Run any Skill in Manus with one click

red-team-tools

Implement proven methodologies and tool workflows from top security researchers for effective reconnaissance, vulnerability discovery, and bug bounty hunting. Automate common tasks while maintaining thorough coverage of attack surfaces.

Run Skill in Manus

Overview

Install command

npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill red-team-tools

Copy and paste this command into Claude Code to install the skill

Source

sickn33/antigravity-awesome-skills

Stars39,610

Forks6,420

UpdatedMarch 29, 2026 at 08:55

SKILL.md

readonly

More from this repository

same repository

vercel-optimize

sickn33/antigravity-awesome-skills

Audit deployed Vercel apps for cost and performance issues using metrics, project config, code scans, and version-aware recommendations.

2026-06-0339.6k

accesslint-audit

sickn33/antigravity-awesome-skills

Find and fix WCAG 2.2 accessibility issues. Two modes — report (sweep a codebase or page, produce a prioritized written report, no edits) and fix (audit→edit→verify loop on a target). Prefers direct-CDP live-DOM auditing; falls back to a browser-MCP composition or HTML-string audits.

2026-06-0339.6k

accesslint-diff

sickn33/antigravity-awesome-skills

Diff a live page's accessibility violations against a baseline — by default compares uncommitted changes (stash-based), or pass --branch [<name>] to diff against a branch. Reports only new violations introduced, violations fixed, and pre-existing count. Use `scan` for a full audit with no diffing.

2026-06-0339.6k

accesslint-scan

sickn33/antigravity-awesome-skills

Audit a live page for accessibility issues, locate each WCAG violation precisely, and return a selector-grounded fix worklist without editing.

2026-06-0339.6k

composition-patterns

sickn33/antigravity-awesome-skills

Use when working with composition-patterns tasks or workflows

2026-06-0339.6k

debugging-toolkit

sickn33/antigravity-awesome-skills

Use when working with debugging toolkit smart debug (Alias for debugging-toolkit-smart-debug)

2026-06-0339.6k

Source

sickn33

sickn33/antigravity-awesome-skills

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

Useful forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name	red-team-tools
description	Implement proven methodologies and tool workflows from top security researchers for effective reconnaissance, vulnerability discovery, and bug bounty hunting. Automate common tasks while maintaining thorough coverage of attack surfaces.
risk	offensive
source	community
author	zebbern
date_added	2026-02-27

AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.

Red Team Tools and Methodology

Purpose

Inputs/Prerequisites

Target scope definition (domains, IP ranges, applications)
Linux-based attack machine (Kali, Ubuntu)
Bug bounty program rules and scope
Tool dependencies installed (Go, Python, Ruby)
API keys for various services (Shodan, Censys, etc.)

Outputs/Deliverables

Comprehensive subdomain enumeration
Live host discovery and technology fingerprinting
Identified vulnerabilities and attack vectors
Automated recon pipeline outputs
Documented findings for reporting

Core Workflow

1. Project Tracking and Acquisitions

Set up reconnaissance tracking:

# Create project structure
mkdir -p target/{recon,vulns,reports}
cd target

# Find acquisitions using Crunchbase
# Search manually for subsidiary companies

# Get ASN for targets
amass intel -org "Target Company" -src

# Alternative ASN lookup
curl -s "https://bgp.he.net/search?search=targetcompany&commit=Search"

2. Subdomain Enumeration

Comprehensive subdomain discovery:

# Create wildcards file
echo "target.com" > wildcards

# Run Amass passively
amass enum -passive -d target.com -src -o amass_passive.txt

# Run Amass actively
amass enum -active -d target.com -src -o amass_active.txt

# Use Subfinder
subfinder -d target.com -silent -o subfinder.txt

# Asset discovery
cat wildcards | assetfinder --subs-only | anew domains.txt

# Alternative subdomain tools
findomain -t target.com -o

# Generate permutations with dnsgen
cat domains.txt | dnsgen - | httprobe > permuted.txt

# Combine all sources
cat amass_*.txt subfinder.txt | sort -u > all_subs.txt

3. Live Host Discovery

Identify responding hosts:

# Check which hosts are live with httprobe
cat domains.txt | httprobe -c 80 --prefer-https | anew hosts.txt

# Use httpx for more details
cat domains.txt | httpx -title -tech-detect -status-code -o live_hosts.txt

# Alternative with massdns
massdns -r resolvers.txt -t A -o S domains.txt > resolved.txt

4. Technology Fingerprinting

Identify technologies for targeted attacks:

# Whatweb scanning
whatweb -i hosts.txt -a 3 -v > tech_stack.txt

# Nuclei technology detection
nuclei -l hosts.txt -t technologies/ -o tech_nuclei.txt

# Wappalyzer (if available)
# Browser extension for manual review

5. Content Discovery

Find hidden endpoints and files:

# Directory bruteforce with ffuf
ffuf -ac -v -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

# Historical URLs from Wayback
waybackurls target.com | tee wayback.txt

# Find all URLs with gau
gau target.com | tee all_urls.txt

# Parameter discovery
cat all_urls.txt | grep "=" | sort -u > params.txt

# Generate custom wordlist from historical data
cat all_urls.txt | unfurl paths | sort -u > custom_wordlist.txt

6. Application Analysis (Jason Haddix Method)

Heat Map Priority Areas:

File Uploads - Test for injection, XXE, SSRF, shell upload
Content Types - Filter Burp for multipart forms
APIs - Look for hidden methods, lack of auth
Profile Sections - Stored XSS, custom fields
Integrations - SSRF through third parties
Error Pages - Exotic injection points

Analysis Questions:

How does the app pass data? (Params, API, Hybrid)
Where does the app talk about users? (UID, UUID endpoints)
Does the site have multi-tenancy or user levels?
Does it have a unique threat model?
How does the site handle XSS/CSRF?
Has the site had past writeups/exploits?

7. Automated XSS Hunting

# ParamSpider for parameter extraction
python3 paramspider.py --domain target.com -o params.txt

# Filter with Gxss
cat params.txt | Gxss -p test

# Dalfox for XSS testing
cat params.txt | dalfox pipe --mining-dict params.txt -o xss_results.txt

# Alternative workflow
waybackurls target.com | grep "=" | qsreplace '"><script>alert(1)</script>' | while read url; do
    curl -s "$url" | grep -q 'alert(1)' && echo "$url"
done > potential_xss.txt

8. Vulnerability Scanning

# Nuclei comprehensive scan
nuclei -l hosts.txt -t ~/nuclei-templates/ -o nuclei_results.txt

# Check for common CVEs
nuclei -l hosts.txt -t cves/ -o cve_results.txt

# Web vulnerabilities
nuclei -l hosts.txt -t vulnerabilities/ -o vuln_results.txt

9. API Enumeration

Wordlists for API fuzzing:

# Enumerate API endpoints
ffuf -u https://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt

# Test API versions
ffuf -u https://target.com/api/v1/FUZZ -w api_wordlist.txt
ffuf -u https://target.com/api/v2/FUZZ -w api_wordlist.txt

# Check for hidden methods
for method in GET POST PUT DELETE PATCH; do
    curl -X $method https://target.com/api/users -v
done

10. Automated Recon Script

#!/bin/bash
domain=$1

if [[ -z $domain ]]; then
    echo "Usage: ./recon.sh <domain>"
    exit 1
fi

mkdir -p "$domain"

# Subdomain enumeration
echo "[*] Enumerating subdomains..."
subfinder -d "$domain" -silent > "$domain/subs.txt"

# Live host discovery
echo "[*] Finding live hosts..."
cat "$domain/subs.txt" | httpx -title -tech-detect -status-code > "$domain/live.txt"

# URL collection
echo "[*] Collecting URLs..."
cat "$domain/live.txt" | waybackurls > "$domain/urls.txt"

# Nuclei scanning
echo "[*] Running Nuclei..."
nuclei -l "$domain/live.txt" -o "$domain/nuclei.txt"

echo "[+] Recon complete!"

Quick Reference

Essential Tools

Tool	Purpose
Amass	Subdomain enumeration
Subfinder	Fast subdomain discovery
httpx/httprobe	Live host detection
ffuf	Content discovery
Nuclei	Vulnerability scanning
Burp Suite	Manual testing
Dalfox	XSS automation
waybackurls	Historical URL mining

Key API Endpoints to Check

/api/v1/users
/api/v1/admin
/api/v1/profile
/api/users/me
/api/config
/api/debug
/api/swagger
/api/graphql

XSS Filter Testing

<!-- Test encoding handling -->
<h1><img><table>
<script>
%3Cscript%3E
%253Cscript%253E
%26lt;script%26gt;

Constraints

Respect program scope boundaries
Avoid DoS or fuzzing on production without permission
Rate limit requests to avoid blocking
Some tools may generate false positives
API keys required for full functionality of some tools

Examples

Example 1: Quick Subdomain Recon

subfinder -d target.com | httpx -title | tee results.txt

Example 2: XSS Hunting Pipeline

waybackurls target.com | grep "=" | qsreplace "test" | httpx -silent | dalfox pipe

Example 3: Comprehensive Scan

# Full recon chain
amass enum -d target.com | httpx | nuclei -t ~/nuclei-templates/

Troubleshooting

Issue	Solution
Rate limited	Use proxy rotation, reduce concurrency
Too many results	Focus on specific technology stacks
False positives	Manually verify findings before reporting
Missing subdomains	Combine multiple enumeration sources
API key errors	Verify keys in config files
Tools not found	Install Go tools with `go install`

When to Use

This skill is applicable to execute the workflow or actions described in the overview.