AgentSkillsCN

penetration-testing

适用于规划或开展针对 Web 应用程序、API、网络以及移动应用的授权渗透测试。涵盖渗透测试方法论(OWASP、PTES、OSSTMM)、范围界定与行为准则、工具选择、报告撰写以及修复效果的验证。 适用场景:渗透测试、渗透测试方法论、PTES、OSSTMM、OWASP 测试指南、Web 应用渗透测试、API 渗透测试、网络渗透测试、移动渗透测试、漏洞评估、漏洞赏金计划、负责任的披露、行为准则。 不适用场景:CI/CD 中的自动化安全扫描(应使用安全测试相关技能)、实施前的威胁建模(应使用威胁建模相关技能)、AI/LLM 特有的对抗性测试(应使用 AI 安全或红队测试相关技能)。

SKILL.md
--- frontmatter
name: penetration-testing
description: |
    Use when planning or conducting authorized penetration tests against web applications, APIs, networks, and mobile apps. Covers pen testing methodologies (OWASP, PTES, OSSTMM), scoping and rules of engagement, tool selection, reporting, and remediation verification.
    USE FOR: penetration testing, pen test methodology, PTES, OSSTMM, OWASP Testing Guide, web app pen testing, API pen testing, network pen testing, mobile pen testing, vulnerability assessment, bug bounty, responsible disclosure, rules of engagement
    DO NOT USE FOR: automated security scanning in CI/CD (use security-testing), threat modeling before implementation (use threat-modeling), AI/LLM-specific adversarial testing (use ai-security or red-teaming)
license: MIT
metadata:
  displayName: "Penetration Testing"
  author: "Tyler-R-Kendrick"
compatibility: claude, copilot, cursor

Penetration Testing

Overview

Penetration testing is the authorized practice of simulating attacks against a system to discover exploitable vulnerabilities before malicious actors do. Unlike automated security scanning (SAST/DAST), pen testing involves human expertise to chain vulnerabilities, test business logic flaws, and assess real-world exploitability. Pen tests are conducted under a clear scope and rules of engagement, and results are reported with severity ratings and remediation guidance.

Important: Penetration testing must always be performed with explicit written authorization. Unauthorized testing is illegal in virtually every jurisdiction. Ensure you have a signed rules of engagement document before beginning any testing.

Key References

TitleAuthor(s)Focus
The Web Application Hacker's HandbookStuttard & PintoWeb app vulnerability discovery and exploitation
Penetration TestingGeorgia WeidmanHands-on pen testing methodology
The Hacker Playbook 3Peter KimRed team tactics and techniques
OWASP Testing Guide v4.2OWASP FoundationComprehensive web application testing methodology
PTES (Penetration Testing Execution Standard)PTES.orgIndustry-standard pen testing framework

Methodologies

MethodologyScopePhasesBest For
OWASP Testing GuideWeb applicationsInformation gathering, configuration testing, identity management, authentication, authorization, session management, input validation, error handling, cryptography, business logic, client-sideWeb app and API pen tests
PTESGeneralPre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, reportingFull-scope engagements
OSSTMMNetworks and systemsScope, channel, index, vectors, verification, resolutionNetwork and infrastructure testing
NIST SP 800-115Technical securityPlanning, discovery, attack, reportingGovernment and regulatory compliance
CRESTGeneral (UK-focused)Certified methodology for regulated industriesUK/EU regulated environments

Pen Test Types

TypeTargetTechniquesCommon Findings
Web ApplicationHTTP endpoints, UI, business logicAuthentication bypass, injection, XSS, IDOR, privilege escalation, SSRFOWASP Top 10 vulnerabilities
APIREST/GraphQL/gRPC endpointsBOLA, broken auth, excessive data exposure, mass assignment, rate limit bypassOWASP API Top 10 vulnerabilities
Network / InfrastructureHosts, services, protocolsPort scanning, service enumeration, exploit known CVEs, lateral movement, privilege escalationUnpatched services, weak configs, default credentials
MobileiOS/Android appsBinary analysis, certificate pinning bypass, local storage review, API interception, reverse engineeringInsecure storage, hardcoded secrets, weak transport
CloudAWS/Azure/GCP resourcesMisconfiguration audits, IAM review, storage bucket enumeration, metadata service abuseOver-permissioned roles, public resources, SSRF to metadata
WirelessWi-Fi, BluetoothRogue AP, WPA cracking, evil twin, Bluetooth sniffingWeak encryption, rogue access points
Social EngineeringPeople and processesPhishing campaigns, pretexting, physical access testingCredential harvesting, policy violations

Testing Approaches

ApproachKnowledge GivenSimulatesBest For
Black BoxNo internal knowledgeExternal attackerRealistic external threat assessment
Gray BoxPartial knowledge (credentials, architecture docs)Authenticated attacker or insider threatMost common; best efficiency-to-realism ratio
White BoxFull source code, architecture, credentialsComprehensive auditMaximum coverage; code-assisted testing

Pen Testing Tools

Reconnaissance and Enumeration

ToolPurposeType
NmapPort scanning, service detection, OS fingerprintingOpen source
AmassSubdomain enumeration, DNS mappingOpen source (OWASP)
ShodanInternet-connected device searchCommercial (free tier)
Recon-ngOSINT framework for reconnaissanceOpen source
theHarvesterEmail, subdomain, and IP harvestingOpen source

Web Application Testing

ToolPurposeType
Burp Suite ProfessionalIntercepting proxy, scanner, manual testingCommercial
OWASP ZAPIntercepting proxy, automated scanningOpen source
SQLMapAutomated SQL injection detection and exploitationOpen source
NiktoWeb server vulnerability scannerOpen source
ffuf / GobusterDirectory and parameter fuzzingOpen source
NucleiTemplate-based vulnerability scanningOpen source

Network and Infrastructure

ToolPurposeType
Metasploit FrameworkExploitation framework with modules for known CVEsOpen source (+ Pro)
NessusVulnerability scanning and assessmentCommercial
OpenVASVulnerability scanningOpen source
CrackMapExec / NetExecActive Directory and SMB exploitationOpen source
ImpacketNetwork protocol attack toolkitOpen source
ResponderLLMNR/NBT-NS/mDNS poisoningOpen source

Post-Exploitation

ToolPurposeType
BloodHoundActive Directory attack path mappingOpen source
MimikatzCredential extraction from WindowsOpen source
Chisel / Ligolo-ngTunneling and pivotingOpen source
LinPEAS / WinPEASPrivilege escalation enumerationOpen source

Mobile

ToolPurposeType
FridaDynamic instrumentation and hookingOpen source
objectionRuntime mobile exploration (built on Frida)Open source
MobSFAutomated mobile static/dynamic analysisOpen source
JadxAndroid APK decompilationOpen source

Cloud

ToolPurposeType
ScoutSuiteMulti-cloud security auditingOpen source
ProwlerAWS/Azure/GCP security assessmentOpen source
PacuAWS exploitation frameworkOpen source
CloudSploitCloud misconfiguration detectionOpen source

Scoping and Rules of Engagement

Every pen test must begin with a formal scoping and rules of engagement agreement:

ElementDescription
ScopeSpecific IP ranges, domains, applications, or environments to be tested
Out of scopeSystems, networks, or actions explicitly excluded
Testing windowDates and hours when testing is permitted
AuthorizationWritten permission from system owner (get-out-of-jail letter)
Communication planEmergency contacts, escalation procedures, status reporting
Data handlingHow sensitive data discovered during testing will be handled and destroyed
RulesNo denial of service, no data destruction, no social engineering (unless scoped), notification on critical findings
DeliverablesReport format, debrief meeting, retest timeline

Severity Rating

SeverityCVSS RangeDescriptionExample
Critical9.0 - 10.0Immediate exploitation possible with severe impactUnauthenticated RCE, SQL injection to database dump
High7.0 - 8.9Exploitation likely with significant impactAuthentication bypass, privilege escalation to admin
Medium4.0 - 6.9Exploitation possible with moderate impactStored XSS, IDOR with limited data exposure
Low0.1 - 3.9Exploitation difficult or limited impactInformation disclosure, verbose error messages
Informational0.0No direct security impact but worth notingMissing security headers, outdated software versions

Reporting

A pen test report should include:

  1. Executive Summary — non-technical overview of findings, risk level, and key recommendations for leadership
  2. Scope and Methodology — what was tested, how, and testing approach (black/gray/white box)
  3. Findings — each vulnerability with: title, severity (CVSS), description, affected asset, evidence (screenshots, request/response), business impact, remediation steps
  4. Risk Summary — findings grouped by severity with counts
  5. Remediation Roadmap — prioritized list of fixes with effort estimates
  6. Appendices — tool output, raw scan results, methodology details

Bug Bounty and Responsible Disclosure

Program TypeDescriptionRewardBest For
Bug Bounty (managed)Ongoing program via HackerOne/Bugcrowd/IntigritiMonetary bountiesContinuous external testing at scale
Bug Bounty (self-hosted)Company-run program with security@ emailMonetary or swagCompanies wanting control over process
VDP (Vulnerability Disclosure Policy)Published policy inviting responsible reportsRecognition (no monetary)Minimum baseline for any company

Responsible Disclosure Process

  1. Researcher discovers vulnerability
  2. Researcher reports via designated channel
  3. Company acknowledges receipt (target: 1 business day)
  4. Company triages and validates (target: 5 business days)
  5. Company remediates (target: 90 days for standard, 7 days for actively exploited)
  6. Coordinated public disclosure after fix

Best Practices

  • Always obtain written authorization before testing — unauthorized pen testing is a criminal offense regardless of intent.
  • Scope tightly — clearly define what is in and out of scope to protect both the tester and the organization.
  • Use gray-box testing as the default for most engagements — it provides the best balance of realism and coverage.
  • Report findings with business impact, not just technical severity — help stakeholders understand the real-world risk.
  • Verify remediations with a retest engagement after fixes are deployed — do not assume fixes are complete.
  • Maintain a vulnerability disclosure policy (VDP) even if you do not run a bug bounty — it gives researchers a safe way to report issues.
  • Separate pen testing from automated scanning — automated tools find known patterns; human testers find business logic flaws and chained exploits.
  • Conduct pen tests at least annually and after major releases or architecture changes.
  • Treat pen test reports as confidential — they contain detailed exploitation instructions for your systems.
  • Rotate pen testing firms periodically to get fresh perspectives and avoid blind spots from familiarity.