AbsolutelySkilled penetration-testing

Name: penetration-testing
Author: AbsolutelySkilled

install

source · Clone the upstream repo

git clone https://github.com/AbsolutelySkilled/AbsolutelySkilled

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/AbsolutelySkilled/AbsolutelySkilled "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/penetration-testing" ~/.claude/skills/absolutelyskilled-absolutelyskilled-penetration-testing && rm -rf "$T"

manifest: skills/penetration-testing/SKILL.md

Penetration Testing

A structured framework for conducting authorized security assessments. This skill covers the full pentest lifecycle - from scoping and reconnaissance through exploitation and reporting - with an uncompromising emphasis on authorized testing only. Every technique, tool, and tactic here is applied exclusively within written engagement agreements, sanctioned CTF competitions, or controlled lab environments.

Security testing without explicit written authorization is illegal under the Computer Fraud and Abuse Act (CFAA), the Computer Misuse Act (UK), and equivalent laws in virtually every jurisdiction. There are no exceptions.

When to use this skill

Trigger this skill when the user:

Plans or scopes an authorized penetration test engagement
Conducts a web application security assessment following the OWASP Testing Guide
Performs network vulnerability scanning (Nmap, Nessus, OpenVAS)
Tests authentication, session management, or access control weaknesses
Writes a professional pentest report with findings and remediation guidance
Prioritizes vulnerabilities using CVSS scoring or risk-based frameworks
Practices in a CTF competition, HackTheBox, TryHackMe, or personal lab environment

Do NOT trigger this skill for:

Any activity targeting systems the user does not have explicit written authorization to test - this is unauthorized access, not security testing
Attacks on production systems outside a defined and agreed engagement scope, regardless of intent or claimed ownership

Key principles

Always have written authorization - A signed statement of work, rules of engagement document, or CTF registration is non-negotiable before any testing begins. Verbal permission is legally meaningless. If you do not have written authorization, you do not have authorization.
Follow scope strictly - The engagement scope defines exactly which IP ranges, domains, applications, and test types are in bounds. Scope creep - even "accidental" pivoting to out-of-scope systems - carries legal liability. When in doubt, stop and clarify with the client.
Document everything - Log every command run, every finding discovered, and every timestamp. Detailed records protect the tester legally, enable accurate reporting, and provide the client with a reproducible audit trail.
Responsible disclosure - Critical findings (RCE, credential exposure, data exfiltration paths) must be reported to the client immediately, not at the end of the engagement. Do not hold back critical vulnerabilities to make the final report look more impressive.
Minimize impact - Testing should never cause unnecessary disruption. Avoid destructive exploits, denial-of-service techniques, or mass data extraction unless explicitly authorized. The goal is to demonstrate a vulnerability exists, not to fully exploit it.

Core concepts

Pentest phases

The Penetration Testing Execution Standard (PTES) defines five phases that form a repeatable methodology for every engagement:

Phase	Goal	Key activities
Reconnaissance	Understand the target's attack surface	Passive OSINT (WHOIS, Shodan, Google dorks), active scanning, subdomain enumeration
Scanning & Enumeration	Map live hosts, open ports, services, and versions	Nmap, Nessus, Nikto, banner grabbing, service fingerprinting
Exploitation	Demonstrate that a vulnerability can be leveraged	Metasploit, manual exploit development, web app attacks (SQLi, XSS, SSRF)
Post-Exploitation	Assess impact depth after initial compromise	Privilege escalation, lateral movement, credential harvesting, persistence (within scope)
Reporting	Communicate risk to the client in actionable terms	Executive summary, technical findings, CVSS scores, remediation steps

Vulnerability severity - CVSS

The Common Vulnerability Scoring System (CVSS v3.1) provides a standardized numerical score (0.0-10.0) used to communicate severity:

Score	Severity	Typical examples
9.0-10.0	Critical	Unauthenticated RCE, pre-auth SQL injection with DBA access
7.0-8.9	High	Authenticated RCE, significant privilege escalation, SSRF to metadata
4.0-6.9	Medium	Stored XSS, IDOR exposing other users' data, weak TLS config
0.1-3.9	Low	Informational disclosure, missing security headers, verbose errors
0.0	Informational	Best-practice gaps with no direct exploitability

CVSS scores are a communication tool, not the final word on business risk. A medium-severity finding in a payment card system may carry higher business risk than a high-severity finding on a low-value internal tool. Always contextualize scores for the client.

Rules of engagement

Rules of engagement (ROE) define the guardrails for a test. A well-formed ROE document covers:

Scope: IP ranges, domains, applications in-scope and out-of-scope
Test types: Allowed techniques (e.g., is social engineering in scope? DoS testing?)
Time windows: Permitted testing hours (avoid peak business hours for network tests)
Emergency contacts: Who to call if testing causes unintended disruption
Data handling: How captured credentials and PII must be stored and destroyed
Exclusions: Specific systems, third-party services, or shared infrastructure that must not be touched

Common tasks

Plan a pentest engagement

Before any technical work begins, define:

Scope document - list every IP range, CIDR block, domain, and application explicitly authorized for testing. Write a separate exclusion list.
Rules of engagement - cover testing windows, allowed techniques, emergency contacts, and data handling requirements (see ROE section above).
Timeline - reconnaissance phase, active testing phase, reporting phase, and remediation validation window.
Test type - black-box (no prior knowledge), grey-box (limited knowledge like a standard user account), or white-box (full source code and architecture access).

Always get ROE signed before the first Nmap packet leaves your machine.

Conduct a web application assessment

Follow the OWASP Testing Guide (OTG) v4 methodology:

1. Information Gathering
   - OTG-INFO-001: Fingerprint web server and technology stack
   - OTG-INFO-003: Review webserver metafiles (robots.txt, sitemap.xml)
   - OTG-INFO-007: Map application entry points

2. Authentication Testing
   - OTG-AUTHN-001: Test credentials over encrypted transport
   - OTG-AUTHN-003: Test account lockout and brute-force protections
   - OTG-AUTHN-006: Test for default credentials

3. Authorization Testing
   - OTG-AUTHZ-001: Directory traversal / file inclusion
   - OTG-AUTHZ-002: Bypass authorization schema (IDOR, privilege escalation)

4. Session Management Testing
   - OTG-SESS-001: Test cookie attributes (Secure, HttpOnly, SameSite)
   - OTG-SESS-005: Test for CSRF

5. Input Validation Testing
   - OTG-INPVAL-001: Reflected/stored/DOM XSS
   - OTG-INPVAL-005: SQL injection
   - OTG-INPVAL-017: SSRF

6. Business Logic Testing
   - OTG-BUSLOGIC-004: Test for process timing attacks
   - OTG-BUSLOGIC-009: Test for upload of malicious files

Tools: Burp Suite (proxy and scanner), OWASP ZAP, SQLMap (authorized use only), ffuf (directory brute-forcing), Nikto (initial reconnaissance).

Perform a network vulnerability scan

A repeatable Nmap scanning workflow for authorized network assessments:

# Phase 1: Host discovery (fast, low noise)
nmap -sn 10.0.0.0/24 -oG hosts-up.txt

# Phase 2: Service version scan on live hosts
nmap -sV -sC -p- --open -iL hosts-up.txt -oA nmap-full

# Phase 3: Targeted UDP scan for key services
nmap -sU -p 53,67,161,500 -iL hosts-up.txt -oA nmap-udp

# Phase 4: Vulnerability scripts (NSE) - authorized only
nmap --script vuln -iL hosts-up.txt -oA nmap-vuln

Follow up with Nessus or OpenVAS for CVE-matched vulnerability detection. Always save raw scan output - it is evidence in the report.

Set scan rate limits (
--max-rate
) to avoid triggering IDS alerts or causing unintended service disruption on fragile systems.

Test authentication and session management

Authentication testing checklist:

Credentials transmitted over TLS only (no HTTP fallback)
Account lockout triggers after N failed attempts (test: 10-20 rapid attempts)
Password reset tokens are single-use, expire quickly, and are not guessable
Session tokens have sufficient entropy (min 128 bits)
Session cookies set with
```
Secure
```
,
```
HttpOnly
```
, and
```
SameSite=Strict
```
Session invalidated on logout (server-side, not just client-side cookie deletion)
No session fixation (new token issued after successful login)
MFA bypass paths tested (fallback flows, recovery codes, API endpoint parity)

Write a pentest report

A professional report structure:

1. Executive Summary (1-2 pages, non-technical audience)

Engagement scope and objectives
Overall risk rating with one-sentence rationale
Top 3 most critical findings in plain language
Recommended prioritization order for remediation

2. Technical Findings (one page per finding minimum)

Each finding must include:

Field	Content
Title	Short, descriptive vulnerability name
Severity	CVSS v3.1 score + vector string
Affected component	URL, IP, service, and version
Description	What the vulnerability is and why it exists
Evidence	Screenshots, request/response pairs, tool output
Impact	What an attacker can achieve if exploited
Remediation	Specific, actionable fix with code examples where applicable
References	CVE, CWE, OWASP reference

3. Remediation Summary - table of all findings sorted by severity with estimated remediation effort.

4. Appendices - raw tool output, full scope definition, methodology reference.

Prioritize vulnerabilities by risk

CVSS score alone is not sufficient for prioritization. Apply this framework:

Risk = Severity x Exploitability x Business Impact

For each finding, score 1-5:
  Severity:           CVSS base score (normalize: Critical=5, High=4, Med=3, Low=1)
  Exploitability:     1=requires physical access, 3=authenticated remote, 5=unauthenticated remote
  Business Impact:    1=no sensitive data/system, 5=production PII or financial system

Priority 1 (fix in 24-48h): Risk score 60+
Priority 2 (fix in 1-2 weeks): Risk score 30-59
Priority 3 (fix in next sprint): Risk score 10-29
Priority 4 (fix when convenient): Risk score <10

Always review with the client - they know which systems are business-critical.

Set up a testing lab for practice

Build a safe, isolated practice environment:

Virtualization: VirtualBox or VMware Workstation, host-only or NAT networking
Vulnerable targets: DVWA, Metasploitable 2/3, VulnHub VMs, HackTheBox machines, TryHackMe rooms
Attacker OS: Kali Linux or Parrot OS (come pre-loaded with pentest tooling)
Network isolation: Never bridge your lab network to a production or corporate network
Snapshots: Snapshot VM state before each exploitation attempt for easy revert

Practice only on systems you own or platforms that grant explicit authorization (HTB, THM, VulnHub). Setting up a lab is the correct path when you want to develop skills without an engagement in hand.

Anti-patterns

Anti-pattern	Why it's wrong	What to do instead
Testing without written authorization	Illegal under CFAA and equivalent laws worldwide, regardless of intent or claimed ownership	Obtain signed statement of work and ROE before any testing begins
Scope creep during exploitation	Pivoting to out-of-scope systems creates legal exposure even if discovered accidentally	Stop immediately, document the out-of-scope system found, notify the client, get written scope extension if needed
Running destructive exploits without explicit authorization	Can cause data loss, service outages, or permanent system damage	Demonstrate exploitability with a PoC that proves the vulnerability without causing harm (e.g., `id` vs full shell)
Saving client credentials or PII beyond the engagement	Creates data liability and breaches engagement agreement	Destroy captured credentials per the data-handling terms in the ROE; never store them after the engagement closes
Reporting only exploited vulnerabilities	Misses the full attack surface - un-exploited vulnerabilities still carry risk	Report all findings including those that could not be exploited in the test window, with CVSS-based risk scores
Vague remediation advice ("fix the SQL injection")	Developers cannot act on generic advice	Provide specific remediation - parameterized query example, library recommendation, configuration change - for every finding

Gotchas

Scope creep via pivoting to discovered out-of-scope systems is a legal exposure - During exploitation or enumeration, you will discover systems adjacent to your scope. Even if pivoting there would demonstrate greater impact, touching them is unauthorized access regardless of intent. When you discover an out-of-scope system that is critical (e.g., a connected production DB), stop, document, and notify the client immediately - do not test it.
Nmap aggressive scans (
```
-A
```
) without rate limiting will trigger IDS and disrupt fragile services - The default aggressive scan sends thousands of packets per second and will trigger intrusion detection, fill firewall logs, and crash UDP-sensitive services on older hardware. Always set
```
--max-rate 100-500
```
for initial scans in production environments and increase only after confirming stability.
Storing captured credentials or PII beyond engagement close is a data liability - Pentest tooling (Responder, Metasploit loot, Burp history) accumulates real credentials, session tokens, and PII. Many testers forget to purge this data after the engagement. The ROE data-handling clause applies: destroy all captured data per the agreed method on the day the engagement closes.
CVSS base scores do not account for business context - A CVSS 9.8 on an internal dev tool with no external access is genuinely lower risk than a CVSS 6.5 IDOR on a payment API. Presenting raw CVSS scores to clients without contextualizing for their environment creates misplaced remediation priorities. Always add a business risk statement to each finding that reflects the actual environment.
Password spraying without lockout testing first triggers account lockouts at scale - Testing a list of 500 accounts with one password attempt each can lock out a significant fraction of users if the lockout threshold is low (e.g., 3 attempts in 30 minutes from any source). Always test the lockout policy on a single test account before running any spray, and confirm spray scope with the client.

References

For detailed methodology and patterns, load the relevant references file:

```
references/methodology.md
```
- PTES and OWASP Testing Guide methodology, phase-by-phase breakdown, tool reference, and reporting templates

Only load references files when the current task requires them - they are long and will consume context.

Companion check

On first activation of this skill in a conversation: check which companion skills are installed by running
ls ~/.claude/skills/ ~/.agent/skills/ ~/.agents/skills/ .claude/skills/ .agent/skills/ .agents/skills/ 2>/dev/null
. Compare the results against the
recommended_skills
field in this file's frontmatter. For any that are missing, mention them once and offer to install:
npx skills add AbsolutelySkilled/AbsolutelySkilled --skill <name>
Skip entirely if
recommended_skills
is empty or all companions are already installed.