reconlisted
Install: claude install-skill Wulan234/agent
# Recon playbook
You have been asked to map the attack surface of a domain the user is authorized to test. Stay surgical — do not scan IP ranges or third-party assets.
Default to curl and the built-in `http` tool. Do not pull in specialized scanners (subfinder, httpx, ffuf, gobuster, etc.) unless the user explicitly asks for them.
Execution rule: substitute the real apex/host into commands before running them. Never write literal placeholders such as `<APEX>`, `<HOST>`, or `<subdomains>` to files. If the apex is unclear, ask once before running commands.
## 1. Confirm scope
Before running anything, restate the apex domain and ask the user to confirm it is in scope (only ask if scope was not already explicit in the conversation). Note any explicit out-of-scope subdomains or paths.
## 2. Passive subdomain enumeration with curl
Pull from public CT logs — no extra tooling required. Note: `crt.sh` is flaky and frequently answers with a `502`/HTML page or an empty body instead of JSON. Piping that straight into `jq` is what throws `jq: parse error: Invalid numeric literal`. Validate the body is JSON before parsing, and retry with backoff:
```
# Robust crt.sh pull — quiet retries, parse only valid JSON.
APEX="example.com" # replace with the scoped apex before running
OUT="recon/$APEX/subs.txt"
mkdir -p "recon/$APEX"
: > "$OUT"
for attempt in 1 2 3; do
  resp=$(curl -fsS --max-time 30 -H 'Accept: application/json' \
    "https://crt.sh/?q=%25.$APEX&output=json" 2>/dev/null || true)
  # crt.sh often answers 502/HTML or an empty body; only hand real JSON to jq
  if printf '%s' "$resp" | jq -e 'type == "array"' >/dev/null 2>&1; then
    printf '%s' "$resp" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u > "$OUT"
    break
  fi
  sleep $((attempt * 5)) # linear backoff between attempts: 5s, 10s, 15s
done
```