npm - d1337-kit - Versions diffs - 3.0.0 → 3.1.0 - Mend

d1337-kit 3.0.0 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/.agent/agents/penetration-tester.md +541 -256
package/.agent/agents/security-auditor.md +347 -175
package/.agent/rules/GEMINI.md +94 -17
package/.agent/workflows/cve-intel.md +148 -51
package/.agent/workflows/recon.md +203 -57
package/.agent/workflows/scan.md +287 -59
package/package.json +1 -1

package/.agent/workflows/recon.md CHANGED Viewed

@@ -1,116 +1,262 @@
 ---
-description: Offensive recon — subdomain, DNS history, leak search, fingerprint, OSINT
+description: Offensive recon — subdomain, DNS history, leak search, fingerprint, cloud assets, OSINT. Intelligence gathering yang THOROUGH.
 ---
 // turbo-all
-> CONTEXT: Workflow ini dipake buat full offensive recon terhadap target. Pakai SecurityTrails API buat domain/subdomain intel, kombinasi sama web search buat CVE/exploit terbaru.
+> **CONTEXT:** Full offensive reconnaissance. INTELLIGENCE gathering, bukan scanning. Lu collect SEMUA data yang ada sebelum satu exploit pun dijalanin. Tanpa recon = tembak buta.
-# /recon — D1337 Offensive Recon
+# /recon — D1337 Offensive Intelligence Gathering
+## 🔴 H3: HALAL HARAM HANTAM
+```
+HALAL: Setiap data point yang expand attack surface knowledge
+HARAM: Scanning tanpa intel, brute force tanpa wordlist yang targeted
+HANTAM: Gak ada recon yang "cukup" — dig deeper SELALU
+```
+---
 ## Prerequisites
-- SecurityTrails API key (set di env: `SECTRAILS_KEY`)
 - Target domain/IP dari Ketua/Abangda
+- SecurityTrails API key (env: `SECTRAILS_KEY`) — recommended
+- Shodan API key (env: `SHODAN_KEY`) — optional
+- VirusTotal API key (env: `VT_KEY`) — optional
 ---
-## Phase 1: Domain Intel (SecurityTrails)
+## Phase 1: Passive OSINT (ZERO NOISE — Target Gak Tau)
+### 1.1 Domain Intelligence
 ```bash
-# 1. Domain overview
+# SecurityTrails — domain overview
 curl -s "https://api.securitytrails.com/v1/domain/$TARGET" \
   -H "apikey: $SECTRAILS_KEY" | python -m json.tool
-# 2. Subdomain enumeration
+# Subdomain enumeration (passive — gak sentuh target)
 curl -s "https://api.securitytrails.com/v1/domain/$TARGET/subdomains" \
   -H "apikey: $SECTRAILS_KEY" | python -m json.tool
-# 3. DNS history (A records)
+# DNS history — cari origin IP di belakang CDN
 curl -s "https://api.securitytrails.com/v1/history/$TARGET/dns/a" \
   -H "apikey: $SECTRAILS_KEY" | python -m json.tool
-# 4. WHOIS history
+# MX records history — email infrastructure
+curl -s "https://api.securitytrails.com/v1/history/$TARGET/dns/mx" \
+  -H "apikey: $SECTRAILS_KEY" | python -m json.tool
+# WHOIS history — ownership changes
 curl -s "https://api.securitytrails.com/v1/history/$TARGET/whois" \
   -H "apikey: $SECTRAILS_KEY" | python -m json.tool
-# 5. Associated domains (reverse IP)
+# Associated domains (reverse IP — siapa lagi di server yang sama)
 curl -s "https://api.securitytrails.com/v1/domain/$TARGET/associated" \
   -H "apikey: $SECTRAILS_KEY" | python -m json.tool
 ```
-## Phase 2: Tech Fingerprint
+### 1.2 Certificate Transparency
 ```bash
-# Pakai search_web atau firecrawl_search
-# Target: "$TARGET site:shodan.io OR site:censys.io"
+# crt.sh — subdomain via CT logs (FREE, no API key)
+curl -s "https://crt.sh/?q=%25.$TARGET&output=json" | \
+  python -c "import sys,json; [print(x['name_value']) for x in json.load(sys.stdin)]" | \
+  sort -u
+# Alternative: certspotter
+curl -s "https://api.certspotter.com/v1/issuances?domain=$TARGET&include_subdomains=true" | \
+  python -c "import sys,json; [print(d) for x in json.load(sys.stdin) for d in x.get('dns_names',[])]" | \
+  sort -u
+```
-# Cek tech stack
-curl -s "https://$TARGET" -I | grep -i "server\|x-powered-by\|x-aspnet\|x-generator"
+### 1.3 Search Engine & Web Archive Recon
-# Pakai httpx kalau ada
-# httpx -u https://$TARGET -tech-detect -status-code
+```bash
+# Google dorks (via search_web)
+search_web: "site:$TARGET filetype:pdf OR filetype:doc OR filetype:xls"
+search_web: "site:$TARGET inurl:admin OR inurl:login OR inurl:dashboard"
+search_web: "site:$TARGET inurl:api OR inurl:swagger OR inurl:graphql"
+search_web: "\"$TARGET\" password OR secret OR api_key OR token"
+# GitHub dorks — leaked secrets
+search_web: "site:github.com \"$TARGET\" password OR secret OR api_key"
+search_web: "site:github.com \"$TARGET\" filename:.env OR filename:config"
+# Wayback Machine — historical pages
+search_web: "site:web.archive.org $TARGET"
+curl -s "https://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=json&fl=original&collapse=urlkey" | head -100
 ```
-## Phase 3: CVE & Exploit Hunting (WAJIB)
+### 1.4 Leak & Credential Search
 ```bash
-# search_web: "$TARGET_TECH CVE 2024 2025 exploit PoC"
-# search_web: "$TARGET_TECH vulnerability RCE"
+# IntelX — breach data search
+curl -s "https://3.intelx.io/intelligent/search" \
+  -H "x-key: $INTELX_KEY" \
+  -d '{"term":"$TARGET","maxresults":100,"media":0,"sort":2,"terminate":[]}'
-# Cek exploit-db
-# firecrawl_search: "site:exploit-db.com $TARGET_TECH"
+# Dehashed (via search_web kalau gak ada API)
+search_web: "site:dehashed.com $TARGET"
-# Cek GitHub PoCs
-# firecrawl_search: "site:github.com $TARGET_TECH exploit PoC"
+# HaveIBeenPwned domain search
+search_web: "\"$TARGET\" breach leaked credentials"
 ```
-**Output yang dibutuhin:**
-- CVE number
-- Affected versions
-- PoC link (GitHub/exploit-db)
-- Attack vector description
+## Phase 2: Active Recon (LOW NOISE — Calculated Probes)
-## Phase 4: Subdomain Takeover Check
+### 2.1 Tech Stack Fingerprint
 ```bash
-# Dari subdomain list Phase 1
-# Cek CNAME records yang dangling
-# dig CNAME sub.$TARGET
-# Kalau NXDOMAIN + CNAME ke service (AWS, Azure, Heroku) → takeover possible
+# HTTP headers analysis
+curl -sI "https://$TARGET" | grep -iE "server|x-powered-by|x-aspnet|x-generator|x-framework|set-cookie|content-security-policy"
+# Detailed tech detection
+search_web: "$TARGET technology stack web framework"
+# JavaScript analysis — hidden endpoints, API keys, tech indicators
+curl -s "https://$TARGET" | grep -oP 'src="[^"]*\.js"' | head -20
+# Download dan analisis JS files buat:
+# - API endpoints
+# - Hardcoded tokens/keys
+# - Framework signatures
+# - Source maps (goldmine kalau ada)
+# robots.txt + sitemap.xml — hidden paths
+curl -s "https://$TARGET/robots.txt"
+curl -s "https://$TARGET/sitemap.xml"
+# Common admin/debug endpoints
+curl -sI "https://$TARGET/.env" | head -5
+curl -sI "https://$TARGET/debug" | head -5
+curl -sI "https://$TARGET/info.php" | head -5
+curl -sI "https://$TARGET/server-status" | head -5
+curl -sI "https://$TARGET/.git/config" | head -5
+curl -sI "https://$TARGET/graphql" | head -5
+curl -sI "https://$TARGET/swagger.json" | head -5
+curl -sI "https://$TARGET/api-docs" | head -5
 ```
-## Phase 5: Report
+### 2.2 Port & Service Discovery
-Output format:
+```bash
+# Shodan — passive port scan (ZERO noise to target)
+curl -s "https://api.shodan.io/shodan/host/$TARGET_IP?key=$SHODAN_KEY" | python -m json.tool
-```markdown
-# Recon Report: $TARGET
+# Kalau Shodan gak available, search_web:
+search_web: "site:shodan.io $TARGET"
+search_web: "site:censys.io $TARGET"
-## Domain Intel
-- Subdomains found: X
-- DNS history changes: Y
-- Associated domains: Z
+# Active port scan (hanya kalau authorized)
+# nmap -sS -sV -T3 --top-ports 1000 $TARGET -oN recon_$TARGET.txt
+# masscan -p1-65535 $TARGET --rate=500 -oJ ports_$TARGET.json
+```
-## Tech Stack
-- Server: X
-- Framework: Y
-- CMS: Z
+## Phase 3: Cloud Asset Discovery
-## Vulnerabilities Found
-| CVE | Severity | PoC | Status |
-|-----|----------|-----|--------|
-| CVE-XXXX-XXXXX | Critical | [link] | Unpatched |
+```bash
+# AWS S3 bucket enum
+search_web: "site:s3.amazonaws.com $TARGET"
+search_web: "\"$TARGET\" s3 bucket"
+# Common patterns: $TARGET.s3.amazonaws.com, s3-$TARGET, $TARGET-backup, $TARGET-dev
+# Azure blob
+search_web: "site:blob.core.windows.net $TARGET"
+# Pattern: $TARGET.blob.core.windows.net
+# GCP storage
+search_web: "site:storage.googleapis.com $TARGET"
+# Pattern: storage.googleapis.com/$TARGET
+```
-## Subdomain Takeover
-| Subdomain | CNAME | Status |
+## Phase 4: Subdomain Takeover Check
+```bash
+# Dari subdomain list Phase 1, cek CNAME records
+# Yang dicari: CNAME pointing ke service yang UDAH GAK DIPAKE
+# Cek setiap subdomain:
+# 1. dig CNAME sub.$TARGET
+# 2. Kalau CNAME → external service (AWS, Azure, Heroku, GitHub Pages, Shopify)
+# 3. DAN service return 404/NXDOMAIN → TAKEOVER POSSIBLE
+# Services yang sering vulnerable:
+# - GitHub Pages (404)
+# - Heroku (No such app)
+# - AWS S3 (NoSuchBucket)
+# - Azure (404 Web Site not found)
+# - Shopify (Sorry, this shop is unavailable)
+# - Fastly (Fastly error: unknown domain)
+# - Pantheon (404 error unknown site)
+```
+## Phase 5: Compile Recon Report
+```markdown
+# 🔍 Recon Report: $TARGET
+## Target Overview
+- Domain: $TARGET
+- IP(s): [resolved IPs, CDN info]
+- Registrar: [from WHOIS]
+- Hosting: [cloud provider/datacenter]
+## Domain Intelligence
+| Data Point | Count | Source |
 |-----------|-------|--------|
+| Subdomains | X | SecurityTrails + CT logs |
+| DNS changes (1yr) | X | SecurityTrails history |
+| Associated domains | X | Reverse IP |
+| MX records | X | DNS |
+### Subdomains Found
+| Subdomain | IP | Status | Tech | Notes |
+|-----------|-----|--------|------|-------|
+| api.$TARGET | 1.2.3.4 | 200 | Node.js | API endpoint |
+| admin.$TARGET | 1.2.3.5 | 302→login | PHP | Admin panel |
+| staging.$TARGET | 1.2.3.6 | 200 | Same as prod | Possible test data |
-## Recommended Attack Vectors
-1. ...
-2. ...
-3. ...
+## Tech Stack
+| Component | Technology | Version | Notes |
+|----------|-----------|---------|-------|
+| Web server | nginx | 1.25.x | From headers |
+| Framework | Next.js | 14.x | From JS analysis |
+| Database | PostgreSQL | unknown | From error pages |
+| CDN | Cloudflare | - | DNS resolution |
+## Leaked/Exposed Data
+| Type | Source | Content | Risk |
+|------|--------|---------|------|
+| Credentials | [source] | X accounts found | HIGH |
+| API keys | [source] | X keys found | CRITICAL |
+| Source code | [source] | repo found | MEDIUM |
+## Subdomain Takeover
+| Subdomain | CNAME | Service | Status |
+|-----------|-------|---------|--------|
+| old.$TARGET | xyz.herokuapp.com | Heroku | ⚠️ TAKEOVER POSSIBLE |
+## Cloud Assets
+| Asset | Type | Access | Risk |
+|-------|------|--------|------|
+| $TARGET.s3.amazonaws.com | S3 bucket | Public listing | HIGH |
+## Vulnerabilities Identified (Pre-Exploitation)
+| CVE/Issue | Severity | Component | PoC Available |
+|-----------|----------|-----------|--------------|
+| CVE-XXXX-XXXXX | Critical | [component] | ✅ Yes |
+## Recommended Attack Vectors (Priority Order)
+1. [Highest impact, lowest effort — describe why]
+2. [Second priority — describe attack path]
+3. [Third priority — describe chain opportunity]
+## OPSEC Notes
+- CDN detected: [adjust techniques accordingly]
+- WAF detected: [type, bypass strategy]
+- Rate limiting: [observed limits]
 ```
 ---
-> **Recon itu fondasi. Tanpa recon yang solid, exploit lu bakal sia-sia. SCAN HABIS, DOCUMENT SEMUA.**
+> **"Recon yang THOROUGH = exploit yang PRESISI. Recon yang DANGKAL = tembak buta kayak script kiddie. Lu D1337 — lu GATHER INTELLIGENCE, bukan jalanin scanner."**