feat: add NIST SP 800-115 Technical Guide to Information Security Testing and Assessment skill#39
Open
sjackson0109 wants to merge 1 commit into Sushegaad:main from
…ting and Assessment skill
PLUGIN: nist-sp-800-115
VERSION: 1.0.0
SOURCE: NIST Special Publication 800-115, September 2008
TITLE: Technical Guide to Information Security Testing and Assessment
PLUGIN STRUCTURE
plugins/nist-sp-800-115/
  .claude-plugin/plugin.json
  skills/nist-sp-800-115/
    SKILL.md
    references/
      assessment-techniques.md
      penetration-testing-phases.md
      reporting-templates.md
FRAMEWORK COVERAGE
NIST SP 800-115 provides a systematic methodology for technical security testing,
covering review techniques, target identification, vulnerability validation, and reporting.
1. Assessment Categories (Three)
- Review Techniques: documentation review, log review, ruleset review, system
configuration review, network sniffing (with required safeguards), file integrity
checking — examination-based methods not involving active system interaction
- Target Identification and Analysis: network discovery, port and service scanning,
vulnerability scanning (network-based and credentialed), wireless security scanning
- Target Vulnerability Validation: password cracking, penetration testing, social
engineering testing (phishing, vishing, physical), application security testing
2. Planning Phase
- Assessment scope definition: in-scope and out-of-scope systems, objectives,
authorised assessment types
- Rules of Engagement: scope, authorisation, restrictions, escalation path,
communication, emergency stop, data handling, start/end dates
- Assessment plan structure: objectives, testing types, team roles, schedule,
RoE reference, reporting requirements
- Threat modelling: attacker simulation type, starting position, primary target
3. Testing Approaches
- Black-box: no prior knowledge; simulates external attacker
- Grey-box: partial knowledge (network diagram, user credentials); simulates
insider or partially informed attacker
- White-box: full knowledge (source code, architecture); maximum coverage
4. Discovery Phase
- Passive information gathering: WHOIS, DNS enumeration, OSINT, job postings,
social media, pastebin/GitHub
- Host discovery: ICMP, TCP SYN, ARP, DNS reverse lookup
- Port scanning: TCP SYN/Connect/UDP/FIN; port states (open/closed/filtered);
service version detection; OS fingerprinting
- Service enumeration per service type: HTTP, SSH, SMB, LDAP, RDP, SNMP, DNS, SMTP
- Vulnerability scanning: network-based and credentialed; false positive validation
mandatory for all findings before reporting
5. Attack Phase
- Vulnerability validation: confirm exploitability vs. version-match false positives
- Privilege escalation techniques for Windows (Kerberoasting, Pass-the-Hash,
token impersonation, unquoted service paths, GPO misconfiguration) and
Linux/Unix (SUID binaries, sudo misconfiguration, world-writable cron jobs)
- Lateral movement: Pass-the-Hash/Ticket, SMB enumeration, WMI/PowerShell remoting
- Post-exploitation data access assessment: document access path, not content
- Mandatory cleanup: accounts, tools, registry changes, scheduled tasks, credentials
6. Social Engineering Testing
- Phishing simulation: pretext design, campaign execution, metrics (open/click/
credential/report rates), debrief and training follow-up
- Vishing: telephone pretext, success rate measurement, awareness indicator tracking
- Physical social engineering: tailgating, impersonation; requires explicit senior
management authorisation; clear abort signal required
7. Reporting
- Finding documentation: ID, severity, CVSS, CVE, CWE, affected systems, title,
description, proof-of-exploitation steps, impact, evidence, recommendation,
references
- Severity classification tied to CVSS range and SP 800-30 risk levels
- Remediation roadmap by timeframe and effort
- Report handling: classified distribution, encrypted transmission, destruction
after retention period
- Cleanup log as mandatory appendix
REFERENCE FILES
references/assessment-techniques.md
Detailed descriptions of all SP 800-115 review and assessment techniques.
Review techniques: documentation review checklist, log review indicators, ruleset
review steps (firewall and IDS/IPS), system configuration review approach, network
sniffing safeguards and evidence targets, file integrity checking. Target identification:
host discovery comparison table, port scan type comparison (TCP SYN/Connect/UDP/FIN
with detectability and reliability ratings), service version detection, per-service
enumeration techniques. Vulnerability scanning: limitation of automated scanning,
scan validation requirements. Wireless assessment: passive scanning, WEP/WPA/WPA3
identification, rogue AP detection, management frame protection check.
references/penetration-testing-phases.md
Step-by-step guidance for each of the four SP 800-115 phases. Planning: authorisation
requirements, threat modelling, approach selection table. Discovery: passive info
gathering sources, structured host discovery priority list, port scanning by priority,
per-service enumeration guide. Attack: vulnerability validation steps, initial access
techniques by category, privilege escalation techniques for Windows and Linux, lateral
movement, data access assessment methodology, mandatory cleanup table. Reporting:
full finding documentation format with all required fields.
references/reporting-templates.md
Complete security assessment report template (all six sections plus appendices).
Per-finding template with all required fields including proof-of-exploitation steps.
Severity classification table with CVSS ranges and POA&M requirements. Remediation
roadmap by timeframe. Assessor attestation section. Full Rules of Engagement
template with authorisation statement, in-scope/out-of-scope tables, prohibited
actions checklist, emergency escalation procedure, data handling requirements, and
signature block.
INTEGRATION POINTS
- SP 800-53A Rev 5 (Test method): SP 800-115 provides the technical guidance for the
Test assessment method defined in SP 800-53A; findings feed SAR Other Than Satisfied
determinations
- SP 800-37 Rev 2 (Assess step): Assessment results from 800-115-based testing feed
the authorization package and POA&M
- SP 800-30 Rev 1: Finding severity uses SP 800-30 likelihood x impact risk scales
- SP 800-137 (Continuous Monitoring): 800-115 assessments feed the baseline; periodic
re-testing supports ongoing monitoring requirements
TESTS
Passed: tests/test_plugin_structure.py - 10/10 (nist-sp-800-115)
test_plugin_json_exists PASSED
test_plugin_json_is_valid PASSED
test_plugin_json_required_fields PASSED
test_plugin_version_semver PASSED
test_skills_directory_exists PASSED
test_skills_directory_has_one_skill_folder PASSED
test_skill_md_exists PASSED
test_skill_md_not_empty PASSED
test_no_files_outside_skill_folder PASSED
test_references_are_markdown PASSED
NIST SP 800-115 — Technical Guide to Information Security Testing and Assessment
Source Publication: NIST Special Publication 800-115, September 2008
CSRC URL: https://csrc.nist.gov/publications/detail/sp/800-115/final
This pull request adds a complete Claude skill plugin for NIST SP 800-115, supporting security assessment teams, penetration testers, ISSOs, and system owners in planning, executing, and reporting on technical security assessments of federal information systems.
Files Added
Framework Coverage
Assessment Categories: Three SP 800-115 categories — Review Techniques (documentation, logs, rulesets, configuration, network sniffing, file integrity); Target Identification and Analysis (network discovery, port/service scanning, vulnerability scanning, wireless); Target Vulnerability Validation (password cracking, penetration testing, social engineering, application security testing).
Planning Phase: Scope definition, Rules of Engagement (all required elements), assessment plan structure, threat modelling, testing approach selection (black-box, grey-box, white-box).
Discovery Phase: Passive information gathering (OSINT sources), structured host discovery, port scanning (type comparison table with detectability and reliability), per-service enumeration, vulnerability scanning (network-based and credentialed), wireless security assessment.
Attack Phase: Vulnerability validation, privilege escalation (Windows and Linux techniques), lateral movement, post-exploitation data access assessment, mandatory cleanup procedures.
Social Engineering Testing: Phishing simulation (metrics, debrief), vishing (telephone pretext), physical social engineering (authorisation requirements, abort signals).
Reporting: Full finding documentation format with proof-of-exploitation requirement, severity classification table (CVSS ranges), remediation roadmap by timeframe, report handling requirements, cleanup log.
Reference Files
references/assessment-techniques.md — All SP 800-115 review and assessment techniques. Review: documentation checklist, log review indicators, ruleset review (firewall and IDS/IPS), configuration review, network sniffing safeguards. Discovery: host discovery comparison, port scan type comparison table, per-service enumeration. Vulnerability scanning validation. Wireless: passive scanning, WEP/WPA/WPA3 identification, rogue AP detection, MFP check. Social engineering methodologies.
references/penetration-testing-phases.md — Step-by-step phase guidance. Planning: authorisation requirements, threat modelling, approach selection. Discovery: passive OSINT sources, structured scanning priority, per-service enumeration guide. Attack: validation steps, privilege escalation (Windows and Linux), lateral movement, data access assessment, mandatory cleanup table. Reporting: full finding format.
references/reporting-templates.md — Complete security assessment report template (six sections plus appendices). Per-finding template with all required fields. Severity classification with CVSS ranges. Remediation roadmap. Assessor attestation. Full Rules of Engagement template with authorisation statement and all required elements.
Integration Points
Tests
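The commit message lists the ten checks in tests/test_plugin_structure.py by name only. The following is an added example, not the project's own test file, that implements one plausible reading of each check against a plugin tree laid out exactly as the PLUGIN STRUCTURE section shows, then runs it on a constructed well-formed tree and a constructed broken one. Three things are assumptions because the page does not state them: the set of required plugin.json fields (`name`, `version`, `description`), the meaning of "no files outside skill folder" (every file under the plugin root must sit in `.claude-plugin/` or inside the single skill folder), and the use of the SemVer 2.0.0 grammar for the version check.

```python
"""Structural checks for a Claude skill plugin tree.

Added example mirroring the ten test names in the PR; the logic behind each
name is this example's interpretation, not the project's own test code.
"""
import json
import re
import tempfile
from pathlib import Path

# Assumption: the PR mentions a required-fields check but does not name the
# fields, so this set is illustrative.
REQUIRED_FIELDS = ("name", "version", "description")

# Semantic Versioning 2.0.0: major.minor.patch with optional pre-release and
# build metadata (assumed to be the grammar the semver check enforces).
SEMVER_RE = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)


def _load_manifest(manifest: Path):
    """Return plugin.json parsed as a dict, or None if missing or not a JSON object."""
    if not manifest.is_file():
        return None
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (json.JSONDecodeError, UnicodeDecodeError):
        return None
    return data if isinstance(data, dict) else None


def check_plugin(root: Path) -> dict:
    """Run the ten structural checks against one plugin root; return {check_name: bool}."""
    root = Path(root)
    manifest = root / ".claude-plugin" / "plugin.json"
    data = _load_manifest(manifest)
    version = data.get("version") if data is not None else None

    skills = root / "skills"
    skill_dirs = [p for p in skills.iterdir() if p.is_dir()] if skills.is_dir() else []
    skill = skill_dirs[0] if len(skill_dirs) == 1 else None
    skill_md = skill / "SKILL.md" if skill is not None else None
    refs = skill / "references" if skill is not None else None

    # Assumption: "no files outside skill folder" means every file under the
    # plugin root lives in .claude-plugin/ or inside the single skill folder.
    allowed = [root / ".claude-plugin"] + ([skill] if skill is not None else [])
    stray = [
        p for p in root.rglob("*")
        if p.is_file() and not any(a in p.parents for a in allowed)
    ]

    ref_files = [p for p in refs.iterdir() if p.is_file()] if refs is not None and refs.is_dir() else []

    return {
        "plugin_json_exists": manifest.is_file(),
        "plugin_json_is_valid": data is not None,
        "plugin_json_required_fields": data is not None and all(k in data for k in REQUIRED_FIELDS),
        "plugin_version_semver": isinstance(version, str) and SEMVER_RE.match(version) is not None,
        "skills_directory_exists": skills.is_dir(),
        "skills_directory_has_one_skill_folder": len(skill_dirs) == 1,
        "skill_md_exists": skill_md is not None and skill_md.is_file(),
        "skill_md_not_empty": skill_md is not None and skill_md.is_file()
        and bool(skill_md.read_text(encoding="utf-8").strip()),
        "no_files_outside_skill_folder": skills.is_dir() and not stray,
        "references_are_markdown": all(p.suffix == ".md" for p in ref_files),
    }


def build_sample_plugin(root: Path, version: str = "1.0.0", add_stray: bool = False) -> Path:
    """Write a constructed plugin tree with the layout from the PR and return its root."""
    plugin = Path(root) / "plugins" / "nist-sp-800-115"
    skill = plugin / "skills" / "nist-sp-800-115"
    refs = skill / "references"
    (plugin / ".claude-plugin").mkdir(parents=True)
    refs.mkdir(parents=True)
    (plugin / ".claude-plugin" / "plugin.json").write_text(json.dumps({
        "name": "nist-sp-800-115",
        "version": version,
        "description": "NIST SP 800-115 Technical Guide to Information Security Testing and Assessment",
    }), encoding="utf-8")
    (skill / "SKILL.md").write_text("# NIST SP 800-115\n\nConstructed sample skill body.\n", encoding="utf-8")
    for name in ("assessment-techniques.md", "penetration-testing-phases.md", "reporting-templates.md"):
        (refs / name).write_text(f"# {name}\n", encoding="utf-8")
    if add_stray:
        # Constructed defects: a file beside the skill folder and a non-markdown reference.
        (plugin / "skills" / "notes.txt").write_text("stray\n", encoding="utf-8")
        (refs / "scratch.txt").write_text("not markdown\n", encoding="utf-8")
    return plugin


def run_demo() -> dict:
    """Check a well-formed tree and a deliberately broken one (bad semver, stray files)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = check_plugin(build_sample_plugin(Path(tmp) / "good"))
        bad = check_plugin(build_sample_plugin(Path(tmp) / "bad", version="1.0", add_stray=True))
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    for label, results in run_demo().items():
        failed = [name for name, ok in results.items() if not ok]
        print(f"{label}: {len(results) - len(failed)}/{len(results)} passed", failed or "")
```

The well-formed tree passes all ten checks; the broken tree fails exactly `plugin_version_semver` (two-part version), `no_files_outside_skill_folder` and `references_are_markdown`, which is the kind of result a CI run of the real test file would surface for a mis-packaged plugin.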