원클릭으로
recon-asset-discovery
Subdomain enumeration, CT logs, DNS record catalog, WHOIS/RDAP, and passive reconnaissance for authorized external recon.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Subdomain enumeration, CT logs, DNS record catalog, WHOIS/RDAP, and passive reconnaissance for authorized external recon.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Cloud-native service fingerprints, Kubernetes/container exposure, CI/CD platform exposure, TLS deep audit, and favicon hash pivot for authorized infrastructure recon.
Comprehensive OSINT methodology for external red-team operations and authorized attack-surface assessments. Covers the 5-stage recon pipeline, asset-graph discipline, severity rubric, confidence upgrade workflows, time budgeting, identity-fabric mapping, breach×identity correlation, detectability tagging, detection-aware probing, WAF/CDN bypass, vulnerability prioritization, phishing infrastructure planning, bug bounty submission, and client deliverable templates. Use when planning or executing reconnaissance against authorized targets, mapping an organization's external attack surface, investigating a person/entity, or producing client deliverables.
Probe paths, endpoint scoring, email security analysis, vendor fingerprints, documentation leak hunting, and API endpoint references for authorized web-surface enumeration.
Endpoint interest scoring (0–100), mobile app ownership confidence, attack-path hint patterns (35 templates), severity decision matrix (92 examples), sector severity overrides, and sidecar coordination.
Concrete endpoints, probes, and enumeration techniques for identity provider fingerprinting and auth surface mapping. Covers Microsoft Entra (Azure AD), Okta, ADFS, Google Workspace, generic OIDC (Keycloak/Auth0/Ping/OneLogin/Duo), SAML metadata, AWS account-ID extraction, Microsoft 365 deep enumeration (Teams/SharePoint/OneDrive/OAuth/Power Platform), GraphQL field-suggestion enumeration when introspection is disabled, and LinkedIn employee enumeration with role prioritization. Use when mapping an org's auth architecture, enumerating SSO/IdP surfaces, or building a target employee list.
Router for the Offensive OSINT arsenal. Dispatches to focused sub-skills by task type. Covers the full external red-team surface: asset discovery, web enumeration, identity/SSO, secrets/dorks, post-credential workflows, cloud/infra, people/breach intel, and analysis/reporting. Companion to osint-methodology. Use for any authorized external recon, bug bounty, or ASM engagement.
| name | recon-asset-discovery |
| description | Subdomain enumeration, CT logs, DNS record catalog, WHOIS/RDAP, and passive reconnaissance for authorized external recon. |
| version | 1.0.0 |
| triggers | ["subdomain enumeration","asset discovery","certificate transparency","crt.sh","WHOIS lookup","RDAP","DNS record catalog","passive recon","footprinting"] |
Sub-skill of
offensive-osint. Loadosint-methodologyfor pipeline and triage context. Authorized targets only.
When triggered: Subdomain enumeration, asset discovery, DNS records, CT logs, WHOIS/RDAP, or passive reconnaissance is needed.
Execute:
osint-methodology §2.Output: Asset list with typed keys (subdomain, ip, domain) per osint-methodology §8 taxonomy.
Severity rules: DNS AXFR success = CRITICAL. Missing CAA = LOW.
Gating rules: Passive first. Active prefix sweep only when authorized. Brute-force (puredns) only with explicit operator approval.
Chain to: Feed discovered subdomains to web-surface for probing. Feed discovered emails to people-breach-intel for breach lookup. Feed discovered IPs to cloud-and-infra for infrastructure analysis.
| Source | Tier | Notes |
|---|---|---|
| crt.sh | Free | Best single source; frequently 502s — see fallback chain |
| VirusTotal | Freemium | Domain → passive DNS history |
| AlienVault OTX | Free | Passive DNS + URL data |
| Shodan | Paid (low tier) | Subdomain enum via domain: filter |
| SecurityTrails | Paid | Passive DNS + asset discovery |
| RapidDNS | Free | Public passive DNS |
| Subfinder | Free | Aggregates 30+ free sources |
| Amass | Free | Thorough, slower |
| Recon-ng | Free | Modular framework |
DNS AXFR opportunism:
dig @<ns-host> <target-domain> AXFR
Most NSs reject; those that don't = full zone disclosure (CRITICAL).
Brute-force tier: puredns against assetnote.io wordlists.
D="target.example"
# 1. Censys cert search (free 250 queries/month with key)
censys search "names: ${D}" --index-type certificates --fields names | jq -r '.names[]' | sort -u
# 2. Cert Spotter API (sslmate) — free w/ rate limits
curl -sk "https://api.certspotter.com/v1/issuances?domain=${D}&include_subdomains=true&expand=dns_names" | \
jq -r '.[].dns_names[]' | sort -u
# 3. CertStream archive (Calidog)
curl -sk "https://crt.calidog.io/?q=${D}" | jq -r '.[].name_value' | sort -u
# 4. Subfinder bundled aggregator (30+ sources)
subfinder -d ${D} -all -recursive -silent
# 5. AlienVault OTX — free, no key
curl -sk "https://otx.alienvault.com/api/v1/indicators/domain/${D}/passive_dns" | \
jq -r '.passive_dns[].hostname' | sort -u
# 6. ThreatMiner
curl -sk "https://api.threatminer.org/v2/domain.php?q=${D}&rt=5" | jq -r '.results[]'
# 7. URLScan
curl -sk "https://urlscan.io/api/v1/search/?q=domain:${D}" | \
jq -r '.results[].page.domain' | sort -u
# 8. Anubis-DB (last resort)
curl -sk -A "Mozilla/5.0" "https://anubisdb.com/anubis/subdomains/${D}" | jq -r '.[]'
119 prefixes. Passive enum misses 20-40% of high-value subdomains. Pair with active prefix probe when authorized (detectability: low -- single A-record query per host).
www mail webmail owa autodiscover ftp vpn sslvpn gateway api app portal
login sso idp iam identity accounts oauth auth adfs admin intranet hr
sap erp crm support help status grafana kibana docs wiki jira jenkins
gitlab dev test staging stg qa uat sandbox preprod preview careers jobs
eapps old legacy beta tender suppliers procurement
cdn static img images assets media files download upload search shop
store pay payment billing invoice ticket board chat meet video webinar
register signup sso-proxy proxy relay bounce mx smtp imap pop
ns1 ns2 ns3 dns ntp ldap radius vpn2 remote rdp citrix bastion jump
db mysql postgres redis mongo elastic kafka rabbit queue worker cron
monitor prometheus alertmanager vault consul log syslog splunk
| Source | URL | Notes |
|---|---|---|
| Assetnote Wordlists | https://wordlists.assetnote.io/ | Best-curated; updated regularly |
| SecLists | https://github.com/danielmiessler/SecLists | Subdomains: Discovery/DNS/subdomains-top1million-110000.txt |
| jhaddix all.txt | https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056 | Long-running curated |
| OneListForAll | https://github.com/six2dez/OneListForAll | Aggregated; very large |
| raft-large-words.txt | inside SecLists | Time-tested content wordlist |
| commonspeak2 | https://github.com/assetnote/commonspeak2-wordlists | Generated from BigQuery |
| fuzzdb | https://github.com/fuzzdb-project/fuzzdb | Fuzzing payloads + wordlists |
Size guidance:
| Wordlist size | Speed class | Typical runtime | Use case |
|---|---|---|---|
| <10k entries | Fast | 1–2 min | Quick validation, CI/CD gates |
| 10k–100k entries | Standard | 10–30 min | Standard engagement recon |
| 100k–1M entries | Thorough | 1–4 hours | Full-scope pentest |
| >1M entries | Exhaustive | Multi-day | Week-long engagements, red team ops |
whois target.example
curl -sk "https://rdap.org/domain/${D}" | jq .
What to extract: registrant org/email, registrar (pivot for related domains), created/updated dates (bulk registration patterns), nameservers (NS reuse pivot), status flags.
Historical WHOIS: Services like WhoisXMLAPI, SecurityTrails, and DomainTools archive past WHOIS snapshots. Historical records reveal previous registrant info hidden by current privacy services, ownership transfers, and infrastructure changes.
# SecurityTrails historical WHOIS (API key required)
curl -sk "https://api.securitytrails.com/v1/history/${D}/whois" -H "APIKEY: ${ST_KEY}" | jq '.result[] | {date: .first_seen, registrant: .registrant}'
Reverse WHOIS: Pivot from a known registrant name, email, or org to discover all domains they own:
GET /v1/domain/search?filter[whois_email]={email}This is a high-value pivot — a single registrant email can reveal dozens of related domains not discoverable through DNS or CT alone.
D="target.example"
for rtype in A AAAA MX TXT NS SOA CAA SRV CNAME PTR; do
echo "=== ${rtype} ===" && dig +short "${D}" "${rtype}"
done
TXT verification tokens → SaaS tenancy inference (35 patterns):
| TXT pattern | SaaS / service |
|---|---|
google-site-verification=<token> | Google Workspace |
MS=ms<digits> | Microsoft 365 |
adobe-idp-site-verification=<token> | Adobe |
amazonses:<token> | AWS SES (alternate form) |
_amazonses=<token> | AWS SES |
apple-domain-verification=<token> | Apple |
atlassian-domain-verification=<token> | Atlassian Cloud |
calendly-site-verification=<token> | Calendly |
cisco-ci-domain-verification=<token> | Cisco Webex |
citrix-verification-code=<token> | Citrix |
docker-verification=<token> | Docker |
docusign=<token> | DocuSign |
facebook-domain-verification=<token> | Facebook / Meta |
github-verification=<token> | GitHub |
gitlab-domain-verification=<token> | GitLab |
hubspot-developer-verification=<token> | HubSpot (developer) |
hubspot-domain-verification=<token> | HubSpot CRM |
intercom-verification=<token> | Intercom |
logmein-verification-code=<token> | LogMeIn / GoTo |
miro-verification=<token> | Miro |
onetrust-domain-verification=<token> | OneTrust |
pinterest-site-verification=<token> | |
salesforce-domain-verification=<token> | Salesforce |
slack-domain-verification=<token> | Slack Enterprise Grid |
smartsheet-site-validation=<token> | Smartsheet |
sophos-domain-verification=<token> | Sophos |
status-page-domain-verification=<token> | Statuspage / Atlassian |
stripe-verification=<token> | Stripe |
teamviewer-sso-verification=<token> | TeamViewer |
twilio-domain-verification=<token> | Twilio |
workday-domain-verification=<token> | Workday (HR + Finance) |
yandex-verification:<token> | Yandex |
zoho-verification=<token> | Zoho |
zoom_verify_<id> | Zoom |
zscaler-verification-<id>-<date>-<random> | Zscaler (ZIA/ZPA/ZDX) |
Each discovered tenancy is a separate attack surface (own credentials, own MFA posture).
Autodiscover-as-M365-confirmation:
dig +short A "autodiscover.target.example"
If IP lands in 40.96.0.0/13, 52.96.0.0/14, 13.107.0.0/16 → M365_CONFIRMED even when MX is wrapped by Mimecast/Proofpoint.
CAA records (cert issuance control):
dig +short CAA "${D}"
Absence = LOW (any CA can mis-issue). Presence + restrictive list = good posture.