rtexit-method 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +2 -5
- package/packaged-assets/.agents/skills/rt-active-recon/SKILL.md +767 -0
- package/packaged-assets/.agents/skills/rt-active-recon/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/customize.toml +76 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/customize.toml +67 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/customize.toml +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/SKILL.md +476 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/SKILL.md +1209 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/template.md +62 -0
- package/packaged-assets/.agents/skills/rt-autodoc/SKILL.md +258 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/SKILL.md +1072 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-compliance-mapper/SKILL.md +773 -0
- package/packaged-assets/.agents/skills/rt-create-sead/SKILL.md +74 -0
- package/packaged-assets/.agents/skills/rt-create-sead/template.md +89 -0
- package/packaged-assets/.agents/skills/rt-create-sead/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-credential-access/SKILL.md +756 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/SKILL.md +856 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/SKILL.md +542 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/cvss4-matrix.csv +20 -0
- package/packaged-assets/.agents/skills/rt-data-exfiltration/SKILL.md +784 -0
- package/packaged-assets/.agents/skills/rt-defense-evasion/SKILL.md +987 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/SKILL.md +712 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/template.md +31 -0
- package/packaged-assets/.agents/skills/rt-executive-report/SKILL.md +718 -0
- package/packaged-assets/.agents/skills/rt-executive-report/template.md +38 -0
- package/packaged-assets/.agents/skills/rt-executive-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/SKILL.md +1078 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/ad-checklist.csv +12 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/SKILL.md +1329 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/masvs-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/SKILL.md +1547 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/SKILL.md +1949 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-bec/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/SKILL.md +865 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-azure/SKILL.md +1258 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-gcp/SKILL.md +981 -0
- package/packaged-assets/.agents/skills/rt-exploit-containers/SKILL.md +55 -0
- package/packaged-assets/.agents/skills/rt-exploit-databases/SKILL.md +1374 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-mac/SKILL.md +834 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/SKILL.md +903 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-dotnet/SKILL.md +945 -0
- package/packaged-assets/.agents/skills/rt-exploit-elasticsearch/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/SKILL.md +1023 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/SKILL.md +1576 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/payloads/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-firebase/SKILL.md +54 -0
- package/packaged-assets/.agents/skills/rt-exploit-frameworks/SKILL.md +967 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/SKILL.md +1693 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/SKILL.md +1860 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/payloads/sqlmap-tampers.txt +22 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/SKILL.md +1214 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/SKILL.md +91 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-java/SKILL.md +1009 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/SKILL.md +1327 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-mongodb/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-mssql/SKILL.md +52 -0
- package/packaged-assets/.agents/skills/rt-exploit-mysql/SKILL.md +53 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/SKILL.md +118 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-nodejs/SKILL.md +852 -0
- package/packaged-assets/.agents/skills/rt-exploit-osticket/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/SKILL.md +173 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/templates/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-php/SKILL.md +1119 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-postgresql/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-python/SKILL.md +986 -0
- package/packaged-assets/.agents/skills/rt-exploit-redis/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ruby/SKILL.md +61 -0
- package/packaged-assets/.agents/skills/rt-exploit-scada/SKILL.md +1091 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/SKILL.md +1528 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/payloads.txt +23 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/SKILL.md +121 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/scripts.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/SKILL.md +1902 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/owasp-checklist.csv +14 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-wireless/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/SKILL.md +1565 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/cves.csv +7 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/SKILL.md +1526 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/payloads.txt +18 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-document/SKILL.md +687 -0
- package/packaged-assets/.agents/skills/rt-finding-document/template.md +71 -0
- package/packaged-assets/.agents/skills/rt-finding-document/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/SKILL.md +216 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-help/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-help/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/SKILL.md +639 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/patterns.txt +27 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-kill-chain-map/SKILL.md +393 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/SKILL.md +1032 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/frameworks.csv +10 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/SKILL.md +668 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/tactics.csv +16 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-osint/SKILL.md +775 -0
- package/packaged-assets/.agents/skills/rt-osint/osint-sources.csv +12 -0
- package/packaged-assets/.agents/skills/rt-osint/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-party-mode/SKILL.md +249 -0
- package/packaged-assets/.agents/skills/rt-party-mode/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-persistence/SKILL.md +1146 -0
- package/packaged-assets/.agents/skills/rt-persistence/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-poc-writer/SKILL.md +640 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/SKILL.md +998 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/windows-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/SKILL.md +1027 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/win-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/SKILL.md +665 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/template.md +28 -0
- package/packaged-assets/.agents/skills/rt-risk-matrix/SKILL.md +232 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-scenario-c001/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c002/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-scenario-c003/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c004/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c005/SKILL.md +72 -0
- package/packaged-assets/.agents/skills/rt-scenario-d001/SKILL.md +378 -0
- package/packaged-assets/.agents/skills/rt-scenario-d002/SKILL.md +392 -0
- package/packaged-assets/.agents/skills/rt-scenario-d003/SKILL.md +522 -0
- package/packaged-assets/.agents/skills/rt-scenario-d004/SKILL.md +373 -0
- package/packaged-assets/.agents/skills/rt-scenario-d005/SKILL.md +458 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/scenarios.csv +32 -0
- package/packaged-assets/.agents/skills/rt-scenario-m001/SKILL.md +796 -0
- package/packaged-assets/.agents/skills/rt-scenario-m002/SKILL.md +723 -0
- package/packaged-assets/.agents/skills/rt-scenario-m003/SKILL.md +463 -0
- package/packaged-assets/.agents/skills/rt-scenario-m004/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-m005/SKILL.md +505 -0
- package/packaged-assets/.agents/skills/rt-scenario-n001/SKILL.md +573 -0
- package/packaged-assets/.agents/skills/rt-scenario-n002/SKILL.md +112 -0
- package/packaged-assets/.agents/skills/rt-scenario-n003/SKILL.md +100 -0
- package/packaged-assets/.agents/skills/rt-scenario-n004/SKILL.md +90 -0
- package/packaged-assets/.agents/skills/rt-scenario-n005/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-w001/SKILL.md +635 -0
- package/packaged-assets/.agents/skills/rt-scenario-w002/SKILL.md +612 -0
- package/packaged-assets/.agents/skills/rt-scenario-w003/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-w004/SKILL.md +648 -0
- package/packaged-assets/.agents/skills/rt-scenario-w005/SKILL.md +479 -0
- package/packaged-assets/.agents/skills/rt-scenario-w006/SKILL.md +443 -0
- package/packaged-assets/.agents/skills/rt-scenario-w007/SKILL.md +494 -0
- package/packaged-assets/.agents/skills/rt-scenario-w008/SKILL.md +576 -0
- package/packaged-assets/.agents/skills/rt-scenario-w009/SKILL.md +518 -0
- package/packaged-assets/.agents/skills/rt-scenario-w010/SKILL.md +574 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/SKILL.md +79 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-shodan-recon/SKILL.md +880 -0
- package/packaged-assets/.agents/skills/rt-status/SKILL.md +64 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/SKILL.md +906 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-technical-report/SKILL.md +710 -0
- package/packaged-assets/.agents/skills/rt-technical-report/template.md +41 -0
- package/packaged-assets/.agents/skills/rt-technical-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-threat-model/SKILL.md +59 -0
- package/packaged-assets/.agents/skills/rt-threat-model/template.md +32 -0
- package/packaged-assets/.agents/skills/rt-threat-model/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-timeline/SKILL.md +338 -0
- package/packaged-assets/RTEXIT.md +127 -0
- package/tools/installer/lib/asset-manifest.js +10 -5
- package/tools/installer/lib/copy-assets.js +5 -2
- /package/{_rtexit → packaged-assets/_rtexit}/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/config.user.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/custom/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/autodoc_engine.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/finding_tracker.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_config.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_customization.py +0 -0
- /package/{resources → packaged-assets/resources}/certifications.md +0 -0
- /package/{resources → packaged-assets/resources}/payloads.md +0 -0
- /package/{resources → packaged-assets/resources}/tools.md +0 -0
- /package/{resources → packaged-assets/resources}/wordlists.md +0 -0
- /package/{templates → packaged-assets/templates}/attack-chain-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report.md +0 -0
- /package/{templates → packaged-assets/templates}/finding-template.md +0 -0
- /package/{templates → packaged-assets/templates}/remediation-roadmap.md +0 -0
- /package/{templates → packaged-assets/templates}/sead-template.md +0 -0
- /package/{templates → packaged-assets/templates}/technical-report.md +0 -0
|
@@ -0,0 +1,775 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: rt-osint
|
|
3
|
+
description: "OSINT reconnaissance skill. Use when gathering intelligence on a target — email harvesting, subdomain discovery, employee enumeration, social media footprint, credential leaks, company structure. Covers passive OSINT from beginner (Google Dorks) to expert (custom correlation frameworks). References: OSINT Framework, IntelTechniques, theHarvester, Amass, Shodan, DeHashed."
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# rt-osint — Red Team OSINT Reconnaissance Skill
|
|
7
|
+
|
|
8
|
+
## Overview
|
|
9
|
+
|
|
10
|
+
This skill covers passive and semi-passive Open Source Intelligence (OSINT) collection against a target organization. The goal is to build a detailed intelligence picture before any active engagement begins — identifying attack surface, personnel, infrastructure, leaked credentials, and technology stack without triggering detection.
|
|
11
|
+
|
|
12
|
+
OSINT is the first phase of every professional Red Team engagement. Intelligence gathered here directly informs phishing lures, password spray lists, subdomain targeting, and social engineering pretexts.
|
|
13
|
+
|
|
14
|
+
Scope of this skill:
|
|
15
|
+
- Email address harvesting and validation
|
|
16
|
+
- Subdomain and DNS enumeration (passive)
|
|
17
|
+
- Employee enumeration via LinkedIn, GitHub, and job boards
|
|
18
|
+
- Social media footprint mapping
|
|
19
|
+
- Credential leak discovery (DeHashed, HaveIBeenPwned, breach dumps)
|
|
20
|
+
- Company structure, M&A history, subsidiary mapping
|
|
21
|
+
- Technology stack fingerprinting (Shodan, Censys, BuiltWith)
|
|
22
|
+
- ASN and IP range discovery
|
|
23
|
+
- Document metadata extraction
|
|
24
|
+
|
|
25
|
+
> All commands assume Kali Linux unless noted. Replace `TARGET` and `DOMAIN` with the actual engagement target.
|
|
26
|
+
|
|
27
|
+
---
|
|
28
|
+
|
|
29
|
+
## Skill Levels
|
|
30
|
+
|
|
31
|
+
### BEGINNER — Passive Recon with Public Tools
|
|
32
|
+
|
|
33
|
+
At this level you use no accounts, no APIs, and no authentication. All data comes from search engines and publicly accessible web pages.
|
|
34
|
+
|
|
35
|
+
**Google Dorks**
|
|
36
|
+
|
|
37
|
+
```bash
|
|
38
|
+
# Find email addresses on the target domain
|
|
39
|
+
site:TARGET.com "@TARGET.com"
|
|
40
|
+
|
|
41
|
+
# Find subdomains via Google
|
|
42
|
+
site:*.TARGET.com -www
|
|
43
|
+
|
|
44
|
+
# Find exposed documents
|
|
45
|
+
site:TARGET.com filetype:pdf OR filetype:docx OR filetype:xlsx
|
|
46
|
+
|
|
47
|
+
# Find login portals
|
|
48
|
+
site:TARGET.com inurl:login OR inurl:portal OR inurl:admin
|
|
49
|
+
|
|
50
|
+
# Find employee names on LinkedIn
|
|
51
|
+
site:linkedin.com/in "TARGET Company" "Current"
|
|
52
|
+
|
|
53
|
+
# Find exposed configuration files
|
|
54
|
+
site:TARGET.com ext:env OR ext:cfg OR ext:conf OR ext:ini
|
|
55
|
+
|
|
56
|
+
# Find internal paths in cached pages
|
|
57
|
+
cache:TARGET.com
|
|
58
|
+
```
|
|
59
|
+
|
|
60
|
+
**Whois and DNS lookups**
|
|
61
|
+
|
|
62
|
+
```bash
|
|
63
|
+
# Whois lookup
|
|
64
|
+
whois TARGET.com
|
|
65
|
+
|
|
66
|
+
# Basic DNS enumeration
|
|
67
|
+
dig TARGET.com ANY
|
|
68
|
+
dig TARGET.com MX
|
|
69
|
+
dig TARGET.com TXT
|
|
70
|
+
dig TARGET.com NS
|
|
71
|
+
host -t ns TARGET.com
|
|
72
|
+
host -t mx TARGET.com
|
|
73
|
+
|
|
74
|
+
# Reverse DNS on the main IP
|
|
75
|
+
host $(dig +short TARGET.com)
|
|
76
|
+
|
|
77
|
+
# Check SPF, DKIM, DMARC records (email security posture)
|
|
78
|
+
dig TARGET.com TXT | grep -i spf
|
|
79
|
+
dig _dmarc.TARGET.com TXT
|
|
80
|
+
```
|
|
81
|
+
|
|
82
|
+
**Certificate Transparency Logs**
|
|
83
|
+
|
|
84
|
+
```bash
|
|
85
|
+
# Query crt.sh for all known subdomains
|
|
86
|
+
curl -s "https://crt.sh/?q=%.TARGET.com&output=json" | \
|
|
87
|
+
python3 -c "import sys,json; [print(c['name_value']) for c in json.load(sys.stdin)]" | \
|
|
88
|
+
sort -u
|
|
89
|
+
|
|
90
|
+
# Save output
|
|
91
|
+
curl -s "https://crt.sh/?q=%.TARGET.com&output=json" | \
|
|
92
|
+
python3 -c "import sys,json; [print(c['name_value']) for c in json.load(sys.stdin)]" | \
|
|
93
|
+
sort -u > output/subdomains-crt.txt
|
|
94
|
+
```
|
|
95
|
+
|
|
96
|
+
---
|
|
97
|
+
|
|
98
|
+
### INTERMEDIATE — API-Driven Enumeration
|
|
99
|
+
|
|
100
|
+
At this level you use tool suites with API keys, producing structured output suitable for downstream analysis.
|
|
101
|
+
|
|
102
|
+
**theHarvester**
|
|
103
|
+
|
|
104
|
+
```bash
|
|
105
|
+
# Install
|
|
106
|
+
pip3 install theHarvester
|
|
107
|
+
|
|
108
|
+
# Harvest emails, subdomains, hosts from multiple sources
|
|
109
|
+
theHarvester -d TARGET.com -b all -l 500 -f output/theharvester-TARGET
|
|
110
|
+
|
|
111
|
+
# Individual sources
|
|
112
|
+
theHarvester -d TARGET.com -b google
|
|
113
|
+
theHarvester -d TARGET.com -b bing
|
|
114
|
+
theHarvester -d TARGET.com -b linkedin
|
|
115
|
+
theHarvester -d TARGET.com -b shodan
|
|
116
|
+
theHarvester -d TARGET.com -b hunter
|
|
117
|
+
theHarvester -d TARGET.com -b github-code
|
|
118
|
+
```
|
|
119
|
+
|
|
120
|
+
**Amass — Passive Subdomain Enumeration**
|
|
121
|
+
|
|
122
|
+
```bash
|
|
123
|
+
# Passive only (safe for pre-authorization recon)
|
|
124
|
+
amass enum -passive -d TARGET.com -o output/amass-passive.txt
|
|
125
|
+
|
|
126
|
+
# With API keys configured in ~/.config/amass/datasources.yaml
|
|
127
|
+
amass enum -passive -d TARGET.com -config ~/.config/amass/datasources.yaml -o output/amass-passive.txt
|
|
128
|
+
|
|
129
|
+
# Show discovered assets with sources
|
|
130
|
+
amass enum -passive -d TARGET.com -v 2>&1 | tee output/amass-verbose.txt
|
|
131
|
+
|
|
132
|
+
# Database query after collection
|
|
133
|
+
amass db -d TARGET.com -show
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
**Subfinder**
|
|
137
|
+
|
|
138
|
+
```bash
|
|
139
|
+
# Install
|
|
140
|
+
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
|
|
141
|
+
|
|
142
|
+
# Passive subdomain discovery
|
|
143
|
+
subfinder -d TARGET.com -o output/subfinder.txt -all -recursive
|
|
144
|
+
|
|
145
|
+
# With silent output for piping
|
|
146
|
+
subfinder -d TARGET.com -silent | tee output/subfinder-silent.txt
|
|
147
|
+
|
|
148
|
+
# Resolve discovered subdomains
|
|
149
|
+
subfinder -d TARGET.com -silent | httpx -silent -o output/live-subdomains.txt
|
|
150
|
+
```
|
|
151
|
+
|
|
152
|
+
**Shodan**
|
|
153
|
+
|
|
154
|
+
```bash
|
|
155
|
+
# Install CLI
|
|
156
|
+
pip3 install shodan
|
|
157
|
+
shodan init YOUR_API_KEY
|
|
158
|
+
|
|
159
|
+
# Search by organization name
|
|
160
|
+
shodan search "org:\"Target Company Name\""
|
|
161
|
+
|
|
162
|
+
# Search by domain
|
|
163
|
+
shodan search "hostname:TARGET.com"
|
|
164
|
+
|
|
165
|
+
# Download full results
|
|
166
|
+
shodan download output/shodan-TARGET hostname:TARGET.com
|
|
167
|
+
shodan parse --fields ip_str,port,hostnames,org output/shodan-TARGET.json.gz > output/shodan-parsed.csv
|
|
168
|
+
|
|
169
|
+
# Find open RDP, SMB, VNC
|
|
170
|
+
shodan search "org:\"Target Company\" port:3389"
|
|
171
|
+
shodan search "org:\"Target Company\" port:445"
|
|
172
|
+
|
|
173
|
+
# Find exposed Elasticsearch
|
|
174
|
+
shodan search "org:\"Target Company\" product:Elastic"
|
|
175
|
+
|
|
176
|
+
# IP info
|
|
177
|
+
shodan host TARGET_IP
|
|
178
|
+
```
|
|
179
|
+
|
|
180
|
+
**Hunter.io Email Harvesting**
|
|
181
|
+
|
|
182
|
+
```bash
|
|
183
|
+
# Via API
|
|
184
|
+
curl "https://api.hunter.io/v2/domain-search?domain=TARGET.com&api_key=YOUR_KEY" \
|
|
185
|
+
-o output/hunter-TARGET.json
|
|
186
|
+
|
|
187
|
+
# Parse emails
|
|
188
|
+
cat output/hunter-TARGET.json | python3 -c "
|
|
189
|
+
import sys, json
|
|
190
|
+
data = json.load(sys.stdin)
|
|
191
|
+
for e in data['data']['emails']:
|
|
192
|
+
print(e['value'], e.get('first_name',''), e.get('last_name',''), e.get('position',''))
|
|
193
|
+
" > output/hunter-emails.txt
|
|
194
|
+
```
|
|
195
|
+
|
|
196
|
+
---
|
|
197
|
+
|
|
198
|
+
### ADVANCED — Deep Enumeration and Correlation
|
|
199
|
+
|
|
200
|
+
At this level you correlate data across multiple sources, enumerate infrastructure beyond the primary domain, and build employee target lists.
|
|
201
|
+
|
|
202
|
+
**ASN and IP Range Discovery**
|
|
203
|
+
|
|
204
|
+
```bash
|
|
205
|
+
# Find ASN for organization
|
|
206
|
+
curl -s "https://api.bgpview.io/search?query_term=Target+Company" | \
|
|
207
|
+
python3 -c "import sys,json; d=json.load(sys.stdin); [print(a['asn'],a['description']) for a in d['data']['asns']]"
|
|
208
|
+
|
|
209
|
+
# Get all prefixes for an ASN
|
|
210
|
+
ASN=12345
|
|
211
|
+
curl -s "https://api.bgpview.io/asn/${ASN}/prefixes" | \
|
|
212
|
+
python3 -c "import sys,json; d=json.load(sys.stdin); [print(p['prefix']) for p in d['data']['ipv4_prefixes']]" \
|
|
213
|
+
> output/asn-prefixes.txt
|
|
214
|
+
|
|
215
|
+
# Reverse WHOIS — find all domains registered by same org
|
|
216
|
+
curl "https://www.whoisxmlapi.com/whoisserver/WhoisService?apiKey=YOUR_KEY&domainName=TARGET.com&outputFormat=JSON"
|
|
217
|
+
```
|
|
218
|
+
|
|
219
|
+
**LinkedIn Employee Enumeration**
|
|
220
|
+
|
|
221
|
+
```bash
|
|
222
|
+
# Install linkedin2username
|
|
223
|
+
git clone https://github.com/initstring/linkedin2username
|
|
224
|
+
cd linkedin2username
|
|
225
|
+
pip3 install -r requirements.txt
|
|
226
|
+
|
|
227
|
+
# Enumerate employees (requires LinkedIn account)
|
|
228
|
+
python3 linkedin2username.py -u YOUR_LINKEDIN_EMAIL -c "Target Company" \
|
|
229
|
+
-o output/linkedin-employees.txt -s 1
|
|
230
|
+
|
|
231
|
+
# Generate username formats for password spraying
|
|
232
|
+
# linkedin2username produces: firstname.lastname, f.lastname, firstnamel, etc.
|
|
233
|
+
```
|
|
234
|
+
|
|
235
|
+
**GitHub Recon**
|
|
236
|
+
|
|
237
|
+
```bash
|
|
238
|
+
# Install gitrob or trufflehog
|
|
239
|
+
pip3 install trufflehog
|
|
240
|
+
|
|
241
|
+
# Search GitHub for secrets in target org repos
|
|
242
|
+
trufflehog github --org=TARGET_ORG_NAME --only-verified \
|
|
243
|
+
--json > output/trufflehog-TARGET.json
|
|
244
|
+
|
|
245
|
+
# Manual GitHub search dorks
|
|
246
|
+
# "TARGET.com" password
|
|
247
|
+
# "TARGET.com" secret
|
|
248
|
+
# "TARGET.com" api_key
|
|
249
|
+
# org:TARGET_ORG filename:.env
|
|
250
|
+
# org:TARGET_ORG filename:id_rsa
|
|
251
|
+
|
|
252
|
+
# gitleaks for local repo scanning
|
|
253
|
+
gitleaks detect --source /path/to/cloned/repo --report-path output/gitleaks-report.json
|
|
254
|
+
```
|
|
255
|
+
|
|
256
|
+
**Credential Leak Discovery**
|
|
257
|
+
|
|
258
|
+
```bash
|
|
259
|
+
# DeHashed API (paid)
|
|
260
|
+
curl -H "Accept: application/json" \
|
|
261
|
+
"https://api.dehashed.com/search?query=domain:TARGET.com&size=100" \
|
|
262
|
+
-u "YOUR_EMAIL:YOUR_API_KEY" | python3 -m json.tool > output/dehashed-TARGET.json
|
|
263
|
+
|
|
264
|
+
# Parse leaked passwords
|
|
265
|
+
cat output/dehashed-TARGET.json | python3 -c "
|
|
266
|
+
import sys, json
|
|
267
|
+
data = json.load(sys.stdin)
|
|
268
|
+
for entry in data.get('entries', []):
|
|
269
|
+
print(entry.get('email',''), entry.get('password',''), entry.get('hashed_password',''))
|
|
270
|
+
" > output/leaked-creds.txt
|
|
271
|
+
|
|
272
|
+
# HaveIBeenPwned — check domain breach exposure
|
|
273
|
+
curl -H "hibp-api-key: YOUR_KEY" \
|
|
274
|
+
"https://haveibeenpwned.com/api/v3/breachesforaccount/email@TARGET.com" \
|
|
275
|
+
> output/hibp-result.json
|
|
276
|
+
|
|
277
|
+
# h8mail — email breach lookup
|
|
278
|
+
pip3 install h8mail
|
|
279
|
+
h8mail -t TARGET.com -bc output/h8mail-breach.txt
|
|
280
|
+
```
|
|
281
|
+
|
|
282
|
+
**Document Metadata Extraction**
|
|
283
|
+
|
|
284
|
+
```bash
|
|
285
|
+
# Download all PDFs from target domain
|
|
286
|
+
wget -r -l2 -A "*.pdf,*.docx,*.xlsx,*.pptx" --no-parent -nd \
|
|
287
|
+
-P output/docs/ https://TARGET.com/
|
|
288
|
+
|
|
289
|
+
# Extract metadata with ExifTool
|
|
290
|
+
exiftool output/docs/*.pdf | grep -E "Author|Creator|Company|Producer|Last Modified" \
|
|
291
|
+
> output/pdf-metadata.txt
|
|
292
|
+
|
|
293
|
+
# Extract with metagoofil
|
|
294
|
+
metagoofil -d TARGET.com -t pdf,doc,xls,ppt -l 50 -n 10 -o output/metagoofil/
|
|
295
|
+
```
|
|
296
|
+
|
|
297
|
+
**Technology Fingerprinting**
|
|
298
|
+
|
|
299
|
+
```bash
|
|
300
|
+
# WhatWeb
|
|
301
|
+
whatweb -a 3 TARGET.com -v | tee output/whatweb.txt
|
|
302
|
+
|
|
303
|
+
# BuiltWith API
|
|
304
|
+
curl "https://api.builtwith.com/v20/api.json?KEY=YOUR_KEY&LOOKUP=TARGET.com" \
|
|
305
|
+
> output/builtwith.json
|
|
306
|
+
|
|
307
|
+
# Wappalyzer CLI
|
|
308
|
+
npm install -g wappalyzer
|
|
309
|
+
wappalyzer https://TARGET.com --pretty > output/wappalyzer.json
|
|
310
|
+
|
|
311
|
+
# httpx — banner grab and tech detection on all live subdomains
|
|
312
|
+
cat output/live-subdomains.txt | httpx -tech-detect -status-code -title \
|
|
313
|
+
-o output/httpx-tech.txt -json
|
|
314
|
+
```
|
|
315
|
+
|
|
316
|
+
---
|
|
317
|
+
|
|
318
|
+
### EXPERT — Custom Correlation Frameworks
|
|
319
|
+
|
|
320
|
+
At this level you build automated correlation pipelines, integrate multiple data sources, and produce actionable intelligence packages.
|
|
321
|
+
|
|
322
|
+
**Automated OSINT Pipeline Script**
|
|
323
|
+
|
|
324
|
+
```bash
|
|
325
|
+
#!/bin/bash
|
|
326
|
+
# rt-osint-pipeline.sh
|
|
327
|
+
# Full OSINT collection pipeline for a target domain
|
|
328
|
+
# Usage: ./rt-osint-pipeline.sh TARGET.com "Company Name" ENGAGEMENT_ID
|
|
329
|
+
|
|
330
|
+
DOMAIN=$1
|
|
331
|
+
COMPANY=$2
|
|
332
|
+
ENG_ID=$3
|
|
333
|
+
OUTDIR="engagements/${ENG_ID}/osint"
|
|
334
|
+
|
|
335
|
+
mkdir -p "${OUTDIR}"/{subdomains,emails,employees,infra,leaks,docs,social}
|
|
336
|
+
|
|
337
|
+
echo "[*] Starting OSINT pipeline for ${DOMAIN} (${COMPANY}) — $(date)"
|
|
338
|
+
|
|
339
|
+
# Phase 1: Subdomain discovery
|
|
340
|
+
echo "[*] Phase 1: Subdomain discovery"
|
|
341
|
+
subfinder -d "${DOMAIN}" -silent -all -recursive > "${OUTDIR}/subdomains/subfinder.txt"
|
|
342
|
+
amass enum -passive -d "${DOMAIN}" -o "${OUTDIR}/subdomains/amass.txt" 2>/dev/null
|
|
343
|
+
curl -s "https://crt.sh/?q=%.${DOMAIN}&output=json" | \
|
|
344
|
+
python3 -c "import sys,json; [print(c['name_value']) for c in json.load(sys.stdin)]" \
|
|
345
|
+
2>/dev/null | sort -u > "${OUTDIR}/subdomains/crtsh.txt"
|
|
346
|
+
|
|
347
|
+
# Merge and deduplicate
|
|
348
|
+
cat "${OUTDIR}/subdomains/"*.txt | sort -u > "${OUTDIR}/subdomains/all-subdomains.txt"
|
|
349
|
+
echo "[+] Found $(wc -l < "${OUTDIR}/subdomains/all-subdomains.txt") unique subdomains"
|
|
350
|
+
|
|
351
|
+
# Phase 2: Resolve live hosts
|
|
352
|
+
echo "[*] Phase 2: Resolving live hosts"
|
|
353
|
+
cat "${OUTDIR}/subdomains/all-subdomains.txt" | \
|
|
354
|
+
httpx -silent -status-code -title -tech-detect -json \
|
|
355
|
+
-o "${OUTDIR}/subdomains/live-hosts.json"
|
|
356
|
+
|
|
357
|
+
# Phase 3: Email harvesting
|
|
358
|
+
echo "[*] Phase 3: Email harvesting"
|
|
359
|
+
theHarvester -d "${DOMAIN}" -b google,bing,hunter,linkedin -l 500 \
|
|
360
|
+
-f "${OUTDIR}/emails/theharvester" 2>/dev/null
|
|
361
|
+
|
|
362
|
+
# Phase 4: Infrastructure mapping
|
|
363
|
+
echo "[*] Phase 4: Infrastructure mapping"
|
|
364
|
+
dig "${DOMAIN}" ANY > "${OUTDIR}/infra/dns-any.txt"
|
|
365
|
+
whois "${DOMAIN}" > "${OUTDIR}/infra/whois.txt"
|
|
366
|
+
|
|
367
|
+
echo "[+] Pipeline complete. Output: ${OUTDIR}"
|
|
368
|
+
```
|
|
369
|
+
|
|
370
|
+
**Python Correlation Script — Build Employee Target List**
|
|
371
|
+
|
|
372
|
+
```python
|
|
373
|
+
#!/usr/bin/env python3
|
|
374
|
+
# correlate_employees.py
|
|
375
|
+
# Correlates LinkedIn names with email format to build spray list
|
|
376
|
+
|
|
377
|
+
import sys
|
|
378
|
+
import re
|
|
379
|
+
|
|
380
|
+
def generate_formats(first, last, domain):
|
|
381
|
+
f = first.lower().strip()
|
|
382
|
+
l = last.lower().strip()
|
|
383
|
+
return [
|
|
384
|
+
f"{f}.{l}@{domain}",
|
|
385
|
+
f"{f[0]}{l}@{domain}",
|
|
386
|
+
f"{f}{l[0]}@{domain}",
|
|
387
|
+
f"{f}_{l}@{domain}",
|
|
388
|
+
f"{f}@{domain}",
|
|
389
|
+
f"{l}{f[0]}@{domain}",
|
|
390
|
+
f"{f[0]}.{l}@{domain}",
|
|
391
|
+
]
|
|
392
|
+
|
|
393
|
+
if __name__ == "__main__":
|
|
394
|
+
domain = sys.argv[1]
|
|
395
|
+
names_file = sys.argv[2]
|
|
396
|
+
|
|
397
|
+
with open(names_file) as f:
|
|
398
|
+
for line in f:
|
|
399
|
+
parts = line.strip().split()
|
|
400
|
+
if len(parts) >= 2:
|
|
401
|
+
first, last = parts[0], parts[-1]
|
|
402
|
+
for email in generate_formats(first, last, domain):
|
|
403
|
+
print(email)
|
|
404
|
+
```
|
|
405
|
+
|
|
406
|
+
```bash
|
|
407
|
+
# Usage
|
|
408
|
+
python3 correlate_employees.py TARGET.com output/linkedin-employees.txt | sort -u \
|
|
409
|
+
> output/candidate-emails.txt
|
|
410
|
+
|
|
411
|
+
# Validate emails with verify-email or emailhippo
|
|
412
|
+
cat output/candidate-emails.txt | emailhippo -o output/validated-emails.txt
|
|
413
|
+
```
|
|
414
|
+
|
|
415
|
+
**SpiderFoot — Automated OSINT Framework**
|
|
416
|
+
|
|
417
|
+
```bash
|
|
418
|
+
# Install
|
|
419
|
+
git clone https://github.com/smicallef/spiderfoot
|
|
420
|
+
cd spiderfoot
|
|
421
|
+
pip3 install -r requirements.txt
|
|
422
|
+
|
|
423
|
+
# Launch web UI
|
|
424
|
+
python3 sf.py -l 127.0.0.1:5001
|
|
425
|
+
|
|
426
|
+
# CLI scan — passive modules only
|
|
427
|
+
python3 sfcli.py -s TARGET.com -t INTERNET_NAME -m sfp_dnsresolve,sfp_ssl,sfp_crt,\
|
|
428
|
+
sfp_hunter,sfp_shodan,sfp_passivetotal,sfp_circl,sfp_threatcrowd \
|
|
429
|
+
-o output/spiderfoot-TARGET.json
|
|
430
|
+
```
|
|
431
|
+
|
|
432
|
+
**Maltego Integration**
|
|
433
|
+
|
|
434
|
+
```bash
|
|
435
|
+
# Export structured data for Maltego import
|
|
436
|
+
# Convert theHarvester XML output
|
|
437
|
+
python3 - << 'EOF'
|
|
438
|
+
import xml.etree.ElementTree as ET
|
|
439
|
+
import json
|
|
440
|
+
|
|
441
|
+
tree = ET.parse('output/emails/theharvester.xml')
|
|
442
|
+
root = tree.getroot()
|
|
443
|
+
|
|
444
|
+
entities = []
|
|
445
|
+
for email in root.findall('.//email'):
|
|
446
|
+
entities.append({"type": "Email", "value": email.text})
|
|
447
|
+
for host in root.findall('.//host'):
|
|
448
|
+
entities.append({"type": "Host", "value": host.text})
|
|
449
|
+
|
|
450
|
+
with open('output/maltego-import.json', 'w') as f:
|
|
451
|
+
json.dump(entities, f, indent=2)
|
|
452
|
+
|
|
453
|
+
print(f"Exported {len(entities)} entities for Maltego")
|
|
454
|
+
EOF
|
|
455
|
+
```
|
|
456
|
+
|
|
457
|
+
---
|
|
458
|
+
|
|
459
|
+
## Step-by-Step Workflow
|
|
460
|
+
|
|
461
|
+
1. **Create engagement directory structure**
|
|
462
|
+
|
|
463
|
+
```bash
|
|
464
|
+
ENG_ID="ENG-2024-001"
|
|
465
|
+
DOMAIN="target.com"
|
|
466
|
+
mkdir -p engagements/${ENG_ID}/osint/{subdomains,emails,employees,infra,leaks,docs,social,screenshots}
|
|
467
|
+
cd engagements/${ENG_ID}/osint
|
|
468
|
+
```
|
|
469
|
+
|
|
470
|
+
2. **Run passive DNS and certificate recon**
|
|
471
|
+
|
|
472
|
+
```bash
|
|
473
|
+
dig ${DOMAIN} ANY > infra/dns-any.txt
|
|
474
|
+
whois ${DOMAIN} > infra/whois.txt
|
|
475
|
+
curl -s "https://crt.sh/?q=%.${DOMAIN}&output=json" | \
|
|
476
|
+
python3 -c "import sys,json; [print(c['name_value']) for c in json.load(sys.stdin)]" | \
|
|
477
|
+
sort -u > subdomains/crtsh.txt
|
|
478
|
+
```
|
|
479
|
+
|
|
480
|
+
3. **Run subfinder and amass in parallel**
|
|
481
|
+
|
|
482
|
+
```bash
|
|
483
|
+
subfinder -d ${DOMAIN} -silent -all -recursive -o subdomains/subfinder.txt &
|
|
484
|
+
amass enum -passive -d ${DOMAIN} -o subdomains/amass.txt &
|
|
485
|
+
wait
|
|
486
|
+
cat subdomains/*.txt | sort -u > subdomains/all-subdomains.txt
|
|
487
|
+
```
|
|
488
|
+
|
|
489
|
+
4. **Resolve live hosts and fingerprint technologies**
|
|
490
|
+
|
|
491
|
+
```bash
|
|
492
|
+
cat subdomains/all-subdomains.txt | \
|
|
493
|
+
httpx -silent -status-code -title -tech-detect -json -o subdomains/live-hosts.json
|
|
494
|
+
cat subdomains/live-hosts.json | python3 -c "
|
|
495
|
+
import sys, json
|
|
496
|
+
for line in sys.stdin:
|
|
497
|
+
h = json.loads(line)
|
|
498
|
+
print(h.get('url',''), h.get('status_code',''), h.get('title',''))
|
|
499
|
+
" > subdomains/live-hosts-summary.txt
|
|
500
|
+
```
|
|
501
|
+
|
|
502
|
+
5. **Harvest email addresses**
|
|
503
|
+
|
|
504
|
+
```bash
|
|
505
|
+
theHarvester -d ${DOMAIN} -b all -l 500 -f emails/theharvester
|
|
506
|
+
cat emails/theharvester.json | python3 -c "
|
|
507
|
+
import sys, json
|
|
508
|
+
d = json.load(sys.stdin)
|
|
509
|
+
for e in d.get('emails', []):
|
|
510
|
+
print(e)
|
|
511
|
+
" | sort -u > emails/all-emails.txt
|
|
512
|
+
```
|
|
513
|
+
|
|
514
|
+
6. **Enumerate employees from LinkedIn**
|
|
515
|
+
|
|
516
|
+
```bash
|
|
517
|
+
cd linkedin2username
|
|
518
|
+
python3 linkedin2username.py -u YOUR_LINKEDIN -c "Target Company Name" \
|
|
519
|
+
-o ../employees/linkedin-names.txt -s 1
|
|
520
|
+
cd ..
|
|
521
|
+
python3 /opt/rt-tools/correlate_employees.py ${DOMAIN} employees/linkedin-names.txt \
|
|
522
|
+
> employees/candidate-emails.txt
|
|
523
|
+
```
|
|
524
|
+
|
|
525
|
+
7. **Check for credential leaks**
|
|
526
|
+
|
|
527
|
+
```bash
|
|
528
|
+
curl -H "Accept: application/json" \
|
|
529
|
+
"https://api.dehashed.com/search?query=domain:${DOMAIN}&size=200" \
|
|
530
|
+
-u "EMAIL:API_KEY" | python3 -m json.tool > leaks/dehashed.json
|
|
531
|
+
|
|
532
|
+
cat leaks/dehashed.json | python3 -c "
|
|
533
|
+
import sys, json
|
|
534
|
+
data = json.load(sys.stdin)
|
|
535
|
+
for e in data.get('entries', []):
|
|
536
|
+
pw = e.get('password') or e.get('hashed_password','')
|
|
537
|
+
print(f\"{e.get('email','')}\t{pw}\")
|
|
538
|
+
" > leaks/leaked-creds.txt
|
|
539
|
+
|
|
540
|
+
echo "[+] Found $(wc -l < leaks/leaked-creds.txt) leaked credential entries"
|
|
541
|
+
```
|
|
542
|
+
|
|
543
|
+
8. **Shodan infrastructure scan**
|
|
544
|
+
|
|
545
|
+
```bash
|
|
546
|
+
shodan search "org:\"Target Company\"" --fields ip_str,port,hostnames,os,product \
|
|
547
|
+
> infra/shodan-results.txt
|
|
548
|
+
shodan search "org:\"Target Company\" has_vuln:true" --fields ip_str,port,vulns \
|
|
549
|
+
> infra/shodan-vulns.txt
|
|
550
|
+
```
|
|
551
|
+
|
|
552
|
+
9. **Screenshot all live web services**
|
|
553
|
+
|
|
554
|
+
```bash
|
|
555
|
+
cat subdomains/live-hosts.json | python3 -c "
|
|
556
|
+
import sys, json
|
|
557
|
+
for line in sys.stdin:
|
|
558
|
+
print(json.loads(line).get('url',''))
|
|
559
|
+
" | aquatone -out screenshots/ -threads 5 -timeout 3000
|
|
560
|
+
```
|
|
561
|
+
|
|
562
|
+
10. **Extract document metadata**
|
|
563
|
+
|
|
564
|
+
```bash
|
|
565
|
+
metagoofil -d ${DOMAIN} -t pdf,doc,xls,ppt,docx,xlsx,pptx \
|
|
566
|
+
-l 50 -n 10 -o docs/metagoofil/
|
|
567
|
+
exiftool docs/metagoofil/*.pdf 2>/dev/null | \
|
|
568
|
+
grep -E "Author|Creator|Company|Software" | sort -u > docs/metadata-authors.txt
|
|
569
|
+
```
|
|
570
|
+
|
|
571
|
+
11. **Generate final intelligence summary**
|
|
572
|
+
|
|
573
|
+
```bash
|
|
574
|
+
python3 /opt/rt-tools/osint-summary.py \
|
|
575
|
+
--domain ${DOMAIN} \
|
|
576
|
+
--subdomains subdomains/all-subdomains.txt \
|
|
577
|
+
--live subdomains/live-hosts-summary.txt \
|
|
578
|
+
--emails emails/all-emails.txt \
|
|
579
|
+
--employees employees/candidate-emails.txt \
|
|
580
|
+
--leaks leaks/leaked-creds.txt \
|
|
581
|
+
--output ../reports/osint-summary.md
|
|
582
|
+
```
|
|
583
|
+
|
|
584
|
+
12. **Feed into RTExit autodoc engine**
|
|
585
|
+
|
|
586
|
+
```bash
|
|
587
|
+
# RTExit autodoc integration
|
|
588
|
+
rtx-doc ingest \
|
|
589
|
+
--engagement ${ENG_ID} \
|
|
590
|
+
--phase osint \
|
|
591
|
+
--artifacts ./engagements/${ENG_ID}/osint \
|
|
592
|
+
--tag "passive-recon"
|
|
593
|
+
|
|
594
|
+
# Log OSINT completion event
|
|
595
|
+
rtx-doc event \
|
|
596
|
+
--engagement ${ENG_ID} \
|
|
597
|
+
--type phase-complete \
|
|
598
|
+
--phase osint \
|
|
599
|
+
--notes "$(wc -l < subdomains/all-subdomains.txt) subdomains, $(wc -l < emails/all-emails.txt) emails, $(wc -l < leaks/leaked-creds.txt) leaked credentials"
|
|
600
|
+
```
|
|
601
|
+
|
|
602
|
+
---
|
|
603
|
+
|
|
604
|
+
## Tools Reference
|
|
605
|
+
|
|
606
|
+
| Tool | Purpose | URL |
|
|
607
|
+
|---|---|---|
|
|
608
|
+
| theHarvester | Email, subdomain, and host harvesting | https://github.com/laramies/theHarvester |
|
|
609
|
+
| Amass | Subdomain enumeration and mapping | https://github.com/owasp-amass/amass |
|
|
610
|
+
| Subfinder | Passive subdomain discovery | https://github.com/projectdiscovery/subfinder |
|
|
611
|
+
| httpx | HTTP probing and tech detection | https://github.com/projectdiscovery/httpx |
|
|
612
|
+
| Shodan CLI | Internet-facing asset discovery | https://github.com/achillean/shodan-python |
|
|
613
|
+
| SpiderFoot | Automated multi-source OSINT | https://github.com/smicallef/spiderfoot |
|
|
614
|
+
| linkedin2username | LinkedIn employee enumeration | https://github.com/initstring/linkedin2username |
|
|
615
|
+
| TruffleHog | GitHub secret scanning | https://github.com/trufflesecurity/trufflehog |
|
|
616
|
+
| gitleaks | Git repository secret scanning | https://github.com/gitleaks/gitleaks |
|
|
617
|
+
| Aquatone | Web screenshot utility | https://github.com/michenriksen/aquatone |
|
|
618
|
+
| metagoofil | Document metadata extraction | https://github.com/laramies/metagoofil |
|
|
619
|
+
| ExifTool | Metadata reader/writer | https://github.com/exiftool/exiftool |
|
|
620
|
+
| h8mail | Email breach lookup | https://github.com/khast3x/h8mail |
|
|
621
|
+
| Maltego | Visual link analysis | https://www.maltego.com |
|
|
622
|
+
| WhatWeb | Web technology fingerprinting | https://github.com/urbanadventurer/WhatWeb |
|
|
623
|
+
| SecLists | Wordlists for all phases | https://github.com/danielmiessler/SecLists |
|
|
624
|
+
|
|
625
|
+
**SecLists paths used in this skill:**
|
|
626
|
+
|
|
627
|
+
```
|
|
628
|
+
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
|
|
629
|
+
/usr/share/seclists/Discovery/DNS/fierce-hostlist.txt
|
|
630
|
+
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt
|
|
631
|
+
/usr/share/seclists/Usernames/Names/names.txt
|
|
632
|
+
```
|
|
633
|
+
|
|
634
|
+
---
|
|
635
|
+
|
|
636
|
+
## Output Instructions
|
|
637
|
+
|
|
638
|
+
### File Organization
|
|
639
|
+
|
|
640
|
+
```
|
|
641
|
+
engagements/
|
|
642
|
+
ENG-YYYY-NNN/
|
|
643
|
+
osint/
|
|
644
|
+
subdomains/
|
|
645
|
+
crtsh.txt # Certificate transparency subdomains
|
|
646
|
+
subfinder.txt # Subfinder results
|
|
647
|
+
amass.txt # Amass results
|
|
648
|
+
all-subdomains.txt # Merged, deduplicated
|
|
649
|
+
live-hosts.json # httpx JSON output
|
|
650
|
+
live-hosts-summary.txt # Human-readable live host summary
|
|
651
|
+
emails/
|
|
652
|
+
theharvester.json # Raw theHarvester output
|
|
653
|
+
all-emails.txt # Merged, deduplicated
|
|
654
|
+
employees/
|
|
655
|
+
linkedin-names.txt # Raw names from LinkedIn
|
|
656
|
+
candidate-emails.txt # Generated email format candidates
|
|
657
|
+
validated-emails.txt # Validated live email addresses
|
|
658
|
+
infra/
|
|
659
|
+
dns-any.txt # Full DNS record dump
|
|
660
|
+
whois.txt # WHOIS data
|
|
661
|
+
shodan-results.txt # Shodan host data
|
|
662
|
+
shodan-vulns.txt # Shodan vulnerability findings
|
|
663
|
+
asn-prefixes.txt # ASN IP ranges
|
|
664
|
+
leaks/
|
|
665
|
+
dehashed.json # DeHashed API response
|
|
666
|
+
leaked-creds.txt # Parsed email:password pairs
|
|
667
|
+
hibp-results.json # HaveIBeenPwned results
|
|
668
|
+
docs/
|
|
669
|
+
metagoofil/ # Downloaded documents
|
|
670
|
+
metadata-authors.txt # Extracted author/company metadata
|
|
671
|
+
social/
|
|
672
|
+
github-findings.json # TruffleHog/gitleaks findings
|
|
673
|
+
screenshots/ # Aquatone web screenshots
|
|
674
|
+
reports/
|
|
675
|
+
osint-summary.md # Executive OSINT summary
|
|
676
|
+
```
|
|
677
|
+
|
|
678
|
+
### Naming Convention
|
|
679
|
+
|
|
680
|
+
- All output files use lowercase with hyphens
|
|
681
|
+
- Include date suffix for repeated runs: `all-subdomains-2024-01-15.txt`
|
|
682
|
+
- Raw API responses kept in original format (JSON/XML) for audit trail
|
|
683
|
+
- Parsed/processed output saved separately from raw
|
|
684
|
+
|
|
685
|
+
### RTExit Autodoc Integration
|
|
686
|
+
|
|
687
|
+
After each phase, ingest artifacts into the RTExit autodoc engine:
|
|
688
|
+
|
|
689
|
+
```bash
|
|
690
|
+
# Ingest all OSINT artifacts
|
|
691
|
+
rtx-doc ingest --engagement ENG_ID --phase osint --artifacts ./engagements/ENG_ID/osint
|
|
692
|
+
|
|
693
|
+
# Tag high-value findings
|
|
694
|
+
rtx-doc finding \
|
|
695
|
+
--engagement ENG_ID \
|
|
696
|
+
--title "Leaked credentials discovered for domain" \
|
|
697
|
+
--severity high \
|
|
698
|
+
--evidence leaks/leaked-creds.txt \
|
|
699
|
+
--recommendation "Initiate password reset enforcement and notify SOC"
|
|
700
|
+
|
|
701
|
+
# Generate phase report
|
|
702
|
+
rtx-doc report \
|
|
703
|
+
--engagement ENG_ID \
|
|
704
|
+
--phase osint \
|
|
705
|
+
--template osint-standard \
|
|
706
|
+
--output reports/osint-report.pdf
|
|
707
|
+
```
|
|
708
|
+
|
|
709
|
+
---
|
|
710
|
+
|
|
711
|
+
## Resources
|
|
712
|
+
|
|
713
|
+
### Primary References
|
|
714
|
+
|
|
715
|
+
- OSINT Framework: https://osintframework.com
|
|
716
|
+
- IntelTechniques: https://inteltechniques.com/tools
|
|
717
|
+
- Bellingcat OSINT Guide: https://www.bellingcat.com/resources/how-tos/2023/04/10/open-source-intelligence-osint-tools
|
|
718
|
+
- SANS OSINT Cheat Sheet: https://www.sans.org/blog/getting-started-with-open-source-intelligence
|
|
719
|
+
|
|
720
|
+
### Credential Leak Databases
|
|
721
|
+
|
|
722
|
+
- DeHashed: https://dehashed.com
|
|
723
|
+
- HaveIBeenPwned: https://haveibeenpwned.com
|
|
724
|
+
- IntelX: https://intelx.io
|
|
725
|
+
- LeakIX: https://leakix.net
|
|
726
|
+
- Snusbase: https://snusbase.com
|
|
727
|
+
|
|
728
|
+
### Infrastructure Discovery
|
|
729
|
+
|
|
730
|
+
- Shodan: https://shodan.io
|
|
731
|
+
- Censys: https://censys.io
|
|
732
|
+
- FOFA: https://fofa.info
|
|
733
|
+
- ZoomEye: https://www.zoomeye.org
|
|
734
|
+
- BinaryEdge: https://www.binaryedge.io
|
|
735
|
+
- GreyNoise: https://www.greynoise.io
|
|
736
|
+
|
|
737
|
+
### DNS and Certificate Intelligence
|
|
738
|
+
|
|
739
|
+
- crt.sh: https://crt.sh
|
|
740
|
+
- SecurityTrails: https://securitytrails.com
|
|
741
|
+
- DNSdumpster: https://dnsdumpster.com
|
|
742
|
+
- Passive DNS (CIRCL): https://www.circl.lu/services/passive-dns
|
|
743
|
+
- RiskIQ (now Microsoft Defender TI): https://ti.defender.microsoft.com
|
|
744
|
+
|
|
745
|
+
### Email Harvesting
|
|
746
|
+
|
|
747
|
+
- Hunter.io: https://hunter.io
|
|
748
|
+
- Phonebook.cz: https://phonebook.cz
|
|
749
|
+
- EmailHippo: https://tools.emailhippo.com
|
|
750
|
+
- Clearbit Connect: https://clearbit.com/resources/tools/connect
|
|
751
|
+
|
|
752
|
+
### Social Media and Employee Enumeration
|
|
753
|
+
|
|
754
|
+
- LinkedIn: https://linkedin.com
|
|
755
|
+
- GitHub: https://github.com
|
|
756
|
+
- Twitter/X Advanced Search: https://twitter.com/search-advanced
|
|
757
|
+
- Facebook Graph: https://www.facebook.com/search
|
|
758
|
+
- Pipl: https://pipl.com
|
|
759
|
+
|
|
760
|
+
### Training and Practice
|
|
761
|
+
|
|
762
|
+
- TryHackMe OSINT rooms: https://tryhackme.com/hacktivities?tab=search&value=osint
|
|
763
|
+
- HackTheBox OSINT challenges: https://app.hackthebox.com
|
|
764
|
+
- TraceLabs CTF (OSINT for missing persons): https://www.tracelabs.org
|
|
765
|
+
|
|
766
|
+
---
|
|
767
|
+
|
|
768
|
+
## Notes for Red Team Operators
|
|
769
|
+
|
|
770
|
+
- Always confirm Rules of Engagement (RoE) before querying paid APIs against target data — some queries may be logged by the provider and visible to the target.
|
|
771
|
+
- Certificate transparency and Shodan queries are fully passive and leave no trace on target infrastructure.
|
|
772
|
+
- LinkedIn scraping may violate ToS — use dedicated accounts and rate-limit requests.
|
|
773
|
+
- Leaked credential data must be handled according to engagement data handling policy — encrypt at rest, do not exfiltrate from secure environment.
|
|
774
|
+
- GitHub secret scanning with TruffleHog should be run against all repos discovered in the target org, including forks and archived repos.
|
|
775
|
+
- Employee enumeration output feeds directly into the `rt-phishing` and `rt-password-spray` skills.
|
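Review bot: the DeHashed lookup in workflow step 7 passes the credential on the command line (`-u "EMAIL:API_KEY"`), so the API key lands in shell history and is visible to any local user via the process list; read it from a curl config file instead (`curl -K ~/.dehashed.cfg` with `user = "email:key"` in the file, or `--netrc-file`), and keep the same rule for every other keyed service the skill calls. Second, step 2 is titled "passive DNS and certificate recon" but `dig ${DOMAIN} ANY` (also Phase 4 of `rt-osint-pipeline.sh`) is an active query that reaches the target's authoritative name servers, and most of them now return a minimal ANY response per RFC 8482; either move it to an active phase or replace it with one of the passive-DNS sources listed under Resources, and tighten the "Notes for Red Team Operators" line that calls the CT and Shodan steps fully passive so it does not read as covering this step. Third, the crt.sh one-liner prints `name_value` verbatim, and for many certificates that field is several SAN names joined by newlines and may begin with `*.`, so `all-subdomains.txt` will carry multi-line and wildcard entries unless the Python splits on `\n` and strips the `*.` prefix before `sort -u`. Smaller items: `rt-osint-pipeline.sh` uses `$1`-`$3` unchecked and has no `set -euo pipefail`, so a missing ENGAGEMENT_ID silently writes to `engagements//osint`; the `2>/dev/null` on the amass and theHarvester calls hides API-key and rate-limit errors that the operator needs to see; and the usage block after `correlate_employees.py` pipes into `emailhippo`, which appears nowhere in the Tools Reference table (EmailHippo is listed only as a web URL under Resources), so either document how that CLI is installed or drop the line.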