pentest-recon-surface-analysis
Recon & Surface Analysis
Activation Triggers (Positive)
recon, enumerate, surface map, asset inventory, endpoint discovery, technology fingerprinting, control plane mapping, ffuf, vhost fuzzing, subdomain enumeration
Exclusion Triggers (Negative)
build exploit, weaponize payload, write final report, only validate known vulnerability
Output Schema
- Surface inventory: asset, interface, auth state, confidence
- Entry-point matrix: input, trust boundary, initial risk hypothesis
- Prioritized next tests: ordered by likely impact and test cost
Instructions
- Build an explicit target model first: interfaces, trust boundaries, and identity contexts.
- Enumerate only what is necessary to expose actionable attack paths.
- Normalize findings into a deduplicated inventory before deeper testing.
- Label each surface with attacker preconditions and probable abuse class.
- Mark unknowns that block progression and propose the minimum test to resolve each.
- Hand off precise, testable targets to downstream skills.
Should Do
- Keep reconnaissance hypothesis-driven, not tool-driven.
- Capture reproducible evidence for each discovered surface.
- Prioritize externally reachable and privilege-sensitive paths.
Tip: Fuzzing for Virtual Hosts with FFUF
Discover virtual hosts that have no DNS record by sending requests with different Host header values. ffuf is well suited to this enumeration because it is fast and its filters make the noise easy to drop.
Quick Guide
- Optimize: Use small wordlists and fast scans to ensure the agent doesn't get stuck.
- Execute: `ffuf -u $TARGET -H "Host: FUZZ.$TARGET" -w /path/to/small_wordlist`
- Filter: Identify live hosts by filtering on unique response sizes or status codes (e.g., `-fs [size]` or `-mc 200`).
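As an added example (not part of this skill or of the ffuf project), the Filter step done after the fact: read ffuf's JSON output (`-of json`), treat the most common response length as the default vhost's catch-all reply, and turn the remaining hits into rows in the Surface inventory schema above. The sample data is constructed, and the result field names used (`results[].input.FUZZ`, `status`, `length`) are assumed to match ffuf's JSON layout.

```python
import json
from collections import Counter

# Constructed sample in the layout of ffuf's JSON output (-of json). The
# field names relied on (results[].input.FUZZ, status, length) are an
# assumption about that layout; the hostnames and sizes are made up.
SAMPLE_FFUF_JSON = json.dumps({
    "results": [
        {"input": {"FUZZ": "www"},     "status": 200, "length": 5120},
        {"input": {"FUZZ": "mail"},    "status": 200, "length": 5120},
        {"input": {"FUZZ": "dev"},     "status": 200, "length": 9876},
        {"input": {"FUZZ": "admin"},   "status": 401, "length": 188},
        {"input": {"FUZZ": "staging"}, "status": 200, "length": 5120},
        {"input": {"FUZZ": "old"},     "status": 302, "length": 0},
    ]
})


def baseline_length(results):
    """The most common response length is the default vhost answering for unknown Host values."""
    counts = Counter(r["length"] for r in results)
    return counts.most_common(1)[0][0]


def auth_state(status):
    """Map the probe's HTTP status onto the schema's auth-state field."""
    if status in (401, 403):
        return "auth-required"
    if 300 <= status < 400:
        return "redirect"
    return "unauthenticated"


def vhost_inventory(ffuf_json, domain):
    """Convert ffuf vhost results into deduplicated surface-inventory rows.

    Hits whose length equals the baseline are the catch-all reply and are
    dropped, which is the same effect as ffuf's '-fs <size>' filter.
    """
    results = json.loads(ffuf_json)["results"]
    base = baseline_length(results)
    rows = {}
    for r in results:
        if r["length"] == base:
            continue
        host = f'{r["input"]["FUZZ"]}.{domain}'
        rows[host] = {  # keyed by host, so repeated hits collapse to one row
            "asset": host,
            "interface": "http-vhost",
            "auth_state": auth_state(r["status"]),
            # a distinct 2xx body is strong evidence; redirects and empty bodies are weaker
            "confidence": "high" if r["status"] == 200 else "medium",
        }
    return sorted(rows.values(), key=lambda row: row["asset"])
```

Each returned row is one asset/interface/auth state/confidence record, ready to be merged into the deduplicated inventory before deeper testing.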