
aipostex

AI Infrastructure Offensive Security Framework

aipostex is a single-binary Go tool for discovering, assessing, and exploiting AI infrastructure. Built for penetration testers, red teams, and adversary emulation operators, it combines YAML-based vulnerability scanning, file scanning, and deep post-exploitation capabilities across the AI service landscape.


What It Does

  • Vulnerability Scanning

    131 YAML vulnerability templates (85 detection, 46 exploit) targeting AI-specific misconfigurations and advisories across Ollama, MCP, A2A, Kubernetes, Jupyter, Ray, MLflow, Gradio, BentoML, Triton, TorchServe, vLLM, LangChain, and more.

  • File Discovery

    File scanning for AI artifacts such as API keys, MCP configs, model files, vector database data, and fine-tuning datasets.

  • Network Fingerprinting

    30 HTTP-based service probes detecting AI services on a network with automatic template matching and CIDR range scanning.

  • Post-Exploitation

    18 dedicated exploit modules covering Ollama, vector databases (ChromaDB, Weaviate, Qdrant, Milvus, pgvector), Jupyter, MCP, OpenAI-compatible APIs, LiteLLM, Ray, MLflow, Gradio, BentoML, Triton, TorchServe, HuggingFace TGI/TEI, TensorFlow Serving, Kubeflow, W&B, A2A agents, and Kubernetes API servers.

Quick Start

# Build
make build

# Discover AI services on a network
./aipostex discover network --target 10.0.0.0/24

# Scan a target for vulnerabilities
./aipostex scan targets --target http://127.0.0.1:11434

# Scan files for AI credentials and artifacts
./aipostex discover files --path /tmp/loot

# Enumerate an Ollama instance
./aipostex ollama --target http://127.0.0.1:11434 enum

See the Quickstart guide for a full walkthrough.

Key Design Principles

Operator progression -- Discovery commands hand off into concrete follow-on commands: discover network finds services and attaches module-specific next steps, so the operator walks a chain from discovery to proof rather than improvising each hop.

Safe by default -- Scans run in detect mode, executing only passive detection templates. Active exploitation templates (SSRF, command injection, inference) require explicit --mode full. State-changing exploit module actions require --force-exploit. The operator is always in control.

Single binary -- Templates and discovery rules are embedded. No external files required. Custom templates and rules layer on top via --templates-dir and --rules-dir.

OPSEC-aware -- Built-in stealth mode with request jitter, User-Agent rotation, concurrency caps, and full proxy support (HTTP/HTTPS/SOCKS5).
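The discovery-to-proof chain and the safe-by-default gating above are easy to get wrong under time pressure, so the following dry-run wrapper shows one way to enforce them. It is an added example, not code from the aipostex project: it only prints the aipostex command lines it would run, uses no flags beyond the ones shown on this page (--target, --mode full, --force-exploit), and assumes that --force-exploit may follow the action name, that the listed actions are the state-changing ones, and that the scope list would come from the rules of engagement. The scope list and host list are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of aipostex: a dry-run wrapper that gates the
# discovery-to-proof chain behind an engagement scope check. Passive
# detection is emitted for any host; --mode full and --force-exploit are
# only emitted for hosts inside the authorized CIDRs.

# Constructed engagement scope, one IPv4 CIDR per line (assumption: the
# real list would be taken from the rules of engagement).
SCOPE="10.0.0.0/24
192.168.50.0/28"

# Module actions treated as state-changing (assumption, taken from the
# command table: these create, delete, overwrite or execute on the target).
STATE_CHANGING="copy create delete poison inject metadata-inject exec start-kernel submit pip-inject register unregister scale model-load model-unload upload-file run-submit pod-exec push-hijack tool-inject"

# ip4_to_int 10.0.0.5 -> 167772165
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP CIDR -> returns 0 when IP lies inside CIDR
in_cidr() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# in_scope IP -> returns 0 when IP is inside any SCOPE entry
in_scope() {
    for cidr in $SCOPE; do
        in_cidr "$1" "$cidr" && return 0
    done
    return 1
}

# scan_cmd HOST PORT [detect|full] -> prints the scan command.
# detect (the default) runs only passive templates; full adds the active
# templates and is refused for hosts outside SCOPE.
scan_cmd() {
    host=$1; port=$2; mode=${3:-detect}
    if [ "$mode" = full ]; then
        in_scope "$host" || { echo "refused: $host not in scope for --mode full" >&2; return 1; }
        echo "./aipostex scan targets --target http://$host:$port --mode full"
    else
        echo "./aipostex scan targets --target http://$host:$port"
    fi
}

# module_cmd MODULE HOST PORT ACTION -> prints the module command,
# appending --force-exploit (and enforcing scope) for state-changing
# actions; read-only actions such as enum need neither.
module_cmd() {
    module=$1; host=$2; port=$3; action=$4
    force=""
    for a in $STATE_CHANGING; do
        if [ "$a" = "$action" ]; then
            in_scope "$host" || { echo "refused: $host not in scope for $module $action" >&2; return 1; }
            force=" --force-exploit"
            break
        fi
    done
    echo "./aipostex $module --target http://$host:$port $action$force"
}

# Dry run over a constructed host list (host port module): the second
# host is outside SCOPE, so its proof steps are refused on stderr while
# its passive detection and enum steps are still emitted.
dry_run() {
    printf '%s\n' "10.0.0.5 11434 ollama" "203.0.113.9 11434 ollama" |
    while read -r host port module; do
        scan_cmd "$host" "$port" detect
        scan_cmd "$host" "$port" full
        module_cmd "$module" "$host" "$port" enum
        module_cmd "$module" "$host" "$port" poison
    done
    return 0
}

dry_run
```

The point of the wrapper is that the escalation flags are never typed by hand: a host has to pass the CIDR check before --mode full or --force-exploit can appear in a command line, which mirrors the tool's own detect-first default and puts the scope decision in one auditable place.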

Current Status

aipostex includes scanning, file discovery, reporting, and 18 exploit modules with staged workflow guidance. Advisory coverage includes 24 CVE-specific templates, 2 GHSA templates, and 1 TRA template across MCP, Ollama, MLflow, Gradio, Ray, vLLM, LangChain, and related AI infrastructure. See the Coverage Matrix for the full breakdown.

Category             Commands
Workflow CLI         discover network, discover files, scan targets, assess network, report render, report summary, report graph, engagement merge, engagement bundle
Templates            templates list, templates info
Ollama               enum, prompts, generate, show, running, copy, create, delete, poison, exfiltrate
Vector DBs           enum, extract, search-sensitive, inject, metadata-inject
Jupyter              enum, kernels, notebooks, read-notebook, exec, start-kernel, reverse-shell-proof, pip-proof
MCP                  analyze, enum, poison, env-extract, chain
OpenAI-Compatible    auth-sweep, enum, validate-inference, prompt-extract, tool-enum, prompt-test, throughput, proxy-test, litellm-probe
LiteLLM              enum, config-extract, budget-probe, proxy-chain
Ray                  enum, jobs, job-logs, job-artifacts, submit, runtime-env, pip-inject, cluster-info
MLflow               enum, experiments, runs, artifacts, registry, model-versions, model-artifacts, download-artifact, tamper-proof
Gradio               enum, predict, queue-probe, upload-file, download-file, file-chain, serve-probe
BentoML              enum, routes, predict, metrics
Triton               enum, models, model-config, infer, model-load, model-unload, shm-probe
TorchServe           enum, models, predict, register, scale, unregister, metrics
HuggingFace TGI/TEI  enum, metrics, generate, embed, validate-inference
TF Serving           enum, model-metadata, model-signature, metrics, infer
Kubeflow             enum, pipelines, runs, experiments, notebooks, run-submit
W&B                  enum, projects, runs, artifacts, secrets
A2A                  enum, skills, auth-probe, msg-integrity, sender-spoof, delegate-probe, card-spoof, task-send, task-status, task-cancel, stream-probe, push-hijack, mcp-pivot, scrape-loop, tool-inject, replay
Kubernetes           rbac-probe, access-review, enum, secret-read, artifact-read, pod-exec, sa-loot

Deferred

  • validate (finding validation)
  • SQLite output format