npm - pentesting - Versions diffs - 0.56.8 → 0.70.2 - Mend

pentesting 0.56.8 → 0.70.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/README.md +2 -2
package/dist/{chunk-CQP3HGEW.js → chunk-FRZJJB6X.js} +16 -0
package/dist/main.js +5109 -4374
package/dist/{process-registry-LAAAYEWU.js → process-registry-P22TUNRK.js} +1 -1
package/dist/prompts/offensive-playbook.md +81 -0
package/dist/prompts/strategist-system.md +34 -0
package/dist/prompts/techniques/ad-attack.md +114 -9
package/dist/prompts/techniques/auth-access.md +165 -21
package/dist/prompts/techniques/enterprise-pentest.md +175 -0
package/dist/prompts/techniques/injection.md +4 -0
package/dist/prompts/techniques/network-svc.md +4 -0
package/dist/prompts/techniques/pivoting.md +205 -0
package/dist/prompts/techniques/privesc.md +4 -0
package/dist/prompts/techniques/pwn.md +187 -3
package/dist/prompts/techniques/shells.md +4 -0
package/dist/prompts/zero-day.md +125 -0
package/package.json +4 -5

package/dist/prompts/zero-day.md CHANGED Viewed

@@ -170,3 +170,128 @@ DISCOVERY → SEARCH → ATTACK → ADAPT → CHAIN → PIVOT → REPEAT
 NEVER give up. ALWAYS search. The answer exists on the internet.
 web_search("how to exploit {specific_thing_you_discovered}")
 ```
+## 🎯 Phase C: DEF CON / Enterprise Level
+### C1: Fuzzing Loop — Write, Compile, Fuzz, Analyze
+```
+When dealing with compiled targets or custom protocols:
+AFL++ / LibFuzzer Loop:
+1. write_file("fuzz_target.c", harness_code)
+   - Harness: reads from stdin → passes to target function
+   - Prototype: int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+2. run_cmd("AFL_USE_ASAN=1 afl-cc -o fuzz_target fuzz_target.c -fsanitize=address")
+3. run_cmd("afl-fuzz -i seed_corpus/ -o findings/ -- ./fuzz_target @@")
+4. Monitor: run_cmd("afl-whatsup findings/")  → crash rate, path coverage
+5. Triage: run_cmd("afl-cmin -i findings/ -o min/ -- ./fuzz_target @@")
+6. Analyze: for crash in findings/crashes/*; do
+              ASAN_OPTIONS=symbolize=1 ./fuzz_target $crash
+            done
+7. Root cause → write exploit
+Network Fuzzer (custom protocol):
+write_file("fuzzer.py", """
+import socket, itertools, random
+def mutate(data):  # bit flip, byte replace, insert/delete
+    ...
+for payload in corpus:
+    s = socket.connect(HOST, PORT)
+    s.send(mutate(payload))
+    response = s.recv(1024)
+    if unusual(response):  log(payload, response)
+""")
+run_cmd("python3 fuzzer.py")
+web_search("AFL++ tutorial custom protocol fuzzing {year}")
+web_search("libfuzzer harness writing guide {binary_type}")
+```
+### C2: Patch Diffing → N-Day/1-Day Exploitation
+```
+When target is slightly behind on patches:
+1. Identify version: banner, file metadata, build strings
+2. Find next patched version:
+   web_search("{software} {version} → {next_version} security changelog")
+   web_search("{software} CVE {year} patch commit")
+3. If open source → diff:
+   git clone {repo}
+   git diff v{old_version} v{new_version} -- {likely_vuln_files}
+   → Look for: bounds checks added, condition added before dangerous call
+4. Understand the vulnerability class from the diff
+5. Craft exploit targeting the exact unfixed version
+6. Test locally with same version → adapt to remote
+Patch diffing tools:
+├── bindiff (IDA plugin): binary-level diff between versions
+├── diaphora (free alternative): similar to bindiff
+├── patchdiff2: older but works
+└── web_search("bindiff tutorial patch diffing binary exploitation")
+```
+### C3: Variant Hunting — Known Bug Class, Unknown Instances
+```
+Once you find ONE vulnerability, hunt for variants:
+Source code search:
+grep -rn "same_dangerous_pattern" src/
+grep -rn "similar_function_name" --include="*.c" .
+Binary variant hunting:
+├── If SQLi here → test ALL similar parameters in ALL endpoints
+├── If UAF in module A → check module B's dealloc order
+├── If path traversal in /upload → test /backup, /export, /download
+IDOR/Logic flaw variants:
+├── Found IDOR on id= → test: user_id= order_id= doc_id= ref= token=
+├── Found admin bypass via X-Role header → test ALL other privilege endpoints
+└── Found TOCTOU in open() → check other syscall pairs: stat()+open(), lstat()+open()
+Automated variant search:
+write_file("variant_hunter.py", """
+import requests
+ENDPOINTS = ['/api/v1/user', '/api/v1/order', '/api/v2/...']
+PAYLOADS = [...]  # from original finding
+for ep in ENDPOINTS:
+    for p in PAYLOADS:
+        r = requests.get(f'BASE_URL{ep}', params=p)
+        if r.status_code != 403:
+            print(f'POTENTIAL: {ep} {p} → {r.status_code}')
+""")
+```
+### C4: Enterprise Internal Network
+```
+Initial foothold → internal network playbook:
+SEGMENT DISCOVERY:
+├── ip route + arp -a + netstat → map known segments
+├── Scan adjacent /24 blocks: nmap -sn 10.{1..20}.0.0/24
+├── DNS enumeration: for i in $(seq 1 254); do host 10.x.x.$i; done
+└── SNMP sweep: onesixtyone -c community.txt -i targets.txt
+CRITICAL INTERNAL SERVICES TO FIND:
+├── Active Directory DC:   88/TCP (Kerberos), 389/389 (LDAP), 636 (LDAPS)
+├── SCCM/WSUS:             8530/HTTP → privilege escalation paths
+├── Exchange/Mail:         25/443 → phishing from internal, relay attacks
+├── Corporate CA:          80 (web enrollment) → ADCS attacks
+├── Jump hosts/bastion:    SSH/RDP → lateral movement hub
+├── Prod databases:        1433/3306/5432 → credential reuse + data dump
+├── DevOps infra:          8080(Jenkins)/9090(Prometheus)/9000(SonarQube)
+│                          → often weak auth → code execution
+└── Cloud endpoints:       169.254.169.254 (AWS/Azure metadata) → IAM creds
+AD FOREST ATTACKS:
+├── Forest trust → SID history → Enterprise Admin across forests
+├── External trusts → kerberoast across trust → crack → access other domain
+└── web_search("active directory forest trust attack SID filtering bypass {year}")
+CLOUD PIVOT (when enterprise uses hybrid):
+├── From on-prem → find AWS/Azure creds in env vars, files, secrets managers
+│   env | grep -i aws/azure/gcp/secret
+│   find / -name "*.env" -o -name "credentials" -o -name "*.pem" 2>/dev/null
+├── AWS: aws sts get-caller-identity → role → escalate via misconfigured policies
+├── Azure: az account list → subscriptions → VMs → managed identity → creds
+└── web_search("cloud privilege escalation {provider} misconfiguration {year}")
+```

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pentesting",
-  "version": "0.56.8",
+  "version": "0.70.2",
   "description": "Autonomous Penetration Testing AI Agent",
   "type": "module",
   "main": "dist/main.js",
@@ -11,7 +11,6 @@
   "files": [
     "dist",
     "skills",
-    "src/agents/specs",
     "README.md"
   ],
   "scripts": {
@@ -19,7 +18,7 @@
     "dev:tsx": "tsx src/platform/tui/main.tsx",
     "build": "tsup",
     "start": "node dist/main.js",
-    "test": "mkdir -p .vitest && TMPDIR=.vitest vitest run && rm -rf .vitest .pentesting",
+    "test": "mkdir -p .vitest && TMPDIR=.vitest npx vitest run && rm -rf .vitest .pentesting",
     "test:watch": "vitest",
     "lint": "tsc --noEmit",
     "prepublishOnly": "npm run build",
@@ -36,9 +35,9 @@
     "type": "git",
     "url": "git+https://github.com/agnusdei1207"
   },
-  "homepage": "https://pentesting.agnusdei.kr",
+  "homepage": "https://agnusdei1207.github.io/brainscience/",
   "bugs": {
-    "url": "https://github.com/agnusdei1207"
+    "url": "https://agnusdei1207.github.io/brainscience/"
   },
   "keywords": [
     "penetration-testing",