reconnaissance-knowledge
Comprehensive knowledge about network reconnaissance and service enumeration. Provides methodologies for port scanning, service fingerprinting, web directory discovery, and vulnerability identification. Includes best practices for structured data collection.
Best use case
reconnaissance-knowledge is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Comprehensive knowledge about network reconnaissance and service enumeration. Provides methodologies for port scanning, service fingerprinting, web directory discovery, and vulnerability identification. Includes best practices for structured data collection.
Teams using reconnaissance-knowledge should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/reconnaissance-knowledge/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How reconnaissance-knowledge Compares
| Feature / Agent | reconnaissance-knowledge | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Comprehensive knowledge about network reconnaissance and service enumeration. Provides methodologies for port scanning, service fingerprinting, web directory discovery, and vulnerability identification. Includes best practices for structured data collection.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Reconnaissance Knowledge Base
## Purpose
This knowledge base provides comprehensive reconnaissance methodologies and techniques. It covers information gathering about targets without performing exploitation, including discovering services, versions, technologies, and potential attack vectors.
## Tools Available
### Network Scanning
- `nmap` - Port and service discovery
- `masscan` - Fast port scanning (if speed needed)
- `nc` (netcat) - Banner grabbing
### Web Enumeration
- `gobuster` - Directory/file brute forcing
- `dirb` - Alternative directory scanner
- `nikto` - Web vulnerability scanner
- `whatweb` - Technology identification
- `curl`/`wget` - Manual HTTP interaction
### Service Enumeration
- `enum4linux` - SMB/Samba enumeration
- `smbclient` - SMB interaction
- `showmount` - NFS enumeration
- `snmpwalk` - SNMP enumeration
### DNS/Subdomain
- `dig` - DNS queries
- `host` - DNS lookups
- `nslookup` - DNS information
## Layered Reconnaissance Strategy
**Core Principle:** Every reconnaissance task has 3 layers - escalate when previous layer yields insufficient results.
### Layer Framework for Each Task:
```
Layer 1 (Quick & Broad):
- Fast tools with default parameters
- Goal: Get initial foothold information
- Time: 1-5 minutes
- Example: nmap top 1000 ports, gobuster with small wordlist
Layer 2 (Deep & Intensive):
- Same tools with aggressive parameters
- Goal: Extract maximum information from known services
- Time: 5-30 minutes
- Example: nmap all ports + version detection, gobuster with large wordlist
Layer 3 (Alternative & Creative):
- Different tools or manual techniques
- Goal: Find information that standard tools miss
- Time: Variable
- Example: Manual banner grabbing, alternative scanners, custom scripts
```
**Escalation Triggers:**
- Layer 1 returns nothing → Escalate to Layer 2
- Layer 2 returns minimal info → Escalate to Layer 3
- Layer 3 still insufficient → Re-evaluate entire approach
---
## Reconnaissance Phases
### Phase 1: Port Discovery
**Goal**: Find all open ports
```bash
# Quick scan (top 1000 ports)
nmap -p- --min-rate=1000 -T4 TARGET
# Comprehensive scan (all ports)
nmap -p- -T4 TARGET -oN ports.txt
```
**Output Format**:
```json
{
"ports": [
{"port": 22, "state": "open", "protocol": "tcp"},
{"port": 80, "state": "open", "protocol": "tcp"}
]
}
```
### Phase 2: Service Detection
**Goal**: Identify services and versions
```bash
# Service version detection
nmap -p22,80,443 -sV -sC -A TARGET -oN services.txt
# Aggressive scan with scripts
nmap -p22,80 -sC -sV --script=default,vuln TARGET
```
**Output Format**:
```json
{
"services": [
{
"port": 22,
"service": "ssh",
"version": "OpenSSH 7.6p1",
"os": "Ubuntu Linux"
},
{
"port": 80,
"service": "http",
"version": "Apache httpd 2.4.29",
"technologies": ["PHP/7.2"]
}
]
}
```
### Phase 3: Web Enumeration (if HTTP/HTTPS found)
**Goal**: Discover hidden files, directories, and web technologies
**Layered Web Scanning:**
```bash
# Layer 1: Quick directory scan
gobuster dir -u http://TARGET -w /usr/share/wordlists/dirb/common.txt -x php,html,txt -t 50
# If Layer 1 finds little/nothing, escalate to Layer 2:
# Layer 2: Deep directory scan with larger wordlist
gobuster dir -u http://TARGET -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,zip,bak -t 100
# If still insufficient, try Layer 3:
# Layer 3: Alternative tools or techniques
# Option A: Different tool
feroxbuster -u http://TARGET -w /usr/share/wordlists/dirb/common.txt
# Option B: Vulnerability scanner
nikto -h http://TARGET
# Option C: Technology detection
whatweb http://TARGET
# Alternative with larger wordlist
gobuster dir -u http://TARGET -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
# Technology detection
whatweb http://TARGET
# Vulnerability scan
nikto -h http://TARGET
```
**Output Format**:
```json
{
"web": {
"url": "http://10.10.10.1",
"technologies": ["Apache/2.4.29", "PHP/7.2", "WordPress 5.0"],
"directories": [
"/admin (Status: 403)",
"/uploads (Status: 301)",
"/backup (Status: 200)"
],
"files": [
"/config.php (Status: 200)",
"/README.txt (Status: 200)"
],
"vulnerabilities": [
"Outdated WordPress version",
"Directory listing enabled on /uploads"
]
}
}
```
### Phase 4: Specific Service Enumeration
#### SMB (Port 139/445)
```bash
# Basic enumeration
enum4linux -a TARGET
# List shares
smbclient -L //TARGET -N
# Check for anonymous access
smbmap -H TARGET
```
#### FTP (Port 21)
```bash
# Check for anonymous login
ftp TARGET
# Try: anonymous / anonymous
# Banner grab
nc TARGET 21
```
#### SSH (Port 22)
```bash
# Get SSH version and algorithms
ssh -v TARGET
# Check for user enumeration
ssh user@TARGET 2>&1 | grep -i "invalid\|denied"
```
#### MySQL/MSSQL (Port 3306/1433)
```bash
# Banner grab
nc TARGET 3306
# Test default credentials
mysql -h TARGET -u root -p
# Try common passwords: root, admin, password, ''
```
## Best Practices
### 1. Structured Output
Always format discoveries in JSON for easy parsing:
```bash
# Example: Parse nmap output to JSON
nmap -p- TARGET -oG - | grep "Ports:" | awk '{print $2, $4}' | sed 's/\/open//' | jq -R -s 'split("\n") | map(select(length > 0) | split(" ") | {port: .[1], service: .[0]})'
```
### 2. Stealth vs Speed
- For playground environments: Use aggressive scans (`-T4`, `--min-rate=1000`)
- For real environments: Use slower, stealthy scans (`-T2`)
### 3. Save All Output
```bash
# Always save raw output
nmap ... -oN nmap-full.txt -oX nmap-full.xml
# Save discoveries to state file
cat discovered.json >> .pentest-state.json
```
### 4. Comprehensive Coverage
Don't miss:
- UDP ports (slower but important): `nmap -sU --top-ports 100 TARGET`
- All TCP ports: `nmap -p- TARGET`
- Web directories with multiple wordlists
- Default credentials for all services found
### 5. Time Management
- Quick initial scan: 5 minutes max
- Comprehensive scan: 15-20 minutes max
- This is a playground, not real-world - speed matters
## Common Wordlists
```bash
# Small (fast)
/usr/share/wordlists/dirb/common.txt
# Medium (balanced)
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# Large (comprehensive)
/usr/share/wordlists/dirbuster/directory-list-2.3-big.txt
# Specific to web apps
/usr/share/wordlists/wfuzz/general/common.txt
```
## Output Template
After completing reconnaissance, provide summary in this format:
```json
{
"target": "10.10.10.1",
"scan_date": "2025-01-15",
"discovered": {
"ports": [
{"port": 22, "service": "ssh", "version": "OpenSSH 7.6p1"},
{"port": 80, "service": "http", "version": "Apache 2.4.29"}
],
"web": {
"technologies": ["Apache", "PHP", "WordPress"],
"interesting_paths": ["/admin", "/uploads", "/wp-admin"],
"vulnerabilities": ["Outdated WordPress", "Directory listing"]
},
"potential_vectors": [
"File upload via /uploads",
"WordPress plugin vulnerabilities",
"SSH password authentication enabled"
]
},
"recommended_actions": [
"Test file upload functionality on /uploads",
"Search for WordPress exploits for version detected",
"Enumerate WordPress users with wpscan"
]
}
```
## Key Principles
1. **Thoroughness**: Don't miss services or directories
2. **Structure**: Always output JSON for coordinator to parse
3. **Speed**: Balance between comprehensive and efficient
4. **Context**: Provide next-step recommendations
5. **No Exploitation**: Stay in recon phase, don't test exploits
## Handoff to Next Phase
When reconnaissance is complete, provide:
1. Complete service inventory
2. Identified vulnerabilities
3. Recommended exploitation approaches
4. Any discovered credentials/default logins
5. Updated `.pentest-state.json`
After reconnaissance is sufficient, proceed to the exploitation phase using exploitation knowledge.Related Skills
shodan-reconnaissance
This skill should be used when the user asks to "search for exposed devices on the internet," "perform Shodan reconnaissance," "find vulnerable services using Shodan," "scan IP ranges...
shodan-reconnaissance-and-pentesting
This skill should be used when the user asks to "search for exposed devices on the internet," "perform Shodan reconnaissance," "find vulnerable services using Shodan," "scan IP ranges with Shodan," or "discover IoT devices and open ports." It provides comprehensive guidance for using Shodan's search engine, CLI, and API for penetration testing reconnaissance.
knowledge-base
专业的知识库管理系统,旨在解决“知识诅咒”和认知偏差问题。通过显式化隐性知识、扫描代码提取领域概念、整合行业最佳实践,构建结构化的 Markdown 知识库。
notion-knowledge-capture
Capture conversations and decisions into structured Notion pages; use when turning chats/notes into wiki entries, how-tos, decisions, or FAQs with proper linking.
recursive-knowledge
Process large document corpora (1000+ docs, millions of tokens) through knowledge graph construction and stateful multi-hop reasoning. Use when (1) User provides a large corpus exceeding context limits, (2) Questions require connections across multiple documents, (3) Multi-hop reasoning needed for complex queries, (4) User wants persistent queryable knowledge from documents. Replaces brute-force document stuffing with intelligent graph traversal.
project-knowledge
Load project architecture and structure knowledge. Use when you need to understand how this project is organized.
privilege-escalation-knowledge
Comprehensive knowledge about Linux privilege escalation. Provides methodologies for enumerating and exploiting privesc vectors including SUID binaries, sudo permissions, capabilities, kernel exploits, cron jobs, and common misconfigurations. Includes systematic approach to capturing root flags.
exploitation-knowledge
Comprehensive knowledge about vulnerability exploitation and initial access. Provides expertise on finding and adapting exploits, adapting proof-of-concepts, gaining shells, and capturing user flags. Covers reverse shells, file uploads, SQL injection, and RCE vulnerabilities.
knowledge
Display knowledge base status and recent learnings
Nmap Reconnaissance
## Overview
Tutor Setup — Knowledge to Obsidian StudyVault
## CWD Boundary Rule (ALL MODES)
Knowledge Distillation: Compressing LLMs
## When to Use This Skill