added first two nfos

2 files changed, 393 insertions, 0 deletions

diff --git a/opsec-field-guide-for-red-teamers.nfo b/opsec-field-guide-for-red-teamers.nfo
new file mode 100644
index 0000000..8724135
--- /dev/null
+++ b/opsec-field-guide-for-red-teamers.nfo
@@ -0,0 +1,301 @@
+.:: OpSec Field Guide for Red Teamers ::.
+
+[ Introduction ]
+
+Running offensive operations - whether you're a red teamer probing a corporate
+network or studying black-hat tradecraft to understand adversaries - is like
+sneaking through a minefield blindfolded. Blue teams have SIEM systems
+dissecting every packet, EDR tools like CrowdStrike watching your endpoints, and
+ISPs logging your every move. Law enforcement can pull metadata, issue
+subpoenas, or rip apart your devices with forensic tools. One mistake - a reused
+email, a traceable IP, a moment of laziness - and your op is burned, possibly
+tied back to your personal life.
+
+The goal isn't perfect anonymity; that's a pipe dream against nation-states or
+relentless threat hunters. Instead, it's about making attribution so costly and
+time-consuming that adversaries slam into a dead end. The dual-identity
+framework is your lifeline: your day-to-day life (personal phone, home Wi-Fi,
+work email) must never touch your operational persona. This guide is for red
+teamers working under strict Rules of Engagement (RoE). Let's be straight:
+unauthorized hacking, like black-hat activity, violates laws like the CFAA or
+GDPR and can land you in prison. This is about learning to strengthen defenses,
+not enabling crime.
+
+The mindset is ruthless compartmentalization and relentless paranoia. Every
+device, network, account, and action in your operational life must be isolated
+from your personal one. Assume you're being watched - by blue teams, cops, or
+even hacktivists - and plan to leave them chasing nothing but noise. This guide
+starts with the threat model, then dives into the strategies:
+compartmentalization, network obfuscation, infrastructure segmentation,
+anti-forensics, deception, and additional angles like physical OpSec, social
+engineering, crypto, mobile devices, cloud risks, cleanup, psychological
+discipline, and counter-intelligence.
+
+[ Threat Model ]
+
+You can't outmaneuver an adversary you don't understand. Nation-states wield
+SIGINT (signals intelligence), HUMINT (human intelligence), and OSINT
+(open-source intelligence), tapping global surveillance networks and legal
+powers to track you. Law enforcement can subpoena ISPs, seize devices, and
+correlate metadata from cloud providers or financial records. Blue team threat
+hunters and private-sector analysts use behavioral tracking, malware analysis,
+and threat intel feeds to pin down your moves. Even OSINT specialists or rival
+hacktivists can piece together your infrastructure from public data like domain
+registrations or SSL certificates.
+
+Their tools are relentless. Network traffic analysis can trace your IP through
+sloppy VPNs or proxies by correlating timing or fingerprinting patterns.
+Metadata - your browser setup, typing habits, or reused usernames - can betray
+you. Infrastructure like C2 servers or phishing domains can be linked through
+purchase records or hosting artifacts. Third parties, like registrars or payment
+services, often keep logs that can be subpoenaed. Identity correlation - reusing
+a PGP key, crypto wallet, or even a linguistic quirk - can tie your ops to your
+real-world identity. And don't forget social engineering: adversaries might
+phish your operational accounts or trick you into clicking a link that leaks
+metadata, unraveling your carefully built persona.
+
+The mindset is strategic: you're not aiming to be invisible forever, but to make
+attribution a logistical nightmare. Break your operational chain into isolated
+segments - devices, networks, accounts - so no single piece leads back to you.
+Think like a chess player: anticipate every move your adversary might make, from
+technical tracking to psychological traps, and stay three steps ahead.
+
+[ Compartmentalization ]
+
+Compartmentalization is the heart of dual-identity OpSec. Your personal life -
+your daily phone, home Wi-Fi, work email - must never touch your operational
+persona. This isn't just about tools; it's about living two separate lives, like
+a spy who never breaks character. The mindset is discipline: one slip, and the
+firewall between your personal and operational identities collapses.
+
+Start with hardware. Your personal laptop or phone is radioactive for ops - too
+tied to your identity through accounts, logs, or geolocation. Buy a used laptop
+or budget Android from a pawn shop, paid for in cash to avoid any financial
+trail. Look for something with enough power to handle VMs - say, 8-16GB RAM and
+an i5 processor. If you're paranoid, rip out the WiFi card, webcam, and
+microphone to kill any chance of remote tracking. These devices are your
+operational persona's lifeline, stored in a Faraday bag when not in use to block
+signals. Never let them near your home network or personal accounts.
+
+Mobile devices are a special case. A burner phone isn't enough if it's still
+leaking data. Flash a custom ROM like LineageOS or GrapheneOS to strip out
+telemetry, disable GPS, Bluetooth, and unnecessary sensors, and stick to apps
+from F-Droid, avoiding mainstream stores like Google Play. Use a prepaid SIM,
+bought with cash and without KYC requirements, and top it up in person at a
+kiosk, never online or with a bank card. The mindset is treating your phone like
+a hostile device you're borrowing for the op - it's not yours, and it's not
+trusted.
+
+Networks need the same split. Your home Wi-Fi or personal cell plan? Off-limits.
+Use public Wi-Fi - coffee shops, libraries, anywhere far from your usual haunts
+- to keep your ops geographically separate. Spoof your MAC address every time
+you connect, and never hit the same spot twice to avoid CCTV or staff noticing
+your burner laptop. If you need a stable connection, a travel router with a
+prepaid SIM gives you control, or you can compromise a nearby Wi-Fi network to
+piggyback off their bandwidth. Physical OpSec is just as critical: vary your
+locations, blend into the crowd, and assume every public space has eyes -
+cameras, employees, or nosy bystanders. One CCTV clip tying your burner device
+to your car's license plate can unravel everything.
+
+Accounts are where most people screw up. Your operational persona needs its own
+email, VPN, and communication platforms, created from scratch with no ties to
+your personal life. Use privacy-focused services like ProtonMail or onion-based
+email providers, paid with Monero or cash-bought gift cards. Don't reuse
+usernames or passwords - ever. A password manager on an encrypted USB keeps
+things straight, but the real key is mental separation: treat your operational
+accounts like they belong to someone else. For comms, skip mainstream apps like
+WhatsApp or Gmail. Use XMPP with OTR/OMEMO encryption or Signal on a burner
+phone, registered with a pseudonymous number. If you need a high-reputation
+email for phishing, pick one that doesn't demand a phone number, but treat it as
+a last resort.
+
+Behaviorally, live the split. Operate from designated locations at irregular
+times to avoid patterns that blue teams or analysts could correlate. Never
+discuss ops on personal channels - your work Slack, your iMessage, nothing.
+Psychological discipline is critical: maintaining dual identities is mentally
+taxing, and stress or overconfidence can make you sloppy - reusing a password,
+forgetting to spoof a MAC. Build rituals - always verify your setup, practice in
+a lab, never rush. OpSec isn't a toolset; it's a lifestyle you live every op.
+The goal is a clean break: if your operational persona gets burned, your
+personal life stays untouched, like a ship's watertight compartments keeping it
+afloat after a hit.
+
+[ Network Obfuscation ]
+
+Your network activity is a beacon unless you obscure it. Blue teams and
+adversaries can trace IPs, correlate timing, or fingerprint your traffic to
+pinpoint your infrastructure. The mindset is stealth: make your network presence
+so convoluted that tracing it is like chasing a ghost through a storm.
+
+Tor is your starting point, routing traffic through encrypted relays to mask
+your origin. Use it via Tor Browser or Whonix, which tunnels all activity
+through a hardened gateway. But don't trust Tor blindly - disable JavaScript to
+block fingerprinting, stick to HTTPS or .onion sites to avoid exit node
+snooping, and check for DNS leaks that could expose your real IP. Layering a
+no-logs VPN like Mullvad or ProtonVPN after connecting to Tor adds redundancy
+and a clean exit IP, paid for with Monero to keep it untraceable. Configure a
+killswitch to cut traffic if the VPN drops. The principle is layering: no single
+tool is your shield.
+
+Public Wi-Fi is your operational network, but it's a minefield. Hotspots can log
+MAC addresses or have cameras watching you. Spoof your MAC and vary your
+locations to avoid correlation. If you need a stable connection, a travel router
+with a prepaid SIM or a compromised Wi-Fi network can work, but don't get lazy
+and reuse access points. For initial infrastructure setup, like provisioning a
+VPS, always go through Tor or multi-hop VPNs to keep your real-world location
+dark. Later, you can switch to SSH over an onion service for secure access.
+
+The mindset is unpredictability: vary your connection points, timing, and
+traffic patterns to break any chance of correlation. Red teamers use this to
+mimic APTs, routing scans or C2 traffic through anonymized channels. Black hats
+use it to hide phishing domains or botnets. The goal is the same: make your
+network footprint a puzzle with missing pieces.
+
+[ Infrastructure Segmentation ]
+
+Your operational infrastructure - C2 servers, phishing domains, VPSes - is a
+weak link if not handled right. Adversaries can link domains, hosting providers,
+or payment records to attribute your ops. The mindset is segmentation: treat
+every operation as a standalone entity with no overlap, and be prepared to
+deploy or nuke it fast.
+
+Use different hosting providers, cloud regions, and registrars for each op. For
+a C2 server, pick a VPS provider in a privacy-friendly jurisdiction like
+Iceland, paid with Monero. For phishing domains, use a different registrar, and
+never reuse SSL/TLS certificates across ops. Spread your infrastructure across
+providers to avoid a single point of failure - if one gets burned, the others
+stay dark. Avoid mainstream cloud services like AWS or Azure unless you're
+mimicking a specific threat actor, as they're more likely to log and comply with
+subpoenas. Cloud risks are real - their extensive logging can expose your setup
+if you're not careful, so stick to providers with minimal retention policies.
+
+Payments are a hidden trap. Never use a bank card or PayPal tied to your name.
+Monero is your best bet, but it's not foolproof - blockchain analysis can trace
+even "private" coins if you're sloppy. Tumble your coins through a mixer and set
+up wallets on an air-gapped device to prevent key theft. Avoid centralized
+exchanges entirely for operational payments - they're KYC traps that can link
+your wallet to your personal identity. The principle is isolation: no part of
+your infrastructure should link to another, and none should trace back to you.
+
+Preparedness is a game-changer here. Having pre-established deployment
+procedures and automations can slash setup and teardown times, reducing your
+exposure. Script your infrastructure spins with tools like Terraform or Ansible,
+pre-configuring VPSes, firewalls, and onion routing. Store these scripts on an
+encrypted drive, ready to deploy a new C2 server or phishing domain in minutes.
+Automate teardown processes too - cron jobs or scripts to nuke servers, wipe
+logs, or rotate domains after a set time or trigger. This cuts down on manual
+errors and ensures you can disappear fast if things heat up.
+
+For red teamers, this means streamlined ops that test blue team response times;
+for black-hat analysis, it's about how adversaries spin up and vanish
+infrastructure on a dime. The mindset is efficiency: be ready to build and burn
+your setup.
+
+[ Anti-Forensics ]
+
+Forensic evidence - logs, files, or device artifacts - can sink you. The mindset
+is ephemerality: your ops should leave no trace, like footprints washed away by
+the tide. Use Tails OS for sensitive tasks, running everything in RAM and wiping
+on shutdown. Route all traffic through Tor and use encrypted storage like
+VeraCrypt or LUKS for anything you need to keep temporarily. If you're working
+with VMs, Whonix's Gateway-Workstation setup is a solid choice, but harden it by
+disabling automatic updates or services that phone home. Virtualization risks
+are real - a misconfigured VM can leak data between host and guest, like
+clipboard sharing or network settings exposing your personal IP. Use a
+dedicated, air-gapped host for virtualization to lock it down.
+
+File deletion isn't just hitting "delete". Overwrite sensitive files multiple
+times to ensure they're unrecoverable, and avoid SSDs since their TRIM function
+can complicate secure wipes. For full device sanitization, nuke the drive before
+disposal. When deploying payloads, spend the time to develop and obfuscate them
+to slip past EDR systems like SentinelOne or CrowdStrike, and test in a sandbox
+to avoid tipping off defenders. The goal is less artifacts that could be
+recovered. For red teamers, this means simulating stealthy malware to challenge
+blue team detection. For black-hat analysis, it's about understanding how
+adversaries maintain persistence without leaving digital breadcrumbs.
+
+[ Deception and Noise ]
+
+Sometimes, the best defense is a good offense. Deception and noise generation
+can throw adversaries off your trail by flooding them with false leads. The
+mindset is misdirection: make attribution so confusing that investigators chase
+ghosts instead of you. Plant false indicators in your ops - use TTPs that mimic
+other threat actors, like a known APT group, to blend into their noise. Drop
+decoy files or logs that point to fake infrastructure, like a VPS in a different
+country. Use multiple proxy hops or overlapping C2 channels to create a web of
+activity that's hard to untangle. Spin up a decoy phishing domain that mimics
+your real one but leads nowhere, wasting blue team resources.
+
+Noise generation is about overwhelming. Run low-level scans or unrelated traffic
+from different IPs to dilute your real op's footprint. The goal is to make your
+signal indistinguishable from the internet's background hum.
+Counter-intelligence takes this further: monitor how adversaries are trying to
+attribute you. Check if your domains or IPs are flagged in threat feeds, or if
+your C2 traffic is triggering alerts. Use OSINT to see what blue teams see - are
+your TTPs being discussed in threat reports? The best operators don't just hide;
+they know when they're being hunted and adjust. For red teamers, this tests blue
+team filtering capabilities; for black-hat analysis, it's about how adversaries
+stay ahead of hunters. The principle is control: you dictate what adversaries
+see, and it's never the full picture.
+
+[ Post-Operation Cleanup ]
+
+When the op's done, you don't linger. The mindset is finality: leave the
+battlefield cleaner than you found it. Tear down your infrastructure immediately
+- nuke VPSes, delete DNS configurations, and wipe logs. Automate this with
+scripts that trigger on a schedule or signal, ensuring no manual errors leave
+artifacts behind. Destroy prepaid SIMs, wipe burner devices, and sanitize drives
+to ensure nothing's recoverable.
+
+Have an exit plan - know when to abort if things heat up, like blue team alerts
+or law enforcement sniffing around. A single forgotten domain or log can lead
+adversaries back to you, so plan your escape before you start. For red teamers,
+this means clean handoffs to clients with no loose ends; for black-hat analysis,
+it's about how adversaries disappear after a campaign.
+
+[ Real-World Perspective ]
+
+Picture a red teamer running a pen-test. They're on a cash-bought laptop with
+Tails, scanning a target's web app through Tor and a no-logs VPN, coordinating
+via Signal with messages that vanish after an hour. They're at a random library,
+spoofing their MAC address, blending into the crowd to dodge CCTV. Their C2
+server is a Monero-paid VPS in Iceland, unlinked to their phishing domain on a
+different provider, spun up with pre-tested Ansible playbooks and ready to nuke
+post-op.
+
+Now imagine a black hat pulling a phishing op, hosting it on a Tor hidden
+service, exfiltrating credentials via a private XMPP server, and using a burner
+phone with LineageOS or GrapheneOS from a public Wi-Fi. The TTPs overlap -
+layered anonymity, segmented infrastructure, no traces - but the red teamer's
+work is legal, while the black hat's isn't. The mindset is identical: stay
+invisible, stay disciplined.
+
+[ Avoiding the Traps ]
+
+Your biggest threat is yourself. Metadata - like EXIF data in a screenshot - can
+unravel your op. Reusing a username, email, or crypto wallet across ops invites
+correlation. Operating from the same Wi-Fi or at predictable times hands
+adversaries a pattern. Misconfigured tools - a VPN leaking your IP, a VM phoning
+home - can burn you in seconds.
+
+Social engineering is a killer: adversaries might phish your operational
+accounts or trick you into clicking a link that leaks metadata. The mindset is
+relentless self-auditing: test your setup in a sandbox, randomize your patterns,
+verify every interaction, and never assume you're safe. Every op is a chance to
+screw up, so double-check everything.
+
+[ The Legal Line ]
+
+Red teamers, you need a signed RoE before you start - document every move and
+stick to laws like CFAA or GDPR. Black-hat activity is a one-way ticket to legal
+trouble. This guide is about understanding adversary TTPs to build better
+defenses, not crossing into illegal territory. Screw up, and you're on your own.
+
+[ Final Thoughts ]
+
+Dual-identity OpSec is about living two lives - one personal, one operational -
+with no overlap. Compartmentalize your hardware, networks, accounts, and
+behavior. Obscure your network presence, segment your infrastructure, erase your
+traces, and throw adversaries off with deception. Automate your setups and
+teardowns to stay nimble. Stay paranoid, stay disciplined, and monitor how
+you're being hunted.
diff --git a/ssti-discovery-in-python.nfo b/ssti-discovery-in-python.nfo
new file mode 100644
index 0000000..bbea9cc
--- /dev/null
+++ b/ssti-discovery-in-python.nfo
@@ -0,0 +1,92 @@
+.:: SSTI Discovery in Python ::.
+
+Server-Side Template Injection (SSTI) is a critical vulnerability in web
+applications that allows attackers to inject malicious template code,
+potentially leading to remote code execution (RCE). This research presents a
+Python-based tool designed to identify and analyze SSTI vulnerabilities in
+Jinja2 templates, a popular templating engine. By dynamically importing modules
+and enumerating their attributes, the tool discovers potential RCE vectors,
+enabling security researchers to assess and mitigate SSTI risks effectively.
+
+[ Introduction ]
+
+The tool leverages Python's importlib to dynamically import user-specified
+modules and a custom enumeration function to inspect their attributes, globals,
+and subclasses. By simulating Flask and Django contexts, it identifies paths to
+potentially dangerous objects like os.system or subprocess.Popen, which are
+common SSTI exploit primitives.
+
+Note that False Positives are common and most vectors should be tested manually.
+Currently, the tool works by potentially dangerous functions, modules and
+keywords.
+
+The tool code repository is located at https://cgit.heqnx.com/ssti-discovery and
+can be cloned easily with git clone https://cgit.heqnx.com/ssti-discovery.
+
+[ Tool Usage ]
+
+$ python3 ssti-discovery.py -h
+usage: ssti-discovery.py [-h] --module MODULE [--framework {jinja2,django}] [--output OUTPUT]
+
+SSTI RCE Vector Discovery Tool
+
+options:
+  -h, --help            show this help message and exit
+  --module MODULE       Module to import (e.g., os, numpy, myutils)
+  --framework {jinja2,django}
+                        Template framework to simulate (jinja2 or django)
+  --output OUTPUT       Output file for results (default: console)
+
+[ Tool Output Example ]
+
+$ python3 ssti-discovery.py --module numpy --framework jinja2
+{
+  "module": "numpy",
+  "framework": "jinja2",
+  "rce_vectors": [
+    {
+      "path": "dict.__subclasses__.CallbackDict",
+      "type": "potentially dangerous class, investigate manually",
+      "details": "access to CallbackDict"
+    },
+    {
+      "path": "lipsum.__globals__.os",
+      "type": "potentially dangerous module, investigate manually",
+      "details": "access to 'os' module"
+    },
+    {
+      "path": "joiner.__call__",
+      "type": "potentially dangerous function, investigate manually",
+      "details": "access to '__call__' function"
+    },
+    {
+      "path": "joiner.__call__.__globals__.os",
+      "type": "potentially dangerous module, investigate manually",
+      "details": "access to 'os' module"
+    },
+    {
+      "path": "namespace.__getattribute__.__globals__.os",
+      "type": "potentially dangerous module, investigate manually",
+      "details": "access to 'os' module"
+    },
+    {
+      "path": "request._load_form_data",
+      "type": "potentially dangerous function, investigate manually",
+      "details": "access to '_load_form_data' function"
+    }
+  ]
+}
+
+[ Payload Testing ]
+
+The ssti-app.py is a Python-based tool built with Flask and Jinja2 to
+help in identifying and testing Server-Side Template Injection payloads.
+This tool provides a controlled environment to execute and analyze Jinja2
+template payloads, enabling users to explore potential remote code execution
+(RCE) vectors in web applications.
+
+The tool accepts command-line arguments to import Python modules (e.g., os,
+subprocess) into the Jinja2 environment, simulating real-world scenarios where
+sensitive modules might be exposed. The Flask webapp runs on localhost on port
+:5000. A basic index.html interface (served at /) allows for easy interaction,
+making it accessible for both manual and automated testing.