rtexit-method 0.1.23 → 0.1.25

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rtexit-method",
-  "version": "0.1.23",
+  "version": "0.1.25",
   "description": "RTExit - AI-assisted Red Team methodology installer",
   "license": "MIT",
   "author": "Exit Code",

package/packaged-assets/.agents/skills/rt-agent-breaker/SKILL.md

@@ -1,7 +1,43 @@
----
+---
 name: rt-agent-breaker
 description: "Vulnerability Analyst agent (Karim). Invoke for web application testing (OWASP WSTG), API security, injection attacks, authentication bypass, file upload exploitation, language-specific vulnerabilities (PHP/Python/Java/Node.js/.NET), database exploitation, JWT/OAuth attacks, WordPress/CMS hacking."
 ---
+## Step 0 — Docker Environment Check (REQUIRED BEFORE ANYTHING)
+
+Before activating, verify the RTExit Kali container is running:
+
+```bash
+docker ps --filter "name=rtexit-kali" --format "{{.Status}}"
+```
+
+**If the output shows `Up`** → proceed to Step 1.
+
+**If the container is NOT running**, say exactly this to the user:
+
+> ⚠️ **rtexit-kali container is not running.**
+> Please start it with:
+> ```bash
+> docker start rtexit-kali
+> ```
+> Or if it doesn't exist yet:
+> ```bash
+> docker run -d \
+>   --name rtexit-kali \
+>   --network lab_rtexit-lab \
+>   --ip 192.168.200.10 \
+>   --cap-add NET_ADMIN \
+>   --cap-add NET_RAW \
+>   -p 2222:22 -p 4444:4444 -p 8080:8080 \
+>   -v "$(pwd)/docker/lab/workspace:/workspace" \
+>   rtexit/kali:v3.1
+> ```
+> Let me know when it's running and I'll continue.
+
+**Once confirmed running**, save to memory:
+> 🧠 **Memory note:** rtexit-kali Docker container is active. All attack commands must use `docker exec rtexit-kali bash -c "COMMAND"` or `docker exec -it rtexit-kali bash` for interactive sessions. This applies for the entire session.
+
+---
+
 
 # 💀 Karim — Vulnerability Analyst & Exploitation Specialist
 

package/packaged-assets/.agents/skills/rt-agent-breaker/customize.toml

@@ -74,3 +74,55 @@ skill = "rt-exploit-databases"
 code = "LG"
 description = "Language-specific attacks — PHP, Python, Java, Node.js, .NET"
 skill = "rt-exploit-frameworks"
+
+[[agent.menu]]
+code = "SC"
+description = "Syscall bypass — direct syscalls, Syswhispers3, HellsGate, HalosGate to evade EDR hooks"
+skill = "rt-syscall-bypass"
+
+[[agent.menu]]
+code = "ET"
+description = "ETW bypass — patch EtwEventWrite, kill EDR telemetry, blind SIEM"
+skill = "rt-etw-bypass"
+
+[[agent.menu]]
+code = "PI"
+description = "Advanced process injection — hollowing, APC, module stomping, thread hijacking, doppelganging"
+skill = "rt-process-injection-advanced"
+
+[[agent.menu]]
+code = "PP"
+description = "PPID spoofing — fake parent process to bypass EDR parent-child behavioral rules"
+skill = "rt-ppid-spoofing"
+
+[[agent.menu]]
+code = "SM"
+description = "Beacon sleep masking — Ekko/Foliage memory encryption, PE stomping, heap encryption for C2 persistence"
+skill = "rt-beacon-sleep-masking"
+
+[[agent.menu]]
+code = "CL"
+description = "CLM/JEA escape — break out of Constrained Language Mode and Just Enough Administration restrictions"
+skill = "rt-clm-jea-escape"
+
+[[agent.menu]]
+code = "AC"
+description = "ADCS ESC9-13 — advanced certificate template abuse, latest SpecterOps research 2024"
+skill = "rt-adcs-esc9-13"
+
+[context_awareness]
+context_file = "{project-root}/_rtexit-output/data/engagement-context.json"
+reads_live_hosts = true
+
+[kali_integration]
+web_command = "bash {project-root}/scripts/rt-web-full-scan.sh {target}"
+ad_command = "bash {project-root}/scripts/rt-ad-full.sh {dc_ip} {domain} {user} {pass}"
+nuclei_command = "nuclei -u {target} -t {project-root}/nuclei-templates/rtexit/"
+
+[[smart_recommendations]]
+condition = "attack_surface.web_apps > 0"
+suggest = "Run: bash scripts/rt-web-full-scan.sh {target}"
+
+[[smart_recommendations]]
+condition = "ports contains 445 or ports contains 88"
+suggest = "AD detected — Run: bash scripts/rt-ad-full.sh {dc_ip} {domain} {user} {pass}"

package/packaged-assets/.agents/skills/rt-agent-commander/SKILL.md

@@ -1,7 +1,43 @@
----
+---
 name: rt-agent-commander
 description: "Red Team Commander agent (Ahmed). Invoke when starting a new engagement, defining scope, creating SEAD, selecting methodology, threat modeling, or planning strategy. Coordinates all other agents. Manages authorization and engagement lifecycle."
 ---
+## Step 0 — Docker Environment Check (REQUIRED BEFORE ANYTHING)
+
+Before activating, verify the RTExit Kali container is running:
+
+```bash
+docker ps --filter "name=rtexit-kali" --format "{{.Status}}"
+```
+
+**If the output shows `Up`** → proceed to Step 1.
+
+**If the container is NOT running**, say exactly this to the user:
+
+> ⚠️ **rtexit-kali container is not running.**
+> Please start it with:
+> ```bash
+> docker start rtexit-kali
+> ```
+> Or if it doesn't exist yet:
+> ```bash
+> docker run -d \
+>   --name rtexit-kali \
+>   --network lab_rtexit-lab \
+>   --ip 192.168.200.10 \
+>   --cap-add NET_ADMIN \
+>   --cap-add NET_RAW \
+>   -p 2222:22 -p 4444:4444 -p 8080:8080 \
+>   -v "$(pwd)/docker/lab/workspace:/workspace" \
+>   rtexit/kali:v3.1
+> ```
+> Let me know when it's running and I'll continue.
+
+**Once confirmed running**, save to memory:
+> 🧠 **Memory note:** rtexit-kali Docker container is active. All attack commands must use `docker exec rtexit-kali bash -c "COMMAND"` or `docker exec -it rtexit-kali bash` for interactive sessions. This applies for the entire session.
+
+---
+
 
 # 🎯 Ahmed — Red Team Commander
 

package/packaged-assets/.agents/skills/rt-agent-commander/customize.toml

@@ -65,3 +65,43 @@ skill = "rt-status"
 code = "RM"
 description = "Generate risk matrix for executive presentation"
 skill = "rt-risk-matrix"
+
+[[agent.menu]]
+code = "PT"
+description = "Purple team — adversary simulation with Caldera + Atomic Red Team (Docker lab: 192.168.200.54:8888)"
+skill = "rt-purple-team"
+
+[context_awareness]
+# Commander automatically reads engagement-context.json on activation
+context_file = "{project-root}/_rtexit-output/data/engagement-context.json"
+auto_suggest = true
+
+[[smart_recommendations]]
+condition = "phase == 'planning' and findings == []"
+suggest = "Start with rt-recon → rt-osint → rt-attack-surface-map"
+
+[[smart_recommendations]]
+condition = "subdomains > 0 and live_hosts == []"
+suggest = "Run rt-active-recon to find live hosts from discovered subdomains"
+
+[[smart_recommendations]]
+condition = "live_hosts > 0 and findings == []"
+suggest = "Run rt-exploit-web or rt-web-full-scan.sh on live hosts"
+
+[[smart_recommendations]]
+condition = "credentials.valid > 0 and phase != 'post-exploitation'"
+suggest = "Valid credentials found — pivot with rt-lateral-movement or rt-exploit-active-directory"
+
+[[smart_recommendations]]
+condition = "findings.critical > 0"
+suggest = "Critical findings present — document with rt-finding-document then rt-executive-report"
+
+[kali_integration]
+# Commands Commander can suggest to run directly
+automation_scripts = [
+  "bash scripts/rt-recon.sh {target}",
+  "bash scripts/rt-web-full-scan.sh {target}",
+  "bash scripts/rt-ad-full.sh {dc_ip} {domain} {user} {pass}",
+  "bash scripts/rt-aws-audit.sh"
+]
+docker_command = "docker exec -it rtexit-kali bash -c '{command}'"

package/packaged-assets/.agents/skills/rt-agent-ghost/SKILL.md

@@ -1,7 +1,43 @@
----
+---
 name: rt-agent-ghost
 description: "Post-Exploitation specialist agent (Sara). Invoke after initial access is obtained. Covers internal discovery, privilege escalation (Windows + Linux), lateral movement, persistence mechanisms, C2 operations, Active Directory attacks (Kerberoasting, BloodHound, DCSync), cloud post-exploitation (AWS/Azure/GCP), data exfiltration PoC."
 ---
+## Step 0 — Docker Environment Check (REQUIRED BEFORE ANYTHING)
+
+Before activating, verify the RTExit Kali container is running:
+
+```bash
+docker ps --filter "name=rtexit-kali" --format "{{.Status}}"
+```
+
+**If the output shows `Up`** → proceed to Step 1.
+
+**If the container is NOT running**, say exactly this to the user:
+
+> ⚠️ **rtexit-kali container is not running.**
+> Please start it with:
+> ```bash
+> docker start rtexit-kali
+> ```
+> Or if it doesn't exist yet:
+> ```bash
+> docker run -d \
+>   --name rtexit-kali \
+>   --network lab_rtexit-lab \
+>   --ip 192.168.200.10 \
+>   --cap-add NET_ADMIN \
+>   --cap-add NET_RAW \
+>   -p 2222:22 -p 4444:4444 -p 8080:8080 \
+>   -v "$(pwd)/docker/lab/workspace:/workspace" \
+>   rtexit/kali:v3.1
+> ```
+> Let me know when it's running and I'll continue.
+
+**Once confirmed running**, save to memory:
+> 🧠 **Memory note:** rtexit-kali Docker container is active. All attack commands must use `docker exec rtexit-kali bash -c "COMMAND"` or `docker exec -it rtexit-kali bash` for interactive sessions. This applies for the entire session.
+
+---
+
 
 # 👻 Sara — Post-Exploitation & Lateral Movement Specialist
 

package/packaged-assets/.agents/skills/rt-agent-ghost/customize.toml

@@ -75,3 +75,53 @@ skill = "rt-defense-evasion"
 code = "EX"
 description = "Data exfiltration PoC — minimum viable sample per SEAD guidelines"
 skill = "rt-data-exfiltration"
+
+[[agent.menu]]
+code = "CO"
+description = "Coercion attacks — force DC/server auth via MS-RPRN/PetitPotam/MS-DFSNM using Coercer (Docker: rtexit/kali:v3.1)"
+skill = "rt-coercion-attacks"
+
+[[agent.menu]]
+code = "V6"
+description = "IPv6 MITM — rogue DHCPv6 + DNS takeover + NTLM relay using mitm6 (Docker: rtexit/kali:v3.1)"
+skill = "rt-ipv6-mitm"
+
+[[agent.menu]]
+code = "DP"
+description = "DPAPI hunting — extract browser/WiFi/RDP/cert credentials domain-wide using DonPAPI (Docker: rtexit/kali:v3.1)"
+skill = "rt-dpapi-hunting"
+
+[[agent.menu]]
+code = "NP"
+description = "NoPac exploit — CVE-2021-42278/42287 instant Domain Admin via sAMAccountName spoofing (Docker: rtexit/kali:v3.1)"
+skill = "rt-nopac-exploit"
+
+[[agent.menu]]
+code = "KR"
+description = "Kerberos relay (KrbRelayUp) — local PrivEsc to SYSTEM without admin, RBCD via Kerberos, works when NTLM disabled"
+skill = "rt-kerberos-relay"
+
+[[agent.menu]]
+code = "DT"
+description = "Diamond/Sapphire tickets — undetectable Kerberos ticket forging, evades Golden Ticket detection"
+skill = "rt-diamond-sapphire-tickets"
+
+[[agent.menu]]
+code = "SK"
+description = "Skeleton key — inject DC master password backdoor, authenticate as any user without knowing their password"
+skill = "rt-skeleton-key"
+
+[[agent.menu]]
+code = "ZL"
+description = "Zerologon (CVE-2020-1472) — instant domain compromise with zero credentials via MS-NRPC flaw"
+skill = "rt-zerologon"
+
+[[agent.menu]]
+code = "PNR"
+description = "PrintNightmare RCE (CVE-2021-34527) — SYSTEM on any host as any domain user via Print Spooler"
+skill = "rt-printnightmare-rce"
+
+[[agent.menu]]
+code = "GS"
+description = "Golden SAML — forge SAML tokens using ADFS cert for persistent access to O365/Azure/AWS without passwords"
+skill = "rt-golden-saml"

package/packaged-assets/.agents/skills/rt-agent-navigator/SKILL.md

@@ -1,7 +1,43 @@
----
+---
 name: rt-agent-navigator
 description: "Mobile and Desktop Specialist agent (Rami). Invoke for Android/iOS application testing (OWASP MASVS), Electron app exploitation, Windows desktop (.NET/Win32) attacks, macOS app testing, IoT firmware analysis, SCADA/ICS security assessment. Reverse engineering and binary analysis."
 ---
+## Step 0 — Docker Environment Check (REQUIRED BEFORE ANYTHING)
+
+Before activating, verify the RTExit Kali container is running:
+
+```bash
+docker ps --filter "name=rtexit-kali" --format "{{.Status}}"
+```
+
+**If the output shows `Up`** → proceed to Step 1.
+
+**If the container is NOT running**, say exactly this to the user:
+
+> ⚠️ **rtexit-kali container is not running.**
+> Please start it with:
+> ```bash
+> docker start rtexit-kali
+> ```
+> Or if it doesn't exist yet:
+> ```bash
+> docker run -d \
+>   --name rtexit-kali \
+>   --network lab_rtexit-lab \
+>   --ip 192.168.200.10 \
+>   --cap-add NET_ADMIN \
+>   --cap-add NET_RAW \
+>   -p 2222:22 -p 4444:4444 -p 8080:8080 \
+>   -v "$(pwd)/docker/lab/workspace:/workspace" \
+>   rtexit/kali:v3.1
+> ```
+> Let me know when it's running and I'll continue.
+
+**Once confirmed running**, save to memory:
+> 🧠 **Memory note:** rtexit-kali Docker container is active. All attack commands must use `docker exec rtexit-kali bash -c "COMMAND"` or `docker exec -it rtexit-kali bash` for interactive sessions. This applies for the entire session.
+
+---
+
 
 # 📱 Rami — Mobile & Desktop Specialist
 

package/packaged-assets/.agents/skills/rt-agent-phantom/SKILL.md

@@ -1,7 +1,43 @@
----
+---
 name: rt-agent-phantom
 description: "Social Engineering and Physical Security specialist agent (Omar). Invoke for phishing campaigns (DMARC bypass, email spoofing), spear phishing, vishing scripts, Business Email Compromise (BEC), physical security testing (badge cloning, lock picking, tailgating), RFID/NFC exploitation, and onsite infiltration planning."
 ---
+## Step 0 — Docker Environment Check (REQUIRED BEFORE ANYTHING)
+
+Before activating, verify the RTExit Kali container is running:
+
+```bash
+docker ps --filter "name=rtexit-kali" --format "{{.Status}}"
+```
+
+**If the output shows `Up`** → proceed to Step 1.
+
+**If the container is NOT running**, say exactly this to the user:
+
+> ⚠️ **rtexit-kali container is not running.**
+> Please start it with:
+> ```bash
+> docker start rtexit-kali
+> ```
+> Or if it doesn't exist yet:
+> ```bash
+> docker run -d \
+>   --name rtexit-kali \
+>   --network lab_rtexit-lab \
+>   --ip 192.168.200.10 \
+>   --cap-add NET_ADMIN \
+>   --cap-add NET_RAW \
+>   -p 2222:22 -p 4444:4444 -p 8080:8080 \
+>   -v "$(pwd)/docker/lab/workspace:/workspace" \
+>   rtexit/kali:v3.1
+> ```
+> Let me know when it's running and I'll continue.
+
+**Once confirmed running**, save to memory:
+> 🧠 **Memory note:** rtexit-kali Docker container is active. All attack commands must use `docker exec rtexit-kali bash -c "COMMAND"` or `docker exec -it rtexit-kali bash` for interactive sessions. This applies for the entire session.
+
+---
+
 
 # 🎭 Omar — Social Engineering & Physical Security Specialist
 

package/packaged-assets/.agents/skills/rt-agent-scout/SKILL.md

@@ -1,7 +1,43 @@
----
+---
 name: rt-agent-scout
 description: "Reconnaissance Specialist agent (Nour). Invoke for OSINT, subdomain enumeration, attack surface mapping, JavaScript bundle analysis, credential hunting, Shodan/Censys recon, employee directory building. Passive-first approach."
 ---
+## Step 0 — Docker Environment Check (REQUIRED BEFORE ANYTHING)
+
+Before activating, verify the RTExit Kali container is running:
+
+```bash
+docker ps --filter "name=rtexit-kali" --format "{{.Status}}"
+```
+
+**If the output shows `Up`** → proceed to Step 1.
+
+**If the container is NOT running**, say exactly this to the user:
+
+> ⚠️ **rtexit-kali container is not running.**
+> Please start it with:
+> ```bash
+> docker start rtexit-kali
+> ```
+> Or if it doesn't exist yet:
+> ```bash
+> docker run -d \
+>   --name rtexit-kali \
+>   --network lab_rtexit-lab \
+>   --ip 192.168.200.10 \
+>   --cap-add NET_ADMIN \
+>   --cap-add NET_RAW \
+>   -p 2222:22 -p 4444:4444 -p 8080:8080 \
+>   -v "$(pwd)/docker/lab/workspace:/workspace" \
+>   rtexit/kali:v3.1
+> ```
+> Let me know when it's running and I'll continue.
+
+**Once confirmed running**, save to memory:
+> 🧠 **Memory note:** rtexit-kali Docker container is active. All attack commands must use `docker exec rtexit-kali bash -c "COMMAND"` or `docker exec -it rtexit-kali bash` for interactive sessions. This applies for the entire session.
+
+---
+
 
 # 🔭 Nour — Reconnaissance Specialist
 

package/packaged-assets/.agents/skills/rt-agent-scout/customize.toml

@@ -59,3 +59,20 @@ skill = "rt-shodan-recon"
 code = "AS"
 description = "Build complete attack surface map from all recon data"
 skill = "rt-attack-surface-map"
+
+[context_awareness]
+context_file = "{project-root}/_rtexit-output/data/engagement-context.json"
+auto_load = true
+
+[kali_integration]
+quick_command = "bash {project-root}/scripts/rt-recon.sh {target}"
+osint_command = "bash {project-root}/scripts/rt-osint.sh {target}"
+output_feeds_context = true
+
+[[smart_recommendations]]
+condition = "recon.subdomains == []"
+suggest = "bash scripts/rt-recon.sh {target} — runs subfinder+amass+httpx automatically"
+
+[[smart_recommendations]]
+condition = "recon.subdomains > 0 and recon.live_hosts == []"
+suggest = "bash scripts/rt-osint.sh {target} — runs OSINT pipeline automatically"

package/packaged-assets/.agents/skills/rt-agent-scribe/SKILL.md

@@ -1,7 +1,43 @@
----
+---
 name: rt-agent-scribe
 description: "Report Writer and Evidence Specialist agent (Layla). Invoke for documenting findings (single finding with CVSS), generating executive and technical reports, MITRE ATT&CK mapping, Kill Chain mapping, remediation roadmaps, chain of custody documentation, PoC writing, and compliance mapping (PCI-DSS, GDPR, ISO 27001)."
 ---
+## Step 0 — Docker Environment Check (REQUIRED BEFORE ANYTHING)
+
+Before activating, verify the RTExit Kali container is running:
+
+```bash
+docker ps --filter "name=rtexit-kali" --format "{{.Status}}"
+```
+
+**If the output shows `Up`** → proceed to Step 1.
+
+**If the container is NOT running**, say exactly this to the user:
+
+> ⚠️ **rtexit-kali container is not running.**
+> Please start it with:
+> ```bash
+> docker start rtexit-kali
+> ```
+> Or if it doesn't exist yet:
+> ```bash
+> docker run -d \
+>   --name rtexit-kali \
+>   --network lab_rtexit-lab \
+>   --ip 192.168.200.10 \
+>   --cap-add NET_ADMIN \
+>   --cap-add NET_RAW \
+>   -p 2222:22 -p 4444:4444 -p 8080:8080 \
+>   -v "$(pwd)/docker/lab/workspace:/workspace" \
+>   rtexit/kali:v3.1
+> ```
+> Let me know when it's running and I'll continue.
+
+**Once confirmed running**, save to memory:
+> 🧠 **Memory note:** rtexit-kali Docker container is active. All attack commands must use `docker exec rtexit-kali bash -c "COMMAND"` or `docker exec -it rtexit-kali bash` for interactive sessions. This applies for the entire session.
+
+---
+
 
 # 📝 Layla — Report Writer & Evidence Specialist
 

package/packaged-assets/.agents/skills/rt-agent-scribe/customize.toml

@@ -75,3 +75,19 @@ skill = "rt-poc-writer"
 code = "CM"
 description = "Map findings to compliance frameworks (PCI-DSS, GDPR, ISO 27001)"
 skill = "rt-compliance-mapper"
+
+[context_awareness]
+context_file = "{project-root}/_rtexit-output/data/engagement-context.json"
+reads_findings = true
+auto_generate = true
+
+[kali_integration]
+report_command = "bash {project-root}/scripts/rt-report.sh"
+
+[[smart_recommendations]]
+condition = "findings > 0"
+suggest = "Run: bash scripts/rt-report.sh — auto-generates executive + technical report"
+
+[[smart_recommendations]]
+condition = "findings.critical > 0"
+suggest = "CRITICAL findings present — generate report immediately: bash scripts/rt-report.sh"

package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: rt-exploit-cloud-aws
-description: "AWS Red Team exploitation skill. Covers IAM privilege escalation paths (role assumption, policy exploitation), EC2 instance metadata service (IMDS v1/v2) access for credential theft, S3 bucket misconfiguration exploitation, Lambda function vulnerabilities, secrets in CloudFormation stacks, cross-account attacks, and AWS-specific C2. Tools: Pacu, ScoutSuite, aws-cli, CloudFox."
+description: "AWS Red Team exploitation skill. Covers IAM privilege escalation paths (role assumption, policy exploitation), EC2 instance metadata service (IMDS v1/v2) access for credential theft, S3 bucket misconfiguration exploitation, Lambda function vulnerabilities, secrets in CloudFormation stacks, cross-account attacks, and AWS-specific C2. Tools: Pacu, aws-cli, CloudFox, prowler, enumerate-iam, awswhoami. Note: ScoutSuite requires separate Docker image (Python 3.13 conflict)."
 ---
 
 # rt-exploit-cloud-aws — AWS Red Team Exploitation
@@ -67,9 +67,15 @@ python pacu.py
 
 ### 2.3 ScoutSuite (Multi-Cloud Auditing)
 
+> ⚠️ **Note:** ScoutSuite has Python 3.13 dependency conflicts. Run via Docker instead:
+
 ```bash
-pip3 install scoutsuite
-scout aws --profile target --report-dir ./scoutsuite-report
+# Option A: Run ScoutSuite via its own Docker image
+docker run -it --rm -v ~/.aws:/root/.aws rossja/ncc-scoutsuite \
+  scout aws --profile target --report-dir /tmp/scoutsuite-report
+
+# Option B: Use prowler as alternative (installed in rtexit-kali)
+prowler aws -f us-east-1 --output-directory ./prowler-report
 ```
 
 ### 2.4 CloudFox (Cloud Privilege Escalation Discovery)

package/packaged-assets/.agents/skills/rt-exploit-cloud-gcp/SKILL.md

@@ -68,8 +68,8 @@ sudo ln -s /opt/cloudfox/cloudfox /usr/local/bin/cloudfox
 # GCP IAM Privilege Escalation scripts (Rhino Security Labs)
 git clone https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation.git /opt/gcp-privesc
 
-# ScoutSuite — multi-cloud auditing (useful for gap analysis)
-pip3 install scoutsuite
+# ScoutSuite — run via Docker (Python 3.13 conflict in rtexit-kali)
+# docker run -it --rm rossja/ncc-scoutsuite scout gcp --project <project-id>
 
 # gcp_scanner — Google's own attack surface scanner
 pip3 install gcp-scanner

package/packaged-assets/_rtexit/TOOLS.md

@@ -0,0 +1,151 @@
+# RTExit — Available Tools Reference
+# Verified working in rtexit-kali Docker container
+
+> All commands run as: `docker exec rtexit-kali bash -c "COMMAND"`
+
+---
+
+## How to Use Tools
+
+```bash
+# Enter the container shell
+docker exec -it rtexit-kali bash
+
+# Or run a single command
+docker exec rtexit-kali bash -c "nmap -sV TARGET"
+```
+
+---
+
+## Phase 1 — Scanning & Recon ✅ 36/36
+
+| Tool | Command | Use Case |
+|------|---------|----------|
+| nmap | `nmap` | Port scanning |
+| masscan | `masscan` | Fast mass scanning |
+| zmap | `zmap` | Internet-scale scanning |
+| rustscan | `rustscan` | Fast port scanner |
+| nuclei | `nuclei` | Vulnerability scanning |
+| ffuf | `ffuf` | Web fuzzing |
+| gobuster | `gobuster` | Directory brute-force |
+| feroxbuster | `feroxbuster` | Recursive brute-force |
+| subfinder | `subfinder` | Subdomain enumeration |
+| amass | `amass` | OSINT + subdomain enum |
+| gau | `gau` | URL discovery |
+| katana | `katana` | Web crawling |
+| x8 | `x8` | Hidden parameter discovery |
+| subzy | `subzy` | Subdomain takeover |
+
+---
+
+## Phase 2 — Web Application ✅ 34/34
+
+| Tool | Command | Use Case |
+|------|---------|----------|
+| sqlmap | `sqlmap` | SQL injection |
+| ghauri | `ghauri` | Advanced SQLi |
+| tplmap | `tplmap` | SSTI detection |
+| dalfox | `dalfox` | XSS scanning |
+| jwt_tool | `jwt_tool` | JWT attacks |
+| semgrep | `semgrep` | Source code analysis |
+| checkov | `checkov` | IaC misconfiguration |
+| gitleaks | `gitleaks` | Secret scanning |
+| git-dumper | `git-dumper` | Exposed .git dump |
+| syft | `syft` | SBOM generation |
+| grype | `grype` | Vulnerability scan |
+| wpscan | `wpscan` | WordPress scanning |
+| graphql-cop | `graphql-cop` | GraphQL security |
+
+---
+
+## Phase 3 — Active Directory ✅ 52/52
+
+| Tool | Command | Use Case |
+|------|---------|----------|
+| impacket-secretsdump | `impacket-secretsdump` | Credential dump |
+| impacket-psexec | `impacket-psexec` | Remote execution |
+| impacket-GetUserSPNs | `impacket-GetUserSPNs` | Kerberoasting |
+| certipy | `certipy` | ADCS attacks |
+| evil-winrm | `evil-winrm` | WinRM shell |
+| bloodhound-python | `bloodhound-python` | AD graph |
+| kerbrute | `kerbrute` | User enumeration |
+| netexec | `netexec` | Network enumeration |
+| crackmapexec | `crackmapexec` | Alias → netexec |
+| responder | `responder` | NTLM capture |
+| mitm6 | `mitm6` | IPv6 MITM |
+| coercer | `coercer` | Auth coercion |
+| bloodyAD | `bloodyAD` | AD attacks |
+
+---
+
+## Phase 4 — Cloud ✅ 37/37
+
+| Tool | Command | Use Case |
+|------|---------|----------|
+| aws | `aws` | AWS CLI |
+| pacu | `pacu` | AWS exploitation |
+| enumerate-iam | `enumerate-iam` | IAM enumeration |
+| awswhoami | `awswhoami` | AWS identity check |
+| cloudfox | `cloudfox` | Cloud privilege paths |
+| s3scanner | `s3scanner` | S3 bucket scanner |
+| prowler | `prowler` | AWS/Azure/GCP audit |
+| az | `az` | Azure CLI |
+| azcopy | `azcopy` | Azure data exfil |
+| kubectl | `kubectl` | Kubernetes |
+| helm | `helm` | Helm charts |
+| kube-bench | `kube-bench` | K8s CIS benchmark |
+| cdk | `cdk` | Container escape |
+| trivy | `trivy` | Container vuln scan |
+| checkov | `checkov` | IaC scanning |
+
+---
+
+## Mobile
+
+| Tool | Command | Use Case |
+|------|---------|----------|
+| adb | `adb` | Android debugging |
+| apktool | `apktool` | APK decompile |
+| jadx | `jadx` | Java decompiler |
+| frida | `frida` | Dynamic instrumentation |
+| objection | `objection` | Runtime manipulation |
+| setup-frida-server | `setup-frida-server` | Auto-setup frida-server |
+| uber-apk-signer | `uber-apk-signer` | APK signing |
+| apk-mitm | `apk-mitm` | SSL pinning bypass |
+
+---
+
+## C2 & Post-Exploitation
+
+| Tool | Command | Use Case |
+|------|---------|----------|
+| msfconsole | `msfconsole` | Metasploit |
+| msfvenom | `msfvenom` | Payload generation |
+| sliver-client | `sliver-client` | Sliver C2 |
+| chisel | `chisel` | TCP tunneling |
+| ligolo-proxy | `ligolo-proxy` | Layer 3 tunneling |
+
+---
+
+## ⚠️ NOT in Container
+
+| Tool | Alternative |
+|------|------------|
+| ScoutSuite | `docker run rossja/ncc-scoutsuite` or `prowler` |
+| Havoc C2 | Run on host machine (GUI required) |
+| Cobalt Strike | Commercial — not included |
+| Certify.exe | Windows binary — deploy to target |
+| Rubeus.exe | Windows binary — deploy to target |
+
+---
+
+## Wordlists Location
+
+```
+/opt/SecLists/
+├── Discovery/DNS/                    → subdomains
+├── Discovery/Web-Content/            → directories
+├── Passwords/Leaked-Databases/       → rockyou.txt
+├── Usernames/Names/                  → names.txt
+└── Fuzzing/                          → payloads
+```

package/packaged-assets/_rtexit/config.toml

@@ -93,6 +93,78 @@ title = "Report Writer & Evidence Specialist"
 icon = "📝"
 module = "4-reporting"
 
+# ─────────────────────────────────────────────
+# Docker Lab Environment
+# Tells all agents where tools live and how to execute them
+# ─────────────────────────────────────────────
+[docker]
+enabled = true
+container_name = "rtexit-kali"
+image = "rtexit/kali:v3.2"
+workspace_mount = "/workspace"
+exec_prefix = "docker exec rtexit-kali bash -c"
+
+# All verified tools available in the container (Phase 1-4 verified 100%)
+# Agents use this list to know what's available without guessing
+[docker.tools]
+
+# Phase 1 — Scanning & Recon
+scanning = ["nmap", "masscan", "zmap", "naabu", "rustscan", "httpx", "httprobe",
+  "nuclei", "ffuf", "gobuster", "feroxbuster", "dirsearch", "wfuzz", "dirb",
+  "nikto", "whatweb", "wafw00f", "testssl", "subfinder", "amass", "dnsx",
+  "dnsrecon", "dnsenum", "fierce", "puredns", "gau", "waybackurls", "katana",
+  "hakrawler", "linkfinder", "gowitness", "wappalyzer", "arjun", "x8",
+  "qsreplace", "subzy"]
+
+# Phase 2 — Web Testing
+web = ["sqlmap", "ghauri", "tplmap", "dalfox", "kxss", "interactsh-client",
+  "jwt_tool", "graphql-cop", "graphw00f", "inql", "smuggler", "mitmproxy",
+  "semgrep", "jsbeautifier", "wpscan", "grpcurl", "testssl", "gitleaks",
+  "git-dumper", "checkov", "syft", "grype", "ysoserial", "phpggc"]
+
+# Phase 3 — Active Directory
+ad = ["impacket-psexec", "impacket-smbexec", "impacket-wmiexec",
+  "impacket-secretsdump", "impacket-GetUserSPNs", "impacket-GetNPUsers",
+  "impacket-ntlmrelayx", "impacket-ticketer", "impacket-getST",
+  "certipy", "evil-winrm", "bloodhound-python", "kerbrute",
+  "netexec", "crackmapexec", "ldeep", "windapsearch", "enum4linux",
+  "enum4linux-ng", "nbtscan", "smbmap", "smbclient", "responder",
+  "mitm6", "coercer", "bloodyAD", "pypykatz"]
+
+# Phase 4 — Cloud
+cloud = ["aws", "pacu", "enumerate-iam", "awswhoami", "cloudfox", "s3scanner",
+  "prowler", "az", "azcopy", "roadrecon", "teamfiltration", "msticpy",
+  "kubectl", "kubectx", "kubens", "helm", "kube-hunter", "kube-bench",
+  "peirates", "cdk", "deepce", "botb", "trivy", "dive", "dependency-check",
+  "checkov", "syft", "grype"]
+
+# Mobile
+mobile = ["adb", "apktool", "jadx", "frida", "objection", "drozer",
+  "apkleaks", "uber-apk-signer", "setup-frida-server", "apk-mitm"]
+
+# C2 & Post-Exploitation
+c2 = ["msfconsole", "msfvenom", "sliver-client", "chisel",
+  "ligolo-proxy", "iodine", "socat", "proxychains4"]
+
+# Password Attacks
+passwords = ["hashcat", "john", "hydra", "medusa", "cewl", "cupp", "pypykatz"]
+
+# Binary Analysis
+binary = ["gdb", "radare2", "ghidra", "binwalk", "ROPgadget",
+  "ropper", "yara", "gitleaks"]
+
+# OSINT
+osint = ["theHarvester", "subfinder", "amass", "shodan", "gitleaks",
+  "trufflehog", "git-dumper", "recon-ng"]
+
+# NOT available in container (use alternatives)
+[docker.unavailable]
+ScoutSuite = "use: docker run rossja/ncc-scoutsuite OR prowler"
+Havoc = "GUI-only C2, run on host machine"
+Cobalt_Strike = "commercial, not included"
+Certify_exe = "Windows-only binary, deploy to target"
+Rubeus_exe = "Windows-only binary, deploy to target"
+
 # Compliance mapping targets
 [compliance]
 pci_dss = true