pentest-recon-surface-analysis

Security assessment skill for reconnaissance, endpoint/service enumeration, and attack-surface mapping. Use when prompts include recon, enumerate, map endpoints, discover assets, inventory interfaces, fingerprint technologies, or identify control-plane surfaces. Do not use when the request is exploit development, payload execution, or final report writing only.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "pentest-recon-surface-analysis" with this command: npx skills add crtvrffnrt/skills/crtvrffnrt-skills-pentest-recon-surface-analysis

Recon & Surface Analysis

Activation Triggers (Positive)

  • recon
  • enumerate
  • surface map
  • asset inventory
  • endpoint discovery
  • technology fingerprinting
  • control plane mapping
  • ffuf
  • vhost fuzzing
  • subdomain enumeration

Exclusion Triggers (Negative)

  • build exploit
  • weaponize payload
  • write final report
  • only validate known vulnerability

Output Schema

  • Surface inventory: asset, interface, auth state, confidence
  • Entry-point matrix: input, trust boundary, initial risk hypothesis
  • Prioritized next tests: ordered by likely impact and test cost

Instructions

  1. Build an explicit target model first: interfaces, trust boundaries, and identity contexts.
  2. Enumerate only what is necessary to expose actionable attack paths.
  3. Normalize findings into a deduplicated inventory before deeper testing.
  4. Label each surface with attacker preconditions and probable abuse class.
  5. Mark unknowns that block progression and propose the minimum test to resolve each.
  6. Hand off precise, testable targets to downstream skills.
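One way to carry out step 3 against the "Surface inventory" schema above, as an added example (not code from the upstream SKILL.md). The field names, the three-level confidence scale, and the rule that conflicting auth observations become `unknown` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

CONFIDENCE = {"low": 0, "medium": 1, "high": 2}   # assumed three-level scale
DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_interface(url):
    """Canonicalize a URL so trivially different spellings collapse to one key."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")      # .hostname is already lowercased
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    # Assumption: a trailing slash does not name a different surface.
    path = parts.path.rstrip("/") or "/"
    return host, f"{scheme}://{netloc}{path}"

def build_inventory(findings):
    """Merge raw findings into one row per (asset, interface)."""
    rows = {}
    for f in findings:
        asset, interface = normalize_interface(f["url"])
        row = rows.setdefault((asset, interface), {
            "asset": asset, "interface": interface,
            "auth_state": f["auth_state"], "confidence": f["confidence"],
            "evidence": [],
        })
        # Conflicting auth observations become an explicit unknown (step 5).
        if row["auth_state"] != f["auth_state"]:
            row["auth_state"] = "unknown"
        # Keep the strongest confidence seen for this surface.
        if CONFIDENCE[f["confidence"]] > CONFIDENCE[row["confidence"]]:
            row["confidence"] = f["confidence"]
        if f["evidence"] not in row["evidence"]:
            row["evidence"].append(f["evidence"])
    return sorted(rows.values(), key=lambda r: (r["asset"], r["interface"]))

# Constructed sample findings; example.test is a reserved test domain.
SAMPLE = [
    {"url": "https://App.example.test:443/login/", "auth_state": "unauthenticated",
     "confidence": "medium", "evidence": "crawl-001"},
    {"url": "https://app.example.test/login", "auth_state": "unauthenticated",
     "confidence": "high", "evidence": "proxy-014"},
    {"url": "https://app.example.test/admin", "auth_state": "authenticated",
     "confidence": "low", "evidence": "crawl-007"},
    {"url": "https://app.example.test/admin/", "auth_state": "unauthenticated",
     "confidence": "low", "evidence": "proxy-020"},
]

if __name__ == "__main__":
    for row in build_inventory(SAMPLE):
        print(row)
```

The `/admin` row comes out with `auth_state` set to `unknown`, which is the kind of blocking unknown step 5 asks to be marked and resolved with a minimum test.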

Should Do

  • Keep reconnaissance hypothesis-driven, not tool-driven.
  • Capture reproducible evidence for each discovered surface.
  • Prioritize externally reachable and privilege-sensitive paths.

Should Not Do

  • Do not claim vulnerabilities at recon stage without abuse validation.
  • Do not perform heavy fuzzing or exploit attempts here.
  • Don't include organization-specific URLs, identifiers, or credentials in reusable guidance.

Tip: Fuzzing for Virtual Hosts with FFUF

Discover assets not listed in DNS by testing different Host header values. FFUF is well suited to this kind of fast enumeration.

Quick Guide

  1. Optimize: Use small wordlists and fast scans to ensure the agent doesn't get stuck.
  2. Execute: ffuf -u "https://$TARGET/" -H "Host: FUZZ.$TARGET" -w /path/to/small_wordlist (with $TARGET set to the bare domain, so the URL carries the scheme and the Host header does not)
  3. Filter: Identify live hosts by filtering out the default response size or matching on status codes (e.g., -fs [size] or -mc 200).

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
