Recon Dominator
Map attack surface with subdomain enumeration, port scanning, and technology fingerprinting.
Installation
- Make sure Claude is on your device and in your terminal.
Skills load from
~/.claude/skills/when Claude Code starts up — so you need it on your machine first. If you don't have it yet, install it once with the command below, then runclaudein any terminal to verify.One-time setupnpm i -g @anthropic-ai/claude-codeAlready have it? Skip ahead.
- Paste into Claude Code or into your terminal.
This copies the whole skill folder into
~/.claude/skills/recon-dominator-kaqus/— the SKILL.md plus any scripts, reference docs, or templates the skill ships with. Safe default: works for every skill.Faster alternative (instruction-only skills)
Skips the clone and grabs only the SKILL.md file. Don't use this if the skill ships Python scripts, reference markdowns, or asset templates — they won't be downloaded and the skill will fail when it tries to load them.
Quick install (SKILL.md only)Sign up to copy - Restart Claude Code.
Quit and reopen Claude Code (or any other agent that loads from
~/.claude/skills/). New skills are picked up on startup. - Just ask Claude.
Skills auto-activate when your request matches the skill's description — no slash command needed. Trigger phrases live in the skill's own frontmatter; you can read them in the “What this skill does” section above.
Prefer to read the source first? Open on GitHub.
When Claude uses it
Automated full-scope reconnaissance starting from a domain or domain list. Performs subdomain enumeration, port scanning, technology fingerprinting, OSINT correlation, Google dorking, and Wayback analysis. Use when user provides a domain or list of domains and asks for "recon", "reconnaissance", "attack surface mapping", "subdomain enumeration", "footprinting", or "information gathering". Designed for authorized penetration testing and bug bounty.
What this skill does
Recon Dominator
Full-scope reconnaissance orchestrator. From a single domain to a complete attack surface map.
Important
CRITICAL: Only use on domains you have explicit authorization to test. Verify scope before every engagement.
Instructions
Step 1: Scope Validation
Before ANY reconnaissance activity:
- Ask the user to confirm they have written authorization to test the target domain(s)
- Confirm the scope boundaries (wildcard subdomains? specific IPs only? out-of-scope assets?)
- Document the scope in the output
Step 2: Passive Subdomain Enumeration
Run passive enumeration first (no direct contact with target):
python scripts/passive_recon.py --domain {target_domain}
This collects subdomains from:
- Certificate Transparency logs (crt.sh)
- DNS datasets (SecurityTrails, DNSDumpster)
- Search engine results
- Wayback Machine archives
Expected output: JSON list of discovered subdomains with source attribution.
Step 3: Active Subdomain Enumeration
After passive phase, run active enumeration:
python scripts/active_recon.py --domain {target_domain} --wordlist references/subdomains-wordlist.txt
This performs:
- DNS brute-force with common subdomain wordlist
- DNS zone transfer attempts
- Virtual host discovery
- Permutation/alteration scanning (dev-, staging-, api-, etc.)
Step 4: Live Host Detection and Port Scanning
python scripts/port_scanner.py --input {subdomains_file} --top-ports 1000
For each live subdomain:
- HTTP/HTTPS probe (status codes, redirects, titles)
- Top 1000 port scan with service version detection
- Banner grabbing on open ports
- WAF/CDN detection (Cloudflare, Akamai, AWS CloudFront)
Step 5: Technology Fingerprinting
python scripts/tech_fingerprint.py --input {live_hosts_file}
Detect:
- Web server (Apache, Nginx, IIS, etc.)
- Programming language/framework (PHP, Django, Rails, Spring, etc.)
- CMS (WordPress, Drupal, Joomla)
- JavaScript frameworks (React, Angular, Vue)
- Third-party services and integrations
- HTTP security headers (or lack thereof)
Step 6: OSINT Correlation
python scripts/osint_correlator.py --domain {target_domain}
Gather:
- WHOIS history and registrant patterns
- ASN mapping and IP range ownership
- Reverse IP lookups (shared hosting)
- Email addresses associated with the domain
- Social media and GitHub references
- Leaked credentials databases (public sources only)
Step 7: Google Dorking
python scripts/google_dorker.py --domain {target_domain} --dork-file references/dorks-database.txt
Automated searches for:
- Exposed files:
site:{domain} filetype:pdf|doc|xls|sql|bak|log|env - Login panels:
site:{domain} inurl:admin|login|dashboard - Directory listings:
site:{domain} intitle:"index of" - Error messages:
site:{domain} "sql syntax" | "warning" | "error" - Sensitive endpoints:
site:{domain} inurl:api|graphql|swagger|config
Step 8: Wayback Machine Analysis
python scripts/wayback_analyzer.py --domain {target_domain}
Extract:
- Historical endpoints no longer linked but still active
- Removed pages with sensitive information
- Old API versions still responding
- Parameter names from archived URLs
- JavaScript files with hardcoded secrets
Step 9: Output Generation
Compile all findings into a structured report:
python scripts/generate_report.py --project {project_name}
Output format:
- Executive Summary: domain count, subdomain count, live hosts, open ports, technologies
- Asset Inventory: full list with metadata per asset
- Technology Matrix: tech stack per subdomain
- Potential Entry Points: ranked by interest level
- Relationship Graph: JSON graph of domain relationships
- Raw Data: all collected data in JSON for pipeline consumption
Output Files Structure
output/{project_name}/
summary.md # Human-readable report
assets.json # Full asset inventory
subdomains.json # All discovered subdomains
ports.json # Port scan results
technologies.json # Tech fingerprinting
osint.json # OSINT findings
wayback.json # Historical data
graph.json # Relationship graph
dorking_results.json # Google dork findings
Error Handling
Common Issues
Rate Limiting on External APIs
If you see "429 Too Many Requests":
- The scripts have built-in rate limiting and backoff
- If persistent, increase delay:
--delay 5 - For crt.sh: wait 60 seconds between requests
DNS Resolution Failures
If subdomains fail to resolve:
- Try alternative DNS resolvers:
--resolvers 8.8.8.8,1.1.1.1,9.9.9.9 - Check if target uses split-horizon DNS
- Some subdomains may be internal-only
Timeout on Port Scanning
For large scope (100+ subdomains):
- Reduce port count:
--top-ports 100 - Increase timeout:
--timeout 10 - Run in batches:
--batch-size 20
Examples
Example 1: Single Domain Recon
User says: "Run full recon on example.com"
Actions:
- Confirm authorization
- Run all steps sequentially on example.com
- Generate consolidated report
Result: Complete attack surface map with all subdomains, services, and technologies.
Example 2: Multi-Domain Bug Bounty Scope
User says: "I have a bug bounty scope: *.example.com, api.example.org, app.example.io"
Actions:
- Confirm bug bounty program and scope rules
- Run passive + active enum on each wildcard domain
- For specific subdomains, skip enumeration, go directly to port scan
- Cross-correlate findings between domains
- Generate unified report
Example 3: Quick Passive Only
User says: "Do passive recon only on example.com, no active scanning"
Actions:
- Run only Steps 2, 6, 7, 8 (no direct target contact)
- Skip active DNS brute, port scanning, tech fingerprinting
- Generate report with passive findings only
Related skills
Generative Code Art
anthropics
Create algorithmic art with p5.js using randomness and interactive parameters.
Poster & Visual Design
anthropics
Create original posters and visual art in PNG and PDF formats.
Claude API Helper
anthropics
Build, debug, and optimize Claude API applications with caching and model migration support.
MCP Server Builder
anthropics
Build protocol servers that connect language models to external APIs and services.