{"id":47724191,"url":"https://github.com/nox-project/nox-framework","last_synced_at":"2026-04-15T12:01:34.736Z","repository":{"id":350668042,"uuid":"1203636982","full_name":"nox-project/nox-framework","owner":"nox-project","description":"High-performance OSINT/CTI framework for automated identity pivoting and risk analysis across 120+ sources.","archived":false,"fork":false,"pushed_at":"2026-04-13T08:59:08.000Z","size":282,"stargazers_count":122,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-13T10:36:17.005Z","etag":null,"topics":["aiohttp","asyncio","automation","bug-bounty","cybersecurity","data-breach","footprinting","framework","infosec","investigative-tool","osint","penetration-testing","python","reconnaissance","red-team","threat-intelligence"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nox-project.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-07T08:17:10.000Z","updated_at":"2026-04-13T08:59:07.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/nox-project/nox-framework","commit_stats":null,"previous_names":["nox-project/nox-framework"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/nox-project/nox-framework","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nox-project%2Fnox-framework","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nox-project%2Fnox-framework/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nox-project%2Fnox-framework/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nox-project%2Fnox-framework/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nox-project","download_url":"https://codeload.github.com/nox-project/nox-framework/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nox-project%2Fnox-framework/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31840113,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-15T11:29:19.690Z","status":"ssl_error","status_checked_at":"2026-04-15T11:29:19.171Z","response_time":63,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aiohttp","asyncio","automation","bug-bounty","cybersecurity","data-breach","footprinting","framework","infosec","investigative-tool","osint","penetration-testing","python","reconnaissance","red-team","threat-intelligence"],"created_at":"2026-04-02T20:04:23.051Z","updated_at":"2026-04-15T12:01:34.701Z","avatar_url":"https://github.com/nox-project.png","language":"Python","readme":"\u003cdiv align=\"center\"\u003e\n\n```\n    ███╗   ██╗ ██████╗ ██╗  ██╗\n    ████╗  ██║██╔═══██╗╚██╗██╔╝\n    ██╔██╗ ██║██║   ██║ ╚███╔╝\n    ██║╚██╗██║██║   ██║ ██╔██╗\n    ██║ ╚████║╚██████╔╝██╔╝ ██╗\n    ╚═╝  ╚═══╝ ╚═════╝ ╚═╝  ╚═╝\n```\n\n**Cyber Threat Intelligence Framework**\n\n[![Status](https://img.shields.io/badge/Status-v1.0.0-success)](https://github.com/nox-project/nox-framework/releases/tag/v1.0.0)\n[![Python](https://img.shields.io/badge/Python-3.8%2B-blue?logo=python\u0026logoColor=white)](https://www.python.org/)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE.txt)\n[![Kali Linux](https://img.shields.io/badge/Kali%20Linux-Ready-557C94?logo=kalilinux\u0026logoColor=white)](https://www.kali.org/)\n[![Platform](https://img.shields.io/badge/Platform-Linux%20%7C%20macOS%20%7C%20Windows-lightgrey)](https://github.com/nox-project/nox-framework)\n[![Sources](https://img.shields.io/badge/Sources-124-red)](https://github.com/nox-project/nox-framework)\n\n*OSINT framework for red teaming, digital forensics, and corporate exposure analysis.*\n\n\u003c/div\u003e\n\n---\n\n## Introduction\n\nNOX is a purpose-built cyber threat intelligence engine designed for operators who require speed, operational security, and depth in a single cohesive framework. It is not a wrapper around existing tools — it is a fully async, plugin-driven intelligence platform with a strict separation between execution logic and source definitions.\n\n| Capability | Detail |\n|-|-|\n| ⚡ **Async Execution Engine** | Massively parallel scanning across 124 intelligence feeds with no sequential bottlenecks and no blocking I/O. |\n| 🛡️ **Guardian Engine** | Integrated OPSEC layer with automatic proxy rotation and SOCKS5 support. Fail-safe kill-switch halts all traffic if the transport circuit is unavailable. |\n| 🧠 **Risk Scoring** | Dynamic 0–100 scoring with time-decay, source confidence weighting, password complexity analysis, persistence multipliers, and HVT detection. |\n| 🔗 **Recursive Avalanche Engine** | Every discovered asset — username, email, cracked password, phone — is automatically re-injected as a new scan seed. Per-asset pipeline runs sequentially (breach → crack → dork → scrape); child assets run concurrently. Identifiers from all four phases feed the pivot queue. Global deduplication and configurable depth cap prevent runaway recursion. |\n| 🔍 **Autoscan** | Single command triggers breach scan + recursive pivot + dorking + paste scraping — fully automated, no manual chaining. |\n\n---\n\n## Features\n\n| Feature | Description |\n|-|-|\n| **124 JSON Plugin Sources** | Every intelligence source is a JSON plugin. The execution engine contains zero hardcoded source logic. |\n| **Async Core** | Full `asyncio` event loop with JA3 fingerprinting, SSL session management, per-request jitter, and configurable concurrency. |\n| **Autoscan Pipeline** | `--autoscan` triggers: breach scan → recursive pivot → Google/Bing/DDG dorking → paste/Telegram scraping — all in one command. |\n| **Recursive Avalanche Engine** | Every identifier discovered — from breach records, dork hits, or scraped paste/Telegram content — is re-injected as a new seed. Per-asset pipeline is sequential (breach → crack → dork → scrape); child assets run concurrently via `asyncio.gather`. A global `seen_assets` set prevents infinite loops. Concurrency and depth are fully configurable at runtime via `--threads` and `--depth`. |\n| **Hash Pivoting** | Hashes found in breach data are automatically identified (MD5/SHA1/SHA256/NTLM/bcrypt) and cracked via concurrent background API queries. Cracked plaintexts are injected into the pivot queue as password-recycling seeds. Failures are logged silently — the scan never stops. |\n| **Guardian Proxy Engine** | Zero-config OPSEC layer: reads `proxies.txt` if present; otherwise auto-fetches and validates a high-anonymity proxy pool in-memory. Full SOCKS5/HTTP/S and Tor support. |\n| **API Key Rotation** | `api_key_slots` per source — NOX round-robins across multiple keys to bypass per-key rate limits. |\n| **Identity Graphing** | Union-Find correlation engine unifies breach records into identity clusters across all sources, using type-aware pivot classification. |\n| **Enterprise Forensic Reports** | Professional PDF/HTML/JSON/CSV/Markdown reports with Executive Summary dashboard (Total Time, Nodes Discovered, Cleartext Passwords, Pivot Depth), interactive Pivot Chain Visualization, and strict data sanitization — no technical noise in output. JSON exports are self-describing with a full metadata block. |\n| **HVT Detection** | Auto-flags C-level, Admin, DevOps, and government domain accounts as High-Value Targets. |\n| **Dorking Engine** | Passive document discovery via Google/Bing/DDG dorks with PDF/Office metadata extraction. |\n| **Scraping Engine** | Paste site indexing, Telegram CTI channel monitoring, credential extraction, and misconfiguration discovery. Each autoscan asset gets a dedicated scrape session — no shared state. |\n| **Proxy / Tor** | SOCKS5, HTTP/S proxy, full Tor routing via `stem`, and automatic Guardian fallback. SOCKS5 proxies are validated and routed correctly via `aiohttp-socks`. |\n| **Secure Key Store** | API keys managed via `~/.config/nox-cli/apikeys.json` (chmod 0600). Unconfigured keys are silently skipped. Keys set via environment variable are picked up automatically without restarting. |\n| **System Logging** | All scan events, phase completions, pivot discoveries, API events, rate-limits, and crack attempts are written to `~/.nox/logs/nox.log`. Only actionable intelligence reaches the terminal. |\n| **Plugin Debug** | `--list-sources` prints a full operator debug table: plugin name, input type, confidence score, key status (configured / not configured / public), and any JSON parse errors. |\n\n---\n\n## Architecture\n\n### Plugin-Driven Design\n\nNOX operates on a strict separation of concerns: `nox.py` is a **pure, agnostic execution engine** — it handles async I/O, JA3 fingerprinting, SSL session management, recursive pivoting, and result correlation. It contains no hardcoded intelligence logic.\n\nAll intelligence is defined as **JSON plugins** in `sources/`. These plugins are the sole source of truth for what NOX queries, how it authenticates, and what it extracts. The build tool `build_sources.py` is the only authorised way to create or modify them.\n\n```\nbuild_sources.py  ──►  sources/*.json  ──►  nox.py (runtime loader)\n   [Builder]              [Plugins]           [Execution Engine]\n```\n\n\u003e [!IMPORTANT]\n\u003e **`sources/*.json` files are auto-generated artifacts. Never edit them directly.**\n\u003e All source additions and modifications must be made in `build_sources.py` and applied by running `python build_sources.py`. Manual edits will be overwritten on the next build.\n\n#### Source Schema\n\n```json\n{\n  \"name\": \"MyPrivateDB\",\n  \"endpoint\": \"https://api.myprivatedb.com/search?q={target}\",\n  \"method\": \"GET\",\n  \"headers\": { \"Authorization\": \"Bearer {MY_API_KEY}\" },\n  \"regex_pattern\": \"([\\\\w.+-]+@[\\\\w-]+\\\\.[\\\\w.]+):([\\\\S]+)\",\n  \"required_api_key_name\": \"MY_API_KEY\",\n  \"api_key_slots\": [\"{MY_API_KEY}\"],\n  \"input_type\": \"email\",\n  \"output_type\": [\"username\", \"ip\"],\n  \"pivot_types\": [\"email\", \"username\"],\n  \"confidence\": 0.9\n}\n```\n\nSupported fields: `name`, `endpoint`, `method`, `headers`, `regex_pattern` (or `json_root` + `normalization_map`), `required_api_key_name`, `api_key_slots`, `input_type`, `output_type`, `pivot_types`, `confidence`.\n\n---\n\n### Autoscan Pipeline\n\n`--autoscan` (CLI) / `autoscan` (REPL) executes the full intelligence pipeline in a single command:\n\n```\nFor each asset (seed + every discovered identifier):\n  ├─ Phase 1 — Breach Scan\n  │     124 sources queried in parallel (async)\n  │\n  ├─ Phase 2 — Hash Crack (non-blocking, concurrent)\n  │     Hashes found in breach data → rainbow-table APIs → cracked plaintext\n  │     → password-recycling breach scan\n  │\n  ├─ Phase 3 — Dorking\n  │     Google/Bing/DDG dorks → leaked docs, .env files, SQL dumps\n  │     → new identifiers extracted and re-injected\n  │\n  └─ Phase 4 — Scraping\n        Pastebin, IntelX, Telegram CTI channels → credential extraction\n        → new identifiers extracted and re-injected\n\nAll identifiers discovered in phases 1–4 are re-injected as new seeds.\nChild assets are processed concurrently via asyncio.gather.\n```\n\n`scan` (without `--autoscan`) runs Phase 1 only — breach sources, no pivot/dork/scrape.\n\n---\n\n### Recursive Avalanche Engine\n\nEvery identifier discovered during a scan — from breach records, dork hits, or scraped paste/Telegram content — is treated as a new intelligence seed. For each asset, the engine runs four phases sequentially: breach scan → hash crack → dork → scrape. Identifiers extracted from **all four phases** are harvested and re-injected as new seeds. Child assets are then processed concurrently via `asyncio.gather`.\n\n```\ntarget@company.com\n  └─► [Breach] username: j.doe      ──► [Breach + Crack + Dork + Scrape]\n  │         └─► github.com/jdoe     ──► [Breach + Crack + Dork + Scrape]\n  └─► [Breach] hash: 5f4dcc...      ──► [AutoCrack] → \"password123\"\n  │         └─► [Breach] password-recycling scan across all sources\n  └─► [Dork] new@email.com          ──► [Breach + Crack + Dork + Scrape]\n  └─► [Scrape/paste] admin@corp.com ──► [Breach + Crack + Dork + Scrape]\n```\n\n- **`seen_assets` set** — global deduplication; no identifier is ever processed twice, regardless of which phase discovered it\n- **Global semaphore** — single shared concurrency cap across the entire discovery tree, respecting `--threads`\n- **`--depth N`** — configurable pivot depth (default: 2); hard backstop prevents runaway recursion\n- **`--no-pivot`** — disable recursive enrichment for a fast breach-only scan\n\n---\n\n### Hash Pivoting\n\nWhen a hash is found in breach data during `--autoscan`:\n\n1. Hash type is identified (MD5/NTLM, SHA1, SHA256, bcrypt)\n2. Multiple rainbow-table APIs are queried **concurrently** in a background task\n3. **If cracked** — plaintext is logged, the record is updated, and the password is injected into the pivot queue for password-recycling analysis across all breach sources\n4. **If not cracked** — failure is logged to `nox_system.log`, the hash is preserved in the report, and pivoting on all other assets continues immediately\n\nThe crack process is fully non-blocking. A timeout or API failure never pauses the scan. Use `--no-online-crack` to restrict cracking to the local wordlist only (no data sent to third-party APIs).\n\n---\n\n### Guardian Proxy Engine\n\nThe Guardian Engine is NOX's zero-config OPSEC layer. It activates automatically when no `--proxy` or `--tor` flag is supplied.\n\n**Resolution order:**\n\n1. **`proxies.txt`** — if present in the working directory, NOX loads and rotates through the listed proxies.\n2. **Dynamic fetch** — if `proxies.txt` is absent, the Guardian Engine fetches a fresh list of high-anonymity public proxies, validates each one, and holds the validated pool in-memory for the session. Nothing is written to disk.\n3. **Direct connection** — if no valid proxies are found, NOX falls back to a direct connection and emits a warning.\n\n\u003e [!WARNING]\n\u003e Public proxy pools are inherently untrusted infrastructure. For sensitive engagements, always supply a controlled proxy via `--proxy` or route through Tor via `--tor`.\n\n| Flag | Behaviour |\n|-|-|\n| `--proxy \u003curl\u003e` | Route all traffic through the specified HTTP/S or SOCKS5 proxy. Disables Guardian. |\n| `--tor` | Route all traffic through Tor (requires `tor` service on port 9050). Disables Guardian. |\n| `--guardian-off` | Bypass the OPSEC kill-switch and connect directly. |\n| *(no flag)* | Guardian Engine activates automatically. |\n\n---\n\n### Reporting\n\nAll report formats include an **Executive Summary dashboard**:\n\n| Metric | Description |\n|-|-|\n| Total Time | Wall-clock duration of the full scan |\n| Nodes Discovered | Unique identities surfaced across all sources |\n| Cleartext Passwords | Plaintext credentials found or cracked |\n| Pivot Depth | Depth reached by the recursive avalanche engine |\n\nReports also include a **Pivot Chain Visualization** showing the full relational path from initial seed to final discovery:\n\n```\n[seed@corp.com] -\u003e [LeakA / username:jdoe] -\u003e [Dork: leaked .env] -\u003e [new@email.com]\n```\n\nJSON exports include a `_meta` block with `scan_id`, `target`, `timestamp`, `nox_version`, and `pivot_depth_reached` — making every export self-describing for ingestion into case management platforms.\n\nAll output is sanitized — proxy errors, timeouts, and tracebacks are stripped. Only actionable intelligence is included.\n\n---\n\n## Filesystem Layout\n\n```\n~/.nox/\n├── sources/               # Auto-generated JSON source plugins\n├── reports/               # Generated forensic reports\n├── logs/                  # Runtime log (nox.log)\n├── wordlists/             # Hash cracking wordlists\n├── vault/                 # Secure storage\n└── nox_cache.db           # Forensic persistence database (SQLite)\n\n~/.config/nox-cli/\n├── apikeys.json           # API keys — chmod 0600, never committed to VCS\n└── logs/\n    └── nox_system.log     # Silent system log: API events, rate-limits, crack attempts\n\n# .deb install (isolated venv)\n/opt/nox-cli/\n├── nox.py\n├── build_sources.py\n├── requirements.txt\n├── sources/\n└── .venv/                 # Isolated Python environment (PEP 668 compliant)\n```\n\n---\n\n## Prerequisites\n\n- **Python 3.8+**\n- **pip** (`python3-pip` on Debian/Kali)\n- **Tor** *(optional)* — required only for `--tor`. On Kali: `sudo apt install tor -y`. The `tor` service must be running on port `9050`.\n\n---\n\n## Installation\n\n### Option 1: Debian / Kali Linux — Isolated .deb (Recommended)\n\nDownload the `.deb` package from the [Releases page](https://github.com/nox-project/nox-framework/releases), then run:\n\n```bash\nsudo dpkg -i nox-cli_*_all.deb\nnox-cli --help\n```\n\nThe post-install script automatically:\n1. Creates an isolated virtual environment at `/opt/nox-cli/.venv`\n2. Installs all Python dependencies inside the venv (PEP 668 compliant — zero system pollution)\n3. Builds the 124 source plugins\n4. Links `/usr/bin/nox-cli` → `/opt/nox-cli/nox-wrapper.sh`\n\n### Option 2: From Source\n\n```bash\ngit clone https://github.com/nox-project/nox-framework.git\ncd nox-framework\npip install -r requirements.txt\npython build_sources.py\npython3 nox.py\n```\n\n---\n\n## Quick Start\n\n**Step 1 — Build source plugins** *(from source only — .deb does this automatically)*\n\n```bash\npython build_sources.py\n```\n\n**Step 2 — Configure API keys**\n\n`build_sources.py` creates `~/.config/nox-cli/apikeys.json` on first run, pre-populated with every supported service. The file is `chmod 0600` and is never committed to VCS.\n\nThis is the **single canonical key store** — all sources read from it at runtime.\n\n```bash\n# Edit the file directly\nnano ~/.config/nox-cli/apikeys.json\n\n# Or inspect plugin status and key configuration\nnox-cli --list-sources\n```\n\n\u003e [!NOTE]\n\u003e Any key set to `INSERT_API_KEY_HERE` or `\"\"` is treated as unconfigured — that source is silently skipped. Sources without a key requirement are always active.\n\u003e\n\u003e **Load priority:** environment variable (e.g. `export HIBP_API_KEY=xxx`) → `~/.config/nox-cli/apikeys.json`\n\n**Step 3 — Execute**\n\n\u003e [!NOTE]\n\u003e **OPSEC Kill-Switch:** By default, NOX activates the Guardian Engine (auto proxy rotation). Use `--guardian-off` to connect directly.\n\n```bash\n# Breach scan — input type auto-detected (email / domain / ip / username / hash / phone)\nnox-cli -t target@company.com\n\n# Full autoscan: breach + recursive pivot + dork + scrape\nnox-cli -t target@company.com --autoscan\n\n# Autoscan with Tor routing\nnox-cli -t target@company.com --autoscan --tor\n\n# Autoscan with SOCKS5 proxy + PDF report\nnox-cli -t target@company.com --autoscan --proxy socks5://127.0.0.1:1080 -o report.pdf --format pdf\n\n# Autoscan with custom pivot depth\nnox-cli -t target@company.com --autoscan --depth 3\n\n# Breach scan only — no pivot, no dork, no scrape\nnox-cli -t target@company.com --no-pivot\n\n# Domain scan\nnox-cli -t company.com\n\n# Hash identification and cracking\nnox-cli --crack 5f4dcc3b5aa765d61d8327deb882cf99\n\n# Hash cracking — local wordlist only, no third-party API calls\nnox-cli --crack 5f4dcc3b5aa765d61d8327deb882cf99 --no-online-crack\n\n# Password strength analysis\nnox-cli --analyze \"P@ssw0rd123\"\n\n# Google dorking\nnox-cli --dork target@company.com\n\n# Paste / Telegram scraping\nnox-cli --scrape target@company.com\n\n# Compare scan against last cached result — show only new findings\nnox-cli -t target@company.com --diff\n\n# Plugin debug: loaded sources, input types, confidence, key status\nnox-cli --list-sources\n\n# Force resync of source plugins from package\nnox-cli --reset-sources\n```\n\n---\n\n## CLI Reference\n\n```\nusage: nox-cli [-h] [-t TARGET] [-i] [--version]\n               [--autoscan] [--fullscan] [--no-pivot] [--depth N]\n               [--dork TARGET] [--scrape TARGET]\n               [--crack HASH] [--no-online-crack]\n               [--analyze PASS] [--list-sources] [--reset-sources]\n               [--tor] [--proxy URL] [--guardian-off] [--allow-leak]\n               [--threads N] [--timeout N]\n               [-o FILE] [--format {json,csv,html,md,pdf}]\n               [--diff]\n\n  -t, --target TARGET     Target to scan (auto-detected type)\n  -i, --interactive       Launch interactive REPL\n  --version               Show version and exit\n  --autoscan              Full pipeline: breach + pivot + dork + scrape\n  --fullscan              Breach + pivot only (no dork/scrape)\n  --no-pivot              Disable recursive pivot enrichment\n  --depth N               Avalanche pivot depth (default: 2)\n  --dork TARGET           Google/Bing/DDG dorking for leaked documents\n  --scrape TARGET         Paste site + Telegram scraping\n  --crack HASH            Identify and crack a hash\n  --no-online-crack       Local wordlist only — no data sent to third-party APIs\n  --analyze PASS          Deep password strength analysis\n  --list-sources          Plugin debug: input type, confidence, key status\n  --reset-sources         Force resync of source plugins from package\n  --tor                   Route all traffic through Tor (port 9050)\n  --proxy URL             HTTP/S or SOCKS5 proxy URL\n  --guardian-off          Bypass OPSEC kill-switch (direct connection)\n  --allow-leak            Allow direct connection if proxy/Tor is unavailable\n  --threads N             Concurrency limit (default: 20)\n  --timeout N             Request timeout in seconds (default: 15)\n  -o, --output FILE       Output file path\n  --format FORMAT         Output format: json, csv, html, md, pdf\n  --diff                  Show only new findings vs last cached scan\n```\n\n---\n\n## REPL\n\nLaunch the interactive REPL with no arguments:\n\n```bash\nnox-cli\n```\n\n```\nCommand        Description\n-----------    ---------------------------------------------------------------\nautoscan       Full pipeline: breach + pivot + dork + scrape\nscan           Breach intelligence scan only\ndork           Google/Bing/DDG dorking for leaked documents\nscrape         Paste site + Telegram scraping\ncrack          Identify and crack a hash\nanalyze        Deep password strength analysis\ngraph          ASCII identity graph of last scan\nvisualize      ASCII relationship map (Target → Data → Pivots)\npivot \u003cn\u003e      Re-scan using result #n as new pivot seed\nsearch \u003cq\u003e     Filter in-memory records by keyword\nsources        Plugin debug: input type, confidence, key status\nexport         Export results (json / csv / html / md / pdf)\ntor            Toggle Tor routing on/off\nproxy          Set or clear proxy URL\nconfig         Configure threads / timeout / depth\nhelp           Show this menu\nquit           Exit NOX\n```\n\n**Examples:**\n\n```\nnox\u003e autoscan target@company.com\nnox\u003e graph\nnox\u003e visualize\nnox\u003e pivot 3\nnox\u003e search admin\nnox\u003e export pdf investigation.pdf\nnox\u003e sources\nnox\u003e config threads 30\nnox\u003e config depth 3\nnox\u003e proxy socks5://127.0.0.1:1080\nnox\u003e tor\n```\n\n---\n\n## Source Management\n\n### Adding a Source\n\n**1. Define in `build_sources.py`:**\n\n```python\n_auth(\"NewIntelDB\", \"breaches\",\n      \"https://api.newinteldb.com/v1/search?q={target}\", \"GET\",\n      {\"results\": \"$.results\"},\n      headers={\"X-API-Key\": \"{NEWINTELDB_API_KEY}\"},\n      api_key_slots=[\"{NEWINTELDB_API_KEY}\"],\n      normalization_map={\"email\": \"email\", \"password\": \"password\"},\n      input_type=\"email\",\n      output_type=[\"username\", \"ip\"],\n      confidence=0.85)\n```\n\n**2. Rebuild:**\n\n```bash\npython build_sources.py\n```\n\n\u003e [!NOTE]\n\u003e The builder validates every source at build time: GET endpoints must contain `{target}`, volatile sources must have `reliability_score ≤ 4`, and the `confidence` field can be set explicitly to override the formula-derived value.\n\n---\n\n## Building the .deb Package\n\n```bash\ngem install fpm\nbash build_deb.sh\nsudo dpkg -i dist/nox-cli_*_all.deb\n```\n\n---\n\n## Legal Disclaimer\n\n\u003e [!WARNING]\n\u003e **NOX is intended exclusively for:**\n\u003e - Authorised penetration testing and red team engagements with explicit written consent\n\u003e - Corporate exposure analysis on assets you own or are contracted to assess\n\u003e - Digital forensics and incident response\n\u003e - Academic and security research in controlled, isolated environments\n\u003e\n\u003e **Unauthorised use of this tool against systems, networks, or individuals without explicit written permission is a criminal offence** under the Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030), the Computer Misuse Act 1990 (CMA), and equivalent legislation in all major jurisdictions worldwide.\n\u003e\n\u003e The authors and contributors of NOX accept **no liability** for any direct, indirect, incidental, or consequential damages arising from misuse of this software. By downloading, installing, or executing NOX, you unconditionally agree to comply with all applicable local, national, and international laws, and to only target systems and data for which you hold explicit, documented authorisation.\n\u003e\n\u003e **If you do not agree to these terms, do not use this software.**\n\n---\n\n## License\n\n[Apache License 2.0](LICENSE.txt)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnox-project%2Fnox-framework","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnox-project%2Fnox-framework","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnox-project%2Fnox-framework/lists"}