{/* Back Button */} {/* Header */}

{attacker.ip}

{attacker.country_code && ( {attacker.country_code} )} {attacker.is_traversal && ( TRAVERSAL )}

{/* Stats Row */}

{attacker.event_count}

EVENTS

{attacker.bounty_count}

BOUNTIES

{attacker.credential_count}

CREDENTIALS

{attacker.service_count}

SERVICES

{attacker.decky_count}

DECKIES

{/* Scanned vs. Interacted — activity-depth signal */} {attacker.service_activity && (attacker.service_activity.scanned.length > 0 || attacker.service_activity.interacted.length > 0) && (

0 ? `Services: ${attacker.service_activity.scanned.join(', ')}` : 'No services were scanned without engagement.' } >

{attacker.service_activity.scanned.length}

SCANNED · SERVICES

0 ? `Services: ${attacker.service_activity.interacted.join(', ')}` : 'No services were interacted with — scan-only attacker.' } >

{attacker.service_activity.interacted.length}

INTERACTED WITH · SERVICES

)} {/* Timestamps */}

toggle('timeline')}>

FIRST SEEN: {new Date(attacker.first_seen).toLocaleString()}

LAST SEEN: {new Date(attacker.last_seen).toLocaleString()}

UPDATED: {new Date(attacker.updated_at).toLocaleString()}

ORIGIN: {attacker.country_code ? ( {attacker.country_code} {attacker.country_source && ( ({attacker.country_source}) )} ) : ( unknown )}

REVERSE DNS: {attacker.ptr_record ? ( {attacker.ptr_record} ) : ( — )}

{attacker.ip_leaks && attacker.ip_leaks.length > 0 && (

LEAKED IPs:{' '} {Array.from( new Set( (attacker.ip_leaks || []) .map((l) => l.payload?.real_ip_claim) .filter((v): v is string => !!v), ), ).map((ip, i, arr) => { const latest = (attacker.ip_leaks || []).find( (l) => l.payload?.real_ip_claim === ip, ); const tooltip = latest ? `Leaked via ${latest.payload.source_header ?? '?'}; source ${latest.payload.source_ip ?? '?'}` : ''; return ( {ip} {i < arr.length - 1 ? ', ' : ''} ); })}

)}

{/* Services */}

toggle('services')}>

{attacker.services.length > 0 ? attacker.services.map((svc) => { const isActive = serviceFilter === svc; return ( setServiceFilter(isActive ? null : svc)} title={isActive ? 'Clear filter' : `Filter by ${svc.toUpperCase()}`} > {svc.toUpperCase()} ); }) : ( No services recorded )}

{/* Deckies & Traversal */}

toggle('deckies')}>

{attacker.traversal_path ? (

TRAVERSAL PATH: {attacker.traversal_path}

) : (

{attacker.deckies.map((d) => ( {d} ))} {attacker.deckies.length === 0 && No deckies recorded}

)}

{/* Behavioral Profile */}

toggle('behavior')} > {attacker.behavior ? (

) : ( )}

{/* Commands */} {(() => { const cmdTotalPages = Math.ceil(cmdTotal / cmdLimit); return (

COMMANDS ({cmdTotal}{serviceFilter ? ` ${serviceFilter.toUpperCase()}` : ''})} open={openSections.commands} onToggle={() => toggle('commands')} right={openSections.commands && cmdTotalPages > 1 ? (

Page {cmdPage} of {cmdTotalPages}

) : undefined} > {commands.length > 0 ? (

{commands.map((cmd, i) => ( ))}

TIMESTAMP	SERVICE	DECKY	COMMAND
{cmd.timestamp ? new Date(cmd.timestamp).toLocaleString() : '-'}	{cmd.service}	{cmd.decky}	{cmd.command}

) : ( )}

); })()} {/* Fingerprints — grouped by type */} {(() => { const filteredFps = serviceFilter ? attacker.fingerprints.filter((fp) => { const p = getPayload(fp); return p.service === serviceFilter; }) : attacker.fingerprints; // Group fingerprints by type const groups: Record = {}; filteredFps.forEach((fp) => { const p = getPayload(fp); const fpType: string = p.fingerprint_type || 'unknown'; if (!groups[fpType]) groups[fpType] = []; groups[fpType].push(fp); }); // Active probes first, then passive, then unknown const activeTypes = ['jarm', 'hassh_server', 'tcpfp']; const passiveTypes = ['ja3', 'ja4l', 'tls_resumption', 'tls_certificate', 'http_useragent', 'http_quirks', 'vnc_client_version']; const knownTypes = [...activeTypes, ...passiveTypes]; const unknownTypes = Object.keys(groups).filter((t) => !knownTypes.includes(t)); const hasActive = activeTypes.some((t) => groups[t]); const hasPassive = [...passiveTypes, ...unknownTypes].some((t) => groups[t]); return (

FINGERPRINTS ({filteredFps.length}{serviceFilter ? ` / ${attacker.fingerprints.length}` : ''})} open={openSections.fingerprints} onToggle={() => toggle('fingerprints')} > {filteredFps.length > 0 ? (

{/* Active probes section */} {hasActive && (

ACTIVE PROBES

{activeTypes.filter((t) => groups[t]).map((fpType) => ( ))}

)} {/* Passive fingerprints section */} {hasPassive && (

PASSIVE FINGERPRINTS

{[...passiveTypes, ...unknownTypes].filter((t) => groups[t]).map((fpType) => ( ))}

)}

) : (

{serviceFilter ? `NO ${serviceFilter.toUpperCase()} FINGERPRINTS CAPTURED` : 'NO FINGERPRINTS CAPTURED'}

)}

); })()} {/* Captured Artifacts */}

CAPTURED ARTIFACTS ({artifacts.length})} open={openSections.artifacts} onToggle={() => toggle('artifacts')} > {artifacts.length > 0 ? (

{artifacts.map((row) => { let fields: Record = {}; try { fields = JSON.parse(row.fields || '{}'); } catch {} const storedAs = fields.stored_as ? String(fields.stored_as) : null; const sha = fields.sha256 ? String(fields.sha256) : ''; return ( ); })}

TIMESTAMP	DECKY	FILENAME	SIZE	SHA-256
{new Date(row.timestamp).toLocaleString()}	{row.decky}	{fields.orig_path ?? storedAs ?? '—'}	{fields.size ? `${fields.size} B` : '—'}	{sha ? `${sha.slice(0, 12)}…` : '—'}	{storedAs && ( )}

) : ( )}

{artifact && ( setArtifact(null)} /> )} {/* SMTP Victim Domains (viewer-safe rollup) */}

SMTP VICTIM DOMAINS ({smtpTargets.length})} open={openSections.smtpTargets} onToggle={() => toggle('smtpTargets')} > {smtpTargets.length > 0 ? (

{smtpTargets.map((row) => ( ))}

DOMAIN	COUNT	FIRST SEEN	LAST SEEN
{row.domain}	{row.count}	{new Date(row.first_seen).toLocaleString()}	{new Date(row.last_seen).toLocaleString()}

) : ( )}

{/* Stored Mail (admin only — bodies are attacker-controlled) */}

STORED MAIL ({mail.length})} open={openSections.mail} onToggle={() => toggle('mail')} > {mailForbidden ? ( ) : mail.length > 0 ? (

{mail.map((row) => { let fields: Record = {}; try { fields = JSON.parse(row.fields || '{}'); } catch {} const storedAs = fields.stored_as ? String(fields.stored_as) : null; return ( ); })}

TIMESTAMP	DECKY	SUBJECT	FROM	SIZE
{new Date(row.timestamp).toLocaleString()}	{row.decky}	{fields.subject \|\| '—'}	{fields.from_addr \|\| fields.mail_from \|\| '—'}	{fields.size ? `${fields.size} B` : '—'}	{storedAs && ( )}

) : ( )}

{mailItem && ( setMailItem(null)} /> )} {/* Recorded PTY Sessions (SSH / Telnet) */}

SESSION TRANSCRIPTS ({sessions.length})} open={openSections.sessions} onToggle={() => toggle('sessions')} > {sessions.length > 0 ? (

{sessions.map((row) => { let fields: Record = {}; try { fields = JSON.parse(row.fields || '{}'); } catch {} const sid = fields.sid ? String(fields.sid) : null; const dur = fields.duration_s; const bytes = fields.bytes; return ( ); })}

TIMESTAMP	DECKY	SERVICE	DURATION	BYTES
{new Date(row.timestamp).toLocaleString()}	{row.decky}	{fields.service ?? row.service}	{dur ? `${dur}s` : '—'}	{bytes ? `${bytes} B` : '—'}	{sid && ( )}

) : ( )}

{session && ( setSession(null)} /> )} {/* UUID footer */}

UUID: {attacker.uuid}

{title}

{attacker.ip}