npm - pentesting - Versions diffs - 0.24.2 → 0.24.4 - Mend

pentesting 0.24.2 → 0.24.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +3 -11
package/dist/main.js +709 -74
package/dist/prompts/ctf-mode.md +212 -13
package/dist/prompts/strategy.md +51 -0
package/dist/prompts/techniques/crypto.md +139 -0
package/dist/prompts/techniques/forensics.md +268 -44
package/dist/prompts/techniques/pwn.md +336 -51
package/package.json +2 -2

package/dist/prompts/techniques/forensics.md CHANGED Viewed

@@ -1,89 +1,313 @@
-# Forensics & Steganography Techniques
+# Forensics & Steganography — Comprehensive CTF Guide
+> **Cross-ref**: file-attacks.md (file operations), pwn.md (binary analysis)
+## Phase 0: File Analysis — Universal First Steps
-## File Analysis
 ```
-First steps with any file:
-├── file <file>          → identify type
+With ANY unknown file:
+├── file <file>          → identify type (NEVER trust extension alone!)
 ├── strings <file>       → extract readable strings
-├── strings -el <file>   → UTF-16 strings (Windows)
-├── xxd <file> | head    → hex dump
+├── strings -el <file>   → UTF-16 strings (Windows executables)
+├── xxd <file> | head    → hex dump first bytes (check magic bytes)
 ├── exiftool <file>      → metadata (GPS, creator, timestamps, hidden fields)
 ├── binwalk <file>       → embedded files/filesystems
 │   └── binwalk -e <file>  → extract embedded files
-└── foremost <file>      → file carving
+├── foremost <file>      → file carving (alternative to binwalk)
+└── entropy analysis:
+    binwalk -E <file>    → high entropy = encrypted/compressed
+Magic bytes quick reference:
+├── 89 50 4E 47      → PNG
+├── FF D8 FF         → JPEG
+├── 47 49 46 38      → GIF
+├── 50 4B 03 04      → ZIP (also DOCX, XLSX, APK, JAR)
+├── 1F 8B            → GZIP
+├── 42 5A 68         → BZIP2
+├── 7F 45 4C 46      → ELF (Linux binary)
+├── 4D 5A            → PE (Windows executable)
+├── 25 50 44 46      → PDF
+├── D0 CF 11 E0      → MS Office (OLE2) — DOC, XLS, PPT
+├── 52 49 46 46      → RIFF (WAV, AVI, WebP)
+└── 00 00 00 18/20   → MP4 (ftyp)
+File repair:
+├── Corrupted header? → fix magic bytes manually with hex editor
+├── PNG: pngcheck -v <file> → diagnose chunk errors
+│   Fix CRC: python3 script to recalculate chunk CRC
+│   Fix IHDR: width/height may be wrong → brute-force dimensions
+├── ZIP: zip -FF corrupt.zip --out fixed.zip → repair archive
+└── JPEG: truncated? → might still have flag in extractable data
 ```
 ## Steganography
 ```
-Image stego:
+═══════════════════════════════════════
+Image Steganography:
+═══════════════════════════════════════
+JPEG:
 ├── steghide extract -sf <image.jpg> -p ""    → try empty password first
 ├── steghide extract -sf <image.jpg> -p <pw>  → with password
-├── stegseek <image.jpg> /usr/share/wordlists/rockyou.txt  → brute force
-├── zsteg <image.png>    → PNG/BMP LSB analysis
-├── pngcheck <image.png> → PNG structure validation
-├── Compare file size to expected → hidden data after IEND (PNG) or EOI (JPEG)
-└── CyberChef: Extract LSB, XOR, decompress
-Audio stego:
-├── Audacity: spectrogram view (View → Spectrogram)
-├── sonic-visualiser: layer analysis
-├── DTMF decoder: for phone tones
-├── morse-decoder: for morse code audio
-└── Look for hidden images in spectrograms
-Text stego:
+├── stegseek <image.jpg> rockyou.txt          → brute force steghide password
+├── stegcracker <image.jpg> rockyou.txt       → alternative brute force
+├── jsteg reveal <image.jpg>                  → jsteg extraction
+└── outguess -r <image.jpg> output.txt        → outguess extraction
+PNG / BMP:
+├── zsteg <image.png>              → LSB analysis (multiple channels, orders)
+├── zsteg -a <image.png>           → try ALL extraction methods
+├── pngcheck -v <image.png>        → PNG structure validation
+├── IDAT chunks: hidden data after IEND marker
+│   python3 -c "data=open('img.png','rb').read(); print(data[data.index(b'IEND')+8:])"
+├── LSB manual extraction:
+│   from PIL import Image
+│   img = Image.open('img.png')
+│   bits = ''.join(str(px & 1) for px in img.getdata() for _ in [px] if isinstance(px, int))
+│   # or for RGB: iterate R,G,B channels separately
+└── Compare two similar images:
+    compare <img1> <img2> diff.png  (ImageMagick)
+    → pixel differences often reveal hidden data
+GIF:
+├── Multiple frames may hide data across frames
+├── identify -verbose <file.gif> → frame count
+├── convert <file.gif> frame_%d.png → extract all frames
+└── Hidden frame with very short display time
+General image:
+├── StegSolve.jar → visual analysis (bit plane viewer, color channels)
+├── CyberChef: Extract LSB
+├── Compare file size to expected → hidden data appended
+└── Check alpha channel (transparency) for hidden data
+    from PIL import Image
+    img = Image.open('img.png').split()[-1]  # alpha channel
+═══════════════════════════════════════
+Audio Steganography:
+═══════════════════════════════════════
+├── Audacity → spectrogram view (Analyze → Plot Spectrum or View → Spectrogram)
+│   Hidden images/text visible in frequency domain
+├── sonic-visualiser → detailed spectrogram layers
+├── DTMF decoder → phone dial tones (multimon-ng)
+├── morse-decoder → morse code in audio
+├── wav hidden data:
+│   python3 → read raw samples → LSB extraction
+│   stegolsb wavsteg -r -i audio.wav -o output.txt
+├── SSTV (Slow-Scan Television):
+│   qsstv or RX-SSTV → decode image from audio signal
+│   Common in space/radio-themed CTFs
+└── mp3stego → MP3-specific steganography
+═══════════════════════════════════════
+Text / Document Steganography:
+═══════════════════════════════════════
 ├── Whitespace stego: stegsnow -C <file>
-├── Zero-width characters: Unicode U+200B, U+200C, U+200D
-└── Line-ending manipulation: CRLF vs LF patterns
+│   Tabs and spaces encode binary data at end of lines
+├── Zero-width characters: Unicode U+200B, U+200C, U+200D, U+FEFF
+│   cat -v <file> | grep -o '\xE2\x80[\x8B-\x8F]' → detect
+├── Homoglyph attacks: visually identical but different Unicode chars
+│   'а' (Cyrillic) vs 'a' (Latin) → different bytes
+├── Line-ending manipulation: CRLF vs LF patterns encode bits
+├── PDF steganography:
+│   ├── pdf-parser.py <file.pdf> → analyze objects
+│   ├── Hidden JavaScript: /JavaScript, /JS keys
+│   ├── Embedded files in PDF streams
+│   ├── Invisible text (white on white)
+│   └── pdftotext <file.pdf> → extract all text
+└── Office documents (DOCX/XLSX):
+    ├── unzip <file.docx> → extract XML contents
+    ├── Hidden text (white font, tiny size)
+    ├── Document properties / custom metadata
+    └── Embedded OLE objects / macros
 ```
 ## Network Forensics (PCAP)
 ```
+═══════════════════════════════════════
 Wireshark / tshark analysis:
+═══════════════════════════════════════
 ├── tshark -r file.pcap -T fields -e data     → raw data extraction
 ├── tshark -r file.pcap -Y "http" -T fields -e http.request.uri
 ├── tshark -r file.pcap -Y "ftp" -T fields -e ftp.request.arg
 ├── Follow TCP stream: tcp.stream eq <N>
 ├── Export HTTP objects: File → Export Objects → HTTP
-├── DNS exfiltration: Check TXT records for base64 data
-├── ICMP tunneling: Check data field in ICMP packets
-└── Extract files: binwalk, foremost on raw TCP stream data
+└── Statistics → Protocol Hierarchy → see what protocols are used
-Key filters:
+═══════════════════════════════════════
+Common PCAP patterns in CTF:
+═══════════════════════════════════════
+├── HTTP: credentials in POST, file downloads, flag in response
+├── FTP: RETR/STOR commands → extract transferred files
+│   tshark -r file.pcap -Y "ftp-data" -T fields -e data | xxd -r -p > extracted
+├── DNS exfiltration:
+│   ├── Subdomain encoding: base64/hex data in query names
+│   ├── TXT records containing hidden data
+│   └── tshark -r file.pcap -Y "dns.qry.type==16" -T fields -e dns.txt
+├── ICMP tunneling:
+│   ├── Data hidden in ICMP payload (ping data section)
+│   └── tshark -r file.pcap -Y "icmp" -T fields -e data
+├── TLS/SSL:
+│   ├── If RSA private key available: edit → preferences → TLS → RSA keys
+│   ├── If SSLKEYLOGFILE available: set in TLS preferences → pre-master secret log
+│   └── Check for self-signed certs, weak ciphers, heartbleed
+├── USB keyboard capture:
+│   ├── tshark -r file.pcap -Y "usb.transfer_type==0x01" -T fields -e usbhid.data
+│   └── Map HID keycodes to characters (0x04=a, 0x05=b, ...)
+├── WiFi (802.11):
+│   ├── aircrack-ng file.pcap -w rockyou.txt → crack WPA
+│   └── airdecap-ng -p <password> file.pcap → decrypt traffic
+└── Custom protocols:
+    ├── Unknown ports → analyze payload patterns manually
+    └── Scapy: rdpcap('file.pcap') → programmatic analysis
+═══════════════════════════════════════
+Key Wireshark filters:
+═══════════════════════════════════════
 ├── http.request.method == "POST"  → credential submissions
 ├── ftp.request.command == "PASS"  → FTP passwords
 ├── smtp contains "AUTH"           → email credentials
 ├── tcp.flags.syn == 1             → connection attempts
-└── frame contains "flag"          → direct flag search
+├── frame contains "flag"          → direct flag search
+├── !(arp || dns || mdns)          → filter noise
+├── ip.addr == 10.0.0.1            → specific host traffic
+└── tcp.port == 4444               → specific port (reverse shell?)
 ```
 ## Memory Forensics
 ```
+═══════════════════════════════════════
 Volatility 3 (preferred):
-├── vol3 -f memory.dmp windows.info
+═══════════════════════════════════════
+Profile detection:
+├── vol3 -f memory.dmp banners.Banners     → detect OS
+├── vol3 -f memory.dmp windows.info        → Windows version info
+└── vol3 -f memory.dmp linux.bash          → Linux bash history
+Key plugins — Windows:
 ├── vol3 -f memory.dmp windows.pslist      → process list
-├── vol3 -f memory.dmp windows.filescan    → file handles
+├── vol3 -f memory.dmp windows.pstree      → process tree
 ├── vol3 -f memory.dmp windows.cmdline     → command history
-├── vol3 -f memory.dmp windows.hashdump    → password hashes
-├── vol3 -f memory.dmp windows.netscan     → network connections
+├── vol3 -f memory.dmp windows.filescan    → file handles in memory
 ├── vol3 -f memory.dmp windows.dumpfiles   → extract files
-└── strings memory.dmp | grep -i "flag\|password\|secret"
+│   --pid <PID> → filter by process
+├── vol3 -f memory.dmp windows.hashdump    → SAM password hashes → crack with hashcat!
+├── vol3 -f memory.dmp windows.netscan     → network connections
+├── vol3 -f memory.dmp windows.registry.hivelist → registry hives
+├── vol3 -f memory.dmp windows.registry.printkey → dump registry key
+├── vol3 -f memory.dmp windows.malfind     → detect injected code
+├── vol3 -f memory.dmp windows.envars      → environment variables (FLAG!)
+└── vol3 -f memory.dmp windows.clipboard   → clipboard content
+Key plugins — Linux:
+├── vol3 -f memory.dmp linux.pslist        → processes
+├── vol3 -f memory.dmp linux.bash          → bash history (FLAG!)
+├── vol3 -f memory.dmp linux.check_syscall → rootkit detection
+├── vol3 -f memory.dmp linux.proc.Maps     → memory maps
+└── strings memory.dmp | grep -i "flag\|password\|secret\|key"
+═══════════════════════════════════════
 Volatility 2 (legacy):
-├── vol.py -f memory.dmp imageinfo
-├── vol.py -f memory.dmp --profile=<profile> pslist
-└── vol.py -f memory.dmp --profile=<profile> hashdump
+═══════════════════════════════════════
+├── vol.py -f memory.dmp imageinfo         → determine profile
+├── vol.py -f memory.dmp --profile=<P> pslist
+├── vol.py -f memory.dmp --profile=<P> hashdump
+├── vol.py -f memory.dmp --profile=<P> mimikatz  → credential extraction
+├── vol.py -f memory.dmp --profile=<P> memdump -p <PID> -D output/
+└── vol.py -f memory.dmp --profile=<P> timeliner → timeline analysis
+═══════════════════════════════════════
+Quick wins in memory forensics:
+═══════════════════════════════════════
+├── 1. strings + grep for flag patterns FIRST (fastest!)
+├── 2. Process list → suspicious process? → dump its memory
+├── 3. Command history (cmdline/bash) → look for flag manipulation
+├── 4. Environment variables → flag stored in env
+├── 5. Network connections → hidden services, exfiltration
+├── 6. File scan → find flag.txt, secret.txt in memory
+├── 7. Registry → passwords, recent documents, USB history
+└── 8. Clipboard → copied passwords/flags
 ```
 ## Disk Forensics
 ```
+═══════════════════════════════════════
+Disk / Filesystem Analysis:
+═══════════════════════════════════════
 ├── fdisk -l disk.img               → partition layout
-├── mount -o loop,ro disk.img /mnt  → mount read-only
+├── mmls disk.img                   → partition table (sleuthkit)
+├── mount -o loop,ro,offset=<N> disk.img /mnt  → mount partition
+│   offset = start_sector × 512
 ├── autopsy                         → GUI forensic suite
-├── sleuthkit (fls, icat)          → file system analysis
-│   ├── fls -r disk.img            → list all files (including deleted)
-│   └── icat disk.img <inode>      → extract file by inode
-├── photorec disk.img              → recover deleted files
-└── Check alternate data streams (Windows NTFS):
-    └── dir /r → lists ADS
+├── Sleuthkit tools:
+│   ├── fls -r disk.img            → list all files (including deleted!)
+│   ├── icat disk.img <inode>      → extract file by inode
+│   ├── blkcat disk.img <block>    → read specific block
+│   └── tsk_recover -e disk.img output/ → recover all files
+├── photorec disk.img              → recover deleted files (by file signature)
+├── testdisk disk.img              → partition recovery + file undelete
+└── Check slack space:
+    blkstat disk.img <block>       → check if block is allocated
+═══════════════════════════════════════
+Specific filesystem features:
+═══════════════════════════════════════
+├── NTFS Alternate Data Streams:
+│   ├── dir /r                     → list ADS on Windows
+│   ├── getfattr -R -d /mnt/*     → list ADS on mounted NTFS
+│   └── cat /mnt/file:hidden_stream → read ADS content
+├── ext4 extended attributes:
+│   ├── getfattr -d <file>         → list xattrs
+│   └── Journal: jls / jcat to read deleted journal entries
+├── FAT filesystem:
+│   ├── No file permissions → everything is readable
+│   ├── Deleted files: filename starts with 0xE5
+│   └── Volume label may contain clues
+└── Filesystem timeline:
+    fls -m "/" -r disk.img | mactime -b - > timeline.csv
+    → chronological view of file access/modification/creation
+```
+## Archive Analysis
+```
+Archive forensics:
+├── ZIP:
+│   ├── unzip -l archive.zip       → list contents without extracting
+│   ├── zipinfo archive.zip        → detailed structure
+│   ├── Known-plaintext attack: pkcrack → crack if partial content known
+│   ├── fcrackzip -b -c 'aA1!' -l 1-8 archive.zip → brute force
+│   ├── john --format=zip hash.txt → John the Ripper (zip2john first)
+│   └── Zip slip: path traversal via ../../ in filenames
+├── RAR:
+│   ├── rar2john archive.rar > hash.txt → extract hash
+│   └── hashcat -m 13000 hash.txt wordlist → crack
+├── 7z:
+│   └── 7z l -slt archive.7z     → detailed listing
+├── tar/gz/bz2:
+│   ├── tar tf archive.tar        → list contents
+│   └── Check timestamp/permissions for clues
+└── Nested archives:
+    Multiple compression layers (zip inside gz inside tar)
+    → automate: write script to recursively extract until flag found
+```
+## Firmware Analysis
+```
+├── binwalk -e firmware.bin        → extract filesystem
+├── firmware-mod-kit                → unpack/repack firmware
+├── Common filesystems: squashfs, jffs2, cramfs, yaffs2
+│   unsquashfs extracted/squashfs → mount squashfs
+├── Look for:
+│   ├── /etc/shadow or /etc/passwd → hardcoded credentials
+│   ├── /etc/config/* → configuration files with secrets
+│   ├── *.key, *.pem → private keys
+│   ├── Web interface source code → vulnerabilities
+│   └── Compiled binaries → reverse engineer
+└── Emulation: qemu or firmadyne → run firmware for dynamic analysis
 ```