Pentest MCP: Professional Penetration Testing Toolkit
@DMontgomery40
Pentest MCP: Professional Penetration Testing Toolkit について
NOT for educational purposes: An MCP server for professional penetration testers including STDIO/HTTP/SSE support, nmap, go/dirbuster, nikto, JtR, hashcat, wordlist building, and more.
基本情報
設定
ツール
ツールは検出されませんでした
ツールは README から自動的に抽出されます。メンテナーは ## Tools という見出しの下に記載することで、このタブに反映できます。
概要
What is Pentest MCP: Professional Penetration Testing Toolkit?
A professional penetration-testing MCP server that integrates with common security tools (nmap, John the Ripper, hashcat, gobuster, nikto, subfinder, httpx, ffuf, nuclei, hydra, sqlmap, tcpdump) and provides an agent-friendly interface for reconnaissance, exploitation, reporting, and engagement management. It targets penetration testers and red teams who want to automate tool orchestration via MCP.
How to use Pentest MCP: Professional Penetration Testing Toolkit?
Install globally with npm install -g pentest-mcp. Run locally over stdio with pentest-mcp, or over the network with MCP_TRANSPORT=http MCP_SERVER_HOST=0.0.0.0 MCP_SERVER_PORT=8000 pentest-mcp. Use pentest-mcp inspector to launch the bundled MCP Inspector. Tools are invoked via MCP tool calls (e.g., subfinderEnum, nucleiScan). Auth can be enabled with bearer tokens and OIDC when using HTTP transport.
Key features of Pentest MCP: Professional Penetration Testing Toolkit
- 20+ penetration testing tools including nmap, John the Ripper, hashcat, gobuster, nikto, subfinder, httpx, ffuf, nuclei, hydra, sqlmap, tcpdump
- Modern transport support: stdio (default), Streamable HTTP (recommended), and deprecated SSE
- Bearer-token authentication with optional OIDC JWKS and introspection support
- Engagement record tracking and automated report generation with scope-of-work (SoW) handling
- Built-in MCP Inspector launcher – no separate install required
- Docker deployment with all tools pre-installed
- Supports interactive and template-based SoW capture for client reports
Use cases of Pentest MCP: Professional Penetration Testing Toolkit
- Automate subdomain enumeration and live host probing for external network assessments
- Fuzz web content paths, run template-based vulnerability scanning, and test for SQL injection
- Perform brute-force checks on services (SSH, etc.) and capture network traffic for analysis
- Generate post-engagement reports with structured engagement records and scope-of-work notes
FAQ from Pentest MCP: Professional Penetration Testing Toolkit
What transport modes are supported?
stdio is the default for local MCP clients; Streamable HTTP (set MCP_TRANSPORT=http) is the recommended network transport. SSE is available only as a deprecated compatibility mode and will be removed in a future major release.
How do I enable authentication?
Set MCP_AUTH_ENABLED=true and MCP_AUTH_MODE=bearer when using HTTP (or deprecated SSE) transport. Configure OIDC with MCP_OIDC_ISSUER, MCP_OIDC_JWKS_URL, and optionally MCP_OIDC_INTROSPECTION_URL. Legacy aliases (MCP_OAUTH_ENABLED, etc.) are temporarily accepted.
What tools must be installed locally for non-Docker runs?
Ensure these binaries are in PATH: nmap, john, hashcat, gobuster, nikto, subfinder, httpx-toolkit (or validated ProjectDiscovery httpx as fallback), ffuf, nuclei, hydra, sqlmap, tcpdump.
How do I provide a scope of work for a report?
Use createClientReport with scopeMode=ask (elicits from user interactively), scopeMode=provided (paste SoW text directly into scopeOfWork), or scopeMode=template (uses a built-in generic authorized-testing template). Elicitation is recommended; if unavailable, the template is used as fallback.
Is this server safe for unpermissioned use?
No. The README states "Authorized use only. Run against systems/networks where you have explicit written permission." Prompt injection risks are documented, and mitigations like least privilege, allowlists, and human confirmation for destructive actions are recommended.
「開発者ツール」の他のコンテンツ
Serena
oraiosA powerful MCP toolkit for coding, providing semantic retrieval and editing capabilities - the IDE for your agent
Unity MCP (Server + Plugin)
IvanMurzakAI Skills, MCP Tools, and CLI for Unity Engine. Full AI develop and test loop. Use cli for quick setup. Efficient token usage, advanced tools. Any C# method may be turned into a tool by a single line. Works with Claude Code, Gemini, Copilot, Cursor and any other absolutely for fr
Test
x1xhlolFULL Augment Code, Claude Code, Cluely, CodeBuddy, Comet, Cursor, Devin AI, Junie, Kiro, Leap.new, Lovable, Manus, NotionAI, Orchids.app, Perplexity, Poke, Qoder, Replit, Same.dev, Trae, Traycer AI, VSCode Agent, Warp.dev, Windsurf, Xcode, Z.ai Code, Dia & v0. (And other Open Sou
Deepwiki MCP Server
regenrek📖 MCP server for fetch deepwiki.com and get latest knowledge in Cursor and other Code Editors
Grafana MCP server
grafanaMCP server for Grafana
コメント