Hackx K1 Recon

SPEC_HACKX_K1_RECON.md · 2026-04-20

CGNT-1 Specification — HACKX Knowledge Domain K1 — Reconnaissance

Status: SPECIFIED

Version: v1.0

Author: VELA (Thread #13)

Conceived by: NOUS (α.13)

Date: 2026-04-20

Depends on: SPEC_HACKX.md v1.1


PURPOSE

K1 is the first of 10 HACKX knowledge domains. Reconnaissance is how attackers gather information about a target before attacking. HACKX needs to recognize recon patterns so it can detect attacks in the EARLIEST phase — before exploitation even begins.

Catching recon is catching the attacker looking through the window, not breaking through the door.


MITRE ATT&CK MAPPING

Tactic: TA0043 — Reconnaissance

| Technique | Name |
|---|---|
| T1595 | Active Scanning |
| T1592 | Gather Victim Host Info |
| T1589 | Gather Victim Identity Info |
| T1590 | Gather Victim Network Info |
| T1591 | Gather Victim Org Info |
| T1598 | Phishing for Information |


DETECTION PATTERNS

K1.01 — Port Scanning

What it is: Sequential or randomized connection attempts across multiple ports from a single source IP.

Signature: >10 connection attempts to different ports within 60 seconds.

Common tools: nmap, masscan, zmap

HACKX response: Log source IP, ports targeted, timing pattern.

Alert level: MEDIUM
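
The K1.01 signature above, implemented as an added example that is not part of the HACKX spec: a sliding-window detector that keeps the last 60 seconds of connection attempts per source IP and alerts once a source has touched more than 10 distinct ports. The connection-log line format (`<ISO timestamp> CONNECT src=<ip> dport=<port>`) and the sample traffic are assumptions constructed for the example; the alert record carries what the spec asks HACKX to log (source IP, ports targeted, timing pattern).

```python
"""Added example (not part of the HACKX spec): a sliding-window detector for
pattern K1.01.  The connection-log line format and the sample traffic are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Signature from the spec: more than 10 distinct destination ports from one
# source IP inside a 60-second window.
PORT_THRESHOLD = 10
WINDOW = timedelta(seconds=60)

# Assumed log format: "<ISO-8601 timestamp> CONNECT src=<ip> dport=<port>".
LINE_RE = re.compile(r"^(\S+) CONNECT src=(\S+) dport=(\d+)$")


def parse_line(line):
    """Return (timestamp, src_ip, dport), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))


class PortScanDetector:
    def __init__(self, threshold=PORT_THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)   # src_ip -> deque of (ts, port)
        self.alerted = set()               # sources already reported once

    def observe(self, ts, src, port):
        """Record one attempt; return an alert dict the first time the source
        exceeds the threshold inside the window, otherwise None."""
        q = self.events[src]
        q.append((ts, port))
        while q and ts - q[0][0] > self.window:   # evict events older than 60 s
            q.popleft()
        distinct_ports = sorted({p for _, p in q})
        if len(distinct_ports) > self.threshold and src not in self.alerted:
            self.alerted.add(src)
            span = (ts - q[0][0]).total_seconds()
            # HACKX response per spec: source IP, ports targeted, timing pattern.
            return {
                "pattern": "K1.01",
                "level": "MEDIUM",
                "src": src,
                "ports": distinct_ports,
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "span_seconds": span,
                "mean_gap_seconds": span / (len(q) - 1),
            }
        return None


def scan_log(lines, detector=None):
    """Replay log lines in timestamp order and collect the alerts raised."""
    det = detector or PortScanDetector()
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[0])
    alerts = []
    for ts, src, port in events:
        alert = det.observe(ts, src, port)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic (not real data).
SCANNER_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389]
SAMPLE_LOG = (
    # 203.0.113.7 touches 11 distinct ports in 20 seconds: should alert.
    [f"2026-04-20T10:00:{2 * i:02d} CONNECT src=203.0.113.7 dport={p}"
     for i, p in enumerate(SCANNER_PORTS)]
    # 198.51.100.5 hits one port 15 times: many attempts, one port, no alert.
    + [f"2026-04-20T10:00:{i:02d} CONNECT src=198.51.100.5 dport=443"
       for i in range(15)]
    # 192.0.2.9 touches 12 ports five minutes apart: never >10 within 60 s.
    + [f"2026-04-20T10:{5 * i:02d}:00 CONNECT src=192.0.2.9 dport={1000 + i}"
       for i in range(12)]
)

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a)
```

The same per-source window with a different key (query name instead of port, 20 queries in 5 minutes) gives the K1.03 DNS-enumeration counter; the slow third source in the sample shows why the window must be sliding rather than fixed per minute, since a patient scanner stays under any single-window count.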


K1.02 — Service Enumeration

What it is: Connection to open ports followed by a banner grab or protocol handshake; the attacker is identifying what software is running.

Signature: Connection to open port followed by partial protocol exchange that doesn't complete a legitimate transaction.

HACKX response: Log the service probed, the banner/response sent, source IP.

Alert level: MEDIUM


K1.03 — DNS Enumeration

What it is: Rapid DNS queries for subdomains, MX records, TXT records, and zone transfer attempts; the attacker is mapping the domain's infrastructure.

Signature: >20 DNS queries from single source within 5 minutes; zone transfer attempt (AXFR).

HACKX response: Log queries and source.

Alert level: LOW (DNS queries are normal) → elevated to MEDIUM on zone transfer attempts.


K1.04 — Web Crawling / Directory Brute Force

What it is: Rapid requests for common paths searching for exposed endpoints.

Common paths probed: /admin, /login, /.env, /wp-admin, /api, /.git, /backup

Signature: >50 404 responses to a single source IP within 5 minutes; requests matching known wordlists (dirb, gobuster patterns).

HACKX response: Log paths requested, source IP, user agent.

Alert level: HIGH — this is active attack preparation.


K1.05 — OSINT-Informed Attack

What it is: OSINT harvesting happens on public sources (LinkedIn, GitHub, social media) and isn't directly detectable. But HACKX detects the RESULTS: login attempts using information matching public profiles (email formats, employee names, patterns from GitHub commits).

Signature: Login attempt using email format or naming pattern discoverable from public sources.

HACKX response: Flag as OSINT-informed attack. Log attempt, format used, likely source of intelligence.

Alert level: HIGH


K1.06 — Certificate Transparency Monitoring

What it is: Attackers query CT logs (crt.sh) to find every subdomain that has been issued a Let's Encrypt certificate. Not an attack — the attacker is using public infrastructure.

Directly detectable: No.

HACKX awareness: All subdomains with Let's Encrypt certificates are publicly visible in CT logs. This is not a vulnerability — it's a feature of public PKI.

Defense: Minimize unnecessary subdomains. All intentional subdomains documented in SPEC_DNS_MANAGEMENT.md.

Alert level: N/A (awareness only)


HONEYPOT INTEGRATION

HACKX Layer 1 (Bait) for K1: open non-production ports that look like real services but are HACKX traps.

| Honeypot Port | Simulates | Purpose |
|---|---|---|
| 2222 | Fake SSH | Detects SSH recon |
| 8080 | Fake web admin | Detects admin panel recon |

The key insight: Any connection to a honeypot port is 100% malicious — legitimate users don't know about it. The probe itself is the evidence.

Log everything: source IP, timing, protocol, payload.

Alert level: HIGH — any honeypot trigger.

The honeypot turns passive detection into active detection. Instead of waiting for attackers to probe real ports, we give them fake ports to probe.
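
A minimal Layer 1 (Bait) listener, as an added example that is not part of the HACKX spec: it binds a TCP port, accepts a probe, records source IP, timing, protocol and the first bytes sent, closes without ever answering, and returns a HIGH alert record with the P1 escalation from the response protocol. The port-to-label table and log path come from the spec; the bind address, the JSON-per-line record format and the `demo_probe` helper (which fires one constructed probe at a throwaway localhost port) are assumptions. It sends no banner: the connection itself is the evidence.

```python
"""Added example (not part of the HACKX spec): a minimal TCP honeypot listener
for the Layer 1 (Bait) ports.  Bind address, record format and the demo helper
are assumptions; the ports, labels and log path are taken from the spec."""
import json
import socket
import threading
from datetime import datetime, timezone

# Honeypot ports and what they simulate, from the spec table.
HONEYPOT_PORTS = {2222: "fake-ssh", 8080: "fake-web-admin"}
LOG_PATH = "~/logs/hackx.log"    # from the response protocol


def bind_listener(host="127.0.0.1", port=0):
    """Bind a listening socket; port 0 lets the OS pick (used by the demo)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s


def accept_one(listener, label, read_timeout=2.0, max_payload=1024):
    """Accept a single probe and return the evidence record.  Any connection
    at all is the finding: legitimate users have no reason to reach this port."""
    conn, (src_ip, src_port) = listener.accept()
    seen_at = datetime.now(timezone.utc)
    conn.settimeout(read_timeout)
    try:
        payload = conn.recv(max_payload)   # whatever the prober sends first
    except socket.timeout:
        payload = b""                      # silent connect-and-close probe
    finally:
        conn.close()                       # never answer, never engage
    return {
        "pattern": "K1-honeypot",
        "level": "HIGH",
        "escalation": "P1 HIGH",
        "simulates": label,
        "listener_port": listener.getsockname()[1],
        "src": src_ip,
        "src_port": src_port,
        "timestamp": seen_at.isoformat(),
        "protocol": "tcp",
        "payload_hex": payload.hex(),      # raw bytes as hex: safe for a one-line log
    }


def to_log_line(record):
    """One JSON object per line so the log stays grep- and parser-friendly."""
    return json.dumps(record, sort_keys=True)


def serve_forever(listener, label, sink):
    """Production loop: hand every record to `sink` (e.g. append to LOG_PATH)."""
    while True:
        sink(to_log_line(accept_one(listener, label)))


def demo_probe(label, data):
    """Constructed probe against a throwaway localhost listener (demo/test helper)."""
    lst = bind_listener()
    port = lst.getsockname()[1]
    result = {}
    t = threading.Thread(target=lambda: result.update(accept_one(lst, label)))
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(data)
    t.join(5)
    lst.close()
    return result


if __name__ == "__main__":
    print(to_log_line(demo_probe("fake-ssh", b"SSH-2.0-probe\r\n")))
```

In production each port in `HONEYPOT_PORTS` would get its own listener thread running `serve_forever` with a sink that appends to the log; the payload is stored hex-encoded so that whatever the prober sends cannot break the one-record-per-line log format.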


RESPONSE PROTOCOL


Detection
  → log to ~/logs/hackx.log
  → classify per SPEC_MONITORING_ESCALATION.md severity table
  → K1.04 or K1.05 detected: escalate to P2 MEDIUM
  → honeypot triggered: escalate to P1 HIGH
  → feed pattern to MANTIS training pipeline via LEARNX

HACKX never counter-attacks. HACKX never engages the attacker. Observe, log, classify, alert. The ship is a castle with good walls and excellent sentries, not a warship that chases pirates.


FALSE POSITIVE MANAGEMENT

Web crawlers are NOT recon. HACKX maintains a crawler whitelist:

| Crawler | User Agent Pattern | IP Range Source |
|---|---|---|
| Googlebot | Googlebot | Google published ranges |
| Bingbot | bingbot | Microsoft published ranges |
| Other legitimate crawlers | Per published UA strings | Per published IP ranges |

Pattern K1.04 (directory brute force) must exclude whitelisted crawlers before alerting.
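
The K1.04 signature together with the crawler exclusion above, as an added example that is not part of the HACKX spec: a detector over Combined-Log-Format access lines that counts 404 responses per source inside a 5-minute sliding window, but first drops requests from whitelisted crawlers. A crawler is exempt only when both its user agent matches and its source IP lies inside the operator's published ranges, so a scanner that merely claims to be Googlebot is still counted. The log format, the sample lines and the user-agent string of the scanner are constructed; the whitelist IP ranges are placeholders to be replaced with the ranges Google and Microsoft publish.

```python
"""Added example (not part of the HACKX spec): a K1.04 directory brute-force
detector that applies the crawler whitelist before alerting.  Access-log format,
sample lines and the scanner UA are constructed; whitelist ranges are PLACEHOLDERS."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Signature from the spec: >50 404 responses to one source IP within 5 minutes.
NOT_FOUND_THRESHOLD = 50
WINDOW = timedelta(minutes=5)

# Paths the spec lists as commonly probed.
PROBE_PATHS = ["/admin", "/login", "/.env", "/wp-admin", "/api", "/.git", "/backup"]

# A crawler is exempt only if BOTH the UA matches AND the source IP is inside
# the operator's published ranges.  PLACEHOLDER ranges (TEST-NET), not real ones.
CRAWLER_WHITELIST = {
    "Googlebot": {"ua": "Googlebot", "ranges": [ipaddress.ip_network("192.0.2.0/25")]},
    "Bingbot": {"ua": "bingbot", "ranges": [ipaddress.ip_network("192.0.2.128/25")]},
}

# Combined Log Format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, ts, method, path, status, ua = m.groups()
    return {"ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), "src": src,
            "method": method, "path": path, "status": int(status), "ua": ua}


def is_whitelisted_crawler(src, ua):
    ip = ipaddress.ip_address(src)
    for entry in CRAWLER_WHITELIST.values():
        if entry["ua"] in ua and any(ip in net for net in entry["ranges"]):
            return True
    return False


def scan_access_log(lines, threshold=NOT_FOUND_THRESHOLD, window=WINDOW):
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> deque of (ts, path), 404s only
    alerted, alerts = set(), []
    for e in events:
        if e["status"] != 404:
            continue
        if is_whitelisted_crawler(e["src"], e["ua"]):   # excluded before counting
            continue
        q = recent[e["src"]]
        q.append((e["ts"], e["path"]))
        while q and e["ts"] - q[0][0] > window:          # keep the last 5 minutes
            q.popleft()
        if len(q) > threshold and e["src"] not in alerted:
            alerted.add(e["src"])
            paths = sorted({p for _, p in q})
            # HACKX response per spec: paths requested, source IP, user agent.
            alerts.append({"pattern": "K1.04", "level": "HIGH",
                           "escalation": "P2 MEDIUM", "src": e["src"],
                           "user_agent": e["ua"], "count_404": len(q), "paths": paths,
                           "known_probe_paths": [p for p in paths if p in PROBE_PATHS]})
    return alerts


def _make_404s(src, ua, count, minute):
    """Constructed sample lines: `count` 404s from `src` within one minute."""
    lines = []
    for i in range(count):
        path = PROBE_PATHS[i] if i < len(PROBE_PATHS) else f"/old{i}"
        ts = f"20/Apr/2026:10:{minute:02d}:{i:02d} +0000"
        lines.append(f'{src} - - [{ts}] "GET {path} HTTP/1.1" 404 153 "-" "{ua}"')
    return lines


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_ACCESS_LOG = (
    _make_404s("203.0.113.9", "scanner/1.0", 55, 0)       # brute force: alert
    + _make_404s("192.0.2.10", GOOGLEBOT_UA, 60, 2)        # real crawler, in range: exempt
    + _make_404s("198.51.100.77", GOOGLEBOT_UA, 60, 4)     # spoofed UA, wrong IP: alert
    + ['198.51.100.5 - - [20/Apr/2026:10:01:00 +0000] "GET /index.html HTTP/1.1" '
       '200 512 "-" "Mozilla/5.0"']                        # ordinary 200: ignored
)

if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_ACCESS_LOG):
        print(a["src"], a["user_agent"], a["count_404"], a["known_probe_paths"])
```

The whitelist check is deliberately conjunctive; exempting on user agent alone would let any scanner silence K1.04 by setting its UA string to `Googlebot`.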


INVARIANTS

INV-01: Recon detection is EARLY WARNING. Catching recon prevents exploitation. K1 is the most valuable detection layer.

INV-02: HACKX never counter-attacks. Observe, log, classify, alert. That is the complete response.

INV-03: Honeypot ports are documented in SPEC_HACKX.md and added to the SPEC_SECURITY_AUDIT_SCHEDULE port whitelist as INTENTIONAL traps — not accidental exposures.

INV-04: Every detected recon pattern feeds MANTIS via LEARNX. The security braid learns from every probe.

INV-05: Web crawlers (Googlebot, Bingbot, etc.) are whitelisted. K1.04 false positives are managed by user agent + IP range exclusion.


INTEGRATION

| System | Relationship |
|---|---|
| SPEC_HACKX.md | K1 is one of 10 knowledge domains. HACKX.md is the parent spec. |
| SPEC_SECURITY_AUDIT_SCHEDULE.md | Port whitelist must include honeypot ports as INTENTIONAL. Weekly audit checks honeypot is still running. |
| SPEC_MONITORING_ESCALATION.md | K1.04/K1.05 → P2 MEDIUM. Honeypot trigger → P1 HIGH. Response chain follows escalation spec. |
| SPEC_BRAIN_MANTIS.md | Every K1 detection feeds MANTIS training via LEARNX per INV-04. The Security Braid learns from HACKX catches. |
| SPEC_DNS_MANAGEMENT.md | K1.06 awareness — all intentional subdomains documented there. Minimize CT log surface. |
| SPEC_INCIDENT_POSTMORTEM.md | K1 HIGH alerts trigger postmortems per severity table. Pattern documented for future training. |


Jeremy Zlabis

Chronogeometer · Visionary · Disruptor · Chief

42 Sisters AI · East York, Toronto

🍁 Φ 0.042