souleyez 2.43.28__py3-none-any.whl → 2.43.32__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- souleyez/__init__.py +1 -2
- souleyez/ai/__init__.py +21 -15
- souleyez/ai/action_mapper.py +249 -150
- souleyez/ai/chain_advisor.py +116 -100
- souleyez/ai/claude_provider.py +29 -28
- souleyez/ai/context_builder.py +80 -62
- souleyez/ai/executor.py +158 -117
- souleyez/ai/feedback_handler.py +136 -121
- souleyez/ai/llm_factory.py +27 -20
- souleyez/ai/llm_provider.py +4 -2
- souleyez/ai/ollama_provider.py +6 -9
- souleyez/ai/ollama_service.py +44 -37
- souleyez/ai/path_scorer.py +91 -76
- souleyez/ai/recommender.py +176 -144
- souleyez/ai/report_context.py +74 -73
- souleyez/ai/report_service.py +84 -66
- souleyez/ai/result_parser.py +222 -229
- souleyez/ai/safety.py +67 -44
- souleyez/auth/__init__.py +23 -22
- souleyez/auth/audit.py +36 -26
- souleyez/auth/engagement_access.py +65 -48
- souleyez/auth/permissions.py +14 -3
- souleyez/auth/session_manager.py +54 -37
- souleyez/auth/user_manager.py +109 -64
- souleyez/commands/audit.py +40 -43
- souleyez/commands/auth.py +35 -15
- souleyez/commands/deliverables.py +55 -50
- souleyez/commands/engagement.py +47 -28
- souleyez/commands/license.py +32 -23
- souleyez/commands/screenshots.py +36 -32
- souleyez/commands/user.py +82 -36
- souleyez/config.py +52 -44
- souleyez/core/credential_tester.py +87 -81
- souleyez/core/cve_mappings.py +179 -192
- souleyez/core/cve_matcher.py +162 -148
- souleyez/core/msf_auto_mapper.py +100 -83
- souleyez/core/msf_chain_engine.py +294 -256
- souleyez/core/msf_database.py +153 -70
- souleyez/core/msf_integration.py +679 -673
- souleyez/core/msf_rpc_client.py +40 -42
- souleyez/core/msf_rpc_manager.py +77 -79
- souleyez/core/msf_sync_manager.py +241 -181
- souleyez/core/network_utils.py +22 -15
- souleyez/core/parser_handler.py +34 -25
- souleyez/core/pending_chains.py +114 -63
- souleyez/core/templates.py +158 -107
- souleyez/core/tool_chaining.py +9592 -2879
- souleyez/core/version_utils.py +79 -94
- souleyez/core/vuln_correlation.py +136 -89
- souleyez/core/web_utils.py +33 -32
- souleyez/data/wordlists/ad_users.txt +378 -0
- souleyez/data/wordlists/api_endpoints_large.txt +769 -0
- souleyez/data/wordlists/home_dir_sensitive.txt +39 -0
- souleyez/data/wordlists/lfi_payloads.txt +82 -0
- souleyez/data/wordlists/passwords_brute.txt +1548 -0
- souleyez/data/wordlists/passwords_crack.txt +2479 -0
- souleyez/data/wordlists/passwords_spray.txt +386 -0
- souleyez/data/wordlists/subdomains_large.txt +5057 -0
- souleyez/data/wordlists/usernames_common.txt +694 -0
- souleyez/data/wordlists/web_dirs_large.txt +4769 -0
- souleyez/detection/__init__.py +1 -1
- souleyez/detection/attack_signatures.py +12 -17
- souleyez/detection/mitre_mappings.py +61 -55
- souleyez/detection/validator.py +97 -86
- souleyez/devtools.py +23 -10
- souleyez/docs/README.md +4 -4
- souleyez/docs/api-reference/cli-commands.md +2 -2
- souleyez/docs/developer-guide/adding-new-tools.md +562 -0
- souleyez/docs/user-guide/auto-chaining.md +30 -8
- souleyez/docs/user-guide/getting-started.md +1 -1
- souleyez/docs/user-guide/installation.md +26 -3
- souleyez/docs/user-guide/metasploit-integration.md +2 -2
- souleyez/docs/user-guide/rbac.md +1 -1
- souleyez/docs/user-guide/scope-management.md +1 -1
- souleyez/docs/user-guide/siem-integration.md +1 -1
- souleyez/docs/user-guide/tools-reference.md +1 -8
- souleyez/docs/user-guide/worker-management.md +1 -1
- souleyez/engine/background.py +1238 -535
- souleyez/engine/base.py +4 -1
- souleyez/engine/job_status.py +17 -49
- souleyez/engine/log_sanitizer.py +103 -77
- souleyez/engine/manager.py +38 -7
- souleyez/engine/result_handler.py +2198 -1550
- souleyez/engine/worker_manager.py +50 -41
- souleyez/export/evidence_bundle.py +72 -62
- souleyez/feature_flags/features.py +16 -20
- souleyez/feature_flags.py +5 -9
- souleyez/handlers/__init__.py +11 -0
- souleyez/handlers/base.py +188 -0
- souleyez/handlers/bash_handler.py +277 -0
- souleyez/handlers/bloodhound_handler.py +243 -0
- souleyez/handlers/certipy_handler.py +311 -0
- souleyez/handlers/crackmapexec_handler.py +486 -0
- souleyez/handlers/dnsrecon_handler.py +344 -0
- souleyez/handlers/enum4linux_handler.py +400 -0
- souleyez/handlers/evil_winrm_handler.py +493 -0
- souleyez/handlers/ffuf_handler.py +815 -0
- souleyez/handlers/gobuster_handler.py +1114 -0
- souleyez/handlers/gpp_extract_handler.py +334 -0
- souleyez/handlers/hashcat_handler.py +444 -0
- souleyez/handlers/hydra_handler.py +563 -0
- souleyez/handlers/impacket_getuserspns_handler.py +343 -0
- souleyez/handlers/impacket_psexec_handler.py +222 -0
- souleyez/handlers/impacket_secretsdump_handler.py +426 -0
- souleyez/handlers/john_handler.py +286 -0
- souleyez/handlers/katana_handler.py +425 -0
- souleyez/handlers/kerbrute_handler.py +298 -0
- souleyez/handlers/ldapsearch_handler.py +636 -0
- souleyez/handlers/lfi_extract_handler.py +464 -0
- souleyez/handlers/msf_auxiliary_handler.py +408 -0
- souleyez/handlers/msf_exploit_handler.py +380 -0
- souleyez/handlers/nikto_handler.py +413 -0
- souleyez/handlers/nmap_handler.py +821 -0
- souleyez/handlers/nuclei_handler.py +359 -0
- souleyez/handlers/nxc_handler.py +371 -0
- souleyez/handlers/rdp_sec_check_handler.py +353 -0
- souleyez/handlers/registry.py +288 -0
- souleyez/handlers/responder_handler.py +232 -0
- souleyez/handlers/service_explorer_handler.py +434 -0
- souleyez/handlers/smbclient_handler.py +344 -0
- souleyez/handlers/smbmap_handler.py +510 -0
- souleyez/handlers/smbpasswd_handler.py +296 -0
- souleyez/handlers/sqlmap_handler.py +1116 -0
- souleyez/handlers/theharvester_handler.py +601 -0
- souleyez/handlers/whois_handler.py +277 -0
- souleyez/handlers/wpscan_handler.py +554 -0
- souleyez/history.py +32 -16
- souleyez/importers/msf_importer.py +106 -75
- souleyez/importers/smart_importer.py +208 -147
- souleyez/integrations/siem/__init__.py +10 -10
- souleyez/integrations/siem/base.py +17 -18
- souleyez/integrations/siem/elastic.py +108 -122
- souleyez/integrations/siem/factory.py +207 -80
- souleyez/integrations/siem/googlesecops.py +146 -154
- souleyez/integrations/siem/rule_mappings/__init__.py +1 -1
- souleyez/integrations/siem/rule_mappings/wazuh_rules.py +8 -5
- souleyez/integrations/siem/sentinel.py +107 -109
- souleyez/integrations/siem/splunk.py +246 -212
- souleyez/integrations/siem/wazuh.py +65 -71
- souleyez/integrations/wazuh/__init__.py +5 -5
- souleyez/integrations/wazuh/client.py +70 -93
- souleyez/integrations/wazuh/config.py +85 -57
- souleyez/integrations/wazuh/host_mapper.py +28 -36
- souleyez/integrations/wazuh/sync.py +78 -68
- souleyez/intelligence/__init__.py +4 -5
- souleyez/intelligence/correlation_analyzer.py +309 -295
- souleyez/intelligence/exploit_knowledge.py +661 -623
- souleyez/intelligence/exploit_suggestions.py +159 -139
- souleyez/intelligence/gap_analyzer.py +132 -97
- souleyez/intelligence/gap_detector.py +251 -214
- souleyez/intelligence/sensitive_tables.py +266 -129
- souleyez/intelligence/service_parser.py +137 -123
- souleyez/intelligence/surface_analyzer.py +407 -268
- souleyez/intelligence/target_parser.py +159 -162
- souleyez/licensing/__init__.py +6 -6
- souleyez/licensing/validator.py +17 -19
- souleyez/log_config.py +79 -54
- souleyez/main.py +1505 -687
- souleyez/migrations/fix_job_counter.py +16 -14
- souleyez/parsers/bloodhound_parser.py +41 -39
- souleyez/parsers/crackmapexec_parser.py +178 -111
- souleyez/parsers/dalfox_parser.py +72 -77
- souleyez/parsers/dnsrecon_parser.py +103 -91
- souleyez/parsers/enum4linux_parser.py +183 -153
- souleyez/parsers/ffuf_parser.py +29 -25
- souleyez/parsers/gobuster_parser.py +301 -41
- souleyez/parsers/hashcat_parser.py +324 -79
- souleyez/parsers/http_fingerprint_parser.py +350 -103
- souleyez/parsers/hydra_parser.py +131 -111
- souleyez/parsers/impacket_parser.py +231 -178
- souleyez/parsers/john_parser.py +98 -86
- souleyez/parsers/katana_parser.py +316 -0
- souleyez/parsers/msf_parser.py +943 -498
- souleyez/parsers/nikto_parser.py +346 -65
- souleyez/parsers/nmap_parser.py +262 -174
- souleyez/parsers/nuclei_parser.py +40 -44
- souleyez/parsers/responder_parser.py +26 -26
- souleyez/parsers/searchsploit_parser.py +74 -74
- souleyez/parsers/service_explorer_parser.py +279 -0
- souleyez/parsers/smbmap_parser.py +180 -124
- souleyez/parsers/sqlmap_parser.py +434 -308
- souleyez/parsers/theharvester_parser.py +75 -57
- souleyez/parsers/whois_parser.py +135 -94
- souleyez/parsers/wpscan_parser.py +278 -190
- souleyez/plugins/afp.py +44 -36
- souleyez/plugins/afp_brute.py +114 -46
- souleyez/plugins/ard.py +48 -37
- souleyez/plugins/bloodhound.py +95 -61
- souleyez/plugins/certipy.py +303 -0
- souleyez/plugins/crackmapexec.py +186 -85
- souleyez/plugins/dalfox.py +120 -59
- souleyez/plugins/dns_hijack.py +146 -41
- souleyez/plugins/dnsrecon.py +97 -61
- souleyez/plugins/enum4linux.py +91 -66
- souleyez/plugins/evil_winrm.py +291 -0
- souleyez/plugins/ffuf.py +166 -90
- souleyez/plugins/firmware_extract.py +133 -29
- souleyez/plugins/gobuster.py +387 -190
- souleyez/plugins/gpp_extract.py +393 -0
- souleyez/plugins/hashcat.py +100 -73
- souleyez/plugins/http_fingerprint.py +854 -267
- souleyez/plugins/hydra.py +566 -200
- souleyez/plugins/impacket_getnpusers.py +117 -69
- souleyez/plugins/impacket_psexec.py +84 -64
- souleyez/plugins/impacket_secretsdump.py +103 -69
- souleyez/plugins/impacket_smbclient.py +89 -75
- souleyez/plugins/john.py +86 -69
- souleyez/plugins/katana.py +313 -0
- souleyez/plugins/kerbrute.py +237 -0
- souleyez/plugins/lfi_extract.py +541 -0
- souleyez/plugins/macos_ssh.py +117 -48
- souleyez/plugins/mdns.py +35 -30
- souleyez/plugins/msf_auxiliary.py +253 -130
- souleyez/plugins/msf_exploit.py +239 -161
- souleyez/plugins/nikto.py +134 -78
- souleyez/plugins/nmap.py +275 -91
- souleyez/plugins/nuclei.py +180 -89
- souleyez/plugins/nxc.py +285 -0
- souleyez/plugins/plugin_base.py +35 -36
- souleyez/plugins/plugin_template.py +13 -5
- souleyez/plugins/rdp_sec_check.py +130 -0
- souleyez/plugins/responder.py +112 -71
- souleyez/plugins/router_http_brute.py +76 -65
- souleyez/plugins/router_ssh_brute.py +118 -41
- souleyez/plugins/router_telnet_brute.py +124 -42
- souleyez/plugins/routersploit.py +91 -59
- souleyez/plugins/routersploit_exploit.py +77 -55
- souleyez/plugins/searchsploit.py +91 -77
- souleyez/plugins/service_explorer.py +1160 -0
- souleyez/plugins/smbmap.py +122 -72
- souleyez/plugins/smbpasswd.py +215 -0
- souleyez/plugins/sqlmap.py +301 -113
- souleyez/plugins/theharvester.py +127 -75
- souleyez/plugins/tr069.py +79 -57
- souleyez/plugins/upnp.py +65 -47
- souleyez/plugins/upnp_abuse.py +73 -55
- souleyez/plugins/vnc_access.py +129 -42
- souleyez/plugins/vnc_brute.py +109 -38
- souleyez/plugins/whois.py +77 -58
- souleyez/plugins/wpscan.py +173 -69
- souleyez/reporting/__init__.py +2 -1
- souleyez/reporting/attack_chain.py +411 -346
- souleyez/reporting/charts.py +436 -501
- souleyez/reporting/compliance_mappings.py +334 -201
- souleyez/reporting/detection_report.py +126 -125
- souleyez/reporting/formatters.py +828 -591
- souleyez/reporting/generator.py +386 -302
- souleyez/reporting/metrics.py +72 -75
- souleyez/scanner.py +35 -29
- souleyez/security/__init__.py +37 -11
- souleyez/security/scope_validator.py +175 -106
- souleyez/security/validation.py +223 -149
- souleyez/security.py +22 -6
- souleyez/storage/credentials.py +247 -186
- souleyez/storage/crypto.py +296 -129
- souleyez/storage/database.py +73 -50
- souleyez/storage/db.py +58 -36
- souleyez/storage/deliverable_evidence.py +177 -128
- souleyez/storage/deliverable_exporter.py +282 -246
- souleyez/storage/deliverable_templates.py +134 -116
- souleyez/storage/deliverables.py +135 -130
- souleyez/storage/engagements.py +109 -56
- souleyez/storage/evidence.py +181 -152
- souleyez/storage/execution_log.py +31 -17
- souleyez/storage/exploit_attempts.py +93 -57
- souleyez/storage/exploits.py +67 -36
- souleyez/storage/findings.py +48 -61
- souleyez/storage/hosts.py +176 -144
- souleyez/storage/migrate_to_engagements.py +43 -19
- souleyez/storage/migrations/_001_add_credential_enhancements.py +22 -12
- souleyez/storage/migrations/_002_add_status_tracking.py +10 -7
- souleyez/storage/migrations/_003_add_execution_log.py +14 -8
- souleyez/storage/migrations/_005_screenshots.py +13 -5
- souleyez/storage/migrations/_006_deliverables.py +13 -5
- souleyez/storage/migrations/_007_deliverable_templates.py +12 -7
- souleyez/storage/migrations/_008_add_nuclei_table.py +10 -4
- souleyez/storage/migrations/_010_evidence_linking.py +17 -10
- souleyez/storage/migrations/_011_timeline_tracking.py +20 -13
- souleyez/storage/migrations/_012_team_collaboration.py +34 -21
- souleyez/storage/migrations/_013_add_host_tags.py +12 -6
- souleyez/storage/migrations/_014_exploit_attempts.py +22 -10
- souleyez/storage/migrations/_015_add_mac_os_fields.py +15 -7
- souleyez/storage/migrations/_016_add_domain_field.py +10 -4
- souleyez/storage/migrations/_017_msf_sessions.py +16 -8
- souleyez/storage/migrations/_018_add_osint_target.py +10 -6
- souleyez/storage/migrations/_019_add_engagement_type.py +10 -6
- souleyez/storage/migrations/_020_add_rbac.py +36 -15
- souleyez/storage/migrations/_021_wazuh_integration.py +20 -8
- souleyez/storage/migrations/_022_wazuh_indexer_columns.py +6 -4
- souleyez/storage/migrations/_023_fix_detection_results_fk.py +16 -6
- souleyez/storage/migrations/_024_wazuh_vulnerabilities.py +26 -10
- souleyez/storage/migrations/_025_multi_siem_support.py +3 -5
- souleyez/storage/migrations/_026_add_engagement_scope.py +31 -12
- souleyez/storage/migrations/_027_multi_siem_persistence.py +32 -15
- souleyez/storage/migrations/__init__.py +26 -26
- souleyez/storage/migrations/migration_manager.py +19 -19
- souleyez/storage/msf_sessions.py +100 -65
- souleyez/storage/osint.py +17 -24
- souleyez/storage/recommendation_engine.py +269 -235
- souleyez/storage/screenshots.py +33 -32
- souleyez/storage/smb_shares.py +136 -92
- souleyez/storage/sqlmap_data.py +183 -128
- souleyez/storage/team_collaboration.py +135 -141
- souleyez/storage/timeline_tracker.py +122 -94
- souleyez/storage/wazuh_vulns.py +64 -66
- souleyez/storage/web_paths.py +33 -37
- souleyez/testing/credential_tester.py +221 -205
- souleyez/ui/__init__.py +1 -1
- souleyez/ui/ai_quotes.py +12 -12
- souleyez/ui/attack_surface.py +2439 -1516
- souleyez/ui/chain_rules_view.py +914 -382
- souleyez/ui/correlation_view.py +312 -230
- souleyez/ui/dashboard.py +2382 -1130
- souleyez/ui/deliverables_view.py +148 -62
- souleyez/ui/design_system.py +13 -13
- souleyez/ui/errors.py +49 -49
- souleyez/ui/evidence_linking_view.py +284 -179
- souleyez/ui/evidence_vault.py +393 -285
- souleyez/ui/exploit_suggestions_view.py +555 -349
- souleyez/ui/export_view.py +100 -66
- souleyez/ui/gap_analysis_view.py +315 -171
- souleyez/ui/help_system.py +105 -97
- souleyez/ui/intelligence_view.py +436 -293
- souleyez/ui/interactive.py +23142 -10430
- souleyez/ui/interactive_selector.py +75 -68
- souleyez/ui/log_formatter.py +47 -39
- souleyez/ui/menu_components.py +22 -13
- souleyez/ui/msf_auxiliary_menu.py +184 -133
- souleyez/ui/pending_chains_view.py +336 -172
- souleyez/ui/progress_indicators.py +5 -3
- souleyez/ui/recommendations_view.py +195 -137
- souleyez/ui/rule_builder.py +343 -225
- souleyez/ui/setup_wizard.py +678 -284
- souleyez/ui/shortcuts.py +217 -165
- souleyez/ui/splunk_gap_analysis_view.py +452 -270
- souleyez/ui/splunk_vulns_view.py +139 -86
- souleyez/ui/team_dashboard.py +498 -335
- souleyez/ui/template_selector.py +196 -105
- souleyez/ui/terminal.py +6 -6
- souleyez/ui/timeline_view.py +198 -127
- souleyez/ui/tool_setup.py +264 -164
- souleyez/ui/tutorial.py +202 -72
- souleyez/ui/tutorial_state.py +40 -40
- souleyez/ui/wazuh_vulns_view.py +235 -141
- souleyez/ui/wordlist_browser.py +260 -107
- souleyez/ui.py +464 -312
- souleyez/utils/tool_checker.py +427 -367
- souleyez/utils.py +33 -29
- souleyez/wordlists.py +134 -167
- {souleyez-2.43.28.dist-info → souleyez-2.43.32.dist-info}/METADATA +1 -1
- souleyez-2.43.32.dist-info/RECORD +441 -0
- {souleyez-2.43.28.dist-info → souleyez-2.43.32.dist-info}/WHEEL +1 -1
- souleyez-2.43.28.dist-info/RECORD +0 -379
- {souleyez-2.43.28.dist-info → souleyez-2.43.32.dist-info}/entry_points.txt +0 -0
- {souleyez-2.43.28.dist-info → souleyez-2.43.32.dist-info}/licenses/LICENSE +0 -0
- {souleyez-2.43.28.dist-info → souleyez-2.43.32.dist-info}/top_level.txt +0 -0
|
@@ -20,7 +20,7 @@ class MSFChainEngine:
|
|
|
20
20
|
self,
|
|
21
21
|
target_hosts: List[int],
|
|
22
22
|
objectives: List[str] = None,
|
|
23
|
-
risk_tolerance: str =
|
|
23
|
+
risk_tolerance: str = "moderate",
|
|
24
24
|
) -> Dict:
|
|
25
25
|
"""
|
|
26
26
|
Build progressive attack chain.
|
|
@@ -34,42 +34,44 @@ class MSFChainEngine:
|
|
|
34
34
|
Chain definition with phases and modules
|
|
35
35
|
"""
|
|
36
36
|
if objectives is None:
|
|
37
|
-
objectives = [
|
|
37
|
+
objectives = ["recon", "exploit", "escalate"]
|
|
38
38
|
|
|
39
39
|
# Map risk tolerance to risk levels
|
|
40
40
|
risk_map = {
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
41
|
+
"safe": ["safe"],
|
|
42
|
+
"moderate": ["safe", "noisy", "moderate"],
|
|
43
|
+
"aggressive": ["safe", "noisy", "moderate", "dangerous"],
|
|
44
44
|
}
|
|
45
|
-
risk_levels = risk_map.get(risk_tolerance, [
|
|
45
|
+
risk_levels = risk_map.get(risk_tolerance, ["safe", "noisy"])
|
|
46
46
|
|
|
47
47
|
chain = {
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
48
|
+
"chain_id": f"attack_chain_{self.engagement_id}",
|
|
49
|
+
"engagement_id": self.engagement_id,
|
|
50
|
+
"target_hosts": target_hosts,
|
|
51
|
+
"objectives": objectives,
|
|
52
|
+
"risk_tolerance": risk_tolerance,
|
|
53
|
+
"phases": [],
|
|
54
54
|
}
|
|
55
55
|
|
|
56
56
|
# Build phases based on objectives
|
|
57
|
-
if
|
|
58
|
-
chain[
|
|
57
|
+
if "recon" in objectives:
|
|
58
|
+
chain["phases"].append(self._build_recon_phase(target_hosts))
|
|
59
59
|
|
|
60
|
-
if
|
|
61
|
-
chain[
|
|
60
|
+
if "exploit" in objectives:
|
|
61
|
+
chain["phases"].append(
|
|
62
|
+
self._build_exploitation_phase(target_hosts, risk_levels)
|
|
63
|
+
)
|
|
62
64
|
|
|
63
|
-
if
|
|
65
|
+
if "escalate" in objectives or "pivot" in objectives or "persist" in objectives:
|
|
64
66
|
post_objectives = []
|
|
65
|
-
if
|
|
66
|
-
post_objectives.append(
|
|
67
|
-
if
|
|
68
|
-
post_objectives.append(
|
|
69
|
-
if
|
|
70
|
-
post_objectives.append(
|
|
67
|
+
if "escalate" in objectives:
|
|
68
|
+
post_objectives.append("escalate")
|
|
69
|
+
if "pivot" in objectives:
|
|
70
|
+
post_objectives.append("pivot")
|
|
71
|
+
if "persist" in objectives:
|
|
72
|
+
post_objectives.append("persist")
|
|
71
73
|
|
|
72
|
-
chain[
|
|
74
|
+
chain["phases"].append(self._build_post_exploitation_phase(post_objectives))
|
|
73
75
|
|
|
74
76
|
return chain
|
|
75
77
|
|
|
@@ -77,6 +79,7 @@ class MSFChainEngine:
|
|
|
77
79
|
"""Build reconnaissance phase."""
|
|
78
80
|
try:
|
|
79
81
|
from souleyez.storage.hosts import HostManager
|
|
82
|
+
|
|
80
83
|
hm = HostManager()
|
|
81
84
|
|
|
82
85
|
modules = []
|
|
@@ -85,44 +88,52 @@ class MSFChainEngine:
|
|
|
85
88
|
services = hm.get_host_services(host_id)
|
|
86
89
|
|
|
87
90
|
for service in services:
|
|
88
|
-
service_name = service.get(
|
|
91
|
+
service_name = service.get("service_name", "").lower()
|
|
89
92
|
|
|
90
93
|
# Get version scanners
|
|
91
94
|
recommendations = self.module_selector.get_recommendations(
|
|
92
|
-
service=service_name,
|
|
93
|
-
include_risk=['safe']
|
|
95
|
+
service=service_name, include_risk=["safe"]
|
|
94
96
|
)
|
|
95
97
|
|
|
96
98
|
# Filter to version scanners
|
|
97
|
-
scanners = [
|
|
99
|
+
scanners = [
|
|
100
|
+
r
|
|
101
|
+
for r in recommendations
|
|
102
|
+
if "version" in r.get("name", "").lower()
|
|
103
|
+
]
|
|
98
104
|
|
|
99
105
|
for scanner in scanners:
|
|
100
|
-
modules.append(
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
+
modules.append(
|
|
107
|
+
{
|
|
108
|
+
"module": scanner.get("path"),
|
|
109
|
+
"target_host": hm.get_host(host_id).get("ip_address"),
|
|
110
|
+
"target_service": service_name,
|
|
111
|
+
"risk": "safe",
|
|
112
|
+
}
|
|
113
|
+
)
|
|
106
114
|
|
|
107
115
|
return {
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
116
|
+
"name": "reconnaissance",
|
|
117
|
+
"modules": modules,
|
|
118
|
+
"auto_advance": True,
|
|
119
|
+
"success_criteria": "all_services_fingerprinted",
|
|
120
|
+
"expected_duration": f"{len(modules) * 30} seconds",
|
|
113
121
|
}
|
|
114
122
|
except:
|
|
115
123
|
return {
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
124
|
+
"name": "reconnaissance",
|
|
125
|
+
"modules": [],
|
|
126
|
+
"auto_advance": True,
|
|
127
|
+
"success_criteria": "all_services_fingerprinted",
|
|
120
128
|
}
|
|
121
129
|
|
|
122
|
-
def _build_exploitation_phase(
|
|
130
|
+
def _build_exploitation_phase(
|
|
131
|
+
self, target_hosts: List[int], risk_levels: List[str]
|
|
132
|
+
) -> Dict:
|
|
123
133
|
"""Build exploitation phase with ranked targets."""
|
|
124
134
|
try:
|
|
125
135
|
from souleyez.storage.hosts import HostManager
|
|
136
|
+
|
|
126
137
|
hm = HostManager()
|
|
127
138
|
|
|
128
139
|
exploits = []
|
|
@@ -131,49 +142,55 @@ class MSFChainEngine:
|
|
|
131
142
|
services = hm.get_host_services(host_id)
|
|
132
143
|
|
|
133
144
|
for service in services:
|
|
134
|
-
service_name = service.get(
|
|
135
|
-
version = service.get(
|
|
145
|
+
service_name = service.get("service_name", "")
|
|
146
|
+
version = service.get("service_version", "")
|
|
136
147
|
|
|
137
148
|
# Get exploit recommendations
|
|
138
|
-
recommendations =
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
|
|
142
|
-
|
|
143
|
-
|
|
149
|
+
recommendations = (
|
|
150
|
+
self.module_selector.get_recommendations_for_service(
|
|
151
|
+
service=service_name,
|
|
152
|
+
version=version,
|
|
153
|
+
engagement_id=self.engagement_id,
|
|
154
|
+
risk_levels=risk_levels,
|
|
155
|
+
include_cve_matches=True,
|
|
156
|
+
)
|
|
144
157
|
)
|
|
145
158
|
|
|
146
159
|
# Filter to exploits only
|
|
147
|
-
exploit_mods = [
|
|
160
|
+
exploit_mods = [
|
|
161
|
+
r for r in recommendations if r.get("category") == "exploit"
|
|
162
|
+
]
|
|
148
163
|
|
|
149
164
|
for exploit in exploit_mods:
|
|
150
|
-
exploits.append(
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
165
|
+
exploits.append(
|
|
166
|
+
{
|
|
167
|
+
"module": exploit.get("path"),
|
|
168
|
+
"target_host": hm.get_host(host_id).get("ip_address"),
|
|
169
|
+
"target_service": service_name,
|
|
170
|
+
"score": exploit.get("score", 0),
|
|
171
|
+
"cves": exploit.get("cve", []),
|
|
172
|
+
"reliability": exploit.get("reliability", "unknown"),
|
|
173
|
+
"risk": exploit.get("risk", "moderate"),
|
|
174
|
+
}
|
|
175
|
+
)
|
|
159
176
|
|
|
160
177
|
# Sort by score descending
|
|
161
|
-
exploits.sort(key=lambda x: x.get(
|
|
178
|
+
exploits.sort(key=lambda x: x.get("score", 0), reverse=True)
|
|
162
179
|
|
|
163
180
|
return {
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
181
|
+
"name": "exploitation",
|
|
182
|
+
"modules": exploits[:20], # Top 20 exploits
|
|
183
|
+
"auto_advance": False,
|
|
184
|
+
"success_criteria": "session_obtained",
|
|
185
|
+
"fallback": "brute_force_authentication",
|
|
186
|
+
"expected_duration": f"{len(exploits[:20]) * 120} seconds",
|
|
170
187
|
}
|
|
171
188
|
except:
|
|
172
189
|
return {
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
190
|
+
"name": "exploitation",
|
|
191
|
+
"modules": [],
|
|
192
|
+
"auto_advance": False,
|
|
193
|
+
"success_criteria": "session_obtained",
|
|
177
194
|
}
|
|
178
195
|
|
|
179
196
|
def _build_post_exploitation_phase(self, objectives: List[str]) -> Dict:
|
|
@@ -183,44 +200,44 @@ class MSFChainEngine:
|
|
|
183
200
|
# Common post-exploitation modules
|
|
184
201
|
common_modules = [
|
|
185
202
|
{
|
|
186
|
-
|
|
187
|
-
|
|
188
|
-
|
|
203
|
+
"module": "post/multi/recon/local_exploit_suggester",
|
|
204
|
+
"description": "Suggest local privilege escalation exploits",
|
|
205
|
+
"objective": "escalate",
|
|
189
206
|
},
|
|
190
207
|
{
|
|
191
|
-
|
|
192
|
-
|
|
193
|
-
|
|
208
|
+
"module": "post/windows/gather/hashdump",
|
|
209
|
+
"description": "Dump password hashes (Windows)",
|
|
210
|
+
"objective": "escalate",
|
|
194
211
|
},
|
|
195
212
|
{
|
|
196
|
-
|
|
197
|
-
|
|
198
|
-
|
|
213
|
+
"module": "post/linux/gather/hashdump",
|
|
214
|
+
"description": "Dump password hashes (Linux)",
|
|
215
|
+
"objective": "escalate",
|
|
199
216
|
},
|
|
200
217
|
{
|
|
201
|
-
|
|
202
|
-
|
|
203
|
-
|
|
218
|
+
"module": "post/multi/manage/autoroute",
|
|
219
|
+
"description": "Setup routing for pivoting",
|
|
220
|
+
"objective": "pivot",
|
|
204
221
|
},
|
|
205
222
|
{
|
|
206
|
-
|
|
207
|
-
|
|
208
|
-
|
|
209
|
-
}
|
|
223
|
+
"module": "post/windows/manage/persistence_exe",
|
|
224
|
+
"description": "Install persistent backdoor (Windows)",
|
|
225
|
+
"objective": "persist",
|
|
226
|
+
},
|
|
210
227
|
]
|
|
211
228
|
|
|
212
229
|
# Filter by objectives
|
|
213
230
|
for module in common_modules:
|
|
214
|
-
if module[
|
|
231
|
+
if module["objective"] in objectives:
|
|
215
232
|
modules.append(module)
|
|
216
233
|
|
|
217
234
|
return {
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
|
|
221
|
-
|
|
222
|
-
|
|
223
|
-
|
|
235
|
+
"name": "post_exploitation",
|
|
236
|
+
"modules": modules,
|
|
237
|
+
"triggers": ["session_obtained"],
|
|
238
|
+
"auto_advance": False,
|
|
239
|
+
"success_criteria": "credentials_dumped or persistence_established",
|
|
240
|
+
"expected_duration": f"{len(modules) * 60} seconds",
|
|
224
241
|
}
|
|
225
242
|
|
|
226
243
|
def generate_progressive_chain(self, host_id: int) -> Dict:
|
|
@@ -235,88 +252,101 @@ class MSFChainEngine:
|
|
|
235
252
|
"""
|
|
236
253
|
try:
|
|
237
254
|
from souleyez.storage.hosts import HostManager
|
|
255
|
+
|
|
238
256
|
hm = HostManager()
|
|
239
257
|
|
|
240
258
|
host = hm.get_host(host_id)
|
|
241
259
|
services = hm.get_host_services(host_id)
|
|
242
260
|
|
|
243
261
|
chain = {
|
|
244
|
-
|
|
245
|
-
|
|
246
|
-
|
|
262
|
+
"target": host.get("ip_address", "Unknown"),
|
|
263
|
+
"host_id": host_id,
|
|
264
|
+
"phases": [],
|
|
247
265
|
}
|
|
248
266
|
|
|
249
267
|
# Phase 1: Reconnaissance
|
|
250
268
|
recon_modules = self._build_recon_phase_for_host(host_id, services)
|
|
251
|
-
chain[
|
|
252
|
-
|
|
253
|
-
|
|
254
|
-
|
|
255
|
-
|
|
256
|
-
|
|
269
|
+
chain["phases"].append(
|
|
270
|
+
{
|
|
271
|
+
"name": "reconnaissance",
|
|
272
|
+
"modules": recon_modules,
|
|
273
|
+
"auto_advance": True,
|
|
274
|
+
"success_criteria": "all_services_fingerprinted",
|
|
275
|
+
}
|
|
276
|
+
)
|
|
257
277
|
|
|
258
278
|
# Phase 2: Vulnerability Assessment
|
|
259
279
|
vuln_modules = self._build_vuln_assessment_phase(services)
|
|
260
|
-
chain[
|
|
261
|
-
|
|
262
|
-
|
|
263
|
-
|
|
264
|
-
|
|
265
|
-
|
|
280
|
+
chain["phases"].append(
|
|
281
|
+
{
|
|
282
|
+
"name": "vulnerability_assessment",
|
|
283
|
+
"modules": vuln_modules,
|
|
284
|
+
"auto_advance": False,
|
|
285
|
+
"success_criteria": "vulnerabilities_confirmed",
|
|
286
|
+
}
|
|
287
|
+
)
|
|
266
288
|
|
|
267
289
|
# Phase 3: Exploitation
|
|
268
290
|
exploit_modules = self._build_exploitation_phase_for_host(host_id, services)
|
|
269
|
-
chain[
|
|
270
|
-
|
|
271
|
-
|
|
272
|
-
|
|
273
|
-
|
|
274
|
-
|
|
275
|
-
|
|
291
|
+
chain["phases"].append(
|
|
292
|
+
{
|
|
293
|
+
"name": "exploitation",
|
|
294
|
+
"modules": exploit_modules,
|
|
295
|
+
"auto_advance": False,
|
|
296
|
+
"success_criteria": "session_obtained",
|
|
297
|
+
"fallback": "brute_force_authentication",
|
|
298
|
+
}
|
|
299
|
+
)
|
|
276
300
|
|
|
277
301
|
# Phase 4: Post-Exploitation
|
|
278
302
|
post_modules = self._build_post_exploitation_phase_for_host(host)
|
|
279
|
-
chain[
|
|
280
|
-
|
|
281
|
-
|
|
282
|
-
|
|
283
|
-
|
|
284
|
-
|
|
285
|
-
|
|
303
|
+
chain["phases"].append(
|
|
304
|
+
{
|
|
305
|
+
"name": "post_exploitation",
|
|
306
|
+
"modules": post_modules,
|
|
307
|
+
"triggers": ["session_obtained"],
|
|
308
|
+
"auto_advance": False,
|
|
309
|
+
"success_criteria": "credentials_dumped",
|
|
310
|
+
}
|
|
311
|
+
)
|
|
286
312
|
|
|
287
313
|
return chain
|
|
288
314
|
except Exception as e:
|
|
289
|
-
return {
|
|
315
|
+
return {"target": "Unknown", "phases": [], "error": str(e)}
|
|
290
316
|
|
|
291
|
-
def _build_recon_phase_for_host(
|
|
317
|
+
def _build_recon_phase_for_host(
|
|
318
|
+
self, host_id: int, services: List[Dict]
|
|
319
|
+
) -> List[Dict]:
|
|
292
320
|
"""Build recon modules for a specific host."""
|
|
293
321
|
modules = []
|
|
294
322
|
|
|
295
323
|
for service in services:
|
|
296
|
-
service_name = service.get(
|
|
324
|
+
service_name = service.get("service_name", "").lower()
|
|
297
325
|
|
|
298
326
|
# Get version scanner
|
|
299
327
|
version_module = self._get_version_scanner(service_name)
|
|
300
328
|
if version_module:
|
|
301
|
-
modules.append(
|
|
302
|
-
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
|
|
329
|
+
modules.append(
|
|
330
|
+
{
|
|
331
|
+
"module": version_module,
|
|
332
|
+
"target_service": service_name,
|
|
333
|
+
"risk": "safe",
|
|
334
|
+
}
|
|
335
|
+
)
|
|
306
336
|
|
|
307
337
|
return modules
|
|
308
338
|
|
|
309
339
|
def _get_version_scanner(self, service_name: str) -> str:
|
|
310
340
|
"""Get version scanner module for service."""
|
|
311
341
|
scanner_map = {
|
|
312
|
-
|
|
313
|
-
|
|
314
|
-
|
|
315
|
-
|
|
316
|
-
|
|
317
|
-
|
|
318
|
-
|
|
319
|
-
|
|
342
|
+
"ssh": "auxiliary/scanner/ssh/ssh_version",
|
|
343
|
+
"smb": "auxiliary/scanner/smb/smb_version",
|
|
344
|
+
"http": "auxiliary/scanner/http/http_version",
|
|
345
|
+
"https": "auxiliary/scanner/http/http_version",
|
|
346
|
+
"ftp": "auxiliary/scanner/ftp/ftp_version",
|
|
347
|
+
"mysql": "auxiliary/scanner/mysql/mysql_version",
|
|
348
|
+
"postgresql": "auxiliary/scanner/postgres/postgres_version",
|
|
349
|
+
"mssql": "auxiliary/scanner/mssql/mssql_ping",
|
|
320
350
|
}
|
|
321
351
|
|
|
322
352
|
return scanner_map.get(service_name)
|
|
@@ -326,48 +356,56 @@ class MSFChainEngine:
|
|
|
326
356
|
modules = []
|
|
327
357
|
|
|
328
358
|
for service in services:
|
|
329
|
-
service_name = service.get(
|
|
359
|
+
service_name = service.get("service_name", "").lower()
|
|
330
360
|
|
|
331
361
|
# Add service-specific vuln scanners
|
|
332
|
-
if service_name ==
|
|
333
|
-
modules.append(
|
|
334
|
-
|
|
335
|
-
|
|
336
|
-
|
|
337
|
-
|
|
362
|
+
if service_name == "smb":
|
|
363
|
+
modules.append(
|
|
364
|
+
{
|
|
365
|
+
"module": "auxiliary/scanner/smb/smb_ms17_010",
|
|
366
|
+
"description": "Check for MS17-010 (EternalBlue)",
|
|
367
|
+
"risk": "safe",
|
|
368
|
+
}
|
|
369
|
+
)
|
|
338
370
|
|
|
339
371
|
return modules
|
|
340
372
|
|
|
341
|
-
def _build_exploitation_phase_for_host(
|
|
373
|
+
def _build_exploitation_phase_for_host(
|
|
374
|
+
self, host_id: int, services: List[Dict]
|
|
375
|
+
) -> List[Dict]:
|
|
342
376
|
"""Build exploitation modules for a specific host."""
|
|
343
377
|
exploits = []
|
|
344
378
|
|
|
345
379
|
for service in services:
|
|
346
|
-
service_id = service.get(
|
|
347
|
-
service_name = service.get(
|
|
348
|
-
version = service.get(
|
|
380
|
+
service_id = service.get("id")
|
|
381
|
+
service_name = service.get("service_name", "")
|
|
382
|
+
version = service.get("service_version", "")
|
|
349
383
|
|
|
350
384
|
# Get exploit recommendations
|
|
351
385
|
recommendations = self.module_selector.get_recommendations_for_service(
|
|
352
386
|
service=service_name,
|
|
353
387
|
version=version,
|
|
354
388
|
engagement_id=self.engagement_id,
|
|
355
|
-
include_cve_matches=True
|
|
389
|
+
include_cve_matches=True,
|
|
356
390
|
)
|
|
357
391
|
|
|
358
392
|
# Filter to exploits
|
|
359
|
-
exploit_mods = [
|
|
393
|
+
exploit_mods = [
|
|
394
|
+
r for r in recommendations if r.get("category") == "exploit"
|
|
395
|
+
]
|
|
360
396
|
|
|
361
397
|
for exploit in exploit_mods:
|
|
362
|
-
exploits.append(
|
|
363
|
-
|
|
364
|
-
|
|
365
|
-
|
|
366
|
-
|
|
367
|
-
|
|
398
|
+
exploits.append(
|
|
399
|
+
{
|
|
400
|
+
"module": exploit.get("path"),
|
|
401
|
+
"score": exploit.get("score", 0),
|
|
402
|
+
"cves": exploit.get("cve", []),
|
|
403
|
+
"reliability": exploit.get("reliability", "unknown"),
|
|
404
|
+
}
|
|
405
|
+
)
|
|
368
406
|
|
|
369
407
|
# Sort by score
|
|
370
|
-
exploits.sort(key=lambda x: x.get(
|
|
408
|
+
exploits.sort(key=lambda x: x.get("score", 0), reverse=True)
|
|
371
409
|
|
|
372
410
|
return exploits
|
|
373
411
|
|
|
@@ -376,36 +414,42 @@ class MSFChainEngine:
|
|
|
376
414
|
modules = []
|
|
377
415
|
|
|
378
416
|
# OS-specific modules
|
|
379
|
-
os_type = host.get(
|
|
380
|
-
|
|
381
|
-
if
|
|
382
|
-
modules.extend(
|
|
383
|
-
|
|
384
|
-
|
|
385
|
-
|
|
386
|
-
|
|
387
|
-
|
|
388
|
-
|
|
389
|
-
|
|
390
|
-
|
|
391
|
-
|
|
392
|
-
|
|
393
|
-
|
|
394
|
-
|
|
395
|
-
|
|
396
|
-
|
|
397
|
-
|
|
398
|
-
|
|
399
|
-
|
|
400
|
-
|
|
401
|
-
|
|
402
|
-
|
|
417
|
+
os_type = host.get("os", "unknown").lower()
|
|
418
|
+
|
|
419
|
+
if "windows" in os_type:
|
|
420
|
+
modules.extend(
|
|
421
|
+
[
|
|
422
|
+
{
|
|
423
|
+
"module": "post/windows/gather/hashdump",
|
|
424
|
+
"description": "Dump password hashes",
|
|
425
|
+
},
|
|
426
|
+
{
|
|
427
|
+
"module": "post/windows/gather/enum_patches",
|
|
428
|
+
"description": "Enumerate installed patches",
|
|
429
|
+
},
|
|
430
|
+
]
|
|
431
|
+
)
|
|
432
|
+
elif "linux" in os_type:
|
|
433
|
+
modules.extend(
|
|
434
|
+
[
|
|
435
|
+
{
|
|
436
|
+
"module": "post/linux/gather/hashdump",
|
|
437
|
+
"description": "Dump password hashes",
|
|
438
|
+
},
|
|
439
|
+
{
|
|
440
|
+
"module": "post/linux/gather/enum_system",
|
|
441
|
+
"description": "Enumerate system information",
|
|
442
|
+
},
|
|
443
|
+
]
|
|
444
|
+
)
|
|
403
445
|
|
|
404
446
|
# Universal modules
|
|
405
|
-
modules.append(
|
|
406
|
-
|
|
407
|
-
|
|
408
|
-
|
|
447
|
+
modules.append(
|
|
448
|
+
{
|
|
449
|
+
"module": "post/multi/recon/local_exploit_suggester",
|
|
450
|
+
"description": "Suggest privilege escalation exploits",
|
|
451
|
+
}
|
|
452
|
+
)
|
|
409
453
|
|
|
410
454
|
return modules
|
|
411
455
|
|
|
@@ -414,94 +458,88 @@ class MSFChainTemplates:
|
|
|
414
458
|
"""Pre-built attack chain templates for common scenarios."""
|
|
415
459
|
|
|
416
460
|
TEMPLATES = {
|
|
417
|
-
|
|
418
|
-
|
|
419
|
-
|
|
420
|
-
|
|
461
|
+
"windows_domain_takeover": {
|
|
462
|
+
"name": "Windows Domain Takeover",
|
|
463
|
+
"description": "Progressive attack to compromise AD domain",
|
|
464
|
+
"phases": [
|
|
421
465
|
{
|
|
422
|
-
|
|
423
|
-
|
|
424
|
-
|
|
425
|
-
|
|
426
|
-
|
|
427
|
-
]
|
|
466
|
+
"name": "Initial Foothold",
|
|
467
|
+
"modules": [
|
|
468
|
+
"auxiliary/scanner/smb/smb_ms17_010",
|
|
469
|
+
"exploit/windows/smb/ms17_010_eternalblue",
|
|
470
|
+
"auxiliary/scanner/smb/smb_enumshares",
|
|
471
|
+
],
|
|
428
472
|
},
|
|
429
473
|
{
|
|
430
|
-
|
|
431
|
-
|
|
432
|
-
|
|
433
|
-
|
|
434
|
-
|
|
474
|
+
"name": "Credential Harvesting",
|
|
475
|
+
"modules": [
|
|
476
|
+
"post/windows/gather/hashdump",
|
|
477
|
+
"post/windows/gather/credentials/credential_collector",
|
|
478
|
+
"post/windows/gather/cachedump",
|
|
435
479
|
],
|
|
436
|
-
|
|
480
|
+
"triggers": ["session_obtained"],
|
|
437
481
|
},
|
|
438
482
|
{
|
|
439
|
-
|
|
440
|
-
|
|
441
|
-
|
|
442
|
-
|
|
483
|
+
"name": "Lateral Movement",
|
|
484
|
+
"modules": [
|
|
485
|
+
"exploit/windows/smb/psexec",
|
|
486
|
+
"exploit/windows/local/bypassuac",
|
|
443
487
|
],
|
|
444
|
-
|
|
445
|
-
}
|
|
446
|
-
]
|
|
488
|
+
"triggers": ["credentials_obtained"],
|
|
489
|
+
},
|
|
490
|
+
],
|
|
447
491
|
},
|
|
448
|
-
|
|
449
|
-
|
|
450
|
-
|
|
451
|
-
|
|
492
|
+
"linux_privilege_escalation": {
|
|
493
|
+
"name": "Linux Privilege Escalation Chain",
|
|
494
|
+
"description": "Escalate from user to root on Linux",
|
|
495
|
+
"phases": [
|
|
452
496
|
{
|
|
453
|
-
|
|
454
|
-
|
|
455
|
-
'auxiliary/scanner/ssh/ssh_login'
|
|
456
|
-
]
|
|
497
|
+
"name": "Initial Access",
|
|
498
|
+
"modules": ["auxiliary/scanner/ssh/ssh_login"],
|
|
457
499
|
},
|
|
458
500
|
{
|
|
459
|
-
|
|
460
|
-
|
|
461
|
-
|
|
462
|
-
|
|
463
|
-
|
|
501
|
+
"name": "Enumeration",
|
|
502
|
+
"modules": [
|
|
503
|
+
"post/linux/gather/enum_system",
|
|
504
|
+
"post/linux/gather/checkvm",
|
|
505
|
+
"post/linux/gather/enum_configs",
|
|
464
506
|
],
|
|
465
|
-
|
|
507
|
+
"triggers": ["session_obtained"],
|
|
466
508
|
},
|
|
467
509
|
{
|
|
468
|
-
|
|
469
|
-
|
|
470
|
-
|
|
471
|
-
|
|
472
|
-
|
|
510
|
+
"name": "Privilege Escalation",
|
|
511
|
+
"modules": [
|
|
512
|
+
"exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec",
|
|
513
|
+
"exploit/linux/local/sudo_baron_samedit",
|
|
514
|
+
"post/multi/recon/local_exploit_suggester",
|
|
473
515
|
],
|
|
474
|
-
|
|
475
|
-
}
|
|
476
|
-
]
|
|
516
|
+
"triggers": ["user_session_obtained"],
|
|
517
|
+
},
|
|
518
|
+
],
|
|
477
519
|
},
|
|
478
|
-
|
|
479
|
-
|
|
480
|
-
|
|
481
|
-
|
|
520
|
+
"web_app_to_system": {
|
|
521
|
+
"name": "Web Application to System Access",
|
|
522
|
+
"description": "From web vuln to full system compromise",
|
|
523
|
+
"phases": [
|
|
482
524
|
{
|
|
483
|
-
|
|
484
|
-
|
|
485
|
-
|
|
486
|
-
|
|
487
|
-
]
|
|
525
|
+
"name": "Web Exploitation",
|
|
526
|
+
"modules": [
|
|
527
|
+
"auxiliary/scanner/http/dir_scanner",
|
|
528
|
+
"exploit/multi/http/php_cgi_arg_injection",
|
|
529
|
+
],
|
|
488
530
|
},
|
|
489
531
|
{
|
|
490
|
-
|
|
491
|
-
|
|
492
|
-
|
|
493
|
-
],
|
|
494
|
-
'triggers': ['web_access_obtained']
|
|
532
|
+
"name": "Reverse Shell",
|
|
533
|
+
"modules": ["payload/php/meterpreter/reverse_tcp"],
|
|
534
|
+
"triggers": ["web_access_obtained"],
|
|
495
535
|
},
|
|
496
536
|
{
|
|
497
|
-
|
|
498
|
-
|
|
499
|
-
|
|
500
|
-
|
|
501
|
-
|
|
502
|
-
|
|
503
|
-
]
|
|
504
|
-
}
|
|
537
|
+
"name": "Privilege Escalation",
|
|
538
|
+
"modules": ["post/multi/recon/local_exploit_suggester"],
|
|
539
|
+
"triggers": ["shell_obtained"],
|
|
540
|
+
},
|
|
541
|
+
],
|
|
542
|
+
},
|
|
505
543
|
}
|
|
506
544
|
|
|
507
545
|
@classmethod
|