PhantomYerra v45.1.0
Universal AI-Agentic Security Assessment Platform - Complete Methodology

3.1 YerraScan Engine (Priority 1)

YerraScan Engine is PhantomYerra's primary vulnerability scanning engine. It performs template-based vulnerability detection using a continuously updated library of over 8,000 vulnerability checks covering CVEs, misconfigurations, default credentials, exposed panels, information disclosure, and more.

What information is needed to start

• Target URL(s) or a list of URLs (one per line, or piped from the reconnaissance phase)
• Optional: specific template tags to focus (e.g., cve, misconfig, exposure, default-login)
• Intensity level (controls rate limiting and template aggressiveness)
• Authenticated scan credentials (if testing behind login - cookies or bearer tokens)

How the test works step-by-step

1. Template Selection - Based on target technology fingerprinting, the engine selects relevant templates. A WordPress site triggers CMS-specific templates; a Java application triggers Struts/Spring templates; an IIS server triggers ASP.NET templates.
2. Request Generation - For each template, HTTP requests are crafted with specific paths, parameters, headers, and payloads defined in the template. Request ordering is optimized to reduce total round trips.
3. Response Matching - Responses are analyzed against multiple matchers: status codes, body content patterns (regex and keyword), header patterns, response time differentials, and DSL expressions that combine multiple conditions.
4. Severity Classification - Matches are classified by severity (Critical, High, Medium, Low, Info) based on the template definition, CVSS scoring, and whether the CVE appears in the CISA KEV catalog.
5. Evidence Capture - Full HTTP request/response pairs are captured and SHA-256 hashed as evidence for every confirmed finding.
6. Deduplication - Duplicate findings across multiple URLs are consolidated, with each affected URL listed in the finding detail.

What findings it produces

CVE vulnerabilities with CVSS scores, misconfiguration findings (exposed admin panels, debug endpoints, directory listings), default credential detections, technology exposure (version disclosure, stack traces), and information leakage (API keys in responses, internal IPs, backup files). Each finding includes the matched template identifier for traceability.

How to review results

Each finding includes: severity rating, CVE ID (if applicable), the matched template ID, full HTTP request/response evidence, a description of the vulnerability, business impact assessment, and remediation guidance. Findings are grouped by severity in the Scan Dashboard and can be filtered by category, severity, or affected URL. Clicking a finding opens the evidence viewer with side-by-side request/response display.

How to decide whether to exploit

The AI orchestrator evaluates each finding's exploitability: Is a public exploit available? Does the environment type permit exploitation? What additional data or access could be gained? If the finding is exploitable and within scope, the AI proceeds automatically. If exploitation would be destructive (data modification, service disruption), it pauses for operator confirmation in live_production environments.

Example findings

3.2 YerraBrute - Web Fuzzing Orchestrator (Priority 2)

YerraBrute is PhantomYerra's web fuzzing orchestrator that discovers hidden content, directories, files, virtual hosts, and parameters through intelligent wordlist-based probing. It coordinates three complementary fuzzing engines for maximum coverage, each specializing in a different aspect of content discovery.

FfufAdapter - Fast Web Fuzzer

The primary fuzzing engine handles directory/file discovery, virtual host enumeration, parameter fuzzing, and POST data fuzzing. It supports filtering responses by status code, response size, word count, line count, and regex patterns. Custom wordlists are selected based on the target technology stack (e.g., PHP-specific wordlists for PHP applications, ASP-specific for IIS/ASP.NET targets). It operates at high speed with configurable concurrency and automatic calibration to find the optimal request rate.

GobusterAdapter - Directory Buster

Focused on directory and DNS brute-forcing. Excels at deep recursive directory discovery with configurable depth levels. Supports extensions-based discovery (e.g., .php, .asp, .jsp, .bak, .old, .conf, .zip, .tar.gz). Handles stateful cookies for authenticated directory enumeration.

FeroxbusterAdapter - Recursive Content Discovery

Recursive forced browsing engine. Automatically discovers directories and then recursively fuzzes within each discovered directory. Handles auto-calibration of response filtering, making it effective against applications that return custom 404 pages with varying content lengths.

What information is needed

• Target URL (base URL to fuzz against)
• Wordlist selection (auto-selected based on technology fingerprint, or manually chosen)
• Extensions to append (auto-detected from technology fingerprint or manually specified)
• Recursion depth (default: 3 levels)
• Rate limit (requests per second; default adapts to target responsiveness)
• Authentication tokens if testing behind login

How the test works step-by-step

1. Technology fingerprinting determines which wordlists and extensions to use.
2. Baseline request captures the target's default 404 response signature (size, word count, status code).
3. Fuzzing begins with the primary wordlist, appending configured extensions to each word.
4. Responses are compared to the 404 baseline; significant deviations indicate discovered content.
5. Discovered directories trigger recursive fuzzing at deeper levels.
6. Results are deduplicated and classified by content type (directory, file, backup, config, admin panel).

How results are reviewed

Discovered paths are categorized by type: directories, files, backup files, configuration files, admin panels, API endpoints, and hidden functionality. Each discovery includes the HTTP status code, response size, and a content preview. Critical discoveries (backup files containing credentials, exposed admin panels, configuration files with secrets) are flagged with appropriate severity and feed into the attack graph.

Example findings

3.3 YerraTLS: TLS/SSL Security Analyzer (Priority 3)

YerraTLS performs full TLS/SSL analysis including protocol version support, cipher suite enumeration, certificate chain validation, key exchange strength, known vulnerabilities (POODLE, BEAST, CRIME, Heartbleed, ROBOT, Lucky13), HSTS configuration, certificate transparency log presence, and OCSP stapling status. It tests every TLS-enabled endpoint discovered during the reconnaissance phase.

What information is needed

• Target hostname and port (default: 443; also tests 8443, 8080 with TLS)
• No authentication required: TLS analysis uses the public handshake

How the test works

1. Initiates TLS handshakes with each supported protocol version (SSLv3, TLS 1.0, 1.1, 1.2, 1.3) to determine which are accepted.
2. Enumerates all accepted cipher suites for each protocol version.
3. Analyzes the certificate chain: validity dates, key sizes, signature algorithms, issuer chain, SAN entries.
4. Tests for specific vulnerabilities by sending crafted handshake messages (e.g., Heartbleed uses a malformed heartbeat request).
5. Checks security headers: HSTS (max-age, includeSubdomains, preload), Expect-CT.

What findings it produces

3.4 YerraParamDiscover - Hidden Parameter Finder (Priority 4)

YerraParamDiscover identifies hidden, undocumented, and debug parameters in web applications. Many applications accept parameters that are not visible in the UI or documentation but are processed by the backend. These hidden parameters can enable debug modes, bypass authentication, access admin functionality, or reveal internal data structures.

How it works

1. Sends a baseline request to the target URL and captures the response signature (size, word count, headers, status code).
2. Iterates through a wordlist of common parameter names (debug, admin, test, verbose, internal, token, secret, key, api_key, and thousands more), appending each to the request.
3. Compares each response against the baseline - significant deviations (different status code, changed response size, new headers, different content) indicate a recognized parameter.
4. Discovered parameters are tested with various values (boolean true/false, numeric 0/1, strings, special characters) to determine their function.
5. Parameters that enable debug output, bypass security checks, or reveal internal data are flagged with appropriate severity.

Example findings

3.5 YerraSurface - Web Server Scanner (Priority 5)

YerraSurface performs full web server analysis including server software identification, dangerous HTTP methods (PUT, DELETE, TRACE), default file detection, outdated server components, SSL/TLS configuration issues, and server-level misconfigurations. It complements application-level scanning by focusing on the web server infrastructure layer.

What it tests

• Over 6,700 potentially dangerous files and programs across all major web servers
• Outdated versions of over 1,250 web server software variants
• Version-specific vulnerabilities on 270+ server types
• Server configuration issues: directory listing, WebDAV methods, TRACE/TRACK methods, CORS misconfiguration
• SSL/TLS issues: expired certificates, weak ciphers, protocol downgrade opportunities
• HTTP security headers: missing Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
• Default installation pages, README files, CHANGELOG files that leak version information

3.6 YerraCMS - WordPress Security Scanner (Priority 6)

YerraCMS is a dedicated WordPress security assessment engine. It identifies WordPress installations, enumerates installed plugins and themes (including version numbers), tests for known vulnerabilities in each component, performs user enumeration, and tests authentication mechanisms including XML-RPC brute-force amplification.

How it works step-by-step

1. WordPress Detection - Identifies WordPress through meta generators, wp-content paths, REST API endpoints (/wp-json/), and xmlrpc.php presence.
2. Plugin Enumeration - Discovers installed plugins through multiple methods: passive detection from page source, aggressive probing of known plugin paths, REST API queries, and readme.txt version extraction.
3. Theme Enumeration - Identifies active and inactive themes via stylesheet references, template detection, and style.css version headers.
4. Vulnerability Cross-Reference - Each detected plugin/theme version is cross-referenced against vulnerability databases for known CVEs, including SQL injection, XSS, RCE, and file upload vulnerabilities.
5. User Enumeration - Discovers WordPress user accounts through author archives (/?author=1), REST API user endpoint (/wp-json/wp/v2/users), and login error oracle (different error messages for valid vs invalid usernames).
6. Authentication Testing - Tests for weak passwords against enumerated users using dictionary attacks, XML-RPC multicall brute-force amplification (testing hundreds of passwords per request), and default credentials.

3.7 YerraInfoGather - Web Information Harvester (Priority 7)

YerraInfoGather crawls web applications to extract sensitive information including API keys, tokens, email addresses, internal IP addresses, AWS/GCP/Azure credentials, database connection strings, JWT secrets, and other secrets embedded in HTML source, JavaScript files, and API responses. It operates alongside YerraCrawler but focuses specifically on information extraction rather than URL discovery. Every extracted piece of sensitive data is tested for liveness where applicable (e.g., testing if an extracted AWS key is still active).

3.8 YerraCrawler (Priority 8)

YerraCrawler is a high-performance web crawling engine that maps the full application structure by following links, parsing JavaScript, extracting URLs from comments and source code, and building a complete site map. Unlike traditional crawlers, it executes JavaScript to discover dynamically generated content and single-page application routes.

How it works

1. Seeds the crawl from the target URL and any previously discovered endpoints from reconnaissance.
2. Follows all links (anchor tags, form actions, JavaScript redirects, fetch/XHR calls).
3. Extracts URLs from inline JavaScript, CSS files, HTML comments, and meta tags.
4. Respects scope boundaries: only crawls within the defined target domain(s).
5. Outputs a complete URL list with parameter names, HTTP methods, and content types.

The crawler output feeds directly into other engines: discovered URLs are passed to YerraScan for vulnerability scanning, to YerraBrute for parameter fuzzing, and to the DAST engine for active testing.

3.9 YerraXSS - Cross-Site Scripting Specialist (Priority 9)

YerraXSS is a dedicated XSS vulnerability detection and exploitation engine. While the general DAST engine tests for XSS as part of its broader scan, YerraXSS provides specialized deep analysis including DOM-based XSS detection, blind XSS verification through out-of-band callbacks, and context-aware payload generation for various rendering contexts (HTML, attribute, JavaScript, URL, CSS).

Payload generation methodology

The engine analyzes how user input is reflected in the response. Based on the reflection context, it generates targeted payloads:

• HTML context: <script> tags, event handlers (onerror, onload, onfocus), <img>/<svg>/<details> with event attributes
• Attribute context: Attribute escape sequences, event handler injection, JavaScript protocol URLs
• JavaScript context: String break-out, template literal injection (${}), prototype chain manipulation
• URL context: javascript: protocol, data URIs, URL encoding bypasses

The engine automatically tests WAF bypass techniques: Unicode normalization, HTML entity encoding, double encoding, null byte injection, case randomization, and polyglot payloads. It generates hundreds of payload variants per injection point and tests them with an intelligent backoff strategy to avoid rate limiting.

How many exploitation attempts

The engine tests up to 300 payload variants per injection point. It begins with simple payloads and progressively escalates to more complex WAF-bypass techniques. Testing terminates early when a successful payload is confirmed or when all variants are exhausted.

Confirming exploitation

Reflected XSS is confirmed by verifying that the injected payload appears in the response unencoded within an executable context. Stored XSS is confirmed by injecting a payload, navigating to the storage/display page, and verifying execution. Blind XSS is verified using an out-of-band callback server that logs the execution with source URL, cookies, and DOM content.

Confirming NOT exploitable

An injection point is marked not vulnerable only after: (1) all standard payloads tested across all contexts, (2) all encoding/bypass variants exhausted, (3) DOM-based analysis completed, (4) OOB callback monitoring concluded. Evidence includes the list of tested payloads and the sanitization behavior observed.

3.10 YerraPatternMatch: URL Pattern Extractor (Priority 10)

YerraPatternMatch extracts interesting URLs from web crawling output using pattern-matching rules. It identifies URLs that contain potential injection points (parameters likely vulnerable to SQLi, XSS, SSRF, LFI, RCE), debug endpoints, file upload handlers, and redirect parameters. These extracted URLs are prioritized for further testing by the AI orchestrator, ensuring the most promising attack vectors are explored first.

3.11 YerraVisual - Web Screenshot Engine (Priority 11)

YerraVisual captures screenshots of web pages for visual reconnaissance and evidence collection. It processes lists of URLs in parallel, rendering each page in a headless browser and capturing a full-page screenshot. Screenshots are used for: (1) evidence in reports proving access to admin panels, login pages, and sensitive content; (2) visual similarity analysis to identify default installations and known software; (3) technology fingerprinting from visual layout patterns.

3.12 YerraLogicTest - Business Logic Vulnerability Scanner (Priority 12)

YerraLogicTest performs automated business logic vulnerability testing: a category that traditional scanners cannot detect because the vulnerabilities exist in the application's intended functionality rather than in technical implementation flaws. This engine requires authenticated access and understanding of the application's workflow.

Vulnerability classes tested

• IDOR (Insecure Direct Object Reference) - Tests whether modifying resource IDs (user IDs, order numbers, document references) provides access to other users' data. The engine systematically increments, decrements, and randomizes identifiers.
• BOLA (Broken Object-Level Authorization) - Verifies that API endpoints enforce authorization checks per object, not just per endpoint. Tests with different user sessions to confirm isolation.
• BFLA (Broken Function-Level Authorization) - Tests whether regular users can access administrative functions by directly calling admin API endpoints discovered through crawling or API documentation.
• Race Conditions - Sends concurrent requests to test for time-of-check-to-time-of-use (TOCTOU) vulnerabilities in financial transactions, coupon redemption, voting, inventory operations, and similar state-changing operations.
• Mass Assignment - Tests whether sending additional fields in API requests (e.g., "role":"admin", "isVerified":true) modifies protected attributes.
• Workflow Bypass - Tests whether multi-step processes (payment, approval, verification) can be bypassed by skipping intermediate steps or replaying final-step requests directly.
• JWT Manipulation - Tests for algorithm confusion (RS256 to HS256), none algorithm acceptance, key brute-force on weak secrets, and claim tampering (changing sub, role, exp claims).
• Price Manipulation - Tests whether client-side price values, discount codes, or quantity fields are trusted by the server without validation.

4.1 YerraPortScanner - Port Discovery Engine (Priority 1)

The primary port scanning engine that coordinates fast SYN-based discovery with detailed service enumeration. It first performs a rapid sweep of all 65,535 TCP ports using asynchronous connection probes, then hands discovered open ports to the service detection phase for banner grabbing and version identification. The two-stage approach combines speed (full port sweep in seconds) with depth (detailed service analysis of every open port).

4.2 YerraVPN: VPN Security Scanner (Priority 2)

YerraVPN tests VPN concentrators and remote access gateways for known vulnerabilities, weak configurations, and authentication bypass. Covers IPsec/IKE, SSL VPN (Pulse Secure/Ivanti, Fortinet, GlobalProtect, Citrix NetScaler), OpenVPN, and WireGuard. Tests include: IKE aggressive mode (extracting the pre-shared key hash for offline cracking), SSL VPN path traversal vulnerabilities (CVE-2019-11510, CVE-2018-13379), default credentials, certificate validation issues, and split-tunnel configuration weaknesses.

4.3 YerraAD - Active Directory Penetration Testing (Priority 3)

YerraAD is a dedicated Active Directory penetration testing orchestrator. It performs domain enumeration, trust relationship mapping, Kerberos attacks, LDAP reconnaissance, attack path analysis, GPO abuse, delegation attacks, ACL abuse, and certificate services attacks.

Attack techniques

• AS-REP Roasting - Extract hashes for accounts with "Do not require Kerberos pre-authentication" for offline cracking.
• Kerberoasting - Extract service ticket hashes (TGS) for service accounts for offline cracking.
• Golden Ticket - Forge Kerberos TGTs using the KRBTGT account hash (requires domain admin).
• Silver Ticket - Forge service tickets for specific services using the service account hash.
• Constrained/Unconstrained Delegation Abuse - Exploit misconfigured delegation settings to impersonate privileged users.
• Resource-Based Constrained Delegation (RBCD) - Modify the msDS-AllowedToActOnBehalfOfOtherIdentity attribute to escalate privileges.
• ACL Abuse - Exploit misconfigured access control entries (ForceChangePassword, GenericAll, WriteDacl, WriteOwner) for privilege escalation.
• AD Certificate Services (ESC1-ESC8) - Exploit vulnerable certificate templates, enrollment agent abuse, and NTLM relay to certificate services.
• BloodHound-Style Path Analysis - Build the complete AD relationship graph and identify the shortest path to Domain Admin.

Example attack chain

1. Enumerate domain users via LDAP (anonymous bind or with low-privilege credentials)
2. Identify AS-REP roastable accounts, extract hashes, crack offline with YerraCrack
3. Use cracked credential for Kerberoasting, extract service ticket hashes
4. Crack service account hash revealing SQL Server service account password
5. Connect to SQL Server, execute xp_cmdshell, extract additional credentials
6. Find domain admin hash in extracted credentials, pass-the-hash to domain controller
7. Full domain compromise documented with complete evidence chain

4.4 YerraNetworkOrch - Network Scan Orchestrator (Priority 4)

The Network Scan Orchestrator coordinates all network scanning engines into a unified workflow: fast port discovery feeds into detailed service enumeration, which feeds into service-specific vulnerability testing. The orchestrator manages scan state, deduplicates findings across engines, builds the network topology map, and ensures that each discovered service is tested by the most appropriate engine. It integrates YerraConnect (banner grabbing), YerraProbe (host alive), YerraRecon (service detection), and all exploitation engines.

4.5 YerraConnect - Network Communication Toolkit (Priority 5)

YerraConnect is a pure-Python network communication toolkit supporting TCP and SSL/TLS connections for banner grabbing, service verification, and custom protocol interaction. It performs asynchronous connect-scan probes across multiple targets simultaneously, capturing service banners and TLS certificate information. Capabilities include: TCP and TLS banner grabbing with configurable timeout, custom protocol probes (HTTP, SMTP, FTP, POP3, IMAP, MySQL, PostgreSQL, Redis, MongoDB), SSL/TLS certificate extraction and analysis, and raw socket communication for custom protocol testing.

4.6 YerraProbe - Host Alive & Latency Prober (Priority 6)

YerraProbe is a pure-Python host discovery engine that performs ICMP echo, TCP SYN, and TCP connect probes to determine host availability and measure network latency. It supports multiple probe types to bypass firewall restrictions, if ICMP is blocked, TCP probes on common ports (80, 443, 22, 3389) confirm host availability. Probes run in parallel across large networks. Output includes latency statistics (min/avg/max/jitter) per host and a host-alive determination for each target.

4.7 YerraPortProbe: SYN Port Scanner (Priority 7)

YerraPortProbe performs high-performance SYN scanning using raw packet manipulation. It is faster than full TCP connect scans because it sends SYN packets and interprets RST/SYN-ACK responses without completing the TCP handshake. The engine supports host exclusion, port exclusion, CIDR input, and outputs results in JSON for downstream processing by other engines.

4.8 YerraFastScan - Ultra-Fast Port Scanner (Priority 8)

YerraFastScan is an ultra-high-speed port scanner designed for rapid initial reconnaissance. It scans all 65,535 ports in seconds by using asynchronous socket connections with configurable batch size (default: 4,500 simultaneous connections). Open ports discovered by YerraFastScan are automatically passed to YerraRecon for detailed service enumeration and vulnerability assessment.

4.9 YerraRecon - Network Scanner (Priority 9)

YerraRecon is PhantomYerra's full network scanning engine performing host discovery, port scanning (TCP/UDP), service version detection, OS fingerprinting, and vulnerability detection scripts.

Scan phases

1. Host Discovery - Determines which hosts in the target range are alive using ICMP echo, TCP SYN to ports 80/443, TCP ACK, and ARP probes (for local networks).
2. Port Scanning - Scans the target port range. Default scans cover the top 1,000 ports; aggressive mode scans all 65,535 TCP ports plus the top 1,000 UDP ports.
3. Service Detection - Probes open ports to identify the running service and version using banner grabbing, protocol-specific probes, and SSL/TLS certificate inspection.
4. OS Fingerprinting - Analyzes TCP/IP stack behavior (initial TTL, window size, TCP options) to identify the target operating system and version.
5. Vulnerability Scripts - Runs vulnerability detection scripts against identified services: SMB vulnerabilities (EternalBlue/MS17-010), SSL/TLS issues, default credentials, known CVEs for detected service versions.

Example findings

4.10 YerraExploit - Windows/AD Attack Toolkit

YerraExploit provides deep Windows and Active Directory attack capabilities: credential harvesting (secretsdump for SAM/LSA/NTDS.dit), remote command execution (psexec, smbexec, wmiexec, dcomexec), Kerberos attacks (GetUserSPNs, GetNPUsers), NTLM relay (ntlmrelayx), MSSQL interaction (xp_cmdshell), and enumeration (rpcdump, lookupsid, samrdump). The AI orchestrator chains these attacks with findings from other engines automatically.

4.11 YerraEnum: SMB/NetBIOS Enumerator

YerraEnum performs full SMB and NetBIOS enumeration: user listing, group enumeration, share listing with permissions, password policy extraction, OS information, RID cycling for user discovery, and printer enumeration. Works against both Windows and Samba targets with null sessions (unauthenticated) or provided credentials.

4.12 YerraNetOps - Network Execution Framework

YerraNetOps is a multi-protocol execution framework supporting SMB, WinRM, MSSQL, LDAP, SSH, FTP, and RDP. It enables credential validation across multiple hosts simultaneously ("credential spraying"), share enumeration, command execution, and module-based post-exploitation. The spray technique tests a small number of passwords against all discovered user accounts to find weak credentials without triggering account lockouts.

4.13 YerraFramework - Exploitation Framework

YerraFramework provides access to thousands of exploits, payloads, and post-exploitation modules. The AI orchestrator selects and configures the appropriate exploit based on the target service version and vulnerability detected by YerraRecon. Capabilities include: exploit selection and automatic configuration, payload generation (Meterpreter, reverse shell, bind shell) tailored to target OS and architecture, post-exploitation modules (privilege escalation, credential harvesting, pivoting, persistence), auxiliary modules (service scanning, brute forcing, protocol fuzzing), and evasion modules (antivirus bypass, payload encoding, obfuscation).

4.14 YerraRouterExploit - Router/IoT Exploitation

YerraRouterExploit targets routers, access points, and network devices with exploit modules for Cisco, MikroTik, D-Link, Netgear, TP-Link, Huawei, ZyXEL, and others. Includes default credential testing and firmware vulnerability detection for infrastructure assessments.

5.1 YerraOSINT - Asset Discovery Engine (Priority 1)

YerraOSINT discovers subdomains and associated assets using passive data sources: certificate transparency logs (crt.sh, Certspotter, Facebook CT), DNS datasets (DNSdumpster, RapidDNS, HackerTarget), search engines (Google, Bing, DuckDuckGo dorking), web archives (Wayback Machine, CommonCrawl, AlienVault OTX), and threat intelligence feeds (VirusTotal, SecurityTrails, Shodan, Censys, BinaryEdge). It queries over 40 sources simultaneously without sending any traffic to the target, making it completely passive and undetectable. Output: a deduplicated list of discovered subdomains with DNS resolution status, IP addresses, CNAME records, and live/dead status.

5.2 YerraURLDiscovery: URL Discovery Orchestrator (Priority 2)

Coordinates multiple URL discovery engines (YerraArchive, YerraWayback, YerraSpider, YerraAssetFinder, YerraHTTPProbe, YerraDeepRecon) into a unified pipeline. Discovered URLs are deduplicated, normalized, and categorized by type (page, API endpoint, file, resource). The orchestrator manages rate limiting across engines and feeds results to the web scanning surface.

Sub-engines within URL Discovery

• GauAdapter (YerraArchive) - Retrieves historical URLs from the Wayback Machine, Common Crawl, AlienVault OTX, and URLScan.io. Discovers endpoints, parameters, and pages that no longer appear in the current application but may still be accessible.
• WaybackUrlsAdapter (YerraWayback) - Specifically queries the Wayback Machine CDX API for all archived URLs dating back years.
• GospiderAdapter (YerraSpider) - Passive web spider that extracts linked URLs, JavaScript file references, form actions, robots.txt entries, and sitemap.xml URLs.
• AssetfinderAdapter (YerraAssetFinder) - Discovers related domains and subdomains from certificate transparency logs and DNS records.
• HttpprobeAdapter (YerraHTTPProbe) - Probes domains for live HTTP/HTTPS services on ports 80, 443, 8080, 8443. Returns confirmed live web hosts with status codes and response titles.
• AmassAdapter (YerraDeepRecon) - Performs the most thorough subdomain enumeration: DNS brute-forcing, web scraping, certificate transparency, API sources, and graph-based DNS relationship mapping.

5.3 YerraDNS: DNS Brute-Force & Resolution (Priority 3)

Active DNS brute-forcing to discover subdomains not found in passive sources. Uses high-performance DNS resolution with wildcard detection and filtering. Methodology: (1) load wordlist (100K default, 1M+ aggressive), (2) detect wildcard DNS by resolving random non-existent subdomains, (3) resolve all entries, (4) filter wildcard matches, (5) output confirmed subdomains with resolved IPs.

5.4 YerraASN: ASN Mapping & IP Range Discovery (Priority 4)

Maps an organization's complete IP space by querying ASN databases. Given a domain or organization name, identifies all associated ASNs and their IP ranges, revealing cloud infrastructure, colocation facilities, and regional offices that may not be linked to the primary domain.

5.5 YerraMetaSearch: OSINT Aggregator (Priority 5)

Aggregates OSINT data from ASN lookups, IP-to-organization mapping, CIDR range discovery, related domain identification, and technology fingerprinting. Acts as a meta-search engine querying public databases to build a full profile of the target's internet presence.

5.6 YerraGitExpose - Exposed Git Repository Finder (Priority 6)

Detects exposed .git directories on web servers and extracts their contents. When a web server inadvertently serves the .git directory, the entire source code history (including credentials and API keys in past commits) can be reconstructed. Scans commit history for secrets and reports all sensitive data found.

5.7 YerraCIDR - Network Range Processor (Priority 7)

Processes CIDR ranges into individual IP addresses, aggregates overlapping ranges, converts between CIDR and IP list formats, and filters IP ranges. Used internally by other engines to normalize target specifications and prepare IP lists for scanning.

5.8 YerraChaosClient - Bug Bounty Recon Feed (Priority 8)

Retrieves subdomain data from the ProjectDiscovery Chaos dataset, a continuously updated repository of subdomains for bug bounty programs. When the target domain exists in the Chaos database, the engine retrieves all known subdomains instantly without any active scanning.

5.9 YerraTakeover - Subdomain Takeover Detection (Priority 9)

Identifies subdomains vulnerable to takeover. When a subdomain points to a decommissioned cloud service (S3, Heroku, GitHub Pages, Azure, Shopify, etc.) but the DNS record remains, an attacker can claim that resource. Impact: phishing on legitimate subdomain, cookie theft via parent domain, brand abuse, SPF bypass for email spoofing.

5.10 YerraCrawl - Advanced Web Crawler (Priority 10)

Advanced crawler supporting both standard and JavaScript-rendered crawling via headless browser. Discovers endpoints in SPAs, AJAX interfaces, and modern JavaScript frameworks that traditional crawlers miss. Extracts URLs from JavaScript source, API calls, WebSocket connections, and dynamic content.

6.1 YerraSAST - Universal Static Analyzer (Priority 1)

YerraSAST is the primary SAST engine supporting Python, JavaScript/TypeScript, Java, Go, Ruby, PHP, C#/.NET, Kotlin, Swift, Scala, Rust, C/C++, and COBOL. It uses pattern-based rules with dataflow analysis to detect: injection flaws (SQL, command, XSS, LDAP, XPath), authentication issues (hardcoded credentials, weak hashing), cryptographic weaknesses (weak algorithms, hardcoded keys, insecure RNG), insecure deserialization, path traversal, SSRF, race conditions, and information exposure.

Language-specific adapters

6.2 YerraGoSec - Go Security Analyzer (Priority 2)

Deep security analysis for Go codebases: unsafe pointer usage, SQL injection in database/sql, command injection in os/exec, insecure TLS configurations, weak cryptographic usage, file permission issues. Integrates with Go's AST parser for accurate analysis.

6.3 YerraCodeQL - Semantic Code Analysis

Semantic analysis using database queries over the code's AST, control flow graph, and data flow graph. Detects complex patterns: multi-step taint tracking, interprocedural analysis across multiple files, and context-sensitive detection where the same pattern is vulnerable in one context but safe in another.

6.4 YerraIaCAnalyze - IaC Static Scanner

Scans Infrastructure as Code (Terraform, CloudFormation, Ansible, Kubernetes YAML, Helm charts, Dockerfiles) for security misconfigurations within the SAST pipeline.

7.1 YerraSCA: SBOM Generator

Generates a Software Bill of Materials (SBOM) in CycloneDX and SPDX formats. Identifies all dependencies - direct, transitive, and vendored - across npm, pip, Maven, Gradle, Go modules, Cargo, NuGet, RubyGems, Composer, and CocoaPods.

What information is needed

• Path to the application source code, container image, or binary
• Package manifest files (package.json, requirements.txt, pom.xml, go.sum, Cargo.lock, etc.) are auto-detected
• Container registry credentials for private image scanning (optional)

How the test works step-by-step

1. Manifest Discovery - Recursively scans the project tree for all package managers and their lock files, including nested monorepo structures.
2. Dependency Resolution - Resolves the full dependency graph including transitive dependencies (dependencies of dependencies) to arbitrary depth. Vendored copies (node_modules, vendor/) are also cataloged.
3. Version Pinning - Extracts exact installed versions (not semver ranges) from lock files, ensuring accuracy in vulnerability matching.
4. SBOM Generation - Outputs CycloneDX 1.5 and SPDX 2.3 formatted SBOMs with component metadata: name, version, license, supplier, package URL (purl), and SHA-256 hash.
5. License Analysis - Identifies component licenses (MIT, Apache-2.0, GPL, AGPL, proprietary) and flags license conflicts that may create legal risk.

7.2 YerraVulnScan - Dependency Vulnerability Scanner

Scans the SBOM against NVD, GitHub Advisory, OSV.dev, and vendor-specific databases. Reports CVE ID, CVSS score, affected/fixed versions, and reachability analysis indicating whether the vulnerable function is actually called. Unreachable vulnerable code is downgraded to Informational.

How vulnerability matching works

1. Each component's package URL (purl) is matched against known vulnerability records in NVD, GitHub Security Advisories, OSV.dev, and vendor databases.
2. Version comparison uses semantic versioning and version-range matching to determine if the installed version falls within the affected range.
3. Reachability analysis traces call graphs from the application's entry points to determine whether the vulnerable function in the dependency is actually invoked. Unreachable vulnerabilities are downgraded.
4. Fix availability is checked: if a patched version exists, the finding includes the minimum fixed version and upgrade instructions.

Example findings

Confirming exploitation

When a reachable vulnerability is identified, the AI orchestrator attempts exploitation: for log4j, a JNDI lookup payload is injected; for deserialization flaws, a gadget chain is constructed; for path traversal in dependencies, traversal payloads target the vulnerable code path. Confirmed exploitation elevates the finding and includes full evidence (request, response, extracted data).

8.1 YerraTFSec - Terraform Security Scanner (Priority 1)

Deep static analysis of Terraform code including module resolution, variable interpolation, and cross-resource relationship analysis. Identifies issues requiring understanding of resource relationships (e.g., a load balancer terminating TLS but forwarding unencrypted traffic to backends, or an IAM policy granting * permissions on sensitive resources).

What information is needed

• Path to Terraform root module directory (auto-detects *.tf and *.tf.json files)
• Optional: variable values file (terraform.tfvars) for accurate variable interpolation
• Optional: cloud provider context (AWS, Azure, GCP) for provider-specific rule sets

How the test works step-by-step

1. Module Resolution - Resolves module references (local, registry, Git) and builds the complete resource graph.
2. Variable Interpolation - Substitutes variable values to analyze actual configurations (e.g., a cidr_block variable set to 0.0.0.0/0 exposes a security group to the internet).
3. Cross-Resource Analysis - Traces relationships between resources: security groups attached to instances, IAM policies attached to roles, encryption keys referenced by storage buckets.
4. Rule Evaluation - Evaluates 350+ rules covering CIS Benchmarks (AWS, Azure, GCP), encryption at rest and in transit, network exposure, IAM least privilege, logging and monitoring, and data protection.
5. Severity Assignment - Each finding receives a severity based on the potential exposure: an S3 bucket with public ACL is Critical; a missing access log is Low.

Example findings

8.2 YerraIaCGuard - Multi-IaC Scanner (Priority 2)

Scans Terraform, CloudFormation, Azure ARM, Kubernetes manifests, Helm charts, and Dockerfiles against 500+ policies covering CIS benchmarks, AWS/Azure/GCP best practices, and regulatory compliance (PCI-DSS, HIPAA, SOC2). Unlike YerraTFSec which focuses on Terraform depth, YerraIaCGuard provides breadth across all IaC formats.

Supported IaC formats

Compliance mapping

Each finding maps to one or more compliance frameworks (PCI-DSS 4.0, HIPAA, SOC2, CIS Benchmarks, NIST 800-53), enabling teams to demonstrate compliance coverage during audit. The compliance report groups findings by framework and control ID.

9.1 YerraCloudScan - Multi-Cloud Scanner (Priority 1)

Multi-purpose security scanning: container images in ECR/ACR/GCR for CVEs, secret exposure, and misconfigured permissions. Also scans filesystem paths, Git repositories, and Kubernetes clusters. Outputs SARIF for CI/CD integration.

What information is needed

• Cloud provider credentials with read-only access (AWS IAM role, Azure service principal, GCP service account)
• Container image references (registry/repository:tag) for container scanning
• Kubernetes kubeconfig for cluster assessment
• Scope definition: which accounts, regions, and resource types to assess

How the test works step-by-step

1. Authentication - Connects to the cloud provider API using provided credentials with least-privilege read-only access.
2. Resource Enumeration - Discovers all resources across specified regions: compute instances, storage buckets, databases, load balancers, IAM entities, networking components.
3. Configuration Assessment - Each resource's configuration is evaluated against security rules: is encryption enabled? Are access policies restrictive? Is logging active? Are security groups least-privilege?
4. Container Image Scanning - Pulls and layers container images to identify OS packages, language dependencies, and embedded secrets. Each component is checked against NVD, vendor advisories, and the CISA KEV catalog.
5. Kubernetes Assessment - Evaluates cluster configuration: RBAC policies, network policies, pod security standards, secrets management, admission controllers, and runtime security.

Example findings

9.2 YerraCloudPosture - Cloud Network Analyzer (Priority 2)

Analyzes VPC/VNet configurations, security groups, NACLs, route tables, peering connections across AWS, Azure, and GCP. Identifies overly permissive rules, unused security groups, publicly accessible resources, and network segmentation issues. Builds a topology diagram showing lateral movement opportunities from any compromised resource to other reachable resources.

Lateral movement analysis

The cloud network analyzer maps reachability between all resources: which instances can communicate with the database tier? Can a compromised web server reach the management plane? Are there cross-VPC paths through peering or transit gateways? The resulting topology graph is included in the report and feeds into the overall attack graph, connecting cloud misconfigurations to potential exploitation paths.

10.1 YerraDASTOrch: DAST Orchestrator (Priority 1)

Coordinates all dynamic testing engines. Manages authentication state, session cookies, CSRF tokens. Covers OWASP Top 10 comprehensively through active crawling, payload injection, authentication testing, and API mode (OpenAPI/Swagger). Implements intelligent deduplication across engines.

What information is needed

• Target application URL
• Authentication credentials (username/password, bearer token, or recorded login sequence)
• API specification (OpenAPI/Swagger, GraphQL schema, or WSDL) for API mode
• Environment type: test/staging (full exploitation) or production (safe checks only)
• Exclusion patterns: URLs or parameters that should not be modified (logout, delete, payment)

How the test works step-by-step

1. Authenticated Crawling - Logs into the application using provided credentials, then crawls all accessible pages while maintaining session state. JavaScript rendering discovers SPA routes.
2. Attack Surface Mapping - Identifies all input vectors: URL parameters, form fields, JSON/XML bodies, HTTP headers, cookies, file upload fields, and WebSocket messages.
3. Payload Injection - For each input vector, injects category-specific payloads: SQL injection, XSS, command injection, path traversal, SSRF, XXE, SSTI, CRLF injection, open redirect. Each payload set includes WAF-bypass variants.
4. Response Analysis - Compares injected responses against baselines looking for: error messages (SQL errors, stack traces), reflected payloads in unsafe contexts, response timing differences (blind injection), new headers or status codes.
5. API Mode - Parses the API specification and tests every endpoint with every parameter type. Tests include: parameter type confusion, boundary values, missing required fields, extra fields (mass assignment), authentication bypass via parameter manipulation.
6. Deduplication - Consolidates identical vulnerabilities found across multiple endpoints into single findings with all affected URLs listed.

Example findings

10.2 YerraOOB - Out-of-Band Testing Engine (Priority 2)

Detects vulnerabilities with no in-band response: blind SSRF, blind XSS, blind XXE, blind RCE, DNS rebinding, email header injection. Generates unique callback URLs per test case, injects them into payloads, and monitors for interactions. Each interaction is correlated with the originating test and captured as evidence (source IP, request method, headers, body, timing).

How out-of-band detection works

1. Callback URL Generation - For each injection point, a unique callback URL is generated containing a correlation ID (e.g., xyz123.oob.phantomyerra.local). This URL is embedded in payloads for each vulnerability class.
2. Payload Injection - Payloads are injected that would cause the server to make an outbound connection: <!ENTITY xxe SYSTEM "http://xyz123.oob..."> for XXE, curl http://xyz123.oob... for RCE, URL parameters with the callback for SSRF.
3. Interaction Monitoring - The OOB server monitors for DNS lookups, HTTP/HTTPS requests, and SMTP connections to any generated callback URL. Each interaction is logged with timestamp, source IP, protocol, and full request details.
4. Correlation - When an interaction is received, the correlation ID maps it back to the specific injection point and payload type, confirming the vulnerability class and producing a confirmed finding with evidence.

OOB vulnerability classes

11.1 YerraPromptInject - Prompt Injection Tester

Tests LLM applications for prompt injection (OWASP LLM01): direct injection, indirect injection via external data sources, jailbreak techniques (DAN, roleplay, hypothetical framing, language switching, encoding tricks), system prompt extraction, and instruction hierarchy bypass. Generates thousands of variants per test.

What information is needed

• Target LLM application URL or API endpoint
• Authentication method (API key, OAuth, session cookie)
• Known system prompt context (optional; the engine attempts extraction regardless)
• Model identifier if known (helps select model-specific bypass techniques)

Injection categories tested

How to confirm exploitation

Injection is confirmed when the LLM produces output that violates its system instructions: executing unauthorized actions, revealing system prompts, generating restricted content, or accessing data outside its intended scope. Each confirmed injection includes the full conversation log as evidence.

11.2 YerraRAGProbe: RAG Pipeline Tester

Tests RAG pipelines for data poisoning, context manipulation, and information leakage (LLM03, LLM06). Verifies that document-grounded responses cannot be manipulated to return unauthorized data, that cross-user document isolation is enforced, and that adversarial documents cannot override system instructions through the retrieval context.

Test methodology

1. Knowledge Base Injection - Uploads documents containing prompt injection payloads and verifies whether the LLM executes them when those documents are retrieved.
2. Cross-User Leakage - Queries the RAG system with prompts designed to trigger retrieval of other users' private documents. Tests access control boundaries in the vector database.
3. Retrieval Manipulation - Crafts queries that manipulate the similarity search to return unexpected documents, bypassing intended retrieval boundaries.
4. Context Window Poisoning - Tests whether adversarial content in retrieved documents can override or conflict with system-level instructions.

11.3 YerraAgentHijack: AI Agent Security Tester

Tests AI agents for excessive agency (LLM08): tool abuse beyond intended scope, permission escalation through prompt manipulation, unvalidated tool outputs that enable injection chains, and multi-agent context isolation failures where one agent's context leaks to another.

Attack vectors tested

• Tool Scope Abuse - Prompts the agent to use tools in ways not intended (e.g., file system tool to read /etc/passwd, email tool to send to unauthorized recipients)
• Permission Escalation - Attempts to convince the agent it has higher privileges than granted, bypassing tool restrictions
• Output Injection - Tests whether tool outputs (which may contain attacker-controlled data) are processed unsafely by the agent
• Multi-Agent Isolation - In multi-agent systems, tests whether one agent's conversation can influence another's behavior

11.4 YerraLLMFuzz: LLM Fuzzer

Fuzz testing against LLM endpoints: malformed inputs, boundary cases, token limits, unicode edge cases, multi-turn context overflow, concurrent request handling, and safety filter bypass. Identifies edge cases that cause unexpected behavior including model crashes, infinite loops, and safety bypass conditions.

Fuzzing strategies

• Token Boundary - Sends inputs at exact token limits to test truncation handling
• Unicode Abuse - Right-to-left override characters, zero-width joiners, homoglyphs, combining characters
• Context Overflow - Multi-turn conversations that exceed the context window to test memory management
• Concurrent Requests - Parallel requests to test session isolation and race conditions in stateful LLM applications
• Format Confusion - Mixing JSON, XML, markdown, and code blocks in unexpected ways

11.5 YerraAISec - Full AI Security Suite

Full LLM vulnerability scanner covering all OWASP LLM Top 10 with structured test suites. Runs systematic test campaigns against each category with hundreds of test cases per category, providing a complete compliance scorecard.

OWASP LLM Top 10 coverage

12.1 YerraOTProtocol: OT Protocol Scanner (Priority 1)

Coordinates scanning across Modbus TCP/RTU, S7Comm, EtherNet/IP, DNP3, OPC UA, BACnet, PROFINET, and HART. Safety-first approach: passive protocol identification, then read-only queries, with active probing only if explicitly authorized.

What information is needed

• Target IP range or specific device addresses
• Protocol identification (if known; otherwise, auto-detection is used)
• Safety authorization level: passive only, read-only active, or full active (write operations)
• Network topology documentation (optional; helps identify IT/OT boundary points)

How the test works step-by-step

1. Protocol Fingerprinting - Passively monitors network traffic to identify which industrial protocols are in use, without sending any packets.
2. Device Discovery - Sends protocol-specific discovery packets (Modbus device identification, S7Comm CPU identification, OPC UA discovery) to enumerate all reachable devices.
3. Read-Only Assessment - Queries device configuration, firmware version, CPU state, module inventory, and running programs using read-only protocol operations.
4. Authentication Testing - Tests whether devices accept unauthenticated connections for read and write operations. Most legacy protocols (Modbus, S7Comm) lack authentication entirely.
5. Network Segmentation Verification - Tests whether IT/OT boundaries are properly enforced: can an IT network host reach OT devices? Are engineering workstations properly segmented?

Example findings

12.2 YerraModbus - Modbus Protocol Tester (Priority 2)

Tests Modbus implementations: device identification (Function Code 43/14), register enumeration (holding, input, coils, discrete), unauthenticated write testing, function code fuzzing, broadcast response testing. Modbus, designed in 1979, lacks built-in authentication, encryption, or integrity checking - any device with network access to a Modbus endpoint can read and write all registers, potentially controlling physical equipment.

Register enumeration methodology

The engine systematically reads all register ranges: holding registers (40001-49999), input registers (30001-39999), coils (00001-09999), and discrete inputs (10001-19999). Register values are analyzed for patterns: temperature sensors, pressure readings, motor speeds, valve positions, setpoints, and alarm thresholds. Undocumented registers are flagged for manual review.

12.3 YerraOTScan: OT Scan Orchestrator (Priority 3)

Full OT assessment: PLC identification (Siemens S7, Allen-Bradley, Schneider, Mitsubishi), CPU type/firmware extraction, default password testing, network topology mapping, IT/OT convergence analysis, HMI web interface testing. Compliance mapping to IEC 62443, NERC CIP, and NIST 800-82 standards.

IEC 62443 compliance mapping

Every OT finding maps to the applicable IEC 62443 security level requirement, enabling organizations to assess their current security level (SL-1 through SL-4) and identify gaps required to reach their target security level. Findings also map to NERC CIP requirements for power grid operators and NIST 800-82 for general ICS environments.

13.1 YerraIoTOrch - IoT Orchestrator (Priority 1-2)

Coordinates all IoT scanners including firmware analysis, network scanning, and wireless protocol testing. Maps the complete IoT deployment: devices, protocols, cloud connections, and data flows. Identifies default credentials, unencrypted communications, outdated firmware, and exposed management interfaces.

What information is needed

• Target device IP addresses or network range
• Firmware images (if available for offline analysis)
• Device documentation (optional; helps identify expected services and protocols)
• Wireless adapter presence (required for BLE and Zigbee testing)

How the test works step-by-step

1. Device Discovery - Scans the network for IoT devices using protocol-specific probes (mDNS, SSDP/UPnP, SNMP, Bonjour, ARP) and fingerprints device types.
2. Service Enumeration - Maps exposed services: web interfaces, SSH/Telnet, MQTT, CoAP, custom TCP/UDP services. Each service is tested for default credentials and known vulnerabilities.
3. Firmware Analysis - Extracts and analyzes firmware for hardcoded credentials, backdoors, outdated libraries, and insecure configurations (see Section 15).
4. Communication Analysis - Captures and analyzes device-to-cloud and device-to-device traffic for unencrypted data transmission, authentication weaknesses, and data leakage.
5. Update Mechanism Testing - Tests OTA (over-the-air) update mechanisms for: unsigned firmware acceptance, rollback attacks, downgrade attacks, and man-in-the-middle update interception.

13.2 YerraBinaryDiff - Binary Differential Engine (Priority 4)

Compares firmware versions (pre-patch vs post-patch) to identify exactly which functions were modified, what vulnerability was fixed, and how to craft exploits for unpatched devices. Uses function-level hashing and control flow graph comparison to isolate security-relevant changes from unrelated code updates.

13.3 YerraUART: UART/Serial Interface Tester (Priority 5)

Tests UART serial interfaces: auto-detects baud rate (common: 9600, 19200, 38400, 57600, 115200), connects to serial console, identifies the environment (Linux shell, U-Boot bootloader, custom firmware CLI), and tests for authentication bypass. Many embedded devices expose an unauthenticated root shell via UART, providing complete device control.

Exploitation methodology

Once a UART console is accessed: (1) identify the operating system, (2) extract filesystem contents (/etc/shadow, configuration files, SSL keys), (3) dump flash memory, (4) modify boot parameters to gain root access, (5) establish persistent backdoor for remote access testing.

13.4 YerraJTAG: JTAG Debug Interface Tester (Priority 6)

Tests JTAG debug interfaces: identifies active pins on test points, detects TAP controller state machine, reads device ID registers (IDCODE), and extracts firmware from flash memory. An exposed JTAG port provides full processor control including reading/writing memory, single-stepping execution, setting breakpoints, and complete firmware extraction even when readout protection is not enabled.

13.5 YerraCoAP - CoAP Protocol Tester

Tests CoAP (Constrained Application Protocol) implementations: resource discovery via /.well-known/core, access control testing on each resource, DTLS implementation verification for transport security, observe notification subscription without authorization, and message fuzzing for buffer overflows and parsing vulnerabilities in the lightweight protocol stack.

13.6 YerraMQTT: MQTT Broker Tester

Tests MQTT brokers comprehensively: anonymous access, wildcard topic subscription (#), message injection to control topics, TLS configuration verification, ACL bypass attempts, retained message exploitation, and DoS resilience testing.

Common IoT attack chain via MQTT

1. Connect to MQTT broker anonymously (no authentication required).
2. Subscribe to # (all topics) to observe all device communications.
3. Identify control topics (e.g., home/thermostat/set, factory/valve/control).
4. Publish commands to control topics to manipulate physical devices.
5. Capture credentials and tokens transmitted in MQTT messages.

13.7 YerraBLE & YerraZigbee - Wireless IoT Scanners

BLE (Bluetooth Low Energy): Discovers BLE devices, enumerates services and characteristics (GATT profile), tests pairing mechanisms (Just Works, Passkey, Numeric Comparison), checks for unencrypted characteristics that expose sensitive data, and tests for BLE relay attacks. Zigbee: Captures Zigbee packets, decrypts traffic using known trust center keys (many devices use the well-known ZigbeeAlliance09 key), identifies all network devices, tests replay attacks on command frames, attempts network key extraction, and tests coordinator spoofing to take control of the network.

14.1 YerraADB - Android Debug Bridge Tester

Interfaces with Android devices for package extraction, application data dump, filesystem access, process analysis, and logcat monitoring for sensitive data leakage. Checks for debugging enabled, backup allowed, insecure exported components, and world-readable files in the application's sandbox.

What information is needed

• Android device or emulator with USB debugging enabled
• Target application package name (e.g., com.example.app)
• Root access preferred (but not required for many tests)

How the test works step-by-step

1. Package Extraction - Pulls the installed APK from the device for static analysis, including split APKs for app bundles.
2. Manifest Analysis - Parses AndroidManifest.xml for: debuggable flag, backup flag, exported components, custom permissions, minimum SDK (targeting old Android versions reduces security).
3. Data Storage Review - Examines shared preferences, SQLite databases, internal/external storage for sensitive data stored in plaintext: credentials, tokens, PII, encryption keys.
4. Logcat Monitoring - Captures application logs during runtime looking for leaked credentials, API keys, session tokens, and PII in log output.
5. Component Testing - Tests exported activities (can they be launched directly?), content providers (SQL injection, path traversal), broadcast receivers (intent injection), and services (unauthorized access).

14.2 YerraMITM - Mobile Traffic Interceptor

SSL/TLS interception with certificate pinning bypass. Captures and modifies all HTTP/HTTPS traffic between the mobile app and its backend servers. Detects: tokens transmitted in plaintext or URL parameters, unauthenticated API endpoints, PII sent without encryption, debug endpoints accessible in production builds, and hardcoded API keys in request headers.

Certificate pinning bypass

Applications that implement certificate pinning resist standard proxy interception. YerraMITM uses Frida scripts to hook into the SSL/TLS validation functions at runtime, disabling pinning checks while preserving all other TLS behavior. This works on both Android (OkHttp, Conscrypt, standard Java SSL) and iOS (NSURLSession, ATS, AFNetworking) pinning implementations.

14.3 YerraDrozer - Android Component Analyzer

Deep analysis of Android application components: Activities, Services, Content Providers, and Broadcast Receivers. Tests exported component abuse, intent injection, SQL injection in content providers, path traversal in file providers, and IPC security issues. Discovers the full application attack surface including undocumented components.

14.4 YerraFrida - Dynamic Instrumentation

Runtime instrumentation for both Android and iOS applications. Capabilities include: bypass root/jailbreak detection, disable certificate pinning, intercept cryptographic operations (capture keys and plaintext), trace API calls, modify function return values, dump decrypted network traffic, and hook into authentication functions to extract credentials.

Common Frida use cases in assessments

• Bypassing biometric authentication by hooking the authentication callback to always return success
• Extracting encryption keys from memory during runtime
• Modifying security checks (root detection, debugger detection, emulator detection) to enable testing on rooted/jailbroken devices
• Tracing all network API calls to identify undocumented endpoints

14.5 YerraiOSStatic / YerraiOSDynamic - iOS Analysis

Static Analysis: IPA binary inspection including Info.plist settings, entitlements, App Transport Security (ATS) exceptions, insecure URL schemes, hardcoded credentials, weak cryptographic usage, and debuggable builds. Checks for PIE (Position Independent Executable), stack canaries, and ARC (Automatic Reference Counting). Dynamic Analysis: Runtime analysis on jailbroken devices covering filesystem monitoring (Keychain access, plist files), network communications, clipboard usage, keyboard caching, screenshot caching, and pasteboard data leakage.

14.6 YerraMobSF - Mobile Security Framework

All-in-one mobile assessment combining static analysis (decompilation, manifest review, code pattern scanning), dynamic analysis (runtime monitoring, API fuzzing, traffic capture), and malware behavior analysis for both APK/AAB and IPA formats. Produces a full security scorecard mapped to the OWASP Mobile Top 10 (2024), with each finding including the specific MSTG (Mobile Security Testing Guide) test case reference.

OWASP Mobile Top 10 coverage

15.1 YerraCVEBin - Binary CVE Checker

Scans firmware images to identify embedded software components (OpenSSL, BusyBox, curl, zlib, glibc, dnsmasq, lighttpd, and hundreds more) by version strings and binary patterns, then cross-references each component against the NVD for known CVEs.

How it works

1. Binary Pattern Matching - Scans the firmware image for version strings embedded in binaries (e.g., OpenSSL 1.0.1e, BusyBox v1.26.2) using a database of known version string patterns.
2. CPE Mapping - Maps identified components to CPE (Common Platform Enumeration) identifiers for accurate NVD lookup.
3. CVE Cross-Reference - Queries the NVD for all CVEs affecting each identified component version, including CVSS scores and exploit availability.
4. Exploitability Assessment - For each CVE, checks ExploitDB and GitHub for public exploit code. Available exploits are flagged for potential validation.

15.2 YerraEMBA - Firmware Extraction & Analysis

Full firmware analysis: extraction (binwalk, unsquashfs, ubi_reader, jefferson for JFFS2, and 100+ additional formats), filesystem mapping, binary analysis (hardcoded passwords, unsafe C functions like strcpy/sprintf, static keys), CVE matching against all identified components, configuration review, and secret discovery across all extracted files.

What information is needed

• Firmware image file (binary blob, update package, or extracted flash dump)
• Device model and manufacturer (optional; aids in identification)
• Expected filesystem type if known (squashfs, cramfs, JFFS2, UBIFS, ext4)

Extraction methodology

The engine recursively extracts nested archives and filesystems: an update package may contain a compressed image that contains a squashfs filesystem that contains gzipped configuration files. Each layer is extracted and analyzed until no more nested content remains. The final output is a complete directory tree of all files in the firmware.

15.3 YerraFirmwalker - Firmware Secret Scanner

Scans extracted firmware filesystems for: /etc/shadow password hashes, SSH host keys and authorized keys, SSL/TLS certificates and private keys, database files (SQLite, BDB), configuration files containing credentials, scripts with hardcoded passwords, .htpasswd files, and any file containing patterns matching API keys, tokens, or connection strings.

Example findings

15.4 YerraGhidra - Firmware Decompiler

Decompiles firmware binaries across multiple architectures (ARM, MIPS, x86, x86_64, PowerPC, AArch64) to C-like pseudocode. Automated analysis identifies: authentication bypass logic (hardcoded credential comparisons), backdoor accounts (hidden username/password checks), hardcoded encryption keys, and exploitable memory corruption patterns (buffer overflows, format string vulnerabilities, use-after-free conditions).

AI-assisted binary analysis

The AI orchestrator reviews decompiled code from Ghidra, identifying suspicious patterns that automated rules may miss: custom authentication schemes with logic flaws, cryptographic implementations with key reuse or weak initialization vectors, command injection in CGI handlers, and intentional backdoors disguised as debug interfaces.

16.1 YerraAngr - Symbolic Execution

Explores all execution paths through a binary using constraint solving to discover: crash-triggering inputs, authentication bypass inputs, buffer overflow conditions, and path constraints that lead to privileged code sections. Supports x86, x86_64, ARM, MIPS, and PowerPC architectures.

What information is needed

• Target binary file (ELF, PE, Mach-O)
• Entry point or specific function to analyze (optional; defaults to main)
• Known good/bad program states to guide analysis (optional)

How symbolic execution works

1. State Initialization - Creates a symbolic state where inputs are represented as symbolic variables rather than concrete values.
2. Path Exploration - Executes the binary symbolically, forking at each branch condition to explore both paths. Each path accumulates constraints on the symbolic inputs.
3. Constraint Solving - When a target state is reached (crash, authentication success, privileged function), the constraint solver (Z3) produces concrete input values that trigger that path.
4. Vulnerability Confirmation - Generated inputs are tested against the actual binary to confirm the vulnerability. Crash inputs are classified by vulnerability type (stack overflow, heap overflow, format string, null dereference).

16.2 YerraDisasm - Interactive Disassembler

Deep reverse engineering: disassembly, decompilation to C-like pseudocode, function identification, cross-reference resolution, and data type annotation. The AI analyzes decompiled code for authentication bypass conditions, cryptographic weaknesses, backdoor logic, and unsafe memory operations.

AI-directed analysis workflow

The AI orchestrator identifies high-value analysis targets: functions containing string comparisons (potential hardcoded credentials), functions calling cryptographic APIs (potential weak crypto), functions accepting network input (potential injection points), and functions with privilege-changing system calls (potential escalation paths). Each identified target receives focused manual-equivalent analysis.

16.3 YerraCutter - Binary Analysis Platform

Visual binary analysis providing: control flow graphs (visualizing function logic), call graphs (showing which functions call which), hex viewing and editing, Python scripting for custom analysis, CPU emulation for tracing execution, and YARA rule creation for malware detection. Particularly useful for analyzing obfuscated binaries where the visual control flow graph reveals the true logic despite obfuscation attempts.

16.4 YerraDebug - x64 Debugger

Dynamic binary analysis on Windows: hardware and software breakpoints, execution tracing, memory read/write monitoring, register modification, and runtime behavior analysis. Used for: exploit development (finding exact crash offset, ROP gadget testing), obfuscated code analysis (watching runtime unpacking), anti-debugging technique identification and bypass, and runtime decryption capture (breaking on CryptDecrypt to capture plaintext).

17.1 YerraWiFi - Wireless Network Auditor

Full WiFi security assessment covering discovery, authentication attacks, and client-side exploitation.

What information is needed

• Wireless network adapter capable of monitor mode and packet injection
• Target network SSID and/or BSSID (or all networks in range for broad assessment)
• Physical proximity to the target network

Assessment methodology

1. Discovery - Monitor mode captures all beacon frames within range, identifying SSIDs, BSSIDs, encryption types, channels, client associations, and hidden networks.
2. WPA/WPA2 Assessment - Captures the 4-way handshake (via deauthentication or passive wait) or extracts PMKID from the first EAPOL frame. Captured material is tested against wordlists and rules.
3. WPA3 Assessment - Tests for Dragonblood vulnerabilities (CVE-2019-9494/9496), downgrade attacks from WPA3 to WPA2, side-channel attacks on the SAE handshake.
4. WEP Cracking: ARP replay attack to generate IVs, then FMS/PTW statistical attack for key recovery. WEP is broken regardless of key length.
5. Evil Twin - Creates a rogue access point mimicking the target network to capture credentials from connecting clients.
6. Client-Side Attacks - Exploits probe request leakage (devices broadcasting previously connected SSIDs) and KARMA attacks (responding to all probe requests to lure client connections).

Example findings

17.2 YerraNetAttack - Network Attack Framework

Man-in-the-middle attack framework for local network exploitation: ARP spoofing to intercept traffic, DNS spoofing to redirect connections, HTTPS downgrade (SSLStrip) to capture plaintext credentials, credential sniffing on HTTP/FTP/SMTP/POP3, WiFi deauthentication for denial-of-service and handshake capture, and BLE device reconnaissance. Demonstrates the impact of network-level access gained through wireless compromise.

18.1 YerraWordlistGen - Custom Wordlist Generator

Generates target-specific wordlists by crawling organization websites to extract: company name variations, product names, employee names, location names, and industry terms. Applies full mutation rules: capitalization patterns, number appending (1-9999), special character substitution, year patterns (2020-2026), leet speak conversion, and keyboard pattern generation.

Wordlist generation strategy

1. Base Word Collection - Crawls the organization's website extracting all unique words, names, and terms.
2. OSINT Enrichment - Adds employee names from LinkedIn/public sources, office locations, product/service names.
3. Mutation Rules - Applies password creation patterns observed in real breach datasets: Company2024!, P@ssw0rd, Summer2025#.
4. Output Tiers - Quick (100K entries, ~5 minutes cracking), thorough (10M entries, ~2 hours), exhaustive (100M+ entries, ~24 hours).

18.2 YerraCrack - Password Cracker

Offline password cracking supporting hundreds of hash formats: NTLM, NTLMv2, Kerberos TGS (TGS-REP, AS-REP), WPA/WPA2, bcrypt, scrypt, Argon2, SHA-256/512, MD5, MSSQL, Oracle, MySQL, PostgreSQL, and application-specific formats (WordPress, Drupal, phpBB, Joomla).

Attack modes

Example findings

19.1 YerraPhish - Phishing & Credential Harvesting

Authorized phishing simulations using reverse-proxy technology. Acts as a transparent proxy between the victim and the real authentication page, capturing credentials and session tokens including MFA tokens (TOTP, push notifications, WebAuthn where supported). Pre-built phishlet templates for Microsoft 365, Google Workspace, Okta, and Duo.

What information is needed

• Signed authorization letter specifying target employee list and campaign scope
• Domain for the phishing landing page (similar to target organization's domain)
• Target authentication platform (Microsoft 365, Google, Okta, custom)
• Campaign parameters: duration, email template, landing page design

How the campaign works

1. Phishlet Configuration - A phishlet (reverse-proxy configuration) is prepared for the target authentication provider. Custom phishlets can be created for any web application.
2. Domain Setup - The phishing domain receives a valid TLS certificate. The reverse proxy is configured to transparently forward traffic to the real authentication server.
3. Email Delivery - Phishing emails are sent to the target list with crafted pretexts (password reset, document share, security alert). Email headers mimic legitimate sender patterns.
4. Credential Capture - When a target visits the phishing page, they see the real login page. Credentials are captured as they flow through the proxy. MFA tokens are also captured in real time.
5. Campaign Tracking - Metrics are recorded: emails sent, emails opened, links clicked, credentials entered, MFA completed, sessions captured. Each metric is time-stamped per recipient.

Campaign results

20.1 YerraC2 - Command & Control Framework

Full C2 capabilities for authorized red team engagements. Implant generation supports Windows, Linux, and macOS with multiple communication protocols (mTLS, WireGuard, HTTP/S, DNS tunneling).

Post-exploitation capabilities

MITRE ATT&CK mapping

Every post-exploitation action maps to the corresponding MITRE ATT&CK technique ID (e.g., T1055 Process Injection, T1003 Credential Dumping, T1021 Lateral Movement). The red team report includes a full ATT&CK navigator heatmap showing which techniques were successfully executed during the engagement.

21.1 YerraBrowserExploit - Browser Exploitation Framework

Hooks browsers via XSS or social engineering, then executes post-exploitation modules in the victim's browser context.

Post-hook capabilities

• Fingerprinting - Browser type/version, installed plugins, screen resolution, timezone, WebGL renderer, canvas fingerprint
• Internal Scanning - Port scan the internal network from the victim's browser perspective using WebSocket connections, discovering services invisible from the external network
• Credential Capture - Inject fake login dialogs, capture form submissions, access stored passwords through browser APIs
• Session Hijacking - Extract cookies, session tokens, and LocalStorage/SessionStorage data
• Keystroke Capture - Log all keystrokes in the hooked browser tab
• Persistent Access - Maintain hook across page navigation using iframe injection or service worker registration
• Phishing Redirect - Redirect to a credential harvesting page designed to match the victim's current context

AI attack chain integration

The AI orchestrator automatically chains XSS findings into browser exploitation: a stored XSS on a user profile page triggers browser hooking, which then executes internal network scanning, revealing previously unknown internal services that become new targets in the attack graph.

22.1 YerraSecretsScan - Secrets Detection Engine

Scans source code repositories including the entire Git history, all branches, and all tags. Detects: AWS key pairs, GCP service account JSON, Azure connection strings, GitHub/GitLab tokens, Slack/Discord webhooks, database connection strings, JWT signing secrets, private keys (RSA, EC, SSH), SMTP credentials, and SaaS API keys (Stripe, Twilio, SendGrid). Each detected secret is automatically tested for liveness - active secrets are Critical, revoked secrets are Informational.

What information is needed

• Git repository path (local clone) or remote URL with access credentials
• Scan scope: current HEAD only, specific branch, or full history (all commits, all branches)
• Custom regex patterns for organization-specific secret formats (optional)

How the scan works step-by-step

1. History Traversal - Walks every commit in the repository's history, examining each diff for patterns matching known secret formats.
2. Pattern Matching - Applies 700+ regex patterns covering cloud providers, SaaS services, databases, messaging platforms, and generic high-entropy strings.
3. Entropy Analysis - Identifies high-entropy strings that may be secrets even without matching a known pattern. Shannon entropy above threshold triggers manual review.
4. Liveness Testing - For each detected secret: attempts a non-destructive API call to verify if the credential is still active. AWS keys are tested with sts:GetCallerIdentity; GitHub tokens with /user; Stripe keys with a read-only call.
5. Finding Classification - Active secrets are classified Critical with immediate remediation. Revoked secrets are classified Informational with rotation confirmation. Secrets in old commits that never reached production are classified Low.

Example findings

23.1 YerraAutomotive - Vehicle Security Suite

CAN Bus Testing (CanUtilsAdapter)

Captures CAN bus traffic to decode message identifiers, arbitration IDs, and payload structures. Tests include: message replay attacks (replaying captured door unlock messages), CAN injection (sending crafted messages to control vehicle functions), bus-off attacks (forcing an ECU off the bus through error frame flooding), and anomaly detection to identify ECUs communicating outside expected patterns.

UDS Diagnostics (UDSimAdapter)

Tests Unified Diagnostic Services (ISO 14229): unauthorized diagnostic session access (default security seeds, brute-force seed/key), DTC read/clear without authorization, memory read/write via diagnostic services, ECU identification and firmware version extraction, and unauthorized firmware update via UDS TransferData service.

OBD-II Testing (OBD2Adapter)

Data extraction via the OBD-II diagnostic port: VIN retrieval, sensor data (speed, RPM, fuel, temperatures), ECU enumeration, and CAN injection through the diagnostic connector. The OBD-II port provides physical access to the vehicle's CAN bus network.

V2X Communications (V2XScannerAdapter)

Tests Vehicle-to-Everything (V2X) communications: Basic Safety Message (BSM) spoofing, GPS position manipulation, certificate validation testing, privacy leakage analysis (tracking vehicles via BSM data), and denial-of-service through message flooding.

Telematics API (TCUAPIAdapter)

Tests vehicle cloud APIs: authentication bypass, unauthorized vehicle commands (lock/unlock, start/stop engine, location tracking, geofence modification), session hijacking between vehicles and mobile apps, and firmware update manipulation.

Example findings

24.1 YerraMedDevice - Medical Device Scanner

Identifies and assesses medical devices across the network: infusion pumps, patient monitors, imaging systems (CT, MRI, X-ray), lab instruments, clinical workstations, and pharmacy automation systems.

Assessment methodology

1. Device Discovery - Identifies medical devices through protocol fingerprinting (HL7, DICOM, FHIR, proprietary), banner analysis, and MAC address OUI lookup against medical device manufacturer databases.
2. Credential Testing - Tests for default credentials documented in FDA advisories, ICS-CERT bulletins, and manufacturer documentation. Common: admin/admin, service/service, manufacturer-specific defaults.
3. OS Assessment - Identifies the underlying operating system (many devices run Windows XP/7 Embedded, outdated Linux kernels) and checks for unpatched CVEs.
4. Communication Security - Verifies that device-to-server and device-to-device communications use encryption. Many medical devices transmit patient data in plaintext over HL7v2 or unencrypted DICOM.
5. Network Segmentation - Verifies that medical devices are properly segmented from general IT networks and guest WiFi, per FDA guidance and HIPAA technical safeguards.

24.2 YerraFHIR: FHIR API Tester

Tests HL7 FHIR (Fast Healthcare Interoperability Resources) APIs for security vulnerabilities. Covers: SMART on FHIR authentication and authorization (OAuth 2.0 scopes), patient data access control (can one patient access another's records?), bulk data export security (who can trigger bulk exports?), search parameter injection, and FHIR-specific resource access control violations. Verifies HIPAA Security Rule compliance for API-based PHI access.

Access control testing

Tests whether the FHIR API properly enforces patient compartment boundaries: User A should only access their own Patient, Observation, MedicationRequest, and related resources. The engine systematically attempts to access other patients' resources by manipulating resource IDs, search parameters, and _include/_revinclude references.

24.3 YerraDICOM: DICOM Protocol Tester

Tests DICOM (Digital Imaging and Communications in Medicine) services for security weaknesses. DICOM is the standard protocol for medical imaging, and many PACS (Picture Archiving and Communication System) implementations lack authentication.

DICOM service operations tested

HIPAA implications

Unauthenticated DICOM access exposes Protected Health Information (PHI) including patient names, dates of birth, medical record numbers, and diagnostic images. This constitutes a HIPAA breach requiring notification. Every DICOM finding includes the HIPAA Security Rule control reference (164.312) for compliance reporting.

25.1 YerraRobotics - Robotics Security Suite

DDS Testing (DDSScannerAdapter)

Tests Data Distribution Service (DDS) middleware used by ROS2 and many industrial systems: discovers DDS domains and topics, tests for unencrypted topic data, attempts unauthenticated publish/subscribe operations, enumerates domain IDs to discover all DDS networks on the segment, and tests control topic injection to send unauthorized commands to robot actuators.

OPC UA Testing (OPCUAAdapter)

Tests OPC UA (Unified Architecture) servers used in industrial automation: anonymous access testing, security mode enforcement verification (None vs Sign vs SignAndEncrypt), certificate validation testing, method execution authorization (can an unauthenticated client call control methods?), and node browsing to map the entire object hierarchy including robot configuration, programs, and I/O points.

ROS Testing (ROSPenToAdapter)

Tests Robot Operating System (ROS/ROS2) deployments: unauthenticated topic subscription (eavesdropping on sensor data, camera feeds, position data), service command injection (calling robot services to execute movements), parameter manipulation (changing safety limits, speed boundaries, workspace definitions), and unauthorized robot program upload/execution.

Web Controller Testing (RobotWebControllerAdapter)

Tests robot web management interfaces for ABB, KUKA, Fanuc, Universal Robots, and other manufacturers: default credential testing (common: admin/admin, User/User, operator/kuka), unauthenticated access to teach pendant interfaces, command injection in web interface parameters, and unauthorized program upload/download through the web interface.

Example findings