{"slug": "show-hn-mcpwn-nobody-s-pentesting-their-mcp-servers-so-i-built-a-tool-for-it", "title": "Show HN: Mcpwn – nobody's pentesting their MCP servers, so I built a tool for it", "summary": "A developer released Mcpwn, an open-source CLI tool for red-teaming Model Context Protocol (MCP) servers, after finding no existing pentesting tools for the protocol. The tool supports multiple transports, enumeration, interactive shells, and integration with Burp Suite and sqlmap for security testing. It is intended for authorized research only.", "body_md": "\n\n```\n ███╗ ███╗ ██████╗██████╗ ██╗ ██╗███╗ ██╗\n ████╗ ████║██╔════╝██╔══██╗██║ ██║████╗ ██║\n ██╔████╔██║██║ ██████╔╝██║ █╗ ██║██╔██╗ ██║\n ██║╚██╔╝██║██║ ██╔═══╝ ██║███╗██║██║╚██╗██║\n ██║ ╚═╝ ██║╚██████╗██║ ╚███╔███╔╝██║ ╚████║\n ╚═╝ ╚═╝ ╚═════╝╚═╝ ╚══╝╚══╝ ╚═╝ ╚═══╝\n · MCP server recon & exploitation toolkit ·\n```\n\n**Connect → Enumerate → Call → Proxy → Inject.**\nA fast, aesthetic CLI for red-teaming [Model Context Protocol](https://modelcontextprotocol.io) servers.\n\nWarning\n\n**Research & authorized testing only.** See the [Disclaimer](#-disclaimer) before you run anything.\n\nPoint `mcpwn`\n\nat an MCP server and it will connect over **stdio / HTTP / SSE**,\nenumerate everything the server exposes, let you call tools, render prompts and\nread resources — then take it further: route every request through an\nintercepting proxy (**Burp Suite**) or hand a tool's arguments to **sqlmap** for\nSQL-injection testing.\n\n| Capability | |\n|---|---|\n| 🔌 | Multi-transport — stdio commands, Streamable HTTP, legacy SSE (auto-detected) |\n| 🔎 | Full recon — tools, prompts, resources and resource templates in clean tables |\n| 🛠 | Drive it — call tools, render prompts, read resources, inspect parameter schemas |\n| 🐚 | Interactive shell — one persistent connection, ideal for stateful servers |\n| 🛰 | Proxy-aware — funnel all HTTP/SSE traffic through Burp with one flag |\n| 💉 | sqlmap bridge — auto-build a raw injectable request (with live session id) |\n\nBuilt with [fastmcp](https://gofastmcp.com) · [rich](https://github.com/Textualize/rich) · [typer](https://typer.tiangolo.com) · [httpx](https://www.python-httpx.org).\n\nRequires [ uv](https://docs.astral.sh/uv/) and Python 3.10+.\n\n**Install straight from git** (gets you the `mcpwn`\n\ncommand, isolated):\n\n```\nuv tool install git+https://github.com/D0rs4n/mcpwn\nmcpwn --help\n```\n\nPin a ref with\n\n`@`\n\n, e.g.`uv tool install git+https://github.com/D0rs4n/mcpwn@main`\n\n. Update later with`uv tool upgrade mcpwn`\n\n; remove with`uv tool uninstall mcpwn`\n\n.\n\n**Run without installing** (ephemeral):\n\n```\nuvx --from git+https://github.com/D0rs4n/mcpwn mcpwn enum http://127.0.0.1:8765/mcp/\n```\n\n**Clone for development:**\n\n```\ngit clone https://github.com/D0rs4n/mcpwn && cd mcpwn\nuv sync # create the venv and install deps\nuv run mcpwn --help # run from the source tree\n# or expose the command on your PATH from the local checkout:\nuv tool install .\n```\n\nThe repo ships a deliberately vulnerable MCP server you can practice against.\nSpin it up, then drive it with `mcpwn`\n\n.\n\n**1. Start the example server** (in its own terminal):\n\n```\n# HTTP transport → http://127.0.0.1:8765/mcp/\nuv run python examples/vuln_server.py http\n```\n\nPrefer stdio? Skip this step —\n\n`mcpwn`\n\nwill launch the server itself as a subprocess (see the stdio examples below).\n\n**2. Enumerate everything it exposes** (in a second terminal):\n\n```\nuv run mcpwn enum http://127.0.0.1:8765/mcp/\n```\n\n**3. Drive it** — call a tool, read a resource, render a prompt:\n\n```\nuv run mcpwn call http://127.0.0.1:8765/mcp/ lookup_user -a name=alice\nuv run mcpwn read http://127.0.0.1:8765/mcp/ \"config://app\"\nuv run mcpwn shell http://127.0.0.1:8765/mcp/ # interactive session\n```\n\n**4. Take it further** — route through Burp, or fuzz a tool with sqlmap:\n\n```\nuv run mcpwn -x http://127.0.0.1:8080 enum http://127.0.0.1:8765/mcp/\nuv run mcpwn sqlmap http://127.0.0.1:8765/mcp/ lookup_user --inject name -a name=admin\n```\n\nNo server of your own? The same commands work over\n\nstdiowith no separate terminal —`mcpwn`\n\nstarts the server for you:\n\n```\nuv run mcpwn enum \"python examples/vuln_server.py\"\n```\n\nIf you installed the\n\n`mcpwn`\n\ncommand (via`uv tool install`\n\n), drop the`uv run`\n\nprefix from every command above.\n\nThe `target`\n\nis auto-detected:\n\n| Target | Transport |\n|---|---|\n`http://host:port/mcp/` |\nStreamable HTTP |\n`https://host/sse` |\nSSE (path ends `/sse` ) |\n`python server.py` / `npx -y pkg` |\nstdio (a command) |\n\nOverride with `-t/--transport http|sse|stdio`\n\n.\n\n```\n# Enumerate tools, prompts, resources and templates\nmcpwn enum http://127.0.0.1:8765/mcp/\nmcpwn enum \"python examples/vuln_server.py\" # stdio\nmcpwn enum http://host/mcp/ --only tools # filter\n\n# Inspect one tool / prompt's parameters\nmcpwn info http://host/mcp/ --tool lookup_user\n\n# Call a tool (args parsed as JSON, falling back to string)\nmcpwn call http://host/mcp/ add -a a=2 -a b=40\nmcpwn call http://host/mcp/ search --json '{\"q\":\"test\",\"limit\":5}'\n\n# Render a prompt template\nmcpwn prompt http://host/mcp/ pentest_report -a target=acme.com -a severity=high\n\n# Read a resource (fill in template params directly in the URI)\nmcpwn read http://host/mcp/ \"config://app\"\nmcpwn read http://host/mcp/ \"users://7/email\"\n\n# Connectivity check\nmcpwn ping http://host/mcp/\n\n# Interactive session (one persistent connection — good for stateful servers)\nmcpwn shell http://host/mcp/\nmcpwn> tools\nmcpwn> info lookup_user\nmcpwn> call add a=5 b=5\nmcpwn> call search {\"q\":\"x\",\"limit\":3}\nmcpwn> read config://app\nmcpwn> reconnect\nmcpwn> exit\n```\n\nEvery HTTP/SSE request can be funnelled through an intercepting proxy. Because a\nproxy like Burp presents its own CA, TLS verification is disabled automatically\nwhen `--proxy`\n\nis set (override with `-k/--insecure`\n\nas needed).\n\n```\nmcpwn -x http://127.0.0.1:8080 enum https://target/mcp/\nmcpwn -x http://127.0.0.1:8080 call https://target/mcp/ lookup_user -a name=admin\n```\n\nNow every `initialize`\n\n, `tools/list`\n\n, `tools/call`\n\n… shows up in Burp's proxy\nhistory, ready to repeat, tamper or scan.\n\n`mcpwn sqlmap`\n\nmaterialises a `tools/call`\n\nas a raw HTTP request file with the\nchosen argument marked as an injection point (`*`\n\n), ready for `sqlmap -r`\n\n. It also\nbest-effort negotiates an `Mcp-Session-Id`\n\nso stateful servers accept the replay.\n\n```\n# Write the request file and print the sqlmap command\nmcpwn sqlmap http://127.0.0.1:8765/mcp/ lookup_user --inject name -a name=admin\n\n# Or run sqlmap directly (must be on PATH), passing extra flags through\nmcpwn sqlmap http://host/mcp/ lookup_user -i name --run \\\n -s --dbms=sqlite -s --technique=BEU\n```\n\nGenerated request (`mcpwn_sqlmap.req`\n\n):\n\n```\nPOST /mcp/ HTTP/1.1\nHost: 127.0.0.1:8765\nAccept: application/json, text/event-stream\nContent-Type: application/json\nConnection: close\nMcp-Session-Id: 28f1c7d6...\nContent-Length: 119\n\n{\"jsonrpc\":\"2.0\",\"id\":2,\"method\":\"tools/call\",\"params\":{\"name\":\"lookup_user\",\"arguments\":{\"name\":\"admin*\"}}}\n```\n\nFlags: `--inject/-i `\n\n(required), `-a key=value`\n\nfor other args, `--out/-o`\n\nfor the request file, `--session-id`\n\nto supply one manually, `--no-session`\n\nto\nskip negotiation, `--run`\n\nto execute sqlmap, `--sqlmap-arg/-s`\n\nto pass flags\nthrough. Combine with `-x`\n\nto send sqlmap's traffic through Burp too.\n\n| Flag | Meaning |\n|---|---|\n`-t, --transport` |\n`auto` (default), `http` , `sse` , `stdio` |\n`-H, --header` |\nExtra HTTP header `Name: value` (repeatable) |\n`-e, --env` |\nEnv var `KEY=VALUE` for stdio servers (repeatable) |\n`-x, --proxy` |\nRoute HTTP/SSE through a proxy (e.g. Burp) |\n`-k, --insecure` |\nDisable TLS verification |\n`--timeout` |\nPer-operation timeout (default 30s) |\n`--cwd` |\nWorking directory for stdio servers |\n`--no-banner` / `--no-color` |\nQuieter output |\n\n`examples/vuln_server.py`\n\nis a deliberately vulnerable MCP server (with a SQL-\ninjectable `lookup_user`\n\ntool) for exercising every command:\n\n```\nuv run python examples/vuln_server.py http # http://127.0.0.1:8765/mcp/\nuv run python examples/vuln_server.py # stdio\n```\n\nCaution\n\n`mcpwn`\n\nis provided for security research, education, and authorized\ntesting only.\n\n```\n┌──────────────────────────────────────────────────────────────────────┐\n│ Use only against systems you OWN or have EXPLICIT WRITTEN PERMISSION │\n│ to test. Unauthorized access, scanning, or exploitation of systems │\n│ is illegal and unethical. │\n└──────────────────────────────────────────────────────────────────────┘\n```\n\nThis tool is intended for legitimate purposes such as CTFs, lab environments, and sanctioned penetration-testing engagements (e.g. learning material like HTB's AI Red Teaming track).\n\nThe author(s) provide this software **\"AS IS\", without warranty of any kind,\nexpress or implied**, and accept **no liability** for any damage, data loss,\nservice disruption, legal consequences, or other harm arising from its use or\nmisuse. **You are solely responsible** for how you use it and for ensuring you\nhave proper authorization. By using `mcpwn`\n\nyou agree to these terms.\n\nReleased under the terms in [LICENSE](/D0rs4n/mcpwn/blob/main/LICENSE). The disclaimer above applies in\naddition to, and does not limit, the warranty/liability terms of that license.", "url": "https://wpnews.pro/news/show-hn-mcpwn-nobody-s-pentesting-their-mcp-servers-so-i-built-a-tool-for-it", "canonical_source": "https://github.com/D0rs4n/mcpwn", "published_at": "2026-06-15 13:01:11+00:00", "updated_at": "2026-06-15 13:08:14.393638+00:00", "lang": "en", "topics": ["ai-tools", "ai-safety", "ai-infrastructure", "developer-tools"], "entities": ["Mcpwn", "Model Context Protocol", "Burp Suite", "sqlmap", "fastmcp", "D0rs4n", "GitHub"], "alternates": {"html": "https://wpnews.pro/news/show-hn-mcpwn-nobody-s-pentesting-their-mcp-servers-so-i-built-a-tool-for-it", "markdown": "https://wpnews.pro/news/show-hn-mcpwn-nobody-s-pentesting-their-mcp-servers-so-i-built-a-tool-for-it.md", "text": "https://wpnews.pro/news/show-hn-mcpwn-nobody-s-pentesting-their-mcp-servers-so-i-built-a-tool-for-it.txt", "jsonld": "https://wpnews.pro/news/show-hn-mcpwn-nobody-s-pentesting-their-mcp-servers-so-i-built-a-tool-for-it.jsonld"}}