PentestThinkingMCP

# PentestThinkingMCP A systematic, AI-powered penetration testing reasoning engine (MCP server) for attack path planning, CTF/HTB solving, and automated pentest workflows. Features Beam Search, MCTS, attack step scoring, and tool recommendations. --- ## What is PentestThinkingMCP? **PentestThinkingMCP** is an advanced Model Context Protocol (MCP) server designed to empower both human and AI pentesters. It provides: - Automated attack path planning using Beam Search and Monte Carlo Tree Search (MCTS) - Step-by-step reasoning for CTFs, Hack The Box (HTB), and real-world pentests - Attack step scoring and prioritization - Tool recommendations for each step (e.g., nmap, metasploit, linpeas) - Critical path highlighting for the most promising exploit chains - Tree-based reasoning for reporting and documentation --- ## Why is it special? - **Brings LLMs to the next level:** Transforms a normal LLM into a structured, methodical pentest planner and advisor - **Automates complex reasoning:** Finds multi-stage attack chains, not just single exploits - **Works for CTFs, HTB, and real-world pentests:** Adapts to any scenario where stepwise attack logic is needed - **Bridges the gap between AI and hacking:** Makes AI a true partner in offensive security --- ## Features - Dual search strategies for attack modeling: - Beam search with configurable width (for methodical exploit chain discovery) - MCTS for complex decision spaces (for dynamic attack scenarios with unknowns) - Evidence/Vulnerability scoring and evaluation - Tree-based attack path analysis - Statistical analysis of potential attack vectors - MCP protocol compliance --- ## How does it work? 1. **Input:** You (or your AI) provide the current attack step/state (e.g., "Enumerate SMB on 10.10.10.10"). 2. **Reasoning:** The server uses Beam Search or MCTS to explore possible next steps, scoring and prioritizing them. 3. **Output:** Returns the next best attack step, the full attack chain, recommended tool, and highlights the critical path. --- ## Example Workflow: Solving an HTB Machine 1. **Recon:** Input: `attackStep: "Start with initial recon on 10.10.10.10"` Output: `Run nmap -p- 10.10.10.10` (recommended tool: nmap) 2. **Enumeration:** Input: `attackStep: "Run nmap -p- 10.10.10.10"` Output: `Enumerate SMB on port 445` (recommended tool: enum4linux) 3. **Vulnerability Analysis:** Input: `attackStep: "Enumerate SMB on port 445"` Output: `Search for public SMB exploits (CVE-2017-0144)` (recommended tool: searchsploit) 4. **Exploitation:** Input: `attackStep: "Search for public SMB exploits (CVE-2017-0144)"` Output: `Exploit SMB with EternalBlue (CVE-2017-0144)` (recommended tool: metasploit) 5. **Privilege Escalation:** Input: `attackStep: "Got shell as user"` Output: `Run winPEAS for privilege escalation checks` (recommended tool: winPEAS) 6. **Root/Flag:** Input: `attackStep: "Found user.txt, need root"` Output: `Check for AlwaysInstallElevated misconfiguration` (recommended tool: manual investigation) --- ## Installation ```sh git clone https://github.com/ibrahimsaleem/PentestThinkingMCP.git cd PentestThinkingMCP npm install npm run build ``` --- ## Usage - Add to your MCP client (Cursor, Claude Desktop, etc.) as a server: ```json { "mcpServers": { "pentestthinkingMCP": { "command": "node", "args": ["path/to/pentestthinkingMCP/dist/index.js"] } } } ``` - Interact with it by sending attack steps and receiving next-step recommendations, tool suggestions, and attack path trees. --- ## Search Strategies for Pentesting ### Beam Search - Maintains a fixed-width set of the most promising attack paths or vulnerability chains. - Optimal for step-by-step exploit development and known vulnerability pattern matching. - Best for: Enumerating attack vectors, methodical vulnerability chaining, logical exploit pathfinding. ### Monte Carlo Tree Search (MCTS) - Simulation-based exploration of the potential attack surface. - Balances exploration of novel attack vectors and exploitation of known weaknesses. - Best for: Complex network penetration tests, scenarios with uncertain outcomes, advanced persistent threat (APT) simulation. --- ## Algorithm Details 1. **Attack Vector Selection** - Beam Search: Evaluates and ranks multiple potential attack paths or exploit chains. - MCTS: Uses UCT for node selection (potential exploit steps) and random rollouts (simulating attack progression). 2. **Evidence/Vulnerability Scoring Based On:** - Likelihood of exploitability - Potential impact (CIA triad) - CVSS scores or similar metrics - Strength of connection in an attack chain (e.g., vulnerability A enables exploit B) 3. **Process Management** - Tree-based state tracking of attack progression - Statistical analysis of successful/failed simulated attack paths - Progress monitoring against pentest objectives --- ## Use Cases - Automated vulnerability identification and chaining - Exploit pathfinding and optimization - Attack scenario simulation and "what-if" analysis - Red teaming strategy development and refinement - Assisting in manual pentesting by suggesting potential avenues - Decision tree exploration for complex attack vectors - Strategy optimization for achieving specific pentest goals (e.g., data exfiltration, privilege escalation) --- ## License MIT