Data source: GitHub API · Generated by Stargazers.cn

README.md

🛡️ Recon & Pentest Skill Pack

155 offensive security skills for recon and pentest. Field-validated techniques from 600+ company targets across 45+ sectors. Updated with browser fingerprint evasion, anti-bot bypass, hardcoded credential hunting, SCADA/ICS enumeration.

📖 Blog & research: hiago.sh — Pentest Playbook, field notes, and tooling.


📦 What's Inside (155 skills)

```text
recon-skills/
├── SOUL.md                  — Philosophy & agent operating instructions
├── AGENTS.md                — Complete catalog + HARDLINE skill standards
├── recon/          (34)     — WordPress/CORS/XMLRPC recon, source leaks, JS secrets, web enum, email sec, staging hunt, port scans, hardcoded creds, S3/MinIO XSS, API flow hijack, SCADA Hikvision ISAPI, stealth browser, humanize automation, TLS fingerprint, HTTP/2 headers
├── redteam/        (109)    — 54 hunt-* (xss, sqli, ssrf, rce, ato, idor, cors, firebase, supabase, schema-enum, write-gap, metrics, k8s, etc) + 24 sector recon + 29 methodology/ops
├── meta/           (6)      — Recon playbook, sector methodology, attack patterns, wave delta, google dorks, pentest playbook
├── chains/         (2)      — Cross-attack chaining, WordPress full compromise
├── auth/           (1)      — SAML SSO attacks
└── infra/          (1)      — Docker privilege escalation
```

🔥 Key Skills

| Category | Skill | What it does |
|---|---|---|
| meta | `recon-playbook` | 4-phase pipeline: target gen → quick filter → WP deep check → deep invade |
| recon | `cors-credential-wordpress` | 8 CORS variants (V1-V8) with real confirmed targets |
| recon | `xmlrpc-exploitation` | `system.multicall`, pingback SSRF, IMDS role guessing, `wp.uploadFile` |
| recon | `web-enumeration` | 200+ sensitive file paths, `.env` extraction, path traversal, vhost enum |
| recon | `js-secrets-extraction` | 12 regex patterns for API keys, JWTs, Firebase and Supabase credentials in JS bundles |
| recon | `email-security` | DMARC/SPF/DKIM checks, SMTP spoofing, header analysis |
| chains | `cross-attack-chains` | Attack chain methodology: CORS + XMLRPC → RCE, SSRF → IMDS, etc. |
| chains | `wordpress-full-compromise` | Kill chains for full WordPress takeover |
| meta | `attack-patterns-reference` | 25 patterns (P-01 to P-25), 18 WP abuse patterns, 8 CORS variants |
| meta | `cross-wave-delta-analysis` | Compare recon waves → NEW / REGRESSION / PERSISTENT / CHANGE |
| meta | `sector-recon-methodology` | Tier-based sector selection + per-sector vulnerability baselines |
| meta | `google-dorks-catalog` | 100+ dork patterns by service type + GitHub code search |
| redteam | `hunt-*` (54 skills) | One per vuln class: xss, sqli, ssrf, rce, ato, idor, cors, firebase, supabase, schema-enum, write-gap, metrics, k8s, llm-ai, etc. |
| redteam | `hunt-schema-enumeration` | API error-hint enumeration: discover hidden tables via PostgREST/Zod/FastAPI validation leaks |
| redteam | `hunt-write-gap` | Read-protected but write-open endpoints: PATCH/POST/DELETE privilege escalation |
| redteam | `hunt-metrics-exposure` | Public `/metrics`, `/health`, actuator: AI usage, DB pools, operational intel |
| recon | `hardcoded-credential-hunt` | Detect hardcoded passwords in HTML forms, JavaScript, API config endpoints, debug pages |
| recon | `s3-minio-content-type-xss` | Content-Type override on public S3/MinIO buckets → stored XSS on the target origin |
| recon | `unauth-api-flow-hijack` | Exploit multi-step API flows without auth: start → submit → upload → export |
| recon | `scada-hikvision-isapi` | Enumerate Hikvision ISAPI endpoints, cameras, RTSP on SCADA/IoT web interfaces |
| recon | `stealth-browser-launch` | C++ patched Chromium: 18 fingerprint flags, bypass Cloudflare/reCAPTCHA/FingerprintJS |
| recon | `humanize-automation` | Bézier mouse paths, mistyped keystrokes, accel-cruise-decel scroll for behavioral bypass |
| recon | `tls-fingerprint-impersonation` | 20 browser profiles (Chrome/Firefox/Safari/OkHttp) with JA4 TLS validation |
| recon | `http2-header-impersonation` | HTTP/2 SETTINGS spoofing, pseudo-header order, browser `sec-ch-ua` headers |
| redteam | `parallel-recon-triad` | 3 parallel subagents every 20 min: Deep Invade + Expand + Skill Evolution |
| redteam | `ops-proxyns` | Per-namespace routing via Linux network namespaces so every connection from the namespace leaves through Tor |
| redteam | `cloud-iam-deep` | AWS/GCP/Azure IAM enumeration, SA key abuse, Cloud Run, Artifact Registry |
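The `js-secrets-extraction` row above lists 12 regex patterns but does not show how a scanner of that kind is put together. The following is an added example, not the skill's own code: five patterns of my own choosing (Google API key, AWS access key ID, JWT, Supabase project URL, Firebase database URL), a Shannon-entropy floor so that obvious placeholders such as `AKIA0000…` are dropped, and a payload decoder for any JWT it finds, since a Supabase anon/service key is a JWT whose `role` claim tells you what it can do. The bundle it scans is constructed inline; every value in it is fake.

```python
"""Added example, not the recon-skills project's js-secrets-extraction skill:
a small regex scanner for secrets in a JavaScript bundle, with a Shannon-entropy
floor to drop placeholders. The five patterns are my own selection, not the
skill's 12, and SAMPLE_BUNDLE is constructed with fake values."""
import base64
import json
import math
import re
from collections import Counter


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def fake_jwt(claims: dict) -> str:
    """JWT-shaped token with a junk signature, used only to build the sample bundle."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature-0123')}"


# Constructed bundle; nothing in it is a live credential.
SAMPLE_BUNDLE = (
    'const cfg={apiKey:"AIzaSyD-EXAMPLEKEY0123456789abcdefghijk",\n'
    ' supabaseUrl:"https://abcdefghijklmnopqrst.supabase.co",\n'
    ' supabaseKey:"' + fake_jwt({"role": "anon", "ref": "abcdefghijklmnopqrst"}) + '",\n'
    ' aws:"AKIAIOSFODNN7EXAMPLE",\n'
    ' fb:"https://demo-app-12345.firebaseio.com"};\n'
    'const placeholder="AKIA' + "0" * 16 + '";\n'
)

# kind -> (regex, minimum Shannon entropy in bits/char before a match is reported)
PATTERNS = {
    "google_api_key": (re.compile(r"AIza[0-9A-Za-z_-]{35}"), 3.0),
    "aws_access_key_id": (re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])"), 3.0),
    "jwt": (re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"), 3.0),
    "supabase_url": (re.compile(r"https://[a-z0-9]{20}\.supabase\.co"), 0.0),
    "firebase_url": (re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"), 0.0),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; repeated filler like 0000... scores near zero."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_bundle(text: str) -> list:
    """Return [{'kind', 'value', 'line'}] for each distinct match above its entropy floor."""
    findings, seen = [], set()
    for kind, (rx, floor) in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if (kind, value) in seen or shannon_entropy(value) < floor:
                continue
            seen.add((kind, value))
            findings.append({"kind": kind, "value": value,
                             "line": text.count("\n", 0, m.start()) + 1})
    return findings


def jwt_claims(token: str) -> dict:
    """Decode the payload segment only; the signature is not checked and not needed."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        extra = f" claims={jwt_claims(f['value'])}" if f["kind"] == "jwt" else ""
        print(f"line {f['line']}: {f['kind']} {f['value'][:24]}...{extra}")
```

The entropy floor is what keeps a scanner like this usable on minified bundles: the placeholder on the last line matches the AWS pattern but is dropped, while the real-shaped key is kept. Run it against `curl`-fetched bundles the same way; only `SAMPLE_BUNDLE` is specific to this demo.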

📊 Field Results

| Metric | Value |
|---|---|
| Unique domains tested | 600+ |
| Vulnerable companies found | 80+ |
| Sectors tested | 45+ |
| CORS variants cataloged | 8 (V1-V8) |
| Attack patterns cataloged | 25 (P-01 to P-25) |
| WP abuse patterns cataloged | 18 (WP-01 to WP-18) |
| Attack chains confirmed | 10 |
| Recon rounds completed | 12 |
| Executable scripts | 48 (40 .py, 7 .sh, 1 .js) |
| Hunt skills expanded (2025-2026) | 10 (schema-enum, write-gap, metrics, smuggling, mfa, saml, ato, api, llm, race) |
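Twelve recon rounds only pay off if consecutive waves are diffed, which is what the `cross-wave-delta-analysis` skill's NEW / REGRESSION / PERSISTENT / CHANGE split is for. The page does not define those four labels, so the example below is an added one, not the skill's code, and the semantics are my reading: a finding is keyed by (host, pattern ID), PERSISTENT means it was in the previous wave with the same severity, CHANGE that it was there with a different severity, REGRESSION that it was absent from the previous wave but present in an earlier one, and NEW that no earlier wave had it. The three sample waves are constructed; only the P-xx / WP-xx naming is taken from the catalog.

```python
"""Added example, not the recon-skills project's cross-wave-delta-analysis
skill. Category semantics are my interpretation of the four labels, and the
waves in WAVES are constructed sample data."""


def classify_wave_delta(waves: list) -> dict:
    """waves: oldest-first list of dicts, each {(host, pattern_id): severity}.

    Every finding in the newest wave is placed in exactly one bucket:
      PERSISTENT  in the previous wave with the same severity
      CHANGE      in the previous wave with a different severity
      REGRESSION  absent from the previous wave, but seen in an earlier one
      NEW         never seen in any earlier wave
    """
    if len(waves) < 2:
        raise ValueError("need at least two waves to compute a delta")
    current, previous, earlier = waves[-1], waves[-2], waves[:-2]
    seen_earlier = set().union(*earlier) if earlier else set()
    delta = {"NEW": [], "REGRESSION": [], "PERSISTENT": [], "CHANGE": []}
    for key, severity in sorted(current.items()):
        if key in previous:
            bucket = "PERSISTENT" if previous[key] == severity else "CHANGE"
        elif key in seen_earlier:
            bucket = "REGRESSION"
        else:
            bucket = "NEW"
        delta[bucket].append(key)
    return delta


def resolved_since_previous(waves: list) -> list:
    """Findings present in the previous wave and gone now. Not one of the page's
    four labels; added because a delta report is incomplete without it."""
    current, previous = waves[-1], waves[-2]
    return sorted(k for k in previous if k not in current)


# Constructed waves (hosts are placeholders; pattern IDs follow the P-xx / WP-xx catalog naming).
WAVES = [
    {("a.example.com", "WP-05"): "Medium", ("b.example.com", "P-03"): "High"},
    {("a.example.com", "WP-05"): "Medium", ("c.example.com", "P-12"): "High",
     ("e.example.com", "P-07"): "Medium"},
    {("a.example.com", "WP-05"): "High", ("b.example.com", "P-03"): "High",
     ("c.example.com", "P-12"): "High", ("d.example.com", "P-01"): "Critical"},
]

if __name__ == "__main__":
    for bucket, keys in classify_wave_delta(WAVES).items():
        print(bucket, keys)
    print("RESOLVED", resolved_since_previous(WAVES))
```

REGRESSION is the bucket worth alerting on: `b.example.com` was clean in wave 2 and is back in wave 3, which usually means a fix was rolled back or a redeploy reintroduced the default configuration.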

Finding Distribution

| Severity | Count | Common patterns |
|---|---|---|
| Critical | 14 | RLS write gap (tier upgrade, balance injection), MySQL exposed, PHPInfo + open registration, CORS + XMLRPC + upload → RCE, price tampering |
| High | 30 | CORS credential reflection, XMLRPC multicall, staging takeover, schema enumeration, metrics exposure |
| Medium | 18 | WP user enumeration, WooCommerce API, plugin version disclosure |
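The "RLS write gap" at the top of the Critical row is the pattern the `hunt-write-gap` skill targets: reads on a resource are gated, but the write path (PATCH/POST/DELETE) was never given the same policy, so an unauthenticated client can upgrade its own tier or inject a balance. The example below is added here and is not the skill's code. It spins up two throwaway local HTTP servers, one modelling the gap and one with the check on both paths, and runs the same probe against each: an unauthenticated GET followed by an unauthenticated PATCH with an empty JSON body. The empty body is the important detail for live targets, since it exercises the authorization decision without changing a record. Endpoints, the record and the bearer-token check are all constructed for the demo.

```python
"""Added example, not the recon-skills project's hunt-write-gap skill: a
write-gap probe against two constructed local servers. "vulnerable" gates
GET on a bearer token but not PATCH; "hardened" gates both."""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def make_handler(protect_writes: bool):
    """Build a handler class. protect_writes=False reproduces the gap."""
    store = {"id": 7, "tier": "free", "balance": 0}  # constructed record

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep per-request logging quiet
            pass

        def _authed(self) -> bool:
            return self.headers.get("Authorization", "").startswith("Bearer ")

        def _reply(self, code: int, body: dict) -> None:
            data = json.dumps(body).encode()
            self.send_response(code)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def do_GET(self):
            if not self._authed():
                return self._reply(401, {"error": "unauthorized"})
            self._reply(200, store)

        def do_PATCH(self):
            # The vulnerable variant skips the auth check on the write path.
            if protect_writes and not self._authed():
                return self._reply(401, {"error": "unauthorized"})
            length = int(self.headers.get("Content-Length", "0"))
            store.update(json.loads(self.rfile.read(length) or b"{}"))
            self._reply(200, store)

    return Handler


def start_server(protect_writes: bool) -> ThreadingHTTPServer:
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(protect_writes))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _status(host: str, port: int, method: str, path: str, body: bytes = b"") -> int:
    """One request on a fresh connection; returns the HTTP status only."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, body=body or None,
                     headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def probe_write_gap(host: str, port: int, path: str, write_method: str = "PATCH") -> dict:
    """Unauthenticated read, then an unauthenticated no-op write ({}).
    A write gap is a denied read sitting next to an accepted write."""
    read = _status(host, port, "GET", path)
    write = _status(host, port, write_method, path, b"{}")
    return {
        "path": path,
        "read_status": read,
        "write_status": write,
        "write_gap": read in (401, 403) and 200 <= write < 300,
    }


def demo() -> dict:
    """Probe the vulnerable and the hardened server; returns both results."""
    results = {}
    for label, protect in (("vulnerable", False), ("hardened", True)):
        srv = start_server(protect)
        host, port = srv.server_address
        results[label] = probe_write_gap(host, port, "/api/users/7")
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A 401 on GET next to a 200 on PATCH is the signal; a 405 or 404 on the write is not a gap, and a 2xx on a write that carried a real field would have modified the target's data, which is why the probe body stays empty until you are working against your own test record.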

Top Patterns by Sector

| Sector | Vuln rate | Top finding |
|---|---|---|
| Law Firms | ~25% | WP REST API user enumeration |
| Landscaping | ~20% | CORS credential reflection |
| Pool Services | ~20% | CORS + XMLRPC open |
| Pest Control | ~20% | CORS credential reflection |
| HVAC/Plumbing | ~14% | CORS + WP user enumeration |
| Locksmiths | ~33% | WP REST API + XMLRPC |
| Window Cleaning | ~25% | CORS + XMLRPC |
| Bakeries | ~18% | Source leaks + CORS wildcard |
| Septic Services | ~25% | Source leaks + CORS |

🚀 Getting Started

```bash
git clone git@github.com:uphiago/recon-skills.git
cd recon-skills
cat SOUL.md          # Read the philosophy
cat AGENTS.md        # Read the standards & catalog
ls recon/            # Browse recon skills
ls redteam/          # Browse hunt skills
```

Each skill directory has a SKILL.md with:

  • When to Use
  • Prerequisites
  • How to Run (copy-paste commands)
  • Procedure (numbered steps with exact commands)
  • Pitfalls
  • Verification

🧠 Design Principles

  • Terminal-native — every command runs via curl, nmap or python3; the stealth-browser and humanize-automation skills are the only ones that drive a browser.
  • Self-contained — each SKILL.md is a complete operational package.
  • Field-validated — techniques confirmed on real targets before shipping.
  • Chain everything — a single finding is usually Medium; two findings chained together can be Critical.
  • Cross-reference, don't duplicate — hosting tables belong in one place.

⭐ Star History

[Star history chart]

📄 License

MIT — Use freely, contribute back.

About

Topics: bug-bounty, cloud-security, cors-exploitation, firebase-hacking, hermes-agent, jwt-attacks, offensive-security, penetration-testing, reconnaissance, red-team, security-automation, ssrf, subdomain-enumeration, supabase, wordpress-security

Languages

Python 100.0%

Commit Activity

Past 52 weeks: 35 total commits, peak 21 commits/week.