souleyez 2.25.0__tar.gz → 2.26.0__tar.gz

{souleyez-2.25.0 → souleyez-2.26.0}/BETA_README.md

@@ -21,7 +21,7 @@ Welcome to the SoulEyez beta! Thank you for helping us test and improve this pen
 
 > ⚠️ **Important**: Only use SoulEyez on systems you have explicit authorization to test.
 
-## Version: 2.25.0
+## Version: 2.26.0
 
 ### What's Included
 

{souleyez-2.25.0/souleyez.egg-info → souleyez-2.26.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: souleyez
-Version: 2.25.0
+Version: 2.26.0
 Summary: AI-Powered Penetration Testing Platform with 40+ integrated tools
 Author-email: CyberSoul Security <contact@cybersoulsecurity.com>
 Maintainer-email: CyberSoul Security <contact@cybersoulsecurity.com>
@@ -72,7 +72,7 @@ Welcome to the SoulEyez beta! Thank you for helping us test and improve this pen
 
 > ⚠️ **Important**: Only use SoulEyez on systems you have explicit authorization to test.
 
-## Version: 2.25.0
+## Version: 2.26.0
 
 ### What's Included
 

{souleyez-2.25.0 → souleyez-2.26.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "souleyez"
-version = "2.25.0"
+version = "2.26.0"
 description = "AI-Powered Penetration Testing Platform with 40+ integrated tools"
 readme = "BETA_README.md"
 license = {text = "MIT"}
@@ -71,7 +71,7 @@ include = ["souleyez*"]
 exclude = ["tests*", "scripts*", "reports*", "venv*", "debian*"]
 
 [tool.setuptools.package-data]
-souleyez = ["docs/**/*.md", "data/wordlists/*.txt", "data/wordlists/*.md", "data/templates/*.json", "data/templates/*.md"]
+souleyez = ["docs/**/*.md", "data/wordlists/*.txt", "data/wordlists/*.md", "data/templates/*.json", "data/templates/*.md", "assets/*.png"]
 
 [tool.pytest.ini_options]
 testpaths = ["tests"]

souleyez-2.26.0/souleyez/__init__.py

@@ -0,0 +1 @@
+__version__ = '2.26.0'

souleyez-2.26.0/souleyez/assets/__init__.py

@@ -0,0 +1 @@
+# SoulEyez assets package

{souleyez-2.25.0 → souleyez-2.26.0}/souleyez/core/tool_chaining.py

@@ -15,6 +15,17 @@ CATEGORY_CTF = "ctf"           # Lab/learning scenarios - vulnerable by design
 CATEGORY_ENTERPRISE = "enterprise"  # Real-world enterprise testing
 CATEGORY_GENERAL = "general"   # Standard recon that applies everywhere
 
+# Managed hosting platforms - skip CGI enumeration (pointless on these)
+# These are detected from server headers/banners and product names
+MANAGED_HOSTING_PLATFORMS = {
+    'squarespace', 'wix', 'shopify', 'webflow', 'weebly',
+    'wordpress.com', 'ghost.io', 'medium', 'tumblr', 'blogger',
+    'netlify', 'vercel', 'github.io', 'pages.dev', 'cloudflare',
+    'heroku', 'railway', 'render.com', 'fly.io',
+    'aws cloudfront', 'akamai', 'fastly', 'cloudflare',
+    'azure', 'google cloud', 'firebase',
+}
+
 # Category display icons
 CATEGORY_ICONS = {
     CATEGORY_CTF: "🎯",
@@ -140,6 +151,75 @@ def classify_os_device(os_string: str, services: list) -> dict:
     return {'os_family': 'unknown', 'device_type': 'unknown', 'vendor': None}
 
 
+def is_managed_hosting(services: List[Dict[str, Any]], http_fingerprint: Dict[str, Any] = None) -> bool:
+    """
+    Detect if target is a managed hosting platform.
+
+    These platforms don't have CGI directories, so tools like nikto
+    should skip CGI enumeration to avoid long, pointless scans.
+
+    Args:
+        services: List of service dicts from nmap parser
+        http_fingerprint: Optional fingerprint data from http_fingerprint plugin
+
+    Returns:
+        True if managed hosting detected, False otherwise
+    """
+    # Check fingerprint data first (most reliable, comes from actual HTTP headers)
+    if http_fingerprint:
+        managed = http_fingerprint.get('managed_hosting')
+        if managed:
+            return True
+
+    # Fall back to checking services data (less reliable, from nmap banners)
+    for service in services:
+        # Check product field
+        product = (service.get('product') or '').lower()
+        raw_version = (service.get('raw_version') or '').lower()
+        service_name = (service.get('service') or '').lower()
+
+        # Combine all fields for matching
+        combined = f"{product} {raw_version} {service_name}"
+
+        # Check against known managed hosting platforms
+        for platform in MANAGED_HOSTING_PLATFORMS:
+            if platform in combined:
+                return True
+
+    return False
+
+
+def get_managed_hosting_platform(services: List[Dict[str, Any]], http_fingerprint: Dict[str, Any] = None) -> Optional[str]:
+    """
+    Get the name of the managed hosting platform if detected.
+
+    Args:
+        services: List of service dicts from nmap parser
+        http_fingerprint: Optional fingerprint data from http_fingerprint plugin
+
+    Returns:
+        Platform name or None
+    """
+    # Check fingerprint data first
+    if http_fingerprint:
+        managed = http_fingerprint.get('managed_hosting')
+        if managed:
+            return managed
+
+    # Fall back to services check
+    for service in services:
+        product = (service.get('product') or '').lower()
+        raw_version = (service.get('raw_version') or '').lower()
+        service_name = (service.get('service') or '').lower()
+        combined = f"{product} {raw_version} {service_name}"
+
+        for platform in MANAGED_HOSTING_PLATFORMS:
+            if platform in combined:
+                return platform.title()
+
+    return None
+
+
 # Technology to Nuclei tags mapping
 # Maps detected products/technologies to relevant nuclei template tags
 TECH_TO_NUCLEI_TAGS = {
@@ -575,6 +655,25 @@ class ChainRule:
                 new_args.append(arg)
             args = new_args
 
+        # For Nikto: Skip CGI enumeration on managed hosting platforms
+        # This prevents long, pointless scans on Squarespace, Wix, etc.
+        if self.target_tool == 'nikto':
+            services = context.get('services', [])
+            http_fingerprint = context.get('http_fingerprint', {})
+            if is_managed_hosting(services, http_fingerprint):
+                # Add -C none to skip CGI dirs (pointless on managed hosting)
+                if '-C' not in str(args):
+                    args.extend(['-C', 'none'])
+                # Add -Tuning x6 to skip remote file inclusion tests
+                if '-Tuning' not in str(args):
+                    args.extend(['-Tuning', 'x6'])
+                # Log which platform was detected
+                platform = get_managed_hosting_platform(services, http_fingerprint)
+                if platform:
+                    from souleyez.log_config import get_logger
+                    logger = get_logger(__name__)
+                    logger.info(f"[FINGERPRINT] Managed hosting detected ({platform}) - nikto using optimized scan config")
+
         # For SQLMap with POST injections, add --data if we have POST data
         if self.target_tool == 'sqlmap' and post_data and '--data' not in str(args):
             # Insert --data after -u argument
@@ -642,32 +741,42 @@ class ToolChaining:
 
         # Web service discovered → run web scanners
         self.rules.extend([
-            # Modern vulnerability scanner (Nuclei) - PRIORITY
-            # Uses {nuclei_tags} placeholder to auto-detect tech and run relevant templates
+            # HTTP Fingerprinting - runs FIRST to detect WAF/CDN/managed hosting
+            # This enables smarter tool configuration for downstream scanners
             ChainRule(
                 trigger_tool='nmap',
                 trigger_condition='service:http',
+                target_tool='http_fingerprint',
+                priority=11,  # Highest priority - runs before all other web tools
+                args_template=[],
+                description='Web server detected, fingerprinting for WAF/CDN/platform detection'
+            ),
+            # Nikto triggered by http_fingerprint (uses fingerprint data for smart config)
+            ChainRule(
+                trigger_tool='http_fingerprint',
+                trigger_condition='has:services',
+                target_tool='nikto',
+                priority=8,
+                args_template=['-nointeractive', '-timeout', '10'],
+                description='Fingerprinting complete, scanning for server misconfigurations with Nikto'
+            ),
+            # Nuclei triggered by http_fingerprint
+            ChainRule(
+                trigger_tool='http_fingerprint',
+                trigger_condition='has:services',
                 target_tool='nuclei',
                 priority=9,
                 args_template=['-tags', '{nuclei_tags}', '-severity', 'critical,high', '-rate-limit', '50', '-c', '10', '-timeout', '10'],
-                description='Web server detected (HTTP/HTTPS), scanning with Nuclei'
+                description='Fingerprinting complete, scanning with Nuclei'
             ),
+            # Gobuster triggered by http_fingerprint
             ChainRule(
-                trigger_tool='nmap',
-                trigger_condition='service:http',
+                trigger_tool='http_fingerprint',
+                trigger_condition='has:services',
                 target_tool='gobuster',
                 priority=7,
                 args_template=['dir', '-u', 'http://{target}:{port}', '-w', 'data/wordlists/web_dirs_common.txt', '-x', 'js,json,php,asp,aspx,html,txt,bak,old,zip', '--no-error', '--timeout', '30s', '-t', '5', '--delay', '20ms'],
-                description='Web server detected (HTTP/HTTPS), discovering directories and files'
-            ),
-            # Nikto - web server vulnerability scanner (complements nuclei)
-            ChainRule(
-                trigger_tool='nmap',
-                trigger_condition='service:http',
-                target_tool='nikto',
-                priority=8,
-                args_template=['-nointeractive', '-timeout', '10'],
-                description='Web server detected, scanning for server misconfigurations with Nikto'
+                description='Fingerprinting complete, discovering directories and files'
             ),
             # Dalfox - XSS scanner triggered after gobuster finds pages
             ChainRule(

{souleyez-2.25.0 → souleyez-2.26.0}/souleyez/docs/README.md

@@ -1,6 +1,6 @@
 # SoulEyez Documentation
 
-**Version:** 2.25.0
+**Version:** 2.26.0
 **Last Updated:** January 8, 2026
 **Organization:** CyberSoul Security
 

{souleyez-2.25.0 → souleyez-2.26.0}/souleyez/engine/result_handler.py

@@ -108,6 +108,8 @@ def handle_job_result(job: Dict[str, Any]) -> Optional[Dict[str, Any]]:
         parse_result = parse_nikto_job(engagement_id, log_path, job)
     elif tool == 'dalfox':
         parse_result = parse_dalfox_job(engagement_id, log_path, job)
+    elif tool == 'http_fingerprint':
+        parse_result = parse_http_fingerprint_job(engagement_id, log_path, job)
 
     # NOTE: Auto-chaining is now handled in background.py after parsing completes
     # This avoids duplicate job creation and gives better control over timing
@@ -204,6 +206,8 @@ def reparse_job(job_id: int) -> Dict[str, Any]:
             parse_result = parse_nikto_job(engagement_id, log_path, job)
         elif tool == 'dalfox':
             parse_result = parse_dalfox_job(engagement_id, log_path, job)
+        elif tool == 'http_fingerprint':
+            parse_result = parse_http_fingerprint_job(engagement_id, log_path, job)
         else:
             return {'success': False, 'message': f'No parser available for tool: {tool}'}
 
@@ -3068,6 +3072,91 @@ def parse_nikto_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -> D
         return {'error': str(e)}
 
 
+def parse_http_fingerprint_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -> Dict[str, Any]:
+    """
+    Parse HTTP fingerprint results.
+
+    Returns fingerprint data for use in auto-chaining context.
+    This enables downstream tools (nikto, nuclei, etc.) to make smarter decisions
+    based on detected WAF, CDN, or managed hosting platform.
+    """
+    try:
+        from souleyez.parsers.http_fingerprint_parser import (
+            parse_http_fingerprint_output,
+            build_fingerprint_context,
+            get_tool_recommendations
+        )
+        from souleyez.storage.hosts import HostManager
+        from urllib.parse import urlparse
+
+        target = job.get('target', '')
+
+        # Read log file
+        with open(log_path, 'r', encoding='utf-8', errors='replace') as f:
+            output = f.read()
+
+        parsed = parse_http_fingerprint_output(output, target)
+
+        # Extract host from target URL
+        parsed_url = urlparse(target)
+        target_host = parsed_url.hostname or target
+
+        # Update host with fingerprint info if we have useful data
+        if target_host and (parsed.get('server') or parsed.get('managed_hosting')):
+            hm = HostManager()
+            host_data = {
+                'ip': target_host,
+                'status': 'up'
+            }
+            # Store server info in notes or a dedicated field
+            # For now, we just ensure the host exists
+            hm.add_or_update_host(engagement_id, host_data)
+
+        # Build fingerprint context for chaining
+        fingerprint_context = build_fingerprint_context(parsed)
+
+        # Get tool recommendations
+        recommendations = get_tool_recommendations(parsed)
+
+        # Determine status
+        if parsed.get('error'):
+            status = STATUS_ERROR
+        elif parsed.get('managed_hosting') or parsed.get('waf') or parsed.get('cdn'):
+            status = STATUS_DONE  # Found useful info
+        elif parsed.get('server'):
+            status = STATUS_DONE
+        else:
+            status = STATUS_NO_RESULTS
+
+        return {
+            'tool': 'http_fingerprint',
+            'status': status,
+            'target': target,
+            'target_host': target_host,
+            # Core fingerprint data
+            'server': parsed.get('server'),
+            'managed_hosting': parsed.get('managed_hosting'),
+            'waf': parsed.get('waf', []),
+            'cdn': parsed.get('cdn', []),
+            'technologies': parsed.get('technologies', []),
+            'status_code': parsed.get('status_code'),
+            # For auto-chaining context
+            'http_fingerprint': fingerprint_context.get('http_fingerprint', {}),
+            'recommendations': recommendations,
+            # Pass through for downstream chains
+            'services': [{
+                'ip': target_host,
+                'port': parsed_url.port or (443 if parsed_url.scheme == 'https' else 80),
+                'service_name': 'https' if parsed_url.scheme == 'https' else 'http',
+                'product': parsed.get('server', ''),
+            }],
+        }
+
+    except Exception as e:
+        logger.error(f"Error parsing http_fingerprint job: {e}")
+        return {'error': str(e)}
+
+
 def parse_dalfox_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -> Dict[str, Any]:
     """Parse Dalfox XSS scanner results."""
     try:

{souleyez-2.25.0 → souleyez-2.26.0}/souleyez/main.py

@@ -173,7 +173,7 @@ def _check_privileged_tools():
 
 
 @click.group()
-@click.version_option(version='2.25.0')
+@click.version_option(version='2.26.0')
 def cli():
     """SoulEyez - AI-Powered Pentesting Platform by CyberSoul Security"""
     from souleyez.log_config import init_logging
@@ -1520,6 +1520,98 @@ def tutorial():
     run_tutorial()
 
 
+@cli.command('install-desktop')
+@click.option('--remove', is_flag=True, help='Remove the desktop shortcut')
+def install_desktop(remove):
+    """Install SoulEyez desktop shortcut in Applications menu.
+
+    Creates a .desktop file so SoulEyez appears in your
+    Applications > Security menu with its icon.
+    """
+    import shutil
+    from importlib import resources
+
+    applications_dir = Path.home() / '.local' / 'share' / 'applications'
+    icons_dir = Path.home() / '.local' / 'share' / 'icons'
+    desktop_file = applications_dir / 'souleyez.desktop'
+    icon_dest = icons_dir / 'souleyez.png'
+
+    if remove:
+        # Remove desktop shortcut
+        removed = False
+        if desktop_file.exists():
+            desktop_file.unlink()
+            click.echo(click.style("  Removed desktop shortcut", fg='green'))
+            removed = True
+        if icon_dest.exists():
+            icon_dest.unlink()
+            click.echo(click.style("  Removed icon", fg='green'))
+            removed = True
+        if removed:
+            click.echo(click.style("\nSoulEyez removed from Applications menu.", fg='cyan'))
+        else:
+            click.echo(click.style("No desktop shortcut found.", fg='yellow'))
+        return
+
+    click.echo(click.style("\nInstalling SoulEyez desktop shortcut...\n", fg='cyan', bold=True))
+
+    # Create directories
+    applications_dir.mkdir(parents=True, exist_ok=True)
+    icons_dir.mkdir(parents=True, exist_ok=True)
+
+    # Find and copy icon
+    try:
+        # Try importlib.resources first (Python 3.9+)
+        try:
+            from importlib.resources import files
+            icon_source = files('souleyez.assets').joinpath('souleyez-icon.png')
+            with open(icon_source, 'rb') as src:
+                icon_data = src.read()
+        except (ImportError, TypeError, FileNotFoundError):
+            # Fallback: find icon relative to this file
+            icon_source = Path(__file__).parent / 'assets' / 'souleyez-icon.png'
+            with open(icon_source, 'rb') as src:
+                icon_data = src.read()
+
+        with open(icon_dest, 'wb') as dst:
+            dst.write(icon_data)
+        click.echo(click.style("  Installed icon", fg='green'))
+    except Exception as e:
+        click.echo(click.style(f"  Warning: Could not copy icon: {e}", fg='yellow'))
+        icon_dest = "utilities-terminal"  # Fallback to system icon
+
+    # Create .desktop file
+    desktop_content = f"""[Desktop Entry]
+Name=SoulEyez
+Comment=AI-Powered Penetration Testing Platform
+Exec=souleyez interactive
+Icon={icon_dest}
+Terminal=true
+Type=Application
+Categories=Security;System;Network;
+Keywords=pentest;security;hacking;nmap;metasploit;
+"""
+
+    desktop_file.write_text(desktop_content)
+    click.echo(click.style("  Created desktop entry", fg='green'))
+
+    # Update desktop database (optional, may not be available)
+    try:
+        import subprocess
+        subprocess.run(['update-desktop-database', str(applications_dir)],
+                      capture_output=True, check=False)
+    except Exception:
+        pass  # Not critical if this fails
+
+    click.echo()
+    click.echo(click.style("SoulEyez added to Applications menu!", fg='green', bold=True))
+    click.echo()
+    click.echo("You can find it under:")
+    click.echo(click.style("  Applications > Security > SoulEyez", fg='cyan'))
+    click.echo()
+    click.echo("To remove: souleyez install-desktop --remove")
+
+
 def main():
     """Main entry point."""
     cli()

{souleyez-2.25.0 → souleyez-2.26.0}/souleyez/parsers/crackmapexec_parser.py

@@ -72,42 +72,61 @@ def _parse_content(content: str, target: str) -> Dict[str, Any]:
         'auth_info': {}
     }
 
+    # Remove ANSI color codes first
+    content = re.sub(r'\x1b\[[0-9;]*m', '', content)
+
     for line in content.split('\n'):
         # Parse host information (Windows OR Unix/Samba)
-        # Format: SMB  10.0.0.88  445  HOSTNAME  [*] Windows/Unix ... (name:HOSTNAME) (domain:DOMAIN) ...
-        if 'SMB' in line and ('[*]' in line) and ('Windows' in line or 'Unix' in line or 'Samba' in line):
-            host_match = re.search(r'(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+\[\*\]\s+(.+)', line)
+        # Format variations:
+        # SMB  10.0.0.88  445  HOSTNAME  [*] Windows/Unix ... (name:HOSTNAME) (domain:DOMAIN) ...
+        # SMB         10.0.0.88    445    HOSTNAME [*] Windows Server 2016 ...
+        # WINRM  10.0.0.88  5985  HOSTNAME  [*] http://10.0.0.88:5985/wsman
+
+        os_keywords = ['Windows', 'Unix', 'Samba', 'Linux', 'Server', 'Microsoft']
+        if any(proto in line for proto in ['SMB', 'WINRM', 'SSH', 'RDP']) and '[*]' in line:
+            # Try multiple patterns for host info
+            host_match = None
+
+            # Pattern 1: Standard format with flexible whitespace
+            host_match = re.search(r'(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+\[\*\]\s*(.+)', line)
+
+            # Pattern 2: Protocol prefix format
+            if not host_match:
+                host_match = re.search(r'(?:SMB|WINRM|SSH|RDP)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+\[\*\]\s*(.+)', line)
+
             if host_match:
                 ip = host_match.group(1)
                 port = int(host_match.group(2))
                 hostname = host_match.group(3)
                 details = host_match.group(4).strip()
 
-                # Extract domain from (domain:DOMAIN) pattern
-                domain_match = re.search(r'\(domain:([^)]+)\)', details)
-                domain = domain_match.group(1) if domain_match else None
-
-                # Extract OS info (everything before the first parenthesis)
-                os_match = re.match(r'([^(]+)', details)
-                os_info = os_match.group(1).strip() if os_match else details
-
-                # Extract SMB signing status
-                signing_match = re.search(r'\(signing:(\w+)\)', details)
-                signing = signing_match.group(1) if signing_match else None
-
-                # Extract SMBv1 status
-                smbv1_match = re.search(r'\(SMBv1:(\w+)\)', details)
-                smbv1 = smbv1_match.group(1) if smbv1_match else None
-
-                findings['hosts'].append({
-                    'ip': ip,
-                    'port': port,
-                    'hostname': hostname,
-                    'domain': domain,
-                    'os': os_info,
-                    'signing': signing,
-                    'smbv1': smbv1
-                })
+                # Only process as host info if it looks like OS/version info
+                if any(kw in details for kw in os_keywords) or '(domain:' in details:
+                    # Extract domain from (domain:DOMAIN) or domain: pattern
+                    domain_match = re.search(r'\(?domain:?\s*([^)\s]+)\)?', details, re.IGNORECASE)
+                    domain = domain_match.group(1) if domain_match else None
+
+                    # Extract OS info (everything before the first parenthesis)
+                    os_match = re.match(r'([^(]+)', details)
+                    os_info = os_match.group(1).strip() if os_match else details
+
+                    # Extract SMB signing status (multiple formats)
+                    signing_match = re.search(r'\(?signing:?\s*(\w+)\)?', details, re.IGNORECASE)
+                    signing = signing_match.group(1) if signing_match else None
+
+                    # Extract SMBv1 status
+                    smbv1_match = re.search(r'\(?SMBv1:?\s*(\w+)\)?', details, re.IGNORECASE)
+                    smbv1 = smbv1_match.group(1) if smbv1_match else None
+
+                    findings['hosts'].append({
+                        'ip': ip,
+                        'port': port,
+                        'hostname': hostname,
+                        'domain': domain,
+                        'os': os_info,
+                        'signing': signing,
+                        'smbv1': smbv1
+                    })
 
         # Parse authentication status
         # Format: SMB  10.0.0.14  445  HOSTNAME  [+] \: (Guest)
@@ -122,13 +141,23 @@ def _parse_content(content: str, target: str) -> Dict[str, Any]:
                 }
 
         # Parse share enumeration (shares WITH permissions)
-        share_perm_match = re.search(r'SMB.*\s+(\S+)\s+(READ|WRITE|READ,WRITE|NO ACCESS)\s+(.+)?$', line)
-        if share_perm_match and '$' in share_perm_match.group(1):
-            findings['shares'].append({
-                'name': share_perm_match.group(1),
-                'permissions': share_perm_match.group(2),
-                'comment': share_perm_match.group(3).strip() if share_perm_match.group(3) else ''
-            })
+        # Format variations:
+        # SMB ... ADMIN$  READ,WRITE  Remote Admin
+        # SMB ... ADMIN$  READ, WRITE  Remote Admin (with space)
+        # SMB ... C$  READ ONLY  Default share
+        share_perm_match = re.search(
+            r'SMB.*\s+(\S+\$?)\s+(READ,?\s*WRITE|READ\s*ONLY|WRITE\s*ONLY|READ|WRITE|NO\s*ACCESS)\s*(.*)$',
+            line, re.IGNORECASE
+        )
+        if share_perm_match:
+            share_name = share_perm_match.group(1)
+            # Skip if it looks like a header or status line
+            if share_name not in ['Share', 'Permissions', 'shares']:
+                findings['shares'].append({
+                    'name': share_name,
+                    'permissions': share_perm_match.group(2).upper().replace(' ', ''),
+                    'comment': share_perm_match.group(3).strip() if share_perm_match.group(3) else ''
+                })
         # Parse share enumeration (shares WITHOUT explicit permissions - just listed)
         elif 'SMB' in line and not ('Share' in line and 'Permissions' in line) and not '-----' in line:
             # Look for lines with share names (ending with $, or common names like print$, public, IPC$)
@@ -146,9 +175,16 @@ def _parse_content(content: str, target: str) -> Dict[str, Any]:
                             'comment': remark
                         })
 
-        # Parse user enumeration
-        if 'badpwdcount' in line.lower():
-            user_match = re.search(r'(\S+)\s+badpwdcount:\s*(\d+)\s+desc:\s*(.+)?', line)
+        # Parse user enumeration with flexible format
+        # Format variations:
+        # username badpwdcount: 0 desc: Description
+        # username  badpwdcount:0  desc:Description
+        # username baddpwdcount: 0 description: Description
+        if 'badpwdcount' in line.lower() or 'baddpwdcount' in line.lower():
+            user_match = re.search(
+                r'(\S+)\s+bad+pwdcount:?\s*(\d+)\s+(?:desc(?:ription)?:?\s*)?(.+)?',
+                line, re.IGNORECASE
+            )
             if user_match:
                 findings['users'].append({
                     'username': user_match.group(1),
@@ -165,15 +201,37 @@ def _parse_content(content: str, target: str) -> Dict[str, Any]:
                 })
 
         # Parse valid credentials (but not Guest authentication)
-        if '[+]' in line and 'Pwn3d!' in line:
-            cred_match = re.search(r'\[\+\]\s+([^\\]+)\\(\S+):(\S+)\s*(\(Pwn3d!\))?', line)
+        # Format variations:
+        # [+] DOMAIN\username:password (Pwn3d!)
+        # [+] DOMAIN\\username:password (Pwn3d!)
+        # [+] username:password (Pwn3d!)
+        # [+] DOMAIN/username:password (Pwn3d!)
+        if '[+]' in line and ('Pwn3d' in line or ':' in line):
+            # Try domain\user:pass format first
+            cred_match = re.search(
+                r'\[\+\]\s*([^\\/:]+)[\\\/]+([^:]+):([^\s(]+)\s*(\(Pwn3d!?\))?',
+                line, re.IGNORECASE
+            )
             if cred_match:
                 findings['credentials'].append({
-                    'domain': cred_match.group(1),
-                    'username': cred_match.group(2),
-                    'password': cred_match.group(3),
+                    'domain': cred_match.group(1).strip(),
+                    'username': cred_match.group(2).strip(),
+                    'password': cred_match.group(3).strip(),
                     'admin': bool(cred_match.group(4))
                 })
+            else:
+                # Try user:pass format (no domain)
+                cred_match = re.search(
+                    r'\[\+\]\s*([^:@\s]+):([^\s(]+)\s*(\(Pwn3d!?\))?',
+                    line, re.IGNORECASE
+                )
+                if cred_match and '@' not in cred_match.group(1):
+                    findings['credentials'].append({
+                        'domain': '',
+                        'username': cred_match.group(1).strip(),
+                        'password': cred_match.group(2).strip(),
+                        'admin': bool(cred_match.group(3))
+                    })
 
     # Extract admin credentials for auto-chaining
     admin_creds = [c for c in findings['credentials'] if c.get('admin')]