Integrations

Integrated toolkit optimized for Kali Linux that provides penetration testing capabilities including network reconnaissance, web directory enumeration, vulnerability scanning, and password cracking
Requires Node.js v16+ for ESM support to run the penetration testing toolkit server
Enables installation of the penetration testing toolkit via npm package management

Pentest MCP: Professional Penetration Testing Toolkit

Pentest MCP is a Model Context Protocol server that integrates essential pentesting tools into a unified natural language interface. It allows security professionals to execute, chain, and analyze multiple tools through conversational commands.

Comprehensive Toolkit for Professional Pentesters

This toolkit integrates four core penetration testing utilities under a single, intuitive interface:

Network Reconnaissance with Nmap
Web Directory Enumeration with Gobuster
Web Vulnerability Scanning with Nikto
Password Cracking with John the Ripper

Key Benefits

Workflow Integration: Chain tools together for comprehensive assessments
Natural Language Interface: Run complex commands with simple English descriptions
Automated Reporting: Generate client-ready findings with proper categorization
Time Efficiency: Execute common pentesting sequences with minimal typing
Voice Control Compatible: When paired with speech-to-text, allows hands-free operation
Context Awareness: Tools understand previous scan results and can suggest logical next steps

System Requirements

Platform: Works on any OS, optimized for Kali Linux
Tools: Requires Nmap, John the Ripper, Gobuster, and Nikto in your PATH
Node.js: v16+ (for ESM support)
MCP Support: A local MCP file server for handling log files (mcp-fileserver or equivalent)
Permissions: Root/admin for privileged scans (SYN scan, OS detection)

Installation

npm install -g pentest-mcp

MCP Configuration

Add this to your MCP configuration file:

{
  "servers": [
    {
      "name": "pentest-mcp",
      "command": "npx pentest-mcp -y"
    }
  ]
}

Workflow Examples

Network Discovery & Service Enumeration

Set the working mode to professional.
Scan the target 192.168.1.0/24 using a SYN scan technique with service detection.

Web Application Testing

Use Gobuster to search for hidden directories on http://192.168.1.10 with the common.txt wordlist.
Run Nikto against the target http://192.168.1.10 to check for security issues.

Multi-Tool Assessment Chain

Scan 10.0.1.0/24 for web servers.
For each web server found, use Gobuster to enumerate directories with the directory-list-2.3-medium.txt wordlist.
Then run Nikto against each web server to identify vulnerabilities.
Create a report for client "Acme Corp" summarizing all findings.

Custom Password Cracking

Generate a wordlist from the target's company name "Acme", founder "Smith", and founding date "1984-06-12".

Crack these password hashes using the wordlist I just created:
admin:$1$xyz$anotherFakeHash
user:$1$abc$definitelyNotARealHash

Analysis & Reporting

Create a report for client "Example Corp" titled "Q1 External Assessment" including all scans from today.
Summarize the findings from the scan of 10.0.0.5.
Suggest next steps for this assessment based on all tool results collected so far.

Tool Details

Nmap

The network mapper integration offers full support for:

Port scanning (TCP SYN, TCP Connect, UDP) with custom port ranges
Service and version detection with configurable intensity
OS fingerprinting
NSE script execution
Custom timing templates and scan options

Gobuster

Directory and file enumeration for web applications with options for:

Multiple wordlists and file extension scanning
Authentication options (basic auth, cookies)
Customizable threading and status code filtering
TLS configuration and redirect following

Nikto

Web server vulnerability scanning with support for:

Comprehensive vulnerability checks
Authentication and proxy support
Tunable scan options and timeout configuration
Finding categorization by vulnerability type

John the Ripper

Password cracking utility with enhanced features:

Direct hash cracking with wordlists
Integrated custom wordlist generation
Pattern-based password creation
Leetspeak and case variations

Security Notice

AUTHORIZED USE ONLY: This toolkit is for professional penetration testers operating under a valid scope of work. Use only on systems and networks for which you have explicit, written authorization.

OPERATIONAL SECURITY:

Use VPN for external scanning
Run in isolated environments
Monitor scan intensity on sensitive networks

LEGAL COMPLIANCE: Follow all applicable laws and client agreements

Troubleshooting

Path Issues: Ensure all tools are installed and in your PATH
Privilege Requirements: SYN scans and OS detection require root/admin
Permission Errors: Check that the server can write to scan_logs and temp_wordlists
MCP File Access: Verify that mcp-fileserver (or equivalent) is configured correctly

Contributing

This tool is built for professionals by professionals. Pull requests welcome at the GitHub repository.

You must be authenticated.

A

security – no known vulnerabilities

F

license - not found

A

quality - confirmed to work

Tools

A Model Context Protocol server that integrates essential penetration testing tools (Nmap, Gobuster, Nikto, John the Ripper) into a unified natural language interface, allowing security professionals to execute and chain multiple tools through conversational commands.