Expand Claude Playbook with detailed task guidance and template selection#73
Merged
…afety clause
- Phase 1 (Recon): added specific techniques — DNS record types (A/AAAA/MX/TXT/NS/SOA/SRV), infrastructure mapping, CT log lookups, subdomain categorization
- Phase 2 (Scanning): added high-speed port sweep, WAF/CDN detection, NSE scripts, service banner collection, traffic capture rationale
- Phase 3A (Enumeration): expanded from 6 generic tasks to 10 specific ones — API endpoint enumeration (OWASP API Top 10), security header/SSL analysis, CMS-specific scanning, SQL injection testing, web/bug bounty recon
- Phase 3B (Exploitation): added SSTI and NoSQL injection vulnerability classes
- Phase 3C (Post-exploitation): expanded lateral movement to list specific services, added element-level screenshots and annotation guidance
- Exploitation Decision Tree: added destructive exploit safety branch — exploits involving data deletion, ransomware, disk wipe, or DoS are documented as PoC-only without live execution to prevent irreversible damage
- Template reference table: replaced 2-column table with 4-column table (template, use case, phases, key differentiator) with detailed descriptions from each template
- Added "When to Use Which Template" decision table mapping 10 common scenarios to the recommended template with rationale

https://claude.ai/code/session_015HDuXoH7ZqS8wiuENg7A8e
- Added "Engagement Documentation & Report Storage" section with:
  - Path mapping table for Docker container, host, and local environments
  - Date-stamped engagement folder structure (output/reports/[TARGET]-DDMMYYYY/)
  - Three required documents: final report, engagement log, issues log
  - Storage checklist for end-of-engagement verification
- Created output/ directory structure with subdirectories:
  - output/reports/ — pentest reports (mounted at /root/reports in container)
  - output/sessions/ — session JSON data (mounted at /root/results in container)
  - output/screenshots/ — screenshot evidence (mounted at /tmp/screenshots)
- Updated .gitignore to preserve output/ directory structure (.gitkeep files) while still ignoring generated content

https://claude.ai/code/session_015HDuXoH7ZqS8wiuENg7A8e
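The end-of-engagement storage checklist described in the commit above can be enforced mechanically. The following checker is an added example, not code from this PR or the playbook: it walks a host-side output/reports/ tree, validates the [TARGET]-DDMMYYYY folder naming and confirms the three required documents exist and are non-empty. The document file names (final-report.md, engagement-log.md, issues-log.md) are assumptions; the PR text names the documents but not their file names.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Host-side path -> container mount, as listed in the commit (informational;
# the checker runs against the host/local side).
PATH_MAP = {
    "output/reports": "/root/reports",
    "output/sessions": "/root/results",
    "output/screenshots": "/tmp/screenshots",
}

# Assumed file names for the three required documents per engagement folder.
REQUIRED_DOCS = ("final-report.md", "engagement-log.md", "issues-log.md")

# [TARGET]-DDMMYYYY: target label, hyphen, exactly eight digits.
FOLDER_RE = re.compile(r"^(?P<target>[A-Za-z0-9._-]+)-(?P<date>\d{8})$")


def check_engagement_folder(folder: Path) -> list[str]:
    """Return checklist failures for one engagement folder (empty list = pass)."""
    problems: list[str] = []
    m = FOLDER_RE.match(folder.name)
    if not m:
        return [f"{folder.name}: name is not [TARGET]-DDMMYYYY"]
    try:
        datetime.strptime(m.group("date"), "%d%m%Y")  # rejects e.g. month 13
    except ValueError:
        problems.append(f"{folder.name}: date part {m.group('date')!r} is not DDMMYYYY")
    for doc in REQUIRED_DOCS:
        p = folder / doc
        if not p.is_file():
            problems.append(f"{folder.name}: missing {doc}")
        elif p.stat().st_size == 0:
            problems.append(f"{folder.name}: {doc} is empty")
    return problems


def check_reports_dir(reports_dir: Path) -> dict[str, list[str]]:
    """Check every engagement folder under output/reports/, skipping .gitkeep."""
    return {c.name: check_engagement_folder(c)
            for c in sorted(reports_dir.iterdir()) if c.is_dir()}


def demo() -> dict[str, list[str]]:
    """Build a constructed sample output/reports/ tree in a temp dir and check it."""
    root = Path(tempfile.mkdtemp()) / "output" / "reports"
    complete = root / "example.test-01032025"      # constructed: passes
    complete.mkdir(parents=True)
    for doc in REQUIRED_DOCS:
        (complete / doc).write_text("placeholder content\n")
    partial = root / "example.test-02032025"       # constructed: missing/empty docs
    partial.mkdir()
    (partial / "final-report.md").write_text("x\n")
    (partial / "issues-log.md").write_text("")
    (root / "scratch").mkdir()                     # constructed: bad folder name
    (root / ".gitkeep").write_text("")
    return check_reports_dir(root)
```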
Summary
Enhanced the Claude Playbook documentation with comprehensive task details, improved phase descriptions, and a new template selection guide. This update provides clearer execution guidance for each reconnaissance, scanning, and exploitation phase while adding a decision matrix to help users choose the right assessment template for their use case.
Key Changes
Phase 1 (Recon): Converted task list to detailed table with specific instructions for subdomain enumeration, DNS intelligence, WHOIS lookups, OSINT harvesting, certificate transparency, infrastructure mapping, and AI-driven analysis. Added clarification that this phase uses passive techniques only.
Phase 2 (Scanning): Enhanced with detailed guidance on high-speed port sweeps, service detection, WAF/CDN detection, NSE vulnerability scripts, exploit module searching, auxiliary scanning, and network traffic capture. Added note that this is the first active phase with packets sent to target.
Phase 3A (Enumeration & Vulnerability Discovery): Expanded task descriptions to include technology fingerprinting, web vulnerability scanning, directory/content discovery, HTTP parameter discovery, XSS scanning, SQL injection testing, CMS-specific scanning, API endpoint enumeration, security header analysis, and web reconnaissance agents.
Phase 3B (Active Exploitation): Added two new exploitation techniques to the mandatory testing table:
Post-Exploitation Guidance: Enhanced lateral movement instructions to test credentials against ALL discovered services (SSH, FTP, admin panels, databases, APIs, Redis, MongoDB, MSSQL, PostgreSQL). Improved traffic capture and screenshot documentation requirements with specific guidance on element-level screenshots and annotation.
Exploitation Decision Tree: Restructured the vulnerability exploitation flowchart to add a critical safety gate: destructive exploits (data deletion, ransomware, DoS) must be documented as Proof-of-Concept only without live execution, while non-destructive exploits proceed with full exploitation and data extraction.
Template Reference: Completely redesigned the template section with:
Notable Implementation Details