NullSec Enhanced Framework - Complete Guide

January 31, 2026 Β· View on GitHub

πŸ“‹ Table of Contents

  1. Overview
  2. Features
  3. Directory Structure
  4. Using Enhanced Modules
  5. Creating Enhanced Modules
  6. Attack Logging System
  7. Vulnerability Tracking
  8. Examples

🎯 Overview

The NullSec Enhanced Framework provides:

  • Interactive Parameter Collection - Rich prompts with validation
  • Automatic Logging - Every attack is logged with timestamps
  • Vulnerability Tracking - Auto-detect and catalog discovered vulnerabilities
  • Organized Storage - Target-specific folders for all attack data
  • Next Steps Suggestions - AI-generated recommendations after each attack
  • Professional Output - Beautiful formatted displays and summaries

✨ Features

Interactive Elements

  • βœ… Multiple parameter types (IP, Port, File, Choice, Boolean, etc.)
  • βœ… Real-time input validation
  • βœ… Default value suggestions
  • βœ… Help text and descriptions
  • βœ… Numbered choice menus
  • βœ… Confirmation before execution

Logging & Output

  • πŸ“ Timestamped execution logs
  • πŸ“Š Vulnerability severity tracking
  • πŸ“ Organized target directories
  • πŸ“‹ Markdown summary reports
  • 🎯 Suggested next steps
  • πŸ’Ύ All output files preserved

Auto-Discovery

  • πŸ” Detects vulnerabilities from log output
  • 🎯 Categorizes by severity (Critical/High/Medium/Low)
  • πŸ“Š Generates exploitation recommendations
  • πŸ—ΊοΈ Maps attack paths automatically

πŸ“ Directory Structure

All attack results are organized under ~/nullsec/logs/:

~/nullsec/logs/
β”œβ”€β”€ targets/
β”‚   β”œβ”€β”€ 192.168.1.100/
β”‚   β”‚   β”œβ”€β”€ SUMMARY.md                    # Main summary with all attacks
β”‚   β”‚   β”œβ”€β”€ ad-attack_20260114_153045.log # Timestamped attack logs
β”‚   β”‚   β”œβ”€β”€ nmap-scan_20260114_154230.log
β”‚   β”‚   β”œβ”€β”€ scans/                        # Scan results
β”‚   β”‚   β”‚   β”œβ”€β”€ nmap_full.xml
β”‚   β”‚   β”‚   β”œβ”€β”€ nikto_output.txt
β”‚   β”‚   β”‚   └── enum4linux.txt
β”‚   β”‚   β”œβ”€β”€ exploits/                     # Exploit attempts
β”‚   β”‚   β”‚   β”œβ”€β”€ exploit_log.txt
β”‚   β”‚   β”‚   └── payload.bin
β”‚   β”‚   β”œβ”€β”€ credentials/                  # Captured credentials
β”‚   β”‚   β”‚   β”œβ”€β”€ hashes.txt
β”‚   β”‚   β”‚   β”œβ”€β”€ passwords.txt
β”‚   β”‚   β”‚   └── kerberos_tickets.kirbi
β”‚   β”‚   └── screenshots/                  # Evidence screenshots
β”‚   β”‚       └── desktop_20260114.png
β”‚   β”‚
β”‚   β”œβ”€β”€ dc01.corp.local/
β”‚   β”‚   β”œβ”€β”€ SUMMARY.md
β”‚   β”‚   β”œβ”€β”€ asrep_hashes.txt
β”‚   β”‚   β”œβ”€β”€ bloodhound_corp_20260114.zip
β”‚   β”‚   └── ldap_enumeration.txt
β”‚   β”‚
β”‚   └── webserver.example.com/
β”‚       β”œβ”€β”€ SUMMARY.md
β”‚       β”œβ”€β”€ sql_injection_test.log
β”‚       └── xss_vectors.txt

πŸš€ Using Enhanced Modules

From NullSec Launcher

cd ~/nullsec
./nullsec-launcher.py
# Select any module with a .json config - it uses enhanced mode automatically

From NullSec Desktop

  • Launch NullSec Desktop GUI
  • Browse modules by category
  • Click any enhanced module
  • Interactive prompts appear in terminal

Direct Execution

python3 module-framework.py <script.sh> <config.json>

# Example:
python3 module-framework.py \
    nullsecurity/ad-attack-enhanced.sh \
    nullsecurity/ad-attack.json

πŸ”§ Creating Enhanced Modules

Step 1: Copy Templates

cd ~/nullsec/nullsecurity/
cp module-template.sh my-new-module.sh
cp module-template.json my-new-module.json

Step 2: Edit JSON Configuration

{
  "name": "My Custom Attack",
  "description": "What this module does",
  "category": "Exploitation",
  "requires_root": false,
  "pre_run_checks": ["nmap", "nikto"],
  "parameters": [
    {
      "name": "target",
      "prompt": "Target IP Address",
      "param_type": "ip",
      "required": true,
      "description": "Primary attack target"
    }
  ],
  "examples": [
    {"desc": "Example usage scenario"}
  ]
}

Step 3: Edit Bash Script

#!/bin/bash
# Read parameters from environment
TARGET="${NULLSEC_TARGET}"
PORT="${NULLSEC_PORT}"

# Logging paths (auto-provided)
TARGET_DIR="${NULLSEC_TARGET_DIR}"
LOG_FILE="${NULLSEC_LOG_FILE}"

# Use helper functions
log_to_file "Attack started against $TARGET"
save_output "results.txt" "Attack data here"
log_vulnerability "high" "SQL Injection" "Found in login form"

Parameter Types Available

  • string - Free text input
  • ip - IP address with validation
  • port - Port number (1-65535)
  • file - File path with existence check
  • choice - Multiple choice menu
  • boolean - Yes/No question
  • domain - Domain name
  • url - URL validation

Helper Functions in Scripts

log_to_file

log_to_file "Your message here"
# Adds timestamped entry to log file

save_output

save_output "filename.txt" "content to save"
# Saves to target directory and logs it

log_vulnerability

log_vulnerability "severity" "Vulnerability Type" "Description"
# Severities: critical, high, medium, low
# Examples:
log_vulnerability "critical" "RCE" "Remote code execution in upload function"
log_vulnerability "high" "SQLi" "SQL injection in search parameter"
log_vulnerability "medium" "XSS" "Reflected XSS in username field"

πŸ“Š Attack Logging System

What Gets Logged

  • βœ… Execution timestamps (start/end)
  • βœ… All parameters used (passwords redacted)
  • βœ… Module output and results
  • βœ… Discovered vulnerabilities
  • βœ… Exit codes and errors
  • βœ… Generated files and their paths

Log File Format

[2026-01-14 15:30:45] === NullSec Attack Log ===
[2026-01-14 15:30:45] Target: dc01.corp.local
[2026-01-14 15:30:45] Module: Active Directory Attack
[2026-01-14 15:30:45] Timestamp: 2026-01-14T15:30:45
[2026-01-14 15:30:45] Target Directory: /home/user/nullsec/logs/targets/dc01.corp.local
[2026-01-14 15:30:45] ==================================================
[2026-01-14 15:30:45] Execution started with parameters:
[2026-01-14 15:30:45]   attack_type: AS-REP Roasting
[2026-01-14 15:30:45]   domain_controller: dc01.corp.local
[2026-01-14 15:30:45]   domain: corp.local
[2026-01-14 15:30:46] Connected to LDAP://dc01.corp.local:389
[2026-01-14 15:30:47] VULNERABILITY: Found 3 AS-REP roastable accounts
[2026-01-14 15:30:48] Saved output to .../asrep_hashes.txt
[2026-01-14 15:30:50] Execution completed in 5.23 seconds
[2026-01-14 15:30:50] Exit code: 0

Summary Report (SUMMARY.md)

Each target gets a markdown summary with:

  • Attack history and timeline
  • All parameters used
  • Discovered vulnerabilities (color-coded by severity)
  • Suggested next steps
  • Links to all output files

🎯 Vulnerability Tracking

Automatic Detection

The framework automatically detects these patterns in logs:

  • Weak/default credentials
  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Remote Code Execution (RCE)
  • File inclusion vulnerabilities
  • Exposed services
  • Outdated software
  • Misconfigurations

Manual Logging

log_vulnerability "critical" "Authentication Bypass" "Admin panel accessible without credentials"

Severity Levels

  • πŸ”΄ Critical - Immediate exploitation possible (RCE, auth bypass)
  • 🟠 High - Significant impact (SQLi, XSS, privilege escalation)
  • 🟑 Medium - Security weaknesses (weak passwords, misconfig)
  • 🟒 Low - Information disclosure, minor issues

πŸ“š Examples

Example 1: Active Directory Attack

python3 module-framework.py \
    nullsecurity/ad-attack-enhanced.sh \
    nullsecurity/ad-attack.json

Interactive prompts:

  1. Select attack vector (choice menu)
  2. Enter domain controller
  3. Enter domain name
  4. Optional credentials
  5. Stealth mode preference
  6. Output format
  7. Timeout value

Result:

  • Log: ~/nullsec/logs/targets/dc01.corp.local/ad-attack_20260114_153045.log
  • Hashes: ~/nullsec/logs/targets/dc01.corp.local/asrep_hashes.txt
  • Summary: ~/nullsec/logs/targets/dc01.corp.local/SUMMARY.md

Example 2: Network Scan

# Create nmap-scan.json:
{
  "name": "Network Scanner",
  "parameters": [
    {"name": "target", "prompt": "Target IP/Network", "param_type": "ip", "required": true},
    {"name": "scan_type", "prompt": "Scan Type", "param_type": "choice", 
     "choices": ["Quick", "Full", "Stealth"], "required": true}
  ]
}

# Create nmap-scan.sh:
#!/bin/bash
TARGET="${NULLSEC_TARGET}"
SCAN_TYPE="${NULLSEC_SCAN_TYPE}"
log_to_file "Starting $SCAN_TYPE scan of $TARGET"
# ... nmap commands ...
save_output "nmap_results.xml" "$nmap_output"

πŸ” Security Best Practices

  1. Credential Handling

    • Passwords are automatically redacted in logs
    • Store captured credentials in credentials/ subdirectory
    • Never commit logs with real credentials to git
  2. Target Authorization

    • Only test targets you have written permission to test
    • Keep authorization documentation in target folder
    • Document scope and limitations
  3. Data Protection

    • Encrypt sensitive log data
    • Secure delete when testing is complete
    • Follow data retention policies

πŸ†˜ Troubleshooting

Module not using enhanced mode

  • Ensure .json file exists with same base name as .sh
  • Check JSON syntax with: python3 -m json.tool config.json
  • Verify module-framework.py is in ~/nullsec/

Logs not being created

  • Check permissions on ~/nullsec/logs/
  • Ensure NULLSEC_TARGET_DIR environment variable is set
  • Verify disk space available

Parameters not working

  • Check parameter names match between JSON and bash script
  • Remember to prefix with NULLSEC_ in environment variables
  • Use printenv | grep NULLSEC to debug

πŸ“ž Support

For issues or enhancements:

  • Review this guide thoroughly
  • Check existing modules for examples
  • Test with module-template.sh first
  • Consult ENHANCED_FRAMEWORK_GUIDE.md

πŸŽ“ Learning Resources

  • Study ad-attack-enhanced.sh for complete example
  • Review module-framework.py for framework internals
  • Check SUMMARY.md files for output format examples
  • Explore existing .json configs for parameter patterns