souleyez 2.22.0__py3-none-any.whl → 2.26.0__py3-none-any.whl

souleyez/parsers/http_fingerprint_parser.py

@@ -0,0 +1,319 @@
+#!/usr/bin/env python3
+"""
+souleyez.parsers.http_fingerprint_parser
+
+Parses HTTP fingerprint output to extract WAF, CDN, managed hosting,
+and technology information.
+"""
+import json
+import re
+from typing import Dict, Any, List, Optional
+
+
+def parse_http_fingerprint_output(output: str, target: str = "") -> Dict[str, Any]:
+    """
+    Parse HTTP fingerprint output and extract detection results.
+
+    Args:
+        output: Raw output from http_fingerprint plugin
+        target: Target URL from job
+
+    Returns:
+        Dict with structure:
+        {
+            'target': str,
+            'status_code': int,
+            'server': str,
+            'server_version': str,
+            'waf': [str],
+            'cdn': [str],
+            'managed_hosting': str or None,
+            'technologies': [str],
+            'tls': {'version': str, 'cipher': str, 'bits': int},
+            'headers': {str: str},
+            'redirect_url': str or None,
+            'error': str or None,
+        }
+    """
+    result = {
+        'target': target,
+        'status_code': None,
+        'server': None,
+        'server_version': None,
+        'waf': [],
+        'cdn': [],
+        'managed_hosting': None,
+        'technologies': [],
+        'tls': None,
+        'headers': {},
+        'redirect_url': None,
+        'error': None,
+    }
+
+    # Try to extract JSON result first (most reliable)
+    json_match = re.search(r'=== JSON_RESULT ===\n(.+?)\n=== END_JSON_RESULT ===', output, re.DOTALL)
+    if json_match:
+        try:
+            json_result = json.loads(json_match.group(1))
+            result.update(json_result)
+            result['target'] = target or result.get('target', '')
+            return result
+        except json.JSONDecodeError:
+            pass
+
+    # Fall back to parsing text output
+    lines = output.split('\n')
+
+    for line in lines:
+        line = line.strip()
+
+        # Parse HTTP status
+        if line.startswith('HTTP Status:'):
+            match = re.search(r'HTTP Status:\s+(\d+)', line)
+            if match:
+                result['status_code'] = int(match.group(1))
+
+        # Parse server
+        elif line.startswith('Server:'):
+            result['server'] = line.replace('Server:', '').strip()
+
+        # Parse redirect
+        elif line.startswith('Redirected to:'):
+            result['redirect_url'] = line.replace('Redirected to:', '').strip()
+
+        # Parse TLS
+        elif line.startswith('TLS:'):
+            match = re.search(r'TLS:\s+(\S+)\s+\((.+?)\)', line)
+            if match:
+                result['tls'] = {
+                    'version': match.group(1),
+                    'cipher': match.group(2),
+                }
+
+        # Parse managed hosting
+        elif line.startswith('MANAGED HOSTING DETECTED:'):
+            result['managed_hosting'] = line.replace('MANAGED HOSTING DETECTED:', '').strip()
+
+        # Parse WAF (multi-line section)
+        elif line.startswith('WAF/Protection Detected:'):
+            continue  # Header line, actual entries follow
+
+        # Parse CDN (multi-line section)
+        elif line.startswith('CDN Detected:'):
+            continue  # Header line, actual entries follow
+
+        # Parse technologies (multi-line section)
+        elif line.startswith('Technologies:'):
+            continue  # Header line, actual entries follow
+
+        # Parse list items (WAF, CDN, Technologies)
+        elif line.startswith('- '):
+            item = line[2:].strip()
+            # Determine which list this belongs to based on context
+            # This is a simple heuristic - JSON parsing is more reliable
+            if any(waf_keyword in item.lower() for waf_keyword in ['waf', 'cloudflare', 'akamai', 'imperva', 'sucuri', 'f5']):
+                if item not in result['waf']:
+                    result['waf'].append(item)
+            elif any(cdn_keyword in item.lower() for cdn_keyword in ['cdn', 'cloudfront', 'fastly', 'varnish', 'edge']):
+                if item not in result['cdn']:
+                    result['cdn'].append(item)
+            else:
+                if item not in result['technologies']:
+                    result['technologies'].append(item)
+
+        # Parse error
+        elif line.startswith('ERROR:'):
+            result['error'] = line.replace('ERROR:', '').strip()
+
+    return result
+
+
+def is_managed_hosting(parsed_data: Dict[str, Any]) -> bool:
+    """
+    Check if target is a managed hosting platform.
+
+    Args:
+        parsed_data: Output from parse_http_fingerprint_output()
+
+    Returns:
+        True if managed hosting platform detected
+    """
+    return parsed_data.get('managed_hosting') is not None
+
+
+def get_managed_hosting_platform(parsed_data: Dict[str, Any]) -> Optional[str]:
+    """
+    Get the name of the managed hosting platform.
+
+    Args:
+        parsed_data: Output from parse_http_fingerprint_output()
+
+    Returns:
+        Platform name or None
+    """
+    return parsed_data.get('managed_hosting')
+
+
+def has_waf(parsed_data: Dict[str, Any]) -> bool:
+    """
+    Check if WAF is detected.
+
+    Args:
+        parsed_data: Output from parse_http_fingerprint_output()
+
+    Returns:
+        True if WAF detected
+    """
+    return len(parsed_data.get('waf', [])) > 0
+
+
+def get_wafs(parsed_data: Dict[str, Any]) -> List[str]:
+    """
+    Get list of detected WAFs.
+
+    Args:
+        parsed_data: Output from parse_http_fingerprint_output()
+
+    Returns:
+        List of WAF names
+    """
+    return parsed_data.get('waf', [])
+
+
+def has_cdn(parsed_data: Dict[str, Any]) -> bool:
+    """
+    Check if CDN is detected.
+
+    Args:
+        parsed_data: Output from parse_http_fingerprint_output()
+
+    Returns:
+        True if CDN detected
+    """
+    return len(parsed_data.get('cdn', [])) > 0
+
+
+def get_cdns(parsed_data: Dict[str, Any]) -> List[str]:
+    """
+    Get list of detected CDNs.
+
+    Args:
+        parsed_data: Output from parse_http_fingerprint_output()
+
+    Returns:
+        List of CDN names
+    """
+    return parsed_data.get('cdn', [])
+
+
+def build_fingerprint_context(parsed_data: Dict[str, Any]) -> Dict[str, Any]:
+    """
+    Build context dict for use in tool chaining.
+
+    This is used to pass fingerprint data to downstream tools
+    so they can make smarter decisions.
+
+    Args:
+        parsed_data: Output from parse_http_fingerprint_output()
+
+    Returns:
+        Context dict for tool chaining
+    """
+    return {
+        'http_fingerprint': {
+            'managed_hosting': parsed_data.get('managed_hosting'),
+            'waf': parsed_data.get('waf', []),
+            'cdn': parsed_data.get('cdn', []),
+            'server': parsed_data.get('server'),
+            'technologies': parsed_data.get('technologies', []),
+            'status_code': parsed_data.get('status_code'),
+        }
+    }
+
+
+def get_tool_recommendations(parsed_data: Dict[str, Any]) -> Dict[str, Any]:
+    """
+    Get recommendations for tool configuration based on fingerprint.
+
+    Args:
+        parsed_data: Output from parse_http_fingerprint_output()
+
+    Returns:
+        Dict with tool-specific recommendations
+    """
+    recommendations = {
+        'nikto': {
+            'skip_cgi': False,
+            'extra_args': [],
+            'reason': None,
+        },
+        'nuclei': {
+            'extra_args': [],
+            'skip_tags': [],
+            'reason': None,
+        },
+        'sqlmap': {
+            'tamper_scripts': [],
+            'extra_args': [],
+            'reason': None,
+        },
+        'general': {
+            'notes': [],
+        }
+    }
+
+    # Managed hosting recommendations
+    if parsed_data.get('managed_hosting'):
+        platform = parsed_data['managed_hosting']
+        recommendations['nikto']['skip_cgi'] = True
+        recommendations['nikto']['extra_args'] = ['-C', 'none', '-Tuning', 'x6']
+        recommendations['nikto']['reason'] = f"Managed hosting ({platform}) - CGI enumeration skipped"
+
+        recommendations['general']['notes'].append(
+            f"Target is hosted on {platform} - limited vulnerability surface expected"
+        )
+
+    # WAF recommendations
+    wafs = parsed_data.get('waf', [])
+    if wafs:
+        waf_list = ', '.join(wafs)
+        recommendations['general']['notes'].append(f"WAF detected: {waf_list}")
+
+        # SQLMap tamper scripts for common WAFs
+        for waf in wafs:
+            waf_lower = waf.lower()
+            if 'cloudflare' in waf_lower:
+                recommendations['sqlmap']['tamper_scripts'].extend(['between', 'randomcase', 'space2comment'])
+            elif 'akamai' in waf_lower:
+                recommendations['sqlmap']['tamper_scripts'].extend(['charencode', 'space2plus'])
+            elif 'imperva' in waf_lower or 'incapsula' in waf_lower:
+                recommendations['sqlmap']['tamper_scripts'].extend(['randomcase', 'between'])
+
+        if recommendations['sqlmap']['tamper_scripts']:
+            # Dedupe
+            recommendations['sqlmap']['tamper_scripts'] = list(set(recommendations['sqlmap']['tamper_scripts']))
+            recommendations['sqlmap']['reason'] = f"WAF bypass tamper scripts for {waf_list}"
+
+    # CDN recommendations
+    cdns = parsed_data.get('cdn', [])
+    if cdns:
+        cdn_list = ', '.join(cdns)
+        recommendations['general']['notes'].append(
+            f"CDN detected: {cdn_list} - responses may be cached, hitting edge not origin"
+        )
+
+    return recommendations
+
+
+# Export the main functions
+__all__ = [
+    'parse_http_fingerprint_output',
+    'is_managed_hosting',
+    'get_managed_hosting_platform',
+    'has_waf',
+    'get_wafs',
+    'has_cdn',
+    'get_cdns',
+    'build_fingerprint_context',
+    'get_tool_recommendations',
+]

souleyez/parsers/hydra_parser.py

@@ -85,13 +85,24 @@ def parse_hydra_output(output: str, target: str = "") -> Dict[str, Any]:
                 'password': attempt_match.group(3)
             }
 
-        # Parse successful login lines
-        # Format: [PORT][SERVICE] host: HOST   login: USER   password: PASS
+        # Parse successful login lines with multiple format support
+        # Format 1: [PORT][SERVICE] host: HOST   login: USER   password: PASS
+        # Format 2: [PORT][SERVICE] host: HOST  login: USER  password: PASS (single space)
+        # Format 3: [SERVICE][PORT] host: HOST login: USER password: PASS (swapped)
+        # Format 4: [PORT][SERVICE] HOST login: USER password: PASS (no "host:")
+
+        login_match = None
+        port = None
+        service = None
+        host = None
+        username = None
+        password = None
+
+        # Try standard format: [PORT][SERVICE] host: HOST login: USER password: PASS
         login_match = re.search(
-            r'\[(\d+)\]\[([\w-]+)\]\s+host:\s+(\S+)\s+login:\s+(\S+)\s+password:\s+(.+)',
-            line_stripped
+            r'\[(\d+)\]\[([\w-]+)\]\s+host:\s*(\S+)\s+login:\s*(\S+)\s+password:\s*(.+)',
+            line_stripped, re.IGNORECASE
         )
-
         if login_match:
             port = int(login_match.group(1))
             service = login_match.group(2).lower()
@@ -99,6 +110,46 @@ def parse_hydra_output(output: str, target: str = "") -> Dict[str, Any]:
             username = login_match.group(4)
             password = login_match.group(5).strip()
 
+        # Try swapped format: [SERVICE][PORT]
+        if not login_match:
+            login_match = re.search(
+                r'\[([\w-]+)\]\[(\d+)\]\s+host:\s*(\S+)\s+login:\s*(\S+)\s+password:\s*(.+)',
+                line_stripped, re.IGNORECASE
+            )
+            if login_match:
+                service = login_match.group(1).lower()
+                port = int(login_match.group(2))
+                host = login_match.group(3)
+                username = login_match.group(4)
+                password = login_match.group(5).strip()
+
+        # Try format without "host:" label
+        if not login_match:
+            login_match = re.search(
+                r'\[(\d+)\]\[([\w-]+)\]\s+(\d+\.\d+\.\d+\.\d+|\S+)\s+login:\s*(\S+)\s+password:\s*(.+)',
+                line_stripped, re.IGNORECASE
+            )
+            if login_match:
+                port = int(login_match.group(1))
+                service = login_match.group(2).lower()
+                host = login_match.group(3)
+                username = login_match.group(4)
+                password = login_match.group(5).strip()
+
+        # Try flexible format with any whitespace between fields
+        if not login_match:
+            login_match = re.search(
+                r'\[(\d+)\]\[([\w-]+)\].*?(?:host:?\s*)?(\d+\.\d+\.\d+\.\d+|\S+\.\S+).*?login:?\s*(\S+).*?password:?\s*(.+)',
+                line_stripped, re.IGNORECASE
+            )
+            if login_match:
+                port = int(login_match.group(1))
+                service = login_match.group(2).lower()
+                host = login_match.group(3)
+                username = login_match.group(4)
+                password = login_match.group(5).strip()
+
+        if login_match and port and service and username:
             # Store service info if not already set
             if not result['service']:
                 result['service'] = service

souleyez/parsers/impacket_parser.py

@@ -30,35 +30,80 @@ def parse_secretsdump(log_path: str, target: str) -> Dict[str, Any]:
         with open(log_path, 'r', encoding='utf-8') as f:
             content = f.read()
             
-        # Parse NTLM hashes (format: username:RID:LM:NT:::)
-        hash_pattern = r'([^:\s]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::'
-        for match in re.finditer(hash_pattern, content):
-            username, rid, lm_hash, nt_hash = match.groups()
-            
-            # Skip empty hashes
-            if nt_hash.lower() == '31d6cfe0d16ae931b73c59d7e0c089c0':
-                continue
-                
-            hashes.append({
-                'username': username,
-                'rid': rid,
-                'lm_hash': lm_hash,
-                'nt_hash': nt_hash,
-                'hash_type': 'NTLM'
-            })
-            
-        # Parse plaintext passwords (format: DOMAIN\username:password)
-        plaintext_pattern = r'([^\\:\s]+)\\([^:\s]+):(.+?)(?:\n|$)'
-        for match in re.finditer(plaintext_pattern, content):
-            domain, username, password = match.groups()
-            
-            if password and not password.startswith('(null)'):
-                credentials.append({
-                    'domain': domain,
+        # Parse NTLM hashes with multiple format support
+        # Format 1: username:RID:LM:NT::: (standard secretsdump)
+        # Format 2: username:RID:LM:NT:: (without trailing colon)
+        # Format 3: DOMAIN\username:RID:LM:NT::: (with domain prefix)
+        # Format 4: username:$NT$hash (simplified format)
+
+        # Standard format with 32-char hashes and trailing colons
+        hash_patterns = [
+            r'([^:\s\\]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::?',  # Standard
+            r'([^:\s]+)\\([^:\s]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::?',  # Domain\user
+        ]
+
+        for pattern in hash_patterns:
+            for match in re.finditer(pattern, content):
+                groups = match.groups()
+                if len(groups) == 4:
+                    username, rid, lm_hash, nt_hash = groups
+                elif len(groups) == 5:
+                    # Domain\username format
+                    domain, username, rid, lm_hash, nt_hash = groups
+                    username = f"{domain}\\{username}"
+                else:
+                    continue
+
+                # Skip empty hashes (blank password indicator)
+                if nt_hash.lower() == '31d6cfe0d16ae931b73c59d7e0c089c0':
+                    continue
+
+                hashes.append({
                     'username': username,
-                    'password': password,
-                    'credential_type': 'plaintext'
+                    'rid': rid,
+                    'lm_hash': lm_hash,
+                    'nt_hash': nt_hash,
+                    'hash_type': 'NTLM'
                 })
+            
+        # Parse plaintext passwords with multiple format support
+        # Format 1: DOMAIN\username:password
+        # Format 2: DOMAIN\\username:password (escaped backslash)
+        # Format 3: username@DOMAIN:password
+        # Format 4: [*] DOMAIN\username:password (with prefix)
+
+        plaintext_patterns = [
+            r'([^\\:\s]+)[\\]+([^:\s]+):([^\n\r]+)',  # DOMAIN\user:pass
+            r'([^@:\s]+)@([^:\s]+):([^\n\r]+)',  # user@DOMAIN:pass
+            r'\[\*\]\s*([^\\:\s]+)[\\]+([^:\s]+):([^\n\r]+)',  # [*] DOMAIN\user:pass
+        ]
+
+        for pattern in plaintext_patterns:
+            for match in re.finditer(pattern, content):
+                groups = match.groups()
+                if len(groups) == 3:
+                    part1, part2, password = groups
+                    password = password.strip()
+
+                    # Skip null/empty passwords and hash-like values
+                    if not password or password.startswith('(null)'):
+                        continue
+                    # Skip if password looks like a hash (32+ hex chars)
+                    if re.match(r'^[0-9a-fA-F]{32,}$', password):
+                        continue
+
+                    # Determine domain/username based on pattern
+                    if '@' in match.group(0):
+                        username, domain = part1, part2
+                    else:
+                        domain, username = part1, part2
+
+                    credentials.append({
+                        'domain': domain,
+                        'username': username,
+                        'password': password,
+                        'credential_type': 'plaintext'
+                    })
                 
         # Parse Kerberos keys (format: username:$krb5...)
         krb_pattern = r'([^:\s]+):(\$krb5[^\s]+)'
@@ -113,25 +158,46 @@ def parse_getnpusers(log_path: str, target: str) -> Dict[str, Any]:
         with open(log_path, 'r', encoding='utf-8') as f:
             content = f.read()
             
-        # Parse AS-REP hashes (format: $krb5asrep$...)
-        hash_pattern = r'\$krb5asrep\$23\$([^@]+)@([^:]+):([^\s]+)'
-        for match in re.finditer(hash_pattern, content):
-            username, domain, hash_value = match.groups()
-            
-            hashes.append({
-                'username': username,
-                'domain': domain,
-                'hash': f'$krb5asrep$23${username}@{domain}:{hash_value}',
-                'hash_type': 'AS-REP',
-                'crackable': True
-            })
-            
+        # Parse AS-REP hashes with multiple format support
+        # Format 1: $krb5asrep$23$user@DOMAIN:hash (etype 23)
+        # Format 2: $krb5asrep$18$user@DOMAIN:hash (etype 18)
+        # Format 3: $krb5asrep$user@DOMAIN:hash (no etype)
+        # Format 4: username:$krb5asrep... (username:hash format)
+
+        # Full format with etype: $krb5asrep$ETYPE$user@DOMAIN:hash
+        hash_patterns = [
+            r'\$krb5asrep\$(\d+)\$([^@]+)@([^:]+):([^\s]+)',  # With etype
+            r'\$krb5asrep\$([^@$]+)@([^:]+):([^\s]+)',  # Without etype
+        ]
+
+        for pattern in hash_patterns:
+            for match in re.finditer(pattern, content):
+                groups = match.groups()
+                if len(groups) == 4:
+                    etype, username, domain, hash_value = groups
+                    full_hash = f'$krb5asrep${etype}${username}@{domain}:{hash_value}'
+                elif len(groups) == 3:
+                    username, domain, hash_value = groups
+                    etype = '23'  # Default etype
+                    full_hash = f'$krb5asrep${username}@{domain}:{hash_value}'
+                else:
+                    continue
+
+                hashes.append({
+                    'username': username,
+                    'domain': domain,
+                    'hash': full_hash,
+                    'hash_type': 'AS-REP',
+                    'etype': etype,
+                    'crackable': True
+                })
+
         # Also check for simple format (username:hash)
         if not hashes:
             simple_pattern = r'^([^:\s]+):(\$krb5asrep[^\s]+)'
             for match in re.finditer(simple_pattern, content, re.MULTILINE):
                 username, hash_value = match.groups()
-                
+
                 hashes.append({
                     'username': username,
                     'hash': hash_value,
@@ -174,9 +240,22 @@ def parse_psexec(log_path: str, target: str) -> Dict[str, Any]:
         with open(log_path, 'r', encoding='utf-8') as f:
             content = f.read()
             
-        # Check for successful connection
-        if '[*] Requesting shares on' in content or 'C:\\Windows\\system32>' in content:
-            success = True
+        # Check for successful connection with multiple indicators
+        success_indicators = [
+            '[*] Requesting shares on',
+            'C:\\Windows\\system32>',
+            'C:\\WINDOWS\\system32>',
+            '[*] Uploading',
+            '[*] Opening SVCManager',
+            'Microsoft Windows',  # Version banner
+            '[*] Starting service',
+            'Process .+ created',  # Process creation message
+        ]
+
+        for indicator in success_indicators:
+            if re.search(indicator, content, re.IGNORECASE):
+                success = True
+                break
             
         # Extract command output (everything after the prompt)
         output_lines = [line for line in content.split('\n') if line.strip()]

souleyez/parsers/john_parser.py

@@ -32,11 +32,18 @@ def parse_john_output(output: str, hash_file: str = None) -> Dict:
     if loaded_match:
         results['total_loaded'] = int(loaded_match.group(1))
     
-    # Parse cracked passwords from live output
-    # Format: "password         (username)"
+    # Parse cracked passwords from live output with multiple format support
+    # Format 1: "password         (username)"
+    # Format 2: "password (username)"
+    # Format 3: "username:password"
+    # Format 4: "password          (username) [hash_type]"
     for line in output.split('\n'):
-        # Look for cracked passwords in format: password (username)
-        match = re.match(r'^(\S+)\s+\((\S+)\)\s*$', line.strip())
+        line = line.strip()
+        if not line or line.startswith('#') or line.startswith('['):
+            continue
+
+        # Try format: password (username) with optional hash type
+        match = re.match(r'^(\S+)\s+\(([^)]+)\)(?:\s+\[.+\])?\s*$', line)
         if match:
             password = match.group(1)
             username = match.group(2)
@@ -45,18 +52,44 @@ def parse_john_output(output: str, hash_file: str = None) -> Dict:
                 'password': password,
                 'source': 'john_live'
             })
-    
-    # Check session status
-    if 'Session completed' in output:
+            continue
+
+        # Try format: username:password (from --show output)
+        if ':' in line and not line.startswith('Loaded'):
+            parts = line.split(':')
+            if len(parts) >= 2 and len(parts[0]) > 0 and len(parts[-1]) > 0:
+                # Skip if it looks like a hash (32+ hex chars)
+                if not re.match(r'^[0-9a-fA-F]{32,}$', parts[-1]):
+                    username = parts[0]
+                    password = parts[-1]
+                    results['cracked'].append({
+                        'username': username,
+                        'password': password,
+                        'source': 'john_live'
+                    })
+
+    # Check session status with multiple format support
+    if any(x in output for x in ['Session completed', 'session completed', 'Proceeding with next']):
         results['session_status'] = 'completed'
-    elif 'Session aborted' in output:
+    elif any(x in output for x in ['Session aborted', 'session aborted', 'Interrupted']):
         results['session_status'] = 'aborted'
-    
-    # Parse summary line
-    # Format: "2g 0:00:00:01 DONE..."
-    summary_match = re.search(r'(\d+)g\s+[\d:]+\s+(DONE|Session)', output)
-    if summary_match:
-        results['total_cracked'] = int(summary_match.group(1))
+    elif 'No password hashes left to crack' in output:
+        results['session_status'] = 'completed'
+
+    # Parse summary line with multiple formats
+    # Format 1: "2g 0:00:00:01 DONE..."
+    # Format 2: "2g 0:00:00:01 100% DONE..."
+    # Format 3: "Session completed, 2g"
+    summary_patterns = [
+        r'(\d+)g\s+[\d:]+\s+(?:\d+%\s+)?(DONE|Session)',
+        r'Session completed[,\s]+(\d+)g',
+        r'(\d+)\s+password hashes? cracked',
+    ]
+    for pattern in summary_patterns:
+        summary_match = re.search(pattern, output, re.IGNORECASE)
+        if summary_match:
+            results['total_cracked'] = int(summary_match.group(1))
+            break
     
     # If hash_file provided, also parse john.pot or run --show
     if hash_file and os.path.isfile(hash_file):