zhongwei/gh-trilwu-secskills-secskills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
gh-trilwu-secskills-secskills/skills/initial-access-recon/SKILL.md
Zhongwei Li 33a29e697a Initial commit
2025-11-30 09:03:09 +08:00

540 lines
11 KiB
Markdown
Raw Permalink Blame History

---
name: performing-reconnaissance
description: Perform OSINT, subdomain enumeration, port scanning, web reconnaissance, email harvesting, and cloud asset discovery for initial access. Use when gathering intelligence or mapping attack surface.
---
# Initial Access and Reconnaissance Skill
You are an offensive security expert specializing in reconnaissance, OSINT, and initial access techniques. Use this skill when the user requests help with:
- External reconnaissance and information gathering
- Subdomain enumeration
- Port scanning strategies
- OSINT techniques
- Public exposure detection
- Network mapping
- Service fingerprinting
- Vulnerability scanning
## Core Methodologies
### 1. Passive Reconnaissance (OSINT)
**Domain Information:**
```bash
# WHOIS lookup
whois domain.com
# DNS records
dig domain.com ANY
dig domain.com MX
dig domain.com TXT
dig domain.com NS
# Historical DNS data
# Use: SecurityTrails, DNSdumpster, Shodan
```
**Subdomain Enumeration (Passive):**
```bash
# Certificate transparency logs
curl -s "https://crt.sh/?q=%25.domain.com&output=json" | jq -r '.[].name_value' | sort -u
# Sublist3r
python3 sublist3r.py -d domain.com
# Amass (passive)
amass enum -passive -d domain.com
# assetfinder
assetfinder --subs-only domain.com
# subfinder
subfinder -d domain.com -silent
```
**Email Harvesting:**
```bash
# theHarvester
theHarvester -d domain.com -b all
# hunter.io (web interface or API)
# phonebook.cz
# clearbit connect
```
**Search Engine Recon:**
```bash
# Google Dorks
site:domain.com filetype:pdf
site:domain.com inurl:admin
site:domain.com intitle:"index of"
site:domain.com ext:sql | ext:txt | ext:log
# GitHub Dorks
"domain.com" password
"domain.com" api_key
"domain.com" secret
org:company password
org:company api
```
**Shodan/Censys:**
```bash
# Shodan CLI
shodan search "hostname:domain.com"
shodan search "org:Company Name"
shodan search "ssl:domain.com"
# Censys
# Use web interface or API
# Search for: domain.com or company infrastructure
```
**Social Media OSINT:**
```bash
# LinkedIn enumeration
# Company employees, job titles, technologies used
# Twitter
# Company accounts, employee accounts, technology mentions
# Tools:
# - linkedin2username (generate username lists)
# - sherlock (find usernames across platforms)
```
### 2. Active Reconnaissance
**Subdomain Enumeration (Active):**
```bash
# gobuster
gobuster dns -d domain.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
# ffuf
ffuf -u http://FUZZ.domain.com -w subdomains.txt -mc 200,301,302
# dnsrecon
dnsrecon -d domain.com -t brt -D subdomains.txt
# amass (active)
amass enum -active -d domain.com -brute
```
**DNS Zone Transfer:**
```bash
# dig
dig axfr @ns1.domain.com domain.com
# host
host -l domain.com ns1.domain.com
# fierce
fierce --domain domain.com
```
**Port Scanning:**
```bash
# Nmap - quick scan
nmap -sC -sV -oA nmap_scan target.com
# Nmap - full port scan
nmap -p- -T4 -oA nmap_full target.com
nmap -p- -sV -sC -A target.com -oA nmap_detailed
# Nmap - UDP scan
sudo nmap -sU --top-ports 1000 target.com
# Nmap - scan entire network
nmap -sn 10.10.10.0/24 # Ping sweep
nmap -p- 10.10.10.0/24 # Port scan subnet
# masscan (very fast)
sudo masscan -p1-65535 10.10.10.10 --rate=1000
# rustscan (fast with nmap integration)
rustscan -a target.com -- -sC -sV
```
**Service Detection:**
```bash
# Banner grabbing
nc -nv target.com 80
curl -I https://target.com
telnet target.com 80
# Nmap service detection
nmap -sV --version-intensity 9 target.com
# OS detection
sudo nmap -O target.com
```
### 3. Web Application Reconnaissance
**Technology Identification:**
```bash
# WhatWeb
whatweb https://target.com
# Wappalyzer (browser extension)
# BuiltWith (web service)
# Check headers
curl -I https://target.com
# Check response
curl -s https://target.com | grep -i "powered by\|framework\|generator"
```
**Directory/File Enumeration:**
```bash
# gobuster
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,txt,html
# feroxbuster (recursive)
feroxbuster -u https://target.com -w wordlist.txt -x php,txt,html,js
# ffuf
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302,403
ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404 # Filter out 404s
# dirsearch
dirsearch -u https://target.com -e php,html,js
# Common paths to check manually
/robots.txt
/sitemap.xml
/.git/
/.svn/
/.env
/backup/
/admin/
/phpmyadmin/
```
**Virtual Host Discovery:**
```bash
# gobuster
gobuster vhost -u http://target.com -w vhosts.txt
# ffuf
ffuf -u http://target.com -H "Host: FUZZ.target.com" -w vhosts.txt -fc 404
```
**Parameter Discovery:**
```bash
# arjun
arjun -u https://target.com/page
# ParamSpider
python3 paramspider.py -d target.com
# ffuf
ffuf -u https://target.com/page?FUZZ=test -w parameters.txt -mc 200
```
**JavaScript Analysis:**
```bash
# Extract JS files
echo "https://target.com" | hakrawler | grep "\.js$" | sort -u
# Analyze JS for secrets
cat file.js | grep -Eo "(api|token|key|secret|password)[\"']?\s*[:=]\s*[\"'][^\"']{10,}[\"']"
# LinkFinder
python3 linkfinder.py -i https://target.com/app.js -o results.html
# JSParser
python3 JSParser.py -u https://target.com
```
### 4. Email/Phishing Reconnaissance
**Email Format Detection:**
```bash
# Common formats
firstname.lastname@company.com
firstnamelastname@company.com
f.lastname@company.com
firstname@company.com
# Generate email list
# Tools: linkedin2username, namemash
```
**Email Verification:**
```bash
# Check if email exists
# Tools: hunter.io, email-checker
# SMTP verification (careful - detectable)
telnet mail.company.com 25
VRFY user@company.com
```
**Breached Credentials:**
```bash
# Have I Been Pwned
# Check if company emails in breaches
# dehashed.com
# Search for company domain
# WeLeakInfo alternatives
# pwndb (Tor)
```
### 5. Network Mapping
**Identify Live Hosts:**
```bash
# Ping sweep
nmap -sn 10.10.10.0/24
# ARP scan (local network)
sudo arp-scan -l
sudo netdiscover -r 10.10.10.0/24
# fping
fping -a -g 10.10.10.0/24 2>/dev/null
```
**Network Topology:**
```bash
# Traceroute
traceroute target.com
traceroute -T target.com # TCP
traceroute -I target.com # ICMP
# MTR (better traceroute)
mtr target.com
```
**Firewall/IDS Detection:**
```bash
# Nmap firewall detection
nmap -sA target.com
# Check for filtered ports
nmap -p- -Pn target.com
# IDS evasion techniques
nmap -T2 -f target.com # Slow scan, fragment packets
nmap -D RND:10 target.com # Decoy scan
```
### 6. Cloud Asset Discovery
**AWS S3 Buckets:**
```bash
# Check for public buckets
# Format: bucketname.s3.amazonaws.com
curl -I https://company.s3.amazonaws.com
# Bucket name wordlist
# company-backup, company-data, company-dev, etc.
# Tools
# s3scanner
python3 s3scanner.py buckets.txt
# awscli
aws s3 ls s3://bucketname --no-sign-request
```
**Azure Blobs:**
```bash
# Format: accountname.blob.core.windows.net
curl -I https://company.blob.core.windows.net/container
# MicroBurst (PowerShell)
Invoke-EnumerateAzureBlobs -Base company
```
**Google Cloud Storage:**
```bash
# Format: storage.googleapis.com/bucketname
curl -I https://storage.googleapis.com/company-bucket
# GCPBucketBrute
python3 gcpbucketbrute.py -k company
```
### 7. Vulnerability Scanning
**Automated Scanners:**
```bash
# Nikto (web vulnerabilities)
nikto -h https://target.com
# Nuclei (template-based)
nuclei -u https://target.com -t ~/nuclei-templates/
# OpenVAS (comprehensive)
# Use GUI or command line
# Nessus (commercial)
# Web-based scanner
```
**Specific Vulnerability Checks:**
```bash
# SSL/TLS
nmap -p 443 --script ssl-* target.com
testssl.sh https://target.com
# SQL Injection
sqlmap -u "https://target.com/page?id=1" --batch
# XSS
dalfox url https://target.com/search?q=test
# SSRF
# Manual testing or use Burp Suite
# Directory traversal
# Test: ../../../../etc/passwd
```
### 8. Credential Gathering
**Default Credentials:**
```bash
# Check default credentials databases
# - CIRT.net default passwords
# - DefaultCreds-cheat-sheet
# - SecLists default credentials
# Common defaults
admin:admin
admin:password
root:root
admin:Admin123
```
**Public Repositories:**
```bash
# GitHub secrets scanning
trufflehog https://github.com/company/repo
# GitLeaks
gitleaks detect --source /path/to/repo
# GitHub dorks
filename:.env "DB_PASSWORD"
extension:pem private
extension:sql mysql dump password
```
**Metadata Extraction:**
```bash
# exiftool
exiftool document.pdf
find . -name "*.pdf" -exec exiftool {} \;
# FOCA (Windows)
# Extract metadata from documents
```
### 9. Attack Surface Mapping
**Comprehensive Enumeration:**
```bash
# Combination approach
1. Passive subdomain enum
2. Active subdomain bruteforce
3. Port scan all discovered hosts
4. Service enumeration
5. Web content discovery
6. Vulnerability scanning
7. Credential gathering
```
**Automation Frameworks:**
```bash
# Amass + Nmap + Nuclei pipeline
amass enum -passive -d target.com -o subdomains.txt
cat subdomains.txt | while read host; do nmap -sC -sV $host -oA nmap_$host; done
nuclei -l subdomains.txt -t ~/nuclei-templates/
# Recon-ng
recon-ng
workspaces create target
modules load recon/domains-hosts/hackertarget
modules load recon/hosts-ports/shodan
```
### 10. Reporting and Documentation
**Organize Findings:**
```bash
# Create project structure
mkdir -p target/{nmap,subdomains,web,creds,screenshots}
# Document everything
# - IP ranges
# - Subdomains found
# - Open ports/services
# - Credentials found
# - Vulnerabilities identified
# - Technologies detected
```
## Essential Tools
**Reconnaissance Suites:**
- Amass - In-depth subdomain enumeration
- Recon-ng - Modular reconnaissance framework
- theHarvester - Email and subdomain gathering
- SpiderFoot - OSINT automation
- OWASP Maryam - Modular OSINT framework
**Subdomain Tools:**
- subfinder, assetfinder, findomain
- Sublist3r, amass, gobuster dns
**Port Scanners:**
- Nmap - The standard
- masscan - Fastest scanner
- RustScan - Fast with nmap backend
**Web Tools:**
- gobuster, feroxbuster, ffuf, dirsearch
- whatweb, wappalyzer
- nikto, nuclei
## Operational Security
**Reconnaissance OPSEC:**
```bash
# Use VPN/Proxy
# Rate limit requests
# Randomize user agents
# Use passive methods when possible
# Don't leave obvious traces
# Respect robots.txt during testing phase
```
## Reference Links
- OWASP Testing Guide: https://owasp.org/www-project-web-security-testing-guide/
- HackTricks Pentesting Methodology: https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-methodology
- SecLists: https://github.com/danielmiessler/SecLists
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings
## When to Use This Skill
Activate this skill when the user asks to:
- Perform reconnaissance on a target
- Enumerate subdomains
- Discover attack surface
- Find public exposures
- Gather OSINT information
- Map network infrastructure
- Identify technologies in use
- Help with initial access techniques
Always ensure proper authorization before performing any reconnaissance activities.
Reference in New Issue View Git Blame Copy Permalink