
Security reconnaissance. USE WHEN recon, reconnaissance, bug bounty, attack surface. SkillSearch('recon') for docs.

Install

mkdir -p .claude/skills/recon && curl -L -o skill.zip "https://mcp.directory/api/skills/download/2982" && unzip -o skill.zip -d .claude/skills/recon && rm skill.zip

Installs to .claude/skills/recon

About this skill

Customization

Before executing, check for user customizations at: ~/.claude/skills/PAI/USER/SKILLCUSTOMIZATIONS/Recon/

If this directory exists, load and apply any PREFERENCES.md, configurations, or resources found there. These override default behavior. If the directory does not exist, proceed with skill defaults.

recon

Infrastructure and Network Reconnaissance

🚨 MANDATORY: Voice Notification (REQUIRED BEFORE ANY ACTION)

You MUST send this notification BEFORE doing anything else when this skill is invoked.

  1. Send voice notification:

    curl -s -X POST http://localhost:8888/notify \
      -H "Content-Type: application/json" \
      -d '{"message": "Running the WORKFLOWNAME workflow in the Recon skill to ACTION"}' \
      > /dev/null 2>&1 &
    
  2. Output text notification:

    Running the **WorkflowName** workflow in the **Recon** skill to ACTION...
    

This is not optional. Execute this curl command immediately upon skill invocation.

Purpose

Technical reconnaissance of network infrastructure including domains, IP addresses, netblocks, and ASNs. Combines passive intelligence gathering with authorized active scanning to map attack surfaces and identify assets.

When to Use This Skill

Core Triggers - Use this skill when user says:

Direct Recon Requests

  • "do recon on [target]" or "run recon"
  • "perform reconnaissance on [target]" or "conduct recon"
  • "do infrastructure recon" or "network reconnaissance"
  • "basic recon", "quick recon", "simple recon"
  • "comprehensive recon", "deep recon", "full reconnaissance"
  • "recon [target]" (just recon + target)
  • "passive recon", "active recon"

Infrastructure & Network Mapping

  • "map infrastructure for [domain]" or "map network"
  • "enumerate [domain] infrastructure" or "discover assets"
  • "find subdomains of [domain]" or "enumerate subdomains"
  • "scan [target]" or "port scan [IP/netblock]"
  • "what services are running on [IP]"
  • "investigate [IP address/domain/netblock]"

IP & Domain Investigation

  • "recon this IP" or "investigate this IP address"
  • "look up [IP]" or "IP lookup [address]"
  • "what is [IP]" or "who owns [IP]"
  • "domain recon" or "domain investigation"
  • "DNS recon", "DNS enumeration"
  • "WHOIS [domain/IP]"

ASN & Netblock Research

  • "investigate [ASN]" or "research ASN"
  • "scan [CIDR range/netblock]"
  • "find IPs in [netblock]"
  • "enumerate netblock" or "netblock scanning"

Passive vs Active Recon

  • "passive recon on [target]" (no authorization required)
  • "active scan [target]" (requires explicit authorization)
  • "safe reconnaissance" (passive only)
  • "authorized scan" (active techniques)

Use Case Indicators

  • Investigating IP addresses for ownership, location, and services
  • Mapping domain infrastructure and DNS configuration
  • Scanning netblocks or CIDR ranges for live hosts
  • Researching ASN ownership and IP allocations
  • Attack surface enumeration and network mapping
  • Called by OSINT for infrastructure mapping of entities

Relationship with Other Security Skills

OSINT → recon (Common Pattern):

  • OSINT identifies entities, companies, people (social/public records focus)
  • Recon maps their technical infrastructure (network/system focus)
  • Example flow: OSINT finds company → Recon maps their domains/IPs/infrastructure

recon → webassessment:

  • Recon identifies web applications and services
  • Web assessment tests those applications for vulnerabilities
  • Example: Recon finds subdomain api.target.com → Web assessment fuzzes/tests it

Workflow Integration:

// OSINT skill discovers company infrastructure
const domains = await osintFindCompanyDomains("Acme Corp");

// Calls recon skill to map technical details
const infraMap = await reconDomain(domains[0]);

// Recon identifies web apps
const webApps = infraMap.subdomains.filter(s => s.hasHTTP);

// Calls web assessment for testing
await webAssessment(webApps);

Core Capabilities

Passive Reconnaissance (No Authorization Required)

  • WHOIS lookups (domain and IP)
  • DNS enumeration (A, AAAA, MX, NS, TXT, CNAME, SOA, etc.)
  • Certificate transparency searches (subdomains, certificate history)
  • IPInfo API (geolocation, ASN, organization, abuse contacts)
  • Reverse DNS lookups
  • BGP/ASN information gathering
  • Historical DNS data
  • Public database searches

Active Reconnaissance (Requires Explicit Authorization)

  • Port scanning (naabu MCP)
  • Service detection and banner grabbing (httpx MCP)
  • Technology fingerprinting
  • Live host discovery
  • HTTP/HTTPS probing
  • SSL/TLS analysis

CRITICAL AUTHORIZATION REQUIREMENTS:

Active reconnaissance MUST have:

  1. Explicit user confirmation for each active scan
  2. Documented authorization (pentest engagement, bug bounty program, owned assets)
  3. Scope validation (ensure target is in-scope)
  4. Rate limiting (respectful scanning, no DoS)
  5. Session logging (record all active recon for audit trail)

Default behavior is PASSIVE ONLY. Always confirm before active techniques.
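
The authorization requirements above, expressed as a gate that runs before any active scan and covers documented authorization, scope validation, user confirmation and session logging. This is an added example, not code from the Recon skill: `Scope`, `authorizeScan`, `inScope`, `auditLog` and the sample scope are hypothetical names and constructed values.

```typescript
// Added example: gate for active recon. All names here are hypothetical.
type Mode = "passive" | "active";
interface Scope { authorizationRef: string; cidrs: string[]; domains: string[] }
interface Decision { allowed: boolean; reason: string }

const auditLog: string[] = []; // session log: one entry per decision
// Constructed sample scope (documentation address range and domain).
const sampleScope: Scope = { authorizationRef: "ENGAGEMENT-PLACEHOLDER", cidrs: ["192.0.2.0/24"], domains: ["example.com"] };

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
}

// "a.b.c.d" or "a.b.c.d/len" -> [first, last] address, or null if invalid.
function cidrRange(cidr: string): [number, number] | null {
  const m = /^([\d.]+)(?:\/(\d{1,2}))?$/.exec(cidr);
  if (!m) return null;
  const base = ipToInt(m[1] ?? "");
  const len = m[2] === undefined ? 32 : Number(m[2]);
  if (base === null || len > 32) return null;
  const size = 2 ** (32 - len);
  const first = Math.floor(base / size) * size; // mask off host bits
  return [first, first + size - 1];
}

// In scope only if the target lies entirely inside an authorized CIDR, or is
// an authorized domain or a subdomain of one (match on a label boundary).
function inScope(target: string, scope: Scope): boolean {
  const t = cidrRange(target);
  if (t) {
    return scope.cidrs.some(c => {
      const r = cidrRange(c);
      return r !== null && t[0] >= r[0] && t[1] <= r[1];
    });
  }
  const host = target.toLowerCase().replace(/\.$/, "");
  return scope.domains.some(d => host === d.toLowerCase() || host.endsWith("." + d.toLowerCase()));
}

// Passive is the default and always allowed; active must pass every check.
function authorizeScan(target: string, mode: Mode, scope: Scope | null, confirmed: boolean): Decision {
  let d: Decision;
  if (mode === "passive") d = { allowed: true, reason: "passive: no authorization required" };
  else if (!scope || !scope.authorizationRef) d = { allowed: false, reason: "no documented authorization" };
  else if (!inScope(target, scope)) d = { allowed: false, reason: "target out of scope" };
  else if (!confirmed) d = { allowed: false, reason: "user confirmation missing" };
  else d = { allowed: true, reason: `authorized under ${scope.authorizationRef}` };
  auditLog.push(`${new Date().toISOString()} ${mode} ${target} allowed=${d.allowed} (${d.reason})`);
  return d;
}
```

A request for a range wider than the authorized netblock is denied rather than trimmed, and `evilexample.com` does not match a scope of `example.com`.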

Available Workflows

1. PassiveRecon.md - Safe Reconnaissance

Non-intrusive intelligence gathering using public sources:

  • WHOIS data
  • DNS records
  • Certificate transparency
  • IPInfo lookups
  • Reverse DNS
  • No active scanning

Input: Domain, IP, or netblock
Output: Passive intelligence report
Authorization: None required

2. IpRecon.md - IP Address Investigation

Comprehensive IP address reconnaissance:

  • IPInfo lookup (location, ASN, org, abuse contact)
  • Reverse DNS
  • WHOIS netblock info
  • Certificate search (if IP has certs)
  • Optional: Port scan (with authorization)
  • Optional: Service detection (with authorization)

Input: Single IP address
Output: IP reconnaissance report
Authorization: Required for active scanning

3. DomainRecon.md - Domain Investigation

Full domain mapping and enumeration:

  • WHOIS domain registration
  • DNS records (all types)
  • Subdomain enumeration (certificate transparency)
  • Mail server configuration (MX, SPF, DMARC, DKIM)
  • IP addresses behind domain
  • Certificate analysis
  • Technology stack detection
  • Historical data

Input: Domain name
Output: Domain reconnaissance report
Authorization: Required for active subdomain probing

4. NetblockRecon.md - CIDR Range Scanning

Network range reconnaissance:

  • CIDR parsing and validation
  • Range size calculation
  • WHOIS netblock ownership
  • Optional: Live host discovery (with authorization)
  • Optional: Port scan range (with authorization)
  • ASN/organization mapping
  • Interesting host identification

Input: CIDR notation (e.g., 192.168.1.0/24)
Output: Netblock scan report
Authorization: Required for active scanning

5. AsnRecon.md - Autonomous System Investigation

ASN and BGP reconnaissance:

  • ASN to CIDR range mapping
  • Organization information
  • All IP ranges owned by ASN
  • BGP peer relationships
  • Geographic distribution
  • Hosting/ISP identification

Input: ASN number (e.g., AS15169)
Output: ASN mapping report
Authorization: None required (passive data)

Tool Integration

Primary Tools

IPInfo API (ipinfo.io)

  • API Key: process.env.IPINFO_API_KEY
  • Capabilities: Geolocation, ASN, organization, abuse contacts, privacy detection
  • Rate limits: Check API plan
  • Client: tools/ipinfo-client.ts

System Tools (always available)

  • whois - Domain and IP WHOIS lookups
  • dig - DNS queries
  • nslookup - DNS resolution
  • curl - HTTP requests, API calls

MCP Tools (security profile required)

  • httpx - HTTP probing and technology detection
  • naabu - Port scanning
  • Note: Requires security MCP profile (~/.claude/MCPs/swap-mcp security)

Future Tool Integration

Shodan (when API key added)

  • Search for exposed services
  • Historical scan data
  • Vulnerability information

Censys (when API key added)

  • Certificate searches
  • Host discovery
  • Internet-wide scanning data

SecurityTrails (when API key added)

  • Historical DNS records
  • WHOIS history
  • Subdomain discovery

VirusTotal (when API key added)

  • Domain/IP reputation
  • Passive DNS
  • Malware associations

TypeScript Utilities

Located in tools/ directory:

ipinfo-client.ts

  • IPInfo API wrapper with error handling
  • Batch lookup support
  • Rate limiting
  • Response parsing

dns-utils.ts

  • DNS enumeration helpers
  • Record type queries
  • Zone transfer attempts
  • Subdomain brute forcing

whois-parser.ts

  • WHOIS data parsing
  • Structured output from raw WHOIS
  • Registration date extraction
  • Contact information parsing

cidr-utils.ts

  • CIDR notation parsing
  • IP range calculation
  • Range validation
  • IP address generation from CIDR

cert-transparency.ts

  • crt.sh API client
  • Certificate search
  • Subdomain extraction from certificates
  • Historical certificate data

report-generator.ts

  • Markdown report formatting
  • JSON output generation
  • Structured data presentation
  • Integration with OSINT reports

Output Formats

IP Reconnaissance Report

# IP Reconnaissance: 1.2.3.4

## Summary
- IP: 1.2.3.4
- Organization: Example Corp
- ASN: AS12345
- Location: San Francisco, CA, US
- ISP: Example Hosting

## DNS
- Reverse DNS: server.example.com
- Additional PTR: ...

## Network Information
- CIDR: 1.2.3.0/24
- Netblock Owner: Example Corp
- Abuse Contact: abuse@example.com

## Services (Passive)
- Certificates: 3 certificates found
- Historical DNS: ...

## Services (Active - Authorized)
- Open Ports: 22, 80, 443
- Services: SSH (OpenSSH 8.2), HTTP (nginx 1.20.1), HTTPS
- Technologies: nginx, OpenSSH

## Recommendations
- Further investigation areas
- Related assets
- Security observations

Domain Reconnaissance Report

# Domain Reconnaissance: example.com

## Summary
- Domain: example.com
- Registrar: Example Registrar
- Registration: 2010-01-15
- Expiry: 2026-01-15

## DNS Records
### A Records
- 1.2.3.4
- 5.6.7.8

### MX Records
- 10 

---

*Content truncated.*
