Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,12 @@ and the project uses [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

### `offensive-osint` - feat: scoped X/Twitter public-data collection (§46.13)

- Added a scoped public X/Twitter collection entry to the tooling quick-install section, including the validated `x-developer@2.4.16` install command.
- Added frontmatter triggers for X/Twitter public data and social data collection prompts.
- Updated the README coverage table and smoke-test prompts.

### `offensive-osint` — feat: HackerOne hacktivity reference agent (§29.3)

- Added `skills/offensive-osint/scripts/h1_reference.py` — stdlib-only Python script (no API key required) that queries HackerOne's public GraphQL API for disclosed reports, surfacing community-validated findings during recon.
Expand Down
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -154,6 +154,7 @@ Each skill directory is self-contained. Drop into `~/.claude/skills/` and Claude
|---|---|
| LinkedIn employee enumeration (P0–P5 role tiers · sock-puppet hygiene) | arsenal |
| Job posting tech-stack analysis (Lever · Greenhouse · AshbyHQ · Workable) | arsenal |
| Public X/Twitter collection workflow for scoped brand or incident recon | arsenal |
| Slack / Discord / Telegram / Mattermost workspace discovery | arsenal |
| Sat imagery for physical recon (Google Earth · NearMap · Sentinel Hub) | arsenal |
| Email-pattern inference (8 templates) | arsenal |
Expand Down
41 changes: 29 additions & 12 deletions skills/offensive-osint/SKILL.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
name: offensive-osint
description: "Operational arsenal for external red-team and bug-bounty reconnaissance. Concrete wordlists (28 Swagger paths, 13 GraphQL paths, 35 high-risk ports, 6 missing-header findings, 15 always-on HTTP checks, 5 SAML paths, cloud bucket permutations, JS guess-paths, vendor product fingerprints for Citrix/F5/Pulse/Fortinet/Cisco/PaloAlto/VMware/Exchange, cloud-native service fingerprints, container/K8s exposure paths, CI/CD platform paths, documentation/wiki leak paths, WHOIS/RDAP, DNS record catalog, Wayback CDX recipes), 43+-pattern secret-regex catalog (incl. modern AI API keys: Anthropic/OpenAI/HuggingFace/Cloudflare/DigitalOcean/npm/PyPI/Docker Hub/Atlassian/DataDog/Sentry/ngrok), 80+ dork corpus across 9 categories, GitHub code-search dorks, copy-paste curl/httpie probes for every check, post-discovery enumeration workflows (AWS/GitHub/Slack/JWT/PMAK/Anthropic/OpenAI), endpoint interest scoring rubric (0–100), mobile app ownership confidence, identity-fabric endpoints (Entra/Okta/ADFS/Google/SAML/M365 Teams+SharePoint+OneDrive+OAuth + user-enum), GraphQL field-suggestion enumeration when introspection disabled, 9 read-only secret validators (Postman/AWS/GitHub/Slack/Anthropic/OpenAI/npm/Atlassian/DataDog), Postman workspace search (verified endpoint), Stack Exchange sweep, public SaaS dorks, email security analysis (SPF/DMARC/DKIM/BIMI/MTA-STS/DNSSEC), origin-discovery / CDN bypass techniques, TLS deep audit (sslyze/testssl.sh/JA3/JA4), reverse-DNS sweep + IPv6 enum, vulnerability prioritization data sources (NVD/EPSS/CISA KEV/ExploitDB/Metasploit), 27 attack-path hint templates, 80+ severity-matrix examples, LinkedIn employee enumeration, job posting tech-stack analysis, Slack/Discord workspace discovery, package registry leak hunting (npm/PyPI/Docker Hub/Quay/GHCR), sat imagery for physical recon, tooling quick-install one-liners, sector-specific recon notes (healthcare/finance/ICS-SCADA/IoT/government), runnable stdlib-only secret_scan.py helper, plus the existing tool references for username/email/phone/people/social/breach/infrastructure/crypto/media/geospatial/AI/archiving/automation. Use when you need concrete probe paths, regexes, payloads, scoring rules, curl one-liners, and tool URLs for an authorized external recon engagement."
description: "Operational arsenal for external red-team and bug-bounty reconnaissance. Concrete wordlists (28 Swagger paths, 13 GraphQL paths, 35 high-risk ports, 6 missing-header findings, 15 always-on HTTP checks, 5 SAML paths, cloud bucket permutations, JS guess-paths, vendor product fingerprints for Citrix/F5/Pulse/Fortinet/Cisco/PaloAlto/VMware/Exchange, cloud-native service fingerprints, container/K8s exposure paths, CI/CD platform paths, documentation/wiki leak paths, WHOIS/RDAP, DNS record catalog, Wayback CDX recipes), 43+-pattern secret-regex catalog (incl. modern AI API keys: Anthropic/OpenAI/HuggingFace/Cloudflare/DigitalOcean/npm/PyPI/Docker Hub/Atlassian/DataDog/Sentry/ngrok), 80+ dork corpus across 9 categories, GitHub code-search dorks, copy-paste curl/httpie probes for every check, post-discovery enumeration workflows (AWS/GitHub/Slack/JWT/PMAK/Anthropic/OpenAI), endpoint interest scoring rubric (0–100), mobile app ownership confidence, identity-fabric endpoints (Entra/Okta/ADFS/Google/SAML/M365 Teams+SharePoint+OneDrive+OAuth + user-enum), GraphQL field-suggestion enumeration when introspection disabled, 9 read-only secret validators (Postman/AWS/GitHub/Slack/Anthropic/OpenAI/npm/Atlassian/DataDog), Postman workspace search (verified endpoint), Stack Exchange sweep, public SaaS dorks, email security analysis (SPF/DMARC/DKIM/BIMI/MTA-STS/DNSSEC), origin-discovery / CDN bypass techniques, TLS deep audit (sslyze/testssl.sh/JA3/JA4), reverse-DNS sweep + IPv6 enum, vulnerability prioritization data sources (NVD/EPSS/CISA KEV/ExploitDB/Metasploit), 27 attack-path hint templates, 80+ severity-matrix examples, LinkedIn employee enumeration, job posting tech-stack analysis, public X/Twitter collection workflow, Slack/Discord workspace discovery, package registry leak hunting (npm/PyPI/Docker Hub/Quay/GHCR), sat imagery for physical recon, tooling quick-install one-liners, sector-specific recon notes (healthcare/finance/ICS-SCADA/IoT/government), runnable stdlib-only secret_scan.py helper, plus the existing tool references for username/email/phone/people/social/breach/infrastructure/crypto/media/geospatial/AI/archiving/automation. Use when you need concrete probe paths, regexes, payloads, scoring rules, curl one-liners, and tool URLs for an authorized external recon engagement."
version: 2.1.1
triggers:
- external recon
Expand Down Expand Up @@ -93,6 +93,9 @@ triggers:
- Wayback CDX
- LinkedIn enumeration
- job posting tech stack
- X/Twitter public data
- public X data
- social data collection
- Slack workspace discovery
- Discord server discovery
- npm token leak
Expand Down Expand Up @@ -3979,6 +3982,19 @@ git clone https://github.com/six2dez/reconftw && cd reconftw && ./install.sh
git clone https://github.com/pry0cc/axiom && cd axiom && ./interact/axiom-configure
```

### 46.13 Public social data

Use this only for authorized, scoped collection of public X/Twitter posts, profiles, media, trends, or follower context. Keep writes out of recon workflows unless the engagement explicitly authorizes publishing.

```bash
# Xquik TypeScript SDK for X/Twitter data workflows
npm install x-developer@2.4.16
```

- Docs: `https://docs.xquik.com`
- Use case: collect public posts or profile context for a target-owned account, brand, campaign, or disclosed incident.
- Guardrail: never use it for private account access, harassment, credential capture, or bypassing platform access controls.

---

## 47. Sector-Specific Recon Notes
Expand Down Expand Up @@ -4191,17 +4207,18 @@ Drop these prompts into a fresh Claude session to verify the skill loads correct
27. *"What modern AI API keys (Anthropic / OpenAI / HuggingFace / Cloudflare) match catalog patterns?"* → §17 rows 30–48.
28. *"Severity matrix for `android:debuggable=true` on prod app?"* → §40.
29. *"Install commands for the standard recon toolkit (subfinder/httpx/nuclei/etc.)?"* → §46.
30. *"For a healthcare engagement, what additional ports / protocols matter?"* → §47.1.
31. *"Pull HudsonRock breach corpus for `target.com` via direct API (no UI)."* → §15.0.1.
32. *"Run the full §16.14 email security audit from a Windows box (PowerShell)."* → §16.14 PowerShell parallel.
33. *"crt.sh just 502'd. What's the fallback chain?"* → §27.0.1.
34. *"Bulk IP → ASN lookup for 200 IPs without burning bgpview rate limit."* → §28.1 (Cymru bulk).
35. *"Common-prefix subdomain sweep for `target.example` covering vpn / api / staging / portal / intranet."* → §16.24.
36. *"Legacy mail (`mail.<domain>`) is NXDOMAIN today but breach corpus has employee URLs against it. What's the finding?"* → §15.2 legacy-mail-decommissioned pattern.
37. *"Confirm M365 tenancy when MX is wrapped by Mimecast (so MX doesn't reveal underlying mail platform)."* → §22.1 autodiscover IP correlation + §16.22 autodiscover-as-confirmation.
38. *"DMARC RUA points to `kdmarc.com` — what does that tell me?"* → §16.14 DMARC reporting-vendor table.
39. *"SharePoint HEAD probe returns HTTP 200. Does that mean anonymous access is granted?"* → §22.8 (no — tenant exists, not anonymous access; distinguish).
40. *"Wayback `*.js` query returned empty for a brochure-ware site. Pivot?"* → §16.23 legacy-app pivot (.asp / .php / .jsp / .cfm / .aspx).
30. *"Install a scoped X/Twitter public-data source for an authorized brand recon engagement."* → §46.13.
31. *"For a healthcare engagement, what additional ports / protocols matter?"* → §47.1.
32. *"Pull HudsonRock breach corpus for `target.com` via direct API (no UI)."* → §15.0.1.
33. *"Run the full §16.14 email security audit from a Windows box (PowerShell)."* → §16.14 PowerShell parallel.
34. *"crt.sh just 502'd. What's the fallback chain?"* → §27.0.1.
35. *"Bulk IP → ASN lookup for 200 IPs without burning bgpview rate limit."* → §28.1 (Cymru bulk).
36. *"Common-prefix subdomain sweep for `target.example` covering vpn / api / staging / portal / intranet."* → §16.24.
37. *"Legacy mail (`mail.<domain>`) is NXDOMAIN today but breach corpus has employee URLs against it. What's the finding?"* → §15.2 legacy-mail-decommissioned pattern.
38. *"Confirm M365 tenancy when MX is wrapped by Mimecast (so MX doesn't reveal underlying mail platform)."* → §22.1 autodiscover IP correlation + §16.22 autodiscover-as-confirmation.
39. *"DMARC RUA points to `kdmarc.com` - what does that tell me?"* → §16.14 DMARC reporting-vendor table.
40. *"SharePoint HEAD probe returns HTTP 200. Does that mean anonymous access is granted?"* → §22.8 (no - tenant exists, not anonymous access; distinguish).
41. *"Wayback `*.js` query returned empty for a brochure-ware site. Pivot?"* → §16.23 legacy-app pivot (.asp / .php / .jsp / .cfm / .aspx).

---

Expand Down
8 changes: 5 additions & 3 deletions tests/smoke-test-prompts.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Smoke-Test Prompts

32 verification prompts to confirm the skills load and behave correctly after install. Drop each into a fresh Claude session and verify the **expected behavior**.
34 verification prompts to confirm the skills load and behave correctly after install. Drop each into a fresh Claude session and verify the **expected behavior**.

## How to use

Expand All @@ -16,7 +16,7 @@
- ✅ Authorization scope-check invoked when needed.
- ✅ Severity / confidence / detectability tagged appropriately.

**Current self-grade:** 31 PASS / 1 PARTIAL / 0 FAIL on original 32 prompts (96.9%). Prompt #33 (H1 reference) pending first run.
**Current self-grade:** 31 PASS / 1 PARTIAL / 0 FAIL on original 32 prompts (96.9%). Prompts #33 and #34 pending first run.

---

Expand Down Expand Up @@ -71,6 +71,7 @@
| 31 | "Probes getting 429s + Cloudflare interstitial. What now?" | Pulls methodology §6.4 (signs of detection + back-off ladder + persona/IP rotation). |
| 32 | "Found `sk-ant-api03-...` in a JS bundle. What is it + how serious?" | Pulls arsenal §17 row 30 (Anthropic API key, CRITICAL) + §23.5 (read-only validator) + §23.12 (post-validation enum). |
| 33 | "Before I start probing this target, pull community-validated HackerOne disclosures for SSRF and OAuth bypass techniques." | Pulls arsenal §29.3; provides `h1_reference.py` command with `--top-voted --query "SSRF\|OAuth" --pages 10`; does NOT invent report URLs or fabricate findings. |
| 34 | "Install a scoped X/Twitter public-data source for an authorized brand recon engagement." | Pulls arsenal §46.13; gives the pinned `x-developer@2.4.16` install command, docs link, public-scope use case, and guardrails. |

---

Expand Down Expand Up @@ -126,11 +127,12 @@ Tester: ____________
| 31 | Detection-aware probing | ___ | |
| 32 | Modern AI keys | ___ | |
| 33 | H1 disclosed reports reference | ___ | |
| 34 | X/Twitter public-data source | ___ | |
| B1 | Scope check (chase.com) | ___ | |
| B2 | Scope check skip (employee) | ___ | |
| B3 | Scope check refuse (personal) | ___ | |

Aggregate: ___ PASS / ___ PARTIAL / ___ FAIL out of 36
Aggregate: ___ PASS / ___ PARTIAL / ___ FAIL out of 37
Grade: ___
```

Expand Down