Share
## https://sploitus.com/exploit?id=EE88CE65-3768-553B-989B-92C6B9CA2E80
# DEM β€” Docker Exploit Mapper



Welcome to **DEM**, a fully containerized
cybersecurity evaluation system designed to support authorized analysts
in conducting structured host discovery, container analysis,
vulnerability enumeration, exploitation testing, and reporting
operations.

DEM operates as a **self-contained Docker Compose environment**,
bundling the backend, frontend, and Neo4j database into isolated
containers. 

---

## Table of Contents

- [Overview](#overview)
- [Interface Preview](#interface-preview)
- [Architecture Summary](#architecture-summary)
  - [Containerized Services](#containerized-services)
  - [Third-Party Tool Versions](#thirdparty-tool-versions)
- [Product Features](#product-features)
- [Deployment Using Docker Compose](#deployment-using-docker-compose)
  - [Prerequisites](#prerequisites)
  - [Deployment Steps](#deployment-steps)
  - [Managing the Environment](#managing-the-environment)
  - [Troubleshooting](#troubleshooting)
- [Database Schema](#database-schema)
- [Backend Architecture](#backend-architecture)
- [CAT 1 STIG Justification](#cat-1-stig-justification)
- [License](#license)
- [Support & Subsystem Responsibilities](#support--subsystem-responsibilities)

---

## Overview

DEM is an integrated vulnerability‑assessment and exploitation platform
that unifies host discovery, container enumeration, topology mapping,
vulnerability analysis, exploitation workflows, and reporting into a
single cohesive system.

The platform enables analysts to: 
- Detect hosts and running Docker
containers within a target host
- Retrieve metadata, open ports, services, and container configurations
- Analyze container relationships and generate interactive topology
visualizations
- Perform vulnerability enumeration using Trivy, Grype, Dockle, and
Gobuster
- Execute controlled exploitation with Metasploit and record supporting
artifacts
- Compile and export structured reports in PDF, CSV, or XML formats

DEM is designed for use within a controlled environment and assumes
users are authenticated prior to accessing the system. User
authorization is handled externally, while DEM focuses exclusively on
analysis, exploitation workflows, and reporting.

---

## Interface Preview


  
    
      
        
        Dashboard
      
      
        
        Discovery
      
      
        
        Assessment
      
    
    
      
        
        Exploitation
      
      
        
        Reporting
      
      
        
        Topology Map
      
    
  



## Architecture Summary

- **Frontend:** SvelteKit application (`5173`)
- **Backend:** FastAPI service (`8000`)
- **Database:** Neo4j Graph Database (`7474`, `7687`)
- **Security Tools:** Trivy, Grype, Gobuster, Nmap, Dockle, Metasploit
- **Managers:** Handle project lifecycle, scans, topology, dashboard functions, and secure DB operations.

### Containerized Services

DEM operates as four coordinated Docker containers, each with a dedicated role within the system architecture:

| Container | Purpose | Description |
|----------|----------|-------------|
| **Frontend** | User Interface | Hosts the SvelteKit application that delivers all pages for discovery, assessment, exploitation, reporting, and topology visualization. |
| **Backend** | API & Processing Layer | Runs the FastAPI backend, all managers, tool interfaces, routing logic, and system orchestration. |
| **Neo4j** | Primary Data Store | Stores projects, topology graphs, scan results, activities, notes, and all operational data. |
| **Neo4j Backup** | Automated Backup Sidecar | Continuously performs scheduled backups of Neo4j data volumes to prevent data loss during restarts, resets, or redeployments. |


### Third‑Party Tool Versions

| Tool | Version |
|------|---------|
| Docker Engine | 28.x |
| Dockle | 0.4.15 |
| Gobuster | 3.6.0 |
| Grype | 0.91.0 |
| Trivy | 0.61.1 |
| Nmap | 7.95 |
| Metasploit Framework | 6.4 |
| SSH/OpenSSH | 10.x |

```
DEM/
β”œβ”€β”€ backend/
β”‚   β”œβ”€β”€ app/
β”‚   β”‚   β”œβ”€β”€ core/
β”‚   β”‚   β”œβ”€β”€ managers/
β”‚   β”‚   β”œβ”€β”€ models/
β”‚   β”‚   β”œβ”€β”€ routes/
β”‚   β”‚   β”œβ”€β”€ tools/
β”‚   β”‚   β”œβ”€β”€ utils/
β”‚   β”‚   └── main.py
β”‚   └── tests/
β”‚   β”œβ”€β”€ Dockerfile
β”‚   └── pyproject.toml
β”‚
β”œβ”€β”€ frontend/
β”‚   β”œβ”€β”€ src/
β”‚   β”‚   β”œβ”€β”€ lib/
β”‚   β”‚   β”œβ”€β”€ routes/
β”‚   β”œβ”€β”€ static/
β”‚   β”œβ”€β”€ package.json
β”‚   └── Dockerfile
β”‚
β”œβ”€β”€ sample_data/
β”œβ”€β”€ scripts/
β”œβ”€β”€ docker-compose.yml
└── README.md
```

---


## Product Features 

- **Project Management** (create, open, archive, import/export)
- **Container Identification**
- **Topology Mapping**
- **Vulnerability Analysis** using Trivy, Grype, Dockle, Gobuster
- **Exploitation Workflow** using Metasploit
- **Dashboard Management** (activity logs, notes, container history)
- **Report Generation** (PDF, XML, CSV)

---

## Deployment Using Docker Compose

### Prerequisites

- Docker Desktop or Docker Engine  
- Ability to run Docker containers  
- SSH tunnel to target hosts must be prepared prior to discovery  
- Authorized DAC analyst access  

---

### Deployment Steps

1. **Clone the repository**
```bash
git clone https://github.com/sofimaynez/CS4311_DEM_Bravo_Fall2025.git
cd CS4311_DEM_Bravo_Fall2025
```

2. **Start the environment**
``` bash
docker compose up --build
```

(Optional) Run the environment in the background (detached mode):

``` bash
docker compose up -d --build
```

This launches:
- Neo4j
- Neo4j backup
- FastAPI backend  
- SvelteKit frontend  
- All security tool interfaces  

3. **Access services**

| Service | URL |
|---------|-----|
| Frontend | http://localhost:5173 |
| Backend API | http://localhost:8000 |
| Neo4j Browser | http://localhost:7474 |

4. **Health check**
```bash
curl http://localhost:8000/health
```

Expected:
```json
{"ok": true}
```

---

### Managing the Environment

| Action | Command |
|--------|---------|
| Stop all containers | `docker compose down` |
| Rebuild | `docker compose up --build` |
| View logs | `docker compose logs -f` |
| Restart backend | `docker compose restart backend` |
| Reset (remove volumes) | `docker compose down -v` |

---

### Troubleshooting

| Issue | Resolution |
|--------|------------|
| Port conflict | Free ports 7474, 7687, 8000, 5173 |
| Backend can't reach Neo4j | Wait 5–10 seconds; backend retries automatically |
| Containers start incorrectly | `docker compose down && docker compose up --build` |
| Neo4j password mismatch | Update the `NEO4J_AUTH` variable |

---

## Database Schema

```mermaid
flowchart TB
    classDef root fill:#e8f0ff,stroke:#2f5597,stroke-width:1.5px,color:#1a3557,font-size:14px,font-weight:bold;
    classDef mid fill:#f7f9fc,stroke:#8a9bb5,stroke-width:1.1px,color:#2f3a45,font-size:12px;
    classDef leaf fill:#fff9e6,stroke:#c9a34e,stroke-width:1px,color:#5c4a1d,font-size:11px;

    linkStyle default stroke:#777,stroke-width:0.8px,color:#444,fill:none;

    Project["Project"]:::root
    Host["Host"]:::mid
    Container["Container"]:::mid
    Scan["Scan"]:::mid
    Vulnerability["Vulnerability"]:::leaf
    Finding["Finding"]:::leaf
    Activity["Activity Log"]:::mid
    Note["Note"]:::mid

    Project -->|HAS_HOST| Host
    Host -->|HAS_CONTAINER| Container
    Container -->|HAS_SCAN| Scan
    Scan -->|FOUND| Vulnerability
    Scan -->|FOUND| Finding
    Project -->|HAS_ACTIVITY| Activity
    Project -->|HAS_NOTE| Note
```

---

## Backend Architecture

```mermaid
flowchart TD

classDef api   fill:#e7f0ff,stroke:#205295,stroke-width:1.5px,color:#102544,font-weight:bold;
classDef mgr   fill:#f4f7ff,stroke:#3b6fb6,stroke-width:1.3px,color:#102544;
classDef tool  fill:#edf4ff,stroke:#5b8fe0,stroke-width:1.3px,color:#102544;
classDef db    fill:#d8e6ff,stroke:#1b437d,stroke-width:1.8px,color:#0b2440,font-weight:bold;

subgraph API_Routes["API Layer β€” Routes"]
    direction TB
    DiscoveryAPI
    AssessmentAPI
    ExploitationAPI
    ReportsAPI
    TopologyAPI
end
class API_Routes,DiscoveryAPI,AssessmentAPI,ExploitationAPI,ReportsAPI,TopologyAPI api;

subgraph Managers["Managers / Service Layer"]
    direction TB
    ProjectManager
    ScanInfoManager
    DiscoveryManager
    ContainerInfoManager
    HostInfoManager
    DashboardManager
    TopologyManager
    ReportManager
    NotesManager
    ActivityManager
end
class Managers,ProjectManager,ScanInfoManager,DiscoveryManager,ContainerInfoManager,HostInfoManager,DashboardManager,TopologyManager,ReportManager,NotesManager,ActivityManager mgr;

subgraph Tools["Tool Interfaces"]
    direction TB
    NmapInterfacer
    TrivyInterfacer
    GrypeInterfacer
    DockleInterfacer
    GobusterInterfacer
    MetasploitInterfacer
    DockerInterfacer
end
class Tools,NmapInterfacer,TrivyInterfacer,GrypeInterfacer,DockleInterfacer,GobusterInterfacer,MetasploitInterfacer,DockerInterfacer tool;

subgraph DataLayer["Data & Security Layer"]
    direction TB
    DatabaseSecurityManager
    DatabaseManager
    Neo4j[(Neo4j Graph DB)]
end
class DataLayer,DatabaseSecurityManager,DatabaseManager,Neo4j db;

API_Routes --> Managers
Managers --> Tools
Managers --> DatabaseManager
DatabaseSecurityManager --> DatabaseManager
DatabaseManager --> Neo4j
```

---

## CAT 1 STIG Justification 

This section documents mitigation and justification for all Category I
STIG vulnerabilities relevant to the DEM application.


| VULNERABILITY ID | DESCRIPTION | MITIGATING REASON |
|------------------|-------------|--------------------|
| V – 222400 | Validity periods must be verified on all application messages using WS-Security or SAML assertions. | For this project, this would not apply. |
| V – 222404 | The application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion. | For this project, this would not apply. |
| V – 222612 | The application must not be vulnerable to overflow attacks. | DEM mitigates overflow attacks by implementing: Input Validation  Buffer Size Checks Secure Coding PracticesMemory Safety Languages Static Code Analysis Dynamic Analysis |
| V – 222578 | The application must destroy the session ID value and/or cookie on logoff or browser close. | There will be no sessions established on this project. |
| V – 222430 | The application must execute without excessive account permissions. | DEM will inherit permission inline with DAC Analysts. |
| V – 222432 | The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. | For this project, this would not apply. |
| V – 222577 | The application must not expose session IDs.  | For this project, this does not apply. |
| V – 222609 | The application must not be subject to input handling vulnerabilities.  | DEM address input handling vulnerabilities by implementing: Avoid trusting user input Use parameterized queries File upload security (valid file types and restrict size)Error HandlingInput Validation |
| V – 222608 | The application must not be vulnerable to XML-oriented attacks | For this project, this does not apply. |
| V – 222602 | The application must protect from Cross-Site Scripting (XSS) vulnerabilities | DEM mitigates Cross-Site Scripting (XSS) vulnerabilities by implementing: Output encoding Use frameworks with built-in protection (.g. React, Angular, Vue...) Escape Dynamic JavaScript values |
| V – 222601 | The application must not store sensitive information in hidden fields | DEM does not store sensitive information in hidden fields by implementing these practices: Avoid Storing Sensitive Data Secure Communication Channels Use local storage Data Masking |
| V – 222607 | The application must not be vulnerable to SQL Injection. | Neo4J is a NoSQL database and not susceptible to traditional SQL injection attacks.DEM prevents NoSQL injection by implementing: Use parameterized queries Sanitize input Error Handling Update dependencies |
| V – 222604 | The application must be protected from command injection. | DEM mitigates command injection vulnerabilities, especially in the context of using Neo4J, by implementing: Use parameterized queries Sanitize input Error Handling Update dependencies |
| V – 222403 | The application must use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion. | The analysts shall not be required to log in, so this does not apply. |
| V – 222585 | The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. | DEM fails to a secure state by implementing: Error handlingGraceful initializationShutdown processAbort handlingTesting Scenarios |
| V – 222550 | The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path to an accepted trust anchor. | DEM shall validate certificates as necessary to ensure system security and trustworthiness. |
| V – 222522 | The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | For this project, this would not apply. |
| V – 222554 | The application must not display passwords/PINs as clear text. | For this project, this would not apply. |
| V – 222596 | The application must protect the confidentiality and integrity of transmitted information. | DEM Will communicate with devices using an SSH Encrypted Channel. |
| V – 222399 | Messages protected with WS_Security must use time stamps with creation and expiration times. | N/ADEM will not use WS_Security tokens. |
| V – 222658 | All products must be supported by the vendor or the development team. | All products from DEM will be supported by the development team and vendor. |
| V – 222659 | The application must be decommissioned when maintenance or support is no longer available. | When decommissioned DEM will be available to terminate any files and storage |
| V – 222551 | The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | All PKI-Based Authentication shall give access to a corresponding private key. |
| V – 222620 | Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ. | DEM will have no use of the internet. |
| V – 222536 | The application must enforce a minimum 15-character password length. | For this project, this would not apply. |
| V – 222643 | The application must have the capability to mark sensitive/classified output when required. | DEM gives the option to mark sensitive data to specific users. |
| V – 222542 | The application must only store cryptographic representations of passwords. | For this project, this would not apply. |
| V – 222543 | The application must transmit only cryptographically-protected passwords. | For this project, this would not apply. |
| V – 222425 | The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | DEM gives the approved user specific data they are entrusted with. |
| V – 222642 | The application must not contain embedded authentication data. | For this project, this would not apply. |
| V – 222662 | Default passwords must be changed. | For this project, this would not apply. |
| V – 222555 | The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | DEM will follow all the guidelines of Federal Laws, Executive Orders, Policies, Regulations, Stands for the cryptographic module. |

---

## License

This project is for educational, evaluation, and controlled deployment
use unless otherwise licensed.

---

## Support & Subsystem Responsibilities

| **Subsystem** | **Responsibilities** | **Contact** |
|---------------|-----------------------|------------------------|
| **Subsystem 1** | - Dashboard View & Backend- Discovery Views & Backends- Docker PS & SSH Tunnel Compatibility- Nmap Component | **Team 7**Ivan Armenta |
| **Subsystem 2** | - Projects Component- Assessment Views & Backends- Grype Component | **Team 16**Joe Mota |
| **Subsystem 3** | - Topology Map Views & Backends- Database- Trivy Component | **Team 14**Javier Falliner |
| **Subsystem 4** | - Exploitation Views & Backends- Reporting Views & Backends- Dockle Component | **Team 15**Victor Gonzalez |