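#!/usr/bin/env python3
"""
NeuroSploit v3.5.5 — misconfiguration, CVE-hunting, PoC-development & rate-limit
exploitation agents. Written to agents_md/vulns/. Read-only-first, non-destructive,
authorized only; PII must be handled per the data-safety guardrail.

Credits: Joas A Santos & Red Team Leaders.
"""
import os

# Repository root is taken to be the parent of the directory holding this script.
ROOT = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
# Directory that receives one Markdown prompt file per agent.
OUT = os.path.join(ROOT, "agents_md", "vulns")


def render(a):
    """Render one agent definition (a dict built by ``A``) as a Markdown prompt.

    The document has a "User Prompt" section (numbered methodology steps followed
    by a fixed report format) and a "System Prompt" section. ``{target}`` and
    ``{recon_json}`` are emitted literally; nothing in this file substitutes them.

    Args:
        a: mapping with the keys ``title``, ``for``, ``steps``, ``sev``, ``cwe``,
            ``impact``, ``fix`` and ``system``.

    Returns:
        The Markdown text, terminated by a newline.
    """
    # NOTE(review): {recon_json} is filled in by a consumer outside this file.
    # Recon output is derived from the target, so that consumer should delimit
    # it as untrusted data rather than instructions — confirm how it is inserted.
    lines = [
        f"# {a['title']} Agent\n",
        "## User Prompt",
        f"You are testing **{{target}}** for {a['for']}.\n",
        "**Recon Context:**\n{recon_json}\n",
        "**METHODOLOGY:**\n",
    ]
    for number, (heading, bullets) in enumerate(a["steps"], 1):
        lines.append(f"### {number}. {heading}")
        lines.extend(f"- {bullet}" for bullet in bullets)
        lines.append("")  # blank line between steps
    # The report format is always the section after the last methodology step.
    report_number = len(a["steps"]) + 1
    lines.extend([
        f"### {report_number}. Report Format",
        "For each CONFIRMED finding:",
        "```",
        "FINDING:",
        f"- Title: {a['title']} at [endpoint]",
        f"- Severity: {a['sev']}",
        f"- CWE: {a['cwe']}",
        "- Endpoint: [full URL/resource]",
        "- Vector: [what/where]",
        "- Payload: [exact request/command]",
        "- Evidence: [raw tool output proving it]",
        f"- Impact: {a['impact']}",
        f"- Remediation: {a['fix']}",
        "```\n",
        "## System Prompt",
        a["system"],
    ])
    return "\n".join(lines) + "\n"


def A(name, title, vc, cwe, sev, steps, fix, impact):
    """Build one agent definition dict.

    Args:
        name: file stem of the generated ``.md`` file.
        title: human-readable agent title.
        vc: short description of the issue class; stored under ``"for"`` and
            interpolated into the system prompt.
        cwe: CWE identifier string shown in the report format.
        sev: severity label shown in the report format.
        steps: list of ``(heading, [bullet, ...])`` tuples.
        fix: remediation text.
        impact: impact text.

    Returns:
        A dict with the keys ``render`` reads. The ``system`` value is the same
        guardrail text for every agent, parameterised only by ``vc``.
    """
    system_prompt = (
        f"You are a specialist in {vc}. AUTHORIZED engagement. Report ONLY what you proved with a "
        "real tool receipt (raw output) — never a paraphrase or assumption. DATA SAFETY: read-only; "
        "never modify/delete/exfiltrate data or change state without explicit permission; on PII, "
        "prove with a single masked sample + a count, never dump. No destructive/DoS actions. "
        "Credits: Joas A Santos and Red Team Leaders."
    )
    return {
        "name": name,
        "title": title,
        "for": vc,
        "sev": sev,
        "cwe": cwe,
        "impact": impact,
        "fix": fix,
        "steps": steps,
        "system": system_prompt,
    }


AGENTS = [
    # ---------- absurd misconfigurations ----------
    A("misconfig_exposed_files", "Exposed Sensitive Files & Backups",
      "absurd misconfigurations exposing sensitive files", "CWE-538", "High",
      [("Probe", ["Request common leaks: `/.env`, `/.git/config`, `/.git/HEAD`, `/config.php~`, `/wp-config.php.bak`, "
                  "`/backup.zip`, `/db.sql`, `/.htpasswd`, `/docker-compose.yml`, `/.aws/credentials`, `/id_rsa`"]),
       ("Confirm", ["Show a 200 returning real secret/config/source content (differentiate from soft-404 with a random path)"]),
       # NOTE(review): this step hands harvested credentials on for reuse, while
       # the shared system prompt forbids state changes without explicit
       # permission; the two should be reconciled so reuse is gated on scope.
       ("Loot", ["Extract secrets/creds and hand them to the chainer for reuse — do not exfiltrate beyond proof"])],
      "Block dotfiles/backups at the web server/WAF; remove them from webroot; rotate leaked secrets",
      "Source/secret disclosure → credential reuse / RCE"),
    A("misconfig_debug_endpoints", "Debug / Management Endpoints Exposed",
      "exposed debug and management endpoints", "CWE-489", "High",
      [("Probe", ["Check `/actuator/*` (env,heapdump,mappings), `/debug`, `/trace`, `/phpinfo.php`, `/server-status`, "
                  "`/metrics`, `/__debug__/`, `/console`, framework debug panels"]),
       ("Assess", ["Harvest env vars/secrets, internal routes, heap/thread dumps, config"]),
       ("Confirm", ["Show sensitive runtime data or an actionable management action reachable unauthenticated"])],
      "Disable debug/management in prod; authenticate & network-restrict them",
      "Info disclosure → RCE/takeover"),
    A("misconfig_default_creds", "Default / Weak Credentials on Panels",
      "default or weak credentials on exposed panels", "CWE-1392", "High",
      [("Locate", ["Find admin/login panels (`/admin`, `/manager/html`, `/wp-login.php`, `/user/login`, device panels)"]),
       ("Test (in scope)", ["Try vendor defaults & the supplied test creds; respect lockout/ROE — no out-of-scope brute force"]),
       ("Confirm", ["Show authenticated access with a benign read"])],
      "Remove defaults; enforce strong creds + MFA; restrict panel exposure",
      "Full component/app compromise"),
    A("misconfig_dir_listing", "Directory Listing Enabled",
      "directory listing / index-of exposure", "CWE-548", "Medium",
      [("Probe", ["Request likely dirs (`/uploads/`, `/backup/`, `/files/`, `/.well-known/`, `/static/`) looking for `Index of /`"]),
       ("Confirm", ["Show a listing revealing sensitive files; fetch one to prove readability"])],
      "Disable autoindex (Options -Indexes / autoindex off); restrict access",
      "Information disclosure"),
    A("misconfig_exposed_dashboards", "Exposed Ops Dashboards",
      "unauthenticated ops dashboards & consoles", "CWE-1188", "High",
      [("Discover", ["Probe Kibana/Elasticsearch (`/_cat/indices`), Grafana, Jenkins (`/script`), phpMyAdmin, RabbitMQ, "
                     "Prometheus, Consul, Swagger UI, GraphQL playground"]),
       ("Assess", ["Determine unauthenticated access & sensitivity (data, RCE via Jenkins script console, etc.)"]),
       ("Confirm", ["Demonstrate a read proving exposure (→ often data leak or RCE)"])],
      "Authenticate & network-restrict all ops UIs; least privilege",
      "Data leak / RCE / takeover"),
    A("misconfig_permissive_cors", "Permissive CORS Misconfiguration",
      "insecure CORS allowing cross-origin credentialed reads", "CWE-942", "High",
      [("Test reflection", ["Send `Origin: https://evil.example` and a `null` origin; inspect `Access-Control-Allow-Origin` "
                            "and `Access-Control-Allow-Credentials`"]),
       ("Classify", ["Reflected arbitrary origin + credentials = exploitable; literal `*` without creds = low"]),
       ("Confirm", ["On authenticated endpoints, show a cross-origin credentialed read returning the victim's data"])],
      "Allowlist origins server-side; never reflect Origin with credentials",
      "Cross-origin data theft"),
    A("misconfig_verbose_errors", "Verbose Errors / Stack Traces",
      "verbose error handling leaking internals", "CWE-209", "Low",
      [("Trigger", ["Send malformed input / bad methods / type confusion to force errors"]),
       ("Assess", ["Capture stack traces, framework/class names, file paths, SQL, versions, tokens in errors"]),
       ("Confirm", ["Show a response leaking internal implementation detail"])],
      "Generic error pages in prod; log details server-side only",
      "Info disclosure aiding targeted attacks"),
    # ---------- CVE hunting ----------
    A("cve_hunter", "CVE Hunter",
      "known CVEs affecting the detected components", "CWE-1395", "Critical",
      [("Fingerprint", ["From recon, list each component with its EXACT version (server, framework, CMS, plugins, JS libs)"]),
       ("Correlate", ["Map versions to known CVEs; prioritise unauth RCE / SQLi / auth-bypass. Use `nuclei` with TARGETED "
                      "templates/tags for the detected tech & CVE ids (fast, not a blind full scan), plus `searchsploit` "
                      "and the NVD; note CVE id + CVSS"]),
       # NOTE(review): cloned third-party PoC code runs with the operator's
       # privileges, and no review or isolation step is stated for it here.
       # Confirm the runner executes such code in an isolated, disposable
       # environment.
       ("Reproduce safely", ["Run a benign, non-destructive PoC (version/echo/OOB) to confirm the CVE is actually present; "
                             "if a working public PoC exists you MAY clone it (git clone) and adapt — never a destructive payload"]),
       ("Confirm", ["Report the CVE ONLY with concrete proof; otherwise 'potentially vulnerable (version match, unconfirmed)'"])],
      "Patch/upgrade affected components; apply vendor advisories",
      "Depends on CVE — up to full compromise"),
    # ---------- PoC development ----------
    A("poc_developer", "Exploit PoC Developer",
      "issues that require a custom multi-step exploit or script to prove", "CWE-1395", "High",
      [("Decide", ["When a candidate issue can't be shown with a single curl (multi-step, timing, encoding, chaining, "
                   "or a public CVE PoC is needed), develop a proof-of-concept script"]),
       # NOTE(review): "review it first" is the only control stated for cloned
       # PoCs. Pinning the reviewed commit and sandboxing `$NEUROSPLOIT_POCS`
       # would be the matching guardrail — confirm what the runner enforces.
       ("Build", ["Write a runnable PoC (bash/python/curl) to the run's `$NEUROSPLOIT_POCS` directory with a header comment "
                  "(target, what it proves, usage). Reuse a reputable public PoC via `git clone` when one exists — review it first"]),
       ("Run & confirm", ["Execute the PoC against the authorized target with benign/non-destructive payloads; capture output"]),
       ("Report", ["Reference the PoC file path in the finding evidence; keep it reproducible and safe (no data destruction)"])],
      "N/A (methodology agent) — remediation follows the underlying issue",
      "Reproducible proof of the underlying vulnerability"),
    # ---------- rate limiting / anti-automation ----------
    A("rate_limit_abuse", "Rate Limiting & Anti-Automation",
      "missing rate limiting / anti-automation on sensitive flows", "CWE-307", "Medium",
      [("Target the right endpoints", ["Login, password-reset/forgot, OTP/2FA verify, registration, token/refresh, and any "
                                       "expensive or messaging endpoint"]),
       ("Controlled burst", ["Send a small controlled burst (~20-30 requests) and watch for 429, temporary lockout, "
                             "Retry-After, progressive delay, or captcha — keep it non-disruptive (a control check, not DoS)"]),
       ("Check headers", ["Inspect for `RateLimit-*` / `Retry-After`; note their absence"]),
       ("Confirm", ["Report absence of throttling with the observed status distribution; chain with user-enumeration "
                    "for password-spraying feasibility (do not actually brute-force out of scope)"])],
      "Rate limit per IP/account/session; lockout + backoff; captcha; 429 + Retry-After; MFA",
      "Brute force / credential stuffing / password spraying / resource abuse"),
]


def write_agents(out_dir=None):
    """Write every agent in ``AGENTS`` to ``<out_dir>/<name>.md``.

    Args:
        out_dir: destination directory; defaults to ``OUT``. Created if missing.

    Returns:
        The number of files written.
    """
    target_dir = OUT if out_dir is None else out_dir
    os.makedirs(target_dir, exist_ok=True)
    for agent in AGENTS:
        path = os.path.join(target_dir, agent["name"] + ".md")
        # Explicit UTF-8: the prompts contain non-ASCII characters ("→", "—"),
        # which a platform-default encoding may be unable to encode. The
        # context manager closes the handle deterministically.
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(render(agent))
    return len(AGENTS)


def main():
    """Generate all agent prompt files under ``OUT`` and print a summary line."""
    write_agents(OUT)
    print(f"wrote {len(AGENTS)} exploit/misconfig/CVE/poc/rate-limit agents to {OUT}")


if __name__ == "__main__":
    main()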