Agent skill
reconnaissance
Domain assessment and web application mapping - subdomain discovery, port scanning, endpoint enumeration, API discovery, and attack surface analysis.
Install this agent skill to your Project
npx add-skill https://github.com/transilienceai/communitytools/tree/main/projects/pentest/.claude/skills/reconnaissance
SKILL.md
Reconnaissance
Domain and web application reconnaissance. Discovers subdomains, open ports, endpoints, APIs, and JavaScript routes to build attack surface inventory.
Phases
Domain Assessment
- Subdomain Discovery - Passive DNS, certificate transparency, DNS brute-forcing, zone transfers
- Port Scanning - nmap/masscan (top 1000/10000/all), service detection, OS fingerprinting
- Service Enumeration - Version detection, banner grabbing, protocol-specific enumeration
Web Application Mapping
- Software Inventory - Dependencies, frameworks, SBOM generation
- Active Scanning - ffuf, gobuster, nikto, ZAP spider for directories/files
- API Discovery - REST, GraphQL, SOAP, WebSocket, Swagger/OpenAPI docs
- JavaScript & SPA - Client-side routes, dynamic scripts, browser storage
- Surface Analysis - Categorize attack surfaces, prioritize by risk
Output
inventory/ - JSON: subdomains, ports, endpoints, APIs, SBOM
analysis/ - MD: attack-surface, testing-checklist
raw/ - Tool outputs (nmap, ffuf, ZAP, subfinder)
Tools
subfinder, amass, nmap, masscan, ffuf, gobuster, nikto, ZAP, Playwright MCP
Related Skills
/osint - Run alongside reconnaissance for repository enumeration, secret scanning, and git history analysis
Rules
- Passive discovery before active scanning
- Always run /osint in parallel during Phase 2
- Respect rate limits
- Verify subdomains are live before port scanning
- Save all raw tool outputs
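The rules above gate port scanning on subdomains that actually resolve and ask for raw tool output to be preserved alongside the JSON inventory. The following Python script is an added example (not code from this skill or from the transilienceai repository) of that gate and of assembling a record for the inventory/ directory: it normalises a subfinder-style hostname list, keeps only names that resolve, and records the unresolved names so nothing from the raw output is silently dropped. The JSON field names, the sample hostnames and the offline resolver are assumptions made for the example; the resolver is injectable so the script runs without network access.

```python
"""Added example: turn raw subdomain-discovery output into an inventory record,
resolving each name first (the 'verify subdomains are live' rule)."""
from __future__ import annotations

import json
import socket
from typing import Callable, Iterable, Optional

# Constructed sample of what a subfinder-style run prints: one hostname per
# line, with duplicates, mixed case and a blank line to exercise normalisation.
RAW_SUBFINDER_OUTPUT = """\
www.example.com
API.example.com
www.example.com
dev.example.com

mail.example.com
"""


def parse_subdomain_list(raw: str) -> list[str]:
    """Normalise raw tool output into a sorted, de-duplicated hostname list."""
    seen: set[str] = set()
    for line in raw.splitlines():
        host = line.strip().lower().rstrip(".")
        if host:
            seen.add(host)
    return sorted(seen)


def resolve_ipv4(host: str) -> Optional[str]:
    """Default resolver: a single DNS lookup; None when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def filter_live(
    hosts: Iterable[str],
    resolver: Callable[[str], Optional[str]] = resolve_ipv4,
) -> dict[str, str]:
    """Keep only names that resolve, mapping host -> IPv4 address.

    This is the gate applied before any port scanning is scheduled.
    """
    live: dict[str, str] = {}
    for host in hosts:
        addr = resolver(host)
        if addr:
            live[host] = addr
    return live


def build_inventory(
    domain: str,
    raw: str,
    resolver: Callable[[str], Optional[str]] = resolve_ipv4,
) -> dict:
    """Assemble a JSON-serialisable record for inventory/subdomains.json (assumed name).

    Unresolved names are kept in their own list so the raw tool output is
    still reflected in the inventory, just not handed to the scanning phase.
    """
    candidates = parse_subdomain_list(raw)
    live = filter_live(candidates, resolver)
    return {
        "domain": domain,
        "subdomains": [{"host": h, "ipv4": live[h]} for h in candidates if h in live],
        "unresolved": [h for h in candidates if h not in live],
    }


if __name__ == "__main__":
    # Constructed offline resolver (dict lookup) so the example runs without DNS.
    fake_dns = {"www.example.com": "203.0.113.10", "api.example.com": "203.0.113.11"}
    inventory = build_inventory("example.com", RAW_SUBFINDER_OUTPUT, resolver=fake_dns.get)
    print(json.dumps(inventory, indent=2))
```

Swapping the dict-backed resolver for the default `resolve_ipv4` gives the live behaviour; keeping the resolver injectable also makes the gate testable and lets a slower, rate-limited resolver be substituted to honour the "respect rate limits" rule.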