Skip to main content
Glama

MCP Pentest

by adriyansyah-mf
GitHub
TypeScript
1
OverviewInspectNewEndpointsSchemaRelated ServersReviewsScore
Need Help?View Source CodeReport Issue
service-specific.tsā€¢37.4 kB
import { exec } from 'child_process'; import { promisify } from 'util'; import { ScanResult } from './recon.js'; import * as os from 'os'; const execAsync = promisify(exec); // Platform detection const isWindows = os.platform() === 'win32'; const isLinux = os.platform() === 'linux'; const isMac = os.platform() === 'darwin'; export interface ServiceTestResult { service: string; target: string; port: number; test_type: string; results: any; success: boolean; findings: string[]; recommendations: string[]; } export class ServiceSpecificTools { // Active Directory Comprehensive Testing async testActiveDirectory(target: string, domain?: string): Promise<ScanResult> { try { console.error(`šŸ” Testing Active Directory on ${target}${domain ? ` (domain: ${domain})` : ''}`); const findings: string[] = []; const results: any = {}; // Test 1: LDAP enumeration try { const ldapPort = 389; const { stdout: ldapOutput } = await execAsync(`nmap -p ${ldapPort} --script ldap-rootdse ${target}`, { timeout: 60000 }); results.ldap_enumeration = ldapOutput; if (ldapOutput.includes('domainFunctionality')) { findings.push('Domain Controller detected via LDAP'); } if (ldapOutput.includes('forestFunctionality')) { findings.push('Active Directory Forest detected'); } } catch (e) { console.error('LDAP enumeration failed:', e); } // Test 2: Kerberos enumeration try { const { stdout: kerberosOutput } = await execAsync(`nmap -p 88 --script krb5-enum-users ${target}`, { timeout: 60000 }); results.kerberos_enumeration = kerberosOutput; if (kerberosOutput.includes('KDC')) { findings.push('Kerberos Key Distribution Center detected'); } } catch (e) { console.error('Kerberos enumeration failed:', e); } // Test 3: SMB enumeration for DC try { const { stdout: smbOutput } = await execAsync(`smbclient -L //${target} -N`, { timeout: 60000 }); results.smb_enumeration = smbOutput; if (smbOutput.includes('SYSVOL') || smbOutput.includes('NETLOGON')) { findings.push('Domain Controller shares detected (SYSVOL/NETLOGON)'); } } catch (e) { console.error('SMB enumeration failed:', e); } // Test 4: enum4linux for comprehensive enumeration try { const { stdout: enum4linuxOutput } = await execAsync(`enum4linux -a ${target}`, { timeout: 180000 }); results.enum4linux = enum4linuxOutput; if (enum4linuxOutput.includes('Domain Name:')) { const domainMatch = enum4linuxOutput.match(/Domain Name:\s*([^\n]+)/); if (domainMatch) { findings.push(`Domain Name identified: ${domainMatch[1].trim()}`); } } if (enum4linuxOutput.includes('Users via RID cycling')) { findings.push('User enumeration possible via RID cycling'); } } catch (e) { console.error('enum4linux failed:', e); } // Test 5: BloodHound data collection (if available) if (domain) { try { const { stdout: bloodhoundOutput } = await execAsync(`bloodhound-python -d ${domain} -u anonymous -p '' -ns ${target} --dns-tcp`, { timeout: 300000 }); results.bloodhound_collection = bloodhoundOutput; if (bloodhoundOutput.includes('Resolved collection methods')) { findings.push('BloodHound data collection successful'); } } catch (e) { console.error('BloodHound collection failed:', e); } } // Test 6: Kerberoasting check try { const { stdout: kerberoastOutput } = await execAsync(`nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm=${domain || target} ${target}`, { timeout: 120000 }); results.kerberoasting_check = kerberoastOutput; if (kerberoastOutput.includes('SPN')) { findings.push('Service Principal Names detected - potential Kerberoasting targets'); } } catch (e) { console.error('Kerberoasting check failed:', e); } return { target, timestamp: new Date().toISOString(), tool: 'active_directory_test', results: { service: 'Active Directory', domain: domain || 'Unknown', findings, detailed_results: results, recommendations: this.getADRecommendations(findings) }, status: 'success' }; } catch (error) { return { target, timestamp: new Date().toISOString(), tool: 'active_directory_test', results: {}, status: 'error', error: error instanceof Error ? error.message : String(error) }; } } // Web Application Comprehensive Testing async testWebApplication(target: string, technologies: string[]): Promise<ScanResult> { try { console.error(`šŸ” Testing Web Application on ${target}`); const findings: string[] = []; const results: any = {}; // Test 1: Technology-specific tests for (const tech of technologies) { const techLower = tech.toLowerCase(); if (techLower.includes('wordpress')) { const wpResults = await this.testWordPress(target); results.wordpress_tests = wpResults; if (wpResults.plugins_detected) { findings.push(`WordPress plugins detected: ${wpResults.plugins_detected.length}`); } } if (techLower.includes('drupal')) { const drupalResults = await this.testDrupal(target); results.drupal_tests = drupalResults; } if (techLower.includes('joomla')) { const joomlaResults = await this.testJoomla(target); results.joomla_tests = joomlaResults; } if (techLower.includes('apache') || techLower.includes('nginx')) { const webServerResults = await this.testWebServer(target, techLower); results.webserver_tests = webServerResults; } } // Test 2: Common web vulnerabilities const webVulnResults = await this.testWebVulnerabilities(target); results.web_vulnerabilities = webVulnResults; findings.push(...webVulnResults.findings); return { target, timestamp: new Date().toISOString(), tool: 'web_application_test', results: { service: 'Web Application', technologies_tested: technologies, findings, detailed_results: results, recommendations: this.getWebAppRecommendations(findings, technologies) }, status: 'success' }; } catch (error) { return { target, timestamp: new Date().toISOString(), tool: 'web_application_test', results: {}, status: 'error', error: error instanceof Error ? error.message : String(error) }; } } // SMB/NetBIOS Testing with cross-platform support async testSMB(target: string, port: number = 445): Promise<ScanResult> { try { console.error(`šŸ” Testing SMB service on ${target}:${port}`); const findings: string[] = []; const results: any = {}; // Test 1: SMB enumeration (platform-specific) if (isWindows) { // Windows: Use built-in commands try { const { stdout: netViewOutput } = await execAsync(`net view \\\\${target}`, { timeout: 60000 }); results.net_view = netViewOutput; if (netViewOutput.includes('Shared resources')) { findings.push('SMB shares enumerated successfully via net view'); } } catch (e) { console.error('net view failed:', e); } // Windows: NBTStat for NetBIOS enumeration try { const { stdout: nbtstatOutput } = await execAsync(`nbtstat -A ${target}`, { timeout: 30000 }); results.nbtstat = nbtstatOutput; if (nbtstatOutput.includes('<20>')) { findings.push('NetBIOS file sharing service detected'); } if (nbtstatOutput.includes('<00>')) { findings.push('NetBIOS workstation service detected'); } } catch (e) { console.error('nbtstat failed:', e); } } else { // Linux/Mac: Use traditional tools try { const { stdout: enum4linuxOutput } = await execAsync(`enum4linux -a ${target}`, { timeout: 120000 }); results.enum4linux = enum4linuxOutput; if (enum4linuxOutput.includes('Domain Name:')) { findings.push('Domain information disclosed'); } if (enum4linuxOutput.includes('password policy')) { findings.push('Password policy information disclosed'); } } catch (e) { console.error('enum4linux failed:', e); } try { const { stdout: smbclientOutput } = await execAsync(`smbclient -L ${target} -N`, { timeout: 60000 }); results.smbclient_shares = smbclientOutput; if (smbclientOutput.includes('Sharename')) { findings.push('SMB shares enumerated successfully'); } if (smbclientOutput.includes('IPC$')) { findings.push('IPC$ share accessible'); } } catch (e) { console.error('smbclient enumeration failed:', e); } } // Test 2: CrackMapExec (works on all platforms if installed) try { const cmeCommand = isWindows ? 'python -m crackmapexec' : 'crackmapexec'; const { stdout: cmeOutput } = await execAsync(`${cmeCommand} smb ${target}`, { timeout: 60000 }); results.crackmapexec = cmeOutput; if (cmeOutput.includes('SMBv1:True')) { findings.push('SMBv1 enabled (security risk)'); } if (cmeOutput.includes('signing:False')) { findings.push('SMB signing disabled (security risk)'); } } catch (e) { console.error('CrackMapExec failed:', e); } // Test 3: Check for EternalBlue vulnerability (nmap works on all platforms) try { const { stdout: nmapOutput } = await execAsync(`nmap -p ${port} --script smb-vuln-ms17-010 ${target}`, { timeout: 120000 }); results.eternalblue_check = nmapOutput; if (nmapOutput.includes('VULNERABLE')) { findings.push('CRITICAL: EternalBlue vulnerability detected (CVE-2017-0144)'); } } catch (e) { console.error('EternalBlue check failed:', e); } // Test 4: PowerShell SMB testing (Windows only) if (isWindows) { try { const psScript = ` $target = "${target}" try { $result = Test-NetConnection -ComputerName $target -Port ${port} if ($result.TcpTestSucceeded) { Write-Output "SMB port ${port} is accessible" # Try to enumerate shares $shares = Get-SmbShare -CimSession $target -ErrorAction SilentlyContinue if ($shares) { Write-Output "Available shares:" $shares | ForEach-Object { Write-Output " - $($_.Name)" } } } } catch { Write-Output "Error: $($_.Exception.Message)" } `; const { stdout: psOutput } = await execAsync(`powershell -Command "${psScript}"`, { timeout: 60000 }); results.powershell_smb = psOutput; if (psOutput.includes('is accessible')) { findings.push('SMB service confirmed accessible via PowerShell'); } if (psOutput.includes('Available shares:')) { findings.push('SMB shares enumerated via PowerShell'); } } catch (e) { console.error('PowerShell SMB test failed:', e); } } else { // Test 5: SMB null session test (Linux/Mac) try { const { stdout: nullSessionOutput } = await execAsync(`rpcclient -U "" -N ${target} -c "enumdomusers"`, { timeout: 60000 }); results.null_session = nullSessionOutput; if (nullSessionOutput.includes('user:')) { findings.push('SMB null session allows user enumeration'); } } catch (e) { console.error('Null session test failed:', e); } } return { target, timestamp: new Date().toISOString(), tool: 'smb_comprehensive_test', results: { service: 'SMB', port, findings, detailed_results: results, recommendations: this.getSMBRecommendations(findings) }, status: 'success' }; } catch (error) { return { target, timestamp: new Date().toISOString(), tool: 'smb_comprehensive_test', results: {}, status: 'error', error: error instanceof Error ? error.message : String(error) }; } } // SSH Testing async testSSH(target: string, port: number = 22): Promise<ScanResult> { try { console.error(`šŸ” Testing SSH service on ${target}:${port}`); const findings: string[] = []; const results: any = {}; // Test 1: SSH audit try { const { stdout: auditOutput } = await execAsync(`ssh-audit ${target}:${port}`, { timeout: 60000 }); results.ssh_audit = auditOutput; if (auditOutput.includes('WARN')) { findings.push('SSH configuration warnings detected'); } if (auditOutput.includes('FAIL')) { findings.push('SSH configuration failures detected'); } } catch (e) { console.error('SSH audit failed:', e); } // Test 2: Banner grabbing and version detection (cross-platform) try { let bannerCommand = ''; if (isWindows) { // Windows: Use PowerShell bannerCommand = `powershell -Command "try { $client = New-Object System.Net.Sockets.TcpClient('${target}', ${port}); $stream = $client.GetStream(); $buffer = New-Object byte[] 1024; $read = $stream.Read($buffer, 0, 1024); $banner = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read); Write-Output $banner; $client.Close() } catch { Write-Output 'Connection failed' }"`; } else { // Linux/Mac: Use netcat or telnet bannerCommand = `timeout 10 bash -c "echo '' | nc -w 3 ${target} ${port}" || timeout 10 telnet ${target} ${port} 2>/dev/null | head -n 1`; } const { stdout: bannerOutput } = await execAsync(bannerCommand, { timeout: 15000 }); results.banner = bannerOutput; if (bannerOutput.includes('OpenSSH') || bannerOutput.includes('SSH')) { const versionMatch = bannerOutput.match(/OpenSSH[_\s]*([\d.]+)/i) || bannerOutput.match(/SSH[_\s]*([\d.]+)/i); if (versionMatch) { results.ssh_version = versionMatch[1]; findings.push(`SSH version detected: ${versionMatch[1]}`); } else { findings.push('SSH service detected'); } } } catch (e) { console.error('Banner grab failed:', e); } // Test 3: SSH key algorithms and ciphers try { const { stdout: nmapOutput } = await execAsync(`nmap -p ${port} --script ssh2-enum-algos ${target}`, { timeout: 60000 }); results.ssh_algorithms = nmapOutput; if (nmapOutput.includes('weak')) { findings.push('Weak SSH algorithms detected'); } } catch (e) { console.error('SSH algorithm enumeration failed:', e); } return { target, timestamp: new Date().toISOString(), tool: 'ssh_comprehensive_test', results: { service: 'SSH', port, findings, detailed_results: results, recommendations: this.getSSHRecommendations(findings) }, status: 'success' }; } catch (error) { return { target, timestamp: new Date().toISOString(), tool: 'ssh_comprehensive_test', results: {}, status: 'error', error: error instanceof Error ? error.message : String(error) }; } } // FTP Testing async testFTP(target: string, port: number = 21): Promise<ScanResult> { try { console.error(`šŸ” Testing FTP service on ${target}:${port}`); const findings: string[] = []; const results: any = {}; // Test 1: Anonymous FTP access try { const { stdout: anonOutput } = await execAsync(`ftp -n ${target} ${port} << EOF user anonymous anonymous ls quit EOF`, { timeout: 30000 }); results.anonymous_access = anonOutput; if (anonOutput.includes('230')) { findings.push('Anonymous FTP access allowed'); } } catch (e) { console.error('Anonymous FTP test failed:', e); } // Test 2: FTP banner and version detection try { const { stdout: bannerOutput } = await execAsync(`nc -nv ${target} ${port} < /dev/null`, { timeout: 10000 }); results.banner = bannerOutput; if (bannerOutput.includes('220')) { findings.push('FTP banner retrieved'); if (bannerOutput.includes('vsftpd 2.3.4')) { findings.push('CRITICAL: vsftpd 2.3.4 backdoor vulnerability detected'); } } } catch (e) { console.error('FTP banner grab failed:', e); } // Test 3: FTP bounce attack test try { const { stdout: nmapOutput } = await execAsync(`nmap -p ${port} --script ftp-bounce ${target}`, { timeout: 60000 }); results.bounce_attack = nmapOutput; if (nmapOutput.includes('bounce')) { findings.push('FTP bounce attack possible'); } } catch (e) { console.error('FTP bounce test failed:', e); } return { target, timestamp: new Date().toISOString(), tool: 'ftp_comprehensive_test', results: { service: 'FTP', port, findings, detailed_results: results, recommendations: this.getFTPRecommendations(findings) }, status: 'success' }; } catch (error) { return { target, timestamp: new Date().toISOString(), tool: 'ftp_comprehensive_test', results: {}, status: 'error', error: error instanceof Error ? error.message : String(error) }; } } // Database Testing (MySQL/PostgreSQL/MSSQL) async testDatabase(target: string, port: number, dbType: 'mysql' | 'postgres' | 'mssql'): Promise<ScanResult> { try { console.error(`šŸ” Testing ${dbType.toUpperCase()} service on ${target}:${port}`); const findings: string[] = []; const results: any = {}; // Test 1: Default credentials test const defaultCreds = this.getDefaultDatabaseCredentials(dbType); for (const cred of defaultCreds) { try { let testCommand = ''; switch (dbType) { case 'mysql': testCommand = `mysql -h ${target} -P ${port} -u ${cred.username} -p${cred.password} -e "SELECT VERSION();"`; break; case 'postgres': testCommand = `PGPASSWORD=${cred.password} psql -h ${target} -p ${port} -U ${cred.username} -d postgres -c "SELECT version();"`; break; case 'mssql': testCommand = `sqlcmd -S ${target},${port} -U ${cred.username} -P ${cred.password} -Q "SELECT @@VERSION"`; break; } const { stdout: credOutput } = await execAsync(testCommand, { timeout: 30000 }); if (credOutput && !credOutput.includes('ERROR') && !credOutput.includes('failed')) { findings.push(`Default credentials work: ${cred.username}/${cred.password}`); results.default_credentials = cred; } } catch (e) { // Expected for wrong credentials } } // Test 2: Database enumeration with nmap scripts try { let scriptName = ''; switch (dbType) { case 'mysql': scriptName = 'mysql-info,mysql-enum'; break; case 'postgres': scriptName = 'pgsql-brute'; break; case 'mssql': scriptName = 'ms-sql-info,ms-sql-empty-password'; break; } const { stdout: nmapOutput } = await execAsync(`nmap -p ${port} --script ${scriptName} ${target}`, { timeout: 120000 }); results.nmap_enumeration = nmapOutput; if (nmapOutput.includes('version')) { findings.push('Database version information disclosed'); } } catch (e) { console.error('Database enumeration failed:', e); } return { target, timestamp: new Date().toISOString(), tool: `${dbType}_comprehensive_test`, results: { service: dbType.toUpperCase(), port, findings, detailed_results: results, recommendations: this.getDatabaseRecommendations(findings, dbType) }, status: 'success' }; } catch (error) { return { target, timestamp: new Date().toISOString(), tool: `${dbType}_comprehensive_test`, results: {}, status: 'error', error: error instanceof Error ? error.message : String(error) }; } } // RDP Testing async testRDP(target: string, port: number = 3389): Promise<ScanResult> { try { console.error(`šŸ” Testing RDP service on ${target}:${port}`); const findings: string[] = []; const results: any = {}; // Test 1: BlueKeep vulnerability check try { const { stdout: bluekeepOutput } = await execAsync(`nmap -p ${port} --script rdp-vuln-ms12-020 ${target}`, { timeout: 120000 }); results.bluekeep_check = bluekeepOutput; if (bluekeepOutput.includes('VULNERABLE')) { findings.push('CRITICAL: BlueKeep vulnerability detected (CVE-2019-0708)'); } } catch (e) { console.error('BlueKeep check failed:', e); } // Test 2: RDP enumeration try { const { stdout: rdpEnumOutput } = await execAsync(`nmap -p ${port} --script rdp-enum-encryption ${target}`, { timeout: 60000 }); results.rdp_enumeration = rdpEnumOutput; if (rdpEnumOutput.includes('CredSSP')) { findings.push('CredSSP supported'); } if (rdpEnumOutput.includes('TLS')) { findings.push('TLS encryption supported'); } } catch (e) { console.error('RDP enumeration failed:', e); } return { target, timestamp: new Date().toISOString(), tool: 'rdp_comprehensive_test', results: { service: 'RDP', port, findings, detailed_results: results, recommendations: this.getRDPRecommendations(findings) }, status: 'success' }; } catch (error) { return { target, timestamp: new Date().toISOString(), tool: 'rdp_comprehensive_test', results: {}, status: 'error', error: error instanceof Error ? error.message : String(error) }; } } // SNMP Testing async testSNMP(target: string, port: number = 161): Promise<ScanResult> { try { console.error(`šŸ” Testing SNMP service on ${target}:${port}`); const findings: string[] = []; const results: any = {}; // Test 1: SNMP community string enumeration const commonCommunities = ['public', 'private', 'community', 'admin', 'manager']; for (const community of commonCommunities) { try { const { stdout: snmpOutput } = await execAsync(`snmpwalk -v2c -c ${community} ${target}:${port} 1.3.6.1.2.1.1.1.0`, { timeout: 30000 }); if (snmpOutput && !snmpOutput.includes('Timeout')) { findings.push(`SNMP community string found: ${community}`); results[`community_${community}`] = snmpOutput; } } catch (e) { // Expected for wrong community strings } } // Test 2: SNMP version detection try { const { stdout: versionOutput } = await execAsync(`nmap -p ${port} --script snmp-info ${target}`, { timeout: 60000 }); results.snmp_version = versionOutput; if (versionOutput.includes('SNMPv1')) { findings.push('SNMPv1 detected (insecure)'); } } catch (e) { console.error('SNMP version detection failed:', e); } return { target, timestamp: new Date().toISOString(), tool: 'snmp_comprehensive_test', results: { service: 'SNMP', port, findings, detailed_results: results, recommendations: this.getSNMPRecommendations(findings) }, status: 'success' }; } catch (error) { return { target, timestamp: new Date().toISOString(), tool: 'snmp_comprehensive_test', results: {}, status: 'error', error: error instanceof Error ? error.message : String(error) }; } } // Helper methods for recommendations private getSMBRecommendations(findings: string[]): string[] { const recommendations: string[] = []; if (findings.some(f => f.includes('SMBv1'))) { recommendations.push('Disable SMBv1 protocol'); } if (findings.some(f => f.includes('signing:False'))) { recommendations.push('Enable SMB signing'); } if (findings.some(f => f.includes('EternalBlue'))) { recommendations.push('Apply MS17-010 security patch immediately'); } if (findings.some(f => f.includes('null session'))) { recommendations.push('Disable SMB null sessions'); } recommendations.push('Implement strong authentication'); recommendations.push('Use SMBv3 with encryption'); return recommendations; } private getSSHRecommendations(findings: string[]): string[] { const recommendations: string[] = []; if (findings.some(f => f.includes('weak'))) { recommendations.push('Update SSH configuration to use strong algorithms'); } recommendations.push('Disable root login'); recommendations.push('Use key-based authentication'); recommendations.push('Implement fail2ban for brute force protection'); recommendations.push('Change default SSH port'); return recommendations; } private getFTPRecommendations(findings: string[]): string[] { const recommendations: string[] = []; if (findings.some(f => f.includes('Anonymous'))) { recommendations.push('Disable anonymous FTP access'); } if (findings.some(f => f.includes('vsftpd 2.3.4'))) { recommendations.push('URGENT: Update vsftpd to latest version'); } if (findings.some(f => f.includes('bounce'))) { recommendations.push('Disable FTP bounce attacks'); } recommendations.push('Use SFTP instead of FTP'); recommendations.push('Implement strong authentication'); return recommendations; } private getDatabaseRecommendations(findings: string[], dbType: string): string[] { const recommendations: string[] = []; if (findings.some(f => f.includes('Default credentials'))) { recommendations.push('Change default database credentials'); } recommendations.push('Implement strong password policies'); recommendations.push('Use database firewall rules'); recommendations.push('Enable database audit logging'); recommendations.push('Use encrypted connections (SSL/TLS)'); recommendations.push('Implement least privilege access'); return recommendations; } private getRDPRecommendations(findings: string[]): string[] { const recommendations: string[] = []; if (findings.some(f => f.includes('BlueKeep'))) { recommendations.push('URGENT: Apply BlueKeep security patches'); } recommendations.push('Enable Network Level Authentication (NLA)'); recommendations.push('Use strong authentication'); recommendations.push('Implement account lockout policies'); recommendations.push('Use VPN for remote access'); recommendations.push('Change default RDP port'); return recommendations; } private getSNMPRecommendations(findings: string[]): string[] { const recommendations: string[] = []; if (findings.some(f => f.includes('community string'))) { recommendations.push('Change default SNMP community strings'); } if (findings.some(f => f.includes('SNMPv1'))) { recommendations.push('Upgrade to SNMPv3 with authentication and encryption'); } recommendations.push('Implement SNMP access control lists'); recommendations.push('Use strong community strings'); recommendations.push('Disable SNMP if not needed'); return recommendations; } private getDefaultDatabaseCredentials(dbType: string): Array<{username: string, password: string}> { switch (dbType) { case 'mysql': return [ { username: 'root', password: '' }, { username: 'root', password: 'root' }, { username: 'root', password: 'mysql' }, { username: 'admin', password: 'admin' }, { username: 'mysql', password: 'mysql' } ]; case 'postgres': return [ { username: 'postgres', password: '' }, { username: 'postgres', password: 'postgres' }, { username: 'postgres', password: 'admin' }, { username: 'admin', password: 'admin' } ]; case 'mssql': return [ { username: 'sa', password: '' }, { username: 'sa', password: 'sa' }, { username: 'sa', password: 'admin' }, { username: 'admin', password: 'admin' } ]; default: return []; } } private getADRecommendations(findings: string[]): string[] { const recommendations: string[] = []; if (findings.some(f => f.includes('Domain Controller'))) { recommendations.push('Ensure Domain Controller is properly hardened'); recommendations.push('Implement least privilege access controls'); recommendations.push('Enable Advanced Audit Policy Configuration'); } if (findings.some(f => f.includes('SYSVOL') || f.includes('NETLOGON'))) { recommendations.push('Secure SYSVOL and NETLOGON shares with proper permissions'); recommendations.push('Monitor access to domain controller shares'); } if (findings.some(f => f.includes('RID cycling'))) { recommendations.push('CRITICAL: Implement measures to prevent user enumeration'); recommendations.push('Consider disabling null session enumeration'); } if (findings.some(f => f.includes('Kerberoasting'))) { recommendations.push('Review Service Principal Names (SPNs)'); recommendations.push('Use strong passwords for service accounts'); recommendations.push('Consider using Group Managed Service Accounts (gMSA)'); } recommendations.push('Implement Windows Event Forwarding (WEF)'); recommendations.push('Deploy Microsoft Defender for Identity'); recommendations.push('Regular security assessments using BloodHound'); return recommendations; } private getWebAppRecommendations(findings: string[], technologies: string[]): string[] { const recommendations: string[] = []; if (technologies.some(tech => tech.toLowerCase().includes('wordpress'))) { recommendations.push('Keep WordPress core, themes, and plugins updated'); recommendations.push('Use strong admin credentials and two-factor authentication'); recommendations.push('Implement Web Application Firewall (WAF)'); } if (findings.some(f => f.includes('plugin'))) { recommendations.push('Audit and remove unnecessary plugins'); recommendations.push('Implement plugin vulnerability scanning'); } if (findings.some(f => f.includes('SQL injection'))) { recommendations.push('CRITICAL: Fix SQL injection vulnerabilities immediately'); recommendations.push('Implement parameterized queries'); } if (findings.some(f => f.includes('XSS'))) { recommendations.push('Implement proper input validation and output encoding'); recommendations.push('Use Content Security Policy (CSP) headers'); } recommendations.push('Regular security testing and code reviews'); recommendations.push('Implement secure coding practices'); recommendations.push('Monitor application logs for suspicious activity'); return recommendations; } // WordPress-specific testing private async testWordPress(target: string): Promise<any> { try { const results: any = { plugins_detected: [], themes_detected: [], vulnerabilities: [] }; // WPScan integration try { const { stdout: wpscanOutput } = await execAsync(`wpscan --url ${target} --enumerate p,t,u --random-user-agent`, { timeout: 300000 }); // Parse WPScan output for plugins const pluginMatches = wpscanOutput.match(/\[!\] Title: (.+)/g); if (pluginMatches) { results.plugins_detected = pluginMatches.map(m => m.replace('[!] Title: ', '')); } results.wpscan_raw = wpscanOutput; } catch (e) { console.error('WPScan failed:', e); } return results; } catch (error) { return { error: error instanceof Error ? error.message : String(error) }; } } // Drupal-specific testing private async testDrupal(target: string): Promise<any> { try { const results: any = { modules_detected: [], vulnerabilities: [] }; // Drupal enumeration try { const { stdout: drupalOutput } = await execAsync(`droopescan scan drupal -u ${target}`, { timeout: 180000 }); results.droopescan_raw = drupalOutput; } catch (e) { console.error('Droopescan failed:', e); } return results; } catch (error) { return { error: error instanceof Error ? error.message : String(error) }; } } // Joomla-specific testing private async testJoomla(target: string): Promise<any> { try { const results: any = { components_detected: [], vulnerabilities: [] }; // Joomla enumeration try { const { stdout: joomlaOutput } = await execAsync(`joomscan -u ${target}`, { timeout: 180000 }); results.joomscan_raw = joomlaOutput; } catch (e) { console.error('JoomScan failed:', e); } return results; } catch (error) { return { error: error instanceof Error ? error.message : String(error) }; } } // Web server specific testing private async testWebServer(target: string, serverType: string): Promise<any> { try { const results: any = { configuration_issues: [], security_headers: {} }; // Test security headers try { const { stdout: headersOutput } = await execAsync(`curl -I ${target}`, { timeout: 30000 }); const headers = headersOutput.toLowerCase(); results.security_headers = { has_hsts: headers.includes('strict-transport-security'), has_csp: headers.includes('content-security-policy'), has_xframe: headers.includes('x-frame-options'), has_xss_protection: headers.includes('x-xss-protection'), server_header: headers.includes('server:') ? headers.match(/server:\s*([^\r\n]+)/)?.[1] : null }; } catch (e) { console.error('Security headers check failed:', e); } return results; } catch (error) { return { error: error instanceof Error ? error.message : String(error) }; } } // Common web vulnerabilities testing private async testWebVulnerabilities(target: string): Promise<any> { const results: any = { findings: [], tests_performed: [] }; // Test for common web vulnerabilities try { // Nikto scan const { stdout: niktoOutput } = await execAsync(`nikto -h ${target}`, { timeout: 300000 }); if (niktoOutput.includes('OSVDB')) { results.findings.push('Potential vulnerabilities detected by Nikto'); } results.tests_performed.push('nikto_scan'); results.nikto_raw = niktoOutput; } catch (e) { console.error('Nikto scan failed:', e); } return results; } }

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/adriyansyah-mf/mcp-pentest'

If you have feedback or need assistance with the MCP directory API, please join our Discord server