Glama

test_active_directory

Conduct Active Directory penetration testing to identify security vulnerabilities and assess domain controller security posture through comprehensive security assessments.

Instructions

Comprehensive Active Directory penetration testing

Input Schema

Name     Required   Description                     Default
domain   No         Domain name (optional)          (none)
target   Yes        Domain Controller IP address    (none)

Input Schema (JSON Schema)

{
  "properties": {
    "domain": {
      "description": "Domain name (optional)",
      "type": "string"
    },
    "target": {
      "description": "Domain Controller IP address",
      "type": "string"
    }
  },
  "required": ["target"],
  "type": "object"
}

Implementation Reference

  • The main handler function implementing the 'test_active_directory' tool. Performs comprehensive AD testing with LDAP, Kerberos, SMB, enum4linux, BloodHound, and Kerberoasting checks.
    // Module-level prerequisites (not shown on the page): execAsync is the
    // promisified child_process.exec used by every check below.
    import { exec } from 'child_process';
    import { promisify } from 'util';
    const execAsync = promisify(exec);

    async testActiveDirectory(target: string, domain?: string): Promise<ScanResult> {
      try {
        console.error(`🔍 Testing Active Directory on ${target}${domain ? ` (domain: ${domain})` : ''}`);
        const findings: string[] = [];
        const results: any = {};
        // NOTE: target and domain are interpolated verbatim into shell command
        // strings below; the schema only documents them as an IP address and a
        // domain name and nothing here enforces that before exec() sees them.

        // Test 1: LDAP enumeration (nmap ldap-rootdse against TCP/389)
        try {
          const ldapPort = 389;
          const { stdout: ldapOutput } = await execAsync(
            `nmap -p ${ldapPort} --script ldap-rootdse ${target}`,
            { timeout: 60000 }
          );
          results.ldap_enumeration = ldapOutput;
          if (ldapOutput.includes('domainFunctionality')) {
            findings.push('Domain Controller detected via LDAP');
          }
          if (ldapOutput.includes('forestFunctionality')) {
            findings.push('Active Directory Forest detected');
          }
        } catch (e) {
          console.error('LDAP enumeration failed:', e);
        }

        // Test 2: Kerberos enumeration (nmap krb5-enum-users against TCP/88)
        try {
          const { stdout: kerberosOutput } = await execAsync(
            `nmap -p 88 --script krb5-enum-users ${target}`,
            { timeout: 60000 }
          );
          results.kerberos_enumeration = kerberosOutput;
          if (kerberosOutput.includes('KDC')) {
            findings.push('Kerberos Key Distribution Center detected');
          }
        } catch (e) {
          console.error('Kerberos enumeration failed:', e);
        }

        // Test 3: SMB share listing with a null session, looking for DC shares
        try {
          const { stdout: smbOutput } = await execAsync(
            `smbclient -L //${target} -N`,
            { timeout: 60000 }
          );
          results.smb_enumeration = smbOutput;
          if (smbOutput.includes('SYSVOL') || smbOutput.includes('NETLOGON')) {
            findings.push('Domain Controller shares detected (SYSVOL/NETLOGON)');
          }
        } catch (e) {
          console.error('SMB enumeration failed:', e);
        }

        // Test 4: enum4linux for comprehensive enumeration
        try {
          const { stdout: enum4linuxOutput } = await execAsync(
            `enum4linux -a ${target}`,
            { timeout: 180000 }
          );
          results.enum4linux = enum4linuxOutput;
          if (enum4linuxOutput.includes('Domain Name:')) {
            const domainMatch = enum4linuxOutput.match(/Domain Name:\s*([^\n]+)/);
            if (domainMatch) {
              findings.push(`Domain Name identified: ${domainMatch[1].trim()}`);
            }
          }
          if (enum4linuxOutput.includes('Users via RID cycling')) {
            findings.push('User enumeration possible via RID cycling');
          }
        } catch (e) {
          console.error('enum4linux failed:', e);
        }

        // Test 5: BloodHound data collection (only when a domain was supplied)
        if (domain) {
          try {
            const { stdout: bloodhoundOutput } = await execAsync(
              `bloodhound-python -d ${domain} -u anonymous -p '' -ns ${target} --dns-tcp`,
              { timeout: 300000 }
            );
            results.bloodhound_collection = bloodhoundOutput;
            if (bloodhoundOutput.includes('Resolved collection methods')) {
              findings.push('BloodHound data collection successful');
            }
          } catch (e) {
            console.error('BloodHound collection failed:', e);
          }
        }

        // Test 6: Kerberoasting check
        // NOTE: krb5-enum-users enumerates user principals; it does not itself
        // list SPNs, so the 'SPN' substring match below is a weak heuristic.
        try {
          const { stdout: kerberoastOutput } = await execAsync(
            `nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm=${domain || target} ${target}`,
            { timeout: 120000 }
          );
          results.kerberoasting_check = kerberoastOutput;
          if (kerberoastOutput.includes('SPN')) {
            findings.push('Service Principal Names detected - potential Kerberoasting targets');
          }
        } catch (e) {
          console.error('Kerberoasting check failed:', e);
        }

        return {
          target,
          timestamp: new Date().toISOString(),
          tool: 'active_directory_test',
          results: {
            service: 'Active Directory',
            domain: domain || 'Unknown',
            findings,
            detailed_results: results,
            recommendations: this.getADRecommendations(findings)
          },
          status: 'success'
        };
      } catch (error) {
        return {
          target,
          timestamp: new Date().toISOString(),
          tool: 'active_directory_test',
          results: {},
          status: 'error',
          error: error instanceof Error ? error.message : String(error)
        };
      }
    }
  • src/index.ts:366-377 (registration)
    MCP tool registration defining the 'test_active_directory' tool name, description, and input schema.
    {
      name: "test_active_directory",
      description: "Comprehensive Active Directory penetration testing",
      inputSchema: {
        type: "object",
        properties: {
          target: { type: "string", description: "Domain Controller IP address" },
          domain: { type: "string", description: "Domain name (optional)" }
        },
        required: ["target"]
      }
    },
  • src/index.ts:574-576 (registration)
    Dispatch handler in the main switch statement that routes calls to the testActiveDirectory method.
    case "test_active_directory":
      return respond(await this.serviceSpecificTools.testActiveDirectory(args.target, args.domain));
  • Helper method that generates security recommendations based on AD testing findings.
    private getADRecommendations(findings: string[]): string[] {
      const recommendations: string[] = [];
      if (findings.some(f => f.includes('Domain Controller'))) {
        recommendations.push('Ensure Domain Controller is properly hardened');
        recommendations.push('Implement least privilege access controls');
        recommendations.push('Enable Advanced Audit Policy Configuration');
      }
      if (findings.some(f => f.includes('SYSVOL') || f.includes('NETLOGON'))) {
        recommendations.push('Secure SYSVOL and NETLOGON shares with proper permissions');
        recommendations.push('Monitor access to domain controller shares');
      }
      if (findings.some(f => f.includes('RID cycling'))) {
        recommendations.push('CRITICAL: Implement measures to prevent user enumeration');
        recommendations.push('Consider disabling null session enumeration');
      }
      if (findings.some(f => f.includes('Kerberoasting'))) {
        recommendations.push('Review Service Principal Names (SPNs)');
        recommendations.push('Use strong passwords for service accounts');
        recommendations.push('Consider using Group Managed Service Accounts (gMSA)');
      }
      // Baseline recommendations that apply regardless of findings
      recommendations.push('Implement Windows Event Forwarding (WEF)');
      recommendations.push('Deploy Microsoft Defender for Identity');
      recommendations.push('Regular security assessments using BloodHound');
      return recommendations;
    }
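The handler above passes `target` and `domain` straight into shell command strings, so any MCP client that can call the tool can also inject shell syntax through those arguments. The example below is added here and is not part of the mcp-pentest project: it validates both inputs against what the schema promises (an IP address and a DNS name) and builds an argument vector for the page's first probe so it can be run with `execFile` instead of a shell. The names `validateAdInputs`, `isValidDomainName` and `buildLdapProbe` are hypothetical.

```typescript
// Added example (not from the mcp-pentest project): reject anything that is
// not a bare IP address / DNS name before it can reach a command line, and
// hand probes to child_process.execFile as argv arrays so no shell parses them.
import { isIP } from "node:net";

// One DNS label: letters, digits and hyphens, 1-63 chars, no edge hyphen.
const DNS_LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidDomainName(domain: string): boolean {
  if (domain.length === 0 || domain.length > 253) return false;
  return domain.split(".").every((label) => DNS_LABEL.test(label));
}

interface AdInputs {
  target: string;   // literal IPv4 or IPv6 address, as the tool schema states
  domain?: string;  // optional DNS domain name
}

// Throws on inputs that contain anything beyond an IP / DNS name, which rules
// out ';', '`', '$(', quotes and whitespace in one place for every later probe.
function validateAdInputs(target: string, domain?: string): AdInputs {
  if (isIP(target) === 0) {
    throw new Error(`target must be an IP address, got ${JSON.stringify(target)}`);
  }
  if (domain !== undefined && !isValidDomainName(domain)) {
    throw new Error(`domain must be a DNS name, got ${JSON.stringify(domain)}`);
  }
  return domain === undefined ? { target } : { target, domain };
}

// argv for the page's "Test 1" probe (nmap ldap-rootdse on TCP/389), meant for
// execFile(argv[0], argv.slice(1), { timeout: 60000 }) rather than exec(string).
function buildLdapProbe(inputs: AdInputs): string[] {
  return ["nmap", "-p", "389", "--script", "ldap-rootdse", inputs.target];
}
```

The same validated `AdInputs` value can feed argv builders for the other five checks; only the first is shown.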
