recon-dominator
Install: claude install-skill KaQus/claude-code-pentest
# Recon Dominator
Full-scope reconnaissance orchestrator. From a single domain to a complete attack surface map.
## Important
CRITICAL: Only use on domains you have explicit authorization to test. Verify scope before every engagement.
## Instructions
### Step 1: Scope Validation
Before ANY reconnaissance activity:
1. Ask the user to confirm they have written authorization to test the target domain(s)
2. Confirm the scope boundaries (wildcard subdomains? specific IPs only? out-of-scope assets?)
3. Document the scope in the output
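The scope boundaries from Step 1 are easiest to enforce if they are encoded once and every later step filters through them. The following is an added example, not one of the Recon Dominator skill's own scripts: a small validator that expresses wildcard subdomains, specific IPs or networks, and out-of-scope assets, and partitions a discovered asset list into what may be touched and what must not. All domains, networks and hostnames in it are constructed placeholders.

```python
"""Engagement scope check for discovered assets.

Added example, not one of the Recon Dominator skill's own scripts: it
encodes the Step 1 scope boundaries (wildcard subdomains, specific IPs or
networks, out-of-scope assets) so later steps can drop anything not
covered. Every domain, network and hostname below is a constructed
placeholder, not a real target.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    domains: list = field(default_factory=list)   # "*.example.com" or "example.com"
    networks: list = field(default_factory=list)  # single IPs or CIDR ranges
    excluded: list = field(default_factory=list)  # host patterns or CIDRs; exclusion wins


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _host_matches(host: str, pattern: str) -> bool:
    """Exact match, or any name under a '*.' pattern (the apex itself is not covered)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # ".example.com" suffix, so the apex never matches
    return host == pattern


def _ip_matches(ip: str, network: str) -> bool:
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)
    except ValueError:  # rule is a hostname pattern, not a network
        return False


def _matches(asset: str, rule: str) -> bool:
    return _ip_matches(asset, rule) if _is_ip(asset) else _host_matches(asset, rule)


def in_scope(asset: str, scope: Scope) -> bool:
    """True only when an inclusion rule covers the asset and no exclusion rule does."""
    if any(_matches(asset, rule) for rule in scope.excluded):
        return False
    return any(_matches(asset, rule) for rule in scope.domains + scope.networks)


def partition_by_scope(assets, scope: Scope) -> dict:
    """Split discovered assets for the report: what may be touched and what must not."""
    result = {"in_scope": [], "out_of_scope": []}
    for asset in sorted(set(assets)):
        result["in_scope" if in_scope(asset, scope) else "out_of_scope"].append(asset)
    return result


if __name__ == "__main__":
    # Constructed scope and discovered-asset list for demonstration only.
    scope = Scope(domains=["*.example.com", "example.org"],
                  networks=["10.0.0.0/24"],
                  excluded=["legacy.example.com", "10.0.0.1"])
    discovered = ["api.example.com", "example.com", "legacy.example.com",
                  "evilexample.com", "10.0.0.77", "10.0.0.1", "10.0.1.5"]
    print(partition_by_scope(discovered, scope))
```

Two design points worth keeping when adapting this: exclusions are evaluated before inclusions so an out-of-scope host under an in-scope wildcard is still dropped, and a `*.` pattern deliberately does not cover the apex domain, which must be listed on its own if it is in scope.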
### Step 2: Passive Subdomain Enumeration
Run passive enumeration first (no direct contact with target):
```bash
python scripts/passive_recon.py --domain {target_domain}
```
This collects subdomains from:
- Certificate Transparency logs (crt.sh)
- DNS datasets (SecurityTrails, DNSDumpster)
- Search engine results
- Wayback Machine archives
Expected output: JSON list of discovered subdomains with source attribution.
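The merging and source-attribution step behind that expected output is the part practitioners most often get wrong (mixed case, trailing dots, wildcard names, and certificates whose SANs only resemble the target). The following is an added example and not the skill's own `passive_recon.py`: it normalises constructed crt.sh-style records and a constructed second source into one deduplicated list with per-subdomain source attribution. The crt.sh record layout follows its public JSON output (a list of objects whose `name_value` holds newline-separated names); the records here are constructed, not fetched, and `example.com` is a placeholder target.

```python
"""Normalise passive-source results into one attributed subdomain list.

Added example, not the skill's own passive_recon.py. The crt.sh record
layout follows its public JSON output (a list of objects whose
``name_value`` holds newline-separated names); the records below are
constructed, not fetched, and example.com is a placeholder target.
"""
import json
from collections import defaultdict

TARGET = "example.com"  # constructed placeholder target

# Constructed crt.sh-style records; a live query would look like
# https://crt.sh/?q=%25.example.com&output=json
CRTSH_SAMPLE = [
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com", "issuer_name": "C=XX, O=Constructed CA"},
    {"id": 2, "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"id": 3, "common_name": "Mail.Example.com.", "name_value": "Mail.Example.com."},
    # Looks related but is a different registrable domain; must be dropped.
    {"id": 4, "common_name": "example.com.evil.test", "name_value": "example.com.evil.test"},
]

# Constructed hostnames standing in for a second passive source (archived URLs).
WAYBACK_SAMPLE = ["api.dev.example.com", "static.example.com", "www.example.com"]


def normalise(name: str, target: str):
    """Return (hostname, is_wildcard) or None when the name is not under target."""
    host = name.strip().lower().rstrip(".")
    wildcard = host.startswith("*.")
    if wildcard:
        host = host[2:]  # keep the parent name, remember the cert was a wildcard
    if host == target or host.endswith("." + target):
        return host, wildcard
    return None


def names_from_crtsh(records, target):
    """Yield (hostname, is_wildcard) for every SAN in every crt.sh record."""
    for rec in records:
        for raw in rec.get("name_value", "").splitlines():
            norm = normalise(raw, target)
            if norm:
                yield norm


def merge_sources(target, crtsh_records, wayback_hosts):
    """Deduplicate across sources and record which source saw each subdomain."""
    found = defaultdict(lambda: {"sources": set(), "wildcard_cert": False})
    for host, wildcard in names_from_crtsh(crtsh_records, target):
        found[host]["sources"].add("crt.sh")
        found[host]["wildcard_cert"] |= wildcard
    for raw in wayback_hosts:
        norm = normalise(raw, target)
        if norm:
            found[norm[0]]["sources"].add("wayback")
    return [
        {"subdomain": host,
         "sources": sorted(info["sources"]),
         "wildcard_cert": info["wildcard_cert"]}
        for host, info in sorted(found.items())
    ]


def to_json(results) -> str:
    """Serialise in the shape the skill describes: a JSON list with source attribution."""
    return json.dumps(results, indent=2)


if __name__ == "__main__":
    print(to_json(merge_sources(TARGET, CRTSH_SAMPLE, WAYBACK_SAMPLE)))
```

The `wildcard_cert` flag is kept deliberately: a `*.dev.example.com` certificate proves that `dev.example.com` exists as a parent zone but not that any specific host under it does, so it is a hint for later steps rather than a confirmed subdomain.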
### Step 3: Active Subdomain Enumeration
After the passive phase, run active enumeration:
```bash
python scripts/active_recon.py --domain {target_domain} --wordlist references/subdomains-wordlist.txt
```
This performs:
- DNS brute-force with common subdomain wordlist
- DNS zone transfer attempts
- Virtual host discovery
- Permutation/alteration scanning (dev-, staging-, api-, etc.)
### Step 4: Live Host Detection and Port Scanning
```bash
python scripts/port_scanner.py --input {subdomains_file} --top-ports 1000
```
For each live