merabytes/pentest-lambdas

pentest-lambdas

AWS Lambda functions exposing pentest tools as MCP servers via HTTP (Function URLs).

Each lambda is a lightweight container image built on Amazon Linux 2023, grouped by tool stack and function. The lambdas are deployed independently, so each group can be scaled based on demand and clients can be charged per request.

Architecture

adversary portal
      │
      ▼
lambdaclaw (MCP client)
      │
      ├── lambda-recon-passive  (amass, assetfinder, crt.sh, waybackurls, alterx, shuffledns)
      ├── lambda-recon-active   (nmap, masscan, httpx, sslscan, http-headers-security)
      ├── lambda-crawl-discovery (katana, ffuf, arjun)
      ├── lambda-vuln-scan      (nuclei + templates auto-updated)
      ├── lambda-exploit        (sqlmap, hydra, mimikatz)
      ├── lambda-cloud-audit    (scoutsuite)
      └── lambda-mobile         (mobsf)

Each lambda exposes an SSE MCP endpoint via AWS Function URL.

Lambdas

| Lambda | Tools | Stack | Use case |
|---|---|---|---|
| recon-passive | amass, assetfinder, crt.sh, waybackurls, alterx, shuffledns | Go / Node | Passive recon: subdomains, historical URLs, permutations |
| recon-active | nmap, masscan, httpx, sslscan, http-headers-security | Go / C | Active recon: ports, HTTP probing, SSL/TLS, security headers |
| crawl-discovery | katana, ffuf, arjun | Go / Python | Web crawling, directory fuzzing, parameter discovery |
| vuln-scan | nuclei | Go | Vulnerability scanning with auto-updated templates |
| exploit | sqlmap, hydra, mimikatz | Python / C | SQL injection, brute force, credential extraction |
| cloud-audit | scoutsuite | Python | Cloud security audit (AWS, Azure, GCP) |
| mobile | mobsf | Python | Mobile app security analysis (Android/iOS) |

CI/CD

GitHub Actions workflow (.github/workflows/rebuild.yml):

  • Runs daily + on push to main
  • Pulls latest tool versions
  • Rebuilds and pushes each container image to ECR
  • Ensures nuclei templates are always up to date

Base image

All lambdas use public.ecr.aws/lambda/nodejs:22-arm64 (Amazon Linux 2023) as the base image. Tools are compiled statically where possible (Go tools work great for this).

Environment variables

Each lambda reads tool paths from env vars:

  • NMAP_PATH, NUCLEI_PATH, FFUF_PATH, etc.
  • AWS_LAMBDA_FUNCTION_URL — exposed as MCP SSE endpoint
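Because the binary each lambda executes is chosen by an environment variable, a misconfigured or tampered value decides what runs. The following is an added example, not code from this repository: a startup check that rejects unset, relative, missing, non-executable, or group/world-writable tool paths. The variable list per lambda, the permission policy, and the function names are assumptions.

```javascript
// Added example (not from the repository): startup validation of tool-path env vars.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Variable names come from the README; which ones a given lambda needs is an assumption.
const TOOL_VARS = ["NMAP_PATH", "NUCLEI_PATH", "FFUF_PATH"];

// Check one configured path; returns { name, ok, problem } or { name, ok, resolved }.
function checkToolPath(name, value) {
  const fail = (problem) => ({ name, ok: false, problem });
  if (!value) return fail("unset");
  if (!path.isAbsolute(value)) return fail("not absolute"); // never fall back to PATH lookup
  let resolved, st;
  try {
    resolved = fs.realpathSync(value); // follow symlinks to the real binary
    st = fs.statSync(resolved);
  } catch {
    return fail("missing");
  }
  if (!st.isFile()) return fail("not a regular file");
  if ((st.mode & 0o111) === 0) return fail("not executable");
  if ((st.mode & 0o022) !== 0) return fail("group/world writable");
  return { name, ok: true, resolved };
}

// Validate every required variable; the caller should refuse to start if ok is false.
function validateToolEnv(env, names = TOOL_VARS) {
  const results = names.map((n) => checkToolPath(n, env[n]));
  return { ok: results.every((r) => r.ok), results };
}

// Constructed fixtures: a temp dir holding one acceptable file and one writable by anyone.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "toolcheck-"));
  const make = (file, mode) => {
    const p = path.join(dir, file);
    fs.writeFileSync(p, "#!/bin/sh\n");
    fs.chmodSync(p, mode); // set exact mode regardless of umask
    return p;
  };
  const env = {
    NMAP_PATH: make("nmap", 0o755),
    NUCLEI_PATH: make("nuclei", 0o777), // writable by anyone
    FFUF_PATH: "ffuf", // relative: would depend on PATH
  };
  return validateToolEnv(env);
}
```

In a handler, call `validateToolEnv(process.env)` once at cold start and fail the invocation if `ok` is false, so a bad path is caught before any tool is spawned.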

Local development

docker compose up

This starts all lambdas locally on ports 9001-9007 using the AWS Lambda RIE (Runtime Interface Emulator).

About

Pentest MCP lambdas monorepo — each lambda as submodule, daily CI rebuild
