zen-ai-pentest 2.0.0__py3-none-any.whl

modules/cve_database.py

@@ -0,0 +1,362 @@
+#!/usr/bin/env python3
+"""
+CVE Database Module
+Comprehensive CVE database with ransomware and exploit information
+Author: SHAdd0WTAka
+"""
+
+import json
+import logging
+import os
+from dataclasses import dataclass
+from datetime import datetime
+from typing import Any, Dict, List, Optional
+
+logger = logging.getLogger("ZenAI")
+
+
+@dataclass
+class CVEEntry:
+    """CVE Entry data class"""
+
+    cve_id: str
+    name: str
+    cvss_score: float
+    severity: str
+    description: str
+    affected_products: List[str]
+    exploits: List[str]
+    patches: List[str]
+    mitigations: List[str]
+    detection_methods: List[str]
+    ransomware_used_by: List[str] = None
+    ioc: Dict = None
+
+
+@dataclass
+class RansomwareEntry:
+    """Ransomware entry"""
+
+    name: str
+    first_seen: str
+    type: str
+    description: str
+    cves: List[str]
+    file_extensions: List[str]
+    ransom_note: str
+    ioc: Dict
+    mitigation: List[str]
+    detection: List[str]
+    decryptable: bool
+    estimated_damage: int = 0
+
+
+class CVEDatabase:
+    """
+    Comprehensive CVE and Ransomware Database
+    """
+
+    def __init__(self, orchestrator=None):
+        self.orchestrator = orchestrator
+        self.db_path = "data/cve_db"
+        self.ransomware_data = {}
+        self.cve_data = {}
+        self.exploit_chains = {}
+
+        self._load_databases()
+
+    def _load_databases(self):
+        """Load all database files"""
+        # Load ransomware database
+        ransomware_file = os.path.join(self.db_path, "ransomware_cves.json")
+        if os.path.exists(ransomware_file):
+            try:
+                with open(ransomware_file, "r") as f:
+                    data = json.load(f)
+                    self.ransomware_data = data.get("ransomware_campaigns", {})
+                    self.cve_data = data.get("critical_historical_cves", {})
+                    self.exploit_chains = data.get("common_exploit_chains", {})
+                logger.info(
+                    f"[CVE DB] Loaded {len(self.ransomware_data)} ransomware entries, {len(self.cve_data)} CVEs"
+                )
+            except Exception as e:
+                logger.error(f"[CVE DB] Error loading database: {e}")
+
+    def search_cve(self, cve_id: str) -> Optional[CVEEntry]:
+        """Search for a specific CVE"""
+        cve_id = cve_id.upper()
+
+        if cve_id in self.cve_data:
+            data = self.cve_data[cve_id]
+            return CVEEntry(
+                cve_id=cve_id,
+                name=data.get("name", ""),
+                cvss_score=data.get("cvss", 0.0),
+                severity=data.get("severity", "Unknown"),
+                description=data.get("description", ""),
+                affected_products=data.get("affected_products", []),
+                exploits=data.get("exploits", []),
+                patches=[data.get("patch", "")] if data.get("patch") else [],
+                mitigations=data.get("mitigation", []),
+                detection_methods=data.get("detection", []),
+                ransomware_used_by=data.get("ransomware_used_by", []),
+            )
+        return None
+
+    def search_ransomware(self, name: str) -> Optional[RansomwareEntry]:
+        """Search for ransomware by name"""
+        name_lower = name.lower()
+
+        for key, data in self.ransomware_data.items():
+            if name_lower in key.lower() or name_lower in data.get("name", "").lower():
+                return RansomwareEntry(
+                    name=data.get("name", key),
+                    first_seen=data.get("first_seen", ""),
+                    type=data.get("type", ""),
+                    description=data.get("description", ""),
+                    cves=data.get("cves", []),
+                    file_extensions=data.get("file_extensions", []),
+                    ransom_note=data.get("ransom_note", ""),
+                    ioc=data.get("ioc", {}),
+                    mitigation=data.get("mitigation", []),
+                    detection=data.get("detection", []),
+                    decryptable=data.get("decryptable", False),
+                    estimated_damage=data.get("estimated_damage_usd", 0),
+                )
+        return None
+
+    def get_ransomware_by_cve(self, cve_id: str) -> List[str]:
+        """Find ransomware that uses a specific CVE"""
+        cve_id = cve_id.upper()
+        results = []
+
+        for key, data in self.ransomware_data.items():
+            if cve_id in data.get("cves", []):
+                results.append(data.get("name", key))
+
+        return results
+
+    def get_cves_by_severity(self, severity: str) -> List[CVEEntry]:
+        """Get all CVEs by severity level"""
+        results = []
+        severity = severity.capitalize()
+
+        for cve_id, data in self.cve_data.items():
+            if data.get("severity") == severity:
+                entry = self.search_cve(cve_id)
+                if entry:
+                    results.append(entry)
+
+        return results
+
+    def get_critical_cves(self) -> List[CVEEntry]:
+        """Get all critical CVEs"""
+        return self.get_cves_by_severity("Critical")
+
+    def get_ransomware_iocs(self, ransomware_name: str) -> Dict:
+        """Get IOCs for a specific ransomware"""
+        entry = self.search_ransomware(ransomware_name)
+        if entry:
+            return entry.ioc
+        return {}
+
+    def check_system_for_ransomware(self, indicators: Dict) -> List[Dict]:
+        """
+        Check system indicators against ransomware IOCs
+        indicators: dict with keys like 'files', 'registry', 'hashes', 'processes'
+        """
+        matches = []
+
+        for key, data in self.ransomware_data.items():
+            ransomware_name = data.get("name", key)
+            ioc = data.get("ioc", {})
+
+            match_score = 0
+            match_details = []
+
+            # Check file indicators
+            if "files" in indicators and "files" in ioc:
+                for file in indicators["files"]:
+                    for ioc_file in ioc["files"]:
+                        if (
+                            file.lower() in ioc_file.lower()
+                            or ioc_file.lower() in file.lower()
+                        ):
+                            match_score += 10
+                            match_details.append(f"File match: {file}")
+
+            # Check registry indicators
+            if "registry" in indicators and "registry" in ioc:
+                for reg in indicators["registry"]:
+                    for ioc_reg in ioc["registry"]:
+                        if reg.lower() in ioc_reg.lower():
+                            match_score += 10
+                            match_details.append(f"Registry match: {reg}")
+
+            # Check hashes
+            if "hashes" in indicators and "hashes" in ioc:
+                for hash_val in indicators["hashes"]:
+                    if hash_val.lower() in [h.lower() for h in ioc["hashes"]]:
+                        match_score += 50  # Hash match is strong indicator
+                        match_details.append(f"Hash match: {hash_val}")
+
+            # Check processes
+            if "processes" in indicators and "processes" in ioc:
+                for proc in indicators["processes"]:
+                    for ioc_proc in ioc["processes"]:
+                        if proc.lower() in ioc_proc.lower():
+                            match_score += 15
+                            match_details.append(f"Process match: {proc}")
+
+            if match_score >= 20:
+                matches.append(
+                    {
+                        "ransomware": ransomware_name,
+                        "confidence": min(match_score, 100),
+                        "indicators": match_details,
+                        "recommendation": "Isolate system immediately and initiate incident response",
+                    }
+                )
+
+        return sorted(matches, key=lambda x: x["confidence"], reverse=True)
+
+    async def analyze_vulnerability_for_ransomware_risk(self, cve_id: str) -> Dict:
+        """Analyze if a CVE is commonly used by ransomware"""
+        cve_id = cve_id.upper()
+        entry = self.search_cve(cve_id)
+
+        if not entry:
+            return {"error": f"CVE {cve_id} not found"}
+
+        ransomware_list = entry.ransomware_used_by or []
+        risk_level = "High" if len(ransomware_list) > 0 else entry.severity
+
+        analysis = {
+            "cve_id": cve_id,
+            "cvss_score": entry.cvss_score,
+            "severity": entry.severity,
+            "ransomware_associated": ransomware_list,
+            "ransomware_risk": risk_level,
+            "mitigation_priority": "Critical" if ransomware_list else entry.severity,
+            "recommended_actions": entry.mitigations,
+        }
+
+        # Add LLM analysis if orchestrator available
+        if self.orchestrator and ransomware_list:
+            prompt = f"""
+Analyze CVE {cve_id} which is used by ransomware: {', '.join(ransomware_list)}
+
+Provide:
+1. Why this CVE is attractive to ransomware operators
+2. Historical context of attacks
+3. Specific recommendations for ransomware prevention
+4. Detection strategies beyond patching
+"""
+            llm_response = await self.orchestrator.process(prompt)
+            analysis["ai_analysis"] = llm_response.content
+
+        return analysis
+
+    def get_exploit_chain(self, chain_name: str) -> Optional[Dict]:
+        """Get a specific exploit chain"""
+        for key, data in self.exploit_chains.items():
+            if (
+                chain_name.lower() in key.lower()
+                or chain_name.lower() in data.get("name", "").lower()
+            ):
+                return data
+        return None
+
+    def list_all_ransomware(self) -> List[Dict]:
+        """List all ransomware in database"""
+        results = []
+        for key, data in self.ransomware_data.items():
+            results.append(
+                {
+                    "key": key,
+                    "name": data.get("name", key),
+                    "first_seen": data.get("first_seen", ""),
+                    "type": data.get("type", ""),
+                    "decryptable": data.get("decryptable", False),
+                    "cves": data.get("cves", []),
+                }
+            )
+        return results
+
+    def list_all_cves(self) -> List[Dict]:
+        """List all CVEs in database"""
+        results = []
+        for cve_id, data in self.cve_data.items():
+            results.append(
+                {
+                    "cve_id": cve_id,
+                    "name": data.get("name", ""),
+                    "cvss": data.get("cvss", 0),
+                    "severity": data.get("severity", "Unknown"),
+                    "ransomware_used_by": data.get("ransomware_used_by", []),
+                }
+            )
+        return sorted(results, key=lambda x: x["cvss"], reverse=True)
+
+    def get_latest_threats(self, limit: int = 10) -> List[Dict]:
+        """Get latest critical threats"""
+        all_cves = self.list_all_cves()
+        critical = [c for c in all_cves if c["severity"] == "Critical"]
+        return critical[:limit]
+
+    def generate_vulnerability_report(self, cve_list: List[str]) -> str:
+        """Generate a report for a list of CVEs"""
+        report_lines = [
+            "# Vulnerability Analysis Report",
+            f"Generated: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}",
+            "",
+            "## CVE Details",
+            "",
+        ]
+
+        for cve_id in cve_list:
+            entry = self.search_cve(cve_id.upper())
+            if entry:
+                report_lines.extend(
+                    [
+                        f"### {entry.cve_id}: {entry.name}",
+                        f"**Severity:** {entry.severity} (CVSS: {entry.cvss_score})",
+                        f"**Description:** {entry.description}",
+                        "",
+                        "**Affected Products:**",
+                        "",
+                    ]
+                )
+                for product in entry.affected_products[:5]:
+                    report_lines.append(f"- {product}")
+
+                if entry.ransomware_used_by:
+                    report_lines.extend(
+                        ["", "⚠️ **Ransomware Alert:** This CVE is used by:", ""]
+                    )
+                    for rw in entry.ransomware_used_by:
+                        report_lines.append(f"- {rw}")
+
+                report_lines.extend(["", "**Mitigation:**", ""])
+                for mit in entry.mitigations[:3]:
+                    report_lines.append(f"- {mit}")
+
+                report_lines.append("")
+            else:
+                report_lines.append(f"### {cve_id}: Not found in database\n")
+
+        return "\n".join(report_lines)
+
+    def get_mitigation_for_cve(self, cve_id: str) -> List[str]:
+        """Get mitigation steps for a CVE"""
+        entry = self.search_cve(cve_id.upper())
+        if entry:
+            return entry.mitigations
+        return []
+
+    def get_detection_for_ransomware(self, ransomware_name: str) -> List[str]:
+        """Get detection methods for ransomware"""
+        entry = self.search_ransomware(ransomware_name)
+        if entry:
+            return entry.detection
+        return []

modules/exploit_assist.py

@@ -0,0 +1,330 @@
+#!/usr/bin/env python3
+"""
+Exploit Assistance Module
+AI-powered exploit suggestion and payload generation
+Author: SHAdd0WTAka
+
+FOR AUTHORIZED SECURITY TESTING ONLY
+"""
+
+import asyncio
+import logging
+from dataclasses import dataclass
+from typing import Dict, List, Optional
+
+logger = logging.getLogger("ZenAI")
+
+
+@dataclass
+class ExploitSuggestion:
+    name: str
+    exploit_type: str
+    description: str
+    prerequisites: List[str]
+    steps: List[str]
+    payload_example: str
+    mitigation: str
+    risk_level: str
+
+
+class ExploitAssistModule:
+    """
+    Intelligent exploit assistance and payload generation
+    FOR AUTHORIZED TESTING ONLY
+    """
+
+    def __init__(self, orchestrator):
+        self.orchestrator = orchestrator
+
+    async def suggest_exploits(
+        self, vuln_name: str, service: str, version: str = ""
+    ) -> List[ExploitSuggestion]:
+        """
+        Suggest exploits for a specific vulnerability
+        """
+        prompt = f"""
+Suggest exploits for the following vulnerability:
+- Vulnerability: {vuln_name}
+- Service: {service}
+- Version: {version or "Unknown"}
+
+For educational and authorized penetration testing purposes only.
+
+Provide for each exploit:
+1. Name/Technique
+2. Prerequisites
+3. Step-by-step approach
+4. Example payload (if applicable)
+5. Detection/prevention methods
+
+Format:
+[EXPLOIT]
+Name: <name>
+Type: <type>
+Prerequisites: <list>
+Steps: <numbered steps>
+Payload Example: <example>
+Mitigation: <how to prevent>
+Risk: <Critical/High/Medium/Low>
+[/EXPLOIT]
+"""
+
+        response = await self.orchestrator.process(prompt)
+        return self._parse_exploit_suggestions(response.content)
+
+    async def generate_payload(
+        self, vuln_type: str, target_info: Dict, encoding: str = "raw"
+    ) -> str:
+        """
+        Generate proof-of-concept payloads
+        """
+        prompt = f"""
+Generate a proof-of-concept payload for authorized security testing:
+
+Vulnerability Type: {vuln_type}
+Target: {target_info.get('target', 'Unknown')}
+Context: {target_info.get('context', 'Web application')}
+Encoding: {encoding}
+
+Requirements:
+- Safe for testing (non-destructive where possible)
+- Clearly demonstrates the vulnerability
+- Includes detection string
+- Explain what the payload does
+
+DO NOT generate malicious payloads for actual attacks.
+This is for security research and authorized testing only.
+"""
+
+        response = await self.orchestrator.process(prompt)
+        return response.content
+
+    async def craft_sql_injection_payload(
+        self, db_type: str = "mysql", technique: str = "union"
+    ) -> Dict:
+        """
+        Generate SQL injection test payloads
+        """
+        prompt = f"""
+Generate SQL injection proof-of-concept payloads for authorized testing:
+
+Database: {db_type}
+Technique: {technique}
+
+Provide:
+1. Basic detection payload
+2. Database version extraction
+3. Table enumeration payload
+4. Safe SELECT-only data extraction
+
+All payloads should use 'AND 1=1' or similar safe constructs that don't modify data.
+Include comments explaining what each payload does.
+"""
+
+        response = await self.orchestrator.process(prompt)
+
+        return {
+            "detection": self._extract_payload(response.content, "detection"),
+            "version": self._extract_payload(response.content, "version"),
+            "tables": self._extract_payload(response.content, "tables"),
+            "full_response": response.content,
+        }
+
+    async def craft_xss_payload(
+        self, context: str = "html", waf: str = "none"
+    ) -> List[str]:
+        """
+        Generate XSS proof-of-concept payloads
+        """
+        prompt = f"""
+Generate XSS proof-of-concept payloads for authorized security testing:
+
+Context: {context} (html, attribute, javascript, url)
+WAF: {waf}
+
+Requirements:
+- Use alert(1) or console.log('XSS') for demonstration
+- Include polyglot payloads
+- Provide bypass techniques if WAF is specified
+- Explain the context where each works
+
+Payloads should be safe for testing and clearly demonstrate the vulnerability.
+"""
+
+        response = await self.orchestrator.process(prompt)
+
+        # Extract payloads (lines that look like XSS)
+        payloads = []
+        for line in response.content.split("\n"):
+            line = line.strip()
+            if any(
+                indicator in line
+                for indicator in [
+                    "<script",
+                    "javascript:",
+                    "onerror",
+                    "onload",
+                    "<img",
+                    "<svg",
+                ]
+            ):
+                payloads.append(line)
+
+        return payloads[:10]  # Limit results
+
+    async def post_exploitation(self, access_level: str, target_type: str) -> Dict:
+        """
+        Suggest post-exploitation steps
+        """
+        prompt = f"""
+Suggest post-exploitation activities for authorized penetration testing:
+
+Current Access: {access_level} (user/root/web shell)
+Target Type: {target_type} (linux/windows/web)
+
+Focus areas:
+1. Privilege escalation vectors
+2. Lateral movement possibilities
+3. Persistence mechanisms (for testing detection)
+4. Data exfiltration paths (document only)
+5. Cleanup procedures
+
+This is for improving security defenses through authorized testing.
+Provide detection methods for each activity.
+"""
+
+        response = await self.orchestrator.process(prompt)
+
+        return {
+            "privilege_escalation": self._extract_section(
+                response.content, "privilege"
+            ),
+            "lateral_movement": self._extract_section(response.content, "lateral"),
+            "persistence": self._extract_section(response.content, "persistence"),
+            "cleanup": self._extract_section(response.content, "cleanup"),
+            "full_response": response.content,
+        }
+
+    async def bypass_techniques(self, security_control: str) -> List[str]:
+        """
+        Get bypass techniques for security controls
+        """
+        prompt = f"""
+Suggest bypass techniques for authorized security testing:
+
+Security Control: {security_control}
+(WAF, Antivirus, EDR, Application Whitelist, etc.)
+
+Provide:
+1. Common bypass methods
+2. Encoding/obfuscation techniques
+3. Alternative execution methods
+4. Detection recommendations for defenders
+
+For red team exercises and security validation only.
+Include how blue teams can detect these attempts.
+"""
+
+        response = await self.orchestrator.process(prompt)
+
+        # Parse techniques
+        techniques = []
+        for line in response.content.split("\n"):
+            line = line.strip()
+            if line and (
+                line[0].isdigit() or line.startswith("-") or line.startswith("*")
+            ):
+                techniques.append(line.lstrip("- *").strip())
+
+        return techniques[:15]
+
+    def _parse_exploit_suggestions(self, content: str) -> List[ExploitSuggestion]:
+        """Parse exploit blocks from response"""
+        suggestions = []
+
+        # Split by [EXPLOIT] blocks
+        import re
+
+        blocks = re.findall(r"\[EXPLOIT\](.*?)\[/EXPLOIT\]", content, re.DOTALL)
+
+        if not blocks:
+            # Try alternative parsing
+            sections = content.split("\n\n")
+            for section in sections:
+                if "prerequisites" in section.lower() or "steps" in section.lower():
+                    suggestions.append(self._create_exploit_from_text(section))
+        else:
+            for block in blocks:
+                suggestions.append(self._create_exploit_from_text(block))
+
+        return suggestions
+
+    def _create_exploit_from_text(self, text: str) -> ExploitSuggestion:
+        """Create ExploitSuggestion from text"""
+        import re
+
+        name_match = re.search(r"Name:\s*(.+?)(?:\n|$)", text, re.IGNORECASE)
+        type_match = re.search(r"Type:\s*(.+?)(?:\n|$)", text, re.IGNORECASE)
+        risk_match = re.search(r"Risk:\s*(\w+)", text, re.IGNORECASE)
+
+        # Extract lists
+        prereqs = re.findall(
+            r"[\*\-]\s*(.+?)(?:\n|$)",
+            (
+                re.search(
+                    r"Prerequisites:(.+?)(?:Steps|Payload|Mitigation|$)",
+                    text,
+                    re.DOTALL | re.IGNORECASE,
+                ).group(1)
+                if re.search(
+                    r"Prerequisites:(.+?)(?:Steps|Payload|Mitigation|$)",
+                    text,
+                    re.DOTALL | re.IGNORECASE,
+                )
+                else ""
+            ),
+        )
+
+        steps = re.findall(r"\d+\.\s*(.+?)(?:\n|$)", text)
+
+        payload_match = re.search(
+            r"Payload\s*(?:Example)?:\s*(.+?)(?:\n\w+:|$)",
+            text,
+            re.DOTALL | re.IGNORECASE,
+        )
+        mitigation_match = re.search(
+            r"Mitigation:\s*(.+?)(?:\n\w+:|$)", text, re.DOTALL | re.IGNORECASE
+        )
+
+        return ExploitSuggestion(
+            name=name_match.group(1).strip() if name_match else "Unknown",
+            exploit_type=type_match.group(1).strip() if type_match else "Unknown",
+            description=text[:200],
+            prerequisites=prereqs if prereqs else ["Unknown"],
+            steps=steps if steps else ["See description"],
+            payload_example=(
+                payload_match.group(1).strip()[:500] if payload_match else "N/A"
+            ),
+            mitigation=(
+                mitigation_match.group(1).strip()[:300]
+                if mitigation_match
+                else "Review security controls"
+            ),
+            risk_level=risk_match.group(1).capitalize() if risk_match else "Medium",
+        )
+
+    def _extract_payload(self, content: str, payload_type: str) -> str:
+        """Extract specific payload from content"""
+        import re
+
+        pattern = rf"{payload_type}[:\s]+(.+?)(?:\n\n|\n[A-Z]|$)"
+        match = re.search(pattern, content, re.IGNORECASE | re.DOTALL)
+        return match.group(1).strip()[:500] if match else "Not found"
+
+    def _extract_section(self, content: str, section_name: str) -> str:
+        """Extract a section from content"""
+        import re
+
+        pattern = rf"{section_name}[\s\w]*[:\s]+(.+?)(?:\n\n[A-Z]|\n\d+\.|$)"
+        match = re.search(pattern, content, re.IGNORECASE | re.DOTALL)
+        return match.group(1).strip()[:500] if match else ""