nunenuh/pentest-kit

GitHub: nunenuh/pentest-kit

A penetration-testing tool-orchestration framework for Claude Code that integrates DAST, SAST and SCA security testing inside a hardened Docker container.

Stars: 0 | Forks: 0

# pentest-kit

[![Release](https://img.shields.io/github/v/release/nunenuh/pentest-kit?label=version)](https://github.com/nunenuh/pentest-kit/releases) [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE) [![Docker](https://img.shields.io/badge/docker-ghcr.io-blue?logo=docker)](https://ghcr.io/nunenuh/pentest-kit) [![Release workflow](https://img.shields.io/github/actions/workflow/status/nunenuh/pentest-kit/release.yml?label=release)](https://github.com/nunenuh/pentest-kit/actions/workflows/release.yml)

A tool-orchestration penetration testing framework built for [Claude Code](https://docs.anthropic.com/en/docs/claude-code). Executors do not launch attacks themselves: they run free external tools, parse the output, and chain the results together.

## Installation

```
curl -sSL https://get.nunenuh.me/pentest-kit | bash
```

Or clone manually:

```
git clone https://github.com/nunenuh/pentest-kit.git
cd pentest-kit
./install.sh
```

## How it works

| | Direct pentesting | pentest-kit |
|---|---|---|
| Executor action | Crafts payloads, sends requests | Runs nmap/nuclei/sqlmap via Bash |
| XSS testing | Injects `` | Runs `dalfox url "..." --format json` |
| SQL injection | Sends `' OR '1'='1` | Runs `sqlmap -u "..." --batch` |
| Port scanning | curl/netcat | Runs `nmap -sV --top-ports 1000` |
| Source code analysis | — | Runs `semgrep --config auto` |
| Dependency scanning | — | Runs `trivy fs` |
| Manual testing | Playwright clicks through the app | User works in Caido, exports → tools process the export |

## Tool stack (100% free)

| Category | Tools |
|----------|-------|
| Recon | subfinder, dnsx, httpx, nmap |
| Discovery | ffuf |
| Scanning | nuclei, OWASP ZAP |
| Injection | sqlmap, dalfox |
| Auth | jwt_tool |
| SAST | semgrep (multi-language), bandit (Python) |
| SCA | trivy (dependencies, containers, IaC), grype |
| SSL/TLS | testssl.sh |
| Manual proxy | Caido (on host) |
| Scripted proxy | mitmproxy |
| Wordlists | SecLists (6000+ files) |
| Reporting | pandoc (DOCX/PDF) |

## Quick start

### Option 1: Docker (recommended)

All 23 tools come pre-installed in a hardened Kali container.

```
git clone https://github.com/nunenuh/pentest-kit.git
cd pentest-kit

# Pull the pre-built image from GHCR (fastest)
docker compose pull

# Or build locally
docker compose build

# Run with your source code mounted (for SAST/SCA)
TARGET_PATH=/path/to/your/app docker compose up -d

# Enter the container
docker compose exec pentest-kit bash

# Inside the container — all tools ready
bash tools/preflight.sh
semgrep --config auto /pentest-kit/target/   # SAST
trivy fs /pentest-kit/target/                # SCA
nuclei -u https://target.com                 # DAST
```

### Option 2: Local install

```
git clone https://github.com/nunenuh/pentest-kit.git
cd pentest-kit

# Install tools
bash tools/kali/install.sh --all

# Install the skill globally
./install.sh --no-docker

# Verify
bash tools/preflight.sh
```

### Option 3: Skill only (no tools)

```
curl -sSL https://get.nunenuh.me/pentest-kit | PENTEST_KIT_NO_DOCKER=1 bash
```

Installs only the Claude Code skill and agents. Bring your own tools.

### Option 4: Docker only (no clone)

```
docker pull ghcr.io/nunenuh/pentest-kit:latest
docker run -it --rm \
  --network host \
  -v /path/to/source:/pentest-kit/target:ro \
  -v /path/to/outputs:/pentest-kit/outputs \
  ghcr.io/nunenuh/pentest-kit:latest
```

## Docker architecture

```
Your Laptop (HOST)
├── pentest-kit/
│   ├── target/  ──────────────┐  mounted read-only
│   ├── outputs/ ──────────────┤  mounted writable
│   └── docker-compose.yml     │
│                              │
│   Caido (on host)            │  ← manual proxy
│                              │
└──────────────────────────────┘
                               │
Docker Container ──────────────┘
├── root (inside container only)
├── nmap, nuclei, sqlmap, ffuf, ZAP   ← DAST
├── semgrep, bandit                   ← SAST
├── trivy, grype                      ← SCA
├── mitmproxy, testssl.sh             ← proxy + SSL
├── /pentest-kit/target (read-only)   ← your code
└── /pentest-kit/outputs (writable)   ← findings

Host isolation:
✅ Can't modify your source code (read-only mount)
✅ Can't escalate to host root (no-new-privileges)
✅ Isolated process/memory namespaces
⚠️ Shares host network (required for scanning)
```

## Test coverage

```
Black-Box (no source):    DAST only          → nuclei, ZAP, sqlmap, dalfox, ffuf, nmap
Gray-Box (some access):   DAST + SCA         → add trivy (deps), semgrep (if source shared)
White-Box (full source):  DAST + SAST + SCA  → semgrep, bandit, trivy, grype, testssl.sh
Container Assessment:     trivy image, grype + nmap, nuclei
CI/CD Integration:        semgrep ci, trivy fs, nuclei, testssl.sh
```

## Pipelines

9 predefined tool chains:

| Pipeline | Tools | Trigger |
|----------|-------|---------|
| recon | subfinder → httpx → nmap → ffuf → nuclei | Every engagement |
| webapp-scan | ZAP + nuclei + dalfox | Web application found |
| injection | ffuf + sqlmap | Parameters found |
| auth | jwt_tool + ffuf + Playwright | Authentication endpoints |
| caido-loop | Caido export → nuclei + sqlmap | Manual testing |
| cve | nuclei + nmap --script vuln | Technology version identified |
| sast | semgrep + bandit | Source code available |
| sca | trivy + grype | Dependencies/containers |
| ssl | testssl.sh | HTTPS endpoints |

## Workflow

```
Phase 1: Init       → Gather scope, start container, run preflight
Phase 2: Recon      → subfinder → httpx → nmap → ffuf → nuclei
Phase 3: Planning   → Analyze recon, select pipelines, get USER APPROVAL
Phase 4: Testing    → Deploy tool-based executors in parallel
Phase 5: Aggregate  → Merge tool outputs, deduplicate, score (CVSS)
Phase 6: Report     → Generate .docx via pandoc
```

## Manual + automated

pentest-kit connects manual testing (Caido on the host) with the automated tools (inside the container):

```
Browse in Caido (host) → Export HAR → Container parses → Runs nuclei/sqlmap → Results → Verify in Caido
```

## Structure

```
pentest-kit/
├── .claude/
│   ├── agents/
│   │   ├── orchestrator.md   # Coordinates tool-based executors
│   │   └── executor.md       # Runs tools, parses output, chains results
│   └── skills/
│       └── pentest-kit/
│           ├── SKILL.md      # Skill definition
│           ├── attacks/      # 151 attack docs (9 categories)
│           └── reference/    # 5 reference docs
├── tools/
│   ├── REGISTRY.md           # Tool catalog
│   ├── PIPELINES.md          # 9 tool chains
│   ├── preflight.sh          # Tool checker
│   ├── kali/install.sh       # CLI tool installer
│   ├── playwright/install.sh # Browser installer
│   ├── wrappers/             # 6 Python output normalizers
│   └── addons/               # 3 mitmproxy scripts
├── Dockerfile                # Kali-based container
├── docker-compose.yml        # Hardened config
├── install.sh                # Local installer
├── install-remote.sh         # Remote installer (curl | bash)
└── uninstall.sh              # Clean removal
```

## Uninstall

```
# If installed via clone
./uninstall.sh

# If installed via curl
rm -rf ~/.claude/skills/pentest-kit
rm -f ~/.claude/agents/orchestrator.md ~/.claude/agents/executor.md
```

## Credits

Adapted from the [transilienceai/communitytools](https://github.com/transilienceai/communitytools) pentest framework and rebuilt for a custom purpose: external tool orchestration with free tools inside a hardened Docker container, covering DAST+SAST+SCA.
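The Structure section lists six Python output normalizers under `tools/wrappers/`, and Phase 5 of the workflow merges, de-duplicates and scores tool output. The following is an added example in that spirit, not pentest-kit's own code: it folds nuclei JSONL and trivy JSON into one finding schema, drops duplicates and orders by severity. The nuclei field names (`template-id`, `info.severity`, `matched-at`) and trivy layout (`Results[].Vulnerabilities[]`) are assumptions drawn from those tools' JSON output formats, and all sample records are constructed.

```python
# Added example, not pentest-kit's own code. nuclei/trivy JSON field names are assumed
# from those tools' JSON output formats; the sample records at the bottom are constructed.
import json

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

def normalize_nuclei(jsonl: str) -> list[dict]:
    """One finding per non-empty line of nuclei JSONL output."""
    findings = []
    for line in filter(str.strip, jsonl.splitlines()):
        rec = json.loads(line)
        info = rec.get("info", {})
        findings.append({
            "source": "nuclei",
            "id": rec["template-id"],
            "severity": info.get("severity", "info").lower(),
            "location": rec.get("matched-at") or rec.get("host", ""),
        })
    return findings

def normalize_trivy(report: str) -> list[dict]:
    """One finding per vulnerability in trivy JSON output."""
    findings = []
    for result in json.loads(report).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key may be absent or null
            findings.append({
                "source": "trivy",
                "id": vuln["VulnerabilityID"],
                "severity": vuln.get("Severity", "unknown").lower(),
                "location": result.get("Target", ""),
            })
    return findings

def aggregate(*batches: list[dict]) -> list[dict]:
    """Merge batches, drop duplicates (same id + location), highest severity first."""
    seen, merged = set(), []
    for finding in (f for batch in batches for f in batch):
        key = (finding["id"], finding["location"])
        if key not in seen:
            seen.add(key)
            merged.append(finding)
    return sorted(merged, key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))

# Constructed sample outputs; the third nuclei record is a deliberate duplicate.
NUCLEI_SAMPLE = "\n".join(json.dumps(r) for r in [
    {"template-id": "tech-detect", "info": {"severity": "info"}, "matched-at": "https://target.example/"},
    {"template-id": "exposed-env", "info": {"severity": "high"}, "matched-at": "https://target.example/.env"},
    {"template-id": "exposed-env", "info": {"severity": "high"}, "matched-at": "https://target.example/.env"},
])
TRIVY_SAMPLE = json.dumps({"Results": [{"Target": "requirements.txt", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "example-lib", "Severity": "CRITICAL"}]}]})
```

`aggregate(normalize_nuclei(NUCLEI_SAMPLE), normalize_trivy(TRIVY_SAMPLE))` yields three findings with the trivy critical first and the duplicate nuclei hit removed.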