Agent skill

Quick Pentest Reference

This skill should be used when the user asks to "perform quick enumeration", "run directory busting", "enumerate DNS", "discover live hosts", or "brute force passwords", or needs a pentest cheat sheet. It provides rapid reference commands for penetration testing.


Install this agent skill to your Project

npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/data/quick-pentest-reference

SKILL.md

Quick Pentest Reference

Purpose

Provide rapid-access command references for common penetration testing tasks including directory busting, DNS enumeration, host discovery, service scanning, and password brute forcing. This skill serves as a quick reference for CTFs and penetration testing engagements.

Prerequisites

Required Tools

  • Nmap, Gobuster, FFUF
  • Hydra, Nikto
  • dig, nslookup, host (dnsutils)
  • dnsrecon, dnsenum, fierce
  • netdiscover, arp-scan
  • SecLists wordlists

Installation

bash
sudo apt update
sudo apt install nmap gobuster ffuf hydra nikto dnsutils dnsrecon dnsenum fierce netdiscover arp-scan
sudo apt install seclists
# On Kali, rockyou.txt ships compressed: run gunzip on /usr/share/wordlists/rockyou.txt.gz once before using it with Hydra

Core Workflow

Phase 1: Directory Busting

Discover hidden directories and files:

Gobuster Directory Scan

bash
# Basic directory scan
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt

# With extensions
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt -x php,txt,html

# Only report these status codes (gobuster 3.x refuses -s unless the default
# 404 blacklist is cleared with -b "")
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200,301,302 -b ""

FFUF Directory Scan

bash
# Basic scan
ffuf -u http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# With file extensions
ffuf -u http://10.10.10.10/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.txt,.html

# Filter by response size: drop responses of the size the server returns for a
# path that does not exist (request a random path first to learn it; -ac does
# this calibration automatically)
ffuf -u http://10.10.10.10/FUZZ -w wordlist.txt -fs 4242

# Filter by status code
ffuf -u http://10.10.10.10/FUZZ -w wordlist.txt -fc 404
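Both tools need a filter before their output is usable: a server that answers every unknown path with the same 200 page (a soft 404) floods the results. The script below is an added example, not part of the original skill, that finds that baseline in a saved ffuf run (`ffuf ... -of csv -o results.csv`), prints the rows that deviate from it, and emits the `-fs` value for the next run. The sample CSV is constructed in the column layout ffuf writes with `-of csv`; the function names are mine.

```shell
#!/bin/sh
# Post-process an ffuf CSV (ffuf -u http://host/FUZZ -w list -of csv -o results.csv):
# find the most common (status, size) pair, treat it as the soft-404 baseline,
# and report only the responses that differ from it.

# Constructed sample in the column layout ffuf writes with -of csv
# (not real scan output).
SAMPLE_CSV='FUZZ,url,redirectlocation,position,status_code,content_length,content_words,content_lines,content_type,duration,resultfile
admin,http://10.10.10.10/admin,,1,200,4242,300,50,text/html,12ms,
backup,http://10.10.10.10/backup,,2,200,4242,300,50,text/html,11ms,
login,http://10.10.10.10/login,,3,200,1337,90,20,text/html,15ms,
uploads,http://10.10.10.10/uploads,http://10.10.10.10/uploads/,4,301,169,10,7,text/html,9ms,
xyz,http://10.10.10.10/xyz,,5,200,4242,300,50,text/html,10ms,
abc,http://10.10.10.10/abc,,6,200,4242,300,50,text/html,10ms,'

# Locate the status_code and content_length columns by header name (do not
# hard-code ffuf's column order), count each (status,size) pair and print the
# most frequent one as "STATUS SIZE".
ffuf_baseline() {
  awk -F',' '
    NR == 1 { for (i = 1; i <= NF; i++) { if ($i == "status_code") sc = i; if ($i == "content_length") cl = i }; next }
    NF > 1  { seen[$sc " " $cl]++ }
    END     { max = 0; for (k in seen) if (seen[k] > max) { max = seen[k]; best = k }; print best }
  ' "$1"
}

# Print "word status size" for every row that is NOT the baseline: these are
# the paths worth a manual look.
ffuf_outliers() {
  base=$(ffuf_baseline "$1")
  awk -F',' -v base="$base" '
    NR == 1 { for (i = 1; i <= NF; i++) { if ($i == "status_code") sc = i; if ($i == "content_length") cl = i }; next }
    NF > 1 && ($sc " " $cl) != base { print $1, $sc, $cl }
  ' "$1"
}

# The filter flag to add to the next ffuf run so the baseline never shows up.
ffuf_filter_flags() {
  set -- $(ffuf_baseline "$1")
  printf '%s %s\n' '-fs' "$2"
}

# Demo on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CSV" > "$tmp"
echo "baseline (status size): $(ffuf_baseline "$tmp")"
echo "outliers:"
ffuf_outliers "$tmp"
echo "next run: ffuf ... $(ffuf_filter_flags "$tmp")"
rm -f "$tmp"
```

On the sample the baseline is `200 4242`, so `login` (200, 1337 bytes) and `uploads` (301 redirect) are the two real findings and the next run should carry `-fs 4242`. Size-based filtering fails when the soft-404 page embeds the requested path (every size differs); fall back to `-fw` (word count) or `-fr` (regex) in that case.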

Phase 2: VHOST Enumeration

Discover name-based virtual hosts (other sites served from the same IP) by brute forcing the Host header:

Gobuster VHOST Scan

bash
# --append-domain makes gobuster send Host: <word>.example.com; without it
# (gobuster 3.2 and later) it sends the bare word
gobuster vhost -u http://example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

FFUF VHOST Scan

bash
ffuf -u http://example.com -H "Host: FUZZ.example.com" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Filter false positives: every unknown Host header gets the default vhost, so
# note that response's size (send Host: doesnotexist.example.com) and filter it
ffuf -u http://example.com -H "Host: FUZZ.example.com" -w wordlist.txt -fs <size>

Phase 3: Digital Certificate Reconnaissance

Passive subdomain discovery via Certificate Transparency logs (no packets to the target):

Certificate Search Engines

crt.sh Command Line

bash
# Query crt.sh via curl; name_value may hold several names per certificate
# (jq -r prints them on separate lines) and wildcard entries lose their "*."
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u

Phase 4: DNS Enumeration

Query DNS records for intelligence:

DNS Record Types

Type    Purpose
A       IPv4 address
AAAA    IPv6 address
MX      Mail servers
NS      Name servers
TXT     Text records (SPF, DMARC, verification tokens)
CNAME   Canonical name (alias)
SOA     Start of authority (primary NS, admin contact, serial)

Dig Commands

bash
# A record
dig example.com A

# All records (many resolvers answer ANY with a HINFO stub or refuse it, per
# RFC 8482; ask the authoritative server or query each type separately)
dig example.com ANY

# MX records
dig example.com MX

# Name servers
dig example.com NS

# TXT records (SPF sits on the apex; DMARC lives at _dmarc.example.com and
# DKIM at <selector>._domainkey.example.com, so query those names for them)
dig example.com TXT

# Reverse lookup
dig -x 192.168.1.1

# Use specific DNS server
dig @8.8.8.8 example.com

Host Command

bash
# Basic lookup
host example.com

# Specific record type
host -t MX example.com
host -t NS example.com

# Verbose output
host -a example.com

Nslookup

bash
# Interactive mode
nslookup
> server 8.8.8.8
> set type=MX
> example.com

# Direct queries
nslookup example.com
nslookup -type=MX example.com
nslookup -type=NS example.com

Phase 5: Zone Transfer

Attempt a DNS zone transfer (AXFR) against each authoritative server; a misconfigured server returns the entire zone:

bash
# Dig zone transfer
dig @ns1.example.com example.com AXFR

# Host zone transfer
host -l example.com ns1.example.com

# Nslookup zone transfer (the ls subcommand exists only in the Windows
# nslookup; on Linux use dig or host instead)
nslookup
> server ns1.example.com
> ls -d example.com
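The commands above try a single server, but a zone normally has several authoritative servers and the transfer is often permitted on only one of them. The script below is an added example, not from the original skill: it pulls the NS set with `dig` and tries AXFR against each one. Function names are mine; it assumes `dig` is installed and that the server list comes from the zone's own NS records.

```shell
#!/bin/sh
# Try AXFR against every authoritative name server of a zone, because the
# misconfiguration is usually on one secondary, not on ns1.
# Usage: sh axfr_all.sh example.com

# Authoritative servers for the zone, one per line, trailing dot stripped.
zone_ns() {
  dig +short "$1" NS | sed 's/\.$//' | sort -u
}

# One transfer attempt. Returns 0 and prints the records only if the server
# actually handed the zone over; "; Transfer failed." or an empty answer counts
# as a refusal.
axfr_one() {   # $1 = zone, $2 = name server
  out=$(dig +noall +answer @"$2" "$1" AXFR 2>/dev/null) || return 1
  [ -n "$out" ] || return 1
  printf '%s\n' "$out" | grep -q 'Transfer failed' && return 1
  printf '%s\n' "$out"
}

# Walk every NS; exit status 0 if at least one server allowed the transfer.
axfr_all() {   # $1 = zone
  found=0
  for ns in $(zone_ns "$1"); do
    if recs=$(axfr_one "$1" "$ns"); then
      printf '[+] %s allows AXFR for %s\n' "$ns" "$1"
      printf '%s\n' "$recs"
      found=1
    else
      printf '[-] %s refused AXFR for %s\n' "$ns" "$1"
    fi
  done
  [ "$found" -eq 1 ]
}

if [ "$#" -gt 0 ]; then
  axfr_all "$1"
fi
```

Run it as `sh axfr_all.sh example.com`; the exit status tells a wrapper script whether anything leaked, and the records themselves are the hostnames and internal addresses to feed into the host discovery phase.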

Phase 6: Automated DNS Tools

DNSRecon

bash
# Standard enumeration
dnsrecon -d example.com

# Zone transfer attempt
dnsrecon -d example.com -t axfr

# Brute force subdomains
dnsrecon -d example.com -t brt -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

DNSenum

bash
# Full enumeration
dnsenum example.com

# With wordlist
dnsenum --enum example.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

Fierce

bash
# Subdomain enumeration
fierce --domain example.com

# With wordlist
fierce --domain example.com --subdomain-file wordlist.txt

Phase 7: Host Discovery

Identify live hosts on network:

Netdiscover

bash
# Active ARP scan (raw sockets, so run as root)
sudo netdiscover -i eth0

# Passive mode (only listens for ARP traffic, sends nothing)
sudo netdiscover -p -i eth0

# Specific range
sudo netdiscover -r 192.168.1.0/24

ARP Scan

bash
# Local network (raw sockets, so run as root)
sudo arp-scan -l

# Specific interface
sudo arp-scan -I eth0 -l

# Specific range
sudo arp-scan 192.168.1.0/24

Nmap Host Discovery

bash
# Ping sweep (as root on a local subnet this becomes an ARP scan; unprivileged
# it falls back to TCP connects to ports 80 and 443)
sudo nmap -sn 192.168.1.0/24

# ARP ping (local network only; ARP does not cross routers)
sudo nmap -sn -PR 192.168.1.0/24

# ICMP echo ping
sudo nmap -sn -PE 192.168.1.0/24

# TCP SYN ping (port 80 by default; list ports as -PS22,80,443)
sudo nmap -sn -PS 192.168.1.0/24

# UDP ping
sudo nmap -sn -PU 192.168.1.0/24

# ICMP timestamp request
sudo nmap -sn -PP 192.168.1.0/24

# ICMP address mask request (often passes filters that drop only echo requests)
sudo nmap -sn -PM 192.168.1.0/24

Phase 8: Service and OS Discovery

Enumerate ports, services, and operating systems:

Nmap Service Scans

bash
# SYN scan with version detection (raw SYN scans need root)
sudo nmap -sS -sV 192.168.1.1

# Full TCP scan with OS detection
sudo nmap -T4 -p- -A 192.168.1.1

# UDP scan (slow; limit with --top-ports when time matters)
sudo nmap -sU -T4 192.168.1.1

# Top 1000 ports
sudo nmap -sS -sV --top-ports 1000 192.168.1.1

# All ports, default scripts, OS detection
sudo nmap -sS -sV -sC -O -p- 192.168.1.1

# Banner grabbing
nmap --script=banner 192.168.1.1

# Subnet scan
nmap 192.168.1.0/24
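Saving these scans with `-oG` (greppable output) lets the next phases consume the results instead of retyping addresses. The script below is an added example, not part of the original skill: it parses `-oG` output into `host port service` lines and per-service target lists for Nikto and Hydra. The sample output is constructed in nmap's greppable layout, and the function names are mine.

```shell
#!/bin/sh
# Parse nmap greppable output (nmap ... -oG scan.gnmap) into "host port service"
# lines and per-service target lists.

# Constructed sample in the -oG layout (fields tab-separated, as nmap writes
# them); not a real scan.
SAMPLE_GNMAP=$(printf '# Nmap 7.94 scan initiated as: nmap -sS -sV -oG - 192.168.1.0/24\nHost: 192.168.1.1 ()\tStatus: Up\nHost: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/open/tcp//ssl|https//nginx 1.18/\tIgnored State: closed (997)\nHost: 192.168.1.20 ()\tStatus: Up\nHost: 192.168.1.20 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/filtered/tcp//ssh///\tIgnored State: closed (998)\n# Nmap done: 256 IP addresses (2 hosts up) scanned\n')

# "host port service" for every open port. Each Ports: entry has the form
# port/state/proto/owner/service/rpcinfo/version/, so split on "/".
gnmap_open() {
  grep 'Ports:' "$1" | while IFS= read -r line; do
    host=$(printf '%s\n' "$line" | awk '{ print $2 }')
    printf '%s\n' "$line" \
      | sed -e 's/.*Ports: //' -e 's/[[:space:]]*Ignored State:.*//' \
      | tr ',' '\n' \
      | while IFS='/' read -r port state proto owner svc rest; do
          port=${port# }             # drop the space that follows each comma
          if [ "$state" = "open" ]; then
            printf '%s %s %s\n' "$host" "$port" "$svc"
          fi
        done
  done
}

# "host:port" for services whose name matches a regex ("http" also matches
# the "ssl|https" nmap reports for TLS web ports).
gnmap_targets() {   # $1 = service regex, $2 = gnmap file
  gnmap_open "$2" | awk -v s="$1" '$3 ~ s { print $1 ":" $2 }'
}

# Demo on the constructed sample: list open ports, then print the follow-up
# commands (printed, not executed; 443 targets need https:// for nikto).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_GNMAP" > "$tmp"
gnmap_open "$tmp"
gnmap_targets http "$tmp" | sed 's#^#nikto -h http://#'
gnmap_targets ssh "$tmp" | sed 's#^#hydra -l root -P /usr/share/wordlists/rockyou.txt -t 4 ssh://#'
rm -f "$tmp"
```

Note that a `filtered` port (the sample's 22/tcp on 192.168.1.20) is deliberately left out of the target lists; only `open` is actionable.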

Nikto Web Scanner

bash
# Basic scan
nikto -h http://192.168.1.1

# With SSL
nikto -h https://192.168.1.1 -ssl

# Save output
nikto -h http://192.168.1.1 -o nikto_report.html -Format html

Phase 9: Password Brute Force

Attack authentication services:

Hydra

bash
# SSH brute force (hydra itself recommends -t 4 for ssh; more parallel tasks
# get connections dropped by the server)
hydra -l root -P /usr/share/wordlists/rockyou.txt -t 4 ssh://192.168.1.1

# FTP brute force
hydra -L users.txt -P passwords.txt ftp://192.168.1.1

# HTTP POST form: "path:POST body:failure string" (the third field is text the
# page returns on a failed login; capture it with a deliberately wrong attempt first)
hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid"

# HTTP Basic Auth
hydra -l admin -P passwords.txt 192.168.1.1 http-get /admin/

# RDP brute force
hydra -l administrator -P passwords.txt rdp://192.168.1.1

# SMB brute force (check the domain lockout policy first; a long password list
# against many users locks accounts out)
hydra -L users.txt -P passwords.txt smb://192.168.1.1

Phase 10: Post Exploitation

Actions after gaining access:

Windows Credential Dumping

bash
# Meterpreter (escalate to SYSTEM first; hashdump and kiwi need it)
meterpreter> getsystem
meterpreter> hashdump
meterpreter> load kiwi
meterpreter> creds_all

# Mimikatz (needs SeDebugPrivilege or SYSTEM; run privilege::debug first)
mimikatz# privilege::debug
mimikatz# sekurlsa::logonpasswords
mimikatz# lsadump::sam

Linux Privilege Escalation

bash
# Check sudo permissions
sudo -l

# Find SUID binaries (files only; compare against GTFOBins)
find / -type f -perm -4000 2>/dev/null

# Check cron jobs
cat /etc/crontab
ls -la /etc/cron.*

# LinPEAS enumeration
./linpeas.sh
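The `sudo -l`, SUID and cron checks above show what runs with privilege; the follow-up question is whether any of it is something you can modify. The script below is an added example, not taken from the skill: it parses system crontab files (the formats with a user field, `/etc/crontab` and `/etc/cron.d/*`) and reports jobs whose script is writable by the current user, or does not exist yet inside a directory you can write to. Function names are mine. Run it as the low-privileged user, since as root every file reports writable.

```shell
#!/bin/sh
# Privilege-escalation check: cron jobs whose script the current user can modify.
# /etc/crontab and /etc/cron.d/* carry a user field (field 6, or field 2 after
# an @reboot-style schedule); a root job running a file we can write to is a
# direct path to root. Per-user crontabs under /var/spool/cron have no user
# field and are not handled here.

# Print "user path" for every absolute path in the command part of each job,
# skipping comments, blank lines and VAR=value assignments.
cron_commands() {
  for f in "$@"; do
    [ -r "$f" ] || continue
    awk '
      /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
      /^[[:space:]]*[A-Za-z_][A-Za-z_0-9]*=/ { next }
      {
        if ($1 ~ /^@/) { if (NF < 3) next; user = $2; start = 3 }
        else           { if (NF < 7) next; user = $6; start = 7 }
        for (i = start; i <= NF; i++) {
          tok = $i; sub(/[;&|]+$/, "", tok)   # strip trailing ; & | from "cmd;"
          if (tok ~ /^\//) print user, tok
        }
      }
    ' "$f"
  done
}

# Keep only the targets we could tamper with: writable now, or not yet created
# inside a directory we can write to (we could plant the file).
cron_writable() {
  cron_commands "$@" | while read -r user path; do
    if [ -w "$path" ]; then
      printf '%s %s writable\n' "$user" "$path"
    elif [ ! -e "$path" ] && [ -w "$(dirname "$path")" ]; then
      printf '%s %s missing-but-dir-writable\n' "$user" "$path"
    fi
  done
}

# Typical invocation on a target (the glob is harmless if /etc/cron.d is empty).
cron_writable /etc/crontab /etc/cron.d/*
```

A hit of the form `root /opt/backup/run.sh writable` means appending a reverse shell to that script gets executed as root on the next schedule; `missing-but-dir-writable` means the job references a script that was deleted but whose directory you can still create files in.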

Quick Reference

Essential Wordlists

Path                                                                 Purpose
/usr/share/wordlists/dirb/common.txt                                 Common directories
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt         Medium directory list
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt    Subdomains
/usr/share/wordlists/rockyou.txt                                     Passwords (gunzip rockyou.txt.gz first on Kali)

Command Quick Reference

Task              Command
Directory bust    gobuster dir -u URL -w wordlist
VHOST enum        ffuf -H "Host: FUZZ.domain" -u URL -w wordlist
DNS lookup        dig domain.com A (or MX, NS, TXT; ANY is unreliable)
Zone transfer     dig @ns.domain.com domain.com AXFR
Host discovery    sudo nmap -sn 192.168.1.0/24
Port scan         sudo nmap -sS -sV -p- target
Brute force       hydra -l user -P list service://target

Constraints and Limitations

Authorization

  • Only test systems you own or have permission to test
  • Document all testing activities
  • Stay within scope

Tool Limitations

  • Some scans may trigger IDS/IPS
  • Rate limiting may block aggressive scans
  • Firewalls may block certain techniques

Troubleshooting

Scans Returning No Results

Solutions:

  1. Verify target is reachable
  2. Try different scanning techniques
  3. Check for firewall blocks
  4. Use slower scan rates
