rtexit-method 0.1.0 → 0.1.1

package/packaged-assets/.agents/skills/rt-active-recon/SKILL.md

@@ -0,0 +1,767 @@
+---
+name: rt-active-recon
+description: "Active reconnaissance skill. Use for port scanning (Nmap, Masscan), service fingerprinting, OS detection, WAF detection (wafw00f), web technology identification (WhatWeb, Wappalyzer), directory enumeration (gobuster, ffuf), and vulnerability scanning (Nuclei). Makes direct contact with target systems."
+---
+
+# rt-active-recon
+
+## Overview
+
+Active reconnaissance is the phase where the Red Team operator makes **direct, measurable contact** with target systems. Unlike passive recon (OSINT, DNS lookups, Shodan), active recon generates traffic logs on the target's infrastructure and may trigger IDS/IPS/WAF alerts. Every command in this skill should be executed only after:
+
+1. Rules of Engagement (ROE) are signed and in scope is confirmed (`/rt-rules-of-engagement`)
+2. Scope is locked in `_rtexit/config.user.toml` under `[scope]`
+3. Methodology has been selected (`/rt-methodology-selector`)
+
+**Output discipline:** All tool output MUST be saved to `_rtexit-output/recon/active/` in structured subdirectories. The RTExit autodoc engine indexes everything under `_rtexit-output/`. Raw tool output + a brief operator note is sufficient — the scribe agent will formalize it.
+
+**OPSEC note:** Active recon is loud. Consider using pivots, VPN egress nodes, or cloud burner instances for external engagements. For internal engagements, coordinate with the client's SOC window if required by ROE.
+
+---
+
+## Skill Levels
+
+### BEGINNER
+
+Suitable for: Learning the toolchain, CTFs, internal lab targets, supervised engagements.
+
+**Goal:** Get a basic open-port list and identify running services.
+
+```bash
+# Basic Nmap scan — top 1000 ports, version detection, default scripts
+nmap -sV -sC -oA _rtexit-output/recon/active/nmap/basic-scan <TARGET_IP>
+
+# Ping sweep a /24 subnet (identify live hosts)
+nmap -sn 192.168.1.0/24 -oG _rtexit-output/recon/active/nmap/ping-sweep.gnmap
+
+# Quick web tech check with WhatWeb
+whatweb http://<TARGET> -v --log-verbose=_rtexit-output/recon/active/whatweb/whatweb-basic.txt
+
+# Basic directory bruteforce with gobuster
+gobuster dir \
+  -u http://<TARGET> \
+  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
+  -o _rtexit-output/recon/active/gobuster/common-dirs.txt
+```
+
+---
+
+### INTERMEDIATE
+
+Suitable for: Professional penetration tests, solo operators, external attack surface assessments.
+
+**Goal:** Full TCP/UDP coverage, OS fingerprinting, WAF detection, targeted directory enumeration, initial vulnerability scan.
+
+```bash
+# Full TCP port scan (all 65535 ports) — use Masscan first for speed, then Nmap for fingerprinting
+masscan <TARGET_IP/CIDR> -p1-65535 --rate=10000 \
+  -oG _rtexit-output/recon/active/masscan/full-tcp.gnmap
+
+# Parse Masscan output to get open port list for Nmap
+grep "open" _rtexit-output/recon/active/masscan/full-tcp.gnmap \
+  | awk '{print $5}' | cut -d'/' -f1 | sort -u | tr '\n' ',' \
+  > /tmp/open-ports.txt
+
+# Targeted Nmap with version + script scan on confirmed open ports
+nmap -sV -sC -A -p$(cat /tmp/open-ports.txt) \
+  --script=banner,http-title,ssl-cert,ssh-hostkey \
+  -oA _rtexit-output/recon/active/nmap/targeted-scan \
+  <TARGET_IP>
+
+# WAF detection
+wafw00f http://<TARGET> -o _rtexit-output/recon/active/waf/wafw00f.txt -f text
+
+# WhatWeb with aggression level 3
+whatweb http://<TARGET> -a 3 \
+  --log-json=_rtexit-output/recon/active/whatweb/whatweb-full.json \
+  --log-verbose=_rtexit-output/recon/active/whatweb/whatweb-full.txt
+
+# Directory enumeration with medium wordlist and extension bruteforce
+gobuster dir \
+  -u http://<TARGET> \
+  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
+  -x php,asp,aspx,jsp,html,txt,bak,zip,conf,env \
+  -t 50 \
+  -o _rtexit-output/recon/active/gobuster/medium-dirs.txt \
+  --timeout 15s
+
+# Nuclei — community templates for CVE and misconfiguration detection
+nuclei -u http://<TARGET> \
+  -t /root/nuclei-templates/ \
+  -severity low,medium,high,critical \
+  -o _rtexit-output/recon/active/nuclei/nuclei-scan.txt \
+  -json-export _rtexit-output/recon/active/nuclei/nuclei-scan.json
+```
+
+---
+
+### ADVANCED
+
+Suitable for: Red team engagements, external infrastructure attacks, multi-host environments, evading detection.
+
+**Goal:** Stealthy scanning, comprehensive fingerprinting, virtual host enumeration, API endpoint discovery, authenticated scans, custom Nuclei templates.
+
+```bash
+# Slow stealthy Nmap scan (evade basic IDS rate thresholds)
+nmap -sS -T2 -Pn -f --data-length 24 \
+  -p21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080,8443 \
+  --randomize-hosts \
+  -oA _rtexit-output/recon/active/nmap/stealth-scan \
+  <TARGET_IP>
+
+# UDP port scan (often missed, catches SNMP, DNS, TFTP, NFS)
+nmap -sU --top-ports 200 -T3 \
+  -oA _rtexit-output/recon/active/nmap/udp-top200 \
+  <TARGET_IP>
+
+# Virtual host enumeration (find hidden vhosts on shared IP)
+ffuf -u http://<TARGET_IP> \
+  -H "Host: FUZZ.<TARGET_DOMAIN>" \
+  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
+  -fc 404,400 \
+  -o _rtexit-output/recon/active/ffuf/vhost-enum.json \
+  -of json
+
+# API endpoint discovery
+ffuf -u http://<TARGET>/FUZZ \
+  -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
+  -mc 200,201,204,301,302,307,401,403 \
+  -o _rtexit-output/recon/active/ffuf/api-endpoints.json \
+  -of json
+
+# Subdomain enumeration via DNS bruteforce
+gobuster dns \
+  -d <TARGET_DOMAIN> \
+  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
+  -o _rtexit-output/recon/active/gobuster/dns-subdomains.txt \
+  --timeout 5s
+
+# Nmap with NSE script categories for deeper enumeration
+nmap -sV -p80,443,8080,8443 \
+  --script="http-enum,http-headers,http-methods,http-auth-finder,http-config-backup,http-git,http-php-version,ssl-enum-ciphers,ssl-heartbleed,ssl-poodle" \
+  -oA _rtexit-output/recon/active/nmap/web-scripts \
+  <TARGET_IP>
+
+# SMB enumeration (if port 445 is open)
+nmap -p445 --script="smb-vuln*,smb-enum*,smb2-security-mode" \
+  -oA _rtexit-output/recon/active/nmap/smb-enum \
+  <TARGET_IP>
+
+# Custom Nuclei scan — specific tags only
+nuclei -u http://<TARGET> \
+  -tags cve,rce,sqli,ssrf,lfi,xss,auth-bypass,misconfig \
+  -severity medium,high,critical \
+  -rl 30 \
+  -o _rtexit-output/recon/active/nuclei/targeted-nuclei.txt \
+  -json-export _rtexit-output/recon/active/nuclei/targeted-nuclei.json
+```
+
+---
+
+### EXPERT
+
+Suitable for: Adversary simulation, APT-style engagements, red team operations requiring evasion and high-fidelity fingerprinting.
+
+**Goal:** Operator-written scripts, authenticated scanning, WAF bypass techniques, chained tool pipelines, custom fingerprinting.
+
+```bash
+# Masscan + Nmap pipeline — scan entire /16 fast, then deep-dive open hosts
+masscan 10.0.0.0/16 -p1-65535 --rate=50000 \
+  --exclude 10.0.0.1 \
+  -oX _rtexit-output/recon/active/masscan/internal-full.xml
+
+# Parse Masscan XML and auto-run Nmap on each live host
+python3 << 'EOF'
+import xml.etree.ElementTree as ET
+import subprocess, os
+
+tree = ET.parse("_rtexit-output/recon/active/masscan/internal-full.xml")
+hosts = {}
+for host in tree.findall("host"):
+    ip = host.find("address").get("addr")
+    for port in host.findall(".//port"):
+        hosts.setdefault(ip, []).append(port.get("portid"))
+
+os.makedirs("_rtexit-output/recon/active/nmap/hosts", exist_ok=True)
+for ip, ports in hosts.items():
+    port_str = ",".join(ports)
+    safe_ip = ip.replace(".", "_")
+    cmd = [
+        "nmap", "-sV", "-sC", "-A", f"-p{port_str}",
+        "-oA", f"_rtexit-output/recon/active/nmap/hosts/{safe_ip}",
+        ip
+    ]
+    print(f"[*] Scanning {ip} on ports {port_str}")
+    subprocess.run(cmd, capture_output=True)
+    print(f"[+] Done: {ip}")
+print("[*] Pipeline complete.")
+EOF
+
+# ffuf with WAF bypass headers
+ffuf -u "https://<TARGET>/FUZZ" \
+  -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt \
+  -H "X-Forwarded-For: 127.0.0.1" \
+  -H "X-Originating-IP: 127.0.0.1" \
+  -H "X-Remote-IP: 127.0.0.1" \
+  -H "X-Remote-Addr: 127.0.0.1" \
+  -H "X-Client-IP: 127.0.0.1" \
+  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" \
+  -fc 404,429 \
+  -rate 20 \
+  -o _rtexit-output/recon/active/ffuf/waf-bypass-files.json \
+  -of json
+
+# Nuclei with custom template targeting specific tech stack
+# (assumes you know the stack from passive recon / WhatWeb output)
+nuclei -u https://<TARGET> \
+  -t /root/nuclei-templates/technologies/wordpress/ \
+  -t /root/nuclei-templates/cves/2024/ \
+  -t /root/nuclei-templates/vulnerabilities/ \
+  -severity critical,high \
+  -rl 10 \
+  -H "User-Agent: Mozilla/5.0" \
+  -json-export _rtexit-output/recon/active/nuclei/expert-scan.json
+
+# Authenticated Nmap scan (if credentials obtained from earlier phase)
+nmap -sV -p- \
+  --script="http-auth,http-form-brute,http-brute" \
+  --script-args="http-brute.path=/admin,brute.firstonly=true" \
+  -oA _rtexit-output/recon/active/nmap/auth-scan \
+  <TARGET_IP>
+
+# OS fingerprinting + traceroute
+nmap -O --osscan-guess --traceroute \
+  -oA _rtexit-output/recon/active/nmap/os-fingerprint \
+  <TARGET_IP>
+
+# SSL/TLS deep audit
+nmap -p443,8443 \
+  --script="ssl-cert,ssl-enum-ciphers,ssl-dh-params,ssl-heartbleed,ssl-poodle,ssl-ccs-injection,tls-alpn,tls-nextprotoneg" \
+  -oA _rtexit-output/recon/active/nmap/ssl-audit \
+  <TARGET_IP>
+
+# Wappalyzer CLI fingerprinting (Node.js based, more accurate than WhatWeb on SPAs)
+wappalyzer https://<TARGET> \
+  | tee _rtexit-output/recon/active/wappalyzer/fingerprint.json
+```
+
+---
+
+## Step-by-Step Workflow
+
+### Step 1 — Validate Scope Before Touching Anything
+
+```bash
+# Confirm target is in scope
+cat _rtexit/config.user.toml | grep -A 20 "\[scope\]"
+
+# Confirm ROE permits active scanning
+cat _rtexit-output/docs/engagement/roe.md | grep -i "active\|scanning\|nmap\|port"
+```
+
+Do not proceed until scope is confirmed. If uncertain, run `/rt-scope-definition` to re-validate.
+
+### Step 2 — Prepare Output Directory Structure
+
+```bash
+mkdir -p _rtexit-output/recon/active/{nmap,masscan,gobuster,ffuf,nuclei,whatweb,wappalyzer,waf,screenshots,notes}
+echo "Active recon started: $(date)" > _rtexit-output/recon/active/notes/session.log
+echo "Target: <TARGET>" >> _rtexit-output/recon/active/notes/session.log
+echo "Operator: <OPERATOR_ALIAS>" >> _rtexit-output/recon/active/notes/session.log
+```
+
+### Step 3 — Host Discovery (Are Targets Live?)
+
+```bash
+# ICMP ping sweep (may be blocked by firewall)
+nmap -sn <TARGET_CIDR> -oG _rtexit-output/recon/active/nmap/host-discovery.gnmap
+
+# TCP SYN ping to common ports (more reliable than ICMP)
+nmap -sn -PS22,80,443,8080,3389 <TARGET_CIDR> \
+  -oG _rtexit-output/recon/active/nmap/host-discovery-syn.gnmap
+
+# Extract live hosts
+grep "Up" _rtexit-output/recon/active/nmap/host-discovery.gnmap \
+  | awk '{print $2}' > _rtexit-output/recon/active/nmap/live-hosts.txt
+
+echo "[*] Live hosts found: $(wc -l < _rtexit-output/recon/active/nmap/live-hosts.txt)"
+```
+
+### Step 4 — Port Scanning
+
+```bash
+# Fast scan with Masscan (for large IP ranges)
+masscan -iL _rtexit-output/recon/active/nmap/live-hosts.txt \
+  -p1-65535 --rate=5000 \
+  -oG _rtexit-output/recon/active/masscan/all-ports.gnmap
+
+# Targeted Nmap service scan on open ports
+nmap -iL _rtexit-output/recon/active/nmap/live-hosts.txt \
+  -sV -sC --version-intensity 7 \
+  -oA _rtexit-output/recon/active/nmap/service-scan
+
+# UDP scan (SNMP, DNS, TFTP, NTP)
+nmap -iL _rtexit-output/recon/active/nmap/live-hosts.txt \
+  -sU --top-ports 100 \
+  -oA _rtexit-output/recon/active/nmap/udp-scan
+```
+
+### Step 5 — Web Technology Fingerprinting
+
+```bash
+# Extract all web-facing targets from Nmap output
+grep -E "80/open|443/open|8080/open|8443/open|8000/open" \
+  _rtexit-output/recon/active/nmap/service-scan.gnmap \
+  | awk '{print $2}' > /tmp/web-targets.txt
+
+# WhatWeb all web targets
+while IFS= read -r host; do
+  whatweb "http://${host}" -a 3 \
+    --log-json=_rtexit-output/recon/active/whatweb/${host//\//_}-http.json 2>/dev/null
+  whatweb "https://${host}" -a 3 \
+    --log-json=_rtexit-output/recon/active/whatweb/${host//\//_}-https.json 2>/dev/null
+done < /tmp/web-targets.txt
+
+# WAF detection on all web targets
+while IFS= read -r host; do
+  wafw00f "http://${host}" >> _rtexit-output/recon/active/waf/waf-results.txt
+done < /tmp/web-targets.txt
+```
+
+### Step 6 — Directory and File Enumeration
+
+```bash
+# gobuster with raft-large wordlist + common extensions
+gobuster dir \
+  -u http://<TARGET> \
+  -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt \
+  -x php,asp,aspx,jsp,html,txt,bak,zip,conf,env,json,xml,yaml,yml,log,old,backup \
+  -t 40 \
+  -b 404,400 \
+  -o _rtexit-output/recon/active/gobuster/raft-large.txt \
+  --timeout 20s
+
+# ffuf for parameter fuzzing on a discovered endpoint
+ffuf -u "http://<TARGET>/api/endpoint?FUZZ=test" \
+  -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
+  -mc 200,302 \
+  -o _rtexit-output/recon/active/ffuf/param-fuzz.json \
+  -of json
+```
+
+### Step 7 — Vulnerability Scanning with Nuclei
+
+```bash
+# Full Nuclei scan (all severities, all templates)
+nuclei -u http://<TARGET> \
+  -t /root/nuclei-templates/ \
+  -severity info,low,medium,high,critical \
+  -rate-limit 20 \
+  -o _rtexit-output/recon/active/nuclei/full-scan.txt \
+  -json-export _rtexit-output/recon/active/nuclei/full-scan.json \
+  -stats
+
+# Technology-specific scan (e.g., after WhatWeb reveals Apache Tomcat)
+nuclei -u http://<TARGET> \
+  -tags tomcat,apache \
+  -severity medium,high,critical \
+  -o _rtexit-output/recon/active/nuclei/tomcat-scan.txt
+```
+
+### Step 8 — Screenshot and Evidence Collection
+
+```bash
+# EyeWitness — screenshot all web targets for visual review
+eyewitness --web -f /tmp/web-targets.txt \
+  --timeout 10 \
+  -d _rtexit-output/recon/active/screenshots/eyewitness/
+
+# gowitness — fast Chromium-based screenshotter
+gowitness file -f /tmp/web-targets.txt \
+  --screenshot-path _rtexit-output/recon/active/screenshots/gowitness/ \
+  --log-scan-errors
+```
+
+### Step 9 — Document Findings and Feed Autodoc Engine
+
+```bash
+# Generate a consolidated summary for the RTExit autodoc engine
+cat > _rtexit-output/recon/active/notes/active-recon-summary.md << 'EOF'
+# Active Recon Summary
+
+## Engagement: <ENGAGEMENT_NAME>
+## Date: $(date)
+## Operator: <OPERATOR_ALIAS>
+
+## Live Hosts
+$(cat _rtexit-output/recon/active/nmap/live-hosts.txt)
+
+## Open Ports (Key Services)
+<!-- Paste Nmap service scan highlights here -->
+
+## Web Technologies Identified
+<!-- WhatWeb/Wappalyzer key findings -->
+
+## WAF Status
+<!-- wafw00f results -->
+
+## Directories/Files Found
+<!-- Notable gobuster/ffuf findings -->
+
+## Nuclei Findings Summary
+<!-- Count by severity, list critical/high findings -->
+
+## Next Phase
+<!-- Reference to exploitation plan or next skill -->
+EOF
+```
+
+The RTExit autodoc engine will detect and index `_rtexit-output/recon/active/notes/active-recon-summary.md` on next run of `/rt-status`.
+
+---
+
+## All Relevant Commands with Explanations
+
+### Nmap
+
+| Flag | Purpose |
+|------|---------|
+| `-sS` | SYN scan (stealth, requires root) |
+| `-sV` | Version detection |
+| `-sC` | Default NSE scripts |
+| `-A` | Aggressive: OS detect + version + scripts + traceroute |
+| `-T0` to `-T5` | Timing (T0=paranoid/stealth, T5=insane/fast) |
+| `-p-` | All 65535 ports |
+| `-Pn` | Skip host discovery (treat all as up) |
+| `-f` | Fragment packets (evade simple firewalls) |
+| `--data-length 24` | Append random data to packets (IDS evasion) |
+| `--randomize-hosts` | Scan hosts in random order |
+| `-oA` | Output in all formats (nmap, gnmap, xml) |
+| `-oX` | XML output only |
+| `-oG` | Grepable output |
+| `--script=` | Specify NSE scripts |
+| `--open` | Show only open ports |
+
+### Masscan
+
+| Flag | Purpose |
+|------|---------|
+| `-p1-65535` | Scan all ports |
+| `--rate=` | Packets per second (10000 = fast, 100000 = very fast) |
+| `--exclude` | Exclude specific IPs from scan |
+| `-oG` | Grepable output |
+| `-oX` | XML output |
+| `-iL` | Input from file |
+
+### gobuster
+
+| Flag | Purpose |
+|------|---------|
+| `dir` | Directory/file enumeration mode |
+| `dns` | DNS subdomain enumeration mode |
+| `vhost` | Virtual host enumeration mode |
+| `-u` | Target URL |
+| `-w` | Wordlist path |
+| `-x` | File extensions to append |
+| `-t` | Threads |
+| `-b` | Blacklist status codes |
+| `-o` | Output file |
+| `--timeout` | Request timeout |
+
+### ffuf
+
+| Flag | Purpose |
+|------|---------|
+| `-u` | URL with FUZZ keyword |
+| `-w` | Wordlist |
+| `-H` | Custom header |
+| `-mc` | Match HTTP status codes |
+| `-fc` | Filter/exclude status codes |
+| `-rate` | Requests per second limit |
+| `-of json` | Output format JSON |
+| `-o` | Output file |
+| `-fs` | Filter by response size |
+| `-fw` | Filter by word count |
+
+### wafw00f
+
+| Flag | Purpose |
+|------|---------|
+| `-a` | Try to detect all WAFs |
+| `-o` | Output file |
+| `-f` | Output format (json, text, csv) |
+
+### WhatWeb
+
+| Flag | Purpose |
+|------|---------|
+| `-a 1` | Stealthy (no extra requests) |
+| `-a 3` | Aggressive (many extra requests) |
+| `--log-json=` | JSON log file |
+| `--log-verbose=` | Verbose text log |
+
+### Nuclei
+
+| Flag | Purpose |
+|------|---------|
+| `-u` | Single target URL |
+| `-l` | List of targets |
+| `-t` | Template directory |
+| `-tags` | Run templates matching tags |
+| `-severity` | Filter by severity |
+| `-rl` / `-rate-limit` | Requests per second |
+| `-o` | Text output file |
+| `-json-export` | JSON output file |
+| `-stats` | Show scan statistics |
+| `-H` | Custom header |
+
+---
+
+## Tools Referenced
+
+| Tool | Purpose | URL |
+|------|---------|-----|
+| Nmap | Port scanning, service detection, NSE scripts | https://github.com/nmap/nmap |
+| Masscan | Ultra-fast TCP port scanner | https://github.com/robertdavidgraham/masscan |
+| gobuster | Directory, DNS, vhost enumeration | https://github.com/OJ/gobuster |
+| ffuf | Fuzzing — directories, parameters, headers, vhosts | https://github.com/ffuf/ffuf |
+| Nuclei | Template-based vulnerability scanner | https://github.com/projectdiscovery/nuclei |
+| nuclei-templates | Community vulnerability templates | https://github.com/projectdiscovery/nuclei-templates |
+| WhatWeb | Web technology fingerprinting | https://github.com/urbanadventurer/WhatWeb |
+| wafw00f | WAF detection and fingerprinting | https://github.com/EnableSecurity/wafw00f |
+| EyeWitness | Web screenshot and report generation | https://github.com/RedSiege/EyeWitness |
+| gowitness | Fast Chromium-based screenshotter | https://github.com/sensepost/gowitness |
+| SecLists | Community wordlists for all enumeration types | https://github.com/danielmiessler/SecLists |
+| Wappalyzer CLI | SPA-aware tech fingerprinting | https://github.com/wappalyzer/wappalyzer |
+
+---
+
+## Output Files — What to Save and Where
+
+All output goes under `_rtexit-output/recon/active/`. The RTExit autodoc engine watches this tree.
+
+```
+_rtexit-output/recon/active/
+├── nmap/
+│   ├── basic-scan.{nmap,gnmap,xml}       # Initial scan
+│   ├── targeted-scan.{nmap,gnmap,xml}    # Deep service scan on open ports
+│   ├── udp-scan.{nmap,gnmap,xml}         # UDP scan
+│   ├── ssl-audit.{nmap,gnmap,xml}        # SSL/TLS audit
+│   ├── smb-enum.{nmap,gnmap,xml}         # SMB enumeration
+│   ├── web-scripts.{nmap,gnmap,xml}      # Web-specific NSE scripts
+│   ├── os-fingerprint.{nmap,gnmap,xml}   # OS detection
+│   ├── live-hosts.txt                    # Clean list of live IPs
+│   └── hosts/                            # Per-host scan files (pipeline output)
+│       └── 10_0_0_1.{nmap,gnmap,xml}
+├── masscan/
+│   ├── full-tcp.gnmap                    # All-port masscan output
+│   └── internal-full.xml                 # Large subnet XML output
+├── gobuster/
+│   ├── common-dirs.txt                   # Common wordlist results
+│   ├── medium-dirs.txt                   # Medium wordlist results
+│   ├── raft-large.txt                    # Raft-large results
+│   └── dns-subdomains.txt                # DNS subdomain enumeration
+├── ffuf/
+│   ├── vhost-enum.json                   # Virtual host enumeration
+│   ├── api-endpoints.json                # API endpoint discovery
+│   ├── param-fuzz.json                   # Parameter fuzzing
+│   └── waf-bypass-files.json             # WAF bypass attempts
+├── nuclei/
+│   ├── full-scan.txt                     # Full Nuclei text output
+│   ├── full-scan.json                    # Full Nuclei JSON export
+│   ├── targeted-nuclei.json              # Tag-targeted scan
+│   └── expert-scan.json                  # Expert-mode scan
+├── whatweb/
+│   ├── whatweb-basic.txt                 # Basic WhatWeb output
+│   ├── whatweb-full.txt                  # Verbose WhatWeb output
+│   └── whatweb-full.json                 # WhatWeb JSON log
+├── wappalyzer/
+│   └── fingerprint.json                  # Wappalyzer fingerprint
+├── waf/
+│   ├── wafw00f.txt                       # WAF detection results
+│   └── waf-results.txt                   # Multi-target WAF results
+├── screenshots/
+│   ├── eyewitness/                       # EyeWitness report
+│   └── gowitness/                        # gowitness screenshots
+└── notes/
+    ├── session.log                       # Operator session log
+    └── active-recon-summary.md           # Summary for autodoc engine
+```
+
+**Naming convention:** Use underscores in filenames, no spaces, no special characters. The autodoc engine parses filenames for indexing.
+
+**Retention:** All raw output files are evidence. Do not delete or overwrite during the engagement. Append a timestamp if re-running: `nmap-scan-$(date +%Y%m%d-%H%M%S).xml`.
+
+---
+
+## Integration with RTExit Autodoc Engine
+
+The RTExit autodoc engine indexes `_rtexit-output/` and auto-populates the engagement report. To ensure active recon findings appear in the report:
+
+1. Always save output to `_rtexit-output/recon/active/` using the directory structure above.
+2. Create or update `_rtexit-output/recon/active/notes/active-recon-summary.md` with a human-readable summary after each scanning session.
+3. Run `/rt-status` to trigger autodoc re-indexing and see your findings reflected in the engagement dashboard.
+4. Run `/rt-agent-scribe` to have the Scribe agent formalize findings into the report narrative.
+5. For critical findings discovered during active recon (e.g., Nuclei detects an unauthenticated RCE), immediately log to `_rtexit-output/findings/` using the finding template format — do not wait for the post-recon phase.
+
+---
+
+## SecLists Wordlist Reference
+
+SecLists is pre-installed on Kali at `/usr/share/seclists/`. Install manually: `sudo apt install seclists` or clone from https://github.com/danielmiessler/SecLists.
+
+| Wordlist Path | Use Case |
+|--------------|---------|
+| `Discovery/Web-Content/common.txt` | Quick web directory scan |
+| `Discovery/Web-Content/directory-list-2.3-medium.txt` | Standard directory scan |
+| `Discovery/Web-Content/raft-large-directories.txt` | Comprehensive directory scan |
+| `Discovery/Web-Content/raft-large-files.txt` | File discovery |
+| `Discovery/Web-Content/api/api-endpoints.txt` | REST API endpoint discovery |
+| `Discovery/Web-Content/burp-parameter-names.txt` | Parameter name fuzzing |
+| `Discovery/Web-Content/CGIs.txt` | CGI endpoint discovery |
+| `Discovery/DNS/subdomains-top1million-5000.txt` | Fast subdomain enum |
+| `Discovery/DNS/subdomains-top1million-20000.txt` | Thorough subdomain enum |
+| `Discovery/DNS/dns-Jhaddix.txt` | Comprehensive DNS wordlist |
+| `Usernames/top-usernames-shortlist.txt` | Quick username bruteforce |
+| `Passwords/darkweb2017-top10000.txt` | Common password list |
+
+---
+
+## Useful Python Snippets
+
+### Parse Nmap XML and Extract Services
+
+```python
+#!/usr/bin/env python3
+"""
+parse-nmap-xml.py — Extract host/port/service data from Nmap XML output.
+Usage: python3 parse-nmap-xml.py <nmap-output.xml>
+"""
+import xml.etree.ElementTree as ET
+import sys
+import json
+
+def parse_nmap(xml_file):
+    tree = ET.parse(xml_file)
+    root = tree.getroot()
+    results = []
+
+    for host in root.findall("host"):
+        status = host.find("status")
+        if status is None or status.get("state") != "up":
+            continue
+
+        addr_el = host.find("address[@addrtype='ipv4']")
+        ip = addr_el.get("addr") if addr_el is not None else "unknown"
+
+        hostname_el = host.find(".//hostname")
+        hostname = hostname_el.get("name") if hostname_el is not None else ""
+
+        ports = []
+        for port in host.findall(".//port"):
+            state = port.find("state")
+            if state is None or state.get("state") != "open":
+                continue
+            service = port.find("service")
+            ports.append({
+                "port": port.get("portid"),
+                "protocol": port.get("protocol"),
+                "service": service.get("name") if service is not None else "unknown",
+                "product": service.get("product", "") if service is not None else "",
+                "version": service.get("version", "") if service is not None else "",
+            })
+
+        results.append({"ip": ip, "hostname": hostname, "ports": ports})
+
+    return results
+
+if __name__ == "__main__":
+    data = parse_nmap(sys.argv[1])
+    print(json.dumps(data, indent=2))
+    # Summary
+    print(f"\n[*] Hosts: {len(data)}")
+    print(f"[*] Total open ports: {sum(len(h['ports']) for h in data)}")
+```
+
+### Extract Web Targets from Nmap XML
+
+```python
+#!/usr/bin/env python3
+"""
+extract-web-targets.py — Pull all HTTP/HTTPS targets from Nmap XML.
+Usage: python3 extract-web-targets.py <nmap-output.xml> > web-targets.txt
+"""
+import xml.etree.ElementTree as ET
+import sys
+
+WEB_PORTS = {"80": "http", "443": "https", "8080": "http", "8443": "https",
+             "8000": "http", "8888": "http", "3000": "http", "4443": "https"}
+
+tree = ET.parse(sys.argv[1])
+for host in tree.findall("host"):
+    addr = host.find("address[@addrtype='ipv4']")
+    if addr is None:
+        continue
+    ip = addr.get("addr")
+    for port in host.findall(".//port"):
+        state = port.find("state")
+        if state is None or state.get("state") != "open":
+            continue
+        portid = port.get("portid")
+        if portid in WEB_PORTS:
+            scheme = WEB_PORTS[portid]
+            print(f"{scheme}://{ip}:{portid}")
+```
+
+### Nuclei JSON to Markdown Table
+
+```python
+#!/usr/bin/env python3
+"""
+nuclei-to-md.py — Convert Nuclei JSON export to Markdown findings table.
+Usage: python3 nuclei-to-md.py <nuclei-scan.json> > findings-table.md
+"""
+import json, sys
+
+severity_order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
+
+findings = []
+with open(sys.argv[1]) as f:
+    for line in f:
+        line = line.strip()
+        if line:
+            findings.append(json.loads(line))
+
+findings.sort(key=lambda x: severity_order.get(x.get("info", {}).get("severity", "info"), 99))
+
+print("| Severity | Name | Host | Template ID |")
+print("|----------|------|------|-------------|")
+for f in findings:
+    info = f.get("info", {})
+    print(f"| {info.get('severity','').upper()} | {info.get('name','')} | {f.get('host','')} | {f.get('template-id','')} |")
+```
+
+---
+
+## Resources
+
+| Resource | URL |
+|---------|-----|
+| Nmap Book (official) | https://nmap.org/book/man.html |
+| Nmap NSE Script Reference | https://nmap.org/nsedoc/ |
+| Masscan README | https://github.com/robertdavidgraham/masscan/blob/master/README.md |
+| gobuster Documentation | https://github.com/OJ/gobuster#readme |
+| ffuf Wiki | https://github.com/ffuf/ffuf/wiki |
+| Nuclei Documentation | https://docs.projectdiscovery.io/tools/nuclei/overview |
+| Nuclei Templates Docs | https://docs.projectdiscovery.io/templates/introduction |
+| WhatWeb Wiki | https://github.com/urbanadventurer/WhatWeb/wiki |
+| wafw00f Docs | https://github.com/EnableSecurity/wafw00f/blob/master/README.md |
+| SecLists Repository | https://github.com/danielmiessler/SecLists |
+| OWASP Testing Guide v4.2 | https://owasp.org/www-project-web-security-testing-guide/ |
+| HackTricks — Network Scanning | https://book.hacktricks.xyz/network-services-pentesting/pentesting-network |
+| HackTricks — Web Recon | https://book.hacktricks.xyz/network-services-pentesting/pentesting-web |
+| PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings |
+| Red Team Notes — Recon | https://www.ired.team/offensive-security/reconnaissance |
+| EyeWitness Documentation | https://github.com/RedSiege/EyeWitness/blob/master/README.md |
+| gowitness Documentation | https://github.com/sensepost/gowitness/wiki |
+| ProjectDiscovery Tools | https://projectdiscovery.io/open-source |