红队工具与方法论：自动化渗透测试与漏洞赏金狩猎完整指南

Red Team Tools and Methodology by sickn33/antigravity-awesome-skills

27,400 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill 'Red Team Tools and Methodology'

方法论自动化安全

🇨🇳中文介绍

红队工具与方法论

目的

实施来自顶尖安全研究人员的成熟方法论和工具工作流，以实现有效的侦察、漏洞发现和漏洞赏金狩猎。自动化常见任务，同时保持对攻击面的全面覆盖。

输入/先决条件

目标范围定义（域名、IP 范围、应用程序）
基于 Linux 的攻击机（Kali、Ubuntu）
漏洞赏金计划规则和范围
已安装的工具依赖项（Go、Python、Ruby）
各种服务的 API 密钥（Shodan、Censys 等）

输出/交付成果

全面的子域名枚举
存活主机发现和技术指纹识别
已识别的漏洞和攻击向量
自动化侦察流水线输出
用于报告的有文档记录的发现结果

核心工作流

1. 项目跟踪与资产获取

设置侦察跟踪：

# 创建项目结构
mkdir -p target/{recon,vulns,reports}
cd target

# 使用 Crunchbase 查找资产
# 手动搜索子公司

# 获取目标的 ASN
amass intel -org "Target Company" -src

# 替代的 ASN 查找方法
curl -s "https://bgp.he.net/search?search=targetcompany&commit=Search"

2. 子域名枚举

全面的子域名发现：

# 创建通配符文件
echo "target.com" > wildcards

# 被动运行 Amass
amass enum -passive -d target.com -src -o amass_passive.txt

# 主动运行 Amass
amass enum -active -d target.com -src -o amass_active.txt

# 使用 Subfinder
subfinder -d target.com -silent -o subfinder.txt

# 资产发现
cat wildcards | assetfinder --subs-only | anew domains.txt

# 替代的子域名工具
findomain -t target.com -o

# 使用 dnsgen 生成排列组合
cat domains.txt | dnsgen - | httprobe > permuted.txt

# 合并所有来源
cat amass_*.txt subfinder.txt | sort -u > all_subs.txt

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

3. 存活主机发现

识别响应主机：

# 使用 httprobe 检查哪些主机存活
cat domains.txt | httprobe -c 80 --prefer-https | anew hosts.txt

# 使用 httpx 获取更多详细信息
cat domains.txt | httpx -title -tech-detect -status-code -o live_hosts.txt

# 使用 massdns 的替代方法
massdns -r resolvers.txt -t A -o S domains.txt > resolved.txt

4. 技术指纹识别

识别技术栈以进行针对性攻击：

# Whatweb 扫描
whatweb -i hosts.txt -a 3 -v > tech_stack.txt

# Nuclei 技术检测
nuclei -l hosts.txt -t technologies/ -o tech_nuclei.txt

# Wappalyzer（如果可用）
# 用于手动审查的浏览器扩展

查找隐藏的端点和文件：

# 使用 ffuf 进行目录暴力破解
ffuf -ac -v -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

# 从 Wayback 获取历史 URL
waybackurls target.com | tee wayback.txt

# 使用 gau 查找所有 URL
gau target.com | tee all_urls.txt

# 参数发现
cat all_urls.txt | grep "=" | sort -u > params.txt

# 从历史数据生成自定义单词列表
cat all_urls.txt | unfurl paths | sort -u > custom_wordlist.txt

6. 应用程序分析（Jason Haddix 方法）

热图优先级区域：

文件上传 - 测试注入、XXE、SSRF、Shell 上传
内容类型 - 在 Burp 中筛选 multipart 表单
API - 查找隐藏方法、缺少认证
个人资料部分 - 存储型 XSS、自定义字段
集成功能 - 通过第三方的 SSRF
错误页面 - 特殊的注入点

应用程序如何传递数据？（参数、API、混合方式）
应用程序在何处提及用户？（UID、UUID 端点）
网站是否有多租户或用户级别？
它是否有独特的威胁模型？
网站如何处理 XSS/CSRF？
网站过去是否有过分析文章/漏洞利用？

7. 自动化 XSS 狩猎

# 使用 ParamSpider 提取参数
python3 paramspider.py --domain target.com -o params.txt

# 使用 Gxss 过滤
cat params.txt | Gxss -p test

# 使用 Dalfox 进行 XSS 测试
cat params.txt | dalfox pipe --mining-dict params.txt -o xss_results.txt

# 替代工作流
waybackurls target.com | grep "=" | qsreplace '"><script>alert(1)</script>' | while read url; do
    curl -s "$url" | grep -q 'alert(1)' && echo "$url"
done > potential_xss.txt

# Nuclei 全面扫描
nuclei -l hosts.txt -t ~/nuclei-templates/ -o nuclei_results.txt

# 检查常见 CVE
nuclei -l hosts.txt -t cves/ -o cve_results.txt

# Web 漏洞
nuclei -l hosts.txt -t vulnerabilities/ -o vuln_results.txt

用于 API 模糊测试的单词列表：

# 枚举 API 端点
ffuf -u https://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt

# 测试 API 版本
ffuf -u https://target.com/api/v1/FUZZ -w api_wordlist.txt
ffuf -u https://target.com/api/v2/FUZZ -w api_wordlist.txt

# 检查隐藏方法
for method in GET POST PUT DELETE PATCH; do
    curl -X $method https://target.com/api/users -v
done

10. 自动化侦察脚本

#!/bin/bash
domain=$1

if [[ -z $domain ]]; then
    echo "Usage: ./recon.sh <domain>"
    exit 1
fi

mkdir -p "$domain"

# 子域名枚举
echo "[*] Enumerating subdomains..."
subfinder -d "$domain" -silent > "$domain/subs.txt"

# 存活主机发现
echo "[*] Finding live hosts..."
cat "$domain/subs.txt" | httpx -title -tech-detect -status-code > "$domain/live.txt"

# URL 收集
echo "[*] Collecting URLs..."
cat "$domain/live.txt" | waybackurls > "$domain/urls.txt"

# Nuclei 扫描
echo "[*] Running Nuclei..."
nuclei -l "$domain/live.txt" -o "$domain/nuclei.txt"

echo "[+] Recon complete!"

工具	用途
Amass	子域名枚举
Subfinder	快速子域名发现
httpx/httprobe	存活主机检测
ffuf	内容发现
Nuclei	漏洞扫描
Burp Suite	手动测试
Dalfox	XSS 自动化
waybackurls	历史 URL 挖掘

需要检查的关键 API 端点

/api/v1/users
/api/v1/admin
/api/v1/profile
/api/users/me
/api/config
/api/debug
/api/swagger
/api/graphql

<!-- Test encoding handling -->
<h1><img><table>
<script>
%3Cscript%3E
%253Cscript%253E
%26lt;script%26gt;

尊重计划范围边界
未经许可，避免对生产环境进行 DoS 或模糊测试
限制请求速率以避免被阻止
某些工具可能会产生误报
某些工具需要 API 密钥才能完全发挥功能

示例 1：快速子域名侦察

subfinder -d target.com | httpx -title | tee results.txt

示例 2：XSS 狩猎流水线

waybackurls target.com | grep "=" | qsreplace "test" | httpx -silent | dalfox pipe

示例 3：全面扫描

# 完整的侦察链
amass enum -d target.com | httpx | nuclei -t ~/nuclei-templates/

问题	解决方案
速率限制	使用代理轮换，降低并发数
结果过多	专注于特定的技术栈
误报	在报告前手动验证发现结果
缺少子域名	结合多个枚举来源
API 密钥错误	在配置文件中验证密钥
找不到工具	使用 `go install` 安装 Go 工具

🇺🇸English

Red Team Tools and Methodology

Purpose

Implement proven methodologies and tool workflows from top security researchers for effective reconnaissance, vulnerability discovery, and bug bounty hunting. Automate common tasks while maintaining thorough coverage of attack surfaces.

Inputs/Prerequisites

Target scope definition (domains, IP ranges, applications)
Linux-based attack machine (Kali, Ubuntu)
Bug bounty program rules and scope
Tool dependencies installed (Go, Python, Ruby)
API keys for various services (Shodan, Censys, etc.)

Outputs/Deliverables

Comprehensive subdomain enumeration
Live host discovery and technology fingerprinting
Identified vulnerabilities and attack vectors
Automated recon pipeline outputs
Documented findings for reporting

Core Workflow

1. Project Tracking and Acquisitions

Set up reconnaissance tracking:

# Create project structure
mkdir -p target/{recon,vulns,reports}
cd target

# Find acquisitions using Crunchbase
# Search manually for subsidiary companies

# Get ASN for targets
amass intel -org "Target Company" -src

# Alternative ASN lookup
curl -s "https://bgp.he.net/search?search=targetcompany&commit=Search"

2. Subdomain Enumeration

Comprehensive subdomain discovery:

# Create wildcards file
echo "target.com" > wildcards

# Run Amass passively
amass enum -passive -d target.com -src -o amass_passive.txt

# Run Amass actively
amass enum -active -d target.com -src -o amass_active.txt

# Use Subfinder
subfinder -d target.com -silent -o subfinder.txt

# Asset discovery
cat wildcards | assetfinder --subs-only | anew domains.txt

# Alternative subdomain tools
findomain -t target.com -o

# Generate permutations with dnsgen
cat domains.txt | dnsgen - | httprobe > permuted.txt

# Combine all sources
cat amass_*.txt subfinder.txt | sort -u > all_subs.txt

3. Live Host Discovery

Identify responding hosts:

# Check which hosts are live with httprobe
cat domains.txt | httprobe -c 80 --prefer-https | anew hosts.txt

# Use httpx for more details
cat domains.txt | httpx -title -tech-detect -status-code -o live_hosts.txt

# Alternative with massdns
massdns -r resolvers.txt -t A -o S domains.txt > resolved.txt

4. Technology Fingerprinting

Identify technologies for targeted attacks:

# Whatweb scanning
whatweb -i hosts.txt -a 3 -v > tech_stack.txt

# Nuclei technology detection
nuclei -l hosts.txt -t technologies/ -o tech_nuclei.txt

# Wappalyzer (if available)
# Browser extension for manual review

5. Content Discovery

Find hidden endpoints and files:

# Directory bruteforce with ffuf
ffuf -ac -v -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

# Historical URLs from Wayback
waybackurls target.com | tee wayback.txt

# Find all URLs with gau
gau target.com | tee all_urls.txt

# Parameter discovery
cat all_urls.txt | grep "=" | sort -u > params.txt

# Generate custom wordlist from historical data
cat all_urls.txt | unfurl paths | sort -u > custom_wordlist.txt

6. Application Analysis (Jason Haddix Method)

Heat Map Priority Areas:

File Uploads - Test for injection, XXE, SSRF, shell upload
Content Types - Filter Burp for multipart forms
APIs - Look for hidden methods, lack of auth
Profile Sections - Stored XSS, custom fields
Integrations - SSRF through third parties
Error Pages - Exotic injection points

Analysis Questions:

How does the app pass data? (Params, API, Hybrid)
Where does the app talk about users? (UID, UUID endpoints)
Does the site have multi-tenancy or user levels?
Does it have a unique threat model?
How does the site handle XSS/CSRF?
Has the site had past writeups/exploits?

7. Automated XSS Hunting

# ParamSpider for parameter extraction
python3 paramspider.py --domain target.com -o params.txt

# Filter with Gxss
cat params.txt | Gxss -p test

# Dalfox for XSS testing
cat params.txt | dalfox pipe --mining-dict params.txt -o xss_results.txt

# Alternative workflow
waybackurls target.com | grep "=" | qsreplace '"><script>alert(1)</script>' | while read url; do
    curl -s "$url" | grep -q 'alert(1)' && echo "$url"
done > potential_xss.txt

8. Vulnerability Scanning

# Nuclei comprehensive scan
nuclei -l hosts.txt -t ~/nuclei-templates/ -o nuclei_results.txt

# Check for common CVEs
nuclei -l hosts.txt -t cves/ -o cve_results.txt

# Web vulnerabilities
nuclei -l hosts.txt -t vulnerabilities/ -o vuln_results.txt

9. API Enumeration

Wordlists for API fuzzing:

# Enumerate API endpoints
ffuf -u https://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt

# Test API versions
ffuf -u https://target.com/api/v1/FUZZ -w api_wordlist.txt
ffuf -u https://target.com/api/v2/FUZZ -w api_wordlist.txt

# Check for hidden methods
for method in GET POST PUT DELETE PATCH; do
    curl -X $method https://target.com/api/users -v
done

10. Automated Recon Script

#!/bin/bash
domain=$1

if [[ -z $domain ]]; then
    echo "Usage: ./recon.sh <domain>"
    exit 1
fi

mkdir -p "$domain"

# Subdomain enumeration
echo "[*] Enumerating subdomains..."
subfinder -d "$domain" -silent > "$domain/subs.txt"

# Live host discovery
echo "[*] Finding live hosts..."
cat "$domain/subs.txt" | httpx -title -tech-detect -status-code > "$domain/live.txt"

# URL collection
echo "[*] Collecting URLs..."
cat "$domain/live.txt" | waybackurls > "$domain/urls.txt"

# Nuclei scanning
echo "[*] Running Nuclei..."
nuclei -l "$domain/live.txt" -o "$domain/nuclei.txt"

echo "[+] Recon complete!"

Quick Reference

Essential Tools

Tool	Purpose
Amass	Subdomain enumeration
Subfinder	Fast subdomain discovery
httpx/httprobe	Live host detection
ffuf	Content discovery
Nuclei	Vulnerability scanning
Burp Suite	Manual testing
Dalfox	XSS automation
waybackurls	Historical URL mining

Key API Endpoints to Check

/api/v1/users
/api/v1/admin
/api/v1/profile
/api/users/me
/api/config
/api/debug
/api/swagger
/api/graphql

XSS Filter Testing

<!-- Test encoding handling -->
<h1><img><table>
<script>
%3Cscript%3E
%253Cscript%253E
%26lt;script%26gt;

Constraints

Respect program scope boundaries
Avoid DoS or fuzzing on production without permission
Rate limit requests to avoid blocking
Some tools may generate false positives
API keys required for full functionality of some tools

Examples

Example 1: Quick Subdomain Recon

subfinder -d target.com | httpx -title | tee results.txt

Example 2: XSS Hunting Pipeline

waybackurls target.com | grep "=" | qsreplace "test" | httpx -silent | dalfox pipe

Example 3: Comprehensive Scan

# Full recon chain
amass enum -d target.com | httpx | nuclei -t ~/nuclei-templates/

Troubleshooting

Issue	Solution
Rate limited	Use proxy rotation, reduce concurrency
Too many results	Focus on specific technology stacks
False positives	Manually verify findings before reporting
Missing subdomains	Combine multiple enumeration sources
API key errors	Verify keys in config files
Tools not found	Install Go tools with `go install`

Weekly Installs

–

Repository

sickn33/antigra…e-skills

GitHub Stars

27.4K

First Seen

–

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

GitHub Actions 官方文档查询助手 - 精准解答 CI/CD 工作流问题

27,800 周安装