A Model Context Protocol (MCP) server that provides comprehensive network scanning capabilities using nmap. Designed for security professionals and penetration testers, this server can execute scans either locally or via SSH on a remote Kali Linux box for security isolation.
- Multiple Scan Types: Port scanning, service detection, OS fingerprinting, vulnerability assessment
- NSE Script Support: Run 600+ Nmap Scripting Engine scripts
- Flexible Execution: Run locally or via SSH to a remote scanning host
- Structured Output: Parsed XML results formatted as readable Markdown
- Security-First: Input validation to prevent command injection
- Stealth Options: Decoys, fragmentation, timing controls for evasive scanning
# Clone the repository
git clone https://github.com/schwarztim/sec-nmap-mcp.git
cd sec-nmap-mcp
# Install dependencies
npm install
# Build
npm run build| Variable | Description | Default |
|---|---|---|
NMAP_SSH_HOST |
SSH host for remote execution | kali |
NMAP_SSH_USER |
SSH username (optional) | Uses SSH config default |
NMAP_SSH_KEY |
Path to SSH private key (optional) | Uses SSH config default |
NMAP_LOCAL |
Set to "true" to run nmap locally |
false |
Add to your claude_desktop_config.json:
{
"mcpServers": {
"nmap": {
"command": "node",
"args": ["/path/to/sec-nmap-mcp/dist/index.js"],
"env": {
"NMAP_SSH_HOST": "kali",
"NMAP_LOCAL": "false"
}
}
}
}For local execution:
{
"mcpServers": {
"nmap": {
"command": "node",
"args": ["/path/to/sec-nmap-mcp/dist/index.js"],
"env": {
"NMAP_LOCAL": "true"
}
}
}
}| Tool | Description |
|---|---|
nmap_scan |
Basic port scan with customizable options |
nmap_quick_scan |
Fast scan of common ports (-F) |
nmap_ping_sweep |
Host discovery without port scanning (-sn) |
| Tool | Description |
|---|---|
nmap_service_scan |
Service version detection (-sV) |
nmap_os_detect |
OS fingerprinting (-O) |
nmap_comprehensive_scan |
Full scan: SYN + version + OS + scripts |
nmap_stealth_scan |
Evasive scan with decoys and fragmentation |
| Tool | Description |
|---|---|
nmap_script_scan |
Run specific NSE scripts |
nmap_vuln_scan |
Vulnerability assessment scripts |
| Tool | Description |
|---|---|
nmap_status |
Check nmap availability and configuration |
nmap_parse_output |
Parse existing nmap XML output |
Scan target 192.168.1.1 for open ports
Run a service scan on 10.0.0.0/24 ports 22,80,443
Run a vulnerability scan on target.example.com
Perform a stealth scan on 192.168.1.100 using random decoys
Find all live hosts on 192.168.1.0/24
Run the http-title and ssl-cert scripts on example.com port 443
Running nmap via SSH to a dedicated Kali Linux box provides:
- Isolation: Scans originate from a controlled environment
- Privilege Management: Root access for advanced scans without local elevation
- Audit Trail: Centralized logging on the scanning host
- Network Segmentation: Scan traffic separated from workstation
The server validates all inputs to prevent command injection:
- Targets are validated against allowed character patterns
- Dangerous shell characters are blocked
- Port specifications are strictly validated
This tool is intended for:
- Security assessments with proper authorization
- Network inventory and management
- Educational purposes
Always ensure you have proper authorization before scanning any network or system.
# Watch mode for development
npm run dev
# Build for production
npm run build
# Run the server
npm start- Node.js 18+
- nmap installed (locally or on SSH target)
- SSH access to remote host (if using remote execution)
MIT License - see LICENSE for details.
Contributions are welcome! Please feel free to submit a Pull Request.
- Nmap - The Network Mapper
- Model Context Protocol - AI tool integration standard