misconfig/CVE/PoC/rate-limit agents, data-safety guardrail, Burp proxy, PoC dir
Agents (+10 → library 375): absurd-misconfig hunters (exposed .git/.env/backups, debug/actuator, default creds, dir listing, ops dashboards, permissive CORS, verbose errors), a CVE Hunter (fingerprint → correlate → safe PoC), a PoC Developer (writes runnable scripts to the run's pocs/), and a Rate-Limit tester. Doctrine (pipeline): - SAFETY_DOCTRINE injected into every exploit/chain/host prompt: no modify/delete/exfiltrate/state-change without permission; on PII prove with a masked sample + count, never dump. - tool_doctrine adds: smart targeted nuclei (fingerprint-first, -tags/-id, rate/timeouts), misconfig hunting, rate-limit control checks, authorized tool download (git clone PoC repos / fetch scanners), Burp/ZAP proxy routing, and a per-run PoC workspace. Harness/CLI/REPL: - RunConfig.proxy; spawn_engagement creates <workdir>/pocs and exports NEUROSPLOIT_POCS + NEUROSPLOIT_PROXY (proxy from cfg or the env var). - REPL /proxy <url> and /burp (Session.proxy); /show shows proxy. Docs: README highlights + Cloud/counts (375), RELEASE v3.5.5 sections.
@@ -0,0 +1,136 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
NeuroSploit v3.5.5 — misconfiguration, CVE-hunting, PoC-development & rate-limit
|
||||
exploitation agents. Written to agents_md/vulns/. Read-only-first, non-destructive,
|
||||
authorized only; PII must be handled per the data-safety guardrail.
|
||||
Credits: Joas A Santos & Red Team Leaders.
|
||||
"""
|
||||
import os
|
||||
|
||||
ROOT = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
|
||||
OUT = os.path.join(ROOT, "agents_md", "vulns")
|
||||
|
||||
|
||||
def render(a):
|
||||
L = [f"# {a['title']} Agent\n", "## User Prompt",
|
||||
f"You are testing **{{target}}** for {a['for']}.\n",
|
||||
"**Recon Context:**\n{recon_json}\n", "**METHODOLOGY:**\n"]
|
||||
for i, (s, bs) in enumerate(a["steps"], 1):
|
||||
L.append(f"### {i}. {s}")
|
||||
L += [f"- {b}" for b in bs]
|
||||
L.append("")
|
||||
n = len(a["steps"]) + 1
|
||||
L += [f"### {n}. Report Format", "For each CONFIRMED finding:", "```", "FINDING:",
|
||||
f"- Title: {a['title']} at [endpoint]", f"- Severity: {a['sev']}", f"- CWE: {a['cwe']}",
|
||||
"- Endpoint: [full URL/resource]", "- Vector: [what/where]", "- Payload: [exact request/command]",
|
||||
"- Evidence: [raw tool output proving it]", f"- Impact: {a['impact']}",
|
||||
f"- Remediation: {a['fix']}", "```\n", "## System Prompt", a["system"]]
|
||||
return "\n".join(L) + "\n"
|
||||
|
||||
|
||||
def A(name, title, vc, cwe, sev, steps, fix, impact):
|
||||
return {"name": name, "title": title, "for": vc, "sev": sev, "cwe": cwe, "impact": impact,
|
||||
"fix": fix, "steps": steps,
|
||||
"system": (f"You are a specialist in {vc}. AUTHORIZED engagement. Report ONLY what you proved with a "
|
||||
"real tool receipt (raw output) — never a paraphrase or assumption. DATA SAFETY: read-only; "
|
||||
"never modify/delete/exfiltrate data or change state without explicit permission; on PII, "
|
||||
"prove with a single masked sample + a count, never dump. No destructive/DoS actions. "
|
||||
"Credits: Joas A Santos and Red Team Leaders.")}
|
||||
|
||||
|
||||
AGENTS = [
|
||||
# ---------- absurd misconfigurations ----------
|
||||
A("misconfig_exposed_files", "Exposed Sensitive Files & Backups", "absurd misconfigurations exposing sensitive files",
|
||||
"CWE-538", "High",
|
||||
[("Probe", ["Request common leaks: `/.env`, `/.git/config`, `/.git/HEAD`, `/config.php~`, `/wp-config.php.bak`, "
|
||||
"`/backup.zip`, `/db.sql`, `/.htpasswd`, `/docker-compose.yml`, `/.aws/credentials`, `/id_rsa`"]),
|
||||
("Confirm", ["Show a 200 returning real secret/config/source content (differentiate from soft-404 with a random path)"]),
|
||||
("Loot", ["Extract secrets/creds and hand them to the chainer for reuse — do not exfiltrate beyond proof"])],
|
||||
"Block dotfiles/backups at the web server/WAF; remove them from webroot; rotate leaked secrets",
|
||||
"Source/secret disclosure → credential reuse / RCE"),
|
||||
A("misconfig_debug_endpoints", "Debug / Management Endpoints Exposed", "exposed debug and management endpoints",
|
||||
"CWE-489", "High",
|
||||
[("Probe", ["Check `/actuator/*` (env,heapdump,mappings), `/debug`, `/trace`, `/phpinfo.php`, `/server-status`, "
|
||||
"`/metrics`, `/__debug__/`, `/console`, framework debug panels"]),
|
||||
("Assess", ["Harvest env vars/secrets, internal routes, heap/thread dumps, config"]),
|
||||
("Confirm", ["Show sensitive runtime data or an actionable management action reachable unauthenticated"])],
|
||||
"Disable debug/management in prod; authenticate & network-restrict them", "Info disclosure → RCE/takeover"),
|
||||
A("misconfig_default_creds", "Default / Weak Credentials on Panels", "default or weak credentials on exposed panels",
|
||||
"CWE-1392", "High",
|
||||
[("Locate", ["Find admin/login panels (`/admin`, `/manager/html`, `/wp-login.php`, `/user/login`, device panels)"]),
|
||||
("Test (in scope)", ["Try vendor defaults & the supplied test creds; respect lockout/ROE — no out-of-scope brute force"]),
|
||||
("Confirm", ["Show authenticated access with a benign read"])],
|
||||
"Remove defaults; enforce strong creds + MFA; restrict panel exposure", "Full component/app compromise"),
|
||||
A("misconfig_dir_listing", "Directory Listing Enabled", "directory listing / index-of exposure",
|
||||
"CWE-548", "Medium",
|
||||
[("Probe", ["Request likely dirs (`/uploads/`, `/backup/`, `/files/`, `/.well-known/`, `/static/`) looking for `Index of /`"]),
|
||||
("Confirm", ["Show a listing revealing sensitive files; fetch one to prove readability"])],
|
||||
"Disable autoindex (Options -Indexes / autoindex off); restrict access", "Information disclosure"),
|
||||
A("misconfig_exposed_dashboards", "Exposed Ops Dashboards", "unauthenticated ops dashboards & consoles",
|
||||
"CWE-1188", "High",
|
||||
[("Discover", ["Probe Kibana/Elasticsearch (`/_cat/indices`), Grafana, Jenkins (`/script`), phpMyAdmin, RabbitMQ, "
|
||||
"Prometheus, Consul, Swagger UI, GraphQL playground"]),
|
||||
("Assess", ["Determine unauthenticated access & sensitivity (data, RCE via Jenkins script console, etc.)"]),
|
||||
("Confirm", ["Demonstrate a read proving exposure (→ often data leak or RCE)"])],
|
||||
"Authenticate & network-restrict all ops UIs; least privilege", "Data leak / RCE / takeover"),
|
||||
A("misconfig_permissive_cors", "Permissive CORS Misconfiguration", "insecure CORS allowing cross-origin credentialed reads",
|
||||
"CWE-942", "High",
|
||||
[("Test reflection", ["Send `Origin: https://evil.example` and a `null` origin; inspect `Access-Control-Allow-Origin` "
|
||||
"and `Access-Control-Allow-Credentials`"]),
|
||||
("Classify", ["Reflected arbitrary origin + credentials = exploitable; literal `*` without creds = low"]),
|
||||
("Confirm", ["On authenticated endpoints, show a cross-origin credentialed read returning the victim's data"])],
|
||||
"Allowlist origins server-side; never reflect Origin with credentials", "Cross-origin data theft"),
|
||||
A("misconfig_verbose_errors", "Verbose Errors / Stack Traces", "verbose error handling leaking internals",
|
||||
"CWE-209", "Low",
|
||||
[("Trigger", ["Send malformed input / bad methods / type confusion to force errors"]),
|
||||
("Assess", ["Capture stack traces, framework/class names, file paths, SQL, versions, tokens in errors"]),
|
||||
("Confirm", ["Show a response leaking internal implementation detail"])],
|
||||
"Generic error pages in prod; log details server-side only", "Info disclosure aiding targeted attacks"),
|
||||
|
||||
# ---------- CVE hunting ----------
|
||||
A("cve_hunter", "CVE Hunter", "known CVEs affecting the detected components",
|
||||
"CWE-1395", "Critical",
|
||||
[("Fingerprint", ["From recon, list each component with its EXACT version (server, framework, CMS, plugins, JS libs)"]),
|
||||
("Correlate", ["Map versions to known CVEs; prioritise unauth RCE / SQLi / auth-bypass. Use `nuclei` with TARGETED "
|
||||
"templates/tags for the detected tech & CVE ids (fast, not a blind full scan), plus `searchsploit` "
|
||||
"and the NVD; note CVE id + CVSS"]),
|
||||
("Reproduce safely", ["Run a benign, non-destructive PoC (version/echo/OOB) to confirm the CVE is actually present; "
|
||||
"if a working public PoC exists you MAY clone it (git clone) and adapt — never a destructive payload"]),
|
||||
("Confirm", ["Report the CVE ONLY with concrete proof; otherwise 'potentially vulnerable (version match, unconfirmed)'"])],
|
||||
"Patch/upgrade affected components; apply vendor advisories", "Depends on CVE — up to full compromise"),
|
||||
|
||||
# ---------- PoC development ----------
|
||||
A("poc_developer", "Exploit PoC Developer", "issues that require a custom multi-step exploit or script to prove",
|
||||
"CWE-1395", "High",
|
||||
[("Decide", ["When a candidate issue can't be shown with a single curl (multi-step, timing, encoding, chaining, "
|
||||
"or a public CVE PoC is needed), develop a proof-of-concept script"]),
|
||||
("Build", ["Write a runnable PoC (bash/python/curl) to the run's `$NEUROSPLOIT_POCS` directory with a header comment "
|
||||
"(target, what it proves, usage). Reuse a reputable public PoC via `git clone` when one exists — review it first"]),
|
||||
("Run & confirm", ["Execute the PoC against the authorized target with benign/non-destructive payloads; capture output"]),
|
||||
("Report", ["Reference the PoC file path in the finding evidence; keep it reproducible and safe (no data destruction)"])],
|
||||
"N/A (methodology agent) — remediation follows the underlying issue", "Reproducible proof of the underlying vulnerability"),
|
||||
|
||||
# ---------- rate limiting / anti-automation ----------
|
||||
A("rate_limit_abuse", "Rate Limiting & Anti-Automation", "missing rate limiting / anti-automation on sensitive flows",
|
||||
"CWE-307", "Medium",
|
||||
[("Target the right endpoints", ["Login, password-reset/forgot, OTP/2FA verify, registration, token/refresh, and any "
|
||||
"expensive or messaging endpoint"]),
|
||||
("Controlled burst", ["Send a small controlled burst (~20-30 requests) and watch for 429, temporary lockout, "
|
||||
"Retry-After, progressive delay, or captcha — keep it non-disruptive (a control check, not DoS)"]),
|
||||
("Check headers", ["Inspect for `RateLimit-*` / `Retry-After`; note their absence"]),
|
||||
("Confirm", ["Report absence of throttling with the observed status distribution; chain with user-enumeration "
|
||||
"for password-spraying feasibility (do not actually brute-force out of scope)"])],
|
||||
"Rate limit per IP/account/session; lockout + backoff; captcha; 429 + Retry-After; MFA",
|
||||
"Brute force / credential stuffing / password spraying / resource abuse"),
|
||||
]
|
||||
|
||||
|
||||
def main():
|
||||
os.makedirs(OUT, exist_ok=True)
|
||||
for a in AGENTS:
|
||||
open(os.path.join(OUT, a["name"] + ".md"), "w").write(render(a))
|
||||
print(f"wrote {len(AGENTS)} exploit/misconfig/CVE/poc/rate-limit agents to {OUT}")
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
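Review bot: The "Loot" step of `misconfig_exposed_files` (extract secrets/creds and hand them to the chainer for reuse) and the "Assess" step of `misconfig_debug_endpoints` (harvest env vars/secrets and heap/thread dumps) work against the DATA SAFETY sentence that `A()` appends to every system prompt, which says to prove with a single masked sample plus a count and never dump. A heap dump is a bulk copy of process memory, and a credential passed on in clear would likely end up in run logs and reports, so these steps should carry the limit themselves, for example `("Assess", ["Confirm the endpoint answers unauthenticated; record key names and one masked sample, do not download heap/thread dumps"])`. The "Controlled burst" step of `rate_limit_abuse` has a similar gap: a burst against login or OTP can lock a real user out, so the step should name a dedicated test account supplied for the engagement. In `main()`, `open(...).write(...)` relies on the locale's default encoding although the agent text contains `→` and `—`, and it never closes the handle; `with open(path, "w", encoding="utf-8") as fh: fh.write(render(a))` fixes both.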