
Recon And Methodology
Run systematic bug-bounty-style recon—subdomains, endpoints, fingerprinting, and a structured test plan—before deep vulnerability testing on a scoped target.
Overview
Recon and Methodology is an agent skill most often used in Ship (also Validate, Idea) that provides a systematic bug-bounty recon playbook for assets, endpoints, and structured security testing plans.
Install
npx skills add https://github.com/yaklang/hack-skills --skill recon-and-methodology
What is this skill?
- Six-level recon hierarchy from target selection through per-vulnerability testing
- Passive subdomain sources: Subfinder, Amass passive, crt.sh certificate transparency
- Active DNS brute-force patterns with massdns and resolver lists
- Expert bug bounty framing: coverage and systematic surface mapping over clever payloads alone
- Scope-first workflow: define in-scope assets before enumeration
- Six-step recon hierarchy from target selection through vulnerability testing
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You have a new in-scope target but no ordered recon plan, so you miss subdomains and endpoints that other hunters find through systematic coverage.
Who is it for?
Authorized bug bounty hunters, indie founders hardening their own API, or agents assisting structured pentest prep on defined scope.
Skip if: Builders without explicit permission to test a target, or teams wanting automated patch management instead of manual recon methodology.
When should I use this skill?
Mapping assets, discovering endpoints, fingerprinting technology, and building a structured testing plan for a new authorized target.
What do I get? / Deliverables
You get a staged recon hierarchy and tool-oriented steps—from passive subdomains to endpoint discovery—so vulnerability testing starts from a complete surface map.
- Subdomain and asset inventory for in-scope hosts
- Technology fingerprint notes and endpoint attack-surface list
- Structured vulnerability testing plan by category
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Ship → security because the playbook is written for pre-exploitation recon and methodology on in-scope assets ready for testing. Recon hierarchies and hunter mental models belong in application security testing, not generic idea brainstorming or growth analytics.
Where it fits
Enumerate staging subdomains to decide which hosts belong in the MVP security test plan.
Run passive then active recon on in-scope APIs before structured XSS and auth testing.
Map public asset footprints of adjacent products when competitive research stays within legal and program rules.
Re-audit externally visible subdomains after DNS or CDN changes in production.
How it compares
Use as a hunter methodology skill, not as a substitute for formal compliance frameworks or passive SEO competitor research.
Common Questions / FAQ
Who is recon-and-methodology for?
Security-focused solo builders and bug bounty participants who want agent-guided, systematic asset and endpoint discovery on authorized targets.
When should I use recon-and-methodology?
At Validate when scoping what to test on a prototype or staging URL; at Ship → security before release testing; at Idea → research when mapping competitor or acquisition surface legally in scope.
Is recon-and-methodology safe to install?
The skill describes offensive recon techniques—install only if your use is authorized, and review the Security Audits panel on this Prism page before running commands against live systems.
SKILL.md - Recon And Methodology
# SKILL: Recon and Methodology — Expert Bug Bounty Playbook

> **AI LOAD INSTRUCTION**: Systematic recon and bug-finding methodology from top bug hunters. Covers subdomain enumeration, endpoint discovery, tech fingerprinting, and the hunter's mental model for finding bugs that others miss. Key insight: most high-severity bugs are found through systematic coverage, not just clever payloads.

---

## 1. RECON HIERARCHY

```
Target Selection
└── Scope Definition (in-scope assets)
    └── Asset Discovery (subdomains, IPs, domains)
        └── Tech Fingerprinting (what's running)
            └── Endpoint Discovery (attack surface)
                └── Vulnerability Testing (per vulnerability type)
```

---

## 2. SUBDOMAIN ENUMERATION (CRITICAL FIRST STEP)

### Passive (no DNS queries to target)

```bash
# Subfinder (aggregates multiple sources):
subfinder -d target.com -o subdomains.txt

# Amass passive:
amass enum -passive -d target.com

# crt.sh (certificate transparency):
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u

# SecurityTrails API, Shodan:
# Web: https://securitytrails.com/list/apex_domain/target.com
```

### Active (DNS brute force + resolution)

```bash
# Massdns + wordlist:
massdns -r /path/to/resolvers.txt -t A -o S -w output.txt \
  <(cat wordlist.txt | sed 's/$/.target.com/')

# ffuf for subdomain brute:
ffuf -w subdomains-wordlist.txt -u https://FUZZ.target.com \
  -mc 200,301,302,403 -H "Host: FUZZ.target.com"

# DNSx for bulk resolution:
cat subdomains.txt | dnsx -a -resp -o resolved.txt

# Recommended wordlist: SecLists/Discovery/DNS/
```

### Virtual Host Discovery

```bash
# ffuf vhost mode:
ffuf -w wordlist.txt -u https://target.com \
  -H "Host: FUZZ.target.com" -mc 200,301,403

# gobuster vhost:
gobuster vhost -u https://target.com -w wordlist.txt
```

---

## 3. SERVICE AND PORT DISCOVERY

```bash
# Fast port scan (common ports):
nmap -T4 -F target.com -oN ports.txt

# Comprehensive scan on resolved subdomains:
cat resolved_ips.txt | nmap -iL - --open -p 80,443,8080,8443,8888,3000,5000 -oG scan.txt

# httpx for HTTP probing:
cat subdomains.txt | httpx -title -tech-detect -status-code -o live_hosts.txt

# masscan for speed on large IP ranges:
masscan -p 80,443,8080,8443 10.0.0.0/8 --rate=1000
```

---

## 4. WEB TECHNOLOGY FINGERPRINTING

```bash
# Wappalyzer (browser extension) or:
whatweb https://target.com

# httpx with tech detection:
httpx -u https://target.com -tech-detect

# Check headers manually:
curl -sI https://target.com | grep -i "server\|x-powered-by\|x-generator\|cf-ray"

# Fingerprint from:
#   - Server header: nginx/1.18, Apache/2.4, IIS/10.0
#   - X-Powered-By: PHP/7.4, ASP.NET
#   - Cookies: PHPSESSID (PHP), JSESSIONID (Java), _rails_session (Rails)
#   - HTML comments: <!-- Drupal 9 -->
#   - Meta generator: <meta name="generator" content="WordPress 6.2">
#   - JS framework files: /static/js/angular.min.js
```

---

## 5. ENDPOINT DISCOVERY

### Directory Brute Force

```bash
# ffuf (fastest):
ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
  -mc 200,301,302,403 -t 50 -o dirs.txt

# Gobuster:
gobuster dir -u https://target.com -w wordlist.txt -x php,html,js,json

# feroxbuster (recursive):
feroxbuster -u https://target.com -w wordlist.txt -x php,html,txt -r
```

### Parameter Discovery

```bash
# Arjun (hidden parameter finder):
arjun -u https://target.com/api/endpoint

# x8:
x8 -u https://target.com/api/endpoint -w params-wordlist.txt
```

### JavaScript Source Mining

```bash
# Extract endpoints from JS files:
gau target.com | grep '\.js$' | httpx -mc 200 | xargs -I{} curl -s {} | \
  grep -oE '"/[a-zA-Z0-9/_-]+"' | sort -u

# LinkFinder:
python3 linkfinder.py -i https://target.com -d -o output.ht
```
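The crt.sh one-liner in the passive subdomain step (`jq -r '.[].name_value' | sort -u`) is a good start, but the `name_value` field of one certificate can hold several newline-separated names, wildcard SANs, mixed case, and names from unrelated domains on shared certificates. The following is an added example that is not part of the yaklang/hack-skills skill: it turns that JSON into the in-scope asset inventory the deliverables list describes and diffs it against a previous run, which is the re-audit after a DNS or CDN change mentioned above. It assumes only the JSON shape crt.sh returns for `?q=%.target.com&output=json`; the records are constructed, and `ct_inventory`, `normalize_name`, `in_scope` and `diff_inventory` are names chosen here.

```python
"""Normalize crt.sh certificate-transparency output into an in-scope host inventory.

Added example for the passive subdomain step; not part of the
yaklang/hack-skills skill. Assumes the JSON shape crt.sh returns for
`?q=%.target.com&output=json`: a list of objects whose `name_value` field
holds one or more newline-separated DNS names. The records are constructed.
"""
import json

# Constructed stand-in for `curl -s "https://crt.sh/?q=%.target.com&output=json"`.
# Real responses carry more fields (issuer_name, not_before, ...); only name_value is used.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "name_value": "www.target.com\ntarget.com"},               # one cert, two SANs
    {"id": 2, "name_value": "*.staging.target.com"},                     # wildcard SAN
    {"id": 3, "name_value": "API.Target.com\napi.target.com"},           # case differences
    {"id": 4, "name_value": "legacy.target.com\nshared-cdn.example.net"},  # shared cert
    {"id": 5, "name_value": "nottarget.com"},                            # suffix lookalike
])


def normalize_name(name: str) -> str:
    """Lower-case, trim, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def in_scope(name: str, apex: str) -> bool:
    """True for the apex itself or a real subdomain; 'nottarget.com' must not pass."""
    return name == apex or name.endswith("." + apex)


def ct_inventory(crtsh_json: str, apex: str) -> dict:
    """Split multi-name entries, normalize, and bucket names.

    hosts        - concrete in-scope names (the asset inventory)
    wildcards    - zones seen only behind '*.' that need the active resolution step
    out_of_scope - names sharing a certificate with in-scope hosts but outside the apex
    """
    hosts, wildcards, out_of_scope = set(), set(), set()
    for record in json.loads(crtsh_json):
        for raw in record.get("name_value", "").split("\n"):
            if not raw.strip():
                continue
            is_wildcard = raw.strip().startswith("*.")
            name = normalize_name(raw)
            if not in_scope(name, apex):
                out_of_scope.add(name)
            elif is_wildcard:
                wildcards.add(name)
            else:
                hosts.add(name)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards),
            "out_of_scope": sorted(out_of_scope)}


def diff_inventory(previous: list, current: list) -> dict:
    """Compare two inventories, e.g. before and after a DNS or CDN change."""
    prev, cur = set(previous), set(current)
    return {"new": sorted(cur - prev), "removed": sorted(prev - cur)}


if __name__ == "__main__":
    inv = ct_inventory(SAMPLE_CRTSH_JSON, "target.com")
    print("in-scope hosts:", inv["hosts"])
    print("wildcard zones to resolve actively:", inv["wildcards"])
    print("names on shared certificates, outside scope:", inv["out_of_scope"])
    print("change since last audit:", diff_inventory(["www.target.com"], inv["hosts"]))
```

With real data, save the crt.sh response to a file and call `ct_inventory(open("ct.json").read(), "target.com")`; the `hosts` list feeds `dnsx`, the `wildcards` list tells you which zones the passive sources cannot enumerate and which therefore belong in the active brute-force step, and `out_of_scope` is the list to check against program rules before touching anything.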
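The fingerprint list in section 4 names the signals a hunter reads from headers, cookies and markup; for a builder hardening their own API, the same list is what to look for in your own responses before release. This is an added example, not code from the yaklang/hack-skills skill: it takes a raw HTTP response as text (what `curl -si https://your-host/` prints) and reports each disclosure with what it reveals. The response is constructed, and `audit_fingerprint` and `split_response` are names chosen here.

```python
"""Audit one HTTP response for the fingerprinting signals listed in section 4.

Added example; not part of the yaklang/hack-skills skill. Input is the raw
response text (status line, headers, blank line, body) as captured by
`curl -si`. The sample response below is constructed for illustration.
"""
import re

# Constructed sample of a leaky response; every line maps to an item in the fingerprint list.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<!DOCTYPE html><html><head>\n"
    "<meta name=\"generator\" content=\"WordPress 6.2\">\n"
    "<script src=\"/static/js/angular.min.js\"></script>\n"
    "</head><body><!-- built with Bootstrap 5.3 --></body></html>\n"
)

# Session cookie names that identify the server-side stack (from the list in section 4).
SESSION_COOKIE_STACKS = {
    "phpsessid": "PHP",
    "jsessionid": "Java servlet container",
    "_rails_session": "Ruby on Rails",
}
# Headers a fingerprinter reads first; a digit.digit pattern in them is a version disclosure.
VERSION_HEADERS = ("server", "x-powered-by", "x-generator", "x-aspnet-version")


def split_response(raw: str):
    """Return (status_line, [(header_name_lower, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def audit_fingerprint(raw: str) -> list:
    """Return one finding per disclosure: {'source', 'value', 'reveals'}, in document order."""
    _, headers, body = split_response(raw)
    findings = []
    for name, value in headers:
        if name in VERSION_HEADERS:
            versioned = re.search(r"\d+\.\d+", value) is not None
            findings.append({"source": name, "value": value,
                             "reveals": "product and version" if versioned else "product"})
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0].strip().lower()
            if cookie in SESSION_COOKIE_STACKS:
                findings.append({"source": "cookie", "value": cookie,
                                 "reveals": SESSION_COOKIE_STACKS[cookie]})
    # <meta name="generator" content="..."> gives away the CMS and usually its version.
    meta = re.search(r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', body, re.I)
    if meta:
        findings.append({"source": "meta generator", "value": meta.group(1), "reveals": "CMS and version"})
    # HTML comments that carry a name followed by a number are treated as framework/version hints.
    for comment in re.findall(r"<!--(.*?)-->", body, re.S):
        if re.search(r"[A-Za-z]+\s*\d+(\.\d+)*", comment):
            findings.append({"source": "html comment", "value": comment.strip(),
                             "reveals": "possible framework/version"})
    # Well-known framework bundle names identify the client-side stack.
    for src in re.findall(r'<script[^>]+src=["\']([^"\']+)["\']', body, re.I):
        if re.search(r"(angular|react|vue|jquery|ember)", src, re.I):
            findings.append({"source": "script src", "value": src, "reveals": "client-side framework"})
    return findings


if __name__ == "__main__":
    for f in audit_fingerprint(SAMPLE_RESPONSE):
        print(f"{f['source']:<15} {f['value']:<40} -> {f['reveals']}")
```

Running it on the constructed response yields six findings, from the `Server` version down to the Angular bundle path. Each one is something the operator can remove or generalize (for example nginx's `server_tokens off;` drops the version from the `Server` header); the point is that recon reads exactly these fields, so reviewing them on your own hosts is the cheapest part of the surface map to shrink.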