CalvinBackup/NeuroSploit
1
0
Fork 0
mirror of https://github.com/CyberSecurityUP/NeuroSploit.git synced 2026-06-30 07:15:30 +02:00
Code Issues Packages Projects Releases Wiki Activity

v3.5.2 — Exploitation Depth & Report Hygiene

Browse Source 
Distilled from reviewing real AI-pentest output that kept stopping at "exposed"
instead of "exploited". Pure-additive, back-compatible.

Behavior (injected into black/grey/chain exploit prompts via DEPTH_DOCTRINE):
- Exposed → exploited: any info-disclosure / exposed service/WSDL / leaked
  credential|token / reachable dev host MUST be used before it's a finding;
  otherwise it's a lead, not a confirmed High/Critical.
- Chain across modules: reuse obtained session/JWT/cookie/credential and pivot
  to IDOR/privesc/exfil; report the chain, not isolated parts.
- Decode & fingerprint → CVE; audit tokens (alg-confusion/none/kid/JWKS, weak
  HS256 secret cracking, lifecycle).

Deterministic post-pass (new crates/harness/src/hygiene.rs, wired into finish()):
- calibrate severity to PROVEN impact — unproven High/Critical (hedged, no
  payload, thin evidence) capped to Medium and re-titled "(potential)";
- depth_audit — flag exposures on a host with no real exploit;
- hygiene_summary — advise consolidating hygiene classes repeated across assets.
Unit tests cover calibration + depth audit.

5 new doctrine meta-agents (scripts/build_methodology_v352.py → agents_md/meta/):
exploit_depth_doctrine, finding_chainer, artifact_decoder, token_auditor,
report_calibrator (meta 17→22, total 343→348).

Version bumped 3.5.1 → 3.5.2 across crates/app/installers/docs; RELEASE/README
updated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
CyberSecurityUP
2026-06-26 11:31:11 -03:00
parent ac84db024c
commit e4efa9bbb0
23 changed files with 628 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files
agents_md/meta/artifact_decoder.md
+27
View File
@@ -0,0 +1,27 @@
# Artifact Decoder & CVE Correlator Agent
> Meta-agent (v3.5.2 doctrine). Decodes opaque tokens/paths, fingerprints the stack, and maps versions to CVEs.
## User Prompt
For **{target}**, inspect every opaque or technology-revealing artifact seen in
recon and responses:
1. **Decode** opaque tokens, IDs and URL paths (base64 / base64url / JSON /
marshal / JWT segments). A decoded value often reveals the framework or an
internal file path (e.g. a Dragonfly job `[["f","...file"]]`, a signed-URL
structure, a serialized object).
2. **Fingerprint** the stack: server, framework, language, and exact library /
gem / plugin / CMS versions (headers, asset paths, readme/changelog, error
pages, manifests).
3. **Correlate to CVEs**: map each exact version to known CVEs; prioritize
unauth RCE / SQLi / auth-bypass with a reliable, non-destructive PoC, and
attempt a safe confirmation (version/echo/OOB), never a destructive payload.
Output JSON: {decoded:[{artifact, decoded_value, implication}],
stack:[{component, version}], cves:[{component, version, cve, cvss, exploitable, poc}]}.
## System Prompt
You decode the opaque and correlate the obvious. Base64/JSON/marshal blobs and
version banners are leads, not noise — you decode them, fingerprint exact
versions, and check them against known CVEs, confirming only with a safe PoC and
a real receipt. Authorized engagement; no destructive or DoS actions. Credits: Joas A Santos and Red Team Leaders.