Conducts external reconnaissance using Open Source Intelligence (OSINT) techniques to map an organization's external attack surface without directly interacting with target systems. The tester gathers information from public sources including DNS records, certificate transparency logs, search engines, social media, code repositories, and data breach databases to build a comprehensive target profile. Activates for requests involving OSINT reconnaissance, external footprinting, attack surface mapping, or passive information gathering.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionconducting-external-reconnaissance-with-osintExecute the skills CLI command in your project's root directory to begin installation:
Fetches conducting-external-reconnaissance-with-osint from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate conducting-external-reconnaissance-with-osint. Access via /conducting-external-reconnaissance-with-osint in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | conducting-external-reconnaissance-with-osint |
| description | 'Conducts external reconnaissance using Open Source Intelligence (OSINT) techniques to map an organization''s external attack surface without directly interacting with target systems. The tester gathers information from public sources including DNS records, certificate transparency logs, search engines, social media, code repositories, and data breach databases to build a comprehensive target profile. Activates for requests involving OSINT reconnaissance, external footprinting, attack surface mapping, or passive information gathering. ' |
| domain | cybersecurity |
| subdomain | penetration-testing |
| tags | - OSINT - reconnaissance - attack-surface - footprinting - passive-recon |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - ID.RA-01 - ID.RA-06 - GV.OV-02 - DE.AE-07 |
Do not use for stalking, harassment, or unauthorized surveillance of individuals. OSINT gathering must be conducted within the scope of an authorized engagement and comply with applicable privacy laws (GDPR, CCPA).
Enumerate all domains, subdomains, and DNS records associated with the target:
whoxy.com or domaintools.comamass enum -passive -d target.com -o amass_subs.txt for passive subdomain discovery from 40+ data sourcessubfinder -d target.com -all -o subfinder_subs.txt for fast passive enumerationcrt.sh certificate transparency log queries: curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -udig target.com ANY, check for SPF, DKIM, DMARC records that reveal email infrastructure, and enumerate MX records to identify email providersdig axfr @ns1.target.com target.com to check for misconfigured DNS serversIdentify internet-facing infrastructure without directly scanning target systems:
shodan search "ssl.cert.subject.cn:target.com" to find all internet-facing services with TLS certificates for the target domain. Also search by organization name and IP ranges.target-com, target-backup, target-dev), Azure Blob storage (target.blob.core.windows.net), and GCP storage using tools like cloud_enumwafw00f target.com to identify web application firewalls and CDN providers that may mask the origin server IPweb.archive.org) to find removed pages, old application versions, and forgotten endpointsGather employee information and email addresses for social engineering preparation:
theHarvester -d target.com -b all -f harvest_results.html to collect emails from search engines, LinkedIn, and data sourceshunter.io to determine the email format (first.last, flast, firstl) and verify deliverabilitySearch for exposed credentials and sensitive data:
haveibeenpwned.com API for breached email addresses associated with the target domainorg:target "password", org:target "api_key", org:target "secret"trufflehog or gitleaks for automated secret scanning across the target's public repositoriesexiftool to reveal internal usernames, software versions, printer names, and file pathssite:target.com filetype:pdf for public documentssite:target.com inurl:admin for admin panelssite:target.com "index of /" for directory listingssite:pastebin.com "target.com" for paste site mentionsIdentify the technologies, frameworks, and services used by the target:
whatweb target.com or Wappalyzer browser extension to identify CMS, frameworks, JavaScript libraries, analytics, and server softwaresslyze target.com or testssl.sh target.com to identify cipher suites, protocol versions, certificate details, and cryptographic weaknessesv=spf1 include:_spf.google.com indicates Google Workspace, MS=msXXXXXX indicates Microsoft 365)apktool (Android) or frida for hardcoded URLs, API endpoints, and embedded credentials| Term | Definition |
|---|---|
| OSINT | Open Source Intelligence; intelligence collected from publicly available sources including websites, social media, public records, and government data |
| Passive Reconnaissance | Information gathering without directly interacting with target systems, leaving no footprint in target logs |
| Active Reconnaissance | Information gathering that involves direct interaction with target systems (scanning, probing) and may be logged |
| Certificate Transparency | Public logs of TLS certificates issued by certificate authorities, queryable to discover subdomains and infrastructure |
| Attack Surface | The sum of all points where an unauthorized user can attempt to enter or extract data from an environment |
| Google Dorking | Using advanced Google search operators to find sensitive information indexed by search engines that was not intended to be public |
| Shadow IT | Technology systems and services deployed by employees or departments without the knowledge or approval of the IT department |
Context: A technology company has contracted a red team assessment. Before active testing begins, the team conducts passive OSINT to map the attack surface and identify potential entry points. The target is a SaaS company with 500 employees and a primary domain of techcorp.io.
Approach:
.env file with AWS access keysPitfalls:
## External Reconnaissance Report - TechCorp.io
### Attack Surface Summary
- **Domains discovered**: 3 (techcorp.io, techcorp.com, techcorpapp.com)
- **Subdomains enumerated**: 147 unique subdomains across all domains
- **Unique IP addresses**: 34 IPs mapped across AWS us-east-1 and us-west-2
- **Email addresses collected**: 89 valid corporate email addresses
- **Exposed services**: 12 internet-facing services identified via Shodan/Censys
### Critical Findings
**1. Unauthenticated Elasticsearch Instance**
- Host: 52.xx.xx.xx:9200 (elastic.techcorp.io)
- Indexed data: Application logs containing user session tokens and PII
- Source: Shodan search "ssl.cert.subject.cn:techcorp.io"
**2. AWS Credentials in Public GitHub Repository**
- Repository: github.com/former-dev/techcorp-scripts
- File: .env containing AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
- Status: Keys appear active (not tested - out of scope for passive recon)
**3. Directory Listing Exposing Internal Documents**
- URL: https://docs.techcorp.io/internal/
- Contents: Architecture diagrams, network topology, runbooks
- Source: Google dork "site:techcorp.io intitle:index.of"
### Recommendations
1. Immediately rotate the exposed AWS credentials and audit CloudTrail logs
2. Restrict Elasticsearch access to internal networks or add authentication
3. Disable directory listings on docs.techcorp.io and audit all web servers
4. Implement GitHub secret scanning across all organization repositories
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Useful defaults in conducting-external-reconnaissance-with-osint — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
conducting-external-reconnaissance-with-osint has been reliable in day-to-day use. Documentation quality is above average for community skills.
We added conducting-external-reconnaissance-with-osint from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Useful defaults in conducting-external-reconnaissance-with-osint — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
We added conducting-external-reconnaissance-with-osint from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Registry listing for conducting-external-reconnaissance-with-osint matched our evaluation — installs cleanly and behaves as described in the markdown.
conducting-external-reconnaissance-with-osint reduced setup friction for our internal harness; good balance of opinion and flexibility.
Keeps context tight: conducting-external-reconnaissance-with-osint is the kind of skill you can hand to a new teammate without a long onboarding doc.
I recommend conducting-external-reconnaissance-with-osint for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Keeps context tight: conducting-external-reconnaissance-with-osint is the kind of skill you can hand to a new teammate without a long onboarding doc.
showing 1-10 of 29