# Plan Reconnaissance and Enumeration Workflows

Security teams need consistent reconnaissance notes before deeper testing. This skill organizes authorized scanning, service enumeration, web discovery, and reporting into repeatable phases.

## Install

```bash
npx skillstore add charleskozel/reconnaissance-knowledge
```

## Metadata

- Slug: charleskozel-reconnaissance-knowledge
- Version: 1.0.0
- Author: CharlesKozel
- GitHub username: CharlesKozel
- License: MIT
- Repository: https://github.com/CharlesKozel/Pentest-Agent-Evalulator/tree/main/agents/claude-tbug/skills/recon
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: high
- Risk factors: external_commands, network, filesystem
- Quality score: 38
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/charleskozel-reconnaissance-knowledge
- Manifest: https://skillstore.pages.dev/api/skills/charleskozel-reconnaissance-knowledge/manifest

## Capabilities

- Breaks reconnaissance into quick, deep, and alternative collection layers.
- Lists common tools for port discovery, web enumeration, DNS lookup, and service checks.
- Provides example workflows for TCP, UDP, HTTP, SMB, FTP, SSH, and database services.
- Defines structured report fields for ports, services, technologies, paths, and likely vectors.
- Suggests when to save raw output and update a state file.

## Use Cases

- Prepare a Lab Recon Plan: Create a phased checklist for a controlled practice host before starting manual analysis.
- Standardize Assessment Notes: Convert scan results into consistent sections for ports, services, web paths, and next steps.
- Review Enumeration Coverage: Check whether an authorized assessment covered common network, web, and service discovery areas.

## Prompt Templates

### Create a Basic Recon Checklist

```
Create a beginner reconnaissance checklist for an authorized lab target. Include port discovery, service detection, web checks, and notes to collect.
```

### Organize Service Findings

```
Help me organize these authorized scan findings into services, versions, web technologies, interesting paths, and follow-up questions.
```

### Identify Coverage Gaps

```
Review this authorized reconnaissance workflow and identify missing enumeration areas, risky assumptions, and safer alternatives for production systems.
```

### Build a Handoff Summary

```
Draft a concise handoff summary for an authorized assessment. Include discovered services, likely risk areas, evidence to preserve, and scope reminders.
```

## Limitations

- It does not verify that a target is authorized for testing.
- It does not run tools by itself; it only provides guidance and examples.
- Some examples are intrusive and may be unsafe on production systems.
- It does not include remediation guidance for discovered vulnerabilities.

## Best Practices

- Use this skill only for systems where you have explicit written authorization.
- Start with low-impact discovery before increasing scan intensity.
- Keep raw evidence, scope notes, and assumptions separate in the final report.

## Anti Patterns

- Do not use the workflows against public systems without approval.
- Do not treat example findings as confirmed vulnerabilities.
- Do not skip scope validation before credential or account checks.

## Security Audit

- Safe to publish: false
- Audited at: 2026-06-28T21:44:37.433+00:00
- Summary: Static findings for Ruby backtick execution, weak cryptography, and hard link creation are false positives caused by markdown backticks, frontmatter text, and command syntax. The security risk is still high because the skill provides concrete active scanning, web brute forcing, vulnerability scan, default credential, and exploitation handoff guidance for arbitrary targets without enforcing authorization.

## Stats

- Views: 275
- Downloads: 5
- Favorites: 0
- Popularity score: 0
