Summary
Connects Claude directly to the HackTricks pentesting knowledge base through seven search and extraction tools. Instead of hunting through GitHub, you can ask Claude for SQL injection techniques or SUID exploitation commands and get back grouped search results, page outlines, specific sections, or just the code blocks. The quick_lookup tool handles common attacks through aliases like sqli, xss, and ssrf, collapsing what would be multiple searches into one call. Uses ripgrep under the hood for speed and includes protections against path traversal. Useful when you're mid-assessment and need to pull specific attack patterns or enumeration commands without context switching to a browser. The section extraction is smart about token efficiency, letting you grab just the SUID chapter instead of an entire privilege escalation guide.
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
HackTricks MCP Server
MCP (Model Context Protocol) server for searching and querying HackTricks pentesting documentation directly from Claude.
Features
- Quick lookup - One-shot exploitation info with alias support (sqli, xss, ssrf, etc.)
- Grouped search results - Results aggregated by file with match count, title, and relevant sections
- Page outline - Quick table of contents to identify relevant sections
- Section extraction - Read specific sections instead of full pages (token-efficient)
- Cheatsheet mode - Extract only code blocks/commands from pages
- Category browsing - Discover available topics and file paths
- Fast grep search - Uses ripgrep for instant results
- Security hardened - Protection against command injection and path traversal
Quick Start
Installation
npm install -g hacktricks-mcp-server
The postinstall script automatically clones the HackTricks repository (~2 minutes on first install).
Configure Claude Desktop
Add to your Claude settings (~/.claude/settings.json):
{
"mcpServers": {
"hacktricks": {
"command": "npx",
"args": ["hacktricks-mcp-server"]
}
}
}
Restart Claude Desktop and try: "Search HackTricks for SQL injection"
Alternative: Install from Source
git clone https://github.com/Xplo8E/hacktricks-mcp-server.git
cd hacktricks-mcp-server
git submodule update --init --recursive
npm install
npm run build
Configuration for source install:
{
"mcpServers": {
"hacktricks": {
"command": "node",
"args": ["/absolute/path/to/hacktricks-mcp-server/dist/index.js"]
}
}
}
Usage Examples
Once configured in Claude Desktop, you can ask:
- "Search HackTricks for SQL injection techniques"
- "Give me SUID privilege escalation commands"
- "Show me XSS payloads"
- "List all pentesting categories in HackTricks"
- "How do I exploit XXE vulnerabilities?"
The server provides 7 specialized tools for efficient HackTricks searching.
Available Tools
hacktricks_quick_lookup
⚡ One-shot exploitation lookup. Searches, finds best page, and returns exploitation sections + code blocks in one call.
Parameters:
topic(string, required): Attack/technique to look up (e.g., 'SUID', 'sqli', 'xss', 'docker escape')category(string, optional): Category filter for faster results
Supported aliases: sqli, xss, rce, lfi, rfi, ssrf, csrf, xxe, ssti, idor, jwt, suid, privesc
Example:
hacktricks_quick_lookup("SSRF", category="pentesting-web")
Benefits: Reduces 3+ tool calls to 1 for "how do I exploit X" questions.
search_hacktricks
Search through HackTricks documentation. Returns results GROUPED BY FILE with match count, page title, and relevant section headers.
Parameters:
query(string, required): Search term or regex patterncategory(string, optional): Filter to specific category (e.g., 'pentesting-web')limit(number, optional): Max grouped results (default: 20)
Example output:
Found matches in 5 files for: "SUID"
────────────────────────────────────────────────────────────
📄 **Linux Privilege Escalation**
Path: src/linux-hardening/privilege-escalation/README.md
Matches: 12
Sections: SUID Binaries | Finding SUID | GTFOBins
Preview:
L45: Find files with SUID bit set...
L78: Common SUID exploitation techniques...
────────────────────────────────────────────────────────────
get_hacktricks_outline
Get the table of contents of a page (all section headers). Use this BEFORE reading full pages to understand structure.
Parameters:
path(string): Relative path to markdown file
Example output:
# Linux Privilege Escalation
## Enumeration
### System Information
### Network
## SUID Binaries
### Finding SUID Files
### Exploiting SUID
## Capabilities
Benefits: See page structure in ~20 lines vs reading 500+ lines.
get_hacktricks_section
Extract a specific section from a page by header name. Much more efficient than reading the full page.
Parameters:
path(string): Relative path to markdown filesection(string): Section header to extract (partial match, case-insensitive)
Example:
get_hacktricks_section("src/linux-hardening/privilege-escalation/README.md", "SUID")
Benefits: Read just "SUID Binaries" section (~200 tokens) instead of entire page (~3000 tokens).
get_hacktricks_cheatsheet
Extract only code blocks from a page. Perfect when you just need commands, payloads, or examples.
Parameters:
path(string): Relative path to markdown file
Example output:
find / -perm -4000 2>/dev/null
./vulnerable_suid -p
Benefits: Skip explanatory text when you just need "give me the command".
get_hacktricks_page
Get full content of a HackTricks page.
Parameters:
path(string): Relative path to markdown file
Warning: Pages can be very long (3000+ tokens). Consider using get_hacktricks_outline + get_hacktricks_section instead.
list_hacktricks_categories
List categories and their contents.
Parameters:
category(string, optional): Category to expand
Without category: Lists top-level categories With category: Shows full directory tree with file paths
Efficient Usage Pattern
For optimal token usage, Claude should:
- Search with category filter → Get grouped results with context
- Get outline of relevant page → See structure before reading
- Extract specific section → Read only what's needed
- Get cheatsheet → Quick command reference
Before (inefficient):
search_hacktricks("SUID") → 50 raw lines
get_page(file1) → 3000 tokens
get_page(file2) → 2500 tokens
Total: ~5500 tokens, 3 calls
After (efficient):
search_hacktricks("SUID", category="linux-hardening") → Grouped results
get_outline(best_match) → 20 lines
get_section(best_match, "SUID") → 200 tokens
Total: ~400 tokens, 3 calls
Requirements
- Node.js (v18 or higher)
- ripgrep (
rg) - usually pre-installed on macOS/Linux - Bun (for package management)
Development
Watch mode:
bun run dev
Test locally:
bun run start
Contributing
Contributions are welcome! If you'd like to improve the server:
- Fork the repository
- Create a feature branch (
git checkout -b feature/improvement) - Make your changes and test locally
- Submit a pull request
Please ensure your PR includes tests for new features and maintains the existing code style.
License
MIT
Credits
- HackTricks by Carlos Polop
- Built with Model Context Protocol SDK
Featured
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →Categories
Registryactive
Packagehacktricks-mcp-server
TransportSTDIO
UpdatedDec 27, 2025
