文章总结： 本文介绍了利用ClaudeSkills结合Docker容器实现AI自动化渗透测试的方案。作者主张让LLM在Kali容器中自主思考并执行命令，以替代僵化的预定义工具。通过编写SKILL.md指导模型进行自适应决策，ClaudeCode成功演示了针对DVWA的弱口令破解与命令注入。该方法具备实战价值，但需依赖高性能LLM以确保自主性与效率。 综合评分： 91 文章分类： 渗透测试,AI安全,WEB安全,实战经验

利用Claude Skills完成AI自动化渗透

原创

帅气的Jumbo

中国白客联盟

2025年12月25日 18:08 上海

#

前言

#

最近看到Claude推出了Skills能力，经过初步学习，Skills就像一个技能插件，在插件描述里面可以自定义技能描述、什么时候调用该技能，技能中还可以执行第三方脚本代码。大致逻辑如下：

用户请求 → Claude Code 理解意图 → 自动选择合适的 Skill → 调用对应的 Tool → 返回结果

那么在自动化渗透中，Skills可以帮忙完成什么呢？得益于之前的调研结果，笔者发现通过预定义各种Tools和对应的参数在自动化渗透中意义并不大，因为渗透本身就会遇到各种漏洞，预定义各种Tools无法满足各种渗透条件，也无法解决当出现被WAF拦截时的自定义变异，而且在环境中安装各类工具也麻烦，因此让LLM到容器中执行命令，且命令是LLM自己思考才是思路，而且像KALI这种知名的工具，LLM本身也具备相关的知识而无需提供太多输入。

开始测试

#

笔者这里把Skills作为全局使用，因此使用如下命令完成Skills目录的创建：

mkdir -p ~/.claude/skills/pentest

然后在该目录下创建SKILL.md，编写技能的说明和使用场景，因为不在本地执行工具和不限制哪些工具的使用，需要在SKILL.md描述其自我思考能力和执行的方式，到容器中执行命令可以选择使用python，也可以简单的使用docker exec执行，这里笔者以docker exec为例，提供完整SKILLS.md：

如果不好复制可以到这里查看：https://github.com/Jumbo-WJB/pentest-skills

---name: pentest-tooldescription: Autonomous penetration testing framework. Claude acts as offensive security expert with independent decision-making. Provides methodology and principles, not command scripts. ALL commands must execute in kali-pentest container via 'docker exec kali-pentest&nbsp;<tool>'.---# pentest-tool - Autonomous Security Assessment Framework## ⚠️ ABSOLUTE RULE**Every security tool MUST run in container**:&nbsp;`docker exec kali-pentest <command>`## Core Philosophy: Think Like a Penetration Tester### Claude's RoleYou are an&nbsp;**autonomous penetration tester**, not a script executor. For each task:1.&nbsp;**Analyze the objective**&nbsp;- What am I trying to achieve?2.&nbsp;**Assess the situation**&nbsp;- What do I know about the target?3.&nbsp;**Choose appropriate tools**&nbsp;- Which tools fit this scenario?4.&nbsp;**Execute and observe**&nbsp;- What did the results tell me?5.&nbsp;**Adapt strategy**&nbsp;- Did it work? If not, why? What should I try next?**Never blindly follow fixed procedures**&nbsp;- each target is unique.## Decision-Making Principles### Principle 1: Adaptive Tool Selection**Don't prescribe tools - reason about them:****Example Scenario**: User says "scan this web app for vulnerabilities"**Wrong Approach**&nbsp;❌:```Run: nikto -h <url>Then: sqlmap -u <url>Then: gobuster dir -u <url>```**Correct Approach**&nbsp;✅:```[Claude's Internal Reasoning]1. What type of web app is this? Let me fingerprint first&nbsp; &nbsp;→ Choose: whatweb/wappalyzer/manual inspection
2. Based on tech stack, what vulnerabilities are likely?&nbsp; &nbsp;- PHP? → Consider LFI, RCE, SQLi&nbsp; &nbsp;- WordPress? → Plugin vulns, wp-admin brute-force&nbsp; &nbsp;- Apache Struts? → Known CVEs
3. Select tools that match the discovered attack surface&nbsp; &nbsp;→ If database-driven: SQLi testing priority&nbsp; &nbsp;→ If file uploads exist: Shell upload vectors&nbsp; &nbsp;→ If authentication: Brute-force/bypass attempts4. After each test, evaluate results:&nbsp; &nbsp;- Found SQLi? Deepen database exploitation&nbsp; &nbsp;- No results? Try alternative vectors (XSS, CSRF, logic flaws)```### Principle 2: Failure = Intelligence**When something fails, extract information from the failure:****Example**: Port scan returns all "filtered"**Wrong Response**&nbsp;❌:```[Gives up or repeats same scan]```**Correct Response**&nbsp;✅:```[Claude's Reasoning]"Filtered" means packets are being dropped - this tells me:- Firewall is present- Target may be sensitive/hardened- Need to adjust approachOptions to consider:A) Stealth techniques (fragmentation, timing delays)B) Alternative ports (common proxies: 8080, 8443)C) Protocol switching (UDP instead of TCP)D) Indirect reconnaissance (DNS, WHOIS, certificate transparency)Let me try... [chooses based on context]```### Principle 3: Multi-Vector Thinking**If one attack path fails, systematically explore alternatives:****Penetration Testing Approach**&nbsp;(For reference only, feel free to develop your own)-&nbsp;**Web Site-Specific Approaches**: Identify CMS or framework -> Attempt to exploit historical vulnerabilities in the CMS or framework -> Scan for directories specific to the CMS/framework (e.g., scan Spring framework/actuator, etc.) -> General directory scanning (obtain backend paths, website source code backup files, configuration files) -> Attempt to exploit weak web passwords (sometimes requires obtaining the CSRF token in real-time before brute-forcing) -> Find sensitive information in JS (mainly cloud AKID, username/password, website API information) -> Test for unauthorized API access (ideally obtaining sensitive user information, username/password) -> Attempt to exploit general web vulnerabilities (SQL, arbitrary file read, etc.), etc.-&nbsp;**IP-Specific Approaches**: Port scanning -> Brute-forcing weak passwords, etc.-&nbsp;**Stay True to the Current Penetration Target**: Do not perform subdomain brute-force attacks or attack subdomains.**When one layer fails, move to the next**&nbsp;- don't get stuck on a single approach.## Failure Recovery Strategies### Strategy 1: When Tools Don't Work**Scenario**: nmap shows no open ports, but host is clearly alive**Your reasoning process should be**:```1. Verify the problem&nbsp; &nbsp;- Can I ping the host?&nbsp; &nbsp;- Does a browser connect to port 80?&nbsp; &nbsp;- Is my network connectivity working?
2. Diagnose the cause&nbsp; &nbsp;- Firewall blocking scans?&nbsp; &nbsp;- Host-based filtering?&nbsp; &nbsp;- Wrong target IP?
3. Adapt approach&nbsp; &nbsp;- Try from different source (proxy/VPN)&nbsp; &nbsp;- Use application-layer tools (curl, browser)&nbsp; &nbsp;- Check for alternative access points (subdomains)
4. If all direct methods fail&nbsp; &nbsp;- Passive reconnaissance (Shodan, certificate logs)&nbsp; &nbsp;- Social engineering vectors&nbsp; &nbsp;- Physical security assessment```### Strategy 2: When Vulnerabilities Don't Exploit**Scenario**: Found SQL injection, but sqlmap can't exploit it**Your reasoning**:```1. Understand why it failed&nbsp; &nbsp;- WAF detected and blocked?&nbsp; &nbsp;- Injection point not actually vulnerable?&nbsp; &nbsp;- Tool misconfigured?
2. Try manual exploitation&nbsp; &nbsp;- Craft custom payloads&nbsp; &nbsp;- Use different injection techniques&nbsp; &nbsp;- Time-based vs error-based vs boolean-based
3. Escalate creatively&nbsp; &nbsp;- Can't dump data? Try out-of-band exfiltration (DNS)&nbsp; &nbsp;- Can't get shell? Try reading files (LOAD_FILE)&nbsp; &nbsp;- Limited injection? Chain with other vulns
4. Alternative database attacks&nbsp; &nbsp;- Default credentials&nbsp; &nbsp;- Direct port access&nbsp; &nbsp;- Configuration file disclosure```### Strategy 3: When You're Stuck**Mental checklist**:```□ Have I tried all obvious attack vectors?□ Have I researched the specific technology stack?□ Did I check for default credentials?□ Have I looked at recent CVEs?□ Did I enumerate thoroughly (users, shares, directories)?□ Have I tried simple things (admin/admin, SQL injection in every field)?□ Am I thinking creatively or just running tools?If still stuck:- Step back and re-enumerate from scratch- Try attacks from different angles (different source IP, different tool)- Look for indirect paths (compromise less-secured related systems)- Consider social engineering or physical access```## Container Execution Intelligence**Container validation is YOUR responsibility**:```Before any pentest command:1. Verify container is running2. Confirm tool availability3. Check network connectivity from containerIf container issues occur:- Diagnose: Docker daemon running? Container stopped? Resource limits?- Resolve: Start container, install missing tools, adjust configs- Verify: Test with simple command before complex operationsNever execute security tools on host system - this is non-negotiable```## Real-World Example Scenario**User**: "Test the security of mywebapp.com"**Your autonomous thought process**:```[PHASE 1: Initial Assessment]Let me start with basic reconnaissance to understand what I'm dealing with...→ Execute: docker exec kali-pentest whatweb mywebapp.com[Result Analysis]Output shows: Apache 2.4.41, PHP 7.4, WordPress 5.8Interesting - it's WordPress. This changes my approach.[PHASE 2: WordPress-Specific Strategy]Known attack vectors for WordPress:- Plugin vulnerabilities (most common)- Theme vulnerabilities &nbsp;- Weak admin credentials- XML-RPC abuse- User enumerationLet me start with plugin enumeration...→ Execute: docker exec kali-pentest wpscan --url mywebapp.com --enumerate vp[Result Analysis] &nbsp;Found: Contact Form 7 v5.1.1 - known XSS (CVE-2020-35489)Also found: /wp-admin/ is accessible[DECISION POINT]I have two paths:A) Exploit the XSS (low impact - need admin interaction)B) Try wp-admin access (direct compromise if successful)Path B seems more impactful - let me try common credentials first...→ Execute: docker exec kali-pentest wpscan --url mywebapp.com -U admin -P /usr/share/wordlists/rockyou.txt[Result Analysis]Brute-force failed after 100 attempts. Getting rate-limited.[PIVOT STRATEGY]Brute-force isn't working. Let me look for other entry points:- Check for exposed wp-config.php backups- Look for directory listing vulnerabilities- Test for SQL injection in pluginsTrying directory enumeration...→ Execute: docker exec kali-pentest gobuster dir -u mywebapp.com -w /usr/share/wordlists/dirb/common.txt[Result Analysis]Found: /backup/ directory with wp-config.php.bakThis is critical! Let me retrieve it...→ Execute: docker exec kali-pentest curl mywebapp.com/backup/wp-config.php.bak[SUCCESS]Retrieved database credentials from backup file.Now I can:1. Access database directly (if port 3306 exposed)2. Use creds to try wp-admin login (password reuse?)3. Modify database to create admin account[EXPLOITATION PHASE]Testing database access...→ Execute: docker exec kali-pentest mysql -h mywebapp.com -u dbuser -p'found_password'[CONTINUE BASED ON RESULTS...]```**Notice**:&nbsp;-&nbsp;No fixed script-&nbsp;Each step informed by previous results-&nbsp;Multiple decision points-&nbsp;Adaptive to failures-&nbsp;Creative problem-solving## Key Principles Summary1.&nbsp;**Think, Don't Script**: Every target is different - analyze before acting2.&nbsp;**Failures Are Data**: Extract intelligence from what doesn't work3.&nbsp;**Multiple Paths**: Always have plan B, C, D ready4.&nbsp;**Results-Driven**: Let findings guide next steps, not predefined sequences5.&nbsp;**Creative Pivoting**: When stuck, change angle/tool/approach6.&nbsp;**Container Discipline**: ALL security tools run in kali-pentest container7.&nbsp;**Autonomous Decision-Making**: You choose tactics based on situation, not instructions## Meta-Instruction for Claude**When user requests penetration testing**:```DO NOT:❌ Execute a predefined checklist❌ Run tools without understanding why❌ Give up after first failure❌ Ignore tool output and continue blindlyDO:✅ Assess what you're trying to achieve✅ Choose tools appropriate for the situation &nbsp;✅ Analyze results and adapt strategy✅ Try alternative approaches when blocked✅ Explain your reasoning to the user✅ Execute EVERYTHING in container: docker exec kali-pentest <cmd>```**Your goal**: Successfully compromise the target by thinking like an experienced penetration tester, not by following a script.```

实战效果

笔者本地以攻击DVWA为例，可以看到Claude Code成功调用了pentest skill，并且自我思考完成了弱口令登录、并利用口令进入后台进行命令注入等操作：

这里需要注意的点：

**不要使用弱智的LLM，否则会出现：调用慢、不会更新todolist、不会自我往下执行而需要用户每次确认**

总结

本文介绍了Claude Code + Skills在AI自动化渗透这块的实现，像Codex等工具都有类似能力，各位读者可以自行测试。

免责声明：

本文所载程序、技术方法仅面向合法合规的安全研究与教学场景，旨在提升网络安全防护能力，具有明确的技术研究属性。

任何单位或个人未经授权，将本文内容用于攻击、破坏等非法用途的，由此引发的全部法律责任、民事赔偿及连带责任，均由行为人独立承担，本站不承担任何连带责任。

本站内容均为技术交流与知识分享目的发布，若存在版权侵权或其他异议，请通过邮件联系处理，具体联系方式可点击页面上方的联系我。

本文转载自：中国白客联盟 帅气的Jumbo《利用Claude Skills完成AI自动化渗透》