offensive-osint
Offensive-OSINT is a modular reference arsenal for authorized external reconnaissance, containing 15 on-demand reference files covering subdomain enumeration, cloud bucket discovery, identity provider fingerprinting, secret scanning across 48+ platforms, certificate transparency, vendor detection, breach correlation, and sector-specific probes for healthcare, finance, and industrial control systems. Use it when executing authorized red-team or bug-bounty scoping, asset discovery, attack-path mapping, or secret triage, never for exploitation, post-exploitation, or unverified third-party targets.
git clone --depth 1 https://github.com/elementalsouls/Claude-BugHunter /tmp/offensive-osint && cp -r /tmp/offensive-osint/skills/offensive-osint ~/.claude/skills/offensive-osint

SKILL.md
# Offensive OSINT — External Red-Team Arsenal

> **v3.0** — Refactored 2026-05-02 from a 4,168-line monolith into a lean SKILL.md (~400 lines) plus 15 modular reference files in `references/`. Detail content loads on demand — Claude reads only the reference files relevant to the current task.

## 0. When to use / When NOT

**Use this skill when:**

- You need concrete probe paths, wordlists, regexes, payloads, scoring rules, or tool URLs.
- You're executing reconnaissance and need the actual technical reference (vs. methodology).
- You're building a recon automation and need specific lists to seed it.

**Do NOT use this skill when:**

- The user is asking for active exploitation, post-exploitation, or anything past reconnaissance.
- The user is asking for defensive / blue-team detections.
- The target's authorization isn't established — see §1.

---

## 1. Authorization & Legal Posture

For assets the operator owns or has written authorization to assess. Soft scope check before acting against an unverified third-party target — see methodology skill §1 for the full posture.

---

## 2. Confidence Levels

- **TENTATIVE** — plausible based on indirect evidence (snippet-only dork match, single-source asset, inferred email pattern).
- **FIRM** — directly observed (subdomain resolves, HEAD-confirmed bucket exists, banner returned).
- **CONFIRMED** — verified via independent corroboration OR direct verification (live PMAK validation, multiple sources agree, listable bucket with object retrieval).

---

## 3. Output Format Conventions

Findings should carry: `id`, `module`, `asset_key`, `category`, `severity` (info/low/medium/high/critical), `confidence`, `title`, `description`, `evidence` (url + UTC timestamp + sha256 + raw ≤ 2 KiB), `references`, `remediation`. UTC timestamps everywhere.

---

## 4. Source Hygiene & Citations

URL + UTC timestamp + SHA-256 + tool version + run_id, every artifact. PNG screenshots, JSONL run logs, raw HTTP captures capped at 2 KiB body.

---

## 5. Do NOT

- Don't paste creds/PII/session tokens into cloud LLMs.
- Don't run destructive probes outside DEEP/`--aggressive`.
- Don't use validated credentials for anything except read-only liveness check.
- Don't single-source attribute.
- Don't assume vendor labels are ground truth.

---

## 6. General OSINT (curated tool refs)

- [OSINT Bookmarks](https://tools.myosint.training/) — comprehensive bookmarks.
- [OSINT Framework](https://osintframework.com/) — tool/resource directory.
- [IntelTechniques Tools](https://inteltechniques.com/tools/) — investigative suite.
- [Bellingcat Toolkit](https://www.bellingcat.com/resources/2024/09/24/bellingcat-online-investigations-toolkit/) — investigative journalism.
- [CyberSudo OSINT Toolkit](https://docs.google.com/spreadsheets/d/1EC0sKA_W9znzsxUt0wye9UYtyATXw5m8) — OSINT websites list.
- [Google Dorks](https://dorksearch.com/) — efficient Google searching.
- [Distributed Denial of Secrets](https://ddosecrets.com/) — leaked datasets.
- [Country-Specific Resources](https://digitaldigging.org/osint/) — country-targeted OSINT.

---

## How to use this skill

This skill is a **lean operational index**. Most concrete data (wordlists, regexes, dorks, endpoint catalogs, severity examples) lives in the `references/` subfolder, organized by topic.

**Workflow when this skill triggers:**

1. Read this SKILL.md to anchor on principles (§0-5), scoring rubrics (§20-21), attack-path templates (§39), and the references index below.
2. For task-specific data, **read only the reference file(s) you need** — do NOT pull all 15. Each reference is self-contained.
3. Use the `bug-bounty` skill for the local toolkit at `~/security-research/bug-bounty-resources/` and `osint-methodology` for the planning framework.

**Loading rules of thumb:**

- Single-class question (e.g., "what's the regex for AWS keys?") → load `secret-patterns.md` only.
- Multi-class engagement (e.g., "do an external recon on target.com") → load `probes-and-wordlists.md` first, then add others as the engagement narrows.
- Severity / triage question → load `severity-matrix.md`.

---

## References Index

| File | Coverage | Trigger phrases |
|---|---|---|
| `probes-and-wordlists.md` | API/Swagger/GraphQL paths, cloud-bucket arsenal, JS guess-paths, vendor & cloud-native fingerprints, K8s/CI-CD exposure, doc/wiki leaks, WHOIS/RDAP, DNS catalog, Wayback CDX, copy-paste curl probes, email security analysis, origin/CDN bypass | swagger discovery, graphql introspection, subdomain takeover, cloud bucket enum, S3/GCS/Azure enum, kubernetes exposure, CI CD exposure, vendor fingerprint, WHOIS RDAP, Wayback CDX, copy paste probes, curl one-liner |
| `identity-fabric.md` | Concrete endpoints for Entra/Okta/ADFS/Google/SAML, M365 deep (Teams federation, SharePoint, OneDrive), GraphQL field-suggestion enumeration, user-enum patterns | identity fabric, SSO discovery, IdP fingerprinting, okta enum, entra enum, azure AD enum, ADFS enum, SAML metadata, Microsoft 365 deep, Teams federation, SharePoint enum, OneDrive enum, graphql field suggestion |
| `secret-patterns.md` | 48-pattern secret-regex catalog (AWS, GCP, GitHub PATs, Stripe, Slack, JWT, private keys, Anthropic/OpenAI/HuggingFace, Cloudflare, DigitalOcean, npm, PyPI, Docker Hub, Atlassian, DataDog, Sentry, ngrok) with severity & FP notes | secret scanning, secret leak, leaked credential, JWT triage, AWS key triage, Anthropic API key, OpenAI API key |
| `secret-validators.md` | 9 read-only secret validators + post-discovery enumeration workflows for AWS/GitHub/Slack/Postman/JWT/Anthropic/OpenAI/npm/Atlassian/DataDog | secret validation, post discovery workflow, AWS key triage, JWT triage |
| `dork-corpus.md` | 80+ Google/Bing/DDG dork templates across 9 categories + 13 GitHub code-search dorks tailored for targets | google dorking, bing dorking, github dorking, dork corpus |
| `recon-stack.md` | Subdomain-source stack (passive & active), infrastructure & attack-surface OSINT (Shodan/Censys/
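The finding schema in §3 and the artifact hygiene rules in §4 (URL, UTC timestamp, SHA-256, tool version, run_id, raw body capped at 2 KiB) are easy to state and easy to get subtly wrong in tooling, for example hashing the truncated copy instead of the full capture, or mixing local and UTC timestamps. The following is an added example written for this page, not code from the Claude-BugHunter repository: it builds one evidence envelope and one finding record with those fields, rejects severity/confidence values outside the documented enums, and emits a JSONL line for the run log. The function names, the deterministic `id` scheme, and the `truncated`/`raw_len` flags are this example's own assumptions; the field names and limits come from §2, §3 and §4.

```python
"""Finding/evidence record builder following the SKILL.md §3/§4 conventions.

Added example, not part of the offensive-osint skill. Field names come from §3;
the 2 KiB cap, SHA-256, UTC timestamps, tool version and run_id come from §3/§4.
Function names, the id scheme and the truncation flags are assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

SEVERITIES = ("info", "low", "medium", "high", "critical")   # §3
CONFIDENCES = ("TENTATIVE", "FIRM", "CONFIRMED")             # §2
RAW_CAP = 2 * 1024                                            # §4: 2 KiB body cap


def utc_now_iso() -> str:
    """ISO 8601 timestamp in UTC with a Z suffix (§3: UTC timestamps everywhere)."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def make_evidence(url: str, raw: bytes, tool_version: str, run_id: str,
                  captured_at: str = "") -> dict:
    """Evidence envelope: URL + UTC timestamp + SHA-256 + capped raw body.

    The digest is taken over the FULL capture, so a reviewer holding the
    original artifact can re-verify it; only the stored copy is capped at
    2 KiB. The truncated/raw_len fields are this example's addition so the
    reader of the record knows the copy is partial.
    """
    return {
        "url": url,
        "timestamp": captured_at or utc_now_iso(),
        "sha256": hashlib.sha256(raw).hexdigest(),
        "raw": raw[:RAW_CAP].decode("utf-8", errors="replace"),
        "truncated": len(raw) > RAW_CAP,
        "raw_len": len(raw),
        "tool_version": tool_version,
        "run_id": run_id,
    }


def make_finding(module: str, asset_key: str, category: str, severity: str,
                 confidence: str, title: str, description: str, evidence: dict,
                 references=(), remediation: str = "") -> dict:
    """Assemble a §3 finding and reject values outside the documented enums."""
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}, got {severity!r}")
    if confidence not in CONFIDENCES:
        raise ValueError(f"confidence must be one of {CONFIDENCES}, got {confidence!r}")
    # Deterministic id (assumed scheme): same module/asset/category/evidence
    # hash yields the same id, so re-runs de-duplicate instead of piling up.
    id_material = f"{module}|{asset_key}|{category}|{evidence['sha256']}".encode()
    return {
        "id": "f-" + hashlib.sha256(id_material).hexdigest()[:16],
        "module": module,
        "asset_key": asset_key,
        "category": category,
        "severity": severity,
        "confidence": confidence,
        "title": title,
        "description": description,
        "evidence": evidence,
        "references": list(references),
        "remediation": remediation,
    }


def to_jsonl_line(finding: dict) -> str:
    """One finding per line with sorted keys, suitable for the §4 JSONL run log."""
    return json.dumps(finding, sort_keys=True, ensure_ascii=False)


if __name__ == "__main__":
    # Constructed sample capture: a response body larger than the 2 KiB cap.
    sample_raw = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n" + b"A" * 4096
    ev = make_evidence("https://example.com/.well-known/openid-configuration",
                       sample_raw, tool_version="curl/8.0 (constructed)",
                       run_id="run-0001", captured_at="2026-05-02T12:00:00Z")
    finding = make_finding("identity-fabric", "example.com", "idp-fingerprint",
                           "info", "FIRM", "OIDC discovery document served",
                           "Discovery endpoint answered 200 (constructed sample).",
                           ev, references=["SKILL.md §2"], remediation="n/a")
    print(to_jsonl_line(finding))
```

Because the hash covers the full capture while the stored `raw` is capped, the record stays verifiable against the original artifact without the run log growing past the §4 limit; the enum checks catch the common drift where a module writes `"High"` or `"likely"` and the severity matrix in `severity-matrix.md` can no longer be applied mechanically.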
Run autonomous hunt loop on a target — scope check → recon → rank surface → hunt → validate → report with configurable checkpoints. Usage: /autopilot target.com [--paranoid|--normal|--yolo]
Build an exploit chain — given bug A, finds B and C to combine for higher severity and payout. Knows common chain patterns: IDOR→ATO, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth. Usage: /chain
Active vulnerability hunting. Two-track dispatcher — asks Red Team vs WAPT, hands off to hunt-dispatch skill and sibling commands. Usage: /hunt target.com | /hunt *.target.com | /hunt targets.txt [--vuln-class X] [--source-code P] [--chrome]
On-demand intelligence fetch for a target — CVEs, disclosed reports, new features. Wraps learn.py + hunt memory context. Usage: /intel target.com
Inspect or rotate hunt-memory JSONL files (audit.jsonl, patterns.jsonl, journal.jsonl). Caps file size and keeps N rotated backups so memory does not grow unbounded.
Pick up a previous hunt on a target — shows hunt history, untested endpoints, and memory-informed suggestions. Usage: /pickup target.com
Run full recon pipeline on a target — subdomain enum (Chaos API + subfinder), live host discovery (dnsx + httpx), URL crawl (katana + waybackurls + gau), gf pattern classification, nuclei scan. Outputs to recon/<target>/ directory. Usage: /recon target.com
Log current finding or successful pattern to hunt memory. Auto-fills from /validate output if available. Usage: /remember