diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md index 8e3a7e2..d3af6d1 100644 --- a/.github/copilot-instructions.md +++ b/.github/copilot-instructions.md @@ -122,13 +122,17 @@ impact faster: should assume it will run concurrently per-host and per-service. No shared mutable state outside `KnowledgeBase` / `AuditLog`, both of which must stay thread-safe. -- **Wider enumeration surface.** Roadmap scanners to implement - aggressively: SMB (shares, sessions, OS), FTP (anon + banner), SSH - (algos, host keys, user enum), SNMP (community brute + walk), LDAP - (anon bind, naming contexts, user/group enum), RPC (endpoint mapper - + null session), Kerberos (SPN listing, AS-REP roast, kerberoast - where in scope), HTTP content-discovery (wordlist-driven), TLS - cipher enumeration, DNS AXFR. Each re-checks scope inside the tool. +- **Wider enumeration surface.** The shipped scanner set already + covers SMB (shares, sessions, OS), FTP (anon + banner), SSH (algos, + host keys), SNMP (community brute + walk), LDAP (anon bind, naming + contexts), RPC (endpoint mapper + null session via + `Recon/Ad/SmbNullSessionTool`), Kerberos (SPN listing, + delegation/AS-REP/kerberoast helpers under `DelegationEnumTool` / + `DcSyncDetectionTool`), HTTP content-discovery + (`HttpContentDiscoveryTool`), TLS cipher enumeration + (`TlsCipherEnumTool`), and DNS AXFR (`DnsZoneTransferTool`). Each + re-checks scope inside the tool. New scanners should match this + bar — wider surface, scope-checked, audit-recorded. - **Full NSE surface inside scope.** `safe,default,discovery,version, auth,exploit,intrusive,vuln` are all available in lab mode. `dos` and `malware` are opt-in per run. In strict mode the defaults are diff --git a/docs/ARCHITECTURE.md b/docs/ARCHITECTURE.md index 373a546..0e00a1f 100644 --- a/docs/ARCHITECTURE.md +++ b/docs/ARCHITECTURE.md @@ -437,7 +437,8 @@ network; downstream tools enforce scope per Append-only JSONL log (`out/audit.jsonl`) capturing every tool call, scope decision, doctor detection/install, and session event. Used by tests, -forensics, and the planned live UI stream. +forensics, and the live UI stream surfaced via the `Drederick.Web` +SignalR `EventsHub`. ## Thread-safety {#thread-safety} diff --git a/docs/EMPIRE.md b/docs/EMPIRE.md index d7230ad..263e4ac 100644 --- a/docs/EMPIRE.md +++ b/docs/EMPIRE.md @@ -497,6 +497,6 @@ drederick --scope lab.txt --target 10.0.0.0/8 --autopilot --out out/ - **Listener orchestration:** Auto-start Empire server, return listener URL to stager - **Module API integration:** Query `empire/handlers` for available modules, match against findings - **Callback tunneling:** Route agent callbacks through Drederick's network isolation layer -- **OPSEC profiles:** Template stagers with obfuscation, certificate pinning, jitter +- **OPSEC profile auto-rotation:** Per-stage profile rotation and certificate pinning on top of the bundled Malleable C2 corpus already shipped via [`MalleableProfileLibrary`](../src/Drederick/Exploit/Empire/MalleableProfileLibrary.cs). - **Lateral move simulation:** Pre-flight test lateral movement paths before execution diff --git a/docs/UI_GUIDE.md b/docs/UI_GUIDE.md index d925c7c..8691867 100644 --- a/docs/UI_GUIDE.md +++ b/docs/UI_GUIDE.md @@ -57,11 +57,13 @@ loaded (the `scope-file-read-only` invariant). **Findings → Open in Datasette** button launches `drederick serve` against the currently selected output directory. -## What's still CLI-only +## What's still Avalonia-CLI-only The offensive engine (`ExploitRunner`, `MsfDriver`, `CredRunner`, -`PayloadStager`, session tracking) and the Jeopardy CTF subsystem ship -today as CLI features. Run them with the per-category opt-in flags +`PayloadStager`, session tracking) and the Jeopardy CTF subsystem are +exposed by the CLI and by the **Web UI** (see [`WEB_UI.md`](./WEB_UI.md) +— Offensive and Jeopardy pages). They are not yet surfaced in the +Avalonia console. Run them with the per-category opt-in flags (`--allow-exec-pocs`, `--allow-cred-attacks`, `--allow-payloads`, `--allow-destructive`, `--allow-dos`, `--acknowledge-lockout-risk`). Surfacing them in the Avalonia console is tracked in [`UI.md`