Zebbern Kali MCP
Provides GraphQL introspection and security analysis tools, including schema fingerprinting and introspection.
Provides direct access to a full Kali Linux penetration testing toolkit, including network scanning, web application scanning, exploitation, and many other tools.
Provides Metasploit Framework integration, allowing AI agents to manage modules, sessions, and exploits.
Provides OpenVPN management, including connection and configuration.
Provides integration with OWASP ZAP for automated web application security scanning.
Provides WireGuard VPN management, including setup and configuration for secure tunnels.
Provides WordPress vulnerability scanning via WPScan, identifying security issues in WordPress installations.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Zebbern Kali MCPnmap scan 192.168.1.1"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Zebbern Kali MCP Server
A Docker-based Model Context Protocol (MCP) server that gives AI agents (GitHub Copilot, Claude, etc.) direct access to a full Kali Linux penetration testing toolkit. The AI agent calls MCP tools, which forward requests to a Flask API running inside a Kali container — every tool executes in an isolated, pre-configured environment.
Architecture
The project is a two-part client → server system:
┌──────────────────────────────────┐ HTTP ┌──────────────────────────────────────┐
│ Windows / Host │ (port 5000) │ Docker Container │
│ │ │ (kalilinux/kali-rolling) │
│ AI Agent (Copilot / Claude) │ │ │
│ │ │ │ Flask API Server │
│ ▼ │ │ ├── api/blueprints/*.py (routes) │
│ MCP Client (mcp_tools/*.py) │ ──── POST /tools/* ───► │ └── core/*.py (logic) │
│ └── KaliToolsClient │ │ │ │
│ (HTTP requests) │ │ ▼ │
│ │ │ Kali tools (nmap, sqlmap, …) │
└──────────────────────────────────┘ └──────────────────────────────────────┘Component | Location | Runs on | Role |
MCP Client |
| Host (Windows/Linux/macOS) | Exposes tool definitions to AI agents via the MCP protocol. Each tool call is translated into an HTTP request to the Flask server. |
Flask Server |
| Inside Docker container | Receives HTTP requests, dispatches them through Flask blueprints ( |
Entrypoint |
| Inside Docker container | Initializes networking (routes, |
Request flow: AI Agent → MCP tool function → KaliToolsClient HTTP request → Flask blueprint → Core logic → tool execution on Kali → JSON response back.
Quick Start
Docker + uvx (Recommended)
1. Start the Kali backend:
# Download just the compose file — no full clone needed
curl -sLO https://raw.githubusercontent.com/zebbern/zebbern-kali-mcp/main/docker-compose.yml
docker compose up -dOr build and run directly:
docker build -t zebbern-kali-mcp .
docker run -d -p 5000:5000 --name zebbern-kali zebbern-kali-mcpLinux host networking: For direct host network access (no port mapping needed), also grab
docker-compose.host.ymland run:docker compose -f docker-compose.yml -f docker-compose.host.yml up -d
2. Add to VS Code (.vscode/mcp.json or global MCP config):
{
"servers": {
"kali-tools": {
"command": "uvx",
"args": ["zebbern-kali-mcp"]
}
}
}Restart VS Code — done. uvx auto-downloads the MCP client from PyPI.
Docker is the supported install path. See the setup sections below for env vars, VPN/SOCKS proxy, image variants, and networking details.
MCP Tool Modules
17 MCP client modules in mcp_tools/, each with a corresponding Flask blueprint in zebbern-kali/api/blueprints/ and core logic in zebbern-kali/core/:
# | Module | Description |
1 |
| Nmap, Nikto, Gobuster, Dirb, WPScan, SQLMap, Hydra, John, enum4linux, Subfinder, httpx, Arjun, Fierce, ssh-audit, FFuf, Nuclei, and more |
2 |
| Active Directory attacks — netexec, BloodHound, impacket, certipy, bloodyAD, Kerberoasting, Pass-the-Hash, LDAP |
3 |
| Arbitrary command execution on the Kali container |
4 |
| SSH session lifecycle — connect, execute, tunnel, disconnect |
5 |
| Reverse shell listeners and session management |
6 |
| Metasploit Framework integration — modules, sessions, exploits |
7 |
| Chisel, Ligolo-ng, SSH tunnels, ProxyChains, SOCKS proxy |
8 |
| WireGuard & OpenVPN management with auto SOCKS5 proxy |
9 |
| GraphQL introspection, JWT analysis, FFUF fuzzing |
10 |
| Technology detection and web fingerprinting |
11 |
| Exploit suggestion based on scan results |
12 |
| Payload generation for various platforms |
13 |
| File upload/download between host and container |
14 |
| Built-in HTTP + DNS callback listener for isolated networks |
15 |
| CTFd & rCTF API — challenges, flags, scoreboard |
16 |
|
|
17 |
| Structured parsing of tool output for AI consumption |
Installed Tools
Everything below is pre-installed in the Docker image — no manual setup required.
Network Scanning
Tool | Description |
nmap | Port scanning, service/version detection, NSE scripts |
masscan | High-speed port scanner |
sslscan | SSL/TLS configuration analysis |
Web Application Scanning
Tool | Description |
nikto | Web server vulnerability scanner |
gobuster | Directory/file/DNS brute-forcing |
dirb | Web content scanner |
wpscan | WordPress vulnerability scanner |
sqlmap | Automated SQL injection |
ffuf | Fast web fuzzer |
nuclei | Template-based vulnerability scanner |
katana | Web crawler (v1.1.0 pre-built binary) |
amass | Attack surface mapping |
commix | Command injection exploitation |
ghauri | Advanced SQL injection detection |
Subdomain & DNS Enumeration
Tool | Description |
subfinder | Passive subdomain discovery |
httpx | HTTP probing and technology detection |
assetfinder | Subdomain discovery via various sources |
waybackurls | Fetch URLs from the Wayback Machine |
amass | DNS enumeration and network mapping |
massdns | High-performance DNS resolver |
fierce | DNS reconnaissance |
mapcidr | CIDR range manipulation |
subzy | Subdomain takeover checking |
Brute Force & Password Cracking
Tool | Description |
hydra | Network login brute-forcer |
john | John the Ripper password cracker |
hashcat | GPU-accelerated hash cracking |
Active Directory
Tool | Description |
netexec | Primary SMB/LDAP/WinRM tool (replaces crackmapexec) |
impacket (0.13.0) | Python AD attack toolkit — ~50 scripts symlinked as |
bloodhound.py | AD relationship graphing — data collector |
bloodyAD | AD privilege escalation framework |
certipy-ad | AD Certificate Services (ADCS) exploitation |
responder | LLMNR/NBT-NS/MDNS poisoner |
evil-winrm | WinRM shell with upload/download |
krbrelayx | Kerberos relay and delegation abuse |
gMSADumper | Group Managed Service Account password dumper |
PetitPotam | NTLM relay coercion via EFS RPC |
coercer | Coerce Windows authentication |
dementor | SpoolService abuse for relay attacks |
winrmexec | WinRM command execution |
pywhisker | Shadow Credentials attack tool |
ldapdomaindump | LDAP domain information dumper |
Exploitation
Tool | Description |
metasploit-framework | Full Metasploit Framework |
commix | Command injection exploitation |
ghauri | Advanced SQL injection |
dalfox | XSS scanning and exploitation |
byp4xx | 403 Forbidden bypass techniques |
exploitdb | Exploit database (searchsploit) |
JavaScript Analysis
Tool | Description |
getJS | Extract JavaScript files from pages |
jsluice | Extract URLs, paths, and secrets from JS |
xnLinkFinder | Link and parameter discovery from JS |
SecretFinder | Find API keys and secrets in JS files |
TruffleHog | Secret scanning across repos and files |
js-beautify | JavaScript deobfuscation/beautification |
webcrack | Webpack bundle unpacking (npm) |
ParamSpider | Parameter discovery from web archives |
API Testing
Tool | Description |
jwt-tool | JWT token analysis and exploitation |
graphw00f | GraphQL engine fingerprinting |
clairvoyance | GraphQL schema introspection |
Proxy & Interception
Tool | Description |
mitmproxy | Scriptable HTTP/HTTPS proxy (mitmdump) |
OWASP ZAP | Automated web app security scanner (zaproxy) |
Caido | Modern web proxy (CLI) |
Forensics & CTF
Tool | Description |
binwalk | Firmware analysis and file extraction |
steghide | Steganography tool |
stegseek | Fast steghide cracker (wordlist-based) |
zsteg | PNG/BMP steganography detector (Ruby) |
exiftool | Metadata reader/writer |
foremost | File carving/recovery |
volatility3 | Memory forensics framework (Python) |
sleuthkit | Disk forensics — |
gdb | GNU Debugger |
radare2 | Reverse engineering framework (disassembly, debugging, patching) |
imagemagick | Image manipulation and analysis |
tesseract-ocr | Optical character recognition |
Binary Analysis (Python)
Tool | Description |
angr | Binary analysis framework |
pwntools | CTF exploitation library |
Crypto & Math (Python)
Tool | Description |
pycryptodome | Cryptographic primitives |
gmpy2 | High-precision math |
z3-solver | SMT constraint solver |
sympy | Symbolic mathematics |
SageMath | Not bundled in the current Kali rolling image |
RsaCtfTool | RSA attack automation ( |
cado-nfs | Integer factorization for large keys ( |
Networking
Tool | Description |
scapy | Packet crafting and sniffing (Python) |
tcpdump | Packet capture |
socat | Multipurpose relay / socket tool |
netcat | TCP/UDP networking utility |
proxychains4 | Proxy routing for arbitrary tools |
openvpn | VPN client |
wireguard-tools | WireGuard VPN |
Pivoting
Tool | Description |
chisel | TCP/UDP tunnel over HTTP (Go binary + Windows .exe in |
ligolo-ng (v0.7.5) | Tunneling — proxy + agents for Linux & Windows (in |
socat | Port forwarding and relay |
Privilege Escalation
Tool | Description | Location |
LinPEAS | Linux privilege escalation audit script |
|
WinPEAS | Windows privilege escalation audit (x64, x86, .bat) |
|
Mimikatz | Windows credential extraction |
|
RunasCs.exe | Windows runas with explicit credentials |
|
Tunneling & Remote Access
Tool | Description |
cloudflared | Cloudflare Tunnel client (expose services without port-forwarding) |
ngrok | Instant public URLs for local services |
Media & Containers
Tool | Description |
ffmpeg | Audio/video processing and conversion |
sox | Sound processing and analysis (+ all format plugins) |
podman | Rootless container engine (needs |
numpy | Numerical computing (Python) |
scipy | Scientific computing (Python) |
Callback Catcher
A custom built-in HTTP + DNS callback listener for isolated networks where external services like webhook.site can't reach your targets. Managed via the callback_catcher MCP module.
Browser Automation
Tool | Description |
Playwright (Chromium) | Headless browser for SPA testing, screenshots, JS-rendered pages |
Wordlists
Pre-installed: rockyou.txt (decompressed), SecLists, and symlinked wordlists at /usr/share/wordlists/dirb/ for tool compatibility.
Python Dependencies
From requirements.txt — installed inside the container:
Flask, Werkzeug # API server
requests # HTTP client
paramiko # SSH
mcp # MCP protocol (client)
playwright # Browser automation
pwntools # Binary exploitation
sympy, gmpy2 # Math
pycryptodome, z3-solver # Crypto & SMT solving
angr # Binary analysis
scapy # Packet crafting
Pillow # Image processing (stego)
beautifulsoup4 # HTML parsing
impacket==0.13.0 # AD attacks (pinned)
ldapdomaindump, pywinrm # AD support
pexpect # Terminal automation
python-dotenv # Environment configAdditional pip packages installed during build: bloodyAD, certipy-ad, bloodhound, pywhisker, coercer, fierce, arjun, dementor, commix, ghauri, jwt-tool, graphw00f, clairvoyance, xnLinkFinder, paramspider, mitmproxy, waymore, ssh-audit, volatility3, numpy, scipy.
Configuration
Environment Variables
Variable | Default | Description |
|
| Flask server port |
|
| Enable debug logging |
|
| Default command timeout (seconds) |
| — | Comma-separated CIDRs to route (e.g. |
| — | Comma-separated |
|
| Host directory mounted at |
|
| MCP client: URL of the Kali Flask server |
Docker Compose
# Standard (bridge networking, port-mapped)
docker compose up -d
# Host networking (Linux only — direct access to host network/VPN interfaces)
docker compose -f docker-compose.yml -f docker-compose.host.yml up -dThe compose file grants NET_RAW + NET_ADMIN capabilities and provides /dev/net/tun for VPN and Ligolo support.
Design Decisions
Decision | Rationale |
Fail-fast build | Dockerfile fails the build if tools can't install — no |
netexec over crackmapexec | crackmapexec is deprecated. netexec is installed from the Kali repos as the primary SMB/LDAP/WinRM tool. |
Custom callback catcher | For isolated CTF/pentest networks where webhook.site or interactsh can't reach your targets. Built-in HTTP + DNS listener. |
AI-agent optimized output |
|
impacket pinned to 0.13.0 | Ensures stable AD tool behavior across rebuilds. |
Separate client/server | MCP client is a lightweight PyPI package ( |
Project Structure
zebbern-kali-mcp/
├── Dockerfile # Multi-layer Kali image build
├── docker-compose.yml # Standard bridge-mode deployment
├── docker-compose.host.yml # Host networking overlay (Linux)
├── entrypoint.sh # Container init (routes, hosts, TUN, IP forwarding)
├── requirements.txt # Python dependencies for the container
├── pyproject.toml # PyPI package config for the MCP client
├── mcp_server.py # MCP client entrypoint (FastMCP server)
│
├── mcp_tools/ # MCP CLIENT (runs on host)
│ ├── _client.py # KaliToolsClient — HTTP transport
│ ├── kali_tools.py # Nmap, Nikto, Gobuster, SQLMap, etc.
│ ├── ad_tools.py # Active Directory tools
│ ├── callback_catcher.py # HTTP/DNS callback listener
│ └── ... (17 modules) # One module per tool category
│
├── zebbern-kali/ # FLASK SERVER (runs in Docker)
│ ├── kali_server.py # Flask app entry point
│ ├── api/
│ │ ├── routes.py # Blueprint registration
│ │ └── blueprints/ # 17 Flask blueprints (one per module)
│ │ ├── tools.py # Scanning tools routes
│ │ ├── ad.py # AD tool routes
│ │ ├── callback.py # Callback catcher routes
│ │ └── ...
│ ├── core/ # Business logic
│ │ ├── config.py # Configuration & constants
│ │ ├── command_executor.py # Subprocess execution
│ │ ├── ad_tools.py # AD tool logic
│ │ └── ...
│ └── tools/
│ └── kali_tools.py # Tool wrappers
│
├── vpn/ # Mount point for VPN configs
└── README.md # Project overview and setup guideUsage
Once installed, ask your AI assistant to use the Kali tools:
"Scan 10.10.10.5 with nmap" "Run nuclei against example.com" "Connect to the HTB VPN and start recon" "Enumerate AD with bloodhound against dc01.corp.local" "Start a callback listener on port 8080"
The assistant calls MCP tools, which make HTTP requests to the Flask API inside Docker — no manual commands needed.
Documentation
This README is the primary source of truth for setup, usage, and tool reference. The separate MkDocs site and legacy VM install docs were removed.
Security Warning
⚠️ This server provides unrestricted access to powerful penetration testing tools.
Never expose to the public internet
Only run on isolated networks or authorized test environments
Use strong authentication if accessible remotely
Ensure you have proper authorization before testing any systems
The container runs as
root— this is intentional for pentest tools but increases risk
Contributing
Contributions welcome! Please open a pull request with a clear summary of changes and any relevant test notes.
Built on the Model Context Protocol · Created by Zebbern
This server cannot be installed
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/zebbern/zebbern-kali-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server