npm - rtexit-method - Versions diffs - 0.1.14 → 0.1.15 - Mend

rtexit-method 0.1.14 → 0.1.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/packaged-assets/.agents/skills/rt-mobile-static-deep/SKILL.md ADDED Viewed

@@ -0,0 +1,262 @@
+---
+name: rt-mobile-static-deep
+description: "Deep static analysis of mobile apps — MobSF automated scanning, manual jadx source review, secret scanning (API keys, tokens, hardcoded creds), native library analysis (.so files with Ghidra/radare2), third-party SDK vulnerability hunting, obfuscation bypass, APK/IPA binary analysis. Foundation of every mobile pentest before dynamic testing."
+---
+> 🐳 **Docker Environment (Recommended):** `docker exec -it rtexit-kali bash`
+# rt-mobile-static-deep — Mobile App Static Analysis
+## Overview
+Static analysis reveals hardcoded secrets, insecure code patterns, weak cryptography, and attack surfaces before running a single line of code. Should be the FIRST step in any mobile pentest.
+**What you find:**
+- Hardcoded API keys, tokens, passwords
+- Backend endpoints and internal hostnames
+- Cryptographic weaknesses
+- Exported components and deep links
+- Third-party SDK vulnerabilities
+- Native library vulnerabilities
+---
+## Phase 1: MobSF — Automated Full Scan
+```bash
+docker exec rtexit-kali bash -c "
+# Run MobSF Docker (fastest setup)
+docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
+# Upload APK/IPA via browser: http://localhost:8000
+# Or via API:
+curl -s 'http://localhost:8000/api/v1/upload' \
+  -H 'Authorization: YOUR_API_KEY' \
+  -F 'file=@target.apk' > /tmp/upload.json
+SCAN_HASH=\$(cat /tmp/upload.json | python3 -c \"import json,sys; print(json.load(sys.stdin)['hash'])\")
+# Run scan
+curl -s 'http://localhost:8000/api/v1/scan' \
+  -H 'Authorization: YOUR_API_KEY' \
+  -d \"scan_type=apk&file_name=target.apk&hash=\${SCAN_HASH}\"
+# Get JSON report
+curl -s \"http://localhost:8000/api/v1/report_json\" \
+  -H 'Authorization: YOUR_API_KEY' \
+  -d \"hash=\${SCAN_HASH}\" > /tmp/mobsf_report.json
+# Extract key findings
+python3 -c \"
+import json
+r = json.load(open('/tmp/mobsf_report.json'))
+print('=== Hardcoded Secrets ===')
+for s in r.get('secrets', []): print(' -', s)
+print('=== URLs ===')
+for u in r.get('urls', []): print(' -', u['url'])
+print('=== HIGH findings ===')
+for k, v in r.get('code_analysis', {}).get('findings', {}).items():
+    if v.get('level') == 'high': print(' -', k, ':', v.get('cvss'))
+\"
+"
+```
+---
+## Phase 2: Secret Scanning
+```bash
+docker exec rtexit-kali bash -c "
+# Decompile APK
+apktool d target.apk -o /tmp/target_dc
+jadx -d /tmp/target_java target.apk 2>/dev/null
+# Comprehensive secret scan
+# Tool: trufflehog
+pip3 install trufflehog3 2>/dev/null
+trufflehog filesystem /tmp/target_java/ --json > /tmp/secrets.json
+cat /tmp/secrets.json | python3 -m json.tool | grep -A3 'reason\|stringsFound'
+# Manual grep patterns
+echo '=== API Keys ==='
+grep -rE '(api[_-]?key|apikey)\s*[=:]\s*[\"'\'']\w{20,}' /tmp/target_java/ -i
+echo '=== AWS Keys ==='
+grep -rE 'AKIA[0-9A-Z]{16}' /tmp/target_java/
+echo '=== JWT Tokens ==='
+grep -rE 'eyJ[A-Za-z0-9+/=]{10,}\.[A-Za-z0-9+/=]{10,}' /tmp/target_java/
+echo '=== Hardcoded passwords ==='
+grep -rE '(password|passwd|pwd)\s*[=:]\s*[\"'\'']\w{4,}' /tmp/target_java/ -i
+echo '=== Private keys ==='
+grep -r 'BEGIN.*PRIVATE KEY\|BEGIN RSA\|BEGIN EC' /tmp/target_java/ -l
+echo '=== Firebase URLs ==='
+grep -rE 'firebaseio\.com|firebase\.google\.com' /tmp/target_java/
+echo '=== Google Maps API Key ==='
+grep -rE 'AIza[0-9A-Za-z-_]{35}' /tmp/target_java/
+"
+```
+---
+## Phase 3: Endpoint Discovery
+```bash
+docker exec rtexit-kali bash -c "
+# Extract all URLs and endpoints from source
+echo '=== HTTPS Endpoints ==='
+grep -rEoh 'https?://[^\"'\'')\s]{10,}' /tmp/target_java/ | sort -u | grep -v 'schema\|xmlns\|android\|google.com/design'
+echo '=== API Base URLs ==='
+grep -rEi 'base_?url|api_?url|endpoint|host_?url' /tmp/target_java/ | grep -oE '\"[^\"]*\"' | sort -u
+echo '=== IP Addresses ==='
+grep -rEoh '\b([0-9]{1,3}\.){3}[0-9]{1,3}(:[0-9]+)?\b' /tmp/target_java/ | grep -v '0\.0\.0\|127\.0\.0\|255\.255' | sort -u
+echo '=== WebSocket URLs ==='
+grep -rEoh 'wss?://[^\"'\'')\s]+' /tmp/target_java/ | sort -u
+"
+```
+---
+## Phase 4: AndroidManifest Deep Analysis
+```bash
+docker exec rtexit-kali bash -c "
+MANIFEST=/tmp/target_dc/AndroidManifest.xml
+echo '=== Package + Permissions ==='
+grep 'package\|uses-permission' \$MANIFEST | sort
+echo '=== DANGEROUS permissions ==='
+grep 'uses-permission' \$MANIFEST | grep -iE 'READ_SMS|READ_CONTACTS|READ_CALL_LOG|CAMERA|RECORD_AUDIO|ACCESS_FINE_LOCATION|PROCESS_OUTGOING_CALLS|BIND_ACCESSIBILITY'
+echo '=== Exported components (attack surface) ==='
+grep -E 'activity|service|receiver|provider' \$MANIFEST | grep 'exported=\"true\"'
+echo '=== Deep links / intent filters ==='
+grep -A5 'intent-filter' \$MANIFEST | grep -E 'scheme|host|path'
+echo '=== Debuggable flag ==='
+grep 'debuggable' \$MANIFEST
+echo '=== Backup flag ==='
+grep 'allowBackup' \$MANIFEST
+echo '=== Network security config ==='
+grep 'networkSecurityConfig' \$MANIFEST
+"
+```
+---
+## Phase 5: Native Library Analysis
+```bash
+docker exec rtexit-kali bash -c "
+# Extract and analyze .so files
+unzip target.apk 'lib/arm64-v8a/*.so' -d /tmp/libs/
+ls /tmp/libs/lib/arm64-v8a/
+# Quick strings analysis on each .so
+for lib in /tmp/libs/lib/arm64-v8a/*.so; do
+  echo \"=== \$lib ===\"
+  strings \"\$lib\" | grep -iE 'password|secret|api[_-]?key|token|http|base64|des|aes|rsa' | head -20
+done
+# Check for known vulnerable native libraries
+strings /tmp/libs/lib/arm64-v8a/*.so | grep -E 'OpenSSL|libcurl' | head -5
+# Look up CVEs for the versions found
+# Deeper analysis with radare2
+r2 /tmp/libs/lib/arm64-v8a/libapp.so
+# In r2:
+# aaa       → analyze all
+# afl       → list all functions
+# pdf @sym.verify_pin   → disassemble specific function
+"
+```
+---
+## Phase 6: Cryptographic Analysis
+```bash
+docker exec rtexit-kali bash -c "
+# Find cryptographic usage patterns in source
+echo '=== Weak algorithms ==='
+grep -rE 'DES[^3]|MD5|SHA1[^_]|RC4|ECB' /tmp/target_java/ -i | grep -v '//\|test\|Test'
+echo '=== Hardcoded IV / Keys ==='
+grep -rE 'IvParameterSpec|SecretKeySpec' /tmp/target_java/ -A2 | grep -E 'new byte\[\]|getBytes'
+echo '=== Insecure random ==='
+grep -rE 'new Random\(\)|Math\.random' /tmp/target_java/ | grep -v 'SecureRandom'
+echo '=== Keystore usage (secure vs insecure) ==='
+grep -rE 'KeyStore|AndroidKeyStore|KeyGenerator' /tmp/target_java/ -l
+# If NOT using AndroidKeyStore → keys stored insecurely
+"
+```
+---
+## Phase 7: Third-Party SDK Vulnerability Check
+```bash
+docker exec rtexit-kali bash -c "
+# Extract all third-party SDKs/libraries
+grep -r 'implementation\|compile' /tmp/target_java/ 2>/dev/null | grep -oE \"'[^']+:[^']+:[^']+'\"|sort -u
+# Check for known vulnerable SDKs from strings in APK
+strings /tmp/target_apk/classes*.dex | grep -E 'com\.(facebook|google|firebase|amazonaws|stripe|braintree|okhttp|retrofit)' | sort -u | head -30
+# Check OkHttp version (critical — many CVEs)
+grep -r 'okhttp' /tmp/target_java/ | grep -oE 'okhttp:[0-9]+\.[0-9]+\.[0-9]+' | sort -u
+"
+```
+---
+## iOS Static Analysis
+```bash
+docker exec rtexit-kali bash -c "
+# Extract IPA
+unzip target.ipa -d /tmp/ipa_extracted/
+APP_DIR=\$(find /tmp/ipa_extracted/Payload -name '*.app' -type d)
+# Binary analysis
+file \$APP_DIR/TargetApp
+# Check: encryption, architecture
+# Strings
+strings \$APP_DIR/TargetApp | grep -iE 'api[_-]?key|secret|password|http|token' | head -50
+# class-dump (get all Obj-C class declarations)
+class-dump \$APP_DIR/TargetApp > /tmp/classes.h
+grep -i 'password\|token\|pin\|secret\|auth' /tmp/classes.h | head -30
+# Check Info.plist (often has API keys, URLs)
+plutil -p \$APP_DIR/Info.plist 2>/dev/null || python3 -c \"
+import plistlib
+with open('\$APP_DIR/Info.plist', 'rb') as f:
+    plist = plistlib.load(f)
+    for k, v in plist.items():
+        if any(x in k.lower() for x in ['key', 'secret', 'token', 'url', 'api']):
+            print(k, '=', v)
+\"
+"
+```
+---
+## Related Skills
+- `rt-exploit-android` — dynamic testing following static findings
+- `rt-exploit-ios` — iOS dynamic testing
+- `rt-frida-advanced` — confirm static findings at runtime
+- `rt-android-intent-exploitation` — exploit exported components found in manifest
+## References
+- https://github.com/MobSF/Mobile-Security-Framework-MobSF
+- https://owasp.org/www-project-mobile-application-security-design-guide/
+- https://attack.mitre.org/techniques/T1418/ — Software Discovery

package/tools/installer/lib/profiles.js CHANGED Viewed

@@ -104,11 +104,20 @@ const PROFILES = {
   mobile: {
     label: 'Mobile',
-    description: 'Android, iOS, Bluetooth/BLE',
+    description: 'Android, iOS, BLE, Frida, SSL bypass, cross-platform, C2',
     skills: [
+      // Core mobile
       'rt-exploit-android',
       'rt-exploit-ios',
       'rt-bluetooth-ble',
+      // Advanced mobile (new)
+      'rt-frida-advanced',
+      'rt-mobile-ssl-pinning',
+      'rt-apk-repackaging',
+      'rt-android-intent-exploitation',
+      'rt-cross-platform-mobile',
+      'rt-mobile-malware-c2',
+      'rt-mobile-static-deep',
     ],
   },