Share
## https://sploitus.com/exploit?id=74ED9A4A-A771-5D12-8351-FE96ABF361FE
# Deep Pentest Skill

![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)
![Status: Operational](https://img.shields.io/badge/Status-Operational-green)
![Discipline: Red Team](https://img.shields.io/badge/Discipline-Red%20Team-critical)
![Language: English](https://img.shields.io/badge/Language-English-blue)
![Authorization: Required](https://img.shields.io/badge/Authorization-Required-red)

> **AUTHORIZED TESTING ONLY.** This skill provides methodology for penetration testing against assets you own or are explicitly authorized to test. Unauthorized access to computer systems is a crime in most jurisdictions.

Autonomous deep penetration testing framework. Covers the full kill chain: reconnaissance, vulnerability assessment, exploitation, post-exploitation, and reporting. Structured as a field manual. Written in military operation order format. Framework-agnostic. Tool-agnostic.

---

## Table of Contents

- [Why This Exists](#why-this-exists)
- [What Is Inside](#what-is-inside)
- [Installation](#installation)
- [Quick Start](#quick-start)
- [Operational Phases](#operational-phases)
- [Features](#features)
- [Tool Compatibility Matrix](#tool-compatibility-matrix)
- [Authorization Requirements](#authorization-requirements)
- [Responsible Use Disclaimer](#responsible-use-disclaimer)
- [Examples](#examples)
- [FAQ](#faq)
- [Contributing](#contributing)
- [License](#license)

---

## Why This Exists

Most penetration tests fail for predictable reasons:

- Scope creep. Operators wander outside authorization. Legal exposure.
- Missed vectors. Incomplete recon. Findings discovered after report delivery.
- False positives. Scanner output reported unvalidated. Credibility destroyed.
- Weak evidence. Findings cannot be reproduced. Remediation stalls.
- No chain-of-custody. Evidence inadmissible. Disputes unresolved.
- Report does not drive action. Executives confused. Engineers underserved.

This skill enforces discipline. Each phase has gates. Each finding has evidence. Each report has structure. The operator works the methodology; the methodology produces decision-ready output.

The format is deliberate. Operation order structure mirrors how military and red team units brief missions: SITUATION, MISSION, EXECUTION, SUPPORT, COMMAND SIGNALS. Short sentences. Declarative. No filler.

## What Is Inside

```
deep-pentest-skill/
โ”œโ”€โ”€ SKILL.md                              # Main oporder. Start here.
โ”œโ”€โ”€ README.md                             # This file.
โ”œโ”€โ”€ LICENSE                               # MIT
โ”œโ”€โ”€ .gitignore
โ””โ”€โ”€ references/
    โ”œโ”€โ”€ recon-methodology.md              # Phase 1 TTPs: OSINT, DNS, subdomain, scan, fingerprint
    โ”œโ”€โ”€ vulnerability-classes.md          # Phase 2: OWASP, API Top 10, CVE, cloud, business logic
    โ”œโ”€โ”€ exploit-chains.md                 # Phases 3-4: exploitation, privesc, lateral, persistence
    โ””โ”€โ”€ reporting-standards.md            # Phase 5: report structure, CVSS, evidence, remediation
```

`SKILL.md` is the entry point. It defines Rules of Engagement, phase sequence, and quality gates. Read it first.

Each reference document is doctrine for its phase. Tools, commands, validation steps, and quality gates. They are independent - operators reference the one matching the current phase.

## Installation

Requires a skill-compatible AI assistant that supports custom skill packages.

### Option 1: Clone Direct

```bash
git clone https://github.com/like041123/deep-pentest-skill.git \
  ~/skills/deep-pentest
```

### Option 2: Manual Install

Download the release archive. Unpack into your skills directory:

```bash
mkdir -p ~/.config/skills/deep-pentest
cd ~/.config/skills/deep-pentest
tar xzf ~/Downloads/deep-pentest-skill-1.0.tar.gz
```

### Option 3: Package Manager (if supported)

```bash
skill install like041123/deep-pentest-skill
```

### Verify Install

```bash
ls ~/skills/deep-pentest/
# Should show: SKILL.md  README.md  LICENSE  references/
```

Restart your AI assistant after install. The skill activates on trigger phrases: "penetration test", "security assessment", "vulnerability scan", "exploit chain", "red team", "security audit".

## Quick Start

Once installed, describe your objective. The assistant follows the oporder.

**Example 1 - Scope a web app test.**
```
Help me plan a penetration test of https://example.com.
I have written authorization. White box. Production.
```

The assistant will:
1. Confirm authorization status.
2. Lock scope.
3. Walk Phase 0 planning.
4. Issue Phase 1 recon commands.

**Example 2 - Run recon.**
```
Begin Phase 1 recon on target.tld.
Passive first. Then active. Produce asset inventory.
```

The assistant issues staged recon commands. See `references/recon-methodology.md` for the full pipeline.

**Example 3 - Validate a finding.**
```
I found a potential SQLi in /search?q=test'.
Validate it. Demonstrate impact. Capture evidence.
```

The assistant runs `sqlmap`, captures request/response, scores CVSS, documents for the report.

**Example 4 - Build the report.**
```
Generate the final report from engagement evidence.
Executive summary first. Then technical findings.
```

The assistant assembles the report per `references/reporting-standards.md`.

## Operational Phases

| Phase | Name | Output | Reference |
|-------|------|--------|-----------|
| 0 | Planning + Authorization | Engagement plan, ROE card | SKILL.md |
| 1 | Reconnaissance | Asset inventory, attack surface map | recon-methodology.md |
| 2 | Vulnerability Assessment | Validated finding register | vulnerability-classes.md |
| 3 | Exploitation | Exploit chains, proof of impact | exploit-chains.md |
| 4 | Post-Exploitation | Blast radius map | exploit-chains.md |
| 5 | Reporting | Final report, evidence package | reporting-standards.md |
| 6 | Cleanup + Closure | Restoration confirmation | SKILL.md |

Each phase gates the next. Quality gates must pass before phase transition. No skipping.

## Features

- **Full kill chain coverage.** Recon through reporting. Nothing left to improvise.
- **Authorization-first.** ROE card enforced. No authorization, no action.
- **Evidence-grade output.** Every finding hashed, timestamped, reproducible.
- **Framework-agnostic.** OWASP, PTES, NIST SP 800-115, MITRE ATT&CK referenced. Not locked to one.
- **Tool-agnostic.** Commands for `nmap`, `nuclei`, `sqlmap`, `ffuf`, `burpsuite`, `metasploit`, and more. Use what you have.
- **CVSS v3.1 scoring.** Documented rationale. Consistent across findings.
- **Exploit chain narratives.** Findings tell a story. Executives understand the risk.
- **Python automation.** Recon pipeline, evidence hasher, chain logger, report builder included.
- **Cloud-aware.** AWS, Azure, GCP misconfiguration detection.
- **Business logic testing.** Not scanner-dependent. Manual TTPs documented.
- **Quality gates per phase.** No advancing with gaps.
- **Responsible use baked in.** Legal notes per phase. Default-deny on unauthorized action.

## Tool Compatibility Matrix

The skill references these tools. Most are open source. Some require licenses.

| Function | Primary | Alternate | Open Source |
|----------|---------|-----------|-------------|
| Recon - DNS | `amass` | `subfinder`, `dnsrecon` | Yes |
| Recon - Subdomain | `subfinder` | `assetfinder`, `puredns` | Yes |
| Recon - HTTP probe | `httpx` | `httprobe` | Yes |
| Scanning - TCP | `nmap` | `masscan`, `rustscan` | Yes |
| Scanning - Web | `nikto` | `arachni` | Yes |
| Web fuzz | `ffuf` | `gobuster`, `feroxbuster` | Yes |
| Web vuln templates | `nuclei` | `wpscan` (WordPress) | Yes |
| Proxy | `burpsuite` | `zap`, `mitmproxy` | Burp Pro paid; others free |
| SQLi | `sqlmap` | custom | Yes |
| Exploitation | `metasploit` | custom | Yes (Community) |
| C2 | `sliver` | `havoc`, `cobalt-strike` | Sliver/Havoc free; CS paid |
| Privesc Linux | `linpeas` | manual | Yes |
| Privesc Windows | `winpeas`, `Seatbelt` | `PowerUp` | Yes |
| Cracking | `hashcat` | `john` | Yes |
| Online brute | `hydra` | `medusa` | Yes |
| Cloud - AWS | `prowler`, `pacu` | `scout-suite` | Yes |
| Cloud - Azure | `microbursts` | `roadtools` | Yes |
| Cloud - GCP | `gcp-scanner` | `scout-suite` | Yes |
| SBOM | `syft` | `cyclonedx` | Yes |
| Vuln matching | `grype` | `dependency-check` | Yes |
| Secrets | `trufflehog` | `gitleaks` | Yes |
| Reporting | `pandoc` | custom | Yes |

Install path varies by distribution. On Kali, most are preinstalled. On other systems, use your package manager or the upstream releases.

## Authorization Requirements

**Non-negotiable. Read this twice.**

Before any active testing, the operator must hold:

1. **Written authorization** from the asset owner or authorized delegate.
2. **Scope definition** in writing: IP ranges, domains, applications, accounts, exclusions.
3. **Time window** in writing: start, end, timezone.
4. **Technique allowlist** in writing. Default-deny. If not listed, do not use.
5. **Emergency contact** named on both sides, with response SLA.
6. **Data handling agreement** specifying retention, encryption, destruction.

Verbal authorization is not authorization. Email from a non-authorized party is not authorization. "They said it was fine" is not authorization.

If any element is missing or ambiguous: halt. Escalate. Do not proceed on assumption.

The skill enforces this. It will refuse to advance to active phases without confirmed authorization. This is by design.

## Responsible Use Disclaimer

This skill is provided for **authorized security testing and educational purposes only**.

Unauthorized access to computer systems is illegal under statutes including but not limited to:

- United States: Computer Fraud and Abuse Act (18 U.S.C. 1030)
- United Kingdom: Computer Misuse Act 1990
- European Union: Convention on Cybercrime (Budapest Convention)
- China: Cybersecurity Law of the People's Republic of China
- Australia: Criminal Code Act 1995 (Part 10.7)
- Most other jurisdictions have equivalent laws.

Penalties include criminal prosecution, imprisonment, fines, and civil liability.

By using this skill, you accept sole legal and ethical responsibility for all actions taken. The skill authors and contributors:

- Do not grant authority to test any system.
- Do not warrant the legality of any action in any jurisdiction.
- Are not liable for misuse of the methodology provided.
- Do not endorse testing systems without explicit authorization.

If you are unsure whether an action is authorized, it is not. Stop. Seek written clarification.

This skill provides methodology and tool guidance. It is not a substitute for legal counsel. For commercial engagements, consult qualified legal counsel in the relevant jurisdiction before testing.

## Examples

### Example: Staged Recon Pipeline

```bash
# Passive first - no packets to target
subfinder -d target.tld -all -silent -o subs.txt
amass enum -passive -d target.tld -o amass.txt
curl -s "https://crt.sh/?q=%25.target.tld&output=json" \
  | jq -r '.[].name_value' | sort -u > ct.txt
cat subs.txt amass.txt ct.txt | sort -u > subs_all.txt

# Validate live
httpx -l subs_all.txt -status-code -title -tech-detect -o live.txt

# Active scan - authorization confirmed
nmap -Pn -p- --min-rate 5000 -T4 -oA fulltcp $(cat live.txt | awk '{print $1}')
nmap -sV -sC -p  -oA services $(cat live.txt | awk '{print $1}')
```

### Example: SQLi Validation

```bash
# Confirm
sqlmap -u "https://target.tld/search?q=test" --batch --level=3 --risk=2

# Extract
sqlmap -u "https://target.tld/search?q=test" --batch -D users --tables
sqlmap -u "https://target.tld/search?q=test" --batch -D users -T accounts --dump

# Capture evidence
sqlmap -u "https://target.tld/search?q=test" --output-dir=evidence/V-001
```

### Example: Evidence Hashing

```python
#!/usr/bin/env python3
import hashlib, pathlib, csv, datetime
ROOT = pathlib.Path("evidence")
with (ROOT / "manifest.csv").open("w", newline="") as fh:
    w = csv.writer(fh)
    w.writerow(["file", "sha256", "bytes", "captured_utc"])
    for p in ROOT.rglob("*"):
        if p.is_file() and p.name != "manifest.csv":
            w.writerow([str(p), hashlib.sha256(p.read_bytes()).hexdigest(),
                        p.stat().st_size,
                        datetime.datetime.utcfromtimestamp(p.stat().st_mtime).isoformat()])
```

### Example: Exploit Chain Log

```python
from chain_logger import ChainLogger
chain = ChainLogger("EC-001", "Full web app compromise", "SQLi in /search (V-001)")
chain.step("SQLi extracts users table", "12 admin hashes recovered",
           evidence=pathlib.Path("evidence/V-001/db_dump.txt"))
chain.step("Crack admin hashes", "8/12 cracked in 4 minutes",
           evidence=pathlib.Path("evidence/V-001/cracked.txt"))
chain.step("Admin login", "Authenticated as admin",
           evidence=pathlib.Path("evidence/V-001/screenshot.png"))
chain.finalize(
    impact="Full system compromise, database access, potential PII exposure",
    detection=["WAF on /search", "EDR on webshell execution", "Anomalous admin logins"],
    remediation=["Parameterize SQL queries", "Enforce password policy", "Validate file uploads"]
)
```

## FAQ

**Q: Can I use this for bug bounty?**
A: The methodology overlaps, but bug bounty has different scope rules, disclosure timelines, and reporting norms. Use a bug-bounty-specific methodology for those engagements. This skill targets authorized penetration tests.

**Q: Will this work without internet access?**
A: The methodology works offline. Some tools (OSINT, CT log queries) require internet. Air-gapped targets need offline wordlists and tool mirrors.

**Q: Is this a replacement for a human penetration tester?**
A: No. This is a force multiplier. It structures the work, enforces discipline, and accelerates execution. A qualified human operator still owns authorization, judgment, and accountability.

**Q: Why the military tone?**
A: Operation order format is the most battle-tested structure for planning and executing time-sensitive, high-stakes work. It enforces clarity, sequence, and accountability. It also resists the vague hedging that weakens security reports.

**Q: Does the skill perform tests automatically?**
A: The skill provides methodology, commands, and automation scripts. Execution is the operator's responsibility. The operator runs commands against authorized targets and captures evidence. The skill structures the work; it does not bypass human control.

**Q: What if a finding is borderline illegal to validate?**
A: Do not validate. Document the theoretical impact and stop at the proof that demonstrates the issue exists without crossing into unauthorized access. Example: confirming SQLi with a benign `UNION SELECT 1,2,3` is sufficient; dumping user PII is not.

**Q: How do I report a vulnerability in this skill itself?**
A: Open an issue on the repository. Do not exploit. Responsible disclosure expected.

## Contributing

Pull requests welcome. Format all content as military operation order doctrine. English only. No filler. Every command tested. Every claim sourced.

Before submitting:
- Verify no unauthorized tooling references.
- Verify all commands are reproducible.
- Verify evidence examples are redacted.
- Verify the contribution does not lower authorization barriers.

## License

MIT - see [LICENSE](LICENSE).

Copyright (c) 2026 like041123

---

**Final note.** This skill is a tool. Tools do not grant authority. Authority comes from written authorization, scope, and ROE. If you lack any of these, close this repository and obtain them before proceeding. Test responsibly.