souleyez 2.16.0__py3-none-any.whl → 2.26.0__py3-none-any.whl

souleyez/engine/result_handler.py

@@ -108,6 +108,8 @@ def handle_job_result(job: Dict[str, Any]) -> Optional[Dict[str, Any]]:
         parse_result = parse_nikto_job(engagement_id, log_path, job)
     elif tool == 'dalfox':
         parse_result = parse_dalfox_job(engagement_id, log_path, job)
+    elif tool == 'http_fingerprint':
+        parse_result = parse_http_fingerprint_job(engagement_id, log_path, job)
 
     # NOTE: Auto-chaining is now handled in background.py after parsing completes
     # This avoids duplicate job creation and gives better control over timing
@@ -204,6 +206,8 @@ def reparse_job(job_id: int) -> Dict[str, Any]:
             parse_result = parse_nikto_job(engagement_id, log_path, job)
         elif tool == 'dalfox':
             parse_result = parse_dalfox_job(engagement_id, log_path, job)
+        elif tool == 'http_fingerprint':
+            parse_result = parse_http_fingerprint_job(engagement_id, log_path, job)
         else:
             return {'success': False, 'message': f'No parser available for tool: {tool}'}
 
@@ -305,6 +309,8 @@ def parse_nmap_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -> Di
         # Import into database
         hm = HostManager()
         result = hm.import_nmap_results(engagement_id, parsed)
+        logger.info(f"Nmap import: {result['hosts_added']} hosts, {result['services_added']} services in engagement {engagement_id}")
+        logger.debug(f"Info scripts to process: {len(parsed.get('info_scripts', []))}")
 
         # Check for CVEs and common issues
         fm = FindingsManager()
@@ -432,6 +438,44 @@ def parse_nmap_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -> Di
                         )
                         findings_added += 1
 
+        # Store info script findings (vnc-info, ssh-hostkey, etc.)
+        for info in parsed.get('info_scripts', []):
+            host_ip = info.get('host_ip')
+            if not host_ip:
+                logger.warning(f"Info script missing host_ip: {info.get('script')}")
+                continue
+
+            # Find host ID
+            host = hm.get_host_by_ip(engagement_id, host_ip)
+            if not host:
+                logger.warning(f"Host not found for info script: {host_ip} in engagement {engagement_id}")
+                continue
+
+            host_id = host['id']
+
+            # Build finding title and description
+            script_name = info.get('script', 'unknown')
+            title = info.get('title', script_name)
+            description = info.get('description', '')
+
+            # Add port to title if available
+            port = info.get('port')
+            if port:
+                title = f"{title} (port {port})"
+
+            fm.add_finding(
+                engagement_id=engagement_id,
+                host_id=host_id,
+                title=title,
+                finding_type='info',
+                severity='info',
+                description=description,
+                port=port,
+                tool='nmap',
+                evidence=f"Host: {host_ip}:{port if port else 'N/A'}\nScript: {script_name}"
+            )
+            findings_added += 1
+
         # Build host details list for summary
         host_details = []
         for host_data in parsed.get('hosts', []):
@@ -3028,6 +3072,91 @@ def parse_nikto_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -> D
         return {'error': str(e)}
 
 
+def parse_http_fingerprint_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -> Dict[str, Any]:
+    """
+    Parse HTTP fingerprint results.
+
+    Returns fingerprint data for use in auto-chaining context.
+    This enables downstream tools (nikto, nuclei, etc.) to make smarter decisions
+    based on detected WAF, CDN, or managed hosting platform.
+    """
+    try:
+        from souleyez.parsers.http_fingerprint_parser import (
+            parse_http_fingerprint_output,
+            build_fingerprint_context,
+            get_tool_recommendations
+        )
+        from souleyez.storage.hosts import HostManager
+        from urllib.parse import urlparse
+
+        target = job.get('target', '')
+
+        # Read log file
+        with open(log_path, 'r', encoding='utf-8', errors='replace') as f:
+            output = f.read()
+
+        parsed = parse_http_fingerprint_output(output, target)
+
+        # Extract host from target URL
+        parsed_url = urlparse(target)
+        target_host = parsed_url.hostname or target
+
+        # Update host with fingerprint info if we have useful data
+        if target_host and (parsed.get('server') or parsed.get('managed_hosting')):
+            hm = HostManager()
+            host_data = {
+                'ip': target_host,
+                'status': 'up'
+            }
+            # Store server info in notes or a dedicated field
+            # For now, we just ensure the host exists
+            hm.add_or_update_host(engagement_id, host_data)
+
+        # Build fingerprint context for chaining
+        fingerprint_context = build_fingerprint_context(parsed)
+
+        # Get tool recommendations
+        recommendations = get_tool_recommendations(parsed)
+
+        # Determine status
+        if parsed.get('error'):
+            status = STATUS_ERROR
+        elif parsed.get('managed_hosting') or parsed.get('waf') or parsed.get('cdn'):
+            status = STATUS_DONE  # Found useful info
+        elif parsed.get('server'):
+            status = STATUS_DONE
+        else:
+            status = STATUS_NO_RESULTS
+
+        return {
+            'tool': 'http_fingerprint',
+            'status': status,
+            'target': target,
+            'target_host': target_host,
+            # Core fingerprint data
+            'server': parsed.get('server'),
+            'managed_hosting': parsed.get('managed_hosting'),
+            'waf': parsed.get('waf', []),
+            'cdn': parsed.get('cdn', []),
+            'technologies': parsed.get('technologies', []),
+            'status_code': parsed.get('status_code'),
+            # For auto-chaining context
+            'http_fingerprint': fingerprint_context.get('http_fingerprint', {}),
+            'recommendations': recommendations,
+            # Pass through for downstream chains
+            'services': [{
+                'ip': target_host,
+                'port': parsed_url.port or (443 if parsed_url.scheme == 'https' else 80),
+                'service_name': 'https' if parsed_url.scheme == 'https' else 'http',
+                'product': parsed.get('server', ''),
+            }],
+        }
+
+    except Exception as e:
+        logger.error(f"Error parsing http_fingerprint job: {e}")
+        return {'error': str(e)}
+
+
 def parse_dalfox_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -> Dict[str, Any]:
     """Parse Dalfox XSS scanner results."""
     try:

souleyez/integrations/siem/splunk.py

@@ -348,7 +348,15 @@ class SplunkSIEMClient(SIEMClient):
                 # HEC wraps in 'event' key, or data might be at top level
                 event_data = parsed.get('event', parsed) if isinstance(parsed, dict) else {}
             except (json_lib.JSONDecodeError, TypeError):
-                pass
+                # Try to extract embedded JSON from syslog lines
+                # Format: "Jan  7 14:23:38 host program {json...}"
+                import re
+                json_match = re.search(r'\{.*\}', raw_str)
+                if json_match:
+                    try:
+                        event_data = json_lib.loads(json_match.group())
+                    except (json_lib.JSONDecodeError, TypeError):
+                        pass
 
         # Helper to get field from event_data first, then raw_result
         def get_field(*keys, default=''):
@@ -370,10 +378,15 @@ class SplunkSIEMClient(SIEMClient):
         rule_id = get_field('rule_id', 'rule_name', 'savedsearch_name', 'alert')
         rule_name = get_field('rule_name', 'search_name') or rule_id
 
-        # For plain log events (no alert fields), use sourcetype as category
+        # For plain log events (no alert fields), use event_type or sourcetype
         if not rule_id:
+            # Prefer Suricata event_type over generic sourcetype
+            event_type = get_field('event_type')
             sourcetype = raw_result.get('sourcetype', '')
-            if sourcetype:
+            if event_type:
+                rule_id = event_type
+                rule_name = f"Suricata: {event_type}"
+            elif sourcetype:
                 rule_id = sourcetype
                 rule_name = f"Log: {sourcetype}"
 
@@ -389,19 +402,53 @@ class SplunkSIEMClient(SIEMClient):
         if not source_ip:
             source_ip = raw_result.get('host', '')
 
-        # Extract description
+        # Extract description - try multiple sources
         description = get_field('description', 'signature', 'message')
+
+        # Suricata-specific: check nested alert object
+        if not description and event_data.get('alert'):
+            alert_obj = event_data['alert']
+            if isinstance(alert_obj, dict):
+                description = alert_obj.get('signature', alert_obj.get('category', ''))
+
+        # Suricata event_type with context
         if not description:
-            # Fallback: use event_type as description
             event_type = get_field('event_type', 'category')
             if event_type:
-                description = f"{event_type}: {get_field('action', default='detected')}"
-
-        # For plain log events, use snippet of _raw as description
+                # Add context based on event type
+                if event_type == 'dns' and event_data.get('dns'):
+                    dns = event_data['dns']
+                    rrname = dns.get('rrname', '') if isinstance(dns, dict) else ''
+                    description = f"DNS: {rrname}" if rrname else f"DNS query"
+                elif event_type == 'http' and event_data.get('http'):
+                    http = event_data['http']
+                    hostname = http.get('hostname', '') if isinstance(http, dict) else ''
+                    description = f"HTTP: {hostname}" if hostname else "HTTP request"
+                elif event_type == 'flow':
+                    app_proto = get_field('app_proto', default='')
+                    description = f"Flow: {app_proto}" if app_proto else "Network flow"
+                elif event_type == 'alert':
+                    description = "Suricata alert"
+                else:
+                    description = f"{event_type}: {get_field('action', default='detected')}"
+
+        # For plain log events, try to extract something useful from _raw
         if not description and raw_str:
-            # Clean up raw log and take first 150 chars
-            clean_raw = raw_str.replace('\n', ' ').strip()
-            description = clean_raw[:150] + ('...' if len(clean_raw) > 150 else '')
+            # Skip syslog header to get actual message
+            # Format: "Mon DD HH:MM:SS hostname program: message"
+            import re
+            # Try to extract message after "program:" or "program["
+            msg_match = re.search(r'^\w+\s+\d+\s+[\d:]+\s+\S+\s+\S+[:\[]\s*(.+)', raw_str)
+            if msg_match:
+                description = msg_match.group(1).strip()[:150]
+            else:
+                # Fallback: clean up raw log
+                clean_raw = raw_str.replace('\n', ' ').strip()
+                # Skip if it's just timestamps/IPs with no real content
+                if len(clean_raw) > 50:
+                    description = clean_raw[:150] + ('...' if len(clean_raw) > 150 else '')
+                else:
+                    description = clean_raw if clean_raw else 'No details available'
 
         # Extract MITRE info - check event_data first
         mitre_tactics = []

souleyez/main.py

@@ -173,7 +173,7 @@ def _check_privileged_tools():
 
 
 @click.group()
-@click.version_option(version='2.16.0')
+@click.version_option(version='2.26.0')
 def cli():
     """SoulEyez - AI-Powered Pentesting Platform by CyberSoul Security"""
     from souleyez.log_config import init_logging
@@ -1388,19 +1388,24 @@ def _run_doctor(fix=False, verbose=False):
     path_dirs = os.environ.get('PATH', '').split(':')
     pipx_bin = str(Path.home() / '.local' / 'bin')
     go_bin = str(Path.home() / 'go' / 'bin')
+
+    # Detect shell config file (zsh for Kali, bash for others)
+    shell = os.environ.get('SHELL', '/bin/bash')
+    shell_rc = '~/.zshrc' if 'zsh' in shell else '~/.bashrc'
+
     if pipx_bin in path_dirs:
         if verbose:
             check_pass("PATH includes ~/.local/bin (pipx)")
     else:
         if Path(pipx_bin).exists() and any(Path(pipx_bin).iterdir()):
-            check_warn("~/.local/bin not in PATH", "Add to ~/.bashrc: export PATH=\"$HOME/.local/bin:$PATH\"")
+            check_warn("~/.local/bin not in PATH", f"Add to {shell_rc}: export PATH=\"$HOME/.local/bin:$PATH\"")
 
     if go_bin in path_dirs:
         if verbose:
             check_pass("PATH includes ~/go/bin")
     else:
         if Path(go_bin).exists() and any(Path(go_bin).iterdir()):
-            check_warn("~/go/bin not in PATH", "Add to ~/.bashrc: export PATH=\"$HOME/go/bin:$PATH\"")
+            check_warn("~/go/bin not in PATH", f"Add to {shell_rc}: export PATH=\"$HOME/go/bin:$PATH\"")
 
     # Check database is writable
     if db_path.exists():
@@ -1430,8 +1435,10 @@ def _run_doctor(fix=False, verbose=False):
     # Section 7: MSF Database (if msfconsole available)
     if shutil.which('msfconsole'):
         click.echo(click.style("Metasploit", bold=True))
+        # Check user config first, then system-wide config (Kali uses system-wide)
         msf_db = Path.home() / '.msf4' / 'database.yml'
-        if msf_db.exists():
+        system_msf_db = Path('/usr/share/metasploit-framework/config/database.yml')
+        if msf_db.exists() or system_msf_db.exists():
             check_pass("MSF database configured")
         else:
             check_fail("MSF database not initialized", "msfdb init")
@@ -1513,6 +1520,98 @@ def tutorial():
     run_tutorial()
 
 
+@cli.command('install-desktop')
+@click.option('--remove', is_flag=True, help='Remove the desktop shortcut')
+def install_desktop(remove):
+    """Install SoulEyez desktop shortcut in Applications menu.
+
+    Creates a .desktop file so SoulEyez appears in your
+    Applications > Security menu with its icon.
+    """
+    import shutil
+    from importlib import resources
+
+    applications_dir = Path.home() / '.local' / 'share' / 'applications'
+    icons_dir = Path.home() / '.local' / 'share' / 'icons'
+    desktop_file = applications_dir / 'souleyez.desktop'
+    icon_dest = icons_dir / 'souleyez.png'
+
+    if remove:
+        # Remove desktop shortcut
+        removed = False
+        if desktop_file.exists():
+            desktop_file.unlink()
+            click.echo(click.style("  Removed desktop shortcut", fg='green'))
+            removed = True
+        if icon_dest.exists():
+            icon_dest.unlink()
+            click.echo(click.style("  Removed icon", fg='green'))
+            removed = True
+        if removed:
+            click.echo(click.style("\nSoulEyez removed from Applications menu.", fg='cyan'))
+        else:
+            click.echo(click.style("No desktop shortcut found.", fg='yellow'))
+        return
+
+    click.echo(click.style("\nInstalling SoulEyez desktop shortcut...\n", fg='cyan', bold=True))
+
+    # Create directories
+    applications_dir.mkdir(parents=True, exist_ok=True)
+    icons_dir.mkdir(parents=True, exist_ok=True)
+
+    # Find and copy icon
+    try:
+        # Try importlib.resources first (Python 3.9+)
+        try:
+            from importlib.resources import files
+            icon_source = files('souleyez.assets').joinpath('souleyez-icon.png')
+            with open(icon_source, 'rb') as src:
+                icon_data = src.read()
+        except (ImportError, TypeError, FileNotFoundError):
+            # Fallback: find icon relative to this file
+            icon_source = Path(__file__).parent / 'assets' / 'souleyez-icon.png'
+            with open(icon_source, 'rb') as src:
+                icon_data = src.read()
+
+        with open(icon_dest, 'wb') as dst:
+            dst.write(icon_data)
+        click.echo(click.style("  Installed icon", fg='green'))
+    except Exception as e:
+        click.echo(click.style(f"  Warning: Could not copy icon: {e}", fg='yellow'))
+        icon_dest = "utilities-terminal"  # Fallback to system icon
+
+    # Create .desktop file
+    desktop_content = f"""[Desktop Entry]
+Name=SoulEyez
+Comment=AI-Powered Penetration Testing Platform
+Exec=souleyez interactive
+Icon={icon_dest}
+Terminal=true
+Type=Application
+Categories=Security;System;Network;
+Keywords=pentest;security;hacking;nmap;metasploit;
+"""
+
+    desktop_file.write_text(desktop_content)
+    click.echo(click.style("  Created desktop entry", fg='green'))
+
+    # Update desktop database (optional, may not be available)
+    try:
+        import subprocess
+        subprocess.run(['update-desktop-database', str(applications_dir)],
+                      capture_output=True, check=False)
+    except Exception:
+        pass  # Not critical if this fails
+
+    click.echo()
+    click.echo(click.style("SoulEyez added to Applications menu!", fg='green', bold=True))
+    click.echo()
+    click.echo("You can find it under:")
+    click.echo(click.style("  Applications > Security > SoulEyez", fg='cyan'))
+    click.echo()
+    click.echo("To remove: souleyez install-desktop --remove")
+
+
 def main():
     """Main entry point."""
     cli()

souleyez/parsers/crackmapexec_parser.py

@@ -72,42 +72,61 @@ def _parse_content(content: str, target: str) -> Dict[str, Any]:
         'auth_info': {}
     }
 
+    # Remove ANSI color codes first
+    content = re.sub(r'\x1b\[[0-9;]*m', '', content)
+
     for line in content.split('\n'):
         # Parse host information (Windows OR Unix/Samba)
-        # Format: SMB  10.0.0.88  445  HOSTNAME  [*] Windows/Unix ... (name:HOSTNAME) (domain:DOMAIN) ...
-        if 'SMB' in line and ('[*]' in line) and ('Windows' in line or 'Unix' in line or 'Samba' in line):
-            host_match = re.search(r'(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+\[\*\]\s+(.+)', line)
+        # Format variations:
+        # SMB  10.0.0.88  445  HOSTNAME  [*] Windows/Unix ... (name:HOSTNAME) (domain:DOMAIN) ...
+        # SMB         10.0.0.88    445    HOSTNAME [*] Windows Server 2016 ...
+        # WINRM  10.0.0.88  5985  HOSTNAME  [*] http://10.0.0.88:5985/wsman
+
+        os_keywords = ['Windows', 'Unix', 'Samba', 'Linux', 'Server', 'Microsoft']
+        if any(proto in line for proto in ['SMB', 'WINRM', 'SSH', 'RDP']) and '[*]' in line:
+            # Try multiple patterns for host info
+            host_match = None
+
+            # Pattern 1: Standard format with flexible whitespace
+            host_match = re.search(r'(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+\[\*\]\s*(.+)', line)
+
+            # Pattern 2: Protocol prefix format
+            if not host_match:
+                host_match = re.search(r'(?:SMB|WINRM|SSH|RDP)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+\[\*\]\s*(.+)', line)
+
             if host_match:
                 ip = host_match.group(1)
                 port = int(host_match.group(2))
                 hostname = host_match.group(3)
                 details = host_match.group(4).strip()
 
-                # Extract domain from (domain:DOMAIN) pattern
-                domain_match = re.search(r'\(domain:([^)]+)\)', details)
-                domain = domain_match.group(1) if domain_match else None
-
-                # Extract OS info (everything before the first parenthesis)
-                os_match = re.match(r'([^(]+)', details)
-                os_info = os_match.group(1).strip() if os_match else details
-
-                # Extract SMB signing status
-                signing_match = re.search(r'\(signing:(\w+)\)', details)
-                signing = signing_match.group(1) if signing_match else None
-
-                # Extract SMBv1 status
-                smbv1_match = re.search(r'\(SMBv1:(\w+)\)', details)
-                smbv1 = smbv1_match.group(1) if smbv1_match else None
-
-                findings['hosts'].append({
-                    'ip': ip,
-                    'port': port,
-                    'hostname': hostname,
-                    'domain': domain,
-                    'os': os_info,
-                    'signing': signing,
-                    'smbv1': smbv1
-                })
+                # Only process as host info if it looks like OS/version info
+                if any(kw in details for kw in os_keywords) or '(domain:' in details:
+                    # Extract domain from (domain:DOMAIN) or domain: pattern
+                    domain_match = re.search(r'\(?domain:?\s*([^)\s]+)\)?', details, re.IGNORECASE)
+                    domain = domain_match.group(1) if domain_match else None
+
+                    # Extract OS info (everything before the first parenthesis)
+                    os_match = re.match(r'([^(]+)', details)
+                    os_info = os_match.group(1).strip() if os_match else details
+
+                    # Extract SMB signing status (multiple formats)
+                    signing_match = re.search(r'\(?signing:?\s*(\w+)\)?', details, re.IGNORECASE)
+                    signing = signing_match.group(1) if signing_match else None
+
+                    # Extract SMBv1 status
+                    smbv1_match = re.search(r'\(?SMBv1:?\s*(\w+)\)?', details, re.IGNORECASE)
+                    smbv1 = smbv1_match.group(1) if smbv1_match else None
+
+                    findings['hosts'].append({
+                        'ip': ip,
+                        'port': port,
+                        'hostname': hostname,
+                        'domain': domain,
+                        'os': os_info,
+                        'signing': signing,
+                        'smbv1': smbv1
+                    })
 
         # Parse authentication status
         # Format: SMB  10.0.0.14  445  HOSTNAME  [+] \: (Guest)
@@ -122,13 +141,23 @@ def _parse_content(content: str, target: str) -> Dict[str, Any]:
                 }
 
         # Parse share enumeration (shares WITH permissions)
-        share_perm_match = re.search(r'SMB.*\s+(\S+)\s+(READ|WRITE|READ,WRITE|NO ACCESS)\s+(.+)?$', line)
-        if share_perm_match and '$' in share_perm_match.group(1):
-            findings['shares'].append({
-                'name': share_perm_match.group(1),
-                'permissions': share_perm_match.group(2),
-                'comment': share_perm_match.group(3).strip() if share_perm_match.group(3) else ''
-            })
+        # Format variations:
+        # SMB ... ADMIN$  READ,WRITE  Remote Admin
+        # SMB ... ADMIN$  READ, WRITE  Remote Admin (with space)
+        # SMB ... C$  READ ONLY  Default share
+        share_perm_match = re.search(
+            r'SMB.*\s+(\S+\$?)\s+(READ,?\s*WRITE|READ\s*ONLY|WRITE\s*ONLY|READ|WRITE|NO\s*ACCESS)\s*(.*)$',
+            line, re.IGNORECASE
+        )
+        if share_perm_match:
+            share_name = share_perm_match.group(1)
+            # Skip if it looks like a header or status line
+            if share_name not in ['Share', 'Permissions', 'shares']:
+                findings['shares'].append({
+                    'name': share_name,
+                    'permissions': share_perm_match.group(2).upper().replace(' ', ''),
+                    'comment': share_perm_match.group(3).strip() if share_perm_match.group(3) else ''
+                })
         # Parse share enumeration (shares WITHOUT explicit permissions - just listed)
         elif 'SMB' in line and not ('Share' in line and 'Permissions' in line) and not '-----' in line:
             # Look for lines with share names (ending with $, or common names like print$, public, IPC$)
@@ -146,9 +175,16 @@ def _parse_content(content: str, target: str) -> Dict[str, Any]:
                             'comment': remark
                         })
 
-        # Parse user enumeration
-        if 'badpwdcount' in line.lower():
-            user_match = re.search(r'(\S+)\s+badpwdcount:\s*(\d+)\s+desc:\s*(.+)?', line)
+        # Parse user enumeration with flexible format
+        # Format variations:
+        # username badpwdcount: 0 desc: Description
+        # username  badpwdcount:0  desc:Description
+        # username baddpwdcount: 0 description: Description
+        if 'badpwdcount' in line.lower() or 'baddpwdcount' in line.lower():
+            user_match = re.search(
+                r'(\S+)\s+bad+pwdcount:?\s*(\d+)\s+(?:desc(?:ription)?:?\s*)?(.+)?',
+                line, re.IGNORECASE
+            )
             if user_match:
                 findings['users'].append({
                     'username': user_match.group(1),
@@ -165,15 +201,37 @@ def _parse_content(content: str, target: str) -> Dict[str, Any]:
                 })
 
         # Parse valid credentials (but not Guest authentication)
-        if '[+]' in line and 'Pwn3d!' in line:
-            cred_match = re.search(r'\[\+\]\s+([^\\]+)\\(\S+):(\S+)\s*(\(Pwn3d!\))?', line)
+        # Format variations:
+        # [+] DOMAIN\username:password (Pwn3d!)
+        # [+] DOMAIN\\username:password (Pwn3d!)
+        # [+] username:password (Pwn3d!)
+        # [+] DOMAIN/username:password (Pwn3d!)
+        if '[+]' in line and ('Pwn3d' in line or ':' in line):
+            # Try domain\user:pass format first
+            cred_match = re.search(
+                r'\[\+\]\s*([^\\/:]+)[\\\/]+([^:]+):([^\s(]+)\s*(\(Pwn3d!?\))?',
+                line, re.IGNORECASE
+            )
             if cred_match:
                 findings['credentials'].append({
-                    'domain': cred_match.group(1),
-                    'username': cred_match.group(2),
-                    'password': cred_match.group(3),
+                    'domain': cred_match.group(1).strip(),
+                    'username': cred_match.group(2).strip(),
+                    'password': cred_match.group(3).strip(),
                     'admin': bool(cred_match.group(4))
                 })
+            else:
+                # Try user:pass format (no domain)
+                cred_match = re.search(
+                    r'\[\+\]\s*([^:@\s]+):([^\s(]+)\s*(\(Pwn3d!?\))?',
+                    line, re.IGNORECASE
+                )
+                if cred_match and '@' not in cred_match.group(1):
+                    findings['credentials'].append({
+                        'domain': '',
+                        'username': cred_match.group(1).strip(),
+                        'password': cred_match.group(2).strip(),
+                        'admin': bool(cred_match.group(3))
+                    })
 
     # Extract admin credentials for auto-chaining
     admin_creds = [c for c in findings['credentials'] if c.get('admin')]