Major architecture refactor for zombie v2:
Session layer: typed capability interfaces (ShellSession, SQLSession, KVSession, FileSession, DirectorySession) replacing raw connection hiding. Plugin.Open() returns Session instead of Login() returning error.
Action layer: composable post-auth pipeline. PostAction collects remote info (Loot) and runs proton template matching on remote data. Triggered via --proton --scan-template flags; default behavior (pure brute) unchanged.
Plugin rewrite: all 23 plugins converted to stateless factories returning typed Sessions. Shared sqlsess/kvsess internal packages eliminate duplication. Dispatch switch replaced by plugin registry.
Worker: Execute(task, plugins, pipeline) replaces Brute(task). Empty pipeline = pure auth verification (backward compatible).
27 e2e tests cover: CLI parsing, 3 attack modes, 6+ services, --proton pipeline, Runner API, Worker Execute.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
- Execute(): check for nil session before defer Close()
- OutputHandler: guard result.Err.Error() against nil Err
- Add 8 panic-specific tests covering: nil session, nil Param on all 23 plugins, nil ActionResult merge, nil Err formatting
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
…g logging
- Signal handling: SIGINT/SIGTERM triggers graceful shutdown with partial stats
- Pool release: defer Pool.Release() to prevent goroutine leak in SDK usage
- File cleanup: close output file after run completes
- Error classification: categorize errors into timeout/refused/auth/other
- Unified stats: Statistor.SummaryString() consolidates total/success/extracteds/loot/errors
- Debug logging: action/post.go logs partial failures at Debug level for diagnostics
- Worker logging: Execute/ExecuteUnauth log action errors at Debug level
- Remove dead code: delete unused telnet plugin
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Mirrors gogo/spray ResourceLoader pattern. SDK zombie engine sets it to no-op after init, preventing repeated resource loading. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Inner goroutines may still be sending on OutputCh when the main goroutine closes it after wg.Wait(). Protect both sides with a mutex and a closed flag. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
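The guarded close this commit describes (mutex plus closed flag on both the send and the close side), as an added example that is not the project's own code; OutputCh, Send, Close and Run are assumed names:

```go
package main

import "sync"

// OutputCh pairs a result channel with a mutex and a closed flag so a late
// Send cannot race Close. Names are assumptions, not zombie's own types.
type OutputCh struct {
	mu     sync.Mutex
	closed bool
	ch     chan string
}
// Send delivers r, or returns false instead of panicking once Close has run.
func (o *OutputCh) Send(r string) bool {
	o.mu.Lock()
	defer o.mu.Unlock()
	if o.closed {
		return false
	}
	o.ch <- r // lock is held here, so the channel must not fill up (see Run)
	return true
}

// Close closes the channel once and, via the lock, waits for in-flight Sends.
func (o *OutputCh) Close() {
	o.mu.Lock()
	defer o.mu.Unlock()
	if !o.closed {
		o.closed = true
		close(o.ch)
	}
}
// Run: workers send, main waits then closes, a straggler sends late. Returns
// the buffered count and whether the straggler was rejected instead of panicking.
func Run(workers int) (received int, stragglerRejected bool) {
	out := &OutputCh{ch: make(chan string, workers)} // sized so Send never blocks
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			out.Send("host: auth ok") // constructed worker result
		}()
	}
	wg.Wait()
	out.Close()
	stragglerRejected = !out.Send("late worker")
	for range out.ch { // drain what the workers produced
		received++
	}
	return received, stragglerRejected
}
```

Because Send holds the lock while it sends, the channel must be drained concurrently or buffered generously, or a full channel would stall Close behind a blocked sender.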
Introduce a new `service` protocol that extends neutron's template engine
into zombie's post-exploitation domain. Templates define operations
(shell/db/kv/file/ldap) against authenticated sessions, reusing neutron's
matcher/extractor/DSL engine for result analysis.
Key components:
- service/ package: Request, Op, Template implementing protocols.Request
- Op types aligned to session types: shell, db, kv, file:{list/read}, ldap
- KV unified command expression with GET/KEYS dispatch + RawCommander fallback
- Template-level variables, CLI overrides (-V key=value), payload iteration
- Chain mechanism for OS-adaptive template dispatch
- ServiceAction bridging into zombie's existing worker pipeline
- RedisSession.Command() for raw Redis command execution
- --service-template CLI flag for loading service templates
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
…§marker§ support
- Template.ExecuteWithOptions(session, host, vars, payloads) for full control
- Payload CLI override via -V and cliPayloads passthrough
- ServiceAction chain execution with dynamic value propagation
- §marker§ payload marker replacement in op fields
- parseCommandFields with quoted string and escape support
- formatCommandResult for array/interface{} Redis responses
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Replace hand-rolled DFS chain logic with neutron's generic ChainExecutor (DepthFirst + PassVariables). Removes loadServiceTemplateFileWithChains, findChainTemplateFile, and chainTargets field — chain resolution is now fully in-memory via the shared executor. Adds comprehensive chain tests. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
… filter, FileSession.Write, gather embedding
- Template supports neutron HTTP and Network request types alongside service ops
- Info struct with Risk field (safe/dangerous/critical) for template filtering
- HasTag/RiskAllowed methods for runtime template selection
- FileSession.Write interface + SMB/FTP implementations
- FileOp Write/Data support in service execute
- --gather flag loads embedded service templates (tag=gather)
- --risk and --tags CLI filters for ServiceAction
- LoadServiceTemplatesFromData/FromPaths for embedded + path-based loading
- templates submodule updated with 70+ service templates
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
…o service templates
PostAction no longer collects data from sessions (credentialColumns, shellScanPaths, shellGatherCmds, per-protocol enumeration). All info gathering is now driven by service templates in templates/services/. PostAction retains only the proton scanner — called after pipeline execution to scan Loot produced by ServiceAction templates.
- Remove postShell/postSQL/postKV/postFile and all hardcoded constants
- PostAction.ScanData() replaces the private scanData method
- worker.go feeds result.Loot to PostAction after pipeline completes
- PostAction moved from Pipeline to Runner.PostAction field
- Remove unused DBLimit option
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Each plugin package now registers itself and its service definition in its own init(), eliminating the centralized registry.go and the 26 hardcoded Service variables in pkg/types.go.
- Plugin interface moved to pkg.Plugin; plugin/ package provides thin aliases
- Each plugin init() calls pkg.RegisterPlugin() + pkg.Services.Register()
- plugin/registry.go reduced to blank imports that trigger init()
- pkg/types.go: removed all global Service vars and RegisterServices()
- Adding a new plugin only requires creating the package + importing it
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Session interfaces now provide only atomic DSL execution, with template-driven orchestration on top.
- SQLSession: remove Databases() — templates use `db: "SHOW DATABASES"` directly
- KVSession: absorb RawCommander's Command() — unified kv op dispatch
- Delete 5 AsXxx() helpers — direct type assertions in execute.go
- Remove Op.Databases field and __databases__ special case in execDB
- Memcached: implement KVSession (Get/Command for SET/DELETE/FLUSH)
- MongoDB: implement KVSession (Get/Keys/Command via RunCommand)
- ZooKeeper: implement KVSession (Get/Keys/Command for SET/CREATE/DELETE)
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
MongoDB is a database, not a KV store. Query() now handles:
- "show databases" → ListDatabaseNames
- "show collections <db>" → ListCollectionNames
- any other command → RunCommand on admin db
Templates use `db: "show databases"` instead of forced KV semantics.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Connect the ServiceAction → Loot → PostAction pipeline:
- service/execute.go: populate OperatorsResult.Response with raw op output
- service/template.go: accumulate raw responses across all requests
- action/service.go: store raw response as Loot entry per template
- action/post.go: add NewPostActionFromData() for embedded loot rules
- core/runner.go: --gather auto-activates PostAction from embedded rules
Add 10 PII/secret detection rules (proton file: format): phone, email, id-card, bank-card, password-hash, jwt, cloud-credential, connection-string, private-key, internal-ip
Embed loot rules via templates_gen.go zombie_loot key.
CI: split into lint/test/build/templates jobs, add template validation and embedded-data freshness check.
Tests: Response preservation, Loot population, PostActionFromData, gather pipeline, loot template validation, docker integration.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Aligns with RequestsHTTP and RequestsNetwork naming convention. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Summary
Zombie 2.0 refactors the core architecture, introducing the Session/Action model and a YAML-driven service template protocol.
Architecture changes
The `chain` field declares dependencies; ChainExecutor executes templates in topological order and passes variables between them.
New features
- `--service-template <path>` loads a service template directory
- `--gather` loads the embedded information-gathering templates (70+ templates covering SSH/MySQL/PostgreSQL/MSSQL/Oracle/Redis/SMB/FTP/LDAP/Memcached/MongoDB)
- `--risk safe|dangerous|critical` filters templates by risk level
- `--tags <tag>` filters templates by tag
- `--proton` + `--scan-template` enables proton credential scanning
- `--payload key=value` and `-V key=value` set custom template variables/payloads
- `FileSession.Write` supports SMB/FTP file writes
- `--concurrency`: avoid exceeding server-side rate limits
Credential brute-force enhancements
- `pk:`/`hash:`/`raw:` credential prefixes
- `--strict`: brute-force only after a fingerprint match
Stability
Test plan
`go test ./...` all passing
🤖 Generated with Claude Code