60 changes: 43 additions & 17 deletions Releases/v3.0/.claude/skills/Recon/SKILL.md
@@ -148,6 +148,13 @@ Active reconnaissance MUST have:

## Available Workflows

### 0. `CyberSleutRecon.md` - MCP-Powered Recon (Preferred when CyberSleuth is active)
Full domain/IP recon using CyberSleuth MCP tools: WHOIS, DNS, certificate transparency, Shodan, VirusTotal, URLScan, BuiltWith, favicon hash, AS intelligence. Richer results than shell-based workflows; no manual parsing.

**Input:** Domain or IP address
**Output:** Structured recon report with reputation, infrastructure, and threat intel
**Authorization:** Passive only (Shodan/VT queries on public data)

### 1. `PassiveRecon.md` - Safe Reconnaissance
Non-intrusive intelligence gathering using public sources:
- WHOIS data
@@ -237,27 +244,46 @@ ASN and BGP reconnaissance:
- `naabu` - Port scanning
- Note: Requires security MCP profile (`~/.claude/MCPs/swap-mcp security`)

### Future Tool Integration
### CyberSleuth MCP (Recommended)

[CyberSleuth](https://github.com/Mar8x/cybersleuth) is an MCP server that provides Shodan, VirusTotal, URLScan, BuiltWith, WHOIS, DNS, certificate transparency, favicon hashing, and AS intelligence as native MCP tools — replacing the manual shell-based approaches above.

**Shodan** (when API key added)
- Search for exposed services
- Historical scan data
- Vulnerability information
**When CyberSleuth MCP is active, use `Workflows/CyberSleutRecon.md`** instead of DomainRecon for richer, faster results.

**Censys** (when API key added)
- Certificate searches
- Host discovery
- Internet-wide scanning data
**Installation:**
```bash
git clone https://github.com/Mar8x/cybersleuth.git
cd cybersleuth && uv sync
```

**SecurityTrails** (when API key added)
- Historical DNS records
- WHOIS history
- Subdomain discovery
Add to `~/.claude.json` mcpServers:
```json
"cybersleuth": {
"type": "stdio",
"command": "uv",
"args": ["run", "--directory", "/path/to/cybersleuth", "cybersleuth"],
"env": {
"SHODAN_API_KEY": "your-key",
"VIRUSTOTAL_API_KEY": "your-key",
"URLSCAN_API_KEY": "your-key",
"BUILTWITH_API_KEY": "your-key"
}
}
```

**VirusTotal** (when API key added)
- Domain/IP reputation
- Passive DNS
- Malware associations
**Available MCP tools:**
| Tool | Replaces |
|------|---------|
| `whois_lookup` | `whois` shell command (region-aware: RIR for IPs, TLD fallback for domains) |
| `dns_records` | `dig` — all record types in one call |
| `certificate_info` | crt.sh curl + jq pipeline |
| `shodan_search` | Shodan API (was "Future Tool Integration") |
| `vt_domain_report` / `vt_ip_report` | VirusTotal (was "Future Tool Integration") |
| `urlscan_history` / `urlscan_submit` | URLScan.io web scanning |
| `builtwith_lookup` | Technology stack fingerprinting |
| `favicon_hash` | Favicon hash for Shodan `http.favicon.hash:` queries |
| `as_intelligence` | ASN lookup with hosting/cloud detection |
| `reverse_dns` | PTR record lookups |

## TypeScript Utilities

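Review bot: the `~/.claude.json` snippet puts four API keys in plaintext in a user config file with no guidance on protecting them; add a line on restricting the file's permissions (e.g. `chmod 600 ~/.claude.json`) or on sourcing the keys from the environment rather than the JSON, and state which keys are optional, since WHOIS, DNS and certificate transparency lookups look like they need none. Two smaller points: the table cells `(was "Future Tool Integration")` refer to a heading this same hunk deletes, so they are stale for anyone reading the updated SKILL.md and can be dropped; and the removed Censys and SecurityTrails entries are not covered by CyberSleuth, so either keep them under a trimmed "Future Tool Integration" heading or mention that they are no longer planned.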
182 changes: 182 additions & 0 deletions Releases/v3.0/.claude/skills/Recon/Workflows/CyberSleutRecon.md
@@ -0,0 +1,182 @@
# CyberSleuth Recon Workflow

## Voice Notification

```bash
curl -s -X POST http://localhost:8888/notify \
-H "Content-Type: application/json" \
-d '{"message": "Running the CyberSleutRecon workflow in the Recon skill to investigate infrastructure"}' \
> /dev/null 2>&1 &
```

Running the **CyberSleutRecon** workflow in the **Recon** skill to investigate infrastructure...

**Requires:** CyberSleuth MCP server active (`cybersleuth` in mcpServers). See `SKILL.md` for installation.

**Purpose:** MCP-native domain and IP reconnaissance using CyberSleuth tools — richer and faster than shell-based recon. Covers registration, DNS, subdomains, technology stack, reputation, and threat intelligence in a single pass.

---

## Phase 1: Authorization & Scope

- [ ] Explicit authorization confirmed (or passive-only on public data)
- [ ] Target domain(s) or IP(s) defined
- [ ] CyberSleuth MCP tools available in session

**STOP if CyberSleuth is not active** — fall back to `DomainRecon.md` or `IpRecon.md`.

---

## Phase 2: Registration & WHOIS

**Tool:** `whois_lookup(domain)`

Extract:
- Registrar, registration date, expiration date
- Registrant (or privacy proxy detection)
- Name servers
- DNSSEC status
- ⚠️ If `expiration_date < 30 days` → flag HIGH immediately (domain squatting risk)

---

## Phase 3: DNS Enumeration

**Tool:** `dns_records(domain)` — returns all record types in one call (A, AAAA, MX, NS, TXT, SOA, CNAME, CAA)

Analyze:
- A/AAAA → resolved IPs for infrastructure mapping
- MX → mail provider identification
- TXT → decode every SPF `include:` and verification token (full SaaS stack inventory)
- NS → hosting provider or self-managed DNS
- CAA → certificate authority restriction

---

## Phase 4: Certificate Transparency

**Tool:** `certificate_info(domain, wildcard=True)`

Extract:
- All subdomains ever issued certificates
- Certificate issuers (Let's Encrypt vs. commercial CA)
- First certificate date (domain age signal)
- SAN entries (reveals related domains)
- ⚠️ Naming conventions in subdomains decode architecture:
- Environment suffixes (`appname-prod`, `appname-test`) → prod/test split
- Service-role prefixes (`clearingservice.*`, `bankid-idp.*`, `partner-portal.*`) → backend systems
- Auth prefixes (`sso.*`, `auth.*`, `oauth.*`) → identity provider dependencies

---

## Phase 5: AS & Hosting Intelligence

**Tool:** `as_intelligence(domain_or_ip)` — run for each unique IP from Phase 3

Extract:
- ASN, AS org, country
- Hosting/cloud provider flag (if not hosting, AS org = the real organization)
- Group IPs by ASN to map infrastructure segments

**Tool:** `reverse_dns(ip)` — for each IP

---

## Phase 6: Reputation & Threat Intel

Run in parallel for each target domain and key IPs:

**Tool:** `vt_domain_report(domain)`
- Malicious/suspicious detection counts
- Categories and reputation score

**Tool:** `vt_ip_report(ip)` — for each unique IP

**Tool:** `urlscan_history(domain, limit=5)`
- Historical screenshots and technology snapshots
- Maliciousness verdicts

---

## Phase 7: Infrastructure Discovery

**Tool:** `shodan_search(query, limit=10)`

Run multiple queries:
```
org:"[organization name]" → all exposed services
hostname:[domain] → services on discovered hosts
ssl.cert.subject.cn:[domain] → services by certificate
http.favicon.hash:[hash] → clones/mirrors (use favicon_hash first)
```

**Tool:** `favicon_hash(url)` — generate hash for Shodan `http.favicon.hash:` query

For each Shodan result note: open ports, server versions, SNMP engine uptime (if present → patch inference: `uptime_days / 365 ≈ years since last reboot`).

---

## Phase 8: Technology Stack

**Tool:** `builtwith_lookup(domain)`
- Technology groups and categories with last-seen dates
- Correlate with TXT verification records from Phase 3 (cross-validates SaaS stack)

---

## Phase 9: M365 / Azure AD Discovery

Fetch manually (no MCP tool — use WebFetch):
```
https://login.microsoftonline.com/getuserrealm.srf?login=test@[domain]&xml=1
https://login.microsoftonline.com/[domain]/.well-known/openid-configuration
```

Determine: Managed / Federated / Unknown namespace; extract tenant ID if enrolled.

---

## Phase 10: Synthesis

**Infrastructure map:**
- Domain → subdomains → IPs → ASNs → hosting providers
- Technology stack per layer (web, mail, CDN, identity)
- Certificate relationships and first-seen dates

**Security posture:**
- DNSSEC signed/unsigned (critical if hosting BankID, OAuth IDP, or SSO)
- Email security: SPF hardfail vs. softfail; DMARC policy; DKIM selectors
- Domain expiry urgency
- Shodan SNMP uptime findings
- VirusTotal reputation flags

**Report structure:**
1. Executive Summary + Risk Advisory (HIGH/MEDIUM/LOW findings)
2. Registration & WHOIS
3. DNS Infrastructure
4. Subdomain Map (with purpose classification)
5. AS & Hosting Map
6. Technology Stack (BuiltWith + TXT cross-reference)
7. Reputation & Threat Intel (VirusTotal + URLScan)
8. M365 / Identity Infrastructure
9. Shodan Exposure
10. Recommendations

---

## Checklist

- [ ] WHOIS retrieved; expiry checked
- [ ] All DNS records collected; SPF decoded
- [ ] Certificate transparency enumerated; subdomain naming analyzed
- [ ] AS/hosting mapped for all unique IPs
- [ ] VirusTotal checked (domain + key IPs)
- [ ] URLScan history reviewed
- [ ] Shodan queried (org + hostname + favicon)
- [ ] BuiltWith stack retrieved
- [ ] M365 tenant status determined
- [ ] Report drafted with severity-classified findings

---

**Reference:** [CyberSleuth GitHub](https://github.com/Mar8x/cybersleuth) · See `cybersleuth://instructions` MCP resource for full methodology.
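Review bot: Phase 10 lists "DMARC policy" and "DKIM selectors" under security posture, but no phase collects them: `dns_records(domain)` in Phase 3 returns the apex records, DMARC lives in the TXT record of `_dmarc.[domain]`, and DKIM keys are only reachable through a `[selector]._domainkey.[domain]` lookup for a known selector. Add a Phase 3 step that queries `_dmarc.[domain]` (and any selectors already known from mail headers), or drop those two items from the posture list and the checklist. Two more points: the SNMP uptime rule in Phase 7 (`uptime_days / 365 ≈ years since last reboot`) only bounds the time since the last reboot, not the patch level, so phrase the finding as "no reboot in N years" rather than a patch inference; and Phase 1 says "STOP if CyberSleuth is not active" and then "fall back to `DomainRecon.md` or `IpRecon.md`", which reads as two conflicting instructions, so reword it to "If CyberSleuth is not active, use `DomainRecon.md` or `IpRecon.md` instead."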