| field | value |
|---|---|
| name | pentest_recon |
| description | Comprehensive reconnaissance — passive OSINT, subdomain enumeration, port scanning, technology fingerprinting |
| triggers | ["recon","reconnaissance","enumerate","subdomain","port scan","fingerprint"] |
# Pentest Reconnaissance Skill

Perform comprehensive reconnaissance against a target.

## Steps
1. Passive recon first (no direct contact with the target):
   - WHOIS lookup:
     ```bash
     whois {target}
     ```
   - DNS enumeration. Many authoritative servers answer `ANY` with a minimal response (RFC 8482), so also query each record type individually:
     ```bash
     dig +noall +answer {target} ANY
     for t in A MX TXT NS CNAME SOA; do dig +noall +answer {target} "$t"; done
     ```
   - Subdomain passive enumeration:
     ```bash
     subfinder -d {target} -all -recursive -o /tmp/subdomains-subfinder.txt
     ```
   - Certificate transparency (the `%` wildcard is percent-encoded as `%25` so the URL is valid; `name_value` may contain several newline-separated names, and the `sed` strips `*.` wildcard prefixes):
     ```bash
     curl -s "https://crt.sh/?q=%25.{target}&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > /tmp/subdomains-crtsh.txt
     ```
   - Combine all subdomains:
     ```bash
     cat /tmp/subdomains-*.txt | sort -u > /tmp/subdomains-all.txt
     ```
2. Active recon (only after passive recon completes):
   - HTTP probe live hosts (the ProjectDiscovery `httpx` binary, not the Python package of the same name; `-l` reads the input list directly):
     ```bash
     httpx -l /tmp/subdomains-all.txt -silent -status-code -title -tech-detect -web-server -o /tmp/live-hosts.txt
     ```
   - Port scan (top 1000 ports; `-O` OS detection requires root privileges):
     ```bash
     nmap -sV -sC -O --top-ports 1000 -T4 --open -oA /tmp/nmap-top {target}
     ```
   - Technology fingerprint (output is written with `--log-verbose`):
     ```bash
     whatweb -a 3 -v --log-verbose=/tmp/whatweb.txt {target}
     ```
3. Summarize findings with counts for subdomains, live hosts, open ports, and technologies.
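As an added illustration of the summary step (example code, not part of the original skill), the following Python script reads the three output formats the skill produces and returns the requested counts. The crt.sh JSON and nmap normal-output samples are constructed inline; the httpx sample assumes httpx's `-json` line output with `url` and `tech` fields, which the text-mode `-o` file above does not produce. The subdomain normalisation mirrors the `jq | sed | sort -u` pipeline (split `name_value`, strip `*.` prefixes, lowercase, dedupe) and additionally drops names outside the target domain.

```python
"""Summarise recon output files: subdomains, live hosts, open ports, technologies."""
import json
import re
from urllib.parse import urlparse

# --- Constructed sample inputs (not real data) -------------------------------

# crt.sh JSON: name_value may hold several newline-separated names and wildcards
CRTSH_JSON = json.dumps([
    {"name_value": "*.example.test\nexample.test"},
    {"name_value": "www.example.test"},
    {"name_value": "WWW.example.test"},                  # case duplicate
    {"name_value": "mail.example.test\n*.mail.example.test"},
    {"name_value": "unrelated.other.test"},              # out of scope
])

# nmap normal output (.nmap) as written by -oA
NMAP_TEXT = """\
Nmap scan report for example.test (203.0.113.10)
Host is up (0.012s latency).
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 9.2p1 Debian 2
80/tcp   open     http       nginx 1.24.0
443/tcp  open     https      nginx 1.24.0
8080/tcp filtered http-proxy
"""

# httpx -json line output; field names are an assumption about httpx's JSON mode
HTTPX_JSONL = """\
{"url":"https://www.example.test","status_code":200,"title":"Example","webserver":"nginx/1.24.0","tech":["Nginx:1.24.0","Bootstrap"]}
{"url":"https://mail.example.test","status_code":302,"title":"","webserver":"nginx","tech":["Nginx"]}
{"url":"http://www.example.test","status_code":301,"title":"","webserver":"nginx/1.24.0","tech":["Nginx:1.24.0"]}
"""

# --- Parsers ------------------------------------------------------------------

def normalize_subdomains(crtsh_json: str, domain: str) -> list[str]:
    """Split name_value, strip wildcard prefixes, lowercase, dedupe, keep in-scope names."""
    names = set()
    for entry in json.loads(crtsh_json):
        for name in entry["name_value"].splitlines():
            name = re.sub(r"^\*\.", "", name.strip()).lower()
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)

_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap_ports(nmap_text: str) -> list[dict]:
    """Extract PORT/STATE/SERVICE/VERSION rows from nmap normal output."""
    ports = []
    for line in nmap_text.splitlines():
        m = _PORT_LINE.match(line.strip())
        if m:
            ports.append({
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": (m.group(5) or "").strip(),
            })
    return ports

def open_ports(ports: list[dict]) -> list[dict]:
    return [p for p in ports if p["state"] == "open"]

def parse_httpx_jsonl(text: str) -> dict[str, set[str]]:
    """Map each live hostname to the set of technology names httpx reported."""
    hosts: dict[str, set[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        host = urlparse(rec["url"]).hostname
        techs = hosts.setdefault(host, set())
        for tech in rec.get("tech", []):
            techs.add(tech.split(":", 1)[0])   # "Nginx:1.24.0" -> "Nginx"
    return hosts

def summarize(domain: str, crtsh_json: str, nmap_text: str, httpx_jsonl: str) -> dict[str, int]:
    live = parse_httpx_jsonl(httpx_jsonl)
    return {
        "subdomains": len(normalize_subdomains(crtsh_json, domain)),
        "live_hosts": len(live),
        "open_ports": len(open_ports(parse_nmap_ports(nmap_text))),
        "technologies": len(set().union(*live.values())) if live else 0,
    }

if __name__ == "__main__":
    print(json.dumps(summarize("example.test", CRTSH_JSON, NMAP_TEXT, HTTPX_JSONL), indent=2))
```

In real use, replace the inline samples with the contents of `/tmp/subdomains-crtsh.txt` (or the raw crt.sh JSON), `/tmp/nmap-top.nmap`, and an httpx run with `-json` added.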
## Output files

- `/tmp/subdomains-all.txt`
- `/tmp/live-hosts.txt`
- `/tmp/nmap-top.nmap`
- `/tmp/whatweb.txt`
## Notes

- Always start with passive recon.
- Log all commands with timestamps.
- Wait for user confirmation before active scanning.