Which integrations are available for this server?

Provides vulnerability detection and exploitation capabilities for Apache web servers, including version fingerprinting and targeted security testing Provides platform-specific exploitation modules and vulnerability assessment tools targeting Linux systems Generates penetration testing reports and documentation in Markdown format for technical findings and remediation guidance Integrates with Metasploit framework for automated exploit search, execution, and advanced penetration testing capabilities Built on Node.js runtime to provide the core MCP server functionality for automated penetration testing workflows Provides specialized vulnerability detection, version identification, and security testing capabilities for WordPress installations

How do I use MCP Pentest?

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@MCP Pentest run a full automated penetration test on example.com with active intensity" That's it! The server will respond to your query, and you can continue using it as needed. Here is a step-by-step guide with screenshots.

MCP Pentest - Automated Penetration Testing Framework

MCP (Model Context Protocol) server untuk automated penetration testing yang cerdas. Framework ini dapat secara otomatis melakukan reconnaissance, vulnerability scanning, dan controlled exploitation berdasarkan teknologi target yang terdeteksi.

🚀 Features

🔍 Reconnaissance Tools

Port Scanning - Comprehensive Nmap integration dengan berbagai scan modes
Subdomain Enumeration - Certificate transparency logs + DNS bruteforcing
Technology Detection - Automatic web technology fingerprinting
Directory Bruteforcing - Intelligent directory and file discovery

🛡️ Vulnerability Assessment

Nuclei Integration - Automated vulnerability scanning dengan template database
Nikto Scanning - Web server vulnerability detection
SQLMap Integration - SQL injection testing
Custom Web Vulnerability Checks - XSS, Directory Traversal, Command Injection, dll

⚡ Exploitation Modules

Metasploit Integration - Automatic exploit search dan execution
Custom Exploit Attempts - Framework-specific exploitation
Technology-Specific Exploits - Targeted attacks berdasarkan tech stack
Proof-of-Concept Generation - Automated PoC creation

🤖 Intelligent Workflow Engine

Adaptive Decision Making - AI-driven next step recommendations
Risk-Based Prioritization - Smart vulnerability prioritization
Technology-Aware Testing - Customized testing berdasarkan detected technologies
Automated Workflow Management - Sequential phase execution dengan dependency handling

📊 Comprehensive Reporting

Multi-Format Reports - HTML, PDF, JSON, Markdown output
Executive Summaries - Business-friendly risk assessments
Technical Details - Detailed vulnerability descriptions dan remediation
Evidence Collection - Automatic proof collection dan documentation

📋 Prerequisites

Required Tools

Pastikan tools berikut sudah terinstall di sistem:

# Network scanning
sudo apt install nmap

# Web vulnerability scanning
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Web server scanning
sudo apt install nikto

# SQL injection testing
sudo apt install sqlmap

# Optional: Metasploit (untuk advanced exploitation)
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
sudo ./msfinstall

Node.js Dependencies

npm install

🛠️ Installation

Clone repository

git clone <repository-url>
cd mcp-pentest

Install dependencies

npm install

Build project

npm run build

Configure MCP client Tambahkan ke file konfigurasi MCP client Anda:

{
  "mcpServers": {
    "pentest": {
      "command": "node",
      "args": ["path/to/mcp-pentest/dist/index.js"],
      "env": {}
    }
  }
}

🎯 Usage Examples

Basic Automated Pentest

// Full scope automated pentest
await mcp.call("auto_pentest", {
  target: "example.com",
  scope: "full",
  intensity: "active"
});

Reconnaissance Only

// Port scanning
await mcp.call("nmap_scan", {
  target: "192.168.1.1",
  scan_type: "aggressive"
});

// Technology detection
await mcp.call("tech_detection", {
  url: "https://example.com"
});

// Subdomain enumeration
await mcp.call("subdomain_enum", {
  domain: "example.com"
});

Vulnerability Scanning

// Nuclei scan with specific templates
await mcp.call("nuclei_scan", {
  target: "https://example.com",
  templates: ["cves", "vulnerabilities"],
  severity: "high"
});

// SQL injection testing
await mcp.call("sqlmap_scan", {
  url: "https://example.com/login.php",
  data: "username=admin&password=test"
});

Exploitation Attempts

// Search for Metasploit modules
await mcp.call("metasploit_search", {
  service: "Apache 2.4.41",
  platform: "linux"
});

// Attempt exploitation
await mcp.call("exploit_attempt", {
  target: "192.168.1.100",
  vulnerability: "SQL Injection",
  payload: "UNION SELECT"
});

Intelligent Next Steps

// Get AI-powered recommendations
await mcp.call("suggest_next_steps", {
  scan_results: JSON.stringify(previousResults)
});

Report Generation

// Generate comprehensive report
await mcp.call("generate_report", {
  target: "example.com",
  format: "html"
});

🔧 Configuration

Scan Intensity Levels

Passive

Certificate transparency logs
DNS enumeration
Header analysis
Public information gathering

Active

Port scanning
Directory bruteforcing
Vulnerability scanning
Service enumeration

Aggressive

Full port range scanning
Intensive directory bruteforcing
Active exploitation attempts
Comprehensive vulnerability testing

Scope Options

Network

Port scanning
Service enumeration
Network vulnerability assessment

Web

Web application testing
Technology fingerprinting
Web vulnerability scanning

Full

Comprehensive assessment
Network + Web testing
Complete attack surface analysis

🛡️ Security Considerations

Ethical Usage

⚠️ IMPORTANT: Framework ini hanya boleh digunakan untuk:

Authorized penetration testing
Security research dengan permission
Testing terhadap sistem milik sendiri
Educational purposes

Safety Features

Rate limiting - Automatic request throttling
Timeout controls - Prevent long-running scans
Scope validation - Target validation dan restriction
Safe exploitation - Controlled dan reversible tests

Legal Compliance

Pastikan ada written authorization sebelum testing
Comply dengan local laws dan regulations
Respect responsible disclosure practices
Document semua testing activities

📊 Sample Output

Automated Pentest Results

{
  "workflow": {
    "target": "example.com",
    "scope": "full",
    "phases": [
      {
        "name": "reconnaissance",
        "status": "completed",
        "tools": ["nmap_scan", "subdomain_enum", "tech_detection"]
      }
    ],
    "results": {
      "reconnaissance": {
        "open_ports": [
          {"port": 80, "service": "http", "version": "Apache 2.4.41"},
          {"port": 443, "service": "https", "version": "Apache 2.4.41"}
        ],
        "technologies": [
          {"technology": "WordPress", "version": "5.8", "confidence": 95}
        ]
      },
      "vulnerabilities": [
        {
          "name": "Outdated WordPress",
          "severity": "medium",
          "description": "WordPress version 5.8 has known vulnerabilities"
        }
      ],
      "risk_score": 65,
      "threat_level": "medium"
    }
  }
}

🔄 Workflow Engine

Framework menggunakan intelligent workflow engine yang dapat:

Analyze scan results - Automatically interpret findings
Make decisions - Determine next testing steps
Adapt strategy - Modify approach based on discoveries
Prioritize actions - Focus on high-impact vulnerabilities
Generate insights - Provide actionable recommendations

Decision Making Logic

Reconnaissance → Technology Detection → Vulnerability Assessment → Risk Analysis → Exploitation → Reporting
     ↓              ↓                    ↓                    ↓             ↓            ↓
 Port Discovery → CMS/Framework → Targeted Scanning → Priority Queue → Controlled → Evidence
 Subdomain Enum → Version Info → Custom Checks → Risk Scoring → Attempts → Collection

🏗️ Architecture

┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
│   MCP Client    │    │  MCP Protocol    │    │  Pentest Server │
│  (Claude/etc)   │◄──►│   Transport      │◄──►│    (Node.js)    │
└─────────────────┘    └──────────────────┘    └─────────────────┘
                                                        │
                                               ┌─────────────────┐
                                               │ Tool Integration │
                                               │   - Nmap        │
                                               │   - Nuclei      │
                                               │   - Nikto       │
                                               │   - SQLMap      │
                                               │   - Metasploit  │
                                               └─────────────────┘

🤝 Contributing

Fork repository
Create feature branch
Implement changes dengan tests
Submit pull request
Follow security best practices

📜 License

MIT License - See LICENSE file for details

⚠️ Disclaimer

Tool ini dibuat untuk tujuan educational dan authorized security testing. User bertanggung jawab untuk memastikan penggunaan yang legal dan ethical. Developer tidak bertanggung jawab atas penyalahgunaan tool ini.

🆘 Support

📖 Documentation: Wiki
🐛 Bug Reports: Issues
💬 Discussions: Forum
📧 Contact: Email