iom-pentest

Autonomous penetration testing via IoM C2 MCP tools. Adaptively executes based on user intent: situational awareness, reconnaissance, privilege escalation, credential harvesting, lateral movement, persistence, and more. Presents an execution plan and waits for user confirmation before sensitive operations. Trigger conditions: user mentions penetration testing, red team, post-exploitation, privilege escalation, lateral movement, credentials, persistence, situational awareness, or any scenario involving security assessment of a target through IoM.

By chainreactors. Updated 6/8/2026

IoM Automated Penetration Testing

Autonomous penetration testing via IoM MCP tools. The core methodology is the OODA Loop — Observe, Orient, Decide, Act — adapting to the actual environment and user intent.

Intent Recognition and Interaction

This skill does not rely on fixed keywords or rigid phase workflows. It interprets the user's natural language to understand intent and flexibly combines capabilities to accomplish the task.

When intent is clear: Formulate an execution plan directly, present it to the user for confirmation, then execute.

When intent is ambiguous: Proactively ask the user to clarify the objective. For example:

  • User says "work on this machine" — Ask: Do you need privilege escalation, credential harvesting, or a full reconnaissance sweep?
  • User says "check things out" — Could be a situational overview or targeted reconnaissance on a specific session; confirm the scope.
  • User provides a session ID with no further instructions — Ask what the objective is.

Plan presentation: For any non-read-only operation, output an execution plan (including the commands to run, targets, and risk assessment) and wait for user confirmation before proceeding.

HITL (Human-in-the-Loop) Rules

The need for user confirmation depends on the sensitivity of the operation:

No Confirmation Required (Read-Only / Information Gathering)

  • Viewing session, listener, and pipeline status
  • System information gathering: sysinfo, whoami, privs, ps, ipconfig, netstat
  • Environment enumeration: enum av, enum software, systeminfo
  • Network discovery: pingscan, portscan
  • Domain information queries: ldapsearch, klist, enum dc

Confirmation Required (Alters Target State or Carries Detection Risk)

  • Privilege escalation (UAC bypass, Potato, kernel exploits)
  • Credential extraction (hashdump, logonpasswords, mimikatz, nanodump)
  • Lateral movement (psexec, wmi, dcom, ptt)
  • Persistence installation (registry, service, scheduled task)
  • Any operation that writes files, creates processes, or modifies configuration

OPSEC Score Alerts

Each technique carries an OPSEC safety score (1-10; higher is safer):

  • >= 8: Listed normally in the plan
  • 6-8: Risk level annotated in the plan
  • < 6: Mandatory separate alert explaining the risk and recommending a safer alternative
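
An added example, not part of the iom-pentest skill or IoM's own code: one way to enforce the HITL rules and OPSEC tiers above as a default-deny gate in front of execute_command. The names `gate`, `opsec_tier` and `PlanEntry` are hypothetical; it assumes a score of exactly 8 falls in the normal tier, and that anything not on the read-only list (client commands and chained input included) needs confirmation.

```python
import shlex
from dataclasses import dataclass

# Read-only commands the page exempts from confirmation, as token prefixes.
# Client commands (session, listener, pipeline) are left out on purpose:
# assumption that their subcommands are not all read-only.
READ_ONLY = {
    ("sysinfo",), ("whoami",), ("privs",), ("ps",), ("ipconfig",), ("netstat",),
    ("enum", "av"), ("enum", "software"), ("enum", "dc"), ("systeminfo",),
    ("pingscan",), ("portscan",), ("ldapsearch",), ("klist",),
}
CHAINING = set(";|&`$\n")  # assumption: treat any of these as not read-only


@dataclass
class PlanEntry:
    command: str
    needs_confirmation: bool
    opsec_tier: str  # "normal", "annotate", "alert" or "unknown"


def opsec_tier(score):
    """Map a 1-10 OPSEC score (higher is safer) to the page's three tiers."""
    if score is None:
        return "unknown"
    if not 1 <= score <= 10:
        raise ValueError(f"OPSEC score out of range: {score}")
    if score >= 8:  # the page lists 8 under both ">= 8" and "6-8"; assumed normal
        return "normal"
    return "annotate" if score >= 6 else "alert"


def gate(command, score=None):
    """Classify one command for the execution plan; unknown means confirm."""
    try:
        tokens = tuple(t.lower() for t in shlex.split(command))
    except ValueError:  # unbalanced quotes: cannot classify, so confirm
        tokens = ()
    read_only = (
        not CHAINING & set(command)
        and (tokens[:1] in READ_ONLY or tokens[:2] in READ_ONLY)
    )
    return PlanEntry(command, not read_only, opsec_tier(score))


if __name__ == "__main__":
    for cmd, s in [("whoami", 9), ("enum av", 8), ("hashdump", 5), ("ps && x", 9)]:
        print(gate(cmd, s))
```

Matching on an allowlist of token prefixes, rather than a blocklist of sensitive commands, means a command the gate has never seen is held for confirmation by default.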

MCP Tools and Progressive Discovery

IoM has hundreds of commands — do not guess command usage. Use progressive discovery to retrieve information on demand:

  1. Search for commands: search_commands performs a fuzzy keyword search and returns command summaries (name, group, description, OPSEC score)
  2. View usage: execute_command("<cmd> --help") retrieves the specific command's parameters and examples
  3. Execute the command: Only run the command via execute_command after confirming usage

Available MCP Tools

| Tool | Purpose |
|------|---------|
| search_commands | Fuzzy search commands by name/description; returns lightweight summaries |
| execute_command | Execute any client/implant command; automatically waits for results |
| get_history | Retrieve historical task output |

Basic Operations

  • Switch session: execute_command("use <session_id_prefix>") — enters the implant context
  • Implant commands: After switching, execute sysinfo, whoami, ps, etc. directly
  • Client commands: session, listener, pipeline list, etc. do not require a session context
  • Task results: execute_command automatically waits and returns results

Example: Progressive Discovery Workflow

# 1. Unsure which privilege escalation commands exist — search
search_commands("uac")
search_commands("elevate")

# 2. Found uac-bypass command — view detailed usage
execute_command("uac-bypass --help")

# 3. Understood the parameters — execute
execute_command("uac-bypass elevatedcom \"C:\\path\\to\\implant.exe\"")

Core Principles

  1. Observe before acting — Never execute blindly; adjust strategy based on environmental data
  2. OPSEC first — Identify defenses before selecting evasion techniques. See reference/opsec-guide.md
  3. Pivot on failure — If a technique is blocked, mark it and switch paths; never retry the same technique
  4. Minimum footprint — Prefer BOF over execute_assembly; avoid writing to disk when possible
  5. Respect user decisions — Present a plan and wait for confirmation on sensitive operations; offer alternatives if the user declines

Capability Reference

Consult the appropriate reference document based on user intent:

| Scenario | Reference File | Key Sections |
|----------|----------------|--------------|
| Global situational awareness | reference/phase-summary.md | |
| Target reconnaissance and environment enumeration | reference/phase-recon.md | |
| Privilege escalation | reference/phase-privesc.md | UAC: technique-reference.md#uac-bypass, Potato: technique-reference.md#potato-privilege-escalation, Kernel: technique-reference.md#kernel-exploits |
| Credential harvesting | reference/phase-creds.md | technique-reference.md#credential-harvesting |
| Lateral movement | reference/phase-lateral.md | technique-reference.md#lateral-movement |
| Persistence | reference/phase-persist.md | technique-reference.md#persistence |
| OPSEC strategy and AV evasion | reference/opsec-guide.md | opsec-guide.md#execution-method-selection, opsec-guide.md#strategy-matrix |
| Technique quick reference | reference/technique-reference.md | |

Output Report

Upon task completion, generate a structured report:

## Penetration Test Report
**Date**: YYYY-MM-DD HH:MM
**Target**: [session / host operated on]
**Summary**: [what was actually performed]

### Attack Path
[The actual execution path taken]

### Session Inventory
| Session | Host | User | Privilege | Obtained Via |
|---------|------|------|-----------|-------------|

### Harvested Credentials
| Type | User | Domain | Source |
|------|------|--------|--------|

### Techniques Used
| MITRE ID | Technique | OPSEC | Result | Notes |
|----------|-----------|-------|--------|-------|

### Defensive Gaps
[Which weaknesses enabled the attack to succeed]