souleyez 2.22.0__py3-none-any.whl → 2.26.0__py3-none-any.whl

souleyez/parsers/crackmapexec_parser.py

@@ -72,42 +72,61 @@ def _parse_content(content: str, target: str) -> Dict[str, Any]:
         'auth_info': {}
     }
 
+    # Remove ANSI color codes first
+    content = re.sub(r'\x1b\[[0-9;]*m', '', content)
+
     for line in content.split('\n'):
         # Parse host information (Windows OR Unix/Samba)
-        # Format: SMB  10.0.0.88  445  HOSTNAME  [*] Windows/Unix ... (name:HOSTNAME) (domain:DOMAIN) ...
-        if 'SMB' in line and ('[*]' in line) and ('Windows' in line or 'Unix' in line or 'Samba' in line):
-            host_match = re.search(r'(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+\[\*\]\s+(.+)', line)
+        # Format variations:
+        # SMB  10.0.0.88  445  HOSTNAME  [*] Windows/Unix ... (name:HOSTNAME) (domain:DOMAIN) ...
+        # SMB         10.0.0.88    445    HOSTNAME [*] Windows Server 2016 ...
+        # WINRM  10.0.0.88  5985  HOSTNAME  [*] http://10.0.0.88:5985/wsman
+
+        os_keywords = ['Windows', 'Unix', 'Samba', 'Linux', 'Server', 'Microsoft']
+        if any(proto in line for proto in ['SMB', 'WINRM', 'SSH', 'RDP']) and '[*]' in line:
+            # Try multiple patterns for host info
+            host_match = None
+
+            # Pattern 1: Standard format with flexible whitespace
+            host_match = re.search(r'(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+\[\*\]\s*(.+)', line)
+
+            # Pattern 2: Protocol prefix format
+            if not host_match:
+                host_match = re.search(r'(?:SMB|WINRM|SSH|RDP)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+\[\*\]\s*(.+)', line)
+
             if host_match:
                 ip = host_match.group(1)
                 port = int(host_match.group(2))
                 hostname = host_match.group(3)
                 details = host_match.group(4).strip()
 
-                # Extract domain from (domain:DOMAIN) pattern
-                domain_match = re.search(r'\(domain:([^)]+)\)', details)
-                domain = domain_match.group(1) if domain_match else None
-
-                # Extract OS info (everything before the first parenthesis)
-                os_match = re.match(r'([^(]+)', details)
-                os_info = os_match.group(1).strip() if os_match else details
-
-                # Extract SMB signing status
-                signing_match = re.search(r'\(signing:(\w+)\)', details)
-                signing = signing_match.group(1) if signing_match else None
-
-                # Extract SMBv1 status
-                smbv1_match = re.search(r'\(SMBv1:(\w+)\)', details)
-                smbv1 = smbv1_match.group(1) if smbv1_match else None
-
-                findings['hosts'].append({
-                    'ip': ip,
-                    'port': port,
-                    'hostname': hostname,
-                    'domain': domain,
-                    'os': os_info,
-                    'signing': signing,
-                    'smbv1': smbv1
-                })
+                # Only process as host info if it looks like OS/version info
+                if any(kw in details for kw in os_keywords) or '(domain:' in details:
+                    # Extract domain from (domain:DOMAIN) or domain: pattern
+                    domain_match = re.search(r'\(?domain:?\s*([^)\s]+)\)?', details, re.IGNORECASE)
+                    domain = domain_match.group(1) if domain_match else None
+
+                    # Extract OS info (everything before the first parenthesis)
+                    os_match = re.match(r'([^(]+)', details)
+                    os_info = os_match.group(1).strip() if os_match else details
+
+                    # Extract SMB signing status (multiple formats)
+                    signing_match = re.search(r'\(?signing:?\s*(\w+)\)?', details, re.IGNORECASE)
+                    signing = signing_match.group(1) if signing_match else None
+
+                    # Extract SMBv1 status
+                    smbv1_match = re.search(r'\(?SMBv1:?\s*(\w+)\)?', details, re.IGNORECASE)
+                    smbv1 = smbv1_match.group(1) if smbv1_match else None
+
+                    findings['hosts'].append({
+                        'ip': ip,
+                        'port': port,
+                        'hostname': hostname,
+                        'domain': domain,
+                        'os': os_info,
+                        'signing': signing,
+                        'smbv1': smbv1
+                    })
 
         # Parse authentication status
         # Format: SMB  10.0.0.14  445  HOSTNAME  [+] \: (Guest)
@@ -122,13 +141,23 @@ def _parse_content(content: str, target: str) -> Dict[str, Any]:
                 }
 
         # Parse share enumeration (shares WITH permissions)
-        share_perm_match = re.search(r'SMB.*\s+(\S+)\s+(READ|WRITE|READ,WRITE|NO ACCESS)\s+(.+)?$', line)
-        if share_perm_match and '$' in share_perm_match.group(1):
-            findings['shares'].append({
-                'name': share_perm_match.group(1),
-                'permissions': share_perm_match.group(2),
-                'comment': share_perm_match.group(3).strip() if share_perm_match.group(3) else ''
-            })
+        # Format variations:
+        # SMB ... ADMIN$  READ,WRITE  Remote Admin
+        # SMB ... ADMIN$  READ, WRITE  Remote Admin (with space)
+        # SMB ... C$  READ ONLY  Default share
+        share_perm_match = re.search(
+            r'SMB.*\s+(\S+\$?)\s+(READ,?\s*WRITE|READ\s*ONLY|WRITE\s*ONLY|READ|WRITE|NO\s*ACCESS)\s*(.*)$',
+            line, re.IGNORECASE
+        )
+        if share_perm_match:
+            share_name = share_perm_match.group(1)
+            # Skip if it looks like a header or status line
+            if share_name not in ['Share', 'Permissions', 'shares']:
+                findings['shares'].append({
+                    'name': share_name,
+                    'permissions': share_perm_match.group(2).upper().replace(' ', ''),
+                    'comment': share_perm_match.group(3).strip() if share_perm_match.group(3) else ''
+                })
         # Parse share enumeration (shares WITHOUT explicit permissions - just listed)
         elif 'SMB' in line and not ('Share' in line and 'Permissions' in line) and not '-----' in line:
             # Look for lines with share names (ending with $, or common names like print$, public, IPC$)
@@ -146,9 +175,16 @@ def _parse_content(content: str, target: str) -> Dict[str, Any]:
                             'comment': remark
                         })
 
-        # Parse user enumeration
-        if 'badpwdcount' in line.lower():
-            user_match = re.search(r'(\S+)\s+badpwdcount:\s*(\d+)\s+desc:\s*(.+)?', line)
+        # Parse user enumeration with flexible format
+        # Format variations:
+        # username badpwdcount: 0 desc: Description
+        # username  badpwdcount:0  desc:Description
+        # username baddpwdcount: 0 description: Description
+        if 'badpwdcount' in line.lower() or 'baddpwdcount' in line.lower():
+            user_match = re.search(
+                r'(\S+)\s+bad+pwdcount:?\s*(\d+)\s+(?:desc(?:ription)?:?\s*)?(.+)?',
+                line, re.IGNORECASE
+            )
             if user_match:
                 findings['users'].append({
                     'username': user_match.group(1),
@@ -165,15 +201,37 @@ def _parse_content(content: str, target: str) -> Dict[str, Any]:
                 })
 
         # Parse valid credentials (but not Guest authentication)
-        if '[+]' in line and 'Pwn3d!' in line:
-            cred_match = re.search(r'\[\+\]\s+([^\\]+)\\(\S+):(\S+)\s*(\(Pwn3d!\))?', line)
+        # Format variations:
+        # [+] DOMAIN\username:password (Pwn3d!)
+        # [+] DOMAIN\\username:password (Pwn3d!)
+        # [+] username:password (Pwn3d!)
+        # [+] DOMAIN/username:password (Pwn3d!)
+        if '[+]' in line and ('Pwn3d' in line or ':' in line):
+            # Try domain\user:pass format first
+            cred_match = re.search(
+                r'\[\+\]\s*([^\\/:]+)[\\\/]+([^:]+):([^\s(]+)\s*(\(Pwn3d!?\))?',
+                line, re.IGNORECASE
+            )
             if cred_match:
                 findings['credentials'].append({
-                    'domain': cred_match.group(1),
-                    'username': cred_match.group(2),
-                    'password': cred_match.group(3),
+                    'domain': cred_match.group(1).strip(),
+                    'username': cred_match.group(2).strip(),
+                    'password': cred_match.group(3).strip(),
                     'admin': bool(cred_match.group(4))
                 })
+            else:
+                # Try user:pass format (no domain)
+                cred_match = re.search(
+                    r'\[\+\]\s*([^:@\s]+):([^\s(]+)\s*(\(Pwn3d!?\))?',
+                    line, re.IGNORECASE
+                )
+                if cred_match and '@' not in cred_match.group(1):
+                    findings['credentials'].append({
+                        'domain': '',
+                        'username': cred_match.group(1).strip(),
+                        'password': cred_match.group(2).strip(),
+                        'admin': bool(cred_match.group(3))
+                    })
 
     # Extract admin credentials for auto-chaining
     admin_creds = [c for c in findings['credentials'] if c.get('admin')]

souleyez/parsers/dnsrecon_parser.py

@@ -56,47 +56,62 @@ def parse_dnsrecon_output(output: str, target: str = "") -> Dict[str, Any]:
         if not line_stripped or line_stripped.startswith('[-]'):
             continue
 
-        # Parse lines starting with [*] - these contain DNS records
-        # Format: [*] 	 A cybersoulsecurity.com 198.185.159.144
-        # Format: [*] 	 NS ns04.squarespacedns.com 45.54.22.193
-        # Format: [*] 	 MX alt1.aspmx.l.google.com 192.178.164.26
-        # Format: [*] 	 SOA dns1.p01.nsone.net 198.51.44.1
+        # Parse DNS records from dnsrecon output
+        # Old format: [*]   A cybersoulsecurity.com 198.185.159.144
+        # New format: 2026-01-08T13:50:16.302153-1000 INFO      SOA dns1.p01.nsone.net 198.51.44.1
+        # New format: 2026-01-08T13:50:17.112742-1000 INFO      NS dns4.p01.nsone.net 198.51.45.65
+
+        record_type = None
+        hostname = None
+        ip = None
 
         if line_stripped.startswith('[*]'):
+            # Old format: [*] <type> <hostname> <ip>
             parts = line_stripped.split()
-            if len(parts) >= 4:  # [*] <type> <hostname> <ip>
+            if len(parts) >= 4:
                 record_type = parts[1]
                 hostname = parts[2].lower()
                 ip = parts[3] if len(parts) > 3 else ''
-
-                # Validate IP (both IPv4 and basic IPv6)
-                is_ipv4 = re.match(r'^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$', ip)
-                # is_ipv6 = ':' in ip  # not used currently
-
-                if record_type == 'A' and is_ipv4:
-                    if hostname not in seen_hosts:
-                        seen_hosts.add(hostname)
-                        result['hosts'].append({
-                            'hostname': hostname,
-                            'ip': ip,
-                            'type': 'A'
-                        })
-                        if hostname != target and hostname not in seen_subdomains:
-                            seen_subdomains.add(hostname)
-                            result['subdomains'].append(hostname)
-
-                elif record_type == 'NS':
-                    if hostname not in result['nameservers']:
-                        result['nameservers'].append(hostname)
-
-                elif record_type == 'MX':
-                    if hostname not in result['mail_servers']:
-                        result['mail_servers'].append(hostname)
-
-                elif record_type == 'SOA':
-                    # SOA records can also be nameservers
-                    if hostname not in result['nameservers']:
-                        result['nameservers'].append(hostname)
+        elif ' INFO ' in line_stripped:
+            # New format: TIMESTAMP INFO <type> <hostname> <ip>
+            # Split on INFO and parse the rest
+            info_idx = line_stripped.find(' INFO ')
+            if info_idx != -1:
+                record_part = line_stripped[info_idx + 6:].strip()
+                parts = record_part.split()
+                if len(parts) >= 3:
+                    record_type = parts[0]
+                    hostname = parts[1].lower()
+                    ip = parts[2] if len(parts) > 2 else ''
+
+        if record_type and hostname:
+            # Validate IP (both IPv4 and basic IPv6)
+            is_ipv4 = re.match(r'^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$', ip) if ip else False
+
+            if record_type == 'A' and is_ipv4:
+                if hostname not in seen_hosts:
+                    seen_hosts.add(hostname)
+                    result['hosts'].append({
+                        'hostname': hostname,
+                        'ip': ip,
+                        'type': 'A'
+                    })
+                    if hostname != target and hostname not in seen_subdomains:
+                        seen_subdomains.add(hostname)
+                        result['subdomains'].append(hostname)
+
+            elif record_type == 'NS':
+                if hostname not in result['nameservers']:
+                    result['nameservers'].append(hostname)
+
+            elif record_type == 'MX':
+                if hostname not in result['mail_servers']:
+                    result['mail_servers'].append(hostname)
+
+            elif record_type == 'SOA':
+                # SOA records can also be nameservers
+                if hostname not in result['nameservers']:
+                    result['nameservers'].append(hostname)
 
         # Parse subdomain brute force results: [*] Subdomain: api.example.com IP: 1.2.3.4
         subdomain_match = re.search(r'Subdomain:\s+(\S+)\s+IP:\s+(\d+\.\d+\.\d+\.\d+)', line_stripped)

souleyez/parsers/enum4linux_parser.py

@@ -51,16 +51,38 @@ def parse_enum4linux_output(output: str, target: str = "") -> Dict[str, Any]:
 
 def _is_enum4linux_ng_output(output: str) -> bool:
     """Detect if output is from enum4linux-ng (YAML-style format)."""
-    # enum4linux-ng indicators - look for its specific patterns
+    # Primary indicator - explicit version string (most reliable)
+    if re.search(r'ENUM4LINUX\s*-\s*next\s*generation', output, re.IGNORECASE):
+        return True
+    if re.search(r'enum4linux-ng', output, re.IGNORECASE):
+        return True
+
+    # Secondary indicators - look for YAML-style patterns unique to ng
     ng_indicators = [
-        re.search(r'ENUM4LINUX - next generation', output),
-        re.search(r'After merging user results', output),
-        re.search(r'After merging share results', output),
-        re.search(r'^\s+username:\s+', output, re.MULTILINE),
-        re.search(r"^'\d+':\s*$", output, re.MULTILINE),  # RID entries like '1000':
+        re.search(r'After merging (user|share|group) results', output, re.IGNORECASE),
+        re.search(r'^\s{2,}username:\s+', output, re.MULTILINE),  # Indented YAML-style
+        re.search(r"^'?\d+'?:\s*$", output, re.MULTILINE),  # RID entries: '1000': or 1000:
+        re.search(r'^\s{2,}(groupname|name|type|comment):\s+', output, re.MULTILINE),
+        re.search(r'Trying to get SID from lsaquery', output, re.IGNORECASE),
+    ]
+
+    # Classic enum4linux indicators (to confirm it's NOT ng)
+    classic_indicators = [
+        re.search(r'enum4linux v\d', output, re.IGNORECASE),
+        re.search(r'Starting enum4linux v', output, re.IGNORECASE),
+        re.search(r'Sharename\s+Type\s+Comment', output),  # Table header
+        re.search(r'\|\s+Users on', output),
     ]
-    # If we find at least 2 indicators, it's probably enum4linux-ng
-    return sum(1 for ind in ng_indicators if ind) >= 2
+
+    ng_count = sum(1 for ind in ng_indicators if ind)
+    classic_count = sum(1 for ind in classic_indicators if ind)
+
+    # If we have classic indicators and no/few ng indicators, it's classic
+    if classic_count >= 2 and ng_count < 2:
+        return False
+
+    # If we find at least 2 ng indicators, it's probably enum4linux-ng
+    return ng_count >= 2
 
 
 def _parse_enum4linux_ng_output(output: str, target: str = "") -> Dict[str, Any]:
@@ -297,21 +319,41 @@ def _parse_enum4linux_classic_output(output: str, target: str = "") -> Dict[str,
 
         # Parse user lines from RID cycling output (Local User or Domain User)
         elif current_section == 'users' and line and not line.startswith('='):
-            # Format: "S-1-5-21-...-RID DOMAIN\username (Local User)"
-            user_match = re.match(r'S-1-5-21-[0-9-]+ \S+\\(\S+) \((Local User|Domain User)\)', line)
+            # Format variations:
+            # "S-1-5-21-...-RID DOMAIN\username (Local User)"
+            # "S-1-5-21-...-RID DOMAIN\\username (Local User)"
+            # "username (Local User)" - simplified format
+            # "[+] DOMAIN\username" - alternate prefix
+
+            # Try full SID format first (flexible escaping)
+            user_match = re.search(r'S-1-5-21-[\d-]+\s+\S+[\\]+(\S+)\s+\((Local|Domain)\s*User\)', line, re.IGNORECASE)
             if user_match:
                 username = user_match.group(1)
-                if username not in result['users']:
+                if username and username not in result['users']:
                     result['users'].append(username)
-
-        # Also parse group lines from RID cycling (Domain Group)
+            else:
+                # Try simpler DOMAIN\username format
+                user_match = re.search(r'[\[\+\]\s]*\S+[\\]+(\S+)\s+\((Local|Domain)\s*User\)', line, re.IGNORECASE)
+                if user_match:
+                    username = user_match.group(1)
+                    if username and username not in result['users']:
+                        result['users'].append(username)
+
+        # Also parse group lines from RID cycling (Domain Group, Local Group)
         elif current_section == 'groups' and line and not line.startswith('='):
-            # Format: "S-1-5-21-...-RID DOMAIN\groupname (Domain Group)"
-            group_match = re.match(r'S-1-5-21-[0-9-]+ \S+\\(\S+) \(Domain Group\)', line)
+            # Format variations similar to users
+            group_match = re.search(r'S-1-5-21-[\d-]+\s+\S+[\\]+(\S+)\s+\((Domain|Local)\s*Group\)', line, re.IGNORECASE)
             if group_match:
                 groupname = group_match.group(1)
-                if groupname not in result['groups']:
+                if groupname and groupname not in result['groups']:
                     result['groups'].append(groupname)
+            else:
+                # Try simpler format
+                group_match = re.search(r'[\[\+\]\s]*\S+[\\]+(\S+)\s+\((Domain|Local)\s*Group\)', line, re.IGNORECASE)
+                if group_match:
+                    groupname = group_match.group(1)
+                    if groupname and groupname not in result['groups']:
+                        result['groups'].append(groupname)
 
     return result
 
@@ -322,23 +364,61 @@ def _parse_share_line(line: str) -> Dict[str, Any]:
 
     Example: "print$          Disk      Printer Drivers"
     Example: "tmp             Disk      oh noes!"
+    Example: "IPC$    IPC       IPC Service (Samba)"
     """
-    # Split on multiple whitespace
-    parts = re.split(r'\s{2,}', line.strip())
+    line = line.strip()
+    if not line:
+        return None
 
+    # Try multiple parsing strategies for different formats
+
+    # Strategy 1: Split on 2+ whitespace (most common)
+    parts = re.split(r'\s{2,}', line)
+    if len(parts) >= 2:
+        share_name = parts[0].strip()
+        share_type = parts[1].strip()
+        comment = parts[2].strip() if len(parts) > 2 else ''
+
+        # Validate share type is a known type
+        if share_type.upper() in ['DISK', 'IPC', 'PRINT', 'PRINTER', 'COMM', 'DEVICE']:
+            return {
+                'name': share_name,
+                'type': share_type,
+                'comment': comment,
+                'mapping': None,
+                'listing': None,
+                'writing': None
+            }
+
+    # Strategy 2: Tab-separated
+    parts = line.split('\t')
     if len(parts) >= 2:
         share_name = parts[0].strip()
         share_type = parts[1].strip()
         comment = parts[2].strip() if len(parts) > 2 else ''
 
+        if share_type.upper() in ['DISK', 'IPC', 'PRINT', 'PRINTER', 'COMM', 'DEVICE']:
+            return {
+                'name': share_name,
+                'type': share_type,
+                'comment': comment,
+                'mapping': None,
+                'listing': None,
+                'writing': None
+            }
+
+    # Strategy 3: Regex for flexible whitespace (single space minimum)
+    match = re.match(r'^(\S+)\s+(Disk|IPC|Print|Printer|Comm|Device)\s*(.*)?$', line, re.IGNORECASE)
+    if match:
         return {
-            'name': share_name,
-            'type': share_type,
-            'comment': comment,
+            'name': match.group(1),
+            'type': match.group(2),
+            'comment': match.group(3).strip() if match.group(3) else '',
             'mapping': None,
             'listing': None,
             'writing': None
         }
+
     return None