creator/Anthropic-Cybersecurity-Skills

Fork 0

mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00

Files

T

mukul975 22a7ab1462 Initial commit - 611 cybersecurity skills across all subdomains

2026-02-25 10:47:44 +01:00

6.6 KiB

Raw Blame History

OSINT Gathering Workflows

Workflow 1: Domain and Infrastructure Reconnaissance

Step 1: Passive DNS and WHOIS

# WHOIS lookup
whois targetdomain.com

# DNS record enumeration
dig targetdomain.com ANY
dig targetdomain.com MX
dig targetdomain.com TXT
dig targetdomain.com NS

# Reverse DNS
dig -x <IP_ADDRESS>

# Zone transfer attempt
dig axfr @ns1.targetdomain.com targetdomain.com

Step 2: Subdomain Enumeration

# Using Subfinder for passive enumeration
subfinder -d targetdomain.com -o subdomains.txt

# Using Amass for comprehensive enumeration
amass enum -passive -d targetdomain.com -o amass_results.txt

# Certificate Transparency log search
curl -s "https://crt.sh/?q=%.targetdomain.com&output=json" | jq -r '.[].name_value' | sort -u

# Using httpx to probe discovered subdomains
cat subdomains.txt | httpx -status-code -title -tech-detect -o live_subdomains.txt

Step 3: IP Range and ASN Discovery

# ASN lookup
whois -h whois.radb.net -- '-i origin AS12345'

# BGP prefix lookup via Hurricane Electric
curl -s "https://bgp.he.net/AS12345#_prefixes"

# Shodan search for organization
shodan search "org:Target Corporation" --fields ip_str,port,product

Step 4: Cloud Asset Discovery

# AWS S3 bucket enumeration
python3 cloud_enum.py -k targetcorp -l cloud_results.txt

# Azure blob storage check
for name in targetcorp targetcorp-dev targetcorp-backup; do
  curl -s -o /dev/null -w "%{http_code}" "https://${name}.blob.core.windows.net/"
done

# GCP bucket check
gsutil ls gs://targetcorp-*

Workflow 2: Personnel Intelligence

Step 1: Employee Enumeration

# theHarvester for email and name harvesting
theHarvester -d targetdomain.com -b all -l 500 -f harvest_results

# LinkedIn enumeration (manual + tools)
# Use LinkedIn search operators:
# site:linkedin.com/in "targetcorp" "security engineer"
# site:linkedin.com/in "targetcorp" "system administrator"

# CrossLinked for LinkedIn name harvesting
python3 crosslinked.py -f '{first}.{last}@targetdomain.com' "Target Corporation"

Step 2: Email Validation

# Verify email format using Hunter.io API
curl "https://api.hunter.io/v2/domain-search?domain=targetdomain.com&api_key=YOUR_KEY"

# SMTP verification (careful - can be logged)
# Use tools like EmailHippo or NeverBounce for passive verification

# Sherlock for username enumeration across platforms
python3 sherlock username --timeout 5 --output sherlock_results.txt

# Social media searching
# Twitter advanced search: from:username targetcorp
# Instagram: #targetcorp
# GitHub: org:targetcorp

Workflow 3: Credential and Data Leak Discovery

Step 1: Breach Database Search

# Have I Been Pwned API check
curl "https://haveibeenpwned.com/api/v3/breachedaccount/user@targetdomain.com" \
  -H "hibp-api-key: YOUR_KEY"

# DeHashed search (requires subscription)
curl "https://api.dehashed.com/search?query=domain:targetdomain.com" \
  -u email:api_key

Step 2: GitHub Secret Scanning

# GitDorker for GitHub dorking
python3 GitDorker.py -tf tokens.txt -d dorks/alldorksv3 -q targetdomain.com

# truffleHog for repository scanning
trufflehog github --org=targetcorp --only-verified

# Manual GitHub dorking
# Search: "targetdomain.com" password
# Search: "targetdomain.com" api_key
# Search: "targetcorp" filename:.env
# Search: "targetcorp" filename:wp-config.php

Step 3: Google Dorking

# Sensitive files
site:targetdomain.com filetype:pdf
site:targetdomain.com filetype:xlsx
site:targetdomain.com filetype:docx confidential

# Configuration files
site:targetdomain.com filetype:xml
site:targetdomain.com filetype:conf
site:targetdomain.com filetype:env

# Login pages and admin panels
site:targetdomain.com inurl:admin
site:targetdomain.com inurl:login
site:targetdomain.com intitle:"index of"

# Error messages with sensitive info
site:targetdomain.com "error" "sql" "syntax"
site:targetdomain.com "php error" "on line"

Workflow 4: Technology Stack Identification

Step 1: Web Technology Fingerprinting

# Wappalyzer CLI
wappalyzer https://targetdomain.com

# WhatWeb for technology identification
whatweb targetdomain.com -v

# Nuclei for technology detection
nuclei -u https://targetdomain.com -t technologies/

Step 2: Service and Version Detection

# Nmap service detection (active - requires authorization)
nmap -sV -sC -p- targetdomain.com -oA nmap_results

# Shodan host lookup
shodan host <IP_ADDRESS>

# Censys host search
censys search "services.tls.certificates.leaf_data.subject.organization:Target Corp"

Step 3: Job Posting Analysis

# Search job boards for technology mentions:
# LinkedIn Jobs: "Target Corporation" AND ("AWS" OR "Azure" OR "GCP")
# Indeed: "Target Corporation" "security" tools
# Glassdoor: Target Corporation technology stack

# Look for mentions of:
# - Cloud platforms (AWS, Azure, GCP)
# - Security tools (CrowdStrike, Carbon Black, Splunk)
# - Development languages and frameworks
# - Network equipment vendors (Cisco, Palo Alto, Fortinet)
# - Identity providers (Okta, Azure AD, Ping Identity)

Workflow 5: Physical Intelligence

Step 1: Location Mapping

# Google Maps reconnaissance:
# - Office locations and building layouts
# - Parking areas and entry points
# - Nearby businesses for staging
# - Delivery entrance locations

# Google Street View:
# - Access control systems (card readers, turnstiles)
# - Security camera locations
# - Badge/lanyard colors and designs
# - Building signage

Step 2: Document Metadata Extraction

# ExifTool for document metadata
exiftool -r -ext pdf -ext docx -ext xlsx ./downloaded_documents/

# FOCA for metadata analysis (Windows)
# Import documents and analyze:
# - Author names and usernames
# - Software versions
# - Internal file paths
# - Printer names and network paths

Workflow 6: OSINT Report Compilation

Report Structure

1. Executive Summary
   - Key findings overview
   - Risk assessment

2. Attack Surface Map
   - External infrastructure diagram
   - Domain and subdomain inventory
   - Exposed services and applications

3. Personnel Intelligence
   - Key personnel profiles
   - Email address list
   - Organizational chart

4. Credential Exposure
   - Breach database findings
   - Leaked secrets and API keys
   - Password pattern analysis

5. Technology Stack
   - Identified technologies and versions
   - Known vulnerabilities for detected versions
   - Security tool coverage gaps

6. Recommended Attack Vectors
   - Prioritized initial access options
   - Social engineering target list
   - Technical vulnerability targets

6.6 KiB Raw Blame History

OSINT Gathering Workflows

Workflow 1: Domain and Infrastructure Reconnaissance

Step 1: Passive DNS and WHOIS

Step 2: Subdomain Enumeration

Step 3: IP Range and ASN Discovery

Step 4: Cloud Asset Discovery

Workflow 2: Personnel Intelligence

Step 1: Employee Enumeration

Step 2: Email Validation

Step 3: Social Media Profiling

Workflow 3: Credential and Data Leak Discovery

Step 1: Breach Database Search

Step 2: GitHub Secret Scanning

Step 3: Google Dorking

Workflow 4: Technology Stack Identification

Step 1: Web Technology Fingerprinting

Step 2: Service and Version Detection

Step 3: Job Posting Analysis

Workflow 5: Physical Intelligence

Step 1: Location Mapping

Step 2: Document Metadata Extraction

Workflow 6: OSINT Report Compilation

Report Structure

6.6 KiB

Raw Blame History