pentest-mcp
NOT for educational purposes: An MCP server for professional penetration testers including STDIO/HTTP/SSE support, nmap, go/dirbuster, nikto, JtR, hashcat, wordlist building, and more.
121stars
27forks
JavaScript
Added 12/27/2025
MCP Serverscybersecuritydirbustergobusterhashcathttp-streaming
Installation
# Add to your Claude Code skills
git clone https://github.com/DMontgomery40/pentest-mcpPentest MCP
Professional penetration-testing MCP server with modern transport/auth support and expanded recon tooling.
What Changed in 0.9.0
- Upgraded MCP SDK to
@modelcontextprotocol/sdk@^1.26.0 - Kept MCP Inspector at the latest release (
@modelcontextprotocol/inspector@^0.20.0) with bundled launcher - Streamable HTTP is now the primary network transport (
MCP_TRANSPORT=http) - SSE is still available only as a deprecated compatibility mode
- Added bearer-token auth with OIDC JWKS and introspection support
- Added first-class tools:
subfinderEnum,httpxProbe,ffufScan,nucleiScan,trafficCapture,hydraBruteforce,privEscAudit,extractionSweep - Added report-admin tools:
listEngagementRecords,getEngagementRecord - Added SoW capture flow for reports using MCP elicitation (
scopeMode=ask) with safe template fallback - Hardened command resolution so web probing uses
httpx-toolkit(preferred) or validated ProjectDiscoveryhttpx, avoiding PythonhttpxCLI collisions - Integrated bundled MCP Inspector launcher (
pentest-mcp inspector) - Runtime baseline is now Node.js 22.7.5+
- Added invocation metadata in new tool outputs when auth/session context is available
Comments (0)
to leave a comment.
No comments yet. Be the first to share your thoughts!