Skip to content

Scenario 11: MCP Tool Infection

Difficulty: Advanced Time: ~30 minutes Prerequisites: Complete Scenario 05 Target: ailab-dev:3000 (MCP Server)

Background

The Model Context Protocol (MCP) defines how AI coding assistants and agents interact with external tools. An MCP server exposes tools (functions), resources (data), and prompts (templates) to connected AI agents. If an MCP server is accessible without authentication, an attacker can enumerate available tools, discover what capabilities the AI agent has (file system access, code execution, API calls), and potentially manipulate tool definitions.

Objective

Enumerate MCP server tools and resources to understand the attack surface exposed to AI agents.

Commands

# Enumerate MCP server tools and resources
aipostex mcp --target 172.16.50.10:3000 enum

# Fingerprint for protocol details
aipostex discover network --target 172.16.50.10:3000 --discovery-only

Expected Finding

MCP Tool Inventory: - Available tools with full schemas (parameter types, descriptions) - Tools that provide file system access, code execution, or API calls - Tool descriptions that reveal internal system details

MCP Resources: - Resource URIs exposing internal endpoints and paths - Resource templates that reveal expected data formats

MCP Prompts: - Prompt templates that may contain system instructions - Embedded context that reveals organizational workflows

Example finding:

{
  "finding_type": "tool_exposure",
  "service": "mcp",
  "detail": "MCP server exposes file system tools without auth",
  "tools_count": 5,
  "risky_tools": ["read_file", "write_file", "execute_command"]
}

Scoring objective: Enumerate at least 3 MCP tools and identify any that provide code execution or file system access.

Real-World Impact

MCP servers are a new attack surface unique to the AI agent era. A compromised MCP server means: - Tool poisoning: Attacker modifies tool definitions so the AI agent executes different code than intended - Prompt injection via resources: Malicious content in MCP resources gets included in the agent's context - Capability escalation: Understanding what tools are available reveals the full blast radius of a compromised AI agent - Shadow IT discovery: MCP servers often expose capabilities that security teams don't know exist

Follow-On

  • Scenario 12: Use MCP access as part of a multi-vector campaign