recon
The /recon command executes a comprehensive security reconnaissance pipeline against a target domain, automating subdomain enumeration via Chaos API and subfinder, discovering live hosts through DNS resolution and HTTP probing with technology detection, crawling URLs using katana and historical sources like waybackurls, classifying results into vulnerability categories using gf patterns, and running nuclei scans for known CVEs and misconfigurations. Use this when performing initial attack surface mapping and prioritization for penetration testing engagements.
mkdir -p ~/.claude/commands && curl -fsSL https://raw.githubusercontent.com/elementalsouls/Claude-BugHunter/HEAD/commands/recon.md -o ~/.claude/commands/recon.md

recon.md
# /recon
Run the full recon pipeline on a target and produce a prioritized attack surface.
## What This Does
1. Enumerates subdomains (Chaos API + subfinder + assetfinder)
2. Resolves DNS and finds live hosts (dnsx + httpx with status/title/tech)
3. Crawls URLs (katana deep crawl + waybackurls + gau historical)
4. Classifies URLs by bug class (gf patterns)
5. Runs nuclei for known CVEs and misconfigs
6. Outputs prioritized attack surface summary
## Usage
```
/recon target.com
```
Or with specific focus:
```
/recon target.com --focus api
/recon target.com --focus auth
/recon target.com --fast (skip historical URLs)
```
## Steps
### Step 1: Subdomain Enumeration
```bash
TARGET="$1"
mkdir -p "recon/$TARGET"
# Chaos API (ProjectDiscovery — most comprehensive). The response is an object
# {"domain": ..., "subdomains": [...]} whose entries are bare labels, so the apex
# is re-appended here; a plain '.[]' would emit the domain string and the raw
# array instead of one FQDN per line.
curl -s "https://dns.projectdiscovery.io/dns/$TARGET/subdomains" \
  -H "Authorization: $CHAOS_API_KEY" \
  | jq -r --arg d "$TARGET" '.subdomains[] | "\(.).\($d)"' > "recon/$TARGET/subdomains.txt"
# subfinder + assetfinder (anew appends only lines not already in the file)
subfinder -d "$TARGET" -silent | anew "recon/$TARGET/subdomains.txt"
assetfinder --subs-only "$TARGET" | anew "recon/$TARGET/subdomains.txt"
echo "[+] Subdomains: $(wc -l < "recon/$TARGET/subdomains.txt")"
```
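Passive sources such as Chaos, subfinder and assetfinder routinely return look-alike and third-party names alongside the real ones, so the merged list is worth filtering against the engagement's in-scope apexes before anything is resolved or probed in Step 2. The helper below is an added example, not part of the Claude-BugHunter recon command; it assumes the in-scope apexes are passed as arguments and the candidates arrive on stdin, and the `scope_filter` name and the sample candidate list are constructed for illustration. It goes a little beyond a plain `grep` by normalising case, wildcard prefixes and trailing dots, matching on the label boundary, and de-duplicating.

```shell
# Added example (not part of the Claude-BugHunter recon command): keep only
# candidate names that sit under an in-scope apex before resolving/probing.
# Assumes apexes are passed as arguments and candidates arrive on stdin.
set -eu

# scope_filter APEX [APEX...] < candidates
# Lower-cases each line, strips a leading "*." and a trailing ".", then keeps
# a name only if it equals an apex or ends in ".<apex>". Matching on the label
# boundary is what rejects "nottarget.com" and "target.com.attacker.test",
# both of which a plain `grep target.com` would let through. Output is
# de-duplicated in first-seen order.
scope_filter() {
  apexes="$*"
  tr 'A-Z' 'a-z' \
    | sed -e 's/[[:space:]]//g' -e 's/^\*\.//' -e 's/\.$//' \
    | awk -v apexes="$apexes" '
        BEGIN { n = split(apexes, a, " ") }
        NF == 0 || ($0 in seen) { next }
        {
          for (i = 1; i <= n; i++) {
            if ($0 == a[i] || substr($0, length($0) - length(a[i])) == "." a[i]) {
              seen[$0] = 1; print; next
            }
          }
        }'
}

# Constructed candidates mixing in-scope, look-alike and out-of-scope names.
SAMPLE_CANDIDATES='www.target.com
API.TARGET.COM
nottarget.com
target.com.attacker.test
*.dev.target.com
target.com
www.target.com'

# Real use, before Step 2:
#   scope_filter "$TARGET" < "recon/$TARGET/subdomains.txt" > "recon/$TARGET/in-scope.txt"
filter_sample() { printf '%s\n' "$SAMPLE_CANDIDATES" | scope_filter target.com; }
filter_sample
```

Several apexes can be given at once (`scope_filter target.com target.net`), which is the usual shape of a bug bounty scope; anything not under one of them is silently dropped rather than probed.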
### Step 2: Live Host Discovery
```bash
# DNS resolve + HTTP probe with tech detection
cat recon/$TARGET/subdomains.txt \
| dnsx -silent \
| httpx -silent -status-code -title -tech-detect \
| tee recon/$TARGET/live-hosts.txt
echo "[+] Live hosts: $(wc -l < recon/$TARGET/live-hosts.txt)"
```
### Step 3: URL Crawl
```bash
# Active crawl
cat recon/$TARGET/live-hosts.txt | awk '{print $1}' \
| katana -d 3 -jc -kf all -silent \
| anew recon/$TARGET/urls.txt
# Historical URLs
echo $TARGET | waybackurls | anew recon/$TARGET/urls.txt
gau $TARGET --subs | anew recon/$TARGET/urls.txt
echo "[+] Total URLs: $(wc -l < recon/$TARGET/urls.txt)"
```
### Step 4: Classify URLs
```bash
# Bug class classification — gf patterns
cat recon/$TARGET/urls.txt | gf xss > recon/$TARGET/xss-candidates.txt
cat recon/$TARGET/urls.txt | gf ssrf > recon/$TARGET/ssrf-candidates.txt
cat recon/$TARGET/urls.txt | gf idor > recon/$TARGET/idor-candidates.txt
cat recon/$TARGET/urls.txt | gf sqli > recon/$TARGET/sqli-candidates.txt
cat recon/$TARGET/urls.txt | gf redirect > recon/$TARGET/redirect-candidates.txt
cat recon/$TARGET/urls.txt | gf lfi > recon/$TARGET/lfi-candidates.txt
cat recon/$TARGET/urls.txt | gf rce > recon/$TARGET/rce-candidates.txt
cat recon/$TARGET/urls.txt | gf ssti > recon/$TARGET/ssti-candidates.txt
cat recon/$TARGET/urls.txt | gf interestingparams > recon/$TARGET/interesting-candidates.txt
# Open redirect params (extra patterns not in gf)
grep -E "(\?|&)(redirect|next|return|dest|destination|go|forward|target|redir|url|continue|returnTo|returnUrl|callback|out|link)=" \
recon/$TARGET/urls.txt | anew recon/$TARGET/redirect-candidates.txt
# CORS check candidates
grep -E "(\?|&)(callback|jsonp|cb|_callback)=" recon/$TARGET/urls.txt \
> recon/$TARGET/cors-jsonp-candidates.txt
# Host header / password reset candidates
cat recon/$TARGET/urls.txt | grep -E "/(forgot|reset|password|recovery)" \
> recon/$TARGET/host-header-candidates.txt
# File upload candidates
cat recon/$TARGET/urls.txt | grep -E "/(upload|import|attach|file|document|image|avatar|profile)" \
> recon/$TARGET/upload-candidates.txt
# API endpoints
cat recon/$TARGET/urls.txt | grep -E "/api/|/v1/|/v2/|/v3/|/graphql|/rest/|/gql" \
> recon/$TARGET/api-endpoints.txt
# Auth/session endpoints
cat recon/$TARGET/urls.txt | grep -E "/(login|logout|signin|signup|register|auth|oauth|sso|token|session)" \
> recon/$TARGET/auth-endpoints.txt
# Admin panels
cat recon/$TARGET/live-hosts.txt | awk '{print $1}' | while read -r host; do
  for path in /admin /admin/ /dashboard /wp-admin /jenkins /grafana /kibana /phpmyadmin /adminer; do
    STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 5 "$host$path")
    [ "$STATUS" != "404" ] && [ "$STATUS" != "000" ] && echo "$STATUS $host$path"
  done
done > recon/$TARGET/admin-panels.txt
echo "[+] IDOR candidates: $(wc -l < recon/$TARGET/idor-candidates.txt)"
echo "[+] SSRF candidates: $(wc -l < recon/$TARGET/ssrf-candidates.txt)"
echo "[+] LFI candidates: $(wc -l < recon/$TARGET/lfi-candidates.txt)"
echo "[+] Redirect candidates: $(wc -l < recon/$TARGET/redirect-candidates.txt)"
echo "[+] Upload candidates: $(wc -l < recon/$TARGET/upload-candidates.txt)"
echo "[+] API endpoints: $(wc -l < recon/$TARGET/api-endpoints.txt)"
echo "[+] Auth endpoints: $(wc -l < recon/$TARGET/auth-endpoints.txt)"
echo "[+] Admin panels found: $(wc -l < recon/$TARGET/admin-panels.txt)"
```
### Step 5: Nuclei Scan
```bash
# Full severity scan
nuclei -l recon/$TARGET/live-hosts.txt \
-t ~/nuclei-templates/ \
-severity critical,high,medium \
-o recon/$TARGET/nuclei.txt
# Focused CVE scan (critical/high CVEs only)
nuclei -l recon/$TARGET/live-hosts.txt \
-t ~/nuclei-templates/cves/ \
-severity critical,high \
-o recon/$TARGET/nuclei-cves.txt
# Misconfiguration scan
nuclei -l recon/$TARGET/live-hosts.txt \
-t ~/nuclei-templates/misconfiguration/ \
-o recon/$TARGET/nuclei-misconfig.txt
# Exposed panels/services
nuclei -l recon/$TARGET/live-hosts.txt \
-t ~/nuclei-templates/exposed-panels/ \
-t ~/nuclei-templates/exposed-services/ \
-o recon/$TARGET/nuclei-exposed.txt
echo "[+] Nuclei findings: $(wc -l < recon/$TARGET/nuclei.txt)"
echo "[+] CVE findings: $(wc -l < recon/$TARGET/nuclei-cves.txt)"
echo "[+] Misconfig findings: $(wc -l < recon/$TARGET/nuclei-misconfig.txt)"
echo "[+] Exposed panel/svc: $(wc -l < recon/$TARGET/nuclei-exposed.txt)"
```
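The overview's final step, a prioritised attack-surface summary, has no code on the page, and the four nuclei result files above overlap (the CVE and misconfiguration runs re-cover templates from the full run). The helpers below are an added example rather than the command's own code. They assume nuclei's default line format `[template-id] [protocol] [severity] url`; the sample findings, placeholder template ids and function names are constructed. They turn one or more result files into a per-severity count and a host list ordered by worst finding, de-duplicating repeated (template, url) pairs so the Step 5 outputs can be concatenated without double counting.

```shell
# Added example (not the recon command's own code): turn nuclei's default
# output lines "[template-id] [protocol] [severity] url" into a severity
# summary and a host list ordered by worst finding. Sample findings and the
# placeholder template ids below are constructed.
set -eu

# parse_nuclei FILE -> "severity<TAB>host<TAB>template<TAB>url", one line per
# unique (template, url) pair, so concatenated result files do not double count.
parse_nuclei() {
  awk '
    /^\[/ && NF >= 4 {
      tpl = $1; gsub(/^\[|\]$/, "", tpl)
      sev = $3; gsub(/^\[|\]$/, "", sev)
      if (sev !~ /^(critical|high|medium|low|info)$/) sev = "unknown"
      if ((tpl, $4) in seen) next
      seen[tpl, $4] = 1
      host = $4; sub("^[a-z]+://", "", host); sub("[/:].*$", "", host)
      printf "%s\t%s\t%s\t%s\n", sev, host, tpl, $4
    }' "$1"
}

# summarize_nuclei FILE -> "severity<TAB>findings<TAB>affected hosts", critical first
summarize_nuclei() {
  parse_nuclei "$1" | awk -F'\t' '
    BEGIN { n = split("critical high medium low info unknown", ord, " ") }
    { count[$1]++; if (!(($1, $2) in hs)) { hs[$1, $2] = 1; hosts[$1]++ } }
    END {
      for (i = 1; i <= n; i++)
        if (ord[i] in count) printf "%s\t%d\t%d\n", ord[i], count[ord[i]], hosts[ord[i]]
    }'
}

# rank_hosts FILE -> "worst severity<TAB>host<TAB>findings", most severe host
# first, then by number of findings, then by name.
rank_hosts() {
  parse_nuclei "$1" | awk -F'\t' '
    BEGIN { r["critical"] = 5; r["high"] = 4; r["medium"] = 3; r["low"] = 2; r["info"] = 1; r["unknown"] = 0 }
    { n[$2]++; if (!($2 in worst) || r[$1] > r[worst[$2]]) worst[$2] = $1 }
    END { for (h in n) printf "%d\t%s\t%s\t%d\n", r[worst[h]], worst[h], h, n[h] }' \
  | sort -k1,1nr -k4,4nr -k3,3 | cut -f2-
}

# Constructed nuclei output; the first finding is repeated on purpose, as it
# would be if nuclei.txt and nuclei-cves.txt were concatenated.
SAMPLE_NUCLEI="$(mktemp)"
cat > "$SAMPLE_NUCLEI" <<'EOF'
[placeholder-cve] [http] [critical] https://app.target.com/
[placeholder-cve] [http] [critical] https://app.target.com/
[placeholder-cors] [http] [medium] https://api.target.com/v1/users
[placeholder-cors] [http] [medium] https://api.target.com/v1/orders
[placeholder-listing] [http] [low] http://static.target.com/assets/
[placeholder-panel] [http] [info] https://grafana.target.com:3000/login
EOF

# Real use: cat recon/$TARGET/nuclei*.txt > all.txt; summarize_nuclei all.txt; rank_hosts all.txt
summarize_nuclei "$SAMPLE_NUCLEI"
rank_hosts "$SAMPLE_NUCLEI"
```

The host ranking is what the "prioritized attack surface" step needs: the top of the list is the host with the most severe confirmed finding, so validation effort goes there first, and the severity table gives the numbers for the engagement summary.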
### Step 6: JS Secret Scan
```bash
# Download and scan JS files for secrets
cat recon/$TARGET/urls.txt | grep "\.js$" | head -200 | \
xargs -I{} curl -s "{}" | \
grep -oE "(api_key|apikey|secret|password|token|access_key|aws_access|private_key|client_secret)['\"]?\s*[:=]\s*['\"]?[A-Za-z0-9+/=_\-]{10,}" \
> recon/$TARGET
```