duriandurino/pentest-essentials

Penetration Testing Essentials

Use this skill to ground work in a safe, repeatable pentest methodology. This skill is for teaching, framing, and discipline. It helps both the main assistant and pentest sub-agents stay methodical.

When to Use

✅ USE this skill when:

• "Teach me penetration testing basics"
• "What are the phases of a pentest?"
• "What's the difference between scanning and enumeration?"
• "How should I practice pentesting safely?"
• "What should I document during a pentest?"
• A pentest task needs a methodology reminder before action
• A sub-agent should be reminded to prioritize authorization, evidence, and reporting

When NOT to Use

❌ DON'T use this skill when:

• Running passive recon only → use recon
• Running active scans / enumeration → use enum
• Matching CVEs / vulnerability analysis → use vuln
• Exploiting a target → use exploit
• Doing post-exploitation → use post
• Writing the actual final pentest report → use reporting or specter-report
• Orchestrating a full engagement end-to-end → use pentest-orchestrator

Core Rules

1. Authorization first

   • Never actively test a target without explicit scope and permission.
   • Treat pre-engagement and ROE as a gate, not paperwork.

2. Phases over random tooling

   • Follow a sequence: pre-engagement → recon → scanning → enumeration → vulnerability analysis → exploitation → post-exploitation → reporting.
   • Do not jump to exploitation just because a tool exists.

3. Verify before claiming

   • Re-check live before calling something a finding.
   • Separate confirmed facts from hypotheses and leads.

4. Document as you go

   • Save commands, timestamps, outputs, evidence paths, and interpretations.
   • A result you cannot reproduce or explain is not finished work.

5. Reporting is part of testing

   • Every meaningful finding should be explainable in terms of evidence, impact, and remediation.
   • If you cannot write the finding clearly, you do not understand it well enough yet.

Phase Model

0. Pre-Engagement

Confirm:

• authorization
• in-scope assets
• exclusions
• allowed techniques
• stop conditions
• data handling expectations

1. Reconnaissance

Goal: learn what exists with minimal interaction.

Examples:

# Passive recon examples vary by target and scope
# Start with asset lists, DNS, public footprint, and target inventory

Output:

• target list
• attack surface notes
• assumptions to validate later

2. Scanning

Goal: find hosts, ports, and exposed services.

Examples:

nmap -sn 192.168.56.0/24
nmap -sV -p 1-1024 <target>

Output:

• live hosts
• open ports
• initial service/version clues

3. Enumeration

Goal: go deeper on discovered services.

Examples:

nmap -sC -sV <target>
nc -vz <target> 80

Output:

• service behaviors
• versions, banners, protocols
• auth requirements
• shares/endpoints/parameters/users where in scope

4. Vulnerability Analysis

Goal: validate whether enumerated services imply real weaknesses.

Checklist:

• map versions/configuration to candidate vulnerabilities
• eliminate false positives
• distinguish confirmed issues from unverified CVE hypotheses
• decide whether exploitation is justified and authorized

5. Exploitation

Goal: prove impact with minimal necessary action.

Rules:

• stay inside ROE
• prefer the least disruptive proof
• capture evidence immediately
• stop once impact is sufficiently demonstrated

6. Post-Exploitation

Goal: assess how far access goes and what business impact exists.

Examples:

• privilege level
• accessible data
• lateral movement potential
• persistence risk (document, do not deploy unless explicitly authorized)

7. Reporting

Goal: turn technical evidence into a useful deliverable.

Every report-ready finding should answer:

• what is affected?
• how was it verified?
• what can an attacker achieve?
• how should it be fixed?
• what should be hardened beyond the direct fix?

Beginner Tool Stack

Start with a small set and learn what each tool is for.

| Tool | Purpose | Beginner note | |------|---------|---------------| | Nmap | Host, port, and service discovery | Learn scan flags and outputs before fancy NSE use | | Netcat | Quick reachability/banner checks | Good for validating a single port hypothesis | | Burp Suite | Intercept and inspect web traffic | Best for learning web request/response flow | | Wireshark | Understand packets and protocol behavior | Useful when you need to see what the tools are doing | | Nikto | Web misconfig clue generator | Treat results as leads, not findings | | sqlmap | SQLi validation in labs | Use only in safe, authorized lab scenarios | | Metasploit | Controlled exploitation framework | Start with auxiliary/scanner workflows first |

Safe Practice Labs

Recommended beginner labs:

• Metasploitable 2 — host/service scanning and enumeration
• OWASP Juice Shop — modern web testing with Burp
• DVWA — classic web vuln practice with strong safety boundaries
• WebGoat — guided learning exercises
• PortSwigger Web Security Academy — structured web labs

Safety rules for labs:

# Prefer localhost or isolated VM/Docker networks
# Do not expose intentionally vulnerable labs to the internet
# Keep practice separate from real environments

Reporting Discipline

Minimum structure for a useful finding:

Title
Severity
Affected Asset
Description
Evidence
Impact
Remediation
Hardening
References

Minimum evidence habit during testing:

- command used
- timestamp
- output file path
- what the result means
- what to test next

Sub-Agent Guidance

When a pentest sub-agent uses this skill, it should:

• check scope and authorization before active work
• stay in its assigned phase unless explicitly told to pivot
• produce a handoff document for the next phase
• mark findings as verified, not verified, or hypothesis
• avoid conflating scanner output with confirmed vulnerability
• prioritize evidence quality and remediation value

Decision Heuristics

Use these rules of thumb:

• Open port ≠ vulnerability
• Service version ≠ confirmed CVE
• Scanner warning ≠ report-ready finding
• One reproduced exploit > ten unverified guesses
• Clean reporting is part of the technical work, not admin overhead

References

Load on demand:

• references/examples.md — concrete trigger phrases and expected use
• references/report-template.md — compact report structure and finding template
• references/roe-template.md — beginner-friendly authorization and ROE outline
• references/lab-path.md — safe beginner practice progression