HackTricks MCP Server
Enables searching and querying HackTricks pentesting documentation directly from Claude, with tools for quick lookup, grouped search results, page outlines, section extraction, and cheatsheet mode.
README
HackTricks MCP Server
MCP (Model Context Protocol) server for searching and querying HackTricks pentesting documentation directly from Claude.
Features
- Quick lookup - One-shot exploitation info with alias support (sqli, xss, ssrf, etc.)
- Grouped search results - Results aggregated by file with match count, title, and relevant sections
- Page outline - Quick table of contents to identify relevant sections
- Section extraction - Read specific sections instead of full pages (token-efficient)
- Cheatsheet mode - Extract only code blocks/commands from pages
- Category browsing - Discover available topics and file paths
- Fast grep search - Uses ripgrep for instant results
- Security hardened - Protection against command injection and path traversal
Quick Start
Installation
npm install -g hacktricks-mcp-server
The postinstall script automatically clones the HackTricks repository (~2 minutes on first install).
Configure Claude Desktop
Add to your Claude settings (~/.claude/settings.json):
{
"mcpServers": {
"hacktricks": {
"command": "npx",
"args": ["hacktricks-mcp-server"]
}
}
}
Restart Claude Desktop and try: "Search HackTricks for SQL injection"
Alternative: Install from Source
git clone https://github.com/Xplo8E/hacktricks-mcp-server.git
cd hacktricks-mcp-server
git submodule update --init --recursive
npm install
npm run build
Configuration for source install:
{
"mcpServers": {
"hacktricks": {
"command": "node",
"args": ["/absolute/path/to/hacktricks-mcp-server/dist/index.js"]
}
}
}
Usage Examples
Once configured in Claude Desktop, you can ask:
- "Search HackTricks for SQL injection techniques"
- "Give me SUID privilege escalation commands"
- "Show me XSS payloads"
- "List all pentesting categories in HackTricks"
- "How do I exploit XXE vulnerabilities?"
The server provides 7 specialized tools for efficient HackTricks searching.
Available Tools
hacktricks_quick_lookup
⚡ One-shot exploitation lookup. Searches, finds best page, and returns exploitation sections + code blocks in one call.
Parameters:
topic(string, required): Attack/technique to look up (e.g., 'SUID', 'sqli', 'xss', 'docker escape')category(string, optional): Category filter for faster results
Supported aliases: sqli, xss, rce, lfi, rfi, ssrf, csrf, xxe, ssti, idor, jwt, suid, privesc
Example:
hacktricks_quick_lookup("SSRF", category="pentesting-web")
Benefits: Reduces 3+ tool calls to 1 for "how do I exploit X" questions.
search_hacktricks
Search through HackTricks documentation. Returns results GROUPED BY FILE with match count, page title, and relevant section headers.
Parameters:
query(string, required): Search term or regex patterncategory(string, optional): Filter to specific category (e.g., 'pentesting-web')limit(number, optional): Max grouped results (default: 20)
Example output:
Found matches in 5 files for: "SUID"
────────────────────────────────────────────────────────────
📄 **Linux Privilege Escalation**
Path: src/linux-hardening/privilege-escalation/README.md
Matches: 12
Sections: SUID Binaries | Finding SUID | GTFOBins
Preview:
L45: Find files with SUID bit set...
L78: Common SUID exploitation techniques...
────────────────────────────────────────────────────────────
get_hacktricks_outline
Get the table of contents of a page (all section headers). Use this BEFORE reading full pages to understand structure.
Parameters:
path(string): Relative path to markdown file
Example output:
# Linux Privilege Escalation
## Enumeration
### System Information
### Network
## SUID Binaries
### Finding SUID Files
### Exploiting SUID
## Capabilities
Benefits: See page structure in ~20 lines vs reading 500+ lines.
get_hacktricks_section
Extract a specific section from a page by header name. Much more efficient than reading the full page.
Parameters:
path(string): Relative path to markdown filesection(string): Section header to extract (partial match, case-insensitive)
Example:
get_hacktricks_section("src/linux-hardening/privilege-escalation/README.md", "SUID")
Benefits: Read just "SUID Binaries" section (~200 tokens) instead of entire page (~3000 tokens).
get_hacktricks_cheatsheet
Extract only code blocks from a page. Perfect when you just need commands, payloads, or examples.
Parameters:
path(string): Relative path to markdown file
Example output:
find / -perm -4000 2>/dev/null
./vulnerable_suid -p
Benefits: Skip explanatory text when you just need "give me the command".
get_hacktricks_page
Get full content of a HackTricks page.
Parameters:
path(string): Relative path to markdown file
Warning: Pages can be very long (3000+ tokens). Consider using get_hacktricks_outline + get_hacktricks_section instead.
list_hacktricks_categories
List categories and their contents.
Parameters:
category(string, optional): Category to expand
Without category: Lists top-level categories With category: Shows full directory tree with file paths
Efficient Usage Pattern
For optimal token usage, Claude should:
- Search with category filter → Get grouped results with context
- Get outline of relevant page → See structure before reading
- Extract specific section → Read only what's needed
- Get cheatsheet → Quick command reference
Before (inefficient):
search_hacktricks("SUID") → 50 raw lines
get_page(file1) → 3000 tokens
get_page(file2) → 2500 tokens
Total: ~5500 tokens, 3 calls
After (efficient):
search_hacktricks("SUID", category="linux-hardening") → Grouped results
get_outline(best_match) → 20 lines
get_section(best_match, "SUID") → 200 tokens
Total: ~400 tokens, 3 calls
Requirements
- Node.js (v18 or higher)
- ripgrep (
rg) - usually pre-installed on macOS/Linux - Bun (for package management)
Development
Watch mode:
bun run dev
Test locally:
bun run start
Contributing
Contributions are welcome! If you'd like to improve the server:
- Fork the repository
- Create a feature branch (
git checkout -b feature/improvement) - Make your changes and test locally
- Submit a pull request
Please ensure your PR includes tests for new features and maintains the existing code style.
License
MIT
Credits
- HackTricks by Carlos Polop
- Built with Model Context Protocol SDK
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.