[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-4eeffe99-2df8-45f9-8987-419bccdafcd8":3,"$fT9OofW8qSv7xB69arSNEy7chgs_wQMqIzj_IVxE7oL8":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"4eeffe99-2df8-45f9-8987-419bccdafcd8","red-team-tools","实施顶级安全研究人员验证的方法论和工具工作流程，以实现有效的侦察、漏洞发现和漏洞赏金狩猎。在保持对攻击面全面覆盖的同时自动化常见任务。","cat_life_career","mod_other","sickn33,other","---\nname: red-team-tools\ndescription: \"Implement proven methodologies and tool workflows from top security researchers for effective reconnaissance, vulnerability discovery, and bug bounty hunting. Automate common tasks while maintaining thorough coverage of attack surfaces.\"\nrisk: offensive\nsource: community\nauthor: zebbern\ndate_added: \"2026-02-27\"\n---\n\n> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.\n\n# Red Team Tools and Methodology\n\n## Purpose\n\nImplement proven methodologies and tool workflows from top security researchers for effective reconnaissance, vulnerability discovery, and bug bounty hunting. Automate common tasks while maintaining thorough coverage of attack surfaces.\n\n## Inputs\u002FPrerequisites\n\n- Target scope definition (domains, IP ranges, applications)\n- Linux-based attack machine (Kali, Ubuntu)\n- Bug bounty program rules and scope\n- Tool dependencies installed (Go, Python, Ruby)\n- API keys for various services (Shodan, Censys, etc.)\n\n## Outputs\u002FDeliverables\n\n- Comprehensive subdomain enumeration\n- Live host discovery and technology fingerprinting\n- Identified vulnerabilities and attack vectors\n- Automated recon pipeline outputs\n- Documented findings for reporting\n\n## Core Workflow\n\n### 1. Project Tracking and Acquisitions\n\nSet up reconnaissance tracking:\n\n```bash\n# Create project structure\nmkdir -p target\u002F{recon,vulns,reports}\ncd target\n\n# Find acquisitions using Crunchbase\n# Search manually for subsidiary companies\n\n# Get ASN for targets\namass intel -org \"Target Company\" -src\n\n# Alternative ASN lookup\ncurl -s \"https:\u002F\u002Fbgp.he.net\u002Fsearch?search=targetcompany&commit=Search\"\n```\n\n### 2. Subdomain Enumeration\n\nComprehensive subdomain discovery:\n\n```bash\n# Create wildcards file\necho \"target.com\" > wildcards\n\n# Run Amass passively\namass enum -passive -d target.com -src -o amass_passive.txt\n\n# Run Amass actively\namass enum -active -d target.com -src -o amass_active.txt\n\n# Use Subfinder\nsubfinder -d target.com -silent -o subfinder.txt\n\n# Asset discovery\ncat wildcards | assetfinder --subs-only | anew domains.txt\n\n# Alternative subdomain tools\nfindomain -t target.com -o\n\n# Generate permutations with dnsgen\ncat domains.txt | dnsgen - | httprobe > permuted.txt\n\n# Combine all sources\ncat amass_*.txt subfinder.txt | sort -u > all_subs.txt\n```\n\n### 3. Live Host Discovery\n\nIdentify responding hosts:\n\n```bash\n# Check which hosts are live with httprobe\ncat domains.txt | httprobe -c 80 --prefer-https | anew hosts.txt\n\n# Use httpx for more details\ncat domains.txt | httpx -title -tech-detect -status-code -o live_hosts.txt\n\n# Alternative with massdns\nmassdns -r resolvers.txt -t A -o S domains.txt > resolved.txt\n```\n\n### 4. Technology Fingerprinting\n\nIdentify technologies for targeted attacks:\n\n```bash\n# Whatweb scanning\nwhatweb -i hosts.txt -a 3 -v > tech_stack.txt\n\n# Nuclei technology detection\nnuclei -l hosts.txt -t technologies\u002F -o tech_nuclei.txt\n\n# Wappalyzer (if available)\n# Browser extension for manual review\n```\n\n### 5. Content Discovery\n\nFind hidden endpoints and files:\n\n```bash\n# Directory bruteforce with ffuf\nffuf -ac -v -u https:\u002F\u002Ftarget.com\u002FFUZZ -w \u002Fusr\u002Fshare\u002Fseclists\u002FDiscovery\u002FWeb-Content\u002Fraft-medium-directories.txt\n\n# Historical URLs from Wayback\nwaybackurls target.com | tee wayback.txt\n\n# Find all URLs with gau\ngau target.com | tee all_urls.txt\n\n# Parameter discovery\ncat all_urls.txt | grep \"=\" | sort -u > params.txt\n\n# Generate custom wordlist from historical data\ncat all_urls.txt | unfurl paths | sort -u > custom_wordlist.txt\n```\n\n### 6. Application Analysis (Jason Haddix Method)\n\n**Heat Map Priority Areas:**\n\n1. **File Uploads** - Test for injection, XXE, SSRF, shell upload\n2. **Content Types** - Filter Burp for multipart forms\n3. **APIs** - Look for hidden methods, lack of auth\n4. **Profile Sections** - Stored XSS, custom fields\n5. **Integrations** - SSRF through third parties\n6. **Error Pages** - Exotic injection points\n\n**Analysis Questions:**\n- How does the app pass data? (Params, API, Hybrid)\n- Where does the app talk about users? (UID, UUID endpoints)\n- Does the site have multi-tenancy or user levels?\n- Does it have a unique threat model?\n- How does the site handle XSS\u002FCSRF?\n- Has the site had past writeups\u002Fexploits?\n\n### 7. Automated XSS Hunting\n\n```bash\n# ParamSpider for parameter extraction\npython3 paramspider.py --domain target.com -o params.txt\n\n# Filter with Gxss\ncat params.txt | Gxss -p test\n\n# Dalfox for XSS testing\ncat params.txt | dalfox pipe --mining-dict params.txt -o xss_results.txt\n\n# Alternative workflow\nwaybackurls target.com | grep \"=\" | qsreplace '\">\u003Cscript>alert(1)\u003C\u002Fscript>' | while read url; do\n    curl -s \"$url\" | grep -q 'alert(1)' && echo \"$url\"\ndone > potential_xss.txt\n```\n\n### 8. Vulnerability Scanning\n\n```bash\n# Nuclei comprehensive scan\nnuclei -l hosts.txt -t ~\u002Fnuclei-templates\u002F -o nuclei_results.txt\n\n# Check for common CVEs\nnuclei -l hosts.txt -t cves\u002F -o cve_results.txt\n\n# Web vulnerabilities\nnuclei -l hosts.txt -t vulnerabilities\u002F -o vuln_results.txt\n```\n\n### 9. API Enumeration\n\n**Wordlists for API fuzzing:**\n\n```bash\n# Enumerate API endpoints\nffuf -u https:\u002F\u002Ftarget.com\u002Fapi\u002FFUZZ -w \u002Fusr\u002Fshare\u002Fseclists\u002FDiscovery\u002FWeb-Content\u002Fapi\u002Fapi-endpoints.txt\n\n# Test API versions\nffuf -u https:\u002F\u002Ftarget.com\u002Fapi\u002Fv1\u002FFUZZ -w api_wordlist.txt\nffuf -u https:\u002F\u002Ftarget.com\u002Fapi\u002Fv2\u002FFUZZ -w api_wordlist.txt\n\n# Check for hidden methods\nfor method in GET POST PUT DELETE PATCH; do\n    curl -X $method https:\u002F\u002Ftarget.com\u002Fapi\u002Fusers -v\ndone\n```\n\n### 10. Automated Recon Script\n\n```bash\n#!\u002Fbin\u002Fbash\ndomain=$1\n\nif [[ -z $domain ]]; then\n    echo \"Usage: .\u002Frecon.sh \u003Cdomain>\"\n    exit 1\nfi\n\nmkdir -p \"$domain\"\n\n# Subdomain enumeration\necho \"[*] Enumerating subdomains...\"\nsubfinder -d \"$domain\" -silent > \"$domain\u002Fsubs.txt\"\n\n# Live host discovery\necho \"[*] Finding live hosts...\"\ncat \"$domain\u002Fsubs.txt\" | httpx -title -tech-detect -status-code > \"$domain\u002Flive.txt\"\n\n# URL collection\necho \"[*] Collecting URLs...\"\ncat \"$domain\u002Flive.txt\" | waybackurls > \"$domain\u002Furls.txt\"\n\n# Nuclei scanning\necho \"[*] Running Nuclei...\"\nnuclei -l \"$domain\u002Flive.txt\" -o \"$domain\u002Fnuclei.txt\"\n\necho \"[+] Recon complete!\"\n```\n\n## Quick Reference\n\n### Essential Tools\n\n| Tool | Purpose |\n|------|---------|\n| Amass | Subdomain enumeration |\n| Subfinder | Fast subdomain discovery |\n| httpx\u002Fhttprobe | Live host detection |\n| ffuf | Content discovery |\n| Nuclei | Vulnerability scanning |\n| Burp Suite | Manual testing |\n| Dalfox | XSS automation |\n| waybackurls | Historical URL mining |\n\n### Key API Endpoints to Check\n\n```\n\u002Fapi\u002Fv1\u002Fusers\n\u002Fapi\u002Fv1\u002Fadmin\n\u002Fapi\u002Fv1\u002Fprofile\n\u002Fapi\u002Fusers\u002Fme\n\u002Fapi\u002Fconfig\n\u002Fapi\u002Fdebug\n\u002Fapi\u002Fswagger\n\u002Fapi\u002Fgraphql\n```\n\n### XSS Filter Testing\n\n```html\n\u003C!-- Test encoding handling -->\n\u003Ch1>\u003Cimg>\u003Ctable>\n\u003Cscript>\n%3Cscript%3E\n%253Cscript%253E\n%26lt;script%26gt;\n```\n\n## Constraints\n\n- Respect program scope boundaries\n- Avoid DoS or fuzzing on production without permission\n- Rate limit requests to avoid blocking\n- Some tools may generate false positives\n- API keys required for full functionality of some tools\n\n## Examples\n\n### Example 1: Quick Subdomain Recon\n\n```bash\nsubfinder -d target.com | httpx -title | tee results.txt\n```\n\n### Example 2: XSS Hunting Pipeline\n\n```bash\nwaybackurls target.com | grep \"=\" | qsreplace \"test\" | httpx -silent | dalfox pipe\n```\n\n### Example 3: Comprehensive Scan\n\n```bash\n# Full recon chain\namass enum -d target.com | httpx | nuclei -t ~\u002Fnuclei-templates\u002F\n```\n\n## Troubleshooting\n\n| Issue | Solution |\n|-------|----------|\n| Rate limited | Use proxy rotation, reduce concurrency |\n| Too many results | Focus on specific technology stacks |\n| False positives | Manually verify findings before reporting |\n| Missing subdomains | Combine multiple enumeration sources |\n| API key errors | Verify keys in config files |\n| Tools not found | Install Go tools with `go install` |\n\n## When to Use\nThis skill is applicable to execute the workflow or actions described in the overview.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,63,1735,"2026-05-16 13:36:53",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"其他","other","mdi-page-next-outline","其他类型Skill",5,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"职场发展","career","mdi-briefcase-outline","面试准备、简历优化、职业规划",4,575,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"d921ade2-8c1e-4328-b258-58dce5ac4fec","1.0.0","red-team-tools.zip",3451,"uploads\u002Fskills\u002F4eeffe99-2df8-45f9-8987-419bccdafcd8\u002Fred-team-tools.zip","4e6f61c97f29747e9cb1405ef30a6b68131884c4e86168402aed7aeb45a4346c","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":8011}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]