cloud-and-infralisted

# Cloud & Infrastructure OSINT > Sub-skill of `offensive-osint`. Load `osint-methodology` for pipeline and triage context. > Authorized targets only. --- ## BEHAVIORAL CONTRACT **When triggered:** Cloud-native service fingerprinting, Kubernetes/container exposure, CI/CD platform exposure, TLS deep audit, or container registry leak hunting is needed. **Execute:** 1. For each discovered subdomain/IP, match against cloud-native URL patterns (§1). Classify provider and service type. 2. Check public-vs-auth-required on each cloud function endpoint (HEAD/GET). 3. For K8s/container exposure: probe ports from §2 table (Docker 2375/2376, kubelet 10250, etcd 2379, K8s API 6443/8443). Anonymous access = CRITICAL. 4. Check CI/CD platforms (§3) for unauthenticated access. 5. Run TLS deep audit (§4) on every HTTPS endpoint in scope. 6. Check public container registries (§2) for target-owned images. 7. For each finding, emit per `osint-methodology` §3 schema. **Output:** Infrastructure findings with provider, service type, auth posture, severity. All per `osint-methodology` §3 schema. **Severity rules:** Inline per section tables. Docker API unencrypted = CRITICAL. Open kubelet = CRITICAL. Open etcd = CRITICAL. K8s API anonymous = HIGH. TLS 1.0/1.1 = MEDIUM. **Gating rules:** Active port probing is HIGH detectability — confirm authorization. Container image pulls generate logs — note detectability. **Chain to:** Feed discovered cloud endpoints to `web-surface` for HTTP checks. Feed