gobuster-mcp
Enumerate open Amazon S3 buckets using Gobuster's S3 bucket enumeration mode.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@gobuster-mcpScan example.com for hidden directories"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
gobuster-mcp
A Model Context Protocol (MCP) server for Gobuster - a powerful directory/file, DNS, virtual host, S3 bucket, and TFTP enumeration tool written in Go.
This MCP server enables AI assistants to perform security reconnaissance and enumeration tasks by executing Gobuster commands on a remote Kali Linux host via SSH.
Features
Directory/File Enumeration (
gobuster_dir) - Discover hidden directories and files on web serversDNS Subdomain Enumeration (
gobuster_dns) - Find subdomains for target domainsVirtual Host Discovery (
gobuster_vhost) - Enumerate virtual hosts by brute-forcing Host headersFuzzing (
gobuster_fuzz) - Replace FUZZ keyword in URLs, headers, or POST dataS3 Bucket Enumeration (
gobuster_s3) - Discover open Amazon S3 bucketsTFTP Enumeration (
gobuster_tftp) - Find files on TFTP serversAsync Scan Support - Run long scans in background with status tracking
Wordlist Discovery - List available wordlists on the Kali host
Related MCP server: Arsenal MCP
Prerequisites
Node.js 18+
SSH access to a Kali Linux host with Gobuster installed
SSH key-based authentication configured (no password prompts)
Installation
# Clone the repository
git clone https://github.com/schwarztim/sec-gobuster-mcp.git
cd sec-gobuster-mcp
# Install dependencies
npm install
# Build
npm run buildConfiguration
Environment Variables
Variable | Default | Description |
|
| SSH hostname or alias for the Kali Linux host |
SSH Setup
Ensure your SSH config (~/.ssh/config) has an entry for your Kali host:
Host kali
HostName 192.168.1.100
User root
IdentityFile ~/.ssh/id_rsaClaude Desktop Configuration
Add to your Claude Desktop config (~/.config/claude/claude_desktop_config.json on Linux or ~/Library/Application Support/Claude/claude_desktop_config.json on macOS):
{
"mcpServers": {
"gobuster": {
"command": "node",
"args": ["/path/to/sec-gobuster-mcp/dist/index.js"],
"env": {
"KALI_HOST": "kali"
}
}
}
}Available Tools
gobuster_dir
Directory/file enumeration mode - discovers hidden directories and files on web servers.
{
"url": "https://example.com",
"extensions": "php,html,txt",
"threads": 20,
"status_codes": "200,204,301,302",
"exclude_status": "404,403"
}gobuster_dns
DNS subdomain enumeration - discovers subdomains for a target domain.
{
"domain": "example.com",
"resolver": "8.8.8.8",
"show_ips": true,
"show_cname": true
}gobuster_vhost
Virtual host enumeration - discovers virtual hosts by brute-forcing Host header values.
{
"url": "https://example.com",
"domain": "example.com",
"exclude_length": "1234"
}gobuster_fuzz
Fuzzing mode - replaces FUZZ keyword in URLs, headers, or POST data.
{
"url": "https://example.com/api?param=FUZZ",
"method": "GET",
"exclude_status": "404,500"
}gobuster_s3
Amazon S3 bucket enumeration.
{
"wordlist": "/usr/share/wordlists/bucket-names.txt",
"max_files": 10
}gobuster_tftp
TFTP file enumeration.
{
"server": "192.168.1.50",
"timeout": 5
}Async Operations
All scan tools support an async parameter to run scans in the background:
{
"url": "https://example.com",
"async": true
}Use these tools to manage async scans:
gobuster_status- Check scan status and retrieve outputgobuster_stop- Stop a running scangobuster_list_scans- List all active and recent scans
gobuster_wordlists
List available wordlists on the Kali host.
{
"category": "dirb"
}Categories: all, dirb, dirbuster, wfuzz, seclists, subdomains
Common Options
Most scan tools support these common options:
Option | Description |
| Path to wordlist file on Kali |
| Number of concurrent threads (default: 10) |
| Request timeout in seconds |
| Suppress banner output |
| Cookies to include in requests |
| Custom headers array |
| Custom User-Agent string |
| Skip TLS certificate verification |
| Follow HTTP redirects |
Security Considerations
This tool is intended for authorized security testing only. Always ensure you have proper authorization before scanning any systems.
Use only against systems you own or have explicit permission to test
Be aware of rate limiting and server load
Consider legal implications in your jurisdiction
Use responsibly and ethically
Development
# Watch mode for development
npm run dev
# Build
npm run build
# Run
npm startLicense
MIT License - see LICENSE file for details.
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
Related Projects
Gobuster - The underlying enumeration tool
Model Context Protocol - The protocol specification
MCP SDK - TypeScript SDK for MCP
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/schwarztim/sec-gobuster-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server