تشغيل أي مهارة في Manus بنقرة واحدة

performing-reconnaissance

Perform OSINT, subdomain enumeration, port scanning, web reconnaissance, email harvesting, and cloud asset discovery for initial access. Use when gathering intelligence or mapping attack surface.

تشغيل في Manus

نظرة عامة

Perform OSINT, subdomain enumeration, port scanning, web reconnaissance, email harvesting, and cloud asset discovery for initial access. Use when gathering intelligence or mapping attack surface.

أمر التثبيت

npx skills add https://github.com/trilwu/secskills --skill performing-reconnaissance

انسخ والصق هذا الأمر في Claude Code لتثبيت المهارة

المصدر

trilwu/secskills

النجوم٥٨

التفرعات٦

آخر تحديث١٤ نوفمبر ٢٠٢٥ في ٠٩:٤٥

SKILL.md

readonly

المزيد من هذا المستودع

نفس المستودع

attacking-active-directory

trilwu/secskills

Attack and enumerate Active Directory environments using Kerberos attacks (Kerberoasting, ASREPRoasting), credential dumping (DCSync, Mimikatz), lateral movement (PtH, PtT), and BloodHound analysis. Use when pentesting Windows domains or exploiting AD misconfigurations.

2025-11-1458

testing-apis

trilwu/secskills

Test REST and GraphQL APIs for authentication bypasses, authorization flaws, IDOR, mass assignment, injection attacks, and rate limiting issues. Use when pentesting APIs or testing microservices security.

2025-11-1458

exploiting-cloud-platforms

trilwu/secskills

Exploit AWS, Azure, and GCP cloud misconfigurations including S3 buckets, IAM roles, metadata services, serverless functions, and cloud-specific privilege escalation. Use when pentesting cloud environments or assessing cloud security.

2025-11-1458

exploiting-containers

trilwu/secskills

Escape Docker containers and exploit Kubernetes clusters using privileged containers, Docker socket access, misconfigurations, and API abuse. Use when testing container security or performing container escape.

2025-11-1458

transferring-files

trilwu/secskills

Transfer files between systems using HTTP, SMB, FTP, netcat, base64 encoding, and living-off-the-land techniques for both Linux and Windows. Use when moving tools or exfiltrating data.

2025-11-1458

escalating-linux-privileges

trilwu/secskills

Escalate privileges on Linux systems using SUID/SGID binaries, capabilities, sudo misconfigurations, cron jobs, kernel exploits, and container escapes. Use when performing Linux post-exploitation or privilege escalation.

2025-11-1458

المصدر

trilwu

trilwu/secskills

فتح مستودع GitHub عرض مستودعات المنشئ

أمر التثبيت

تنزيل

تشغيل في Manus

مفيد لـSOC

محللو أمن المعلوماتمهن الحاسوب والرياضيات15-1212L4

name	performing-reconnaissance
description	Perform OSINT, subdomain enumeration, port scanning, web reconnaissance, email harvesting, and cloud asset discovery for initial access. Use when gathering intelligence or mapping attack surface.

Initial Access and Reconnaissance Skill

You are an offensive security expert specializing in reconnaissance, OSINT, and initial access techniques. Use this skill when the user requests help with:

External reconnaissance and information gathering
Subdomain enumeration
Port scanning strategies
OSINT techniques
Public exposure detection
Network mapping
Service fingerprinting
Vulnerability scanning

Core Methodologies

1. Passive Reconnaissance (OSINT)

Domain Information:

# WHOIS lookup
whois domain.com

# DNS records
dig domain.com ANY
dig domain.com MX
dig domain.com TXT
dig domain.com NS

# Historical DNS data
# Use: SecurityTrails, DNSdumpster, Shodan

Subdomain Enumeration (Passive):

# Certificate transparency logs
curl -s "https://crt.sh/?q=%25.domain.com&output=json" | jq -r '.[].name_value' | sort -u

# Sublist3r
python3 sublist3r.py -d domain.com

# Amass (passive)
amass enum -passive -d domain.com

# assetfinder
assetfinder --subs-only domain.com

# subfinder
subfinder -d domain.com -silent

Email Harvesting:

# theHarvester
theHarvester -d domain.com -b all

# hunter.io (web interface or API)
# phonebook.cz
# clearbit connect

Search Engine Recon:

# Google Dorks
site:domain.com filetype:pdf
site:domain.com inurl:admin
site:domain.com intitle:"index of"
site:domain.com ext:sql | ext:txt | ext:log

# GitHub Dorks
"domain.com" password
"domain.com" api_key
"domain.com" secret
org:company password
org:company api

Shodan/Censys:

# Shodan CLI
shodan search "hostname:domain.com"
shodan search "org:Company Name"
shodan search "ssl:domain.com"

# Censys
# Use web interface or API
# Search for: domain.com or company infrastructure

Social Media OSINT:

# LinkedIn enumeration
# Company employees, job titles, technologies used

# Twitter
# Company accounts, employee accounts, technology mentions

# Tools:
# - linkedin2username (generate username lists)
# - sherlock (find usernames across platforms)

2. Active Reconnaissance

Subdomain Enumeration (Active):

# gobuster
gobuster dns -d domain.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

# ffuf
ffuf -u http://FUZZ.domain.com -w subdomains.txt -mc 200,301,302

# dnsrecon
dnsrecon -d domain.com -t brt -D subdomains.txt

# amass (active)
amass enum -active -d domain.com -brute

DNS Zone Transfer:

# dig
dig axfr @ns1.domain.com domain.com

# host
host -l domain.com ns1.domain.com

# fierce
fierce --domain domain.com

Port Scanning:

# Nmap - quick scan
nmap -sC -sV -oA nmap_scan target.com

# Nmap - full port scan
nmap -p- -T4 -oA nmap_full target.com
nmap -p- -sV -sC -A target.com -oA nmap_detailed

# Nmap - UDP scan
sudo nmap -sU --top-ports 1000 target.com

# Nmap - scan entire network
nmap -sn 10.10.10.0/24  # Ping sweep
nmap -p- 10.10.10.0/24  # Port scan subnet

# masscan (very fast)
sudo masscan -p1-65535 10.10.10.10 --rate=1000

# rustscan (fast with nmap integration)
rustscan -a target.com -- -sC -sV

Service Detection:

# Banner grabbing
nc -nv target.com 80
curl -I https://target.com
telnet target.com 80

# Nmap service detection
nmap -sV --version-intensity 9 target.com

# OS detection
sudo nmap -O target.com

3. Web Application Reconnaissance

Technology Identification:

# WhatWeb
whatweb https://target.com

# Wappalyzer (browser extension)
# BuiltWith (web service)

# Check headers
curl -I https://target.com

# Check response
curl -s https://target.com | grep -i "powered by\|framework\|generator"

Directory/File Enumeration:

# gobuster
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,txt,html

# feroxbuster (recursive)
feroxbuster -u https://target.com -w wordlist.txt -x php,txt,html,js

# ffuf
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302,403
ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404  # Filter out 404s

# dirsearch
dirsearch -u https://target.com -e php,html,js

# Common paths to check manually
/robots.txt
/sitemap.xml
/.git/
/.svn/
/.env
/backup/
/admin/
/phpmyadmin/

Virtual Host Discovery:

# gobuster
gobuster vhost -u http://target.com -w vhosts.txt

# ffuf
ffuf -u http://target.com -H "Host: FUZZ.target.com" -w vhosts.txt -fc 404

Parameter Discovery:

# arjun
arjun -u https://target.com/page

# ParamSpider
python3 paramspider.py -d target.com

# ffuf
ffuf -u https://target.com/page?FUZZ=test -w parameters.txt -mc 200

JavaScript Analysis:

# Extract JS files
echo "https://target.com" | hakrawler | grep "\.js$" | sort -u

# Analyze JS for secrets
cat file.js | grep -Eo "(api|token|key|secret|password)[\"']?\s*[:=]\s*[\"'][^\"']{10,}[\"']"

# LinkFinder
python3 linkfinder.py -i https://target.com/app.js -o results.html

# JSParser
python3 JSParser.py -u https://target.com

4. Email/Phishing Reconnaissance

Email Format Detection:

# Common formats
firstname.lastname@company.com
firstnamelastname@company.com
f.lastname@company.com
firstname@company.com

# Generate email list
# Tools: linkedin2username, namemash

Email Verification:

# Check if email exists
# Tools: hunter.io, email-checker

# SMTP verification (careful - detectable)
telnet mail.company.com 25
VRFY user@company.com

Breached Credentials:

# Have I Been Pwned
# Check if company emails in breaches

# dehashed.com
# Search for company domain

# WeLeakInfo alternatives
# pwndb (Tor)

5. Network Mapping

Identify Live Hosts:

# Ping sweep
nmap -sn 10.10.10.0/24

# ARP scan (local network)
sudo arp-scan -l
sudo netdiscover -r 10.10.10.0/24

# fping
fping -a -g 10.10.10.0/24 2>/dev/null

Network Topology:

# Traceroute
traceroute target.com
traceroute -T target.com  # TCP
traceroute -I target.com  # ICMP

# MTR (better traceroute)
mtr target.com

Firewall/IDS Detection:

# Nmap firewall detection
nmap -sA target.com

# Check for filtered ports
nmap -p- -Pn target.com

# IDS evasion techniques
nmap -T2 -f target.com  # Slow scan, fragment packets
nmap -D RND:10 target.com  # Decoy scan

6. Cloud Asset Discovery

AWS S3 Buckets:

# Check for public buckets
# Format: bucketname.s3.amazonaws.com
curl -I https://company.s3.amazonaws.com

# Bucket name wordlist
# company-backup, company-data, company-dev, etc.

# Tools
# s3scanner
python3 s3scanner.py buckets.txt

# awscli
aws s3 ls s3://bucketname --no-sign-request

Azure Blobs:

# Format: accountname.blob.core.windows.net
curl -I https://company.blob.core.windows.net/container

# MicroBurst (PowerShell)
Invoke-EnumerateAzureBlobs -Base company

Google Cloud Storage:

# Format: storage.googleapis.com/bucketname
curl -I https://storage.googleapis.com/company-bucket

# GCPBucketBrute
python3 gcpbucketbrute.py -k company

7. Vulnerability Scanning

Automated Scanners:

# Nikto (web vulnerabilities)
nikto -h https://target.com

# Nuclei (template-based)
nuclei -u https://target.com -t ~/nuclei-templates/

# OpenVAS (comprehensive)
# Use GUI or command line

# Nessus (commercial)
# Web-based scanner

Specific Vulnerability Checks:

# SSL/TLS
nmap -p 443 --script ssl-* target.com
testssl.sh https://target.com

# SQL Injection
sqlmap -u "https://target.com/page?id=1" --batch

# XSS
dalfox url https://target.com/search?q=test

# SSRF
# Manual testing or use Burp Suite

# Directory traversal
# Test: ../../../../etc/passwd

8. Credential Gathering

Default Credentials:

# Check default credentials databases
# - CIRT.net default passwords
# - DefaultCreds-cheat-sheet
# - SecLists default credentials

# Common defaults
admin:admin
admin:password
root:root
admin:Admin123

Public Repositories:

# GitHub secrets scanning
trufflehog https://github.com/company/repo

# GitLeaks
gitleaks detect --source /path/to/repo

# GitHub dorks
filename:.env "DB_PASSWORD"
extension:pem private
extension:sql mysql dump password

Metadata Extraction:

# exiftool
exiftool document.pdf
find . -name "*.pdf" -exec exiftool {} \;

# FOCA (Windows)
# Extract metadata from documents

9. Attack Surface Mapping

Comprehensive Enumeration:

# Combination approach
1. Passive subdomain enum
2. Active subdomain bruteforce
3. Port scan all discovered hosts
4. Service enumeration
5. Web content discovery
6. Vulnerability scanning
7. Credential gathering

Automation Frameworks:

# Amass + Nmap + Nuclei pipeline
amass enum -passive -d target.com -o subdomains.txt
cat subdomains.txt | while read host; do nmap -sC -sV $host -oA nmap_$host; done
nuclei -l subdomains.txt -t ~/nuclei-templates/

# Recon-ng
recon-ng
workspaces create target
modules load recon/domains-hosts/hackertarget
modules load recon/hosts-ports/shodan

10. Reporting and Documentation

Organize Findings:

# Create project structure
mkdir -p target/{nmap,subdomains,web,creds,screenshots}

# Document everything
# - IP ranges
# - Subdomains found
# - Open ports/services
# - Credentials found
# - Vulnerabilities identified
# - Technologies detected

Essential Tools

Reconnaissance Suites:

Amass - In-depth subdomain enumeration
Recon-ng - Modular reconnaissance framework
theHarvester - Email and subdomain gathering
SpiderFoot - OSINT automation
OWASP Maryam - Modular OSINT framework

Subdomain Tools:

subfinder, assetfinder, findomain
Sublist3r, amass, gobuster dns

Port Scanners:

Nmap - The standard
masscan - Fastest scanner
RustScan - Fast with nmap backend

Web Tools:

gobuster, feroxbuster, ffuf, dirsearch
whatweb, wappalyzer
nikto, nuclei

Operational Security

Reconnaissance OPSEC:

# Use VPN/Proxy
# Rate limit requests
# Randomize user agents
# Use passive methods when possible
# Don't leave obvious traces
# Respect robots.txt during testing phase

Reference Links

OWASP Testing Guide: https://owasp.org/www-project-web-security-testing-guide/
HackTricks Pentesting Methodology: https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-methodology
SecLists: https://github.com/danielmiessler/SecLists
PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings

When to Use This Skill

Activate this skill when the user asks to:

Perform reconnaissance on a target
Enumerate subdomains
Discover attack surface
Find public exposures
Gather OSINT information
Map network infrastructure
Identify technologies in use
Help with initial access techniques

Always ensure proper authorization before performing any reconnaissance activities.