Network scanner that discovers and security-audits MCP servers across IP ranges. Like nmap, but for Model Context Protocol.

```bash
# Homebrew (macOS/Linux)
brew install canack/tap/mcpmap

# Cargo
cargo install mcpmap

# Shell one-liner (macOS/Linux)
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/canack/mcpmap/releases/latest/download/mcpmap-installer.sh | sh

# Docker
docker run --rm ghcr.io/canack/mcpmap:latest 192.168.1.0/24
```

Pre-built binaries for all platforms on GitHub Releases.

```bash
mcpmap 192.168.1.0/24                          # discover MCP servers
mcpmap 192.168.1.0/24 --enumerate              # list tools + risk levels
mcpmap 192.168.1.0/24 --enumerate --active     # active security audit (safe, metadata-only)
mcpmap 192.168.1.0/24 --enumerate --active \
    --probe-tools --i-accept-risk              # call LOW-risk tools
mcpmap 192.168.1.0/24 --enumerate --active \
    --pin baseline.json                        # save tool hashes
mcpmap 192.168.1.0/24 --enumerate --active \
    --verify baseline.json                     # verify against baseline
mcpmap 192.168.1.0/24 --enumerate --json       # JSON output for CI/CD
```

```
Targets ──▶ Port Scan ──▶ HTTP Probe ──▶ MCP Handshake ──▶ Security Checks
                                                                 │
                                                   --enumerate: Tool Enumeration
                                                                 │
                                                   --active: Behavioral Probing
```

Passive (default): Port scan → HTTP heuristic → JSON-RPC initialize handshake → origin/auth/session validation → tool enumeration with risk classification.

Active (`--active`): Schema poisoning, resource injection, tool squatting, temporal rug-pull, exfiltration chains, cross-server manipulation, response injection, denial-of-wallet.

| Tier | Flag | What it does |
|---|---|---|
| 1 — Safe | `--active` | Metadata-only: tools/list, resources/list, schema analysis. No tool calls. |
| 2 — Controlled | + `--probe-tools --i-accept-risk` | Calls LOW-risk tools (read, get, list, search) with test inputs. |
| 3 — Aggressive | + `--probe-medium` | Also calls MEDIUM-risk tools. Pentest only. |

CRITICAL/HIGH risk tools are NEVER called. No flag overrides this.

Safety limits: 3 calls/tool, 50 calls/server, 5s/call timeout, 100KB response cap, 120s total probe timeout.

15 vulnerability classes across passive and active scanning:

| ID | Vulnerability | Sev. | Mode |
|---|---|---|---|
| MCP-001 | DNS rebinding (missing Origin validation) | High | Passive |
| MCP-002 | Missing authentication | High | Passive |
| MCP-003 | Insecure transport (no TLS) | Med | Passive |
| MCP-004 | Predictable session IDs | High | Passive |
| MCP-005 | Dangerous tool exposure | Crit | --enumerate |
| MCP-006 | Prompt injection in tool descriptions | Med | --enumerate |
| MCP-007 | Resource content injection | Med | --active |
| MCP-008 | Schema poisoning | High | --active |
| MCP-009 | Tool name squatting | High | --active |
| MCP-010 | Rug-pull (definition mutation) | Crit | --active |
| MCP-011 | Response injection (ATPA) | High | --probe-tools |
| MCP-012 | Denial of wallet | Med | --probe-tools |
| MCP-013 | Exfiltration chain risk | High | --active |
| MCP-014 | Cross-server manipulation | Med | --active |
| MCP-015 | Pin verification failed | Crit | --verify |

```
MCPMAP - 256 targets scanned in 3.42s
────────────────────────────────────────────────────────────
192.168.1.10:3001 [CONFIRMED 100%]
  Server: filesystem-server/1.2.0 (MCP 2025-11-25)
  Capabilities: tools, resources
  Transport: SSE @ /mcp
  Origin: NOT VALIDATED (DNS rebinding risk)
  Tools: 5 discovered [HIGH RISK]
    - read_file [Medium] - Read file contents
    - write_file [High] - Write to files
    - delete_file [Critical] - Delete files
  Active Probe: Tier 2 executed, 3 findings
    MCP-008 [HIGH] Schema poisoning: parameter 'content_include_env_vars'
    MCP-010 [CRITICAL] Rug-pull: get_weather description changed after 3 calls
    MCP-012 [MEDIUM] analyze_data returned 102KB (threshold: 50KB)
192.168.1.15:8000 [LIKELY 75%]
  Server: unknown (MCP 2024-11-05)
  Capabilities: tools
  Transport: HTTP @ /
  Auth: Required (Bearer)
────────────────────────────────────────────────────────────
2 MCP servers | 1 confirmed | 1 likely | 1 auth required
```

```
Scanning:
  -m, --mode <MODE>      fast | full | stealth [default: fast]
  -p, --ports <PORTS>    port range (80,443 or 1-1000)
  -t, --threads <N>      concurrent threads [default: 50]
      --timeout <SECS>   connection timeout [default: 5]

Probing:
      --enumerate        list tools on confirmed servers
      --active           active security probing (safe, metadata-only)
      --probe-tools      call LOW-risk tools with test inputs
      --probe-medium     also call MEDIUM-risk tools (pentest only)
      --dry-run          show probe plan without executing
      --i-accept-risk    explicit consent for tool invocation
      --pin <FILE>       save tool/resource hashes
      --verify <FILE>    verify against a saved pin file

Output:
      --json             JSON output
  -W, --wide             wide table (grep-friendly)
  -q, --quiet            suppress progress output
  -v, --verbose          verbose (-v, -vv, -vvv)
```

Advanced options (see `mcpmap --help`)

```
Scanning:
      --deep-probe           try extra endpoints (/sse, /api/mcp, /v1/mcp)
      --scheme <S>           http | https | both [default: both]
      --insecure             accept invalid TLS certs
      --max-targets <N>      max IP:port combinations [default: 1000000]
      --rate-limit <N>       max req/sec (0 = unlimited) [default: 0]

Output:
      --show-all             include low-confidence results
      --min-confidence <N>   minimum confidence 0-100 [default: 0]
```

| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Error |
| 2 | Pin verification failed (`--verify`) |
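
How pinning tool definitions catches a later definition change (MCP-010, MCP-015), as an added example that is not mcpmap's own code. The hashed fields, the canonical JSON encoding, the pin layout, the "any drift fails" policy and the sample tool lists are assumptions made here; mcpmap's actual pin file format is not shown on this page, and this sketch covers tools only, not resources.

```python
import hashlib
import json
PINNED_FIELDS = ("name", "description", "inputSchema")  # assumption: what gets hashed

def tool_digest(tool):
    """SHA-256 of one tool definition in canonical JSON form."""
    pinned = {k: tool.get(k) for k in PINNED_FIELDS}
    # sort_keys + fixed separators: key order and whitespace cannot change the hash
    blob = json.dumps(pinned, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def make_pins(tools):
    """Baseline mapping tool name -> digest (hypothetical layout, not mcpmap's)."""
    return {t["name"]: tool_digest(t) for t in tools}

def verify_pins(baseline, tools):
    """Diff a fresh tools/list result against the baseline."""
    current = make_pins(tools)
    return {
        "changed": sorted(n for n in baseline.keys() & current.keys()
                          if baseline[n] != current[n]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }

def exit_code(report):
    """This example's policy: 2 on any drift, the page's code for a failed --verify."""
    return 2 if any(report.values()) else 0

# Constructed sample data: two tools/list snapshots of one server.
DAY_1 = [
    {"name": "get_weather", "description": "Return the forecast for a city.",
     "inputSchema": {"type": "object", "properties": {"city": {"type": "string"}}}},
    {"name": "list_cities", "description": "List supported cities.",
     "inputSchema": {"type": "object"}},
]
DAY_2 = [
    # same name, reworded description: definition mutation
    {"name": "get_weather", "description": "Return the forecast for a city (reworded).",
     "inputSchema": {"type": "object", "properties": {"city": {"type": "string"}}}},
    # identical content, different key order: digest must not change
    {"inputSchema": {"type": "object"}, "description": "List supported cities.",
     "name": "list_cities"},
    # tool that was not in the baseline
    {"name": "export_data", "description": "Export data.", "inputSchema": {"type": "object"}},
]
if __name__ == "__main__":
    print(verify_pins(make_pins(DAY_1), DAY_2))
```

Hashing the canonical form rather than the raw response body keeps a reordered but otherwise identical definition from raising a false alarm, while any change to the text a model reads still changes the digest.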
