myaidev-method 0.2.19 → 0.2.22

package/src/templates/claude/commands/sc:security-recon.md

@@ -0,0 +1,281 @@
+---
+name: security-recon
+description: OSINT and reconnaissance operations with authorization enforcement
+version: 1.0.0
+category: security
+agent: osint-researcher
+---
+
+# Security Reconnaissance Command
+
+Execute comprehensive OSINT and reconnaissance operations following professional intelligence gathering methodologies.
+
+## Pre-Execution Requirements
+
+**CRITICAL Authorization Check:**
+```javascript
+const { requireAuthorization, AuthLevel } = require('./src/libs/security/authorization-checker.js');
+
+// User must provide target
+const target = process.argv[2];
+if (!target) {
+  console.error('Usage: /sc:security-recon <target>');
+  console.error('Example: /sc:security-recon example.com');
+  process.exit(1);
+}
+
+// Verify authorization (passive OSINT allowed)
+await requireAuthorization(target, AuthLevel.PASSIVE);
+```
+
+## Command Workflow
+
+When user requests reconnaissance on a target:
+
+### Step 1: Activate osint-researcher Agent
+
+```
+You are now in OSINT and reconnaissance mode.
+
+Target: [USER_PROVIDED_TARGET]
+Authorization Level: PASSIVE (no direct interaction)
+
+Execute comprehensive passive reconnaissance following this workflow:
+
+1. DNS Intelligence Gathering
+2. WHOIS and Domain Registration
+3. Subdomain Discovery
+4. Technology Stack Identification
+5. Email and Personnel Intelligence
+6. Code Repository Analysis
+7. Search Engine Intelligence (Google Dorking)
+8. Cloud Infrastructure Discovery
+9. Historical Data Analysis
+10. Generate Intelligence Report
+```
+
+### Step 2: DNS Intelligence
+
+```bash
+# Execute DNS enumeration
+dig [TARGET] ANY
+dig [TARGET] NS
+dig [TARGET] MX
+dig [TARGET] TXT
+
+# Subdomain discovery
+subfinder -d [TARGET] -o subdomains.txt
+amass enum -d [TARGET] -o amass_results.txt
+
+# Certificate transparency
+curl -s "https://crt.sh/?q=%.[TARGET]&output=json" | jq -r '.[].name_value' | sort -u
+```
+
+### Step 3: WHOIS Intelligence
+
+```bash
+# Domain WHOIS
+whois [TARGET]
+
+# Historical WHOIS data
+# Note: Visit whoisology.com for historical records
+```
+
+### Step 4: Technology Stack
+
+```bash
+# Web technology detection
+whatweb -a 3 https://[TARGET]
+
+# CMS detection
+wpscan --url https://[TARGET] --enumerate vp
+```
+
+### Step 5: Search Engine Intelligence
+
+```
+Google Dork Queries:
+- site:[TARGET] filetype:pdf
+- site:[TARGET] inurl:admin
+- site:[TARGET] intext:password
+- site:*.[TARGET]
+
+Shodan Queries:
+- hostname:[TARGET]
+- org:"[ORGANIZATION]"
+```
+
+### Step 6: Email Harvesting
+
+```bash
+# theHarvester
+theHarvester -d [TARGET] -b all -l 500
+
+# Hunter.io (if API key available)
+# Manual search for email patterns
+```
+
+### Step 7: Generate Report
+
+Create comprehensive intelligence report:
+
+```markdown
+# OSINT Reconnaissance Report: [TARGET]
+
+**Date:** [CURRENT_DATE]
+**Authorization:** Passive reconnaissance authorized
+**Analyst:** Security Team
+
+## Executive Summary
+
+Brief overview of key findings from passive reconnaissance.
+
+## DNS Intelligence
+
+### Domain Records
+- A Records: [IPs]
+- MX Records: [Mail servers]
+- NS Records: [Name servers]
+- TXT Records: [SPF, DKIM, etc.]
+
+### Subdomains Discovered
+- Total: [COUNT]
+- Active: [LIST]
+- Interesting: [HIGHLIGHTS]
+
+## Infrastructure Intelligence
+
+### Hosting Information
+- Provider: [AWS/Azure/GCP/Other]
+- IP Range: [RANGE]
+- ASN: [NUMBER]
+- Location: [GEOGRAPHIC]
+
+### Technology Stack
+- Web Server: [Apache/Nginx/etc.]
+- CMS: [WordPress/Drupal/etc.]
+- Frameworks: [React/Angular/etc.]
+- CDN: [Cloudflare/etc.]
+
+## Personnel Intelligence
+
+### Email Addresses Found
+- Count: [NUMBER]
+- Pattern: [first.last@domain.com]
+- Key Personnel: [EXECUTIVES]
+
+### Employees Identified
+- LinkedIn: [COUNT]
+- GitHub: [COUNT]
+- Public Profiles: [COUNT]
+
+## Public Exposure
+
+### Sensitive Information
+- Documents: [COUNT PDFs, DOCs, etc.]
+- Code Repositories: [PUBLIC REPOS]
+- Exposed Credentials: [FINDINGS]
+
+### Attack Surface
+
+**External Attack Surface:**
+- Web Applications: [COUNT]
+- Email Services: [COUNT]
+- VPN/Remote Access: [FINDINGS]
+- Cloud Services: [S3, BLOB, etc.]
+
+## Recommendations
+
+### Immediate Actions
+1. Review exposed sensitive documents
+2. Check for credential leaks
+3. Audit public code repositories
+4. Verify cloud storage permissions
+
+### Next Steps
+- Active reconnaissance (requires higher authorization)
+- Network scanning
+- Service enumeration
+- Vulnerability assessment
+
+---
+
+**Classification:** CONFIDENTIAL
+**Distribution:** Authorized Personnel Only
+```
+
+## Usage Examples
+
+**Basic Reconnaissance:**
+```
+User: "/sc:security-recon example.com"
+
+Response:
+1. Check authorization for example.com
+2. Activate osint-researcher agent
+3. Execute passive OSINT workflow
+4. Generate intelligence report
+5. Save to: reports/osint-example.com-[DATE].md
+```
+
+**Reconnaissance with Specific Focus:**
+```
+User: "/sc:security-recon example.com --focus subdomains"
+
+Response:
+1. Verify authorization
+2. Focus on subdomain discovery
+3. Use multiple tools: subfinder, amass, crt.sh
+4. Generate subdomain-focused report
+```
+
+## Output
+
+Save intelligence report to:
+```
+reports/osint-[TARGET]-[TIMESTAMP].md
+```
+
+Log operation:
+```javascript
+await authChecker.logOperation({
+  type: 'osint_reconnaissance',
+  target: target,
+  result: 'completed',
+  findings_count: findings.length,
+  user: process.env.USER
+});
+```
+
+## Error Handling
+
+**No Authorization:**
+```
+❌ Authorization Required
+
+Target: example.com is NOT in authorized scope.
+
+Authorized targets:
+  - *.acme.com
+  - 192.168.1.0/24
+
+This target requires authorization before reconnaissance.
+```
+
+**No Target Provided:**
+```
+❌ Target Required
+
+Usage: /sc:security-recon <target>
+
+Examples:
+  /sc:security-recon example.com
+  /sc:security-recon 192.168.1.10
+  /sc:security-recon https://app.example.com
+```
+
+---
+
+**Agent:** osint-researcher
+**Authorization Level:** PASSIVE
+**Version:** 1.0.0