NIGHTFALL Tool 66 — World First

SPECTER A2A

Agent-to-Agent Protocol Attack Engine

7 Subsystems
750 Tests
3 A2A Protocols
66 Tool Number
NIGHTFALL Framework Engage Red Specter
Identity Forgery Replay Attacks Consensus Poisoning Worm Propagation MITM Interception Protocol Exploitation Google A2A AutoGen Attacks CrewAI Exploitation Cross-Protocol Worms Agent Enumeration Trust Chain Collapse Prompt Injection Memory Poisoning Tool Result Forgery Identity Forgery Replay Attacks Consensus Poisoning Worm Propagation MITM Interception Protocol Exploitation Google A2A AutoGen Attacks CrewAI Exploitation Cross-Protocol Worms Agent Enumeration Trust Chain Collapse Prompt Injection Memory Poisoning Tool Result Forgery

Attack Surface

Three Protocols. One Attack Engine.

The agent economy is converging on a handful of communication standards — Google A2A, AutoGen GroupChat, and CrewAI serve. None were designed with adversarial analysis in mind. SPECTER A2A is the world's first offensive tool that targets all three simultaneously, exposing the trust boundaries agents assume but cannot verify.

Protocol 01
Google A2A
JSON-RPC 2.0 over HTTP. Agent discovery via /.well-known/agent.json. No mandatory authentication on task submission endpoints in reference implementations. Skills advertised publicly. Perfect enumeration surface.
Agent Card Exposure Replay Attack Identity Forge Worm Propagation
Protocol 02
AutoGen GroupChat
Multi-agent group chat with REST management API. GroupChatManager routes all messages — poison one message and it reaches every agent. No per-message signing. Speaker identity is a string field.
Consensus Poison Speaker Spoof Loop Trigger Memory Inject
Protocol 03
CrewAI Serve
Sequential and hierarchical crew processes exposed over HTTP. Manager delegation cascades to all workers. Hierarchical process amplifies a single poisoned manager task across every downstream agent.
Role Impersonation Hierarchy Exploit Crew Enumeration Task Injection

Architecture

Six Subsystems. Full Attack Chain.

From passive reconnaissance to autonomous worm propagation across a live multi-protocol agent mesh. Every attack vector across all three frameworks, with hash-chained evidence collection and SIEM export.

Subsystem Clearance Attack Framework Description
PROTOCOL_SCAN STANDARD Discovery & Enumeration Fingerprint agent networks across all three protocols. Enumerate agents, capabilities, endpoints, and unauthenticated access vectors. Populates the protocol_map for downstream subsystems.
MESSAGE_SPOOF FORGE Identity Forge / Replay Forge agent identities, replay captured tasks with stale timestamps, inject prompt payloads. Tests whether trust is based on identity claims alone rather than cryptographic proof.
PROXY_ATTACK FORGE MITM / Transport Analysis Assess TLS enforcement, certificate pinning absence, header spoofing susceptibility, HTTP CONNECT tunnelling, and traffic analysis vulnerability across all A2A endpoints.
CONSENSUS_POISON FORGE Consensus / Memory Attack Broadcast false completion signals, corrupt shared memory, poison tool results, and inject fabricated authority-override messages to corrupt multi-agent decision making at scale.
WORM_PROPAGATE DESTROY Autonomous Worm Self-propagating worm simulation across all three protocol stacks simultaneously. Tests hop-count enforcement, deduplication, circuit-breakers, and cross-protocol boundary isolation.
AGENT_CARD_POISON FORGE/DESTROY Discovery Card Poisoning Poison Google A2A agent discovery cards at /.well-known/agent.json. Six techniques: CARD_SPOOF, SKILL_INJECT (LLM prompt injection via skill descriptions), CAPABILITY_ESCALATE, DESCRIPTION_HIJACK, URL_REDIRECT, REGISTRY_INJECT. Shadow agents in Vertex AI / LangGraph / AutoGen / CrewAI registries.
EVIDENCE STANDARD Artefact Collection Hash-chained evidence manifest, per-finding JSON artefacts, Ed25519-signed report and manifest. CEF, LEEF, JSON, and Splunk SIEM export formats. Full WARLORD integration.

UNLEASHED Gate

Clearance-Gated Execution

Every destructive operation is gated behind the UNLEASHED Ed25519 authentication system. WORM_PROPAGATE requires dual confirmation — no accidental deployments against live agent meshes.

STANDARD
Protocol scanning and evidence collection. Read-only operations against A2A agent networks. Full enumeration, capability mapping, and unauthenticated access testing.
specter-a2a scan --target [host]
FORGE
Identity forgery, replay attacks, MITM analysis, and consensus poisoning. Active exploitation of trust boundaries. Requires --override flag and UNLEASHED key.
specter-a2a spoof --override ...
DESTROY
Autonomous worm propagation across live agent meshes. Dual confirmation required — both --override and --confirm-destroy must be provided. Maximum propagation_risk: worm.
specter-a2a worm --override --confirm-destroy

Deployment

Deployment Compatibility

Python3.11+
Google A2ASDK 0.2+
AutoGenpyautogen 0.4+
CrewAI0.80+
mitmproxy10.3+
httpx0.27+
cryptography42.0+
SIEMCEF/LEEF/JSON/Splunk
OutputWARLORD JSON
AuthEd25519 UNLEASHED
EvidenceHash-Chained
PlatformLinux / macOS

SPECTER A2A is an authorised security research and penetration testing tool. Deployment against agent networks without explicit written authorisation from the system owner is prohibited. All worm simulation and consensus poison capabilities require UNLEASHED clearance and are designed for isolated test environments only. Red Specter Security Research Ltd assumes no liability for misuse.

SPECTER A2A — TOOL 66

Agent-to-Agent Protocol Attack Engine | NIGHTFALL Framework

specter-a2a scan --target [host] --a2a-url http://[host]:9100
specter-a2a report --override --confirm-destroy --all

Authorised use only. UNLEASHED Ed25519 gate enforced on all offensive operations.