🔥 The Exploit Foundry

Development Setup

python3 -m pip install -e .
python3 -m pip install pytest pytest-cov
pytest
pytest --cov=arsenal --cov-report=html

An Automated, Intelligent Purple-Team Hacking Framework

"Give me a target I have permission to test. I'll break it, document it, and report it."

---

🎯 What Is This?

The Exploit Foundry is not just a folder structure. It's an automated framework that:

1. Takes a target (IP or domain) you have permission to test
2. Runs intelligent reconnaissance to discover attack surfaces
3. Matches findings against known attack patterns
4. Executes prioritized exploits automatically or with approval
5. Documents every finding with severity ratings
6. Generates professional reports (technical + executive)

You bring the permission. The Foundry brings the power.

---

⚖️ Legal & Ethics

┌─────────────────────────────────────────────────────────────────┐
│  ⚠️  YOU MUST HAVE WRITTEN PERMISSION TO TEST ANY TARGET        │
│                                                                  │
│  • Your own systems? ✅ Yes                                      │
│  • Systems you have written authorization for? ✅ Yes           │
│  • Bug bounty programs within scope? ✅ Yes                     │
│  • Random systems on the internet? ❌ NO (illegal)              │
│  • Employer systems without permission? ❌ NO (fireable)        │
└─────────────────────────────────────────────────────────────────┘

Every engagement folder contains 01_permission.email.eml — proof of authorization. No permission = no test.

---

📁 Structure

The-Exploit-Foundry/
│
├── arsenal/                    # The engine
│   ├── recon/                  # Scanner scripts
│   ├── exploitation/           
│   │   ├── rules/              # Match recon → attacks (includes SSH brute force)
│   │   ├── executors/          # Run the attacks (SSH brute force, WordPress exploit, SQLi, XSS, file upload, Joomla, etc.)
│   │   └── orchestrator.py     # Main controller
│   ├── post-exploitation/      # After initial access
│   └── reporting/              # Report generator
│
├── engagements/                # YOUR tests live here
│   ├── template/               # Copy this for new targets
│   │   ├── config.json         # {{target_ip}}, {{target_domain}}
│   │   ├── recon/              # AUTO-POPULATED from scans
│   │   ├── attack-plan/        # GENERATED from recon
│   │   ├── exploits/           # AUTO-UPDATED during execution
│   │   ├── findings/           # AUTO-POPULATED by severity
│   │   ├── logs/               # Everything captured
│   │   └── report/             # GENERATED at end
│   │
│   └── 2025-04-08_target-name/ # YOUR actual engagement
│
├── wordlists/                  # Password lists, directories, etc.
├── payloads/                   # Reverse shells, bind shells
└── README.md                   # This file
---

## 🕷️ Web Exploitation Arsenal

The framework includes comprehensive web vulnerability detection and exploitation:

### 🔍 **Reconnaissance & Detection**
- **Technology Fingerprinting**: Detects WordPress, Joomla, Drupal, Laravel, Django, Java, .NET, PHP, and more
- **Directory Brute Forcing**: Uses `gobuster` for efficient directory enumeration
- **CMS Version Detection**: Identifies vulnerable versions of popular CMS platforms

### 💥 **Vulnerability Scanners**
- **SQL Injection**: Automated testing with `sqlmap` integration
- **Cross-Site Scripting (XSS)**: Reflected and stored XSS detection
- **File Upload Vulnerabilities**: Tests for unrestricted uploads and remote code execution
- **WordPress Exploitation**: Full `wpscan` integration with plugin/theme scanning
- **Joomla Exploitation**: Version detection, component vulnerabilities, and admin exposure
- **SMB Vulnerabilities**: EternalBlue, anonymous access, and misconfigurations
- **RDP Security**: BlueKeep detection, NLA checking, and weak configurations
- **VNC Vulnerabilities**: Authentication bypass and weak password detection
- **Database Attacks**: MongoDB, Redis, and Elasticsearch unauthorized access
- **Web Attacks**: CSRF, command injection, XXE, SSRF, directory traversal, deserialization
- **Backup File Detection**: Finds exposed configuration and source code backups

### 🎯 **Attack Execution**
- **Intelligent Rule Matching**: Automatically matches recon findings to appropriate exploits
- **Prioritized Execution**: Runs attacks based on severity and success probability
- **Safe Exploitation**: Includes timeouts, error handling, and scope validation
- **Evidence Collection**: Captures all findings with detailed technical evidence

---

## 🚀 Quick Start

### Option 1: Web UI (Easiest - Recommended)

**Modern web-based interface for the complete framework experience.**

```bash
# Install web dependencies
pip3 install flask

# Start the web interface
python web_ui_launcher.py

# Open your browser to: http://localhost:5000

Features:

• 📊 Dashboard: Statistics and engagement overview
• 🎯 Engagement Management: Create and manage assessments
• 🔍 Interactive Scanning: Run recon and exploitation with live progress
• 📋 Report Generation: Generate comprehensive reports
• 🛡️ Safety First: Permission validation and approval workflows

Option 2: Native Installation (Recommended for Kali Linux)

# Clone the repository
git clone https://github.com/yourname/the-exploit-foundry.git
cd the-exploit-foundry

# Install Python dependencies (minimal - most tools are system packages)
pip3 install -r requirements.txt

# Make orchestrator executable
chmod +x arsenal/orchestrator.py

# Verify installation
./arsenal/orchestrator.py --help

System Requirements: The framework uses these external tools (pre-installed on Kali Linux):

• Reconnaissance: nmap, whatweb, gobuster, dirb, nikto
• Exploitation: sqlmap, wpscan, hydra, medusa
• Utilities: jq, tree, curl, wget

Install on Ubuntu/Debian: sudo apt install nmap whatweb gobuster dirb nikto sqlmap wpscan hydra medusa jq tree

---

Option 2: Docker (Recommended for Other Systems)

Prerequisites: Docker and Docker Compose installed

# Build the image (one-time setup)
docker build -t exploit-foundry:latest .

# Run a quick test
docker run --rm -it \
  -v $(pwd)/engagements:/app/engagements \
  --network host \
  exploit-foundry:latest --help

# Start your first engagement
docker run --rm -it \
  -v $(pwd)/engagements:/app/engagements \
  --network host \
  exploit-foundry:latest --new --target 192.168.1.100 --name "my-first-test"

Using Docker Compose (Easiest):

# Set API keys in environment (optional)
export SHODAN_API_KEY="your_key_here"
export VIRUSTOTAL_API_KEY="your_key_here"

# Run with docker-compose
docker-compose run --rm exploit-foundry --new --target 10.0.0.1 --name "docker-engagement"

📖 See docker-usage.md for complete Docker documentation.

---

Start Your First Engagement

cd The-Exploit-Foundry

# Run against a target you OWN or have PERMISSION for
./arsenal/orchestrator.py --new --target 192.168.1.100 --name "internal-server"

# Or with a domain
./arsenal/orchestrator.py --new --target blog.example.com --name "wordpress-audit"

3. What Happens Automatically

Phase	Action
Setup	Creates engagements/YYYY-MM-DD_name/ from template
Recon	Runs nmap, whatweb, gobuster, subfinder → populates recon/
Planning	Matches findings against rules → generates attack-plan/
Execution	Runs exploits in priority order → populates exploits/
Findings	Successful exploits → auto-categorized into findings/[severity]/
Reporting	Generates report/technical-report.md and executive-summary.md

---

📝 Manual Engagement (If You Prefer)

Not everything can be automated. For manual testing:

# Copy template
cp -r engagements/template engagements/2025-04-08_manual-test/

# Edit config.json with your target
vim engagements/2025-04-08_manual-test/config.json

# Run recon manually
nmap -sV -oA engagements/2025-04-08_manual-test/recon/nmap $TARGET

# Document findings in the appropriate severity folder
vim engagements/2025-04-08_manual-test/findings/critical/01_sql-injection.md

# Generate report
./arsenal/reporting/generate_report.py --engagement engagements/2025-04-08_manual-test/

---

🎮 Example: Full Automated Run

$ ./arsenal/orchestrator.py --new --target blog.example.com --name "client-wp"

🚀 The Exploit Foundry - Starting new engagement

📁 Created: engagements/2025-04-08_client-wp/

🔍 Running reconnaissance...
 ✓ nmap - 2 open ports (80, 443)
 ✓ whatweb - WordPress 5.8, nginx 1.18, PHP 7.4
 ✓ gobuster - Found 12 directories
 ✓ subfinder - Found 3 subdomains

📊 Tech stack: WordPress 5.8 on nginx/PHP 7.4

🎯 Generating attack plan...
 ✓ WordPress 5.8 → CVE-2021-29447 (XML-RPC)
 ✓ /backup.zip exposed → potential credentials
 ✓ wp-admin accessible → brute force possible

⚔️ Executing attacks...

 [1/3] /backup.zip...
    ✓ Downloaded
    ✓ Credentials found in wp-config.php
    📍 CRITICAL finding saved

 [2/3] XML-RPC exploitation...
    ✓ User enumeration successful
    📍 MEDIUM finding saved

 [3/3] Brute force (optional, requires approval)...
    ⊘ Skipped (requires --aggressive flag)

📝 Generating report...
 ✓ 1 CRITICAL, 0 HIGH, 1 MEDIUM, 0 LOW
 ✓ Report: engagements/2025-04-08_client-wp/report/

✅ Complete!

---

📊 The Engagement Folder (Populated Example)

engagements/2025-04-08_client-wp/
│
├── config.json
│   └── {"target_ip": "192.168.1.100", "target_domain": "blog.example.com"}
│
├── recon/
│   ├── ports.json          # {80, 443, 22}
│   ├── services.json       # {80: "nginx", 443: "WordPress 5.8"}
│   ├── directories.json    # {"/wp-admin": 200, "/backup.zip": 200}
│   └── tech-stack.json     # {"cms": "WordPress", "version": "5.8"}
│
├── attack-plan/
│   ├── possible-attacks.json   # 3 attacks identified
│   └── priority.md             # Ordered by severity/confidence
│
├── exploits/
│   ├── completed/
│   │   └── backup-creds.txt    # Successful exploit output
│   └── failed/
│       └── sqli-attempt.log    # Tried, didn't work
│
├── findings/
│   ├── critical/
│   │   └── 01_backup-credentials.md
│   └── medium/
│       └── 02_user-enumeration.md
│
├── logs/
│   ├── scan.log
│   ├── attack.log
│   └── timeline.json
│
└── report/
    ├── executive-summary.md    # For non-technical stakeholders
    ├── technical-report.md     # Full details with evidence
    └── findings.csv            # Spreadsheet of all findings

---

🛠️ Adding Your Own Rules & Exploits

Adding a Detection Rule

Create arsenal/exploitation/rules/my-rule.json:

{
  "name": "Custom MySQL Detection",
  "condition": {
    "ports": [3306],
    "service": "mysql"
  },
  "attack": "try-mysql-default-creds",
  "severity": "high",
  "confidence": 0.8
}

Adding a Custom Exploit Executor

Create arsenal/exploitation/executors/my-exploit.py:

#!/usr/bin/env python3
# Must accept --target and --output arguments

import argparse

def exploit(target, output_path):
    # Your exploit logic here
    result = run_attack(target)
    with open(output_path, 'w') as f:
        f.write(result)
    return {"success": True, "finding": "Critical SQL injection"}

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("--target", required=True)
    parser.add_argument("--output", required=True)
    args = parser.parse_args()
    exploit(args.target, args.output)

---

🔧 Requirements

Tool	Purpose	Installation
Python 3.8+	Orchestrator	apt install python3
nmap	Port scanning	apt install nmap
whatweb	Web tech detection	gem install whatweb
gobuster	Directory brute force	apt install gobuster
subfinder	Subdomain discovery	go install
wpscan	WordPress scanning	gem install wpscan
nuclei	CVE scanning	go install

Optional but recommended:

• Metasploit
• Burp Suite (manual testing)
• SQLmap
• Hydra / John / Hashcat

---

📋 Environment Variables

Create .env in the root directory:

# Required for reporting (optional)
REPORT_NAME="Your Name"
REPORT_COMPANY="Your Company"

# API keys (for threat intel)
SECURITYTRAILS_API_KEY="your-key"
VIRUSTOTAL_API_KEY="your-key"
SHODAN_API_KEY="your-key"

# Aggressive mode (auto-executes all attacks)
AGGRESSIVE_MODE=false

---

🧠 Philosophy

Principle	Explanation
Permission First	No target is tested without written authorization
Automate the Boring	Scanning, enumeration, and reporting are automated
You Decide the Attack	Framework suggests, you approve (or auto with flag)
Evidence Always	Every finding has proof (screenshot, output, log)
Severity Matters	Findings auto-categorized by CVSS
Report Ready	Final report is generated, not hand-written from scratch

---

📋 Commands Reference

# New automated engagement
./arsenal/orchestrator.py --new --target IP_OR_DOMAIN --name NAME

# New engagement with aggressive auto-attack
./arsenal/orchestrator.py --new --target IP_OR_DOMAIN --name NAME --aggressive

# Resume existing engagement
./arsenal/orchestrator.py --resume engagements/2025-04-08_name/

# Run only recon (no attacks)
./arsenal/orchestrator.py --recon-only --target IP_OR_DOMAIN --name NAME

# Generate report only
./arsenal/reporting/generate_report.py --engagement engagements/2025-04-08_name/

# List all engagements
./arsenal/orchestrator.py --list

# Validate permission email exists
./arsenal/orchestrator.py --check-permission engagements/2025-04-08_name/

# Run exploits on existing engagement
./arsenal/orchestrator.py --exploit engagements/2025-04-08_name/ --auto-approve

---

🚫 What This Is NOT

Not	Because
A replacement for manual testing	Automation misses business logic flaws
A zero-click weapon	You need permission and a target
Undetectable	Scans are noisy — don't use without permission
A vulnerability scanner	It's an exploitation framework, not just a scanner
Ready out of the box	You need to install tools and configure rules

---

🤝 Contributing

Add rules, executors, or scan modules:

1. Fork the repo
2. Add your rule in arsenal/exploitation/rules/
3. Add your executor in arsenal/exploitation/executors/
4. Submit a PR with example output

---

📄 License

Educational and authorized testing use only.

Unauthorized use against systems you do not own or have explicit permission to test is illegal. The authors assume no liability for misuse.

---

⭐ Final Word

The Exploit Foundry is a framework that grows with you.

• Start with manual testing → learn the phases
• Add your own rules → customize detection
• Write custom executors → automate your favorite attacks
• Build your arsenal → become faster, more thorough, more professional

"Give me a target I have permission to test. I'll break it, document it, and report it."

---

Happy (authorized) hacking. 🔥