pentest-network-internal
Internal network penetration testing, Active Directory enumeration, and lateral movement simulation.
Packaged view
This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.
Install command
npx @skill-hub/cli install jd-opensource-joysafeter-pentest-network-internal
Repository
Skill path: skills/pentest-network-internal
Internal network penetration testing, Active Directory enumeration, and lateral movement simulation.
Open repository
Best for
Primary workflow: Ship Full Stack.
Technical facets: Full Stack, Testing.
Target audience: everyone.
License: Unknown.
Original source
Catalog source: SkillHub Club.
Repository owner: jd-opensource.
This is still a mirrored public skill entry. Review the repository before installing into production workflows.
What it helps with
- Install pentest-network-internal into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
- Review https://github.com/jd-opensource/JoySafeter before adding pentest-network-internal to shared team environments
- Use pentest-network-internal for development workflows
Works across
Favorites: 0.
Sub-skills: 0.
Aggregator: No.
Original source / Raw SKILL.md
---
name: pentest-network-internal
description: Internal network penetration testing, Active Directory enumeration, and lateral movement simulation.
---
# Pentest Network Internal
## Purpose
Simulate an internal attacker to identify weak credentials, misconfigured services, and Active Directory paths to high-value assets.
## Core Workflow
1. **Network Discovery**: Map the internal network, live hosts, and open ports using `nmap` and `masscan`.
2. **Service Enumeration**: Identify running services, versions, and potential entry points (SMB, RDP, SSH, etc.).
3. **Vulnerability Scanning**: Check for known service vulnerabilities (e.g., EternalBlue, ZeroLogon) using `nuclei` and `nmap-scripts`.
4. **Credential Auditing**: Test weak passwords and default credentials using `hydra` and `netexec` (CrackMapExec).
5. **Active Directory Enum**: Map AD trust relationships, users, and groups using `bloodhound` and `ldapdomaindump`.
6. **Lateral Movement**: Simulate movement between hosts using valid credentials or exploits.
## References
- `references/tools.md`
- `references/workflows.md`
---
## Referenced Files
> The following files are referenced in this skill and included for context.
### references/tools.md
```markdown
# Tools
<!-- From network-recon -->
# Network Recon Tools (Pentest MCP)
## Common response fields
- success: boolean
- stdout, stderr: command output
- recovery_info: recovery actions applied (when present)
- alternative_tool_suggested: fallback hint (when present)
- human_escalation: manual intervention required (when present)
## Core scanning
- nmap_scan(target, scan_type="-sV", ports="", additional_args=""): baseline service detection; set ports for targeted scans.
- nmap_advanced_scan(target, scan_type="-sS", ports="", timing="T4", nse_scripts="", os_detection=False, version_detection=False, aggressive=False, stealth=False, additional_args=""): deeper NSE/OS fingerprinting; set nse_scripts or aggressive=True for broad coverage.
- rustscan_fast_scan(target, ports="", ulimit=5000, batch_size=4500, timeout=1500, scripts=False, additional_args=""): fast port discovery; set scripts=True to trigger nmap scripts after detection.
- masscan_high_speed(target, ports="1-65535", rate=1000, interface="", router_mac="", source_ip="", banners=False, additional_args=""): large-range sweeps; confirm results with nmap.
- autorecon_comprehensive(target, output_dir="/tmp/autorecon", port_scans="top-100-ports", service_scans="default", heartbeat=60, timeout=300, additional_args=""): automated recon; adjust port_scans to "top-1000-ports" for deeper coverage.
- autorecon_scan(...): low-level wrapper with granular options; use when needing custom tags or reports.
## Host and network enumeration
- arp_scan_discovery(target="", interface="", local_network=False, timeout=500, retry=3, additional_args=""): layer-2 discovery; set local_network=True for local subnet sweep.
- nbtscan_netbios(target, verbose=False, timeout=2, additional_args=""): NetBIOS name enumeration.
- rpcclient_enumeration(target, username="", password="", domain="", commands="enumdomusers;enumdomgroups;querydominfo", additional_args=""): RPC enumeration; set commands as needed.
- enum4linux_scan(target, additional_args="-a"): SMB enumeration; quick baseline.
- enum4linux_ng_advanced(target, username="", password="", domain="", shares=True, users=True, groups=True, policy=True, additional_args=""): deeper SMB enumeration.
- smbmap_scan(target, username="", password="", domain="", additional_args=""): SMB share enumeration and access checks.
- netexec_scan(target, protocol="smb", username="", password="", hash_value="", module="", additional_args=""): SMB auth and module-based enumeration.
- responder_credential_harvest(interface="eth0", analyze=False, wpad=True, force_wpad_auth=False, fingerprint=False, duration=300, additional_args=""): credential capture in authorized environments.
## DNS and subdomain recon
- amass_scan(domain, mode="enum", additional_args=""): active/passive subdomain discovery.
- subfinder_scan(domain, silent=True, all_sources=False, additional_args=""): passive subdomain discovery.
- fierce_scan(domain, dns_server="", additional_args=""): DNS reconnaissance.
- dnsenum_scan(domain, dns_server="", wordlist="", additional_args=""): DNS enumeration with optional wordlist.
## Exploitation helper
- metasploit_run(module, options={}): run Metasploit modules in authorized environments.
## HTTP probing for discovered hosts
- httpx_probe(targets="", target_file="", ports="", methods="GET", status_code="", content_length=False, output_file="", additional_args=""): batch/file probe; use additional_args for tech detection and output tuning.
## AI orchestration
- ai_reconnaissance_workflow(target, depth="standard"): AI-driven recon sequencing.
- intelligent_smart_scan(target, objective="comprehensive", max_tools=5): AI tool selection with budgeted depth.
## Platform operations and recovery
- server_health(): health check for MCP server.
- get_cache_stats(): cache metrics for command/results reuse.
- clear_cache(): clear cached results.
- get_telemetry(): global telemetry snapshot.
- list_active_processes(): list running tool processes.
- get_process_status(pid): inspect tool process details.
- terminate_process(pid): stop a running process.
- pause_process(pid): pause a running process.
- resume_process(pid): resume a paused process.
- get_process_dashboard(): process dashboard output.
- get_live_dashboard(): live system dashboard output.
- display_system_metrics(): CPU/memory/runtime metrics.
- format_tool_output_visual(tool_name, output, success=True): normalize tool output for reporting.
- error_handling_statistics(): error recovery stats.
- test_error_recovery(tool_name, error_type="timeout", target="example.com"): validate recovery behavior.
## Workspace and Python utilities
- create_file(filename, content, binary=False): create files on the server.
- modify_file(filename, content, append=False): edit or append to files.
- delete_file(filename): delete files on the server.
- list_files(directory="."): list server-side files.
- install_python_package(package, env_name="default"): install dependencies in a venv.
- execute_python_script(script, env_name="default", filename=""): run ad-hoc scripts.
## Fallback execution
- execute_command(command, use_cache=True): run tools not exposed as MCP endpoints when installed on the Pentest host.
<!-- From pentest-auth-password -->
# Auth and Password Tools (Pentest MCP)
## Common response fields
- success: boolean
- stdout, stderr: command output
- recovery_info: recovery actions applied (when present)
- human_escalation: manual intervention required (when present)
## Online authentication testing
- hydra_attack(target, service, username="", username_file="", password="", password_file="", additional_args=""): online brute force; tune concurrency in additional_args to respect lockouts.
- netexec_scan(target, protocol="smb", username="", password="", hash_value="", module="", additional_args=""): validate credentials and enumerate access for SMB and related protocols.
## Offline password cracking
- john_crack(hash_file, wordlist="/usr/share/wordlists/rockyou.txt", format_type="", additional_args=""): hash cracking with rules and formats.
- hashcat_crack(hash_file, hash_type, attack_mode="0", wordlist="/usr/share/wordlists/rockyou.txt", mask="", additional_args=""): GPU-accelerated cracking; use mask for targeted attacks.
## Token and crypto analysis
- jwt_analyzer(jwt_token, target_url=""): JWT structure and algorithm checks.
- hashpump_attack(signature, data, key_length, append_data, additional_args=""): hash length extension testing.
## Fallback execution
- execute_command(command, use_cache=True): run tools not exposed as MCP endpoints when installed on the Pentest host.
```
### references/workflows.md
```markdown
# Workflows
<!-- From network-recon -->
# Network Recon Workflows (Pentest patterns)
## AI-assisted selection
1. analyze_target_intelligence(target) to classify target type.
2. select_optimal_tools_ai(target, objective="comprehensive") to get prioritized tools.
3. optimize_tool_parameters_ai(target, tool, context="{}") to tune parameters.
4. Run tools with optimized params and record telemetry.
## Default attack patterns from IntelligentDecisionEngine
- network_discovery:
  - arp-scan: local_network True
  - rustscan: ulimit 5000, scripts True
  - nmap-advanced: scan_type "-sS", os_detection True, version_detection True
  - masscan: rate 1000, ports "1-65535", banners True
  - enum4linux-ng: shares/users/groups True
  - nbtscan: verbose True
  - smbmap: recursive True
  - rpcclient: commands "enumdomusers;enumdomgroups;querydominfo"
- comprehensive_network_pentest:
  - autorecon: port_scans "top-1000-ports", service_scans "default"
  - rustscan: ulimit 5000, scripts True
  - nmap-advanced: aggressive True, nse_scripts "vuln,exploit"
  - enum4linux-ng: shares/users/groups/policy True
  - responder: wpad True, duration 180
## Recovery and reporting
- If output includes recovery_info, record retries and parameter changes.
- If human_escalation is set, pause automation and request approval.
- Use create_scan_summary(target, tools_used, vulnerabilities_found, execution_time, findings) to standardize outputs.
<!-- From pentest-auth-password -->
# Auth and Password Workflows (Pentest patterns)
## AI-assisted selection
1. analyze_target_intelligence(target) to identify target type and auth surface.
2. select_optimal_tools_ai(target, objective="comprehensive") to rank tools.
3. optimize_tool_parameters_ai(target, tool, context="{}") before running high-risk tests.
## Online brute force workflow
1. Enumerate login endpoints and protocols.
2. Run hydra_attack with conservative rate limits.
3. Validate credentials with netexec_scan or a direct login check.
4. If lockouts occur, pause and switch to offline analysis.
## Offline cracking workflow
1. Collect hashes and identify format.
2. Run john_crack or hashcat_crack with targeted wordlists and masks.
3. Record cracked credentials and cracking method.
## Token analysis workflow
1. Run jwt_analyzer to detect algorithm confusion and weak signatures.
2. If applicable, test hash length extension with hashpump_attack.
3. Document exploitability and remediation guidance.
```
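The "Common response fields" list in references/tools.md and the "Recovery and reporting" rules in references/workflows.md together define a small contract that any orchestrator driving these MCP tools has to honour: record `recovery_info`, never keep automating once `human_escalation` is set, and standardize what goes into the summary. The following is an added example of a response-triage layer that enforces those rules; it is not JoySafeter's code. The shape of `recovery_info` is not documented on the page, so accepting a string, list or dict there is an assumption, and the sample responses are constructed for the example.

```python
"""Triage of Pentest MCP tool responses (added example, not JoySafeter code).

Implements the rules from references/workflows.md, "Recovery and reporting":
  - if recovery_info is present, record retries and parameter changes;
  - if human_escalation is set, pause automation and request approval;
using the common response fields from references/tools.md.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, List, Optional


class Action(Enum):
    CONTINUE = "continue"                      # tool succeeded, move on
    RETRY_ALTERNATIVE = "retry_alternative"    # failed, server hinted a fallback tool
    PAUSE_FOR_APPROVAL = "pause_for_approval"  # human_escalation set
    STOP = "stop"                              # failed with no recovery path


@dataclass
class Decision:
    tool: str
    action: Action
    reason: str
    alternative_tool: Optional[str] = None
    recovery_notes: List[str] = field(default_factory=list)


def normalise_recovery_info(info: Any) -> List[str]:
    """Flatten recovery_info into notes. Its shape is undocumented on the page,
    so string, list and dict forms are all accepted here (assumption)."""
    if info is None:
        return []
    if isinstance(info, str):
        return [info]
    if isinstance(info, list):
        return [str(item) for item in info]
    if isinstance(info, dict):
        notes = []
        for key, value in info.items():
            if isinstance(value, dict):
                # e.g. {"parameter_changes": {"rate": 500}} -> "parameter_changes: rate=500"
                notes.append(f"{key}: " + ", ".join(f"{k}={v}" for k, v in value.items()))
            else:
                notes.append(f"{key}: {value}")
        return notes
    return [repr(info)]


def triage_response(tool: str, response: dict) -> Decision:
    """Decide what the orchestrator does next with a single tool response."""
    notes = normalise_recovery_info(response.get("recovery_info"))
    # Escalation overrides everything, including success: the workflow says
    # to pause automation and request approval.
    if response.get("human_escalation"):
        return Decision(tool, Action.PAUSE_FOR_APPROVAL,
                        "human_escalation set; manual intervention required",
                        recovery_notes=notes)
    if response.get("success"):
        return Decision(tool, Action.CONTINUE, "tool reported success",
                        recovery_notes=notes)
    alt = response.get("alternative_tool_suggested")
    if alt:
        return Decision(tool, Action.RETRY_ALTERNATIVE,
                        f"tool failed; server suggested {alt}",
                        alternative_tool=alt, recovery_notes=notes)
    stderr_lines = (response.get("stderr") or "").strip().splitlines()
    reason = stderr_lines[-1] if stderr_lines else "tool failed with no recovery hint"
    return Decision(tool, Action.STOP, reason, recovery_notes=notes)


def triage_run(target: str, responses: list) -> dict:
    """Triage an ordered batch of (tool, response) pairs, stopping at the first
    escalation. The result keeps the target/tools_used layout that
    create_scan_summary expects, plus the recovery log the workflow asks for."""
    tools_used, decisions, recovery_log, paused = [], [], [], False
    for tool, response in responses:
        d = triage_response(tool, response)
        tools_used.append(tool)
        decisions.append((tool, d.action.value))
        recovery_log.extend(f"{tool}: {note}" for note in d.recovery_notes)
        if d.action is Action.PAUSE_FOR_APPROVAL:
            paused = True
            break  # do not run further tools until a human approves
    return {"target": target, "tools_used": tools_used, "decisions": decisions,
            "recovery_log": recovery_log, "paused": paused}


# Constructed sample responses in the documented field layout (not real output).
SAMPLE_RESPONSES = [
    ("nmap_scan", {"success": True, "stdout": "22/tcp open ssh\n445/tcp open microsoft-ds",
                   "stderr": ""}),
    ("masscan_high_speed", {"success": False, "stdout": "",
                            "stderr": "masscan: permission denied (raw sockets)",
                            "recovery_info": {"retries": 2, "parameter_changes": {"rate": 500}},
                            "alternative_tool_suggested": "rustscan_fast_scan"}),
    ("rpcclient_enumeration", {"success": False, "stdout": "", "stderr": "",
                               "human_escalation": True}),
    ("enum4linux_scan", {"success": True, "stdout": "", "stderr": ""}),  # never reached
]

if __name__ == "__main__":
    summary = triage_run("10.0.0.0/24", SAMPLE_RESPONSES)  # constructed target
    for tool, action in summary["decisions"]:
        print(f"{tool:28s} -> {action}")
    print("recovery log:", summary["recovery_log"])
    print("paused for approval:", summary["paused"])
```

The design point is the ordering inside `triage_response`: `human_escalation` is checked before `success`, so a tool that returns both a result and an escalation flag still halts the run, and `triage_run` breaks out of the batch rather than merely annotating it. The recovery log is kept as plain strings keyed by tool name so it can be dropped straight into the `findings` argument of `create_scan_summary` without further parsing.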