Exploit Modules

aipostex includes 18 post-exploitation modules, each targeting a specific AI service family. Modules follow a consistent pattern: read-only enumeration commands run without restrictions, while state-changing or high-noise actions require --force-exploit.

Module Summary

| Module | Service(s) | Subcommands | Read-Only | Gated |
|---|---|---|---|---|
| ollama | Ollama | 10 | 5 | 5 |
| vectordb | ChromaDB, Weaviate, Qdrant, Milvus, pgvector | 5 | 3 | 2 |
| jupyter | Jupyter Notebook | 8 | 4 | 4 |
| mcp | MCP servers | 5 | 3 | 2 |
| openai-compat | OpenAI-compatible APIs | 9 | 7 | 2 |
| ray | Ray | 8 | 4 | 4 |
| mlflow | MLflow | 9 | 8 | 1 |
| gradio | Gradio | 7 | 4 | 3 |
| bentoml | BentoML | 4 | 3 | 1 |
| triton | NVIDIA Triton Inference Server | 7 | 4 | 3 |
| torchserve | PyTorch TorchServe | 7 | 3 | 4 |
| litellm | LiteLLM Proxy | 5 | 4 | 1 |
| huggingface | HuggingFace TGI/TEI | 5 | 3 | 2 |
| tfserving | TensorFlow Serving | 5 | 4 | 1 |
| kubeflow | Kubeflow Pipelines | 6 | 5 | 1 |
| wandb | Weights & Biases | 5 | 5 | 0 |
| a2a | Agent-to-Agent APIs | 11 | 4 | 7 |
| k8s | Kubernetes API server (ML/AI workloads) | 7 | 3 | 4 |

Utilities

| Command | Purpose | Doc |
|---|---|---|
| model-scan | Local model file supply-chain scan (pickle / PyTorch / formats) | model-scan |

These modules provide the main post-exploitation surface of the tool, covering read-only enumeration through gated proof actions.

Common Flags

All exploit modules share these flags:

| Flag | Description |
|---|---|
| --target | Target service URL (required for all remote commands). |
| --header | Custom HTTP header(s) in Key: Value format. Repeatable. |

Safety Model

```mermaid
flowchart LR
    ReadOnly[Read-Only Commands] -->|no flag needed| Execute[Execute]
    Gated[State-Changing Commands] -->|requires --force-exploit| Execute
    Gated -->|without flag| Blocked[Blocked with message]
```

Read-only commands include: enumeration, listing, reading, extraction, fingerprinting, and passive analysis.

Gated commands include: model creation/deletion/poisoning, code execution, file uploads, throughput/proxy testing, and queue/serve probes.

See Safety Model for the complete gated action reference.

Operator Progression

Each module supports a progression from enumeration to proof:

```mermaid
flowchart TD
    Discovery["discover network\n(fingerprint services)"] --> Enum["module enum\n(enumerate assets)"]
    Enum --> Read["module read commands\n(extract data, validate access)"]
    Read --> Proof["module gated commands\n(demonstrate impact)"]
```

Findings from earlier stages attach workflow recommendations pointing to the next logical command, using values discovered in the current step (model names, collection IDs, kernel IDs, job IDs, etc.).