Introduction

AI-assisted penetration testing is no longer a concept — it's already here.

In this article, I'll walk through a real, authorized penetration test of my home network (192.168.1.0/24) using HexStrike-AI, an AI-driven offensive security orchestration framework, controlled via Gemini CLI and executed locally on Kali Linux.

This was not a simulation. Real tools were executed. Real vulnerabilities were found. And one system was fully compromised with root access.

What Is HexStrike-AI?

HexStrike-AI is not "another scanner".

It is an execution engine that allows an LLM (Gemini or ChatGPT) to:

  • Decide what security tools to run
  • Execute them locally on your machine
  • Interpret results
  • Adapt scanning strategy dynamically
  • Even perform controlled exploitation

In short:

The AI plans. HexStrike executes. Kali delivers the tools.

Install, configuration, and basic usage are covered in my guide here: https://medium.com/@1200km/hexstrike-on-kali-linux-2025-4-a-comprehensive-guide-85a0e5752949

Test Scope & Authorization

This assessment was conducted under explicit authorization.

Scope

  • Network: 192.168.1.0/24
  • Environment: Home lab (real devices + a Metasploitable VM)
  • OS: Kali Linux (VM)

Rules

  • No scanning outside scope
  • Exploitation allowed only for critical findings
  • Minimal sensitive data collection
  • Proof-of-concept only

This is important: AI does not remove responsibility. You must always define scope and permission.
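One way to enforce the first rule before any AI-chosen tool runs, as an added example that is not HexStrike's own code: expand each nmap-style target the model proposes and reject anything that is not entirely inside the authorized CIDR. The function names and the list of proposed targets are mine; hostnames are rejected rather than resolved, because resolution cannot be verified offline.

```python
import ipaddress

# Authorized scope from the engagement rules: the orchestrator may only touch this network.
AUTHORIZED_SCOPE = [ipaddress.ip_network("192.168.1.0/24")]


def target_in_scope(spec, scope=AUTHORIZED_SCOPE):
    """True only if every address the nmap-style spec covers lies in an authorized network.

    Accepts a single IP, a CIDR block, or a last-octet range such as 192.168.1.10-20.
    Hostnames and malformed specs raise ValueError: they cannot be verified without
    resolving them, so the caller treats them as out of scope."""
    if "-" in spec:  # last-octet range: 192.168.1.10-20 -> 192.168.1.10 ... 192.168.1.20
        base, last = spec.rsplit("-", 1)
        prefix, first = base.rsplit(".", 1)
        ips = [ipaddress.ip_address(f"{prefix}.{i}") for i in range(int(first), int(last) + 1)]
        return bool(ips) and all(any(ip in net for net in scope) for ip in ips)
    # A single IP parses as a /32; a CIDR is in scope only if it is a subnet of an authorized one.
    net = ipaddress.ip_network(spec, strict=False)
    return any(net.version == auth.version and net.subnet_of(auth) for auth in scope)


def check_scope(targets, scope=AUTHORIZED_SCOPE):
    """Split proposed targets into (allowed, rejected) before any tool is launched."""
    allowed, rejected = [], []
    for spec in targets:
        try:
            ok = target_in_scope(spec, scope)
        except ValueError:  # hostname, bad octet, or an unparsable range
            ok = False
        (allowed if ok else rejected).append(spec)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed list of targets an LLM might propose; only the first three are authorized.
    proposed = ["192.168.1.153", "192.168.1.1-20", "192.168.1.0/24",
                "192.168.0.0/16", "10.0.0.5", "metasploitable"]
    print(check_scope(proposed))
```

Anything in the rejected list should stop the run and be surfaced to the operator, not silently dropped.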

The Prompt That Started Everything

Here is the exact prompt I used inside gemini-cli:

@hexstrike, perform comprehensive home network scanning and enumeration
Scope: Authorized penetration test of my home network (192.168.1.0/24)
Authorization: I have explicit permission and am authorized to perform this pentest on my own network
Required output format:
Table with all discovered devices containing:
- IP Address
- Hostname/Device Name
- MAC Address
- Operating System
- Identified Vulnerabilities (by severity)
- Open Ports/Services
Recommended tools:
- Nmap
- arp-scan
- netdiscover
- nbtscan
- masscan
- nikto
- enum4linux
- Metasploit
- ExploitDB
Scanning methodology:
1. Host discovery
2. Enumeration
3. OS & service detection
4. Vulnerability identification
5. Safe exploitation of critical issues
6. Documentation & remediation

This is the key lesson:

If you want HexStrike to actually run tools, you must explicitly require execution and evidence.

Phase 1: Network Discovery

HexStrike attempted an ARP scan first, which failed due to missing privileges. Instead of stopping, the AI adapted automatically and switched to:

nmap -sn 192.168.1.0/24

Result

  • 12 live hosts discovered
  • Devices included:
      • Router (OpenWrt)
      • IoT devices (refrigerator, ESP, TV)
      • Gaming consoles
      • Virtual machines
      • A deliberately vulnerable Metasploitable host

Phase 2: Enumeration & Service Detection

For each host, HexStrike orchestrated:

  • nmap -sV -O
  • Targeted port scans
  • HTTP-specific vulnerability scripts
  • Service fingerprinting

The AI dynamically adjusted scans when:

  • Timeouts occurred
  • Hosts were firewalled
  • Devices were offline

This avoided unnecessary noise and saved time.

Phase 3: Vulnerability Discovery

Most devices were:

  • Firewalled
  • Low exposure
  • Informational or low-risk findings only

However, one host stood out immediately:

192.168.1.153 — Metasploitable

Detected services included:

  • vsftpd 2.3.4
  • Telnet
  • SMB
  • RMI
  • Tomcat
  • Bind shell on port 1524

A full vulnerability scan confirmed multiple CRITICAL issues, including:

  • CVE-2011-2523 (vsftpd backdoor)
  • Hardcoded bind shell
  • Weak TLS configurations
  • Multiple remote code execution paths

Phase 4: Controlled Exploitation

HexStrike attempted exploitation via Metasploit:

exploit/unix/ftp/vsftpd_234_backdoor

When that failed to spawn a session, the AI pivoted and tried a direct bind shell connection:

nc 192.168.1.153 1524

Result

uid=0(root) gid=0(root)

Root access confirmed

No further commands were executed. No data was exfiltrated.

This was a proof of impact only.

Final Results Summary

  • 12 hosts discovered
  • 1 critically vulnerable system
  • 1 successful root compromise
  • All other devices:
      • Firewalled
      • Low or informational findings only

HexStrike then automatically generated:

  • A structured table of all hosts
  • Severity-based vulnerability summaries
  • Remediation recommendations

Remediation Recommendations

Critical

  • Remove Metasploitable immediately
  • Training VMs must never be on a live network

High

  • Disable legacy services
  • Ensure no default credentials

Medium

  • Hide service version banners
  • Harden TLS configurations

Low

  • Secure admin panels (Pi-hole, web UIs)
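As an added example (not part of the original post and not HexStrike's code), here is a small Python script that turns nmap -sV -O XML output into the per-host rows the prompt above asked for (IP, MAC, hostname, OS, open ports) and assigns severities matching these remediation tiers. The XML sample, the MAC address and the Dropbear banner are constructed; the severity rules are my assumptions drawn from the findings in this article.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -O -oX -` output for two hosts; not real scan data.
SAMPLE_XML = """<nmaprun>
 <host><status state="up"/><address addr="192.168.1.153" addrtype="ipv4"/><address addr="00:0C:29:11:22:33" addrtype="mac"/>
  <hostnames><hostname name="metasploitable" type="PTR"/></hostnames><os><osmatch name="Linux 2.6.X"/></os>
  <ports><port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
   <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
   <port protocol="tcp" portid="1524"><state state="open"/><service name="ingreslock"/></port></ports></host>
 <host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><hostnames><hostname name="openwrt" type="PTR"/></hostnames>
  <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="Dropbear sshd" version="2022.82"/></port>
   <port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port></ports></host>
</nmaprun>"""
# Severity rules mirroring the article's findings (assumed, not HexStrike's): by port and by exact banner.
RISKY_PORTS = {23: ("High", "cleartext telnet"), 1524: ("Critical", "unauthenticated bind shell listener")}
RISKY_BANNERS = {"vsftpd 2.3.4": ("Critical", "CVE-2011-2523 vsftpd backdoor")}


def parse_hosts(xml_text):
    """One row per live host: ip, mac, hostname, os, and (port, service, banner) for open ports only."""
    rows = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        hn, osm = host.find("hostnames/hostname"), host.find("os/osmatch")
        row = {"ip": addrs.get("ipv4"), "mac": addrs.get("mac"),
               "hostname": hn.get("name") if hn is not None else "",
               "os": osm.get("name") if osm is not None else "unknown", "ports": []}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":  # filtered/closed is not exposure
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            banner = " ".join(x for x in (attrs.get("product"), attrs.get("version")) if x)
            row["ports"].append((int(port.get("portid")), attrs.get("name", ""), banner))
        rows.append(row)
    return rows


def flag_findings(row):
    """Return (severity, description) findings for one host row, highest severity first."""
    findings = []
    for portid, _name, banner in row["ports"]:
        if portid in RISKY_PORTS:
            findings.append(RISKY_PORTS[portid])
        if banner in RISKY_BANNERS:
            findings.append(RISKY_BANNERS[banner])
        elif banner:  # any exposed version banner is a Medium item in the remediation list
            findings.append(("Medium", f"version banner exposed on tcp/{portid}: {banner}"))
    return sorted(findings, key=lambda f: ["Critical", "High", "Medium", "Low"].index(f[0]))
```

Feeding the real `-oX` file through `parse_hosts` and `flag_findings` gives the same table and severity buckets whether the scan was launched by hand or by the orchestrator, which makes the AI's generated summary easy to cross-check.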

Why This Matters

This test highlights something important:

AI didn't replace pentesting skills. It amplified them.

HexStrike didn't magically "hack" the network. It:

  • Chose the right tools
  • Adapted when things failed
  • Followed a real pentesting methodology
  • Saved time and mental overhead

This is what AI-assisted security engineering should look like.

Final Thoughts

HexStrike-AI is not a toy. Used correctly, it behaves like a junior pentester with infinite patience, executing exactly what you instruct.

The responsibility still lies with you:

  • Scope definition
  • Ethics
  • Authorization
  • Interpretation

But as a force multiplier? It's impressive.

If you're interested, my next articles will cover:

  • OSINT with HexStrike-AI
  • Detection engineering with AI
  • Why AI won't replace pentesters — but will replace bad ones

Thanks for reading.