recon-asset-discoverylisted

# Recon — Asset Discovery > Sub-skill of `offensive-osint`. Load `osint-methodology` for pipeline and triage context. > Authorized targets only. --- ## BEHAVIORAL CONTRACT **When triggered:** Subdomain enumeration, asset discovery, DNS records, CT logs, WHOIS/RDAP, or passive reconnaissance is needed. **Execute:** 1. Run the passive subdomain-source stack (§1) in parallel across all listed sources. If crt.sh is down, follow the fallback chain. 2. Complement passive results with common-prefix candidates from the prefix wordlist (§2). 3. Run WHOIS/RDAP (§3) on the root domain. Extract registrant org/email for pivoting. 4. Catalog DNS records (§4) for every discovered domain/subdomain. Parse TXT records for SaaS tenancy inference using the verification token table. 5. Check autodiscover for M365 confirmation (§4). 6. Deduplicate all discovered assets by typed key. Tag each with confidence level per `osint-methodology` §2. **Output:** Asset list with typed keys (subdomain, ip, domain) per `osint-methodology` §8 taxonomy. **Severity rules:** DNS AXFR success = CRITICAL. Missing CAA = LOW. **Gating rules:** Passive first. Active prefix sweep only when authorized. Brute-force (puredns) only with explicit operator approval. **Chain to:** Feed discovered subdomains to `web-surface` for probing. Feed discovered emails to `people-breach-intel` for breach lookup. Feed discovered IPs to `cloud-and-infra` for infrastructure analysis. --- ## 1. Subdomain-Source Stack (Passive) |