# Red Team Tools and Methodology
## Purpose

Implement proven methodologies and tool workflows from top security researchers for effective reconnaissance, vulnerability discovery, and bug bounty hunting. Automate common tasks while maintaining thorough coverage of attack surfaces.
## Inputs/Prerequisites

- Target scope definition (domains, IP ranges, applications)
- Linux-based attack machine (Kali, Ubuntu)
- Bug bounty program rules and scope
- Tool dependencies installed (Go, Python, Ruby)
- API keys for various services (Shodan, Censys, etc.)
## Outputs/Deliverables

- Comprehensive subdomain enumeration
- Live host discovery and technology fingerprinting
- Identified vulnerabilities and attack vectors
- Automated recon pipeline outputs
- Documented findings for reporting
## Core Workflow

### 1. Project Tracking and Acquisitions

Set up reconnaissance tracking:

```bash
# Create project structure
mkdir -p target/{recon,vulns,reports}
cd target

# Find acquisitions using Crunchbase
# Search manually for subsidiary companies

# Get ASN for targets
amass intel -org "Target Company" -src

# Alternative ASN lookup
```
### 2. Subdomain Enumeration

Comprehensive subdomain discovery:

```bash
# Create wildcards file
echo "target.com" > wildcards

# Run Amass passively
amass enum -passive -d target.com -src -o amass_passive.txt

# Run Amass actively
amass enum -active -d target.com -src -o amass_active.txt

# Use Subfinder
subfinder -d target.com -silent -o subfinder.txt

# Asset discovery
cat wildcards | assetfinder --subs-only | anew domains.txt

# Alternative subdomain tools
findomain -t target.com -o

# Generate permutations with dnsgen
cat domains.txt | dnsgen - | httprobe > permuted.txt

# Combine all sources
cat amass_*.txt subfinder.txt | sort -u > all_subs.txt
```
### 3. Live Host Discovery

Identify responding hosts:

```bash
# Check which hosts are live with httprobe
cat domains.txt | httprobe -c 80 --prefer-https | anew hosts.txt

# Use httpx for more details
cat domains.txt | httpx -title -tech-detect -status-code -o live_hosts.txt

# Alternative with massdns
massdns -r resolvers.txt -t A -o S domains.txt > resolved.txt
```
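The annotated httpx output above is what the later steps and the report are built from, and it is easy to mis-read when hundreds of hosts come back. This added example (not part of the page's workflow) parses those lines into a per-technology inventory for triage; it assumes the line shape `URL [status] [title] [tech,tech]` that `httpx -title -tech-detect -status-code` prints, and the sample lines are constructed.

```python
"""Group httpx live-host output by technology and status for triage."""
import re
from collections import defaultdict

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # httpx colours fields when writing to a TTY
# URL, then [status], optional [title] (may contain ']'), optional [tech,...]
LINE = re.compile(r"^(\S+)\s+\[(\d{3})\](?:\s+\[(.*?)\])?(?:\s+\[([^\[\]]*)\])?\s*$")

def parse_httpx_line(line):
    """Return {'url','status','title','tech'} or None if the line is not httpx output."""
    m = LINE.match(ANSI.sub("", line).strip())
    if not m:
        return None
    url, status, title, tech = m.groups()
    techs = [t.strip() for t in (tech or "").split(",") if t.strip()]
    return {"url": url, "status": int(status), "title": title or "", "tech": techs}

def inventory(lines):
    """Return (hosts per technology, count per status code, unparsed lines)."""
    by_tech, by_status, bad = defaultdict(list), defaultdict(int), []
    for line in lines:
        rec = parse_httpx_line(line)
        if rec is None:
            if line.strip():
                bad.append(line)
            continue
        by_status[rec["status"]] += 1
        for t in rec["tech"] or ["(unknown)"]:
            by_tech[t].append(rec["url"])
    return dict(by_tech), dict(by_status), bad

# Constructed sample of what live_hosts.txt might contain (second line colourised)
SAMPLE = """\
https://app.target.com [200] [Login] [Nginx,React]
\x1b[32mhttps://api.target.com\x1b[0m [401] [] [Kong]
https://old.target.com [200] [Admin] Panel] [Apache HTTP Server:2.4.49,PHP:5.6]
https://cdn.target.com [403] [Forbidden]
garbage line without brackets
"""

if __name__ == "__main__":
    by_tech, by_status, bad = inventory(SAMPLE.splitlines())
    for tech, hosts in sorted(by_tech.items()):
        print(f"{tech}: {', '.join(hosts)}")
    print("status counts:", by_status, "| unparsed:", bad)
```

Feed the real file with `inventory(open("live_hosts.txt").read().splitlines())`; the unparsed list tells you when the httpx flags changed the line shape.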
### 4. Technology Fingerprinting

Identify technologies for targeted attacks:

```bash
# Whatweb scanning
whatweb -i hosts.txt -a 3 -v > tech_stack.txt

# Nuclei technology detection
nuclei -l hosts.txt -t technologies/ -o tech_nuclei.txt

# Wappalyzer (if available)
# Browser extension for manual review
```
### 5. Content Discovery

Find hidden endpoints and files:

```bash
# Directory bruteforce with ffuf
ffuf -ac -v -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

# Historical URLs from Wayback
waybackurls target.com | tee wayback.txt

# Find all URLs with gau
gau target.com | tee all_urls.txt

# Parameter discovery
cat all_urls.txt | grep "=" | sort -u > params.txt

# Generate custom wordlist from historical data
cat all_urls.txt | unfurl paths | sort -u > custom_wordlist.txt
```
### 6. Application Analysis (Jason Haddix Method)

Heat Map Priority Areas:

- File Uploads - Test for injection, XXE, SSRF, shell upload
- Content Types - Filter Burp for multipart forms
- APIs - Look for hidden methods, lack of auth
- Profile Sections - Stored XSS, custom fields
- Integrations - SSRF through third parties
- Error Pages - Exotic injection points

Analysis Questions:

- How does the app pass data? (Params, API, Hybrid)
- Where does the app talk about users? (UID, UUID endpoints)
- Does the site have multi-tenancy or user levels?
- Does it have a unique threat model?
- How does the site handle XSS/CSRF?
- Has the site had past writeups/exploits?
### 7. Automated XSS Hunting

```bash
# ParamSpider for parameter extraction
python3 paramspider.py --domain target.com -o params.txt

# Filter with Gxss
cat params.txt | Gxss -p test

# Dalfox for XSS testing
cat params.txt | dalfox pipe --mining-dict params.txt -o xss_results.txt

# Alternative workflow
# A grep hit only proves the payload string was reflected, not that it executes;
# an entity-encoded reflection matches too, so verify each hit manually
waybackurls target.com | grep "=" | qsreplace '"><script>alert(1)</script>' | while read -r url; do
    curl -s "$url" | grep -q 'alert(1)' && echo "$url"
done > potential_xss.txt
```
### 8. Vulnerability Scanning

```bash
# Nuclei comprehensive scan
nuclei -l hosts.txt -t ~/nuclei-templates/ -o nuclei_results.txt

# Check for common CVEs
nuclei -l hosts.txt -t cves/ -o cve_results.txt

# Web vulnerabilities
nuclei -l hosts.txt -t vulnerabilities/ -o vuln_results.txt
```
### 9. API Enumeration

Wordlists for API fuzzing:

```bash
# Enumerate API endpoints
ffuf -u https://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt

# Test API versions
ffuf -u https://target.com/api/v1/FUZZ -w api_wordlist.txt
ffuf -u https://target.com/api/v2/FUZZ -w api_wordlist.txt

# Check for hidden methods
for method in GET POST PUT DELETE PATCH; do
    curl -X "$method" https://target.com/api/users -v
done
```
### 10. Automated Recon Script

```bash
#!/bin/bash
domain=$1
if [[ -z $domain ]]; then
    echo "Usage: ./recon.sh <domain>"
    exit 1
fi
mkdir -p "$domain"

# Subdomain enumeration
echo "[*] Enumerating subdomains..."
subfinder -d "$domain" -silent > "$domain/subs.txt"

# Live host discovery
echo "[*] Finding live hosts..."
# Annotated output for the report; -no-color keeps the file free of ANSI codes
cat "$domain/subs.txt" | httpx -silent -no-color -title -tech-detect -status-code > "$domain/live_details.txt"
# Plain URL list (first field) for the tools that expect one target per line
awk '{print $1}' "$domain/live_details.txt" > "$domain/live.txt"

# URL collection
echo "[*] Collecting URLs..."
# waybackurls expects bare domains, so it reads the subdomain list, not the httpx lines
cat "$domain/subs.txt" | waybackurls > "$domain/urls.txt"

# Nuclei scanning
echo "[*] Running Nuclei..."
nuclei -l "$domain/live.txt" -o "$domain/nuclei.txt"
echo "[+] Recon complete!"
```
## Quick Reference

### Essential Tools

| Tool | Purpose |
|---|---|
| Amass | Subdomain enumeration |
| Subfinder | Fast subdomain discovery |
| httpx/httprobe | Live host detection |
| ffuf | Content discovery |
| Nuclei | Vulnerability scanning |
| Burp Suite | Manual testing |
| Dalfox | XSS automation |
| waybackurls | Historical URL mining |
### Key API Endpoints to Check

```text
/api/v1/users
/api/v1/admin
/api/v1/profile
/api/users/me
/api/config
/api/debug
/api/swagger
/api/graphql
```

### XSS Filter Testing

```html
<!-- Test encoding handling -->
<h1><img><table>
<script>
%3Cscript%3E
%253Cscript%253E
%26lt;script%26gt;
```
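The encoded variants in the list above exist because a filter that inspects the raw request misses a value that only becomes `<script>` after the application URL-decodes it (once or twice) or HTML-entity-decodes it. This added example (not from the page) shows the gap between a naive check and one that canonicalizes first, and what the output side should do regardless; the probe list is constructed to mirror the test strings above.

```python
"""Naive vs canonicalizing XSS filter, illustrated with the encoded probes."""
import html
from urllib.parse import unquote

def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Apply URL decoding then HTML entity decoding until the value stops changing.
    max_rounds bounds the work; %2525... chains beyond that are left as-is."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def naive_filter_blocks(value: str) -> bool:
    """What a filter that never decodes its input sees."""
    return "<script" in value.lower()

def canonical_filter_blocks(value: str) -> bool:
    """The same rule applied to the canonical form of the input."""
    return "<script" in canonicalize(value).lower()

def render_safely(value: str) -> str:
    """Output-side defence: entity-encode reflected data for an HTML body context.
    This is applied to the stored value itself, not to a decoded form of it."""
    return html.escape(value, quote=True)

# Constructed probes mirroring the filter-test list above
PROBES = ["<script>", "%3Cscript%3E", "%253Cscript%253E",
          "%26lt;script%26gt;", "<h1><img><table>"]

def compare(probes=PROBES):
    """Return {probe: (naive_blocks, canonical_blocks)} to show where they differ."""
    return {p: (naive_filter_blocks(p), canonical_filter_blocks(p)) for p in probes}

if __name__ == "__main__":
    for probe, (naive, canonical) in compare().items():
        print(f"{probe:24} canonical={canonicalize(probe):18} naive={naive} canonical={canonical}")
```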
## Constraints
- Respect program scope boundaries
- Avoid DoS or fuzzing on production without permission
- Rate limit requests to avoid blocking
- Some tools may generate false positives
- API keys required for full functionality of some tools
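Respecting scope boundaries is easiest when enforced mechanically between the subdomain enumeration of step 2 and the active steps that follow. This added example (not part of the page's workflow) filters an `all_subs.txt`-style list against the in-scope and out-of-scope wildcard rules a program typically publishes; the rules and host list below are constructed.

```python
"""Keep only enumerated hosts that the program's scope rules allow."""

def normalize(host: str) -> str:
    """Lower-case, strip whitespace and a trailing DNS dot."""
    return host.strip().lower().rstrip(".")

def matches(host: str, pattern: str) -> bool:
    """'*.example.com' matches any depth of subdomain but not the apex;
    a bare name matches exactly."""
    host, pattern = normalize(host), normalize(pattern)
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def in_scope(host: str, include: list, exclude: list) -> bool:
    """Exclusions win over inclusions, as program pages intend."""
    if any(matches(host, p) for p in exclude):
        return False
    return any(matches(host, p) for p in include)

def filter_scope(lines, include, exclude):
    """Split raw enumeration output into (kept, dropped), de-duplicated, in order."""
    seen, kept, dropped = set(), [], []
    for line in lines:
        host = normalize(line)
        if not host or host.startswith("#") or host in seen:
            continue
        seen.add(host)
        (kept if in_scope(host, include, exclude) else dropped).append(host)
    return kept, dropped

# Constructed scope rules and enumeration output
INCLUDE = ["target.com", "*.target.com"]
EXCLUDE = ["legacy.target.com", "*.corp.target.com"]
SAMPLE = ["www.target.com", "API.Target.com.", "legacy.target.com",
          "dev.corp.target.com", "target.com", "targetcdn.com",
          "www.target.com", "nottarget.com", ""]

if __name__ == "__main__":
    kept, dropped = filter_scope(SAMPLE, INCLUDE, EXCLUDE)
    print("in scope:", kept)
    print("out of scope:", dropped)
```

On a real run, replace `SAMPLE` with `open("all_subs.txt").read().splitlines()` and write `kept` to the file the active tools read.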
## Examples

### Example 1: Quick Subdomain Recon

```bash
subfinder -d target.com | httpx -title | tee results.txt
```

### Example 2: XSS Hunting Pipeline

```bash
waybackurls target.com | grep "=" | qsreplace "test" | httpx -silent | dalfox pipe
```

### Example 3: Comprehensive Scan

```bash
# Full recon chain
amass enum -d target.com | httpx | nuclei -t ~/nuclei-templates/
```
## Troubleshooting

| Issue | Solution |
|---|---|
| Rate limited | Use proxy rotation, reduce concurrency |
| Too many results | Focus on specific technology stacks |
| False positives | Manually verify findings before reporting |
| Missing subdomains | Combine multiple enumeration sources |
| API key errors | Verify keys in config files |
| Tools not found | Install Go tools with |
## When to Use

Use this skill when the workflow or actions described in the overview need to be executed.