Diablo_Rain/Diablo_ClaudeMD_Ricing_example
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
8b47d8e2b8
Diablo_ClaudeMD_Ricing_example/skills/recon-osint/SKILL.md
diablo 50fa79407d
Some checks are pending
CI — CoM Config Validation / Validate JSON Configs (push) Waiting to run
Details
CI — CoM Config Validation / Validate YAML Configs (push) Waiting to run
Details
CI — CoM Config Validation / Lint Shell Scripts (push) Waiting to run
Details
CI — CoM Config Validation / Secret Detection (push) Waiting to run
Details
CI — CoM Config Validation / Lint Markdown (push) Waiting to run
Details
CI — CoM Config Validation / Validate CODEOWNERS (push) Waiting to run
Details
CoM Claude Command Center — sanitized public configuration 
Public, sanitized mirror of an AI orchestration command center: agents, skills,
MCP servers, slash-command workflows. All infrastructure identifiers, hostnames,
mesh IPs/subnets, repo paths, maintainer identity, and hardware fleet specifics
scrubbed to <placeholders>; session debug logs and host-specific memory removed.
No live credentials. Verified clean by automated leak sweep. See SANITIZATION.md.

churchofmalware.org . authorized research only
2026-06-10 02:02:03 -04:00

220 lines
6.6 KiB
Markdown
Raw Blame History

---
name: Reconnaissance & OSINT Automation
description: Comprehensive reconnaissance and open-source intelligence gathering for security assessments
version: 1.0.0
author: Masriyan
tags: [cybersecurity, reconnaissance, osint, enumeration, dns, subdomain]
---
# 🔍 Reconnaissance & OSINT Automation
## Overview
This skill enables Claude to assist with comprehensive reconnaissance and open-source intelligence (OSINT) gathering during security assessments. It covers passive and active reconnaissance techniques, subdomain enumeration, port scanning, DNS analysis, technology fingerprinting, and OSINT data correlation.
> **⚠️ Important**: Always obtain proper authorization before performing reconnaissance against any target. Unauthorized scanning is illegal in most jurisdictions.
---
## Prerequisites
### Required
- Python 3.8+
- `requests`, `dnspython`, `python-whois`, `beautifulsoup4`, `shodan`
### Optional (Enhanced Capabilities)
- **Nmap** — Active port scanning and service detection
- **Amass** — Advanced subdomain enumeration
- **Subfinder** — Passive subdomain discovery
- **theHarvester** — Email and subdomain harvesting
- **Shodan API key** — Internet-wide device search
- **Censys API key** — Certificate and host search
```bash
pip install requests dnspython python-whois beautifulsoup4 shodan censys
```
---
## Core Capabilities
### 1. Subdomain Enumeration
- Passive subdomain discovery using certificate transparency logs
- DNS brute-force enumeration with customizable wordlists
- Recursive subdomain discovery
- Wildcard detection and filtering
- Result deduplication and validation
**When the user asks to enumerate subdomains:**
1. Start with passive methods (CT logs, DNS records, search engines)
2. Validate discovered subdomains via DNS resolution
3. Optionally perform active brute-force enumeration
4. Detect wildcard DNS and filter false positives
5. Resolve all valid subdomains to IP addresses
6. Group results by IP for infrastructure mapping
7. Output results in structured JSON format
### 2. Port Scanning & Service Detection
- TCP SYN/Connect scanning
- UDP scanning for critical services
- Service version detection
- OS fingerprinting
- Banner grabbing
- Rate-limited scanning to avoid detection
**When the user asks to scan ports:**
1. Determine scan scope (single host, subnet, list)
2. Select appropriate scan technique based on authorization level
3. Perform service version detection on open ports
4. Identify potential vulnerabilities based on service versions
5. Generate structured scan report
### 3. DNS Reconnaissance
- DNS record enumeration (A, AAAA, MX, NS, TXT, SOA, SRV, CNAME)
- Zone transfer attempts (AXFR)
- DNS cache snooping
- Reverse DNS lookups
- SPF/DKIM/DMARC analysis for email security posture
- DNS history and passive DNS lookups
**When the user asks for DNS recon:**
1. Enumerate all DNS record types for the target domain
2. Attempt zone transfers on all nameservers
3. Analyze SPF, DKIM, and DMARC records
4. Perform reverse DNS on discovered IPs
5. Check for DNS misconfigurations
6. Document findings with security implications
### 4. Technology Fingerprinting
- Web technology identification (CMS, frameworks, libraries)
- HTTP header analysis
- SSL/TLS certificate analysis
- WAF detection
- CDN identification
- JavaScript library version detection
**When the user asks to fingerprint technologies:**
1. Analyze HTTP response headers
2. Parse HTML for framework indicators
3. Check for common CMS signatures
4. Analyze JavaScript includes and their versions
5. Detect WAF presence and type
6. Check SSL certificate details
7. Generate technology stack profile
### 5. OSINT Gathering
- Email address discovery and validation
- Social media profile correlation
- Domain WHOIS analysis
- Company infrastructure mapping
- Leaked credential checking (via public APIs)
- Metadata extraction from public documents
- Google dorking query generation
**When the user asks for OSINT:**
1. Gather WHOIS information for domains
2. Search certificate transparency logs
3. Discover email addresses associated with the domain
4. Generate and execute Google dork queries
5. Check for exposed services and data
6. Correlate findings across multiple sources
7. Present findings with confidence levels
---
## Usage Instructions
### Basic Reconnaissance Workflow
```
Step 1: Define target scope and authorization
Step 2: Passive reconnaissance (OSINT, DNS, CT logs)
Step 3: Subdomain enumeration
Step 4: Port scanning and service detection
Step 5: Technology fingerprinting
Step 6: Consolidate and report findings
```
### Example Prompts
```
> Enumerate all subdomains for example.com using passive methods
> Perform a full DNS reconnaissance of target.org
> Fingerprint the technology stack of https://target.com
> Generate Google dork queries for finding exposed files on example.com
> Scan the top 1000 ports on <lan-ip>/24
```
---
## Integration Guide
### Chaining with Other Skills
- **→ Vulnerability Scanner (02)**: Feed discovered hosts and services into vulnerability scanning
- **→ Web Security (09)**: Pass discovered web applications for security testing
- **→ Network Security (08)**: Use scan results for network architecture mapping
- **→ Cloud Security (10)**: Identify cloud-hosted assets for cloud-specific auditing
### Output Formats
All scripts output structured JSON by default, compatible with:
- SIEM ingestion
- Custom reporting pipelines
- Other skill scripts
---
## Script Reference
### `subdomain_enum.py`
Passive and active subdomain enumeration with validation.
```bash
python scripts/subdomain_enum.py --domain target.com --output results.json
python scripts/subdomain_enum.py --domain target.com --wordlist wordlist.txt --threads 20
python scripts/subdomain_enum.py --domain target.com --passive-only
```
### `dns_recon.py`
Comprehensive DNS reconnaissance and analysis.
```bash
python scripts/dns_recon.py --domain target.com --output dns_report.json
python scripts/dns_recon.py --domain target.com --check-zone-transfer
```
### `tech_fingerprint.py`
Web technology fingerprinting and stack identification.
```bash
python scripts/tech_fingerprint.py --url https://target.com --output tech_report.json
python scripts/tech_fingerprint.py --urls urls.txt --output tech_report.json
```
---
## References
- [OWASP Testing Guide — Information Gathering](https://owasp.org/www-project-web-security-testing-guide/)
- [Shodan API Documentation](https://developer.shodan.io/)
- [Certificate Transparency](https://certificate.transparency.dev/)
- [MITRE ATT&CK — Reconnaissance](https://attack.mitre.org/tactics/TA0043/)
- [DNS RFC 1035](https://www.rfc-editor.org/rfc/rfc1035)
Reference in New Issue View Git Blame Copy Permalink