zero hero the fun begins

[s-b-repo]

---

RustSploit - Release 0.4.9

Penetration testing framework written in Rust

239 modules | MIT License | For authorized security testing only

---

---

(latest) - All 32 Module Socket Warnings Fixed, Dependency Upgrades,
hex.rs Vendored Native Lib

Maintenance release - 0 warnings, dependency bumps, native hex decode, cred
module improvements.

Build status: 0 errors, 0 warnings - verified by cargo check and cargo run.

Dependency upgrades:
colored 3.0 -> 3.1
clap 4.5 -> 4.6
tokio 1.49 -> 1.51
uuid 1.19 -> 1.23
rand 0.9 -> 0.10 (RngExt migration)
rlimit 0.10 -> 0.11
btleplug 0.11 -> 0.12
tokio-tungstenite 0.28 -> 0.29
hyper-util 0.1 (tokio) -> 0.1 (tokio, service)

Fixes:

• TLS connection handler wrapped with TowerToHyperService - fixes Tower service
  trait mismatch that broke TLS accept loop
• 9 files updated for rand 0.10 - Rng -> RngExt migration (random(),
  random_range(), fill() moved to RngExt trait)
• native/hex.rs - vendored decode() function added; tightvnc module now uses
  crate::native::hex::decode instead of external hex crate
• All 71 module print_banner() functions guarded with is_batch_mode() and use
  mprintln_block! for atomic output - zero remaining unguarded banner sites
• Credential modules - all 19 cred modules now have info() metadata (100%
  coverage), 0 raw prompt_* calls remaining, 0 File::create without 0o600

Build dispatch:

• Dispatchers regenerated: 19 cred modules (19 info), 89+ exploit modules
  (with info/check), 1 plugin module - all auto-discovered at compile time

---

• Final Security Hardening - GlobalOptions Validation, Semaphore Drain,
  Silence Elimination

---

Security release - GlobalOptions audit, drain barrier refactor, concurrent
SSH/RDP/SSH fixes, spool TOCTOU.

GlobalOptions audit (6 findings fixed):

• Error swallowing on backup copy failure now logged
• Error swallowing on file read error now logged - was silently losing all
  global options
• set() validates key length (1-256), value length (max 4096), and entry cap
  (1024); returns false on rejection
• MCP handle_set_option now checks set() return and reports errors
• try_get write-contention - retries up to 50ms instead of silently returning
  None on a briefly-held write lock
• File target hardcoded concurrency (50) now reads from global options like
  other scan paths

Semaphore drain refactor:

• 3 sites in commands/mod.rs and 3 sites in utils/bruteforce.rs refactored -
  sequential acquire loop replaced with sem.acquire_many() - single syscall
  with diagnostic message on failure

Error silence elimination:

• loot.rs - atomic rename silently ignored -> now logged
• port_scanner.rs - probe never sent, false negatives -> explicitly handled
• ssh_scanner.rs - socket timeout setup failures ignored -> now skips to next
  address
• jobs.rs - poisoned RwLock recovered instead of returning empty data
• mcp/client.rs - shutdown timeout and kill errors logged; early return on
  clean exit
• workspace.rs / cred_store.rs - backup, read, serialize, write errors all
  logged

SSH / FTP / RDP cred module fixes:

• SSH timeout hardening - added set_read_timeout, set_write_timeout, and
  sess.set_timeout() so handshake/auth can't hang a blocking thread forever
• Combo overflow protection - Vec::with_capacity capped at 10M entries to
  avoid OOM on huge cross products
• Atomic ordering - print_progress and print_final now use Ordering::Acquire
  instead of Relaxed for consistent stats

---

• 239 Total Modules, Documentation Overhaul & Dependency Switch to ring

---

Release - aws-lc-sys removed, ring crypto backend, docs fully updated.

Module counts: 183 exploits | 27 scanners | 29 creds | 239 total

Dependency change - ring replaces aws-lc-rs:

• Switched reqwest, rustls, and tokio-rustls from aws-lc-rs to ring backend
• ssl_scanner.rs - changed to rustls::crypto::ring::default_provider()
• aws-lc-sys C library build (317s) eliminated - ring compiles from Rust+asm
  in ~15s; clean build significantly faster

Documentation updates (11 files):

• Module-Catalog.md - 57 new entries, 6 new category sections, totals updated
• Getting-Started.md - removed freerdp, added correct deps, minimum Rust 1.85+
• API-Server.md - REST -> WebSocket corrected; 5 phantom endpoints removed
• Testing-QA.md - module counts updated 181->240; CLI and API tests corrected
• Changelog.md - full session changelog prepended; all counts corrected

Other fixes:

• Sub-category grouping fixed - uses second-level directory for correct
  grouping in module list
• run_all command removed - ra alias now maps to run; WS API routes backward
• Tab completion fixed - exact match returns only that match

---

• Telnet IAC Flood Module & IAC Parser Safety

---

Feature/security release - New DoS module, IAC SB boundary fixes, buffer cap
on subnegotiation.

New: telnet_iac_flood.rs

• WILL/DO Storm - rapid-fire WILL/DO/WONT/DONT for 14 options
• Subnegotiation Bomb - IAC SB frames without IAC SE terminators + 4000+ byte
  payloads
• NOP Interleave - 1000+ IAC NOP commands interleaved with WILL/DO
• Combined - all three plus rapid option toggling cycles

IAC parser safety fixes:

• telnet_auth_bypass_cve_2026_24061.rs - usize underflow fix when data is empty
• Added sb_data.len() < 4096 cap - prevents unbounded memory from malicious SB
• telnet_bruteforce.rs - added SB scan range cap
• MAX_IAC_ROUNDS (64) - caps IAC negotiation responses per drain call
• MAX_DRAIN_BYTES (64 KB) - caps total bytes read per drain call
• IAC response batching - all responses in a single write_all

---

• WPair Bluetooth Module - Fast Pair Exploitation, GATT Fingerprinting,
  REPL Interface

---

Feature release - ML-KEM pairing attacks, 51 device database, 6 KBP
strategies, TUI -> REPL migration.

New exploit capabilities:

• ActionRequest strategy (6th strategy) using message type 0x10
• Improved GATT error classification: Write Not Permitted, Insufficient
  Authorization, Insufficient Encryption, Application Error

New GATT capabilities:

• Firmware Revision (0x2A26) - reads firmware version for fingerprinting
• Additional Data (0xFE2C1237) - reads personalized device name data
• FMDN Service (0xFD44) - detects Find My Device Network capability

Expanded device database (18 -> 51 devices):

• 33 new entries: Google Pixel Buds, Sony WF/WH-1000X series, JBL, Anker
  Liberty 4 NC, Jabra Elite 2, Bose QC35 II, Beats Studio Buds, Razer
  Hammerhead TWS X, LG HBS, Technics EAH-AZ60M2, B&O Beoplay series

REPL interface (TUI removed):

• crossterm + ratatui removed; replaced with rustyline REPL
• Commands: scan, list, select, test, exploit, fmdn, write, audio connect,
  listen, record, talk, stop, quit, help
• Connection timeout increased 10s -> 15s

---

• SSH / FTP / Output / Spool Audit - 5 Fixes Including Credential File
  Permissions

---

Security/bugfix release.

sshpwn_session.rs CRITICAL Command injection via unsanitized cd directory
-> shell-escape with single quotes
ssh_bruteforce.rs HIGH Panic on empty DNS iterator
-> .ok_or_else() returning proper I/O error
sshpwn_session.rs HIGH Unused timeout parameter causing indefinite
blocking -> implemented via sess.set_timeout()
ftp_bruteforce.rs MEDIUM FTP connection leak on FTPS fallback
-> added ftp.quit().await before fallback
ssh/ftp/rdp (3 files) HIGH Credential files world-readable (0644)
-> OpenOptions with mode(0o600)

Spool security:

• O_NOFOLLOW flag added to prevent TOCTOU symlink race
• Lock-first pattern before file creation
• Parent directory symlink check
• write_line() returns Result with flush after every write

---

• DoS Module Overhaul - Shared Socket Pools, sendmmsg, Pre-flight Tests

---

Feature/bugfix release - All raw-socket DoS modules rewritten.

Root cause of previous issues:

• 1000 workers x individual socket per worker -> hit default ulimit 1024
• Error handler only checked EPERM; all other send errors dropped silently
• null_syn_exhaustion advertised sendmmsg but called individual send_to
• 8 MB default stack x 1000 threads = 8 GB virtual memory

Fixes applied to all 8 modules:

• Shared socket pool via AsRawFd + libc::sendto - no more FD exhaustion
• Pre-flight test - sends one packet before workers; aborts on failure
• Comprehensive error handling - all errno values logged; ENOBUFS backoff;
  consecutive-error circuit breaker
• 128 KB thread stacks via thread::Builder - 64x less memory than default
• Graceful spawn failure handling

Modules fixed:
null_syn_exhaustion, dns_amplification, memcached_amplification,
ntp_amplification, ssdp_amplification, syn_ack_flood, icmp_flood, udp_flood

Performance (null_syn_exhaustion):

• Actual sendmmsg batching: 32 packets per syscall (was 32 individual sendto)
• 32x fewer syscalls; 32x fewer kernel socket lock acquisitions

---

• Scanner Phase Fixes - Port 0, CIDR OOM, Wildcard DNS, Unbounded HTTP

---

Bugfix release - 10 scanner module fixes.

S1 ping_sweep.rs CRITICAL /0 CIDR OOM -> networks >1M rejected;
.take(limit) safety net added
S2 api_endpoint_scanner.rs LOW Duplicate HTTP methods -> removed
S3 dns_recursion.rs MEDIUM Hardcoded DNS timeout -> configurable
S4 http_title_scanner.rs MEDIUM Full body buffered before truncation
-> bytes_stream() at 256 KB
S5 http_method_scanner.rs LOW Response body never dropped -> explicit
drop(resp) added
S6 port_scanner/ping_sweep MEDIUM Port 0 accepted -> skipped with warning;
source port range changed to 1-65535
S8 subdomain_scanner.rs MEDIUM 1 random test for wildcard -> 3 random,
marks wildcard if >=2 resolve same IP
S11 redis_scanner.rs LOW Silent truncation on large INFO responses
-> logs message when 8 KB buffer full

Additional security fixes:

• sshpwn_sftp_attacks.rs - SFTP read capped to 10 MB via Read::take()
• mongo/mongobleed.rs - zlib decompression capped to 64 MB via Read::take()

TOCTOU file permissions:

• cred_store.rs, loot.rs, global_options.rs, pq_channel.rs - files now created
  with 0o600 atomically via OpenOptions::mode()

Capacity overflow prevention:

• native/hex.rs, native/payload_engine.rs, utils/sanitize.rs - saturating_mul
  used in all capacity calculations

---

• Exploit Module Audit - Phases A & B Complete, 181 Modules Reviewed

---

Major maintenance - thread::sleep migration, references populated, privilege
helper, HTTP client unification.

Phase A - Mechanical bulk fixes:

• A1 - std::thread::sleep replaced with tokio::time::sleep in SSH modules;
  blocking ssh2 sessions wrapped in spawn_blocking
• A2 - All 39 modules with empty references populated with NVD + MITRE links
• A3 - New src/utils/privilege.rs - require_root() helper; all 9 raw-socket
  modules now gate at top of run() with clean error instead of crash

Phase B - Utility reuse migrations:

• B1 - ~14 raw TcpStream::connect sites migrated to tcp_connect_addr() across
  multiple module categories
• B2 - HttpClientOpts struct added; 47 sites across 41 files migrated to
  build_http_client_with()
• Existing build_http_client(timeout) retained as thin wrapper

Build system:

• Regex caching in build.rs - 3 regexes compiled once, reused
• Fast pre-filter - content.contains("fn run") checked before regex matching
• check_available() and check_available_by_category() generated per category

---

• SSRF Hardening - Complete IP Range Blocking, URL Parsing, Fail-Closed
  DNS

---

Security release.

Fix 1 - is_blocked_ip with complete coverage:

• Added loopback (127.0.0.0/8), private (10/8, 172.16/12, 192.168/16), 0.0.0.0
• Added IPv6 ::1, fe80::/10 (link-local), fc00::/7 (ULA)
• Split into is_blocked_ip + is_blocked_ipv4 for clarity

Fix 2 - URL parsing bypass hardening:

• Uses url::Url::parse for proper host extraction (handles @ userinfo, ports)
• Percent-decodes hostnames before blocklist checks
• Strips @ userinfo in fallback manual parsing
• Blocks file:// scheme entirely

Fix 3 - Fail-closed on DNS error:

• is_blocked_target_resolved returns true when DNS fails/times out
• rpc_set_target (ws.rs) - added async DNS check
• MCP tools - all relevant handlers updated with validation

---

• MCP Server, WebSocket API, Shell/API Parity - 15 New Commands in API

---

Major feature - MCP protocol server, WebSocket JSON-RPC API, 27 total
endpoints, module metadata via all interfaces.

New: MCP server (src/mcp/):

• isolate_protocol_stdout() - redirects fd 1 to /dev/null to prevent println!
  corrupting the JSON-RPC stream
• MAX_LINE_BYTES (1 MiB) cap to prevent memory exhaustion from malicious input
• Byte-level read_until for binary safety
• resources/read wrapped per MCP spec
• MCP tool input validation - field length limits, control char validation,
  SSRF checks

Shell/API parity - 15 commands added to WebSocket API:
info [module] Returns module metadata as JSON
check Runs non-destructive vuln check, returns CheckResult
setg / unsetg Sets/removes global options
creds add/search/delete/clear
hosts / services / notes
workspace
loot add/search
export fmt file
jobs -k id / clean

Bug fixes:

• Jobs tuple field swap in API responses fixed
• StatusCode always OK - failed commands now return 400 BAD_REQUEST
• Port 0 accepted as valid - added validation
• Resource script infinite recursion - MAX_RESOURCE_DEPTH = 16
• WebSocket rpc_run_module uses per-run config instead of polluting GLOBAL_OPTIONS
• Background jobs now receive full per-run config
• Module existence check added to rpc_run_module

---

• Batch Mode - Mass Scan Output Control & Prompt Cache

---

Feature release - Banner suppression, single-prompt-per-scan, per-task module
timeout, mprintln_block! macro.

Mass scan improvements:

• 163 display_banner/print_banner functions now early-return in batch mode -
  no more interleaved banners across 50 concurrent tasks
• Prompt cache - all 8 cfg_prompt_* wrappers route through cached_prompt();
  first task prompts, rest use cached answer
• Per-task module timeout - reads setg module_timeout (default 60s)
• 7 interactive shells now return errors instead of blocking stdin in batch mode

New: mprintln_block! macro:

• Holds STDOUT_MUTEX across all lines, preventing interleaved output from
  concurrent tasks

BatchGuard race condition fix:

• Replaced AtomicBool with AtomicUsize refcount - nested/concurrent batches
  now work correctly
• Prompt cache size limit: MAX_PROMPT_CACHE_ENTRIES = 256
• RAII BatchGuard calls set_batch_mode(false) on drop

---

• Bruteforce Engine Refactor - Streaming Wordlists, Batch Prompt Cache,
  EXCLUDED_RANGES Dedup

---

Refactor release.

Module migration:

• src/modules/creds/utils.rs -> src/utils/bruteforce.rs
• Registered as pub mod bruteforce in src/utils/mod.rs with re-exports for
  all 24 public items
• ~203 consumer files updated from crate::modules::creds::utils:: to
  crate::utils::

Streaming wordlist support:

• Files >250 MB processed in 500K-line batches without materializing full
  cross product in memory

EXCLUDED_RANGES deduplication:

• 10 duplicate const EXCLUDED_RANGES removed - all use crate::utils::
• Canonical definition is superset including Cloudflare + Google ranges

Engine bug fixes:

• Global lockout pause - shared AtomicBool; one task sleeps 30s, others
  spin-wait before attempting login
• Backoff off-by-one - first retry now uses 1x base (500ms) instead of 2x
• Random scan task drain - semaphore drain loop added after random scan exits
• Redis -NOAUTH - fixed return from Ok(false) to Ok(true)
• HTTP redirect without Location header - changed from false positive to
  retryable protocol error
• FTP IPv6 TLS hostname - replaced split on ':' with bracket-aware parser

---

• Bruteforce Engine Audit - 15 Critical/High Fixes, TOCTOU, Overflow,
  Channel Deadlock

---

Security/bugfix release.

Critical fixes (8):

• C1 - run_bruteforce drain loop was CPU busy-spin -> deleted poll_fn block
• C2 - run_subnet_bruteforce progress reporter ran forever -> AtomicBool stop
  flag
• C3 - generate_combos panics on empty input -> early return guard added
• C4 - IPv6 CIDR /64 OOM (2^64 hosts) -> capped at 1M hosts
• C5 - Telnet IAC byte at TCP chunk boundary corrupts prompts -> break instead
  of push
• C6 - Streaming mode never saved intermediate results -> print_found() +
  save_to_file() after each chunk
• C7 - verify_shell returns success on write failure -> documented with comment
• C8 - stop_on_success didn't break out of port loop in streaming mode ->
  stop_early flag added

High fixes (7):

• H1 - generate_random_public_ip infinite loop risk -> 100K iteration cap
• H3 - Concurrent file writes in subnet bruteforce corrupt output -> mpsc
  channel + single writer task
• H4 - verify_shell missed password re-prompts -> added to false-positive check
• H6 - SNMP malformed response treated as valid community -> changed to false
• H9 - Fortinet CSRF regex unreliable -> whitespace-tolerant patterns added
• H10 - MQTT unbounded allocation from malicious CONNACK -> capped at 256 bytes
• L2TP AVP length infinite loop (avp_len==0) -> avp_len < 6 guard added

Additional fixes:

• "press" substring collision fixed - matched "password", "express", etc.
• Channel deadlock on file open failure fixed with drain on Err arm
• Silent file load failure -> match with error message

---

• Major Telnet Overhaul - Lockout Detection, Verify Shell, Device
  Fingerprinting

---

Feature release - 55 default credentials, device-type fingerprinting,
multi-port parallel scanning.

Protocol improvements:

• TCP_NODELAY enabled - eliminates Nagle latency on credential packets
• TERMINAL_TYPE subnegotiation - responds with IS "xterm"
• TERMINAL_SPEED, NEW_ENVIRON, ENVIRON, X_DISPLAY_LOCATION refused
• IAC responses flushed immediately

New: verify_shell

• Sends "echo RS_VERIFIED" and checks for output - eliminates false positives
  from verbose banners

New: classify_response + AuthSignal enum

• Returns Success | Failure | Reprompt | Lockout | Ambiguous
• Check order: lockout > failure > re-prompt > success

New: lockout and EOF detection

• Lockout indicators: "too many failed", "account locked", "temporarily
  blocked", "please wait", "banned", "rate limit"
• Empty EOF after password = definitive failure

Device fingerprinting (15 device types):

• Dahua, Xiongmai, HiSilicon, ZTE, Huawei, MikroTik, Ubiquiti, Cisco, D-Link,
  TP-Link, Netgear, BusyBox, Raspberry Pi, Dell iDRAC, HP printers
• Device-specific credential prioritization in mass scan mode

Data expansion:

• 55 default credentials (was 44)
• Multi-port scanning - comma-separated ports; default "23,2323"
• 100 GB wordlist OOM fix - files >500 MB streamed in 100K-line chunks
• Expanded login/password prompts and success indicators

---

• Zero .unwrap() - All Panicking Paths Eliminated

---

Code quality release.

Rust - 15 fixes across 7 files:
pq_channel.rs (3) .expect("HKDF expand") -> anyhow::Result + ?
pq_middleware.rs (4) .unwrap() on headers -> .map_err StatusCode?
api.rs (6) .parse().unwrap() -> HeaderValue::from_static()
telnet_bruteforce.rs .unwrap() on file path -> .ok_or_else()?
shell.rs .expect("valid history size") -> .context()?
payload_engine.rs (2) .expect("Charset empty") -> if let / .unwrap_or
config.rs Regex recompiled every call -> once_cell::Lazy

Final state:

• 0 .unwrap() in Rust
• 0 TODO / FIXME in Rust or any module files
• 0 panic! / unreachable! / unimplemented! / todo!
• 0 #[allow(dead_code)] or #[allow(unused)]

---

• Networking Fixes - IPv6, Timeouts, Buffers, TCP_NODELAY

---

Bugfix release - Core network utilities, RDP BER encoding, 30+ bare TCP
connect sites.

Core utilities (src/utils/network.rs):

• 6 panicking unwrap() removed - replaced with infallible SocketAddr::new()
• udp_bind() now IPv6-aware - 8 callers updated
• DNS multi-address fallback - resolves all addresses and tries each on failure

RDP native (src/native/rdp.rs):

• BER length encoding - added 3-byte and 4-byte encoding; was silently
  truncating lengths >65535
• IPv6 TLS host extraction - bracket-aware parsing for [::1]:3389

TCP timeout fixes (10 locations across 8 files):

• Bare TcpStream::connect().await wrapped with tokio::time::timeout(10s)
• Blocking connect wrapped with connect_timeout()

Buffer and client fixes:

• SSH scanner banner buffer: 256 -> 1024 bytes
• Port scanner UDP recv buffer: 512 -> 1500 bytes (standard MTU)
• 5 modules missing danger_accept_invalid_certs(true) fixed
• TCP_NODELAY added to POP3, SMTP bruteforce, and SMTP user enum

---

• 100% Module Metadata Coverage - 152/152 Modules Have info()

---

Feature release - All modules discoverable, shell/API/MCP parity, credential
wiring.

Stats: 152/152 modules with info() | 15/19 creds with store_credential() |
0 raw prompt_* calls | 0 File::create without 0o600

Changes:

• 13 modules now persist credentials to ~/.rustsploit/creds.json
• 8 modules had File::create replaced with OpenOptions + mode(0o600)
• 5 modules fixed from raw prompt_* to cfg_prompt_* for API compatibility
• POP3 bruteforce - exponential backoff with retry added
• SSH Spray - stop-on-success flag with AtomicBool added
• MQTT bruteforce - real TLS via tokio-native-tls with generic handshake

---

• 9 New Credential Modules - Database, Web, Messaging Protocol Coverage

---

Feature release.

New modules:
http_basic_bruteforce HTTP Basic Auth 80/443 reqwest + Basic header
redis_bruteforce Redis 6379 Raw TCP AUTH command
imap_bruteforce IMAP/IMAPS 143/993 Raw TCP LOGIN + TLS
mysql_bruteforce MySQL 3306 Native wire protocol + SHA1
postgres_bruteforce PostgreSQL 5432 Wire protocol + MD5 auth
vnc_bruteforce VNC/RFB 5900 DES challenge-response
elasticsearch_brute Elasticsearch 9200 reqwest + Basic/API key
couchdb_bruteforce CouchDB 5984 reqwest + session/Basic auth
memcached_bruteforce Memcached 11211 Binary SASL PLAIN + open

Bug fixes in new modules:

• mysql_bruteforce / postgres_bruteforce - 1 MB packet limit reduced to 64 KB
• imap_bruteforce - passwords with '"' or '' now properly escaped per RFC 3501
• http_basic_bruteforce - success now matches 200-299 and redirects
• elasticsearch / couchdb - reqwest Client shared via Arc in mass scan

---

• Unlimited Subnet Scanning - Configurable Concurrency & Adaptive
  Progress

---

Feature release - Hard scan caps removed, setg knobs, percentage progress.

Removed hard caps:

• commands/mod.rs - is_huge_subnet logic removed; all CIDR subnets now
  iterate fully via lazy network.iter()
• creds/utils.rs - bail! blocking subnet bruteforce >1M hosts removed;
  replaced with a warning

New configurable options:
setg concurrency 200 controls parallel tasks (default 50)
setg max_random_hosts N caps random internet scans only
setg module_timeout 60 per-task module timeout

Adaptive progress reporting:

10M hosts : every 10,000 hosts
100K hosts : every 1,000 hosts
1K hosts : every 100 hosts
<1K hosts : every 50 hosts
Shows: [*] Progress: 50000/16777216 hosts (0.3%) | 12 ok | 3 err

---

• Post-Quantum Encryption - ML-KEM-768 + X25519 Replaces TLS & API Keys

---

Major feature - BREAKING CHANGE - SSH-style identity keys, mutual auth,
Double Ratchet forward secrecy.

BREAKING: TLS and Bearer token API authentication completely replaced by a
post-quantum hybrid scheme. Existing integrations must migrate to PQ identity
keys.

Removed:

• --api-key, --tls-cert, --tls-key CLI flags
• validate_api_key(), auth_middleware(), load_tls_certs(), TLS accept loop
• tokio-rustls, rustls, rustls-pemfile dependencies
• subtle crate

Added - SSH-style PQ identity keys:

• Host key: ML-KEM-768 + X25519 at ~/.rustsploit/pq_host_key - auto-generated
  on first run
• Authorized keys: ~/.rustsploit/pq_authorized_keys - one JSON per line
• Mutual auth: both sides prove key ownership via DH
• 3 shared secrets: Ephemeral X25519 DH + Identity X25519 DH + ML-KEM-768
• Forward secrecy: Double Ratchet (ChaCha20-Poly1305 AEAD)
• CLI flags: --pq-host-key , --pq-authorized-keys

New dependencies:
x25519-dalek 2.0, chacha20poly1305 0.10, hkdf 0.12, sha2 0.10, hex 0.4

Security model:

• No TLS - PQ encryption is the sole transport layer
• No API keys - identity proven by key ownership during handshake only
• Zero #[allow()] annotations in PQ code

---

• 8 New Scanner Modules - TLS, Redis, VNC, SNMP, WAF, DNS, NetBIOS

---

Feature release - Scanner suite expanded from 15 to 23 modules.

New scanner modules:
ssl_scanner TLS/SSL Certificate analysis, TLS version/cipher
detection, expired/self-signed flagging
redis_scanner Redis 6379 PING/INFO/CONFIG/DBSIZE, auth detection,
exploitation vector assessment
vnc_scanner VNC 5900 RFB version, security type enumeration,
unauthenticated access detection
snmp_scanner SNMP 161/UDP Manual BER/ASN.1, community string brute
(10 defaults + custom wordlist)
waf_detector HTTP/HTTPS 10 WAF signatures, confidence scoring
subdomain_scanner DNS 67 built-in subdomains + custom wordlist,
concurrent A/AAAA lookup
nbns_scanner NetBIOS 137 NBNS wildcard query, hostname/MAC extraction

Scanner bug fixes:

• ssl_scanner.rs - Mutex poison panic eliminated; added key_bits and SHA-256
  fingerprint; key size colored red if <2048 bits
• redis_scanner.rs - CONFIG GET parser rewritten
• snmp_scanner.rs - BER length encoding fixed; added 3-byte encoding
• waf_detector.rs - HTTPS auto-detection added; HTTP fallback
• subdomain_scanner.rs - Wildcard DNS detection added
• nbns_scanner.rs - Integer overflow protection; name count capped at 50

---

• DoS Module Performance Overhaul

---

Performance release.

null_syn_exhaustion.rs (SYN Flood):

• 4 MB socket send buffer (was 256 KB)
• Stats batch 5000 (was 500) - 10x fewer atomic ops
• Manual raw-byte packet construction - no pnet abstraction overhead
• Batch building: 32 packets built then sent in tight loop
• Default payload 1400 bytes (was 1024) - near MTU for max bandwidth
• Stats display now in Gbps instead of Mbps

tcp_connection_flood.rs:

• Default concurrency 2000 (was 500)
• SO_LINGER(0) / RST mode for faster teardown
• Optional HTTP payload to force server resource allocation
• Multi-port support - round-robin across comma-separated ports

cve_2023_44487_http2_rapid_reset.rs:

• Burst mode - 50 HEADERS back-to-back then RSTs all; actually models the CVE
• Concurrent connections (default 5, up to 50)
• Removed artificial delays
• Deduplicated ~130 lines of SSL/non-SSL copy-paste

---

• Global State Migration - Concurrent API, Structured Output, Findings
  API

---

Feature release - BREAKING CHANGE - tokio RwLock migration, output capture,
structured logging.

BREAKING: Module authors using raw println! must migrate to mprintln!.

Architectural changes:
Global mutable state (4 stores using std::sync::RwLock)
-> Migrated to tokio::sync::RwLock. File I/O no longer blocks runtime.
RunContext extended with per-request target + output accumulator.

stdout-capture via gag crate
-> gag removed. New src/output.rs with task-local OutputBuffer.
4683 println!/eprintln!/print! calls replaced with crate::mprintln!
API semaphore raised from 1 to num_cpus. Concurrent execution works.

No structured output
-> ModuleOutput, Finding, Severity, OutputAccumulator types added.
API returns findings array in JSON.

No structured logging
-> tracing::info! added to API dispatch and command resolution.

---

• Async Prompt System - All 132+ Modules Now Tokio-Safe

---

Refactor release - Blocking stdin on async runtime eliminated.

Core change:

• src/utils/prompt.rs - read_safe_input() now uses tokio::task::spawn_blocking()
  to run stdin().read_line() on a dedicated OS thread
• All 7 prompt functions are now async fn
• All 8 config-aware wrappers are now async fn

Scale of changes:

• 132+ module files had .await added to prompt calls
• 30 helper functions made async
• 4 bruteforce modules fixed for .await inside sync closures
• MutexGuard-across-await issue in smtp_user_enum.rs fixed

---

• Universal Target Support - CIDR, Multi-Target & Source Port Binding

---

Feature release - Every module now supports subnet and multi-target without
any per-module changes.

Target type support:
Single IP/host 192.168.1.1 Direct dispatch
CIDR subnet 10.0.0.0/24 Expand to IPs, 50 concurrent
Comma-separated 10.0.0.1,192.168.1.1 Split, dispatch each
File target list /tmp/targets.txt Read from file, 50 concurrent
Random mass scan random / 0.0.0.0 Generate random public IPs

Source port binding:
tcp_connect() Async TCP with source port ~64 modules
tcp_port_open() Async TCP port check ~79 mass-scan
blocking_tcp_connect() Blocking TCP ~22 SSH modules
udp_bind() Async UDP ~5 UDP modules

Bug fixes:

• /32 subnet overhead - single-host subnets dispatch directly
• Huge subnet OOM - subnets >1M IPs use semaphore-drain pattern
• Non-zero /0 subnets missed - 10.0.0.0/0 now correctly handled
• File/random scan task handle accumulation fixed
• Private subnet infinite loop fixed in generate_random_ip_in_network()
• Path traversal check incorrectly blocking legitimate file targets fixed

---

• 20 New Trending Exploit Modules - 148 Total Modules

---

Feature release - CVEs from 2025-2026, network infra, web apps, SSH, VoIP.

Stats: 109 exploits | 19 creds | 14 scanners | 1 plugin | 148 total

Web Application exploits (10 new):
xwiki_rce CVE-2025-24893 9.8 Groovy RCE via SolrSearch
craftcms_key_rce CVE-2025-23209 8.1 Known security key RCE

Network Infrastructure exploits (6 new):
citrixbleed2 CVE-2025-5777 9.3 CitrixBleed 2 memory leak
hpe_oneview_rce CVE-2025-37164 10.0 Code injection RCE
f5_bigip_rce CVE-2025-53521 9.3 F5 BIG-IP APM RCE
sonicwall_sma_rce CVE-2025-40602 9.8 SonicWall SMA1000 RCE
ivanti_ics_rce CVE-2025-22457 9.0 Stack overflow RCE
ivanti_preauth_rce CVE-2025-0282 9.0 Pre-auth buffer overflow

Frameworks, SSH, VoIP (4 new):
tomcat_put_rce CVE-2025-24813 9.8 PUT deserialization RCE
wsus_rce CVE-2025-59287 9.8 Windows WSUS deserialization RCE
erlang_otp_ssh_rce CVE-2025-32433 10.0 SSH pre-auth RCE
freepbx_cmdi CVE-2025-64328 8.6 Command injection

All new modules include info(), check(), full utils integration, API support,
host tracking, and credential storage.

Framework fix:

• Module listing and tab completion now use build-time registry instead of
  filesystem scanning

---

• Security Hardening Round 2 - 15 Fixes Across Scanners & Credentials

---

Bugfix release.

Scanner fixes (5):
ipmi_enum_exploit.rs HIGH Integer overflow in packet length
-> saturating_sub + bounds validation
port_scanner.rs MEDIUM Double file write for same result
-> deduplicated write logic
sequential_fuzzer.rs HIGH char as u8 truncates non-ASCII
-> as_bytes() for hex/octal
ssh_scanner.rs MEDIUM Silent CIDR truncation at 65536 hosts
-> warning message added
port_scanner.rs LOW Unused show_only_open parameter
-> prefixed with _

Credential module fixes (6):
ssh_user_enum.rs HIGH Blocking connect in async context
-> wrapped in spawn_blocking
pop3_bruteforce.rs HIGH Modulo by zero on empty lists
-> empty-list guard with bail!
mqtt_bruteforce.rs HIGH Same modulo-by-zero -> guard added
smtp_bruteforce.rs HIGH Same -> guard added
l2tp_bruteforce.rs HIGH Same -> guard added
fortinet_bruteforce.rs HIGH Same -> guard added

Build status: Zero errors, zero code warnings after all fixes.

---

• Security Hardening Round 1 - 17 Bug Fixes Across Framework & Exploits

---

Security audit - Patches critical path traversal, command injection, and data
corruption vulnerabilities.

Critical security fixes:
src/spool.rs CRITICAL Path traversal - only ".." was blocked;
absolute paths allowed -> reject absolute
paths, validate symlinks, flush writes
src/loot.rs CRITICAL Path traversal via loot_type in filename
-> sanitize to alphanumeric only; 100 MB
size limit
src/loot.rs HIGH file_path() exposed raw path joining
-> validate no /, , .., null bytes
src/cred_store.rs HIGH Silent data corruption on JSON parse failure
-> backup corrupted file, log warning
src/cred_store.rs HIGH No input validation on credential fields
-> MAX_FIELD_LEN (4096), reject empty host
src/global_options.rs HIGH Silent data corruption on JSON parse failure
-> backup, log warning
src/workspace.rs HIGH Silent data corruption on JSON parse failure
-> backup, log warning
src/workspace.rs HIGH Lock held during file I/O
-> clone data before I/O, release lock first
src/workspace.rs MEDIUM No input validation on add_host
-> validate IP length and control chars
src/export.rs HIGH CSV injection via formula prefix characters
-> prefix =, +, @, - with ' in CSV output
src/export.rs HIGH No path validation on export files
-> added validate_export_path()
src/jobs.rs MEDIUM Memory leak - finished jobs never cleaned
-> auto-cleanup on list() call

Command injection fixes (exploit modules):
n8n_rce_cve_2025_68613.rs CRITICAL Only '"' escaped before execSync()
-> escape_js_command(cmd, true)
react2shell.rs HIGH Weak js_encode() missing shell chars
-> crate::utils::escape_js_command

Protocol & file safety:

• heartbleed.rs - batch file read without size limit -> 50 MB check
• mongobleed.rs - unbounded response read (up to 4 GB) -> capped at 16 MB
• nginx_pwner.rs - integer overflow in content_len -> saturating_add/sub
• cve_2024_38094.rs - UTF-8 byte slicing at &digest[..40] -> .chars().take(40)
• native/rdp.rs - array indexing without bounds check -> bounds guards

---

• Framework Foundation - Core Architecture & Storage Layer

---

Initial release.

Stats: 16 docs updated | 8 new src files | 8 modified files

New source files:
src/module_info.rs ModuleInfo / CheckResult types, display formatting
src/global_options.rs Persistent global options with JSON storage
src/cred_store.rs Credential store with CRUD + JSON persistence
src/spool.rs Console output logging to file
src/workspace.rs Host/service tracking with workspace switching
src/loot.rs Loot management with file storage
src/export.rs JSON / CSV / summary report export
src/jobs.rs Background job management with cancellation

New shell commands:
info, check, setg, unsetg, show options, creds add/search/delete/clear,
spool on/off, resource, makerc, hosts add, services add, notes, workspace,
loot add/search, export json/csv/summary, jobs -k/clean, run -j

New API endpoints:
/api/options, /api/creds, /api/hosts, /api/services, /api/workspace,
/api/loot, /api/jobs, /api/export

Build system:

• build.rs now detects info() and check() and generates per-category
  dispatchers automatically
• src/shell.rs - ~30 new commands added; resource script support
• src/utils/prompt.rs - all cfg_prompt_* functions check global options
• src/cli.rs - added -r / --resource flag

What's Changed

• Enic enamle by @s-b-repo in Enic enamle #40

Full Changelog: v0.4.8...v0.4.9

---

This discussion was created from the release zero hero the fun begins.