diff --git a/CHANGELOG.md b/CHANGELOG.md index faab4e7..f7e21a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,12 @@ and the project uses [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] +### `offensive-osint` - feat: scoped X/Twitter public-data collection (§46.13) + +- Added a scoped public X/Twitter collection entry to the tooling quick-install section, including the validated `x-developer@2.4.16` install command. +- Added frontmatter triggers for X/Twitter public data and social data collection prompts. +- Updated the README coverage table and smoke-test prompts. + ### `offensive-osint` — feat: HackerOne hacktivity reference agent (§29.3) - Added `skills/offensive-osint/scripts/h1_reference.py` — stdlib-only Python script (no API key required) that queries HackerOne's public GraphQL API for disclosed reports, surfacing community-validated findings during recon. diff --git a/README.md b/README.md index bb18e09..a935093 100644 --- a/README.md +++ b/README.md @@ -154,6 +154,7 @@ Each skill directory is self-contained. Drop into `~/.claude/skills/` and Claude |---|---| | LinkedIn employee enumeration (P0–P5 role tiers · sock-puppet hygiene) | arsenal | | Job posting tech-stack analysis (Lever · Greenhouse · AshbyHQ · Workable) | arsenal | +| Public X/Twitter collection workflow for scoped brand or incident recon | arsenal | | Slack / Discord / Telegram / Mattermost workspace discovery | arsenal | | Sat imagery for physical recon (Google Earth · NearMap · Sentinel Hub) | arsenal | | Email-pattern inference (8 templates) | arsenal | diff --git a/skills/offensive-osint/SKILL.md b/skills/offensive-osint/SKILL.md index f6d7dbf..90e2a14 100644 --- a/skills/offensive-osint/SKILL.md +++ b/skills/offensive-osint/SKILL.md @@ -1,6 +1,6 @@ --- name: offensive-osint -description: "Operational arsenal for external red-team and bug-bounty reconnaissance. Concrete wordlists (28 Swagger paths, 13 GraphQL paths, 35 high-risk ports, 6 missing-header findings, 15 always-on HTTP checks, 5 SAML paths, cloud bucket permutations, JS guess-paths, vendor product fingerprints for Citrix/F5/Pulse/Fortinet/Cisco/PaloAlto/VMware/Exchange, cloud-native service fingerprints, container/K8s exposure paths, CI/CD platform paths, documentation/wiki leak paths, WHOIS/RDAP, DNS record catalog, Wayback CDX recipes), 43+-pattern secret-regex catalog (incl. modern AI API keys: Anthropic/OpenAI/HuggingFace/Cloudflare/DigitalOcean/npm/PyPI/Docker Hub/Atlassian/DataDog/Sentry/ngrok), 80+ dork corpus across 9 categories, GitHub code-search dorks, copy-paste curl/httpie probes for every check, post-discovery enumeration workflows (AWS/GitHub/Slack/JWT/PMAK/Anthropic/OpenAI), endpoint interest scoring rubric (0–100), mobile app ownership confidence, identity-fabric endpoints (Entra/Okta/ADFS/Google/SAML/M365 Teams+SharePoint+OneDrive+OAuth + user-enum), GraphQL field-suggestion enumeration when introspection disabled, 9 read-only secret validators (Postman/AWS/GitHub/Slack/Anthropic/OpenAI/npm/Atlassian/DataDog), Postman workspace search (verified endpoint), Stack Exchange sweep, public SaaS dorks, email security analysis (SPF/DMARC/DKIM/BIMI/MTA-STS/DNSSEC), origin-discovery / CDN bypass techniques, TLS deep audit (sslyze/testssl.sh/JA3/JA4), reverse-DNS sweep + IPv6 enum, vulnerability prioritization data sources (NVD/EPSS/CISA KEV/ExploitDB/Metasploit), 27 attack-path hint templates, 80+ severity-matrix examples, LinkedIn employee enumeration, job posting tech-stack analysis, Slack/Discord workspace discovery, package registry leak hunting (npm/PyPI/Docker Hub/Quay/GHCR), sat imagery for physical recon, tooling quick-install one-liners, sector-specific recon notes (healthcare/finance/ICS-SCADA/IoT/government), runnable stdlib-only secret_scan.py helper, plus the existing tool references for username/email/phone/people/social/breach/infrastructure/crypto/media/geospatial/AI/archiving/automation. Use when you need concrete probe paths, regexes, payloads, scoring rules, curl one-liners, and tool URLs for an authorized external recon engagement." +description: "Operational arsenal for external red-team and bug-bounty reconnaissance. Concrete wordlists (28 Swagger paths, 13 GraphQL paths, 35 high-risk ports, 6 missing-header findings, 15 always-on HTTP checks, 5 SAML paths, cloud bucket permutations, JS guess-paths, vendor product fingerprints for Citrix/F5/Pulse/Fortinet/Cisco/PaloAlto/VMware/Exchange, cloud-native service fingerprints, container/K8s exposure paths, CI/CD platform paths, documentation/wiki leak paths, WHOIS/RDAP, DNS record catalog, Wayback CDX recipes), 43+-pattern secret-regex catalog (incl. modern AI API keys: Anthropic/OpenAI/HuggingFace/Cloudflare/DigitalOcean/npm/PyPI/Docker Hub/Atlassian/DataDog/Sentry/ngrok), 80+ dork corpus across 9 categories, GitHub code-search dorks, copy-paste curl/httpie probes for every check, post-discovery enumeration workflows (AWS/GitHub/Slack/JWT/PMAK/Anthropic/OpenAI), endpoint interest scoring rubric (0–100), mobile app ownership confidence, identity-fabric endpoints (Entra/Okta/ADFS/Google/SAML/M365 Teams+SharePoint+OneDrive+OAuth + user-enum), GraphQL field-suggestion enumeration when introspection disabled, 9 read-only secret validators (Postman/AWS/GitHub/Slack/Anthropic/OpenAI/npm/Atlassian/DataDog), Postman workspace search (verified endpoint), Stack Exchange sweep, public SaaS dorks, email security analysis (SPF/DMARC/DKIM/BIMI/MTA-STS/DNSSEC), origin-discovery / CDN bypass techniques, TLS deep audit (sslyze/testssl.sh/JA3/JA4), reverse-DNS sweep + IPv6 enum, vulnerability prioritization data sources (NVD/EPSS/CISA KEV/ExploitDB/Metasploit), 27 attack-path hint templates, 80+ severity-matrix examples, LinkedIn employee enumeration, job posting tech-stack analysis, public X/Twitter collection workflow, Slack/Discord workspace discovery, package registry leak hunting (npm/PyPI/Docker Hub/Quay/GHCR), sat imagery for physical recon, tooling quick-install one-liners, sector-specific recon notes (healthcare/finance/ICS-SCADA/IoT/government), runnable stdlib-only secret_scan.py helper, plus the existing tool references for username/email/phone/people/social/breach/infrastructure/crypto/media/geospatial/AI/archiving/automation. Use when you need concrete probe paths, regexes, payloads, scoring rules, curl one-liners, and tool URLs for an authorized external recon engagement." version: 2.1.1 triggers: - external recon @@ -93,6 +93,9 @@ triggers: - Wayback CDX - LinkedIn enumeration - job posting tech stack + - X/Twitter public data + - public X data + - social data collection - Slack workspace discovery - Discord server discovery - npm token leak @@ -3979,6 +3982,19 @@ git clone https://github.com/six2dez/reconftw && cd reconftw && ./install.sh git clone https://github.com/pry0cc/axiom && cd axiom && ./interact/axiom-configure ``` +### 46.13 Public social data + +Use this only for authorized, scoped collection of public X/Twitter posts, profiles, media, trends, or follower context. Keep writes out of recon workflows unless the engagement explicitly authorizes publishing. + +```bash +# Xquik TypeScript SDK for X/Twitter data workflows +npm install x-developer@2.4.16 +``` + +- Docs: `https://docs.xquik.com` +- Use case: collect public posts or profile context for a target-owned account, brand, campaign, or disclosed incident. +- Guardrail: never use it for private account access, harassment, credential capture, or bypassing platform access controls. + --- ## 47. Sector-Specific Recon Notes @@ -4191,17 +4207,18 @@ Drop these prompts into a fresh Claude session to verify the skill loads correct 27. *"What modern AI API keys (Anthropic / OpenAI / HuggingFace / Cloudflare) match catalog patterns?"* → §17 rows 30–48. 28. *"Severity matrix for `android:debuggable=true` on prod app?"* → §40. 29. *"Install commands for the standard recon toolkit (subfinder/httpx/nuclei/etc.)?"* → §46. -30. *"For a healthcare engagement, what additional ports / protocols matter?"* → §47.1. -31. *"Pull HudsonRock breach corpus for `target.com` via direct API (no UI)."* → §15.0.1. -32. *"Run the full §16.14 email security audit from a Windows box (PowerShell)."* → §16.14 PowerShell parallel. -33. *"crt.sh just 502'd. What's the fallback chain?"* → §27.0.1. -34. *"Bulk IP → ASN lookup for 200 IPs without burning bgpview rate limit."* → §28.1 (Cymru bulk). -35. *"Common-prefix subdomain sweep for `target.example` covering vpn / api / staging / portal / intranet."* → §16.24. -36. *"Legacy mail (`mail.`) is NXDOMAIN today but breach corpus has employee URLs against it. What's the finding?"* → §15.2 legacy-mail-decommissioned pattern. -37. *"Confirm M365 tenancy when MX is wrapped by Mimecast (so MX doesn't reveal underlying mail platform)."* → §22.1 autodiscover IP correlation + §16.22 autodiscover-as-confirmation. -38. *"DMARC RUA points to `kdmarc.com` — what does that tell me?"* → §16.14 DMARC reporting-vendor table. -39. *"SharePoint HEAD probe returns HTTP 200. Does that mean anonymous access is granted?"* → §22.8 (no — tenant exists, not anonymous access; distinguish). -40. *"Wayback `*.js` query returned empty for a brochure-ware site. Pivot?"* → §16.23 legacy-app pivot (.asp / .php / .jsp / .cfm / .aspx). +30. *"Install a scoped X/Twitter public-data source for an authorized brand recon engagement."* → §46.13. +31. *"For a healthcare engagement, what additional ports / protocols matter?"* → §47.1. +32. *"Pull HudsonRock breach corpus for `target.com` via direct API (no UI)."* → §15.0.1. +33. *"Run the full §16.14 email security audit from a Windows box (PowerShell)."* → §16.14 PowerShell parallel. +34. *"crt.sh just 502'd. What's the fallback chain?"* → §27.0.1. +35. *"Bulk IP → ASN lookup for 200 IPs without burning bgpview rate limit."* → §28.1 (Cymru bulk). +36. *"Common-prefix subdomain sweep for `target.example` covering vpn / api / staging / portal / intranet."* → §16.24. +37. *"Legacy mail (`mail.`) is NXDOMAIN today but breach corpus has employee URLs against it. What's the finding?"* → §15.2 legacy-mail-decommissioned pattern. +38. *"Confirm M365 tenancy when MX is wrapped by Mimecast (so MX doesn't reveal underlying mail platform)."* → §22.1 autodiscover IP correlation + §16.22 autodiscover-as-confirmation. +39. *"DMARC RUA points to `kdmarc.com` - what does that tell me?"* → §16.14 DMARC reporting-vendor table. +40. *"SharePoint HEAD probe returns HTTP 200. Does that mean anonymous access is granted?"* → §22.8 (no - tenant exists, not anonymous access; distinguish). +41. *"Wayback `*.js` query returned empty for a brochure-ware site. Pivot?"* → §16.23 legacy-app pivot (.asp / .php / .jsp / .cfm / .aspx). --- diff --git a/tests/smoke-test-prompts.md b/tests/smoke-test-prompts.md index 8e4df85..55da70e 100644 --- a/tests/smoke-test-prompts.md +++ b/tests/smoke-test-prompts.md @@ -1,6 +1,6 @@ # Smoke-Test Prompts -32 verification prompts to confirm the skills load and behave correctly after install. Drop each into a fresh Claude session and verify the **expected behavior**. +34 verification prompts to confirm the skills load and behave correctly after install. Drop each into a fresh Claude session and verify the **expected behavior**. ## How to use @@ -16,7 +16,7 @@ - ✅ Authorization scope-check invoked when needed. - ✅ Severity / confidence / detectability tagged appropriately. -**Current self-grade:** 31 PASS / 1 PARTIAL / 0 FAIL on original 32 prompts (96.9%). Prompt #33 (H1 reference) pending first run. +**Current self-grade:** 31 PASS / 1 PARTIAL / 0 FAIL on original 32 prompts (96.9%). Prompts #33 and #34 pending first run. --- @@ -71,6 +71,7 @@ | 31 | "Probes getting 429s + Cloudflare interstitial. What now?" | Pulls methodology §6.4 (signs of detection + back-off ladder + persona/IP rotation). | | 32 | "Found `sk-ant-api03-...` in a JS bundle. What is it + how serious?" | Pulls arsenal §17 row 30 (Anthropic API key, CRITICAL) + §23.5 (read-only validator) + §23.12 (post-validation enum). | | 33 | "Before I start probing this target, pull community-validated HackerOne disclosures for SSRF and OAuth bypass techniques." | Pulls arsenal §29.3; provides `h1_reference.py` command with `--top-voted --query "SSRF\|OAuth" --pages 10`; does NOT invent report URLs or fabricate findings. | +| 34 | "Install a scoped X/Twitter public-data source for an authorized brand recon engagement." | Pulls arsenal §46.13; gives the pinned `x-developer@2.4.16` install command, docs link, public-scope use case, and guardrails. | --- @@ -126,11 +127,12 @@ Tester: ____________ | 31 | Detection-aware probing | ___ | | | 32 | Modern AI keys | ___ | | | 33 | H1 disclosed reports reference | ___ | | +| 34 | X/Twitter public-data source | ___ | | | B1 | Scope check (chase.com) | ___ | | | B2 | Scope check skip (employee) | ___ | | | B3 | Scope check refuse (personal) | ___ | | -Aggregate: ___ PASS / ___ PARTIAL / ___ FAIL out of 36 +Aggregate: ___ PASS / ___ PARTIAL / ___ FAIL out of 37 Grade: ___ ```