๐ HackTricks MCP Server
The HackTricks MCP Server, based on the Model Context Protocol (MCP), enables users to directly search and query the HackTricks pentesting documentation from Claude.
โจ Features
- Quick lookup: Provides one-shot exploitation information with support for aliases such as sqli, xss, ssrf, etc.
- Grouped search results: Aggregates search results by file, including match count, page title, and relevant sections.
- Page outline: Offers a quick table of contents to help identify relevant sections.
- Section extraction: Allows users to read specific sections instead of the full page, which is more token - efficient.
- Cheatsheet mode: Extracts only code blocks and commands from pages.
- Category browsing: Enables users to discover available topics and file paths.
- Fast grep search: Utilizes ripgrep for instant search results.
- Security hardened: Protects against command injection and path traversal attacks.
๐ Quick Start
๐ฆ Installation
npm install -g hacktricks-mcp-server
The post - install script will automatically clone the HackTricks repository, which may take about 2 minutes on the first install.
Configure Claude Desktop
Add the following to your Claude settings (~/.claude/settings.json):
{
"mcpServers": {
"hacktricks": {
"command": "npx",
"args": ["hacktricks-mcp-server"]
}
}
}
Restart Claude Desktop and try the query: "Search HackTricks for SQL injection"
Alternative: Install from Source
git clone https://github.com/Xplo8E/hacktricks-mcp-server.git
cd hacktricks-mcp-server
git submodule update --init --recursive
npm install
npm run build
Configuration for source install:
{
"mcpServers": {
"hacktricks": {
"command": "node",
"args": ["/absolute/path/to/hacktricks-mcp-server/dist/index.js"]
}
}
}
๐ป Usage Examples
After configuring in Claude Desktop, you can ask the following questions:
- "Search HackTricks for SQL injection techniques"
- "Give me SUID privilege escalation commands"
- "Show me XSS payloads"
- "List all pentesting categories in HackTricks"
- "How do I exploit XXE vulnerabilities?"
The server provides 7 specialized tools for efficient HackTricks searching.
๐ Documentation
Available Tools
hacktricks_quick_lookup
โก One - shot exploitation lookup. This tool searches, finds the best - matching page, and returns exploitation sections and code blocks in one call.
Parameters:
topic (string, required): The attack or technique to look up (e.g., 'SUID', 'sqli', 'xss', 'docker escape').category (string, optional): A category filter to get faster results.
Supported aliases: sqli, xss, rce, lfi, rfi, ssrf, csrf, xxe, ssti, idor, jwt, suid, privesc
Example:
hacktricks_quick_lookup("SSRF", category="pentesting-web")
Benefits: Reduces the need for 3 or more tool calls to just 1 for "how do I exploit X" questions.
search_hacktricks
Search through HackTricks documentation. Returns results GROUPED BY FILE along with match count, page title, and relevant section headers.
Parameters:
query (string, required): The search term or regex pattern.category (string, optional): Filter the search to a specific category (e.g., 'pentesting - web').limit (number, optional): The maximum number of grouped results (default: 20).
Example output:
Found matches in 5 files for: "SUID"
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ **Linux Privilege Escalation**
Path: src/linux-hardening/privilege-escalation/README.md
Matches: 12
Sections: SUID Binaries | Finding SUID | GTFOBins
Preview:
L45: Find files with SUID bit set...
L78: Common SUID exploitation techniques...
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
get_hacktricks_outline
Get the table of contents of a page (all section headers). Use this before reading full pages to understand the page structure.
Parameters:
path (string): The relative path to the markdown file.
Example output:
# Linux Privilege Escalation
## Enumeration
### System Information
### Network
## SUID Binaries
### Finding SUID Files
### Exploiting SUID
## Capabilities
Benefits: Allows you to see the page structure in about 20 lines instead of reading 500+ lines.
get_hacktricks_section
Extract a specific section from a page by its header name. This is much more efficient than reading the full page.
Parameters:
path (string): The relative path to the markdown file.section (string): The section header to extract (partial match, case - insensitive).
Example:
get_hacktricks_section("src/linux-hardening/privilege-escalation/README.md", "SUID")
Benefits: Allows you to read just the "SUID Binaries" section (about 200 tokens) instead of the entire page (about 3000 tokens).
get_hacktricks_cheatsheet
Extract only code blocks from a page. This is perfect when you only need commands, payloads, or examples.
Parameters:
path (string): The relative path to the markdown file.
Example output:
find / -perm -4000 2>/dev/null
./vulnerable_suid -p
Benefits: Helps you skip the explanatory text when you only need "give me the command".
get_hacktricks_page
Get the full content of a HackTricks page.
Parameters:
path (string): The relative path to the markdown file.
Warning: Pages can be very long (3000+ tokens). Consider using get_hacktricks_outline + get_hacktricks_section instead.
list_hacktricks_categories
List categories and their contents.
Parameters:
category (string, optional): The category to expand.
Without category: Lists top - level categories.
With category: Shows the full directory tree with file paths.
Efficient Usage Pattern
For optimal token usage, Claude should follow these steps:
- Search with category filter โ Get grouped results with context.
- Get outline of relevant page โ See the page structure before reading.
- Extract specific section โ Read only what's needed.
- Get cheatsheet โ Get a quick command reference.
Before (inefficient):
search_hacktricks("SUID") โ 50 raw lines
get_page(file1) โ 3000 tokens
get_page(file2) โ 2500 tokens
Total: ~5500 tokens, 3 calls
After (efficient):
search_hacktricks("SUID", category="linux-hardening") โ Grouped results
get_outline(best_match) โ 20 lines
get_section(best_match, "SUID") โ 200 tokens
Total: ~400 tokens, 3 calls
๐ง Technical Details
Requirements
- Node.js (v18 or higher)
- ripgrep (
rg) - usually pre - installed on macOS/Linux
- Bun (for package management)
Development
Watch mode:
bun run dev
Test locally:
bun run start
Contributing
Contributions are welcome! If you'd like to improve the server:
- Fork the repository.
- Create a feature branch (
git checkout -b feature/improvement).
- Make your changes and test locally.
- Submit a pull request.
Please ensure your PR includes tests for new features and maintains the existing code style.
๐ License
MIT
Credits
%20--%3e%3cdefs%3e%3cstyle%3e%20.st0%20{%20fill:%20%23061b40;%20}%20.st1%20{%20fill:%20%23306af1;%20}%20.st2%20{%20fill:%20%235ce5cf;%20}%20%3c/style%3e%3c/defs%3e%3cg%3e%3cpath%20class='st0'%20d='M55,10.5h9v3h-9v9h12V7.5h-12v3ZM64,19.5h-6v-3h6v3Z'/%3e%3cpolygon%20class='st0'%20points='69%2016.5%2078%2016.5%2078%2019.5%2069%2019.5%2069%2022.5%2081%2022.5%2081%2013.5%2072%2013.5%2072%2010.5%2081%2010.5%2081%207.5%2069%207.5%2069%2016.5'/%3e%3cpolygon%20class='st0'%20points='95%2010.5%2095%207.5%2083%207.5%2083%2022.5%2095%2022.5%2095%2019.5%2086%2019.5%2086%2016.5%2095%2016.5%2095%2013.5%2086%2013.5%2086%2010.5%2095%2010.5'/%3e%3cpath%20class='st0'%20d='M40,1.5v21h11.6l1.4-1.4v-7.6h0c0,0-1.4-1.5-1.4-1.5l1.4-1.4V2.9l-1.4-1.4h-11.6ZM50,19.5h-7v-6h7v6ZM50,10.5h-7v-6h7v6Z'/%3e%3c/g%3e%3cpath%20class='st1'%20d='M23.1,24L14.7,4.8l-4.9,11.2h3.8l-1.8,4H3.3L12.1,0H2C.9,0,0,.9,0,2v20c0,1.1.9,2,2,2h21.1Z'/%3e%3cpath%20class='st2'%20d='M34,0h-16.8l10.6,24h6.2c1.1,0,2-.9,2-2V2C36,.9,35.1,0,34,0ZM32.5,20h-4V4h4v16Z'/%3e%3c/svg%3e)
