Skip to main content
Glama

DollhouseMCP

by DollhouseMCP
npmGitHub
TypeScript
359
8
  • Apple
  • Linux
OverviewInspectNewEndpointsSchemaRelated ServersReviewsScore
Need Help?View Source CodeReport Issue
penetration-testing.mdā€¢10.4 kB
--- name: "Penetration Testing" description: "Systematic security testing methodology for identifying vulnerabilities through ethical hacking" type: "skill" version: "1.0.0" author: "DollhouseMCP" created: "2025-07-23" category: "security" tags: ["penetration-testing", "ethical-hacking", "vulnerability-assessment", "security", "testing"] proficiency_levels: beginner: "Basic vulnerability scanning and tool usage" intermediate: "Manual testing techniques and exploit development" advanced: "Advanced persistent threats and custom payload creation" parameters: test_scope: type: "array" description: "Areas to test" default: ["web_application", "network", "wireless", "social_engineering"] methodology: type: "string" description: "Testing methodology to follow" default: "OWASP" enum: ["OWASP", "NIST", "PTES", "OSsTMM", "OWASP-WSTG"] test_depth: type: "string" description: "Depth of testing" default: "comprehensive" enum: ["surface", "standard", "comprehensive", "red_team"] stealth_level: type: "string" description: "How stealthy to be" default: "normal" enum: ["aggressive", "normal", "stealth", "passive"] _dollhouseMCPTest: true _testMetadata: suite: "bundled-test-data" purpose: "General test data for DollhouseMCP system validation" created: "2025-08-20" version: "1.0.0" migrated: "2025-08-20T23:47:24.347Z" originalPath: "data/skills/penetration-testing.md" --- # Penetration Testing Skill This skill provides systematic penetration testing capabilities using industry-standard methodologies to identify security vulnerabilities through controlled, ethical attacks. ## Core Capabilities ### 1. Reconnaissance & Information Gathering - **Passive Reconnaissance**: OSINT, DNS enumeration, search engine discovery - **Active Reconnaissance**: Port scanning, service enumeration, banner grabbing - **Social Engineering**: Phishing simulations, pretexting, physical security - **Network Mapping**: Topology discovery, trust relationships, attack paths ### 2. Vulnerability Assessment - **Automated Scanning**: Nessus, OpenVAS, Qualys integration - **Manual Testing**: Custom payloads, logic flaws, business logic bypasses - **Configuration Review**: Hardening standards, security baselines - **Compliance Validation**: PCI-DSS, SOX, HIPAA requirements ### 3. Exploitation Techniques - **Web Application**: OWASP Top 10, injection attacks, broken authentication - **Network Services**: Buffer overflows, privilege escalation, lateral movement - **Wireless Security**: WPA/WEP cracking, rogue access points, evil twins - **Cloud Security**: Misconfigurations, IAM weaknesses, container escapes ### 4. Post-Exploitation Activities - **Persistence**: Backdoors, scheduled tasks, registry modifications - **Privilege Escalation**: Local/domain admin compromise - **Data Exfiltration**: Sensitive data identification and extraction simulation - **Lateral Movement**: Pivot techniques, credential harvesting ## Testing Methodologies ### OWASP Web Security Testing Guide (WSTG) ``` Phase 1: Information Gathering ā”œā”€ā”€ Conduct Search Engine Discovery (WSTG-INFO-01) ā”œā”€ā”€ Fingerprint Web Server (WSTG-INFO-02) ā”œā”€ā”€ Review Webserver Metafiles (WSTG-INFO-03) ā””ā”€ā”€ Enumerate Applications (WSTG-INFO-04) Phase 2: Configuration and Deployment ā”œā”€ā”€ Test Network Infrastructure (WSTG-CONF-01) ā”œā”€ā”€ Test Application Platform (WSTG-CONF-02) ā”œā”€ā”€ Test File Extensions Handling (WSTG-CONF-03) ā””ā”€ā”€ Review Old Backup Files (WSTG-CONF-04) Phase 3: Identity Management Testing ā”œā”€ā”€ Test Role Definitions (WSTG-IDNT-01) ā”œā”€ā”€ Test User Registration Process (WSTG-IDNT-02) ā”œā”€ā”€ Test Account Provisioning (WSTG-IDNT-03) ā””ā”€ā”€ Test Account Enumeration (WSTG-IDNT-05) ``` ### PTES (Penetration Testing Execution Standard) ``` 1. Pre-engagement Interactions - Scope definition - Rules of engagement - Legal considerations 2. Intelligence Gathering - Active/passive reconnaissance - Corporate information gathering - Individual information gathering 3. Threat Modeling - Business asset analysis - Threat agent identification - Attack vector analysis 4. Vulnerability Analysis - Vulnerability research - Vulnerability validation - Attack planning 5. Exploitation - Precision attacks - Customized attacks - Persistence mechanisms 6. Post Exploitation - Infrastructure analysis - Pillaging - Network traversal - Cleanup 7. Reporting - Executive summary - Technical findings - Risk ratings - Remediation roadmap ``` ## Testing Phases ### Phase 1: Planning & Reconnaissance ``` Objectives: ā€¢ Define scope and rules of engagement ā€¢ Gather public information about target ā€¢ Identify potential attack vectors ā€¢ Map external network presence Tools & Techniques: ā€¢ Nmap for network discovery ā€¢ Recon-ng for OSINT gathering ā€¢ theHarvester for email enumeration ā€¢ Shodan for exposed services ā€¢ Social media reconnaissance Deliverables: ā€¢ Test plan and scope document ā€¢ Network topology diagram ā€¢ External attack surface map ā€¢ OSINT intelligence report ``` ### Phase 2: Scanning & Enumeration ``` Objectives: ā€¢ Identify live systems and services ā€¢ Enumerate software versions ā€¢ Discover potential vulnerabilities ā€¢ Map trust relationships Tools & Techniques: ā€¢ Nessus/OpenVAS vulnerability scanning ā€¢ Nikto web server scanning ā€¢ Enum4linux SMB enumeration ā€¢ SNMP walking and enumeration ā€¢ DNS zone transfers Deliverables: ā€¢ Vulnerability assessment report ā€¢ Service enumeration results ā€¢ Potential attack vectors list ā€¢ Risk prioritization matrix ``` ### Phase 3: Exploitation ``` Objectives: ā€¢ Validate identified vulnerabilities ā€¢ Gain initial system access ā€¢ Demonstrate business impact ā€¢ Test defense mechanisms Tools & Techniques: ā€¢ Metasploit exploitation framework ā€¢ Custom exploit development ā€¢ Password attacks (Hydra, Hashcat) ā€¢ Social engineering toolkit ā€¢ Physical security testing Deliverables: ā€¢ Proof-of-concept exploits ā€¢ Screenshots of compromised systems ā€¢ Extracted sensitive data samples ā€¢ Attack timeline documentation ``` ### Phase 4: Post-Exploitation ``` Objectives: ā€¢ Maintain persistent access ā€¢ Escalate privileges ā€¢ Move laterally through network ā€¢ Assess data exposure risk Tools & Techniques: ā€¢ Privilege escalation exploits ā€¢ Credential dumping (Mimikatz) ā€¢ Network pivoting (ProxyChains) ā€¢ PowerShell Empire/Cobalt Strike ā€¢ Data mining and classification Deliverables: ā€¢ Network compromise diagram ā€¢ Sensitive data inventory ā€¢ Privilege escalation paths ā€¢ Persistence mechanism documentation ``` ## Specialized Testing Areas ### Web Application Testing ``` Authentication Testing: ā–” Username enumeration ā–” Brute force protection ā–” Session management ā–” Password policy enforcement ā–” Multi-factor authentication bypass Authorization Testing: ā–” Path traversal attacks ā–” Privilege escalation ā–” Insecure direct object references ā–” Missing function level access control Input Validation Testing: ā–” SQL injection (all types) ā–” Cross-site scripting (XSS) ā–” Command injection ā–” LDAP injection ā–” XML/XXE attacks Session Management: ā–” Session token analysis ā–” Session fixation ā–” Cross-site request forgery ā–” Session timeout validation ``` ### Network Infrastructure Testing ``` Network Reconnaissance: ā€¢ Port scanning and service enumeration ā€¢ SNMP community string testing ā€¢ Network protocol analysis ā€¢ Wireless network assessment Service Testing: ā€¢ SSH/Telnet brute forcing ā€¢ SMB share enumeration ā€¢ FTP anonymous access ā€¢ Database service testing Network Segmentation: ā€¢ VLAN hopping attempts ā€¢ Firewall rule validation ā€¢ Network access control bypass ā€¢ DMZ security assessment ``` ### Wireless Security Testing ``` Wireless Reconnaissance: ā€¢ Access point discovery ā€¢ Encryption type identification ā€¢ Client device enumeration ā€¢ Hidden SSID detection Attack Techniques: ā€¢ WEP key cracking ā€¢ WPA/WPA2 dictionary attacks ā€¢ WPS PIN attacks ā€¢ Evil twin access points ā€¢ Wireless packet injection Assessment Areas: ā€¢ Guest network isolation ā€¢ Enterprise authentication ā€¢ Rogue access point detection ā€¢ Wireless intrusion prevention ``` ## Report Generation ### Executive Summary Template ``` EXECUTIVE SUMMARY Overall Risk Rating: [HIGH/MEDIUM/LOW] Critical Findings: X High Risk Findings: Y Medium Risk Findings: Z BUSINESS IMPACT: ā€¢ Potential for complete network compromise ā€¢ Risk of sensitive data exposure ā€¢ Compliance violation concerns ā€¢ Estimated remediation cost: $X TOP 3 RECOMMENDATIONS: 1. [Most critical remediation] 2. [Second priority fix] 3. [Third priority improvement] TIMELINE FOR REMEDIATION: ā€¢ Critical issues: 7 days ā€¢ High risk issues: 30 days ā€¢ Medium risk issues: 90 days ``` ### Technical Finding Format ``` FINDING: [Vulnerability Name] SEVERITY: [Critical/High/Medium/Low] CVSS Score: X.X CWE ID: CWE-XXX DESCRIPTION: [Technical description of the vulnerability] IMPACT: [What an attacker could accomplish] PROOF OF CONCEPT: [Steps to reproduce or exploit code] AFFECTED SYSTEMS: ā€¢ System 1 (IP: x.x.x.x) ā€¢ System 2 (IP: x.x.x.x) REMEDIATION: [Specific steps to fix the issue] REFERENCES: ā€¢ CVE-XXXX-XXXX ā€¢ https://example.com/advisory ``` ## Integration Notes Works exceptionally well with: - **Security Analyst Persona**: Strategic security guidance - **Code Review Skill**: Static analysis correlation - **Vulnerability Assessment templates**: Structured reporting - **Risk Assessment templates**: Business impact analysis - **Incident Response procedures**: Breach simulation ## Compliance Considerations Testing approach adapts to: - **PCI-DSS**: Payment card industry requirements - **HIPAA**: Healthcare data protection standards - **SOX**: Financial reporting security controls - **GDPR**: Data protection impact assessments - **ISO 27001**: Information security management ## Ethical Guidelines All testing follows strict ethical boundaries: - Written authorization required before testing - Scope strictly limited to agreed boundaries - No unnecessary system damage or disruption - Confidential handling of discovered vulnerabilities - Responsible disclosure of findings

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/DollhouseMCP/DollhouseMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server