rtexit-method 0.1.0 → 0.1.1

package/packaged-assets/.agents/skills/rt-exploit-ssrf/payloads.txt

@@ -0,0 +1,23 @@
+# SSRF validation reference.
+# Use controlled callback endpoints and harmless metadata-safe checks.
+
+## Safe Callback Patterns
+
+https://example-callback.invalid/ping
+https://[your-controlled-callback]/rtexit-ssrf-marker
+
+## Local Address Classes To Consider
+
+http://127.0.0.1/
+http://localhost/
+http://[::1]/
+http://10.0.0.1/
+http://172.16.0.1/
+http://192.168.0.1/
+
+## Cloud Metadata Safety Notes
+
+- Do not retrieve live credentials unless explicitly authorized.
+- Prefer proving metadata service reachability through safe headers/status behavior.
+- Pair SSRF remediation with egress filtering and URL allowlists.
+

package/packaged-assets/.agents/skills/rt-exploit-ssrf/workflow.md

@@ -0,0 +1,68 @@
+# Workflow - rt-exploit-ssrf
+
+## Purpose
+
+This workflow standardizes how $skill is executed inside RTExit. It is designed for authorized engagements, evidence-first documentation, and consistent handoff into reporting.
+
+## Authorization Gate
+
+Before execution, confirm:
+
+- SEAD exists and explicitly covers the target asset or activity.
+- Rules of Engagement define allowed techniques, rate limits, and stop conditions.
+- The operator knows the evidence handling rules.
+- Any active or sensitive validation has client approval.
+
+If any item is unclear, pause and invoke 
+
+## Required Inputs
+
+| Input | Source | Notes |
+|---|---|---|
+| Engagement reference | _rtexit/config.toml or SEAD | Used in output names. |
+| Target asset(s) | Scope document | Must be explicitly approved. |
+| Operator name | Config/user context | Used in timeline entries. |
+| Evidence directory | _rtexit-output/docs/evidence/ | Store logs, screenshots, and artifacts. |
+| Finding tracker | _rtexit-output/docs/findings/ | Create/update findings when confirmed. |
+
+## Execution Steps
+
+1. Load current engagement configuration.
+2. Read scope, exclusions, and current findings.
+3. Build a small test plan for this skill with target, expected control, and evidence type.
+4. Run the lowest-risk validation first.
+5. Capture baseline behavior before proof behavior.
+6. Record exact timestamp, account/role used, and affected asset.
+7. Stop when evidence is sufficient; avoid unnecessary data access.
+8. Create or update findings through the RTExit finding tracker.
+9. Map remediation owner and recommended timeline.
+10. Add a timeline entry and evidence chain entry.
+
+## Evidence Requirements
+
+| Evidence | Required? | Notes |
+|---|---|---|
+| Command or action summary | Yes | Redact secrets and tokens. |
+| Screenshot or transcript | If useful | Store under evidence folder. |
+| Request/response pair | For web/API | Redact cookies and bearer tokens. |
+| Config excerpt | For cloud/infra | Include only relevant lines. |
+| Business impact note | Yes | Explain why it matters. |
+
+## Autodoc Commands
+
+`ash
+python _rtexit/scripts/autodoc_engine.py log --skill rt-exploit-ssrf --phase auto --cmd "workflow execution" --output "summary"
+python _rtexit/scripts/finding_tracker.py list
+`
+
+## Completion Criteria
+
+- Scope and authorization are referenced.
+- Evidence is stored and redacted.
+- Findings are added or explicitly marked as not found.
+- Remediation guidance is actionable.
+- Timeline and chain of custody are updated where applicable.
+
+## Handoff
+
+Send confirmed findings to 

package/packaged-assets/.agents/skills/rt-exploit-vishing/SKILL.md

@@ -0,0 +1,121 @@
+---
+name: rt-exploit-vishing
+description: "Voice-based social engineering awareness testing skill. Requires SEAD authorization for vishing simulation. Tests employee security awareness through authorized phone-based scenarios. Output: awareness test results and employee training recommendations."
+---
+
+# rt-exploit-vishing — Voice Social Engineering Testing
+
+> ⚠️ **AUTHORIZATION REQUIRED**: Vishing simulations require explicit written authorization in SEAD. All test calls must be within defined scope. This skill is for authorized security awareness testing only.
+
+## Overview
+
+Tests organization's resilience to phone-based social engineering by:
+1. Identifying high-risk call scenarios for the organization
+2. Conducting authorized awareness tests (if in scope)
+3. Measuring employee response rates
+4. Providing security awareness training recommendations
+
+## Prerequisites
+
+- [ ] SEAD explicitly authorizes vishing simulation
+- [ ] Target employees confirmed in scope (or random sampling agreed)
+- [ ] Cover story agreed with client (or client confirms no cover story)
+- [ ] Recording/documentation requirements confirmed
+- [ ] Post-test notification process defined
+
+---
+
+## Step 1 — Target Research
+
+Before any authorized test call, understand the organization:
+
+```bash
+# From reconnaissance phase, gather:
+# - Org chart / department structure (LinkedIn, company website)
+# - IT helpdesk contact information
+# - Known internal processes (password reset, VPN access)
+# - Technology stack (what systems do they use)
+# - Recent company events (mergers, system migrations = pretext opportunities)
+```
+
+## Step 2 — Scenario Design (For Client Approval)
+
+Present scenarios to client for approval BEFORE execution:
+
+**Scenario Type 1 — IT Helpdesk Test**
+- Caller claims to be new employee needing VPN access
+- Tests: whether helpdesk verifies identity before providing access
+- Expected security control: identity verification process
+
+**Scenario Type 2 — Executive Impersonation Awareness**
+- Caller claims to be CTO requesting urgent IT action
+- Tests: whether employees challenge authority without verification
+- Expected security control: callback verification to known number
+
+**Scenario Type 3 — Vendor Call Test**
+- Caller claims to be software vendor needing access for maintenance
+- Tests: whether employees grant access without proper authorization
+- Expected security control: vendor management process
+
+## Step 3 — Test Call Documentation
+
+For each authorized test call, document:
+
+```markdown
+## Vishing Test Record
+
+| Field | Value |
+|-------|-------|
+| Test Date/Time | [TIMESTAMP] |
+| Caller (tester) | [OPERATOR NAME] |
+| Target Department | [DEPT] |
+| Scenario Used | [SCENARIO NAME] |
+| Call Duration | [MINUTES] |
+| Outcome | Pass / Fail / N/A |
+| Employee Response | [Brief description] |
+| Security Control Tested | [What control was evaluated] |
+| Finding | [What vulnerability was identified, if any] |
+```
+
+## Step 4 — Results Analysis
+
+```markdown
+## Vishing Simulation Results
+
+### Overall Results
+| Metric | Count | Percentage |
+|--------|-------|-----------|
+| Calls attempted | X | 100% |
+| Calls answered | X | X% |
+| Tests passed (employee resisted) | X | X% |
+| Tests failed (employee complied) | X | X% |
+| Employee reported suspicious call | X | X% |
+
+### Findings by Department
+| Department | Pass Rate | Key Finding |
+|------------|-----------|-------------|
+| IT Helpdesk | X% | [observation] |
+| Finance | X% | [observation] |
+```
+
+## Remediation Recommendations
+
+1. **Identity Verification Process**: Implement callback verification to known numbers before fulfilling any sensitive requests
+2. **Security Awareness Training**: Include vishing awareness in annual security training
+3. **Reporting Culture**: Create easy channel for employees to report suspicious calls
+4. **Vendor Management**: Require vendors to coordinate through official channels
+5. **Call Scripts for Helpdesk**: Provide clear scripts for handling unverified callers
+
+## Skill Levels
+
+| Level | Activities |
+|-------|-----------|
+| BEGINNER | Scenario design, documentation |
+| INTERMEDIATE | Authorized test call execution, result analysis |
+| ADVANCED | Multi-stage scenario design, targeting by role |
+| EXPERT | Full awareness program design and measurement |
+
+## Resources
+- Social Engineering Toolkit (SET): github.com/trustedsec/social-engineer-toolkit
+- SANS Security Awareness: sans.org/security-awareness-training
+- Vishing Defense Guide: knowbe4.com

package/packaged-assets/.agents/skills/rt-exploit-vishing/scripts.md

@@ -0,0 +1,4 @@
+# Vishing Simulation Scripts
+
+Keep all scripts client-approved, clearly labeled as simulations, and designed to test verification behavior rather than obtain secrets.
+