Hunter
AI-driven penetration testing MCP server that equips Claude with 13 tools for automated reconnaissance, analysis, vulnerability validation, and exploitation.
README
Hunter v7 - AI-Driven Penetration Testing Framework
Overview
Hunter is an AI-driven penetration testing framework that combines automated tools with intelligent analysis. Claude is the brain, and the tools are the hands.
Tool Inventory
Go-based Tools (28 tools)
| Tool | Purpose | Version |
|---|---|---|
| nuclei | Vulnerability scanner | v3.8.0 |
| subfinder | Subdomain discovery | Latest |
| naabu | Port scanner | Latest |
| httpx | HTTP toolkit | Latest |
| katana | Web crawler | Latest |
| gau | URL fetcher | Latest |
| uncover | Host discovery | Latest |
| tlsx | TLS toolkit | Latest |
| cdncheck | CDN detection | Latest |
| mapcidr | CIDR toolkit | Latest |
| ffuf | Web fuzzer | v2.1.0 |
| gobuster | Directory brute-forcer | Latest |
| dnsx | DNS toolkit | Latest |
| dalfox | XSS scanner | Latest |
| notify | Notification tool | Latest |
| amass | Attack surface mapping | Latest |
| waybackurls | Wayback URL fetcher | Latest |
| assetfinder | Asset discovery | Latest |
| httprobe | HTTP prober | Latest |
| unfurl | URL parser | Latest |
| meg | Request sender | Latest |
| anew | Line appender | Latest |
| qsreplace | Query string replacer | Latest |
| subjack | Subdomain takeover | Latest |
| hakrevdns | Reverse DNS | Latest |
| hakrawler | Web crawler | Latest |
| getjs | JS file discovery | Latest |
| subjs | JS file discovery | Latest |
Python Tools (8 tools)
| Tool | Purpose |
|---|---|
| sqlmap | SQL injection |
| wafw00f | WAF detection |
| dirsearch | Directory scanner |
| whatweb | Web technology identifier |
| wpscan | WordPress scanner |
| droopescan | CMS scanner |
| hashid | Hash identifier |
| arjun | Hidden parameter discovery |
System Tools (3 tools)
| Tool | Purpose | Version |
|---|---|---|
| nmap | Network scanner | 7.80 |
| nikto | Web server scanner | Latest |
| curl | HTTP client | Latest |
Special Tools (4 tools)
| Tool | Purpose |
|---|---|
| impacket | Network protocols library |
| jwt_tool | JWT testing |
| perl | Scripting runtime |
| Python 3.14 | Scripting runtime |
Wordlists
Location: C:\Tools\wordlists\
| File | Size | Description |
|---|---|---|
| common.txt | 367 B | Common web paths |
| big.txt | 162.5 KB | Large web paths |
| raft-small-directories.txt | 159.4 KB | Small directory list |
| raft-small-files.txt | 144.9 KB | Small file list |
| raft-medium-directories.txt | 244.6 KB | Medium directory list |
| raft-medium-files.txt | 219.1 KB | Medium file list |
| raft-large-directories.txt | 529.3 KB | Large directory list |
| raft-large-files.txt | 482 KB | Large file list |
| quickhits.txt | 39.2 KB | Quick hits |
| logins.txt | 1.1 KB | Login paths |
| wordpress.txt | 57.6 KB | WordPress paths |
| api-endpoints.txt | 4.3 KB | API endpoints |
| subdomains-top1million-5000.txt | 29.4 KB | Top 5K subdomains |
| subdomains-top1million-110000.txt | 1.3 MB | Top 110K subdomains |
| dns-Jhaddix.txt | 25.3 MB | DNS wordlist |
| usernames.txt | 112 B | Common usernames |
Quick Scan Scripts
Reconnaissance
.\quick_recon.ps1 -Target example.com
Vulnerability Scanning
.\quick_vuln.ps1 -Target https://example.com
Web Application Testing
.\quick_web.ps1 -Target https://example.com
Core Scanner
python hunter_core.py recon example.com
python hunter_core.py vuln https://example.com
python hunter_core.py web https://example.com
MCP Server
from mcp_server import get_hunter
hunter = get_hunter()
# Subdomain enumeration
result = hunter.subfinder_enum("example.com")
# Vulnerability scanning
result = hunter.nuclei_scan("https://example.com", severity="critical,high")
# Port scanning
result = hunter.naabu_scan("example.com", "top-1000")
# XSS testing
result = hunter.dalfox_xss("https://example.com/?id=1")
# SQL injection
result = hunter.sqlmap_test("https://example.com/?id=1", level=3, risk=2)
Environment Variables
$env:GOPROXY = "https://goproxy.cn,direct"
$env:all_proxy = "http://127.0.0.1:7890"
Directory Structure
hunter/
├── SKILL.md # Skill definition
├── TOOLS.md # Tools inventory
├── README.md # This file
└── core/
├── hunter_core.py # Core scanner
├── mcp_server.py # MCP integration
├── tools_config.ps1 # Tools configuration
└── scripts/
├── quick_recon.ps1 # Quick reconnaissance
├── quick_vuln.ps1 # Quick vulnerability scan
└── quick_web.ps1 # Quick web scan
Usage Examples
Full Reconnaissance
# 1. Subdomain enumeration
subfinder -d example.com -o subdomains.txt
# 2. DNS resolution
cat subdomains.txt | dnsx -o resolved.txt
# 3. HTTP probing
cat resolved.txt | httpx -o live.txt
# 4. Port scanning
cat live.txt | naabu -top-ports 1000 -o ports.txt
# 5. URL discovery
gau example.com > urls.txt
katana -u https://example.com -d 3 -jc >> urls.txt
# 6. Vulnerability scanning
nuclei -l live.txt -severity critical,high,medium
Web Application Testing
# 1. Technology detection
httpx -u https://example.com -tech-detect
# 2. Directory enumeration
gobuster dir -u https://example.com -w C:\Tools\wordlists\common.txt
# 3. XSS testing
dalfox url "https://example.com/?id=1"
# 4. SQL injection
sqlmap -u "https://example.com/?id=1" --batch --level=3
# 5. Parameter discovery
arjun -u https://example.com
Network Scanning
# 1. Port scanning
nmap -sV -sC -oA scan example.com
# 2. Service enumeration
nmap -sV -p 80,443,8080 example.com
# 3. Vulnerability scanning
nmap --script vuln example.com
Tool Installation
Go Tools
$env:GOPROXY = "https://goproxy.cn,direct"
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# ... etc
Python Tools
pip install sqlmap wafw00f dirsearch whatweb wpscan droopescan hashid arjun
System Tools
winget install Nmap.Nmap
# nikto - git clone https://github.com/sullo/nikto.git
Contributing
- Add new tools to the inventory
- Update TOOLS.md
- Create wrapper scripts in core/scripts/
- Update MCP server integration
License
For authorized penetration testing only. Always obtain proper authorization before testing.
Disclaimer
本项目仅用于教育和授权安全研究目的。用户必须确保在合法授权范围内操作。使用本项目产生的任何后果由用户自行承担。
See DISCLAIMER.md for the full disclaimer.
Burp Evidence Workflow
- Export your request, response, screenshots, and any JSON notes from Burp into one folder.
- Use
core.burp_adapter.suggest_hunter_prefix(target, vuln_slug)to get a Hunter-friendly prefix. - Use
core.burp_import.import_burp_evidence(source_dir, target, vuln_slug, destination_dir)to copy and rename the files into Hunter's evidence directory. - Let Hunter pick them up automatically in the final report appendix.
One-click Burp import
.\core\scripts\quick_burp_import.ps1 -SourceDir "C:\BurpExports\gnnu" -Target "https://jwgl.gnnu.edu.cn" -VulnSlug "idor"
This copies Burp-exported request/response/screenshots/evidence files into Hunter's evidence directory using Hunter-friendly naming.
Related Projects
- Open-tgtylab — 安全研究工作台,集成逆向工程、CTF、移动安全、Web安全于一体
推荐服务器
Baidu Map
百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。
Playwright MCP Server
一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。
Magic Component Platform (MCP)
一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。
Audiense Insights MCP Server
通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。
VeyraX
一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。
graphlit-mcp-server
模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。
Kagi MCP Server
一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。
e2b-mcp-server
使用 MCP 通过 e2b 运行代码。
Neon MCP Server
用于与 Neon 管理 API 和数据库交互的 MCP 服务器
Exa MCP Server
模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。