New persona variants:
- forge/frontend-design — DESIGN.md methodology, 58-brand reference, UI/UX intelligence
- oracle/source-verification — 5-section forensic verification protocol (ethos/pathos/context/intent/logos)
- sentinel/c2-hunting — 6-phase C2 hunting with beaconing detection, detection engineering

Enhanced existing personas:
- neo: Added Active Directory exploitation (Kerberoasting, DCSync, delegation), network pivoting, cloud attacks
- frodo: Added response mode auto-detection, claim extraction, Devil's Advocate, explicit uncertainty tracking
- ghost: Added cognitive warfare expertise (behavioral science weaponization, algorithmic amplification)

Build system enhancements:
- Cross-persona escalation graph auto-extracted → generated/_index/escalation_graph.json
- Trigger→persona routing index → generated/_index/trigger_index.json
- Quality validation with warnings for thin/missing sections
- Section word counts injected into every output
- Richer CATALOG.md with depth stats, escalation paths, trigger index

Platform auto-install:
- python3 build.py --install claude — 111 slash commands → ~/.claude/commands/
- python3 build.py --install antigravity — personas → ~/.config/antigravity/personas/
- python3 build.py --install gemini — Gems → generated/_gems/
- python3 build.py --install openclaw — IDENTITY.md + personas → generated/_openclaw/
- python3 build.py --install all — deploy to all platforms

Shared reference library:
- personas/_shared/kali-tools/ — 16 Kali Linux tool reference docs
- personas/_shared/osint-sources/ — OSINT master reference
- personas/_shared/ad-attack-tools/ — AD attack chain reference

Stats: 29 personas, 111 variants, 59,712 words

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
8.9 KiB
OSINT & Reconnaissance Tools
theHarvester
Read proxies.yaml from /etc/theHarvester/proxies.yaml
theHarvester 4.10.1
Coded by Christian Martorella
Edge-Security Research
cmartorella@edge-security.com
usage: theHarvester [-h] -d DOMAIN [-l LIMIT] [-S START] [-p] [-s]
[--screenshot SCREENSHOT] [-e DNS_SERVER] [-t]
[-r [DNS_RESOLVE]] [-n] [-c] [-f FILENAME] [-w WORDLIST]
[-a] [-q] [-b SOURCE]
theHarvester is used to gather open source intelligence (OSINT) on a company
or domain.
options:
-h, --help show this help message and exit
-d, --domain DOMAIN Company name or domain to search.
-l, --limit LIMIT Limit the number of search results, default=500.
-S, --start START Start with result number X, default=0.
-p, --proxies Use proxies for requests, enter proxies in
proxies.yaml.
-s, --shodan Use Shodan to query discovered hosts.
--screenshot SCREENSHOT
Take screenshots of resolved domains specify output
directory: --screenshot output_directory
-e, --dns-server DNS_SERVER
DNS server to use for lookup.
-t, --take-over Check for takeovers.
-r, --dns-resolve [DNS_RESOLVE]
Perform DNS resolution on subdomains with a resolver
list or passed in resolvers, default False.
-n, --dns-lookup Enable DNS server lookup, default False.
-c, --dns-brute Perform a DNS brute force on the domain.
-f, --filename FILENAME
Save the results to an XML and JSON file.
-w, --wordlist WORDLIST
Specify a wordlist for API endpoint scanning.
-a, --api-scan Scan for API endpoints.
-q, --quiet Suppress missing API key warnings and reading the api-
keys file.
-b, --source SOURCE baidu, bevigil, bitbucket, brave, bufferoverun,
builtwith, censys, certspotter, chaos, commoncrawl,
criminalip, crtsh, dehashed, dnsdumpster, duckduckgo,
fofa, fullhunt, github-code, gitlab, hackertarget,
haveibeenpwned, hudsonrock, hunter, hunterhow, intelx,
leakix, leaklookup, netlas, onyphe, otx, pentesttools,
projectdiscovery, rapiddns, robtex, rocketreach,
securityscorecard, securityTrails, shodan,
subdomaincenter, subdomainfinderc99, thc, threatcrowd,
tomba, urlscan, venacus, virustotal, waybackarchive,
whoisxml, windvane, yahoo, zoomeye
amass
Checking for new libpostal data file...
New libpostal data file available
address_expansions/
address_expansions/address_dictionary.dat
numex/
numex/numex.dat
transliteration/
transliteration/transliteration.dat
Checking for new libpostal parser data file...
New libpostal parser data file available
Downloading multipart: https://github.com/openvenues/libpostal/releases/download/v1.0.0/parser.tar.gz, num_chunks=12
address_parser/
address_parser/address_parser_crf.dat
address_parser/address_parser_phrases.dat
address_parser/address_parser_postal_codes.dat
address_parser/address_parser_vocab.trie
Checking for new libpostal language classifier data file...
New libpostal language classifier data file available
language_classifier/
language_classifier/language_classifier.dat
whois
Usage: whois [OPTION]... OBJECT...
-h HOST, --host HOST connect to server HOST
-p PORT, --port PORT connect to PORT
-I query whois.iana.org and follow its referral
-H hide legal disclaimers
--verbose explain what is being done
--no-recursion disable recursion from registry to registrar servers
--help display this help and exit
--version output version information and exit
These flags are supported by whois.ripe.net and some RIPE-like servers:
-l find the one level less specific match
-L find all levels less specific matches
-m find all one level more specific matches
-M find all levels of more specific matches
-c find the smallest match containing a mnt-irt attribute
-x exact match
-b return brief IP address ranges with abuse contact
-B turn off object filtering (show email addresses)
-G turn off grouping of associated objects
-d return DNS reverse delegation objects too
-i ATTR[,ATTR]... do an inverse look-up for specified ATTRibutes
-T TYPE[,TYPE]... only look for objects of TYPE
-K only primary keys are returned
-r turn off recursive look-ups for contact information
-R force to show local copy of the domain object even
if it contains referral
-a also search all the mirrored databases
-s SOURCE[,SOURCE]... search the database mirrored from SOURCE
-g SOURCE:FIRST-LAST find updates from SOURCE from serial FIRST to LAST
-t TYPE request template for object of TYPE
-v TYPE request verbose template for object of TYPE
-q [version|sources|types] query specified server info
exiftool
Syntax: exiftool [OPTIONS] FILE
Consult the exiftool documentation for a full list of options.
fierce
usage: fierce [-h] [--domain DOMAIN] [--connect] [--wide]
[--traverse TRAVERSE] [--search SEARCH [SEARCH ...]]
[--range RANGE] [--delay DELAY]
[--subdomains SUBDOMAINS [SUBDOMAINS ...] |
--subdomain-file SUBDOMAIN_FILE]
[--dns-servers DNS_SERVERS [DNS_SERVERS ...] |
--dns-file DNS_FILE] [--tcp]
A DNS reconnaissance tool for locating non-contiguous IP space.
options:
-h, --help show this help message and exit
--domain DOMAIN domain name to test
--connect attempt HTTP connection to non-RFC 1918 hosts
--wide scan entire class c of discovered records
--traverse TRAVERSE scan NUMBER IPs before and after discovered records. This respects Class C boundaries and won't enter adjacent subnets.
--search SEARCH [SEARCH ...]
filter on these domains when expanding lookup
--range RANGE scan an internal IP range, use cidr notation
--delay DELAY time to wait between lookups
--subdomains SUBDOMAINS [SUBDOMAINS ...]
use these subdomains
--subdomain-file SUBDOMAIN_FILE
use subdomains specified in this file (one per line)
--dns-servers DNS_SERVERS [DNS_SERVERS ...]
use these dns servers for reverse lookups
--dns-file DNS_FILE use dns servers specified in this file for reverse lookups (one per line)
--tcp use TCP instead of UDP