aipostex
AI Infrastructure Offensive Security Framework
aipostex is a single-binary Go tool for discovering, assessing, and exploiting AI infrastructure. Built for penetration testers, red teams, and adversary emulation operators, it combines YAML-based vulnerability scanning, file scanning, and deep post-exploitation capabilities across the AI service landscape.
What It Does

- Vulnerability Scanning -- 131 YAML vulnerability templates (85 detection, 46 exploit) targeting AI-specific misconfigurations and advisories across Ollama, MCP, A2A, Kubernetes, Jupyter, Ray, MLflow, Gradio, BentoML, Triton, TorchServe, vLLM, LangChain, and more.
- File Discovery -- File scanning for AI artifacts such as API keys, MCP configs, model files, vector database data, and fine-tuning datasets.
- Network Fingerprinting -- 30 HTTP-based service probes that detect AI services on a network, with automatic template matching and CIDR range scanning.
- Post-Exploitation -- 18 dedicated exploit modules covering Ollama, vector databases (ChromaDB, Weaviate, Qdrant, Milvus, pgvector), Jupyter, MCP, OpenAI-compatible APIs, LiteLLM, Ray, MLflow, Gradio, BentoML, Triton, TorchServe, HuggingFace TGI/TEI, TensorFlow Serving, Kubeflow, W&B, A2A agents, and Kubernetes API servers.
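To make the Network Fingerprinting item concrete, here is an added Go example of what an HTTP probe sweep over a CIDR range boils down to. It is not aipostex's own code and does not use its template schema: `Probe`, `Probes`, `ExpandCIDR`, `Fingerprint`, `ScanRange` and `FakeOllama` are hypothetical names chosen for this example. The `Ollama is running` banner is the real server's root response; the Jupyter rule is illustrative only, and the local test server is constructed so the example runs offline.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Probe is a hypothetical fingerprint rule (not aipostex's template
// schema): fetch Path and report Service when the body contains Needle.
type Probe struct {
	Service string
	Path    string
	Needle  string
}

// Probes is a constructed sample set. The Ollama banner is the real
// server's root response; the Jupyter rule is illustrative.
var Probes = []Probe{
	{Service: "ollama", Path: "/", Needle: "Ollama is running"},
	{Service: "jupyter", Path: "/api", Needle: `"version"`},
}

// ExpandCIDR lists host addresses in cidr, dropping the network and
// broadcast addresses for prefixes shorter than /31.
func ExpandCIDR(cidr string) ([]string, error) {
	ip, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return nil, err
	}
	var hosts []string
	for ip := ip.Mask(ipnet.Mask); ipnet.Contains(ip); ip = next(ip) {
		hosts = append(hosts, ip.String())
	}
	ones, bits := ipnet.Mask.Size()
	if bits-ones > 1 && len(hosts) > 2 {
		hosts = hosts[1 : len(hosts)-1]
	}
	return hosts, nil
}

// next returns ip+1 without mutating the input; wrapping past the last
// address leaves the subnet, which ends the loop above.
func next(ip net.IP) net.IP {
	out := make(net.IP, len(ip))
	copy(out, ip)
	for j := len(out) - 1; j >= 0; j-- {
		out[j]++
		if out[j] != 0 {
			break
		}
	}
	return out
}

// Fingerprint runs every probe against base and returns the services
// whose needle appeared. Bodies are capped at 64 KiB so a hostile
// endpoint cannot make the scanner read forever.
func Fingerprint(client *http.Client, base string) []string {
	var found []string
	base = strings.TrimRight(base, "/")
	for _, p := range Probes {
		resp, err := client.Get(base + p.Path)
		if err != nil {
			continue
		}
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
		resp.Body.Close()
		if resp.StatusCode < 500 && strings.Contains(string(body), p.Needle) {
			found = append(found, p.Service)
		}
	}
	return found
}

// ScanRange fingerprints every host in cidr on port and maps host to the
// services matched; this is the shape of a CIDR discovery sweep.
func ScanRange(cidr string, port int) (map[string][]string, error) {
	hosts, err := ExpandCIDR(cidr)
	if err != nil {
		return nil, err
	}
	client := &http.Client{Timeout: 3 * time.Second}
	hits := map[string][]string{}
	for _, h := range hosts {
		base := "http://" + net.JoinHostPort(h, fmt.Sprint(port))
		if svcs := Fingerprint(client, base); len(svcs) > 0 {
			hits[h] = svcs
		}
	}
	return hits, nil
}

// FakeOllama is a constructed local stand-in for the Ollama API.
func FakeOllama() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.URL.Path {
		case "/":
			fmt.Fprint(w, "Ollama is running")
		case "/api/tags":
			fmt.Fprint(w, `{"models":[]}`)
		default:
			http.NotFound(w, r)
		}
	}))
}

func main() {
	srv := FakeOllama()
	defer srv.Close()
	hosts, _ := ExpandCIDR("10.0.0.0/30")
	fmt.Println("hosts in 10.0.0.0/30:", hosts)
	fmt.Println("services at fake:", Fingerprint(srv.Client(), srv.URL))
}
```

`ScanRange` is the only function that touches a real network; the `main` above exercises the probe logic against the constructed server so it can be run anywhere. A real probe table would also key on status codes and headers, not just a body substring.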
Quick Start

```bash
# Build
make build

# Discover AI services on a network
./aipostex discover network --target 10.0.0.0/24

# Scan a target for vulnerabilities
./aipostex scan targets --target http://127.0.0.1:11434

# Scan files for AI credentials and artifacts
./aipostex discover files --path /tmp/loot

# Enumerate an Ollama instance
./aipostex ollama --target http://127.0.0.1:11434 enum
```
See the Quickstart guide for a full walkthrough.
Key Design Principles
Operator progression -- Discovery commands hand off into concrete follow-on commands. discover network finds services and attaches module-specific next steps, so the operator walks a chain from discovery to proof.
Safe by default -- Scans run in detect mode, executing only passive detection templates. Active exploitation templates (SSRF, command injection, inference) require explicit --mode full. State-changing exploit module actions require --force-exploit. The operator is always in control.
Single binary -- Templates and discovery rules are embedded. No external files required. Custom templates and rules layer on top via --templates-dir and --rules-dir.
OPSEC-aware -- Built-in stealth mode with request jitter, User-Agent rotation, concurrency caps, and full proxy support (HTTP/HTTPS/SOCKS5).
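As an added illustration of the OPSEC controls listed above (not aipostex's own implementation), the Go snippet below wraps `net/http` in a client that caps concurrency with a semaphore, sleeps a random jitter inside configurable bounds before each request, rotates the User-Agent, and routes through an HTTP, HTTPS or SOCKS5 proxy via `http.ProxyURL`. `StealthClient`, `NewStealthClient`, `Jitter`, `NextUA`, `Do` and `MeasureInFlight` are hypothetical names, and the `UserAgents` pool is constructed for the example; `MeasureInFlight` stands up a local test server purely to show that the cap holds.

```go
package main

import (
	"context"
	"fmt"
	"math/rand"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
	"sync/atomic"
	"time"
)

// UserAgents is a constructed rotation pool (an assumption, not aipostex's list).
var UserAgents = []string{
	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36",
	"Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15",
	"curl/8.6.0",
}

// StealthClient is a hypothetical wrapper: concurrency cap, jitter, UA rotation, proxy.
type StealthClient struct {
	Client   *http.Client
	MinDelay time.Duration
	MaxDelay time.Duration
	sem      chan struct{} // one token per in-flight request
	mu       sync.Mutex    // guards rng and uaIdx
	rng      *rand.Rand
	uaIdx    int
}

// NewStealthClient accepts "" or an http://, https:// or socks5:// proxy URL;
// net/http's Transport dials through all three.
func NewStealthClient(proxy string, concurrency int, minDelay, maxDelay time.Duration, seed int64) (*StealthClient, error) {
	if concurrency < 1 || maxDelay < minDelay {
		return nil, fmt.Errorf("invalid concurrency or delay bounds")
	}
	tr := http.DefaultTransport.(*http.Transport).Clone()
	if proxy != "" {
		u, err := url.Parse(proxy)
		if err != nil {
			return nil, err
		}
		tr.Proxy = http.ProxyURL(u)
	}
	return &StealthClient{
		Client:   &http.Client{Transport: tr, Timeout: 10 * time.Second},
		MinDelay: minDelay,
		MaxDelay: maxDelay,
		sem:      make(chan struct{}, concurrency),
		rng:      rand.New(rand.NewSource(seed)),
	}, nil
}

// Jitter returns a random delay in [MinDelay, MaxDelay].
func (s *StealthClient) Jitter() time.Duration {
	s.mu.Lock()
	defer s.mu.Unlock()
	span := int64(s.MaxDelay - s.MinDelay)
	if span <= 0 {
		return s.MinDelay
	}
	return s.MinDelay + time.Duration(s.rng.Int63n(span+1))
}

// NextUA rotates round-robin through the pool.
func (s *StealthClient) NextUA() string {
	s.mu.Lock()
	defer s.mu.Unlock()
	ua := UserAgents[s.uaIdx%len(UserAgents)]
	s.uaIdx++
	return ua
}

// Do takes a concurrency token, waits out the jitter, stamps the UA and
// sends; a cancelled ctx abandons either wait.
func (s *StealthClient) Do(ctx context.Context, req *http.Request) (*http.Response, error) {
	select {
	case s.sem <- struct{}{}:
	case <-ctx.Done():
		return nil, ctx.Err()
	}
	defer func() { <-s.sem }()
	select {
	case <-time.After(s.Jitter()):
	case <-ctx.Done():
		return nil, ctx.Err()
	}
	req.Header.Set("User-Agent", s.NextUA())
	return s.Client.Do(req.WithContext(ctx))
}

// MeasureInFlight fires n requests at once through sc against a constructed
// local server and reports the peak number the server saw in flight.
func MeasureInFlight(sc *StealthClient, n int) int {
	var cur, peak int64
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c := atomic.AddInt64(&cur, 1)
		for p := atomic.LoadInt64(&peak); c > p && !atomic.CompareAndSwapInt64(&peak, p, c); p = atomic.LoadInt64(&peak) {
		}
		time.Sleep(20 * time.Millisecond) // hold the slot so overlap is observable
		atomic.AddInt64(&cur, -1)
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			req, _ := http.NewRequest(http.MethodGet, srv.URL, nil)
			if resp, err := sc.Do(context.Background(), req); err == nil {
				resp.Body.Close()
			}
		}()
	}
	wg.Wait()
	return int(atomic.LoadInt64(&peak))
}

func main() {
	sc, err := NewStealthClient("", 2, 200*time.Millisecond, 800*time.Millisecond, 1)
	if err != nil {
		panic(err)
	}
	fmt.Println("peak in flight with cap 2:", MeasureInFlight(sc, 6))
	fmt.Println("sample jitter:", sc.Jitter(), "next UA:", sc.NextUA())
}
```

With an empty proxy the cloned default transport still honours `HTTP_PROXY`/`HTTPS_PROXY`, and Go does not proxy loopback addresses, which is why the local measurement works unchanged. Seeding the generator makes a run reproducible for a report; for an engagement you would seed from `time.Now().UnixNano()` instead.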
Current Status
aipostex includes scanning, file discovery, reporting, and 18 exploit modules with staged workflow guidance. Advisory coverage includes 24 CVE-specific templates, 2 GHSA templates, and 1 TRA template across MCP, Ollama, MLflow, Gradio, Ray, vLLM, LangChain, and related AI infrastructure. See the Coverage Matrix for the full breakdown.
| Category | Commands |
|---|---|
| Workflow CLI | discover network, discover files, scan targets, assess network, report render, report summary, report graph, engagement merge, engagement bundle |
| Templates | templates list, templates info |
| Ollama | enum, prompts, generate, show, running, copy, create, delete, poison, exfiltrate |
| Vector DBs | enum, extract, search-sensitive, inject, metadata-inject |
| Jupyter | enum, kernels, notebooks, read-notebook, exec, start-kernel, reverse-shell-proof, pip-proof |
| MCP | analyze, enum, poison, env-extract, chain |
| OpenAI-Compatible | auth-sweep, enum, validate-inference, prompt-extract, tool-enum, prompt-test, throughput, proxy-test, litellm-probe |
| LiteLLM | enum, config-extract, budget-probe, proxy-chain |
| Ray | enum, jobs, job-logs, job-artifacts, submit, runtime-env, pip-inject, cluster-info |
| MLflow | enum, experiments, runs, artifacts, registry, model-versions, model-artifacts, download-artifact, tamper-proof |
| Gradio | enum, predict, queue-probe, upload-file, download-file, file-chain, serve-probe |
| BentoML | enum, routes, predict, metrics |
| Triton | enum, models, model-config, infer, model-load, model-unload, shm-probe |
| TorchServe | enum, models, predict, register, scale, unregister, metrics |
| HuggingFace TGI/TEI | enum, metrics, generate, embed, validate-inference |
| TF Serving | enum, model-metadata, model-signature, metrics, infer |
| Kubeflow | enum, pipelines, runs, experiments, notebooks, run-submit |
| W&B | enum, projects, runs, artifacts, secrets |
| A2A | enum, skills, auth-probe, msg-integrity, sender-spoof, delegate-probe, card-spoof, task-send, task-status, task-cancel, stream-probe, push-hijack, mcp-pivot, scrape-loop, tool-inject, replay |
| Kubernetes | rbac-probe, access-review, enum, secret-read, artifact-read, pod-exec, sa-loot |
Deferred

- validate (finding validation)
- SQLite output format