PyPI - souleyez - Versions diffs - 2.17.0__tar.gz → 2.23.0__tar.gz - Mend

souleyez 2.17.0tar.gz → 2.23.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

{souleyez-2.17.0 → souleyez-2.23.0}/BETA_README.md RENAMED Viewed

@@ -21,7 +21,7 @@ Welcome to the SoulEyez beta! Thank you for helping us test and improve this pen
 > ⚠️ **Important**: Only use SoulEyez on systems you have explicit authorization to test.
-## Version: 2.17.0
+## Version: 2.23.0
 ### What's Included
@@ -76,6 +76,8 @@ pipx ensurepath          # Add pipx apps to your PATH
 source ~/.bashrc         # Reload your shell (or close and reopen terminal)
 ```
+> **Kali Linux users:** Kali uses zsh by default. Use `source ~/.zshrc` instead of `source ~/.bashrc`
 > 💡 **What's pipx?** It's like `apt` but for Python command-line tools. It keeps each tool isolated so they don't conflict with each other.
 ### Step 2: Install SoulEyez
@@ -246,4 +248,4 @@ Happy hacking! 🛡️
 ---
-**Version**: 2.17.0 | **Release Date**: January 2026 | **Maintainer**: CyberSoul Security
+**Version**: 2.23.0 | **Release Date**: January 2026 | **Maintainer**: CyberSoul Security

{souleyez-2.17.0/souleyez.egg-info → souleyez-2.23.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: souleyez
-Version: 2.17.0
+Version: 2.23.0
 Summary: AI-Powered Penetration Testing Platform with 40+ integrated tools
 Author-email: CyberSoul Security <contact@cybersoulsecurity.com>
 Maintainer-email: CyberSoul Security <contact@cybersoulsecurity.com>
@@ -72,7 +72,7 @@ Welcome to the SoulEyez beta! Thank you for helping us test and improve this pen
 > ⚠️ **Important**: Only use SoulEyez on systems you have explicit authorization to test.
-## Version: 2.17.0
+## Version: 2.23.0
 ### What's Included
@@ -127,6 +127,8 @@ pipx ensurepath          # Add pipx apps to your PATH
 source ~/.bashrc         # Reload your shell (or close and reopen terminal)
 ```
+> **Kali Linux users:** Kali uses zsh by default. Use `source ~/.zshrc` instead of `source ~/.bashrc`
 > 💡 **What's pipx?** It's like `apt` but for Python command-line tools. It keeps each tool isolated so they don't conflict with each other.
 ### Step 2: Install SoulEyez
@@ -297,4 +299,4 @@ Happy hacking! 🛡️
 ---
-**Version**: 2.17.0 | **Release Date**: January 2026 | **Maintainer**: CyberSoul Security
+**Version**: 2.23.0 | **Release Date**: January 2026 | **Maintainer**: CyberSoul Security

{souleyez-2.17.0 → souleyez-2.23.0}/README.md RENAMED Viewed

@@ -133,7 +133,7 @@ See [docs/CONFIG.md](souleyez/docs/CONFIG.md) for complete configuration options
 # Install pipx if needed
 sudo apt install pipx
 pipx ensurepath
-source ~/.bashrc
+source ~/.bashrc    # Kali Linux: use 'source ~/.zshrc' instead
 # Install SoulEyez
 pipx install souleyez
@@ -142,6 +142,8 @@ pipx install souleyez
 souleyez setup
 ```
+> **Kali Linux users:** Kali uses zsh by default. Use `source ~/.zshrc` instead of `source ~/.bashrc`
 See [docs/user-guide/installation.md](souleyez/docs/user-guide/installation.md) for detailed instructions.
 ---

{souleyez-2.17.0 → souleyez-2.23.0}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "souleyez"
-version = "2.17.0"
+version = "2.23.0"
 description = "AI-Powered Penetration Testing Platform with 40+ integrated tools"
 readme = "BETA_README.md"
 license = {text = "MIT"}

souleyez-2.23.0/souleyez/__init__.py ADDED Viewed

	@@ -0,0 +1 @@
1	+ __version__ = '2.23.0'

{souleyez-2.17.0 → souleyez-2.23.0}/souleyez/core/tool_chaining.py RENAMED Viewed

@@ -423,6 +423,21 @@ class ChainRule:
                                     result = True
                                     break
+            elif cond_type == 'svc_version':
+                # Simple version string match (e.g., 'svc_version:2.3.4')
+                # Matches if any service has this exact version string
+                # Useful when nmap doesn't detect product name
+                services = context.get('services', [])
+                for service in services:
+                    svc_version = (
+                        service.get('version', '') or
+                        service.get('service_version', '') or
+                        ''
+                    )
+                    if svc_version and cond_value.lower() in svc_version.lower():
+                        result = True
+                        break
         # Apply negation if needed
         return not result if negated else result
@@ -731,13 +746,16 @@ class ToolChaining:
                 args_template=['-a', '{target}'],
                 description='SMB service detected, enumerating shares and users (runs after CrackMapExec)'
             ),
+            # DISABLED: smbmap has upstream pickling bug with impacket (affects all versions)
+            # Use crackmapexec/netexec --shares instead (rule #10 above)
             ChainRule(
                 trigger_tool='nmap',
                 trigger_condition='service:smb',
                 target_tool='smbmap',
                 priority=7,
+                enabled=False,  # Disabled due to impacket pickling bug
                 args_template=['-H', '{target}'],
-                description='SMB service detected, mapping shares'
+                description='SMB service detected, mapping shares (DISABLED - use netexec)'
             ),
         ])
@@ -1143,13 +1161,16 @@ class ToolChaining:
         #     )
         # )
+        # DISABLED: smbmap has upstream pickling bug - won't produce results
         # Writable SMB shares found → check for exploitability
+        # TODO: Add rule triggering from crackmapexec writable shares detection
         self.rules.append(
             ChainRule(
                 trigger_tool='smbmap',
                 trigger_condition='has:writable_shares',
                 target_tool='msf_auxiliary',
                 priority=10,
+                enabled=False,  # Disabled - smbmap broken
                 args_template=['auxiliary/scanner/smb/smb_version'],
                 description='Writable SMB shares found, checking for vulnerabilities'
             )
@@ -1908,28 +1929,42 @@ class ToolChaining:
         # vsftpd 2.3.4 backdoor (CVE-2011-2523)
         # Triggers backdoor shell on port 6200 when username contains :)
+        # Match FTP service with version 2.3.4 (nmap often shows just "ftp" + "2.3.4")
         self.rules.append(
             ChainRule(
                 trigger_tool='nmap',
-                trigger_condition='version:vsftpd 2.3.4',
+                trigger_condition='service:ftp & svc_version:2.3.4',
                 target_tool='msf_exploit',
                 priority=10,
                 args_template=['exploit/unix/ftp/vsftpd_234_backdoor'],
-                description='vsftpd 2.3.4 detected - BACKDOOR AVAILABLE (CVE-2011-2523)',
+                description='FTP 2.3.4 detected - checking for vsftpd backdoor (CVE-2011-2523)',
                 category=CATEGORY_CTF
             )
         )
         # Samba 3.0.x usermap_script RCE (CVE-2007-2447)
         # Command injection in username field
+        # Match SMB service with version starting with 3 (nmap shows "3.X" or "3.0.x")
+        self.rules.append(
+            ChainRule(
+                trigger_tool='nmap',
+                trigger_condition='service:smb & svc_version:3.',
+                target_tool='msf_exploit',
+                priority=10,
+                args_template=['exploit/multi/samba/usermap_script'],
+                description='Samba 3.x detected - checking for usermap_script RCE (CVE-2007-2447)',
+                category=CATEGORY_CTF
+            )
+        )
+        # Also match netbios-ssn service (common nmap detection for SMB)
         self.rules.append(
             ChainRule(
                 trigger_tool='nmap',
-                trigger_condition='version:Samba 3.0',
+                trigger_condition='service:netbios-ssn & svc_version:3.',
                 target_tool='msf_exploit',
                 priority=10,
                 args_template=['exploit/multi/samba/usermap_script'],
-                description='Samba 3.0.x detected - usermap_script RCE available (CVE-2007-2447)',
+                description='Samba 3.x detected (netbios-ssn) - checking for usermap_script RCE (CVE-2007-2447)',
                 category=CATEGORY_CTF
             )
         )
@@ -2132,14 +2167,15 @@ class ToolChaining:
         )
         # ProFTPD mod_copy (CVE-2015-3306) - file copy without auth
+        # Match FTP service with version 1.3.x (common ProFTPD versions)
         self.rules.append(
             ChainRule(
                 trigger_tool='nmap',
-                trigger_condition='version:ProFTPD 1.3',
+                trigger_condition='service:ftp & svc_version:1.3',
                 target_tool='msf_exploit',
                 priority=8,
                 args_template=['exploit/unix/ftp/proftpd_modcopy_exec'],
-                description='ProFTPD 1.3.x detected - checking for mod_copy RCE (CVE-2015-3306)',
+                description='FTP 1.3.x detected - checking for ProFTPD mod_copy RCE (CVE-2015-3306)',
                 category=CATEGORY_CTF
             )
         )
@@ -4160,6 +4196,40 @@ class ToolChaining:
                         if len(app_databases) > db_limit:
                             logger.info(f"SQLMap auto-chaining limited to first {db_limit} of {len(app_databases)} application databases")
+                # === Post-exploitation chain rules (is_dba, file_read, os_cmd) ===
+                # Check for post-exploitation flags and fire appropriate chain rules
+                is_dba = parse_results.get('is_dba', False)
+                file_read_success = parse_results.get('file_read_success', False)
+                os_command_success = parse_results.get('os_command_success', False)
+                if is_dba or file_read_success or os_command_success:
+                    from souleyez.log_config import get_logger
+                    logger = get_logger(__name__)
+                    # Build context with post-exploitation flags using injectable_url
+                    post_exploit_context = {
+                        'target': injectable_url,  # Use the correct injectable URL
+                        'tool': tool,
+                        'is_dba': is_dba,
+                        'file_read_success': file_read_success,
+                        'os_command_success': os_command_success,
+                        'post_data': post_data,  # Preserve POST data for subsequent commands
+                    }
+                    if is_dba:
+                        logger.info(f"SQLMap: DBA access confirmed! Evaluating post-exploitation chains...")
+                    if file_read_success:
+                        logger.info(f"SQLMap: File read successful! Evaluating file read chains...")
+                    if os_command_success:
+                        logger.info(f"SQLMap: OS command execution successful!")
+                    # Evaluate chain rules - this will fire rules like has:is_dba
+                    commands = self.evaluate_chains(tool, post_exploit_context)
+                    if commands:
+                        logger.info(f"SQLMap: Matched {len(commands)} post-exploitation chain rule(s)")
+                        job_ids.extend(self._enqueue_commands(commands, tool, engagement_id, injectable_url, parent_job_id=job.get('id')))
+                # === END Post-exploitation chain rules ===
                 return job_ids
             # === END SQLMap special handling ===
@@ -4877,6 +4947,28 @@ class ToolChaining:
                         if not endpoint_url:
                             continue
+                        # === Filter out non-injectable files ===
+                        path_lower = endpoint_url.lower()
+                        filename = path_lower.split('/')[-1] if '/' in path_lower else path_lower
+                        # Skip Apache/nginx config files
+                        if filename.startswith('.ht') or filename.startswith('.nginx'):
+                            logger.debug(f"Skipping config file: {endpoint_url}")
+                            continue
+                        # Skip static files that can't have SQL injection
+                        static_extensions = (
+                            '.html', '.htm', '.txt', '.css', '.js', '.json',
+                            '.xml', '.svg', '.png', '.jpg', '.jpeg', '.gif',
+                            '.ico', '.woff', '.woff2', '.ttf', '.eot',
+                            '.pdf', '.doc', '.docx', '.xls', '.xlsx',
+                            '.bak', '.old', '.backup', '.swp', '.orig',
+                            '.map', '.md', '.rst', '.log'
+                        )
+                        if any(filename.endswith(ext) for ext in static_extensions):
+                            logger.debug(f"Skipping static file: {endpoint_url}")
+                            continue
                         # === SQLMap for testable endpoints ===
                         if status_code in testable_statuses and created_sqlmap_jobs < max_sqlmap_jobs:
                             # For API endpoints without parameters, add test parameters

{souleyez-2.17.0 → souleyez-2.23.0}/souleyez/detection/validator.py RENAMED Viewed

@@ -156,8 +156,10 @@ class DetectionValidator:
         job_command = _reconstruct_command(job)
         # Use started_at or finished_at for execution time
         executed_at = job.get('started_at') or job.get('finished_at') or job.get('created_at')
-        # Job is successful if status is 'done'
-        success = job.get('status') == 'done'
+        # Job ran successfully if status is done, no_results, or warning
+        # (all of these sent network traffic that should be detectable by SIEM)
+        job_status = job.get('status', '')
+        success = job_status in ('done', 'no_results', 'warning')
         # Extract target IP from command (common patterns)
         target_ip = None

{souleyez-2.17.0 → souleyez-2.23.0}/souleyez/docs/README.md RENAMED Viewed

@@ -1,7 +1,7 @@
 # SoulEyez Documentation
-**Version:** 2.17.0
-**Last Updated:** January 4, 2026
+**Version:** 2.23.0
+**Last Updated:** January 7, 2026
 **Organization:** CyberSoul Security
 Welcome to the SoulEyez documentation! This documentation covers architecture, development, user guides, and operational information for the SoulEyez penetration testing platform.

{souleyez-2.17.0 → souleyez-2.23.0}/souleyez/docs/user-guide/installation.md RENAMED Viewed

@@ -40,12 +40,14 @@ pipx is the Python community's recommended way to install CLI applications. It h
 # One-time setup
 sudo apt install pipx
 pipx ensurepath
-source ~/.bashrc
+source ~/.bashrc    # Kali Linux: use 'source ~/.zshrc' instead
 # Install SoulEyez
 pipx install souleyez
 ```
+> **Kali Linux users:** Kali uses zsh by default. Use `source ~/.zshrc` instead of `source ~/.bashrc`
 On first run, SoulEyez will prompt you to install pentesting tools (nmap, sqlmap, gobuster, etc.).
 ```bash

{souleyez-2.17.0 → souleyez-2.23.0}/souleyez/engine/background.py RENAMED Viewed

@@ -711,7 +711,14 @@ def _run_rpc_exploit(cmd_spec: Dict[str, Any], log_path: str, jid: int = None, p
         )
         return 0
+    elif result.get('no_session'):
+        # Exploit ran but no session opened - this is "no results", not an error
+        # Return 1 but let parser set status to no_results
+        reason = result.get('reason', 'No session opened')
+        _append_worker_log(f"job {jid}: exploit completed - {reason}")
+        return 1
     else:
+        # True error (connection failed, RPC error, etc.)
         error = result.get('error', 'Unknown error')
         _append_worker_log(f"job {jid}: RPC exploit failed - {error}")
         return 1
@@ -1031,7 +1038,8 @@ def _is_true_error_exit_code(rc: int, tool: str) -> bool:
     # Tools that use non-zero exit codes for non-error conditions
     # Parser will determine the actual status based on output
-    tools_with_nonzero_success = ['gobuster', 'hydra', 'medusa']
+    # msf_exploit returns 1 when no session opened (exploit ran but target not vulnerable)
+    tools_with_nonzero_success = ['gobuster', 'hydra', 'medusa', 'msf_exploit']
     if tool.lower() in tools_with_nonzero_success:
         # Let parser determine status

{souleyez-2.17.0 → souleyez-2.23.0}/souleyez/engine/result_handler.py RENAMED Viewed

@@ -305,6 +305,8 @@ def parse_nmap_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -> Di
         # Import into database
         hm = HostManager()
         result = hm.import_nmap_results(engagement_id, parsed)
+        logger.info(f"Nmap import: {result['hosts_added']} hosts, {result['services_added']} services in engagement {engagement_id}")
+        logger.debug(f"Info scripts to process: {len(parsed.get('info_scripts', []))}")
         # Check for CVEs and common issues
         fm = FindingsManager()
@@ -436,11 +438,13 @@ def parse_nmap_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -> Di
         for info in parsed.get('info_scripts', []):
             host_ip = info.get('host_ip')
             if not host_ip:
+                logger.warning(f"Info script missing host_ip: {info.get('script')}")
                 continue
             # Find host ID
             host = hm.get_host_by_ip(engagement_id, host_ip)
             if not host:
+                logger.warning(f"Host not found for info script: {host_ip} in engagement {engagement_id}")
                 continue
             host_id = host['id']

{souleyez-2.17.0 → souleyez-2.23.0}/souleyez/integrations/siem/splunk.py RENAMED Viewed

@@ -348,7 +348,15 @@ class SplunkSIEMClient(SIEMClient):
                 # HEC wraps in 'event' key, or data might be at top level
                 event_data = parsed.get('event', parsed) if isinstance(parsed, dict) else {}
             except (json_lib.JSONDecodeError, TypeError):
-                pass
+                # Try to extract embedded JSON from syslog lines
+                # Format: "Jan  7 14:23:38 host program {json...}"
+                import re
+                json_match = re.search(r'\{.*\}', raw_str)
+                if json_match:
+                    try:
+                        event_data = json_lib.loads(json_match.group())
+                    except (json_lib.JSONDecodeError, TypeError):
+                        pass
         # Helper to get field from event_data first, then raw_result
         def get_field(*keys, default=''):
@@ -370,10 +378,15 @@ class SplunkSIEMClient(SIEMClient):
         rule_id = get_field('rule_id', 'rule_name', 'savedsearch_name', 'alert')
         rule_name = get_field('rule_name', 'search_name') or rule_id
-        # For plain log events (no alert fields), use sourcetype as category
+        # For plain log events (no alert fields), use event_type or sourcetype
         if not rule_id:
+            # Prefer Suricata event_type over generic sourcetype
+            event_type = get_field('event_type')
             sourcetype = raw_result.get('sourcetype', '')
-            if sourcetype:
+            if event_type:
+                rule_id = event_type
+                rule_name = f"Suricata: {event_type}"
+            elif sourcetype:
                 rule_id = sourcetype
                 rule_name = f"Log: {sourcetype}"
@@ -389,19 +402,53 @@ class SplunkSIEMClient(SIEMClient):
         if not source_ip:
             source_ip = raw_result.get('host', '')
-        # Extract description
+        # Extract description - try multiple sources
         description = get_field('description', 'signature', 'message')
+        # Suricata-specific: check nested alert object
+        if not description and event_data.get('alert'):
+            alert_obj = event_data['alert']
+            if isinstance(alert_obj, dict):
+                description = alert_obj.get('signature', alert_obj.get('category', ''))
+        # Suricata event_type with context
         if not description:
-            # Fallback: use event_type as description
             event_type = get_field('event_type', 'category')
             if event_type:
-                description = f"{event_type}: {get_field('action', default='detected')}"
-        # For plain log events, use snippet of _raw as description
+                # Add context based on event type
+                if event_type == 'dns' and event_data.get('dns'):
+                    dns = event_data['dns']
+                    rrname = dns.get('rrname', '') if isinstance(dns, dict) else ''
+                    description = f"DNS: {rrname}" if rrname else f"DNS query"
+                elif event_type == 'http' and event_data.get('http'):
+                    http = event_data['http']
+                    hostname = http.get('hostname', '') if isinstance(http, dict) else ''
+                    description = f"HTTP: {hostname}" if hostname else "HTTP request"
+                elif event_type == 'flow':
+                    app_proto = get_field('app_proto', default='')
+                    description = f"Flow: {app_proto}" if app_proto else "Network flow"
+                elif event_type == 'alert':
+                    description = "Suricata alert"
+                else:
+                    description = f"{event_type}: {get_field('action', default='detected')}"
+        # For plain log events, try to extract something useful from _raw
         if not description and raw_str:
-            # Clean up raw log and take first 150 chars
-            clean_raw = raw_str.replace('\n', ' ').strip()
-            description = clean_raw[:150] + ('...' if len(clean_raw) > 150 else '')
+            # Skip syslog header to get actual message
+            # Format: "Mon DD HH:MM:SS hostname program: message"
+            import re
+            # Try to extract message after "program:" or "program["
+            msg_match = re.search(r'^\w+\s+\d+\s+[\d:]+\s+\S+\s+\S+[:\[]\s*(.+)', raw_str)
+            if msg_match:
+                description = msg_match.group(1).strip()[:150]
+            else:
+                # Fallback: clean up raw log
+                clean_raw = raw_str.replace('\n', ' ').strip()
+                # Skip if it's just timestamps/IPs with no real content
+                if len(clean_raw) > 50:
+                    description = clean_raw[:150] + ('...' if len(clean_raw) > 150 else '')
+                else:
+                    description = clean_raw if clean_raw else 'No details available'
         # Extract MITRE info - check event_data first
         mitre_tactics = []

{souleyez-2.17.0 → souleyez-2.23.0}/souleyez/main.py RENAMED Viewed

@@ -173,7 +173,7 @@ def _check_privileged_tools():
 @click.group()
-@click.version_option(version='2.17.0')
+@click.version_option(version='2.23.0')
 def cli():
     """SoulEyez - AI-Powered Pentesting Platform by CyberSoul Security"""
     from souleyez.log_config import init_logging

{souleyez-2.17.0 → souleyez-2.23.0}/souleyez/parsers/smbmap_parser.py RENAMED Viewed

@@ -49,16 +49,44 @@ def parse_smbmap_output(output: str, target: str = "") -> Dict[str, Any]:
                     'timestamp': str
                 },
                 ...
-            ]
+            ],
+            'smb_detected': bool,  # True if SMB service was detected
+            'hosts_count': int,    # Number of hosts serving SMB
+            'error': str           # Error message if tool crashed
         }
     """
     result = {
         'target': target,
         'status': None,
         'shares': [],
-        'files': []
+        'files': [],
+        'smb_detected': False,
+        'hosts_count': 0,
+        'error': None
     }
+    # Check for SMB detection (even if tool crashes later)
+    # [*] Detected 1 hosts serving SMB
+    smb_detected_match = re.search(r'\[\*\]\s*Detected\s+(\d+)\s+hosts?\s+serving\s+SMB', output)
+    if smb_detected_match:
+        result['smb_detected'] = True
+        result['hosts_count'] = int(smb_detected_match.group(1))
+    # Check for Python traceback (tool crash)
+    if 'Traceback (most recent call last):' in output:
+        # Extract error message from traceback
+        error_match = re.search(r'(?:Error|Exception).*?[\'"]([^\'"]+)[\'"]', output, re.DOTALL)
+        if error_match:
+            result['error'] = error_match.group(1)
+        else:
+            # Try to get the last line of the traceback
+            traceback_lines = output.split('Traceback (most recent call last):')[-1].strip().split('\n')
+            for line in reversed(traceback_lines):
+                line = line.strip()
+                if line and not line.startswith('File') and not line.startswith('raise'):
+                    result['error'] = line[:200]  # Limit length
+                    break
     lines = output.split('\n')
     in_share_table = False
     current_share = None

souleyez 2.17.0__tar.gz → 2.23.0__tar.gz

souleyez 2.17.0tar.gz → 2.23.0tar.gz