cubetiq/pentest-skill

Penetration Testing Skill

Purpose

Provide structured guidance for authorized penetration testing engagements following the Penetration Testing Execution Standard (PTES). This skill assists with planning reconnaissance, identifying vulnerabilities, guiding exploitation strategies, and producing professional pentest reports.

When to Use

• Planning or executing an authorized penetration test
• Performing reconnaissance on in-scope targets
• Identifying and validating vulnerabilities during an engagement
• Writing a professional penetration test report
• Selecting tools and techniques for specific testing scenarios
• Reviewing rules of engagement and scoping documents

Instructions

1. STOP — Before proceeding, confirm the user has explicit authorization for penetration testing on the target system. Request evidence of a signed rules-of-engagement document, scope agreement, or written authorization because unauthorized testing is illegal and unethical regardless of intent.

2. Define and validate the engagement scope — Confirm in-scope IP ranges, domains, applications, and any exclusions (production databases, third-party services) because testing outside scope exposes the tester to legal liability and can cause unintended damage.

3. Establish rules of engagement — Document testing windows, emergency contacts, escalation procedures, and data handling requirements because clear rules prevent misunderstandings and protect both tester and client.

4. Conduct passive reconnaissance — Gather OSINT including DNS records, WHOIS data, certificate transparency logs, public code repositories, and employee information because passive recon builds target knowledge without generating detectable traffic.

5. Conduct active reconnaissance — Perform port scanning (nmap), service enumeration, banner grabbing, and directory brute-forcing because active recon identifies the live attack surface that passive methods cannot fully reveal.

6. Enumerate services and technologies — Fingerprint web servers, frameworks, CMS platforms, API endpoints, and authentication mechanisms because accurate technology identification drives exploit selection.

7. Identify vulnerabilities — Cross-reference enumerated services against CVE databases, run vulnerability scanners (Nessus, OpenVAS, Nuclei), and perform manual testing for logic flaws because automated scanners miss business-logic and chained vulnerabilities.

8. Validate and prioritize vulnerabilities — Confirm each finding is exploitable in context, eliminate false positives, and rank by CVSS score adjusted for business impact because validated findings carry credibility in the final report.

9. Plan exploitation carefully — For each validated vulnerability, prepare the exploit, set up a safe test environment if possible, and document the expected outcome because uncontrolled exploitation can crash services or corrupt data.

10. Execute exploitation with minimal impact — Achieve proof of concept without causing denial of service, data destruction, or persistent backdoors because the goal is to demonstrate risk, not to cause harm.

11. Perform post-exploitation assessment — If authorized, pivot to assess lateral movement possibilities, privilege escalation paths, and data access scope because post-exploitation demonstrates the true business impact of a breach.

12. Document every action with timestamps — Maintain a detailed testing log including commands, outputs, screenshots, and timing because reproducibility and evidence are essential for the report and for legal protection.

13. Clean up testing artifacts — Remove shells, test accounts, uploaded files, and any persistent changes because leaving artifacts behind creates new vulnerabilities and violates professional standards.

14. Write the penetration test report — Produce an executive summary, methodology section, findings with evidence and severity, and remediation recommendations because the report is the primary deliverable and must be actionable for both technical and executive audiences.

15. Conduct a findings debrief — Walk the client through critical and high findings, demonstrate exploitation where appropriate, and discuss remediation priorities because interactive debriefs drive faster remediation than reports alone.

16. Plan remediation verification — Schedule a retest window and define success criteria for each finding because verification confirms that fixes actually address the root cause rather than masking symptoms.

Output Format

## Penetration Test Report

### Engagement Overview
[Client, scope, dates, methodology (PTES), authorization reference]

### Executive Summary
[Business risk narrative, critical finding count, overall risk rating]

### Methodology
[Phases completed, tools used, testing approach]

### Findings Summary

| # | Title | Severity | CVSS | Category | Status |
|---|-------|----------|------|----------|--------|
| 1 | ...   | Critical | 9.8  | RCE      | Open   |

### Detailed Findings
[For each: description, steps to reproduce, evidence/screenshots,
 impact analysis, remediation recommendation, references]

### Attack Narrative
[Chain of findings that demonstrate business impact]

### Remediation Roadmap
[Priority-ordered fixes with effort estimates]

### Appendix
[Testing log, tool output, scope documentation]

References

| Topic | Reference | Load When | |-------|-----------|-----------| | Reconnaissance Techniques | references/reconnaissance.md | Planning or executing recon phase | | Vulnerability Scanning | references/vulnerability-scanning.md | Running scanners or triaging results | | Exploitation Guidance | references/exploitation.md | Planning or executing exploitation | | Report Writing | references/reporting.md | Drafting the pentest report | | PTES Methodology | references/methodology.md | Understanding engagement phases |