MCP Pentest

Instructions

Implementation Reference

• src/tools/recon.ts:356-437 (handler)

  Core handler function that performs directory and file brute-force enumeration on a web target using HTTP HEAD requests with configurable wordlists and extensions.
  async directoryBruteforce(url: string, wordlist?: string, extensions?: string[], useSecLists?: boolean): Promise<ScanResult> { try { const foundPaths: string[] = []; const baseUrl = new URL(url); // Default directory wordlist const defaultDirs = [ 'admin', 'administrator', 'login', 'dashboard', 'panel', 'config', 'backup', 'test', 'dev', 'staging', 'api', 'uploads', 'files', 'images', 'css', 'js', 'assets', 'static', 'public', 'private', 'secure', 'hidden', 'secret', 'wp-admin', 'wp-content', 'wp-includes', 'phpmyadmin', 'mysql', 'database' ]; let dirs: string[] = defaultDirs; if (wordlist) { dirs = await this.loadWordlist(wordlist); } else if (useSecLists) { const candidates = [ '/usr/share/seclists/Discovery/Web-Content/common.txt', '/usr/share/seclists/Discovery/Web-Content/raft-small-words.txt', '/usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt' ]; for (const path of candidates) { try { const loaded = await this.loadWordlist(path); if (loaded.length > 0) { dirs = loaded; break; } } catch (_) {} } } const exts = extensions || ['php', 'html', 'asp', 'aspx', 'jsp', 'txt', 'xml', 'json']; // Check directories for (const dir of dirs) { try { const testUrl = `${baseUrl.origin}/${dir}/`; const response = await axios.head(testUrl, { timeout: 5000 }); if (response.status === 200 || response.status === 403) { foundPaths.push(testUrl); } } catch (e) { // Path not found or error } } // Check files with extensions for (const dir of dirs) { for (const ext of exts) { try { const testUrl = `${baseUrl.origin}/${dir}.${ext}`; const response = await axios.head(testUrl, { timeout: 5000 }); if (response.status === 200) { foundPaths.push(testUrl); } } catch (e) { // File not found or error } } } return { target: url, timestamp: new Date().toISOString(), tool: 'directory_bruteforce', results: { found_paths: foundPaths, total_found: foundPaths.length, wordlist_size: dirs.length, extensions_tested: exts }, status: 'success' }; } catch (error) { return { target: url, timestamp: new Date().toISOString(), tool: 'directory_bruteforce', results: {}, status: 'error', error: error instanceof Error ? error.message : String(error) }; } }
• src/index.ts:120-133 (schema)

  Input schema definition for the directory_bruteforce tool, specifying parameters like url, wordlist, extensions, and use_seclists.
  { name: "directory_bruteforce", description: "Bruteforce directories and files on web server", inputSchema: { type: "object", properties: { url: { type: "string", description: "Target URL" }, wordlist: { type: "string", description: "Wordlist to use" }, extensions: { type: "array", items: { type: "string" }, description: "File extensions to check" }, use_seclists: { type: "boolean", description: "Use SecLists common lists if no wordlist provided" } }, required: ["url"] } },
• src/index.ts:514-515 (registration)

  Tool dispatch/registration in the main switch statement that routes calls to the ReconTools.directoryBruteforce handler.
  case "directory_bruteforce": return respond(await this.reconTools.directoryBruteforce(args.url, args.wordlist, args.extensions, args.use_seclists));
• src/engines/workflow.ts:316-318 (helper)

  Usage of directoryBruteforce in the automated pentest workflow during web discovery phase.
  // Directory brute force const dirResult = await this.reconTools.directoryBruteforce(webTarget); phase.results!.push(dirResult);
• src/utils/validation.ts:298-299 (helper)

  directory_bruteforce listed in allowed tools for security validation.
  const allowedTools = [ 'nmap_scan', 'subdomain_enum', 'tech_detection', 'directory_bruteforce',