Share
## https://sploitus.com/exploit?id=64A0063B-D028-5EBD-A31B-D00549476DA5
# ๐ฅ The Exploit Foundry
[](https://www.python.org/)
[](https://github.com/m46-coder/exploit-foundry)
[](https://github.com/m46-coder/exploit-foundry)
## Development Setup
```bash
python3 -m pip install -e .
python3 -m pip install pytest pytest-cov
pytest
pytest --cov=arsenal --cov-report=html
```
## An Automated, Intelligent Purple-Team Hacking Framework
> *"Give me a target I have permission to test. I'll break it, document it, and report it."*
---
## ๐ฏ What Is This?
**The Exploit Foundry** is not just a folder structure. It's an **automated framework** that:
1. Takes a target (IP or domain) you have **permission** to test
2. Runs **intelligent reconnaissance** to discover attack surfaces
3. **Matches** findings against known attack patterns
4. **Executes** prioritized exploits automatically or with approval
5. **Documents** every finding with severity ratings
6. **Generates** professional reports (technical + executive)
You bring the **permission**. The Foundry brings the **power**.
---
## โ๏ธ Legal & Ethics
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ ๏ธ YOU MUST HAVE WRITTEN PERMISSION TO TEST ANY TARGET โ
โ โ
โ โข Your own systems? โ
Yes โ
โ โข Systems you have written authorization for? โ
Yes โ
โ โข Bug bounty programs within scope? โ
Yes โ
โ โข Random systems on the internet? โ NO (illegal) โ
โ โข Employer systems without permission? โ NO (fireable) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
**Every engagement folder contains `01_permission.email.eml` โ proof of authorization. No permission = no test.**
---
## ๐ Structure
```
The-Exploit-Foundry/
โ
โโโ arsenal/ # The engine
โ โโโ recon/ # Scanner scripts
โ โโโ exploitation/
โ โ โโโ rules/ # Match recon โ attacks (includes SSH brute force)
โ โ โโโ executors/ # Run the attacks (SSH brute force, WordPress exploit, SQLi, XSS, file upload, Joomla, etc.)
โ โ โโโ orchestrator.py # Main controller
โ โโโ post-exploitation/ # After initial access
โ โโโ reporting/ # Report generator
โ
โโโ engagements/ # YOUR tests live here
โ โโโ template/ # Copy this for new targets
โ โ โโโ config.json # {{target_ip}}, {{target_domain}}
โ โ โโโ recon/ # AUTO-POPULATED from scans
โ โ โโโ attack-plan/ # GENERATED from recon
โ โ โโโ exploits/ # AUTO-UPDATED during execution
โ โ โโโ findings/ # AUTO-POPULATED by severity
โ โ โโโ logs/ # Everything captured
โ โ โโโ report/ # GENERATED at end
โ โ
โ โโโ 2025-04-08_target-name/ # YOUR actual engagement
โ
โโโ wordlists/ # Password lists, directories, etc.
โโโ payloads/ # Reverse shells, bind shells
โโโ README.md # This file
---
## ๐ท๏ธ Web Exploitation Arsenal
The framework includes comprehensive web vulnerability detection and exploitation:
### ๐ **Reconnaissance & Detection**
- **Technology Fingerprinting**: Detects WordPress, Joomla, Drupal, Laravel, Django, Java, .NET, PHP, and more
- **Directory Brute Forcing**: Uses `gobuster` for efficient directory enumeration
- **CMS Version Detection**: Identifies vulnerable versions of popular CMS platforms
### ๐ฅ **Vulnerability Scanners**
- **SQL Injection**: Automated testing with `sqlmap` integration
- **Cross-Site Scripting (XSS)**: Reflected and stored XSS detection
- **File Upload Vulnerabilities**: Tests for unrestricted uploads and remote code execution
- **WordPress Exploitation**: Full `wpscan` integration with plugin/theme scanning
- **Joomla Exploitation**: Version detection, component vulnerabilities, and admin exposure
- **SMB Vulnerabilities**: EternalBlue, anonymous access, and misconfigurations
- **RDP Security**: BlueKeep detection, NLA checking, and weak configurations
- **VNC Vulnerabilities**: Authentication bypass and weak password detection
- **Database Attacks**: MongoDB, Redis, and Elasticsearch unauthorized access
- **Web Attacks**: CSRF, command injection, XXE, SSRF, directory traversal, deserialization
- **Backup File Detection**: Finds exposed configuration and source code backups
### ๐ฏ **Attack Execution**
- **Intelligent Rule Matching**: Automatically matches recon findings to appropriate exploits
- **Prioritized Execution**: Runs attacks based on severity and success probability
- **Safe Exploitation**: Includes timeouts, error handling, and scope validation
- **Evidence Collection**: Captures all findings with detailed technical evidence
---
## ๐ Quick Start
### Option 1: Web UI (Easiest - Recommended)
**Modern web-based interface for the complete framework experience.**
```bash
# Install web dependencies
pip3 install flask
# Start the web interface
python web_ui_launcher.py
# Open your browser to: http://localhost:5000
```
**Features:**
- ๐ **Dashboard**: Statistics and engagement overview
- ๐ฏ **Engagement Management**: Create and manage assessments
- ๐ **Interactive Scanning**: Run recon and exploitation with live progress
- ๐ **Report Generation**: Generate comprehensive reports
- ๐ก๏ธ **Safety First**: Permission validation and approval workflows
### Option 2: Native Installation (Recommended for Kali Linux)
```bash
# Clone the repository
git clone https://github.com/yourname/the-exploit-foundry.git
cd the-exploit-foundry
# Install Python dependencies (minimal - most tools are system packages)
pip3 install -r requirements.txt
# Make orchestrator executable
chmod +x arsenal/orchestrator.py
# Verify installation
./arsenal/orchestrator.py --help
```
**System Requirements:** The framework uses these external tools (pre-installed on Kali Linux):
- Reconnaissance: `nmap`, `whatweb`, `gobuster`, `dirb`, `nikto`
- Exploitation: `sqlmap`, `wpscan`, `hydra`, `medusa`
- Utilities: `jq`, `tree`, `curl`, `wget`
Install on Ubuntu/Debian: `sudo apt install nmap whatweb gobuster dirb nikto sqlmap wpscan hydra medusa jq tree`
---
### Option 2: Docker (Recommended for Other Systems)
**Prerequisites:** Docker and Docker Compose installed
```bash
# Build the image (one-time setup)
docker build -t exploit-foundry:latest .
# Run a quick test
docker run --rm -it \
-v $(pwd)/engagements:/app/engagements \
--network host \
exploit-foundry:latest --help
# Start your first engagement
docker run --rm -it \
-v $(pwd)/engagements:/app/engagements \
--network host \
exploit-foundry:latest --new --target 192.168.1.100 --name "my-first-test"
```
**Using Docker Compose (Easiest):**
```bash
# Set API keys in environment (optional)
export SHODAN_API_KEY="your_key_here"
export VIRUSTOTAL_API_KEY="your_key_here"
# Run with docker-compose
docker-compose run --rm exploit-foundry --new --target 10.0.0.1 --name "docker-engagement"
```
๐ **See [docker-usage.md](docker-usage.md) for complete Docker documentation.**
---
### Start Your First Engagement
```bash
cd The-Exploit-Foundry
# Run against a target you OWN or have PERMISSION for
./arsenal/orchestrator.py --new --target 192.168.1.100 --name "internal-server"
# Or with a domain
./arsenal/orchestrator.py --new --target blog.example.com --name "wordpress-audit"
```
### 3. What Happens Automatically
| Phase | Action |
|-------|--------|
| **Setup** | Creates `engagements/YYYY-MM-DD_name/` from template |
| **Recon** | Runs nmap, whatweb, gobuster, subfinder โ populates `recon/` |
| **Planning** | Matches findings against rules โ generates `attack-plan/` |
| **Execution** | Runs exploits in priority order โ populates `exploits/` |
| **Findings** | Successful exploits โ auto-categorized into `findings/[severity]/` |
| **Reporting** | Generates `report/technical-report.md` and `executive-summary.md` |
---
## ๐ Manual Engagement (If You Prefer)
Not everything can be automated. For manual testing:
```bash
# Copy template
cp -r engagements/template engagements/2025-04-08_manual-test/
# Edit config.json with your target
vim engagements/2025-04-08_manual-test/config.json
# Run recon manually
nmap -sV -oA engagements/2025-04-08_manual-test/recon/nmap $TARGET
# Document findings in the appropriate severity folder
vim engagements/2025-04-08_manual-test/findings/critical/01_sql-injection.md
# Generate report
./arsenal/reporting/generate_report.py --engagement engagements/2025-04-08_manual-test/
```
---
## ๐ฎ Example: Full Automated Run
```bash
$ ./arsenal/orchestrator.py --new --target blog.example.com --name "client-wp"
๐ The Exploit Foundry - Starting new engagement
๐ Created: engagements/2025-04-08_client-wp/
๐ Running reconnaissance...
โ nmap - 2 open ports (80, 443)
โ whatweb - WordPress 5.8, nginx 1.18, PHP 7.4
โ gobuster - Found 12 directories
โ subfinder - Found 3 subdomains
๐ Tech stack: WordPress 5.8 on nginx/PHP 7.4
๐ฏ Generating attack plan...
โ WordPress 5.8 โ CVE-2021-29447 (XML-RPC)
โ /backup.zip exposed โ potential credentials
โ wp-admin accessible โ brute force possible
โ๏ธ Executing attacks...
[1/3] /backup.zip...
โ Downloaded
โ Credentials found in wp-config.php
๐ CRITICAL finding saved
[2/3] XML-RPC exploitation...
โ User enumeration successful
๐ MEDIUM finding saved
[3/3] Brute force (optional, requires approval)...
โ Skipped (requires --aggressive flag)
๐ Generating report...
โ 1 CRITICAL, 0 HIGH, 1 MEDIUM, 0 LOW
โ Report: engagements/2025-04-08_client-wp/report/
โ
Complete!
```
---
## ๐ The Engagement Folder (Populated Example)
```
engagements/2025-04-08_client-wp/
โ
โโโ config.json
โ โโโ {"target_ip": "192.168.1.100", "target_domain": "blog.example.com"}
โ
โโโ recon/
โ โโโ ports.json # {80, 443, 22}
โ โโโ services.json # {80: "nginx", 443: "WordPress 5.8"}
โ โโโ directories.json # {"/wp-admin": 200, "/backup.zip": 200}
โ โโโ tech-stack.json # {"cms": "WordPress", "version": "5.8"}
โ
โโโ attack-plan/
โ โโโ possible-attacks.json # 3 attacks identified
โ โโโ priority.md # Ordered by severity/confidence
โ
โโโ exploits/
โ โโโ completed/
โ โ โโโ backup-creds.txt # Successful exploit output
โ โโโ failed/
โ โโโ sqli-attempt.log # Tried, didn't work
โ
โโโ findings/
โ โโโ critical/
โ โ โโโ 01_backup-credentials.md
โ โโโ medium/
โ โโโ 02_user-enumeration.md
โ
โโโ logs/
โ โโโ scan.log
โ โโโ attack.log
โ โโโ timeline.json
โ
โโโ report/
โโโ executive-summary.md # For non-technical stakeholders
โโโ technical-report.md # Full details with evidence
โโโ findings.csv # Spreadsheet of all findings
```
---
## ๐ ๏ธ Adding Your Own Rules & Exploits
### Adding a Detection Rule
Create `arsenal/exploitation/rules/my-rule.json`:
```json
{
"name": "Custom MySQL Detection",
"condition": {
"ports": [3306],
"service": "mysql"
},
"attack": "try-mysql-default-creds",
"severity": "high",
"confidence": 0.8
}
```
### Adding a Custom Exploit Executor
Create `arsenal/exploitation/executors/my-exploit.py`:
```python
#!/usr/bin/env python3
# Must accept --target and --output arguments
import argparse
def exploit(target, output_path):
# Your exploit logic here
result = run_attack(target)
with open(output_path, 'w') as f:
f.write(result)
return {"success": True, "finding": "Critical SQL injection"}
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("--target", required=True)
parser.add_argument("--output", required=True)
args = parser.parse_args()
exploit(args.target, args.output)
```
---
## ๐ง Requirements
| Tool | Purpose | Installation |
|------|---------|--------------|
| Python 3.8+ | Orchestrator | `apt install python3` |
| nmap | Port scanning | `apt install nmap` |
| whatweb | Web tech detection | `gem install whatweb` |
| gobuster | Directory brute force | `apt install gobuster` |
| subfinder | Subdomain discovery | `go install` |
| wpscan | WordPress scanning | `gem install wpscan` |
| nuclei | CVE scanning | `go install` |
Optional but recommended:
- Metasploit
- Burp Suite (manual testing)
- SQLmap
- Hydra / John / Hashcat
---
## ๐ Environment Variables
Create `.env` in the root directory:
```bash
# Required for reporting (optional)
REPORT_NAME="Your Name"
REPORT_COMPANY="Your Company"
# API keys (for threat intel)
SECURITYTRAILS_API_KEY="your-key"
VIRUSTOTAL_API_KEY="your-key"
SHODAN_API_KEY="your-key"
# Aggressive mode (auto-executes all attacks)
AGGRESSIVE_MODE=false
```
---
## ๐ง Philosophy
| Principle | Explanation |
|-----------|-------------|
| **Permission First** | No target is tested without written authorization |
| **Automate the Boring** | Scanning, enumeration, and reporting are automated |
| **You Decide the Attack** | Framework suggests, you approve (or auto with flag) |
| **Evidence Always** | Every finding has proof (screenshot, output, log) |
| **Severity Matters** | Findings auto-categorized by CVSS |
| **Report Ready** | Final report is generated, not hand-written from scratch |
---
## ๐ Commands Reference
```bash
# New automated engagement
./arsenal/orchestrator.py --new --target IP_OR_DOMAIN --name NAME
# New engagement with aggressive auto-attack
./arsenal/orchestrator.py --new --target IP_OR_DOMAIN --name NAME --aggressive
# Resume existing engagement
./arsenal/orchestrator.py --resume engagements/2025-04-08_name/
# Run only recon (no attacks)
./arsenal/orchestrator.py --recon-only --target IP_OR_DOMAIN --name NAME
# Generate report only
./arsenal/reporting/generate_report.py --engagement engagements/2025-04-08_name/
# List all engagements
./arsenal/orchestrator.py --list
# Validate permission email exists
./arsenal/orchestrator.py --check-permission engagements/2025-04-08_name/
# Run exploits on existing engagement
./arsenal/orchestrator.py --exploit engagements/2025-04-08_name/ --auto-approve
```
---
## ๐ซ What This Is NOT
| Not | Because |
|-----|---------|
| **A replacement for manual testing** | Automation misses business logic flaws |
| **A zero-click weapon** | You need permission and a target |
| **Undetectable** | Scans are noisy โ don't use without permission |
| **A vulnerability scanner** | It's an exploitation framework, not just a scanner |
| **Ready out of the box** | You need to install tools and configure rules |
---
## ๐ค Contributing
Add rules, executors, or scan modules:
1. Fork the repo
2. Add your rule in `arsenal/exploitation/rules/`
3. Add your executor in `arsenal/exploitation/executors/`
4. Submit a PR with example output
---
## ๐ License
**Educational and authorized testing use only.**
Unauthorized use against systems you do not own or have explicit permission to test is **illegal**. The authors assume no liability for misuse.
---
## โญ Final Word
**The Exploit Foundry** is a framework that grows with you.
- Start with manual testing โ learn the phases
- Add your own rules โ customize detection
- Write custom executors โ automate your favorite attacks
- Build your arsenal โ become faster, more thorough, more professional
> *"Give me a target I have permission to test. I'll break it, document it, and report it."*
---
**Happy (authorized) hacking.** ๐ฅ