Share
## https://sploitus.com/exploit?id=B553B224-054C-50F3-8D32-6612D5FC2024
# ๐ด AI-Driven Red Team Simulation Framework
A production-ready offensive security simulation platform that autonomously models a complete attack lifecycle โ from reconnaissance through exploitation, privilege escalation, and persistence โ using real tools and MITRE ATT&CK mappings.
---
## Architecture
```
redteam/
โโโ core/ # Engine & orchestration
โ โโโ engine.py # Main orchestration engine
โ โโโ attack_lifecycle.py # Phase state machine & data structures
โ โโโ event_bus.py # Async pub/sub event system
โ โโโ plugin_loader.py # Dynamic module discovery
โโโ recon/ # Reconnaissance modules
โ โโโ subdomain_enum.py # DNS brute-force + crt.sh CT logs
โ โโโ port_scanner.py # Nmap wrapper with async scanning
โ โโโ vuln_scanner.py # NVD API + searchsploit integration
โ โโโ web_recon.py # Directory brute-force + tech detection
โ โโโ os_fingerprint.py # Nmap OS detect + banner grabbing
โโโ exploit/ # Exploitation modules
โ โโโ exploit_selector.py # AI-driven exploit scoring engine
โ โโโ brute_force.py # Hydra wrapper + Python SSH/FTP fallback
โ โโโ web_exploits.py # SQLi/XSS/CMDi/LFI + SQLMap
โ โโโ cve_exploits.py # EternalBlue, Log4Shell, Shellshock
โโโ post_exploit/ # Post-exploitation modules
โ โโโ priv_escalation.py # Linux SUID/sudo + Windows UAC/token
โ โโโ lateral_movement.py # Subnet scan + credential reuse
โ โโโ persistence.py # Cron/SSH/registry/services
โ โโโ credential_harvest.py# Shadow/LSASS/SAM/browser/cloud
โโโ mitre/ # MITRE ATT&CK integration
โ โโโ attack_map.py # ~50 technique database
โ โโโ navigator.py # ATT&CK Navigator layer export
โโโ reporting/ # Report generation
โ โโโ attack_graph.py # NetworkX graph โ JSON/DOT/PNG
โ โโโ report_generator.py # Dark-themed HTML report (Jinja2)
โโโ dashboard/ # Real-time monitoring
โ โโโ server.py # Flask + SocketIO web dashboard
โโโ cli.py # CLI entry point
โโโ config.py # YAML configuration loader
```
## Features
### Reconnaissance
- **Subdomain Enumeration** โ DNS brute-force with built-in wordlist + Certificate Transparency log queries via crt.sh
- **Port Scanning** โ Full Nmap integration with service version detection, or pure-Python socket fallback
- **Vulnerability Scanning** โ NVD CVE database queries + local searchsploit integration
- **Web Reconnaissance** โ Directory brute-forcing, technology fingerprinting (Wappalyzer-style), robots.txt parsing
- **OS Fingerprinting** โ Nmap OS detection + TCP/IP stack analysis + banner grabbing
### Exploitation
- **Intelligent Exploit Selection** โ Scores and prioritizes exploits based on CVSS, service versions, and known high-value CVE patterns
- **Credential Brute Force** โ Hydra wrapper with Python fallbacks for SSH (paramiko) and FTP (ftplib)
- **Web Application Attacks** โ SQL injection, XSS, command injection, LFI/RFI testing with SQLMap integration
- **CVE Exploits** โ Real vulnerability checks for EternalBlue (MS17-010), Log4Shell, Shellshock, and more
### Post-Exploitation
- **Privilege Escalation** โ Linux (SUID binaries, sudo misconfigs, kernel exploits like DirtyCow/DirtyPipe) and Windows (UAC bypass, token impersonation, DLL hijacking)
- **Lateral Movement** โ Internal subnet discovery, SSH/SMB credential reuse, pass-the-hash analysis
- **Persistence** โ Identifies mechanisms: cron jobs, SSH keys, systemd services, registry run keys, scheduled tasks, WMI subscriptions
- **Credential Harvesting** โ Maps credential stores: /etc/shadow, LSASS, SAM, Kerberos tickets, browser passwords, cloud credentials
### Reporting & Visualization
- **Attack Path Graph** โ NetworkX-powered directed graph exported as JSON (D3.js), DOT (Graphviz), and PNG
- **HTML Security Report** โ Professional dark-themed report with executive summary, risk matrix, vulnerability table, attack timeline, MITRE ATT&CK coverage grid, and remediation recommendations
- **Real-Time Dashboard** โ Flask + SocketIO web dashboard with live event feed, phase progression bar, target status tracking
### MITRE ATT&CK
- ~50 techniques mapped across all attack phases
- ATT&CK Navigator layer export for visualization
- Every attack step tagged with technique IDs
---
## Installation
```bash
# Clone the repository
git clone https://github.com/apocalypse9949/Redteam-Automation.git
cd Redteam-Automation
# Install in development mode
pip install -e .
# Optional: Install external tools for full functionality
# - nmap (port scanning, OS detection)
# - hydra (credential brute-force)
# - sqlmap (SQL injection)
# - gobuster (directory brute-force)
# - searchsploit (local exploit database)
```
## Usage
```bash
# Basic scan against a single target
redteam scan 192.168.1.1
# Full scan with real-time dashboard
redteam scan 10.0.0.0/24 --full --dashboard --verbose
# Scan specific phases only
redteam scan target.com --phases recon,exploit --output ./results
# Custom engagement name and log file
redteam scan 192.168.1.1 --engagement-name "Q1 Assessment" --log-file scan.log
# Generate report from previous engagement data
redteam report ./output/engagement_data.json
```
### CLI Options
| Flag | Description |
|------|-------------|
| `--config, -c` | Path to YAML config file (default: `config.yaml`) |
| `--output, -o` | Output directory for reports (default: `./output`) |
| `--phases` | Comma-separated phases to run (default: all) |
| `--full` | Run all phases including post-exploitation |
| `--dashboard` | Start real-time web dashboard |
| `--dashboard-port` | Dashboard port (default: 5000) |
| `--verbose, -v` | Enable debug logging |
| `--log-file` | Log to file in addition to console |
| `--engagement-name` | Custom name for the engagement |
---
## Configuration
Edit `config.yaml` to customize behavior:
```yaml
general:
engagement_name: "RedTeam Assessment"
output_dir: "./output"
recon:
dns_wordlist: null # Path to DNS wordlist (uses built-in)
port_range: "1-1024" # Nmap port range
scan_speed: 4 # Nmap timing (1-5)
use_crtsh: true # Query Certificate Transparency logs
exploit:
min_cvss: 5.0 # Minimum CVSS score for exploitation
brute_timeout: 10 # Per-attempt timeout in seconds
max_brute_attempts: 100 # Max credential attempts per service
dashboard:
enabled: false
port: 5000
```
---
## Attack Lifecycle
The framework follows a structured phase-based attack lifecycle:
```
INIT โ RECON โ SCANNING โ ENUMERATION โ EXPLOITATION
โ PRIVILEGE ESCALATION โ LATERAL MOVEMENT โ PERSISTENCE
โ CREDENTIAL ACCESS โ REPORTING โ COMPLETE
```
Each phase is orchestrated by the core engine with full event tracking and MITRE ATT&CK technique mapping.
---
## Output
After an engagement, the `output/` directory contains:
| File | Description |
|------|-------------|
| `security_assessment_report.html` | Full HTML report with dark theme |
| `report_data.json` | Raw engagement data in JSON |
| `attack_graph.json` | D3.js-compatible graph data |
| `attack_graph.dot` | Graphviz DOT format |
| `attack_graph.png` | Visual attack path diagram |
| `engagement_data.json` | Complete engagement state |
| `mitre_navigator_layer.json` | ATT&CK Navigator layer |
---
## Dependencies
| Package | Purpose |
|---------|---------|
| `python-nmap` | Nmap integration |
| `requests` | HTTP requests for web recon/exploitation |
| `beautifulsoup4` | HTML parsing for web exploitation |
| `flask` + `flask-socketio` | Real-time dashboard |
| `networkx` | Attack path graph generation |
| `jinja2` | HTML report templating |
| `matplotlib` | Graph PNG export |
| `pyyaml` | Configuration loading |
| `rich` | Terminal output formatting |
---
## โ ๏ธ Legal Disclaimer
This tool is designed for **authorized security testing and research only**. Always obtain proper written authorization before scanning or testing any systems. Unauthorized use of this tool against systems you do not own or have permission to test is illegal and unethical.
---
## License
MIT License