🔍 RFS MCP Pentesting Server

Comprehensive Model Context Protocol server providing extensive pentesting and reconnaissance tools

Total Tools

📚 Tool Categories

Dns (10 tools)

🌐DNS A Record Lookup

Description: Returns IPv4 addresses (A records) for a domain.

Usage: {"domain": "example.com"}

Example Response: {"content": [ { "type": "text", "text": "A records: 93.184.216.34" } ]}

🌐DNS MX Record Lookup

Description: Returns mail exchange (MX) records for a domain.

Usage: {"domain": "example.com"}

Example Response: {"content": [ { "type": "text", "text": "MX records: 10 mail.example.com." } ]}

🌐DNS TXT Record Lookup

Description: Returns TXT records for a domain.

Usage: {"domain": "example.com"}

Example Response: {"content": [ { "type": "text", "text": "TXT records: v=spf1 include:_spf.example.com ~all" } ]}

🌐DNS CNAME Record Lookup

Description: Returns CNAME records for a domain.

Usage: {"domain": "www.example.com"}

Example Response: {"content": [ { "type": "text", "text": "CNAME records: example.com." } ]}

🌐DNS NS Record Lookup

Description: Returns nameserver (NS) records for a domain.

Usage: {"domain": "example.com"}

Example Response: {"content": [ { "type": "text", "text": "NS records: ns1.example.com., ns2.example.com." } ]}

✉️SMTP Record Audit

Description: Checks for SPF, DKIM, and DMARC records for a domain using DNS TXT lookups.

Usage: {"domain": "example.com"}

Example Response: {"content": [ { "type": "text", "text": "SPF: v=spf1 include:_spf.example.com ~all\nDKIM: Not found\nDMARC: v=DMARC1; p=none; rua=mailto:dmarc@example.com" } ]}

🔎Subdomain Enumerator

Description: Checks which subdomains of a given domain resolve.

Usage: {"domain": "example.com", "subdomains": ["www", "mail", "test"]}

Example Response: {"content": [ { "type": "text", "text": "Valid subdomains: www.example.com, mail.example.com" } ]}

🔍Subdomain Takeover Checker

Description: Checks for common takeover risk patterns on a domain.

Usage: {"domain": "example.com"}

Example Response: {"content": [ { "type": "text", "text": "Potential takeover risk: amazonaws.com, herokuapp.com, github.io, azurewebsites.net, cloudfront.net, fastly.net, pages.dev, readthedocs.io, surge.sh, bitbucket.io, pantheonsite.io, zendesk.com, helpjuice.com, desk.com, statuspage.io, wordpress.com, wpengine.com, unbouncepages.com, uservoice.com, campaignmonitor.com, helpscout.docs, cargocollective.com, simplebooklet.com, flywheelstaging.com, aftership.com, intercom.io, myshopify.com, shopify.com, ghost.io, tumblr.com, launchrock.com, instapage.com, smartling.com, teamwork.com, tictail.com, proposify.biz, simplecast.com, feedpress.me" } ]}

🔍Certificate Transparency Search

Description: Searches for subdomains of a given domain from crt.sh.

Usage: {"domain": "example.com"}

Example Response: {"content": [ { "type": "text", "text": "Subdomains: example.com, subdomain.example.com" } ]}

🌐DNS Zone Transfer Tester

Description: Simulates a DNS zone transfer attempt to check for vulnerabilities.

Usage: {"domain": "example.com"}

Example Response: {"content": [ { "type": "text", "text": "AXFR not supported in this environment. Use a local tool for real testing." } ]}

Security (16 tools)

🛡️HTTP Security Header Checker

Description: Reports on the presence/absence of important security headers for a URL.

Usage: {"url": "https://example.com"}

Example Response: {"content": [ { "type": "text", "text": "Security Headers:\ncontent-security-policy: ..." } ]}

🛡️SSL/TLS Certificate Info

Description: Retrieves SSL certificate details for a domain.

Usage: {"domain": "example.com"}

Example Response: {"content": [ { "type": "text", "text": "Subject: ...\nIssuer: ..." } ]}

🔍Port Scanner

Description: Scans common ports on a given host.

Usage: {"host": "example.com", "ports": [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 8080, 8443]}

Example Response: {"content": [ { "type": "text", "text": "Open ports: 21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 8080, 8443" } ]}

👥HTTP Banner Grabber

Description: Retrieves server and powered-by information from a given URL.

Usage: {"url": "https://example.com"}

Example Response: {"content": [ { "type": "text", "text": "Server: Unknown\nX-Powered-By: Unknown" } ]}

📁Directory Listing Checker

Description: Checks if directory listing is enabled on a given URL.

Usage: {"url": "https://example.com"}

Example Response: {"content": [ { "type": "text", "text": "Directory listing is not enabled." } ]}

🔒Sensitive File Finder

Description: Checks for common sensitive files on a web server.

Usage: {"url": "https://example.com"}

Example Response: {"content": [ { "type": "text", "text": "Sensitive files found: .env, .git/config, backup.zip, config.php, db.sql, admin.bak, wp-config.php, .htpasswd, .htaccess" } ]}

🔄CORS Misconfiguration Tester

Description: Tests if a URL is vulnerable to CORS misconfiguration.

Usage: {"url": "https://example.com"}

Example Response: {"content": [ { "type": "text", "text": "Access-Control-Allow-Origin: Not set\nRisk: Not permissive" } ]}

👁️Clickjacking Test

Description: Tests if a URL is vulnerable to clickjacking.

Usage: {"url": "https://example.com"}

Example Response: {"content": [ { "type": "text", "text": "Not vulnerable to clickjacking." } ]}

🔍TRACE Method Enabled Checker

Description: Checks if a URL is vulnerable to TRACE method enabled.

Usage: {"url": "https://example.com"}

Example Response: {"content": [ { "type": "text", "text": "TRACE method enabled (status: 200)" } ]}

🔗Subresource Integrity (SRI) Checker

Description: Checks if external scripts/styles have integrity attributes.

Usage: {"url": "https://example.com"}

Example Response: {"content": [ { "type": "text", "text": "✔️ example.com/script.js\n❌ example.com/style.css" } ]}

🔄HTTP Method Enumerator

Description: Enumerates allowed HTTP methods for a given URL.

Usage: {"url": "https://example.com"}

Example Response: {"content": [ { "type": "text", "text": "Allowed methods: GET, POST, PUT, DELETE, OPTIONS" } ]}

🔄Host Header Injection Tester

Description: Tests if a URL is vulnerable to host header injection.

Usage: {"url": "https://example.com"}

Example Response: {"content": [ { "type": "text", "text": "No host header injection detected." } ]}

🔑Favicon Hash Calculator

Description: Calculates the hash of a favicon on a given URL.

Usage: {"url": "https://example.com"}

Example Response: {"content": [ { "type": "text", "text": "Favicon hash: 1234567890" } ]}

🌐HTTP/2 Support Checker

Description: Checks if a URL supports HTTP/2.

Usage: {"url": "https://example.com"}

Example Response: {"content": [ { "type": "text", "text": "Likely supports HTTP/2" } ]}

🛡️HTTP Status Code Checker

Description: Fetches a URL and returns its HTTP status code.

Usage: {"url": "https://example.com"}

Example Response: {"content": [ { "type": "text", "text": "Status: 200 OK" } ]}

🛡️Hash Cracker

Description: Attempts to crack a hash using a public hash database API.

Usage: {"hash": "5d41402abc4b2a76b9719d911017c592"}

Example Response: {"content": [ { "type": "text", "text": "Plaintext: hello" } ]}

Osint (9 tools)

📧Email Reputation Check

Description: Analyzes email address reputation and risk factors

Usage: {"email": "user@example.com"}

Example Response: {"content": [ { "type": "text", "text": "Email Reputation Analysis for user@example.com:\n\nScore: 85/100\nRisk Level: LOW\n\nDetails:\nEmail format validation: PASS\nDomain reputation: GOOD\nDisposable email check: PASS\nBreach database check: CLEAN" } ]}

📞Phone Number Lookup

Description: Performs reverse phone number lookup and carrier identification

Usage: {"phone": "5551234567"}

Example Response: {"content": [ { "type": "text", "text": "Phone Number Lookup for 5551234567:\n\nCountry: United States\nCarrier: Verizon Wireless\nLine Type: mobile\nValid: Yes\nFormatted: (555) 123-4567" } ]}

👤Username Search

Description: Searches for username across multiple social media platforms

Usage: {"username": "johndoe"}

Example Response: {"content": [ { "type": "text", "text": "Username Search Results for \"johndoe\":\n\nFound on 3 platforms:\n• GitHub: https://github.com/johndoe\n• Twitter: https://twitter.com/johndoe\n• LinkedIn: https://linkedin.com/in/johndoe\n\nTotal platforms checked: 5" } ]}

🏢Company Information

Description: Gathers comprehensive information about a company

Usage: {"company": "Example Corp"}

Example Response: {"content": [ { "type": "text", "text": "Company Information for \"Example Corp\":\n\nIndustry: Technology\nEmployees: 1,250\nFounded: 2010\nWebsite: https://examplecorp.com\nLocation: San Francisco, CA\nRevenue: $1M - $10M" } ]}

🔒Data Breach Check

Description: Checks if an email address appears in known data breaches

Usage: {"email": "user@example.com"}

Example Response: {"content": [ { "type": "text", "text": "Breach Check Results for user@example.com:\n\nFound in 2 data breaches:\n• Adobe Breach (2013): 153 million records (2013-10-04)\n• LinkedIn Breach (2012): 117 million records (2012-06-05)\n\nRecommendation: Change passwords and enable 2FA" } ]}

🌐Domain Reputation

Description: Analyzes domain reputation and security status

Usage: {"domain": "example.com"}

Example Response: {"content": [ { "type": "text", "text": "Domain Reputation Analysis for example.com:\n\nReputation Score: 85/100\nRisk Level: LOW\nDomain Age: 5 years\nBlacklisted: No\nSSL Certificate: Valid" } ]}

📋WHOIS Lookup

Description: Retrieves domain registration information

Usage: {"domain": "example.com"}

Example Response: {"content": [ { "type": "text", "text": "WHOIS Information for example.com:\n\nRegistrar: GoDaddy.com, LLC\nCreation Date: 2020-01-15\nExpiration Date: 2025-01-15\nLast Updated: 2023-06-20\nStatus: active\nName Servers: ns1.example.com, ns2.example.com\nRegistrant: REDACTED FOR PRIVACY" } ]}

🖼️Reverse Image Search

Description: Performs reverse image search across multiple platforms

Usage: {"imageUrl": "https://example.com/image.jpg"}

Example Response: {"content": [ { "type": "text", "text": "Reverse Image Search Results for https://example.com/image.jpg:\n\nFound 3 platforms with matches:\n• Google Images: 25 matches\n• TinEye: 8 matches\n• Bing Images: 15 matches\n\nTotal matches: 48" } ]}

📝Email Format Finder

Description: Discovers common email formats used by a domain

Usage: {"domain": "example.com"}

Example Response: {"content": [ { "type": "text", "text": "Email Format Discovery for example.com:\n\nCommon email formats:\n• firstname.lastname@domain.com\n• firstname@domain.com\n• f.lastname@domain.com\n• firstname_lastname@domain.com\n\nConfidence: 85%" } ]}

🚀 Getting Started

This MCP server provides a comprehensive suite of pentesting and reconnaissance tools organized into logical categories:

DNS Tools: Domain reconnaissance, record lookups, and subdomain enumeration
Security Tools: Vulnerability assessment, header analysis, and security testing
OSINT Tools: Open source intelligence gathering and analysis
GEOINT Tools: Geospatial intelligence and location-based analysis
BGP Tools: Border Gateway Protocol analysis and routing information
Cloud Tools: Cloud service reconnaissance and configuration analysis
Web Tools: Web application testing and analysis
Red Team Tools: Advanced penetration testing and exploitation tools

⚙️ Configuration

The server supports various API keys for enhanced functionality:

MCP Server API Key: For internal server authentication (default: RFS)
Shodan API Key: For enhanced internet-wide scanning capabilities
Censys API Key: For certificate and host discovery
BinaryEdge API Key: For network reconnaissance
VirusTotal API Key: For malware analysis and reputation checking
SecurityTrails API Key: For historical DNS and domain data

🛡️ Security Features

Rate Limiting: Built-in rate limiting to prevent abuse
Input Validation: Comprehensive parameter validation using Zod schemas
Error Handling: Graceful error handling with detailed error messages
Logging: Comprehensive logging for debugging and monitoring

📊 Performance

Built on Cloudflare Workers for:

Global Distribution: Low-latency access worldwide
High Availability: 99.9% uptime guarantee
Scalability: Automatic scaling based on demand
Security: Built-in DDoS protection and SSL/TLS