Aiwg target-profiling

Research and build a target system profile via SSH — discovers OS, services, users, network baseline, and security stack

install
source · Clone the upstream repo
git clone https://github.com/jmagly/aiwg
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jmagly/aiwg "$T" && mkdir -p ~/.claude/skills && cp -r "$T/agentic/code/frameworks/forensics-complete/skills/target-profiling" ~/.claude/skills/jmagly-aiwg-target-profiling-2a27bb && rm -rf "$T"
manifest: agentic/code/frameworks/forensics-complete/skills/target-profiling/SKILL.md
source content

target-profiling

Connects to a target system over SSH and constructs a structured baseline profile covering operating system details, running services, user accounts, network configuration, and installed security tooling. The profile serves as the foundation for all subsequent forensic work.

Triggers

Alternate expressions and non-obvious activations (primary phrases are matched automatically from the skill description):

  • "OSINT [target]" → open-source intelligence gathering
  • "footprint [domain]" → attack surface mapping
  • "recon [system]" → system reconnaissance

Purpose

Before any investigation can proceed, examiners need a documented understanding of what the system looks like in its current state. This skill produces a structured .aiwg/forensics/profiles/<hostname>.md file that records point-in-time system state, making deviations visible during analysis.

Behavior

When triggered, this skill:

  1. Parse connection string:

    • Accepts user@host, user@host:port, or a named SSH config alias
    • Validates connectivity before starting collection
    • Example: ssh -o ConnectTimeout=10 user@192.0.2.10 'echo ok'
  2. Collect OS identity:

    • Read /etc/os-release for distro and version
    • Capture kernel version with uname -r
    • Record architecture with uname -m
    • Capture system uptime and last reboot time
  3. Enumerate running services:

    • Use systemctl list-units --type=service --state=running (systemd systems)
    • Fall back to service --status-all or rc-status on non-systemd systems
    • Record enabled-at-boot services separately from currently active ones
  4. Enumerate local user accounts:

    • Parse /etc/passwd for non-system accounts (UID >= 1000); nobody is commonly UID 65534 on Linux and should be excluded from that range
    • Check /etc/sudoers and /etc/sudoers.d/ for privilege grants (both are readable only by root, so record when the SSH user cannot read them)
    • List accounts with active login shells
    • Record last login times from lastlog or last
  5. Capture network baseline:

    • Active interfaces and addresses: ip addr show
    • Routing table: ip route show
    • Listening ports and owning processes: ss -tlnp or netstat -tlnp (process names for sockets owned by other users are only shown when running as root)
    • Current established connections: ss -tnp state established
  6. Identify security tooling:

    • Check for presence of auditd, SELinux/AppArmor, fail2ban, crowdstrike, osquery, wazuh, filebeat
    • Record firewall type (iptables, nftables, ufw, firewalld) and active ruleset summary (listing the ruleset normally requires root)
  7. Write profile document:

    • Save to .aiwg/forensics/profiles/<hostname>.md
    • Include collection timestamp and SSH user used
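The seven steps above as one read-only collector in POSIX shell. This is an added example, not the aiwg project's own implementation: it assumes a hypothetical RUNNER variable that replaces ssh with a local shell for offline testing, PROFILE_DIR/SSH_TIMEOUT/MIN_UID environment overrides mirroring the configuration keys, and the install directories /opt/CrowdStrike and /var/ossec as typical (not page-stated) locations for the CrowdStrike and Wazuh agents.

```shell
#!/bin/sh
# Added example (not aiwg's code): minimal read-only target profiler.
# RUNNER (assumed name) overrides the remote executor, e.g. RUNNER='sh -c'
# exercises the script against the local host without an SSH session.
PROFILE_DIR="${PROFILE_DIR:-.aiwg/forensics/profiles}"
SSH_TIMEOUT="${SSH_TIMEOUT:-10}"   # mirrors target_profiling.ssh_timeout
MIN_UID="${MIN_UID:-1000}"         # mirrors target_profiling.min_uid

# Step 1: parse user@host, user@host:port or a bare ssh_config alias into
# T_USER / T_HOST / T_PORT (bracketed IPv6 literals are not handled here).
parse_target() {
    T_USER=""; T_HOST="$1"; T_PORT=""
    case "$T_HOST" in *@*) T_USER="${T_HOST%%@*}"; T_HOST="${T_HOST#*@}" ;; esac
    case "$T_HOST" in *:*) T_PORT="${T_HOST##*:}"; T_HOST="${T_HOST%:*}" ;; esac
    [ -n "$T_HOST" ]
}

# Run one command on the target. BatchMode=yes stops an interactive prompt
# from stalling an unattended collection.
remote() {
    if [ -n "${RUNNER:-}" ]; then $RUNNER "$1"; return; fi
    ssh -o ConnectTimeout="$SSH_TIMEOUT" -o BatchMode=yes ${T_PORT:+-p "$T_PORT"} \
        "${T_USER:+$T_USER@}$T_HOST" "$1"
}

# Record one section: the exact command, its output, and whether it worked.
# A missing tool or a non-zero exit is documented in the profile, never fatal.
collect() {
    printf '\n### %s\n\n    $ %s\n\n' "$1" "$2" >>"$MD"
    printf '=== %s ===\n$ %s\n' "$1" "$2" >>"$RAW"
    out=$(remote "$2" 2>&1) || out="$out
[collector note: command exited non-zero or is not available on target]"
    printf '%s\n' "$out" | tee -a "$RAW" | sed 's/^/    /' >>"$MD"
}

profile_target() {
    parse_target "$1" || { echo "usage: profile_target user@host[:port]|alias" >&2; return 2; }
    remote 'echo ok' >/dev/null 2>&1 || { echo "cannot reach $T_HOST" >&2; return 1; }
    # Profile name comes from the target's own hostname, sanitised for use as a
    # file name; fall back to the host given on the command line.
    name=$(remote hostname 2>/dev/null | tr -dc 'A-Za-z0-9._-')
    [ -n "$name" ] || name="$T_HOST"
    mkdir -p "$PROFILE_DIR"
    MD="$PROFILE_DIR/$name.md"; RAW="$PROFILE_DIR/$name-raw.txt"; : >"$RAW"
    {   # Step 7 metadata first: collection timestamp and the SSH identity used.
        echo "# Target profile: $name"; echo
        echo "- Collected: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "- Target: ${T_USER:-<ssh_config user>}@$T_HOST${T_PORT:+:$T_PORT}"
        echo "- Method: read-only commands over SSH; no target state modified"
    } >"$MD"
    # Step 2
    collect "OS identity" 'cat /etc/os-release; uname -r; uname -m; uptime; who -b'
    # Step 3: running units, with enabled-at-boot units recorded separately.
    collect "Running services" 'systemctl list-units --type=service --state=running --no-pager --no-legend 2>/dev/null || service --status-all 2>/dev/null || rc-status'
    collect "Services enabled at boot" 'systemctl list-unit-files --type=service --state=enabled --no-pager --no-legend'
    # Step 4: nobody (65534) sits above min_uid on most distros, so exclude it.
    collect "Local user accounts (UID >= $MIN_UID)" \
        "awk -F: -v m=$MIN_UID '\$3 >= m && \$3 != 65534 {print \$1, \$3, \$7}' /etc/passwd"
    collect "Accounts with login shells" "grep -vE '(nologin|false)\$' /etc/passwd | cut -d: -f1,7"
    collect "sudo grants (root-readable only)" 'cat /etc/sudoers /etc/sudoers.d/* 2>&1'
    collect "Last logins" 'lastlog 2>/dev/null | grep -v "Never logged in" || last -n 20'
    # Step 5
    collect "Interfaces and addresses" 'ip addr show'
    collect "Routing table" 'ip route show'
    collect "Listening sockets" 'ss -tlnp 2>/dev/null || netstat -tlnp'
    collect "Established connections" 'ss -tnp state established'
    # Step 6: presence checks via PATH plus typical install dirs (assumed paths);
    # ruleset listings usually need root and are simply recorded as unavailable.
    collect "Security tooling" 'for t in auditd auditctl aa-status sestatus getenforce fail2ban-client osqueryd filebeat; do command -v $t >/dev/null 2>&1 && echo "present: $t" || echo "absent: $t"; done; ls -d /opt/CrowdStrike /var/ossec 2>/dev/null'
    collect "Firewall" 'for f in nft iptables ufw firewall-cmd; do command -v $f; done; nft list ruleset 2>/dev/null | head -40; iptables -S 2>/dev/null | head -40'
    printf '%s\n' "$MD"
}

# Command-line use: ./profile.sh ops@192.0.2.55:2222  (prints the profile path).
if [ "$#" -gt 0 ]; then profile_target "$1"; fi
```

Every command the script runs is a read, and anything the SSH user cannot read or that is absent on the target lands in the profile as a collector note rather than aborting the run, which is what the research-before-decision and non-destructive rules below ask for. Running it as root over SSH fills in the sudoers, socket-owner and firewall sections that are otherwise recorded as unavailable.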

Usage Examples

Example 1 — Basic profile

profile target user@webserver-01.example.com

Connects as the specified user and writes .aiwg/forensics/profiles/webserver-01.md.

Example 2 — Non-standard port

profile target ops@192.0.2.55:2222

Connects on port 2222 and derives the profile name from the output of the target's hostname command.

Example 3 — Named alias

system reconnaissance prod-db-01

Resolves prod-db-01 via ~/.ssh/config.

Output Locations

  • Profile: .aiwg/forensics/profiles/<hostname>.md
  • Raw collection log: .aiwg/forensics/profiles/<hostname>-raw.txt

Configuration

target_profiling:
  ssh_timeout: 10
  min_uid: 1000
  include_security_tools:
    - auditd
    - apparmor
    - selinux
    - fail2ban
    - crowdstrike
    - osquery
    - wazuh
    - filebeat
  output_format: markdown

References

  • @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/research-before-decision.md — Validate SSH connectivity before starting collection; document what is and is not accessible
  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/non-destructive.md — Profile using read-only commands only; do not alter target system state
  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/evidence-integrity.md — Record collection timestamp and SSH user with the profile for forensic traceability
  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/linux-forensics/SKILL.md — The target profile serves as baseline context for the subsequent Linux forensic investigation
  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/evidence-preservation/SKILL.md — Profile documents collected after target profiling feed the evidence preservation workflow