High-risk tools in Kali Linux Security Tools MCP Server
23 of the 29 tools in Kali Linux Security Tools MCP Server are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
binwalk_analyzeExecuteAnalyze and extract embedded files using Binwalk. Provide file path relative to /output directory.
-
commix_scanExecuteTest for command injection vulnerabilities using Commix. WARNING: Only test authorized applications.
-
crunch_generateExecuteGenerate custom wordlists using Crunch. Output limited to first 100 lines for safety.
-
dirb_scanExecuteBrute force directories and files on web servers using DIRB. WARNING: Only scan authorized web servers.
-
dnsenum_scanExecuteEnumerate DNS information using dnsenum. WARNING: Only scan authorized domains.
-
dnsrecon_scanExecuteDNS reconnaissance using dnsrecon. Types: std, axfr, bing, zonewalk. WARNING: Only scan authorized domains.
-
fierce_scanExecuteDNS reconnaissance and subdomain enumeration using Fierce. WARNING: Only scan authorized domains.
-
gobuster_scanExecuteFast directory and DNS brute forcing using gobuster. Modes: dir, dns, vhost. WARNING: Only scan authorized targets.
-
hydra_crackExecuteBrute force login credentials using Hydra. Services: ssh, ftp, http-get, http-post-form, etc. WARNING: Only test authorized systems.
-
john_crackExecuteCrack password hashes using John the Ripper. Provide hash file path. WARNING: Only crack authorized hashes.
-
lynis_auditExecutePerform security audit using Lynis. Scan types: system, full. Audits local system security.
-
masscan_scanExecuteFast TCP port scanner using masscan. Scans large networks quickly. WARNING: Only scan authorized targets.
-
netcat_connectExecuteConnect to TCP/UDP ports using netcat. WARNING: Only connect to authorized systems.
-
netdiscover_scanExecuteDiscover live hosts on network using ARP. WARNING: Only scan authorized networks.
-
nikto_scanExecuteScan web server for vulnerabilities using Nikto. WARNING: Only scan authorized web servers.
-
nmap_scanExecuteScan network hosts and ports using nmap. Scan types: basic, fast, intense, vuln, service. WARNING: Only scan authorized targets.
-
smtp_user_enumExecuteEnumerate SMTP users. Modes: VRFY, EXPN, RCPT. WARNING: Only test authorized mail servers.
-
sqlmap_scanExecuteTest for SQL injection vulnerabilities using sqlmap. WARNING: Only test authorized applications.
-
sslscan_testExecuteTest SSL/TLS configuration using sslscan. WARNING: Only test authorized servers.
-
testssl_testExecuteComprehensive SSL/TLS testing using testssl.sh. WARNING: Only test authorized servers.
-
wafw00f_scanExecuteDetect Web Application Firewalls (WAF) using wafw00f. WARNING: Only scan authorized sites.
-
whatweb_scanExecuteIdentify web technologies, CMS, frameworks using WhatWeb. Aggression levels: 1-4. WARNING: Only scan authorized sites.
-
wpscan_scanExecuteScan WordPress sites for vulnerabilities. Enumerate options: u (users), p (plugins), t (themes), vp (vulnerable plugins). WARNING: Only scan authorized sites.
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.