mirror of
https://github.com/Ed1s0nZ/CyberStrikeAI.git
synced 2026-07-18 18:07:32 +02:00
Add files via upload
This commit is contained in:
@@ -133,6 +133,7 @@ CyberStrikeAI connects planning, execution, human oversight, evidence, and repla
|
||||
|
||||
- 📁 **Conversation management** provides grouping, pinning, renaming, and batch organization.
|
||||
- 📂 **Projects and attack chains** connect cross-session facts, risk scoring, graph views, and step-by-step replay.
|
||||
- 🗂️ **Asset management** normalizes and deduplicates domains, IP addresses, ports, and services while tracking scan coverage, linked vulnerabilities, and risk state. See the [Asset Management guide](docs/en-US/asset-management.md).
|
||||
- 🛡️ **Vulnerability management** provides severity classification, lifecycle tracking, filtering, and statistics.
|
||||
- 📋 **Batch tasks** provide queued execution, editing, status tracking, and retained results.
|
||||
- 📱 **Chatbots** connect Personal WeChat, WeCom, DingTalk, Lark, Telegram, Slack, Discord, and QQ Bot.
|
||||
|
||||
@@ -132,6 +132,7 @@ CyberStrikeAI 将规划、执行、人工监督、证据与复盘连接在同一
|
||||
|
||||
- 📁 **对话管理**:支持分组、置顶、重命名和批量管理。
|
||||
- 📂 **项目与攻击链**:关联跨会话事实、风险评分、图谱视图和步骤回放。
|
||||
- 🗂️ **资产管理**:统一归档和去重域名、IP、端口与服务,跟踪扫描覆盖、关联漏洞和风险状态。详见[资产管理指南](docs/zh-CN/asset-management.md)。
|
||||
- 🛡️ **漏洞管理**:支持严重程度分级、状态流转、过滤和统计看板。
|
||||
- 📋 **批量任务**:支持任务队列、编辑、状态跟踪和结果留存。
|
||||
- 📱 **机器人接入**:支持个人微信、企业微信、钉钉、飞书、Telegram、Slack、Discord 和 QQ。
|
||||
|
||||
@@ -17,7 +17,7 @@
|
||||
|
||||
## Feature guides
|
||||
|
||||
- [Knowledge Base](knowledge-base.md) · [Robot / Chatbot](robot.md) · [Vision](VISION.md)
|
||||
- [Asset Management](asset-management.md) · [Knowledge Base](knowledge-base.md) · [Robot / Chatbot](robot.md) · [Vision](VISION.md)
|
||||
- [WebShell](webshell.md) · [C2](c2.md) · [MCP Federation](mcp-federation.md)
|
||||
|
||||
## Operations and reference
|
||||
|
||||
@@ -0,0 +1,151 @@
|
||||
# Asset Management
|
||||
|
||||
[中文](../zh-CN/asset-management.md)
|
||||
|
||||
Asset management consolidates domains, IP addresses, ports, and services discovered through manual entry, FOFA, HTTP APIs, and Agent tasks into a maintainable baseline. It answers three questions: what assets exist, which assets have been assessed, and where risk is concentrated.
|
||||
|
||||
> This feature is designed for security testing and attack-surface governance. It is not a replacement for a full enterprise CMDB. Add and scan only systems you own or are explicitly authorized to test.
|
||||
|
||||
## Overview
|
||||
|
||||
Asset management provides three main views:
|
||||
|
||||
- **Overview**: asset totals, IPs, domains, ports, recent changes, scan coverage, and protocol distribution.
|
||||
- **Asset inventory**: identity, service details, source, tags, project ownership, scan history, and risk state.
|
||||
- **Reconnaissance**: search FOFA and save confirmed results individually or in batches.
|
||||
|
||||
Assets can launch single-target analysis or batch scans. After an Agent records findings and completes the scan callback, the inventory displays related vulnerability counts, risk level, and latest scan time.
|
||||
|
||||
## Asset fields
|
||||
|
||||
An asset can include:
|
||||
|
||||
- host, IP address, domain, port, and protocol;
|
||||
- page title and service or product fingerprint;
|
||||
- country/region, state/province, and city;
|
||||
- source, source query, and tags;
|
||||
- active or inactive status;
|
||||
- project and owner;
|
||||
- first seen, last seen, created, and updated timestamps;
|
||||
- latest scan time and linked conversation, task queue, and subtask;
|
||||
- related vulnerability count and current risk level.
|
||||
|
||||
At least one of `host`, `ip`, or `domain` is required.
|
||||
|
||||
## Build an asset baseline
|
||||
|
||||
### Add an asset manually
|
||||
|
||||
Go to **Asset Management → Asset Inventory** and select **Add Asset**. Supported target forms include:
|
||||
|
||||
```text
|
||||
https://example.com:8443
|
||||
example.com
|
||||
192.0.2.10:443
|
||||
[2001:db8::1]:443
|
||||
```
|
||||
|
||||
The system attempts to identify the URL, domain, IP address, port, and protocol. You can then add a project, tags, title, service fingerprint, location, and status.
|
||||
|
||||
### Import from FOFA
|
||||
|
||||
1. Configure the FOFA email and API key in settings or the configuration file. You can also use the `FOFA_EMAIL` and `FOFA_API_KEY` environment variables.
|
||||
2. Open **Asset Management → Reconnaissance**.
|
||||
3. Enter or generate a FOFA query and confirm its scope.
|
||||
4. Run the query, select results whose ownership has been verified, and choose **Save Selected**.
|
||||
5. Review the created, updated, and skipped counts.
|
||||
|
||||
Internet search results are not automatically your assets. Narrow the query with organization domains, certificates, network ranges, or product fingerprints, then verify authorization before saving results.
|
||||
|
||||
## Normalization and deduplication
|
||||
|
||||
Different sources may describe the same target in different forms. The system:
|
||||
|
||||
- trims surrounding whitespace;
|
||||
- normalizes IP addresses, domains, and protocols to lowercase;
|
||||
- extracts hostname, protocol, and port from URL-like hosts;
|
||||
- fills default HTTP/HTTPS ports when omitted;
|
||||
- converts internationalized domains to ASCII/Punycode;
|
||||
- removes empty or duplicate tags;
|
||||
- supplies default source and status values.
|
||||
|
||||
Assets use “target + port + protocol” as the service-level deduplication key. The preferred target is the domain, followed by the IP address, then the host. As a result, `80/http` and `443/https` on the same host remain separate assets.
|
||||
|
||||
When an existing asset is imported again, non-empty incoming fields and the last-seen time are updated. Existing fields omitted by the new record and the original first-seen time are preserved.
|
||||
|
||||
## Search and filters
|
||||
|
||||
The Web UI searches hosts, IP addresses, domains, titles, services, and tags, with status and project filters. The backend and Agent tools additionally support:
|
||||
|
||||
- source, tags, port, and protocol;
|
||||
- scanned and never-scanned states;
|
||||
- first-seen, last-seen, and latest-scan time ranges;
|
||||
- allowlisted sort fields such as latest scan time;
|
||||
- paginated queries.
|
||||
|
||||
Sorting by latest scan time in ascending order places never-scanned assets first, making coverage gaps visible.
|
||||
|
||||
## Scanning and risk updates
|
||||
|
||||
### Scan one asset
|
||||
|
||||
Select **Scan** from the asset inventory. The system:
|
||||
|
||||
1. creates a conversation containing the target and asset ID;
|
||||
2. links the conversation to the asset;
|
||||
3. prompts the Agent to inspect exposed services and authorized risks;
|
||||
4. stores confirmed findings with `record_vulnerability`;
|
||||
5. updates scan state with `complete_asset_scan`.
|
||||
|
||||
Scan prompts support `{{asset_id}}`, `{{target}}`, `{{host}}`, `{{ip}}`, `{{domain}}`, and `{{port}}`. Adjust scope, ports, test intensity, and validation methods to match the authorization before starting.
|
||||
|
||||
### Batch scans
|
||||
|
||||
Select multiple assets and choose **Create Scan Task**. The system creates one subtask per asset and links each asset to its queue and subtask.
|
||||
|
||||
The current defaults use manual scheduling, one concurrent task, and Eino single-Agent mode to limit load on targets and the local host. You must still confirm the test window, request rate, permitted validation methods, and approval requirements.
|
||||
|
||||
### Risk calculation
|
||||
|
||||
Asset risk is calculated dynamically from open vulnerabilities in the latest linked scan:
|
||||
|
||||
- `critical`, `high`, `medium`, `low`, or `info`: an open finding at that level exists;
|
||||
- `normal`: the asset was scanned and has no open risk;
|
||||
- `unassessed`: no scan has completed.
|
||||
|
||||
Resolved, false-positive, and ignored findings remain in historical counts but no longer increase the current risk level.
|
||||
|
||||
## Agent tools
|
||||
|
||||
Six built-in tools expose asset operations to Agents:
|
||||
|
||||
- `create_asset`: create or deduplicate and update an asset;
|
||||
- `get_asset`: retrieve full details by ID;
|
||||
- `query_assets`: filter, sort, and paginate assets;
|
||||
- `update_asset`: partially update an asset;
|
||||
- `delete_asset`: delete an asset;
|
||||
- `complete_asset_scan`: record scan completion.
|
||||
|
||||
`query_assets` returns 20 summaries by default and allows at most 50 per page. Use `get_asset` for full details so large inventories do not consume the model context.
|
||||
|
||||
## Access control
|
||||
|
||||
Asset permissions are separated into:
|
||||
|
||||
- `asset:read`: view assets and statistics;
|
||||
- `asset:write`: create, import, edit, and update scan state;
|
||||
- `asset:delete`: delete assets.
|
||||
|
||||
Server-side authorization considers the asset owner, explicit resource assignments, the linked project, and permission scope (`all`, `assigned`, or `own`). When a conversation is linked to a project, Agent asset queries are restricted to that project and tool arguments cannot widen the boundary.
|
||||
|
||||
## Recommended workflow
|
||||
|
||||
1. Define an explicitly authorized set of domains, IP addresses, or network ranges.
|
||||
2. Add a few critical targets manually and verify normalization and deduplication.
|
||||
3. Use tags to separate production, testing, critical-business, and internet-facing scopes.
|
||||
4. Configure FOFA, begin with narrow queries, and verify ownership.
|
||||
5. Test scanning and vulnerability callbacks on one low-risk target.
|
||||
6. Use never-scanned and over-30-day filters to identify coverage gaps.
|
||||
7. After validating the workflow, expand gradually with small batch tasks.
|
||||
|
||||
A small, verified baseline is usually more valuable than a large inventory with unclear ownership and inconsistent sources.
|
||||
@@ -17,7 +17,7 @@
|
||||
|
||||
## 功能指南
|
||||
|
||||
- [知识库](knowledge-base.md) · [机器人接入](robot.md) · [视觉分析](VISION.md)
|
||||
- [资产管理](asset-management.md) · [知识库](knowledge-base.md) · [机器人接入](robot.md) · [视觉分析](VISION.md)
|
||||
- [WebShell](webshell.md) · [C2](c2.md) · [MCP 联邦](mcp-federation.md)
|
||||
|
||||
## 运维与参考
|
||||
|
||||
@@ -0,0 +1,151 @@
|
||||
# 资产管理
|
||||
|
||||
[English](../en-US/asset-management.md)
|
||||
|
||||
资产管理用于将手工录入、FOFA、HTTP API 和 Agent 任务中发现的域名、IP、端口与服务统一归档,形成可持续维护的资产基线。它关注三个问题:当前拥有哪些资产、哪些资产已经检查、风险集中在哪里。
|
||||
|
||||
> 资产管理面向安全测试和攻击面治理,不替代完整的企业 CMDB。仅可录入和扫描自有系统或已获得明确授权的目标。
|
||||
|
||||
## 功能概览
|
||||
|
||||
资产管理包含三个主要入口:
|
||||
|
||||
- **资产概览**:统计资产总量、IP、域名、端口、近期变化、扫描覆盖率和协议分布。
|
||||
- **资产库**:维护资产身份、服务信息、来源、标签、项目归属、扫描记录和风险状态。
|
||||
- **信息收集**:查询 FOFA,并将确认归属的结果单条或批量写入资产库。
|
||||
|
||||
资产可以进一步发起单目标分析或批量扫描。Agent 保存漏洞并完成扫描回写后,资产列表会同步展示相关漏洞数量、风险等级和最近扫描时间。
|
||||
|
||||
## 资产字段
|
||||
|
||||
每条资产可记录:
|
||||
|
||||
- Host、IP、域名、端口和协议;
|
||||
- 页面标题、服务或产品指纹;
|
||||
- 国家/地区、省份/州和城市;
|
||||
- 来源、来源查询条件和标签;
|
||||
- 活跃或停用状态;
|
||||
- 所属项目和所有者;
|
||||
- 首次发现、最近发现、创建和更新时间;
|
||||
- 最近扫描时间及关联的对话、任务队列和子任务;
|
||||
- 相关漏洞数量和当前风险等级。
|
||||
|
||||
至少需要提供 `host`、`ip` 或 `domain` 中的一项。
|
||||
|
||||
## 建立资产基线
|
||||
|
||||
### 手工新增
|
||||
|
||||
进入 **资产管理 → 资产库**,点击 **新增资产**。常见目标格式包括:
|
||||
|
||||
```text
|
||||
https://example.com:8443
|
||||
example.com
|
||||
192.0.2.10:443
|
||||
[2001:db8::1]:443
|
||||
```
|
||||
|
||||
系统会尽量识别 URL、域名、IP、端口和协议。保存前可继续补充项目、标签、标题、服务指纹、地理位置和状态。
|
||||
|
||||
### 从 FOFA 导入
|
||||
|
||||
1. 在配置文件或系统设置中填写 FOFA 邮箱和 API Key,也可使用 `FOFA_EMAIL`、`FOFA_API_KEY` 环境变量。
|
||||
2. 进入 **资产管理 → 信息收集**。
|
||||
3. 输入或生成 FOFA 查询语句,并确认查询范围。
|
||||
4. 执行查询,选择确认归属的结果后点击 **入库所选**。
|
||||
5. 根据返回的新增、更新和跳过数量检查导入结果。
|
||||
|
||||
外部搜索结果不等同于自有资产。建议先通过组织域名、证书、网段或产品指纹缩小范围,确认授权后再入库。
|
||||
|
||||
## 规范化与去重
|
||||
|
||||
不同入口可能使用不同形式描述同一目标。系统会执行以下处理:
|
||||
|
||||
- 去除字段首尾空白;
|
||||
- IP、域名和协议转为小写;
|
||||
- 从 URL 型 Host 提取 hostname、协议和端口;
|
||||
- 为未显式指定端口的 HTTP/HTTPS 补充默认端口;
|
||||
- 将国际化域名转换为 ASCII/Punycode;
|
||||
- 清理并去重标签;
|
||||
- 为缺失的状态和来源补充默认值。
|
||||
|
||||
资产以“目标 + 端口 + 协议”作为服务级去重依据。目标优先采用域名,其次为 IP,最后为 Host。因此,同一主机的 `80/http` 和 `443/https` 会被视为不同资产。
|
||||
|
||||
重复资产再次入库时,系统会更新本次提供的非空字段和最近发现时间,保留未提供的原有信息,不会重置首次发现时间。
|
||||
|
||||
## 查询与筛选
|
||||
|
||||
Web 端支持搜索 Host、IP、域名、标题、服务和标签,并按状态或项目筛选。后端和 Agent 工具还支持:
|
||||
|
||||
- 来源、标签、端口和协议;
|
||||
- 已扫描、从未扫描等扫描状态;
|
||||
- 首次发现、最近发现和最近扫描时间范围;
|
||||
- 按最近扫描时间等白名单字段排序;
|
||||
- 分页查询。
|
||||
|
||||
按最近扫描时间升序排列时,从未扫描的资产优先显示,便于识别覆盖盲区。
|
||||
|
||||
## 扫描与风险回写
|
||||
|
||||
### 单资产扫描
|
||||
|
||||
在资产列表中点击 **扫描**。系统会:
|
||||
|
||||
1. 创建新对话并注入资产目标和资产 ID;
|
||||
2. 将对话与资产关联;
|
||||
3. 引导 Agent 检查暴露服务和授权范围内的安全风险;
|
||||
4. 使用 `record_vulnerability` 保存确认的问题;
|
||||
5. 使用 `complete_asset_scan` 回写扫描状态。
|
||||
|
||||
扫描提示词支持 `{{asset_id}}`、`{{target}}`、`{{host}}`、`{{ip}}`、`{{domain}}` 和 `{{port}}` 变量。发起前应按授权范围调整测试强度、端口和验证方式。
|
||||
|
||||
### 批量扫描
|
||||
|
||||
在资产库中选择多个目标后,点击 **创建扫描任务**。系统会为每个资产创建独立子任务,并建立资产、队列和子任务之间的关联。
|
||||
|
||||
当前默认使用手动调度、单并发和 Eino 单 Agent 模式,以减少对目标和本机资源的瞬时压力。执行前仍需确认测试窗口、请求频率、允许的验证方式和审批要求。
|
||||
|
||||
### 风险计算
|
||||
|
||||
资产风险根据最近一次关联扫描中的未关闭漏洞动态计算:
|
||||
|
||||
- `critical`、`high`、`medium`、`low`、`info`:存在对应等级的未关闭漏洞;
|
||||
- `normal`:已扫描且没有开放风险;
|
||||
- `unassessed`:尚未完成扫描。
|
||||
|
||||
已修复、误报或忽略的漏洞仍保留在历史数量中,但不会继续提高当前风险等级。
|
||||
|
||||
## Agent 工具
|
||||
|
||||
系统向 Agent 提供六个内置资产工具:
|
||||
|
||||
- `create_asset`:新增资产或去重更新;
|
||||
- `get_asset`:按 ID 获取完整详情;
|
||||
- `query_assets`:分页、筛选和排序;
|
||||
- `update_asset`:局部更新;
|
||||
- `delete_asset`:删除资产;
|
||||
- `complete_asset_scan`:扫描完成后回写状态。
|
||||
|
||||
`query_assets` 默认每页返回 20 条、最多 50 条摘要。需要完整信息时使用 `get_asset`,避免大量资产数据占用模型上下文。
|
||||
|
||||
## 权限控制
|
||||
|
||||
资产权限分为:
|
||||
|
||||
- `asset:read`:查看资产和统计数据;
|
||||
- `asset:write`:创建、导入、修改和回写扫描;
|
||||
- `asset:delete`:删除资产。
|
||||
|
||||
服务端会同时检查资产所有者、显式资源授权、所属项目及权限 Scope(`all`、`assigned`、`own`)。当对话绑定项目后,Agent 的资产查询会被限制在该项目内,工具参数不能扩大访问范围。
|
||||
|
||||
## 推荐使用流程
|
||||
|
||||
1. 划定一组明确授权的域名、IP 或网段。
|
||||
2. 手工加入少量核心目标,验证识别和去重结果。
|
||||
3. 使用标签区分生产、测试、核心业务和外网范围。
|
||||
4. 配置 FOFA,从窄查询开始并确认资产归属。
|
||||
5. 对单个低风险目标测试扫描和漏洞回写流程。
|
||||
6. 使用“从未扫描”和“超过 30 天未扫描”筛选覆盖盲区。
|
||||
7. 确认流程稳定后,再逐步创建小规模批量任务。
|
||||
|
||||
经过确认的小规模资产基线通常比来源混乱的全量清单更有价值。
|
||||
Reference in New Issue
Block a user