pentesting

Pentesting arsenal with the Shannon pipeline — queue-driven, proof-based, 5 parallel phases

Best use case

pentesting is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using pentesting should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/pentesting/SKILL.md --create-dirs "https://raw.githubusercontent.com/gonzalezpazmonica/pm-workspace/main/.claude/skills/pentesting/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/pentesting/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How pentesting Compares

| Feature / Agent | pentesting | Standard Approach |
|-----------------|------------|-------------------|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

Pentesting arsenal with the Shannon pipeline — queue-driven, proof-based, 5 parallel phases

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Pentesting Skill — Shannon Pipeline

## §1 — Arsenal (details in `checklists.md`)

**Recon**: nmap, dig, whois, subfinder, amass, gobuster, ffuf, whatweb, crt.sh, testssl.sh
**Web**: SQLi (error/blind/time/UNION), XSS (reflected/stored/DOM), SSTI, XXE, SSRF, CSRF, CMDi, path traversal, file upload, deserialization, business logic
**Auth**: brute force, JWT (none/key-confusion/claim-tamper), OAuth abuse, SAML, session fixation
**AuthZ**: IDOR, BOLA/BFLA, priv escalation (H/V), forced browsing, mass assignment
**API**: REST param pollution, GraphQL introspection/DoS, gRPC reflection, WebSocket, rate limit bypass
**Infra**: nmap NSE, mitmproxy, scapy, Redis/Mongo/ES/MySQL, TLS audit
**Container**: Docker socket escape, privileged mode, K8s RBAC/etcd/pod escape, Helm injection
**Cloud**: AWS IMDS/S3/IAM, Azure MI/SAS/RBAC, GCP metadata/SA keys
**Crypto**: MD5/SHA1/ECB detection, padding oracle, hardcoded keys, PRNG prediction

## §2 — Tools

```bash
# apt: nmap dnsutils whois nikto dirb tcpdump netcat socat openssl jq
# pip: sqlmap wfuzz mitmproxy scapy requests beautifulsoup4 pyjwt pycryptodome httpx
```

## §3 — Final Report (Phase 5)

```markdown
# Pentest Report — {sistema}
**Date:** {fecha} | **Environment:** {env} | **Scope:** {desc}
## Executive Summary
Risk: {level} | Proven findings: C:{n} H:{n} M:{n} L:{n}
Discarded (no L3 proof): {n}
## Proven Findings (L3 only — with evidence)
## Attack Chains (diagrams of successful chains)
## Failed Attempts (L1/L2 — transparency, not counted as findings)
## Remediation Roadmap (P0-P3)
## Positive Findings (controls that worked)
```

## §4 — Rules per Environment

**DEV**: ✅ everything. Aggressive fuzzing, exploits, brute force, controlled DoS. ⚠️ Do not destroy data without a backup.
**PRE**: ✅ OWASP, moderate fuzzing. ❌ No brute force, no DoS, no third-party data.
**PROD**: ✅ Passive only (headers, TLS, DNS, auth test). ❌ No exploits, no fuzzing. Everything reversible.

## §5 — Checklists (details in `checklists.md`)

**Web**: headers, TLS, cookies, CORS, auth, authz, input validation, upload, errors, rate limit, business logic
**API**: auth, authz/endpoint, validation, mass assignment, rate limit, pagination, content-type, versioning, docs
**Infra**: ports, versions, creds, SSH, firewall, DNS, email security, certs
**Cloud**: non-root, no privileged, pinned images, RBAC, network policies, secrets, IAM, storage

## §6 — MITRE ATT&CK

| Tactic | Techniques |
|---------|----------|
| Reconnaissance | Active scanning, open websites |
| Initial Access | Exploit public app, valid accounts |
| Execution | Command interpreter, exploitation |
| Persistence | Account manipulation, scheduled task |
| Priv Escalation | Exploitation, token manipulation |
| Credential Access | Brute force, credential dumping |
| Lateral Movement | Remote services, exploitation |
| Exfiltration | Over C2, web service, alt protocol |

## §7 — Simplified CVSS v3.1

| Factor | Weight | Values |
|--------|------|---------|
| Attack Vector | 0.3 | Network(1.0) Adjacent(0.7) Local(0.5) Physical(0.2) |
| Complexity | 0.2 | Low(1.0) High(0.5) |
| Privileges | 0.2 | None(1.0) Low(0.6) High(0.3) |
| Impact | 0.3 | High(1.0) Medium(0.6) Low(0.3) |

## §8 — STRIDE quick-ref

| Cat | Question | Controls |
|-----|----------|----------|
| Spoofing | Impersonate? | Auth, MFA, tokens |
| Tampering | Modify? | Integrity, HMAC |
| Repudiation | Deny? | Audit logs |
| Info Disclosure | Access? | Encryption, ACL |
| DoS | Take down? | Rate limiting, WAF |
| Elevation | Escalate? | RBAC, least privilege |

## §9 — Vulnerability Queue Format (Phase 3 → Phase 4)

Each `03-vuln-{clase}.json` file contains:
```json
{"vulnerabilities": [
  {"id": "INJ-001", "endpoint": "/api/search", "parameter": "q",
   "type": "sqli_error", "sink": "SQL query string interpolation",
   "source_file": "app.py:42", "confidence": "high",
   "suggested_payload": "' OR '1'='1", "notes": "No parameterized query"}
]}
```
Required fields: `id`, `endpoint`, `parameter`, `type`, `confidence`.
If `confidence` < `medium`, exploitation is not attempted.
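
A fail-closed check of the queue contract above, as an added example that is not part of the original SKILL.md or the project's code: it validates the required fields and applies the `confidence` gate before any entry is handed to the next phase. The `low < medium < high` ordering, the name `triage_queue` and the sample entries are assumptions constructed for illustration.

```python
import json

# Assumption: confidence is ordered low < medium < high; the page shows only
# the value "high" and the threshold "medium".
RANK = {"low": 0, "medium": 1, "high": 2}
REQUIRED = ("id", "endpoint", "parameter", "type", "confidence")


def triage_queue(raw):
    """Return (eligible_ids, held_back_ids, rejected) for one queue file.

    held_back holds ids below medium confidence, which never reach Phase 4.
    """
    doc = json.loads(raw)
    entries = doc.get("vulnerabilities") if isinstance(doc, dict) else None
    if not isinstance(entries, list):
        raise ValueError("top-level 'vulnerabilities' list is missing")
    eligible, held_back, rejected, seen = [], [], [], set()
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            rejected.append((i, "entry is not an object"))
            continue
        missing = [f for f in REQUIRED
                   if not isinstance(entry.get(f), str) or not entry[f].strip()]
        if missing:
            rejected.append((i, "missing: " + ", ".join(missing)))
            continue
        rank = RANK.get(entry["confidence"].lower())
        if rank is None:
            # Unknown value: fail closed instead of treating it as actionable.
            rejected.append((i, "unknown confidence: " + entry["confidence"]))
        elif entry["id"] in seen:
            rejected.append((i, "duplicate id: " + entry["id"]))
        else:
            seen.add(entry["id"])
            bucket = eligible if rank >= RANK["medium"] else held_back
            bucket.append(entry["id"])
    return eligible, held_back, rejected

# Constructed sample queue (not project data); optional fields omitted.
SAMPLE = json.dumps({"vulnerabilities": [
    {"id": "INJ-001", "endpoint": "/api/search", "parameter": "q",
     "type": "sqli_error", "confidence": "high"},
    {"id": "INJ-002", "endpoint": "/api/items", "parameter": "sort",
     "type": "sqli_blind", "confidence": "low"},
    {"id": "INJ-003", "endpoint": "/api/export", "type": "sqli_time",
     "confidence": "medium"},
    {"id": "INJ-004", "endpoint": "/api/login", "parameter": "user",
     "type": "sqli_error", "confidence": "certain"},
]})
```

Entries that fail validation are reported with their index and reason so the Phase 3 output can be corrected rather than silently dropped.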
