| name | pentest-recon-surface-analysis |
| description | Reconnaissance and attack-surface mapping for endpoint discovery, asset inventory, service enumeration, technology fingerprinting, control-plane surfaces, trust boundaries, and prioritized next tests. |
Recon & Surface Analysis
Use When
- The owner phase is target modeling, endpoint discovery, service enumeration, technology fingerprinting, vhost discovery, subdomain enumeration, or control-plane mapping.
- The next step needs a deduplicated inventory and prioritized validation targets.
Handoff Criteria
- Hand off to mapper, authz, input/protocol, XSS, business-logic, OOB, CVE, exploit, or reporting workflows when the main blocker becomes focused validation or delivery.
Output Schema
- Surface inventory:
asset, interface, auth state, confidence
- Entry-point matrix:
input, trust boundary, initial risk hypothesis
- Prioritized next tests: ordered by likely impact and test cost
Instructions
- Build an explicit target model first: interfaces, trust boundaries, and identity contexts.
- Enumerate only what is necessary to expose actionable attack paths.
- Normalize findings into a deduplicated inventory before deeper testing.
- Label each surface with attacker preconditions and probable abuse class.
- Mark unknowns that block progression and propose the minimum test to resolve each.
- Hand off precise, testable targets to downstream skills.
Should Do
- Keep reconnaissance hypothesis-driven, not tool-driven.
- Capture reproducible evidence for each discovered surface.
- Prioritize externally reachable and privilege-sensitive paths.
- Use up to two controlled pivots per phase; each pivot needs an expected signal and stop condition.
- Treat scanner output as a lead until cross-checked with direct evidence.
Tip: Fuzzing for Virtual Hosts with FFUF
Discover assets not listed in DNS by testing different Host header values. FFUF is the ideal tool for this speed-efficient enumeration.
Quick Guide
- Optimize: Use small wordlists and fast scans to ensure the agent doesn't get stuck.
- Execute:
ffuf -u $TARGET -H "Host: FUZZ.$TARGET" -w /path/to/small_wordlist
- Filter: Identify live hosts by filtering unique response sizes or status codes (e.g.,
-fs [size] or -mc 200).