🔍 Pentest Skill

中文 | EN

A black-box web penetration testing framework callable by any AI Agent (Claude Code, Codex, Cursor, WorkBuddy, etc.). Supports the full pentest pipeline from reconnaissance to reporting via standardized CLI interfaces.

---

⚠️ Legal Disclaimer

This tool is for authorized security testing and research only.

• You must obtain explicit written authorization from the target system owner before testing.
• Unauthorized penetration testing is illegal in most jurisdictions.
• The author assumes no liability for any misuse or damages.
• Using this tool constitutes acceptance of this disclaimer and a commitment to use it lawfully and with authorization only.

---

📋 Feature Overview

Phase	Module	Description
0	Fingerprinting	Tech stack / WAF / Security headers / Cookie security detection
1	Subdomain Enumeration	subfinder / crt.sh / DNS brute-force + liveness check
2	DNS Resolution	CNAME chains / IP attribution / Cloud provider identification
3	Port Scanning	Open ports / Service identification / Banner grabbing
4	Deep Rendering	Playwright JS rendering / API discovery / Form extraction
4B	Session Capture	Login detection / Cookie / JWT / Multi-role
5	Directory Enumeration	Path discovery / Response clustering / SPA filtering
6	JS Analysis	14-dimension analysis / Endpoint verification / Key detection
7	Vulnerability Scanning	nuclei scan + Python fallback auto-scan
7A	Auto Verification	False positive elimination / Baseline comparison / Vulnerability confirmation
7B	Auth Vulnerabilities	IDOR / Unauthorized access / Privilege escalation / JWT analysis
7C	Manual Verification	curl + Burp-format verification assistance
7D	SQLi Verification	sqlmap automated injection verification
7E	Evidence Summary	Burp-style packets + HTML report
7F	Framework Vulns	Spring / Django / ThinkPHP specific vulnerabilities
7G	Command Injection	OS command / pipeline / redirect injection
7H	SSRF Detection	Internal network probe / Cloud metadata / Protocol abuse
7I	SSTI Detection	Template engine sandbox escape detection
7J	XXE Detection	External entity / OOB data exfiltration
7K	Deserialization	Java / PHP / Python deserialization detection
7L	File Upload	Extension bypass / Webshell upload detection
7M	Parameter Fuzzing	XSS / SQLi / SSTI / SSRF multi-type injection
7N	Business Logic	Price / Quantity / Race condition / Workflow bypass
7O	JWT Vulnerabilities	alg=none / Weak algorithms / Sensitive claims
7P	GraphQL	Introspection / Batch queries / Hidden fields
7Q	HTTP Smuggling	CL.TE / TE.CL differential detection
8	Report Generation	HTML report (CVSS + MITRE + NIST + D3FEND)

---

🚀 Quick Start

# 1. Clone repository
git clone https://github.com/wudidike/pentest_skill.git
cd pentest_skill

# 2. One-click install (auto-downloads Go tools + Python deps + Payload sync)
bash setup.sh

# 3. Environment check
python scripts/health_check.py

# 4. Start pentesting
python scripts/phase0_fingerprint.py --target https://example.com --output-dir ./output

Optional Installation

bash setup.sh --with-playwright   # Install Playwright (Phase 4 deep rendering)
bash setup.sh --with-sqlmap       # Install sqlmap (Phase 7D SQLi verification)
bash setup.sh --update            # Update all tools to latest version

📖 Usage

AI Agent Usage (Recommended)

1. Load SKILL.md into your AI Agent (Claude Code / Cursor / WorkBuddy)
2. Tell the Agent: "Perform penetration test on https://target.com"
3. The Agent will execute the full pipeline automatically

CLI Usage

# Full pipeline
python scripts/cli.py --target https://example.com --mode url

# Run individual Phase
python scripts/phase0_fingerprint.py --target https://example.com --output-dir ./output

# Recon only
python scripts/phase0_fingerprint.py --target URL --output-dir ./output
python scripts/phase4_render.py --target URL --output-dir ./output --deep
python scripts/phase5_dir_enum.py --target URL --output-dir ./output

---

📁 Project Structure

pentest-skill/
├── README.md
├── LICENSE
├── config.yaml            # Global config (tool paths / proxy / timeout / report language, etc.)
├── setup.sh               # One-click install script
├── SKILL.md               # AI Agent invocation guide (v2.6)
├── MIGRATION.md           # Migration guide
├── scripts/
│   ├── cli.py             # Unified CLI entry (--target/--mode/--phases)
│   ├── core/              # Core infrastructure package (NEW in v2.3)
│   │   ├── __init__.py    # Unified exports (backward compatible)
│   │   ├── config.py      # Configuration management
│   │   ├── logger.py      # Logging system
│   │   ├── constants.py   # Constants definition
│   │   ├── cli_utils.py   # CLI utilities
│   │   ├── result_writer.py # Result writing
│   │   ├── utils.py       # General utilities
│   │   ├── http_client.py # HTTP client
│   │   ├── finding_manager.py # Vulnerability management
│   │   └── evidence.py    # Evidence management
│   ├── vuln/              # Modular vulnerability framework (NEW in v2.3)
│   │   ├── base.py        # VulnModule base class + HttpMixin
│   │   ├── registry.py    # VulnRegistry registration center
│   │   ├── orchestrator.py # VulnOrchestrator orchestration
│   │   ├── adapter.py     # Compatibility layer adapter
│   │   ├── phase7_bridge.py # Phase7 integration bridge
│   │   ├── coverage.py    # Coverage tracking
│   │   ├── sqli/          # SQL injection module
│   │   ├── xss/           # XSS module
│   │   ├── ssrf/          # SSRF module
│   │   ├── ssti/          # SSTI module
│   │   ├── xxe/           # XXE module
│   │   ├── cmdi/          # Command injection module
│   │   ├── auth/          # Auth vulnerability module
│   │   ├── logic/         # Business logic vulnerability module
│   │   ├── upload/        # File upload module
│   │   ├── deserialization/ # Deserialization module
│   │   ├── path/          # Path traversal module
│   │   ├── nosql/         # NoSQL injection module
│   │   ├── framework/     # Framework vulnerability module
│   │   └── tests/         # Vulnerability module test suite
│   ├── tool_manager.py    # Tool management + fallback strategy
│   ├── renderer.py        # Playwright deep rendering
│   ├── fuzz_engine.py     # Directory fuzzing engine
│   ├── js_analyzer.py     # JS 14-dimension analysis
│   ├── param_fuzzer.py    # Parameter fuzzer
│   ├── phase0_fingerprint.py
│   ├── phase1_subdomain.py
│   └── ...                # More Phase scripts
├── wordlists/             # Wordlist files
├── templates/             # Report templates
├── references/            # Reference materials
└── hack-skills/           # Sub-skill modules (knowledge layer integration)

---

⚙️ Unified CLI Interface

All Phase scripts follow the same argument format:

python scripts/phase_X.py --target URL --output-dir DIR [OPTIONS]

Argument	Required	Description
--target	✅	Target URL or domain
--output-dir	No	Output directory (default ./recon-output)
--config	No	Config file path (auto-detected by default)
--proxy	No	HTTP proxy (e.g. http://127.0.0.1:8080)
--timeout	No	Timeout in seconds (default 15)
--verbose	No	Verbose output

---

🛠️ Tool Fallback Strategy

Core scripts automatically fall back when external tools are unavailable:

Go Tool	Fallback
nuclei	Python requests auto-scan
ffuf	Python directory enumeration engine
subfinder	crt.sh + DNS brute-force
httpx	Python fingerprinting
nmap	Python socket port scanning

---

🧪 Testing

# Regression tests
make test
# or
python tests/test_core.py

# Benchmark
make benchmark
# or
python scripts/run_benchmark.py

# Environment check
python scripts/health_check.py

---

⚙️ Configuration

Edit config.yaml to customize behavior:

validation:
  report_language: "en"    # Report language (zh-CN / en)
network:
  proxy: ""                # HTTP proxy
  timeout: 15              # Timeout in seconds
tools:
  nuclei:
    path: ""               # Leave empty for auto-detect

---

🆕 Changelog

v2.6.0

• 7 new standalone Phase entry scripts: All 13 vuln modules now have independent CLI scripts
  • 7G Command Injection, 7H SSRF, 7I SSTI, 7J XXE, 7K Deserialization, 7L File Upload, 7N Business Logic
• constants.py / config.yaml / SKILL.md synchronized with new phases and data flows

v2.4.0

• XSS module enhancement: discover.py 434→1138 lines (+162%), added DOM XSS / CSP bypass / PostMessage / WAF bypass detection
• NoSQL module enhancement: Redis payloads 3→21, new Cassandra CQL injection payloads
• Phase7 VulnOrchestrator enabled by default with --no-orchestrator fallback option
• Knowledge layer linkage table completed with 4 missing hack-skill references
• Version unified to 2.4.0, removed 5 dead code files, 24 new unit tests

v2.3.1

• Removed hardcoded target domain from CLI example, replaced with generic example domain
• Fixed known issues and security detail optimizations

v2.3.0

• 7 Mandatory Enforcement Rules + startup checklist to prevent AI Agents from skipping steps or missing config
• core/ Package Refactor: core.py split into 10 independent modules with backward-compatible wrappers
• vuln/ Modular Vulnerability Framework: 12 vulnerability types with unified base class + registry + orchestrator
• cli.py Unified Entry: --target/--mode/--phases/--list-phases/--dry-run
• P0 Fix: VulnOrchestrator multiple inheritance header injection (MRO init chain)
• SPA Application Note: IDOR findings must be verified via Phase 7A
• Report Output Spec: Phase 7E/8 must use config.yaml report_language

---

🤝 Contributing

Issues and Pull Requests are welcome!

1. Fork this repository
2. Create a feature branch: git checkout -b feature/new-module
3. Commit your changes: git commit -m 'Add new module'
4. Push the branch: git push origin feature/new-module
5. Open a Pull Request

---

📄 License

This project is licensed under the MIT License.

---

🌟 Acknowledgements

Thanks to all contributors in the penetration testing open-source community for their tools and research.