Skill

pentest-recon

Enumerates subdomains, DNS records, open ports, tech stack, OSINT, and email security on target URL via passive pentest recon commands. For auditing deployed apps.

Bash

security

npx claudepluginhub sabania/pentest-cli --plugin pentest-framework

Tool Access

This skill is limited to using the following tools:

BashAgentRead

Preview

Run a comprehensive passive reconnaissance scan against a target URL to enumerate subdomains, DNS records, open ports, technology stack, and OSINT data.

SKILL.md

Similar Skills

recon

Orchestrates pentest reconnaissance phase: enumerates subdomains via ASN/passive/brute, probes live hosts/ports, mines URLs/JS, dorks GitHub secrets, discovers cloud buckets, detects takeovers, maps attack surface.

14 files

akira

reconnaissance

257

Maps attack surface via subdomain discovery, port scanning, endpoint enumeration, and API discovery. Useful for security assessments and penetration testing.

7 files

communitytools

red-team-tools

37.1k

Implements red team workflows for reconnaissance, subdomain enumeration, live host discovery, technology fingerprinting, and vulnerability discovery in bug bounty hunting.

antigravity-awesome-skills

Stats

Parent Repo Stars5

Parent Repo Forks0

Last CommitMar 20, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

/pentest-recon — Full Reconnaissance Scan

Run a comprehensive passive reconnaissance scan against a target URL to enumerate subdomains, DNS records, open ports, technology stack, and OSINT data.

Input

The target URL is provided via $ARGUMENTS. If no URL is provided, ask the user for one.

Steps

Parse the target URL from $ARGUMENTS.

Delegate to recon-agent using the Agent tool. The agent must run the following commands sequentially, collecting all JSON output:

pentest -k -j -o ./findings recon subdomains <url>
pentest -k -j -o ./findings recon dns <url>
pentest -k -j -o ./findings recon ports <url>
pentest -k -j -o ./findings recon osint <url>
pentest -k -j -o ./findings discover tech <url>
pentest -k -j -o ./findings cloud email <url>

Read the JSON outputs from ./findings/ to gather all results.

Present a summary to the user covering:

Discovered subdomains and their status
DNS records (A, AAAA, MX, TXT, CNAME, NS)
Open ports and services detected
Technology stack (frameworks, libraries, servers, CDNs)
OSINT findings (public exposure, metadata)
Email security (SPF, DKIM, DMARC)

Notes

All recon commands are passive and safe to run without explicit consent.

Use -k to skip SSL verification for targets with self-signed certs.

Use -j for machine-readable JSON output.

Use -o ./findings to persist results for later reporting.

/pentest-recon — Full Reconnaissance Scan

Run a comprehensive passive reconnaissance scan against a target URL to enumerate subdomains, DNS records, open ports, technology stack, and OSINT data.

Input

The target URL is provided via $ARGUMENTS. If no URL is provided, ask the user for one.

Steps

Parse the target URL from $ARGUMENTS.

Delegate to recon-agent using the Agent tool. The agent must run the following commands sequentially, collecting all JSON output:

pentest -k -j -o ./findings recon subdomains <url>
pentest -k -j -o ./findings recon dns <url>
pentest -k -j -o ./findings recon ports <url>
pentest -k -j -o ./findings recon osint <url>
pentest -k -j -o ./findings discover tech <url>
pentest -k -j -o ./findings cloud email <url>

Read the JSON outputs from ./findings/ to gather all results.
Present a summary to the user covering:
- Discovered subdomains and their status
- DNS records (A, AAAA, MX, TXT, CNAME, NS)
- Open ports and services detected
- Technology stack (frameworks, libraries, servers, CDNs)
- OSINT findings (public exposure, metadata)
- Email security (SPF, DKIM, DMARC)

Notes

All recon commands are passive and safe to run without explicit consent.
Use -k to skip SSL verification for targets with self-signed certs.
Use -j for machine-readable JSON output.
Use -o ./findings to persist results for later reporting.