# Penetration Testing
Status: Active — 9 plays, 23 skills
Standards: PTES, NIST SP 800-115, OWASP, MITRE ATT&CK, OSCP
Source: plays/penetration.py + plays/PT-*.py
The penetration testing domain covers the full engagement lifecycle from initial reconnaissance through post-exploitation and reporting. Each play is a self-contained operational unit with its own tool set, halt criteria, and routing signals.
## PT-Recon

Reconnaissance and target scoping — the first phase of any engagement.

| Skill | Description | Key Tools |
|---|---|---|
| entity_identification | Identify specific device/host/entity within network from collected data | nmap, arp, ip, nbtscan |
| reconnaissance | Network/system reconnaissance and discovery | nmap, avahi-browse, nbtscan |
| port_scanning | Port and service identification | nmap, masscan |
| service_enumeration | Enumerate and fingerprint services — including MySQL, SNMP, SMTP, NFS | nmap, netcat, banner grabbing |
## PT-Vulnerability

Vulnerability identification and assessment.

| Skill | Description | Key Tools |
|---|---|---|
| vulnerability_assessment | Check for known vulnerabilities and misconfigurations | nmap, searchsploit, openvas, grep |
| vulnerability_scanning | Active scanning for known vulnerabilities using automated tools | nikto, nuclei, nmap |
## PT-Web

Web application attack surface — enumeration through exploitation.

| Skill | Description | Key Tools |
|---|---|---|
| web_enumeration | Directory/file discovery, technology fingerprinting, surface mapping | whatweb, gobuster, ffuf, feroxbuster, curl |
| web_vulnerability_scanning | Automated web vulnerability scanning | nikto, nuclei, wapiti |
| web_authentication | Login bruteforce, session tokens, JWT, OAuth testing | hydra, curl, python3 |
| web_exploitation | SQLi, XSS, IDOR, SSRF, command injection exploitation | sqlmap, curl, python3 |
## PT-Exploitation

Initial access via remote service vulnerabilities.

| Skill | Description | Key Tools |
|---|---|---|
| network_exploitation | Exploit remote service vulnerabilities to gain initial shell access | msfconsole, searchsploit, netcat, msfvenom, hydra |
| system_exploitation | Local privilege escalation to root/SYSTEM via kernel, SUID, sudo, or service exploits | msfconsole, searchsploit, python3 |
## PT-PostExploit

Post-access enumeration, credential harvesting, and lateral preparation.

| Skill | Description | Key Tools |
|---|---|---|
| post_exploitation | Local enumeration, situational awareness, credential harvesting, offline hash cracking | bash, python3, find, john, hashcat |
| lateral_movement | Pivot to additional hosts using harvested credentials or trust relationships | ssh, sshpass, crackmapexec |
| persistence | Establish access that survives reboots or session termination | bash, cron, systemctl |
| exfiltration | Collect and transfer sensitive data out of the target environment | python3, curl, scp, netcat |
## PT-Pivoting

Network traversal to reach internal segments.

| Skill | Description | Key Tools |
|---|---|---|
| ssh_tunneling | SSH local (-L) and remote (-R) port forwarding | ssh, sshpass |
| socks_proxy | SOCKS5 proxy via SSH -D or sshuttle for full-subnet pivoting | ssh, sshuttle, proxychains |
| chisel_pivot | HTTP-tunneled reverse SOCKS — agent on victim, server on attacker | chisel |
| ligolo_pivot | TUN-interface pivot — transparent routing without proxychains | ligolo-ng |
| socat_relay | Dumb TCP relay for simple port redirection | socat, netcat |
| ssh_proxyjump | Multi-hop SSH via ProxyJump (-J) / ProxyCommand | ssh |
## PT-Privesc

Local privilege escalation to root or SYSTEM.

| Skill | Description | Key Tools |
|---|---|---|
| linux_privesc | Linux escalation via sudo, SUID, cron, capabilities, kernel, and misconfigs | bash, find, sudo, getcap, linpeas, gcc |
| windows_privesc | Windows escalation via token impersonation, service misconfigs, and registry abuse | python3, msfconsole |
## PT-ActiveDirectory

Active Directory enumeration, credential attacks, and lateral movement.

| Skill | Description | Key Tools |
|---|---|---|
| ad_enumeration | Enumerate domain structure, users, groups, shares, and password policy | enum4linux, crackmapexec, ldapsearch, rpcclient |
| ad_credential_attack | Kerberoasting, AS-REP roasting, password spray, NTLM relay | impacket, crackmapexec, hashcat, john |
| ad_lateral_movement | Move laterally using credentials, hashes, or Kerberos tickets | crackmapexec, impacket, evil-winrm |
## PT-ThreatEmulation

Adversary TTP simulation for detection validation — authorized engagements only.

| Skill | Description | Key Tools |
|---|---|---|
| threat_emulation | Adversary TTP simulation and detection validation | bash, python3, metasploit, atomic-red-team, caldera |
Note
PT-ThreatEmulation has no eval objectives yet. The play pack exists and routes correctly but is not included in baseline eval runs.
## Eval Coverage

All plays except PT-ThreatEmulation have eval objectives in archer/pentest/eval/objectives.py. The eval harness runs each objective 3× per session and reports pass/fail. Current baseline: 100% on Tier 1 objectives (PT-Recon); Tier 2 objectives (exploitation, AD, privesc) are the active fine-tuning target.