New persona variants:
- forge/frontend-design — DESIGN.md methodology, 58-brand reference, UI/UX intelligence
- oracle/source-verification — 5-section forensic verification protocol (ethos/pathos/context/intent/logos)
- sentinel/c2-hunting — 6-phase C2 hunting with beaconing detection, detection engineering

Enhanced existing personas:
- neo: Added Active Directory exploitation (Kerberoasting, DCSync, delegation), network pivoting, cloud attacks
- frodo: Added response mode auto-detection, claim extraction, Devil's Advocate, explicit uncertainty tracking
- ghost: Added cognitive warfare expertise (behavioral science weaponization, algorithmic amplification)

Build system enhancements:
- Cross-persona escalation graph auto-extracted → generated/_index/escalation_graph.json
- Trigger→persona routing index → generated/_index/trigger_index.json
- Quality validation with warnings for thin/missing sections
- Section word counts injected into every output
- Richer CATALOG.md with depth stats, escalation paths, trigger index

Platform auto-install:
- python3 build.py --install claude — 111 slash commands → ~/.claude/commands/
- python3 build.py --install antigravity — personas → ~/.config/antigravity/personas/
- python3 build.py --install gemini — Gems → generated/_gems/
- python3 build.py --install openclaw — IDENTITY.md + personas → generated/_openclaw/
- python3 build.py --install all — deploy to all platforms

Shared reference library:
- personas/_shared/kali-tools/ — 16 Kali Linux tool reference docs
- personas/_shared/osint-sources/ — OSINT master reference
- personas/_shared/ad-attack-tools/ — AD attack chain reference

Stats: 29 personas, 111 variants, 59,712 words

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Wireless & Network Discovery Tools
wifite
  .               .
.´  ·  .     .  ·  `.  wifite2 2.8.1
:  :  :  (¯)  :  :  :  a wireless auditor by derv82
`.  ·  ` /¯\ ´  ·  .´  maintained by kimocoder
  `     /¯¯¯\     ´    https://github.com/kimocoder/wifite2
options:
-h, --help show this help message and exit
SETTINGS:
-v, --verbose Shows more options (-h -v). Prints commands and outputs. (default: quiet)
-i [interface] Wireless interface to use, e.g. wlan0mon (default: ask)
-c [channel] Wireless channel to scan e.g. 1,3-6 (default: all 2Ghz channels)
-inf, --infinite Enable infinite attack mode. Modify scanning time with -p (default: off)
-mac, --random-mac Randomize wireless card MAC address (default: off)
-p [scan_time] Pillage: Attack all targets after scan_time (seconds)
--kill Kill processes that conflict with Airmon/Airodump (default: off)
-pow, --power [min_power] Attacks any targets with at least min_power signal strength
--skip-crack Skip cracking captured handshakes/pmkid (default: off)
-first, --first [attack_max] Attacks the first attack_max targets
-ic, --ignore-cracked Hides previously-cracked targets. (default: off)
--clients-only Only show targets that have associated clients (default: off)
--nodeauths Passive mode: Never deauthenticates clients (default: deauth targets)
--daemon Puts device back in managed mode after quitting (default: off)
WEP:
--wep Show only WEP-encrypted networks
--require-fakeauth Fails attacks if fake-auth fails (default: off)
--keep-ivs Retain .IVS files and reuse when cracking (default: off)
WPA:
--wpa Show only WPA/WPA2-encrypted networks (may include WPS)
--wpa3 Show only WPA3-encrypted networks (SAE/OWE)
--owe Show only OWE-encrypted networks (Enhanced Open)
--new-hs Captures new handshakes, ignores existing handshakes in hs (default: off)
--dict [file] File containing passwords for cracking (default: /usr/share/dict/wordlist-probable.txt)
WPS:
--wps Show only WPS-enabled networks
--wps-only Only use WPS PIN & Pixie-Dust attacks (default: off)
--bully Use bully program for WPS PIN & Pixie-Dust attacks (default: reaver)
--reaver Use reaver program for WPS PIN & Pixie-Dust attacks (default: reaver)
--ignore-locks Do not stop WPS PIN attack if AP becomes locked (default: stop)
PMKID:
--pmkid Only use PMKID capture, avoids other WPS & WPA attacks (default: off)
--no-pmkid Don't use PMKID capture (default: off)
--pmkid-timeout [sec] Time to wait for PMKID capture (default: 300 seconds)
[36mCOMMANDS[0m:
--cracked Print previously-cracked access points
--ignored Print ignored access points
--check [file] Check a [36m.cap file[0m (or all [36mhs/*.cap[0m files) for WPA handshakes
--crack Show commands to crack a captured handshake
--update-db Update the local MAC address prefix database from IEEE registries
reaver
macchanger
GNU MAC Changer
Usage: macchanger [options] device
-h, --help Print this help
-V, --version Print version and exit
-s, --show Print the MAC address and exit
-e, --ending Don't change the vendor bytes
-a, --another Set random vendor MAC of the same kind
-A Set random vendor MAC of any kind
-p, --permanent Reset to original, permanent hardware MAC
-r, --random Set fully random MAC
-l, --list[=keyword] Print known vendors
-b, --bia Pretend to be a burned-in-address
-m, --mac=XX:XX:XX:XX:XX:XX
--mac XX:XX:XX:XX:XX:XX Set the MAC XX:XX:XX:XX:XX:XX
Report bugs to https://github.com/alobbs/macchanger/issues
netdiscover
Netdiscover 0.21 [Active/passive ARP reconnaissance tool]
Written by: Jaime Penalba <jpenalbae@gmail.com>
Usage: netdiscover [-i device] [-r range | -l file | -p] [-m file] [-F filter] [-s time] [-c count] [-n node] [-dfPLNS]
-i device: your network device
-r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
-l file: scan the list of ranges contained into the given file
-p passive mode: do not send anything, only sniff
-m file: scan a list of known MACs and host names
-F filter: customize pcap filter expression (default: "arp")
-s time: time to sleep between each ARP request (milliseconds)
-c count: number of times to send each ARP request (for nets with packet loss)
-n node: last source IP octet used for scanning (from 2 to 253)
-d ignore home config files for autoscan and fast mode
-R assume user is root or has the required capabilities without running any checks
-f enable fastmode scan, saves a lot of time, recommended for auto
-P print results in a format suitable for parsing by another program and stop after active scan
-L similar to -P but continue listening after the active scan is completed
-N Do not print header. Only valid when -P or -L is enabled.
-S enable sleep time suppression between each request (hardcore mode)
If -r, -l or -p are not enabled, netdiscover will scan for common LAN addresses.
arp-scan
Usage: arp-scan [options] [hosts...]
Target hosts must be specified on the command line unless the --file or
--localnet option is used.
arp-scan uses raw sockets, which requires privileges on some systems:
Linux with POSIX.1e capabilities support using libcap:
arp-scan is capabilities aware. It requires CAP_NET_RAW in the permitted
set and only enables that capability for the required functions.
BSD and macOS:
You need read/write access to /dev/bpf*
Any operating system:
Running as root or SUID root will work on any OS but other methods
are preferable where possible.
Targets can be IPv4 addresses or hostnames. You can also use CIDR notation
(10.0.0.0/24) (network and broadcast included), ranges (10.0.0.1-10.0.0.10),
and network:mask (10.0.0.0:255.255.255.0).
Options:
The data type for option arguments is shown by a letter in angle brackets:
<s> Character string.
<i> Decimal integer, or hex if preceeded by 0x e.g. 2048 or 0x800.
<f> Floating point decimal number.
<m> MAC address, e.g. 01:23:45:67:89:ab or 01-23-45-67-89-ab (case insensitive)
<a> IPv4 address e.g. 10.0.0.1
<h> Hex encoded binary data. No leading 0x. (case insensitive).
<x> Something else - see option description.
General Options:
--help or -h Display this usage message and exit.
--verbose or -v Display verbose progress messages.
Can be used than once to increase verbosity. Max=3.
--version or -V Display program version details and exit.
Shows the version, license details, libpcap version,
and whether POSIX.1e capability support is included.
--interface=<s> or -I <s> Use network interface <s>.
If this option is not specified, arp-scan will search
the system interface list for the lowest numbered,
configured up interface (excluding loopback).
Host Selection:
fping
Usage: fping [options] [targets...]
Probing options:
-4, --ipv4 only ping IPv4 addresses
-6, --ipv6 only ping IPv6 addresses
-b, --size=BYTES amount of ping data to send, in bytes (default: 56)
-B, --backoff=N set exponential backoff factor to N (default: 1.5)
-c, --count=N count mode: send N pings to each target
-f, --file=FILE read list of targets from a file ( - means stdin)
-g, --generate generate target list (only if no -f specified)
(give start and end IP in the target list, or a CIDR address)
(ex. fping -g 192.168.1.0 192.168.1.255 or fping -g 192.168.1.0/24)
-H, --ttl=N set the IP TTL value (Time To Live hops)
-I, --iface=IFACE bind to a particular interface
-l, --loop loop mode: send pings forever
-m, --all use all IPs of provided hostnames (e.g. IPv4 and IPv6), use with -A
-M, --dontfrag set the Don't Fragment flag
-O, --tos=N set the type of service (tos) flag on the ICMP packets
-p, --period=MSEC interval between ping packets to one target (in ms)
(in loop and count modes, default: 1000 ms)
-r, --retry=N number of retries (default: 3)
-R, --random random packet data (to foil link data compression)
-S, --src=IP set source address
-t, --timeout=MSEC individual target initial timeout (default: 500 ms,
except with -l/-c/-C, where it's the -p period up to 2000 ms)
Output options:
-a, --alive show targets that are alive
-A, --addr show targets by address
-C, --vcount=N same as -c, report results in verbose format
-d, --rdns show targets by name (force reverse-DNS lookup)
-D, --timestamp print timestamp before each output line
-e, --elapsed show elapsed time on return packets
-i, --interval=MSEC interval between sending ping packets (default: 10 ms)
-n, --name show targets by name (reverse-DNS lookup for target IPs)
-N, --netdata output compatible for netdata (-l -Q are required)
-o, --outage show the accumulated outage time (lost packets * packet interval)
-q, --quiet quiet (don't show per-target/per-ping results)
-Q, --squiet=SECS same as -q, but add interval summary every SECS seconds
-s, --stats print final stats
-u, --unreach show targets that are unreachable
-v, --version show version
-x, --reachable=N shows if >=N hosts are reachable or not
mitmproxy
usage: mitmproxy [options]
options:
-h, --help show this help message and exit
--version show version number and exit
--options Show all options and their default values
--commands Show all commands and their signatures
--set option[=value] Set an option. When the value is omitted, booleans are
set to true, strings and integers are set to None (if
permitted), and sequences are emptied. Boolean values
can be true, false or toggle. Sequences are set using
multiple invocations to set for the same option.
-q, --quiet Quiet.
-v, --verbose Increase log verbosity.
--mode, -m MODE The proxy server type(s) to spawn. Can be passed
multiple times. Mitmproxy supports "regular" (HTTP),
"local", "transparent", "socks5", "reverse:SPEC",
"upstream:SPEC", and "wireguard[:PATH]" proxy servers.
For reverse and upstream proxy modes, SPEC is host
specification in the form of "http[s]://host[:port]".
For WireGuard mode, PATH may point to a file
containing key material. If no such file exists, it
will be created on startup. You may append
`@listen_port` or `@listen_host:listen_port` to
override `listen_host` or `listen_port` for a specific
proxy mode. Features such as client playback will use
the first mode to determine which upstream server to
use. May be passed multiple times.
--no-anticache
--anticache Strip out request headers that might cause the server
to return 304-not-modified.
--no-showhost
--showhost Use the Host header to construct URLs for display.
This option is disabled by default because malicious
apps may send misleading host headers to evade your
analysis. If this is not a concern, enable this
options for better flow display.
--no-show-ignored-hosts
--show-ignored-hosts Record ignored flows in the UI even if we do not
perform TLS interception. This option will keep