myaidev-method 0.2.19 → 0.2.22

package/src/templates/claude/commands/sc:security-scan.md

@@ -0,0 +1,441 @@
+---
+name: security-scan
+description: Active network and service scanning with authorization enforcement
+version: 1.0.0
+category: security
+agent: penetration-tester
+---
+
+# Security Scanning Command
+
+Execute active network and service scanning following professional security assessment methodologies.
+
+## Pre-Execution Requirements
+
+**CRITICAL Authorization Check:**
+```javascript
+import { requireAuthorization, AuthLevel } from '../../../src/libs/security/authorization-checker.js';
+
+// User must provide target
+const target = process.argv[2];
+if (!target) {
+  console.error('Usage: /sc:security-scan <target>');
+  console.error('Example: /sc:security-scan 192.168.1.0/24');
+  process.exit(1);
+}
+
+// Verify authorization (active scanning requires ACTIVE level)
+await requireAuthorization(target, AuthLevel.ACTIVE);
+```
+
+## Command Workflow
+
+When user requests active scanning on a target:
+
+### Step 1: Activate penetration-tester Agent
+
+```
+You are now in active scanning mode.
+
+Target: [USER_PROVIDED_TARGET]
+Authorization Level: ACTIVE (network interaction allowed)
+
+Execute comprehensive active scanning following this workflow:
+
+1. Initial Host Discovery
+2. Port Scanning (TCP/UDP)
+3. Service Enumeration
+4. OS Detection
+5. Vulnerability Scanning
+6. SSL/TLS Analysis
+7. Generate Scan Report
+```
+
+### Step 2: Host Discovery
+
+```bash
+# Ping sweep for live hosts
+nmap -sn [TARGET_RANGE]
+
+# ARP scan for local network
+nmap -PR [LOCAL_NETWORK]
+
+# TCP SYN ping (stealth)
+nmap -PS22,80,443 [TARGET]
+
+# ICMP echo request
+ping -c 4 [TARGET]
+```
+
+### Step 3: Port Scanning
+
+```bash
+# Quick scan (common ports)
+nmap -F [TARGET]
+
+# Full TCP scan
+nmap -p- [TARGET]
+
+# UDP scan (top ports)
+nmap -sU --top-ports 100 [TARGET]
+
+# SYN stealth scan
+nmap -sS -p- [TARGET]
+
+# Fast parallel scan with masscan
+masscan -p1-65535 [TARGET] --rate=10000
+```
+
+### Step 4: Service Enumeration
+
+```bash
+# Service version detection
+nmap -sV -p [PORTS] [TARGET]
+
+# Aggressive service detection
+nmap -sV --version-intensity 9 -p [PORTS] [TARGET]
+
+# NSE scripts for service enumeration
+nmap -sC -sV -p [PORTS] [TARGET]
+
+# Banner grabbing with netcat
+nc -v [TARGET] [PORT]
+```
+
+### Step 5: OS Detection
+
+```bash
+# OS detection
+nmap -O [TARGET]
+
+# Aggressive OS detection
+nmap -A [TARGET]
+
+# OS fingerprinting with p0f (passive)
+p0f -i eth0
+```
+
+### Step 6: Vulnerability Scanning
+
+```bash
+# Nmap vulnerability scripts
+nmap --script vuln -p [PORTS] [TARGET]
+
+# Specific vulnerability checks
+nmap --script ssl-heartbleed,ssl-poodle -p 443 [TARGET]
+
+# OpenVAS comprehensive scan
+openvas --scan [TARGET]
+
+# Nuclei template scanning
+nuclei -u https://[TARGET] -t ~/nuclei-templates/
+```
+
+### Step 7: SSL/TLS Analysis
+
+```bash
+# SSL/TLS configuration scan
+nmap --script ssl-enum-ciphers -p 443 [TARGET]
+
+# SSLScan
+sslscan [TARGET]:443
+
+# testssl.sh comprehensive
+testssl.sh [TARGET]:443
+```
+
+### Step 8: Web Service Scanning
+
+```bash
+# Web technology detection
+whatweb -a 3 https://[TARGET]
+
+# Nikto web scanner
+nikto -h https://[TARGET]
+
+# Directory brute force
+gobuster dir -u https://[TARGET] -w /usr/share/wordlists/dirb/common.txt
+
+# OWASP ZAP automated scan
+zap-cli quick-scan https://[TARGET]
+```
+
+### Step 9: Generate Scan Report
+
+Create comprehensive scan report:
+
+```markdown
+# Network Scan Report: [TARGET]
+
+**Date:** [CURRENT_DATE]
+**Authorization:** Active scanning authorized (Level: ACTIVE)
+**Scanner:** Security Team
+**Duration:** [SCAN_DURATION]
+
+## Executive Summary
+
+High-level overview of scan results, critical findings, and risk assessment.
+
+## Scope
+
+**Target:** [TARGET]
+**IP Range:** [RANGE]
+**Scan Type:** Full TCP/UDP port scan with service enumeration
+**Exclusions:** [OUT_OF_SCOPE]
+
+## Host Discovery
+
+### Live Hosts
+- Total hosts scanned: [COUNT]
+- Live hosts found: [COUNT]
+- Responsive hosts: [LIST]
+
+**Host Details:**
+| IP Address | Hostname | MAC Address | OS Guess |
+|------------|----------|-------------|----------|
+| [IP] | [HOSTNAME] | [MAC] | [OS] |
+
+## Open Ports and Services
+
+### TCP Ports
+| IP | Port | State | Service | Version |
+|----|------|-------|---------|---------|
+| [IP] | 22 | open | SSH | OpenSSH 8.2p1 |
+| [IP] | 80 | open | HTTP | Apache 2.4.41 |
+| [IP] | 443 | open | HTTPS | Apache 2.4.41 |
+
+### UDP Ports
+| IP | Port | State | Service | Version |
+|----|------|-------|---------|---------|
+| [IP] | 53 | open | DNS | ISC BIND 9.16 |
+| [IP] | 161 | open | SNMP | Net-SNMP 5.8 |
+
+## Service Analysis
+
+### HTTP/HTTPS Services
+- **Count:** [NUMBER]
+- **Technologies:** [Apache, Nginx, IIS, etc.]
+- **Interesting Headers:** [SECURITY_HEADERS]
+- **Missing Headers:** [CSP, HSTS, etc.]
+
+### SSH Services
+- **Version:** [SSH_VERSION]
+- **Algorithms:** [KEY_EXCHANGE]
+- **Weak Ciphers:** [YES/NO]
+
+### Database Services
+- **Type:** [MySQL, PostgreSQL, MongoDB, etc.]
+- **Version:** [VERSION]
+- **Anonymous Access:** [YES/NO]
+
+## Operating System Detection
+
+### OS Fingerprinting Results
+| IP | OS Detection | Accuracy | Details |
+|----|--------------|----------|---------|
+| [IP] | Ubuntu Linux 20.04 | 95% | Kernel 5.4 |
+| [IP] | Windows Server 2019 | 92% | Build 17763 |
+
+## Vulnerability Assessment
+
+### Critical Vulnerabilities (CVSS 9.0-10.0)
+1. **CVE-XXXX-XXXX** - [Vulnerability Name]
+   - Affected Service: [SERVICE:PORT]
+   - Impact: [RCE/Disclosure/DoS]
+   - Remediation: [UPDATE/PATCH]
+
+### High Risk Vulnerabilities (CVSS 7.0-8.9)
+1. **CVE-XXXX-XXXX** - [Vulnerability Name]
+   - Affected Service: [SERVICE:PORT]
+   - Impact: [IMPACT]
+   - Remediation: [FIX]
+
+### Medium Risk (CVSS 4.0-6.9)
+- [LIST OF MEDIUM SEVERITY ISSUES]
+
+### Low Risk (CVSS 0.1-3.9)
+- [LIST OF LOW SEVERITY ISSUES]
+
+## SSL/TLS Configuration
+
+### Certificate Analysis
+- **Valid:** [YES/NO]
+- **Issuer:** [CA]
+- **Expiry:** [DATE]
+- **Chain Valid:** [YES/NO]
+- **Subject Alternative Names:** [SANS]
+
+### Cipher Suite Analysis
+- **Weak Ciphers:** [RC4, DES, etc.]
+- **Strong Ciphers:** [AES-GCM, ChaCha20, etc.]
+- **Perfect Forward Secrecy:** [YES/NO]
+- **TLS 1.3 Support:** [YES/NO]
+
+### Protocol Support
+- SSL 2.0: [DISABLED/ENABLED]
+- SSL 3.0: [DISABLED/ENABLED]
+- TLS 1.0: [DISABLED/ENABLED]
+- TLS 1.1: [DISABLED/ENABLED]
+- TLS 1.2: [ENABLED]
+- TLS 1.3: [ENABLED]
+
+## Attack Surface Summary
+
+**Total Attack Surface:**
+- Open TCP Ports: [COUNT]
+- Open UDP Ports: [COUNT]
+- Web Applications: [COUNT]
+- Database Services: [COUNT]
+- Admin Interfaces: [COUNT]
+- Legacy Services: [COUNT]
+
+**High-Risk Exposure:**
+- Unencrypted Services: [COUNT]
+- Default Credentials: [COUNT]
+- Outdated Software: [COUNT]
+- Missing Security Headers: [COUNT]
+
+## Security Recommendations
+
+### Immediate Actions (0-7 days)
+1. Patch critical vulnerabilities ([CVE-LIST])
+2. Disable unnecessary services
+3. Update outdated software versions
+4. Fix SSL/TLS configuration issues
+
+### Short-term (1-4 weeks)
+1. Implement network segmentation
+2. Deploy Web Application Firewall (WAF)
+3. Enable security headers on web services
+4. Conduct penetration testing
+
+### Long-term (1-3 months)
+1. Implement intrusion detection/prevention (IDS/IPS)
+2. Deploy security information and event management (SIEM)
+3. Establish vulnerability management program
+4. Conduct regular security assessments
+
+## Next Steps
+
+**Recommended Follow-up:**
+- Exploitation testing (requires EXPLOITATION authorization level)
+- Web application security assessment
+- Wireless network assessment
+- Social engineering assessment
+- Physical security assessment
+
+---
+
+**Classification:** CONFIDENTIAL
+**Distribution:** Authorized Personnel Only
+**Engagement ID:** [ENGAGEMENT_ID]
+```
+
+## Usage Examples
+
+**Basic Network Scan:**
+```
+User: "/sc:security-scan 192.168.1.0/24"
+
+Response:
+1. Check authorization for 192.168.1.0/24
+2. Activate penetration-tester agent
+3. Execute host discovery
+4. Perform port scanning
+5. Enumerate services
+6. Detect operating systems
+7. Run vulnerability scans
+8. Generate comprehensive report
+9. Save to: reports/scan-192.168.1.0-24-[DATE].md
+```
+
+**Single Host Deep Scan:**
+```
+User: "/sc:security-scan 192.168.1.10 --deep"
+
+Response:
+1. Verify authorization
+2. Full TCP/UDP port scan
+3. Aggressive service version detection
+4. OS fingerprinting
+5. Vulnerability assessment with multiple tools
+6. SSL/TLS comprehensive analysis
+7. Generate detailed host report
+```
+
+**Web Application Scan:**
+```
+User: "/sc:security-scan https://app.example.com --web"
+
+Response:
+1. Check authorization for app.example.com
+2. Technology stack detection
+3. Directory enumeration
+4. SSL/TLS configuration
+5. HTTP security headers
+6. OWASP ZAP automated scan
+7. Generate web-focused report
+```
+
+## Output
+
+Save scan report to:
+```
+reports/scan-[TARGET]-[TIMESTAMP].md
+```
+
+Log operation:
+```javascript
+await authChecker.logOperation({
+  type: 'active_scanning',
+  target: target,
+  result: 'completed',
+  findings_count: findings.length,
+  critical_count: criticalFindings.length,
+  user: process.env.USER
+});
+```
+
+## Error Handling
+
+**No Authorization:**
+```
+❌ Authorization Required
+
+Target: 192.168.1.0/24 is NOT in authorized scope.
+
+Authorized targets:
+  - 192.168.100.0/24
+  - *.example.com
+
+This target requires authorization before scanning.
+```
+
+**Insufficient Authorization Level:**
+```
+❌ Insufficient Authorization Level
+
+Required: ACTIVE
+Current: PASSIVE
+
+Active scanning requires ACTIVE authorization level.
+Passive reconnaissance only with PASSIVE level.
+```
+
+**No Target Provided:**
+```
+❌ Target Required
+
+Usage: /sc:security-scan <target>
+
+Examples:
+  /sc:security-scan 192.168.1.0/24
+  /sc:security-scan 192.168.1.10
+  /sc:security-scan example.com
+```
+
+---
+
+**Agent:** penetration-tester
+**Authorization Level:** ACTIVE
+**Version:** 1.0.0