{"id":"f5c9ca06-8c6f-4596-ac57-f8fc72576fe0","shortId":"q9AfT2","kind":"skill","title":"red-team-tools","tagline":"Implement proven methodologies and tool workflows from top security researchers for effective reconnaissance, vulnerability discovery, and bug bounty hunting. Automate common tasks while maintaining thorough coverage of attack surfaces.","description":"> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.\n\n# Red Team Tools and Methodology\n\n## Purpose\n\nImplement proven methodologies and tool workflows from top security researchers for effective reconnaissance, vulnerability discovery, and bug bounty hunting. Automate common tasks while maintaining thorough coverage of attack surfaces.\n\n## Inputs/Prerequisites\n\n- Target scope definition (domains, IP ranges, applications)\n- Linux-based attack machine (Kali, Ubuntu)\n- Bug bounty program rules and scope\n- Tool dependencies installed (Go, Python, Ruby)\n- API keys for various services (Shodan, Censys, etc.)\n\n## Outputs/Deliverables\n\n- Comprehensive subdomain enumeration\n- Live host discovery and technology fingerprinting\n- Identified vulnerabilities and attack vectors\n- Automated recon pipeline outputs\n- Documented findings for reporting\n\n## Core Workflow\n\n### 1. Project Tracking and Acquisitions\n\nSet up reconnaissance tracking:\n\n```bash\n# Create project structure\nmkdir -p target/{recon,vulns,reports}\ncd target\n\n# Find acquisitions using Crunchbase\n# Search manually for subsidiary companies\n\n# Get ASN for targets\namass intel -org \"Target Company\" -src\n\n# Alternative ASN lookup\ncurl -s \"https://bgp.he.net/search?search=targetcompany&commit=Search\"\n```\n\n### 2. Subdomain Enumeration\n\nComprehensive subdomain discovery:\n\n```bash\n# Create wildcards file\necho \"target.com\" > wildcards\n\n# Run Amass passively\namass enum -passive -d target.com -src -o amass_passive.txt\n\n# Run Amass actively\namass enum -active -d target.com -src -o amass_active.txt\n\n# Use Subfinder\nsubfinder -d target.com -silent -o subfinder.txt\n\n# Asset discovery\ncat wildcards | assetfinder --subs-only | anew domains.txt\n\n# Alternative subdomain tools\nfindomain -t target.com -o\n\n# Generate permutations with dnsgen\ncat domains.txt | dnsgen - | httprobe > permuted.txt\n\n# Combine all sources\ncat amass_*.txt subfinder.txt | sort -u > all_subs.txt\n```\n\n### 3. Live Host Discovery\n\nIdentify responding hosts:\n\n```bash\n# Check which hosts are live with httprobe\ncat domains.txt | httprobe -c 80 --prefer-https | anew hosts.txt\n\n# Use httpx for more details\ncat domains.txt | httpx -title -tech-detect -status-code -o live_hosts.txt\n\n# Alternative with massdns\nmassdns -r resolvers.txt -t A -o S domains.txt > resolved.txt\n```\n\n### 4. Technology Fingerprinting\n\nIdentify technologies for targeted attacks:\n\n```bash\n# Whatweb scanning\nwhatweb -i hosts.txt -a 3 -v > tech_stack.txt\n\n# Nuclei technology detection\nnuclei -l hosts.txt -t technologies/ -o tech_nuclei.txt\n\n# Wappalyzer (if available)\n# Browser extension for manual review\n```\n\n### 5. Content Discovery\n\nFind hidden endpoints and files:\n\n```bash\n# Directory bruteforce with ffuf\nffuf -ac -v -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt\n\n# Historical URLs from Wayback\nwaybackurls target.com | tee wayback.txt\n\n# Find all URLs with gau\ngau target.com | tee all_urls.txt\n\n# Parameter discovery\ncat all_urls.txt | grep \"=\" | sort -u > params.txt\n\n# Generate custom wordlist from historical data\ncat all_urls.txt | unfurl paths | sort -u > custom_wordlist.txt\n```\n\n### 6. Application Analysis (Jason Haddix Method)\n\n**Heat Map Priority Areas:**\n\n1. **File Uploads** - Test for injection, XXE, SSRF, shell upload\n2. **Content Types** - Filter Burp for multipart forms\n3. **APIs** - Look for hidden methods, lack of auth\n4. **Profile Sections** - Stored XSS, custom fields\n5. **Integrations** - SSRF through third parties\n6. **Error Pages** - Exotic injection points\n\n**Analysis Questions:**\n- How does the app pass data? (Params, API, Hybrid)\n- Where does the app talk about users? (UID, UUID endpoints)\n- Does the site have multi-tenancy or user levels?\n- Does it have a unique threat model?\n- How does the site handle XSS/CSRF?\n- Has the site had past writeups/exploits?\n\n### 7. Automated XSS Hunting\n\n```bash\n# ParamSpider for parameter extraction\npython3 paramspider.py --domain target.com -o params.txt\n\n# Filter with Gxss\ncat params.txt | Gxss -p test\n\n# Dalfox for XSS testing\ncat params.txt | dalfox pipe --mining-dict params.txt -o xss_results.txt\n\n# Alternative workflow\nwaybackurls target.com | grep \"=\" | qsreplace '\"><script>alert(1)</script>' | while read url; do\n    curl -s \"$url\" | grep -q 'alert(1)' && echo \"$url\"\ndone > potential_xss.txt\n```\n\n### 8. Vulnerability Scanning\n\n```bash\n# Nuclei comprehensive scan\nnuclei -l hosts.txt -t ~/nuclei-templates/ -o nuclei_results.txt\n\n# Check for common CVEs\nnuclei -l hosts.txt -t cves/ -o cve_results.txt\n\n# Web vulnerabilities\nnuclei -l hosts.txt -t vulnerabilities/ -o vuln_results.txt\n```\n\n### 9. API Enumeration\n\n**Wordlists for API fuzzing:**\n\n```bash\n# Enumerate API endpoints\nffuf -u https://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt\n\n# Test API versions\nffuf -u https://target.com/api/v1/FUZZ -w api_wordlist.txt\nffuf -u https://target.com/api/v2/FUZZ -w api_wordlist.txt\n\n# Check for hidden methods\nfor method in GET POST PUT DELETE PATCH; do\n    curl -X $method https://target.com/api/users -v\ndone\n```\n\n### 10. Automated Recon Script\n\n```bash\n#!/bin/bash\ndomain=$1\n\nif [[ -z $domain ]]; then\n    echo \"Usage: ./recon.sh <domain>\"\n    exit 1\nfi\n\nmkdir -p \"$domain\"\n\n# Subdomain enumeration\necho \"[*] Enumerating subdomains...\"\nsubfinder -d \"$domain\" -silent > \"$domain/subs.txt\"\n\n# Live host discovery\necho \"[*] Finding live hosts...\"\ncat \"$domain/subs.txt\" | httpx -title -tech-detect -status-code > \"$domain/live.txt\"\n\n# URL collection\necho \"[*] Collecting URLs...\"\ncat \"$domain/live.txt\" | waybackurls > \"$domain/urls.txt\"\n\n# Nuclei scanning\necho \"[*] Running Nuclei...\"\nnuclei -l \"$domain/live.txt\" -o \"$domain/nuclei.txt\"\n\necho \"[+] Recon complete!\"\n```\n\n## Quick Reference\n\n### Essential Tools\n\n| Tool | Purpose |\n|------|---------|\n| Amass | Subdomain enumeration |\n| Subfinder | Fast subdomain discovery |\n| httpx/httprobe | Live host detection |\n| ffuf | Content discovery |\n| Nuclei | Vulnerability scanning |\n| Burp Suite | Manual testing |\n| Dalfox | XSS automation |\n| waybackurls | Historical URL mining |\n\n### Key API Endpoints to Check\n\n```\n/api/v1/users\n/api/v1/admin\n/api/v1/profile\n/api/users/me\n/api/config\n/api/debug\n/api/swagger\n/api/graphql\n```\n\n### XSS Filter Testing\n\n```html\n<!-- Test encoding handling -->\n<h1><img><table>\n<script>\n%3Cscript%3E\n%253Cscript%253E\n%26lt;script%26gt;\n```\n\n## Constraints\n\n- Respect program scope boundaries\n- Avoid DoS or fuzzing on production without permission\n- Rate limit requests to avoid blocking\n- Some tools may generate false positives\n- API keys required for full functionality of some tools\n\n## Examples\n\n### Example 1: Quick Subdomain Recon\n\n```bash\nsubfinder -d target.com | httpx -title | tee results.txt\n```\n\n### Example 2: XSS Hunting Pipeline\n\n```bash\nwaybackurls target.com | grep \"=\" | qsreplace \"test\" | httpx -silent | dalfox pipe\n```\n\n### Example 3: Comprehensive Scan\n\n```bash\n# Full recon chain\namass enum -d target.com | httpx | nuclei -t ~/nuclei-templates/\n```\n\n## Troubleshooting\n\n| Issue | Solution |\n|-------|----------|\n| Rate limited | Use proxy rotation, reduce concurrency |\n| Too many results | Focus on specific technology stacks |\n| False positives | Manually verify findings before reporting |\n| Missing subdomains | Combine multiple enumeration sources |\n| API key errors | Verify keys in config files |\n| Tools not found | Install Go tools with `go install` |\n\n## When to Use\nThis skill is applicable to execute the workflow or actions described in the overview.","tags":["red","team","tools","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding"],"capabilities":["skill","source-sickn33","skill-red-team-tools","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/red-team-tools","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 34583 github stars · SKILL.md body (7,653 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T18:52:07.476Z","embedding":null,"createdAt":"2026-04-18T21:43:27.104Z","updatedAt":"2026-04-22T18:52:07.476Z","lastSeenAt":"2026-04-22T18:52:07.476Z","tsv":"'/api/config':791 '/api/debug':792 '/api/fuzz':636 '/api/graphql':794 '/api/swagger':793 '/api/users':674 '/api/users/me':790 '/api/v1/admin':788 '/api/v1/fuzz':646 '/api/v1/profile':789 '/api/v1/users':787 '/api/v2/fuzz':653 '/bin/bash':682 '/fuzz':382 '/nuclei-templates':598 '/recon.sh':691 '/search?search=targetcompany&commit=search':193 '/usr/share/seclists/discovery/web-content/api/api-endpoints.txt':638 '/usr/share/seclists/discovery/web-content/raft-medium-directories.txt':384 '1':146,433,582,684,693 '10':677 '2':194,443 '3':273,342,451 '4':327,460 '5':363,467 '6':423,473 '7':529 '8':587 '80':292 '9':621 'ac':377 'acquisit':150,168 'activ':220,223 'alert':581 'all_subs.txt':272 'all_urls.txt':401,405,417 'altern':186,247,315,566 'amass':180,208,210,219,221,267,754 'amass_active.txt':228 'amass_passive.txt':217 'analysi':425,479 'anew':245,296 'api':113,452,488,622,626,630,640,783 'api_wordlist.txt':648,655 'app':484,493 'applic':93,424 'area':432 'asn':177,187 'assess':44 'asset':237 'assetfind':241 'attack':32,84,97,134,334 'auth':459 'author':34,42 'autom':24,76,136,530,678,777 'avail':357 'base':96 'bash':155,200,280,335,371,533,590,628,681 'bgp.he.net':192 'bgp.he.net/search?search=targetcompany&commit=search':191 'bounti':22,74,102 'browser':358 'bruteforc':373 'bug':21,73,101 'burp':447,771 'c':291 'cat':239,258,266,288,303,404,416,547,556,715,731 'cd':165 'censi':119 'check':281,601,656,786 'code':312,724 'collect':727,729 'combin':263 'common':25,77,603 'compani':175,184 'complet':747 'comprehens':122,197,592 'content':364,444,766 'control':48 'core':144 'coverag':30,82 'creat':156,201 'crunchbas':170 'curl':189,576,669 'custom':411,465 'custom_wordlist.txt':422 'cve_results.txt':611 'cves':604,609 'd':213,224,232,704 'dalfox':552,558,775 'data':415,486 'defens':45 'definit':89 'delet':666 'depend':108 'detail':302 'detect':309,347,721,764 'dict':562 'directori':372 'discoveri':19,71,127,199,238,276,365,403,710,760,767 'dnsgen':257,260 'document':140 'domain':90,540,683,687,697,705 'domain/live.txt':725,732,742 'domain/nuclei.txt':744 'domain/subs.txt':707,716 'domain/urls.txt':734 'domains.txt':246,259,289,304,325 'done':585,676 'echo':204,583,689,700,711,728,737,745 'educ':49 'effect':16,68 'endpoint':368,499,631,784 'enum':211,222 'enumer':124,196,623,629,699,701,756 'environ':50 'error':474 'essenti':750 'etc':120 'exit':692 'exot':476 'extens':359 'extract':537 'fast':758 'ffuf':375,376,632,642,649,765 'fi':694 'field':466 'file':203,370,434 'filter':446,544,796 'find':141,167,366,393,712 'findomain':250 'fingerprint':130,329 'form':450 'fuzz':627 'gau':397,398 'generat':254,410 'get':176,663 'go':110 'grep':406,570,579 'gxss':546,549 'haddix':427 'handl':521 'heat':429 'hidden':367,455,658 'histor':385,414,779 'host':126,275,279,283,709,714,763 'hosts.txt':297,340,350,596,607,616 'html':798 'httprobe':261,287,290 'https':295 'httpx':299,305,717 'httpx/httprobe':761 'hunt':23,75,532 'hybrid':489 'identifi':131,277,330 'implement':5,57 'inject':438,477 'inputs/prerequisites':86 'instal':109 'integr':468 'intel':181 'ip':91 'jason':426 'kali':99 'key':114,782 'l':349,595,606,615,741 'lack':457 'level':509 'linux':95 'linux-bas':94 'live':125,274,285,708,713,762 'live_hosts.txt':314 'look':453 'lookup':188 'machin':98 'maintain':28,80 'manual':172,361,773 'map':430 'massdn':317,318 'method':428,456,659,661,671 'methodolog':7,55,59 'mine':561,781 'mining-dict':560 'mkdir':159,695 'model':516 'multi':505 'multi-ten':504 'multipart':449 'nuclei':345,348,591,594,605,614,735,739,740,768 'nuclei_results.txt':600 'o':216,227,235,253,313,323,353,542,564,599,610,619,743 'org':182 'output':139 'outputs/deliverables':121 'p':160,550,696 'page':475 'param':487 'paramet':402,536 'params.txt':409,543,548,557,563 'paramspid':534 'paramspider.py':539 'parti':472 'pass':485 'passiv':209,212 'past':527 'patch':667 'path':419 'permut':255 'permuted.txt':262 'pipe':559 'pipelin':138 'point':478 'post':664 'potential_xss.txt':586 'prefer':294 'prefer-http':293 'prioriti':431 'profil':461 'program':103 'project':147,157 'proven':6,58 'purpos':56,753 'put':665 'python':111 'python3':538 'q':580 'qsreplac':571 'question':480 'quick':748 'r':319 'rang':92 'read':573 'recon':137,162,679,746 'reconnaiss':17,69,153 'red':2,51 'red-team-tool':1 'refer':749 'report':143,164 'research':14,66 'resolved.txt':326 'resolvers.txt':320 'respond':278 'review':362 'rubi':112 'rule':104 'run':207,218,738 'scan':337,589,593,736,770 'scope':88,106 'script':680 'search':171 'section':462 'secur':13,43,65 'servic':117 'set':151 'shell':441 'shodan':118 'silent':234,706 'site':502,520,525 'skill':39 'skill-red-team-tools' 'sort':270,407,420 'sourc':265 'source-sickn33' 'src':185,215,226 'ssrf':440,469 'status':311,723 'status-cod':310,722 'store':463 'structur':158 'sub':243 'subdomain':123,195,198,248,698,702,755,759 'subfind':230,231,703,757 'subfinder.txt':236,269 'subs-on':242 'subsidiari':174 'suit':772 'surfac':33,85 'talk':494 'target':87,161,166,179,183,333 'target.com':205,214,225,233,252,381,390,399,541,569,635,645,652,673 'target.com/api/fuzz':634 'target.com/api/users':672 'target.com/api/v1/fuzz':644 'target.com/api/v2/fuzz':651 'target.com/fuzz':380 'task':26,78 'team':3,52 'tech':308,720 'tech-detect':307,719 'tech_nuclei.txt':354 'tech_stack.txt':344 'technolog':129,328,331,346,352 'tee':391,400 'tenanc':506 'test':436,551,555,639,774,797 'third':471 'thorough':29,81 'threat':515 'titl':306,718 'tool':4,9,53,61,107,249,751,752 'top':12,64 'topic-agent-skills' 'topic-agentic-skills' 'topic-ai-agent-skills' 'topic-ai-agents' 'topic-ai-coding' 'topic-ai-workflows' 'topic-antigravity' 'topic-antigravity-skills' 'topic-claude-code' 'topic-claude-code-skills' 'topic-codex-cli' 'topic-codex-skills' 'track':148,154 'txt':268 'type':445 'u':271,379,408,421,633,643,650 'ubuntu':100 'uid':497 'unfurl':418 'uniqu':514 'upload':435,442 'url':386,395,574,578,584,726,730,780 'usag':690 'use':35,37,169,229,298 'user':496,508 'uuid':498 'v':343,378,675 'valid':46 'various':116 'vector':135 'version':641 'vuln':163 'vuln_results.txt':620 'vulner':18,70,132,588,613,618,769 'w':383,637,647,654 'wappalyz':355 'wayback':388 'wayback.txt':392 'waybackurl':389,568,733,778 'web':612 'whatweb':336,338 'wildcard':202,206,240 'wordlist':412,624 'workflow':10,62,145,567 'writeups/exploits':528 'x':670 'xss':464,531,554,776,795 'xss/csrf':522 'xss_results.txt':565 'xxe':439 'z':686","prices":[{"id":"ea85f0f8-4958-436d-8a60-66cfa3622ff9","listingId":"f5c9ca06-8c6f-4596-ac57-f8fc72576fe0","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:43:27.104Z"}],"sources":[{"listingId":"f5c9ca06-8c6f-4596-ac57-f8fc72576fe0","source":"github","sourceId":"sickn33/antigravity-awesome-skills/red-team-tools","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/red-team-tools","isPrimary":false,"firstSeenAt":"2026-04-18T21:43:27.104Z","lastSeenAt":"2026-04-22T18:52:07.476Z"}],"details":{"listingId":"f5c9ca06-8c6f-4596-ac57-f8fc72576fe0","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"red-team-tools","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34583,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-22T06:40:00Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"c475f18de020fe5a9f7022399157e3ae95357633","skill_md_path":"skills/red-team-tools/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/red-team-tools"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"red-team-tools","description":"Implement proven methodologies and tool workflows from top security researchers for effective reconnaissance, vulnerability discovery, and bug bounty hunting. Automate common tasks while maintaining thorough coverage of attack surfaces."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/red-team-tools"},"updatedAt":"2026-04-22T18:52:07.476Z"}}