recon-kit-mcp 0.2.0

An MCP server that gives AI coding agents (Claude Code, Codex, Cline) safe, structured network & security reconnaissance tools — DNS, WHOIS, TLS, HTTP headers, and port scanning. For authorized testing and education only.

recon-mcp

English | 繁體中文

An MCP server that gives AI coding agents — Claude Code, Codex, Cline, and any MCP client — safe, structured network and security reconnaissance tools.

Most MCP servers wrap CRUD APIs. recon-mcp instead exposes the kind of read-only recon an engineer reaches for when investigating an asset, and returns clean JSON — with a graded verdict — so the agent can reason over results instead of parsing console output.

⚠️ Authorized use only. These tools are for security testing of assets you own or have explicit written permission to assess, for CTF practice, and for education. Do not point them at third-party infrastructure without authorization. You are responsible for how you use this software.

Tools

Tool	What it does
dns_recon	Passive DNS + WHOIS + email-security (SPF/DMARC/DKIM) lookup, with a graded email-security assessment
tls_check	SSL/TLS inspection: certificate, protocol versions, cipher suites, forward secrecy, HSTS, OCSP, known protocol vulnerabilities — graded
http_headers_audit	Audits HTTP security response headers (CSP, HSTS, X-Frame-Options, COEP/COOP/CORP, …) — graded
port_scan	TCP connect scan of a single host (capped at 1024 ports/call), reporting open ports and services

Example

Ask your agent "check the email security of example.com" — it calls dns_recon and gets back a graded verdict it can act on, not raw records:

{
  "email": {
    "assessment": {
      "grade": "A",
      "score": 100,
      "summary": "SPF, DKIM, and DMARC are all configured and enforced.",
      "findings": [
        { "severity": "ok", "check": "SPF",   "message": "SPF present with a hard fail (\"-all\")." },
        { "severity": "ok", "check": "DKIM",  "message": "DKIM present (selector \"default\")." },
        { "severity": "ok", "check": "DMARC", "message": "DMARC enforced (p=reject)." }
      ]
    }
  }
}

A domain missing DMARC comes back as a warning finding with a concrete recommendation, and a lower grade — so the agent can tell the user exactly what to fix.

Install

Requires Python ≥ 3.10.

Recommended — no clone, via uv:

uvx recon-kit-mcp

Or from source (for development):

git clone https://github.com/nan786521/recon-mcp
cd recon-mcp
python -m venv .venv
# Windows
.venv\Scripts\activate
# macOS / Linux
source .venv/bin/activate
pip install -e .

Use with Claude Code

Add the server (stdio transport). With uvx you don't need an absolute path:

claude mcp add recon -- uvx recon-kit-mcp

Or add it manually to any MCP client config:

{
  "mcpServers": {
    "recon": {
      "command": "uvx",
      "args": ["recon-kit-mcp"]
    }
  }
}

(From a source checkout, point the command at /absolute/path/to/.venv/bin/recon-kit-mcp instead.)

Then ask the agent things like "run dns_recon on example.com and tell me if its email security is properly configured" or "audit the TLS and security headers of example.com."

Tool reference

dns_recon(domain, checks?, timeout?) -> dict

• records — A, AAAA, MX, NS, TXT, SOA, CNAME records
• whois — parsed registration fields + raw WHOIS text
• email — SPF, DMARC, and DKIM posture, plus a graded assessment (letter grade A–F, a summary, and per-check findings with severity and a recommended fix)

checks is any subset of ["records", "whois", "email"]; omit it to run all.

tls_check(host, port=443, timeout?) -> dict

Returns grade, certificate (validity / expiry / key algorithm), protocols (flags legacy SSLv3 / TLS 1.0 / 1.1), cipher info, forward_secrecy, hsts, vulnerabilities (each with a vulnerable flag), and a findings list.

http_headers_audit(host, port?, use_ssl=True, timeout?) -> dict

Returns grade, score, the observed security headers, and a findings list with a recommendation per header. Defaults to HTTPS (port 443).

port_scan(host, ports?, timeout?) -> dict

TCP connect scan of a single host. ports is a string — "22,80,443", a range "1-1024", or a mix — and omitting it scans a built-in common-port set. Hard-capped at 1024 ports per call (single-host recon, not mass scanning). Returns host, ip, scanned, open_count, and open_ports (port + service). Scan only hosts you are authorized to assess.

License

MIT