Offensive MCP Docker · Kali Linux

BUGTROTTER

V 1.0

Full Red Team MCP Server — External Recon through Active Directory Forest Compromise. Claude Code drives the entire attack chain via stdio.

by Gurudeep Mallam · Security Enthusiast · Works with any Claude model

⬡ View on GitHub ◎ Read on Medium

✓ Tested & successfully exploited in authorized vulnerable lab environments

Attack Phases

30+

Tools Baked In

KB Guides

Command to Start

How it works

Architecture & Data Flow

BUGTROTTER is not a wrapper. Claude Code connects directly to the Kali container over stdio (JSON-RPC 2.0). Every command runs inside the container as if you typed it yourself — driven by Claude.

💬

You

Describe what you found in natural language

"port 445 open, what do I check?"

→

🤖

Claude Code

Sonnet 4.6
Reads KB, decides which tool to run, chains MCP calls
JSON-RPC over stdio

→

🐉

MCP Server

mcp_server.py inside container
Receives tool calls, routes to shell / Neo4j / loot
docker exec -i kali-rt

→

🔧

Tool Arsenal

30+ tools running natively: nmap · netexec · impacket · certipy · bloodhound · hydra

→

💾

Loot Volume

Docker named volume — persists creds, hashes, tickets, notes across context resets

📖 KB Read

Claude reads GUIDE.md + attack_index.md. Looks up the open port or technique — no guessing, no hallucination.

🎯 Tool Selection

Claude picks the exact tool and flags from the attack index. Searches by port, CVE, phase, or keyword.

⚡ Execution

run_shell MCP call → command executes inside Kali container → stdout/stderr returned to Claude.

💡 Analysis

Claude reads output, extracts creds/hashes/paths, decides the next step in the kill chain.

💾 Persistence

save_note writes to /opt/loot/notes.jsonl. Creds, phase state, hashes — all survive session resets.

🔁 Loop

Claude chains the next tool automatically. From nmap → enum → exploit → pivot → DA — uninterrupted.

COMPONENT	LOCATION	PURPOSE
mcp_server.py	/opt/kali_ad_mcp/	MCP stdio server — receives JSON-RPC calls from Claude Code
GUIDE.md	/opt/ad_agent/kb/	Full container map — every path, phase, tool and exact command
attack_index.md	/opt/ad_agent/kb/	Attack lookup by port / CVE / phase — Claude searches before acting
notes.jsonl	/opt/loot/ (volume)	Persistent findings — creds, hashes, phase state across restarts
Neo4j	bolt://localhost:7687	BloodHound graph backend — Cypher path queries via bloodhound_query
.mcp.json	repo root	Claude Code config — auto-connects on `claude` with no extra setup

Kill Chain

9-Phase Attack Coverage

From a cold start with only a target subnet to full Enterprise Admin access — every phase automated through Claude MCP.

Phase 01

External Recon

nmap · masscan · whatweb · wafw00f · dnsrecon · netscan

Phase 02

Web Exploitation

gobuster · ffuf · sqlmap · curl command injection · LFI → RCE

Phase 03

Post-Exploitation

bash history · Firefox sqlite logins · .conf / .env cred hunt

Phase 04

Pivoting

Ligolo-ng L3 tunnel · chisel · SOCKS4 via paramiko SSH

Phase 05

Internal AD Recon

BloodHound · netexec spray · LDAP · adrecon · bloodyAD

Phase 06

Lateral Movement

PTH · LSA dump · SAM dump · evil-winrm · PSExec · WMIExec

Phase 07

Child Domain Compromise

impacket-secretsdump krbtgt · lookupsid child + parent SIDs

Phase 08

Forest Compromise

Cross-domain Golden Ticket · Extra SID · getST CIFS · secretsdump parent DC

Phase 09

ADCS Abuse

certipy ESC1–ESC8 · PKINIT cert auth → TGT + NT hash

MCP Capabilities

What Claude Can Do With This Tool

Claude autonomously chains these MCP tools. A single message triggers a full sequence — no manual step-by-step.

run_shell

Execute any bash command inside the Kali container — nmap, netexec, certipy, impacket-*, hashcat, evil-winrm, bloodhound-python

read_file

Read any file — KB guides, loot output, scripts. Claude reads GUIDE.md + attack_index.md before deciding what to run

write_file

Write payloads, configs, wordlists to the container filesystem — stages tools for the next phase

save_note

Persist creds, hashes, tickets, topology and phase state to /opt/loot/notes.jsonl — survives full context resets

get_notes

Restore complete engagement state from disk at session start. Context reset ≠ progress lost

bloodhound_query

Run Cypher queries against Neo4j AD graph — shortest path to Domain Admin, Kerberoastable users, delegation chains

crack_hint

Identify hash type and get the correct hashcat mode + wordlist path — no more looking up -m flags

port_check

TCP connectivity check — verify Ligolo or SOCKS4 tunnel is routing to internal subnet correctly

export_notes

Generate a full markdown session report to /opt/loot/session_report.md — clean handoff at end of engagement

list_dir

Browse container paths — checks loot, wordlists, scripts before executing to avoid duplicate work

Claude Code · kali-redteam MCP · Claude (any model)

you → I found port 445 open on 10.10.10.5. Creds: jsmith:Password1. What's the attack path?

↳ [get_notes] restoring engagement state...

↳ [read_file] GUIDE.md → attack_index.md (tag: smb, port445)

↳ [run_shell] enum4linux-ng -A 10.10.10.5

↳ [FOUND] SMB signing disabled · null session allowed

↳ [run_shell] netexec smb 10.10.10.5 -u jsmith -p 'Password1'

↳ [FOUND] (Pwn3d!) — local admin on 10.10.10.5

↳ [run_shell] netexec smb 10.10.10.5 -u jsmith -p 'Password1' --lsa

↳ [CREDS] administrator:aad3b435...:8f52d4b3...

↳ [save_note] creds + Pwn3d host saved to /opt/loot/notes.jsonl

↳ [run_shell] bloodhound-python -u jsmith -p 'Password1' -d corp.local -c All

→ BloodHound ingested. Running path query...

→ Shortest path: jsmith → WriteDACL on svc_backup → GenericAll → Domain Admins

→ Next: read acl_abuse.md and exploit WriteDACL. Command ready.

Arsenal

30+ Tools, Zero Setup

Every tool ships pre-installed and pre-patched in the Docker image. No dependency hell, no conflicting Python versions.

nmapmasscannetexec impacket-secretsdumpimpacket-ticketerimpacket-getST certipyevil-winrmkerbrute bloodhound-pythonbloodyADpywhisker ffufgobustersqlmap whatwebwafw00fdnsrecon hydrahashcatresponder smbmapenum4linux-ng onesixtyonesnmpwalkredis-cli showmountmysqlpsql smtp-user-enumxfreerdp ligolo-proxyligolo-agentchisel Neo4j

Get Started

4 Commands to Full AD Attack Chain

Prerequisites: Docker Desktop · Node.js 18+ · Claude Code

bash

$ git clone https://github.com/gurudeepmallam-cmd/bugtrotter && cd bugtrotter

Cloning into 'bugtrotter'...

$ docker-compose build && docker-compose up -d

Building kali-rt... (8-12 min first time)

✓ Container started: kali-rt

$ docker exec kali-rt python3 /opt/scripts/resume.py

✓ All tools present · Neo4j running · Loot volume mounted

$ claude

→ MCP: kali-redteam connected

→ Ready. Give me a target.

⬡ GitHub Repository ◎ Read the Write-Up