toml
+exploitgraph.egg-info/PKG-INFO
+exploitgraph.egg-info/SOURCES.txt
+exploitgraph.egg-info/dependency_links.txt
+exploitgraph.egg-info/entry_points.txt
+exploitgraph.egg-info/requires.txt
+exploitgraph.egg-info/top_level.txt
+exploitgraph/data/wordlists/backup_files.txt
+exploitgraph/data/wordlists/common_paths.txt
+exploitgraph/data/wordlists/s3_buckets.txt
+exploitgraph/data/wordlists/subdomains.txt
+tests/test_exploitgraph.py

exploitgraph-1.0.2/exploitgraph.egg-info/top_level.txt

@@ -0,0 +1 @@
+exploitgraph

{exploitgraph-1.0.0 → exploitgraph-1.0.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "exploitgraph"
-version = "1.0.0"
+version = "1.0.2"
 description = "Automated attack path discovery and exploitation framework for cloud-native applications"
 readme = "README.md"
 license = { text = "MIT" }
@@ -50,9 +50,8 @@ Repository = "https://github.com/prajwalpawar/ExploitGraph"
 "Bug Tracker" = "https://github.com/prajwalpawar/ExploitGraph/issues"
 Documentation = "https://github.com/prajwalpawar/ExploitGraph/wiki"
 
-[tool.setuptools.packages.find]
-where = ["."]
-include = ["exploitgraph*", "core*", "modules*"]
+[tool.setuptools]
+packages = ["exploitgraph"]
 
 [tool.setuptools.package-data]
 "*" = ["data/wordlists/*.txt", "data/templates/*.j2", "*.yaml", "*.yml"]

exploitgraph-1.0.0/core/attack_graph.py

@@ -1,83 +0,0 @@
-"""ExploitGraph - Attack path graph engine (networkx)."""
-from __future__ import annotations
-import json
-from typing import TYPE_CHECKING
-import networkx as nx
-if TYPE_CHECKING:
-    from core.session_manager import Session
-
-SEVERITY_COLOR = {"CRITICAL":"#dc2626","HIGH":"#ea580c","MEDIUM":"#d97706",
-                  "LOW":"#16a34a","INFO":"#2563eb"}
-MITRE_REF = {
-    "T1595":"Active Scanning", "T1595.003":"Wordlist Scanning",
-    "T1580":"Cloud Infrastructure Discovery", "T1530":"Data from Cloud Storage",
-    "T1552.001":"Credentials in Files", "T1552.004":"Private Keys",
-    "T1552.005":"Cloud Instance Metadata API", "T1078":"Valid Accounts",
-    "T1078.004":"Valid Accounts: Cloud Accounts", "T1548":"Abuse Elevation Control",
-    "T1550.001":"Application Access Token", "T1069.003":"Cloud Groups",
-    "T1110.001":"Password Guessing",
-}
-
-
-class AttackGraph:
-    def __init__(self): self.G: nx.DiGraph = nx.DiGraph()
-
-    def build(self, session: "Session"):
-        self.G.clear()
-        for n in session.graph_nodes:
-            self.G.add_node(n["node_id"], label=n.get("label",""),
-                            type=n.get("node_type","asset"),
-                            severity=n.get("severity","INFO"),
-                            details=n.get("details",""),
-                            color=SEVERITY_COLOR.get(n.get("severity","INFO"),"#6b7280"))
-        for e in session.graph_edges:
-            if e["source"] in self.G and e["target"] in self.G:
-                self.G.add_edge(e["source"], e["target"],
-                                label=e.get("label",""), technique=e.get("technique",""))
-
-    def find_paths(self, src="attacker", tgt="compromise") -> list[list[str]]:
-        try:
-            nodes = list(self.G.nodes())
-            src = next((n for n in nodes if src in n), src)
-            tgt = next((n for n in nodes if tgt in n.lower()), tgt)
-            return list(nx.all_simple_paths(self.G, src, tgt))
-        except Exception:
-            return []
-
-    def stats(self) -> dict:
-        techs = set()
-        for _,_,d in self.G.edges(data=True):
-            if d.get("technique"): techs.add(d["technique"])
-        critical = [n for n,d in self.G.nodes(data=True) if d.get("severity") in ("CRITICAL","HIGH")]
-        return dict(nodes=self.G.number_of_nodes(), edges=self.G.number_of_edges(),
-                    critical_nodes=len(critical), mitre_techniques=sorted(techs),
-                    is_connected=nx.is_weakly_connected(self.G) if self.G.nodes() else False)
-
-    def to_json(self) -> dict:
-        nodes = [dict(id=nid, label=d.get("label",nid), type=d.get("type","asset"),
-                      severity=d.get("severity","INFO"), details=d.get("details",""),
-                      color=d.get("color","#6b7280"))
-                 for nid,d in self.G.nodes(data=True)]
-        edges = [dict(source=s, target=t, label=d.get("label",""), technique=d.get("technique",""))
-                 for s,t,d in self.G.edges(data=True)]
-        return dict(nodes=nodes, edges=edges, stats=self.stats(), attack_paths=self.find_paths())
-
-    def print_ascii(self) -> str:
-        paths = self.find_paths()
-        if not paths: return "No complete attack path found."
-        path = max(paths, key=len)
-        lines = []
-        colors = {"CRITICAL":"\033[91m","HIGH":"\033[93m","MEDIUM":"\033[96m","INFO":"\033[97m"}
-        for i, nid in enumerate(path):
-            d = self.G.nodes.get(nid, {})
-            label = d.get("label", nid).split("\n")[0]
-            sev   = d.get("severity","INFO")
-            if i > 0:
-                ed = self.G.edges.get((path[i-1], nid), {})
-                tech = ed.get("technique","")
-                lines.append(f"       ↓  {tech}")
-            lines.append(f"{colors.get(sev,'')}  [{sev}] {label}\033[0m")
-        return "\n".join(lines)
-
-
-attack_graph = AttackGraph()

exploitgraph-1.0.0/core/aws_client.py

@@ -1,284 +0,0 @@
-"""
-ExploitGraph - AWS Client Factory
-Production-grade boto3 session management with:
-  - Automatic retry with exponential backoff
-  - Region fallback (us-east-1 → us-west-2 → eu-west-1)
-  - Credential injection from session secrets
-  - Standardised response parsing
-  - GuardDuty detection-awareness tagging
-
-All modules call get_client() — no per-module boto3 setup needed.
-"""
-from __future__ import annotations
-import time
-import functools
-from typing import TYPE_CHECKING, Any, Optional
-
-if TYPE_CHECKING:
-    from core.session_manager import Session
-
-try:
-    import boto3
-    import botocore.config
-    import botocore.exceptions
-    HAS_BOTO3 = True
-except ImportError:
-    HAS_BOTO3 = False
-
-DEFAULT_REGION   = "us-east-1"
-FALLBACK_REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1"]
-
-# Retry config: 3 attempts, exponential backoff
-_RETRY_CONFIG = None
-if HAS_BOTO3:
-    _RETRY_CONFIG = botocore.config.Config(
-        retries={"max_attempts": 3, "mode": "adaptive"},
-        connect_timeout=10,
-        read_timeout=20,
-    )
-
-# GuardDuty-awareness: these API calls are known to trigger alerts
-GUARDDUTY_NOISY_APIS = {
-    "GetCallerIdentity":              "HIGH",    # Recon — always logged
-    "GetAccountAuthorizationDetails": "CRITICAL", # Full IAM dump — very noisy
-    "ListUsers":                      "MEDIUM",
-    "ListRoles":                      "MEDIUM",
-    "CreateAccessKey":                "HIGH",    # Backdoor credential
-    "DeleteTrail":                    "CRITICAL", # Covering tracks
-    "StopLogging":                    "CRITICAL",
-    "PutBucketLogging":               "HIGH",
-    "DescribeInstances":              "LOW",     # Normal ops but logged
-}
-
-GUARDDUTY_STEALTHY_APIS = {
-    "ListBuckets":                    "no-sign-request avoids auth logs",
-    "GetObject":                      "anonymous S3 access not in CloudTrail",
-    "GetBucketAcl":                   "no-sign-request avoids auth logs",
-}
-
-
-def get_client(service: str,
-               session: "Optional[Session]" = None,
-               region:  str = DEFAULT_REGION,
-               profile: str = "",
-               access_key:    str = "",
-               secret_key:    str = "",
-               session_token: str = "") -> Any:
-    """
-    Return a boto3 client. Credential resolution order:
-      1. Explicit access_key/secret_key args
-      2. Session secrets (injected by file_secrets / cloudtrail_analyzer)
-      3. AWS CLI profile
-      4. Default boto3 chain (env vars → ~/.aws → IMDS)
-
-    Includes automatic retry + exponential backoff.
-    Returns None if boto3 unavailable or all credential sources fail.
-    """
-    if not HAS_BOTO3:
-        return None
-
-    if session and not access_key:
-        access_key, secret_key, session_token = _creds_from_session(session)
-
-    return _build_client(service, region, profile,
-                          access_key, secret_key, session_token)
-
-
-def _build_client(service: str, region: str, profile: str,
-                   access_key: str, secret_key: str,
-                   session_token: str) -> Any:
-    """Build boto3 client with retry config and region fallback."""
-    regions_to_try = [region] if region else FALLBACK_REGIONS
-
-    for reg in regions_to_try:
-        try:
-            if access_key and secret_key:
-                client = boto3.client(
-                    service,
-                    region_name=reg,
-                    aws_access_key_id=access_key,
-                    aws_secret_access_key=secret_key,
-                    aws_session_token=session_token or None,
-                    config=_RETRY_CONFIG,
-                )
-            elif profile:
-                boto_session = boto3.Session(profile_name=profile, region_name=reg)
-                client = boto_session.client(service, config=_RETRY_CONFIG)
-            else:
-                client = boto3.client(service, region_name=reg, config=_RETRY_CONFIG)
-            return client
-        except Exception:
-            continue
-
-    return None
-
-
-def get_session(session: "Optional[Session]" = None,
-                region:  str = DEFAULT_REGION,
-                profile: str = "") -> Any:
-    """Return a boto3 Session for multi-service use."""
-    if not HAS_BOTO3:
-        return None
-
-    access_key, secret_key, session_token = "", "", ""
-    if session:
-        access_key, secret_key, session_token = _creds_from_session(session)
-
-    try:
-        if access_key and secret_key:
-            return boto3.Session(
-                region_name=region,
-                aws_access_key_id=access_key,
-                aws_secret_access_key=secret_key,
-                aws_session_token=session_token or None,
-            )
-        elif profile:
-            return boto3.Session(profile_name=profile, region_name=region)
-        else:
-            return boto3.Session(region_name=region)
-    except Exception:
-        return None
-
-
-def safe_call(client: Any, method: str, **kwargs) -> tuple[bool, Any, str]:
-    """
-    Safely call a boto3 client method with retry + error handling.
-
-    Returns: (success, response_or_None, error_message)
-
-    Usage:
-        ok, resp, err = safe_call(iam, 'list_users', MaxItems=5)
-        if ok:
-            users = resp['Users']
-    """
-    if client is None:
-        return False, None, "boto3 client is None"
-
-    max_attempts = 3
-    for attempt in range(max_attempts):
-        try:
-            fn = getattr(client, method)
-            response = fn(**kwargs)
-            return True, response, ""
-        except botocore.exceptions.ClientError as e:
-            code = e.response["Error"]["Code"]
-            msg  = e.response["Error"]["Message"]
-            # Don't retry auth errors
-            if code in ("InvalidClientTokenId", "AuthFailure",
-                        "UnauthorizedAccess", "AccessDenied",
-                        "ExpiredTokenException"):
-                return False, None, f"{code}: {msg}"
-            # Retry throttle errors
-            if code in ("Throttling", "RequestLimitExceeded",
-                        "TooManyRequestsException"):
-                if attempt < max_attempts - 1:
-                    time.sleep(2 ** attempt)
-                    continue
-            return False, None, f"{code}: {msg}"
-        except Exception as e:
-            if attempt < max_attempts - 1:
-                time.sleep(1)
-                continue
-            return False, None, str(e)
-
-    return False, None, "Max retry attempts exceeded"
-
-
-def verify_credentials(access_key: str, secret_key: str,
-                        session_token: str = "",
-                        region: str = DEFAULT_REGION) -> dict:
-    """
-    Verify AWS credentials via STS:GetCallerIdentity.
-    Returns structured result — never raises.
-
-    NOTE: GetCallerIdentity IS logged in CloudTrail and flagged by GuardDuty.
-    Severity: HIGH (known recon indicator).
-    """
-    if not HAS_BOTO3:
-        return {"valid": False, "error": "boto3 not installed",
-                "guardduty_risk": "N/A"}
-
-    result = {
-        "valid":         False,
-        "arn":           "",
-        "account":       "",
-        "user_id":       "",
-        "username":      "",
-        "error":         "",
-        "guardduty_risk": GUARDDUTY_NOISY_APIS.get("GetCallerIdentity", "HIGH"),
-        "guardduty_note": "GetCallerIdentity is always logged and a known recon indicator",
-    }
-
-    client = _build_client("sts", region, "", access_key, secret_key, session_token)
-    if not client:
-        result["error"] = "Could not create STS client"
-        return result
-
-    ok, resp, err = safe_call(client, "get_caller_identity")
-    if ok:
-        result["valid"]    = True
-        result["arn"]      = resp.get("Arn", "")
-        result["account"]  = resp.get("Account", "")
-        result["user_id"]  = resp.get("UserId", "")
-        # Extract username from ARN
-        arn = result["arn"]
-        if "/" in arn:
-            result["username"] = arn.split("/")[-1]
-    else:
-        result["error"] = err
-
-    return result
-
-
-def detect_region(access_key: str, secret_key: str,
-                   session_token: str = "") -> str:
-    """
-    Detect the primary region for these credentials.
-    Falls back to us-east-1 if detection fails.
-    """
-    if not HAS_BOTO3:
-        return DEFAULT_REGION
-
-    for region in FALLBACK_REGIONS:
-        client = _build_client("sts", region, "", access_key, secret_key, session_token)
-        ok, resp, _ = safe_call(client, "get_caller_identity")
-        if ok:
-            return region
-
-    return DEFAULT_REGION
-
-
-def _creds_from_session(session: "Session") -> tuple[str, str, str]:
-    """Extract best available AWS credentials from session secrets."""
-    access_key = secret_key = session_token = ""
-    for s in session.secrets:
-        t = s.get("secret_type", "")
-        v = s.get("value", "")
-        if t == "AWS_ACCESS_KEY" and not access_key:
-            access_key = v
-        elif t == "AWS_SECRET_KEY" and not secret_key:
-            secret_key = v
-        elif t == "AWS_SESSION_TOKEN" and not session_token:
-            session_token = v
-    return access_key, secret_key, session_token
-
-
-def guardduty_risk(api_name: str) -> tuple[str, str]:
-    """
-    Return (risk_level, explanation) for a given API call.
-    Used by modules to annotate findings with detection awareness.
-    """
-    if api_name in GUARDDUTY_NOISY_APIS:
-        return GUARDDUTY_NOISY_APIS[api_name], "GuardDuty: known high-signal event"
-    if api_name in GUARDDUTY_STEALTHY_APIS:
-        return "LOW", GUARDDUTY_STEALTHY_APIS[api_name]
-    return "LOW", "Not a known GuardDuty trigger"
-
-
-def is_available() -> bool:
-    return HAS_BOTO3
-
-
-def has_credentials(session: "Session") -> bool:
-    ak, sk, _ = _creds_from_session(session)
-    return bool(ak and sk)