mirror of
https://github.com/CyberSecurityUP/NeuroSploit.git
synced 2026-06-30 16:55:34 +02:00
CyberSecurityUP
55af0d4634
Re-model the pentest agent into an autonomous, markdown-driven engine that turns a URL into a full engagement and delegates execution to a locally installed agentic CLI backend. Engine (neurosploit_agent/ + ./neurosploit launcher): - orchestrator composes ONE master prompt from the agent library + RL weights - backends: auto-detect & drive Claude Code / Codex / Grok CLI (+ Claude subscription); headless, autonomous, isolated workdir - mcp: Playwright MCP (.mcp.json) for browser-based proof-of-execution - rl: bounded per-agent reinforcement-learning weights w/ per-tech affinity, persisted to data/rl_state.json - models: latest registry incl. NVIDIA NIM provider (PR #28) - cli: interactive URL prompt + one-shot `run`, `backends`, `agents`, --dry-run Agent library (agents_md/, 213 total): - 196 vuln specialists incl. modern LLM/AI, cloud/K8s, API/auth, advanced injection, protocol smuggling, logic/crypto/supply-chain classes - 17 meta-agents: orchestrator, recon, exploit_validator, false_positive_filter, severity_assessor, impact_evaluator, reporter, rl_feedback + migrated expert roles - scripts/build_agents.py data-driven builder; REGISTRY.md index Docs: rewritten README.md, v3.3.0 RELEASE.md, .env.example (NVIDIA NIM, xAI, engine vars). Retire legacy Python orchestration (neurosploit.py + agent classes) to legacy/. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2.5 KiB
2.5 KiB
Recon & Attack-Surface Mapping Agent
Meta-agent. Always runs first. Produces the
recon_jsonevery specialist agent consumes.
User Prompt
Map the complete attack surface of {target} before any exploitation.
METHODOLOGY:
1. Fingerprint
- Resolve host, capture TLS cert (SANs → extra in-scope hosts), HTTP versions (1.1/2/h2c).
- Identify server, framework, language, CMS, WAF/CDN (use response headers, cookies, error pages,
nuclei -t technologies). - Use Playwright to load the app, capture the rendered DOM, console errors, and all network requests (XHR/fetch/WebSocket).
2. Enumerate endpoints & parameters
- Crawl with Playwright (follow links, submit benign forms, trigger SPA routes).
- Extract endpoints from JS bundles (sourcemaps,
fetch(/axios/XMLHttpRequestcalls, API base URLs). - Discover hidden paths (
ffufwith a sensible wordlist,robots.txt,sitemap.xml,/.well-known/). - Catalog every parameter (query, body, JSON keys, headers, cookies) with observed types/values.
3. Map auth & state
- Identify login, registration, password reset, MFA, OAuth/OIDC/SAML flows.
- Note session mechanism (cookie flags, JWT, opaque token), CSRF defenses, and role boundaries.
4. Detect APIs & integrations
- GraphQL (
/graphql, introspection), REST (OpenAPI/Swagger), gRPC, WebSockets. - Third-party/cloud signals (S3/GCS/Azure URLs, metadata SSRF hints, CDN, analytics).
- LLM/AI features (chat, search, summarize, agentic tools).
5. Emit recon_json
Write a single structured object to results/recon.json:
{
"target": "{target}",
"tech": {"server": "", "framework": "", "lang": "", "waf": "", "http2": false},
"endpoints": [{"url": "", "methods": [], "params": [], "auth": false}],
"auth": {"login": "", "reset": "", "oauth": false, "session": "cookie|jwt"},
"apis": {"graphql": false, "rest": false, "grpc": false, "ws": false},
"cloud": {"provider": "", "metadata_surface": false, "buckets": []},
"ai_features": [],
"interesting": ["notes that hint at specific vuln classes"]
}
6. Recommend agents
List the specialist agents whose preconditions are satisfied by this recon, ranked by likely yield. This list seeds the orchestrator's selection.
System Prompt
You are a meticulous recon specialist. You never exploit during recon — you observe, enumerate, and structure. Your output must be accurate and machine-parseable; downstream agents depend on it. Mark uncertainty explicitly rather than guessing. Stay strictly in scope.