From communitytools
Performs domain reconnaissance and web app mapping: subdomain discovery, port scanning, endpoint/API enumeration, and attack surface analysis for security assessment.
npx claudepluginhub transilienceai/communitytools
This skill uses the workspace's default tool permissions.
Domain and web application reconnaissance. Discovers subdomains, open ports, endpoints, APIs, and JavaScript routes to build attack surface inventory.
Automates red team recon workflows: subdomain enum with Amass/Subfinder, live hosts via httpx/httprobe, tech fingerprinting with WhatWeb/Nuclei. For authorized pentests.
Performs API inventory and discovery to identify documented, undocumented, shadow, zombie, and deprecated endpoints using passive traffic analysis, active scanning, DNS enumeration, JavaScript analysis, and cloud inventory. For security audits and OWASP API9:2023 compliance.
Orchestrates pentest reconnaissance phase: enumerates subdomains via ASN/passive/brute, probes live hosts/ports, mines URLs/JS, dorks GitHub secrets, discovers cloud buckets, detects takeovers, maps attack surface.
inventory/ - JSON: subdomains, ports, endpoints, APIs, SBOM
analysis/ - MD: attack-surface, testing-checklist
raw/ - Tool outputs (nmap, ffuf, ZAP, subfinder)
subfinder, amass, nmap, masscan, ffuf, gobuster, nikto, ZAP, Playwright MCP
/osint - Run alongside reconnaissance for repository enumeration, secret scanning, and git history analysis. Run /osint in parallel during Phase 2.
Inspect response headers (curl -sI http://IP/). Headers like X-Backend-Server, X-Forwarded-Host, X-Served-By, X-Upstream often leak internal hostnames/vhosts not discoverable via DNS or brute-force. Add discovered hostnames to /etc/hosts immediately.
A wildcard TLS certificate (*.domain.tld in SAN) is a strong indicator of hidden vhosts. Always run vhost brute-force with ffuf -u https://IP -k -H "Host: FUZZ.domain.tld" -w subdomains.txt -mc all -fs <default_size> when a wildcard SAN is detected. Compare response size/status against the default vhost to identify valid subdomains.
Quick manual check: for sub in admin dev api portal dashboard staging git; do code=$(curl -s -o /dev/null -w "%{http_code}:%{size_download}" -H "Host: ${sub}.DOMAIN" http://IP); echo "$sub: $code"; done, then filter by response size difference from the default page.
Fingerprint management panels such as Nginx UI (manifest.json → "Nginx UI"), Cockpit, Webmin, phpMyAdmin. These often have unauthenticated API endpoints or known CVEs. Check /api/backup, /api/settings, /api/install for Nginx UI specifically.
When the AD archetype is obvious, skip -p- and run a focused scan over the 14 AD-relevant ports first; it finishes in seconds and covers everything that matters.
nmap -Pn -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,5986,9389 -oA recon/ad-focused TARGET
Ports rationale: 53 DNS, 88 Kerberos, 135 RPC, 139/445 SMB, 389/636 LDAP/LDAPS, 464 kpasswd, 593 RPC over HTTP (endpoint mapper), 3268/3269 GC/GC-LDAPS, 5985 WinRM (HTTP), 5986 WinRM (HTTPS, cert auth), 9389 AD Web Services. Always probe BOTH 5985 and 5986: when 5985 is filtered, 5986 with client-cert auth is a common foothold path (see skills/authentication/reference/password-attacks.md "WinRM with Cert-Based Authentication"). Only fall back to -p- if (a) no flag-yielding service surfaces in the focused scan, or (b) you suspect a non-standard app on a high port (custom web service, RDP on a non-3389 port, etc.). Don't burn 30 minutes on full TCP sweeps when the AD archetype is obvious.
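The vhost discovery steps above (hostnames leaked in X-Backend-Server and friends, the wildcard-SAN check, and Host-header brute-force filtered against the default vhost) as one script. This is an added example, not code from the communitytools skill; it assumes the openssl CLI is installed for the certificate dump, and the function and header names (`probe`, `find_vhosts`, `LEAK_HEADERS`) are this example's own. The baseline request uses a random subdomain so the "default page" size is measured rather than guessed, which is the same filter ffuf applies with `-fs <default_size>`.

```python
"""Virtual-host discovery helpers for the recon notes above: hostnames leaked
in response headers, wildcard SAN detection, and Host-header brute-force
filtered by deviation from the default vhost. Added example; not code from
the communitytools skill."""
import http.client
import os
import re
import ssl
import subprocess

# Headers the notes call out as leaking internal hostnames/vhosts.
LEAK_HEADERS = {"x-backend-server", "x-forwarded-host", "x-served-by", "x-upstream"}
HOSTNAME_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
SAN_DNS_RE = re.compile(r"DNS:([^,\s]+)")


def leaked_hostnames(headers):
    """Hostnames found in known leaky headers; headers is an iterable of
    (name, value) pairs, as returned by HTTPResponse.getheaders()."""
    found = []
    for name, value in headers:
        if name.lower() in LEAK_HEADERS:
            for host in HOSTNAME_RE.findall(value):
                if host.lower() not in found:
                    found.append(host.lower())
    return found


def wildcard_sans(cert_text):
    """Wildcard DNS names in the textual certificate dump produced by
    'openssl x509 -text' (e.g. 'DNS:*.domain.tld, DNS:domain.tld')."""
    return [n for n in SAN_DNS_RE.findall(cert_text) if n.startswith("*.")]


def fetch_cert_text(ip, port=443, server_name=None):
    """Dump the server certificate with the openssl CLI (assumed installed);
    no verification, since we connect by IP."""
    cmd = ["openssl", "s_client", "-connect", f"{ip}:{port}"]
    if server_name:
        cmd += ["-servername", server_name]
    pem = subprocess.run(cmd, input=b"", capture_output=True, timeout=15).stdout
    dump = subprocess.run(["openssl", "x509", "-noout", "-text"], input=pem,
                          capture_output=True, timeout=15).stdout
    return dump.decode(errors="replace")


def probe(ip, host, scheme="http", port=None, path="/", timeout=5):
    """One GET to ip with a spoofed Host header; returns (status, body size, headers)."""
    if scheme == "https":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(ip, port or 443, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(ip, port or 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "vhost-probe"})
        resp = conn.getresponse()
        return resp.status, len(resp.read()), resp.getheaders()
    finally:
        conn.close()


def find_vhosts(probe_fn, domain, words, baseline_host=None, size_tolerance=0):
    """Try Host: <word>.<domain> for every word and keep the ones whose status or
    body size differs from the default vhost (the filtering ffuf does with
    -fs <default_size>). probe_fn(host) -> (status, size, headers). The baseline
    is a random, almost certainly nonexistent subdomain unless one is given."""
    baseline_host = baseline_host or f"nx-{os.urandom(4).hex()}.{domain}"
    base_status, base_size, _ = probe_fn(baseline_host)
    hits = []
    for word in words:
        host = f"{word}.{domain}"
        status, size, headers = probe_fn(host)
        if status != base_status or abs(size - base_size) > size_tolerance:
            hits.append({"host": host, "status": status, "size": size,
                         "leaks": leaked_hostnames(headers)})
    return hits


if __name__ == "__main__":
    import sys
    ip, domain = sys.argv[1], sys.argv[2]  # usage: vhosts.py IP domain.tld [wordlist]
    words = (open(sys.argv[3]).read().split() if len(sys.argv) > 3
             else ["admin", "dev", "api", "portal", "dashboard", "staging", "git"])
    wild = wildcard_sans(fetch_cert_text(ip, server_name=domain))
    print("wildcard SAN:", wild or "none")
    scheme = "https" if wild else "http"
    for hit in find_vhosts(lambda h: probe(ip, h, scheme), domain, words):
        print(f"{hit['host']}: {hit['status']} {hit['size']} bytes, leaks={hit['leaks']}")
```

Every hit also carries any hostnames leaked in its own response headers, so a valid vhost that names a further internal host (the X-Backend-Server case above) feeds the next round of /etc/hosts entries directly. Raise size_tolerance a little when the default page embeds a nonce or timestamp, otherwise every request will differ by a few bytes.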
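Triage of the focused AD scan as code. `nmap -oA recon/ad-focused` writes recon/ad-focused.xml alongside the .nmap and .gnmap files; this added example (not code from the communitytools skill) parses that XML, lists which of the 14 AD ports are open, applies the 5985-filtered/5986-open rule from the rationale above, and says whether a -p- sweep is warranted. The embedded report is constructed for illustration, not real scan output, and the rule names and output keys are this example's own.

```python
"""Triage of the focused AD port scan: parse the nmap XML report
(recon/ad-focused.xml from -oA recon/ad-focused) and decide what to work
next, including the 5985-filtered/5986-open client-cert case. Added example;
not code from the communitytools skill."""
import xml.etree.ElementTree as ET

# The 14 AD-relevant ports from the focused nmap command and their roles.
AD_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC", 139: "NetBIOS session", 445: "SMB",
            389: "LDAP", 636: "LDAPS", 464: "kpasswd", 593: "RPC over HTTP",
            3268: "GC", 3269: "GC-LDAPS", 5985: "WinRM HTTP", 5986: "WinRM HTTPS",
            9389: "AD Web Services"}


def parse_port_states(xml_text):
    """{port: state} for every TCP <port> element. Ports nmap folds into
    <extraports> (usually 'closed' or 'filtered' in bulk) are not listed."""
    states = {}
    for port in ET.fromstring(xml_text).iter("port"):
        if port.get("protocol") == "tcp":
            states[int(port.get("portid"))] = port.find("state").get("state")
    return states


def triage(states):
    """Apply the rules from the notes: which AD services are up, whether
    WinRM over HTTPS is the likely foothold, and whether -p- is warranted."""
    open_ports = sorted(p for p, s in states.items() if s == "open" and p in AD_PORTS)
    notes = []
    if 88 in open_ports and (389 in open_ports or 636 in open_ports):
        notes.append("Kerberos + LDAP open: domain controller archetype")
    if states.get(5985) != "open" and states.get(5986) == "open":
        notes.append("5985 not open but 5986 open: try WinRM with client-cert auth")
    elif 5985 in open_ports:
        notes.append("5985 open: WinRM over HTTP")
    if 445 in open_ports:
        notes.append("445 open: enumerate SMB shares and users")
    next_step = ("fall back to -p- full TCP sweep" if not open_ports
                 else "work the focused services before any -p- sweep")
    return {"open": open_ports, "services": [AD_PORTS[p] for p in open_ports],
            "notes": notes, "next": next_step}


# Constructed sample report (not real scan output), shaped like nmap -oX output.
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.10.10.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>
<port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec"/></port>
<port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="5985"><state state="filtered"/><service name="wsman"/></port>
<port protocol="tcp" portid="5986"><state state="open"/><service name="wsmans"/></port>
</ports></host></nmaprun>
"""

if __name__ == "__main__":
    import sys  # usage: ad_triage.py [recon/ad-focused.xml]
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    result = triage(parse_port_states(xml_text))
    print("open:", result["open"], result["services"])
    for note in result["notes"]:
        print("-", note)
    print("next:", result["next"])
```

Ports that nmap reports in bulk under <extraports> never appear as <port> elements, so a port missing from the parsed dict is simply not open; the triage treats it that way rather than guessing its state.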