diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index 6ffa217..0000000 Binary files a/.DS_Store and /dev/null differ diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4a5bb25 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +__pycache__/ +*.py[cod] +.DS_Store diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 0000000..81fe142 --- /dev/null +++ b/AGENTS.md @@ -0,0 +1,42 @@ +# Repository Guidance for Codex Agents + +## Project purpose + +`skills-red` is a cross-platform offensive-security skill library for Claude and Codex, forked from Claude Red. The repository ships portable `SKILL.md` files for authorized red-team, penetration-testing, bug-bounty, CTF, and security-research workflows. + +## Safety boundaries + +- Keep examples scoped to authorized testing and lab/CTF contexts. +- Do not add real victim infrastructure, credentials, customer data, or destructive defaults. +- Preserve responsible-disclosure and evidence-handling guidance when editing reporting or exploit content. + +## Skill format + +- Skills live at `Skills///SKILL.md`. +- The folder name must match the frontmatter `name` value. +- Codex uses the frontmatter `name` and `description` for skill discovery; keep descriptions specific and trigger-rich. +- Prefer concise, operator-useful instructions over generic background. +- Use language tags on code blocks. + +## Codex packaging expectations + +- Codex installs skills as `$CODEX_HOME/skills//SKILL.md` (default `$CODEX_HOME` is `~/.codex`). +- `./install.sh --platform codex` flattens category folders into individual Codex skill directories. +- `./install.sh --platform claude` preserves the Claude-compatible category tree. +- Regenerate manifests after skill or metadata changes: + +```bash +python3 tools/build_manifest.py +``` + +## Verification + +Before claiming completion for repository changes, run the narrowest relevant checks: + +```bash +python3 tools/build_manifest.py +./install.sh --platform codex --dry-run +./install.sh --platform claude --dry-run +``` + +For shell changes, also run `bash -n install.sh`. diff --git a/CHANGELOG.md b/CHANGELOG.md index c7c6690..397152c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,20 @@ # Changelog -All notable changes to `claude-red` are documented here. The library follows a phased roadmap (see [README.md](README.md#roadmap)). Versions follow [Semantic Versioning](https://semver.org/) where breaking changes mean skill renames, removals, or category restructures. +All notable changes to `skills-red` are documented here. The library follows a phased roadmap (see [README.md](README.md#roadmap)). Versions follow [Semantic Versioning](https://semver.org/) where breaking changes mean skill renames, removals, or category restructures. ## [Unreleased] +### Added + +- Cross-platform installation paths in `install.sh` for Codex, Claude, and OpenCode, selected explicitly by prompt or `--platform`. +- `codex-skills.json` and `opencode-skills.json` manifests generated alongside the Claude-compatible manifest. +- Root `AGENTS.md` with cross-platform repository operating guidance. + +### Changed + +- README and contributor guidance now document Codex, Claude, and OpenCode as first-class installation targets with no default installer platform. +- Legacy platform-specific skill headings now use platform-neutral `Operational Instructions`. + ### Planned - Phase 1 — Internal AD/Windows split (16 skills) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c9a599e..346ccdf 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,11 +1,11 @@ -# Contributing to claude-red +# Contributing to skills-red Thanks for contributing. This guide explains the skill format, the review process, and the conventions to keep the library coherent as it grows. ## Quick Rules 1. **One skill, one surface.** Prefer focused skills (`offensive-kerberoasting`) over monolithic overviews (`offensive-active-directory`). -2. **YAML frontmatter is required.** Skills without it won't load via the Claude Skills system. +2. **YAML frontmatter is required.** Skills without it won't load reliably via Codex or Claude skill discovery. 3. **Cite sources.** Every technique should be attributable. Link CVEs, advisories, original research. 4. **No unauthorized targeting.** Don't include hardcoded victim domains, real customer data, or credentials. 5. **Use code blocks with language tags.** It's how Claude (and humans) parse them best. @@ -27,11 +27,11 @@ The folder name **must** match the `name:` field in the frontmatter. ```yaml --- name: offensive- -description: "One paragraph (50–500 words). State the surface, the techniques covered, and when to use this skill. Claude uses this for trigger matching — be specific about scenarios, tools, and sub-topics." +description: "One paragraph (50–500 words). State the surface, the techniques covered, and when to use this skill. Codex uses this for trigger matching — be specific about scenarios, tools, and sub-topics." --- ``` -The `description` is what Claude matches against. Make it dense with relevant terms an operator would mention. Avoid marketing language. +The `description` is what Codex and Claude use for trigger matching. Make it dense with relevant terms an operator would mention. Avoid marketing language. ### Body Structure (recommended) @@ -89,8 +89,13 @@ The `description` is what Claude matches against. Make it dense with relevant te 3. Write the frontmatter and body following the structure above. 4. Update [`README.md`](README.md) — add the skill to the relevant category table. 5. Update [`CHANGELOG.md`](CHANGELOG.md) under the next version. -6. Update [`claude-skills.json`](claude-skills.json) if it exists (run `python tools/build_manifest.py` if available). -7. Run any local lint: +6. Update the generated manifests (`claude-skills.json`, `codex-skills.json`, and `opencode-skills.json`) by running `python3 tools/build_manifest.py`. +7. Confirm the generated manifests are fresh: + ```bash + python3 tools/check_manifest_fresh.py + ``` + Manifest install paths preserve `skills-red//` under each platform skill root; update `tools/platform_defaults.sh` rather than editing generated JSON by hand. +8. Run any local lint: ```bash ./tools/check-skill.sh Skills///SKILL.md ``` @@ -107,7 +112,7 @@ When a skill grows beyond one surface (e.g. `offensive-wifi` covering WPA2, WPA3 1. Keep the original as a brief overview that points to the new focused skills 2. Move detailed content into new per-surface skills -3. Update README, CHANGELOG, and the manifest +3. Update README, CHANGELOG, and the generated manifests The roadmap in README tracks current splits. @@ -131,7 +136,7 @@ Expect one round of review. Maintainers may request edits before merging. - Tooling that has destructive defaults without warnings - Bypasses for vendor-mandated security telemetry without legitimate red team context - Content under non-MIT-compatible licenses -- AI-generated skills without operator review (use Claude to draft, then verify and edit) +- AI-generated skills without operator review (use Codex or Claude to draft, then verify and edit) --- diff --git a/MINDMAP.md b/MINDMAP.md index a41b359..84954d7 100644 --- a/MINDMAP.md +++ b/MINDMAP.md @@ -1,4 +1,4 @@ -# claude-red — Library Mindmap +# skills-red — Library Mindmap A visual map of every skill in the library, by category. Use it to navigate, to discover skills you didn't know existed, and to spot coverage gaps before an engagement. @@ -10,7 +10,7 @@ References for completeness checking: [MITRE ATT&CK](https://attack.mitre.org/), ```mermaid mindmap - root((claude-red)) + root((skills-red)) Web sqli xss diff --git a/README.md b/README.md index ebffe62..84b1249 100644 --- a/README.md +++ b/README.md @@ -1,16 +1,16 @@ -![claude-red banner](/assets/banner.png) +![skills-red banner](/assets/banner.png)
-# claude-red +# skills-red -**Offensive security skills for Claude — drop-in `SKILL.md` files that turn Claude into a context-aware red team operator.** +**Offensive security skills for Claude, Codex, and OpenCode — portable `SKILL.md` files that turn AI coding agents into context-aware red team operators.** [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE) [![Skills](https://img.shields.io/badge/skills-58-red.svg)](#skill-index) [![Categories](https://img.shields.io/badge/categories-13-orange.svg)](#categories) -[![Stars](https://img.shields.io/github/stars/SnailSploit/claude-red?style=social)](https://github.com/SnailSploit/claude-red) -[![Forks](https://img.shields.io/github/forks/SnailSploit/claude-red?style=social)](https://github.com/SnailSploit/claude-red/network/members) +[![Stars](https://img.shields.io/github/stars/trewwwsec/skills-red?style=social)](https://github.com/trewwwsec/skills-red) +[![Forks](https://img.shields.io/github/forks/trewwwsec/skills-red?style=social)](https://github.com/trewwwsec/skills-red/network/members) Built by **[SnailSploit](https://snailsploit.com)** — GenAI Security Research. @@ -22,6 +22,7 @@ Built by **[SnailSploit](https://snailsploit.com)** — GenAI Security Research. - [What is this](#what-is-this) - [Quickstart](#quickstart) +- [Generated manifests](#generated-manifests) - [Categories](#categories) - [Skill Index](#skill-index) - [Web Application](#web-application) @@ -46,9 +47,9 @@ Built by **[SnailSploit](https://snailsploit.com)** — GenAI Security Research. ## What is this -`claude-red` is a curated library of offensive security skills for the [Claude Skills system](https://docs.claude.com). Each skill is a structured `SKILL.md` file that primes Claude with expert-level methodology for a specific attack surface — from SQLi to shellcode, EDR evasion to ADCS abuse. +`skills-red` is a curated library of offensive security skills for Claude, Codex, and OpenCode skill systems. Each skill is a structured `SKILL.md` file that primes an AI coding agent with expert-level methodology for a specific attack surface — from SQLi to shellcode, EDR evasion to ADCS abuse. -Drop a skill into your Claude environment and it behaves like a specialist: it knows the techniques, the tooling, the edge cases, and the escalation paths. Skills load on demand based on conversational triggers — you don't pay context for skills you aren't using. +Install skills into `$CODEX_HOME/skills/skills-red` for Codex, `~/.claude/skills/skills-red` for Claude, or `~/.config/opencode/skills/skills-red` for OpenCode. The same `SKILL.md` files are portable across all supported platforms; the installer preserves the category tree under the `skills-red` namespace for each platform. **Use it for:** authorized red team engagements, bug bounty triage, security research, CTF preparation, training operators, and exploring attack surfaces methodically. @@ -56,15 +57,60 @@ Drop a skill into your Claude environment and it behaves like a specialist: it k ## Quickstart -### Claude Skills System (recommended) +### Codex Skills System ```bash -# Clone into a directory Claude will scan -git clone https://github.com/SnailSploit/claude-red ~/.claude/skills/claude-red +# Clone this repo and install all skills into ~/.codex/skills/skills-red// +git clone https://github.com/trewwwsec/skills-red +cd skills-red +./install.sh --platform codex # Or install only one category -git clone --filter=blob:none --sparse https://github.com/SnailSploit/claude-red -cd claude-red && git sparse-checkout set Skills/web Skills/active-directory +./install.sh --platform codex --category web +``` + +Restart Codex after installation so the skill metadata is picked up. Current Codex releases recursively discover `SKILL.md` files under `$CODEX_HOME/skills`, so the installer keeps skills namespaced as `$CODEX_HOME/skills/skills-red///SKILL.md`. + +### Manual Codex install + +```bash +mkdir -p ~/.codex/skills/skills-red/web +cp -R Skills/web/offensive-sqli ~/.codex/skills/skills-red/web/offensive-sqli +``` + +### OpenCode Agent Skills + +```bash +# Install all skills into ~/.config/opencode/skills/skills-red// +git clone https://github.com/trewwwsec/skills-red +cd skills-red +./install.sh --platform opencode + +# Or install only one category +./install.sh --platform opencode --category web +``` + +Start a new OpenCode session after installation so the `skill` tool refreshes its available skills. OpenCode's public docs show the simple one-folder layout, but current OpenCode releases recursively scan `SKILL.md` files under configured skill roots (`{skill,skills}/**/SKILL.md` in the upstream loader). The installer relies on that current recursive discovery behavior to keep skills namespaced as `~/.config/opencode/skills/skills-red///SKILL.md`. + +### Manual OpenCode install + +```bash +mkdir -p ~/.config/opencode/skills/skills-red/web +cp -R Skills/web/offensive-sqli ~/.config/opencode/skills/skills-red/web/offensive-sqli +``` + +### Claude Skills System + +```bash +# Upstream Claude Red install into a directory Claude will scan +git clone https://github.com/SnailSploit/claude-red ~/.claude/skills/claude-red +``` + +```bash +# Or install skills-red while preserving Claude's category tree +git clone https://github.com/trewwwsec/skills-red +cd skills-red +./install.sh --platform claude ``` Claude will auto-load matching skills based on conversational triggers (e.g. mentioning SQLi loads `offensive-sqli`). @@ -79,20 +125,48 @@ cat Skills/web/offensive-sqli/SKILL.md | claude --system-file - cat Skills/active-directory/**/SKILL.md | claude --system-file - ``` -### Claude.ai (Manual) - -Paste the contents of a `SKILL.md` into a Project's system prompt or prepend to your conversation. - ### Install Script ```bash -./install.sh # interactive -./install.sh --target ~/.claude/skills # explicit target +./install.sh # prompt for platform, then target +./install.sh --platform codex # Codex install +./install.sh --platform claude # Claude-compatible install +./install.sh --platform opencode # OpenCode agent-skill install +./install.sh --target ~/.codex/skills/skills-red # prompt for platform, explicit target +./install.sh --platform opencode --target ~/.config/opencode/skills/skills-red # explicit OpenCode target ./install.sh --category web # one category +./install.sh --dry-run # prompt for platform and preview copy plan ``` --- +## Generated manifests + +The root `claude-skills.json`, `codex-skills.json`, and `opencode-skills.json` +files are generated distribution indexes, not hand-authored skill sources. They +summarize the `Skills///SKILL.md` tree for platform +tooling, marketplace/index consumers, and release review while keeping each +`SKILL.md` file as the source of truth. + +Manifest `install_path` values are install-location metadata for indexes and review. They intentionally include the `skills-red//` namespace so generated indexes match each platform's target layout after the installer prompts for, or receives, an explicit platform. For Codex and OpenCode this depends on current recursive skill discovery; if either platform drops recursive scanning, update `tools/platform_defaults.sh`, `install.sh`, and regenerated manifests together. Runtime installation behavior, including platform selection, `--target`, `CODEX_HOME`, and `OPENCODE_CONFIG_HOME` overrides, is owned by [`install.sh`](install.sh). + +Regenerate them after any skill metadata, category, or install-path change: + +```bash +python3 tools/build_manifest.py +python3 tools/check_manifest_fresh.py +``` + +The freshness check also validates manifest `install_path` values against the +shared defaults in `tools/platform_defaults.sh`, which are consumed by both the +installer and manifest tooling. + +Do not edit the root manifest JSON files by hand; update the relevant +`SKILL.md` frontmatter or `tools/build_manifest.py`, then regenerate and commit +the resulting manifest diff. + +--- + ## Categories | Category | Skills | Focus | @@ -308,7 +382,7 @@ Contributions welcome. See [CONTRIBUTING.md](CONTRIBUTING.md) for the skill temp
-> *"Give Claude the right skill and it stops being a chatbot. It becomes an operator."* +> *"Give the agent the right skill and it stops being a chatbot. It becomes an operator."*
@@ -320,7 +394,7 @@ Contributions welcome. See [CONTRIBUTING.md](CONTRIBUTING.md) for the skill temp This project's full writeup, methodology, and related research lives at: -**[https://snailsploit.com/claude-red](https://snailsploit.com/claude-red)** +**Upstream:** [https://snailsploit.com/claude-red](https://snailsploit.com/claude-red) Created by **Kai Aizen** — independent offensive security researcher. diff --git a/SECURITY.md b/SECURITY.md index c81b158..c8bee24 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,6 +1,6 @@ # Security Policy -`claude-red` is an offensive security tooling library. Its content describes attack methodologies for use by authorized red team operators, penetration testers, and security researchers. +`skills-red` is an offensive security tooling library. Its content describes attack methodologies for use by authorized red team operators, penetration testers, and security researchers. ## Intended Use @@ -13,7 +13,7 @@ These skills are intended for: These skills are **not** intended for unauthorized access to systems you do not own or do not have explicit, written permission to test. Misuse may violate computer-misuse laws in your jurisdiction (CFAA in the US, Computer Misuse Act in the UK, equivalent statutes elsewhere). -## Reporting a Vulnerability in claude-red Itself +## Reporting a Vulnerability in skills-red Itself If you discover a security issue in this repository — for example a malicious payload accidentally committed, a credential leaked in an example, a typosquat-prone install path, or an unsafe shell command in `install.sh` — please report it privately rather than opening a public issue. @@ -30,7 +30,7 @@ We aim to acknowledge reports within 72 hours and resolve confirmed issues withi ## Reporting a Vulnerability Found Using This Library -If you discover a vulnerability in a third-party product or service while using `claude-red`'s methodologies, follow that vendor's responsible disclosure process. The [`offensive-reporting`](Skills/utility/offensive-reporting/SKILL.md) skill includes guidance on responsible disclosure, evidence handling, and report writing. +If you discover a vulnerability in a third-party product or service while using `skills-red`'s methodologies, follow that vendor's responsible disclosure process. The [`offensive-reporting`](Skills/utility/offensive-reporting/SKILL.md) skill includes guidance on responsible disclosure, evidence handling, and report writing. If the vendor has no published security contact: @@ -47,7 +47,7 @@ This repository is signed by SnailSploit. Verify commit signatures with: git log --show-signature ``` -If you receive a `claude-red` archive from a third party (mirror, pastebin, package manager), verify it against the upstream repository before using. +If you receive a `skills-red` archive from a third party (mirror, pastebin, package manager), verify it against the upstream repository before using. ## Scope diff --git a/Skills/ai/offensive-ai-security/SKILL.md b/Skills/ai/offensive-ai-security/SKILL.md index 639ef11..184bc39 100644 --- a/Skills/ai/offensive-ai-security/SKILL.md +++ b/Skills/ai/offensive-ai-security/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-ai-security +description: "AI/LLM security offensive checklist: prompt injection, jailbreaking, model extraction, training data poisoning, adversarial inputs, LLM-assisted attack automation, and AI system reconnaissance. Use when assessing AI/ML systems, red-teaming LLMs, or researching AI attack vectors." +--- + # SKILL: AI Pentest ## Metadata @@ -12,7 +17,7 @@ AI/LLM security offensive checklist: prompt injection, jailbreaking, model extra Use this skill when the conversation involves any of: `AI security, LLM security, prompt injection, jailbreak, model extraction, training data poisoning, adversarial input, AI red team, ML security, RAG poisoning, AI attack` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/auth/offensive-oauth/SKILL.md b/Skills/auth/offensive-oauth/SKILL.md index 0816cf0..4233251 100644 --- a/Skills/auth/offensive-oauth/SKILL.md +++ b/Skills/auth/offensive-oauth/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-oauth +description: "OAuth 2.0 attack checklist: authorization code interception, redirect_uri bypass, CSRF on OAuth flow, state parameter abuse, open redirector chaining, token leakage via Referer, PKCE bypass, and scope escalation. Use when testing OAuth implementations in web apps or bug bounty." +--- + # SKILL: OAuth Security Testing ## Metadata @@ -12,7 +17,7 @@ OAuth 2.0 attack checklist: authorization code interception, redirect_uri bypass Use this skill when the conversation involves any of: `OAuth, OAuth 2.0, authorization code, redirect_uri bypass, OAuth CSRF, state parameter, PKCE bypass, scope escalation, token leakage, open redirector, OAuth attack` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/exploit-dev/offensive-basic-exploitation/SKILL.md b/Skills/exploit-dev/offensive-basic-exploitation/SKILL.md index d424845..d84c0ba 100644 --- a/Skills/exploit-dev/offensive-basic-exploitation/SKILL.md +++ b/Skills/exploit-dev/offensive-basic-exploitation/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-basic-exploitation +description: "Week 5 exploit development curriculum. Foundational exploitation techniques: controlling EIP/RIP, ROP chain construction, ret2libc, shellcode injection, heap spraying, bypass techniques for ASLR/NX/stack canaries. Use when building initial PoCs or understanding classic exploitation primitives." +--- + # SKILL: Week 5: Basic Exploitation (Linux with Mitigations Disabled) ## Metadata @@ -12,7 +17,7 @@ Week 5 exploit development curriculum. Foundational exploitation techniques: con Use this skill when the conversation involves any of: `basic exploitation, EIP control, RIP control, ROP chain, ret2libc, shellcode injection, heap spray, ASLR bypass, NX bypass, stack canary bypass, week 5` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/exploit-dev/offensive-crash-analysis/SKILL.md b/Skills/exploit-dev/offensive-crash-analysis/SKILL.md index 8e487e9..c2c8272 100644 --- a/Skills/exploit-dev/offensive-crash-analysis/SKILL.md +++ b/Skills/exploit-dev/offensive-crash-analysis/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-crash-analysis +description: "Week 4 exploit development curriculum. Crash triage and analysis methodology: WinDbg/GDB analysis, ASAN/MSAN output interpretation, exploitability assessment, register/stack trace reading, root cause identification. Use when analyzing crash dumps, assessing exploitability, or understanding fuzzer-generated crashes." +--- + # SKILL: Week 4: Crash Analysis and Exploitability Assessment ## Metadata @@ -12,7 +17,7 @@ Week 4 exploit development curriculum. Crash triage and analysis methodology: Wi Use this skill when the conversation involves any of: `crash analysis, crash triage, WinDbg, GDB, ASAN, MSAN, exploitability, stack trace, register dump, segfault, null deref, access violation, week 4` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/exploit-dev/offensive-exploit-dev-course/SKILL.md b/Skills/exploit-dev/offensive-exploit-dev-course/SKILL.md index 01e475e..f3fe864 100644 --- a/Skills/exploit-dev/offensive-exploit-dev-course/SKILL.md +++ b/Skills/exploit-dev/offensive-exploit-dev-course/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-exploit-dev-course +description: "Full exploit development course roadmap and syllabus: weekly topics, recommended reading, lab setup, and learning path from vulnerability classes through advanced exploitation. Use to structure exploit dev training or onboard new researchers." +--- + # SKILL: Exploit Development ## Metadata @@ -12,7 +17,7 @@ Full exploit development course roadmap and syllabus: weekly topics, recommended Use this skill when the conversation involves any of: `exploit development course, exploit dev curriculum, learning path, syllabus, exploit dev training, vulnerability research training, course overview` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/exploit-dev/offensive-exploit-development/SKILL.md b/Skills/exploit-dev/offensive-exploit-development/SKILL.md index f78b417..3901363 100644 --- a/Skills/exploit-dev/offensive-exploit-development/SKILL.md +++ b/Skills/exploit-dev/offensive-exploit-development/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-exploit-development +description: "Exploit development operational guide: environment setup, debugging workflow, PoC development lifecycle, writing reliable exploits, using pwntools/pwndbg, heap exploitation techniques, and weaponization considerations. Use when actively developing exploits or setting up an exploit dev environment." +--- + # SKILL: Exploit Development ## Metadata @@ -12,7 +17,7 @@ Exploit development operational guide: environment setup, debugging workflow, Po Use this skill when the conversation involves any of: `exploit development, pwntools, pwndbg, heap exploitation, PoC development, exploit reliability, weaponization, debugging workflow, exploit dev environment` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/exploit-dev/offensive-mitigations/SKILL.md b/Skills/exploit-dev/offensive-mitigations/SKILL.md index 94b7422..e948dd7 100644 --- a/Skills/exploit-dev/offensive-mitigations/SKILL.md +++ b/Skills/exploit-dev/offensive-mitigations/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-mitigations +description: "Security mitigation reference and bypass catalog: ASLR, DEP/NX, RELRO, stack canaries, CFI, sandboxing, seccomp. Covers both detection of enabled mitigations and known bypass techniques. Use when assessing target hardening or planning exploit mitigation bypasses." +--- + # SKILL: Modern Kernel Exploit Mitigations ## Metadata @@ -12,7 +17,7 @@ Security mitigation reference and bypass catalog: ASLR, DEP/NX, RELRO, stack can Use this skill when the conversation involves any of: `mitigations, ASLR bypass, DEP bypass, NX bypass, RELRO, stack canary bypass, CFI bypass, sandbox bypass, seccomp bypass, mitigation detection, checksec` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/fuzzing/offensive-bug-identification/SKILL.md b/Skills/fuzzing/offensive-bug-identification/SKILL.md index 0c35c83..550cbf6 100644 --- a/Skills/fuzzing/offensive-bug-identification/SKILL.md +++ b/Skills/fuzzing/offensive-bug-identification/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-bug-identification +description: "Systematic bug identification methodology: source code review patterns, black-box testing strategies, taint analysis, dangerous function hunting, data flow tracing, and automated scanning setup. Use for code audits, bug bounty triage, or building vulnerability identification pipelines." +--- + # SKILL: Bug Identification ## Metadata @@ -12,7 +17,7 @@ Systematic bug identification methodology: source code review patterns, black-bo Use this skill when the conversation involves any of: `bug identification, code review, taint analysis, dangerous functions, data flow, source audit, black box, vulnerability identification, static analysis, code audit, bug hunting` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/fuzzing/offensive-fuzzing-course/SKILL.md b/Skills/fuzzing/offensive-fuzzing-course/SKILL.md index 9686c96..086cdbb 100644 --- a/Skills/fuzzing/offensive-fuzzing-course/SKILL.md +++ b/Skills/fuzzing/offensive-fuzzing-course/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-fuzzing-course +description: "Week 2 of the exploit development curriculum. Covers fuzzing methodology: target selection, corpus generation, coverage-guided fuzzing with AFL++/libFuzzer, structured fuzzing, and triage/deduplication. Use when setting up fuzz campaigns, selecting harness strategies, or triaging fuzzer output." +--- + # SKILL: Week 2: Finding Vulnerabilities Through Fuzzing ## Metadata @@ -12,7 +17,7 @@ Week 2 of the exploit development curriculum. Covers fuzzing methodology: target Use this skill when the conversation involves any of: `fuzzing curriculum, AFL++, libFuzzer, coverage-guided fuzzing, corpus generation, harness, fuzz target, mutation, triage, crash dedup, week 2, exploit dev course` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/fuzzing/offensive-vuln-classes/SKILL.md b/Skills/fuzzing/offensive-vuln-classes/SKILL.md index bb2774d..41e6ede 100644 --- a/Skills/fuzzing/offensive-vuln-classes/SKILL.md +++ b/Skills/fuzzing/offensive-vuln-classes/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-vuln-classes +description: "Exploit development curriculum covering core vulnerability classes with real-world CVE case studies: stack/heap buffer overflows, use-after-free, integer overflows, format strings, type confusion, and race conditions. Use when learning or teaching vuln classes, researching specific CVE patterns, or building exploit dev knowledge." +--- + # SKILL: Week 1: Vulnerability Classes with Real-World Examples ## Metadata @@ -12,7 +17,7 @@ Exploit development curriculum covering core vulnerability classes with real-wor Use this skill when the conversation involves any of: `vulnerability classes, buffer overflow, use-after-free, UAF, heap overflow, stack overflow, type confusion, integer overflow, format string, memory corruption, CVE case study, exploit development, Day 1-7` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/infrastructure/offensive-advanced-redteam/SKILL.md b/Skills/infrastructure/offensive-advanced-redteam/SKILL.md index 04e226f..ad07678 100644 --- a/Skills/infrastructure/offensive-advanced-redteam/SKILL.md +++ b/Skills/infrastructure/offensive-advanced-redteam/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-advanced-redteam +description: "Practical advanced red team operations guide: OPSEC discipline, C2 infrastructure design, living-off-the-land techniques, lateral movement, persistence, data exfiltration, and evading modern defenses. Use for planning advanced red team engagements or understanding APT TTPs." +--- + # SKILL: Advanced Redteam Ops ## Metadata @@ -12,7 +17,7 @@ Practical advanced red team operations guide: OPSEC discipline, C2 infrastructur Use this skill when the conversation involves any of: `advanced red team, red team operations, OPSEC, C2 infrastructure, living off the land, LOTL, lateral movement, persistence, exfiltration, APT, advanced threat, red team for dummies` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/infrastructure/offensive-edr-evasion/SKILL.md b/Skills/infrastructure/offensive-edr-evasion/SKILL.md index 9c451f8..cf7f92b 100644 --- a/Skills/infrastructure/offensive-edr-evasion/SKILL.md +++ b/Skills/infrastructure/offensive-edr-evasion/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-edr-evasion +description: "EDR evasion offensive checklist: hook unhooking (user/kernel), direct syscalls, PPID spoofing, process injection variants, AMSI bypass, ETW patching, memory encryption, and behavior-based evasion. Use when planning EDR bypass during red team engagements or researching AV/EDR evasion techniques." +--- + # SKILL: Endpoint Detection and Response ## Metadata @@ -12,7 +17,7 @@ EDR evasion offensive checklist: hook unhooking (user/kernel), direct syscalls, Use this skill when the conversation involves any of: `EDR evasion, EDR bypass, hook unhooking, direct syscalls, PPID spoofing, process injection, AMSI bypass, ETW patch, memory encryption, AV evasion, behavioral evasion, red team evasion` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/infrastructure/offensive-initial-access/SKILL.md b/Skills/infrastructure/offensive-initial-access/SKILL.md index 2a1851e..e8d4d3d 100644 --- a/Skills/infrastructure/offensive-initial-access/SKILL.md +++ b/Skills/infrastructure/offensive-initial-access/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-initial-access +description: "Initial access techniques checklist: phishing (spear/smishing), credential stuffing, exposed service exploitation, supply chain attacks, watering hole, VPN/RDP brute force, public-facing application exploitation. Maps to MITRE ATT&CK TA0001. Use when planning initial access phases of red team engagements." +--- + # SKILL: Modern Initial Access ## Metadata @@ -12,7 +17,7 @@ Initial access techniques checklist: phishing (spear/smishing), credential stuff Use this skill when the conversation involves any of: `initial access, phishing, spear phishing, credential stuffing, exposed service, supply chain, watering hole, VPN brute force, RDP attack, MITRE TA0001, initial foothold` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/infrastructure/offensive-keylogger-arch/SKILL.md b/Skills/infrastructure/offensive-keylogger-arch/SKILL.md index c8fa054..7fd0c32 100644 --- a/Skills/infrastructure/offensive-keylogger-arch/SKILL.md +++ b/Skills/infrastructure/offensive-keylogger-arch/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-keylogger-arch +description: "Low-level keylogger architecture design: kernel driver hooks (WH_KEYBOARD_LL, SetWindowsHookEx), ETW-based input capture, user-mode vs kernel-mode approaches, stealth techniques, and data exfiltration. Use for understanding input capture mechanisms, EDR evasion research, or malware architecture analysis." +--- + # SKILL: Novel research ## Metadata @@ -12,7 +17,7 @@ Low-level keylogger architecture design: kernel driver hooks (WH_KEYBOARD_LL, Se Use this skill when the conversation involves any of: `keylogger, keyboard hook, WH_KEYBOARD_LL, SetWindowsHookEx, ETW, kernel driver, input capture, low-level keylogger, malware architecture, stealth, exfiltration` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/infrastructure/offensive-windows-boundaries/SKILL.md b/Skills/infrastructure/offensive-windows-boundaries/SKILL.md index d22150d..1f000d4 100644 --- a/Skills/infrastructure/offensive-windows-boundaries/SKILL.md +++ b/Skills/infrastructure/offensive-windows-boundaries/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-windows-boundaries +description: "Windows security boundary taxonomy and attack surface enumeration: kernel/user boundary, sandbox boundaries (LPAC, AppContainer), COM/RPC boundaries, hypervisor boundary, trust level transitions. Use when planning privilege escalation paths, sandbox escapes, or understanding Windows security architecture." +--- + # SKILL: Week 7: Defeating Windows Security Boundaries ## Metadata @@ -12,7 +17,7 @@ Windows security boundary taxonomy and attack surface enumeration: kernel/user b Use this skill when the conversation involves any of: `Windows boundaries, security boundary, kernel user boundary, sandbox escape, AppContainer, LPAC, COM boundary, RPC boundary, hypervisor, Hyper-V, privilege escalation, trust level` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/infrastructure/offensive-windows-mitigations/SKILL.md b/Skills/infrastructure/offensive-windows-mitigations/SKILL.md index 1896c55..a2029af 100644 --- a/Skills/infrastructure/offensive-windows-mitigations/SKILL.md +++ b/Skills/infrastructure/offensive-windows-mitigations/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-windows-mitigations +description: "Deep-dive on Windows exploit mitigations: ASLR, DEP/NX, CFG, CET/Shadow Stack, SEHOP, Heap Guard, ACG, Arbitrary Code Guard. Covers both the protection mechanism and known bypass techniques. Use when researching Windows exploit mitigations, planning bypass strategies, or understanding protection depth." +--- + # SKILL: Week 6: Understanding Windows Mitigations ## Metadata @@ -12,7 +17,7 @@ Deep-dive on Windows exploit mitigations: ASLR, DEP/NX, CFG, CET/Shadow Stack, S Use this skill when the conversation involves any of: `Windows mitigations, ASLR, DEP, NX, CFG, CET, shadow stack, SEHOP, heap guard, ACG, mitigation bypass, exploit mitigation, Windows hardening` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/recon/offensive-osint-methodology/SKILL.md b/Skills/recon/offensive-osint-methodology/SKILL.md index a85e335..648ff4e 100644 --- a/Skills/recon/offensive-osint-methodology/SKILL.md +++ b/Skills/recon/offensive-osint-methodology/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-osint-methodology +description: "Structured OSINT methodology framework: target definition, source selection, collection workflows, data correlation, timeline reconstruction, and reporting. Use to guide systematic OSINT campaigns or teach OSINT methodology." +--- + # SKILL: OSINT Methodology ## Metadata @@ -12,7 +17,7 @@ Structured OSINT methodology framework: target definition, source selection, col Use this skill when the conversation involves any of: `OSINT methodology, open source intelligence, target profiling, data correlation, OSINT workflow, intelligence collection, OSINT campaign, recon methodology` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/utility/offensive-fast-checking/SKILL.md b/Skills/utility/offensive-fast-checking/SKILL.md index 964ad64..afae2a4 100644 --- a/Skills/utility/offensive-fast-checking/SKILL.md +++ b/Skills/utility/offensive-fast-checking/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-fast-checking +description: "Speed-optimized offensive checklist for rapid assessment: quick-win vulnerability patterns, fast recon shortcuts, automated scanner configurations, and triage shortcuts. Use for time-boxed assessments, CTF-speed engagements, or initial rapid surface mapping." +--- + # SKILL: Fast Testing Checklist ## Metadata @@ -12,7 +17,7 @@ Speed-optimized offensive checklist for rapid assessment: quick-win vulnerabilit Use this skill when the conversation involves any of: `fast check, quick recon, rapid assessment, quick wins, fast triage, speed checklist, time-boxed, CTF, fast scan, quick vulnerability` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/web/offensive-deserialization/SKILL.md b/Skills/web/offensive-deserialization/SKILL.md index 83fd18b..643b143 100644 --- a/Skills/web/offensive-deserialization/SKILL.md +++ b/Skills/web/offensive-deserialization/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-deserialization +description: "Insecure deserialization attack checklist: identifying deserialization sinks, Java/PHP/.NET/Python deserialization exploitation, ysoserial gadget chains, magic method abuse, and detection evasion. Use when testing deserialization endpoints or developing deserialization exploits." +--- + # SKILL: Insecure Deserialization ## Metadata @@ -12,7 +17,7 @@ Insecure deserialization attack checklist: identifying deserialization sinks, Ja Use this skill when the conversation involves any of: `deserialization, insecure deserialization, ysoserial, Java deserialization, PHP deserialization, .NET deserialization, pickle, gadget chain, magic method, ObjectInputStream` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/web/offensive-file-upload/SKILL.md b/Skills/web/offensive-file-upload/SKILL.md index 3020ea5..53033b7 100644 --- a/Skills/web/offensive-file-upload/SKILL.md +++ b/Skills/web/offensive-file-upload/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-file-upload +description: "File upload vulnerability checklist: MIME type bypass, extension bypass, magic byte manipulation, path traversal in filenames, stored XSS via SVG/HTML upload, server-side processing attacks, and race conditions. Use for assessing file upload endpoints in web app pentests or bug bounty." +--- + # SKILL: File Upload Vulnerabilities ## Metadata @@ -12,7 +17,7 @@ File upload vulnerability checklist: MIME type bypass, extension bypass, magic b Use this skill when the conversation involves any of: `file upload, MIME bypass, extension bypass, magic byte, path traversal upload, SVG XSS, polyglot, upload bypass, malicious upload, web shell upload` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/web/offensive-graphql/SKILL.md b/Skills/web/offensive-graphql/SKILL.md index 4d2639e..315c801 100644 --- a/Skills/web/offensive-graphql/SKILL.md +++ b/Skills/web/offensive-graphql/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-graphql +description: "GraphQL security testing checklist: introspection abuse, batching attacks, query depth/complexity DoS, field suggestion enumeration, IDOR via GraphQL, injection through arguments, authorization bypass. Use when assessing GraphQL endpoints in web app tests or bug bounty." +--- + # SKILL: GraphQL Vulnerabilities ## Metadata @@ -12,7 +17,7 @@ GraphQL security testing checklist: introspection abuse, batching attacks, query Use this skill when the conversation involves any of: `GraphQL, introspection, batching attack, query depth, GraphQL injection, GraphQL IDOR, field suggestion, GraphQL auth bypass, GraphQL DoS, GraphQL security` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/web/offensive-idor/SKILL.md b/Skills/web/offensive-idor/SKILL.md index ce95b65..0a338c8 100644 --- a/Skills/web/offensive-idor/SKILL.md +++ b/Skills/web/offensive-idor/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-idor +description: "IDOR (Insecure Direct Object Reference) testing checklist: object ID enumeration, horizontal/vertical privilege escalation, GUID predictability, indirect references via hashes, chained IDOR, and API endpoint IDOR. Use for web app pentests and bug bounty IDOR discovery." +--- + # SKILL: Insecure Direct Object References (IDOR) ## Metadata @@ -12,7 +17,7 @@ IDOR (Insecure Direct Object Reference) testing checklist: object ID enumeration Use this skill when the conversation involves any of: `IDOR, insecure direct object reference, horizontal privilege escalation, vertical privilege escalation, object enumeration, GUID, API IDOR, mass assignment, broken access control` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/web/offensive-open-redirect/SKILL.md b/Skills/web/offensive-open-redirect/SKILL.md index 7cae273..0013ab2 100644 --- a/Skills/web/offensive-open-redirect/SKILL.md +++ b/Skills/web/offensive-open-redirect/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-open-redirect +description: "Open redirect vulnerability checklist: parameter identification, bypass techniques (URL encoding, double slashes, CRLF injection, protocol handlers), chaining with OAuth/SSRF, and impact escalation paths. Use for web app testing and bug bounty open redirect discovery." +--- + # SKILL: Open Redirect Vulnerabilities ## Metadata @@ -12,7 +17,7 @@ Open redirect vulnerability checklist: parameter identification, bypass techniqu Use this skill when the conversation involves any of: `open redirect, URL redirect, redirect bypass, URL encoding bypass, CRLF, protocol handler, redirect chain, OAuth redirect, SSRF chain, open redirection` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/web/offensive-parameter-pollution/SKILL.md b/Skills/web/offensive-parameter-pollution/SKILL.md index 63c75d6..c3f00ee 100644 --- a/Skills/web/offensive-parameter-pollution/SKILL.md +++ b/Skills/web/offensive-parameter-pollution/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-parameter-pollution +description: "HTTP parameter pollution (HPP) checklist: duplicate parameter injection, backend vs frontend parsing differences, WAF bypass via HPP, server-side vs client-side HPP, and practical exploitation patterns. Use when testing web applications for parameter handling flaws." +--- + # SKILL: HTTP Parameter Pollution (HPP) ## Metadata @@ -12,7 +17,7 @@ HTTP parameter pollution (HPP) checklist: duplicate parameter injection, backend Use this skill when the conversation involves any of: `parameter pollution, HTTP parameter pollution, HPP, duplicate parameter, WAF bypass, parsing differences, server-side HPP, client-side HPP, parameter injection` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/web/offensive-race-condition/SKILL.md b/Skills/web/offensive-race-condition/SKILL.md index 2fab610..dd99651 100644 --- a/Skills/web/offensive-race-condition/SKILL.md +++ b/Skills/web/offensive-race-condition/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-race-condition +description: "Race condition (TOCTOU) testing checklist: identifying timing windows, Burp Suite Turbo Intruder, Last-Byte sync technique, rate limit bypass, double-spend attacks, and concurrent request exploitation. Use for web app race condition testing or bug bounty time-of-check-to-time-of-use bugs." +--- + # SKILL: Race Conditions ## Metadata @@ -12,7 +17,7 @@ Race condition (TOCTOU) testing checklist: identifying timing windows, Burp Suit Use this skill when the conversation involves any of: `race condition, TOCTOU, timing attack, Turbo Intruder, last-byte sync, rate limit bypass, double spend, concurrent request, race window, time of check, time of use` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/web/offensive-rce/SKILL.md b/Skills/web/offensive-rce/SKILL.md index f038864..8a45972 100644 --- a/Skills/web/offensive-rce/SKILL.md +++ b/Skills/web/offensive-rce/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-rce +description: "Remote Code Execution testing checklist: OS command injection, SSTI-to-RCE, deserialization RCE, file upload RCE, XXE with SSRF to RCE, RCE via dependency confusion, and CVE-based RCE patterns. Use for web app pentests and bug bounty RCE discovery." +--- + # SKILL: Remote Code Execution ## Metadata @@ -12,7 +17,7 @@ Remote Code Execution testing checklist: OS command injection, SSTI-to-RCE, dese Use this skill when the conversation involves any of: `RCE, remote code execution, command injection, OS injection, SSTI RCE, deserialization RCE, file upload RCE, XXE RCE, dependency confusion, code execution` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/web/offensive-request-smuggling/SKILL.md b/Skills/web/offensive-request-smuggling/SKILL.md index 041a030..1c7a116 100644 --- a/Skills/web/offensive-request-smuggling/SKILL.md +++ b/Skills/web/offensive-request-smuggling/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-request-smuggling +description: "HTTP request smuggling checklist: CL.TE, TE.CL, TE.TE variants, detection with timing and differential responses, WAF bypass, cache poisoning, credential hijacking, and request smuggling via HTTP/2. Use when testing reverse proxy/load balancer configurations." +--- + # SKILL: HTTP Request Smuggling ## Metadata @@ -12,7 +17,7 @@ HTTP request smuggling checklist: CL.TE, TE.CL, TE.TE variants, detection with t Use this skill when the conversation involves any of: `request smuggling, HTTP smuggling, CL.TE, TE.CL, TE.TE, HTTP/2 smuggling, cache poisoning, WAF bypass, differential response, smuggling detection, proxy desync` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/web/offensive-ssrf/SKILL.md b/Skills/web/offensive-ssrf/SKILL.md index d018653..427d91f 100644 --- a/Skills/web/offensive-ssrf/SKILL.md +++ b/Skills/web/offensive-ssrf/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-ssrf +description: "Server-Side Request Forgery testing checklist: SSRF discovery, blind SSRF with out-of-band, cloud metadata endpoints (AWS/GCP/Azure), SSRF filter bypass techniques (IP encoding, DNS rebinding, redirect chains), and SSRF to RCE escalation. Use for web app SSRF testing and bug bounty." +--- + # SKILL: Server-Side Request Forgery (SSRF) ## Metadata @@ -12,7 +17,7 @@ Server-Side Request Forgery testing checklist: SSRF discovery, blind SSRF with o Use this skill when the conversation involves any of: `SSRF, server-side request forgery, blind SSRF, cloud metadata, AWS metadata, GCP metadata, SSRF bypass, DNS rebinding, redirect chain, SSRF RCE, internal port scan` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/web/offensive-ssti/SKILL.md b/Skills/web/offensive-ssti/SKILL.md index 73c8914..05ad1e6 100644 --- a/Skills/web/offensive-ssti/SKILL.md +++ b/Skills/web/offensive-ssti/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-ssti +description: "Server-Side Template Injection testing checklist: template engine identification (Jinja2, Twig, Freemarker, Pebble, Velocity), polyglot detection payloads, engine-specific RCE payloads, blind SSTI, and filter bypass. Use when testing web apps for template injection vulnerabilities." +--- + # SKILL: Server-Side Template Injection (SSTI) ## Metadata @@ -12,7 +17,7 @@ Server-Side Template Injection testing checklist: template engine identification Use this skill when the conversation involves any of: `SSTI, server-side template injection, Jinja2, Twig, Freemarker, Pebble, Velocity, template injection, template RCE, polyglot payload, template engine, blind SSTI` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/web/offensive-waf-bypass/SKILL.md b/Skills/web/offensive-waf-bypass/SKILL.md index 3eb882b..78a9f24 100644 --- a/Skills/web/offensive-waf-bypass/SKILL.md +++ b/Skills/web/offensive-waf-bypass/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-waf-bypass +description: "WAF bypass techniques checklist: encoding bypass (URL/HTML/Unicode/double encoding), case variation, comment injection, HTTP header manipulation, chunked encoding, IP rotation, timing attacks, and payload obfuscation per WAF vendor. Use when WAF is blocking payloads during web app tests." +--- + # SKILL: WAF Bypass Techniques ## Metadata @@ -12,7 +17,7 @@ WAF bypass techniques checklist: encoding bypass (URL/HTML/Unicode/double encodi Use this skill when the conversation involves any of: `WAF bypass, web application firewall bypass, URL encoding, double encoding, Unicode bypass, comment injection, HTTP header bypass, chunked encoding, IP rotation, payload obfuscation, WAF evasion` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/web/offensive-xss/SKILL.md b/Skills/web/offensive-xss/SKILL.md index f60dd6a..9e2ddae 100644 --- a/Skills/web/offensive-xss/SKILL.md +++ b/Skills/web/offensive-xss/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-xss +description: "Cross-Site Scripting testing checklist: stored/reflected/DOM/blind XSS discovery, polyglot payloads, CSP bypass, XSS filter bypass, event handler injection, DOM clobbering, mutation XSS, and impact escalation (session hijack, phishing, keylogging). Use for web app XSS testing and bug bounty." +--- + # SKILL: Cross-Site Scripting (XSS) ## Metadata @@ -12,7 +17,7 @@ Cross-Site Scripting testing checklist: stored/reflected/DOM/blind XSS discovery Use this skill when the conversation involves any of: `XSS, cross-site scripting, stored XSS, reflected XSS, DOM XSS, blind XSS, CSP bypass, XSS filter bypass, polyglot, DOM clobbering, mutation XSS, event handler injection` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/Skills/web/offensive-xxe/SKILL.md b/Skills/web/offensive-xxe/SKILL.md index f560892..8cd8477 100644 --- a/Skills/web/offensive-xxe/SKILL.md +++ b/Skills/web/offensive-xxe/SKILL.md @@ -1,3 +1,8 @@ +--- +name: offensive-xxe +description: "XML External Entity injection testing checklist: classic XXE, blind XXE (out-of-band), XXE via file upload (SVG/docx), XXE in SOAP/REST, error-based XXE, XInclude attacks, and XXE filter bypass. Use for web app XXE testing and bug bounty." +--- + # SKILL: XML External Entity (XXE) Injection ## Metadata @@ -12,7 +17,7 @@ XML External Entity injection testing checklist: classic XXE, blind XXE (out-of- Use this skill when the conversation involves any of: `XXE, XML external entity, blind XXE, out-of-band XXE, XXE file upload, SVG XXE, SOAP XXE, XInclude, entity bypass, XXE SSRF, XXE file read` -## Instructions for Claude +## Operational Instructions When this skill is active: 1. Load and apply the full methodology below as your operational checklist diff --git a/claude-skills.json b/claude-skills.json index bd7944f..3e10ce8 100644 --- a/claude-skills.json +++ b/claude-skills.json @@ -1,8 +1,9 @@ { - "name": "claude-red", + "name": "skills-red", "version": "0.2.0", + "platform": "claude", "license": "MIT", - "homepage": "https://github.com/SnailSploit/claude-red", + "homepage": "https://github.com/trewwwsec/skills-red", "categories": { "active-directory": [ "offensive-active-directory" @@ -94,348 +95,406 @@ "name": "offensive-active-directory", "category": "active-directory", "path": "Skills/active-directory/offensive-active-directory/SKILL.md", + "install_path": "~/.claude/skills/skills-red/active-directory/offensive-active-directory", "description": "Active Directory attack methodology for internal network red team engagements. Covers reconnaissance (BloodHound, PowerView, ADExplorer), credential abuse (Kerberoasting, ASREProasting, NTLM relay, LLMNR/NBT-NS poisoning), privilege escalation (ACL abuse, GPO abuse, unconstrained/constrained delegation), lateral movement (Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, WMI/WinRM/PsExec), persistence (Golden/Silver/Diamond Tickets, DCSync, DCShadow, AdminSDHolder, Skeleton Key), forest trust attacks, ADCS abuse (ESC1-ESC15), and modern MDI/Defender for Identity evasion. Use when assessing on-prem AD, hybrid AD/Entra ID environments, or ADCS deployments." }, { "name": "offensive-ai-security", "category": "ai", "path": "Skills/ai/offensive-ai-security/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/ai/offensive-ai-security", + "description": "AI/LLM security offensive checklist: prompt injection, jailbreaking, model extraction, training data poisoning, adversarial inputs, LLM-assisted attack automation, and AI system reconnaissance. Use when assessing AI/ML systems, red-teaming LLMs, or researching AI attack vectors." }, { "name": "offensive-jwt", "category": "auth", "path": "Skills/auth/offensive-jwt/SKILL.md", + "install_path": "~/.claude/skills/skills-red/auth/offensive-jwt", "description": "JWT attack methodology for penetration testers. Covers algorithm confusion (alg:none, RS256→HS256), weak HMAC secret brute force, kid parameter injection (SQLi, path traversal), jku/x5u/jwk header injection, JWKS cache poisoning, JWS/JWE confusion, timing attacks, and mobile JWT storage extraction. Use when testing JWT-based authentication, hunting auth bypass via token manipulation, or evaluating JWT implementation security in web or mobile apps." }, { "name": "offensive-oauth", "category": "auth", "path": "Skills/auth/offensive-oauth/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/auth/offensive-oauth", + "description": "OAuth 2.0 attack checklist: authorization code interception, redirect_uri bypass, CSRF on OAuth flow, state parameter abuse, open redirector chaining, token leakage via Referer, PKCE bypass, and scope escalation. Use when testing OAuth implementations in web apps or bug bounty." }, { "name": "offensive-cloud", "category": "cloud", "path": "Skills/cloud/offensive-cloud/SKILL.md", + "install_path": "~/.claude/skills/skills-red/cloud/offensive-cloud", "description": "Cloud security attack methodology covering AWS, Azure, and GCP. Includes credential harvesting (IMDS, ~/.aws, env vars, leaked CI secrets, instance roles), enumeration with cloud-specific tools (pacu, ScoutSuite, Prowler, ROADtools, gcp_enum), privilege escalation paths (IAM PassRole, AssumeRole chains, Lambda/Functions privilege flips, Azure Owner-on-self, GCP serviceAccountTokenCreator), persistence techniques (IAM user/key creation, AAD app registration, GCP svc account key creation, EventBridge/Logic Apps backdoors), data exfiltration (S3/Blob/GCS, snapshot share, RDS/CosmosDB/Cloud SQL exfil), cloud-native lateral movement (cross-account assume, Azure AD multi-tenant, GCP project hierarchy), serverless attacks (Lambda env vars, layer hijack, Step Functions), Kubernetes-on-cloud (EKS/AKS/GKE-specific paths to node and AWS metadata), and CSPM evasion (CloudTrail blind spots, GuardDuty mute, Sentinel rule shaping). Use when the engagement scope is cloud accounts, when you've stolen cloud credentials, or when assessing cloud posture." }, { "name": "offensive-basic-exploitation", "category": "exploit-dev", "path": "Skills/exploit-dev/offensive-basic-exploitation/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/exploit-dev/offensive-basic-exploitation", + "description": "Week 5 exploit development curriculum. Foundational exploitation techniques: controlling EIP/RIP, ROP chain construction, ret2libc, shellcode injection, heap spraying, bypass techniques for ASLR/NX/stack canaries. Use when building initial PoCs or understanding classic exploitation primitives." }, { "name": "offensive-crash-analysis", "category": "exploit-dev", "path": "Skills/exploit-dev/offensive-crash-analysis/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/exploit-dev/offensive-crash-analysis", + "description": "Week 4 exploit development curriculum. Crash triage and analysis methodology: WinDbg/GDB analysis, ASAN/MSAN output interpretation, exploitability assessment, register/stack trace reading, root cause identification. Use when analyzing crash dumps, assessing exploitability, or understanding fuzzer-generated crashes." }, { "name": "offensive-exploit-dev-course", "category": "exploit-dev", "path": "Skills/exploit-dev/offensive-exploit-dev-course/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/exploit-dev/offensive-exploit-dev-course", + "description": "Full exploit development course roadmap and syllabus: weekly topics, recommended reading, lab setup, and learning path from vulnerability classes through advanced exploitation. Use to structure exploit dev training or onboard new researchers." }, { "name": "offensive-exploit-development", "category": "exploit-dev", "path": "Skills/exploit-dev/offensive-exploit-development/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/exploit-dev/offensive-exploit-development", + "description": "Exploit development operational guide: environment setup, debugging workflow, PoC development lifecycle, writing reliable exploits, using pwntools/pwndbg, heap exploitation techniques, and weaponization considerations. Use when actively developing exploits or setting up an exploit dev environment." }, { "name": "offensive-mitigations", "category": "exploit-dev", "path": "Skills/exploit-dev/offensive-mitigations/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/exploit-dev/offensive-mitigations", + "description": "Security mitigation reference and bypass catalog: ASLR, DEP/NX, RELRO, stack canaries, CFI, sandboxing, seccomp. Covers both detection of enabled mitigations and known bypass techniques. Use when assessing target hardening or planning exploit mitigation bypasses." }, { "name": "offensive-toctou", "category": "exploit-dev", "path": "Skills/exploit-dev/offensive-toctou/SKILL.md", + "install_path": "~/.claude/skills/skills-red/exploit-dev/offensive-toctou", "description": "Time-of-Check / Time-of-Use (TOCTOU) race condition exploitation methodology across binary, kernel, filesystem, web, and container layers. Covers symbolic-link races (open/access/stat split), file-descriptor races, fopen/realpath traversal races, /proc and procfs races, FUSE-backed slow-fs races to widen the window, ptrace and signal races, kernel double-fetch / userspace pointer races, container/runc/symlink escape primitives, kubernetes admission/authz TOCTOU, web auth-vs-authz TOCTOU, JWT-claim TOCTOU at gateway vs service, payment/idempotency races, and modern race-amplification techniques (single-packet attack, slow loris, FUSE pause, cgroup freeze, scheduler shaping). Use when you've identified a 'check then act' pattern in code, when fuzzing for race conditions, or when exploiting concurrency bugs in privileged binaries / kernel / orchestrators." }, { "name": "offensive-bug-identification", "category": "fuzzing", "path": "Skills/fuzzing/offensive-bug-identification/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/fuzzing/offensive-bug-identification", + "description": "Systematic bug identification methodology: source code review patterns, black-box testing strategies, taint analysis, dangerous function hunting, data flow tracing, and automated scanning setup. Use for code audits, bug bounty triage, or building vulnerability identification pipelines." }, { "name": "offensive-fuzzing", "category": "fuzzing", "path": "Skills/fuzzing/offensive-fuzzing/SKILL.md", + "install_path": "~/.claude/skills/skills-red/fuzzing/offensive-fuzzing", "description": "Practical offensive fuzzing methodology covering target identification, fuzzer selection (AFL++, libFuzzer, Honggfuzz, Boofuzz, syzkaller), harness writing, corpus curation, mutation strategies, coverage measurement, and crash triage. Use when setting up or running fuzz campaigns against any target: file parsers, network protocols, kernel drivers, EDR engines, embedded firmware, or language runtimes." }, { "name": "offensive-fuzzing-course", "category": "fuzzing", "path": "Skills/fuzzing/offensive-fuzzing-course/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/fuzzing/offensive-fuzzing-course", + "description": "Week 2 of the exploit development curriculum. Covers fuzzing methodology: target selection, corpus generation, coverage-guided fuzzing with AFL++/libFuzzer, structured fuzzing, and triage/deduplication. Use when setting up fuzz campaigns, selecting harness strategies, or triaging fuzzer output." }, { "name": "offensive-vuln-classes", "category": "fuzzing", "path": "Skills/fuzzing/offensive-vuln-classes/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/fuzzing/offensive-vuln-classes", + "description": "Exploit development curriculum covering core vulnerability classes with real-world CVE case studies: stack/heap buffer overflows, use-after-free, integer overflows, format strings, type confusion, and race conditions. Use when learning or teaching vuln classes, researching specific CVE patterns, or building exploit dev knowledge." }, { "name": "offensive-advanced-redteam", "category": "infrastructure", "path": "Skills/infrastructure/offensive-advanced-redteam/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/infrastructure/offensive-advanced-redteam", + "description": "Practical advanced red team operations guide: OPSEC discipline, C2 infrastructure design, living-off-the-land techniques, lateral movement, persistence, data exfiltration, and evading modern defenses. Use for planning advanced red team engagements or understanding APT TTPs." }, { "name": "offensive-edr-evasion", "category": "infrastructure", "path": "Skills/infrastructure/offensive-edr-evasion/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/infrastructure/offensive-edr-evasion", + "description": "EDR evasion offensive checklist: hook unhooking (user/kernel), direct syscalls, PPID spoofing, process injection variants, AMSI bypass, ETW patching, memory encryption, and behavior-based evasion. Use when planning EDR bypass during red team engagements or researching AV/EDR evasion techniques." }, { "name": "offensive-initial-access", "category": "infrastructure", "path": "Skills/infrastructure/offensive-initial-access/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/infrastructure/offensive-initial-access", + "description": "Initial access techniques checklist: phishing (spear/smishing), credential stuffing, exposed service exploitation, supply chain attacks, watering hole, VPN/RDP brute force, public-facing application exploitation. Maps to MITRE ATT&CK TA0001. Use when planning initial access phases of red team engagements." }, { "name": "offensive-keylogger-arch", "category": "infrastructure", "path": "Skills/infrastructure/offensive-keylogger-arch/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/infrastructure/offensive-keylogger-arch", + "description": "Low-level keylogger architecture design: kernel driver hooks (WH_KEYBOARD_LL, SetWindowsHookEx), ETW-based input capture, user-mode vs kernel-mode approaches, stealth techniques, and data exfiltration. Use for understanding input capture mechanisms, EDR evasion research, or malware architecture analysis." }, { "name": "offensive-shellcode", "category": "infrastructure", "path": "Skills/infrastructure/offensive-shellcode/SKILL.md", + "install_path": "~/.claude/skills/skills-red/infrastructure/offensive-shellcode", "description": "Shellcode development reference for offensive security engagements. Use when writing custom x86/x64 shellcode, implementing position-independent code (PIC), building shellcode loaders, evading AV/EDR detection, or converting PE files to shellcode. Covers null byte avoidance, API hashing, encoder/decoder patterns, staged vs stageless payloads, Windows PEB traversal, and cross-platform shellcode techniques." }, { "name": "offensive-windows-boundaries", "category": "infrastructure", "path": "Skills/infrastructure/offensive-windows-boundaries/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/infrastructure/offensive-windows-boundaries", + "description": "Windows security boundary taxonomy and attack surface enumeration: kernel/user boundary, sandbox boundaries (LPAC, AppContainer), COM/RPC boundaries, hypervisor boundary, trust level transitions. Use when planning privilege escalation paths, sandbox escapes, or understanding Windows security architecture." }, { "name": "offensive-windows-mitigations", "category": "infrastructure", "path": "Skills/infrastructure/offensive-windows-mitigations/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/infrastructure/offensive-windows-mitigations", + "description": "Deep-dive on Windows exploit mitigations: ASLR, DEP/NX, CFG, CET/Shadow Stack, SEHOP, Heap Guard, ACG, Arbitrary Code Guard. Covers both the protection mechanism and known bypass techniques. Use when researching Windows exploit mitigations, planning bypass strategies, or understanding protection depth." }, { "name": "offensive-iot", "category": "iot", "path": "Skills/iot/offensive-iot/SKILL.md", + "install_path": "~/.claude/skills/skills-red/iot/offensive-iot", "description": "IoT and embedded device security testing methodology. Covers hardware reconnaissance (UART, JTAG, SWD, SPI flash, I2C EEPROM, eMMC chip-off), firmware acquisition (vendor portals, OTA capture, flash dump, binwalk extraction), firmware analysis (filesystem mounting, binary triage, hardcoded secrets, default credential discovery), bootloader attacks (U-Boot console, secure-boot bypass, fault injection), runtime attacks on embedded Linux/RTOS (busybox CVEs, MTD writes, /dev/mem), wireless protocol attacks (Zigbee, BLE, Z-Wave, LoRaWAN, Thread/Matter, sub-GHz), MQTT/CoAP/Modbus/BACnet/OPC-UA exploitation, mobile companion app analysis, cloud-IoT API abuse, and side-channel/glitching basics. Use for IoT pentest, smart-home assessment, ICS/OT testing, or embedded vulnerability research." }, { "name": "offensive-mobile", "category": "mobile", "path": "Skills/mobile/offensive-mobile/SKILL.md", + "install_path": "~/.claude/skills/skills-red/mobile/offensive-mobile", "description": "Mobile (Android + iOS) application penetration testing methodology. Covers static analysis (apktool/jadx for Android, class-dump/Hopper/IDA for iOS), dynamic instrumentation with Frida and Objection, SSL pinning bypass strategies, root/jailbreak detection bypass, deep-link / URL-scheme abuse, exported component attacks (Android activities, services, providers, receivers; iOS XPC, URL schemes, universal links), insecure data storage (SharedPrefs, KeyStore misuse, NSUserDefaults, Keychain ACL bypass), IPC / Intent redirection, WebView vulnerabilities (JavaScriptInterface, file:// access), Firebase/AWS/Azure misconfiguration leakage, mobile API testing, biometric/Face ID/Touch ID bypass, app-cloning and runtime patching, and mobile malware/RAT analysis primitives. Use for mobile pentest, bug bounty mobile triage, or app-store reconnaissance." }, { "name": "offensive-osint", "category": "recon", "path": "Skills/recon/offensive-osint/SKILL.md", + "install_path": "~/.claude/skills/skills-red/recon/offensive-osint", "description": "Comprehensive OSINT methodology skill for offensive security, red team intelligence gathering, and bug bounty reconnaissance. Covers domain recon, email harvesting, social media profiling, GitHub/code leaks, Shodan/Censys enumeration, breach data lookup, employee profiling, infrastructure mapping, cryptocurrency tracing, geospatial intelligence, and AI-assisted analysis workflows. Use when performing reconnaissance against a target domain or organization, investigating a person or entity, tracing cryptocurrency flows, geolocating images or events, or building an attack-surface map." }, { "name": "offensive-osint-methodology", "category": "recon", "path": "Skills/recon/offensive-osint-methodology/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/recon/offensive-osint-methodology", + "description": "Structured OSINT methodology framework: target definition, source selection, collection workflows, data correlation, timeline reconstruction, and reporting. Use to guide systematic OSINT campaigns or teach OSINT methodology." }, { "name": "offensive-fast-checking", "category": "utility", "path": "Skills/utility/offensive-fast-checking/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/utility/offensive-fast-checking", + "description": "Speed-optimized offensive checklist for rapid assessment: quick-win vulnerability patterns, fast recon shortcuts, automated scanner configurations, and triage shortcuts. Use for time-boxed assessments, CTF-speed engagements, or initial rapid surface mapping." }, { "name": "offensive-reporting", "category": "utility", "path": "Skills/utility/offensive-reporting/SKILL.md", + "install_path": "~/.claude/skills/skills-red/utility/offensive-reporting", "description": "Penetration test and red team report writing methodology. Covers executive summary structuring (risk-led narrative for non-technical readers), technical finding format (title, severity, affected scope, narrative, reproduction steps, impact, remediation, references), CVSS v3.1 / v4.0 scoring with vector justification, OWASP risk rating, evidence hygiene (redacting credentials, hashing client data, time-stamping every action), screenshot and PoC artifact management, finding chain narratives, scope/limitations/assumptions documentation, retest evidence and remediation tracking, deliverable formats (PDF, DOCX, HTML, JSON for SIEM ingestion), client-customer-deliverable separation, and common report mistakes (over-CVSSing, undermining the triager, missing the 'so what'). Use at the end of an engagement when authoring a deliverable, when restructuring a draft for executive readability, or when establishing a reusable report template for a consulting practice." }, { "name": "offensive-business-logic", "category": "web", "path": "Skills/web/offensive-business-logic/SKILL.md", + "install_path": "~/.claude/skills/skills-red/web/offensive-business-logic", "description": "Business logic vulnerability testing for web/mobile/API engagements. Covers workflow bypass, state machine violations, multi-step process abuse, price/quantity/discount manipulation, currency confusion, coupon stacking, refund/chargeback abuse, race conditions on logic boundaries, parameter tampering for hidden flows, role/tenant boundary violations, time-of-check vs use, anti-automation defeat, fraud-detection evasion, and subscription/quota abuse. Use when scoping an application after surface-level OWASP Top 10 has been covered, or when the asset is a transactional/marketplace/fintech/e-commerce/SaaS app where logic flaws produce direct financial impact." }, { "name": "offensive-deserialization", "category": "web", "path": "Skills/web/offensive-deserialization/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/web/offensive-deserialization", + "description": "Insecure deserialization attack checklist: identifying deserialization sinks, Java/PHP/.NET/Python deserialization exploitation, ysoserial gadget chains, magic method abuse, and detection evasion. Use when testing deserialization endpoints or developing deserialization exploits." }, { "name": "offensive-file-upload", "category": "web", "path": "Skills/web/offensive-file-upload/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/web/offensive-file-upload", + "description": "File upload vulnerability checklist: MIME type bypass, extension bypass, magic byte manipulation, path traversal in filenames, stored XSS via SVG/HTML upload, server-side processing attacks, and race conditions. Use for assessing file upload endpoints in web app pentests or bug bounty." }, { "name": "offensive-graphql", "category": "web", "path": "Skills/web/offensive-graphql/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/web/offensive-graphql", + "description": "GraphQL security testing checklist: introspection abuse, batching attacks, query depth/complexity DoS, field suggestion enumeration, IDOR via GraphQL, injection through arguments, authorization bypass. Use when assessing GraphQL endpoints in web app tests or bug bounty." }, { "name": "offensive-idor", "category": "web", "path": "Skills/web/offensive-idor/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/web/offensive-idor", + "description": "IDOR (Insecure Direct Object Reference) testing checklist: object ID enumeration, horizontal/vertical privilege escalation, GUID predictability, indirect references via hashes, chained IDOR, and API endpoint IDOR. Use for web app pentests and bug bounty IDOR discovery." }, { "name": "offensive-open-redirect", "category": "web", "path": "Skills/web/offensive-open-redirect/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/web/offensive-open-redirect", + "description": "Open redirect vulnerability checklist: parameter identification, bypass techniques (URL encoding, double slashes, CRLF injection, protocol handlers), chaining with OAuth/SSRF, and impact escalation paths. Use for web app testing and bug bounty open redirect discovery." }, { "name": "offensive-parameter-pollution", "category": "web", "path": "Skills/web/offensive-parameter-pollution/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/web/offensive-parameter-pollution", + "description": "HTTP parameter pollution (HPP) checklist: duplicate parameter injection, backend vs frontend parsing differences, WAF bypass via HPP, server-side vs client-side HPP, and practical exploitation patterns. Use when testing web applications for parameter handling flaws." }, { "name": "offensive-race-condition", "category": "web", "path": "Skills/web/offensive-race-condition/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/web/offensive-race-condition", + "description": "Race condition (TOCTOU) testing checklist: identifying timing windows, Burp Suite Turbo Intruder, Last-Byte sync technique, rate limit bypass, double-spend attacks, and concurrent request exploitation. Use for web app race condition testing or bug bounty time-of-check-to-time-of-use bugs." }, { "name": "offensive-rce", "category": "web", "path": "Skills/web/offensive-rce/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/web/offensive-rce", + "description": "Remote Code Execution testing checklist: OS command injection, SSTI-to-RCE, deserialization RCE, file upload RCE, XXE with SSRF to RCE, RCE via dependency confusion, and CVE-based RCE patterns. Use for web app pentests and bug bounty RCE discovery." }, { "name": "offensive-request-smuggling", "category": "web", "path": "Skills/web/offensive-request-smuggling/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/web/offensive-request-smuggling", + "description": "HTTP request smuggling checklist: CL.TE, TE.CL, TE.TE variants, detection with timing and differential responses, WAF bypass, cache poisoning, credential hijacking, and request smuggling via HTTP/2. Use when testing reverse proxy/load balancer configurations." }, { "name": "offensive-sqli", "category": "web", "path": "Skills/web/offensive-sqli/SKILL.md", + "install_path": "~/.claude/skills/skills-red/web/offensive-sqli", "description": "SQL injection testing skill for offensive security assessments and bug bounty hunting. Covers error-based, UNION-based, boolean/time-based blind, out-of-band, second-order, NoSQL, GraphQL, WebSocket, and JSON-operator SQLi. Includes WAF bypass techniques, database-specific exploitation (MySQL, MSSQL, PostgreSQL, Oracle), cloud-native attack paths, ORM CVE tracking, and SQLmap automation. Use when performing web application SQL injection testing, database enumeration, privilege escalation via SQLi, or assessing injection vectors in APIs and modern stacks." }, { "name": "offensive-ssrf", "category": "web", "path": "Skills/web/offensive-ssrf/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/web/offensive-ssrf", + "description": "Server-Side Request Forgery testing checklist: SSRF discovery, blind SSRF with out-of-band, cloud metadata endpoints (AWS/GCP/Azure), SSRF filter bypass techniques (IP encoding, DNS rebinding, redirect chains), and SSRF to RCE escalation. Use for web app SSRF testing and bug bounty." }, { "name": "offensive-ssti", "category": "web", "path": "Skills/web/offensive-ssti/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/web/offensive-ssti", + "description": "Server-Side Template Injection testing checklist: template engine identification (Jinja2, Twig, Freemarker, Pebble, Velocity), polyglot detection payloads, engine-specific RCE payloads, blind SSTI, and filter bypass. Use when testing web apps for template injection vulnerabilities." }, { "name": "offensive-waf-bypass", "category": "web", "path": "Skills/web/offensive-waf-bypass/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/web/offensive-waf-bypass", + "description": "WAF bypass techniques checklist: encoding bypass (URL/HTML/Unicode/double encoding), case variation, comment injection, HTTP header manipulation, chunked encoding, IP rotation, timing attacks, and payload obfuscation per WAF vendor. Use when WAF is blocking payloads during web app tests." }, { "name": "offensive-xss", "category": "web", "path": "Skills/web/offensive-xss/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/web/offensive-xss", + "description": "Cross-Site Scripting testing checklist: stored/reflected/DOM/blind XSS discovery, polyglot payloads, CSP bypass, XSS filter bypass, event handler injection, DOM clobbering, mutation XSS, and impact escalation (session hijack, phishing, keylogging). Use for web app XSS testing and bug bounty." }, { "name": "offensive-xxe", "category": "web", "path": "Skills/web/offensive-xxe/SKILL.md", - "description": "" + "install_path": "~/.claude/skills/skills-red/web/offensive-xxe", + "description": "XML External Entity injection testing checklist: classic XXE, blind XXE (out-of-band), XXE via file upload (SVG/docx), XXE in SOAP/REST, error-based XXE, XInclude attacks, and XXE filter bypass. Use for web app XXE testing and bug bounty." }, { "name": "offensive-bluetooth-ble", "category": "wireless", "path": "Skills/wireless/offensive-bluetooth-ble/SKILL.md", + "install_path": "~/.claude/skills/skills-red/wireless/offensive-bluetooth-ble", "description": "Bluetooth Low Energy (BLE) attack methodology — GATT enumeration, characteristic read/write without auth, pairing downgrade (Just Works forced), LE Secure Connections bypass, MITM via active relay, sniffing with Sniffle (TI CC1352) / Ubertooth / Frontline, encryption key extraction (LE Legacy Pairing crackable, LE Secure Connections strong), proximity authentication abuse (cars, locks), and companion-app trust analysis. Use for IoT BLE devices, smart locks, fitness trackers, medical devices, BLE beacons, or any device pairing over BLE." }, { "name": "offensive-bluetooth-classic", "category": "wireless", "path": "Skills/wireless/offensive-bluetooth-classic/SKILL.md", + "install_path": "~/.claude/skills/skills-red/wireless/offensive-bluetooth-classic", "description": "Bluetooth Classic (BR/EDR) attack methodology — device discovery, service enumeration via SDP, LMP/L2CAP layer attacks, legacy PIN cracking (BlueBorne / KNOB), Bluetooth file-transfer abuse (BlueSnarfing legacy), unauthenticated profile abuse (HSP, HFP, OPP), and modern relevance against older industrial / automotive / accessory targets. Use when in-scope devices use Bluetooth Classic (Bluetooth ≤ 4.0 BR/EDR) — common in legacy car kits, industrial sensors, older medical devices, and audio accessories." }, { "name": "offensive-deauth-disassoc", "category": "wireless", "path": "Skills/wireless/offensive-deauth-disassoc/SKILL.md", + "install_path": "~/.claude/skills/skills-red/wireless/offensive-deauth-disassoc", "description": "Deauthentication and disassociation attacks against 802.11 networks — targeted single-client deauth for handshake capture, broadcast deauth for DoS (with authorization), action-frame attacks bypassing 802.11w (PMF), beacon flooding, mdk4 / aireplay-ng tooling, and rate-limit / PMF-aware operation. Use to coerce client reconnection (handshake capture, evil-twin roaming), as targeted DoS, or to test PMF posture." }, { "name": "offensive-evil-twin", "category": "wireless", "path": "Skills/wireless/offensive-evil-twin/SKILL.md", + "install_path": "~/.claude/skills/skills-red/wireless/offensive-evil-twin", "description": "Evil Twin / KARMA / Mana access point methodology — rogue AP construction with hostapd-mana / wifiphisher / airgeddon, KARMA universal probe response, Mana selective probe response, captive portal phishing, deauth-driven client coercion to attacker AP, MAC randomization defeat via PNL leak analysis, post-association MITM (DNS, ARP, transparent proxy), credential capture for portal/web/SMB, and detection-evasion tactics. Use to coerce client devices onto an attacker-controlled AP, intercept their traffic, harvest credentials, or deliver payloads via captive portal." }, { "name": "offensive-krack-fragattacks", "category": "wireless", "path": "Skills/wireless/offensive-krack-fragattacks/SKILL.md", + "install_path": "~/.claude/skills/skills-red/wireless/offensive-krack-fragattacks", "description": "KRACK (CVE-2017-13077..082) and FragAttacks (CVE-2020-24586..588 + 26139-26147) — key reinstallation, fragmentation, and aggregation attacks against WPA2 supplicants. Covers Vanhoef's test scripts, viability against modern patched stacks (mostly mitigated post-2021), residual unpatched embedded devices and IoT vendors, and the practical limitations of these attacks in modern engagements. Use when assessing legacy supplicants, embedded clients, or vendors with poor patch cadence." }, { "name": "offensive-lorawan-sub-ghz", "category": "wireless", "path": "Skills/wireless/offensive-lorawan-sub-ghz/SKILL.md", + "install_path": "~/.claude/skills/skills-red/wireless/offensive-lorawan-sub-ghz", "description": "LoRaWAN and sub-GHz (433 / 868 / 915 MHz) attack methodology — LoRaWAN ABP/OTAA join attack, network/session key reuse, frame counter replay, downlink injection on TTN/Helium-style networks, sub-GHz protocol replay (KeeLoq garage doors, fixed-code remotes, TPMS spoofing, smart plug telemetry), HackRF / RTL-SDR / Flipper Zero workflows, signal analysis with Inspectrum / Universal Radio Hacker, and reconstruction of proprietary packet formats. Use for LoRaWAN deployments (smart cities, asset tracking, industrial telemetry), or any wireless device using the unlicensed 433/868/915 MHz bands (garage openers, doorbells, IoT sensors, RC equipment)." }, { "name": "offensive-wifi", "category": "wireless", "path": "Skills/wireless/offensive-wifi/SKILL.md", + "install_path": "~/.claude/skills/skills-red/wireless/offensive-wifi", "description": "Wireless / 802.11 attack methodology for red team engagements and wireless security assessments. Covers monitor-mode setup, WPA/WPA2-PSK handshake capture and PMKID attacks, WPA3 SAE downgrade and Dragonblood, WPA-Enterprise (EAP) attacks (MSCHAPv2 cracking, EAP-TLS cert theft, evil-twin RADIUS), Karma / Known Beacons / Mana evil twin attacks, captive-portal phishing, KRACK and FragAttacks, WPS Pixie Dust, deauthentication and disassociation attacks, rogue AP construction (hostapd-mana), 802.1X bypass, MAC randomization defeat, BLE/Zigbee/IEEE 802.15.4 sidebands, and Wi-Fi 6/6E/7 considerations. Use when scoping wireless pentest, war-driving an estate, or testing corporate wireless segmentation." }, { "name": "offensive-wifi-recon", "category": "wireless", "path": "Skills/wireless/offensive-wifi-recon/SKILL.md", + "install_path": "~/.claude/skills/skills-red/wireless/offensive-wifi-recon", "description": "Wi-Fi reconnaissance methodology — adapter selection, monitor mode and packet injection setup, regulatory domain handling, multi-band airspace mapping, hidden SSID discovery, BSSID/ESSID/channel/PMF/encryption fingerprinting, client probe analysis, vendor OUI lookup, war-driving with Kismet/airodump-ng/Wigle, and structured airspace data capture for downstream attacks. Use at the start of any wireless engagement to build the target map before active attacks; covers 2.4 GHz, 5 GHz, and 6 GHz (Wi-Fi 6E) bands and adapter compatibility for each." }, { "name": "offensive-wpa-enterprise", "category": "wireless", "path": "Skills/wireless/offensive-wpa-enterprise/SKILL.md", + "install_path": "~/.claude/skills/skills-red/wireless/offensive-wpa-enterprise", "description": "WPA/WPA2/WPA3-Enterprise (802.1X / EAP) attack methodology — EAP method identification (PEAP-MSCHAPv2, EAP-TTLS, EAP-TLS, EAP-GTC, EAP-PWD, EAP-FAST), evil-twin RADIUS attacks with eaphammer for credential capture, MSCHAPv2 challenge-response cracking, EAP-TLS client certificate theft paths (DPAPI, NDES, AD CS auto-enrollment), supplicant validation bypass (missing server cert validation, missing CN pinning, BYOD misconfigurations), and post-capture pivots into AD via cracked domain credentials. Use for corporate Wi-Fi engagements where the network is 802.1X authenticated." }, { "name": "offensive-wpa2-psk", "category": "wireless", "path": "Skills/wireless/offensive-wpa2-psk/SKILL.md", + "install_path": "~/.claude/skills/skills-red/wireless/offensive-wpa2-psk", "description": "WPA/WPA2-PSK attack methodology — four-way handshake capture via targeted deauthentication, PMKID attacks (no client required), hcxdumptool / hcxpcapngtool conversion to hashcat hc22000 format, GPU-accelerated cracking with dictionary, mask, and rule-based attacks, vendor default-PSK generators (UPC, Sky, BT, etc.), 802.11r FT key cracking, opportunistic key cache analysis, and signal-level optimization. Use when the in-scope network is WPA/WPA2 Personal — the most common consumer/SMB encryption mode." }, { "name": "offensive-wpa3-sae", "category": "wireless", "path": "Skills/wireless/offensive-wpa3-sae/SKILL.md", + "install_path": "~/.claude/skills/skills-red/wireless/offensive-wpa3-sae", "description": "WPA3 / SAE (Simultaneous Authentication of Equals) attack methodology — transition-mode (mixed WPA2/WPA3) downgrade, Dragonblood side-channel attacks (CVE-2019-9494, 9495, 13377, 13456), SAE auth flooding for AP CPU exhaustion, Hash-to-Element (H2E) timing analysis, group downgrade, and 6 GHz / Wi-Fi 6E spec implications (PMF mandatory, no transition mode allowed). Use when target advertises WPA3-SAE or WPA3-Personal/Enterprise, or operates in 6 GHz where WPA3 + PMF are required by spec." }, { "name": "offensive-wps", "category": "wireless", "path": "Skills/wireless/offensive-wps/SKILL.md", + "install_path": "~/.claude/skills/skills-red/wireless/offensive-wps", "description": "WPS (Wi-Fi Protected Setup) PIN attack methodology — Pixie Dust offline attack against vulnerable chipsets (Ralink, Realtek, Broadcom, MediaTek), online PIN brute-force with reaver/bully, lockout handling, time-of-day evasion, WPS push-button vulnerability windows, and PIN-to-PSK derivation. Use when a target SOHO router exposes WPS — common on consumer ISP gear, often left enabled by default even when WPS attacks have been known for over a decade." }, { "name": "offensive-z-wave", "category": "wireless", "path": "Skills/wireless/offensive-z-wave/SKILL.md", + "install_path": "~/.claude/skills/skills-red/wireless/offensive-z-wave", "description": "Z-Wave attack methodology — sniffing with Z-Force / EZ-Wave / RTL-SDR + ZniffMobile, S0 (legacy) network-key derivation flaw and key reuse, S2 (modern) ECDH commissioning analysis, replay/injection on unauthenticated nodes, default-key brute-force on test deployments, and home-automation hub pivots. Use when targeting Z-Wave smart home devices (door locks, sensors, garage controllers) — common in mid-2010s smart home deployments still in production." }, { "name": "offensive-zigbee-thread-matter", "category": "wireless", "path": "Skills/wireless/offensive-zigbee-thread-matter/SKILL.md", + "install_path": "~/.claude/skills/skills-red/wireless/offensive-zigbee-thread-matter", "description": "Zigbee, Thread, and Matter mesh-protocol attack methodology — IEEE 802.15.4 sniffing with TI CC2531 / CC2540 / Sonoff Zigbee Dongle E, KillerBee toolkit, Touchlink commissioning abuse with the well-known transport key, replay/injection attacks, Zigbee Cluster Library command abuse for door locks and bulbs, Thread network credential theft, Matter commissioning chain analysis, and 6LoWPAN/IPv6 routing exploitation. Use when targeting smart-home or commercial mesh deployments, Zigbee-based door locks, lighting, or sensor networks." } ], diff --git a/codex-skills.json b/codex-skills.json new file mode 100644 index 0000000..c098127 --- /dev/null +++ b/codex-skills.json @@ -0,0 +1,503 @@ +{ + "name": "skills-red", + "version": "0.2.0", + "platform": "codex", + "license": "MIT", + "homepage": "https://github.com/trewwwsec/skills-red", + "categories": { + "active-directory": [ + "offensive-active-directory" + ], + "ai": [ + "offensive-ai-security" + ], + "auth": [ + "offensive-jwt", + "offensive-oauth" + ], + "cloud": [ + "offensive-cloud" + ], + "exploit-dev": [ + "offensive-basic-exploitation", + "offensive-crash-analysis", + "offensive-exploit-dev-course", + "offensive-exploit-development", + "offensive-mitigations", + "offensive-toctou" + ], + "fuzzing": [ + "offensive-bug-identification", + "offensive-fuzzing", + "offensive-fuzzing-course", + "offensive-vuln-classes" + ], + "infrastructure": [ + "offensive-advanced-redteam", + "offensive-edr-evasion", + "offensive-initial-access", + "offensive-keylogger-arch", + "offensive-shellcode", + "offensive-windows-boundaries", + "offensive-windows-mitigations" + ], + "iot": [ + "offensive-iot" + ], + "mobile": [ + "offensive-mobile" + ], + "recon": [ + "offensive-osint", + "offensive-osint-methodology" + ], + "utility": [ + "offensive-fast-checking", + "offensive-reporting" + ], + "web": [ + "offensive-business-logic", + "offensive-deserialization", + "offensive-file-upload", + "offensive-graphql", + "offensive-idor", + "offensive-open-redirect", + "offensive-parameter-pollution", + "offensive-race-condition", + "offensive-rce", + "offensive-request-smuggling", + "offensive-sqli", + "offensive-ssrf", + "offensive-ssti", + "offensive-waf-bypass", + "offensive-xss", + "offensive-xxe" + ], + "wireless": [ + "offensive-bluetooth-ble", + "offensive-bluetooth-classic", + "offensive-deauth-disassoc", + "offensive-evil-twin", + "offensive-krack-fragattacks", + "offensive-lorawan-sub-ghz", + "offensive-wifi", + "offensive-wifi-recon", + "offensive-wpa-enterprise", + "offensive-wpa2-psk", + "offensive-wpa3-sae", + "offensive-wps", + "offensive-z-wave", + "offensive-zigbee-thread-matter" + ] + }, + "skills": [ + { + "name": "offensive-active-directory", + "category": "active-directory", + "path": "Skills/active-directory/offensive-active-directory/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/active-directory/offensive-active-directory", + "description": "Active Directory attack methodology for internal network red team engagements. Covers reconnaissance (BloodHound, PowerView, ADExplorer), credential abuse (Kerberoasting, ASREProasting, NTLM relay, LLMNR/NBT-NS poisoning), privilege escalation (ACL abuse, GPO abuse, unconstrained/constrained delegation), lateral movement (Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, WMI/WinRM/PsExec), persistence (Golden/Silver/Diamond Tickets, DCSync, DCShadow, AdminSDHolder, Skeleton Key), forest trust attacks, ADCS abuse (ESC1-ESC15), and modern MDI/Defender for Identity evasion. Use when assessing on-prem AD, hybrid AD/Entra ID environments, or ADCS deployments." + }, + { + "name": "offensive-ai-security", + "category": "ai", + "path": "Skills/ai/offensive-ai-security/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/ai/offensive-ai-security", + "description": "AI/LLM security offensive checklist: prompt injection, jailbreaking, model extraction, training data poisoning, adversarial inputs, LLM-assisted attack automation, and AI system reconnaissance. Use when assessing AI/ML systems, red-teaming LLMs, or researching AI attack vectors." + }, + { + "name": "offensive-jwt", + "category": "auth", + "path": "Skills/auth/offensive-jwt/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/auth/offensive-jwt", + "description": "JWT attack methodology for penetration testers. Covers algorithm confusion (alg:none, RS256→HS256), weak HMAC secret brute force, kid parameter injection (SQLi, path traversal), jku/x5u/jwk header injection, JWKS cache poisoning, JWS/JWE confusion, timing attacks, and mobile JWT storage extraction. Use when testing JWT-based authentication, hunting auth bypass via token manipulation, or evaluating JWT implementation security in web or mobile apps." + }, + { + "name": "offensive-oauth", + "category": "auth", + "path": "Skills/auth/offensive-oauth/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/auth/offensive-oauth", + "description": "OAuth 2.0 attack checklist: authorization code interception, redirect_uri bypass, CSRF on OAuth flow, state parameter abuse, open redirector chaining, token leakage via Referer, PKCE bypass, and scope escalation. Use when testing OAuth implementations in web apps or bug bounty." + }, + { + "name": "offensive-cloud", + "category": "cloud", + "path": "Skills/cloud/offensive-cloud/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/cloud/offensive-cloud", + "description": "Cloud security attack methodology covering AWS, Azure, and GCP. Includes credential harvesting (IMDS, ~/.aws, env vars, leaked CI secrets, instance roles), enumeration with cloud-specific tools (pacu, ScoutSuite, Prowler, ROADtools, gcp_enum), privilege escalation paths (IAM PassRole, AssumeRole chains, Lambda/Functions privilege flips, Azure Owner-on-self, GCP serviceAccountTokenCreator), persistence techniques (IAM user/key creation, AAD app registration, GCP svc account key creation, EventBridge/Logic Apps backdoors), data exfiltration (S3/Blob/GCS, snapshot share, RDS/CosmosDB/Cloud SQL exfil), cloud-native lateral movement (cross-account assume, Azure AD multi-tenant, GCP project hierarchy), serverless attacks (Lambda env vars, layer hijack, Step Functions), Kubernetes-on-cloud (EKS/AKS/GKE-specific paths to node and AWS metadata), and CSPM evasion (CloudTrail blind spots, GuardDuty mute, Sentinel rule shaping). Use when the engagement scope is cloud accounts, when you've stolen cloud credentials, or when assessing cloud posture." + }, + { + "name": "offensive-basic-exploitation", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-basic-exploitation/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/exploit-dev/offensive-basic-exploitation", + "description": "Week 5 exploit development curriculum. Foundational exploitation techniques: controlling EIP/RIP, ROP chain construction, ret2libc, shellcode injection, heap spraying, bypass techniques for ASLR/NX/stack canaries. Use when building initial PoCs or understanding classic exploitation primitives." + }, + { + "name": "offensive-crash-analysis", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-crash-analysis/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/exploit-dev/offensive-crash-analysis", + "description": "Week 4 exploit development curriculum. Crash triage and analysis methodology: WinDbg/GDB analysis, ASAN/MSAN output interpretation, exploitability assessment, register/stack trace reading, root cause identification. Use when analyzing crash dumps, assessing exploitability, or understanding fuzzer-generated crashes." + }, + { + "name": "offensive-exploit-dev-course", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-exploit-dev-course/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/exploit-dev/offensive-exploit-dev-course", + "description": "Full exploit development course roadmap and syllabus: weekly topics, recommended reading, lab setup, and learning path from vulnerability classes through advanced exploitation. Use to structure exploit dev training or onboard new researchers." + }, + { + "name": "offensive-exploit-development", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-exploit-development/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/exploit-dev/offensive-exploit-development", + "description": "Exploit development operational guide: environment setup, debugging workflow, PoC development lifecycle, writing reliable exploits, using pwntools/pwndbg, heap exploitation techniques, and weaponization considerations. Use when actively developing exploits or setting up an exploit dev environment." + }, + { + "name": "offensive-mitigations", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-mitigations/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/exploit-dev/offensive-mitigations", + "description": "Security mitigation reference and bypass catalog: ASLR, DEP/NX, RELRO, stack canaries, CFI, sandboxing, seccomp. Covers both detection of enabled mitigations and known bypass techniques. Use when assessing target hardening or planning exploit mitigation bypasses." + }, + { + "name": "offensive-toctou", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-toctou/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/exploit-dev/offensive-toctou", + "description": "Time-of-Check / Time-of-Use (TOCTOU) race condition exploitation methodology across binary, kernel, filesystem, web, and container layers. Covers symbolic-link races (open/access/stat split), file-descriptor races, fopen/realpath traversal races, /proc and procfs races, FUSE-backed slow-fs races to widen the window, ptrace and signal races, kernel double-fetch / userspace pointer races, container/runc/symlink escape primitives, kubernetes admission/authz TOCTOU, web auth-vs-authz TOCTOU, JWT-claim TOCTOU at gateway vs service, payment/idempotency races, and modern race-amplification techniques (single-packet attack, slow loris, FUSE pause, cgroup freeze, scheduler shaping). Use when you've identified a 'check then act' pattern in code, when fuzzing for race conditions, or when exploiting concurrency bugs in privileged binaries / kernel / orchestrators." + }, + { + "name": "offensive-bug-identification", + "category": "fuzzing", + "path": "Skills/fuzzing/offensive-bug-identification/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/fuzzing/offensive-bug-identification", + "description": "Systematic bug identification methodology: source code review patterns, black-box testing strategies, taint analysis, dangerous function hunting, data flow tracing, and automated scanning setup. Use for code audits, bug bounty triage, or building vulnerability identification pipelines." + }, + { + "name": "offensive-fuzzing", + "category": "fuzzing", + "path": "Skills/fuzzing/offensive-fuzzing/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/fuzzing/offensive-fuzzing", + "description": "Practical offensive fuzzing methodology covering target identification, fuzzer selection (AFL++, libFuzzer, Honggfuzz, Boofuzz, syzkaller), harness writing, corpus curation, mutation strategies, coverage measurement, and crash triage. Use when setting up or running fuzz campaigns against any target: file parsers, network protocols, kernel drivers, EDR engines, embedded firmware, or language runtimes." + }, + { + "name": "offensive-fuzzing-course", + "category": "fuzzing", + "path": "Skills/fuzzing/offensive-fuzzing-course/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/fuzzing/offensive-fuzzing-course", + "description": "Week 2 of the exploit development curriculum. Covers fuzzing methodology: target selection, corpus generation, coverage-guided fuzzing with AFL++/libFuzzer, structured fuzzing, and triage/deduplication. Use when setting up fuzz campaigns, selecting harness strategies, or triaging fuzzer output." + }, + { + "name": "offensive-vuln-classes", + "category": "fuzzing", + "path": "Skills/fuzzing/offensive-vuln-classes/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/fuzzing/offensive-vuln-classes", + "description": "Exploit development curriculum covering core vulnerability classes with real-world CVE case studies: stack/heap buffer overflows, use-after-free, integer overflows, format strings, type confusion, and race conditions. Use when learning or teaching vuln classes, researching specific CVE patterns, or building exploit dev knowledge." + }, + { + "name": "offensive-advanced-redteam", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-advanced-redteam/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/infrastructure/offensive-advanced-redteam", + "description": "Practical advanced red team operations guide: OPSEC discipline, C2 infrastructure design, living-off-the-land techniques, lateral movement, persistence, data exfiltration, and evading modern defenses. Use for planning advanced red team engagements or understanding APT TTPs." + }, + { + "name": "offensive-edr-evasion", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-edr-evasion/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/infrastructure/offensive-edr-evasion", + "description": "EDR evasion offensive checklist: hook unhooking (user/kernel), direct syscalls, PPID spoofing, process injection variants, AMSI bypass, ETW patching, memory encryption, and behavior-based evasion. Use when planning EDR bypass during red team engagements or researching AV/EDR evasion techniques." + }, + { + "name": "offensive-initial-access", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-initial-access/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/infrastructure/offensive-initial-access", + "description": "Initial access techniques checklist: phishing (spear/smishing), credential stuffing, exposed service exploitation, supply chain attacks, watering hole, VPN/RDP brute force, public-facing application exploitation. Maps to MITRE ATT&CK TA0001. Use when planning initial access phases of red team engagements." + }, + { + "name": "offensive-keylogger-arch", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-keylogger-arch/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/infrastructure/offensive-keylogger-arch", + "description": "Low-level keylogger architecture design: kernel driver hooks (WH_KEYBOARD_LL, SetWindowsHookEx), ETW-based input capture, user-mode vs kernel-mode approaches, stealth techniques, and data exfiltration. Use for understanding input capture mechanisms, EDR evasion research, or malware architecture analysis." + }, + { + "name": "offensive-shellcode", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-shellcode/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/infrastructure/offensive-shellcode", + "description": "Shellcode development reference for offensive security engagements. Use when writing custom x86/x64 shellcode, implementing position-independent code (PIC), building shellcode loaders, evading AV/EDR detection, or converting PE files to shellcode. Covers null byte avoidance, API hashing, encoder/decoder patterns, staged vs stageless payloads, Windows PEB traversal, and cross-platform shellcode techniques." + }, + { + "name": "offensive-windows-boundaries", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-windows-boundaries/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/infrastructure/offensive-windows-boundaries", + "description": "Windows security boundary taxonomy and attack surface enumeration: kernel/user boundary, sandbox boundaries (LPAC, AppContainer), COM/RPC boundaries, hypervisor boundary, trust level transitions. Use when planning privilege escalation paths, sandbox escapes, or understanding Windows security architecture." + }, + { + "name": "offensive-windows-mitigations", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-windows-mitigations/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/infrastructure/offensive-windows-mitigations", + "description": "Deep-dive on Windows exploit mitigations: ASLR, DEP/NX, CFG, CET/Shadow Stack, SEHOP, Heap Guard, ACG, Arbitrary Code Guard. Covers both the protection mechanism and known bypass techniques. Use when researching Windows exploit mitigations, planning bypass strategies, or understanding protection depth." + }, + { + "name": "offensive-iot", + "category": "iot", + "path": "Skills/iot/offensive-iot/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/iot/offensive-iot", + "description": "IoT and embedded device security testing methodology. Covers hardware reconnaissance (UART, JTAG, SWD, SPI flash, I2C EEPROM, eMMC chip-off), firmware acquisition (vendor portals, OTA capture, flash dump, binwalk extraction), firmware analysis (filesystem mounting, binary triage, hardcoded secrets, default credential discovery), bootloader attacks (U-Boot console, secure-boot bypass, fault injection), runtime attacks on embedded Linux/RTOS (busybox CVEs, MTD writes, /dev/mem), wireless protocol attacks (Zigbee, BLE, Z-Wave, LoRaWAN, Thread/Matter, sub-GHz), MQTT/CoAP/Modbus/BACnet/OPC-UA exploitation, mobile companion app analysis, cloud-IoT API abuse, and side-channel/glitching basics. Use for IoT pentest, smart-home assessment, ICS/OT testing, or embedded vulnerability research." + }, + { + "name": "offensive-mobile", + "category": "mobile", + "path": "Skills/mobile/offensive-mobile/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/mobile/offensive-mobile", + "description": "Mobile (Android + iOS) application penetration testing methodology. Covers static analysis (apktool/jadx for Android, class-dump/Hopper/IDA for iOS), dynamic instrumentation with Frida and Objection, SSL pinning bypass strategies, root/jailbreak detection bypass, deep-link / URL-scheme abuse, exported component attacks (Android activities, services, providers, receivers; iOS XPC, URL schemes, universal links), insecure data storage (SharedPrefs, KeyStore misuse, NSUserDefaults, Keychain ACL bypass), IPC / Intent redirection, WebView vulnerabilities (JavaScriptInterface, file:// access), Firebase/AWS/Azure misconfiguration leakage, mobile API testing, biometric/Face ID/Touch ID bypass, app-cloning and runtime patching, and mobile malware/RAT analysis primitives. Use for mobile pentest, bug bounty mobile triage, or app-store reconnaissance." + }, + { + "name": "offensive-osint", + "category": "recon", + "path": "Skills/recon/offensive-osint/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/recon/offensive-osint", + "description": "Comprehensive OSINT methodology skill for offensive security, red team intelligence gathering, and bug bounty reconnaissance. Covers domain recon, email harvesting, social media profiling, GitHub/code leaks, Shodan/Censys enumeration, breach data lookup, employee profiling, infrastructure mapping, cryptocurrency tracing, geospatial intelligence, and AI-assisted analysis workflows. Use when performing reconnaissance against a target domain or organization, investigating a person or entity, tracing cryptocurrency flows, geolocating images or events, or building an attack-surface map." + }, + { + "name": "offensive-osint-methodology", + "category": "recon", + "path": "Skills/recon/offensive-osint-methodology/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/recon/offensive-osint-methodology", + "description": "Structured OSINT methodology framework: target definition, source selection, collection workflows, data correlation, timeline reconstruction, and reporting. Use to guide systematic OSINT campaigns or teach OSINT methodology." + }, + { + "name": "offensive-fast-checking", + "category": "utility", + "path": "Skills/utility/offensive-fast-checking/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/utility/offensive-fast-checking", + "description": "Speed-optimized offensive checklist for rapid assessment: quick-win vulnerability patterns, fast recon shortcuts, automated scanner configurations, and triage shortcuts. Use for time-boxed assessments, CTF-speed engagements, or initial rapid surface mapping." + }, + { + "name": "offensive-reporting", + "category": "utility", + "path": "Skills/utility/offensive-reporting/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/utility/offensive-reporting", + "description": "Penetration test and red team report writing methodology. Covers executive summary structuring (risk-led narrative for non-technical readers), technical finding format (title, severity, affected scope, narrative, reproduction steps, impact, remediation, references), CVSS v3.1 / v4.0 scoring with vector justification, OWASP risk rating, evidence hygiene (redacting credentials, hashing client data, time-stamping every action), screenshot and PoC artifact management, finding chain narratives, scope/limitations/assumptions documentation, retest evidence and remediation tracking, deliverable formats (PDF, DOCX, HTML, JSON for SIEM ingestion), client-customer-deliverable separation, and common report mistakes (over-CVSSing, undermining the triager, missing the 'so what'). Use at the end of an engagement when authoring a deliverable, when restructuring a draft for executive readability, or when establishing a reusable report template for a consulting practice." + }, + { + "name": "offensive-business-logic", + "category": "web", + "path": "Skills/web/offensive-business-logic/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/web/offensive-business-logic", + "description": "Business logic vulnerability testing for web/mobile/API engagements. Covers workflow bypass, state machine violations, multi-step process abuse, price/quantity/discount manipulation, currency confusion, coupon stacking, refund/chargeback abuse, race conditions on logic boundaries, parameter tampering for hidden flows, role/tenant boundary violations, time-of-check vs use, anti-automation defeat, fraud-detection evasion, and subscription/quota abuse. Use when scoping an application after surface-level OWASP Top 10 has been covered, or when the asset is a transactional/marketplace/fintech/e-commerce/SaaS app where logic flaws produce direct financial impact." + }, + { + "name": "offensive-deserialization", + "category": "web", + "path": "Skills/web/offensive-deserialization/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/web/offensive-deserialization", + "description": "Insecure deserialization attack checklist: identifying deserialization sinks, Java/PHP/.NET/Python deserialization exploitation, ysoserial gadget chains, magic method abuse, and detection evasion. Use when testing deserialization endpoints or developing deserialization exploits." + }, + { + "name": "offensive-file-upload", + "category": "web", + "path": "Skills/web/offensive-file-upload/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/web/offensive-file-upload", + "description": "File upload vulnerability checklist: MIME type bypass, extension bypass, magic byte manipulation, path traversal in filenames, stored XSS via SVG/HTML upload, server-side processing attacks, and race conditions. Use for assessing file upload endpoints in web app pentests or bug bounty." + }, + { + "name": "offensive-graphql", + "category": "web", + "path": "Skills/web/offensive-graphql/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/web/offensive-graphql", + "description": "GraphQL security testing checklist: introspection abuse, batching attacks, query depth/complexity DoS, field suggestion enumeration, IDOR via GraphQL, injection through arguments, authorization bypass. Use when assessing GraphQL endpoints in web app tests or bug bounty." + }, + { + "name": "offensive-idor", + "category": "web", + "path": "Skills/web/offensive-idor/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/web/offensive-idor", + "description": "IDOR (Insecure Direct Object Reference) testing checklist: object ID enumeration, horizontal/vertical privilege escalation, GUID predictability, indirect references via hashes, chained IDOR, and API endpoint IDOR. Use for web app pentests and bug bounty IDOR discovery." + }, + { + "name": "offensive-open-redirect", + "category": "web", + "path": "Skills/web/offensive-open-redirect/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/web/offensive-open-redirect", + "description": "Open redirect vulnerability checklist: parameter identification, bypass techniques (URL encoding, double slashes, CRLF injection, protocol handlers), chaining with OAuth/SSRF, and impact escalation paths. Use for web app testing and bug bounty open redirect discovery." + }, + { + "name": "offensive-parameter-pollution", + "category": "web", + "path": "Skills/web/offensive-parameter-pollution/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/web/offensive-parameter-pollution", + "description": "HTTP parameter pollution (HPP) checklist: duplicate parameter injection, backend vs frontend parsing differences, WAF bypass via HPP, server-side vs client-side HPP, and practical exploitation patterns. Use when testing web applications for parameter handling flaws." + }, + { + "name": "offensive-race-condition", + "category": "web", + "path": "Skills/web/offensive-race-condition/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/web/offensive-race-condition", + "description": "Race condition (TOCTOU) testing checklist: identifying timing windows, Burp Suite Turbo Intruder, Last-Byte sync technique, rate limit bypass, double-spend attacks, and concurrent request exploitation. Use for web app race condition testing or bug bounty time-of-check-to-time-of-use bugs." + }, + { + "name": "offensive-rce", + "category": "web", + "path": "Skills/web/offensive-rce/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/web/offensive-rce", + "description": "Remote Code Execution testing checklist: OS command injection, SSTI-to-RCE, deserialization RCE, file upload RCE, XXE with SSRF to RCE, RCE via dependency confusion, and CVE-based RCE patterns. Use for web app pentests and bug bounty RCE discovery." + }, + { + "name": "offensive-request-smuggling", + "category": "web", + "path": "Skills/web/offensive-request-smuggling/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/web/offensive-request-smuggling", + "description": "HTTP request smuggling checklist: CL.TE, TE.CL, TE.TE variants, detection with timing and differential responses, WAF bypass, cache poisoning, credential hijacking, and request smuggling via HTTP/2. Use when testing reverse proxy/load balancer configurations." + }, + { + "name": "offensive-sqli", + "category": "web", + "path": "Skills/web/offensive-sqli/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/web/offensive-sqli", + "description": "SQL injection testing skill for offensive security assessments and bug bounty hunting. Covers error-based, UNION-based, boolean/time-based blind, out-of-band, second-order, NoSQL, GraphQL, WebSocket, and JSON-operator SQLi. Includes WAF bypass techniques, database-specific exploitation (MySQL, MSSQL, PostgreSQL, Oracle), cloud-native attack paths, ORM CVE tracking, and SQLmap automation. Use when performing web application SQL injection testing, database enumeration, privilege escalation via SQLi, or assessing injection vectors in APIs and modern stacks." + }, + { + "name": "offensive-ssrf", + "category": "web", + "path": "Skills/web/offensive-ssrf/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/web/offensive-ssrf", + "description": "Server-Side Request Forgery testing checklist: SSRF discovery, blind SSRF with out-of-band, cloud metadata endpoints (AWS/GCP/Azure), SSRF filter bypass techniques (IP encoding, DNS rebinding, redirect chains), and SSRF to RCE escalation. Use for web app SSRF testing and bug bounty." + }, + { + "name": "offensive-ssti", + "category": "web", + "path": "Skills/web/offensive-ssti/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/web/offensive-ssti", + "description": "Server-Side Template Injection testing checklist: template engine identification (Jinja2, Twig, Freemarker, Pebble, Velocity), polyglot detection payloads, engine-specific RCE payloads, blind SSTI, and filter bypass. Use when testing web apps for template injection vulnerabilities." + }, + { + "name": "offensive-waf-bypass", + "category": "web", + "path": "Skills/web/offensive-waf-bypass/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/web/offensive-waf-bypass", + "description": "WAF bypass techniques checklist: encoding bypass (URL/HTML/Unicode/double encoding), case variation, comment injection, HTTP header manipulation, chunked encoding, IP rotation, timing attacks, and payload obfuscation per WAF vendor. Use when WAF is blocking payloads during web app tests." + }, + { + "name": "offensive-xss", + "category": "web", + "path": "Skills/web/offensive-xss/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/web/offensive-xss", + "description": "Cross-Site Scripting testing checklist: stored/reflected/DOM/blind XSS discovery, polyglot payloads, CSP bypass, XSS filter bypass, event handler injection, DOM clobbering, mutation XSS, and impact escalation (session hijack, phishing, keylogging). Use for web app XSS testing and bug bounty." + }, + { + "name": "offensive-xxe", + "category": "web", + "path": "Skills/web/offensive-xxe/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/web/offensive-xxe", + "description": "XML External Entity injection testing checklist: classic XXE, blind XXE (out-of-band), XXE via file upload (SVG/docx), XXE in SOAP/REST, error-based XXE, XInclude attacks, and XXE filter bypass. Use for web app XXE testing and bug bounty." + }, + { + "name": "offensive-bluetooth-ble", + "category": "wireless", + "path": "Skills/wireless/offensive-bluetooth-ble/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/wireless/offensive-bluetooth-ble", + "description": "Bluetooth Low Energy (BLE) attack methodology — GATT enumeration, characteristic read/write without auth, pairing downgrade (Just Works forced), LE Secure Connections bypass, MITM via active relay, sniffing with Sniffle (TI CC1352) / Ubertooth / Frontline, encryption key extraction (LE Legacy Pairing crackable, LE Secure Connections strong), proximity authentication abuse (cars, locks), and companion-app trust analysis. Use for IoT BLE devices, smart locks, fitness trackers, medical devices, BLE beacons, or any device pairing over BLE." + }, + { + "name": "offensive-bluetooth-classic", + "category": "wireless", + "path": "Skills/wireless/offensive-bluetooth-classic/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/wireless/offensive-bluetooth-classic", + "description": "Bluetooth Classic (BR/EDR) attack methodology — device discovery, service enumeration via SDP, LMP/L2CAP layer attacks, legacy PIN cracking (BlueBorne / KNOB), Bluetooth file-transfer abuse (BlueSnarfing legacy), unauthenticated profile abuse (HSP, HFP, OPP), and modern relevance against older industrial / automotive / accessory targets. Use when in-scope devices use Bluetooth Classic (Bluetooth ≤ 4.0 BR/EDR) — common in legacy car kits, industrial sensors, older medical devices, and audio accessories." + }, + { + "name": "offensive-deauth-disassoc", + "category": "wireless", + "path": "Skills/wireless/offensive-deauth-disassoc/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/wireless/offensive-deauth-disassoc", + "description": "Deauthentication and disassociation attacks against 802.11 networks — targeted single-client deauth for handshake capture, broadcast deauth for DoS (with authorization), action-frame attacks bypassing 802.11w (PMF), beacon flooding, mdk4 / aireplay-ng tooling, and rate-limit / PMF-aware operation. Use to coerce client reconnection (handshake capture, evil-twin roaming), as targeted DoS, or to test PMF posture." + }, + { + "name": "offensive-evil-twin", + "category": "wireless", + "path": "Skills/wireless/offensive-evil-twin/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/wireless/offensive-evil-twin", + "description": "Evil Twin / KARMA / Mana access point methodology — rogue AP construction with hostapd-mana / wifiphisher / airgeddon, KARMA universal probe response, Mana selective probe response, captive portal phishing, deauth-driven client coercion to attacker AP, MAC randomization defeat via PNL leak analysis, post-association MITM (DNS, ARP, transparent proxy), credential capture for portal/web/SMB, and detection-evasion tactics. Use to coerce client devices onto an attacker-controlled AP, intercept their traffic, harvest credentials, or deliver payloads via captive portal." + }, + { + "name": "offensive-krack-fragattacks", + "category": "wireless", + "path": "Skills/wireless/offensive-krack-fragattacks/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/wireless/offensive-krack-fragattacks", + "description": "KRACK (CVE-2017-13077..082) and FragAttacks (CVE-2020-24586..588 + 26139-26147) — key reinstallation, fragmentation, and aggregation attacks against WPA2 supplicants. Covers Vanhoef's test scripts, viability against modern patched stacks (mostly mitigated post-2021), residual unpatched embedded devices and IoT vendors, and the practical limitations of these attacks in modern engagements. Use when assessing legacy supplicants, embedded clients, or vendors with poor patch cadence." + }, + { + "name": "offensive-lorawan-sub-ghz", + "category": "wireless", + "path": "Skills/wireless/offensive-lorawan-sub-ghz/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/wireless/offensive-lorawan-sub-ghz", + "description": "LoRaWAN and sub-GHz (433 / 868 / 915 MHz) attack methodology — LoRaWAN ABP/OTAA join attack, network/session key reuse, frame counter replay, downlink injection on TTN/Helium-style networks, sub-GHz protocol replay (KeeLoq garage doors, fixed-code remotes, TPMS spoofing, smart plug telemetry), HackRF / RTL-SDR / Flipper Zero workflows, signal analysis with Inspectrum / Universal Radio Hacker, and reconstruction of proprietary packet formats. Use for LoRaWAN deployments (smart cities, asset tracking, industrial telemetry), or any wireless device using the unlicensed 433/868/915 MHz bands (garage openers, doorbells, IoT sensors, RC equipment)." + }, + { + "name": "offensive-wifi", + "category": "wireless", + "path": "Skills/wireless/offensive-wifi/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/wireless/offensive-wifi", + "description": "Wireless / 802.11 attack methodology for red team engagements and wireless security assessments. Covers monitor-mode setup, WPA/WPA2-PSK handshake capture and PMKID attacks, WPA3 SAE downgrade and Dragonblood, WPA-Enterprise (EAP) attacks (MSCHAPv2 cracking, EAP-TLS cert theft, evil-twin RADIUS), Karma / Known Beacons / Mana evil twin attacks, captive-portal phishing, KRACK and FragAttacks, WPS Pixie Dust, deauthentication and disassociation attacks, rogue AP construction (hostapd-mana), 802.1X bypass, MAC randomization defeat, BLE/Zigbee/IEEE 802.15.4 sidebands, and Wi-Fi 6/6E/7 considerations. Use when scoping wireless pentest, war-driving an estate, or testing corporate wireless segmentation." + }, + { + "name": "offensive-wifi-recon", + "category": "wireless", + "path": "Skills/wireless/offensive-wifi-recon/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/wireless/offensive-wifi-recon", + "description": "Wi-Fi reconnaissance methodology — adapter selection, monitor mode and packet injection setup, regulatory domain handling, multi-band airspace mapping, hidden SSID discovery, BSSID/ESSID/channel/PMF/encryption fingerprinting, client probe analysis, vendor OUI lookup, war-driving with Kismet/airodump-ng/Wigle, and structured airspace data capture for downstream attacks. Use at the start of any wireless engagement to build the target map before active attacks; covers 2.4 GHz, 5 GHz, and 6 GHz (Wi-Fi 6E) bands and adapter compatibility for each." + }, + { + "name": "offensive-wpa-enterprise", + "category": "wireless", + "path": "Skills/wireless/offensive-wpa-enterprise/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/wireless/offensive-wpa-enterprise", + "description": "WPA/WPA2/WPA3-Enterprise (802.1X / EAP) attack methodology — EAP method identification (PEAP-MSCHAPv2, EAP-TTLS, EAP-TLS, EAP-GTC, EAP-PWD, EAP-FAST), evil-twin RADIUS attacks with eaphammer for credential capture, MSCHAPv2 challenge-response cracking, EAP-TLS client certificate theft paths (DPAPI, NDES, AD CS auto-enrollment), supplicant validation bypass (missing server cert validation, missing CN pinning, BYOD misconfigurations), and post-capture pivots into AD via cracked domain credentials. Use for corporate Wi-Fi engagements where the network is 802.1X authenticated." + }, + { + "name": "offensive-wpa2-psk", + "category": "wireless", + "path": "Skills/wireless/offensive-wpa2-psk/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/wireless/offensive-wpa2-psk", + "description": "WPA/WPA2-PSK attack methodology — four-way handshake capture via targeted deauthentication, PMKID attacks (no client required), hcxdumptool / hcxpcapngtool conversion to hashcat hc22000 format, GPU-accelerated cracking with dictionary, mask, and rule-based attacks, vendor default-PSK generators (UPC, Sky, BT, etc.), 802.11r FT key cracking, opportunistic key cache analysis, and signal-level optimization. Use when the in-scope network is WPA/WPA2 Personal — the most common consumer/SMB encryption mode." + }, + { + "name": "offensive-wpa3-sae", + "category": "wireless", + "path": "Skills/wireless/offensive-wpa3-sae/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/wireless/offensive-wpa3-sae", + "description": "WPA3 / SAE (Simultaneous Authentication of Equals) attack methodology — transition-mode (mixed WPA2/WPA3) downgrade, Dragonblood side-channel attacks (CVE-2019-9494, 9495, 13377, 13456), SAE auth flooding for AP CPU exhaustion, Hash-to-Element (H2E) timing analysis, group downgrade, and 6 GHz / Wi-Fi 6E spec implications (PMF mandatory, no transition mode allowed). Use when target advertises WPA3-SAE or WPA3-Personal/Enterprise, or operates in 6 GHz where WPA3 + PMF are required by spec." + }, + { + "name": "offensive-wps", + "category": "wireless", + "path": "Skills/wireless/offensive-wps/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/wireless/offensive-wps", + "description": "WPS (Wi-Fi Protected Setup) PIN attack methodology — Pixie Dust offline attack against vulnerable chipsets (Ralink, Realtek, Broadcom, MediaTek), online PIN brute-force with reaver/bully, lockout handling, time-of-day evasion, WPS push-button vulnerability windows, and PIN-to-PSK derivation. Use when a target SOHO router exposes WPS — common on consumer ISP gear, often left enabled by default even when WPS attacks have been known for over a decade." + }, + { + "name": "offensive-z-wave", + "category": "wireless", + "path": "Skills/wireless/offensive-z-wave/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/wireless/offensive-z-wave", + "description": "Z-Wave attack methodology — sniffing with Z-Force / EZ-Wave / RTL-SDR + ZniffMobile, S0 (legacy) network-key derivation flaw and key reuse, S2 (modern) ECDH commissioning analysis, replay/injection on unauthenticated nodes, default-key brute-force on test deployments, and home-automation hub pivots. Use when targeting Z-Wave smart home devices (door locks, sensors, garage controllers) — common in mid-2010s smart home deployments still in production." + }, + { + "name": "offensive-zigbee-thread-matter", + "category": "wireless", + "path": "Skills/wireless/offensive-zigbee-thread-matter/SKILL.md", + "install_path": "$CODEX_HOME/skills/skills-red/wireless/offensive-zigbee-thread-matter", + "description": "Zigbee, Thread, and Matter mesh-protocol attack methodology — IEEE 802.15.4 sniffing with TI CC2531 / CC2540 / Sonoff Zigbee Dongle E, KillerBee toolkit, Touchlink commissioning abuse with the well-known transport key, replay/injection attacks, Zigbee Cluster Library command abuse for door locks and bulbs, Thread network credential theft, Matter commissioning chain analysis, and 6LoWPAN/IPv6 routing exploitation. Use when targeting smart-home or commercial mesh deployments, Zigbee-based door locks, lighting, or sensor networks." + } + ], + "skill_count": 58, + "category_count": 13 +} diff --git a/install.sh b/install.sh index 2000837..5c06ea6 100755 --- a/install.sh +++ b/install.sh @@ -1,33 +1,79 @@ #!/usr/bin/env bash -# claude-red installer -# Copies offensive security skills into a Claude skills directory. +# skills-red installer +# Copies offensive security skills into a Codex, Claude, or OpenCode skills directory. # # Usage: -# ./install.sh # interactive (asks for target) -# ./install.sh --target ~/.claude/skills # explicit target -# ./install.sh --category web # one category only -# ./install.sh --target DIR --category web # combined -# ./install.sh --list # list available categories -# ./install.sh --dry-run # show what would be copied +# ./install.sh # prompt for platform, then target +# ./install.sh --platform codex # install Codex skills under skills-red category tree +# ./install.sh --platform claude # install Claude category tree +# ./install.sh --platform opencode # install OpenCode skills under skills-red category tree +# ./install.sh --target ~/.codex/skills/skills-red # prompt for platform, explicit target +# ./install.sh --category web # one category only +# ./install.sh --target DIR --category web # combined +# ./install.sh --list # list available categories +# ./install.sh --dry-run # prompt for platform and show copy plan # -# Default target: ~/.claude/skills/claude-red +# No platform is selected by default; omit --platform only in an interactive TTY. +# Default Codex target: ~/.codex/skills/skills-red +# Default Claude target: ~/.claude/skills/skills-red +# Default OpenCode target: ~/.config/opencode/skills/skills-red set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" SKILLS_DIR="$SCRIPT_DIR/Skills" -DEFAULT_TARGET="${HOME}/.claude/skills/claude-red" +# shellcheck source=tools/platform_defaults.sh +. "$SCRIPT_DIR/tools/platform_defaults.sh" +PLATFORM="" TARGET="" CATEGORY="" DRY_RUN=0 LIST_ONLY=0 +SKILL_COUNT=0 usage() { - sed -n '2,12p' "$0" | sed 's/^# \{0,1\}//' + sed -n '2,18p' "$0" | sed 's/^# \{0,1\}//' exit "${1:-0}" } + +validate_platform() { + case "$1" in + codex|claude|opencode) return 0 ;; + *) return 1 ;; + esac +} + +validate_category() { + local category="$1" + + # Categories are first-level Skills/ directories, not path fragments. + if [[ -z "$category" || "$category" == "." || "$category" == ".." || "$category" == */* || "$category" == *\\* ]]; then + return 1 + fi + + [ -d "$SKILLS_DIR/$category" ] +} + +prompt_platform() { + local choice="" + echo "Select install platform:" + echo " 1) codex" + echo " 2) claude" + echo " 3) opencode" + while true; do + read -r -p "Platform (codex/claude/opencode): " choice || true + case "$choice" in + 1|codex) PLATFORM="codex"; return ;; + 2|claude) PLATFORM="claude"; return ;; + 3|opencode) PLATFORM="opencode"; return ;; + "") echo "Error: platform is required; there is no default platform." >&2 ;; + *) echo "Error: platform must be codex, claude, or opencode." >&2 ;; + esac + done +} + list_categories() { echo "Available categories:" for d in "$SKILLS_DIR"/*/; do @@ -38,8 +84,136 @@ list_categories() { done } +validate_skill_metadata() { + local source_root="$1" + local platform="$2" + local seen_names="" + local errors=0 + + while IFS= read -r -d '' skill_md; do + skill_dir=$(dirname "$skill_md") + skill_name=$(basename "$skill_dir") + first_line=$(sed -n '1p' "$skill_md") + frontmatter=$(sed -n '2,/^---$/p' "$skill_md" | sed '$d') + closing_line=$(sed -n '2,/^---$/p' "$skill_md" | tail -1) + + if [ "$first_line" != "---" ] || [ "$closing_line" != "---" ]; then + echo "Error: $skill_md missing leading YAML frontmatter block" >&2 + errors=$((errors + 1)) + fi + if ! printf '%s\n' "$frontmatter" | grep -q "^name: $skill_name$"; then + echo "Error: $skill_md frontmatter name must match folder '$skill_name'" >&2 + errors=$((errors + 1)) + fi + if [ "$platform" = "opencode" ] && ! printf '%s\n' "$skill_name" | grep -Eq '^[a-z0-9]+(-[a-z0-9]+)*$'; then + echo "Error: $skill_md skill name must be lowercase kebab-case for OpenCode" >&2 + errors=$((errors + 1)) + fi + description=$(printf '%s\n' "$frontmatter" | sed -n 's/^description: //p' | head -1 | sed 's/^\"//; s/\"$//') + if [ -z "$description" ]; then + echo "Error: $skill_md missing frontmatter description" >&2 + errors=$((errors + 1)) + fi + case " $seen_names " in + *" $skill_name "*) + echo "Error: duplicate skill folder name '$skill_name'" >&2 + errors=$((errors + 1)) + ;; + esac + seen_names="$seen_names $skill_name" + done < <(find "$source_root" -mindepth 2 -maxdepth 3 -name SKILL.md -print0 | sort -z) + + if [ "$errors" -ne 0 ]; then + exit 1 + fi +} + +normalize_opencode_skill() { + local skill_file="$1" + python3 - "$skill_file" <<'PY' +import json +import re +import sys +from pathlib import Path + +LIMIT = 1024 +path = Path(sys.argv[1]) +text = path.read_text(encoding="utf-8") +match = re.match(r"^---\n(.*?)\n---", text, re.DOTALL) +if not match: + raise SystemExit(0) +frontmatter = match.group(1) +desc_match = re.search(r'^description:\s*(.*)$', frontmatter, re.MULTILINE) +if not desc_match: + raise SystemExit(0) +raw = desc_match.group(1).strip() +try: + description = json.loads(raw) if raw.startswith('"') else raw +except json.JSONDecodeError: + description = raw.strip('"') +if len(description) <= LIMIT: + raise SystemExit(0) +truncated = description[: LIMIT - 1].rsplit(" ", 1)[0].rstrip(",;:.- ") + "…" +replacement = "description: " + json.dumps(truncated, ensure_ascii=False) +frontmatter = re.sub(r'^description:\s*.*$', replacement, frontmatter, count=1, flags=re.MULTILINE) +path.write_text("---\n" + frontmatter + text[match.end() - 4 :], encoding="utf-8") +PY +} + +copy_tree() { + local source="$1" + local dest="$2" + mkdir -p "$dest" + if command -v rsync >/dev/null 2>&1; then + rsync -a "$source/" "$dest/" + else + cp -R "$source/." "$dest/" + echo "Copied via cp (install rsync for progress info)." + fi +} + +install_platform_skills() { + local source_root="$1" + local target_root="$2" + local platform="$3" + local copied=0 + + if [ "$DRY_RUN" -ne 1 ]; then + mkdir -p "$target_root" + fi + while IFS= read -r -d '' skill_md; do + skill_dir=$(dirname "$skill_md") + skill_name=$(basename "$skill_dir") + category="$(basename "$(dirname "$skill_dir")")" + dest="$target_root/$category/$skill_name" + if [ "$DRY_RUN" -eq 1 ]; then + printf " %s -> %s\n" "$skill_dir" "$dest" + else + copy_tree "$skill_dir" "$dest" + if [ "$platform" = "opencode" ]; then + normalize_opencode_skill "$dest/SKILL.md" + fi + fi + copied=$((copied + 1)) + done < <(find "$source_root" -mindepth 2 -maxdepth 3 -name SKILL.md -print0 | sort -z) + + SKILL_COUNT="$copied" +} + while [ $# -gt 0 ]; do case "$1" in + --platform) + if [ $# -lt 2 ]; then + echo "Error: --platform requires codex, claude, or opencode" >&2 + exit 1 + fi + PLATFORM="$2" + if ! validate_platform "$PLATFORM"; then + echo "Error: --platform must be codex, claude, or opencode" >&2 + exit 1 + fi + shift 2 + ;; --target) TARGET="$2"; shift 2 ;; --category) CATEGORY="$2"; shift 2 ;; --dry-run) DRY_RUN=1; shift ;; @@ -59,50 +233,80 @@ if [ ! -d "$SKILLS_DIR" ]; then exit 1 fi -# Interactive prompt if no target given +if [ -z "$PLATFORM" ]; then + if [ -t 0 ]; then + prompt_platform + else + echo "Error: platform is required when not running interactively. Use --platform codex, --platform claude, or --platform opencode." >&2 + exit 1 + fi +fi + if [ -z "$TARGET" ]; then + case "$PLATFORM" in + codex) DEFAULT_TARGET="$DEFAULT_CODEX_TARGET" ;; + claude) DEFAULT_TARGET="$DEFAULT_CLAUDE_TARGET" ;; + opencode) DEFAULT_TARGET="$DEFAULT_OPENCODE_TARGET" ;; + esac if [ -t 0 ]; then read -r -p "Install target [$DEFAULT_TARGET]: " TARGET || true fi TARGET="${TARGET:-$DEFAULT_TARGET}" fi -# Validate category if specified if [ -n "$CATEGORY" ]; then - if [ ! -d "$SKILLS_DIR/$CATEGORY" ]; then - echo "Error: Category '$CATEGORY' not found." >&2 + if ! validate_category "$CATEGORY"; then + echo "Error: Category '$CATEGORY' not found or invalid." >&2 echo "" >&2 list_categories >&2 exit 1 fi SOURCE="$SKILLS_DIR/$CATEGORY" - DEST="$TARGET/$CATEGORY" else SOURCE="$SKILLS_DIR" +fi + +if [ "$PLATFORM" = "codex" ] || [ "$PLATFORM" = "opencode" ]; then + DEST="$TARGET" +elif [ -n "$CATEGORY" ]; then + DEST="$TARGET/$CATEGORY" +else DEST="$TARGET" fi -echo "Source: $SOURCE" -echo "Target: $DEST" +echo "Platform: $PLATFORM" +echo "Source: $SOURCE" +echo "Target: $DEST" echo if [ "$DRY_RUN" -eq 1 ]; then echo "[dry-run] Would copy:" - find "$SOURCE" -name SKILL.md | sed "s|^$SOURCE| $DEST|" - exit 0 fi -mkdir -p "$DEST" - -# Use rsync if available for nicer output, else cp -r -if command -v rsync >/dev/null 2>&1; then - rsync -a --info=stats1 "$SOURCE/" "$DEST/" +if [ "$PLATFORM" = "codex" ] || [ "$PLATFORM" = "opencode" ]; then + validate_skill_metadata "$SOURCE" "$PLATFORM" + install_platform_skills "$SOURCE" "$DEST" "$PLATFORM" + skill_count="$SKILL_COUNT" else - cp -r "$SOURCE/." "$DEST/" - echo "Copied via cp (install rsync for progress info)." + if [ "$DRY_RUN" -eq 1 ]; then + find "$SOURCE" -name SKILL.md | sed "s|^$SOURCE| $DEST|" + skill_count=$(find "$SOURCE" -name SKILL.md | wc -l | tr -d ' ') + else + copy_tree "$SOURCE" "$DEST" + skill_count=$(find "$DEST" -name SKILL.md | wc -l | tr -d ' ') + fi +fi + +if [ "$DRY_RUN" -eq 1 ]; then + echo + echo "Dry run complete: $skill_count skill(s) selected." + exit 0 fi -skill_count=$(find "$DEST" -name SKILL.md | wc -l | tr -d ' ') echo echo "Installed $skill_count skill(s) to $DEST" -echo "Claude should now auto-discover them on next session start." +case "$PLATFORM" in + codex) echo "Restart Codex to pick up new skills." ;; + claude) echo "Claude should now auto-discover them on next session start." ;; + opencode) echo "Restart OpenCode, or start a new session, to refresh available skills." ;; +esac diff --git a/opencode-skills.json b/opencode-skills.json new file mode 100644 index 0000000..e063798 --- /dev/null +++ b/opencode-skills.json @@ -0,0 +1,503 @@ +{ + "name": "skills-red", + "version": "0.2.0", + "platform": "opencode", + "license": "MIT", + "homepage": "https://github.com/trewwwsec/skills-red", + "categories": { + "active-directory": [ + "offensive-active-directory" + ], + "ai": [ + "offensive-ai-security" + ], + "auth": [ + "offensive-jwt", + "offensive-oauth" + ], + "cloud": [ + "offensive-cloud" + ], + "exploit-dev": [ + "offensive-basic-exploitation", + "offensive-crash-analysis", + "offensive-exploit-dev-course", + "offensive-exploit-development", + "offensive-mitigations", + "offensive-toctou" + ], + "fuzzing": [ + "offensive-bug-identification", + "offensive-fuzzing", + "offensive-fuzzing-course", + "offensive-vuln-classes" + ], + "infrastructure": [ + "offensive-advanced-redteam", + "offensive-edr-evasion", + "offensive-initial-access", + "offensive-keylogger-arch", + "offensive-shellcode", + "offensive-windows-boundaries", + "offensive-windows-mitigations" + ], + "iot": [ + "offensive-iot" + ], + "mobile": [ + "offensive-mobile" + ], + "recon": [ + "offensive-osint", + "offensive-osint-methodology" + ], + "utility": [ + "offensive-fast-checking", + "offensive-reporting" + ], + "web": [ + "offensive-business-logic", + "offensive-deserialization", + "offensive-file-upload", + "offensive-graphql", + "offensive-idor", + "offensive-open-redirect", + "offensive-parameter-pollution", + "offensive-race-condition", + "offensive-rce", + "offensive-request-smuggling", + "offensive-sqli", + "offensive-ssrf", + "offensive-ssti", + "offensive-waf-bypass", + "offensive-xss", + "offensive-xxe" + ], + "wireless": [ + "offensive-bluetooth-ble", + "offensive-bluetooth-classic", + "offensive-deauth-disassoc", + "offensive-evil-twin", + "offensive-krack-fragattacks", + "offensive-lorawan-sub-ghz", + "offensive-wifi", + "offensive-wifi-recon", + "offensive-wpa-enterprise", + "offensive-wpa2-psk", + "offensive-wpa3-sae", + "offensive-wps", + "offensive-z-wave", + "offensive-zigbee-thread-matter" + ] + }, + "skills": [ + { + "name": "offensive-active-directory", + "category": "active-directory", + "path": "Skills/active-directory/offensive-active-directory/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/active-directory/offensive-active-directory", + "description": "Active Directory attack methodology for internal network red team engagements. Covers reconnaissance (BloodHound, PowerView, ADExplorer), credential abuse (Kerberoasting, ASREProasting, NTLM relay, LLMNR/NBT-NS poisoning), privilege escalation (ACL abuse, GPO abuse, unconstrained/constrained delegation), lateral movement (Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, WMI/WinRM/PsExec), persistence (Golden/Silver/Diamond Tickets, DCSync, DCShadow, AdminSDHolder, Skeleton Key), forest trust attacks, ADCS abuse (ESC1-ESC15), and modern MDI/Defender for Identity evasion. Use when assessing on-prem AD, hybrid AD/Entra ID environments, or ADCS deployments." + }, + { + "name": "offensive-ai-security", + "category": "ai", + "path": "Skills/ai/offensive-ai-security/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/ai/offensive-ai-security", + "description": "AI/LLM security offensive checklist: prompt injection, jailbreaking, model extraction, training data poisoning, adversarial inputs, LLM-assisted attack automation, and AI system reconnaissance. Use when assessing AI/ML systems, red-teaming LLMs, or researching AI attack vectors." + }, + { + "name": "offensive-jwt", + "category": "auth", + "path": "Skills/auth/offensive-jwt/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/auth/offensive-jwt", + "description": "JWT attack methodology for penetration testers. Covers algorithm confusion (alg:none, RS256→HS256), weak HMAC secret brute force, kid parameter injection (SQLi, path traversal), jku/x5u/jwk header injection, JWKS cache poisoning, JWS/JWE confusion, timing attacks, and mobile JWT storage extraction. Use when testing JWT-based authentication, hunting auth bypass via token manipulation, or evaluating JWT implementation security in web or mobile apps." + }, + { + "name": "offensive-oauth", + "category": "auth", + "path": "Skills/auth/offensive-oauth/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/auth/offensive-oauth", + "description": "OAuth 2.0 attack checklist: authorization code interception, redirect_uri bypass, CSRF on OAuth flow, state parameter abuse, open redirector chaining, token leakage via Referer, PKCE bypass, and scope escalation. Use when testing OAuth implementations in web apps or bug bounty." + }, + { + "name": "offensive-cloud", + "category": "cloud", + "path": "Skills/cloud/offensive-cloud/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/cloud/offensive-cloud", + "description": "Cloud security attack methodology covering AWS, Azure, and GCP. Includes credential harvesting (IMDS, ~/.aws, env vars, leaked CI secrets, instance roles), enumeration with cloud-specific tools (pacu, ScoutSuite, Prowler, ROADtools, gcp_enum), privilege escalation paths (IAM PassRole, AssumeRole chains, Lambda/Functions privilege flips, Azure Owner-on-self, GCP serviceAccountTokenCreator), persistence techniques (IAM user/key creation, AAD app registration, GCP svc account key creation, EventBridge/Logic Apps backdoors), data exfiltration (S3/Blob/GCS, snapshot share, RDS/CosmosDB/Cloud SQL exfil), cloud-native lateral movement (cross-account assume, Azure AD multi-tenant, GCP project hierarchy), serverless attacks (Lambda env vars, layer hijack, Step Functions), Kubernetes-on-cloud (EKS/AKS/GKE-specific paths to node and AWS metadata), and CSPM evasion (CloudTrail blind spots, GuardDuty mute, Sentinel rule shaping). Use when the engagement scope is cloud accounts, when you've stolen cloud credentials, or…" + }, + { + "name": "offensive-basic-exploitation", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-basic-exploitation/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/exploit-dev/offensive-basic-exploitation", + "description": "Week 5 exploit development curriculum. Foundational exploitation techniques: controlling EIP/RIP, ROP chain construction, ret2libc, shellcode injection, heap spraying, bypass techniques for ASLR/NX/stack canaries. Use when building initial PoCs or understanding classic exploitation primitives." + }, + { + "name": "offensive-crash-analysis", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-crash-analysis/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/exploit-dev/offensive-crash-analysis", + "description": "Week 4 exploit development curriculum. Crash triage and analysis methodology: WinDbg/GDB analysis, ASAN/MSAN output interpretation, exploitability assessment, register/stack trace reading, root cause identification. Use when analyzing crash dumps, assessing exploitability, or understanding fuzzer-generated crashes." + }, + { + "name": "offensive-exploit-dev-course", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-exploit-dev-course/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/exploit-dev/offensive-exploit-dev-course", + "description": "Full exploit development course roadmap and syllabus: weekly topics, recommended reading, lab setup, and learning path from vulnerability classes through advanced exploitation. Use to structure exploit dev training or onboard new researchers." + }, + { + "name": "offensive-exploit-development", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-exploit-development/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/exploit-dev/offensive-exploit-development", + "description": "Exploit development operational guide: environment setup, debugging workflow, PoC development lifecycle, writing reliable exploits, using pwntools/pwndbg, heap exploitation techniques, and weaponization considerations. Use when actively developing exploits or setting up an exploit dev environment." + }, + { + "name": "offensive-mitigations", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-mitigations/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/exploit-dev/offensive-mitigations", + "description": "Security mitigation reference and bypass catalog: ASLR, DEP/NX, RELRO, stack canaries, CFI, sandboxing, seccomp. Covers both detection of enabled mitigations and known bypass techniques. Use when assessing target hardening or planning exploit mitigation bypasses." + }, + { + "name": "offensive-toctou", + "category": "exploit-dev", + "path": "Skills/exploit-dev/offensive-toctou/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/exploit-dev/offensive-toctou", + "description": "Time-of-Check / Time-of-Use (TOCTOU) race condition exploitation methodology across binary, kernel, filesystem, web, and container layers. Covers symbolic-link races (open/access/stat split), file-descriptor races, fopen/realpath traversal races, /proc and procfs races, FUSE-backed slow-fs races to widen the window, ptrace and signal races, kernel double-fetch / userspace pointer races, container/runc/symlink escape primitives, kubernetes admission/authz TOCTOU, web auth-vs-authz TOCTOU, JWT-claim TOCTOU at gateway vs service, payment/idempotency races, and modern race-amplification techniques (single-packet attack, slow loris, FUSE pause, cgroup freeze, scheduler shaping). Use when you've identified a 'check then act' pattern in code, when fuzzing for race conditions, or when exploiting concurrency bugs in privileged binaries / kernel / orchestrators." + }, + { + "name": "offensive-bug-identification", + "category": "fuzzing", + "path": "Skills/fuzzing/offensive-bug-identification/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/fuzzing/offensive-bug-identification", + "description": "Systematic bug identification methodology: source code review patterns, black-box testing strategies, taint analysis, dangerous function hunting, data flow tracing, and automated scanning setup. Use for code audits, bug bounty triage, or building vulnerability identification pipelines." + }, + { + "name": "offensive-fuzzing", + "category": "fuzzing", + "path": "Skills/fuzzing/offensive-fuzzing/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/fuzzing/offensive-fuzzing", + "description": "Practical offensive fuzzing methodology covering target identification, fuzzer selection (AFL++, libFuzzer, Honggfuzz, Boofuzz, syzkaller), harness writing, corpus curation, mutation strategies, coverage measurement, and crash triage. Use when setting up or running fuzz campaigns against any target: file parsers, network protocols, kernel drivers, EDR engines, embedded firmware, or language runtimes." + }, + { + "name": "offensive-fuzzing-course", + "category": "fuzzing", + "path": "Skills/fuzzing/offensive-fuzzing-course/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/fuzzing/offensive-fuzzing-course", + "description": "Week 2 of the exploit development curriculum. Covers fuzzing methodology: target selection, corpus generation, coverage-guided fuzzing with AFL++/libFuzzer, structured fuzzing, and triage/deduplication. Use when setting up fuzz campaigns, selecting harness strategies, or triaging fuzzer output." + }, + { + "name": "offensive-vuln-classes", + "category": "fuzzing", + "path": "Skills/fuzzing/offensive-vuln-classes/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/fuzzing/offensive-vuln-classes", + "description": "Exploit development curriculum covering core vulnerability classes with real-world CVE case studies: stack/heap buffer overflows, use-after-free, integer overflows, format strings, type confusion, and race conditions. Use when learning or teaching vuln classes, researching specific CVE patterns, or building exploit dev knowledge." + }, + { + "name": "offensive-advanced-redteam", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-advanced-redteam/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/infrastructure/offensive-advanced-redteam", + "description": "Practical advanced red team operations guide: OPSEC discipline, C2 infrastructure design, living-off-the-land techniques, lateral movement, persistence, data exfiltration, and evading modern defenses. Use for planning advanced red team engagements or understanding APT TTPs." + }, + { + "name": "offensive-edr-evasion", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-edr-evasion/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/infrastructure/offensive-edr-evasion", + "description": "EDR evasion offensive checklist: hook unhooking (user/kernel), direct syscalls, PPID spoofing, process injection variants, AMSI bypass, ETW patching, memory encryption, and behavior-based evasion. Use when planning EDR bypass during red team engagements or researching AV/EDR evasion techniques." + }, + { + "name": "offensive-initial-access", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-initial-access/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/infrastructure/offensive-initial-access", + "description": "Initial access techniques checklist: phishing (spear/smishing), credential stuffing, exposed service exploitation, supply chain attacks, watering hole, VPN/RDP brute force, public-facing application exploitation. Maps to MITRE ATT&CK TA0001. Use when planning initial access phases of red team engagements." + }, + { + "name": "offensive-keylogger-arch", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-keylogger-arch/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/infrastructure/offensive-keylogger-arch", + "description": "Low-level keylogger architecture design: kernel driver hooks (WH_KEYBOARD_LL, SetWindowsHookEx), ETW-based input capture, user-mode vs kernel-mode approaches, stealth techniques, and data exfiltration. Use for understanding input capture mechanisms, EDR evasion research, or malware architecture analysis." + }, + { + "name": "offensive-shellcode", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-shellcode/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/infrastructure/offensive-shellcode", + "description": "Shellcode development reference for offensive security engagements. Use when writing custom x86/x64 shellcode, implementing position-independent code (PIC), building shellcode loaders, evading AV/EDR detection, or converting PE files to shellcode. Covers null byte avoidance, API hashing, encoder/decoder patterns, staged vs stageless payloads, Windows PEB traversal, and cross-platform shellcode techniques." + }, + { + "name": "offensive-windows-boundaries", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-windows-boundaries/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/infrastructure/offensive-windows-boundaries", + "description": "Windows security boundary taxonomy and attack surface enumeration: kernel/user boundary, sandbox boundaries (LPAC, AppContainer), COM/RPC boundaries, hypervisor boundary, trust level transitions. Use when planning privilege escalation paths, sandbox escapes, or understanding Windows security architecture." + }, + { + "name": "offensive-windows-mitigations", + "category": "infrastructure", + "path": "Skills/infrastructure/offensive-windows-mitigations/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/infrastructure/offensive-windows-mitigations", + "description": "Deep-dive on Windows exploit mitigations: ASLR, DEP/NX, CFG, CET/Shadow Stack, SEHOP, Heap Guard, ACG, Arbitrary Code Guard. Covers both the protection mechanism and known bypass techniques. Use when researching Windows exploit mitigations, planning bypass strategies, or understanding protection depth." + }, + { + "name": "offensive-iot", + "category": "iot", + "path": "Skills/iot/offensive-iot/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/iot/offensive-iot", + "description": "IoT and embedded device security testing methodology. Covers hardware reconnaissance (UART, JTAG, SWD, SPI flash, I2C EEPROM, eMMC chip-off), firmware acquisition (vendor portals, OTA capture, flash dump, binwalk extraction), firmware analysis (filesystem mounting, binary triage, hardcoded secrets, default credential discovery), bootloader attacks (U-Boot console, secure-boot bypass, fault injection), runtime attacks on embedded Linux/RTOS (busybox CVEs, MTD writes, /dev/mem), wireless protocol attacks (Zigbee, BLE, Z-Wave, LoRaWAN, Thread/Matter, sub-GHz), MQTT/CoAP/Modbus/BACnet/OPC-UA exploitation, mobile companion app analysis, cloud-IoT API abuse, and side-channel/glitching basics. Use for IoT pentest, smart-home assessment, ICS/OT testing, or embedded vulnerability research." + }, + { + "name": "offensive-mobile", + "category": "mobile", + "path": "Skills/mobile/offensive-mobile/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/mobile/offensive-mobile", + "description": "Mobile (Android + iOS) application penetration testing methodology. Covers static analysis (apktool/jadx for Android, class-dump/Hopper/IDA for iOS), dynamic instrumentation with Frida and Objection, SSL pinning bypass strategies, root/jailbreak detection bypass, deep-link / URL-scheme abuse, exported component attacks (Android activities, services, providers, receivers; iOS XPC, URL schemes, universal links), insecure data storage (SharedPrefs, KeyStore misuse, NSUserDefaults, Keychain ACL bypass), IPC / Intent redirection, WebView vulnerabilities (JavaScriptInterface, file:// access), Firebase/AWS/Azure misconfiguration leakage, mobile API testing, biometric/Face ID/Touch ID bypass, app-cloning and runtime patching, and mobile malware/RAT analysis primitives. Use for mobile pentest, bug bounty mobile triage, or app-store reconnaissance." + }, + { + "name": "offensive-osint", + "category": "recon", + "path": "Skills/recon/offensive-osint/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/recon/offensive-osint", + "description": "Comprehensive OSINT methodology skill for offensive security, red team intelligence gathering, and bug bounty reconnaissance. Covers domain recon, email harvesting, social media profiling, GitHub/code leaks, Shodan/Censys enumeration, breach data lookup, employee profiling, infrastructure mapping, cryptocurrency tracing, geospatial intelligence, and AI-assisted analysis workflows. Use when performing reconnaissance against a target domain or organization, investigating a person or entity, tracing cryptocurrency flows, geolocating images or events, or building an attack-surface map." + }, + { + "name": "offensive-osint-methodology", + "category": "recon", + "path": "Skills/recon/offensive-osint-methodology/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/recon/offensive-osint-methodology", + "description": "Structured OSINT methodology framework: target definition, source selection, collection workflows, data correlation, timeline reconstruction, and reporting. Use to guide systematic OSINT campaigns or teach OSINT methodology." + }, + { + "name": "offensive-fast-checking", + "category": "utility", + "path": "Skills/utility/offensive-fast-checking/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/utility/offensive-fast-checking", + "description": "Speed-optimized offensive checklist for rapid assessment: quick-win vulnerability patterns, fast recon shortcuts, automated scanner configurations, and triage shortcuts. Use for time-boxed assessments, CTF-speed engagements, or initial rapid surface mapping." + }, + { + "name": "offensive-reporting", + "category": "utility", + "path": "Skills/utility/offensive-reporting/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/utility/offensive-reporting", + "description": "Penetration test and red team report writing methodology. Covers executive summary structuring (risk-led narrative for non-technical readers), technical finding format (title, severity, affected scope, narrative, reproduction steps, impact, remediation, references), CVSS v3.1 / v4.0 scoring with vector justification, OWASP risk rating, evidence hygiene (redacting credentials, hashing client data, time-stamping every action), screenshot and PoC artifact management, finding chain narratives, scope/limitations/assumptions documentation, retest evidence and remediation tracking, deliverable formats (PDF, DOCX, HTML, JSON for SIEM ingestion), client-customer-deliverable separation, and common report mistakes (over-CVSSing, undermining the triager, missing the 'so what'). Use at the end of an engagement when authoring a deliverable, when restructuring a draft for executive readability, or when establishing a reusable report template for a consulting practice." + }, + { + "name": "offensive-business-logic", + "category": "web", + "path": "Skills/web/offensive-business-logic/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/web/offensive-business-logic", + "description": "Business logic vulnerability testing for web/mobile/API engagements. Covers workflow bypass, state machine violations, multi-step process abuse, price/quantity/discount manipulation, currency confusion, coupon stacking, refund/chargeback abuse, race conditions on logic boundaries, parameter tampering for hidden flows, role/tenant boundary violations, time-of-check vs use, anti-automation defeat, fraud-detection evasion, and subscription/quota abuse. Use when scoping an application after surface-level OWASP Top 10 has been covered, or when the asset is a transactional/marketplace/fintech/e-commerce/SaaS app where logic flaws produce direct financial impact." + }, + { + "name": "offensive-deserialization", + "category": "web", + "path": "Skills/web/offensive-deserialization/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/web/offensive-deserialization", + "description": "Insecure deserialization attack checklist: identifying deserialization sinks, Java/PHP/.NET/Python deserialization exploitation, ysoserial gadget chains, magic method abuse, and detection evasion. Use when testing deserialization endpoints or developing deserialization exploits." + }, + { + "name": "offensive-file-upload", + "category": "web", + "path": "Skills/web/offensive-file-upload/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/web/offensive-file-upload", + "description": "File upload vulnerability checklist: MIME type bypass, extension bypass, magic byte manipulation, path traversal in filenames, stored XSS via SVG/HTML upload, server-side processing attacks, and race conditions. Use for assessing file upload endpoints in web app pentests or bug bounty." + }, + { + "name": "offensive-graphql", + "category": "web", + "path": "Skills/web/offensive-graphql/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/web/offensive-graphql", + "description": "GraphQL security testing checklist: introspection abuse, batching attacks, query depth/complexity DoS, field suggestion enumeration, IDOR via GraphQL, injection through arguments, authorization bypass. Use when assessing GraphQL endpoints in web app tests or bug bounty." + }, + { + "name": "offensive-idor", + "category": "web", + "path": "Skills/web/offensive-idor/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/web/offensive-idor", + "description": "IDOR (Insecure Direct Object Reference) testing checklist: object ID enumeration, horizontal/vertical privilege escalation, GUID predictability, indirect references via hashes, chained IDOR, and API endpoint IDOR. Use for web app pentests and bug bounty IDOR discovery." + }, + { + "name": "offensive-open-redirect", + "category": "web", + "path": "Skills/web/offensive-open-redirect/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/web/offensive-open-redirect", + "description": "Open redirect vulnerability checklist: parameter identification, bypass techniques (URL encoding, double slashes, CRLF injection, protocol handlers), chaining with OAuth/SSRF, and impact escalation paths. Use for web app testing and bug bounty open redirect discovery." + }, + { + "name": "offensive-parameter-pollution", + "category": "web", + "path": "Skills/web/offensive-parameter-pollution/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/web/offensive-parameter-pollution", + "description": "HTTP parameter pollution (HPP) checklist: duplicate parameter injection, backend vs frontend parsing differences, WAF bypass via HPP, server-side vs client-side HPP, and practical exploitation patterns. Use when testing web applications for parameter handling flaws." + }, + { + "name": "offensive-race-condition", + "category": "web", + "path": "Skills/web/offensive-race-condition/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/web/offensive-race-condition", + "description": "Race condition (TOCTOU) testing checklist: identifying timing windows, Burp Suite Turbo Intruder, Last-Byte sync technique, rate limit bypass, double-spend attacks, and concurrent request exploitation. Use for web app race condition testing or bug bounty time-of-check-to-time-of-use bugs." + }, + { + "name": "offensive-rce", + "category": "web", + "path": "Skills/web/offensive-rce/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/web/offensive-rce", + "description": "Remote Code Execution testing checklist: OS command injection, SSTI-to-RCE, deserialization RCE, file upload RCE, XXE with SSRF to RCE, RCE via dependency confusion, and CVE-based RCE patterns. Use for web app pentests and bug bounty RCE discovery." + }, + { + "name": "offensive-request-smuggling", + "category": "web", + "path": "Skills/web/offensive-request-smuggling/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/web/offensive-request-smuggling", + "description": "HTTP request smuggling checklist: CL.TE, TE.CL, TE.TE variants, detection with timing and differential responses, WAF bypass, cache poisoning, credential hijacking, and request smuggling via HTTP/2. Use when testing reverse proxy/load balancer configurations." + }, + { + "name": "offensive-sqli", + "category": "web", + "path": "Skills/web/offensive-sqli/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/web/offensive-sqli", + "description": "SQL injection testing skill for offensive security assessments and bug bounty hunting. Covers error-based, UNION-based, boolean/time-based blind, out-of-band, second-order, NoSQL, GraphQL, WebSocket, and JSON-operator SQLi. Includes WAF bypass techniques, database-specific exploitation (MySQL, MSSQL, PostgreSQL, Oracle), cloud-native attack paths, ORM CVE tracking, and SQLmap automation. Use when performing web application SQL injection testing, database enumeration, privilege escalation via SQLi, or assessing injection vectors in APIs and modern stacks." + }, + { + "name": "offensive-ssrf", + "category": "web", + "path": "Skills/web/offensive-ssrf/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/web/offensive-ssrf", + "description": "Server-Side Request Forgery testing checklist: SSRF discovery, blind SSRF with out-of-band, cloud metadata endpoints (AWS/GCP/Azure), SSRF filter bypass techniques (IP encoding, DNS rebinding, redirect chains), and SSRF to RCE escalation. Use for web app SSRF testing and bug bounty." + }, + { + "name": "offensive-ssti", + "category": "web", + "path": "Skills/web/offensive-ssti/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/web/offensive-ssti", + "description": "Server-Side Template Injection testing checklist: template engine identification (Jinja2, Twig, Freemarker, Pebble, Velocity), polyglot detection payloads, engine-specific RCE payloads, blind SSTI, and filter bypass. Use when testing web apps for template injection vulnerabilities." + }, + { + "name": "offensive-waf-bypass", + "category": "web", + "path": "Skills/web/offensive-waf-bypass/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/web/offensive-waf-bypass", + "description": "WAF bypass techniques checklist: encoding bypass (URL/HTML/Unicode/double encoding), case variation, comment injection, HTTP header manipulation, chunked encoding, IP rotation, timing attacks, and payload obfuscation per WAF vendor. Use when WAF is blocking payloads during web app tests." + }, + { + "name": "offensive-xss", + "category": "web", + "path": "Skills/web/offensive-xss/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/web/offensive-xss", + "description": "Cross-Site Scripting testing checklist: stored/reflected/DOM/blind XSS discovery, polyglot payloads, CSP bypass, XSS filter bypass, event handler injection, DOM clobbering, mutation XSS, and impact escalation (session hijack, phishing, keylogging). Use for web app XSS testing and bug bounty." + }, + { + "name": "offensive-xxe", + "category": "web", + "path": "Skills/web/offensive-xxe/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/web/offensive-xxe", + "description": "XML External Entity injection testing checklist: classic XXE, blind XXE (out-of-band), XXE via file upload (SVG/docx), XXE in SOAP/REST, error-based XXE, XInclude attacks, and XXE filter bypass. Use for web app XXE testing and bug bounty." + }, + { + "name": "offensive-bluetooth-ble", + "category": "wireless", + "path": "Skills/wireless/offensive-bluetooth-ble/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/wireless/offensive-bluetooth-ble", + "description": "Bluetooth Low Energy (BLE) attack methodology — GATT enumeration, characteristic read/write without auth, pairing downgrade (Just Works forced), LE Secure Connections bypass, MITM via active relay, sniffing with Sniffle (TI CC1352) / Ubertooth / Frontline, encryption key extraction (LE Legacy Pairing crackable, LE Secure Connections strong), proximity authentication abuse (cars, locks), and companion-app trust analysis. Use for IoT BLE devices, smart locks, fitness trackers, medical devices, BLE beacons, or any device pairing over BLE." + }, + { + "name": "offensive-bluetooth-classic", + "category": "wireless", + "path": "Skills/wireless/offensive-bluetooth-classic/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/wireless/offensive-bluetooth-classic", + "description": "Bluetooth Classic (BR/EDR) attack methodology — device discovery, service enumeration via SDP, LMP/L2CAP layer attacks, legacy PIN cracking (BlueBorne / KNOB), Bluetooth file-transfer abuse (BlueSnarfing legacy), unauthenticated profile abuse (HSP, HFP, OPP), and modern relevance against older industrial / automotive / accessory targets. Use when in-scope devices use Bluetooth Classic (Bluetooth ≤ 4.0 BR/EDR) — common in legacy car kits, industrial sensors, older medical devices, and audio accessories." + }, + { + "name": "offensive-deauth-disassoc", + "category": "wireless", + "path": "Skills/wireless/offensive-deauth-disassoc/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/wireless/offensive-deauth-disassoc", + "description": "Deauthentication and disassociation attacks against 802.11 networks — targeted single-client deauth for handshake capture, broadcast deauth for DoS (with authorization), action-frame attacks bypassing 802.11w (PMF), beacon flooding, mdk4 / aireplay-ng tooling, and rate-limit / PMF-aware operation. Use to coerce client reconnection (handshake capture, evil-twin roaming), as targeted DoS, or to test PMF posture." + }, + { + "name": "offensive-evil-twin", + "category": "wireless", + "path": "Skills/wireless/offensive-evil-twin/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/wireless/offensive-evil-twin", + "description": "Evil Twin / KARMA / Mana access point methodology — rogue AP construction with hostapd-mana / wifiphisher / airgeddon, KARMA universal probe response, Mana selective probe response, captive portal phishing, deauth-driven client coercion to attacker AP, MAC randomization defeat via PNL leak analysis, post-association MITM (DNS, ARP, transparent proxy), credential capture for portal/web/SMB, and detection-evasion tactics. Use to coerce client devices onto an attacker-controlled AP, intercept their traffic, harvest credentials, or deliver payloads via captive portal." + }, + { + "name": "offensive-krack-fragattacks", + "category": "wireless", + "path": "Skills/wireless/offensive-krack-fragattacks/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/wireless/offensive-krack-fragattacks", + "description": "KRACK (CVE-2017-13077..082) and FragAttacks (CVE-2020-24586..588 + 26139-26147) — key reinstallation, fragmentation, and aggregation attacks against WPA2 supplicants. Covers Vanhoef's test scripts, viability against modern patched stacks (mostly mitigated post-2021), residual unpatched embedded devices and IoT vendors, and the practical limitations of these attacks in modern engagements. Use when assessing legacy supplicants, embedded clients, or vendors with poor patch cadence." + }, + { + "name": "offensive-lorawan-sub-ghz", + "category": "wireless", + "path": "Skills/wireless/offensive-lorawan-sub-ghz/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/wireless/offensive-lorawan-sub-ghz", + "description": "LoRaWAN and sub-GHz (433 / 868 / 915 MHz) attack methodology — LoRaWAN ABP/OTAA join attack, network/session key reuse, frame counter replay, downlink injection on TTN/Helium-style networks, sub-GHz protocol replay (KeeLoq garage doors, fixed-code remotes, TPMS spoofing, smart plug telemetry), HackRF / RTL-SDR / Flipper Zero workflows, signal analysis with Inspectrum / Universal Radio Hacker, and reconstruction of proprietary packet formats. Use for LoRaWAN deployments (smart cities, asset tracking, industrial telemetry), or any wireless device using the unlicensed 433/868/915 MHz bands (garage openers, doorbells, IoT sensors, RC equipment)." + }, + { + "name": "offensive-wifi", + "category": "wireless", + "path": "Skills/wireless/offensive-wifi/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/wireless/offensive-wifi", + "description": "Wireless / 802.11 attack methodology for red team engagements and wireless security assessments. Covers monitor-mode setup, WPA/WPA2-PSK handshake capture and PMKID attacks, WPA3 SAE downgrade and Dragonblood, WPA-Enterprise (EAP) attacks (MSCHAPv2 cracking, EAP-TLS cert theft, evil-twin RADIUS), Karma / Known Beacons / Mana evil twin attacks, captive-portal phishing, KRACK and FragAttacks, WPS Pixie Dust, deauthentication and disassociation attacks, rogue AP construction (hostapd-mana), 802.1X bypass, MAC randomization defeat, BLE/Zigbee/IEEE 802.15.4 sidebands, and Wi-Fi 6/6E/7 considerations. Use when scoping wireless pentest, war-driving an estate, or testing corporate wireless segmentation." + }, + { + "name": "offensive-wifi-recon", + "category": "wireless", + "path": "Skills/wireless/offensive-wifi-recon/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/wireless/offensive-wifi-recon", + "description": "Wi-Fi reconnaissance methodology — adapter selection, monitor mode and packet injection setup, regulatory domain handling, multi-band airspace mapping, hidden SSID discovery, BSSID/ESSID/channel/PMF/encryption fingerprinting, client probe analysis, vendor OUI lookup, war-driving with Kismet/airodump-ng/Wigle, and structured airspace data capture for downstream attacks. Use at the start of any wireless engagement to build the target map before active attacks; covers 2.4 GHz, 5 GHz, and 6 GHz (Wi-Fi 6E) bands and adapter compatibility for each." + }, + { + "name": "offensive-wpa-enterprise", + "category": "wireless", + "path": "Skills/wireless/offensive-wpa-enterprise/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/wireless/offensive-wpa-enterprise", + "description": "WPA/WPA2/WPA3-Enterprise (802.1X / EAP) attack methodology — EAP method identification (PEAP-MSCHAPv2, EAP-TTLS, EAP-TLS, EAP-GTC, EAP-PWD, EAP-FAST), evil-twin RADIUS attacks with eaphammer for credential capture, MSCHAPv2 challenge-response cracking, EAP-TLS client certificate theft paths (DPAPI, NDES, AD CS auto-enrollment), supplicant validation bypass (missing server cert validation, missing CN pinning, BYOD misconfigurations), and post-capture pivots into AD via cracked domain credentials. Use for corporate Wi-Fi engagements where the network is 802.1X authenticated." + }, + { + "name": "offensive-wpa2-psk", + "category": "wireless", + "path": "Skills/wireless/offensive-wpa2-psk/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/wireless/offensive-wpa2-psk", + "description": "WPA/WPA2-PSK attack methodology — four-way handshake capture via targeted deauthentication, PMKID attacks (no client required), hcxdumptool / hcxpcapngtool conversion to hashcat hc22000 format, GPU-accelerated cracking with dictionary, mask, and rule-based attacks, vendor default-PSK generators (UPC, Sky, BT, etc.), 802.11r FT key cracking, opportunistic key cache analysis, and signal-level optimization. Use when the in-scope network is WPA/WPA2 Personal — the most common consumer/SMB encryption mode." + }, + { + "name": "offensive-wpa3-sae", + "category": "wireless", + "path": "Skills/wireless/offensive-wpa3-sae/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/wireless/offensive-wpa3-sae", + "description": "WPA3 / SAE (Simultaneous Authentication of Equals) attack methodology — transition-mode (mixed WPA2/WPA3) downgrade, Dragonblood side-channel attacks (CVE-2019-9494, 9495, 13377, 13456), SAE auth flooding for AP CPU exhaustion, Hash-to-Element (H2E) timing analysis, group downgrade, and 6 GHz / Wi-Fi 6E spec implications (PMF mandatory, no transition mode allowed). Use when target advertises WPA3-SAE or WPA3-Personal/Enterprise, or operates in 6 GHz where WPA3 + PMF are required by spec." + }, + { + "name": "offensive-wps", + "category": "wireless", + "path": "Skills/wireless/offensive-wps/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/wireless/offensive-wps", + "description": "WPS (Wi-Fi Protected Setup) PIN attack methodology — Pixie Dust offline attack against vulnerable chipsets (Ralink, Realtek, Broadcom, MediaTek), online PIN brute-force with reaver/bully, lockout handling, time-of-day evasion, WPS push-button vulnerability windows, and PIN-to-PSK derivation. Use when a target SOHO router exposes WPS — common on consumer ISP gear, often left enabled by default even when WPS attacks have been known for over a decade." + }, + { + "name": "offensive-z-wave", + "category": "wireless", + "path": "Skills/wireless/offensive-z-wave/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/wireless/offensive-z-wave", + "description": "Z-Wave attack methodology — sniffing with Z-Force / EZ-Wave / RTL-SDR + ZniffMobile, S0 (legacy) network-key derivation flaw and key reuse, S2 (modern) ECDH commissioning analysis, replay/injection on unauthenticated nodes, default-key brute-force on test deployments, and home-automation hub pivots. Use when targeting Z-Wave smart home devices (door locks, sensors, garage controllers) — common in mid-2010s smart home deployments still in production." + }, + { + "name": "offensive-zigbee-thread-matter", + "category": "wireless", + "path": "Skills/wireless/offensive-zigbee-thread-matter/SKILL.md", + "install_path": "~/.config/opencode/skills/skills-red/wireless/offensive-zigbee-thread-matter", + "description": "Zigbee, Thread, and Matter mesh-protocol attack methodology — IEEE 802.15.4 sniffing with TI CC2531 / CC2540 / Sonoff Zigbee Dongle E, KillerBee toolkit, Touchlink commissioning abuse with the well-known transport key, replay/injection attacks, Zigbee Cluster Library command abuse for door locks and bulbs, Thread network credential theft, Matter commissioning chain analysis, and 6LoWPAN/IPv6 routing exploitation. Use when targeting smart-home or commercial mesh deployments, Zigbee-based door locks, lighting, or sensor networks." + } + ], + "skill_count": 58, + "category_count": 13 +} diff --git a/tools/build_manifest.py b/tools/build_manifest.py index b5536ba..753c97e 100755 --- a/tools/build_manifest.py +++ b/tools/build_manifest.py @@ -1,12 +1,13 @@ #!/usr/bin/env python3 -"""Generate claude-skills.json manifest from Skills/ tree. +"""Generate Claude, Codex, and OpenCode skill manifests from the Skills/ tree. -Reads YAML frontmatter from each SKILL.md and emits a compact JSON manifest +Reads YAML frontmatter from each SKILL.md and emits compact JSON manifests of all skills, grouped by category, for tooling that needs a machine-readable index of the library. """ from __future__ import annotations +import argparse import json import re import sys @@ -14,12 +15,20 @@ ROOT = Path(__file__).resolve().parent.parent SKILLS_DIR = ROOT / "Skills" -OUT = ROOT / "claude-skills.json" +MANIFESTS = { + "claude": ROOT / "claude-skills.json", + "codex": ROOT / "codex-skills.json", + "opencode": ROOT / "opencode-skills.json", +} +PLATFORM_DEFAULTS = ROOT / "tools" / "platform_defaults.sh" FRONTMATTER_RE = re.compile(r"^---\n(.*?)\n---", re.DOTALL) +SKILL_NAME_RE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$") +OPENCODE_DESCRIPTION_LIMIT = 1024 +MANIFEST_ROOT_RE = re.compile(r"^MANIFEST_(CODEX|CLAUDE|OPENCODE)_INSTALL_ROOT='([^']+)'$", re.MULTILINE) -def parse_frontmatter(text: str) -> dict: +def parse_frontmatter(text: str) -> dict[str, str]: m = FRONTMATTER_RE.match(text) if not m: return {} @@ -46,20 +55,58 @@ def parse_frontmatter(text: str) -> dict: return out -def main() -> int: - if not SKILLS_DIR.is_dir(): - print(f"Error: {SKILLS_DIR} not found", file=sys.stderr) - return 1 +def normalize_opencode_description(description: str) -> str: + """Return an OpenCode-compatible description without changing source SKILL.md.""" + if len(description) <= OPENCODE_DESCRIPTION_LIMIT: + return description + truncated = description[: OPENCODE_DESCRIPTION_LIMIT - 1].rsplit(" ", 1)[0].rstrip(",;:.- ") + return f"{truncated}…" + +def manifest_install_roots() -> dict[str, str]: + defaults = { + platform.lower(): root + for platform, root in MANIFEST_ROOT_RE.findall(PLATFORM_DEFAULTS.read_text(encoding="utf-8")) + } + missing = sorted({"codex", "claude", "opencode"} - defaults.keys()) + if missing: + raise ValueError(f"{PLATFORM_DEFAULTS} missing manifest install root(s): {', '.join(missing)}") + return defaults + + +def validate_skill_metadata(skill_dir: Path, fm: dict[str, str], platform: str) -> list[str]: + errors: list[str] = [] + name = fm.get("name", "").strip() + description = fm.get("description", "").strip() + if not fm: + errors.append(f"{skill_dir}: missing YAML frontmatter") + if not name: + errors.append(f"{skill_dir}: missing frontmatter name") + elif name != skill_dir.name: + errors.append(f"{skill_dir}: frontmatter name '{name}' does not match folder '{skill_dir.name}'") + elif platform == "opencode" and not SKILL_NAME_RE.fullmatch(name): + errors.append(f"{skill_dir}: frontmatter name '{name}' is not OpenCode-compatible kebab-case") + if not description: + errors.append(f"{skill_dir}: missing frontmatter description") + return errors + + +def build_manifest(platform: str) -> tuple[dict, list[str]]: + homepage = "https://github.com/trewwwsec/skills-red" + install_roots = manifest_install_roots() manifest: dict = { - "name": "claude-red", + "name": "skills-red", "version": "0.2.0", + "platform": platform, "license": "MIT", - "homepage": "https://github.com/SnailSploit/claude-red", + "homepage": homepage, "categories": {}, "skills": [], } + errors: list[str] = [] + seen_names: dict[str, Path] = {} + for category_dir in sorted(SKILLS_DIR.iterdir()): if not category_dir.is_dir(): continue @@ -70,20 +117,66 @@ def main() -> int: if not skill_md.is_file(): continue fm = parse_frontmatter(skill_md.read_text(encoding="utf-8")) + errors.extend(validate_skill_metadata(skill_dir, fm, platform)) + skill_name = fm.get("name", skill_dir.name) + if skill_name in seen_names: + errors.append( + f"{skill_dir}: duplicate skill name '{skill_name}' also used by {seen_names[skill_name]}" + ) + else: + seen_names[skill_name] = skill_dir + install_path = f"{install_roots[platform]}/{category}/{skill_dir.name}" entry = { - "name": fm.get("name", skill_dir.name), + "name": skill_name, "category": category, "path": str(skill_md.relative_to(ROOT)), - "description": fm.get("description", ""), + "install_path": install_path, + "description": normalize_opencode_description(fm.get("description", "")) + if platform == "opencode" + else fm.get("description", ""), } manifest["categories"][category].append(entry["name"]) manifest["skills"].append(entry) manifest["skill_count"] = len(manifest["skills"]) manifest["category_count"] = len(manifest["categories"]) + return manifest, errors + + +def main() -> int: + parser = argparse.ArgumentParser(description=__doc__) + parser.add_argument( + "--platform", + choices=("all", "codex", "claude", "opencode"), + default="all", + help="Which manifest to write (default: all).", + ) + args = parser.parse_args() + + if not SKILLS_DIR.is_dir(): + print(f"Error: {SKILLS_DIR} not found", file=sys.stderr) + return 1 + + platforms = ("claude", "codex", "opencode") if args.platform == "all" else (args.platform,) + all_errors: list[str] = [] + manifests: list[tuple[str, dict]] = [] + for platform in platforms: + manifest, errors = build_manifest(platform) + manifests.append((platform, manifest)) + all_errors.extend(errors) + + if all_errors: + for error in all_errors: + print(f"Error: {error}", file=sys.stderr) + return 1 - OUT.write_text(json.dumps(manifest, indent=2, ensure_ascii=False) + "\n", encoding="utf-8") - print(f"Wrote {OUT} with {manifest['skill_count']} skills across {manifest['category_count']} categories.") + for platform, manifest in manifests: + out = MANIFESTS[platform] + out.write_text(json.dumps(manifest, indent=2, ensure_ascii=False) + "\n", encoding="utf-8") + print( + f"Wrote {out} with {manifest['skill_count']} skills " + f"across {manifest['category_count']} categories." + ) return 0 diff --git a/tools/check_manifest_fresh.py b/tools/check_manifest_fresh.py new file mode 100644 index 0000000..8186cdc --- /dev/null +++ b/tools/check_manifest_fresh.py @@ -0,0 +1,98 @@ +#!/usr/bin/env python3 +"""Fail when generated root skill manifests are stale. + +This helper intentionally regenerates the manifests in-place, then asks Git +whether the tracked manifest files changed. It keeps the source of truth in +``Skills/**/SKILL.md`` while making the root JSON distribution indexes hard to +forget during local review or CI. +""" +from __future__ import annotations + +import json +import re +import subprocess +import sys +from pathlib import Path + +ROOT = Path(__file__).resolve().parent.parent +MANIFESTS = ("claude-skills.json", "codex-skills.json", "opencode-skills.json") +PLATFORM_DEFAULTS = ROOT / "tools" / "platform_defaults.sh" +MANIFEST_ROOT_RE = re.compile( + r"^MANIFEST_(CODEX|CLAUDE|OPENCODE)_INSTALL_ROOT='([^']+)'$", + re.MULTILINE, +) + + +def run(cmd: list[str]) -> subprocess.CompletedProcess[str]: + return subprocess.run( + cmd, + cwd=ROOT, + text=True, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + check=False, + ) + + +def manifest_install_roots() -> dict[str, str]: + defaults = { + platform.lower(): root + for platform, root in MANIFEST_ROOT_RE.findall(PLATFORM_DEFAULTS.read_text(encoding="utf-8")) + } + missing = sorted({"codex", "claude", "opencode"} - defaults.keys()) + if missing: + raise ValueError(f"{PLATFORM_DEFAULTS} missing manifest install root(s): {', '.join(missing)}") + return defaults + + +def validate_manifest_install_paths() -> list[str]: + roots = manifest_install_roots() + errors: list[str] = [] + for manifest_name in MANIFESTS: + manifest = json.loads((ROOT / manifest_name).read_text(encoding="utf-8")) + platform = manifest["platform"] + root = roots[platform] + for skill in manifest["skills"]: + expected = f"{root}/{skill['category']}/{skill['name']}" + if skill["install_path"] != expected: + errors.append( + f"{manifest_name}: {skill['name']} install_path is " + f"{skill['install_path']!r}, expected {expected!r}" + ) + return errors + + +def main() -> int: + build = run([sys.executable, "tools/build_manifest.py"]) + if build.returncode != 0: + sys.stdout.write(build.stdout) + return build.returncode + + try: + install_path_errors = validate_manifest_install_paths() + except (OSError, ValueError, KeyError, json.JSONDecodeError) as exc: + print(f"Manifest install-path validation failed: {exc}", file=sys.stderr) + return 1 + if install_path_errors: + print("Manifest install paths do not match install.sh defaults:", file=sys.stderr) + for error in install_path_errors: + print(f"- {error}", file=sys.stderr) + return 1 + + diff = run(["git", "diff", "--exit-code", "--", *MANIFESTS]) + if diff.returncode == 0: + print("Generated skill manifests are fresh.") + return 0 + + sys.stdout.write(build.stdout) + sys.stdout.write(diff.stdout) + print( + "Generated skill manifests were stale. " + "Review and commit the regenerated *-skills.json files.", + file=sys.stderr, + ) + return diff.returncode + + +if __name__ == "__main__": + raise SystemExit(main()) diff --git a/tools/platform_defaults.sh b/tools/platform_defaults.sh new file mode 100644 index 0000000..321f232 --- /dev/null +++ b/tools/platform_defaults.sh @@ -0,0 +1,15 @@ +# Shared platform install defaults for install.sh and manifest tooling. +# shellcheck shell=bash +# shellcheck disable=SC2034,SC2016,SC2088 +# +# DEFAULT_* values are shell-expanded runtime defaults used by install.sh. +# MANIFEST_* values are literal distribution metadata roots emitted into +# generated *-skills.json indexes. + +DEFAULT_CODEX_TARGET="${CODEX_HOME:-${HOME}/.codex}/skills/skills-red" +DEFAULT_CLAUDE_TARGET="${HOME}/.claude/skills/skills-red" +DEFAULT_OPENCODE_TARGET="${OPENCODE_CONFIG_HOME:-${HOME}/.config/opencode}/skills/skills-red" + +MANIFEST_CODEX_INSTALL_ROOT='$CODEX_HOME/skills/skills-red' +MANIFEST_CLAUDE_INSTALL_ROOT='~/.claude/skills/skills-red' +MANIFEST_OPENCODE_INSTALL_ROOT='~/.config/opencode/skills/skills-red'