Recon
danielmiessler
Security reconnaissance. USE WHEN recon, reconnaissance, bug bounty, attack surface. SkillSearch('recon') for docs.
bunx add-skill danielmiessler/personal_ai_infrastructure -s Recon
Before executing, check for user customizations at:
~/.claude/skills/CORE/USER/SKILLCUSTOMIZATIONS/Recon/
If this directory exists, load and apply any PREFERENCES.md, configurations, or resources found there. These override default behavior. If the directory does not exist, proceed with skill defaults.
Infrastructure and Network Reconnaissance
You MUST send this notification BEFORE doing anything else when this skill is invoked.
Send voice notification:
curl -s -X POST http://localhost:8888/notify \
-H "Content-Type: application/json" \
-d '{"message": "Running the WORKFLOWNAME workflow in the Recon skill to ACTION"}' \
> /dev/null 2>&1 &
Output text notification:
Running the **WorkflowName** workflow in the **Recon** skill to ACTION...
This is not optional. Execute this curl command immediately upon skill invocation.
Technical reconnaissance of network infrastructure including domains, IP addresses, netblocks, and ASNs. Combines passive intelligence gathering with authorized active scanning to map attack surfaces and identify assets.
Core Triggers - Use this skill when user says:
OSINT → recon (Common Pattern):
recon → webassessment:
Workflow Integration:
// OSINT skill discovers company infrastructure
const domains = await osintFindCompanyDomains("Acme Corp");
// Calls recon skill to map technical details
const infraMap = await reconDomain(domains[0]);
// Recon identifies web apps
const webApps = infraMap.subdomains.filter(s => s.hasHTTP);
// Calls web assessment for testing
await webAssessment(webApps);
CRITICAL AUTHORIZATION REQUIREMENTS:
Active reconnaissance MUST have:
Default behavior is PASSIVE ONLY. Always confirm before active techniques.
PassiveRecon.md - Safe Reconnaissance
Non-intrusive intelligence gathering using public sources:
Input: Domain, IP, or netblock
Output: Passive intelligence report
Authorization: None required
IpRecon.md - IP Address Investigation
Comprehensive IP address reconnaissance:
Input: Single IP address
Output: IP reconnaissance report
Authorization: Required for active scanning
DomainRecon.md - Domain Investigation
Full domain mapping and enumeration:
Input: Domain name
Output: Domain reconnaissance report
Authorization: Required for active subdomain probing
NetblockRecon.md - CIDR Range Scanning
Network range reconnaissance:
Input: CIDR notation (e.g., 192.168.1.0/24)
Output: Netblock scan report
Authorization: Required for active scanning
AsnRecon.md - Autonomous System Investigation
ASN and BGP reconnaissance:
Input: ASN number (e.g., AS15169)
Output: ASN mapping report
Authorization: None required (passive data)
IPInfo API (ipinfo.io)
API key: process.env.IPINFO_API_KEY
Client: tools/ipinfo-client.ts
System Tools (always available)
whois - Domain and IP WHOIS lookups
dig - DNS queries
nslookup - DNS resolution
curl - HTTP requests, API calls
MCP Tools (security profile required)
httpx - HTTP probing and technology detection
naabu - Port scanning
Switch profile with: ~/.claude/MCPs/swap-mcp security
Shodan (when API key added)
Censys (when API key added)
SecurityTrails (when API key added)
VirusTotal (when API key added)
Located in tools/ directory:
ipinfo-client.ts
dns-utils.ts
whois-parser.ts
cidr-utils.ts
cert-transparency.ts
report-generator.ts
# IP Reconnaissance: 1.2.3.4
## Summary
- IP: 1.2.3.4
- Organization: Example Corp
- ASN: AS12345
- Location: San Francisco, CA, US
- ISP: Example Hosting
## DNS
- Reverse DNS: server.example.com
- Additional PTR: ...
## Network Information
- CIDR: 1.2.3.0/24
- Netblock Owner: Example Corp
- Abuse Contact: abuse@example.com
## Services (Passive)
- Certificates: 3 certificates found
- Historical DNS: ...
## Services (Active - Authorized)
- Open Ports: 22, 80, 443
- Services: SSH (OpenSSH 8.2), HTTP (nginx 1.20.1), HTTPS
- Technologies: nginx, OpenSSH
## Recommendations
- Further investigation areas
- Related assets
- Security observations
# Domain Reconnaissance: example.com
## Summary
- Domain: example.com
- Registrar: Example Registrar
- Registration: 2010-01-15
- Expiry: 2026-01-15
## DNS Records
### A Records
- 1.2.3.4
- 5.6.7.8
### MX Records
- 10 mail.example.com
## Subdomains
- www.example.com (1.2.3.4)
- api.example.com (1.2.3.5)
- admin.example.com (1.2.3.6)
## Email Security
- SPF: Configured
- DMARC: Configured
- DKIM: Configured
## Technologies
- Web Server: nginx
- Framework: React
- CDN: Cloudflare
## Recommendations
- Interesting subdomains: admin.example.com, api.example.com
- Attack surface: 15 web applications identified
Reports saved to:
~/.claude/MEMORY/WORK/{current_work}/scratch/ - For iterative artifacts during investigation
~/.claude/MEMORY/RESEARCH/YYYY-MM/ - For pentest engagements and formal assessments
For passive recon: No special MCP profile needed
For active recon: Requires security MCP profile
# Switch to security profile
~/.claude/MCPs/swap-mcp security
# Restart Claude Code to apply
# Then run active reconnaissance
Security profile includes:
CRITICAL RULES:
Authorization Types:
Never scan:
When in doubt: Ask for explicit confirmation and documented authorization.
User: "Do passive recon on example.com"
Assistant: Activating recon skill with passive-recon workflow.
Target: example.com
Mode: Passive only (no active scanning)
[Performs WHOIS, DNS, cert transparency, IPInfo]
[Generates report in scratchpad]
Report: ~/.claude/MEMORY/WORK/{current_work}/scratch/recon-example-com/
User: "Investigate IP 1.2.3.4 - I own this server"
Assistant: Activating recon skill with ip-recon workflow.
Target: 1.2.3.4
Authorization check: You confirmed this is an owned asset.
Proceeding with passive + active reconnaissance.
[Performs IPInfo, reverse DNS, WHOIS, port scan, service detection]
[Generates comprehensive report]
Report: Open ports found (22, 80, 443)
Services: SSH, HTTP, HTTPS
Technologies: nginx 1.20.1, OpenSSH 8.2
User: "Do OSINT on Acme Corp and map their infrastructure"
Assistant: Activating OSINT skill...
Found domains: acme.com, acmecorp.com, acme.io
Now calling recon for infrastructure mapping...
[Recon skill maps each domain]
[Discovers subdomains, IPs, netblocks]
[Creates comprehensive infrastructure map]
Report: Complete OSINT + Infrastructure report
15 domains, 47 subdomains, 3 netblocks identified
Automatic workflow selection based on input:
IpRecon.md
DomainRecon.md
NetblockRecon.md
AsnRecon.md
PassiveRecon.md
User can override:
"Use passive-recon workflow on 1.2.3.4"
"Run domain-recon on example.com with active scanning"
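An added example (not the skill's own code) of the automatic workflow selection described above, written in TypeScript like the skill's tools: it picks the workflow file from the shape of the target, honors the "passive-recon" override, and keeps the skill's passive-only default unless authorization has been explicitly confirmed. The function name and signature are assumptions.

```typescript
// Added illustration, not part of the Recon skill: route a target to a workflow file.
type Workflow = "IpRecon.md" | "DomainRecon.md" | "NetblockRecon.md" | "AsnRecon.md" | "PassiveRecon.md";

interface ReconPlan {
  target: string;
  workflow: Workflow;
  mode: "passive" | "active"; // active scanning only with confirmed authorization
}

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
const CIDR = /^(\d{1,3}(?:\.\d{1,3}){3})\/(\d{1,2})$/;
const ASN = /^AS\d+$/i;
// Hostname labels of 1-63 chars, alphabetic TLD, 253 chars overall.
const DOMAIN = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

function isIPv4(s: string): boolean {
  const m = IPV4.exec(s);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

function isCidr(s: string): boolean {
  const m = CIDR.exec(s);
  return m !== null && isIPv4(m[1]) && Number(m[2]) <= 32;
}

// authorized: the user confirmed ownership or written permission for the target.
// passiveOverride: the user asked for the passive-recon workflow explicitly.
function selectWorkflow(target: string, authorized = false, passiveOverride = false): ReconPlan {
  const t = target.trim();
  if (passiveOverride) return { target: t, workflow: "PassiveRecon.md", mode: "passive" };

  let workflow: Workflow;
  if (isCidr(t)) workflow = "NetblockRecon.md";      // CIDR must be tested before bare IPv4
  else if (isIPv4(t)) workflow = "IpRecon.md";
  else if (ASN.test(t)) workflow = "AsnRecon.md";
  else if (DOMAIN.test(t)) workflow = "DomainRecon.md";
  else throw new Error(`unrecognised recon target: ${target}`);

  // AsnRecon is passive data only; the other workflows go active only when authorized.
  const mode = workflow !== "AsnRecon.md" && authorized ? "active" : "passive";
  return { target: t, workflow, mode };
}
```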
Passive Recon Success:
Active Recon Success:
Security Skills:
~/.claude/skills/OSINT/ - Entity and people reconnaissance
~/.claude/skills/Webassessment/ - Web application testing
Tool Documentation:
Best Practices:
Remember: Start passive, confirm authorization before going active, document everything, and be respectful of target systems.