recon-skills: An Open‑Source Library of 156 Penetration‑Testing Skills
recon-skills is a community‑maintained open‑source repository that bundles 156 offensive security skills—validated on over 600 real targets across more than 45 industries—covering information gathering, vulnerability discovery, attack‑chain construction, and anti‑detection techniques, with full manuals and quick‑start instructions.
Tool Background
recon-skills is an open‑source penetration‑testing skill library created and maintained by security researcher uphiago. It originated from the author’s experience in multiple real‑world engagements and now contains 156 executable offensive security skills spanning reconnaissance, vulnerability discovery, and attack‑chain construction.
Each skill entry includes applicable scenarios, prerequisites, concrete commands, and verification steps, allowing direct use in live assessments.
Core Capabilities
Scale and Real‑World Validation
The project comprises 156 structured skills that have been confirmed effective on more than 600 real targets. Coverage spans over 45 industries and includes ten verified attack chains such as CORS + XMLRPC → RCE and SSRF → IMDS.
Anti‑Detection and Fingerprint Evasion
Using a custom C++ modification of Chromium, the library implements 18 browser‑fingerprint markers to bypass Cloudflare, reCAPTCHA, and similar defenses. Automated behavior simulation covers Bayesian mouse‑movement curves, keystroke emulation, and variable scrolling patterns. TLS/HTTP2 fingerprint simulation supports 20 browser profiles, including JA4 TLS validation.
Industry Attack Templates
The repo provides 54 vulnerability‑discovery skills (hunt‑* series), 24 industry‑specific reconnaissance templates, 48 executable scripts (40 Python, 7 Shell, 1 JavaScript), 18 WordPress attack patterns, and deep cloud‑IAM enumeration capabilities.
Skill Catalog Overview
Skills are organized into six categories:
recon (information gathering): 34 skills covering CORS exploits, XMLRPC penetration, JS sensitive data extraction, mail security, S3/MinIO XSS, Hikvision SCADA enumeration, browser‑fingerprint evasion, etc.
redteam (red‑team skills): 109 skills including 54 vulnerability‑discovery modules, 24 industry‑specific reconnaissance modules, and 29 operational/methodology skills.
meta (meta‑methodology): 6 skills offering reconnaissance manuals, attack‑pattern references, cross‑wave analysis, a Google Dorks catalog, and industry reconnaissance methodology.
chains (attack chains): 2 skills for cross‑chain techniques and a complete WordPress takeover chain.
auth (authentication attacks): 1 skill supporting SAML SSO attacks.
infra (infrastructure): 1 skill for Docker privilege escalation.
Vulnerability Statistics
By Severity
Critical: 14 vulnerabilities (e.g., RLS write‑gap privilege escalation, MySQL exposure, PHPInfo + open registration, CORS + XMLRPC + upload → RCE).
High: 30 vulnerabilities (e.g., CORS credential reflection, XMLRPC multicall, staging takeover, schema enumeration, metric exposure).
Medium: 18 vulnerabilities (e.g., WordPress user enumeration, WooCommerce API leaks, plugin version disclosures).
Industry Distribution
Locksmith services show the highest vulnerability rate at 33%, primarily WP REST API + XMLRPC issues. Legal firms have a 25% rate, dominated by WP REST API user enumeration. Pool services, landscaping, and pest control each hover around 20%, mainly CORS credential reflection. HVAC/Piping sectors exhibit a 14% rate, often a combination of CORS and WordPress user enumeration.
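The CORS credential reflection that dominates the pool, landscaping, and pest‑control figures above is easy to confirm or rule out from a captured request/response pair without touching the network. The Python below is an added example written for this article, not a script shipped with recon-skills: it classifies one response's CORS headers against the Origin the client sent, and the allowlist, origins, and header sets it uses are constructed test data.

```python
"""Offline audit of CORS response headers for credentialed-origin reflection.

Added example (not from the recon-skills project). Input is the Origin a client
sent plus the headers the server returned; output is a severity that mirrors the
article's own ranking (credential reflection = high, plain reflection = medium).
All sample origins and headers below are constructed, not captured from any site.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Mapping, Tuple


@dataclass(frozen=True)
class CorsFinding:
    severity: str  # "none", "medium" or "high"
    reason: str


def audit_cors(request_origin: str, response_headers: Mapping[str, str],
               allowlist: FrozenSet[str] = frozenset()) -> CorsFinding:
    """Classify one request/response pair.

    request_origin   - value of the Origin header the client sent
    response_headers - headers the server returned (names are case-insensitive)
    allowlist        - origins the site intends to trust (hypothetical input;
                       a real audit would take this from the site's config)
    """
    hdrs = {name.lower(): value.strip() for name, value in response_headers.items()}
    acao = hdrs.get("access-control-allow-origin")
    creds = hdrs.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return CorsFinding("none", "no Access-Control-Allow-Origin; same-origin policy applies")
    if acao == "*":
        # Browsers never expose a credentialed response behind ACAO: *,
        # so a wildcard only reveals data that was readable anonymously anyway.
        return CorsFinding("none", "wildcard origin; credentials cannot be attached")
    if acao == request_origin and request_origin not in allowlist:
        # The server echoed whatever origin it was given: the classic reflection bug.
        if creds:
            return CorsFinding("high", f"arbitrary origin {request_origin!r} reflected with credentials")
        return CorsFinding("medium", f"arbitrary origin {request_origin!r} reflected without credentials")
    if acao == "null" and creds:
        # 'null' is the origin of sandboxed frames and data: URLs, so trusting it
        # with credentials is equivalent to trusting any page.
        return CorsFinding("high", "'null' origin allowed with credentials")
    return CorsFinding("none", f"origin {acao!r} is an intended trust relationship")


# Constructed samples: (origin the client sent, headers the server returned).
ALLOWLIST = frozenset({"https://app.example"})
SAMPLES: Dict[str, Tuple[str, Dict[str, str]]] = {
    "reflected_with_credentials": ("https://untrusted.example", {
        "Access-Control-Allow-Origin": "https://untrusted.example",
        "Access-Control-Allow-Credentials": "true",
    }),
    "reflected_no_credentials": ("https://untrusted.example", {
        "Access-Control-Allow-Origin": "https://untrusted.example",
    }),
    "allowlisted_origin": ("https://app.example", {
        "access-control-allow-origin": "https://app.example",
        "access-control-allow-credentials": "true",
    }),
    "wildcard": ("https://untrusted.example", {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true",
    }),
    "no_cors": ("https://untrusted.example", {"Content-Type": "application/json"}),
}


def run_samples() -> Dict[str, str]:
    """Audit every constructed sample and return name -> severity."""
    return {name: audit_cors(origin, headers, ALLOWLIST).severity
            for name, (origin, headers) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (origin, headers) in SAMPLES.items():
        finding = audit_cors(origin, headers, ALLOWLIST)
        print(f"{name:28s} {finding.severity:6s} {finding.reason}")
```

The same function can be run over a proxy log or a list of captured responses; the only site‑specific input is the allowlist of origins the application is supposed to trust, and the fix on the server side is to compare the incoming Origin against that list rather than echoing it.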
Quick Start
recon-skills runs on Linux, with Kali Linux recommended. Required tools include Python 3.x, nmap, curl, Bash, and optionally Docker and Wireshark for traffic analysis.
Deployment is straightforward: clone the repository, read SOUL.md and AGENTS.md for methodology, then explore the recon/ and redteam/ directories for applicable modules.
# Clone the repository
git clone [email protected]:uphiago/recon-skills.git
cd recon-skills
# Read methodology documents
cat SOUL.md
cat AGENTS.md
# List skill directories
ls recon/
ls redteam/