Skill2.3k estrellas del repoactualizado 1mo ago

offensive-fuzzing

Offensive-fuzzing is a comprehensive skill for setting up and executing vulnerability discovery campaigns using fuzzing techniques. It covers target reconnaissance, fuzzer selection across black-box, grey-box, snapshot, white-box, and ensemble approaches, harness development for diverse targets, corpus preparation, instrumentation with AFL++, libFuzzer, and Honggfuzz, and crash analysis workflows. Use when identifying memory safety bugs, logic flaws, or security vulnerabilities in file parsers, network protocols, kernel drivers, firmware, or runtime engines through automated input mutation and coverage-guided testing.

Ver fuente Repositorio: Claude-Red

Instalar en Claude Code

Copiar

git clone --depth 1 https://github.com/SnailSploit/Claude-Red /tmp/offensive-fuzzing && cp -r /tmp/offensive-fuzzing/Skills/fuzzing/offensive-fuzzing ~/.claude/skills/offensive-fuzzing

Después abre una sesión nueva de Claude Code; el skill carga automáticamente.

Definición

SKILL.md

# Offensive Fuzzing

## Fuzzer Types

| Type | Coverage | Speed | Tools |
|------|----------|-------|-------|
| BlackBox | Poor | Fast | Peach, Boofuzz |
| GreyBox | Good | Fast | AFL++, Honggfuzz, libFuzzer, WinAFL |
| Snapshot | Good | Fastest | Nyx, wtf, Snapchange |
| WhiteBox | Best | Slow | KLEE, QSYM, SymSan |
| Ensemble | Best | Fast | AFL++ + Honggfuzz + libFuzzer |

**GreyBox sub-variants:** Directed (AFLGo, UAFuzz), Grammar (AFLSmart, Tlspuffin), Concolic (QSYM, Driller), Kernel (syzkaller, kAFL, wtf).

## Core Workflow

```
Research target → Choose analyses → Build harness → Seed corpus → Instrument → Fuzz → Triage crashes → Report
```

### 1. Research Target

- Map all input surfaces (files, network, IPC, syscalls, IOCTL)
- Identify high-value areas: previously patched code, complex parsers, newly added code, input ingestion points
- For kernel modules: look beyond `copy_from_user` — DMA-BUF ops, page fault handlers, VM operation structs, allocation callbacks

### 2. Instrument and Build

```bash
# AFL++ (preferred for GreyBox)
CC=afl-clang-fast CXX=afl-clang-fast++ cmake -DCMAKE_BUILD_TYPE=Release .. && make -j

# libFuzzer + ASan/UBSan (C/C++)
cmake -DCMAKE_CXX_FLAGS="-fsanitize=fuzzer,address,undefined -O1 -g" ..

# CmpLog build for hard compares
AFL_LLVM_CMPLOG=1 CC=afl-clang-fast CXX=afl-clang-fast++ make clean all
```

**Windows (MSVC):** `Project Properties → C/C++ → Address Sanitizer: Yes (/fsanitize=address)`

### 3. Write Harness

**libFuzzer (C++):**
```cpp
#include <cstdint>
#include <cstddef>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    parse_or_process(data, size);
    return 0;
}
```

**Honggfuzz HF_ITER (persistent mode — preferred for large targets):**
```cpp
#include "honggfuzz.h"
int main(int argc, char** argv) {
    initialize_target(); // runs once
    for (;;) {
        size_t len; uint8_t *buf;
        HF_ITER(&buf, &len);
        FILE* s = fmemopen(buf, len, "r");
        target_function(s);
        fclose(s);
        reset_target_state();
    }
}
```

**AFL++ persistent mode (`__AFL_LOOP`):**
```cpp
while (__AFL_LOOP(10000)) {
    // re-read input and process
}
```

**macOS IPC (Mach message fuzzing):**
```c
void *lib_handle = dlopen("libexample.dylib", RTLD_LAZY);
pFunction = dlsym(lib_handle, "DesiredFunction");
```

### 4. Build Seed Corpus

- Pull from target's test suite, bug reports, and real-world samples
- Web-crawl (Common Crawl) for file formats; filter by MIME type
- Minimize: `afl-cmin -i raw_corpus -o seeds -- ./target @@`
- Trim inputs: `afl-tmin -i crash -o crash.min -- ./target @@`

### 5. Launch Fuzzing

**AFL++ parallel (primary + secondary with cmplog):**
```bash
afl-fuzz -M f1 -i seeds -o findings -x dict.txt -- ./target @@
afl-fuzz -S s1 -i seeds -o findings -c 0 -- ./target @@
```

**libFuzzer:**
```bash
./target_libfuzzer corpus/ -max_total_time=3600 -workers=4
```

**Binary-only (QEMU):**
```bash
afl-fuzz -Q -i seeds -o findings -- target.exe @@
```

**Snapshot (AFL++ Nyx):**
```bash
NYX_MODE=1 AFL_MAP_SIZE=1048576 afl-fuzz -i seeds -o findings -- ./target_nyx @@
```

**Ensemble (AFL++ + Honggfuzz sharing corpus):**
```bash
# Terminal 1
afl-fuzz -M fuzzer1 -i seeds -o sync_dir -- ./target @@
# Terminal 2
../honggfuzz/honggfuzz -i sync_dir/fuzzer1/queue -W sync_dir/hfuzz \
  --linux_perf_ipt_block -t 10 -- ./target ___FILE___
```

### 6. Monitor and Unstick

If progress stalls:
- Enable CmpLog: `-c 0` on AFL++ secondaries
- Add dictionary: `-x dict.txt` or `AFL_TOKEN_FILE`
- Switch to directed fuzzing (AFLGo) targeting specific BBs/functions
- Use concolic assistance (QSYM, Driller) on hard branches
- Snapshot the target to increase exec/s
- `AFL_MAP_SIZE=1048576`, `-L 0` for MOpt scheduler

### 7. Triage Crashes

```bash
# 1. Minimize
afl-tmin -i crash -o crash.min -- ./target @@
# 2. Symbolize
ASAN_OPTIONS=abort_on_error=1:symbolize=1 ./target crash.min 2>asan.log
# 3. Hash + bucket
./cov-tool --bbids ./target crash.min > cov.hash
./bucket.py --key "$(cat cov.hash)" --log asan.log --out triage/
```

**Sanitizer env quick reference:**
```
ASAN_OPTIONS=abort_on_error=1:symbolize=1:detect_stack_use_after_return=1
UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1
TSAN_OPTIONS=halt_on_error=1:history_size=7
MSAN_OPTIONS=poison_in_dtor=1:track_origins=2
```

## Oracle Selection

| Bug Class | Oracle |
|-----------|--------|
| Memory safety | ASan, HWASan (AArch64, lower overhead) |
| Uninitialized reads | MSan |
| Concurrency | TSan |
| Undefined behavior | UBSan |
| Type safety | TypeSan |
| Heap hardening | Scudo Hardened Allocator |
| Logic bugs | Differential / idempotency oracles |
| Kernel memory | KASAN, KMSAN, KCSAN |
| Kernel UB | KUBSan (`CONFIG_UBSAN_TRAP=y`) |
| CFI | KCFI (`-fsanitize=kcfi`, Clang 18) |
| Binary-only | QASAN (QEMU+ASan), DynamoRIO |

**Property oracle patterns:**
- Idempotency: `f(x) == f(f(x))`
- Differential: compare two impls, bucket on output mismatch
- Invariants: monotonic lengths, checksum equality, schema validation post-parse

## Specialized Targets

### Kernel (Linux) — syzkaller

```json
{
  "target": "linux/arm64",
  "http": ":56700",
  "workdir": "/path/to/workdir",
  "kernel_obj": "/path/to/kernel",
  "image": "/path/to/rootfs.ext3",
  "sshkey": "/path/to/id_rsa",
  "procs": 8,
  "enable_syscalls": ["openat$module_name", "ioctl$IOCTL_CMD", "mmap"],
  "type": "qemu",
  "vm": { "count": 4, "cpu": 2, "mem": 2048 }
}
```

- Limit `enable_syscalls` to deepen coverage on specific subsystems
- Use `syz-extract` to pull constants for custom modules
- Enable `CONFIG_KASAN=y`, `CONFIG_KCFI=y`, `CONFIG_DEBUG_INFO_BTF=y`
- Use `kcov` filters and `syz_cover_filter` to direct coverage
- Network fuzzing: inject via `TUN/TAP` + pseudo-syscalls (`syz_emit_ethernet`)
- Crash decode: `./scripts/decode_stacktrace.sh vmlinux ... < dmesg.log`

**syzkaller repro:**
```bash
syz-execprog -repeat=0 -procs=1 -cover=0 -debug target.repro
```

### EDR / Windows Scanning Engines

**WTF

Del mismo repositorio

offensive-active-directorySkill

Active Directory attack methodology for internal network red team engagements. Covers reconnaissance (BloodHound, PowerView, ADExplorer), credential abuse (Kerberoasting, ASREProasting, NTLM relay, LLMNR/NBT-NS poisoning), privilege escalation (ACL abuse, GPO abuse, unconstrained/constrained delegation), lateral movement (Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, WMI/WinRM/PsExec), persistence (Golden/Silver/Diamond Tickets, DCSync, DCShadow, AdminSDHolder, Skeleton Key), forest trust attacks, ADCS abuse (ESC1-ESC15), and modern MDI/Defender for Identity evasion. Use when assessing on-prem AD, hybrid AD/Entra ID environments, or ADCS deployments.

offensive-ai-securitySkill

offensive-jwtSkill

JWT attack methodology for penetration testers. Covers algorithm confusion (alg:none, RS256→HS256), weak HMAC secret brute force, kid parameter injection (SQLi, path traversal), jku/x5u/jwk header injection, JWKS cache poisoning, JWS/JWE confusion, timing attacks, and mobile JWT storage extraction. Use when testing JWT-based authentication, hunting auth bypass via token manipulation, or evaluating JWT implementation security in web or mobile apps.

offensive-oauthSkill

offensive-cloudSkill

Cloud security attack methodology covering AWS, Azure, and GCP. Includes credential harvesting (IMDS, ~/.aws, env vars, leaked CI secrets, instance roles), enumeration with cloud-specific tools (pacu, ScoutSuite, Prowler, ROADtools, gcp_enum), privilege escalation paths (IAM PassRole, AssumeRole chains, Lambda/Functions privilege flips, Azure Owner-on-self, GCP serviceAccountTokenCreator), persistence techniques (IAM user/key creation, AAD app registration, GCP svc account key creation, EventBridge/Logic Apps backdoors), data exfiltration (S3/Blob/GCS, snapshot share, RDS/CosmosDB/Cloud SQL exfil), cloud-native lateral movement (cross-account assume, Azure AD multi-tenant, GCP project hierarchy), serverless attacks (Lambda env vars, layer hijack, Step Functions), Kubernetes-on-cloud (EKS/AKS/GKE-specific paths to node and AWS metadata), and CSPM evasion (CloudTrail blind spots, GuardDuty mute, Sentinel rule shaping). Use when the engagement scope is cloud accounts, when you've stolen cloud credentials, or when assessing cloud posture.

offensive-basic-exploitationSkill

offensive-crash-analysisSkill

offensive-exploit-dev-courseSkill