souleyez 2.43.2__tar.gz → 2.43.16__tar.gz

{souleyez-2.43.2/souleyez.egg-info → souleyez-2.43.16}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: souleyez
-Version: 2.43.2
+Version: 2.43.16
 Summary: AI-Powered Penetration Testing Platform with 40+ integrated tools
 Author-email: CyberSoul Security <contact@cybersoulsecurity.com>
 Maintainer-email: CyberSoul Security <contact@cybersoulsecurity.com>

{souleyez-2.43.2 → souleyez-2.43.16}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "souleyez"
-version = "2.43.2"
+version = "2.43.16"
 description = "AI-Powered Penetration Testing Platform with 40+ integrated tools"
 readme = "README.md"
 license = {text = "MIT"}

souleyez-2.43.16/souleyez/__init__.py

@@ -0,0 +1,2 @@
+__version__ = '2.43.16'
+

{souleyez-2.43.2 → souleyez-2.43.16}/souleyez/core/tool_chaining.py

@@ -4451,6 +4451,58 @@ class ToolChaining:
                         return job_ids
                 # === END Wildcard Auto-Retry ===
 
+                # === Host Redirect Auto-Retry Logic ===
+                # If gobuster detected a host-level redirect (e.g., non-www to www), auto-retry with corrected target
+                if parse_results.get('host_redirect_detected') and parse_results.get('redirect_target'):
+                    # Check if this is already a retry attempt (prevent loops)
+                    is_retry = job.get('metadata', {}).get('redirect_retry', False)
+
+                    if not is_retry:
+                        redirect_target = parse_results['redirect_target']
+                        original_target = target
+                        logger.info(f"🔄 Host redirect detected ({original_target} → {redirect_target}), creating auto-retry with corrected target")
+
+                        # Get original args and update the -u parameter with new target
+                        args = job.get('args', [])
+                        retry_args = []
+                        for i, arg in enumerate(args):
+                            if arg == '-u' and i + 1 < len(args):
+                                # Next arg is the URL, replace it
+                                retry_args.append(arg)
+                                retry_args.append(redirect_target)
+                                # Skip the next iteration since we handled it
+                            elif i > 0 and args[i - 1] == '-u':
+                                # This is the URL after -u, skip it (already handled)
+                                continue
+                            else:
+                                # Replace <target> placeholder if present
+                                retry_args.append(arg.replace(original_target, redirect_target) if original_target in arg else arg)
+
+                        # Build retry job command with corrected target
+                        retry_command = {
+                            'tool': 'gobuster',
+                            'target': redirect_target,
+                            'args': retry_args,
+                            'reason': f'Auto-retry: gobuster (host redirect detected: {original_target} → {redirect_target})',
+                            'metadata': {
+                                'redirect_retry': True,
+                                'retry_parent_job_id': job.get('id'),
+                                'original_target': original_target,
+                                'redirect_target': redirect_target
+                            }
+                        }
+
+                        # Enqueue the retry job
+                        retry_job_ids = self._enqueue_commands([retry_command], tool, engagement_id, redirect_target, parent_job_id=job.get('id'))
+                        if retry_job_ids:
+                            job_ids.extend(retry_job_ids)
+                            logger.info(f"✓ Retry job created with corrected target: {redirect_target}")
+
+                        # Skip further processing of this redirect scan
+                        # Let the retry job complete and process properly
+                        return job_ids
+                # === END Host Redirect Auto-Retry ===
+
                 # PHP/ASP files found → trigger SQLMap intelligently
                 # High-value targets get direct testing, others get base URL crawl
                 php_files = parse_results.get('php_files', [])
@@ -5041,6 +5093,57 @@ class ToolChaining:
                 return job_ids
             # === END Gobuster wildcard retry ===
 
+            # === Special handling for Gobuster host redirect retry ===
+            if tool == 'gobuster' and parse_results.get('host_redirect_detected'):
+                # Gobuster detected host-level redirect, auto-retry with corrected target
+                from souleyez.engine.background import enqueue_job
+                from souleyez.log_config import get_logger
+                logger = get_logger(__name__)
+
+                # Check if this is already a redirect retry (prevent loops)
+                is_redirect_retry = job.get('metadata', {}).get('redirect_retry', False)
+                if is_redirect_retry:
+                    logger.info(f"Gobuster host redirect: Already attempted redirect retry, skipping")
+                    return job_ids
+
+                # Get the redirect target
+                redirect_target = parse_results.get('redirect_target')
+                if not redirect_target:
+                    logger.warning(f"Gobuster host redirect detected but no redirect_target found")
+                    return job_ids
+
+                original_target = target
+                logger.info(f"Gobuster host redirect: Auto-retrying with corrected target {redirect_target}")
+
+                # Get original args and update the -u parameter with new target
+                job_args = job.get('args', [])
+                retry_args = []
+                for i, arg in enumerate(job_args):
+                    if arg == '-u' and i + 1 < len(job_args):
+                        retry_args.append(arg)
+                        retry_args.append(redirect_target)
+                    elif i > 0 and job_args[i - 1] == '-u':
+                        continue
+                    else:
+                        retry_args.append(arg.replace(original_target, redirect_target) if original_target in arg else arg)
+
+                retry_job_id = enqueue_job(
+                    tool='gobuster',
+                    target=redirect_target,
+                    args=retry_args,
+                    label=f"Auto-retry: gobuster (redirect → {redirect_target})",
+                    engagement_id=engagement_id,
+                    parent_id=job.get('id'),
+                    reason=f"Auto-triggered by gobuster: Host redirect detected ({original_target} → {redirect_target})",
+                    metadata={'redirect_retry': True, 'retry_parent_job_id': job.get('id'), 'original_target': original_target}
+                )
+
+                job_ids.append(retry_job_id)
+                logger.info(f"Created gobuster redirect retry job #{retry_job_id}")
+
+                return job_ids
+            # === END Gobuster host redirect retry ===
+
             # === Special handling for ffuf: Create SQLMap jobs and recursive ffuf scans ===
             if tool == 'ffuf':
                 from souleyez.engine.background import enqueue_job

{souleyez-2.43.2 → souleyez-2.43.16}/souleyez/docs/README.md

@@ -1,7 +1,7 @@
 # SoulEyez Documentation
 
-**Version:** 2.43.2
-**Last Updated:** January 11, 2026
+**Version:** 2.43.16
+**Last Updated:** January 12, 2026
 **Organization:** CyberSoul Security
 
 Welcome to the SoulEyez documentation! This documentation covers architecture, development, user guides, and operational information for the SoulEyez penetration testing platform.

{souleyez-2.43.2 → souleyez-2.43.16}/souleyez/engine/background.py

@@ -1395,7 +1395,8 @@ def _is_true_error_exit_code(rc: int, tool: str) -> bool:
     # Parser will determine the actual status based on output
     # msf_exploit returns 1 when no session opened (exploit ran but target not vulnerable)
     # nikto returns non-zero when it finds vulnerabilities (not an error!)
-    tools_with_nonzero_success = ['gobuster', 'hydra', 'medusa', 'msf_exploit', 'nikto']
+    # dnsrecon returns 1 when crt.sh lookup fails (known bug) but still collects valid DNS data
+    tools_with_nonzero_success = ['gobuster', 'hydra', 'medusa', 'msf_exploit', 'nikto', 'dnsrecon']
 
     if tool.lower() in tools_with_nonzero_success:
         # Let parser determine status

{souleyez-2.43.2 → souleyez-2.43.16}/souleyez/engine/result_handler.py

@@ -1218,12 +1218,27 @@ def parse_gobuster_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -
                 exclude_length = length_match.group(1)
                 logger.info(f"Gobuster wildcard detected: Length {exclude_length}b")
 
+        # Check for host-level redirect (for auto-retry with corrected target)
+        host_redirect_detected = False
+        redirect_target = None
+
+        if "HOST_REDIRECT_TARGET:" in log_content:
+            host_redirect_detected = True
+            import re
+            redirect_match = re.search(r'HOST_REDIRECT_TARGET:\s*(\S+)', log_content)
+            if redirect_match:
+                redirect_target = redirect_match.group(1)
+                logger.info(f"Gobuster host redirect detected: {redirect_target}")
+
         # Check for gobuster errors
         gobuster_error = detect_tool_error(log_content, 'gobuster')
 
         # Determine status based on results
         if gobuster_error:
             status = STATUS_ERROR  # Tool failed to connect
+        elif host_redirect_detected:
+            # Host redirect detected - warning status (triggers auto-retry with corrected target)
+            status = STATUS_WARNING
         elif wildcard_detected:
             # Wildcard detected - warning status (triggers auto-retry)
             status = STATUS_WARNING
@@ -1255,6 +1270,12 @@ def parse_gobuster_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -
             if exclude_length:
                 result['exclude_length'] = exclude_length
 
+        # Add host redirect info if detected
+        if host_redirect_detected:
+            result['host_redirect_detected'] = True
+            if redirect_target:
+                result['redirect_target'] = redirect_target
+
         return result
     except Exception as e:
         return {'error': str(e)}
@@ -2643,6 +2664,12 @@ def parse_nuclei_job(engagement_id: int, log_path: str, job: Dict[str, Any]) ->
             'info': parsed.get('info', 0)
         }
     except Exception as e:
+        logger.error("parse_nuclei_job exception", extra={
+            "error": str(e),
+            "error_type": type(e).__name__,
+            "target": job.get('target', ''),
+            "job_id": job.get('id')
+        })
         return {'error': str(e)}
 
 
@@ -3285,9 +3312,12 @@ def parse_http_fingerprint_job(engagement_id: int, log_path: str, job: Dict[str,
         # Get tool recommendations
         recommendations = get_tool_recommendations(parsed)
 
-        # Determine status
+        # Determine status and build summary
+        summary_parts = []
+
         if parsed.get('error'):
             status = STATUS_ERROR
+            summary_parts.append(f"Error: {parsed.get('error')}")
         elif parsed.get('managed_hosting') or parsed.get('waf') or parsed.get('cdn'):
             status = STATUS_DONE  # Found useful info
         elif parsed.get('server'):
@@ -3295,11 +3325,31 @@ def parse_http_fingerprint_job(engagement_id: int, log_path: str, job: Dict[str,
         else:
             status = STATUS_NO_RESULTS
 
+        # Build summary for successful scans
+        if not parsed.get('error'):
+            if parsed.get('server'):
+                summary_parts.append(f"Server: {parsed.get('server')}")
+            if parsed.get('managed_hosting'):
+                summary_parts.append(f"Platform: {parsed.get('managed_hosting')}")
+            if parsed.get('waf'):
+                summary_parts.append(f"WAF: {', '.join(parsed.get('waf', []))}")
+            if parsed.get('cdn'):
+                summary_parts.append(f"CDN: {', '.join(parsed.get('cdn', []))}")
+            if parsed.get('technologies'):
+                techs = parsed.get('technologies', [])
+                if len(techs) <= 3:
+                    summary_parts.append(f"Tech: {', '.join(techs)}")
+                else:
+                    summary_parts.append(f"Tech: {', '.join(techs[:3])} +{len(techs)-3} more")
+
+        summary = ' | '.join(summary_parts) if summary_parts else 'No fingerprint data detected'
+
         return {
             'tool': 'http_fingerprint',
             'status': status,
             'target': target,
             'target_host': target_host,
+            'summary': summary,
             # Core fingerprint data
             'server': parsed.get('server'),
             'managed_hosting': parsed.get('managed_hosting'),

{souleyez-2.43.2 → souleyez-2.43.16}/souleyez/main.py

@@ -173,7 +173,7 @@ def _check_privileged_tools():
 
 
 @click.group()
-@click.version_option(version='2.43.2')
+@click.version_option(version='2.43.16')
 def cli():
     """SoulEyez - AI-Powered Pentesting Platform by CyberSoul Security"""
     from souleyez.log_config import init_logging

{souleyez-2.43.2 → souleyez-2.43.16}/souleyez/parsers/dnsrecon_parser.py

@@ -57,7 +57,8 @@ def parse_dnsrecon_output(output: str, target: str = "") -> Dict[str, Any]:
             continue
 
         # Parse DNS records from dnsrecon output
-        # Old format: [*]   A cybersoulsecurity.com 198.185.159.144
+        # Format: [*]   A cybersoulsecurity.com 198.185.159.144 (info)
+        # Format: [+]   A www.vulnweb.com 44.228.249.3 (found records)
         # New format: 2026-01-08T13:50:16.302153-1000 INFO      SOA dns1.p01.nsone.net 198.51.44.1
         # New format: 2026-01-08T13:50:17.112742-1000 INFO      NS dns4.p01.nsone.net 198.51.45.65
 
@@ -65,8 +66,9 @@ def parse_dnsrecon_output(output: str, target: str = "") -> Dict[str, Any]:
         hostname = None
         ip = None
 
-        if line_stripped.startswith('[*]'):
-            # Old format: [*] <type> <hostname> <ip>
+        if line_stripped.startswith('[*]') or line_stripped.startswith('[+]'):
+            # Format: [*] or [+] <type> <hostname> <ip>
+            # [*] = informational, [+] = found/success
             parts = line_stripped.split()
             if len(parts) >= 4:
                 record_type = parts[1]

{souleyez-2.43.2 → souleyez-2.43.16}/souleyez/plugins/gobuster.py

@@ -239,18 +239,25 @@ class GobusterPlugin(PluginBase):
         This causes gobuster to fail or produce false positives. We detect this
         upfront and auto-add --exclude-length to filter them out.
 
+        Also detects host-level redirects (e.g., non-www to www) and warns the user.
+
         Returns:
             dict with keys:
                 - exclude_length: str or None (response length to exclude)
                 - exclude_status: str or None (status code detected)
                 - reason: str or None (explanation)
+                - redirect_host: str or None (suggested target if host redirect detected)
         """
-        result = {'exclude_length': None, 'exclude_status': None, 'reason': None}
+        result = {'exclude_length': None, 'exclude_status': None, 'reason': None, 'redirect_host': None}
 
         # Generate random UUID path that definitely doesn't exist
         test_path = str(uuid.uuid4())
         test_url = f"{base_url.rstrip('/')}/{test_path}"
 
+        # Parse the original target host for comparison
+        original_parsed = urlparse(base_url)
+        original_host = original_parsed.netloc.lower()
+
         try:
             resp = requests.get(
                 test_url,
@@ -263,6 +270,46 @@ class GobusterPlugin(PluginBase):
             if resp.status_code == 404:
                 return result
 
+            # Check for host-level redirects (301/302/307/308)
+            if resp.status_code in [301, 302, 307, 308]:
+                location = resp.headers.get('Location', '')
+                if location:
+                    # Parse the redirect location
+                    redirect_parsed = urlparse(location)
+                    redirect_host = redirect_parsed.netloc.lower()
+
+                    # If Location is relative, it's not a host redirect
+                    if redirect_host and redirect_host != original_host:
+                        # This is a host-level redirect (e.g., non-www to www)
+                        suggested_url = f"{redirect_parsed.scheme or original_parsed.scheme}://{redirect_host}"
+                        result['redirect_host'] = suggested_url
+                        result['exclude_status'] = str(resp.status_code)
+                        result['reason'] = (
+                            f"Host redirect detected: {original_host} → {redirect_host}"
+                        )
+
+                        if log_path:
+                            with open(log_path, 'a') as f:
+                                f.write(f"\n{'=' * 70}\n")
+                                f.write("⚠️  HOST-LEVEL REDIRECT DETECTED\n")
+                                f.write(f"{'=' * 70}\n")
+                                f.write(f"Target: {base_url}\n")
+                                f.write(f"Redirects to: {redirect_host}\n")
+                                f.write(f"Status: {resp.status_code}\n\n")
+                                f.write("The server redirects ALL requests to a different host.\n")
+                                f.write("This causes unreliable results because:\n")
+                                f.write("  - Response sizes vary based on path length in redirect URL\n")
+                                f.write("  - Gobuster may report false positives or miss real paths\n\n")
+                                # Parseable marker for auto-retry
+                                f.write(f"HOST_REDIRECT_TARGET: {suggested_url}\n\n")
+                                f.write("Auto-retrying with corrected target...\n")
+                                f.write(f"{'=' * 70}\n\n")
+
+                        # Still try to exclude the response length for this scan
+                        content_length = len(resp.content)
+                        result['exclude_length'] = str(content_length)
+                        return result
+
             # Any other status for a random UUID = false positive indicator
             # Common: 403 (blocked), 401 (auth required), 200 (catch-all), 500 (error page)
             if resp.status_code in [200, 301, 302, 400, 401, 403, 500, 503]:

{souleyez-2.43.2 → souleyez-2.43.16}/souleyez/plugins/http_fingerprint.py

@@ -334,6 +334,10 @@ class HttpFingerprintPlugin(PluginBase):
 
         is_https = parsed.scheme == 'https'
 
+        # Check if target is an IP address (for special handling)
+        import re
+        is_ip_target = bool(re.match(r'^(\d{1,3}\.){3}\d{1,3}$', parsed.hostname or ''))
+
         # Create request with common browser headers
         req = urllib.request.Request(
             url,
@@ -346,14 +350,15 @@ class HttpFingerprintPlugin(PluginBase):
             }
         )
 
+        # Always create SSL context with verification disabled
+        # This handles: 1) HTTPS targets, 2) HTTP->HTTPS redirects, 3) IP targets with invalid certs
+        ctx = ssl.create_default_context()
+        ctx.check_hostname = False
+        ctx.verify_mode = ssl.CERT_NONE
+
         try:
-            # Create SSL context for HTTPS
+            # Get TLS info for HTTPS targets
             if is_https:
-                ctx = ssl.create_default_context()
-                ctx.check_hostname = False
-                ctx.verify_mode = ssl.CERT_NONE
-
-                # Get TLS info
                 try:
                     with socket.create_connection((parsed.hostname, parsed.port or 443), timeout=timeout) as sock:
                         with ctx.wrap_socket(sock, server_hostname=parsed.hostname) as ssock:
@@ -368,9 +373,8 @@ class HttpFingerprintPlugin(PluginBase):
                 except Exception:
                     pass  # TLS info is optional
 
-                response = urllib.request.urlopen(req, timeout=timeout, context=ctx)  # nosec B310 - scheme validated above
-            else:
-                response = urllib.request.urlopen(req, timeout=timeout)  # nosec B310 - scheme validated above
+            # Always pass SSL context (handles HTTP->HTTPS redirects)
+            response = urllib.request.urlopen(req, timeout=timeout, context=ctx)  # nosec B310 - scheme validated above
 
             result['status_code'] = response.getcode()
 

{souleyez-2.43.2 → souleyez-2.43.16}/souleyez/storage/engagements.py

@@ -125,8 +125,12 @@ class EngagementManager:
             # File contains invalid data, reset to default
             pass
 
-        # Reset to default engagement
-        default_id = self.create("default", "Default engagement")
+        # Reset to default engagement - use existing or create new
+        default_eng = self.get("default")
+        if default_eng:
+            default_id = default_eng['id']
+        else:
+            default_id = self.create("default", "Default engagement")
         self.set_current("default")
         return self.get_by_id(default_id)
 

{souleyez-2.43.2 → souleyez-2.43.16}/souleyez/ui/dashboard.py

@@ -1392,9 +1392,20 @@ def render_active_jobs(width: int, engagement_id: Optional[int] = None):
             if engagement_id is not None and job_eng_id != engagement_id:
                 warning = click.style(" [!other]", fg='red')
 
-            job_line = f"  [{jid:>3}] {tool:<10} {target:<30} {status_str:<18} {elapsed}{warning}"
+            # Check for scope warnings
+            job_warnings = job.get('metadata', {}).get('warnings', [])
+            scope_warning = any('SCOPE' in w for w in job_warnings)
+            scope_indicator = click.style("⚠ ", fg='yellow') if scope_warning else ""
+
+            job_line = f"  [{jid:>3}] {scope_indicator}{tool:<10} {target:<30} {status_str:<18} {elapsed}{warning}"
             lines.append(job_line)
 
+            # Show scope warning details on next line if present
+            if scope_warning:
+                for w in job_warnings:
+                    if 'SCOPE' in w:
+                        lines.append(click.style(f"        └─ {w}", fg='yellow'))
+
     return lines
 
 
@@ -3333,14 +3344,14 @@ def _show_dashboard_menu(engagement_id: int) -> str:
         click.echo(click.style("  📋 DOCUMENTATION", bold=True, fg='yellow'))
         click.echo("  " + "─" * 76)
         click.echo("    " + click.style("[e]", fg='yellow', bold=True) + " or " +
-                   click.style("[6]", fg='yellow') + "  📦 Evidence & Artifacts  - Screenshots, files, exports")
+                   click.style("[5]", fg='yellow') + "  📦 Evidence & Artifacts  - Screenshots, files, exports")
         click.echo("    " + click.style("[d]", fg='yellow', bold=True) + " or " +
-                   click.style("[7]", fg='yellow') + "  ✅ Deliverables          - Progress tracking, checklists")
+                   click.style("[6]", fg='yellow') + "  ✅ Deliverables          - Progress tracking, checklists")
 
         # Reports - Pro feature (show to all with appropriate badge)
         pro_badge_yellow = click.style("💎", fg='yellow') if is_pro_user else click.style("🔒 PRO", fg='yellow')
         click.echo("    " + click.style("[r]", fg='yellow', bold=True) + " or " +
-                   click.style("[8]", fg='yellow') + "  📄 Reports               " +
+                   click.style("[7]", fg='yellow') + "  📄 Reports               " +
                    pro_badge_yellow + " - Generate & export reports")
         click.echo()
 
@@ -3348,30 +3359,30 @@ def _show_dashboard_menu(engagement_id: int) -> str:
         click.echo(click.style("  📊 DATA MANAGEMENT (Deep Dive)", bold=True, fg='green'))
         click.echo("  " + "─" * 76)
         click.echo("    " + click.style("[h]", fg='cyan', bold=True) + " or " +
-                   click.style("[9]", fg='cyan') + "   🎯 Hosts             - Discovered hosts, tags, filtering")
+                   click.style("[8]", fg='cyan') + "   🎯 Hosts             - Discovered hosts, tags, filtering")
         click.echo("    " + click.style("[v]", fg='cyan', bold=True) + " or " +
-                   click.style("[10]", fg='cyan') + "  🔌 Services          - Open ports, service enumeration")
+                   click.style("[9]", fg='cyan') + "   🔌 Services          - Open ports, service enumeration")
         click.echo("    " + click.style("[f]", fg='cyan', bold=True) + " or " +
-                   click.style("[11]", fg='cyan') + "  🔍 Findings          - All vulnerabilities (detailed view)")
+                   click.style("[10]", fg='cyan') + "  🔍 Findings          - All vulnerabilities (detailed view)")
         click.echo("    " + click.style("[c]", fg='cyan', bold=True) + " or " +
-                   click.style("[12]", fg='cyan') + "  🔑 Credentials       - Discovered users, passwords, hashes")
+                   click.style("[11]", fg='cyan') + "  🔑 Credentials       - Discovered users, passwords, hashes")
         click.echo()
         click.echo("    " + click.style("[b]", fg='cyan', bold=True) + " or " +
-                   click.style("[13]", fg='cyan') + "  🌐 Web Paths         - Directory enumeration results")
+                   click.style("[12]", fg='cyan') + "  🌐 Web Paths         - Directory enumeration results")
         click.echo("    " + click.style("[n]", fg='cyan', bold=True) + " or " +
-                   click.style("[14]", fg='cyan') + "  📁 SMB Shares        - SMB enumeration, accessible shares")
+                   click.style("[13]", fg='cyan') + "  📁 SMB Shares        - SMB enumeration, accessible shares")
         click.echo("    " + click.style("[l]", fg='cyan', bold=True) + " or " +
-                   click.style("[15]", fg='cyan') + "  💉 SQLMap Intelligence - Deduplicated injections, high-value tables")
+                   click.style("[14]", fg='cyan') + "  💉 SQLMap Intelligence - Deduplicated injections, high-value tables")
         click.echo("    " + click.style("[p]", fg='cyan', bold=True) + " or " +
-                   click.style("[16]", fg='cyan') + "  🔌 WordPress Data     - WPScan vulnerabilities")
+                   click.style("[15]", fg='cyan') + "  🔌 WordPress Data     - WPScan vulnerabilities")
         click.echo("    " + click.style("[o]", fg='cyan', bold=True) + " or " +
-                   click.style("[17]", fg='cyan') + "  💣 Exploits           - SearchSploit exploit database")
+                   click.style("[16]", fg='cyan') + "  💣 Exploits           - SearchSploit exploit database")
         click.echo("    " + click.style("[t]", fg='cyan', bold=True) + " or " +
-                   click.style("[18]", fg='cyan') + "  🔍 OSINT/Discovery    - DNS, WHOIS, emails, infrastructure")
+                   click.style("[17]", fg='cyan') + "  🔍 OSINT/Discovery    - DNS, WHOIS, emails, infrastructure")
         click.echo()
 
         click.echo("    " + click.style("[q]", fg='red', bold=True) + " or " +
-                   click.style("[19]", fg='red') + "  ← Return to Command Center")
+                   click.style("[18]", fg='red') + "  ← Return to Command Center")
         click.echo()
 
         # Footer instructions
@@ -3414,6 +3425,11 @@ def _show_dashboard_menu(engagement_id: int) -> str:
 
             # Intelligence Section (Consolidated - 3 items)
             elif action == 'intelligence_hub':
+                # Pro feature - check tier
+                if not is_pro_user:
+                    from souleyez.ui.interactive import _show_upgrade_prompt
+                    _show_upgrade_prompt("Intelligence Hub")
+                    continue
                 # Unified Intelligence Hub (was Attack Correlation)
                 from souleyez.ui.attack_surface import view_attack_surface
                 view_attack_surface(engagement_id)