Show HN: Mcpwn – nobody's pentesting their MCP servers, so I built a tool for it

A developer released Mcpwn, an open-source CLI tool for red-teaming Model Context Protocol (MCP) servers, after finding no existing pentesting tools for the protocol. The tool supports multiple transports, enumeration, interactive shells, and integration with Burp Suite and sqlmap for security testing. It is intended for authorized research only.

███╗ ███╗ ██████╗██████╗ ██╗ ██╗███╗ ██╗ ████╗ ████║██╔════╝██╔══██╗██║ ██║████╗ ██║ ██╔████╔██║██║ ██████╔╝██║ █╗ ██║██╔██╗ ██║ ██║╚██╔╝██║██║ ██╔═══╝ ██║███╗██║██║╚██╗██║ ██║ ╚═╝ ██║╚██████╗██║ ╚███╔███╔╝██║ ╚████║ ╚═╝ ╚═╝ ╚═════╝╚═╝ ╚══╝╚══╝ ╚═╝ ╚═══╝ · MCP server recon & exploitation toolkit · Connect → Enumerate → Call → Proxy → Inject. A fast, aesthetic CLI for red-teaming Model Context Protocol https://modelcontextprotocol.io servers. Warning Research & authorized testing only. See the Disclaimer -disclaimer before you run anything. Point mcpwn at an MCP server and it will connect over stdio / HTTP / SSE , enumerate everything the server exposes, let you call tools, render prompts and read resources — then take it further: route every request through an intercepting proxy Burp Suite or hand a tool's arguments to sqlmap for SQL-injection testing. | Capability | | |---|---| | 🔌 | Multi-transport — stdio commands, Streamable HTTP, legacy SSE auto-detected | | 🔎 | Full recon — tools, prompts, resources and resource templates in clean tables | | 🛠 | Drive it — call tools, render prompts, read resources, inspect parameter schemas | | 🐚 | Interactive shell — one persistent connection, ideal for stateful servers | | 🛰 | Proxy-aware — funnel all HTTP/SSE traffic through Burp with one flag | | 💉 | sqlmap bridge — auto-build a raw injectable request with live session id | Built with fastmcp https://gofastmcp.com · rich https://github.com/Textualize/rich · typer https://typer.tiangolo.com · httpx https://www.python-httpx.org . Requires uv https://docs.astral.sh/uv/ and Python 3.10+. Install straight from git gets you the mcpwn command, isolated : uv tool install git+https://github.com/D0rs4n/mcpwn mcpwn --help Pin a ref with @ , e.g. uv tool install git+https://github.com/D0rs4n/mcpwn@main . Update later with uv tool upgrade mcpwn ; remove with uv tool uninstall mcpwn . Run without installing ephemeral : uvx --from git+https://github.com/D0rs4n/mcpwn mcpwn enum http://127.0.0.1:8765/mcp/ Clone for development: git clone https://github.com/D0rs4n/mcpwn && cd mcpwn uv sync create the venv and install deps uv run mcpwn --help run from the source tree or expose the command on your PATH from the local checkout: uv tool install . The repo ships a deliberately vulnerable MCP server you can practice against. Spin it up, then drive it with mcpwn . 1. Start the example server in its own terminal : HTTP transport → http://127.0.0.1:8765/mcp/ uv run python examples/vuln server.py http Prefer stdio? Skip this step — mcpwn will launch the server itself as a subprocess see the stdio examples below . 2. Enumerate everything it exposes in a second terminal : uv run mcpwn enum http://127.0.0.1:8765/mcp/ 3. Drive it — call a tool, read a resource, render a prompt: uv run mcpwn call http://127.0.0.1:8765/mcp/ lookup user -a name=alice uv run mcpwn read http://127.0.0.1:8765/mcp/ "config://app" uv run mcpwn shell http://127.0.0.1:8765/mcp/ interactive session 4. Take it further — route through Burp, or fuzz a tool with sqlmap: uv run mcpwn -x http://127.0.0.1:8080 enum http://127.0.0.1:8765/mcp/ uv run mcpwn sqlmap http://127.0.0.1:8765/mcp/ lookup user --inject name -a name=admin No server of your own? The same commands work over stdiowith no separate terminal — mcpwn starts the server for you: uv run mcpwn enum "python examples/vuln server.py" If you installed the mcpwn command via uv tool install , drop the uv run prefix from every command above. The target is auto-detected: | Target | Transport | |---|---| http://host:port/mcp/ | Streamable HTTP | https://host/sse | SSE path ends /sse | python server.py / npx -y pkg | stdio a command | Override with -t/--transport http|sse|stdio . Enumerate tools, prompts, resources and templates mcpwn enum http://127.0.0.1:8765/mcp/ mcpwn enum "python examples/vuln server.py" stdio mcpwn enum http://host/mcp/ --only tools filter Inspect one tool / prompt's parameters mcpwn info http://host/mcp/ --tool lookup user Call a tool args parsed as JSON, falling back to string mcpwn call http://host/mcp/ add -a a=2 -a b=40 mcpwn call http://host/mcp/ search --json '{"q":"test","limit":5}' Render a prompt template mcpwn prompt http://host/mcp/ pentest report -a target=acme.com -a severity=high Read a resource fill in template params directly in the URI mcpwn read http://host/mcp/ "config://app" mcpwn read http://host/mcp/ "users://7/email" Connectivity check mcpwn ping http://host/mcp/ Interactive session one persistent connection — good for stateful servers mcpwn shell http://host/mcp/ mcpwn tools mcpwn info lookup user mcpwn call add a=5 b=5 mcpwn call search {"q":"x","limit":3} mcpwn read config://app mcpwn reconnect mcpwn exit Every HTTP/SSE request can be funnelled through an intercepting proxy. Because a proxy like Burp presents its own CA, TLS verification is disabled automatically when --proxy is set override with -k/--insecure as needed . mcpwn -x http://127.0.0.1:8080 enum https://target/mcp/ mcpwn -x http://127.0.0.1:8080 call https://target/mcp/ lookup user -a name=admin Now every initialize , tools/list , tools/call … shows up in Burp's proxy history, ready to repeat, tamper or scan. mcpwn sqlmap materialises a tools/call as a raw HTTP request file with the chosen argument marked as an injection point , ready for sqlmap -r . It also best-effort negotiates an Mcp-Session-Id so stateful servers accept the replay. Write the request file and print the sqlmap command mcpwn sqlmap http://127.0.0.1:8765/mcp/ lookup user --inject name -a name=admin Or run sqlmap directly must be on PATH , passing extra flags through mcpwn sqlmap http://host/mcp/ lookup user -i name --run \ -s --dbms=sqlite -s --technique=BEU Generated request mcpwn sqlmap.req : POST /mcp/ HTTP/1.1 Host: 127.0.0.1:8765 Accept: application/json, text/event-stream Content-Type: application/json Connection: close Mcp-Session-Id: 28f1c7d6... Content-Length: 119 {"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"lookup user","arguments":{"name":"admin "}}} Flags: --inject/-i <arg required , -a key=value for other args, --out/-o for the request file, --session-id to supply one manually, --no-session to skip negotiation, --run to execute sqlmap, --sqlmap-arg/-s to pass flags through. Combine with -x to send sqlmap's traffic through Burp too. | Flag | Meaning | |---|---| -t, --transport | auto default , http , sse , stdio | -H, --header | Extra HTTP header Name: value repeatable | -e, --env | Env var KEY=VALUE for stdio servers repeatable | -x, --proxy | Route HTTP/SSE through a proxy e.g. Burp | -k, --insecure | Disable TLS verification | --timeout | Per-operation timeout default 30s | --cwd | Working directory for stdio servers | --no-banner / --no-color | Quieter output | examples/vuln server.py is a deliberately vulnerable MCP server with a SQL- injectable lookup user tool for exercising every command: uv run python examples/vuln server.py http http://127.0.0.1:8765/mcp/ uv run python examples/vuln server.py stdio Caution mcpwn is provided for security research, education, and authorized testing only. ┌──────────────────────────────────────────────────────────────────────┐ │ Use only against systems you OWN or have EXPLICIT WRITTEN PERMISSION │ │ to test. Unauthorized access, scanning, or exploitation of systems │ │ is illegal and unethical. │ └──────────────────────────────────────────────────────────────────────┘ This tool is intended for legitimate purposes such as CTFs, lab environments, and sanctioned penetration-testing engagements e.g. learning material like HTB's AI Red Teaming track . The author s provide this software "AS IS", without warranty of any kind, express or implied , and accept no liability for any damage, data loss, service disruption, legal consequences, or other harm arising from its use or misuse. You are solely responsible for how you use it and for ensuring you have proper authorization. By using mcpwn you agree to these terms. Released under the terms in LICENSE /D0rs4n/mcpwn/blob/main/LICENSE . The disclaimer above applies in addition to, and does not limit, the warranty/liability terms of that license.