skills/initial-access-recon/SKILL.md
Perform OSINT, subdomain enumeration, port scanning, web reconnaissance, email harvesting, and cloud asset discovery for initial access. Use when gathering intelligence or mapping attack surface.
You are an offensive security expert specializing in reconnaissance, OSINT, and initial access techniques. Use this skill when the user requests help with:
Domain Information:
# WHOIS lookup
whois domain.com
# DNS records (query record types individually: ANY is refused or minimised by many resolvers, RFC 8482)
dig domain.com A
dig domain.com MX
dig domain.com TXT
dig domain.com NS
# Historical DNS data
# Use: SecurityTrails, DNSdumpster, Shodan
Subdomain Enumeration (Passive):
# Certificate transparency logs (one name_value may hold several newline-separated names, which jq -r prints one per line; strip wildcard prefixes before deduplicating)
curl -s "https://crt.sh/?q=%25.domain.com&output=json" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u
# Sublist3r
python3 sublist3r.py -d domain.com
# Amass (passive)
amass enum -passive -d domain.com
# assetfinder
assetfinder --subs-only domain.com
# subfinder
subfinder -d domain.com -silent
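Each passive source above emits names in a slightly different shape: crt.sh returns wildcard entries and mixed case, some tools print trailing dots or CRLF, and several include names that merely contain the domain string (notdomain.com, domain.com.evil.net). Before feeding the merged list to the active steps it needs normalising and scoping. The following is an added example, not code from the original skill: a POSIX shell function that merges raw output into one in-scope, deduplicated list. The sample input is constructed to show each quirk and domain.com is a placeholder.

```sh
#!/bin/sh
# Added example (not from the original skill): normalise and merge raw passive
# subdomain output into one clean, in-scope list.

# normalize_subdomains DOMAIN  (raw names on stdin) -> sorted unique in-scope hostnames
normalize_subdomains() {
    d="$1"
    tr '[:upper:]' '[:lower:]' \
      | tr -d '\r' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/^\*\.//' -e 's/\.$//' \
      | awk -v d="$d" '
          # keep the apex and anything ending in .DOMAIN; notdomain.com and
          # domain.com.evil.net contain the string but are out of scope
          $0 == d || substr($0, length($0) - length(d)) == ("." d)
        ' \
      | grep -E '^([a-z0-9_-]+\.)+[a-z0-9-]+$' \
      | LC_ALL=C sort -u
}

# Constructed sample of what crt.sh/subfinder/amass/assetfinder emit before cleanup.
sample_passive() {
    printf 'www.Domain.com\n'
    printf '*.dev.domain.com\n'
    printf 'api.domain.com.\n'
    printf 'mail.domain.com\r\n'
    printf 'WWW.domain.com\n'
    printf '  api.domain.com\n'
    printf 'domain.com\n'
    printf 'notdomain.com\n'
    printf 'domain.com.evil.net\n'
    printf 'cdn.domain.com\n'
}

# Real use: cat crtsh.txt subfinder.txt amass.txt assetfinder.txt | normalize_subdomains domain.com > subdomains.txt
sample_passive | normalize_subdomains domain.com
```

The suffix test is deliberately on ".domain.com" rather than a substring match; a substring match is the usual way out-of-scope hosts end up in a port scan.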
Email Harvesting:
# theHarvester
theHarvester -d domain.com -b all
# hunter.io (web interface or API)
# phonebook.cz
# clearbit connect
Search Engine Recon:
# Google Dorks
site:domain.com filetype:pdf
site:domain.com inurl:admin
site:domain.com intitle:"index of"
site:domain.com ext:sql | ext:txt | ext:log
# GitHub Dorks
"domain.com" password
"domain.com" api_key
"domain.com" secret
org:company password
org:company api
Shodan/Censys:
# Shodan CLI
shodan search "hostname:domain.com"
shodan search "org:Company Name"
shodan search "ssl:domain.com"
# Censys
# Use web interface or API
# Search for: domain.com or company infrastructure
Social Media OSINT:
# LinkedIn enumeration
# Company employees, job titles, technologies used
# Twitter
# Company accounts, employee accounts, technology mentions
# Tools:
# - linkedin2username (generate username lists)
# - sherlock (find usernames across platforms)
Subdomain Enumeration (Active):
# gobuster
gobuster dns -d domain.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
# ffuf
ffuf -u http://FUZZ.domain.com -w subdomains.txt -mc 200,301,302
# dnsrecon
dnsrecon -d domain.com -t brt -D subdomains.txt
# amass (active)
amass enum -active -d domain.com -brute
DNS Zone Transfer:
# dig
dig axfr @ns1.domain.com domain.com
# host
host -l domain.com ns1.domain.com
# fierce
fierce --domain domain.com
Port Scanning:
# Nmap - quick scan (default scripts and version detection on the top 1000 TCP ports)
nmap -sC -sV -oA nmap_scan target.com
# Nmap - full port scan, then detailed enumeration (-A already implies -sV, -sC, -O and traceroute)
nmap -p- -T4 -oA nmap_full target.com
nmap -p- -A target.com -oA nmap_detailed
# Nmap - UDP scan
sudo nmap -sU --top-ports 1000 target.com
# Nmap - scan entire network
nmap -sn 10.10.10.0/24 # Ping sweep
nmap -p- 10.10.10.0/24 # Port scan subnet
# masscan (very fast)
sudo masscan -p1-65535 10.10.10.10 --rate=1000
# rustscan (fast with nmap integration)
rustscan -a target.com -- -sC -sV
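Every scan above is written with -oA, which produces a grepable .gnmap next to the XML. The later phases (service enumeration, web content discovery, nuclei) want a flat list of open ip:port pairs and URLs rather than nmap's prose, so parsing that file is the step practitioners end up scripting. This is an added example, not part of the original skill: a POSIX shell parser over a constructed .gnmap sample (the hosts, ports and version strings are made up).

```sh
#!/bin/sh
# Added example (not from the original skill): turn nmap's grepable output
# into target lists for the next phase.

# open_ports  (.gnmap on stdin) -> "ip port proto service" for every open port.
# gnmap fields are tab-separated; each port entry is port/state/proto/owner/service/rpc/version/
open_ports() {
    awk -F'\t' '
        /^Host:/ && /Ports:/ {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
            n = split(ports, p, ", ")
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")
                if (f[2] == "open")
                    printf "%s %s %s %s\n", ip, f[1], f[3], (f[5] == "" ? "unknown" : f[5])
            }
        }'
}

# web_targets  (.gnmap on stdin) -> http(s)://ip:port URLs for gobuster/ffuf/nuclei
web_targets() {
    open_ports | awk '
        $4 ~ /https|ssl/ { printf "https://%s:%s\n", $1, $2; next }
        $4 ~ /^http/     { printf "http://%s:%s\n",  $1, $2 }'
}

# Constructed sample .gnmap (hosts, ports and versions are made up).
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated as: nmap -p- -sV -oA nmap_full 10.10.10.0/24\n'
    printf 'Host: 10.10.10.10 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|https//nginx 1.18.0/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)\n'
    printf 'Host: 10.10.10.11 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (65533)\n'
    printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned\n'
}

# Real use: open_ports < nmap_full.gnmap ; web_targets < nmap_full.gnmap > urls.txt
sample_gnmap | open_ports
sample_gnmap | web_targets
```

Filtered ports are dropped on purpose: they are the firewall's answer, not the host's, and belong in the firewall/IDS notes rather than the service list.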
Service Detection:
# Banner grabbing (nc -n disables DNS resolution, so use -n only with an IP address)
nc -v target.com 80
curl -I https://target.com
telnet target.com 80
# Nmap service detection
nmap -sV --version-intensity 9 target.com
# OS detection
sudo nmap -O target.com
Technology Identification:
# WhatWeb
whatweb https://target.com
# Wappalyzer (browser extension)
# BuiltWith (web service)
# Check headers
curl -I https://target.com
# Check response
curl -s https://target.com | grep -i "powered by\|framework\|generator"
Directory/File Enumeration:
# gobuster
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,txt,html
# feroxbuster (recursive)
feroxbuster -u https://target.com -w wordlist.txt -x php,txt,html,js
# ffuf
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302,403
ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404 # Filter out 404s
# dirsearch
dirsearch -u https://target.com -e php,html,js
# Common paths to check manually
/robots.txt
/sitemap.xml
/.git/
/.svn/
/.env
/backup/
/admin/
/phpmyadmin/
Virtual Host Discovery:
# gobuster
gobuster vhost -u http://target.com -w vhosts.txt
# ffuf (an unknown vhost usually gets the default site, often with 200, so filter on the size of that default response rather than on 404)
ffuf -u http://target.com -H "Host: FUZZ.target.com" -w vhosts.txt -fs 1234   # 1234 = size of the default response, measured first
Parameter Discovery:
# arjun
arjun -u https://target.com/page
# ParamSpider
python3 paramspider.py -d target.com
# ffuf (-mc 200 alone matches every request when the page already returns 200; filter on the baseline response size instead)
ffuf -u https://target.com/page?FUZZ=test -w parameters.txt -fs 1234   # 1234 = size of the response with an unknown parameter
JavaScript Analysis:
# Extract JS files
echo "https://target.com" | hakrawler | grep "\.js$" | sort -u
# Analyze JS for secrets (case-insensitive; expect false positives from minified code)
grep -Eio "(api|token|key|secret|password)[\"']?\s*[:=]\s*[\"'][^\"']{10,}[\"']" file.js
# LinkFinder
python3 linkfinder.py -i https://target.com/app.js -o results.html
# JSParser
python3 JSParser.py -u https://target.com
Email Format Detection:
# Common formats
first.last@company.com
firstlast@company.com
flast@company.com
first@company.com
# Generate email list
# Tools: linkedin2username, namemash
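The usual workflow is to confirm one real address (from theHarvester, a breach dump or a mail header), work out which format it follows, and then apply that one format to the scraped employee list instead of spraying every permutation. This is an added example, not part of the original skill: POSIX shell functions that generate the common patterns, infer the pattern from a confirmed address, and expand it. The names and company.com are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original skill): derive the address format from
# one confirmed email, then apply it to the whole employee list.

# candidates DOMAIN  ("First [Middle] Last" per line on stdin) -> "<pattern> <email>"
candidates() {
    d="$1"
    tr '[:upper:]' '[:lower:]' | tr -cd 'a-z \n' | awk -v d="$d" '
        NF >= 2 {
            f = $1; l = $NF; fi = substr(f, 1, 1); li = substr(l, 1, 1)
            print "first.last", f "." l "@" d
            print "firstlast",  f l "@" d
            print "flast",      fi l "@" d
            print "firstl",     f li "@" d
            print "first_last", f "_" l "@" d
            print "first",      f "@" d
        }'
}

# infer_format EMAIL DOMAIN  (names on stdin) -> name of the pattern that produced EMAIL
infer_format() {
    candidates "$2" | awk -v e="$1" '$2 == e { print $1; exit }'
}

# gen_emails PATTERN DOMAIN  (names on stdin) -> every address in that one pattern
gen_emails() {
    candidates "$2" | awk -v p="$1" '$1 == p { print $2 }' | LC_ALL=C sort -u
}

# Constructed sample, e.g. as scraped with linkedin2username (names are made up).
sample_names() {
    printf 'Alice Smith\n'
    printf "Bob O'Brien\n"
    printf 'Carlos de la Cruz\n'
    printf 'Dana\n'
}

# Suppose theHarvester turned up asmith@company.com: learn the pattern, then expand it.
fmt=$(sample_names | infer_format asmith@company.com company.com)
sample_names | gen_emails "$fmt" company.com
```

Single-token names are skipped rather than guessed, and apostrophes and accents are stripped because mail systems almost never keep them; if infer_format prints nothing, the confirmed address follows a pattern not in the list and the list, not the data, needs extending.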
Email Verification:
# Check if email exists
# Tools: hunter.io, email-checker
# SMTP verification (noisy and logged; many servers disable VRFY or answer 252 for every address, so a 250 is a hint, not proof)
telnet mail.company.com 25
VRFY user@company.com
Breached Credentials:
# Have I Been Pwned
# Check if company emails in breaches
# dehashed.com
# Search for company domain
# WeLeakInfo alternatives
# pwndb (Tor)
Identify Live Hosts:
# Ping sweep
nmap -sn 10.10.10.0/24
# ARP scan (local network)
sudo arp-scan -l
sudo netdiscover -r 10.10.10.0/24
# fping
fping -a -g 10.10.10.0/24 2>/dev/null
Network Topology:
# Traceroute
traceroute target.com
traceroute -T target.com # TCP
traceroute -I target.com # ICMP
# MTR (better traceroute)
mtr target.com
Firewall/IDS Detection:
# Nmap firewall detection
nmap -sA target.com
# Check for filtered ports
nmap -p- -Pn target.com
# IDS evasion techniques
nmap -T2 -f target.com # Slow scan, fragment packets
nmap -D RND:10 target.com # Decoy scan
AWS S3 Buckets:
# Check for public buckets
# Format: bucketname.s3.amazonaws.com
curl -I https://company.s3.amazonaws.com
# Bucket name wordlist
# company-backup, company-data, company-dev, etc.
# Tools
# s3scanner
python3 s3scanner.py buckets.txt
# awscli
aws s3 ls s3://bucketname --no-sign-request
Azure Blobs:
# Format: accountname.blob.core.windows.net
curl -I https://company.blob.core.windows.net/container
# MicroBurst (PowerShell)
Invoke-EnumerateAzureBlobs -Base company
Google Cloud Storage:
# Format: storage.googleapis.com/bucketname
curl -I https://storage.googleapis.com/company-bucket
# GCPBucketBrute
python3 gcpbucketbrute.py -k company
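The curl checks above only work if you already have a plausible name, and the status code is what tells you whether a bucket exists at all. This is an added example, not part of the original skill: POSIX shell functions that expand company keywords into candidate names with the common affixes (backup, dev, prod and so on), build the unauthenticated URL per provider, and read the HTTP status the probe returns. It goes slightly beyond the page by covering AWS and GCS in one checker; Azure is left out because storage account names are restricted to 3-24 lowercase alphanumerics and existence is normally established through DNS, which is what MicroBurst does. The keyword and suffix list are assumptions, and check_bucket needs network access.

```sh
#!/bin/sh
# Added example (not from the original skill): build bucket-name candidates
# from company keywords and interpret the status codes the checks return.

# bucket_candidates KEYWORD...  -> deduplicated candidate names (keyword alone plus common affixes)
bucket_candidates() {
    for kw in "$@"; do
        echo "$kw"
        for suf in backup backups data dev staging prod logs assets uploads static public private; do
            echo "$kw-$suf"; echo "$kw$suf"; echo "$suf-$kw"; echo "$kw.$suf"
        done
    done | tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u
}

# bucket_urls NAME -> the unauthenticated URL to probe per provider
bucket_urls() {
    echo "https://s3.amazonaws.com/$1/"          # path-style, so dotted names still validate over TLS
    echo "https://storage.googleapis.com/$1/"
}

# classify_status CODE -> what an anonymous GET/HEAD status means for a bucket name
classify_status() {
    case "$1" in
        200)     echo "listable: exists and allows anonymous listing" ;;
        301|307) echo "exists: redirected to another region or endpoint" ;;
        403)     echo "exists: anonymous access denied (retry with credentials: aws s3 ls s3://NAME)" ;;
        404)     echo "absent: no such bucket" ;;
        *)       echo "unknown: HTTP $1" ;;
    esac
}

# check_bucket NAME -> "code url meaning" per provider (needs network; not exercised here)
check_bucket() {
    for url in $(bucket_urls "$1"); do
        code=$(curl -s -m 10 -o /dev/null -w '%{http_code}' "$url")
        printf '%s %s %s\n' "$code" "$url" "$(classify_status "$code")"
    done
}

# Real use: bucket_candidates company acme | while read -r n; do check_bucket "$n"; done
bucket_candidates Company | head -n 5
classify_status 403
```

A 403 is the interesting middle case: the name is taken, which already tells you the organisation uses that provider and naming scheme, and the same bucket may list fine once you retry with any valid AWS credentials rather than anonymously.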
Automated Scanners:
# Nikto (web vulnerabilities)
nikto -h https://target.com
# Nuclei (template-based)
nuclei -u https://target.com -t ~/nuclei-templates/
# OpenVAS (comprehensive)
# Use GUI or command line
# Nessus (commercial)
# Web-based scanner
Specific Vulnerability Checks:
# SSL/TLS (quote the glob so the shell does not expand it against local files)
nmap -p 443 --script "ssl-*" target.com
testssl.sh https://target.com
# SQL Injection
sqlmap -u "https://target.com/page?id=1" --batch
# XSS
dalfox url https://target.com/search?q=test
# SSRF
# Manual testing or use Burp Suite
# Directory traversal
# Test: ../../../../etc/passwd
Default Credentials:
# Check default credentials databases
# - CIRT.net default passwords
# - DefaultCreds-cheat-sheet
# - SecLists default credentials
# Common defaults
admin:admin
admin:password
root:root
admin:Admin123
Public Repositories:
# GitHub secrets scanning (trufflehog v3 takes the source type as a subcommand)
trufflehog git https://github.com/company/repo
# GitLeaks
gitleaks detect --source /path/to/repo
# GitHub dorks
filename:.env "DB_PASSWORD"
extension:pem private
extension:sql mysql dump password
Metadata Extraction:
# exiftool
exiftool document.pdf
find . -name "*.pdf" -exec exiftool {} \;
# FOCA (Windows)
# Extract metadata from documents
Comprehensive Enumeration:
# Combination approach
1. Passive subdomain enum
2. Active subdomain bruteforce
3. Port scan all discovered hosts
4. Service enumeration
5. Web content discovery
6. Vulnerability scanning
7. Credential gathering
Automation Frameworks:
# Amass + Nmap + Nuclei pipeline
amass enum -passive -d target.com -o subdomains.txt
while read -r host; do nmap -sC -sV "$host" -oA "nmap_$host"; done < subdomains.txt
nuclei -l subdomains.txt -t ~/nuclei-templates/
# Recon-ng (modules must be installed from the marketplace before they can be loaded)
recon-ng
workspaces create target
marketplace install recon/domains-hosts/hackertarget
modules load recon/domains-hosts/hackertarget
marketplace install recon/hosts-ports/shodan_ip
modules load recon/hosts-ports/shodan_ip
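Running nmap once per hostname, as the pipeline above does, rescans the same address for every vhost that resolves to it and hands the defender a long, repetitive log. Resolving first and scanning once per unique IP keeps the scan count honest and also makes it obvious which names share a CDN or WAF edge. This is an added example, not part of the original skill: POSIX shell functions that resolve, group hostnames by IP and drive the amass, nmap and nuclei steps; the resolved sample is constructed (addresses from the 203.0.113.0/24 documentation range) and run_pipeline itself needs the tools and network access.

```sh
#!/bin/sh
# Added example (not from the original skill): the amass -> nmap -> nuclei
# pipeline, scanning each IP once instead of once per hostname.

# resolve_hosts  (hostnames on stdin) -> "host ip" per A record (needs network; not exercised here)
resolve_hosts() {
    while read -r host; do
        [ -z "$host" ] && continue
        dig +short A "$host" | grep -E '^[0-9]+(\.[0-9]+){3}$' | while read -r ip; do
            printf '%s %s\n' "$host" "$ip"
        done
    done
}

# group_by_ip  ("host ip" lines on stdin) -> "ip host1,host2,..." one line per unique IP, first-seen order
group_by_ip() {
    awk 'NF == 2 {
             if (!($2 in hosts)) order[++n] = $2
             hosts[$2] = hosts[$2] (hosts[$2] == "" ? "" : ",") $1
         }
         END { for (i = 1; i <= n; i++) print order[i], hosts[order[i]] }'
}

# run_pipeline DOMAIN [OUTDIR]  (needs amass, dig, nmap, nuclei and network; not exercised here)
run_pipeline() {
    domain="$1"; out="${2:-recon_$1}"
    mkdir -p "$out/nmap"
    amass enum -passive -d "$domain" -o "$out/subdomains.txt"
    resolve_hosts < "$out/subdomains.txt" | sort -u > "$out/resolved.txt"
    group_by_ip < "$out/resolved.txt" > "$out/by_ip.txt"
    while read -r ip hostlist; do
        # one scan per IP; hostlist records which vhosts it serves for the web phase
        nmap -sC -sV -oA "$out/nmap/$ip" "$ip"
    done < "$out/by_ip.txt"
    nuclei -l "$out/subdomains.txt" -o "$out/nuclei.txt"
}

# Constructed sample of resolved output.
sample_resolved() {
    printf 'www.target.com 203.0.113.10\n'
    printf 'api.target.com 203.0.113.10\n'
    printf 'mail.target.com 203.0.113.25\n'
    printf 'old.target.com 203.0.113.10\n'
}

sample_resolved | group_by_ip
```

An IP that collects dozens of hostnames is almost always a CDN or shared hosting edge; check it against the provider's published ranges before scanning, since it is usually out of scope and the scan result would describe the CDN, not the target.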
Organize Findings:
# Create project structure
mkdir -p target/{nmap,subdomains,web,creds,screenshots}
# Document everything
# - IP ranges
# - Subdomains found
# - Open ports/services
# - Credentials found
# - Vulnerabilities identified
# - Technologies detected
Reconnaissance Suites:
Subdomain Tools:
Port Scanners:
Web Tools:
Reconnaissance OPSEC:
# Use VPN/Proxy
# Rate limit requests
# Randomize user agents
# Use passive methods when possible
# Don't leave obvious traces
# Respect robots.txt during testing phase
Activate this skill when the user asks to:
Always ensure proper authorization before performing any reconnaissance activities.