mcp-pentest
by allsmog
Overview
An AI-driven middleware to orchestrate and manage penetration testing tools and engagements.
Installation
python server.py
Security Notes
CRITICAL security risks identified. The server is highly vulnerable to command injection in its tool plugins (Nmap, Gobuster, Hydra, John, Nikto). The 'options' parameters in `execute_task` methods directly append user/LLM-supplied input to shell commands without sanitization, allowing arbitrary command execution on the host running the MCP server. Additionally, the Metasploit plugin uses hardcoded default credentials ('msf'/'password') for its RPC connection, posing a significant risk if Metasploit is active and exposed. There is also a general lack of robust input validation for parameters passed to external tools.
Similar Servers
MCP-Kali-Server
Enabling AI-driven offensive security testing by bridging AI agents to a Kali Linux terminal for command execution.
burp-mcp-agents
Connects Burp Suite MCP Server to AI backends (Codex, Gemini, Ollama, LM Studio) for assisted, non-destructive vulnerability analysis using real Burp traffic.
VibeShift
VibeShift is an intelligent security agent that integrates with AI coding assistants to analyze AI-generated code for vulnerabilities, suggest remediations, and facilitate web test recording, crawling, and execution.
pentestMCP
This MCP server enables AI agents to perform automated and interactive penetration testing tasks by exposing a suite of security assessment utilities as callable tools.