ASTRO BLASTER is an offensive AI security testing engine for Non-Terrestrial Network infrastructure. It targets AI agents embedded at every layer of the NTN stack — from ground station edge compute and constellation management through 3GPP Release 17+ NR-NTN 5G SA core network functions to satellite firmware supply chains. All attack subsystems require UNLEASHED authorisation and are gated behind Ed25519 cryptographic signatures.
Installation
Requirements
- Python 3.11+
- pip
Install from source
$ cd red-specter-astro-blaster
$ pip install -e .
# With dev dependencies (for tests)
$ pip install -e ".[dev]"
# Verify installation
$ astro-blaster --version
ASTRO BLASTER 1.0.0 — NIGHTFALL Tool 60
Run tests
237 passed in 0.92s
CLI Reference
astro-blaster probe
Run SURVEY only — ground station enumeration and passive fingerprinting. No UNLEASHED key required.
# Example
$ astro-blaster probe http://ground-station:8080
astro-blaster scan
Full engagement scan. UNLEASHED level determines which subsystems activate.
Options:
--override SURVEY + FEEDINJECT + ORBITAL
--confirm-destroy All 8 attack subsystems
--output FILE Write WARLORD-compatible JSON findings
--timeout SECONDS Per-request timeout (default: 20-30s)
--format FORMAT Output format: json | text (default: text)
astro-blaster auth
Manage UNLEASHED cryptographic keys and scope files.
$ astro-blaster auth init
Keys written to ~/.red-specter/astro-blaster/
# Create destroy-level scope file
$ astro-blaster auth create-scope http://target:8080 [--expires-days 30]
Scope file written: ~/.red-specter/astro-blaster/authorized_scope.json
# Show UNLEASHED status
$ astro-blaster auth status
# Revoke scope (delete scope file)
$ astro-blaster auth revoke
astro-blaster modules
List all subsystems with SPARTA mapping and UNLEASHED requirements.
UNLEASHED Gate
ASTRO BLASTER uses Ed25519 dual-signature UNLEASHED gating. Three levels exist, each activating a superset of the previous level's subsystems.
| Level | Flag | Subsystems Active | Requirement |
|---|---|---|---|
| Standard | none | SURVEY, REPORT | None |
| Override | --override | + FEEDINJECT, ORBITAL | Ed25519 key present at ~/.red-specter/astro-blaster/ |
| Destroy | --confirm-destroy | + GROUNDCHAIN, FIRMWARE, NTN_BOUNDARY, SWARM_NTN, PERSIST | Signed scope file with target list, both keys signed, not expired |
Key Files
├── unleashed.key # Ed25519 private key (mode 600)
├── operator.key # Operator Ed25519 key (mode 600)
└── authorized_scope.json # Signed scope (destroy level)
Subsystem: SURVEY
Standard SPARTA: RK-0001
Ground station and NTN infrastructure enumeration. Performs active probing of candidate endpoints and passive fingerprinting of known NTN providers. Safe to run without an UNLEASHED key.
Probes
- 12 ground station API probes:
/api/v1/health,/api/v1/agents,/api/v1/telemetry,/v1/groundstation/status,/contacts,/satellites,/inference,/v1/data/feeds,/metrics,/routing,/ntn/ues,/uplink - 10 ports scanned: 2233 (satellite), 8080/8443 (ground control), 5000/9090 (telemetry), 9100 (Prometheus), 3000 (Grafana), 8888 (Jupyter), 4317/4318 (OTLP)
- Passive fingerprinting: AWS Ground Station, Planet Labs, Azure Space, Starlink signatures
Output fields
"target": "http://ground-station:8080",
"endpoints_found": [...],
"open_ports": [...],
"infra_hints": ["ai_agent_registry", "telemetry_feed"],
"auth_required": false,
"has_exposed_ai_endpoints": true,
"ntn_provider": "aws_ground_station"
}
Subsystem: FEEDINJECT
--override SPARTA: IA-0001 ATLAS: AML.T0051, AML.T0043
Prompt injection via satellite data feeds. Seven injection payloads targeting every major NTN telemetry format. Payloads are sent to four candidate feed endpoints derived from the target base URL.
Payloads
| ID | Feed Type | Injection Field | CVSS |
|---|---|---|---|
| FEED-001 | Satellite Telemetry JSON | status | 9.3 |
| FEED-002 | Earth Observation Metadata | notes | 8.1 |
| FEED-003 | Sensor Data Pipeline | calibration_note | 9.8 |
| FEED-004 | CCSDS Telemetry Frame | comment | 9.5 |
| FEED-005 | AWS Ground Station | data | 8.6 |
| FEED-006 | Planet Labs Scene | anomaly_description | 8.1 |
| FEED-007 | 3GPP NR-NTN UE Report | report_note | 9.1 |
Detection heuristic
Injection success is assessed by HTTP status code (200 on normally-restricted endpoint), response length, and keyword reflection detection: OVERRIDE, MAINTENANCE_MODE, IGNORE PREVIOUS, SYSTEM OVERRIDE, AI AGENT, Suppress.
Subsystem: ORBITAL
--override SPARTA: EX-0002 ATLAS: AML.T0051, AML.T0048
Multi-turn reasoning manipulation against orbital AI agents. Each scenario sends 3 conversation turns to the target API, progressively escalating from legitimate enquiry to adversarial goal injection.
Scenarios
| ID | Attack Type | Endpoint | CVSS |
|---|---|---|---|
| ORB-001 | Goal hijacking — routing override | /api/v1/routing/optimize | 9.4 |
| ORB-002 | Context drift — handoff thresholds | /api/v1/handoff/decide | 8.6 |
| ORB-003 | Context manipulation — TLE substitution | /api/v1/orbit/update | 9.1 |
| ORB-004 | Goal hijacking — burn override | /api/v1/manoeuvre/plan | 9.8 |
| ORB-005 | Context drift — link budget | /api/v1/link/configure | 8.1 |
Subsystem: GROUNDCHAIN
--confirm-destroy SPARTA: EX-0002, IA-0001, LM-0001 ATLAS: AML.T0043
Trust chain attacks across the ground-to-orbit boundary. Tests authentication and delegation chain integrity between ground control software, uplink stations, and orbital AI systems.
Attacks
| ID | Attack Type | Method | CWE | CVSS |
|---|---|---|---|---|
| GC-001 | JWT impersonation — UPLINK_AUTHORITY | POST | CWE-287 | 9.6 |
| GC-002 | OBO delegation chain abuse | POST | CWE-287 | 9.3 |
| GC-003 | Ground control API key replay | GET | CWE-294 | 8.6 |
| GC-004 | MTLS certificate forgery | POST | CWE-295 | 8.9 |
| GC-005 | WSSE token injection — command bus | POST | CWE-287 | 8.3 |
Subsystem: FIRMWARE
--confirm-destroy SPARTA: EX-0002 ATLAS: AML.T0018, AML.T0020, AML.T0044
Satellite AI firmware and model supply chain attacks. All payloads are structurally valid binary or data artefacts — not placeholder strings.
- FW-001 GGUF Poisoning — Real GGUF binary format: magic bytes
GGUF+ struct-packed version/tensor/KV headers + backdoor trigger sequence - FW-002 Fine-tuning Injection — JSONL dataset with adversarial training samples targeting orbital routing objectives
- FW-003 LoRA Adapter Backdoor — Adapter manifest with poisoned weight tensors and activation trigger
- FW-004 Model Manifest Tampering — SHA-256 hash replacement in model manifest pointing to malicious weights
- FW-005 Registry Poisoning — Model registry record substitution targeting the orbital AI update pipeline
Subsystem: NTN_BOUNDARY
--confirm-destroy SPARTA: IA-0001 ATLAS: AML.T0051
MCP boundary attacks at the ground-to-space interface. Targets ground control software that uses Model Context Protocol for satellite command coordination.
- NTN-001 Schema Injection — Adversarial
inputSchemawith__prompt_override__property targeting orbital routing agents - NTN-002 Parameter Smuggling — Null-byte and separator injection in parameters to escape validation boundaries
- NTN-003 Response Poisoning — Malicious tool result content containing system-role injection
- NTN-004 Context Overflow — 200+ tool entries exhausting context window with progressively escalating instructions
- NTN-005 Tool Call Hijack — Tool description poisoning to redirect satellite command execution to attacker-controlled endpoint
Subsystem: SWARM_NTN
--confirm-destroy SPARTA: DE-0001 ATLAS: AML.T0051
3GPP NR-NTN core network AI disruption. All payloads use real 3GPP NTN field names from TS 38.331 and TS 38.413 specifications.
| ID | Target Function | Attack | NTN Fields |
|---|---|---|---|
| SWARM-001 | AMF | NTN capability injection via NAS registration | ntnCapabilities, serviceLink |
| SWARM-002 | PCF | Policy hijack with orbital parameters | propagationDelay, ephemerisValidity |
| SWARM-003 | SMF | Session establishment flood | dopplerShift, ntnCellId |
| SWARM-004 | BGP | NTN routing table poisoning | as_path, next_hop |
| SWARM-005 | NWDAF | Analytics data poisoning | serviceExperienceInfo, nfLoadLevelInfo |
Subsystem: PERSIST
--confirm-destroy SPARTA: EX-0002, LM-0001 ATLAS: AML.T0018
Long-term persistence mechanisms targeting NTN AI infrastructure. Tracks all installed artefacts via cleanup_tasks for post-engagement cleanup.
- PER-001 — Checkpoint injection into orbital agent state (conversation history poisoning)
- PER-002 — External memory store poisoning (vector DB / Redis / graph store)
- PER-003 — System prompt persistence in satellite ground software configuration API
- PER-004 — Scheduled task creation on ground station host for periodic re-execution
- PER-005 — NTN exfiltration hook installation via telemetry webhook configuration
Subsystem: REPORT
Available at all UNLEASHED levels. Consolidates all subsystem findings into a WARLORD-compatible report with SPARTA and MITRE ATLAS cross-references.
Report structure
"tool": "ASTRO BLASTER",
"version": "1.0.0",
"target": "http://ntn-target:8080",
"timestamp": "2026-04-25T12:00:00Z",
"unleashed_level": "destroy",
"summary": {
"total_findings": 11,
"critical": 4, "high": 5, "medium": 2,
"max_cvss": 9.8, "overall_grade": "CRITICAL",
"is_vulnerable": true
},
"sparta_framework": {
"reference": "sparta.aerospace.org",
"tactics_triggered": ["RK-0001","IA-0001","EX-0002","LM-0001","DE-0001"]
},
"findings": [...]
}
SPARTA TTP Cross-Reference
| SPARTA ID | Tactic | Subsystems | CVSS Range |
|---|---|---|---|
| RK-0001 | Reconnaissance | SURVEY | Passive — no CVSS |
| IA-0001 | Intercept and Alter Signals | FEEDINJECT, GROUNDCHAIN (GC-004), NTN_BOUNDARY | 8.1 – 9.8 |
| EX-0002 | Execute Unauthorized Commands | ORBITAL, GROUNDCHAIN, FIRMWARE, PERSIST | 8.3 – 9.8 |
| LM-0001 | Lateral Movement to Ground | GROUNDCHAIN (GC-003), PERSIST | 8.6 – 9.6 |
| DE-0001 | Denial of Service | SWARM_NTN | 7.5 – 8.9 |
SPARTA is maintained by The Aerospace Corporation. Full tactic catalogue: sparta.aerospace.org. ASTRO BLASTER covers 5 of 16 SPARTA tactics in v1.0.0.
MITRE ATLAS Cross-Reference
| TTP | Name | Subsystems |
|---|---|---|
| AML.T0051 | LLM Prompt Injection | FEEDINJECT, ORBITAL, NTN_BOUNDARY |
| AML.T0043 | Craft Adversarial Data | FEEDINJECT, GROUNDCHAIN, FIRMWARE |
| AML.T0048 | External Harms | ORBITAL, GROUNDCHAIN |
| AML.T0018 | Backdoor ML Model | FIRMWARE, PERSIST |
| AML.T0020 | Poison Training Data | FIRMWARE |
| AML.T0044 | Full ML Model Access | FIRMWARE |
Validation Environment Setup
Live validation requires an authorised NTN target environment. The following configurations have been used or are suitable for ASTRO BLASTER validation.
OpenAirInterface NTN Simulator
$ git clone https://gitlab.eurecom.fr/oai/openairinterface5g.git
$ cd openairinterface5g && git checkout ntn
# Build NR-NTN gNB + UE
$ ./cmake_targets/build_oai --gNB --nrUE -w SIMU
# Run NTN simulation (LEO orbit)
$ ./ran_build/build/nr-softmodem -O gnb_ntn.conf
# Point ASTRO BLASTER at 5G core AI agent endpoint
$ astro-blaster scan http://localhost:8080 --confirm-destroy
free5GC NTN Configuration
$ git clone https://github.com/free5gc/free5gc.git
$ cd free5gc && make
# Configure AMF for NTN: set ntnCapabilities in config/amfcfg.yaml
# ntnCapabilities:
# cellOrbitType: LEO
# propagationDelay: 25ms
# dopplerShift: enabled
# Start all NFs: AMF, SMF, PCF, NWDAF
$ ./run.sh
# SWARM_NTN targets: localhost:29518 (AMF), :29512 (SMF), :29507 (PCF), :29520 (NWDAF)
Planet Labs Developer API
# Obtain API key from dashboard
# Test feed endpoint for FEEDINJECT validation
# FEED-006 targets PSScene properties via the scenes API
# Set up a test scene with anomaly_description field exposed to your AI pipeline
# Example: create a mock Planet Labs processing endpoint
$ python -m http.server 8080 # minimal mock
AWS Ground Station Test Endpoint
# For FEEDINJECT validation (FEED-005), target the AWS Ground Station
# data delivery endpoint in a test environment
# Validate against AWS Ground Station emulator
# or a local endpoint replicating the dataflow format
# FEED-005 payload format targets ContactId, dataflowEndpoint, data fields
WARLORD-Compatible Output
Use --output findings.json to export WARLORD-compatible findings. Each finding includes SPARTA TTPs, MITRE ATLAS TTPs, infrastructure type, and CVSS-based grade.
"finding_id": "AB-ORB-004-001",
"tool": "ASTRO BLASTER",
"severity": "critical",
"score": 9.8,
"grade": "A+",
"title": "Autonomous Station-Keeping Override",
"description": "Prompt injection causes station-keeping AI agent to execute adversary-specified orbital manoeuvres",
"evidence": "Goal hijacked: True | Turns: 3 | Response: burn parameters applied...",
"metadata": {
"sparta_ttps": ["EX-0002"],
"atlas_ttps": ["AML.T0051", "AML.T0048"],
"infra_type": "orbital_edge",
"vuln_class": "prompt_injection",
"cwe": "CWE-20",
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
}
}
ARMORY Integration
ASTRO BLASTER ships with 25 ARMORY payloads in the ntn_ai_exploitation category. All payloads are Ed25519 signed and CVSS scored.
| Category | Count | Max CVSS |
|---|---|---|
| ground_station_feed_injection | 7 | 9.8 |
| orbital_routing_manipulation | 5 | 9.4 |
| ground_to_orbit_trust_chain | 5 | 9.6 |
| ntn_mcp_boundary | 5 | 9.2 |
| satellite_firmware_supply_chain | 3 | 9.0 |
Access via the ARMORY CLI: rs-armory search --category ntn_ai_exploitation
Rules of Engagement
- Computer Misuse Act 1990 (United Kingdom)
- Computer Fraud and Abuse Act (United States)
- Equivalent legislation in your jurisdiction
- Space operations safety regulations (where applicable)
Before running a scan
- Obtain explicit written authorisation from the system owner naming the specific targets and the scope of testing
- Initialise UNLEASHED with
astro-blaster auth init - Create a scope file using
astro-blaster auth create-scope <target>— this cryptographically records your authorised targets - For destroy-level engagements, confirm a maintenance window with the system owner — SWARM_NTN and PERSIST subsystems send real HTTP requests
After engagement
- Remove any PERSIST artefacts using the cleanup_tasks list in the PERSIST result
- Revoke the scope file:
astro-blaster auth revoke - Deliver the REPORT output to the authorising party
© 2026 Red Specter Security Research Ltd (Company No. 17106988) • Apache License 2.0