How do I install Red Team Tools and Methodology?

Install Red Team Tools and Methodology with a single command: npx mdskills install sickn33/red-team-tools. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Red Team Tools and Methodology?

Red Team Tools and Methodology works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Red Team Tools and Methodology

Name: Red Team Tools and Methodology: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

SecurityIntermediate

This skill should be used when the user asks to "follow red team methodology", "perform bug bounty hunting", "automate reconnaissance", "hunt for XSS vulnerabilities", "enumerate subdomains", or needs security researcher techniques and tool configurations from top bug bounty hunters.

by @sickn331 installs0Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/red-team-tools

Fork & Edit

Skill Advisor8.0

Comprehensive security testing workflows with proven tools and methodologies for bug bounty research

+Provides detailed command-line workflows for subdomain enumeration and vulnerability scanning
+Includes practical tool chains and automation scripts from established security research practices
+Covers extensive reconnaissance methodology with troubleshooting guidance
-Lacks explicit scope validation checks or warnings before executing potentially harmful commands

SKILL.md

Edit in Browser

1---
2name: Red Team Tools and Methodology
3description: This skill should be used when the user asks to "follow red team methodology", "perform bug bounty hunting", "automate reconnaissance", "hunt for XSS vulnerabilities", "enumerate subdomains", or needs security researcher techniques and tool configurations from top bug bounty hunters.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# Red Team Tools and Methodology
10 
11## Purpose
12 
13Implement proven methodologies and tool workflows from top security researchers for effective reconnaissance, vulnerability discovery, and bug bounty hunting. Automate common tasks while maintaining thorough coverage of attack surfaces.
14 
15## Inputs/Prerequisites
16 
17- Target scope definition (domains, IP ranges, applications)
18- Linux-based attack machine (Kali, Ubuntu)
19- Bug bounty program rules and scope
20- Tool dependencies installed (Go, Python, Ruby)
21- API keys for various services (Shodan, Censys, etc.)
22 
23## Outputs/Deliverables
24 
25- Comprehensive subdomain enumeration
26- Live host discovery and technology fingerprinting
27- Identified vulnerabilities and attack vectors
28- Automated recon pipeline outputs
29- Documented findings for reporting
30 
31## Core Workflow
32 
33### 1. Project Tracking and Acquisitions
34 
35Set up reconnaissance tracking:
36 
37```bash
38# Create project structure
39mkdir -p target/{recon,vulns,reports}
40cd target
41 
42# Find acquisitions using Crunchbase
43# Search manually for subsidiary companies
44 
45# Get ASN for targets
46amass intel -org "Target Company" -src
47 
48# Alternative ASN lookup
49curl -s "https://bgp.he.net/search?search=targetcompany&commit=Search"
50```
51 
52### 2. Subdomain Enumeration
53 
54Comprehensive subdomain discovery:
55 
56```bash
57# Create wildcards file
58echo "target.com" > wildcards
59 
60# Run Amass passively
61amass enum -passive -d target.com -src -o amass_passive.txt
62 
63# Run Amass actively
64amass enum -active -d target.com -src -o amass_active.txt
65 
66# Use Subfinder
67subfinder -d target.com -silent -o subfinder.txt
68 
69# Asset discovery
70cat wildcards | assetfinder --subs-only | anew domains.txt
71 
72# Alternative subdomain tools
73findomain -t target.com -o
74 
75# Generate permutations with dnsgen
76cat domains.txt | dnsgen - | httprobe > permuted.txt
77 
78# Combine all sources
79cat amass_*.txt subfinder.txt | sort -u > all_subs.txt
80```
81 
82### 3. Live Host Discovery
83 
84Identify responding hosts:
85 
86```bash
87# Check which hosts are live with httprobe
88cat domains.txt | httprobe -c 80 --prefer-https | anew hosts.txt
89 
90# Use httpx for more details
91cat domains.txt | httpx -title -tech-detect -status-code -o live_hosts.txt
92 
93# Alternative with massdns
94massdns -r resolvers.txt -t A -o S domains.txt > resolved.txt
95```
96 
97### 4. Technology Fingerprinting
98 
99Identify technologies for targeted attacks:
100 
101```bash
102# Whatweb scanning
103whatweb -i hosts.txt -a 3 -v > tech_stack.txt
104 
105# Nuclei technology detection
106nuclei -l hosts.txt -t technologies/ -o tech_nuclei.txt
107 
108# Wappalyzer (if available)
109# Browser extension for manual review
110```
111 
112### 5. Content Discovery
113 
114Find hidden endpoints and files:
115 
116```bash
117# Directory bruteforce with ffuf
118ffuf -ac -v -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
119 
120# Historical URLs from Wayback
121waybackurls target.com | tee wayback.txt
122 
123# Find all URLs with gau
124gau target.com | tee all_urls.txt
125 
126# Parameter discovery
127cat all_urls.txt | grep "=" | sort -u > params.txt
128 
129# Generate custom wordlist from historical data
130cat all_urls.txt | unfurl paths | sort -u > custom_wordlist.txt
131```
132 
133### 6. Application Analysis (Jason Haddix Method)
134 
135**Heat Map Priority Areas:**
136 
1371. **File Uploads** - Test for injection, XXE, SSRF, shell upload
1382. **Content Types** - Filter Burp for multipart forms
1393. **APIs** - Look for hidden methods, lack of auth
1404. **Profile Sections** - Stored XSS, custom fields
1415. **Integrations** - SSRF through third parties
1426. **Error Pages** - Exotic injection points
143 
144**Analysis Questions:**
145- How does the app pass data? (Params, API, Hybrid)
146- Where does the app talk about users? (UID, UUID endpoints)
147- Does the site have multi-tenancy or user levels?
148- Does it have a unique threat model?
149- How does the site handle XSS/CSRF?
150- Has the site had past writeups/exploits?
151 
152### 7. Automated XSS Hunting
153 
154```bash
155# ParamSpider for parameter extraction
156python3 paramspider.py --domain target.com -o params.txt
157 
158# Filter with Gxss
159cat params.txt | Gxss -p test
160 
161# Dalfox for XSS testing
162cat params.txt | dalfox pipe --mining-dict params.txt -o xss_results.txt
163 
164# Alternative workflow
165waybackurls target.com | grep "=" | qsreplace '"><script>alert(1)</script>' | while read url; do
166    curl -s "$url" | grep -q 'alert(1)' && echo "$url"
167done > potential_xss.txt
168```
169 
170### 8. Vulnerability Scanning
171 
172```bash
173# Nuclei comprehensive scan
174nuclei -l hosts.txt -t ~/nuclei-templates/ -o nuclei_results.txt
175 
176# Check for common CVEs
177nuclei -l hosts.txt -t cves/ -o cve_results.txt
178 
179# Web vulnerabilities
180nuclei -l hosts.txt -t vulnerabilities/ -o vuln_results.txt
181```
182 
183### 9. API Enumeration
184 
185**Wordlists for API fuzzing:**
186 
187```bash
188# Enumerate API endpoints
189ffuf -u https://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt
190 
191# Test API versions
192ffuf -u https://target.com/api/v1/FUZZ -w api_wordlist.txt
193ffuf -u https://target.com/api/v2/FUZZ -w api_wordlist.txt
194 
195# Check for hidden methods
196for method in GET POST PUT DELETE PATCH; do
197    curl -X $method https://target.com/api/users -v
198done
199```
200 
201### 10. Automated Recon Script
202 
203```bash
204#!/bin/bash
205domain=$1
206 
207if [[ -z $domain ]]; then
208    echo "Usage: ./recon.sh <domain>"
209    exit 1
210fi
211 
212mkdir -p "$domain"
213 
214# Subdomain enumeration
215echo "[*] Enumerating subdomains..."
216subfinder -d "$domain" -silent > "$domain/subs.txt"
217 
218# Live host discovery
219echo "[*] Finding live hosts..."
220cat "$domain/subs.txt" | httpx -title -tech-detect -status-code > "$domain/live.txt"
221 
222# URL collection
223echo "[*] Collecting URLs..."
224cat "$domain/live.txt" | waybackurls > "$domain/urls.txt"
225 
226# Nuclei scanning
227echo "[*] Running Nuclei..."
228nuclei -l "$domain/live.txt" -o "$domain/nuclei.txt"
229 
230echo "[+] Recon complete!"
231```
232 
233## Quick Reference
234 
235### Essential Tools
236 
237| Tool | Purpose |
238|------|---------|
239| Amass | Subdomain enumeration |
240| Subfinder | Fast subdomain discovery |
241| httpx/httprobe | Live host detection |
242| ffuf | Content discovery |
243| Nuclei | Vulnerability scanning |
244| Burp Suite | Manual testing |
245| Dalfox | XSS automation |
246| waybackurls | Historical URL mining |
247 
248### Key API Endpoints to Check
249 
250```
251/api/v1/users
252/api/v1/admin
253/api/v1/profile
254/api/users/me
255/api/config
256/api/debug
257/api/swagger
258/api/graphql
259```
260 
261### XSS Filter Testing
262 
263```html
264<!-- Test encoding handling -->
265<h1><img><table>
266<script>
267%3Cscript%3E
268%253Cscript%253E
269%26lt;script%26gt;
270```
271 
272## Constraints
273 
274- Respect program scope boundaries
275- Avoid DoS or fuzzing on production without permission
276- Rate limit requests to avoid blocking
277- Some tools may generate false positives
278- API keys required for full functionality of some tools
279 
280## Examples
281 
282### Example 1: Quick Subdomain Recon
283 
284```bash
285subfinder -d target.com | httpx -title | tee results.txt
286```
287 
288### Example 2: XSS Hunting Pipeline
289 
290```bash
291waybackurls target.com | grep "=" | qsreplace "test" | httpx -silent | dalfox pipe
292```
293 
294### Example 3: Comprehensive Scan
295 
296```bash
297# Full recon chain
298amass enum -d target.com | httpx | nuclei -t ~/nuclei-templates/
299```
300 
301## Troubleshooting
302 
303| Issue | Solution |
304|-------|----------|
305| Rate limited | Use proxy rotation, reduce concurrency |
306| Too many results | Focus on specific technology stacks |
307| False positives | Manually verify findings before reporting |
308| Missing subdomains | Combine multiple enumeration sources |
309| API key errors | Verify keys in config files |
310| Tools not found | Install Go tools with `go install` |
311

Full transparency — inspect the skill content before installing.