Hercules MCP
Provides access to the Metasploit Framework for exploitation, using native RPC to execute modules and manage sessions.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Hercules MCPscan example.com for open ports and services"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Hercules MCP is a Model Context Protocol server that exposes offensive-security workflows as structured MCP tools. It starts a per-session Kali Linux Docker container, routes scanner and exploitation commands through that container, stores evidence in a local workspace, and returns compact, agent-friendly results.
Contents
Related MCP server: Kali Linux MCP Server
Why Hercules?
Sandbox-first execution
Tool commands run inside a Docker container based on kalilinux/kali-rolling. The project workspace is mounted into the container at /opt/workspace, and session files, logs, custom scripts, templates, payloads, and artifacts are persisted under workspace/<session-id>/ on the host.
Hercules uses one MCP server instance per project checkout. A startup lock prevents multiple live Hercules servers in the same checkout from removing or racing each other's containers. Containers are removed on shutdown by default; set PRESERVE_CONTAINER=true when you want to keep a session for debugging.
Agent-focused output
Hercules is built for LLM use. It strips ANSI/OSC escape codes, color sequences, carriage-return progress rewrites, and explicit known scanner banners. High-noise tools use native quiet or structured output where practical, and the shared executor records completeness metadata so agents can tell whether output was complete, filtered, or truncated.
MCP-native workflow mapping
Every public capability is exposed as a typed MCP tool or resource. The server includes rich instructions and tool descriptions so clients can map tasks to reconnaissance, web scanning, exploitation, post-exploitation, CTF, shell, file, and session workflows.
Stealth browser automation
Drive a bot-evading Chromium to manually test JavaScript-heavy or anti-bot-protected sites — navigate, snapshot, interact, screenshot, and run page JavaScript through structured browser_* tools. See Stealth Browser for how it works.
Interactive setup and token budgeting
python hercules_setup.py launches a clean terminal UI (built with Textual) for first-time setup. Beyond building the image, it lets you opt out of whole tool families you don't need — Metasploit, the browser, SQLMap, and so on — and shows the context-token cost of the tool surface updating live as you toggle. Opted-out tools are simply not registered, so their names, descriptions, and schemas never enter the model's context window (that is the token saving), while the underlying binaries stay baked into the image and remain reachable through shell_exec. Selections persist to .env as HERCULES_DISABLED_TOOLS; a headless --tokens report and a --classic non-interactive flow are also available.
Resilient sessions
A single tool failure never takes down the session: uncaught tool exceptions are converted into structured, agent-repairable errors by a middleware firewall. If the container crashes mid-session, Hercules recovers it while preserving the same session id and workspace — files, background jobs, and the browser daemon survive — and a background watchdog repairs a dead container before the next tool call. One server runs per checkout, guarded by a startup lock.
Tools Available
Expected registered tool count:
Mode | Tool count |
Metasploit enabled, default | 45 |
Lightweight mode, | 40 |
Counts are the full surface; the interactive setup can opt out of tool families you don't need (see Interactive setup and token budgeting).
Hercules exposes a compact MCP API over these Kali tools and workflow capabilities. The MCP client sees structured tool calls, but the README keeps the surface at the tool-family level so agents and operators can reason about what is available without memorizing every selector or wrapper.
Category | Available tools and capabilities |
Reconnaissance | Nmap, DNS lookups, dnsx, Whois, Amass |
Web scanning | Nuclei, httpx, WhatWeb, Wafw00f, Nikto, WPScan, Arjun, ffuf, Gobuster |
Web vulnerability testing | Dalfox, Commix, SQLMap |
Exploitation | Metasploit Framework, SearchSploit, payload generation, listener management, session/job management |
Password attacks | Hydra, John the Ripper |
Networking | curl, Ncat, hping3 |
CTF and forensics | Binwalk, Steghide |
Stealth browser | Bot-evading Chromium (cloakbrowser) driven by agent-browser: navigate, accessibility snapshot, click/type/fill, wait, screenshot, eval JS, network/HAR capture, isolated sessions — see Stealth Browser |
Shell and workspace | Direct Kali shell commands inside the container, background jobs, workspace file read/write, binary-safe file transfer |
System/session control | Container session lifecycle, active session listing, network information |
Agents can write their own custom Nmap NSE scripts and Nuclei templates through the MCP workflow, save them into the container workspace, validate them, and run them against authorized targets. Agents also have direct shell-command access to the Kali container, so they can use installed tools manually when a structured tool call is not the right fit.
The server keeps redundant thin wrappers out of the public MCP surface. Related operations are grouped behind structured parameters, while specialized workflows such as Nmap NSE authoring, Nuclei template authoring, SQLMap, curl, hping3, and directory fuzzing remain directly accessible where dedicated controls are useful.
The exact MCP function names, parameters, and selector values are advertised by the MCP server itself through tool metadata.
Stealth Browser
Hercules ships a bot-evading browser so agents can manually test JavaScript-heavy or anti-bot-protected sites, reproduce web bugs interactively, and capture visual evidence. Through structured browser_* MCP tools, agents can navigate, capture an accessibility-tree snapshot with stable element refs, click/type/fill, wait for dynamic content, screenshot, run page JavaScript, and capture network/HAR traffic — all within isolated browser sessions. browser_cmd is an escape hatch to every other agent-browser subcommand, and browser_skill loads agent-browser's own version-matched command reference. The browser starts lazily on first use, runs headless by default (or headed under Xvfb via BROWSER_HEADLESS=false), and keeps page and session state across separate MCP calls.
How agent-browser and cloakbrowser combine to evade bot detection
Hercules joins two open-source projects, each used for its strength:
agent-browser is the controller — a Rust CLI with a persistent daemon that exposes an agent-friendly accessibility snapshot (with
@refelement handles) plus the full click / type / wait / eval command surface.cloakbrowser is the engine — a Chromium built with compile-time C++ patches that remove the tell-tale signals of automation.
Instead of running a remote-debugging (CDP) server, agent-browser launches the cloakbrowser stealth Chromium directly through the AGENT_BROWSER_EXECUTABLE_PATH environment variable (the binary path reported by python3 -m cloakbrowser info) and manages its lifecycle; its daemon then holds that browser open across MCP tool calls. Because the engine is cloakbrowser, the page presents a realistic, human-like fingerprint rather than an automated one — navigator.webdriver reads false, plugins and languages are populated, and canvas / WebGL / audio / font signals are spoofed — so it passes checks that flag a vanilla headless Chromium (verified all-green against bot.sannysoft.com). The patched Chromium is downloaded into your locally built image at setup time and is never repackaged or redistributed.
Special thanks to the agent-browser and cloakbrowser projects for making this possible — see Acknowledgements.
Output, Artifacts, And Timeouts
Hercules returns tool output in a way that is easier for agents to reason about:
Clean output by default: terminal colors, escape codes, progress rewrites, and known scanner banners are removed before output is sent back to the agent.
Clear completeness signals: results tell the agent whether stdout or stderr was truncated, how large each stream was, and whether the returned output is complete.
Evidence is preserved: when output is filtered or shortened, Hercules saves the fuller stdout, stderr, or raw command stream as workspace artifacts.
Artifact paths are returned in the result: agents can open those saved files through the workspace file tools when they need full logs, generated payloads, raw scanner output, or command evidence.
Useful metadata stays visible: command results can include fields such as output-complete status, truncation status, artifact paths, and filter notes.
Timeouts are explicit: long-running commands return a timeout status, timeout duration, command metadata, exit code, and any stdout or stderr captured before the timeout.
Long tasks have safer paths: agents can increase a timeout when the tool allows it, run a background job, or use a listener/session workflow instead of waiting on one foreground command.
MCP Resources
Hercules also exposes resources that help agents decide what to write or run:
Resource group | What it provides |
Nmap NSE skills | A detailed agent handbook for designing, writing, validating, debugging, and running complex custom NSE scripts. |
Nuclei skills | A detailed agent handbook for designing, writing, validating, debugging, and running custom Nuclei templates. |
Linux post-exploitation | linPEAS-style enumeration content and GTFOBins knowledge for Linux privilege-escalation decisions. |
Windows post-exploitation | winPEAS-style checks, PowerUp-style PowerShell checks, and LOLBAS knowledge for Windows privilege-escalation and living-off-the-land decisions. |
Agents should read the NSE or Nuclei skill resource before creating custom detection logic. After getting a shell or Metasploit session, agents should use the post-exploitation resources to choose the right enumeration scripts, privilege-escalation checks, and living-off-the-land techniques.
Quick Start
Prerequisites
Docker Engine or Docker Desktop with the Docker daemon running
Python 3.11+
uvis recommended for local dependency management
1. Clone and install
git clone https://github.com/<your-username>/hercules-mcp.git
cd hercules-mcp
uv sync2. Build the Kali image and wordlists
python hercules_setup.pyRun in a terminal, this opens a clean interactive UI where you can opt out of tool families you don't need and watch the context-token cost of the tool surface update live, then build. It checks Docker, builds the hercules-kali image from Dockerfile (including the stealth browser stack), and downloads local wordlist archives for SecLists and rockyou.txt. With no TTY (for example in CI) it runs non-interactively.
Useful flags:
python hercules_setup.py --check # verify an existing setup
python hercules_setup.py --tokens # print the per-capability context-token report
python hercules_setup.py --classic # skip the UI; build non-interactively
python hercules_setup.py --rebuild # force a no-cache image rebuild3. Configure environment
cp .env.example .envCommon settings:
Variable | Default | Description |
|
| Password used by |
|
| Set to |
|
| Keep the Docker container after MCP shutdown for debugging. |
|
| Use Docker |
|
| Tool install mode value passed through configuration. |
|
| Semaphore limit for heavy operations. |
|
| Semaphore limit for light operations. |
| empty | Comma-separated allow-list. Empty means no allow-list restriction. |
| empty | Comma-separated block-list. Block rules take priority. |
|
| Docker CPU limit. |
|
| Docker memory limit. |
|
| Default command timeout in seconds. |
| empty | Comma-separated MCP tools to not register (managed by the setup UI). Trims their schema from the agent's context; the binary stays usable via |
|
| Run the stealth browser headless, or headed under Xvfb when |
|
| Forward a headed live-view port to the host ( |
| empty | Default upstream proxy for browser sessions. |
|
| Seconds between container health checks; |
4. Start the MCP server
uv run herculesOn Windows, you can start the server through uv run hercules from PowerShell,
or point an MCP client at the virtual-environment Python executable with
-m hercules.main.
Connect To An MCP Client
For a generic MCP client:
{
"mcpServers": {
"hercules": {
"command": "uv",
"args": ["run", "hercules"],
"cwd": "/absolute/path/to/hercules-mcp",
"env": {
"SKIP_METASPLOIT": "false"
}
}
}
}For Codex GUI on Windows, use STDIO with either uv or the local virtual
environment:
Field | Value |
Command to launch |
|
Arguments |
|
Working directory | Absolute path to this repository |
If you want lightweight mode in Codex, set environment variable SKIP_METASPLOIT=true in the client configuration. Otherwise leave it unset.
Troubleshooting Setup
If python hercules_setup.py fails during the Docker build, first confirm Docker Desktop or the Docker daemon is running, then rerun:
python hercules_setup.py --check
python hercules_setup.pyKali package mirror errors such as Failed to fetch, temporary failure, or Hash Sum mismatch are usually transient mirror, DNS, proxy, VPN, or Docker networking issues. The Dockerfile retries package installation, uses --fix-missing, and switches Kali mirror URLs to kali.download, but persistent network failures still need local networking fixes.
If the image exists but runtime checks fail, rebuild and verify:
docker build --no-cache -t hercules-kali .
python hercules_setup.py --checkIf a client reports no Hercules tools, confirm that only one MCP server is running for this checkout and that the client command points at this repository. Multiple server processes for the same checkout are rejected by the instance lock; older processes from other checkouts should be stopped if they are not needed.
Design Principles
Principle | What it means |
Sandboxed execution | Tools run inside Docker with a mounted workspace for evidence and generated files. |
Stable tool API | Public tool names, selectors, signatures, target validation, concurrency class, timeout behavior, and success response fields are treated as compatibility-sensitive. |
Structured output | Tools return parsed or compacted output where useful, while full evidence is preserved through artifacts when filtering or truncation occurs. |
Concurrency control | Heavy operations and light operations use separate async semaphores. |
Target controls |
|
Cross-platform operation | The server runs on Windows, macOS, and Linux as long as Python and Docker are available. |
Project Structure
hercules-mcp/
|-- hercules/
| |-- main.py # FastMCP entrypoint and tool/resource registration
| |-- core/ # Config, Docker lifecycle, concurrency, guidance, tool catalog
| |-- output/ # Sanitizer, banner stripping, filters, truncation
| |-- tools/ # MCP tool implementations by category (incl. browser/)
| `-- resources/ # Agent skill docs and post-exploitation resources
|-- docker/
| `-- entrypoint.sh # Container startup, wordlists, msfrpcd
|-- tests/ # Unit tests and live-test evidence/checklists
|-- workspace/ # Runtime session workspaces and artifacts
|-- wordlists/ # Downloaded SecLists and rockyou archives
|-- Dockerfile # Kali container image definition
|-- hercules_setup.py # Interactive setup, token budgeting, readiness check
|-- hercules-mcp.json # Example MCP client manifest
|-- pyproject.toml # Project metadata
`-- .env.example # Environment configuration templateAcknowledgements
Hercules stands on the shoulders of excellent open-source work. The stealth browser in particular would not exist without two projects, and we are grateful to both:
agent-browser — the Rust browser-control CLI and persistent daemon that gives agents an accessibility-first way to drive a real browser. It powers every
browser_*tool in Hercules.cloakbrowser — the fingerprint-patched stealth Chromium that lets that automation pass as a real user and slip past common bot detection.
Thanks also to the wider ecosystem Hercules builds on: Kali Linux, the Metasploit Framework, ProjectDiscovery (nuclei, httpx, dnsx), SecLists, FastMCP, and Textual.
Security
Hercules is intended for authorized penetration testing, security research, CTF competitions, and lab environments. Use it only against systems where you have explicit permission.
License
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/0xMihirK/hercules-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server