Share
## https://sploitus.com/exploit?id=B553B224-054C-50F3-8D32-6612D5FC2024
# ๐Ÿ”ด AI-Driven Red Team Simulation Framework

A production-ready offensive security simulation platform that autonomously models a complete attack lifecycle โ€” from reconnaissance through exploitation, privilege escalation, and persistence โ€” using real tools and MITRE ATT&CK mappings.

---

## Architecture

```
redteam/
โ”œโ”€โ”€ core/                    # Engine & orchestration
โ”‚   โ”œโ”€โ”€ engine.py            # Main orchestration engine
โ”‚   โ”œโ”€โ”€ attack_lifecycle.py  # Phase state machine & data structures
โ”‚   โ”œโ”€โ”€ event_bus.py         # Async pub/sub event system
โ”‚   โ””โ”€โ”€ plugin_loader.py     # Dynamic module discovery
โ”œโ”€โ”€ recon/                   # Reconnaissance modules
โ”‚   โ”œโ”€โ”€ subdomain_enum.py    # DNS brute-force + crt.sh CT logs
โ”‚   โ”œโ”€โ”€ port_scanner.py      # Nmap wrapper with async scanning
โ”‚   โ”œโ”€โ”€ vuln_scanner.py      # NVD API + searchsploit integration
โ”‚   โ”œโ”€โ”€ web_recon.py         # Directory brute-force + tech detection
โ”‚   โ””โ”€โ”€ os_fingerprint.py    # Nmap OS detect + banner grabbing
โ”œโ”€โ”€ exploit/                 # Exploitation modules
โ”‚   โ”œโ”€โ”€ exploit_selector.py  # AI-driven exploit scoring engine
โ”‚   โ”œโ”€โ”€ brute_force.py       # Hydra wrapper + Python SSH/FTP fallback
โ”‚   โ”œโ”€โ”€ web_exploits.py      # SQLi/XSS/CMDi/LFI + SQLMap
โ”‚   โ””โ”€โ”€ cve_exploits.py      # EternalBlue, Log4Shell, Shellshock
โ”œโ”€โ”€ post_exploit/            # Post-exploitation modules
โ”‚   โ”œโ”€โ”€ priv_escalation.py   # Linux SUID/sudo + Windows UAC/token
โ”‚   โ”œโ”€โ”€ lateral_movement.py  # Subnet scan + credential reuse
โ”‚   โ”œโ”€โ”€ persistence.py       # Cron/SSH/registry/services
โ”‚   โ””โ”€โ”€ credential_harvest.py# Shadow/LSASS/SAM/browser/cloud
โ”œโ”€โ”€ mitre/                   # MITRE ATT&CK integration
โ”‚   โ”œโ”€โ”€ attack_map.py        # ~50 technique database
โ”‚   โ””โ”€โ”€ navigator.py         # ATT&CK Navigator layer export
โ”œโ”€โ”€ reporting/               # Report generation
โ”‚   โ”œโ”€โ”€ attack_graph.py      # NetworkX graph โ†’ JSON/DOT/PNG
โ”‚   โ””โ”€โ”€ report_generator.py  # Dark-themed HTML report (Jinja2)
โ”œโ”€โ”€ dashboard/               # Real-time monitoring
โ”‚   โ””โ”€โ”€ server.py            # Flask + SocketIO web dashboard
โ”œโ”€โ”€ cli.py                   # CLI entry point
โ””โ”€โ”€ config.py                # YAML configuration loader
```

## Features

### Reconnaissance
- **Subdomain Enumeration** โ€” DNS brute-force with built-in wordlist + Certificate Transparency log queries via crt.sh
- **Port Scanning** โ€” Full Nmap integration with service version detection, or pure-Python socket fallback
- **Vulnerability Scanning** โ€” NVD CVE database queries + local searchsploit integration
- **Web Reconnaissance** โ€” Directory brute-forcing, technology fingerprinting (Wappalyzer-style), robots.txt parsing
- **OS Fingerprinting** โ€” Nmap OS detection + TCP/IP stack analysis + banner grabbing

### Exploitation
- **Intelligent Exploit Selection** โ€” Scores and prioritizes exploits based on CVSS, service versions, and known high-value CVE patterns
- **Credential Brute Force** โ€” Hydra wrapper with Python fallbacks for SSH (paramiko) and FTP (ftplib)
- **Web Application Attacks** โ€” SQL injection, XSS, command injection, LFI/RFI testing with SQLMap integration
- **CVE Exploits** โ€” Real vulnerability checks for EternalBlue (MS17-010), Log4Shell, Shellshock, and more

### Post-Exploitation
- **Privilege Escalation** โ€” Linux (SUID binaries, sudo misconfigs, kernel exploits like DirtyCow/DirtyPipe) and Windows (UAC bypass, token impersonation, DLL hijacking)
- **Lateral Movement** โ€” Internal subnet discovery, SSH/SMB credential reuse, pass-the-hash analysis
- **Persistence** โ€” Identifies mechanisms: cron jobs, SSH keys, systemd services, registry run keys, scheduled tasks, WMI subscriptions
- **Credential Harvesting** โ€” Maps credential stores: /etc/shadow, LSASS, SAM, Kerberos tickets, browser passwords, cloud credentials

### Reporting & Visualization
- **Attack Path Graph** โ€” NetworkX-powered directed graph exported as JSON (D3.js), DOT (Graphviz), and PNG
- **HTML Security Report** โ€” Professional dark-themed report with executive summary, risk matrix, vulnerability table, attack timeline, MITRE ATT&CK coverage grid, and remediation recommendations
- **Real-Time Dashboard** โ€” Flask + SocketIO web dashboard with live event feed, phase progression bar, target status tracking

### MITRE ATT&CK
- ~50 techniques mapped across all attack phases
- ATT&CK Navigator layer export for visualization
- Every attack step tagged with technique IDs

---

## Installation

```bash
# Clone the repository
git clone https://github.com/apocalypse9949/Redteam-Automation.git
cd Redteam-Automation

# Install in development mode
pip install -e .

# Optional: Install external tools for full functionality
# - nmap (port scanning, OS detection)
# - hydra (credential brute-force)
# - sqlmap (SQL injection)
# - gobuster (directory brute-force)
# - searchsploit (local exploit database)
```

## Usage

```bash
# Basic scan against a single target
redteam scan 192.168.1.1

# Full scan with real-time dashboard
redteam scan 10.0.0.0/24 --full --dashboard --verbose

# Scan specific phases only
redteam scan target.com --phases recon,exploit --output ./results

# Custom engagement name and log file
redteam scan 192.168.1.1 --engagement-name "Q1 Assessment" --log-file scan.log

# Generate report from previous engagement data
redteam report ./output/engagement_data.json
```

### CLI Options

| Flag | Description |
|------|-------------|
| `--config, -c` | Path to YAML config file (default: `config.yaml`) |
| `--output, -o` | Output directory for reports (default: `./output`) |
| `--phases` | Comma-separated phases to run (default: all) |
| `--full` | Run all phases including post-exploitation |
| `--dashboard` | Start real-time web dashboard |
| `--dashboard-port` | Dashboard port (default: 5000) |
| `--verbose, -v` | Enable debug logging |
| `--log-file` | Log to file in addition to console |
| `--engagement-name` | Custom name for the engagement |

---

## Configuration

Edit `config.yaml` to customize behavior:

```yaml
general:
  engagement_name: "RedTeam Assessment"
  output_dir: "./output"

recon:
  dns_wordlist: null        # Path to DNS wordlist (uses built-in)
  port_range: "1-1024"      # Nmap port range
  scan_speed: 4             # Nmap timing (1-5)
  use_crtsh: true           # Query Certificate Transparency logs

exploit:
  min_cvss: 5.0             # Minimum CVSS score for exploitation
  brute_timeout: 10         # Per-attempt timeout in seconds
  max_brute_attempts: 100   # Max credential attempts per service

dashboard:
  enabled: false
  port: 5000
```

---

## Attack Lifecycle

The framework follows a structured phase-based attack lifecycle:

```
INIT โ†’ RECON โ†’ SCANNING โ†’ ENUMERATION โ†’ EXPLOITATION
  โ†’ PRIVILEGE ESCALATION โ†’ LATERAL MOVEMENT โ†’ PERSISTENCE
  โ†’ CREDENTIAL ACCESS โ†’ REPORTING โ†’ COMPLETE
```

Each phase is orchestrated by the core engine with full event tracking and MITRE ATT&CK technique mapping.

---

## Output

After an engagement, the `output/` directory contains:

| File | Description |
|------|-------------|
| `security_assessment_report.html` | Full HTML report with dark theme |
| `report_data.json` | Raw engagement data in JSON |
| `attack_graph.json` | D3.js-compatible graph data |
| `attack_graph.dot` | Graphviz DOT format |
| `attack_graph.png` | Visual attack path diagram |
| `engagement_data.json` | Complete engagement state |
| `mitre_navigator_layer.json` | ATT&CK Navigator layer |

---

## Dependencies

| Package | Purpose |
|---------|---------|
| `python-nmap` | Nmap integration |
| `requests` | HTTP requests for web recon/exploitation |
| `beautifulsoup4` | HTML parsing for web exploitation |
| `flask` + `flask-socketio` | Real-time dashboard |
| `networkx` | Attack path graph generation |
| `jinja2` | HTML report templating |
| `matplotlib` | Graph PNG export |
| `pyyaml` | Configuration loading |
| `rich` | Terminal output formatting |

---

## โš ๏ธ Legal Disclaimer

This tool is designed for **authorized security testing and research only**. Always obtain proper written authorization before scanning or testing any systems. Unauthorized use of this tool against systems you do not own or have permission to test is illegal and unethical.

---

## License

MIT License