[pull] main from JoasASantos:main#11
Open
pull[bot] wants to merge 37 commits into
Open
Conversation
Updated methodology section for DNS reconnaissance.
Revise DNS reconnaissance methodology details.
`whitebox <arg>`, `greybox --repo <arg>`, `tui --repo`, and the REPL `/repo` now accept a git URL (https://github.com/owner/repo[.git], git@…, ssh://, *.git) or an `owner/repo` shorthand. A new resolve_source() shallow-clones it into <base>/repos/<name> (cached, .gitignored) and reviews it; existing local paths are used unchanged. Works identically with API-key (--model) and --subscription. Verified: `neurosploit whitebox https://github.com/digininja/DVWA --offline` clones DVWA and runs the 78 code agents over 120KB of source. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…mini Resolves the only two open issues that still apply to the Rust build: - #21 Azure OpenAI: new `azure` provider (OpenAI-compatible). Endpoint comes from AZURE_OPENAI_ENDPOINT, api-version from AZURE_OPENAI_API_VERSION (default 2024-10-21); the model name is the Azure deployment; auth uses the `api-key` header instead of Bearer. Use `--model azure:<deployment>`. - #25 Gemini key confusion: GEMINI_API_KEY now also accepts GOOGLE_API_KEY (Google's standard env var) as an alias; local providers (ollama/litellm) require no key. .env.example documents both. Kept under the v3.5.2 line (additive provider support). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…windows) GitHub Actions workflow that, on a pushed v* tag (or manual dispatch), builds a self-contained NeuroSploit (binary + agents_md/) for every OS/arch and uploads the archives to the matching release. macOS builds are also attached manually. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
New harness module `integrations` (+ app commands) wiring NeuroSploit into the SDLC. Config persists per-project to .neurosploit/integrations.json; secrets are NEVER stored — only the env-var name is saved, values read from the environment. GitHub: - private-repo clone (token injected into the clone URL for whitebox/greybox/tui) - `neurosploit pr <owner/repo> <n>`: clone the PR head (refs/pull/N/head), white-box review, optional `--comment` (PR summary) and `--jira` (cards) - `neurosploit watch <owner/repo> --branch --interval`: re-review on each new commit GitLab: - private-repo clone (oauth2 token) for whitebox/greybox (gitlab.com or self-hosted) Jira: - `--jira` on any engagement opens one card per finding (REST /issue, basic auth) Control: - `/integrations` (REPL): show · enable/disable · setup jira|gitlab|github - `neurosploit integrations [show|enable|disable] [github|gitlab|jira]` (CLI) Docs: README "Integrations" section + new TUTORIAL-INTEGRATION.md (per-tool setup, scopes, recipes, troubleshooting). Version bumped 3.5.2 → 3.5.3. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…-13) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Credits: Joas A Santos & Red Team Leaders. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…fute pass) - Robust verdict parsing (pool::parse_verdict): whitespace-insensitive, checks explicit rejection first, counts only explicit confirmations; ambiguous → Unclear (not confirmed). Replaces the fragile exact-JSON / loose "yes" match. - Severity-aware quorum (pool::quorum_confirmed): High/Critical now need ≥2 validators AND ≥2/3 agreement (a single vote can no longer confirm a Critical); lower severities need a strict majority (>half, was ≥half). Single- model panels fall back to majority so they aren't nuked. - Adversarial refute pass (REFUTE_SYS): every confirmed High/Critical is re-examined by a skeptical panel that assumes false-positive; findings that can't withstand a majority of skeptics are dropped. Survives on infra failure. - Strengthened VOTE_SYS with an explicit false-positive checklist (reflected-not- executed, version/banner guesses, self-XSS, error-as-injection, thin evidence, inflated severity); validator query now also includes impact. - Unit tests for parse_verdict + quorum_confirmed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…loitation)
Replaces the single-shot chain_round with attack_chain(): an iterative,
per-foothold pivot engine.
- Each round takes the newest confirmed footholds (best-first, capped) and, for
EACH one, an agent DECIDES which directions to expand — post-exploitation
(loot creds/keys/config/source), credential reuse, horizontal+vertical
privesc, lateral movement to adjacent services/hosts, data exfiltration, and
new attack surface the foothold exposes — proving each step with a receipt.
- LOOT (creds/tokens/hosts/endpoints) discovered in one round is carried forward
and reused by later rounds (parsed from a {"findings":[...],"loot":[...]} reply).
- New findings are validated each round (never pivot off a false positive) and
become the next round's footholds. Loop-until-dry or chain_depth rounds.
- New RunConfig.chain_depth (default 2) + --chain-depth flag on all engagement
commands (0 disables). CHAIN_SYS rewritten for decision/post-ex framing.
Bundles the multi-round post-exploitation attack-chaining engine (attack_chain: per-foothold decisions, loot carried forward, validate-before-pivot, loop-until- dry, --chain-depth) and the false-positive controls (robust verdict parsing, severity-aware quorum, adversarial refute pass, stronger validator prompt). Version bumped 3.5.3 -> 3.5.4; README/RELEASE updated.
Cloud testing: - +17 cloud agents (agents_md/infra/) for AWS/GCP/Azure: IAM/RBAC privesc, storage exposure (S3/GCS/Blob), compute & network exposure + IMDS, secrets (Secrets Manager / Secret Manager / Key Vault), SA/SP key abuse, Entra ID enum, and a multi-cloud footprint/identity recon agent. Library 348 -> 365. - creds.yaml gains aws:/gcp:/azure: blocks (Creds::cloud). The harness exports provider env vars (AWS_*, GOOGLE_APPLICATION_CREDENTIALS, AZURE_* SP) so aws/gcloud/az authenticate automatically, and injects a cloud directive. GCP inline JSON is written to a temp file. Best-practice auth per provider. REPL polish: - /chain <n> (attack-chain depth, wired to Session.chain_depth), /agents list (library category counts incl. infra/cloud); /show now shows chain-depth and enabled integrations. Tab-completion + help updated. Docs: README badges (365 agents / 14 providers), new "Cloud credentials" section; RELEASE notes. Version 3.5.4 -> 3.5.5.
The prompt passed to rustyline embedded ANSI escapes AND a newline (dim context line + colored `neurosploit›`), so rustyline mis-measured the prompt width and cursor position — typing/backspace/history/cursor got garbled in a real terminal (fine when piped, which has no line editor). Now: the dim context line is printed with println!() ABOVE the prompt, the readline prompt is plain "neurosploit› " (correct width), and the magenta color is applied via Highlighter::highlight_prompt (display-only, doesn't affect width).
…prompts REPL (v3.5.5): - /timeout <min>: idle guardrail — if no NEW finding lands within the window the run soft-stops and validates what was found (default 5 min; 0 disables). - /target accepts a comma-separated list; /run tests them SEQUENTIALLY (a queue auto-advances to the next target when the current run finishes; one report each). - /results (no arg, interactive): navigation browser — pick target/run → pick vulnerability → full detail; Esc steps back a level (vuln → target → session). - /report (no arg, multiple runs): pick which report to open from a menu. - /show now shows idle-stop; help updated. Agent prompts: - RECON_SYS deepened: crawl + params/headers/cookies, DOWNLOAD & analyze linked JS (endpoints, hidden params, GraphQL, secrets, sourceMappingURL), fingerprint exact versions, response-differential analysis; richer JSON schema. - tool_doctrine adds JS-analysis and request/response-analysis guidance (linkfinder/gau/katana, header/cookie/timing/length differentials).
…y, PoC dir Agents (+10 → library 375): absurd-misconfig hunters (exposed .git/.env/backups, debug/actuator, default creds, dir listing, ops dashboards, permissive CORS, verbose errors), a CVE Hunter (fingerprint → correlate → safe PoC), a PoC Developer (writes runnable scripts to the run's pocs/), and a Rate-Limit tester. Doctrine (pipeline): - SAFETY_DOCTRINE injected into every exploit/chain/host prompt: no modify/delete/ exfiltrate/state-change without permission; on PII prove with a masked sample + count, never dump. - tool_doctrine adds: smart targeted nuclei (fingerprint-first, -tags/-id, rate/ timeouts), misconfig hunting, rate-limit control checks, authorized tool download (git clone PoC repos / fetch scanners), Burp/ZAP proxy routing, and a per-run PoC workspace. Harness/CLI/REPL: - RunConfig.proxy; spawn_engagement creates <workdir>/pocs and exports NEUROSPLOIT_POCS + NEUROSPLOIT_PROXY (proxy from cfg or the env var). - REPL /proxy <url> and /burp (Session.proxy); /show shows proxy. Docs: README highlights + Cloud/counts (375), RELEASE v3.5.5 sections.
The OPTIONS/RUN sections crammed a second command into the description column (/clear, /quit, /offline, /chain, /theme appeared as loose text), which was confusing. Every command now has its own aligned row; split /attach+/context and /diff+/retest; added /results, /finding, /report, /offline, /theme rows; added /finding and /expand to Tab-completion.
Attribution (anti-plagiarism), multiple layers: - Identifying User-Agent on every request (default NeuroSploit/<ver> + an X-NeuroSploit-Scan header), overridable via /ua or NEUROSPLOIT_UA env; shown in the run banner. RunConfig.user_agent + Session.user_agent wired through. - Every finding is stamped "Identified and validated by NeuroSploit …" (in finish() and the raw-report path) so provenance travels in the finding text, findings.json and the report. Multi-role authentication for access-control testing (IDOR/BOLA/BFLA/privesc): - creds.yaml gains named identity blocks (admin:/user:/victim:/…), each with jwt | header | cookie | apikey | login+username+password. With >=2 roles the harness injects a cross-role access-control directive (authorized-vs-unauthorized proof) and defaults the primary auth to the first role. Also: /help now lists one command per line (fixes smushed OPTIONS/RUN columns); /ua command + Session field; docs (README + RELEASE) updated.
… TUTORIAL + example file
…ust) New harness::probe runs a real request/response analysis of the target BEFORE the model recon and injects the observed facts into recon, so agent-selection and exploitation decisions are grounded in evidence (robust even when model recon is weak): - status & redirect, Server/X-Powered-By/content-type, 6 security headers, cookie flags (HttpOnly/Secure/SameSite), CORS reflection test (arbitrary Origin + credentials), tech fingerprint, linked scripts, form count, a 404 baseline for soft-404 differentials, and high-signal paths (/robots.txt, /.git/config, /.env, /sitemap.xml, /.well-known/security.txt). - Best-effort (never fatal — degrades to a note on network failure), honors the identifying User-Agent and the Burp/ZAP proxy. Wired into black-box run() and greybox recon. A one-line probe summary streams to the live feed.
… codex wiring) Why runs came back empty / "MCP didn't execute": - Not logged in: a subscription CLI that isn't authenticated returns empty instantly (the Juice Shop symptom — every agent 0 candidates, no tool activity). Added models::cli_login_status + subscription_preflight(): before a run we check the primary provider's CLI is installed AND logged in and warn clearly if not (CLI run_mode + REPL start_background). - Missing browser: ensure_playwright_mcp now also runs `npx playwright install chromium` (best-effort; NEUROSPLOIT_SKIP_BROWSER_INSTALL=1 to skip) so the first browser action doesn't fail/hang. - Codex MCP was mis-wired (`--config mcp_config_file=` is not a codex key). Now injects our .mcp.json servers via `-c mcp_servers.<name>.command/.args` TOML overrides — MCP works on Codex, not only Claude. gemini/grok remain built-in-tools only (no MCP flag). - REPL diagnostic: subscription+MCP run with zero tool/browser events warns the CLI likely isn't logged in / MCP didn't start.
- tool_doctrine: agents now actively DRIVE the browser on JS/SPA targets — use the Playwright MCP (render, read live DOM, click client-side routes, watch the network to find the real API, screenshot proof); when no MCP, use the Playwright CLI (write+run a small script / npx playwright screenshot) to render and capture XHR/fetch traffic — complementing curl (which only sees the empty shell). - probe: detect SPAs (<app-root>, ng-version, near-empty body + linked scripts → Angular/React/Vue/SPA) and note in recon that the browser is required, so the SPA agents get selected. - +8 SPA/API agents (library 383): spa_api_discovery, spa_hidden_admin, login_sqli_bypass, dom_xss_spa, api_bola_numeric_ids, register_privilege_mass_assign, jwt_forgery_spa, spa_business_logic. - Docs: README/RELEASE/TUTORIAL counts + notes.
…; Ctrl-C confirm - /results (interactive, no arg) now ALWAYS opens the run/test picker (target → vuln → detail, Esc back) instead of jumping straight to the current run's vulns. The live run (if any) appears at the top, past runs newest-first — so you can browse every test, not only the active one. - /validate [n]: re-run false-positive validation (N-model voting + adversarial refute) on a recovered/past run's findings WITHOUT re-testing the target, then rewrite that run's findings + report. Backed by new harness::pipeline::revalidate. Use this after a crash/quit recovered raw findings into /runs. - Ctrl-C at the prompt now CONFIRMS instead of silently cancelling: with a live run it offers [s]top&validate / [q]uit(keep findings) / keep-running; otherwise asks "exit? [y/N]" — so a stray Ctrl-C can't lose a running test.
…run from anywhere - setup.sh: downloads the prebuilt release asset for the detected OS/arch (no Rust needed; latest release auto-resolved), installs binary + agents_md to ~/.neurosploit-app, symlinks into ~/.local/bin, and PERSISTS PATH + NEUROSPLOIT_BASE into the shell rc (bash/zsh/fish). Falls back to a source build (NEUROSPLOIT_BUILD=1 to force). Idempotent. - install.ps1: same for Windows — downloads windows-x64 zip, installs to %LOCALAPPDATA%\NeuroSploit, sets User PATH + NEUROSPLOIT_BASE (setx), source-build fallback (incl. arm64). - find_base(): auto-discovers agents_md/ NEXT TO THE EXECUTABLE (resolves the PATH symlink via current_exe) and at common install dirs — so `neurosploit` runs from ANY folder even without the env var. Env override still takes precedence. Verified: symlinked binary run from /tmp with no env finds all 383 agents.
…h, +6 agents - DECISION_DOCTRINE injected into exploit/grey/chain prompts: analyse responses to pick the technique; map & connect routes (endpoint output → next endpoint input); hunt sensitive flows; mine parameters (incl. hidden from JS/source maps) and test per-param; mock realistic (non-PII) data to reach deeper logic; exploit the authenticated surface after login and compare roles; build PoCs when a proof needs an artifact; bypass 401/403/redirect controls. - REPL /auth now supports multiple named identities (/auth admin <hdr>, /auth user <hdr>; bare token → Bearer). With >=2 roles the run gets the access-control directive (IDOR/BOLA/BFLA/privesc, authorized-vs-unauthorized) and tests both. - +6 decision agents (library 389): param_miner, endpoint_flow_linker, authenticated_surface_exploit, clickjacking_poc (HTML PoC), csrf_poc (HTML PoC), access_control_bypass. - Docs: counts 383->389, RELEASE + /auth help updated.
Detect components past their vendor end-of-life/end-of-support window and exploit the accumulated, unpatched CVEs (pin exact version → check endoflife.date + CVE feeds → safe PoC): - vulns: eol_stack_detection, eol_runtime_exploitation, eol_framework_exploitation, eol_cms_exploitation, eol_client_library - infra: eol_webserver_exploitation, eol_os_service, eol_tls_protocol Docs: counts 389->397, RELEASE note.
…n tricks - New meta/bugbounty_methodology.md (library 398): distilled high-signal techniques from public writeups (HackerOne Hacktivity, KingOfBugBounty, Awesome-Bugbounty- Writeups, bug-bounty-reference, top hunters) — hunter mindset + per-class tricks (IDOR/BOLA, 403 bypass, account takeover, SSRF->cloud, business logic/race, cache poisoning, subdomain takeover, GraphQL), chaining and reporting. - RECON_SYS gains KingOfBugBounty-style recon: subdomain enum (crt.sh/subfinder/ amass->httpx), historical URLs (gau/waybackurls/katana), gf patterns, param mining (arjun+JS/wayback), content discovery (ffuf/feroxbuster), classic exposure checks (.git/.env/swagger/actuator, dangling CNAMEs). Degrades to installed tools. - Docs: counts 397->398, RELEASE note.
…adge - Fetched & analysed real public writeup corpora (Awesome-Bugbounty-Writeups, bug-bounty-reference); the technique distribution (XSS/RCE/CSRF/SSRF/2FA/…) validates the methodology agent's priorities. Added explicit 2FA/MFA bypass and SAML/SSO sections to bugbounty_methodology. - New agent twofa_bypass_techniques (library 399): full 2FA-bypass playbook (rate-limit brute, reuse, response manipulation, step skip, null/default, backup/remember-me, race, disable-2FA IDOR, SSO side door). - README: Trendshift badge. - Version bumped 3.5.5 -> 3.5.6 across crates/app/installers/docs; RELEASE section.
- New `ai` agent category (agents_md/ai/, +18): OWASP LLM Top 10 (2025) — prompt injection (direct+indirect), jailbreak, system-prompt leak, sensitive-info disclosure, improper output handling, excessive agency, RAG/embedding, unbounded consumption, supply chain, misinformation — plus MCP risks (tool poisoning, excessive permissions/confused-deputy, unsafe tool execution) and Skills/plugin + n8n workflow audits (incl. an AI/LLM-node audit). Library 417. - Pipeline: run_ai (live AI/LLM/MCP red-team) + run_skills_audit (white-box .md/ .json/folder for skills & exported n8n flows), AI_DOCTRINE + AI_RECON_SYS. Mode enum gains Ai/Skills; wired in CLI + TUI. - CLI: `aitest <url>` and `skills <path>` subcommands. `agents` JSON now reports ai. - REPL onboarding wizard (/onboard, auto on first launch): pick scope — web / infra / cloud / ai / skills — then guided setup; Session.scope drives dispatch; shown in /show. - Models: +claude-sonnet-5, +grok-4.5. - Version 3.5.6 -> 3.6.0; docs/counts (417) + RELEASE section.
…nstall Recon was a single quick model pass — now it's deep and iterative: - deep_recon(): an initial deep enumeration pass then follow-up EXPANSION rounds that chase discovered subdomains/hosts/endpoints/params, converging when a round finds nothing new. Rounds scale with intensity. - recon_intensity_directive(): tells the agent HOW hard to recon and to INSTALL the tools it needs (apt/pip/go/npm/cargo) — subfinder/amass/httpx/gau/katana/ gf/arjun/ffuf/nuclei/nmap/dnsx/linkfinder/whatweb/nikto/testssl — chained (subfinder->httpx->katana/gau->gf->ffuf); covers subdomains, crawl+wayback, JS, content/param discovery, ports, versions, API, exposures, TLS/headers. - RunConfig.recon_intensity (default 3) + REPL /recon <1-4> + CLI --recon <1-4> (1 quick .. 4 exhaustive); shown in /show.
Added the OpenAI GPT-5.6 line to the provider pool: gpt-5.6-sol (frontier/default), gpt-5.6-terra (balanced), gpt-5.6-luna (fast/affordable). Version 3.6.0 -> 3.6.1.
…sult
`codex exec` in --dangerously-bypass-approvals-and-sandbox mode exits non-zero
when a tool/command it ran internally (curl/nmap/etc.) returned non-zero — even
though it produced a valid final answer. chat_cli treated any non-zero exit as a
hard failure and dropped the output ("recon round 1 failed ... exit 1"). Now, on
non-zero exit WITH usable stdout and no auth/rate/quota keyword, we use the
output; only genuine auth/rate/quota errors (or empty output) fail hard.
…ill recon
Symptom: with a non-streaming subscription CLI (codex), a long/intense recon
showed nothing in the feed ("phase starting") and the 5-min idle guardrail killed
the run before any agent ran.
- render_compact now SHOWS recon/probe/ai-recon/skills-audit/loaded/running lines
(were dropped) so a long recon no longer looks frozen.
- Idle guardrail reworked: resets on ANY streamed activity (not only new
findings) and only ARMS after exploitation starts (agent launch / vote) — recon
can never trip it. Message: "no activity in N min".
- RunLive.ingest sets phase=recon on recon/probe lines (was stuck at "starting").
- /status now shows progress in EVERY phase: a real bar once agents are selected, otherwise the current pre-exploit phase + counters (cmds, activity lines), plus a "last:" sign-of-life line (the latest activity) and the actual full findings. Before, the bar only appeared after agent selection, so a long recon looked frozen. Findings count now uses the full list. - New /logs [n] — dump the recent activity feed (recon/tools/findings) of the running test; useful with non-streaming CLIs (codex) or after scrolling. Backed by a capped feed ring buffer + last/lines counters in RunLive.
… /status - Drive `codex exec --json` and parse its JSONL event stream into the same categorized live feed as Claude Code (exec/edit/tool/net/tokens), so recon and exploitation are visible as each command runs instead of a silent black box. - Fix the activity feed to keep per-agent tool events (commands, network, files, findings) and only filter model reasoning + token telemetry, so /logs shows the real command trail and /status 'last:' is a true sign-of-life. - Surface failed internal commands as 'exec: (exit N)'; keep Codex auth/rate detection from stderr.
…download A missing or un-downloadable recon tool must never block the run. Both the recon intensity directive and the general tool doctrine now instruct agents to: - wrap every install in `timeout 90 <install> || echo skip` and run non-interactively - try each tool install at most once; on failure/no-package/no-network/hang, skip immediately and fall back to an installed alternative or curl/nc/dig/python3 - never wait on, retry, or block the whole recon for a single tool download
- /continue (and /resume) now relaunch a recovered interrupted run on the same target, carrying its findings forward and steering agents to widen coverage / chain from them instead of re-reporting. Offer shown at launch; a fresh /run supersedes it. Findings merge (dedup by title+endpoint) across both runs. - Opening /results, /finding or /report while a run streams no longer corrupts the terminal: live background output is paused for the picker (still captured in /logs) and restored on exit, so Ctrl-C in a picker can't take the process down mid-run.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )