# Install this skill

```sh
npx skills add Anshin-Health-Solutions/superpai --skill "recon"
```

Installs this one skill from a multi-skill repository.

# Description

Security reconnaissance for authorized targets. Map attack surface, discover assets, enumerate services.

# SKILL.md

```yaml
---
name: recon
description: "Security reconnaissance for authorized targets. Map attack surface, discover assets, enumerate services."
triggers:
  - recon
  - reconnaissance
  - bug bounty
  - attack surface
  - asset discovery
---
```
## Recon Skill

Security reconnaissance for authorized targets. This skill provides a phased methodology for discovering and mapping the attack surface of web applications, APIs, and infrastructure. Every engagement MUST have explicit written authorization (bug bounty program scope, pentesting contract, or equivalent).

## Phase Methodology

### Phase 1: Passive Recon (No Target Interaction)

Gather intelligence from third-party sources without sending traffic to the target itself. One caveat: resolving names with `dnsx` or `dig` does send DNS queries. They go through your configured resolver, but they ultimately reach the target's authoritative name servers, so treat DNS resolution as the edge of passive work and move it into Phase 2 if the program counts DNS queries as interaction.

| Task | Tool | Command Example |
|------|------|-----------------|
| Subdomain enumeration | subfinder | `subfinder -d target.com -o subs.txt` |
| DNS records | dig / dnsx | `dnsx -l subs.txt -a -resp -o dns.txt` |
| Certificate transparency | crt.sh | `curl -s "https://crt.sh/?q=%.target.com&output=json" \| jq -r '.[].name_value' \| sort -u` |
| WHOIS lookup | whois | `whois target.com` |
| Archived URLs | waybackurls | `waybackurls target.com > wayback.txt` |
| GitHub/GitLab dorking | manual / trufflehog | Search for exposed secrets, config files, internal URLs |
| Technology profiling | Wappalyzer / BuiltWith | Identify frameworks, CDNs, hosting providers from public data |

### Phase 2: Active Recon (Direct Target Interaction)

Send controlled traffic to discover live assets and services. Start with the ports and request rate the program permits: a full `-p-` scan at `-T4` is noisy and can trip rate limits or WAF blocks, so confirm it is allowed before running it against production hosts.

| Task | Tool | Command Example |
|------|------|-----------------|
| HTTP probing | httpx | `httpx -l subs.txt -status-code -title -tech-detect -o live.txt` |
| Port scanning | nmap | `nmap -sV -sC -T4 -p- -oN ports.txt target.com` |
| Service fingerprinting | nmap / whatweb | `whatweb -v target.com` |
| Directory brute-force | ffuf / feroxbuster | `ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt` |
| Parameter discovery | Arjun | `arjun -u https://target.com/api/endpoint` |
| API endpoint enumeration | manual / katana | `katana -u https://target.com -d 3 -o endpoints.txt` |

### Phase 3: Vulnerability Mapping

Correlate discovered assets against known vulnerability patterns.

  1. Automated scanning: run nuclei against live hosts: `nuclei -l live.txt -t cves/ -t exposures/ -o vulns.txt` (in the current nuclei-templates layout these directories are `http/cves/` and `http/exposures/`)
  2. Technology-specific checks: match identified technologies (from httpx/Wappalyzer) against CVE databases
  3. Configuration review: check for exposed admin panels, default credentials, open redirects, CORS misconfigurations
  4. SSL/TLS analysis: `testssl.sh target.com` or `sslyze target.com` for certificate and cipher issues

### Phase 4: Reporting

Compile all findings into a structured report with evidence and risk ratings.

## Scope Rules

  • ONLY test assets explicitly listed in the authorization scope
  • Respect rate limits and do not cause denial of service
  • Do NOT access, modify, or exfiltrate user data
  • Stop and report immediately if you encounter sensitive PII or credentials
  • Log all tools and commands executed for audit trail
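The first and last rules above are the ones that are easiest to enforce mechanically: every hostname that comes out of Phase 1 is checked against the written scope before it reaches any Phase 2 tool, and every active command is appended to an audit log. The POSIX shell script below is an added example, not part of the superpai recon skill or its repository. It assumes a scope file (default `scope.txt`) with one entry per line: a `*.example.com` wildcard, an exact host, or a `!host` exclusion that wins over any include; the file names `recon-audit.log`, `subs.raw`, `subs.txt` and `live.txt` and the `recon_pipeline` wrapper are likewise assumptions for illustration.

```sh
#!/bin/sh
# Scope gate and audit log for the recon pipeline.
# Added example, not part of the superpai recon skill. Assumed scope file format:
#   *.example.com        wildcard: any host under example.com (not the apex itself)
#   api.example.org      exact host
#   !legacy.example.com  explicit exclusion (wins over any include)
#   # ...                comment
# A wildcard deliberately does not imply the apex; list it on its own line if
# the program includes it.

SCOPE_FILE="${SCOPE_FILE:-scope.txt}"
AUDIT_LOG="${AUDIT_LOG:-recon-audit.log}"

# match_pattern HOST PATTERN: exit 0 if HOST matches PATTERN (case-insensitive).
# '*' is a shell glob, so '*.example.com' matches 'a.b.example.com' but not
# 'example.com', 'notexample.com' or 'example.com.evil.net'.
match_pattern() {
    mp_host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    mp_pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$mp_host" in
        $mp_pat) return 0 ;;
        *)       return 1 ;;
    esac
}

# in_scope HOST: exit 0 only if HOST matches an include entry and no exclusion.
in_scope() {
    is_host="$1"
    is_included=1
    while IFS= read -r is_line || [ -n "$is_line" ]; do
        is_line=${is_line%%#*}                             # drop comments
        is_line=$(printf '%s' "$is_line" | tr -d ' \t\r')  # drop whitespace / CR
        [ -z "$is_line" ] && continue
        case "$is_line" in
            '!'*) match_pattern "$is_host" "${is_line#!}" && return 1 ;;
            *)    match_pattern "$is_host" "$is_line" && is_included=0 ;;
        esac
    done < "$SCOPE_FILE"
    return "$is_included"
}

# filter_scope: read candidate hosts on stdin (e.g. subfinder output), print only
# in-scope hosts on stdout, report every dropped host on stderr.
filter_scope() {
    while IFS= read -r fs_host; do
        [ -z "$fs_host" ] && continue
        if in_scope "$fs_host"; then
            printf '%s\n' "$fs_host"
        else
            printf 'out of scope, dropped: %s\n' "$fs_host" >&2
        fi
    done
}

# run_logged CMD ARGS...: append the exact command with a UTC timestamp to the
# audit log, then execute it. Every active-phase tool goes through this.
run_logged() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$AUDIT_LOG"
    "$@"
}

# Phase 1 -> Phase 2 hand-off: nothing reaches httpx unless it passed the gate.
# Hypothetical wrapper; only runs when the real tools are installed.
recon_pipeline() {
    rp_domain="$1"
    if ! command -v subfinder >/dev/null 2>&1 || ! command -v httpx >/dev/null 2>&1; then
        echo "subfinder and httpx are required" >&2
        return 2
    fi
    run_logged subfinder -d "$rp_domain" -silent -o subs.raw >/dev/null
    filter_scope < subs.raw > subs.txt
    run_logged httpx -l subs.txt -sc -title -tech-detect -o live.txt
}

# Usage: SCOPE_FILE=scope.txt sh recon-gate.sh example.com
if [ $# -gt 0 ]; then
    recon_pipeline "$1"
fi
```

Source the file in an interactive shell to use the gate as a pipeline stage, for example `subfinder -d example.com -silent | filter_scope > subs.txt`, and wrap every nmap, ffuf and nuclei invocation in `run_logged` so the audit trail is written by the same mechanism that runs the command rather than from memory afterwards.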

## Output Format

```markdown
## Recon Report: {Target}

### Metadata
- Target scope: {domains, IPs, or CIDR ranges}
- Authorization: {bug bounty program URL or engagement reference}
- Date: {YYYY-MM-DD}
- Phases completed: {1-4}

### Asset Inventory

| Asset | Type | Status | Technologies | Notes |
|-------|------|--------|--------------|-------|
| app.target.com | Web App | Live (200) | React, Nginx, Node.js | Main application |
| api.target.com | API | Live (200) | Express, PostgreSQL | REST API |
| admin.target.com | Admin Panel | Live (403) | Django | Requires auth |

### Open Ports & Services

| Host | Port | Service | Version | Notes |
|------|------|---------|---------|-------|
| target.com | 443 | HTTPS | Nginx 1.25 | TLS 1.3 |
| target.com | 22 | SSH | OpenSSH 9.0 | Key-only auth |

### Vulnerability Findings

| # | Finding | Severity | Asset | Evidence |
|---|---------|----------|-------|----------|
| 1 | {description} | {Critical/High/Med/Low} | {asset} | {proof} |

### Recommendations
1. {Actionable recommendation with priority}
```

## Example Recon Workflow

Engagement: bug bounty for example.com (scope: `*.example.com`).

  1. Run `subfinder -d example.com -silent` -- found 47 subdomains
  2. Probe with `httpx -l subs.txt -sc -title` -- 12 live hosts
  3. Scan interesting hosts with `nmap -sV -p 80,443,8080,8443`
  4. Content discovery with `ffuf` on the main app and API endpoints
  5. Run `nuclei -l live.txt -severity critical,high` -- found 2 high-severity issues
  6. Compile the report with asset inventory, port table, and vulnerability details
  7. Submit findings through the bug bounty platform

## When to Use

  • Authorized bug bounty engagements with defined scope
  • Penetration testing with a signed statement of work
  • Internal security assessments of your own infrastructure

## When NOT to Use

  • No written authorization exists
  • Target is out of scope or belongs to a third party
  • You are unsure whether testing is permitted -- ask first

# Supported AI Coding Agents

This skill follows the SKILL.md standard and works with the AI coding agents that support it; see the SKILL.md standard documentation for how to load skills into your preferred agent.