███████╗██╗ ██╗██████╗ ██╗ ██████╗ ██╗████████╗ ██████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗
██╔════╝╚██╗██╔╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝██╔════╝ ██╔══██╗██╔══██╗██╔══██╗██║ ██║
█████╗ ╚███╔╝ ██████╔╝██║ ██║ ██║██║ ██║ ██║ ███╗██████╔╝███████║██████╔╝███████║
██╔══╝ ██╔██╗ ██╔═══╝ ██║ ██║ ██║██║ ██║ ██║ ██║██╔══██╗██╔══██║██╔═══╝ ██╔══██║
███████╗██╔╝ ██╗██║ ███████╗╚██████╔╝██║ ██║ ╚██████╔╝██║ ██║██║ ██║██║ ██║ ██║
╚══════╝╚═╝ ╚═╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝
Automated Attack Path Discovery & Exploitation Framework
ExploitGraph is a modular, open-source attack path discovery framework that automatically chains cloud misconfigurations, exposed secrets, and application vulnerabilities into a complete kill chain — starting from zero prior knowledge.
Unlike tools that require credentials first (Pacu) or only audit configurations (Prowler/ScoutSuite), ExploitGraph starts from nothing and discovers everything it needs:
Cloud Misconfiguration → Data Exposure → Secret Leakage → API Abuse → Full Compromise
Every step is visualized as an interactive attack graph with MITRE ATT&CK mappings and AWS remediation commands.
| Tool | Starting Point | Output | Attack Chain |
|---|---|---|---|
| Pacu | Needs IAM credentials | Module results | No chaining |
| Prowler | Needs AWS credentials | Audit findings | No chaining |
| ScoutSuite | Needs AWS credentials | Config report | No chaining |
| TruffleHog | Git repo / S3 bucket | Secret list | No chaining |
| ExploitGraph | Just a URL | Full kill chain + visual graph | Automated |
- msfconsole-style interactive shell with tab completion
- 8+ modular attack modules across discovery, cloud, secrets, exploitation, reporting
- Generic — works against any target (not limited to fintech or specific apps)
- Wordlist-driven discovery — no hardcoded paths
- 20+ secret patterns including AWS keys, JWT secrets, Stripe keys, GitHub tokens
- Optional boto3 AWS integration — real S3 ACL checks, IAM enumeration, MFA detection
- JWT attack engine — none-algorithm bypass, weak secret bruteforce
- Interactive D3.js attack graph in HTML report
- CVSS scoring per finding + session risk score (0-10)
- MITRE ATT&CK for Cloud mapping
- Multi-session SQLite persistence — resume scans across sessions
- Offensive and defensive modes
- pip-installable Python package
```bash
git clone https://github.com/prajwalpawar/ExploitGraph.git
cd ExploitGraph
pip install -r requirements.txt
python3 exploitgraph.py
```

Optional AWS integration (boto3):

```bash
pip install -r requirements.txt
pip install boto3 botocore
```

Requirements:

- Python 3.9+
- Linux / macOS (Kali Linux recommended)
- No AWS credentials required for HTTP-mode scanning
Interactive console:

```
python3 exploitgraph.py
exploitgraph> workspace new pentest http://target.com
exploitgraph> run auto
```

Command line:

```bash
# Full automated attack chain
python3 exploitgraph.py -t http://target.com --auto

# Single module
python3 exploitgraph.py -t http://target.com -m cloud/s3_enum

# Defensive audit mode (no exploitation)
python3 exploitgraph.py -t http://target.com --mode defensive --auto

# List all modules
python3 exploitgraph.py --list-modules
```

Console command reference:

```
SESSION
  workspace new <name> <url>     Create workspace
  set TARGET http://target.com   Set target
  set MODE offensive|defensive   Set mode

MODULES
  show modules                   List all modules by category
  use discovery/http_enum        Select a module
  options                        Show module options
  set OPTION value               Configure option
  run                            Execute module
  run auto                       Full attack chain
  back                           Deselect module

INFORMATION
  show findings                  Security findings
  show secrets                   Extracted credentials
  show attack-path               ASCII kill chain
  show summary                   Risk score + stats
  info <module>                  Module details
  search <keyword>               Search modules

OUTPUT
  export html                    HTML report with D3.js graph
  export json                    JSON for SIEM integration
  export all                     All formats

SESSION MANAGEMENT
  sessions                       List sessions
  sessions -i <id>               Switch session
  sessions -k <id>               Kill session
```
| Module | Description | MITRE |
|---|---|---|
| discovery/http_enum | Wordlist-driven endpoint enumeration + tech fingerprinting | T1595.003 |
| Module | Description | MITRE |
|---|---|---|
| cloud/s3_enum | S3 bucket discovery, public ACL detection, file download + boto3 audit | T1530 |
| cloud/iam_enum | IAM user/role enumeration, MFA checks, policy analysis (requires boto3) | T1580, T1078.004 |
| Module | Description | MITRE |
|---|---|---|
| secrets/file_secrets | 20+ pattern regex scanner + Shannon entropy detection | T1552.001 |
| Module | Description | MITRE |
|---|---|---|
| exploitation/api_exploit | Generic credential testing, admin access, privilege escalation | T1078.004 |
| exploitation/jwt_attack | None-algorithm bypass, weak secret bruteforce, algorithm confusion | T1078, T1550.001 |
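The three weaknesses `jwt_attack` probes for are all server-side verification mistakes. As an added defensive example (this is not ExploitGraph's module, nor any JWT library's API), the following standard-library HS256 verifier shows the checks that close them: the accepted algorithm comes from server configuration (`ALLOWED_ALGS`), never from the token header, so `alg: none` and algorithm confusion are rejected before any signature work; the MAC is recomputed with the server's own key and compared in constant time; and claims are only parsed after the signature holds. The function names, the `check` wrapper and the test secret are all constructed for this example.

```python
"""Hardened HS256 JWT verification using only the standard library.
Added example; not ExploitGraph's jwt_attack module and not a library API."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Server policy: the only algorithm this service will ever accept. Never
# derived from the token, which is exactly what the none-algorithm and
# algorithm-confusion attacks rely on.
ALLOWED_ALGS = {"HS256"}


class InvalidToken(ValueError):
    """Raised with a short, log-friendly reason when a token is rejected."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_hs256(claims: dict, secret: bytes) -> str:
    """Mint a token; used here only so the verifier has something to check."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the claims only if every check passes; raise InvalidToken otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise InvalidToken("bad header")
    # Check 1: exact, case-sensitive match against server policy. "none",
    # "None", "hs256", "RS256" and anything unexpected all stop here.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise InvalidToken("disallowed algorithm")
    # Check 2: recompute the MAC with *our* key; constant-time comparison.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    try:
        given = _b64url_decode(sig_b64)
    except ValueError:
        raise InvalidToken("bad signature encoding")
    if not hmac.compare_digest(expected, given):
        raise InvalidToken("signature mismatch")
    # Check 3: only now trust the payload, then enforce expiry.
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise InvalidToken("bad payload")
    if not isinstance(claims, dict):
        raise InvalidToken("bad payload")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise InvalidToken("expired or missing exp")
    return claims


def check(token: str, secret: bytes, now: Optional[float] = None) -> str:
    """Wrapper that returns "ok" or the rejection reason, for logging/tests."""
    try:
        verify_hs256(token, secret, now)
        return "ok"
    except InvalidToken as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed test secret; a real HS256 key should be at least 32 random bytes.
    secret = b"constructed-test-secret-do-not-reuse"
    tok = encode_hs256({"sub": "alice", "role": "user", "exp": 2_000_000_000}, secret)
    print(check(tok, secret))
```

The weak-secret bruteforce the module also performs is not something verification code can defend against; it is mitigated by key length (RFC 7518 requires an HS256 key of at least 32 bytes, and it should be random, not a passphrase). Logging the reason string from `check` gives a detection signal: a burst of "disallowed algorithm" or "signature mismatch" rejections for one `sub` is exactly what a token-tampering attempt looks like server-side.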
| Module | Description |
|---|---|
| reporting/html_report | Interactive HTML report with D3.js attack graph, CVSS scores, MITRE mapping |
| reporting/json_export | Structured JSON for SIEM/ticketing integration |
ExploitGraph detects the following credential types:

| Type | Pattern |
|---|---|
| AWS Access Key ID | `AKIA[0-9A-Z]{16}` |
| AWS Secret Access Key | `aws_secret_access_key = ...` |
| JWT Secret | `jwt_secret_key = ...` |
| Generic API Key | `api_key = ...` |
| Stripe Live Key | `sk_live_...` |
| GitHub Token | `ghp_...` |
| Google API Key | `AIza...` |
| SendGrid API Key | `SG....` |
| Slack Token | `xox[baprs]-...` |
| Database Password | `db_password = ...` |
| Database URL | `postgresql://user:pass@host` |
| Private Key | `-----BEGIN RSA PRIVATE KEY-----` |
| Bearer Token | `Authorization: Bearer ...` |
| Encryption Key | `aes_key = [hex]` |
| Admin Credentials | `admin password = ...` |
| Twilio SID | `AC[a-z0-9]{32}` |
| Webhook Secret | `webhook_secret = ...` |
| High-Entropy Strings | Shannon entropy > 4.5 |
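The same two techniques the `file_secrets` module combines, named regex patterns plus a Shannon-entropy pass for opaque tokens, are just as useful on the defensive side as a pre-commit or CI check. Below is an added example of such a scanner; it is not ExploitGraph's module, and the regexes are this example's own approximations of the credential shapes in the table, not the project's patterns. The sample `.env` content is constructed: the AWS key is the placeholder from AWS's own documentation and every other value is made up.

```python
"""Minimal secret scanner: named patterns + Shannon-entropy fallback.
Added example; not ExploitGraph's file_secrets module."""
import math
import re
from collections import Counter

# Approximations of the credential shapes listed above (assumed, for this example).
PATTERNS = {
    "AWS Access Key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub Token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Stripe Live Key": re.compile(r"\bsk_live_[A-Za-z0-9]{20,}\b"),
    "Slack Token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}"),
    "Twilio SID": re.compile(r"\bAC[a-z0-9]{32}\b"),
    "Private Key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "Database URL with credentials": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb|redis)://[^\s/:@]+:[^\s@]+@\S+"),
    "Secret assignment": re.compile(
        r"(?i)\b(?:api_key|jwt_secret_key|db_password|aws_secret_access_key|webhook_secret)"
        r"\s*[=:]\s*['\"]?([^\s'\"]+)"),
}
# Candidate opaque tokens for the entropy pass: long runs of base64/urlsafe chars.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits per character, the threshold the README states

# Constructed sample input. Nothing here is a live credential.
SAMPLE_ENV = """\
APP_NAME=demo
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
DATABASE_URL=postgresql://app_user:s3cretpass@db.internal:5432/app
SESSION_KEY=Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MEFCQ0RFRkdI
JWT_SECRET_KEY=change-me-please
LOG_LEVEL=info
"""


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep a short prefix so a finding is identifiable without re-leaking the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str) -> list:
    """Return findings as dicts: type, 1-based line, redacted value (+ entropy)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        covered = set()  # values already explained by a named pattern
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                covered.add(value)
                findings.append({"type": name, "line": lineno, "value": redact(value)})
        # Entropy pass only for tokens no named pattern accounted for, so a
        # known key shape is reported once, under its proper name.
        for m in TOKEN_RE.finditer(line):
            tok = m.group(0)
            if any(tok in c or c in tok for c in covered):
                continue
            ent = shannon_entropy(tok)
            if ent > ENTROPY_THRESHOLD:
                findings.append({"type": "High-Entropy String", "line": lineno,
                                 "value": redact(tok), "entropy": round(ent, 2)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_ENV):
        print(f"line {f['line']:>3}  {f['type']:<30} {f['value']}")
```

Two properties of the entropy threshold are worth knowing before relying on it. A string of length n can have at most log2(n) bits per character, so a 20-character value such as the AWS key ID above tops out at about 4.32 and is caught only by its pattern; and a string drawn from a 16-symbol alphabet (hex) can never exceed 4.0, so hex-encoded keys need a named pattern regardless of length. In the sample, the 40-character base64 session key is the only value that clears 4.5 on entropy alone.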
| Technique | Name | Module |
|---|---|---|
| T1595.003 | Wordlist Scanning | http_enum |
| T1580 | Cloud Infrastructure Discovery | s3_enum, iam_enum |
| T1530 | Data from Cloud Storage Object | s3_enum |
| T1552.001 | Credentials in Files | file_secrets |
| T1552.005 | Cloud Instance Metadata API | file_secrets |
| T1078.004 | Valid Accounts: Cloud Accounts | api_exploit, iam_enum |
| T1548 | Abuse Elevation Control Mechanism | api_exploit |
| T1550.001 | Application Access Token | jwt_attack |
A deliberately vulnerable Flask fintech application is included for demonstration:

```bash
# Terminal 1 — Start target
cd target && python3 app.py
# Running at http://127.0.0.1:5000

# Terminal 2 — Attack it
python3 exploitgraph.py -t http://127.0.0.1:5000 --auto
```

The target simulates:

- Public S3 bucket with backup archive
- `.env` file with exposed AWS keys, API keys, JWT secrets
- Weak admin credentials in deployment notes
- Unauthenticated admin API endpoints
- Debug endpoint leaking configuration

The target app is for controlled lab environments only.
Create a file in `modules/custom/my_module.py`:

```python
from modules.base import BaseModule, ModuleResult


class MyModule(BaseModule):
    NAME = "my_module"
    DESCRIPTION = "My custom scanner"
    CATEGORY = "discovery"   # category under which `show modules` lists it
    SEVERITY = "HIGH"
    MITRE = ["T1595"]
    OPTIONS = {
        "TARGET": {"default": "", "required": True, "description": "Target URL"},
    }

    def run(self, session):
        # Options are set from the console with `set OPTION value`
        target = self.get_option("TARGET")
        # ... your logic ...
        session.add_finding(
            module="my_module",
            title="Finding Title",
            severity="HIGH",
            description="What was found",
            evidence="Proof",
            recommendation="How to fix",
            cvss_score=7.5,
        )
        return ModuleResult(True, {"found": True})
```

ExploitGraph automatically discovers and loads it. No configuration needed.
The HTML report includes:
- Executive summary with severity breakdown
- Interactive D3.js attack graph (drag, zoom, hover for details)
- Expandable findings with CVSS scores
- Evidence + proof-of-concept per finding
- AWS CLI remediation commands
- MITRE ATT&CK technique mapping
- Full secrets table
- Exploitation evidence log
- Session risk score (0-10)
With boto3 installed and credentials configured:

```
# Using AWS CLI profile
exploitgraph> use cloud/s3_enum
exploitgraph> set AWS_PROFILE my-profile
exploitgraph> run

# Using discovered credentials (auto-populated from file_secrets)
exploitgraph> use cloud/iam_enum
exploitgraph> run    # Picks up AWS keys found by file_secrets automatically
```

All AWS operations are READ-ONLY — no modifications to your AWS environment.
```
ExploitGraph/
├── exploitgraph.py          Entry point (CLI + console launcher)
├── core/
│   ├── console.py           msfconsole-style interactive shell
│   ├── module_loader.py     Dynamic plugin discovery & loading
│   ├── session_manager.py   SQLite-backed multi-session tracking
│   ├── attack_graph.py      networkx attack graph engine
│   ├── risk_engine.py       CVSS-style risk scoring
│   ├── logger.py            Structured colored logger
│   └── config.py            YAML configuration loader
├── modules/
│   ├── base.py              BaseModule abstract class
│   ├── discovery/           HTTP enumeration modules
│   ├── cloud/               AWS/cloud security modules
│   ├── secrets/             Credential extraction modules
│   ├── exploitation/        Attack execution modules
│   ├── reporting/           Report generation modules
│   └── custom/              Drop your own modules here
├── data/wordlists/          Attack wordlists
├── sessions/                SQLite session database
├── reports/                 Generated reports
└── target/                  Demo vulnerable application
```
ExploitGraph is developed for authorized security testing and educational purposes only.
- Only use against systems you own or have explicit written permission to test
- The demo target application is for isolated lab environments only
- Unauthorized use against third-party systems is illegal
The author assumes no liability for misuse of this tool.
MIT License — see LICENSE
Prajwal Pawar, B.Sc. Cyber Security — Final Year Project, School of Computer Application
Contributions welcome! See CONTRIBUTING.md for guidelines.
The easiest contribution: write a new module in modules/custom/ following the BaseModule pattern and submit a PR.