Skip to content

NeuroSploit v3.5.5 — Cloud Testing & REPL polish

Latest

Choose a tag to compare

@JoasASantos JoasASantos released this 02 Jul 01:38

NeuroSploit v3.5.5 — Release Notes

Release Date: July 2026
Codename: Cloud Testing, REPL Navigation & Deeper Recon
License: MIT
Credits: Joas A Santos & Red Team Leaders


TL;DR

v3.5.5 adds cloud infrastructure testing (AWS / GCP / Azure) with first-class
credential connection, 27 new agents (17 cloud + 10 misconfig/CVE/PoC/rate-
limit → library 375), a much more capable and navigable REPL (idle
guardrail, multi-target, results browser), deeper recon (downloads & analyzes
JS, request/response differentials, smart nuclei), Burp/ZAP proxy support, a
PoC workspace, a strict data-safety/PII guardrail, and a fix for garbled
interactive line-editing.

Cloud testing

  • +17 cloud agents. AWS, GCP and Azure specialists in
    agents_md/infra/: IAM/RBAC privilege escalation, storage exposure
    (S3 / GCS / Blob), compute & network exposure + IMDS, secrets (Secrets Manager /
    Secret Manager / Key Vault), service-account & service-principal abuse, and
    Entra ID enumeration — plus a multi-cloud footprint/identity recon agent.
    Read-only-first, non-destructive.
  • Connect cloud credentials via creds.yaml (aws:, gcp:, azure:
    blocks). The harness exports the right env vars so aws / gcloud / az pick
    them up automatically, and tells the agents how to authenticate & what to
    enumerate:
    • AWSaccess_key_id/secret_access_key[/session_token]/region, or a profile.
    • GCP — a service-account JSON (service_account_json, path recommended) →
      GOOGLE_APPLICATION_CREDENTIALS + project.
    • Azure — a service principal (tenant_id/client_id/client_secret/
      subscription_id) → az login --service-principal.
    • Secrets are never written to disk beyond your creds.yaml; inline GCP JSON is
      materialized to a temp file only to satisfy the SDK/CLI.

REPL — navigation & control

  • Idle guardrail — /timeout <min>. If no NEW finding lands within the
    window, the run soft-stops and validates what was found (/timeout 1 = 1 min,
    10 = 10 min, 60 = 1 hour, 0 = off). Default 5 min.
  • Multiple targets — /target url1,url2,url3. A comma-separated list; /run
    tests them sequentially (a queue auto-advances to the next when the current
    finishes) — one report per URL.
  • /results navigation browser (interactive): pick a target/run → pick a
    vulnerability → see full detail; Esc steps back a level (vuln → target →
    back to the live session).
  • /report selection: with multiple runs, choose which report to open from a
    menu.
  • /chain <n> (attack-chain depth), /agents list (library category
    counts incl. infra/cloud); /show now shows chain-depth, idle-stop and
    enabled integrations.
  • Fix: the interactive prompt no longer embeds ANSI/newline, so line editing
    (typing, backspace, history, cursor, multiline) is no longer garbled in a real
    terminal (the readline prompt is plain; color is applied via the highlighter).

Deeper recon & analysis (agent prompts)

  • RECON_SYS now crawls pages/params/headers/cookies, downloads the linked
    JavaScript and analyzes it
    (API endpoints, hidden params, GraphQL, secrets /
    keys / tokens, sourceMappingURL → recover original source), fingerprints
    exact stack versions, and does response-differential analysis; richer JSON
    schema (js_findings, secrets, hosts, …).
  • tool_doctrine adds JS-analysis (linkfinder / gau / katana + grep for
    endpoints/secrets/source-maps) and request/response-analysis guidance (status,
    all headers, Set-Cookie flags, timing/length differentials, auth-vs-anon and
    valid-vs-invalid comparisons) — applied to both recon and exploitation.

Exploitation depth, safety & Burp

  • +10 exploitation agents. Absurd-misconfig hunters (exposed .git/.env/
    backups, debug/actuator endpoints, default creds, directory listing, exposed
    ops dashboards, permissive CORS, verbose errors), a CVE Hunter (fingerprint
    → correlate → safe PoC), a PoC Developer (writes runnable exploit scripts),
    and a Rate-Limit / Anti-Automation tester.
  • Data-safety / PII guardrail injected into every exploit/chain/host prompt:
    no modifying, deleting, exfiltrating data or changing state without explicit
    permission; on PII, prove with a single masked sample + a count — never
    dump. When unsure an action is safe, don't do it.
  • Smart nuclei in recon — fingerprint first, then run nuclei on targeted
    templates/tags/CVE ids with rate/timeouts (fast, never a blind full scan).
  • Burp/ZAP proxy/proxy <url> (or /burp, default :8080) in the REPL,
    or the NEUROSPLOIT_PROXY env var. Agents route curl through it (--proxy … -k)
    so you can inspect/replay traffic in Burp Suite while the test runs.
  • PoC workspace — each run gets a pocs/ directory ($NEUROSPLOIT_POCS);
    agents save custom, reproducible exploit scripts there and cite them as evidence.
  • Tool download (authorized) — agents may git clone a specific public PoC/
    exploit repo or download a scanner when needed (reputable/pinned, reviewed).
  • Rate-limit testing is a first-class control check (small non-disruptive
    burst → look for 429/lockout/Retry-After), never a DoS.

Multi-role auth & access-control testing

  • Named identities in creds.yaml for IDOR / BOLA / BFLA / privilege-escalation
    testing. Define two or more roles and the agent authenticates as each and tests
    cross-role access (control vs unauthorized request):
    admin:
      jwt: eyJ...              # or header:/cookie:/apikey:/login+username+password
    user:
      apikey: abc123          # → X-Api-Key: abc123
    victim:
      cookie: "session=..."
    Supported per role: jwt, header (raw), cookie, apikey, or a
    login/username/password self-login. With ≥2 roles the harness injects an
    access-control directive (capture one role's object IDs/functions, attempt them
    as another role, prove authorized-vs-denied) under the data-safety guardrail.

Attribution & identification (anti-plagiarism)

  • Identifying User-Agent on every request — default
    NeuroSploit/<ver> (authorized security assessment; +github…), plus an
    X-NeuroSploit-Scan header. Change it with /ua <string> (REPL) or the
    NEUROSPLOIT_UA env var; the run banner shows it.
  • Attribution stamped into every finding ("Identified and validated by
    NeuroSploit — multi-model adversarial validation …") so provenance travels with
    the finding across the report, findings.json and any copy — in the traffic,
    the finding text, and the report footer, so the work can't be silently re-badged.

Notes

  • Additive/back-compatible. Provider count is 14 (Azure OpenAI added in v3.5.2).
    See the README "Cloud credentials" section for a full creds.yaml example.