mblanke/GooseStrike
1
0
Fork 0
mirror of https://github.com/mblanke/GooseStrike.git synced 2026-03-01 14:00:21 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
97bb575cbd30a68de9c32e0187988ad39f9b1edf
GooseStrike/README.md

292 lines
16 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# GooseStrike
GooseStrike is an AI-assisted, Canadian-themed offensive security and CTF operations toolkit. It blends subnet discovery, CVE/exploit correlation, task orchestration, and agent-driven planning into one cohesive platform designed **only** for authorized lab environments.
## Features
- **Scanner** wraps `nmap`, preserves MAC/OUI data, captures timestamps/notes, and automatically ingests results with a scan UUID for replay-grade history.
- **Indexer** parses NVD + Exploit-DB + PacketStorm data into `db/exploits.db`, ensuring CVEs, severities, and exploit metadata always live in SQLite for offline ops.
- **FastAPI backend** tracks assets, services, CVEs, scan runs, MITRE ATT&CK suggestions, and alerts while exposing webhook hooks for n8n automations.
- **Task queue + runners** enqueue work for Metasploit, SQLMap, Hydra, OWASP ZAP, the password cracking helper, and now manage every job directly from the dashboard.
- **Password cracking automation** orchestrate Hashcat, John the Ripper, or rainbow-table (`rcrack`) jobs with consistent logging.
- **LLM agents** structured recon / CVE / exploit / privilege escalation / planning agents for high-level guidance.
- **Claude + HackGPT + Ollama fallback** the LLM router cycles through Claude, HackGPT, then your local Ollama node so targeting recommendations keep flowing even offline.
- **Local CVE API server** a standalone FastAPI microservice (`cve_api.py`) serves CVE + exploit matches for air-gapped use.
- **Web UI** Canadian-themed dashboard that now shows assets, scan history, MITRE recommendations, the task queue, and inline forms to submit tool runs or password-cracking jobs inspired by OWASP Nettacker & Exploitivator playbooks.
- **Roadmap + mock data** `/core_snapshot`, `/roadmap`, and `/mock/dashboard-data` feed both the live UI and a static mock dashboard so you can preview GooseStrike with fake sample data (served at `/mockup`).
- **Armitage-style frontend** `/armitage` renders a radial host/service/CVE graph with mock or live data for briefing-style screenshots.
- **Integration health checks** `/integrations/test/n8n` and `/integrations/test/ollama` verify automation + AI endpoints from the backend without leaving the UI.
## Delivery status
The table below summarizes what has landed versus what remains from the running request list.
| Area | Status | Notes |
| --- | --- | --- |
| Core scanner + history | ✅ Complete | CIDR scanning with MAC/OUI capture, scan UUIDs, and `/scans` history APIs are live.
| CVE / exploit indexer | ✅ Complete | `indexer.py` hydrates `db/exploits.db` from NVD, Exploit-DB, and PacketStorm mirrors.
| FastAPI backend + web UI | ✅ Complete | Canadian-themed dashboard, `/assets`, `/roadmap`, `/mock/dashboard-data`, `/mockup`, webhook, and task endpoints shipped.
| Task queue + tool runners | ✅ Complete | SQLite-backed queue plus Metasploit, SQLMap, Hydra, ZAP, and password-cracking runners.
| MITRE/ATT&CK suggestions | ✅ Complete | `mitre_mapping.py` drives `/attack_suggestions` and the UI cards.
| Password cracking helper | ✅ Complete | `password_cracker_runner.py` supports Hashcat, John, and rainbow tables with log capture.
| Mock dashboard data | ✅ Complete | `GET /mock/dashboard-data` and `/mockup` render the full interface with sample data for demos.
| Roadmap + core snapshot APIs | ✅ Complete | `/core_snapshot` + `/roadmap` expose the same copy used in the UI.
| docker-compose goosestrike full stack | ✅ Complete | `docker-compose.goosestrike-full.yml` now launches API, scanner, indexer, CVE API, HackGPT relay, and n8n together.
| HackGPT API container | ✅ Complete | `hackgpt_api.py` relays prompts to n8n webhooks and ships as its own container.
| Local CVE API server | ✅ Complete | `cve_api.py` exposes the offline CVE mirror over FastAPI/uvicorn.
| Claude + HackGPT fallback system | ✅ Complete | `app/agents/llm_router.py` automatically fails over between providers.
| n8n workflow `.json` import | ✅ Complete | `/n8n/workflows/import` persists exports and `/n8n/workflows` lists them.
| Target prioritizer AI agent | ✅ Complete | `app/agents/prioritizer_agent.py` powers the `/agents/prioritize` endpoint.
| SVG architecture diagram | ✅ Complete | `web/static/architecture.svg` is linked below.
| Armitage-style dashboard view | ✅ Complete | `/armitage` renders the radial host/service/CVE graph with live data.
| Mythic/Sliver C2 bridge | 🔸 Optional | C2 integration untouched pending scoping.
## GooseStrike Core snapshot
| Highlight | Details |
| --- | --- |
| 🔧 Stack | Nmap, Metasploit, SQLMap, Hydra, OWASP ZAP (all wired into runners) |
| 🧠 AI-ready | External LLM exploit assistant hooks for Claude / HackGPT / Ollama |
| 📚 Offline CVE mirroring | `update_cve.sh` keeps the SQLite CVE/exploit mirror fresh when air-gapped |
| 🗂 Branding kit | ASCII banner, official crest, and PDF-ready branding pack for your ops briefings |
| 📜 CVE helpers | Scan-to-CVE JSON matching scripts pulled from Nettacker / Exploitivator inspirations |
| 📦 Artifact drops | `goosestrike-cve-enabled.zip` & `hackgpt-ai-stack.zip` ship with READMEs + architecture notes |
### Coming next (roadmap you requested)
| Task | Status |
| --- | --- |
| 🐳 Build `docker-compose.goosestrike-full.yml` | ✅ Complete |
| 🧠 HackGPT API container (linked to n8n) | ✅ Complete |
| 🌐 Local CVE API server | ✅ Complete |
| 🧬 Claude + HackGPT fallback system | ✅ Complete |
| 🔄 n8n workflow `.json` import | ✅ Complete |
| 🎯 Target "prioritizer" AI agent | ✅ Complete |
| 🧭 SVG architecture diagram | ✅ Complete |
| 🖥 Dashboard frontend (Armitage-style) | ✅ Complete |
| 🔐 C2 bridging to Mythic/Sliver | Optional |
You can query the same table programmatically at `GET /roadmap` or fetch the bullet list at `GET /core_snapshot`.
## Architecture Overview
![GooseStrike architecture diagram](web/static/architecture.svg)
```
scanner.py -> /ingest/scan ---->
FastAPI (api.py) ---> db/goosestrike.db
| ├─ assets / services / service_cves
| ├─ scan_runs + scan_services (historical state)
| └─ attack_suggestions + alerts
indexer.py -> db/exploits.db --/ |
REST/JSON + Web UI (assets, scans, MITRE)
|
+-> task_queue.py -> runners (metasploit/sqlmap/hydra/zap) -> logs/
+-> app/agents/* (LLM guidance)
+-> n8n webhooks (/webhook/n8n/*)
```
## Quickstart
1. **Clone & install dependencies**
```bash
git clone <repo>
cd GooseStrike
pip install -r requirements.txt # create your own env if desired
```
2. **Run the API + UI**
```bash
uvicorn api:app --reload
```
Visit http://localhost:8000/ for the themed dashboard.
3. **Index CVEs & exploits (required for CVE severity + MITRE context)**
```bash
python indexer.py --nvd data/nvd --exploitdb data/exploitdb --packetstorm data/packetstorm.xml
```
4. **Scan a subnet**
```bash
python scanner.py 192.168.1.0/24 --fast --api http://localhost:8000 --notes "Lab validation"
```
Every run stores MAC/OUI data, timestamps, the CLI metadata, and the raw payload so `/scans` keeps a tamper-evident trail.
5. **Enqueue tool runs**
```bash
python task_queue.py enqueue sqlmap "http://example" '{"level": 2}'
```
Then invoke the appropriate runner (e.g., `python sqlmap_runner.py`) inside your own automation glue.
6. **Crack passwords (hashcat / John / rainbow tables)**
```bash
python task_queue.py enqueue password_cracker hashes '{"crack_tool": "hashcat", "hash_file": "hashes.txt", "wordlist": "/wordlists/rockyou.txt", "mode": 0}'
python password_cracker_runner.py
```
Adjust the JSON for `crack_tool` (`hashcat`, `john`, or `rainbow`) plus specific options like masks, rules, or rainbow-table paths. Prefer the dashboard forms if you want to queue these jobs without hand-writing JSON.
## Customizing the dashboard logo
Drop the exact artwork you want to display into `web/static/uploads/` (PNG/SVG/JPG/WebP). The UI auto-loads the first supported file it finds at startup, so the logo you uploaded appears at the top-right of the header instead of the default crest. If you need to host the logo elsewhere, set `GOOSESTRIKE_LOGO` to a reachable URL (or another `/static/...` path) before launching `uvicorn`.
## API Examples
- **Ingest a host**
```bash
curl -X POST http://localhost:8000/ingest/scan \
-H 'Content-Type: application/json' \
-d '{
"ip": "10.0.0.5",
"mac_address": "00:11:22:33:44:55",
"mac_vendor": "Acme Labs",
"scan": {"scan_id": "demo-001", "scanner": "GooseStrike", "mode": "fast"},
"services": [
{"port": 80, "proto": "tcp", "product": "nginx", "version": "1.23", "cves": ["CVE-2023-12345"]}
]
}'
```
- **List assets**
```bash
curl http://localhost:8000/assets
```
- **Get CVE + exploit context**
```bash
curl http://localhost:8000/cve/CVE-2023-12345
```
- **Review scan history + MITRE suggestions**
```bash
curl http://localhost:8000/scans
curl http://localhost:8000/attack_suggestions
```
- **Roadmap + mock data**
```bash
curl http://localhost:8000/core_snapshot
curl http://localhost:8000/roadmap
curl http://localhost:8000/mock/dashboard-data
```
Preview the populated UI without touching production data at http://localhost:8000/mockup .
- **Import + list n8n workflows**
```bash
curl -X POST http://localhost:8000/n8n/workflows/import \
-H 'Content-Type: application/json' \
-d '{"name": "drop-scan", "workflow": {"nodes": ["scan", "notify"]}}'
curl http://localhost:8000/n8n/workflows
```
- **Queue & review tasks**
```bash
curl -X POST http://localhost:8000/tasks \
-H 'Content-Type: application/json' \
-d '{
"tool": "password_cracker",
"target": "lab-hash",
"params": {"crack_tool": "hashcat", "hash_file": "hashes.txt", "wordlist": "rockyou.txt"}
}'
curl http://localhost:8000/tasks
```
Workers can update entries through `POST /tasks/{task_id}/status` once a run completes.
- **n8n webhook**
```bash
curl -X POST http://localhost:8000/webhook/n8n/new_cve \
-H 'Content-Type: application/json' \
-d '{"cve_id": "CVE-2023-12345", "critical": true}'
```
- **Armitage data + prioritizer agent**
```bash
curl http://localhost:8000/armitage/data
curl -X POST http://localhost:8000/agents/prioritize \
-H 'Content-Type: application/json' \
-d '{"assets": [{"ip": "10.0.0.21", "services": []}]}'
```
## Full-stack Docker Compose
Bring everything (API, scanner, indexer, HackGPT relay, CVE API, and n8n) up in one go:
```bash
docker compose -f docker-compose.goosestrike-full.yml build
docker compose -f docker-compose.goosestrike-full.yml up -d api hackgpt cve-api n8n
# open http://localhost:8000 for the UI and http://localhost:8500/prompt for the HackGPT relay
```
Use `docker compose ... run --rm scanner python scanner.py ...` or `... run --rm indexer python indexer.py` to execute jobs from dedicated containers.
## HackGPT relay + Claude / HackGPT / Ollama fallback
- `hackgpt_api.py` exposes `POST /prompt` (default on port 8500) and forwards every call to `N8N_WEBHOOK_URL` so your automation workflows can react instantly.
- Set any combination of `CLAUDE_API_URL`, `HACKGPT_API_URL`, and `OLLAMA_BASE_URL`/`OLLAMA_API_URL` (with optional `CLAUDE_API_KEY`, `HACKGPT_API_KEY`, and `OLLAMA_MODEL`). The router in `app/agents/llm_router.py` will try Claude first, then HackGPT, and finally fall back to the local Ollama instance.
- The new `/integrations/test/ollama` route helps you confirm GooseStrike can reach your Ollama node before relying on it for agent prompts.
## Local CVE API server
Run `uvicorn cve_api:app --host 0.0.0.0 --port 8600` (or use the compose file) to offer offline CVE lookups:
```bash
curl http://localhost:8600/cve/CVE-2023-12345
curl "http://localhost:8600/search?q=openssl"
```
The service reads the same `db/exploits.db` populated by `indexer.py`.
## Armitage-style dashboard + mock graph
- Browse `http://localhost:8000/armitage` for the live radial graph.
- `GET /armitage/data` returns the same JSON used by the view, while `GET /mock/armitage-data` exposes the sample payload for demos.
## Target prioritizer agent
Send any subset of `AssetOut` structures to `POST /agents/prioritize` to receive ranked notes backed by the LLM fallback path. Use it in tandem with the MITRE cards to plan next actions.
## Password cracking runner
`password_cracker_runner.py` centralizes cracking workflows:
- **Hashcat** supply `hash_file`, `wordlist` or `mask`, and optional `mode`, `attack_mode`, `rules`, `workload`, or arbitrary `extra_args`.
- **John the Ripper** provide `hash_file` plus switches like `wordlist`, `format`, `rules`, `incremental`, or `potfile`.
- **Rainbow tables** call `rcrack` by specifying `tables_path` along with either `hash_value` or `hash_file` and optional thread counts.
All runs land in `logs/` with timestamped records so you can prove what was attempted during an engagement.
## Kali Linux Docker stack
Need everything preloaded inside Kali? Use the included `Dockerfile.kali` and `docker-compose.kali.yml`:
```bash
docker compose -f docker-compose.kali.yml build
docker compose -f docker-compose.kali.yml up -d api
# run scanners or runners inside dedicated containers
docker compose -f docker-compose.kali.yml run --rm scanner python scanner.py 10.0.0.0/24 --fast --api http://api:8000
docker compose -f docker-compose.kali.yml run --rm worker python password_cracker_runner.py
```
The image layers the GooseStrike codebase on top of `kalilinux/kali-rolling`, installs `nmap`, `masscan`, `sqlmap`, `hydra`, `metasploit-framework`, `hashcat`, `john`, and `rainbowcrack`, and exposes persistent `db/`, `logs/`, and `data/` volumes so scan history and cracking outputs survive container restarts.
## Extending GooseStrike
- **Add a new runner** by following the `runner_utils.run_subprocess` pattern and placing a `<tool>_runner.py` file that interprets task dictionaries safely.
- **Add more agents** by subclassing `app.agents.base_agent.BaseAgent` and exposing a simple `run(context)` helper similar to the existing agents.
- **Enhance the UI** by editing `web/templates/index.html` + `web/static/styles.css` and creating dedicated JS components that consume `/assets`, `/scans`, and `/attack_suggestions`.
- **Integrate orchestration** tools (n8n, Celery, etc.) by interacting with `task_queue.py` and the FastAPI webhook endpoints.
## Safety & Legal Notice
GooseStrike is intended for **authorized security assessments, CTF competitions, and lab research only**. You are responsible for obtaining written permission before scanning, exploiting, or otherwise interacting with any system. The maintainers provide no warranty, and misuse may be illegal.
- **Test n8n & Ollama integrations**
```bash
curl -X POST http://localhost:8000/integrations/test/n8n \
-H 'Content-Type: application/json' \
-d '{"url": "http://n8n.local/webhook/goose", "payload": {"ping": "demo"}}'
curl -X POST http://localhost:8000/integrations/test/ollama \
-H 'Content-Type: application/json' \
-d '{"url": "http://localhost:11434", "model": "llama3", "prompt": "ping"}'
```
Both endpoints accept optional overrides and default to the `N8N_WEBHOOK_TEST_URL`, `OLLAMA_BASE_URL`, and `OLLAMA_MODEL` environment variables so you can store safe defaults in compose files.
Reference in New Issue View Git Blame Copy Permalink