reconnaissance

Reconnaissance

Domain and web application reconnaissance. Discovers subdomains, open ports, endpoints, APIs, and JavaScript routes to build attack surface inventory.

Phases

Domain Assessment

  1. Subdomain Discovery - Passive DNS, certificate transparency, DNS brute-forcing, zone transfers
  2. Port Scanning - nmap/masscan (top 1000/10000/all), service detection, OS fingerprinting
  3. Service Enumeration - Version detection, banner grabbing, protocol-specific enumeration

Web Application Mapping

  1. Software Inventory - Dependencies, frameworks, SBOM generation
  2. Active Scanning - ffuf, gobuster, nikto, ZAP spider for directories/files
  3. API Discovery - REST, GraphQL, SOAP, WebSocket, Swagger/OpenAPI docs
  4. JavaScript & SPA - Client-side routes, dynamic scripts, browser storage
  5. Surface Analysis - Categorize attack surfaces, prioritize by risk

Output

inventory/  - JSON: subdomains, ports, endpoints, APIs, SBOM
analysis/   - MD: attack-surface, testing-checklist
raw/        - Tool outputs (nmap, ffuf, ZAP, subfinder)
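The Surface Analysis step (categorize attack surfaces, prioritize by risk) and the inventory/ JSON output above describe a data flow without showing it. The following is an added example, not code from this skill or its tooling, that merges an inventory JSON document into a risk-ordered list and renders it as the kind of markdown that would go into analysis/attack-surface. The inventory schema, the category weights and the sample hosts are all assumptions constructed for illustration; the skill itself does not define them. It also applies rule 4 (only live subdomains are considered) so that stale hosts do not inflate the inventory.

```python
"""Merge recon inventory JSON into a prioritized attack-surface list (added example)."""
import json

# Constructed sample input. The field names below are an ASSUMED layout for
# inventory/*.json; the skill does not publish a schema.
SAMPLE_INVENTORY = {
    "subdomains": [
        {"name": "www.example.com", "live": True},
        {"name": "staging.example.com", "live": True},
        {"name": "old.example.com", "live": False},  # not live: must be excluded
    ],
    "ports": [
        {"host": "www.example.com", "port": 443, "service": "https"},
        {"host": "staging.example.com", "port": 22, "service": "ssh"},
        {"host": "staging.example.com", "port": 8080, "service": "http"},
    ],
    "endpoints": [
        {"host": "www.example.com", "path": "/login", "auth": False},
        {"host": "staging.example.com", "path": "/admin", "auth": False},
        {"host": "www.example.com", "path": "/api/v1/users", "auth": True},
        {"host": "old.example.com", "path": "/status", "auth": False},
    ],
    "apis": [
        {"host": "www.example.com", "path": "/graphql", "type": "graphql"},
    ],
}

# Illustrative (assumed) risk weights per surface category.
MANAGEMENT_PORTS = {22, 23, 3389, 5900}
DATABASE_PORTS = {1433, 3306, 5432, 6379, 27017}
NON_PROD_HINTS = ("staging", "dev", "test", "uat")
WEIGHTS = {
    "admin-endpoint": 3,
    "management-port": 3,
    "database-port": 3,
    "unauthenticated-endpoint": 2,
    "api": 2,
    "web": 1,
    "non-production-host": 1,
}


def live_hosts(inventory):
    """Rule 4: only subdomains verified live take part in the analysis."""
    return {s["name"] for s in inventory["subdomains"] if s.get("live")}


def categorize(kind, item):
    """Assign zero or more surface categories to one inventory item."""
    cats = []
    if kind == "port":
        if item["port"] in MANAGEMENT_PORTS:
            cats.append("management-port")
        elif item["port"] in DATABASE_PORTS:
            cats.append("database-port")
        elif item.get("service", "").startswith("http"):
            cats.append("web")
    elif kind == "endpoint":
        if item["path"].startswith("/admin"):
            cats.append("admin-endpoint")
        if item["path"].startswith("/api"):
            cats.append("api")
        if not item.get("auth", True):
            cats.append("unauthenticated-endpoint")
    elif kind == "api":
        cats.append("api")
    # Hosts whose first label looks non-production get a small bump.
    if item["host"].split(".")[0] in NON_PROD_HINTS:
        cats.append("non-production-host")
    return cats


def prioritize(inventory):
    """Return inventory items as rows sorted by descending risk score."""
    live = live_hosts(inventory)
    rows = []
    for kind, key in (("port", "ports"), ("endpoint", "endpoints"), ("api", "apis")):
        for item in inventory[key]:
            if item["host"] not in live:
                continue  # skip anything on a host that was not verified live
            cats = categorize(kind, item)
            target = (f'{item["host"]}:{item["port"]}' if kind == "port"
                      else item["host"] + item["path"])
            rows.append({"kind": kind, "target": target, "categories": cats,
                         "score": sum(WEIGHTS[c] for c in cats)})
    rows.sort(key=lambda r: (-r["score"], r["target"]))
    return rows


def render_markdown(rows):
    """Render rows as a table suitable for analysis/attack-surface.md."""
    lines = ["| Score | Kind | Target | Categories |", "|---|---|---|---|"]
    for r in rows:
        lines.append(f'| {r["score"]} | {r["kind"]} | {r["target"]} | '
                     f'{", ".join(r["categories"]) or "-"} |')
    return "\n".join(lines)


if __name__ == "__main__":
    # With a real run, load json.load(open("inventory/endpoints.json")) etc. instead.
    print(render_markdown(prioritize(json.loads(json.dumps(SAMPLE_INVENTORY)))))
```

The weights are deliberately crude; the point is the shape of the pipeline: a single inventory document in, a reproducible ordering out, with the liveness filter applied before anything is scored so that the raw/ tool outputs and the analysis/ document agree on which hosts were actually in scope.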

Tools

subfinder, amass, nmap, masscan, ffuf, gobuster, nikto, ZAP, Playwright MCP

Related Skills

相关技能

  • /osint
    - Run alongside reconnaissance for repository enumeration, secret scanning, and git history analysis

Rules

  1. Passive discovery before active scanning
  2. Always run /osint in parallel during Phase 2
  3. Respect rate limits
  4. Verify subdomains are live before port scanning
  5. Save all raw tool outputs