---
name: pentest-recon
description: Reconnaissance and enumeration advisory for Nmap/Nessus/Nikto/BloodHound output parsing, attack surface prioritization and next-step recommendations. Includes OSINT (domain recon, email harvest, breach data). Triggers on recon, reconnaissance, enumeration, Nmap output, attack surface, target prioritization, subdomain enum, port scan analysis, OSINT, domain recon.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Bash Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents recon-advisor + osint-collector
---

# pentest-recon

Recon output analysis + attack surface prioritization + next-step recommendation. **Advisory mode**: the user pastes tool output and the skill analyzes it. Composing active commands requires an explicitly declared scope.

## Triggers

- "nmap output" / "review these scan results"
- "Nessus report"
- "I ran a subdomain enum"
- "where is the attack surface"
- "which target should be prioritized"
- "BloodHound graph analysis"
- "let's do OSINT"

## Input Types

| Input | Skill Behavior |
|-------|----------------|
| Nmap XML/text output | Parse ports + services + versions + script output, suggest CVE lookups |
| Nessus / OpenVAS report | Prioritize by severity + CVSS, list critical findings |
| Nikto output | Filter web vulnerabilities, drop false positives |
| BloodHound JSON | Find paths to high-value targets, prioritize attack paths |
| Masscan/Naabu output | Open port list -> service enumeration suggestions |
| WHOIS / certificate transparency | Subdomain expansion, discovery of additional domains |

## Output Template

```markdown
## Recon Analysis - <target>

### Findings
- 3 open ports: 22/SSH, 80/HTTP, 443/HTTPS
- HTTP: nginx 1.18.0 (CVE-2021-23017)
- HTTPS: self-signed cert, expired 2024-03-15
- SSH: OpenSSH 7.6p1 (CVE-2018-15473)

### Prioritization
1. [HIGH] CVE-2021-23017 - nginx DNS resolver - exploitable, public PoC available
2. [MEDIUM] OpenSSH user enum (CVE-2018-15473) - username discovery
3. [LOW] Expired cert - configuration issue, no exploitation value

### Next Step (recommended)
- Active: `nikto -h <target>` (MODERATE OPSEC)
- Passive: additional subdomains via SecurityTrails / Censys (QUIET)
- Targeted: exploit-db search for the specific nginx version

### Skipped Areas
- No UDP scan performed (53, 161 are standard practice)
- Vhost discovery skipped
```

## Active Command Composition (Scope Required)

If the user confirms scope, the skill may suggest commands such as the following:

```bash
# QUIET - passive subdomain enum
subfinder -d example.com -silent

# MODERATE - TCP service scan, rate-limited
nmap -sT -sV --top-ports 1000 --max-rate 100 -oA scan_example_$(date +%Y%m%d_%H%M%S) <target>

# MODERATE - HTTP fingerprint
httpx -l hosts.txt -title -tech-detect -status-code -o httpx-results.txt

# QUIET - certificate transparency via crt.sh
curl -s 'https://crt.sh/?q=%25.example.com&output=json'
```

Each command is **explained first**, then run via the `Bash` tool (with user approval). An evidence file is written for each run.

## OSINT (passive collection)

| Source | Data | OPSEC |
|--------|------|-------|
| crt.sh | Subdomains (cert transparency) | QUIET |
| Shodan API | Open ports + banners | QUIET (authorized API) |
| Censys | TLS certs + ports | QUIET |
| haveibeenpwned API | Email breach hits | QUIET |
| theHarvester | Emails + employees | QUIET-MODERATE |
| LinkedIn (manual) | Employee roles + departments | QUIET |
| GitHub search | Code leaks, secret exposure | QUIET |
| Wayback Machine | Old endpoints, deprecated paths | QUIET |

## Prioritization Logic

| Factor | Weight |
|--------|--------|
| Public exploit available (Exploit-DB, PoC repo) | x3 |
| CVSS >= 9.0 | x3 |
| Unauthenticated remote | x2 |
| Internet-facing | x2 |
| Likely default credentials | x2 |
| Known RCE service (Tomcat manager, Jenkins, Confluence) | x3 |

Sort by score -> focus on the top 5 targets.
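As an added worked example (not part of the skill itself), the weighting table above implemented in Python; it assumes each applicable factor compounds multiplicatively and that a CVSS score is supplied per finding so the `CVSS >= 9.0` factor is derived rather than tagged by hand:

```python
from dataclasses import dataclass, field

# Assumption: every factor that applies multiplies a base score of 1,
# reading the table's "x3"/"x2" as compounding multipliers.
WEIGHTS = {
    "public_exploit": 3,      # Exploit-DB entry or public PoC
    "cvss_critical": 3,       # CVSS >= 9.0, derived from the cvss field
    "unauth_remote": 2,
    "internet_facing": 2,
    "default_creds": 2,
    "known_rce_service": 3,   # Tomcat manager, Jenkins, Confluence
}

@dataclass
class Finding:
    host: str
    port: int
    service: str
    cvss: float = 0.0
    factors: set = field(default_factory=set)

def score(finding: Finding) -> int:
    """Multiply the weights of all factors that apply to one finding."""
    applicable = set(finding.factors)
    if finding.cvss >= 9.0:
        applicable.add("cvss_critical")
    total = 1
    for name in applicable:
        total *= WEIGHTS[name]
    return total

def prioritize(findings, top_n=5):
    """Rank findings by score (ties broken by host, then port) and keep the top N."""
    ranked = sorted(findings, key=lambda f: (-score(f), f.host, f.port))
    return [(f"{f.host}:{f.port}/{f.service}", score(f)) for f in ranked[:top_n]]

# Constructed sample findings; hosts, services and CVSS values are illustrative.
SAMPLE = [
    Finding("10.0.0.5", 80, "nginx 1.18.0", 9.8, {"public_exploit", "unauth_remote", "internet_facing"}),
    Finding("10.0.0.5", 22, "OpenSSH 7.6p1", 5.3, {"public_exploit", "unauth_remote", "internet_facing"}),
    Finding("10.0.0.5", 443, "expired self-signed cert", 0.0, {"internet_facing"}),
    Finding("10.0.0.9", 8080, "Tomcat manager", 7.5, {"known_rce_service", "default_creds", "internet_facing"}),
    Finding("10.0.1.20", 8080, "Jenkins", 0.0, {"known_rce_service", "unauth_remote"}),
    Finding("10.0.1.31", 445, "SMB", 0.0, set()),
]

if __name__ == "__main__":
    for rank, (target, value) in enumerate(prioritize(SAMPLE), 1):
        print(f"{rank}. {target} (score {value})")
```

The sixth finding (SMB with no applicable factor) scores 1 and drops out of the top 5, which is the cutoff the skill applies.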

## Out-of-Scope

- Running live exploits (see domain-specific skills such as pentest-web and pentest-ad)
- Authoritative DNS zone transfers against external targets (DoS risk)
- Mass scanning of the public internet
