conducting-external-reconnaissance-with-osint

Featured

Conducts external reconnaissance using Open Source Intelligence (OSINT) techniques to map an organization's external attack surface without directly interacting with target systems. The tester gathers information from public sources including DNS records, certificate transparency logs, search engines, social media, code repositories, and data breach databases to build a comprehensive target profile. Activates for requests involving OSINT reconnaissance, external footprinting, attack surface mapping, or passive information gathering.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Quality Score: 99/100

- Stars (20%): 100
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Conducting External Reconnaissance with OSINT

## When to Use

- Performing the initial reconnaissance phase of a penetration test to gather intelligence before active scanning
- Mapping an organization's external attack surface to identify unknown or shadow IT assets
- Collecting employee information, email formats, and organizational structure for social engineering campaigns
- Identifying exposed credentials, leaked data, or sensitive documents published on the internet
- Scoping the breadth of an organization's digital footprint prior to a red team engagement

**Do not use** for stalking, harassment, or unauthorized surveillance of individuals. OSINT gathering must be conducted within the scope of an authorized engagement and comply with applicable privacy laws (GDPR, CCPA).

## Prerequisites

- Written authorization to perform reconnaissance against the target organization
- Dedicated research workstation with a VPN or Tor for anonymized queries when required
- OSINT framework tools installed: Amass, theHarvester, Shodan CLI, Recon-ng, SpiderFoot
- API keys for Shodan, Censys, SecurityTrails, Hunter.io, VirusTotal, and GitHub for enhanced results
- Disposable email accounts for accessing services that require registration during research

## Workflow

### Step 1: Domain and DNS Enumeration

Enumerate all domains, subdomains, and DNS records associated with the target:

- **Root domain identification**: Start with the primary domain and identify all related domains thro...

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

collecting-open-source-intelligence

Collects and synthesizes open-source intelligence (OSINT) about threat actors, malicious infrastructure, and attack campaigns using publicly available data sources, passive reconnaissance tools, and dark web monitoring. Use when investigating external threat actor infrastructure, performing pre-engagement reconnaissance for authorized red team assessments, or enriching CTI reports with publicly available adversary context. Activates for requests involving Maltego, Shodan, OSINT framework, SpiderFoot, or infrastructure reconnaissance.

12,642 Updated today
mukul975

DevOps & Infrastructure Listed

osint-methodology

Comprehensive OSINT methodology for external red-team operations and authorized attack-surface assessments. Covers the 5-stage recon pipeline, asset-graph discipline, severity rubric, confidence upgrade workflows, time budgeting, identity-fabric mapping, breach×identity correlation, detectability tagging, detection-aware probing, WAF/CDN bypass, vulnerability prioritization, phishing infrastructure planning, bug bounty submission, and client deliverable templates. Use when planning or executing reconnaissance against authorized targets, mapping an organization's external attack surface, investigating a person/entity, or producing client deliverables.

0 Updated today
Ap6pack

AI & Automation Solid

reconnaissance--osint-automation

Passive and active reconnaissance, subdomain enumeration, DNS analysis, technology fingerprinting, and OSINT data correlation for authorized security assessments

47 Updated today
Masriyan

AI & Automation Featured

performing-open-source-intelligence-gathering

Open Source Intelligence (OSINT) gathering is the first active phase of a red team engagement, where operators collect publicly available information about the target organization to identify attack s

12,642 Updated today
mukul975

AI & Automation Listed

osint-methodology

Comprehensive OSINT methodology for external red-team operations and authorized attack-surface assessments. Covers the 5-stage recon pipeline, asset-graph discipline, severity rubric, confidence upgrade workflows, time budgeting, identity-fabric mapping, breach×identity correlation, detectability tagging, detection-aware probing, WAF/CDN bypass, vulnerability prioritization, phishing infrastructure planning, bug bounty submission, and client deliverable templates. Use when planning or executing reconnaissance against authorized targets, mapping an organization's external attack surface, investigating a person/entity, or producing client deliverables.

1 Updated today
opencue