souleyez 2.16.0__py3-none-any.whl → 2.26.0__py3-none-any.whl

souleyez/__init__.py

@@ -1 +1 @@
-__version__ = '2.16.0'
+__version__ = '2.26.0'

souleyez/assets/__init__.py

@@ -0,0 +1 @@
+# SoulEyez assets package

souleyez/core/msf_sync_manager.py

@@ -29,15 +29,25 @@ logger = logging.getLogger(__name__)
 
 def get_msf_database_config() -> Optional[Dict[str, Any]]:
     """
-    Get MSF database configuration from ~/.msf4/database.yml
+    Get MSF database configuration from ~/.msf4/database.yml or system-wide config.
+
+    Checks user config first, then falls back to system-wide config (Kali Linux).
 
     Returns:
         Dictionary with database config or None if not found/parseable
     """
-    db_yml_path = Path.home() / ".msf4" / "database.yml"
-
-    if not db_yml_path.exists():
-        logger.debug(f"MSF database.yml not found at {db_yml_path}")
+    # Check user config first, then system-wide config (Kali uses system-wide)
+    user_db_path = Path.home() / ".msf4" / "database.yml"
+    system_db_path = Path('/usr/share/metasploit-framework/config/database.yml')
+
+    db_yml_path = None
+    if user_db_path.exists():
+        db_yml_path = user_db_path
+    elif system_db_path.exists():
+        db_yml_path = system_db_path
+
+    if not db_yml_path:
+        logger.debug("MSF database.yml not found in user or system config")
         return None
 
     try:

souleyez/core/tool_chaining.py

@@ -15,6 +15,17 @@ CATEGORY_CTF = "ctf"           # Lab/learning scenarios - vulnerable by design
 CATEGORY_ENTERPRISE = "enterprise"  # Real-world enterprise testing
 CATEGORY_GENERAL = "general"   # Standard recon that applies everywhere
 
+# Managed hosting platforms - skip CGI enumeration (pointless on these)
+# These are detected from server headers/banners and product names
+MANAGED_HOSTING_PLATFORMS = {
+    'squarespace', 'wix', 'shopify', 'webflow', 'weebly',
+    'wordpress.com', 'ghost.io', 'medium', 'tumblr', 'blogger',
+    'netlify', 'vercel', 'github.io', 'pages.dev', 'cloudflare',
+    'heroku', 'railway', 'render.com', 'fly.io',
+    'aws cloudfront', 'akamai', 'fastly', 'cloudflare',
+    'azure', 'google cloud', 'firebase',
+}
+
 # Category display icons
 CATEGORY_ICONS = {
     CATEGORY_CTF: "🎯",
@@ -140,6 +151,75 @@ def classify_os_device(os_string: str, services: list) -> dict:
     return {'os_family': 'unknown', 'device_type': 'unknown', 'vendor': None}
 
 
+def is_managed_hosting(services: List[Dict[str, Any]], http_fingerprint: Dict[str, Any] = None) -> bool:
+    """
+    Detect if target is a managed hosting platform.
+
+    These platforms don't have CGI directories, so tools like nikto
+    should skip CGI enumeration to avoid long, pointless scans.
+
+    Args:
+        services: List of service dicts from nmap parser
+        http_fingerprint: Optional fingerprint data from http_fingerprint plugin
+
+    Returns:
+        True if managed hosting detected, False otherwise
+    """
+    # Check fingerprint data first (most reliable, comes from actual HTTP headers)
+    if http_fingerprint:
+        managed = http_fingerprint.get('managed_hosting')
+        if managed:
+            return True
+
+    # Fall back to checking services data (less reliable, from nmap banners)
+    for service in services:
+        # Check product field
+        product = (service.get('product') or '').lower()
+        raw_version = (service.get('raw_version') or '').lower()
+        service_name = (service.get('service') or '').lower()
+
+        # Combine all fields for matching
+        combined = f"{product} {raw_version} {service_name}"
+
+        # Check against known managed hosting platforms
+        for platform in MANAGED_HOSTING_PLATFORMS:
+            if platform in combined:
+                return True
+
+    return False
+
+
+def get_managed_hosting_platform(services: List[Dict[str, Any]], http_fingerprint: Dict[str, Any] = None) -> Optional[str]:
+    """
+    Get the name of the managed hosting platform if detected.
+
+    Args:
+        services: List of service dicts from nmap parser
+        http_fingerprint: Optional fingerprint data from http_fingerprint plugin
+
+    Returns:
+        Platform name or None
+    """
+    # Check fingerprint data first
+    if http_fingerprint:
+        managed = http_fingerprint.get('managed_hosting')
+        if managed:
+            return managed
+
+    # Fall back to services check
+    for service in services:
+        product = (service.get('product') or '').lower()
+        raw_version = (service.get('raw_version') or '').lower()
+        service_name = (service.get('service') or '').lower()
+        combined = f"{product} {raw_version} {service_name}"
+
+        for platform in MANAGED_HOSTING_PLATFORMS:
+            if platform in combined:
+                return platform.title()
+
+    return None
+
+
 # Technology to Nuclei tags mapping
 # Maps detected products/technologies to relevant nuclei template tags
 TECH_TO_NUCLEI_TAGS = {
@@ -423,6 +503,21 @@ class ChainRule:
                                     result = True
                                     break
 
+            elif cond_type == 'svc_version':
+                # Simple version string match (e.g., 'svc_version:2.3.4')
+                # Matches if any service has this exact version string
+                # Useful when nmap doesn't detect product name
+                services = context.get('services', [])
+                for service in services:
+                    svc_version = (
+                        service.get('version', '') or
+                        service.get('service_version', '') or
+                        ''
+                    )
+                    if svc_version and cond_value.lower() in svc_version.lower():
+                        result = True
+                        break
+
         # Apply negation if needed
         return not result if negated else result
 
@@ -560,6 +655,25 @@ class ChainRule:
                 new_args.append(arg)
             args = new_args
 
+        # For Nikto: Skip CGI enumeration on managed hosting platforms
+        # This prevents long, pointless scans on Squarespace, Wix, etc.
+        if self.target_tool == 'nikto':
+            services = context.get('services', [])
+            http_fingerprint = context.get('http_fingerprint', {})
+            if is_managed_hosting(services, http_fingerprint):
+                # Add -C none to skip CGI dirs (pointless on managed hosting)
+                if '-C' not in str(args):
+                    args.extend(['-C', 'none'])
+                # Add -Tuning x6 to skip remote file inclusion tests
+                if '-Tuning' not in str(args):
+                    args.extend(['-Tuning', 'x6'])
+                # Log which platform was detected
+                platform = get_managed_hosting_platform(services, http_fingerprint)
+                if platform:
+                    from souleyez.log_config import get_logger
+                    logger = get_logger(__name__)
+                    logger.info(f"[FINGERPRINT] Managed hosting detected ({platform}) - nikto using optimized scan config")
+
         # For SQLMap with POST injections, add --data if we have POST data
         if self.target_tool == 'sqlmap' and post_data and '--data' not in str(args):
             # Insert --data after -u argument
@@ -627,32 +741,42 @@ class ToolChaining:
 
         # Web service discovered → run web scanners
         self.rules.extend([
-            # Modern vulnerability scanner (Nuclei) - PRIORITY
-            # Uses {nuclei_tags} placeholder to auto-detect tech and run relevant templates
+            # HTTP Fingerprinting - runs FIRST to detect WAF/CDN/managed hosting
+            # This enables smarter tool configuration for downstream scanners
             ChainRule(
                 trigger_tool='nmap',
                 trigger_condition='service:http',
+                target_tool='http_fingerprint',
+                priority=11,  # Highest priority - runs before all other web tools
+                args_template=[],
+                description='Web server detected, fingerprinting for WAF/CDN/platform detection'
+            ),
+            # Nikto triggered by http_fingerprint (uses fingerprint data for smart config)
+            ChainRule(
+                trigger_tool='http_fingerprint',
+                trigger_condition='has:services',
+                target_tool='nikto',
+                priority=8,
+                args_template=['-nointeractive', '-timeout', '10'],
+                description='Fingerprinting complete, scanning for server misconfigurations with Nikto'
+            ),
+            # Nuclei triggered by http_fingerprint
+            ChainRule(
+                trigger_tool='http_fingerprint',
+                trigger_condition='has:services',
                 target_tool='nuclei',
                 priority=9,
                 args_template=['-tags', '{nuclei_tags}', '-severity', 'critical,high', '-rate-limit', '50', '-c', '10', '-timeout', '10'],
-                description='Web server detected (HTTP/HTTPS), scanning with Nuclei'
+                description='Fingerprinting complete, scanning with Nuclei'
             ),
+            # Gobuster triggered by http_fingerprint
             ChainRule(
-                trigger_tool='nmap',
-                trigger_condition='service:http',
+                trigger_tool='http_fingerprint',
+                trigger_condition='has:services',
                 target_tool='gobuster',
                 priority=7,
                 args_template=['dir', '-u', 'http://{target}:{port}', '-w', 'data/wordlists/web_dirs_common.txt', '-x', 'js,json,php,asp,aspx,html,txt,bak,old,zip', '--no-error', '--timeout', '30s', '-t', '5', '--delay', '20ms'],
-                description='Web server detected (HTTP/HTTPS), discovering directories and files'
-            ),
-            # Nikto - web server vulnerability scanner (complements nuclei)
-            ChainRule(
-                trigger_tool='nmap',
-                trigger_condition='service:http',
-                target_tool='nikto',
-                priority=8,
-                args_template=['-nointeractive', '-timeout', '10'],
-                description='Web server detected, scanning for server misconfigurations with Nikto'
+                description='Fingerprinting complete, discovering directories and files'
             ),
             # Dalfox - XSS scanner triggered after gobuster finds pages
             ChainRule(
@@ -731,14 +855,8 @@ class ToolChaining:
                 args_template=['-a', '{target}'],
                 description='SMB service detected, enumerating shares and users (runs after CrackMapExec)'
             ),
-            ChainRule(
-                trigger_tool='nmap',
-                trigger_condition='service:smb',
-                target_tool='smbmap',
-                priority=7,
-                args_template=['-H', '{target}'],
-                description='SMB service detected, mapping shares'
-            ),
+            # NOTE: smbmap removed - has upstream impacket pickling bug on Python 3.13+
+            # Use crackmapexec/netexec --shares instead (enum4linux rule above)
         ])
 
         # Active Directory attacks - smart chaining workflow
@@ -1143,13 +1261,16 @@ class ToolChaining:
         #     )
         # )
 
+        # DISABLED: smbmap has upstream pickling bug - won't produce results
         # Writable SMB shares found → check for exploitability
+        # TODO: Add rule triggering from crackmapexec writable shares detection
         self.rules.append(
             ChainRule(
                 trigger_tool='smbmap',
                 trigger_condition='has:writable_shares',
                 target_tool='msf_auxiliary',
                 priority=10,
+                enabled=False,  # Disabled - smbmap broken
                 args_template=['auxiliary/scanner/smb/smb_version'],
                 description='Writable SMB shares found, checking for vulnerabilities'
             )
@@ -1908,28 +2029,42 @@ class ToolChaining:
 
         # vsftpd 2.3.4 backdoor (CVE-2011-2523)
         # Triggers backdoor shell on port 6200 when username contains :)
+        # Match FTP service with version 2.3.4 (nmap often shows just "ftp" + "2.3.4")
         self.rules.append(
             ChainRule(
                 trigger_tool='nmap',
-                trigger_condition='version:vsftpd 2.3.4',
+                trigger_condition='service:ftp & svc_version:2.3.4',
                 target_tool='msf_exploit',
                 priority=10,
                 args_template=['exploit/unix/ftp/vsftpd_234_backdoor'],
-                description='vsftpd 2.3.4 detected - BACKDOOR AVAILABLE (CVE-2011-2523)',
+                description='FTP 2.3.4 detected - checking for vsftpd backdoor (CVE-2011-2523)',
                 category=CATEGORY_CTF
             )
         )
 
         # Samba 3.0.x usermap_script RCE (CVE-2007-2447)
         # Command injection in username field
+        # Match SMB service with version starting with 3 (nmap shows "3.X" or "3.0.x")
+        self.rules.append(
+            ChainRule(
+                trigger_tool='nmap',
+                trigger_condition='service:smb & svc_version:3.',
+                target_tool='msf_exploit',
+                priority=10,
+                args_template=['exploit/multi/samba/usermap_script'],
+                description='Samba 3.x detected - checking for usermap_script RCE (CVE-2007-2447)',
+                category=CATEGORY_CTF
+            )
+        )
+        # Also match netbios-ssn service (common nmap detection for SMB)
         self.rules.append(
             ChainRule(
                 trigger_tool='nmap',
-                trigger_condition='version:Samba 3.0',
+                trigger_condition='service:netbios-ssn & svc_version:3.',
                 target_tool='msf_exploit',
                 priority=10,
                 args_template=['exploit/multi/samba/usermap_script'],
-                description='Samba 3.0.x detected - usermap_script RCE available (CVE-2007-2447)',
+                description='Samba 3.x detected (netbios-ssn) - checking for usermap_script RCE (CVE-2007-2447)',
                 category=CATEGORY_CTF
             )
         )
@@ -2132,14 +2267,15 @@ class ToolChaining:
         )
 
         # ProFTPD mod_copy (CVE-2015-3306) - file copy without auth
+        # Match FTP service with version 1.3.x (common ProFTPD versions)
         self.rules.append(
             ChainRule(
                 trigger_tool='nmap',
-                trigger_condition='version:ProFTPD 1.3',
+                trigger_condition='service:ftp & svc_version:1.3',
                 target_tool='msf_exploit',
                 priority=8,
                 args_template=['exploit/unix/ftp/proftpd_modcopy_exec'],
-                description='ProFTPD 1.3.x detected - checking for mod_copy RCE (CVE-2015-3306)',
+                description='FTP 1.3.x detected - checking for ProFTPD mod_copy RCE (CVE-2015-3306)',
                 category=CATEGORY_CTF
             )
         )
@@ -4160,6 +4296,40 @@ class ToolChaining:
                         if len(app_databases) > db_limit:
                             logger.info(f"SQLMap auto-chaining limited to first {db_limit} of {len(app_databases)} application databases")
 
+                # === Post-exploitation chain rules (is_dba, file_read, os_cmd) ===
+                # Check for post-exploitation flags and fire appropriate chain rules
+                is_dba = parse_results.get('is_dba', False)
+                file_read_success = parse_results.get('file_read_success', False)
+                os_command_success = parse_results.get('os_command_success', False)
+
+                if is_dba or file_read_success or os_command_success:
+                    from souleyez.log_config import get_logger
+                    logger = get_logger(__name__)
+
+                    # Build context with post-exploitation flags using injectable_url
+                    post_exploit_context = {
+                        'target': injectable_url,  # Use the correct injectable URL
+                        'tool': tool,
+                        'is_dba': is_dba,
+                        'file_read_success': file_read_success,
+                        'os_command_success': os_command_success,
+                        'post_data': post_data,  # Preserve POST data for subsequent commands
+                    }
+
+                    if is_dba:
+                        logger.info(f"SQLMap: DBA access confirmed! Evaluating post-exploitation chains...")
+                    if file_read_success:
+                        logger.info(f"SQLMap: File read successful! Evaluating file read chains...")
+                    if os_command_success:
+                        logger.info(f"SQLMap: OS command execution successful!")
+
+                    # Evaluate chain rules - this will fire rules like has:is_dba
+                    commands = self.evaluate_chains(tool, post_exploit_context)
+                    if commands:
+                        logger.info(f"SQLMap: Matched {len(commands)} post-exploitation chain rule(s)")
+                        job_ids.extend(self._enqueue_commands(commands, tool, engagement_id, injectable_url, parent_job_id=job.get('id')))
+                # === END Post-exploitation chain rules ===
+
                 return job_ids
             # === END SQLMap special handling ===
 
@@ -4877,6 +5047,28 @@ class ToolChaining:
                         if not endpoint_url:
                             continue
 
+                        # === Filter out non-injectable files ===
+                        path_lower = endpoint_url.lower()
+                        filename = path_lower.split('/')[-1] if '/' in path_lower else path_lower
+
+                        # Skip Apache/nginx config files
+                        if filename.startswith('.ht') or filename.startswith('.nginx'):
+                            logger.debug(f"Skipping config file: {endpoint_url}")
+                            continue
+
+                        # Skip static files that can't have SQL injection
+                        static_extensions = (
+                            '.html', '.htm', '.txt', '.css', '.js', '.json',
+                            '.xml', '.svg', '.png', '.jpg', '.jpeg', '.gif',
+                            '.ico', '.woff', '.woff2', '.ttf', '.eot',
+                            '.pdf', '.doc', '.docx', '.xls', '.xlsx',
+                            '.bak', '.old', '.backup', '.swp', '.orig',
+                            '.map', '.md', '.rst', '.log'
+                        )
+                        if any(filename.endswith(ext) for ext in static_extensions):
+                            logger.debug(f"Skipping static file: {endpoint_url}")
+                            continue
+
                         # === SQLMap for testable endpoints ===
                         if status_code in testable_statuses and created_sqlmap_jobs < max_sqlmap_jobs:
                             # For API endpoints without parameters, add test parameters

souleyez/detection/validator.py

@@ -156,8 +156,10 @@ class DetectionValidator:
         job_command = _reconstruct_command(job)
         # Use started_at or finished_at for execution time
         executed_at = job.get('started_at') or job.get('finished_at') or job.get('created_at')
-        # Job is successful if status is 'done'
-        success = job.get('status') == 'done'
+        # Job ran successfully if status is done, no_results, or warning
+        # (all of these sent network traffic that should be detectable by SIEM)
+        job_status = job.get('status', '')
+        success = job_status in ('done', 'no_results', 'warning')
 
         # Extract target IP from command (common patterns)
         target_ip = None

souleyez/docs/README.md

@@ -1,7 +1,7 @@
 # SoulEyez Documentation
 
-**Version:** 2.16.0
-**Last Updated:** January 4, 2026
+**Version:** 2.26.0
+**Last Updated:** January 8, 2026
 **Organization:** CyberSoul Security
 
 Welcome to the SoulEyez documentation! This documentation covers architecture, development, user guides, and operational information for the SoulEyez penetration testing platform.

souleyez/docs/user-guide/installation.md

@@ -22,6 +22,17 @@ This guide walks you through installing souleyez on your system. The process tak
 - **RAM Usage**: Running multiple heavy tools (Metasploit, SQLMap, Hashcat) simultaneously requires additional RAM
 - **Disk I/O**: SSD recommended for database operations and log processing
 
+> **🐉 Kali Linux Recommended**
+>
+> SoulEyez performs significantly better on **Kali Linux** than other distributions:
+> - All pentesting tools pre-installed and optimized
+> - Metasploit database and RPC already configured
+> - Security-focused kernel and networking stack
+> - No dependency hunting or version conflicts
+> - Wordlists, databases, and tool configs ready to go
+>
+> While Ubuntu and other Debian-based distros are supported, you may experience slower setup times and occasional tool compatibility issues.
+
 ### Software Requirements
 
 - **Operating System**: Linux (Kali Linux recommended, any Debian-based distro supported)
@@ -40,12 +51,14 @@ pipx is the Python community's recommended way to install CLI applications. It h
 # One-time setup
 sudo apt install pipx
 pipx ensurepath
-source ~/.bashrc
+source ~/.bashrc    # Kali Linux: use 'source ~/.zshrc' instead
 
 # Install SoulEyez
 pipx install souleyez
 ```
 
+> **Kali Linux users:** Kali uses zsh by default. Use `source ~/.zshrc` instead of `source ~/.bashrc`
+
 On first run, SoulEyez will prompt you to install pentesting tools (nmap, sqlmap, gobuster, etc.).
 
 ```bash

souleyez/engine/background.py

@@ -711,7 +711,14 @@ def _run_rpc_exploit(cmd_spec: Dict[str, Any], log_path: str, jid: int = None, p
         )
 
         return 0
+    elif result.get('no_session'):
+        # Exploit ran but no session opened - this is "no results", not an error
+        # Return 1 but let parser set status to no_results
+        reason = result.get('reason', 'No session opened')
+        _append_worker_log(f"job {jid}: exploit completed - {reason}")
+        return 1
     else:
+        # True error (connection failed, RPC error, etc.)
         error = result.get('error', 'Unknown error')
         _append_worker_log(f"job {jid}: RPC exploit failed - {error}")
         return 1
@@ -1031,7 +1038,9 @@ def _is_true_error_exit_code(rc: int, tool: str) -> bool:
 
     # Tools that use non-zero exit codes for non-error conditions
     # Parser will determine the actual status based on output
-    tools_with_nonzero_success = ['gobuster', 'hydra', 'medusa']
+    # msf_exploit returns 1 when no session opened (exploit ran but target not vulnerable)
+    # nikto returns non-zero when it finds vulnerabilities (not an error!)
+    tools_with_nonzero_success = ['gobuster', 'hydra', 'medusa', 'msf_exploit', 'nikto']
 
     if tool.lower() in tools_with_nonzero_success:
         # Let parser determine status
@@ -1425,6 +1434,21 @@ def _detect_and_recover_stale_jobs() -> int:
                                 "status": status,
                                 "parse_result": parse_result
                             })
+
+                            # Mark for auto-chaining if conditions are met
+                            try:
+                                from souleyez.core.tool_chaining import ToolChaining
+                                chaining = ToolChaining()
+                                if chaining.is_enabled() and is_chainable(status):
+                                    _update_job(jid, chainable=True)
+                                    _append_worker_log(f"job {jid} stale recovery marked as chainable")
+                                    logger.info("Stale job marked as chainable", extra={
+                                        "job_id": jid,
+                                        "tool": tool,
+                                        "status": status
+                                    })
+                            except Exception as chain_err:
+                                _append_worker_log(f"job {jid} stale recovery chainable error: {chain_err}")
                 except Exception as parse_err:
                     _append_worker_log(f"job {jid} stale recovery parse exception: {parse_err}")