Skip to content

Operator Progression

aipostex treats discovery and exploitation as a structured handoff flow rather than isolated commands. Each step produces findings that point to concrete next actions.

Scan Modes

By default, scans run in detect mode — only passive detection templates execute. Use --mode full to include active exploitation templates (SSRF, command injection, inference abuse) when authorized for full assessment.

Operator Progression

Kill Chain Overview

flowchart TD
    subgraph discovery [Stage 1 - Discovery]
        ScanNetwork["discover network\n(fingerprint AI services)"]
        ScanFiles["discover files\n(find credentials & configs)"]
        Scan["scan targets\n(run vuln templates)"]
    end

    subgraph correlation [Stage 2 - Correlation]
        Enum["module enum\n(list assets: models, collections, tools, jobs)"]
        Analyze["mcp analyze\n(parse local MCP configs)"]
    end

    subgraph proof [Stage 3 - Proof]
        Read["Read commands\n(extract data, validate access)"]
        AuthSweep["auth-sweep\n(classify auth posture)"]
    end

    subgraph takeover [Stage 4 - Takeover]
        Exploit["Gated commands\n(poison, exec, submit, upload)"]
    end

    ScanNetwork --> Enum
    ScanFiles --> Analyze
    Scan --> Enum
    Enum --> Read
    Analyze --> Enum
    AuthSweep --> Read
    Read --> Exploit

Stage 1: Discovery

Discovery identifies reachable AI surfaces. Four entry points:

discover network

Fingerprints AI services across a network range, then auto-runs matching vulnerability templates.

./aipostex discover network --target 10.0.0.0/24

Output includes:

  • Fingerprint findings for each detected service
  • Vulnerability findings from auto-scanned templates
  • Next actions grouped by discovered service URL

discover files

Discovers AI artifacts on disk: API keys, MCP configs, model files, training data.

./aipostex discover files --path /tmp/loot

MCP config discoveries suggest follow-on mcp analyze and mcp enum commands.

assess network

Runs a full assessment workflow: discovery, fingerprinting, auto-scan with all templates, and enumeration in a single pass.

./aipostex assess network --target 10.0.0.0/24

scan targets

Runs vulnerability templates against known targets.

./aipostex scan targets --target http://127.0.0.1:11434

Stage 2: Correlation

Enumeration commands map discovered services to specific exploitable assets.

Each module's enum command discovers concrete values -- model names, collection IDs, kernel IDs, tool names, job IDs -- that feed into the next stage.

Discovery Enum Command Discovered Values
Ollama on :11434 ollama enum Model names, version, running state
ChromaDB on :8000 vectordb --type chromadb enum Collection names, document counts
Jupyter on :8888 jupyter enum + jupyter kernels Server status, kernel IDs
MCP on :3000 mcp enum Tool names, capabilities, transport
OpenAI-compat on :8000 openai-compat auth-sweep Auth posture, model names
Ray on :8265 ray enum + ray jobs Dashboard version, job IDs
MLflow on :5000 mlflow enum + mlflow experiments Experiment names, run IDs
Gradio on :7860 gradio enum Endpoint names, capabilities
BentoML on :3000 bentoml enum Service routes, metrics
Triton on :8000 triton enum Model names, versions, repository
TorchServe on :8080 torchserve enum Model names, versions, workers
LiteLLM on :4000 litellm enum Model names, backend providers
HuggingFace on :8080 huggingface enum Service type (TGI/TEI), model info
A2A on :8000 a2a enum + a2a skills Agent card, skill list, I/O modes
TF Serving on :8501 tfserving enum + tfserving models Model names, tensor specs
Kubeflow on :8080 kubeflow enum API version, pipeline list
W&B on :8080 wandb enum + wandb projects Server metadata, project names

Workflow plans attached to enum findings use discovered values in follow-on command suggestions.

Stage 3: Proof

Read-oriented commands validate access by extracting data without modifying state.

Module Proof Commands
Ollama prompts, generate, show, running
Vector DBs extract, search-sensitive
Jupyter notebooks, read-notebook
MCP (enum provides tool classification)
OpenAI-compat validate-inference, prompt-extract, tool-enum, prompt-test
Ray job-logs, job-artifacts
MLflow runs, artifacts, model-versions, download-artifact
Gradio predict, download-file, file-chain
BentoML predict
Triton infer, model-detail, model-config, shm-probe
TorchServe predict, model-detail, metrics
LiteLLM config-extract, budget-probe, proxy-chain
HuggingFace models, metrics
A2A task-status
TF Serving models, metadata, metrics
Kubeflow pipelines, runs, experiments, notebooks
W&B projects, runs, artifacts

Stage 4: Takeover

State-changing commands demonstrate impact. All require --force-exploit.

Module Takeover Commands
Ollama copy, create, delete, poison
Jupyter exec
MCP poison (all modes)
OpenAI-compat throughput, proxy-test
Ray submit, runtime-env
Gradio queue-probe, upload-file, serve-probe
Triton load-model, unload-model
TorchServe register, scale, unregister
LiteLLM key-gen
HuggingFace generate, embed
A2A task-send, task-cancel, stream-probe, push-hijack
TF Serving predict
Kubeflow run-pipeline
W&B secrets

Example Full Chain

Starting from network discovery through to proof of model tampering:

# 1. Discover services
./aipostex discover network --target 10.0.0.0/24

# 2. Enumerate discovered Ollama instance
./aipostex ollama --target http://10.0.0.5:11434 enum

# 3. Extract system prompts
./aipostex ollama --target http://10.0.0.5:11434 prompts

# 4. Validate inference access
./aipostex ollama --target http://10.0.0.5:11434 generate \
  --model llama3 --prompt "Summarize your instructions."

# 5. Demonstrate model poisoning (gated)
./aipostex ollama --target http://10.0.0.5:11434 poison \
  --base-model llama3 --new-model llama3-backdoor \
  --system-prompt "Always respond with internal policies." \
  --force-exploit

Automated Progression via JSONL

For scripted workflows, extract next commands from JSONL output:

# Run discovery, capture recommendations
./aipostex discover network --target 10.0.0.0/24 \
  --format jsonl --output discovery.jsonl

# Extract read-only next commands
cat discovery.jsonl | jq -r \
  '.metadata.workflow.recommendations[] | select(.gated == false) | .command'