An MCP server that gives AI coding agents (Claude Code, Codex, Cline) safe, structured network & security reconnaissance tools — DNS, WHOIS, TLS, HTTP headers, and port scanning. For authorized testing and education only.
Project description
recon-mcp
English | 繁體中文
An MCP server that gives AI coding agents — Claude Code, Codex, Cline, and any MCP client — safe, structured network and security reconnaissance tools.
Most MCP servers wrap CRUD APIs. recon-mcp instead exposes the kind of
read-only recon an engineer reaches for when investigating an asset, and returns
clean JSON — with a graded verdict — so the agent can reason over results
instead of parsing console output.
⚠️ Authorized use only. These tools are for security testing of assets you own or have explicit written permission to assess, for CTF practice, and for education. Do not point them at third-party infrastructure without authorization. You are responsible for how you use this software.
Tools
| Tool | What it does |
|---|---|
recon_report |
Start here. One call → DNS, TLS, and HTTP headers checked together, with an overall grade |
dns_recon |
DNS + WHOIS + email security (SPF/DMARC/DKIM), graded |
subdomain_enum |
Discover subdomains via DNS brute-force and/or Certificate Transparency logs |
subdomain_takeover |
Check subdomains for a dangling-CNAME takeover risk against known services |
tls_check |
Certificate, protocols, ciphers, and known TLS vulnerabilities, graded |
http_headers_audit |
HTTP security headers (CSP, HSTS, X-Frame-Options, …), graded |
cookie_audit |
Redirect chain + cookie flags (Secure / HttpOnly / SameSite), graded |
cors_check |
CORS policy probe — flags arbitrary-Origin reflection and wildcard misuse |
well_known_audit |
Fetches & parses security.txt (RFC 9116) and robots.txt |
ip_info |
Resolves the host and enriches its IP via RDAP (owner, country, CIDR, abuse) |
port_scan |
TCP port scan of one host (≤1024 ports/call), open ports + services |
Example
Just ask your agent: "run a security recon report on example.com." It calls
recon_report once and gets a graded overview it can act on:
{
"domain": "example.com",
"overall_grade": "F",
"summary": "Overall posture F: email A, TLS B, headers F; 13 actionable issue(s).",
"components": {
"email": { "grade": "A", "issues": [] },
"tls": { "grade": "B", "issues": [] },
"headers": { "grade": "F", "issues": [
{ "severity": "high", "label": "Missing Content-Security-Policy", "detail": "CSP not set; cannot restrict resource load sources" }
] }
}
}
Need more detail on one area? The agent can call dns_recon, subdomain_enum,
subdomain_takeover, tls_check, http_headers_audit, cookie_audit,
cors_check, well_known_audit, ip_info, or port_scan directly.
Install
Requires Python ≥ 3.10. Runs on Linux, macOS, and Windows (tested in CI).
Recommended — no clone, via uv:
uvx recon-kit-mcp
Or from source (for development):
git clone https://github.com/nan786521/recon-mcp
cd recon-mcp
python -m venv .venv
# Windows
.venv\Scripts\activate
# macOS / Linux
source .venv/bin/activate
pip install -e .
Use with Claude Code
Add the server (stdio transport). With uvx you don't need an absolute path:
claude mcp add recon -- uvx recon-kit-mcp
Or add it manually to any MCP client config:
{
"mcpServers": {
"recon": {
"command": "uvx",
"args": ["recon-kit-mcp"]
}
}
}
(From a source checkout, point the command at /absolute/path/to/.venv/bin/recon-kit-mcp instead.)
Then just ask: "run a security recon report on example.com" — or target one area, e.g. "check the email security of example.com."
The server also ships a security_recon prompt: pick it from your client's
prompt menu and pass a domain for a guided, severity-sorted audit.
Tool reference
recon_report(domain, timeout?) -> dict
Runs DNS/email, TLS, and HTTP-header checks together and returns overall_grade
(as weak as the weakest component), a one-line summary, and components
(email / tls / headers), each with its grade and actionable issues.
Uses a fast single-handshake TLS check for speed — call tls_check for the full
cipher/vulnerability analysis. The best starting point; use the tools below for
raw detail.
dns_recon(domain, checks?, timeout?) -> dict
- records — A, AAAA, MX, NS, TXT, SOA, CNAME, CAA records
- whois — parsed registration fields + raw WHOIS text
- email — SPF, DMARC, and DKIM posture, plus a graded
assessment(letter grade A–F, a summary, and per-check findings with severity and a recommended fix)
checks is any subset of ["records", "whois", "email"]; omit it to run all.
subdomain_enum(domain, wordlist?, source="dns", timeout?) -> dict
Discovers subdomains from two complementary sources:
source="dns"(default) — resolves candidate labels via DNS.wordlistis comma-separated labels ("www,api,dev"); omit it for a built-in common list. Capped at 512 candidates per call. Returns resolvedips.source="ct"— queries public Certificate Transparency logs (crt.sh) for every name ever certified for the domain. Fully passive; finds real hosts no wordlist would guess.source="both"— runs both and merges, recording which source(s) saw each host.
Returns sources, found_count, and found (each with subdomain, the
sources that saw it, and ips when resolved).
subdomain_takeover(hosts, timeout?) -> dict
Checks subdomains for a dangling-CNAME takeover — a subdomain that CNAMEs to
a third-party service (GitHub Pages, S3, Heroku, Azure, Fastly, Shopify, …)
whose resource was deleted or never claimed, letting anyone who registers that
resource serve content on the victim's subdomain. For each host it resolves the
CNAME, recognizes known takeover-prone services, fetches the page, and flags
the provider's "unclaimed resource" fingerprint and/or a CNAME target that no
longer resolves. hosts is one hostname or a comma-separated list (capped at
100). Read-only — DNS lookups plus one HTTP GET per host. Pair it with
subdomain_enum: enumerate first, then check the interesting hosts.
Returns checked, vulnerable_count, and results (each with host, cname,
service, status, vulnerable, severity, and detail). status is one of
not_applicable, not_vulnerable, potential, dangling_cname, or
vulnerable.
tls_check(host, port=443, timeout?) -> dict
Returns grade, certificate (validity / expiry / key algorithm),
protocols (flags legacy SSLv3 / TLS 1.0 / 1.1), cipher info,
forward_secrecy, hsts, vulnerabilities (each with a vulnerable flag),
and a findings list.
http_headers_audit(host, port?, use_ssl=True, timeout?) -> dict
Returns grade, score, the observed security headers, and a findings
list with a recommendation per header. Defaults to HTTPS (port 443).
cookie_audit(host, port?, use_ssl=True, timeout?) -> dict
Follows the redirect chain from the host (capped at 10 hops, flagging any
HTTPS→HTTP downgrade) and audits every Set-Cookie seen for the Secure,
HttpOnly, and SameSite flags. Returns redirect_chain, final_url,
cookies (flags only — values are never returned), cookie_grade,
cookie_score, and a findings list.
cors_check(host, port?, use_ssl=True, timeout?) -> dict
Sends one GET with an untrusted Origin and inspects the
Access-Control-Allow-Origin / -Allow-Credentials response. Reflecting an
arbitrary Origin with credentials is high severity (any site can read
authenticated responses); a wildcard or trusted null origin are lesser issues.
Returns acao, allows_credentials, reflects_origin, wildcard, severity,
and findings.
well_known_audit(host, timeout?) -> dict
Fetches and parses security.txt (RFC 9116, tried at /.well-known/ then the
legacy path) and robots.txt. Returns security_txt (parsed fields, structural
issues, location) and robots_txt (sitemaps, disallow/allow paths,
user_agents), each with a present flag.
ip_info(host, timeout?) -> dict
Resolves the host's IP and looks it up in the public RDAP registry (via
rdap.org's bootstrap to the right RIR). Returns ip and rdap (handle,
name, country, cidr, org, abuse_email).
port_scan(host, ports?, timeout?) -> dict
TCP connect scan of a single host. ports is a string — "22,80,443", a
range "1-1024", or a mix — and omitting it scans a built-in common-port set.
Hard-capped at 1024 ports per call (single-host recon, not mass scanning).
Returns host, ip, scanned, open_count, and open_ports (port +
service). Scan only hosts you are authorized to assess.
License
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file recon_kit_mcp-0.9.0.tar.gz.
File metadata
- Download URL: recon_kit_mcp-0.9.0.tar.gz
- Upload date:
- Size: 66.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
51dfbfb33239a940e5bb38d9c82ff1bb43872934e1687e90730d2c22abc63b10
|
|
| MD5 |
64a9e1c33536daf41bf5799c42b74bd4
|
|
| BLAKE2b-256 |
bbe80f4c068bc46928bceac72270d7c75bce076a3e0b15b01a3714a3a95393ae
|
Provenance
The following attestation bundles were made for recon_kit_mcp-0.9.0.tar.gz:
Publisher:
publish.yml on nan786521/recon-mcp
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
recon_kit_mcp-0.9.0.tar.gz -
Subject digest:
51dfbfb33239a940e5bb38d9c82ff1bb43872934e1687e90730d2c22abc63b10 - Sigstore transparency entry: 1908012915
- Sigstore integration time:
-
Permalink:
nan786521/recon-mcp@23c4e846586f835f3593fe1981e3a86d5435b8c3 -
Branch / Tag:
refs/tags/v0.9.0 - Owner: https://github.com/nan786521
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@23c4e846586f835f3593fe1981e3a86d5435b8c3 -
Trigger Event:
push
-
Statement type:
File details
Details for the file recon_kit_mcp-0.9.0-py3-none-any.whl.
File metadata
- Download URL: recon_kit_mcp-0.9.0-py3-none-any.whl
- Upload date:
- Size: 55.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ad6151c48c73ed3a99c91173dddb52b7bb1f0c7e875b36114fd7360cb3fb5cb3
|
|
| MD5 |
8fa4ae6eb1dd6c0bf9e52ac5960f93ab
|
|
| BLAKE2b-256 |
68389f82e9c7c286958a240b6dacb18ce8391b82e2fc18933ff86d91402655da
|
Provenance
The following attestation bundles were made for recon_kit_mcp-0.9.0-py3-none-any.whl:
Publisher:
publish.yml on nan786521/recon-mcp
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
recon_kit_mcp-0.9.0-py3-none-any.whl -
Subject digest:
ad6151c48c73ed3a99c91173dddb52b7bb1f0c7e875b36114fd7360cb3fb5cb3 - Sigstore transparency entry: 1908013101
- Sigstore integration time:
-
Permalink:
nan786521/recon-mcp@23c4e846586f835f3593fe1981e3a86d5435b8c3 -
Branch / Tag:
refs/tags/v0.9.0 - Owner: https://github.com/nan786521
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@23c4e846586f835f3593fe1981e3a86d5435b8c3 -
Trigger Event:
push
-
Statement type: