-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmain.py
221 lines (188 loc) · 17.2 KB
/
main.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
import os, tempfile
from openai import AzureOpenAI
from azure.identity import DefaultAzureCredential, get_bearer_token_provider
import autogen
import os
from CVE_searching_tool import fetch_cves_by_keyword
from Reading_function import read_file
from website_request import fetch_webpage_content
from report_save import save_report
from web_interaction import credentials, click, fill
from autogen.agentchat import AssistantAgent, ConversableAgent, UserProxyAgent, GroupChat, GroupChatManager
from autogen.coding.local_commandline_code_executor import LocalCommandLineCodeExecutor
from vulnaribility_list import add_to_file
from Vulnerability_list_out import output_list
interaction_mode = "ALWAYS"
config_list = [
{
"api_type": "azure",
"base_url": "xxxx",
"api_key": "xxxx",
"model": "xxxx",
"api_version": "2024-02-15-preview"
}
]
llm_config = {
"seed": 30,
"config_list": config_list,
"temperature": 0.4,
}
vulnerabilites = ConversableAgent(
name= "Vulanaribilities-Searcher-CVEs",
system_message= "You're a cybersecurity professional, part of the vulnaribility team, whose job is to find vulnaribilities based on scan reports given to you. You should be researching and scanning database such as CVEs, CAPEC and such for known vulnaribilities on the OS, versions, software that the webpage use and that were discovered. To do so you can use a tool and look for CVEs based on keyword.",
llm_config=llm_config,
human_input_mode=interaction_mode,
)
vulnerabilites_1 = ConversableAgent(
name= "Vulanaribilities-Searcher-Nuclei",
system_message= """You're a cybersecurity professional, part of the vulnaribility team, whose job is to find vulnaribilities based on scan reports given to you. You're the one taking care of Nuclei (other programs are taken care of by other people) so you should use Nuclei and only nuclei (already installed) and and its commands to scan for vulnaribilities, when using nuclei use all the templates by not specifying any path to them. When performing a vulnaribility scan, redirect the ouput to a file so we have a record of it. If the job requires other type of scans, it will be taken care of by another person of the team. The commands you create should have this format:
```language
command
```
""",
llm_config=llm_config,
human_input_mode=interaction_mode,
)
vulnerabilites_2 = ConversableAgent(
name= "Vulanaribilities-Searcher-Nikto",
system_message= """You're a cybersecurity professional, part of the vulnaribility team, whose job is to find vulnaribilities based on scan reports given to you. You're the one taking care of Nikto (other programs are taken care of by other people) so you should use Nikto and only Nikto (already installed) and and its commands to scan for vulnaribilities. When performing a vulnaribility scan, redirect the ouput to a file so we have a record of it. If the job requires other type of scans, it will be taken care of by another person of the team. The commands you create should have this format:
```language
command
```
""",
llm_config=llm_config,
human_input_mode=interaction_mode,
)
vulnerabilites_3 = ConversableAgent(
name= "Vulanaribilities-Searcher-Wapiti",
system_message= """You're a cybersecurity professional, part of the vulnaribility team, whose job is to find vulnaribilities based on scan reports given to you. You're the one taking care of Nuclei (other programs are taken care of by other people) so you should use Wapiti and only Wapiti (already installed) and and its commands to scan for vulnaribilities. When performing a vulnaribility scan, redirect the ouput to a file so we have a record of it and make sure the result of the command is in a txt format and not html. If the job requires other type of scans, it will be taken care of by another person of the team. The commands you create should have this format:
```language
command
```
""",
llm_config=llm_config,
human_input_mode=interaction_mode,
)
web_fetch = AssistantAgent(
name= "Webpage-fetcher",
system_message= "You're part of a pentesting cybersecurity team specialized in webpage pentesting. To help your team, you perform request to the targeted website, and fetch their html code so that your team understand better the layout of the website",
llm_config=llm_config,
human_input_mode="NEVER",
)
writer = AssistantAgent(
name= "Report-Writer",
system_message= "You're a professional writer, whose job is contruct a report in a bullet point format summarizing what was found during any process conneceted. YOU SHOULD NOT BE SUGGESTING ANY COMMAND. Just some general next step to take. And after creating a report you should ALWAYS SAVE IT",
llm_config=llm_config,
human_input_mode="ALWAYS",
)
checker = ConversableAgent(
name= "Code-Checker",
system_message= """You're a professional code checker, whose job is whenever a command or code is created before its run you should first, checking if the code is correct. if there is a typing mistake, an argument mistake, a language mistake, etc you should say something so that the code is rewritten by the agent who produced this code. Also check if the command was generated in the right format, with the specified language. The format should be:
```language
command
```
If you don't see anything, you can give the green light for the command to be executed. """,
llm_config=llm_config,
human_input_mode=interaction_mode,
)
web_interaction = ConversableAgent(
name= "Webpage-communicator",
system_message= "You're a professional web communicator, you're job is to interact and communicate with the webpage based on html reports provided to you. You can click and fill in user and password boxes or any input box. You should call the web-fetcher after clicking or entering something knew to get info on it as it is new information",
llm_config=llm_config,
human_input_mode=interaction_mode,
)
exploit = ConversableAgent(
name= "Pentester-exploiter",
system_message= """You're part of a pentesting cybersecurity team specialized in webpage pentesting. You're the vulnaribilities expert of the team. Your job is to create commands to exploit vulnaribilities based on the findings of your colleagues. The code you produced should just be for exploiting purposes. These commands will be executed by someone else. If the user asked about outputing the result of the command you should save the command ouput to a file. DO NOT CODE COMMAND TO FORMAT OUTPUTS. ALWAYS INFER WHAT LANGUAGE YOU'RE USING, I REPEAT ALWAYS SAY WHAT LANGUAGE YOU ARE USING (it should mostly be bash). DO NOT WRITE MULTIPLE LINE OF CODE, instead write one, wait for its execution, analyze it and write another command that follows up on the last command result. When creating code that could have very large output (like bruteforce attack, enumaration, or any code that requires trying a number of possible options in any way), save it to a file and redirect the output with "> /dev/null 2>&1" to avoid overwhelming the system, the file can be read later which will avoid unsuported output size. The commands you create should have this format:
```language
command
```
You have access to a number of tools in kali linux, here is the list, you can use any of them to perform your reconnaissance job:
apache-users, apache2, beef-xss, burpsuite, cadaver, commix, cutycapt, davtest, default-mysql-server, dirbuster, dotdotpwn, eyewitness, ferret-sidejack, ftester, gobuster, hakrawler, hamster-sidejack, heartleech, httprint, httrack, hydra, hydra-gtk, jboss-autopwn, joomscan, jsql-injection, laudanum, lbd, maltego, medusa, mitmproxy, ncrack, nishang, nmap, oscanner, owasp-mantra-ff, padbuster, paros, patator, php, php-mysql, proxychains4, proxytunnel, qsslcaudit, redsocks, sidguesser, siege, skipfish, slowhttptest, sqldict, sqlitebrowser, sqlmap, sqlninja, sqlsus, ssldump, sslh, sslscan, sslsniff, sslsplit, sslyze, stunnel4, thc-ssl-dos, tlssled, tnscmd10g, uniscan, wafw00f, wapiti, watobo, webacoo, webscarab, webshells, weevely, wfuzz, whatweb, wireshark, wpscan, xsser, zaproxy, aircrack-ng, burpsuite, john, crackmapexec, metasploit-framework, responder
You also have accesss to these word list:
/usr/share/wordlists
|-- amass -> /usr/share/amass/wordlists
|-- brutespray -> /usr/share/brutespray/wordlist
|-- dirb -> /usr/share/dirb/wordlists
|-- dirbuster -> /usr/share/dirbuster/wordlists
|-- dnsmap.txt -> /usr/share/dnsmap/wordlist_TLAs.txt
|-- fasttrack.txt -> /usr/share/set/src/fasttrack/wordlist.txt
|-- fern-wifi -> /usr/share/fern-wifi-cracker/extras/wordlists
|-- john.lst -> /usr/share/john/password.lst
|-- legion -> /usr/share/legion/wordlists
|-- metasploit -> /usr/share/metasploit-framework/data/wordlists
|-- nmap.lst -> /usr/share/nmap/nselib/data/passwords.lst
|-- rockyou.txt.gz
|-- seclists -> /usr/share/seclists
|-- sqlmap.txt -> /usr/share/sqlmap/data/txt/wordlist.txt
|-- wfuzz -> /usr/share/wfuzz/wordlist
`-- wifite.txt -> /usr/share/dict/wordlist-probable.txt""",
llm_config=llm_config,
human_input_mode=interaction_mode,
)
info_gather = ConversableAgent(
name= "Pentester-Scanner",
system_message= """You're part of a pentesting cybersecurity team specialized in webpage pentesting. You're the info gathering expert in the team. Your job is to create commands for the first phase of pentesting, reconnaissance and nothing else (you shouldnt try to create vulnerability scans etc). The code you produced should just be for scanning purposes in the early phase of a pentesting to try and find potential vulnaribilities, or any promising leads on the webpage. These commands will be executed by someone else. If the user asked about outputing the result of the command you should save the command ouput to a file. DO NOT CODE COMMAND TO FORMAT OUTPUTS. Anytime you're called you should output ONLY ONE COMMAND AND NOT A LIST. The commands you create should have this format:
```language
command
```
You should be using nmap to do you reconnaissance job.
""",
llm_config=llm_config,
human_input_mode=interaction_mode,
)
temp_dir = tempfile.TemporaryDirectory()
executor = LocalCommandLineCodeExecutor(
timeout=3600,
work_dir="groupchat/Outputs",
)
code_executor_agent = AssistantAgent(
"code_executor_agent",
llm_config=False,
code_execution_config={"executor": executor},
human_input_mode="NEVER",
)
file_reader_agent = AssistantAgent(
name="File-Reader",
system_message="You're a file reading assistant. Your job is to output the content of files to the user when needed",
llm_config=llm_config,
human_input_mode="NEVER",
)
comparater = ConversableAgent(
name = "Vulnaribility-comparater",
system_message= "You're a vulnaribility analist, whose objective is to analyse multiple output from different vulnaribility scanners and compare their result to figure out false positives using cross comparasion and the frequency of the vulnaribilities in the scans, and moreover critical thinkinng and analysis to determine real threat (think about known vulnerabilities on ditribution version, if an attack would atctually be possible and not just a fake positive). A false positives is something revealed by the vulnerability scanner but that doesn't actually have any real threat to it. To be able to compare the multiple outputs, they need to be on the same file, so you should save the output of every scanner on a single file that's called Vuln_list.txt using your saving tool thats takes in the name of the scanner called, and the file where the output was saved (the vulnaribility scanners will always save the output to a file for efficiency). Please do this after each execution of vulnerability scan even if the scan resulted in an error (it might show an error but the scan worked and is on the output file specified in the scan's command). When all vulnerability scanners have been ran, use your reading tool that specifically made to read the vulnerability list file (only this file) and start assessing false positives. ",
llm_config=llm_config,
human_input_mode="ALWAYS"
)
comparater.register_for_llm(name="Output_vulnerability_list", description="read the vulnerability list and output it")(output_list)
comparater.register_for_llm(name="vulnarinility_save_to_list", description="A tool that append the ouput of a vulnaribility scans to the Vulnaribility List file given the name of the file where the output is, and the name of the vulnaribility scanner that produced the output")(add_to_file)
web_interaction.register_for_llm(name= "webpage-click", description="a tool for clicking on something given the website and the html button href id that needs to be clicked")(click)
web_interaction.register_for_llm(name= "webpage-password-fill", description="a tool for filling a username and password input boxes, given the username, the password, the username input box html name, not the id of the element, the password input box html name, and the website")(credentials)
web_interaction.register_for_llm(name= "webpage-fill", description="a tool to fill with text some input box and entering, given the text, website, and input box html name")(fill)
writer.register_for_llm(name = "saving-report", description="A tool to save reports created to the appropriate folder")(save_report)
web_fetch.register_for_llm(name="website-fetcher", description="A website request tool that allow you to access and fetch all the html code using the url of the website")(fetch_webpage_content)
vulnerabilites.register_for_llm(name="CVE_searcher", description="A CVE searching tool that searches for every CVE based on the a keyword/sentence")(fetch_cves_by_keyword)
file_reader_agent.register_for_llm(name="read_file", description="Read the contents of a specified file based on its path, this tool should not be used to read the vulnerability list ")(read_file)
user_proxy = UserProxyAgent(
name="User_proxy",
system_message="A human admin.",
is_termination_msg=lambda msg: "TERMINATE" in msg["content"],
code_execution_config={"work_dir": "/mnt/c/Users/lstalet/Documents/autogen/WSL - pentest/groupchat/Outputs", "use_docker" :False},
human_input_mode=interaction_mode,
llm_config=llm_config
)
user_proxy.register_for_execution(name="Output_vulnerability_list")(output_list)
user_proxy.register_for_execution(name="CVE_searcher")(fetch_cves_by_keyword)
user_proxy.register_for_execution(name="read_file")(read_file)
user_proxy.register_for_execution(name="website-fetcher")(fetch_webpage_content)
user_proxy.register_for_execution(name = "saving-report")(save_report)
user_proxy.register_for_execution(name= "webpage-click")(click)
user_proxy.register_for_execution(name= "webpage-password-fill")(credentials)
user_proxy.register_for_execution(name= "webpage-fill")(fill)
user_proxy.register_for_execution(name="vulnarinility_save_to_list")(add_to_file)
task= """You're a collective of pentester in a cybersecurity firm specialized in web page testing practising for future jobs, you have a training website situated at http://terratest.earth.local/. Your goal is to first perform reconnaissance, then scanning the website for vulnerabilities using each of your vulnerability scanners (nikto, nuclei and wapiti), compare their result and try to minimize the number of false positives in these findings"""
'''"""You're a collective of pentester in a cybersecurity firm specialized in web page testing practising for future jobs, you have a training website situated at http://terratest.earth.local/. Right now we have done 4 vulnerability scans one with nikto, one with nuclei, one with wapiti and one with uniscan. They are all on the vulnerability list file, so read the file and try to find false positives using the comparater"""'''
''''''
gc = GroupChat(agents=[user_proxy, writer, comparater, info_gather,vulnerabilites, vulnerabilites_1, vulnerabilites_2, vulnerabilites_3, exploit, code_executor_agent, file_reader_agent, web_fetch, web_interaction, checker], messages=[], max_round=300)
manager = GroupChatManager(name= "Boss", groupchat=gc, llm_config=llm_config, system_message="You're the manager of this pentesting team. You should be synchronizing everybody so that they work in unison without any hiccup. The structure of the pentesting team work should be reconnaissance, dig into a potential weakness of the website, if if doesn't lead anywhere go back and keep searching for a weakness. If you're having issues on a command that's taking too long, try to find some alternatives or go dig somewhere elese, don't get stuck. Remember that after a report is created (writer is called) YOU SHOULD ALWAYS SAVE THE REPORT BY CALLING THE SAVING-REPORT TOOL! In addition to that if you're executing a command that was generated by one of the vulnerability professional, YOU SHOULD ALWAYS SAVE THE OUTPUT OF THE EXECUTED COMMAND TO THE VULN_LIST USING THE add_to_file TOOL (EVEN IF IT RESULTED IN AN ERROR !!!!) BEFORE CREATING THE REPORTS ON THE OUTPUT.")
user_proxy.initiate_chat(manager, message=task)