Skip to content

Htunn/invoke-sunstrike

Repository files navigation

Invoke-Sunstrike Pentest Agent

 ___ _  ___   _____  _  _____ 
|_ _| \| \ \ / / _ \| |/ / __|
 | || .`| |\ V / (_) | ' <| _| 
|___|_|\_ | \_/ \___/|_|\_\___|

 ___ _   _ _  _ ___ _____ ___ ___ _  _____ 
/ __| | | | \| / __|_   _| _ \_ _| |/ / __|
\__ \ |_| | .`\__ \ | | |   /| || ' <| _| 
|___/\___/|_|\_|___/ |_| |_|_\___|_|\_\___|  ⚡ AI-Powered Pentesting

Go Reference CI License: MIT Version

Invoke-Sunstrike is an AI-orchestrated penetration testing framework for authorized engagements. It exposes a persistent REPL with four interchangeable AI backends — GitHub Models (GPT-4o/GPT-5), Ollama (Gemma4/Llama 3, local/offline), Google Gemini (gemini-2.5-flash), and Anthropic Claude (claude-opus-4-5) — and a signed plugin architecture for modular exploit delivery across web, API, identity, Kubernetes, and LLM attack surfaces.

⚠️ Legal Disclaimer

THIS TOOL IS FOR AUTHORIZED SECURITY TESTING ONLY

By using this tool, you acknowledge that:

  • You have EXPLICIT WRITTEN PERMISSION to test target systems
  • Unauthorized access to computer systems is ILLEGAL (CFAA, Computer Misuse Act, etc.)
  • You assume ALL LEGAL RESPONSIBILITY for your actions
  • The authors are NOT LIABLE for misuse of this tool

Violation of computer fraud laws may result in criminal prosecution, civil liability, and imprisonment.

Capabilities

  • Interactive REPL: Persistent session with command history, tab completion, and inline AI co-pilot
  • Four AI Backends: GitHub Models (GPT-4o/GPT-5), Ollama (Gemma4/Llama 3, fully local/offline), Google Gemini (gemini-2.5-flash), and Anthropic Claude (claude-opus-4-5). All backends share a common interface and are switchable at runtime via model <engine> — no restart required.
  • Kali Linux Container: kali attack <fqdn> provisions kalilinux/kali-rolling via Docker and orchestrates a full AI-driven pentest (RECON → PLAN → ATTACK → SUMMARY). Requires Docker.
  • WAF Bypass Engine: Active fingerprinting with adaptive evasion against Cloudflare, ModSecurity, Akamai, and Imperva.
  • Context-Aware Analysis: AI receives full scan output — endpoint inventory, HTTP responses, and stack fingerprints — not pre-written templates.
  • Human-in-the-Loop Approval: Mandatory confirmation gate before any active or destructive operation. Auto-approve level is configurable via INVOKE_SUNSTRIKE_AUTO_APPROVE.
  • Adaptive Rate Limiting: Token bucket with circuit breaker; automatic exponential backoff (2s / 4s / 8s) on 429 responses.
  • Signed Plugin Architecture: Ed25519-signed modules loaded over gRPC (HashiCorp go-plugin). Bundled plugins: auth-attack, kubernetes, llm-attack.
  • Scope Enforcement: YAML-driven allowlist (CIDR ranges, wildcard domains, explicit URLs, exclusions) — unauthorized targets are rejected before any probe is sent.
  • Secure History: REPL command history written to ~/.cache/sunstrike/history (mode 0700) — never world-readable.
  • Structured Reporting: JSON event stream fed into the reporter pipeline with HTML report generation.
  • CI/CD Pipeline: GitHub Actions workflow runs go vet, race-detector unit tests, short-mode E2E, and golangci-lint on every push and PR. A .golangci.yml (v2 format) is included — errcheck exclusions for idiomatic defer Close() patterns, staticcheck enabled, and unused disabled for pending-feature code.

Supported Targets

  • Web Applications: SQL injection, XSS, CSRF, XXE, SSRF, LFI/RFI, template injection
  • REST APIs: GraphQL introspection, JWT manipulation, OAuth flow testing, mass assignment
  • Active Directory: Kerberos attacks, NTLM relay, golden/silver tickets, DCSync
  • ADFS: Token manipulation, endpoint enumeration, federation vulnerabilities
  • Authentication: Brute force, password spray, session hijacking, MFA bypass
  • Authorization: IDOR, privilege escalation, horizontal/vertical bypass
  • OAuth2 / OIDC: PKCE downgrade, token leakage, state parameter bypass, implicit flow abuse
  • SAML: Signature wrapping, XML injection, assertion replay, broker bypass
  • Kubernetes: API server exposure, RBAC misconfiguration, container escape, SSRF, etcd leakage
  • LLM / AI APIs: Full OWASP LLM Top 10 (2025) — prompt injection, sensitive data disclosure, supply-chain attacks, model poisoning, excessive agency, system-prompt leakage, vector/embedding weaknesses, misinformation, and unbounded consumption
  • A2A Agents: A2A (Agent-to-Agent) protocol security — Agent Card analysis, unauthenticated task execution, dangerous skill detection, secret scanning, SSRF via push-notification webhooks, auth bypass, message injection, task enumeration, JSON-RPC manipulation

Installation

From Source

# Clone repository
git clone https://github.com/htunn/invoke-sunstrike.git
cd invoke-sunstrike

# Build
go build -o sunstrike cmd/sunstrike/main.go

# Install globally (optional)
sudo mv sunstrike /usr/local/bin/

Using Go Install

go install github.com/htunn/invoke-sunstrike/cmd/sunstrike@latest

From Releases

Download pre-compiled binaries from GitHub Releases.

Quick Start

Prerequisites

Option A — GitHub Models (cloud, default):

  1. GitHub personal access token from https://github.com/settings/tokens
  2. GitHub Models access (included with Copilot subscription or free tier)

Option B — Ollama (local, no token needed):

  1. Install Ollama: https://ollama.com/download
  2. Pull a model: ollama pull gemma4:e4b (or llama3.1, deepseek-r1, etc.)
  3. Start the server: ollama serve

Option C — Google Gemini (cloud):

  1. Get an API key from https://aistudio.google.com/app/apikey
  2. export GEMINI_API_KEY=<your-key> and export INVOKE_SUNSTRIKE_ENGINE=gemini

Option D — Anthropic Claude (cloud):

  1. Get an API key from https://console.anthropic.com/
  2. export ANTHROPIC_API_KEY=<your-key> and export INVOKE_SUNSTRIKE_ENGINE=claude

Docker (required for kali commands / advanced mode):

  • macOS / Windows: Docker Desktop 24+
  • Linux: Docker Engine 24+
  • The kali attack, kali start, kali exec, kali ai commands spin up a kalilinux/kali-rolling container automatically. All other features work without Docker.

offsec-ai integration (required for offsec commands):

offsec-ai is a Python 3.12 package. The REPL and the E2E test suite both resolve it as a subprocess via PATH. The binary is only present in the Python version it was installed under, so the shell must have the correct pyenv version active.

# Install Python 3.12 via pyenv (skip if already installed)
pyenv install 3.12.0

# Activate for the current shell session
pyenv shell 3.12.0

# Install the package
pip install offsec-ai

# Verify
offsec-ai --version

E2E test note: TestOffsecAILive_Scan_PortScan and TestOffsecAILive_MCPScan_ViaExecutor will fail with exit code 127 if the active Python runtime does not include offsec-ai. Run pyenv shell 3.12.0 before executing the E2E suite:

pyenv shell 3.12.0
INVOKE_SUNSTRIKE_ENGINE=gemini go test -timeout 20m -run 'TestLiveE2E|TestOffsecAILive|TestE2E' ./tests/e2e/...

Interactive REPL Mode (Recommended)

The tool runs in REPL-only mode with integrated AI assistance.

Using GitHub Models (cloud)

export GITHUB_TOKEN="github_pat_xxxxxxxxxxxxx"
# or
export COPILOT_GITHUB_TOKEN="github_pat_xxxxxxxxxxxxx"

./sunstrike

Using Ollama / Gemma4 (local, no token needed)

# Start Ollama with Gemma4
ollama serve
# (in another tab, or background)

export INVOKE_SUNSTRIKE_ENGINE=ollama   # use Ollama from startup
./sunstrike

# Optionally override the default URL and model:
export OLLAMA_BASE_URL=http://localhost:11434
export OLLAMA_MODEL=gemma4:e4b

Using Google Gemini (cloud)

export GEMINI_API_KEY="<your-key>"
export INVOKE_SUNSTRIKE_ENGINE=gemini   # optional: also switchable at runtime
./sunstrike

The default Gemini model is gemini-2.5-flash. Override with export GEMINI_MODEL=gemini-2.5-pro.

Using Anthropic Claude (cloud)

export ANTHROPIC_API_KEY="sk-ant-..."
export INVOKE_SUNSTRIKE_ENGINE=claude   # optional: also switchable at runtime
./sunstrike

The default Claude model is claude-opus-4-5. Override with export CLAUDE_MODEL=claude-sonnet-4-5.

Inside REPL

⚡ sunstrike> target https://example.com
✅ Target set to: https://example.com

# ── AI Engine / Model Selection ──────────────────────────────────
⚡ sunstrike> model ollama              # switch to Ollama (default: gemma4:e4b)
⚡ sunstrike> model ollama gemma4:e4b   # switch to Ollama with explicit tag
⚡ sunstrike> model ollama llama3.1:8b  # any model available in your Ollama
⚡ sunstrike> model github              # switch back to GitHub Models (gpt-4o)
⚡ sunstrike> model github gpt-4o       # explicit model
⚡ sunstrike> model gemini              # switch to Google Gemini (gemini-2.5-flash)
⚡ sunstrike> model claude              # switch to Anthropic Claude (claude-opus-4-5)
⚡ sunstrike> model claude claude-sonnet-4-5  # switch with explicit model
⚡ sunstrike> show model               # display current engine + model

# ── Scanning ─────────────────────────────────────────────────────
⚡ sunstrike> scan
🔧 Initializing orchestrator...
🎯 Starting scan on: https://example.com
...
🤖 Analyzing results with AI (gemma4:e4b)...
📋 AI Security Analysis:
[Detailed analysis powered by your chosen AI engine]

# ── AI Questions ─────────────────────────────────────────────────
⚡ sunstrike> ask how to bypass cloudflare waf?
⚡ sunstrike> bypass ModSecurity
⚡ sunstrike> ? test for IDOR

# ── Attacking ────────────────────────────────────────────────────
⚡ sunstrike> attack sqli
⚔️  Execute sqli attack on https://example.com? [y/N]: y
...

# ── Kali Linux Container (Docker required) ───────────────────────
⚡ sunstrike> kali start                            # pull & start kalilinux/kali-rolling
⚡ sunstrike> kali setup                            # install nmap, nikto, sqlmap, hydra…
⚡ sunstrike> kali exec nmap -sV example.com        # run any Kali tool directly
⚡ sunstrike> kali ai "enumerate subdomains of example.com"  # AI picks & runs commands
⚡ sunstrike> kali attack example.com               # full automated AI pentest
⚡ sunstrike> kali attack example.com --advanced    # full toolset (3-8 min install on first run)
⚡ sunstrike> kali stop                             # remove the container

⚡ sunstrike> exit

Available Commands

Target Management:

  • target <url> - Set the target URL
  • show target - Display current target

AI Engine / Model Selection:

  • model ollama - Switch to Ollama (default: gemma4:e4b)
  • model ollama <tag> - Switch to Ollama with a specific model tag
  • model github - Switch to GitHub Models (default: gpt-4o)
  • model github <name> - Switch to GitHub Models with a specific model
  • model gemini - Switch to Google Gemini (default: gemini-2.5-flash)
  • model gemini <name> - Switch to Gemini with a specific model
  • model claude - Switch to Anthropic Claude (default: claude-opus-4-5)
  • model claude <name> - Switch to Claude with a specific model
  • model <tag> - Change the model tag on the current engine
  • show model - Display current engine and model

Scanning & Attacks:

  • scan [url] - Scan target for vulnerabilities
  • scan llm-attack <url> - OWASP LLM Top 10 scan of an LLM API or AI app
  • scan kubernetes <ip> - Kubernetes cluster reconnaissance
  • attack [type] - Execute attack with confirmation
  • analyze scan|attack - Get AI analysis of results
  • show scan|attack - Display raw results

AI Assistance:

  • ask <question> - Ask AI security questions
  • bypass <waf-type> - Get WAF bypass techniques
  • ? <question> - Quick ask (alias)

Kali Linux Container (Docker required):

  • kali start - Pull kalilinux/kali-rolling and start the container
  • kali setup - Install common tools (nmap, nikto, sqlmap, hydra…)
  • kali exec <cmd> - Run a raw shell command inside Kali
  • kali ai <goal> - AI-guided exploit: LLM picks and runs the commands
  • kali attack <fqdn> - Fully automated AI-driven pentest
  • kali attack <fqdn> --advanced - Same but installs the full Kali toolset first
  • kali stop - Stop and remove the Kali container

Utilities:

  • history - Show command history
  • clear - Clear screen
  • help - Show help
  • exit|quit - Exit REPL

Configuration

Configuration files live in the configs/ directory relative to the working directory where sunstrike is run (typically the repository root):

File Purpose
configs/trusted-authors.yaml Ed25519 public keys for allowed plugin authors — plugins signed by any other author are rejected
configs/pre-approval.yaml Target and exploit category pairs that bypass interactive approval
configs/limits.yaml Global and per-target rate limits, concurrency, and circuit-breaker settings
configs/scope.yaml Required for production — authorised IP ranges (CIDR), wildcard domains, explicit URLs, and exclusions
configs/offsecai.yaml offsec-ai integration settings (binary path, timeout, LLM judge)

Scope enforcement

Edit configs/scope.yaml before running in any shared or production environment:

# configs/scope.yaml
ip_ranges:
  - "10.0.0.0/8"
  - "192.168.1.0/24"

domains:
  - "*.test.example.com"
  - "api.example.com"

urls:
  - "https://staging.example.com"

exclusions:
  - "192.168.1.1"   # gateway - never test
  - "prod.example.com"

When scope.yaml contains entries, any scan or attack against an unlisted target is rejected before sending a single packet. An empty file (the default) allows all targets — suitable for isolated lab environments only.

Auto-approve level

Control how much human confirmation is required for attacks:

export INVOKE_SUNSTRIKE_AUTO_APPROVE=none      # every attack requires manual y/N (safest)
export INVOKE_SUNSTRIKE_AUTO_APPROVE=low       # low-risk attacks auto-approved (default)
export INVOKE_SUNSTRIKE_AUTO_APPROVE=medium    # low + medium auto-approved
export INVOKE_SUNSTRIKE_AUTO_APPROVE=high      # all except critical auto-approved
export INVOKE_SUNSTRIKE_AUTO_APPROVE=critical  # nothing requires confirmation (dangerous)

Plugin Development

Create custom exploit modules using the plugin interface:

package main

import (
    "context"
    "github.com/htunn/invoke-sunstrike/pkg/pluginkit"
    "github.com/hashicorp/go-plugin"
)

type MyExploit struct{}

func (e *MyExploit) Name() string {
    return "my-exploit"
}

func (e *MyExploit) Metadata() pluginkit.ExploitMetadata {
    return pluginkit.ExploitMetadata{
        Name:      "My Exploit",
        Category:  pluginkit.CategoryWeb,
        RiskLevel: pluginkit.RiskLevelMedium,
    }
}

func (e *MyExploit) Validate(target pluginkit.Target) error {
    return nil
}

func (e *MyExploit) Execute(ctx context.Context, target pluginkit.Target) (pluginkit.Result, error) {
    // Exploit implementation
    return pluginkit.Result{Success: true}, nil
}

func main() {
    plugin.Serve(&plugin.ServeConfig{
        HandshakeConfig: pluginkit.HandshakeConfig,
        Plugins: map[string]plugin.Plugin{
            "exploit": &pluginkit.ExploitPlugin{Impl: &MyExploit{}},
        },
    })
}

Architecture

cmd/sunstrike/        # REPL entry point
internal/
  ├── agent/          # Vulnerability scanner orchestration
  ├── approval/       # Interactive approval workflow
  ├── bypass/         # WAF detection & bypass strategies
  ├── claude/         # Anthropic Claude AI client
  ├── cmd/            # REPL command handlers
  ├── copilot/        # LLMBackend interface + GitHub Models client
  ├── docker/         # Kali Linux Docker executor (requires Docker)
  ├── gemini/         # Google Gemini AI client
  ├── llm/            # Provider factory (llm.New / llm.Providers)
  ├── ollama/         # Ollama / Gemma4 local AI client
  ├── ratelimit/      # Rate limiting & concurrency control
  └── reporter/       # Structured reporting
pkg/
  └── pluginkit/      # Plugin interface
plugins/
  ├── auth-attack/    # OAuth2/OIDC/SAML/JWT attack suite
  ├── kubernetes/     # Kubernetes cluster attack suite
  └── llm-attack/     # OWASP LLM Top 10 (2025) attack suite
configs/              # Configuration files

Bundled Plugins

auth-attack — OAuth2 / OIDC / SAML / JWT Attack Suite (v1.0.0)

Tests identity providers for authentication and token security vulnerabilities.

Supported IdP targets: Keycloak · Auth0 · Okta · Azure AD / ADFS · PingFederate

CVE coverage:

CVE Description
CVE-2015-9235 JWT alg:none / weak secret brute-force
CVE-2016-5431 OAuth2 implicit flow token leakage
CVE-2022-29361 PKCE code verifier downgrade
CVE-2020-7692 PKCE code_challenge_method=plain acceptance
CVE-2019-3778 Open redirect in OAuth2 redirect_uri
CVE-2023-6927 Keycloak open redirect
CVE-2021-27582 Keycloak consent bypass
CVE-2023-4784 Keycloak OIDC token injection
CVE-2023-0264 Keycloak error body injection
CVE-2021-36949 Azure AD MFA bypass
CVE-2017-11427 / CVE-2017-11428 SAML XML signature wrapping
CVE-2021-28550 SAML assertion replay
CVE-2017-6370 SAML comment injection
CVE-2018-0489 Shibboleth SAML XML injection

Attack categories and REPL usage:

# Scanner — passive enumeration of OAuth/OIDC endpoints and IdP fingerprinting
scan auth-attack https://login.example.com

# Attack — active exploitation of discovered vulnerabilities
attack auth-attack https://login.example.com

Build, test, and sign:

make build-plugin-auth-attack
make test-plugin-auth-attack
make sign-plugin-auth-attack

kubernetes — Kubernetes Cluster Attack Suite (v1.0.0)

Scans Kubernetes control-node IPs for misconfigurations and known CVEs.

Attack modules:

  • Anonymous API server enumeration
  • Kubelet unauthenticated read-only API (port 10255)
  • etcd key enumeration
  • CVE-2018-1002105 (privilege escalation)
  • Nginx ingress CVE-2023-5043 (annotation injection)
  • Service account token theft via path traversal
  • SSRF to cloud metadata services (AWS/GCP/Azure IMDS)
  • Container escape (privileged pods, hostPath mounts, hostNetwork)
  • Gateway API endpoint discovery

Remediation engine:

  • Automatic detection of dangerous pod configurations
  • Over-privileged ClusterRoleBindings
  • Nginx snippet annotation injection risks
# Inside REPL
scan kubernetes <control-node-ip>
attack kubernetes <control-node-ip>
make build-plugin
make test-plugin
make sign-plugin

llm-attack — OWASP LLM Top 10 (2025) Attack Suite (v1.0.0)

Scans and actively tests LLM APIs and AI-integrated applications for all ten OWASP LLM security risks.

Supported targets: OpenAI · Anthropic · Ollama · Hugging Face · Vertex AI · ChatGPT · RAG pipelines · Vector DBs (Weaviate, Qdrant, Chroma, Pinecone) · Gemma4

OWASP LLM Top 10 (2025) coverage:

ID Risk Attack modules
LLM01 Prompt Injection Direct injection, indirect injection via retrieved docs, system-prompt override, Gemma4 thinking-chain token injection
LLM02 Sensitive Information Disclosure Training-data extraction, credential leak probes, PII enumeration
LLM03 Supply Chain Model-card tampering detection, poisoned-model repository probes
LLM04 Data and Model Poisoning Fine-tune endpoint abuse, poisoned training-data submission
LLM05 Improper Output Handling XSS via LLM output, code-injection output probes
LLM06 Excessive Agency Tool-call abuse, over-permissioned plugin detection, autonomous action probes
LLM07 System Prompt Leakage Direct-ask extraction, inference via output-format manipulation
LLM08 Vector and Embedding Weaknesses Embedding manipulation, vector DB unauthenticated access, vector poisoning, embedding inversion
LLM09 Misinformation Hallucination confidence probing, fact-check bypass
LLM10 Unbounded Consumption Token flooding, repetitive query DoS, sponge attacks

Gemma4-specific probes:

  • Thinking-chain token extraction (<|channel>thought / </think> leakage via JSON response)
  • Fake thinking-chain injection to influence reasoning

REPL usage:

# Scan — fingerprint LLM provider, enumerate models, discover vector DBs, check TLS
scan llm-attack http://localhost:11434        # local Ollama / Gemma4
scan llm-attack https://api.openai.com        # OpenAI-compatible API
scan llm-attack https://your-ai-app.com       # web app with embedded LLM

# With API key
scan llm-attack https://api.openai.com --token sk-...

# Attack — run full OWASP LLM Top 10 active test suite
attack llm-attack http://localhost:11434
attack llm-attack https://api.openai.com --token sk-...

Build, test, and sign:

make build-plugin-llm-attack
make test-plugin-llm-attack
make sign-plugin-llm-attack

offsec-ai — Python Security Toolkit Integration

Invoke-Sunstrike natively integrates with offsec-ai, a Python-based AI-driven security toolkit. The integration is direct (no plugin binary needed) — the REPL calls the offsec-ai CLI as a subprocess and streams structured JSON results back into the reporting pipeline.

Prerequisites:

pip install offsec-ai

# Verify installation
offsec-ai --version

Supported scan and attack modules:

Command Mode Description
offsec mcp-scan <url> Passive MCP server security scan — enumerates tools, resources, prompts; checks auth and transport
offsec mcp-attack <url> Active ⚠️ Active MCP attack — tool hijacking, prompt injection, resource enumeration
offsec openclaw-scan <host> Passive OpenClaw AI gateway passive scan — API key exposure, model access controls
offsec openclaw-attack <host> Active ⚠️ Active OpenClaw attack — gateway bypass, model exfiltration
offsec owasp-scan <domain> Passive OWASP Web Top 10 passive scanner — injection, broken auth, misconfigurations
offsec infra-scan <host> Passive Infrastructure scan — open ports, TLS config, L7 fingerprint, hybrid-identity
offsec auth-scan <url> Passive Auth protocol passive scan — OIDC/OAuth2/SAML discovery and enumeration
offsec auth-attack <url> Active ⚠️ Active auth attack — token abuse, PKCE downgrade, SAML injection
offsec a2a-scan <url> Passive A2A agent scan — Agent Card analysis, auth posture, dangerous skill detection, secret scanning, SSRF surface, 10 A2A advisories
offsec a2a-attack <url> Active ⚠️ Active A2A attack — auth bypass, SSRF via webhook, message injection, task enumeration, JSON-RPC manipulation

⚠️ Active modes require explicit authorization. The approval workflow will prompt before executing any attack.

REPL usage:

# Prerequisites: offsec-ai installed and in PATH
pip install offsec-ai

# Inside the REPL — passive scans (no explicit authorization needed)
⚡ sunstrike> offsec mcp-scan https://mcp.example.com
⚡ sunstrike> offsec openclaw-scan api.example.com
⚡ sunstrike> offsec owasp-scan https://app.example.com
⚡ sunstrike> offsec infra-scan 10.0.0.5
⚡ sunstrike> offsec auth-scan https://auth.example.com
⚡ sunstrike> offsec a2a-scan https://agent.example.com
⚡ sunstrike> offsec a2a-scan https://agent.example.com --port 8443

# Active attacks — approval required before execution
⚡ sunstrike> offsec mcp-attack https://mcp.example.com --mode deep
⚡ sunstrike> offsec openclaw-attack api.example.com --mode deep
⚡ sunstrike> offsec auth-attack https://auth.example.com
⚡ sunstrike> offsec a2a-attack https://agent.example.com
⚡ sunstrike> offsec a2a-attack https://agent.example.com --mode deep

Optional LLM judge (for AI-graded severity):

# configs/offsecai.yaml
llm_judge: true
llm_provider: gemini    # gemini | openai | anthropic

# Set the corresponding API key:
export GEMINI_API_KEY=<key>    # for llm_provider: gemini
export OPENAI_API_KEY=<key>    # for llm_provider: openai
export ANTHROPIC_API_KEY=<key> # for llm_provider: anthropic

Configuration (configs/offsecai.yaml):

binary_path: "offsec-ai"   # path or name of the offsec-ai binary
timeout: 120s              # max duration per invocation
llm_judge: false           # enable AI-graded severity scoring
llm_provider: "gemini"     # judge backend: gemini | openai | anthropic

Environment variable overrides:

Variable Description
OFFSECAI_BINARY Override binary_path
OFFSECAI_LLM_PROVIDER Override llm_provider

Run offsec-ai tests:

make test-offsecai

Architecture: The integration lives in internal/offsecai/ (executor, config, mapper, types) and is invoked directly from handleOffsecCommand in the REPL — it does not go through the plugin loader. Results are mapped into pluginkit.Result structs and fed into the standard reporter pipeline.


AI Analysis Features

Intelligent Scan Analysis

The AI receives complete scan data and provides:

  1. Attack Surface Analysis: Identifies specific vulnerabilities from actual endpoints
  2. Technology-Specific Risks: Known CVEs and attack vectors for detected tech stack
  3. Endpoint Pattern Recognition: Auto-categorizes endpoints:
    • 🔐 Authentication (login, oauth, token, session)
    • 🔌 API endpoints (rest, graphql, api/)
    • ⚙️ Admin/Management (admin, console, config)
    • 📁 File operations (upload, download)
  4. Recommended Attack Vectors: Prioritized based on actual findings
  5. Exploitation Roadmap: Step-by-step recommendations with specific endpoints

Attack Result Analysis

For Failed Attacks:

  • Why it failed (WAF, hardening, wrong vector)
  • Alternative approaches and modified payloads
  • Bypass techniques for detected security controls
  • Prerequisite reconnaissance steps needed

For Successful Attacks:

  • Impact assessment and compromised resources
  • Evidence extraction and proof of exploitation
  • Privilege escalation and lateral movement paths
  • Remediation guidance and root cause analysis

AI Engine Reference

GitHub Models (cloud)

Uses the GitHub Models API — no local GPU required.

Model Notes
gpt-4o Default — fast, balanced
openai/gpt-5 Latest reasoning model

Authentication:

export GITHUB_TOKEN="github_pat_xxxxxxxxxxxxx"
# or
export COPILOT_GITHUB_TOKEN="github_pat_xxxxxxxxxxxxx"

Features: direct HTTP (no SDK), automatic exponential-backoff retry, runtime model switching.

Ollama (local / offline)

Runs entirely on your machine — no API key, no data sent to the cloud.

Model Notes
gemma4:e4b Default — Google Gemma4 9.6 GB, strong reasoning
llama3.1:8b Meta Llama 3.1 8B
deepseek-r1:8b DeepSeek R1 reasoning model
Any Ollama tag ollama list to see all installed models

Setup:

# Install: https://ollama.com/download
ollama pull gemma4:e4b
ollama serve

# Start invoke-sunstrike with Ollama
export INVOKE_SUNSTRIKE_ENGINE=ollama
./sunstrike

# Optional overrides
export OLLAMA_BASE_URL=http://localhost:11434   # default
export OLLAMA_MODEL=gemma4:e4b                 # default

Switch engines at runtime (no restart needed):

⚡ sunstrike> model ollama gemma4:e4b   # switch to Ollama
⚡ sunstrike> model github gpt-4o       # switch to GitHub Models
⚡ sunstrike> model gemini              # switch to Gemini
⚡ sunstrike> model claude              # switch to Anthropic Claude
⚡ sunstrike> show model                # current engine + model

Google Gemini (cloud)

Uses the Google Generative Language API — no local GPU required.

Model Notes
gemini-2.5-flash Default — fast, cost-efficient
gemini-2.5-pro Higher-quality reasoning

Authentication:

export GEMINI_API_KEY="<your-google-ai-key>"
export INVOKE_SUNSTRIKE_ENGINE=gemini   # start with Gemini, or switch at runtime

# Optional model override
export GEMINI_MODEL=gemini-2.5-pro

Get your key from: https://aistudio.google.com/app/apikey

Features: direct REST API (no SDK), thinking-budget control for Gemini 2.5+ models, runtime model switching.

Anthropic Claude (cloud)

Uses the Anthropic Messages API — no local GPU required.

Model Notes
claude-opus-4-5 Default — most capable, complex reasoning
claude-sonnet-4-5 Balanced speed and capability
claude-haiku-4-5 Fastest, cost-efficient

Authentication:

export ANTHROPIC_API_KEY="sk-ant-..."
export INVOKE_SUNSTRIKE_ENGINE=claude   # start with Claude, or switch at runtime

# Optional model override
export CLAUDE_MODEL=claude-sonnet-4-5

Get your key from: https://console.anthropic.com/

Features: direct REST API (no SDK), pure stdlib (no extra Go dependencies), runtime model switching.

Kali Linux Container (Docker required)

The kali commands run pentest tools inside an isolated kalilinux/kali-rolling Docker container driven by your active AI engine. Docker must be running — the image is pulled automatically on first use.

Command Description
kali start Pull image and start container
kali setup Install nmap, nikto, sqlmap, hydra, gobuster…
kali exec <cmd> Run any shell command inside Kali
kali ai <goal> AI generates and executes a command sequence
kali attack <fqdn> Fully automated AI pentest (RECON → PLAN → ATTACK → SUMMARY)
kali attack <fqdn> --advanced Same + full Kali toolset pre-installed
kali stop Remove the container

Prerequisites: Docker Desktop 24+ (macOS/Windows) or Docker Engine 24+ (Linux).

# Ensure Docker is running
docker info

# Then inside the REPL
⚡ sunstrike> model gemini              # or ollama / github
⚡ sunstrike> kali attack target.example.com

Development

Build

go build -o sunstrike ./cmd/sunstrike/

Test

Scope Command
All packages (short mode, race detector) go test -short -race ./...
Full unit suite make test-unit
Regression (full, with race) make test-regression
Plugin unit tests make test-plugin-auth-attack · make test-plugin-kubernetes · make test-plugin-llm-attack
offsec-ai integration make test-offsecai
E2E — skips live tests when offsec-ai absent go test -short ./tests/e2e/...
E2E — full live targets INVOKE_SUNSTRIKE_ENGINE=gemini go test -timeout 20m ./tests/e2e/...

E2E pre-conditions for live offsec-ai tests: GEMINI_API_KEY exported; Docker daemon running; correct Python version active (pyenv shell 3.12.0) with offsec-ai installed.

The CI pipeline runs go test -short -race ./... automatically on every push and pull request.

Plugin Signing

Plugin binaries must be signed with an Ed25519 key before the loader will accept them. The signing tool generates or reuses a keypair at ~/.exploit/keys/<author>.key and writes the hex signature into manifest.yaml.

make sign-plugin-auth-attack
make sign-plugin-kubernetes
make sign-plugin-llm-attack

Code Quality

go vet ./...
gofmt -l .
golangci-lint run   # full linter suite (mirrors CI)

Changelog

v2.2.0 — A2A (Agent-to-Agent) Protocol Security (latest)

  • 🤝 A2A scanner (offsec a2a-scan) — fetches the Agent Card at /.well-known/agent-card.json, parses declared skills/capabilities/security schemes, and runs static analysis against 10 A2A security advisories (A2A-ADV-2025-001 through -010)
  • ⚔️ A2A attacker (offsec a2a-attack) — authorized red-team module with safe mode (auth-bypass probes: no auth header, null Bearer, invalid JWT, X-Forwarded-For spoof, JWT alg=none) and deep mode (adds SSRF via push-notification webhook, SendMessage injection, sequential task ID enumeration, JSON-RPC manipulation)
  • 🔑 Auth posture check — sends an unauthenticated SendMessage JSON-RPC probe to detect open task endpoints; maps securitySchemes to OAuth2/OIDC/Bearer/mTLS/apiKey/none
  • 💀 Dangerous skill detection — flags skills whose descriptions contain shell execution keywords (exec, bash, eval, kubectl, docker run, etc.) — CRITICAL severity
  • 🔑 Secret scanning — regex scan of the Agent Card JSON for leaked API keys, tokens, and credentials (OpenAI sk-, AWS AKIA, GitHub ghp_, Slack, etc.)
  • 🧱 New Go typesA2AAgentCard, A2AAuthPosture, A2AVuln, A2AScanResult, A2AAttackResult, A2AAttackReport in internal/offsecai/types.go
  • ⚙️ Executor methodsRunA2AScan and RunA2AAttack in internal/offsecai/executor.go; supports --port, --header, --llm-judge, --mode safe|deep
  • 🗺️ Mapper functionsA2AScanToFindings and A2AAttackToFindings in internal/offsecai/mapper.go
  • 🔌 Plugin routingModuleA2AScan / ModuleA2AAttack constants wired into the offsec-ai plugin scanner and attacker; a2a-attack registered as requiring authorization
  • 🎛️ OrchestratorRunOffsecScan and RunOffsecAttack dispatch "a2a-scan" / "a2a-attack" cases; opts keys: "headers" (map[string]string), "port" (int)
  • 📋 Advisory coverage: OFFSEC-A2A-AUTH-001 (no securitySchemes), OFFSEC-A2A-AUTH-003 (unauthenticated task), OFFSEC-A2A-INT-001 (unsigned card), OFFSEC-A2A-SEC-001 (secrets in card), OFFSEC-A2A-SKILL-001 (dangerous keywords), OFFSEC-A2A-SSRF-001 (push webhook), OFFSEC-A2A-TLS-001 (plaintext HTTP), OFFSEC-A2A-EXT-001 (extended card without auth), and more

v2.1.0 — Production Hardening

  • 🔐 Plugin signature enforcementconfigs/trusted-authors.yaml is now wired by default. Previously the signature path was empty (""), causing every plugin load to fail with "untrusted author". All three bundled plugins load and verify correctly.
  • 🗺️ Scope enforcement — new internal/agent/scope.go implements CIDR, wildcard-domain, explicit-URL, and exclusion matching against configs/scope.yaml. ExecuteScan and ExecuteAttack both validate the target before sending any network probe.
  • 🔒 Secure REPL history — command history is now written to ~/.cache/sunstrike/history (mode 0700) instead of world-readable /tmp/sunstrike-history.tmp.
  • ⚙️ Configurable auto-approveINVOKE_SUNSTRIKE_AUTO_APPROVE controls the attack approval gate (none / low / medium / high / critical). Default remains low.
  • 🧹 Linter clean — all seven InsecureSkipVerify: true usages in the orchestrator are annotated with //nolint:gosec // intentional for security probing.
  • 🛡️ offsec-ai plugin graceful exit — replaced panic() with fmt.Fprintf(os.Stderr) + os.Exit(1), eliminating confusing RPC framework crash messages.
  • Live E2E tests auto-skipskipIfNoOffsecAI now probes the binary with --version to catch pyenv shim mismatches; tests skip cleanly instead of failing with exit code 127.
  • 🔧 trusted-authors.yaml cleaned — removed stray authors: "" entry that could break key lookup.
  • 🚀 GitHub Actions CI.github/workflows/ci.yml runs go vet, go build, race-detector unit tests, short-mode E2E, and golangci-lint on every push and PR.

v2.0.0 — Invoke-Sunstrike

Project rebrand: simple-exploitinvoke-sunstrike

v2.0.0 marks the formal release of Invoke-Sunstrike as a standalone, versioned security framework. The codebase has been fully rebranded under the github.com/htunn/invoke-sunstrike module path with a stable public API, a complete E2E test suite against live targets, and verified plugin signatures across all bundled modules.

Breaking changes:

  • Module path renamed: github.com/htunn/simple-exploitgithub.com/htunn/invoke-sunstrike
  • Binary renamed: exploitsunstrike
  • All plugin manifests re-signed under the invoke-sunstrike Ed25519 author key
  • plugins/auth-attack/manifest.yaml, plugins/kubernetes/manifest.yaml, plugins/llm-attack/manifest.yamlauthor field standardized to invoke-sunstrike

New in v2.0.0:

  • Comprehensive E2E test suite (tests/e2e/live_features_e2e_test.go) — 20 live-target tests covering all eight feature layers: Gemini LLM API (SendMessage, GetAIGuidance, AnalyzeResponse, ModelSwitch), LLM factory, WAF detection, orchestrator scan, reporter, rate limiter, plugin loader, MCP endpoint, and Docker/Kali container
  • All bundled plugins re-signed with a unified author key; plugin loader now rejects any manifest whose author does not appear in configs/trusted-authors.yaml
  • offsec-ai pyenv prerequisite documented; E2E pre-condition guidance added to README
  • README rewritten in professional security-tool style

v1.0.6

  • 🧠 Anthropic Claude AI engineclaude-opus-4-5 (default), claude-sonnet-4-5, claude-haiku-4-5, or any Claude model; pure stdlib, no new Go dependencies; export ANTHROPIC_API_KEY=<key> and export INVOKE_SUNSTRIKE_ENGINE=claude
  • 🏭 LLM provider factory (internal/llm) — centralised llm.New(engine) and llm.Providers() for clean engine construction across the codebase
  • 🔀 Runtime Claude switchingmodel claude [model] swaps the engine mid-session like any other backend
  • 🔑 Env var support: ANTHROPIC_API_KEY, CLAUDE_MODEL; missing key surfaces a clear error with setup instructions
  • 35 new passing tests across internal/claude (19) and internal/llm (16)

v1.0.5

  • 🐉 Kali Linux container executorkali attack, kali ai, kali exec, kali start/stop/setup commands spin up kalilinux/kali-rolling via Docker and run real pentest tools inside an isolated container driven by the active AI engine
  • Google Gemini AI enginegemini-2.5-flash (default) and gemini-2.5-pro supported; switchable at runtime with model gemini; thinking-budget control for Gemini 2.5+ models
  • 🚀 Advanced Kali mode (kali attack --advanced) — installs the full Kali toolset (nmap, nikto, sqlmap, gobuster, ffuf, hydra, sslscan, wafw00f, dnsrecon, fierce, hashcat) before attacking
  • 🐳 Docker is now required for kali subcommands; all other features remain Docker-free

v1.0.4

  • 🦙 Ollama / Gemma4 AI engine — run fully offline with gemma4:e4b, llama3.1, deepseek-r1, or any Ollama model as the AI reasoning backend
  • 🔀 Runtime engine switchingmodel ollama [tag] / model github [model] swaps the AI engine mid-session without restart
  • 🧠 OWASP LLM Top 10 (2025) plugin (llm-attack) — full active test suite covering LLM01–LLM10 against OpenAI, Anthropic, Ollama, Vertex AI, Hugging Face, and vector DBs (Weaviate, Qdrant, Chroma, Pinecone)
  • 🔬 Gemma4-specific probes — thinking-chain token extraction and fake thinking-chain injection attacks
  • 📉 Compact AI prompts — scan summaries instead of full JSON blobs; 5-minute timeout for local CPU inference
  • 🛡️ Input guardmodel /ollama typo no longer corrupts the active GitHub Models client

v1.0.2

  • 🔐 New plugin: auth-attack — OAuth2/OIDC/PKCE/SAML/JWT attack suite covering 14 CVEs across Keycloak, Auth0, Okta, Azure AD/ADFS, and PingFederate
  • 🧹 gofmt 100% — zero formatting violations across all source files
  • 📉 gocyclo 100% — all functions refactored to cyclomatic complexity ≤ 15 (12+ functions fixed)
  • 🔧 Added make build-plugin-auth-attack, make test-plugin-auth-attack, make sign-plugin-auth-attack targets
  • ✅ 31 new passing tests in plugins/auth-attack

v1.0.1 (2026-02-06)

  • ✨ Migrated from Copilot SDK to direct GitHub Models API integration
  • 🔄 Added automatic retry logic with exponential backoff for rate limits
  • 🎨 Added configurable AI model selection (model command)
  • 🧠 Improved AI analysis - now uses full scan/attack data instead of templates
  • 🔍 Added intelligent endpoint pattern recognition (auth, API, admin, file ops)
  • 📊 Enhanced analysis with technology stack identification
  • 🎯 Increased AI token limits (4000 → 8000) for detailed analysis
  • 🛠️ Fixed API parameter naming (max_tokens → max_completion_tokens)
  • ⚡ REPL-only mode - simplified architecture, removed unused CLI commands
  • 🔧 Updated default endpoint to https://models.github.ai/inference
  • 📝 Improved help documentation and command examples

v1.0.0

  • Initial release with Copilot SDK integration

Contributing

See CONTRIBUTING.md for branch conventions, test coverage requirements, and the plugin signing workflow. All pull requests must pass go vet ./..., gofmt -l ., and the full unit test suite before review.

License

MIT License - see LICENSE file.

Disclaimer

This tool is provided for authorized security testing and research purposes only. Use against systems without explicit written authorization is illegal under the Computer Fraud and Abuse Act (CFAA), Computer Misuse Act, and equivalent statutes in other jurisdictions. The authors accept no liability for unauthorized or unlawful use.

References

About

AI-powered penetration testing framework with dual AI-engine support: GitHub Models (GPT-4o / GPT-5) and Ollama (Gemma4, Llama 3, local)

Topics

Resources

License

Contributing

Stars

7 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors

Languages