___ _ ___ _____ _ _____
|_ _| \| \ \ / / _ \| |/ / __|
| || .`| |\ V / (_) | ' <| _|
|___|_|\_ | \_/ \___/|_|\_\___|
___ _ _ _ _ ___ _____ ___ ___ _ _____
/ __| | | | \| / __|_ _| _ \_ _| |/ / __|
\__ \ |_| | .`\__ \ | | | /| || ' <| _|
|___/\___/|_|\_|___/ |_| |_|_\___|_|\_\___| ⚡ AI-Powered Pentesting
Invoke-Sunstrike is an AI-orchestrated penetration testing framework for authorized engagements. It exposes a persistent REPL with four interchangeable AI backends — GitHub Models (GPT-4o/GPT-5), Ollama (Gemma4/Llama 3, local/offline), Google Gemini (gemini-2.5-flash), and Anthropic Claude (claude-opus-4-5) — and a signed plugin architecture for modular exploit delivery across web, API, identity, Kubernetes, and LLM attack surfaces.
THIS TOOL IS FOR AUTHORIZED SECURITY TESTING ONLY
By using this tool, you acknowledge that:
- You have EXPLICIT WRITTEN PERMISSION to test target systems
- Unauthorized access to computer systems is ILLEGAL (CFAA, Computer Misuse Act, etc.)
- You assume ALL LEGAL RESPONSIBILITY for your actions
- The authors are NOT LIABLE for misuse of this tool
Violation of computer fraud laws may result in criminal prosecution, civil liability, and imprisonment.
- Interactive REPL: Persistent session with command history, tab completion, and inline AI co-pilot
- Four AI Backends: GitHub Models (GPT-4o/GPT-5), Ollama (Gemma4/Llama 3, fully local/offline), Google Gemini (gemini-2.5-flash), and Anthropic Claude (claude-opus-4-5). All backends share a common interface and are switchable at runtime via
model <engine>— no restart required. - Kali Linux Container:
kali attack <fqdn>provisionskalilinux/kali-rollingvia Docker and orchestrates a full AI-driven pentest (RECON → PLAN → ATTACK → SUMMARY). Requires Docker. - WAF Bypass Engine: Active fingerprinting with adaptive evasion against Cloudflare, ModSecurity, Akamai, and Imperva.
- Context-Aware Analysis: AI receives full scan output — endpoint inventory, HTTP responses, and stack fingerprints — not pre-written templates.
- Human-in-the-Loop Approval: Mandatory confirmation gate before any active or destructive operation. Auto-approve level is configurable via
INVOKE_SUNSTRIKE_AUTO_APPROVE. - Adaptive Rate Limiting: Token bucket with circuit breaker; automatic exponential backoff (2s / 4s / 8s) on 429 responses.
- Signed Plugin Architecture: Ed25519-signed modules loaded over gRPC (HashiCorp go-plugin). Bundled plugins:
auth-attack,kubernetes,llm-attack. - Scope Enforcement: YAML-driven allowlist (CIDR ranges, wildcard domains, explicit URLs, exclusions) — unauthorized targets are rejected before any probe is sent.
- Secure History: REPL command history written to
~/.cache/sunstrike/history(mode0700) — never world-readable. - Structured Reporting: JSON event stream fed into the reporter pipeline with HTML report generation.
- CI/CD Pipeline: GitHub Actions workflow runs
go vet, race-detector unit tests, short-mode E2E, andgolangci-linton every push and PR. A.golangci.yml(v2 format) is included — errcheck exclusions for idiomaticdefer Close()patterns, staticcheck enabled, andunuseddisabled for pending-feature code.
- Web Applications: SQL injection, XSS, CSRF, XXE, SSRF, LFI/RFI, template injection
- REST APIs: GraphQL introspection, JWT manipulation, OAuth flow testing, mass assignment
- Active Directory: Kerberos attacks, NTLM relay, golden/silver tickets, DCSync
- ADFS: Token manipulation, endpoint enumeration, federation vulnerabilities
- Authentication: Brute force, password spray, session hijacking, MFA bypass
- Authorization: IDOR, privilege escalation, horizontal/vertical bypass
- OAuth2 / OIDC: PKCE downgrade, token leakage, state parameter bypass, implicit flow abuse
- SAML: Signature wrapping, XML injection, assertion replay, broker bypass
- Kubernetes: API server exposure, RBAC misconfiguration, container escape, SSRF, etcd leakage
- LLM / AI APIs: Full OWASP LLM Top 10 (2025) — prompt injection, sensitive data disclosure, supply-chain attacks, model poisoning, excessive agency, system-prompt leakage, vector/embedding weaknesses, misinformation, and unbounded consumption
- A2A Agents: A2A (Agent-to-Agent) protocol security — Agent Card analysis, unauthenticated task execution, dangerous skill detection, secret scanning, SSRF via push-notification webhooks, auth bypass, message injection, task enumeration, JSON-RPC manipulation
# Clone repository
git clone https://github.com/htunn/invoke-sunstrike.git
cd invoke-sunstrike
# Build
go build -o sunstrike cmd/sunstrike/main.go
# Install globally (optional)
sudo mv sunstrike /usr/local/bin/go install github.com/htunn/invoke-sunstrike/cmd/sunstrike@latestDownload pre-compiled binaries from GitHub Releases.
Option A — GitHub Models (cloud, default):
- GitHub personal access token from https://github.com/settings/tokens
- GitHub Models access (included with Copilot subscription or free tier)
Option B — Ollama (local, no token needed):
- Install Ollama: https://ollama.com/download
- Pull a model:
ollama pull gemma4:e4b(orllama3.1,deepseek-r1, etc.) - Start the server:
ollama serve
Option C — Google Gemini (cloud):
- Get an API key from https://aistudio.google.com/app/apikey
export GEMINI_API_KEY=<your-key>andexport INVOKE_SUNSTRIKE_ENGINE=gemini
Option D — Anthropic Claude (cloud):
- Get an API key from https://console.anthropic.com/
export ANTHROPIC_API_KEY=<your-key>andexport INVOKE_SUNSTRIKE_ENGINE=claude
Docker (required for kali commands / advanced mode):
- macOS / Windows: Docker Desktop 24+
- Linux: Docker Engine 24+
- The
kali attack,kali start,kali exec,kali aicommands spin up akalilinux/kali-rollingcontainer automatically. All other features work without Docker.
offsec-ai integration (required for offsec commands):
offsec-ai is a Python 3.12 package. The REPL and the E2E test suite both resolve it as a subprocess via PATH. The binary is only present in the Python version it was installed under, so the shell must have the correct pyenv version active.
# Install Python 3.12 via pyenv (skip if already installed)
pyenv install 3.12.0
# Activate for the current shell session
pyenv shell 3.12.0
# Install the package
pip install offsec-ai
# Verify
offsec-ai --versionE2E test note:
TestOffsecAILive_Scan_PortScanandTestOffsecAILive_MCPScan_ViaExecutorwill fail with exit code 127 if the active Python runtime does not includeoffsec-ai. Runpyenv shell 3.12.0before executing the E2E suite:pyenv shell 3.12.0 INVOKE_SUNSTRIKE_ENGINE=gemini go test -timeout 20m -run 'TestLiveE2E|TestOffsecAILive|TestE2E' ./tests/e2e/...
The tool runs in REPL-only mode with integrated AI assistance.
export GITHUB_TOKEN="github_pat_xxxxxxxxxxxxx"
# or
export COPILOT_GITHUB_TOKEN="github_pat_xxxxxxxxxxxxx"
./sunstrike# Start Ollama with Gemma4
ollama serve
# (in another tab, or background)
export INVOKE_SUNSTRIKE_ENGINE=ollama # use Ollama from startup
./sunstrike
# Optionally override the default URL and model:
export OLLAMA_BASE_URL=http://localhost:11434
export OLLAMA_MODEL=gemma4:e4bexport GEMINI_API_KEY="<your-key>"
export INVOKE_SUNSTRIKE_ENGINE=gemini # optional: also switchable at runtime
./sunstrikeThe default Gemini model is gemini-2.5-flash. Override with export GEMINI_MODEL=gemini-2.5-pro.
export ANTHROPIC_API_KEY="sk-ant-..."
export INVOKE_SUNSTRIKE_ENGINE=claude # optional: also switchable at runtime
./sunstrikeThe default Claude model is claude-opus-4-5. Override with export CLAUDE_MODEL=claude-sonnet-4-5.
⚡ sunstrike> target https://example.com
✅ Target set to: https://example.com
# ── AI Engine / Model Selection ──────────────────────────────────
⚡ sunstrike> model ollama # switch to Ollama (default: gemma4:e4b)
⚡ sunstrike> model ollama gemma4:e4b # switch to Ollama with explicit tag
⚡ sunstrike> model ollama llama3.1:8b # any model available in your Ollama
⚡ sunstrike> model github # switch back to GitHub Models (gpt-4o)
⚡ sunstrike> model github gpt-4o # explicit model
⚡ sunstrike> model gemini # switch to Google Gemini (gemini-2.5-flash)
⚡ sunstrike> model claude # switch to Anthropic Claude (claude-opus-4-5)
⚡ sunstrike> model claude claude-sonnet-4-5 # switch with explicit model
⚡ sunstrike> show model # display current engine + model
# ── Scanning ─────────────────────────────────────────────────────
⚡ sunstrike> scan
🔧 Initializing orchestrator...
🎯 Starting scan on: https://example.com
...
🤖 Analyzing results with AI (gemma4:e4b)...
📋 AI Security Analysis:
[Detailed analysis powered by your chosen AI engine]
# ── AI Questions ─────────────────────────────────────────────────
⚡ sunstrike> ask how to bypass cloudflare waf?
⚡ sunstrike> bypass ModSecurity
⚡ sunstrike> ? test for IDOR
# ── Attacking ────────────────────────────────────────────────────
⚡ sunstrike> attack sqli
⚔️ Execute sqli attack on https://example.com? [y/N]: y
...
# ── Kali Linux Container (Docker required) ───────────────────────
⚡ sunstrike> kali start # pull & start kalilinux/kali-rolling
⚡ sunstrike> kali setup # install nmap, nikto, sqlmap, hydra…
⚡ sunstrike> kali exec nmap -sV example.com # run any Kali tool directly
⚡ sunstrike> kali ai "enumerate subdomains of example.com" # AI picks & runs commands
⚡ sunstrike> kali attack example.com # full automated AI pentest
⚡ sunstrike> kali attack example.com --advanced # full toolset (3-8 min install on first run)
⚡ sunstrike> kali stop # remove the container
⚡ sunstrike> exitTarget Management:
target <url>- Set the target URLshow target- Display current target
AI Engine / Model Selection:
model ollama- Switch to Ollama (default: gemma4:e4b)model ollama <tag>- Switch to Ollama with a specific model tagmodel github- Switch to GitHub Models (default: gpt-4o)model github <name>- Switch to GitHub Models with a specific modelmodel gemini- Switch to Google Gemini (default: gemini-2.5-flash)model gemini <name>- Switch to Gemini with a specific modelmodel claude- Switch to Anthropic Claude (default: claude-opus-4-5)model claude <name>- Switch to Claude with a specific modelmodel <tag>- Change the model tag on the current engineshow model- Display current engine and model
Scanning & Attacks:
scan [url]- Scan target for vulnerabilitiesscan llm-attack <url>- OWASP LLM Top 10 scan of an LLM API or AI appscan kubernetes <ip>- Kubernetes cluster reconnaissanceattack [type]- Execute attack with confirmationanalyze scan|attack- Get AI analysis of resultsshow scan|attack- Display raw results
AI Assistance:
ask <question>- Ask AI security questionsbypass <waf-type>- Get WAF bypass techniques? <question>- Quick ask (alias)
Kali Linux Container (Docker required):
kali start- Pullkalilinux/kali-rollingand start the containerkali setup- Install common tools (nmap, nikto, sqlmap, hydra…)kali exec <cmd>- Run a raw shell command inside Kalikali ai <goal>- AI-guided exploit: LLM picks and runs the commandskali attack <fqdn>- Fully automated AI-driven pentestkali attack <fqdn> --advanced- Same but installs the full Kali toolset firstkali stop- Stop and remove the Kali container
Utilities:
history- Show command historyclear- Clear screenhelp- Show helpexit|quit- Exit REPL
Configuration files live in the configs/ directory relative to the working directory where sunstrike is run (typically the repository root):
| File | Purpose |
|---|---|
configs/trusted-authors.yaml |
Ed25519 public keys for allowed plugin authors — plugins signed by any other author are rejected |
configs/pre-approval.yaml |
Target and exploit category pairs that bypass interactive approval |
configs/limits.yaml |
Global and per-target rate limits, concurrency, and circuit-breaker settings |
configs/scope.yaml |
Required for production — authorised IP ranges (CIDR), wildcard domains, explicit URLs, and exclusions |
configs/offsecai.yaml |
offsec-ai integration settings (binary path, timeout, LLM judge) |
Edit configs/scope.yaml before running in any shared or production environment:
# configs/scope.yaml
ip_ranges:
- "10.0.0.0/8"
- "192.168.1.0/24"
domains:
- "*.test.example.com"
- "api.example.com"
urls:
- "https://staging.example.com"
exclusions:
- "192.168.1.1" # gateway - never test
- "prod.example.com"When scope.yaml contains entries, any scan or attack against an unlisted target is rejected before sending a single packet. An empty file (the default) allows all targets — suitable for isolated lab environments only.
Control how much human confirmation is required for attacks:
export INVOKE_SUNSTRIKE_AUTO_APPROVE=none # every attack requires manual y/N (safest)
export INVOKE_SUNSTRIKE_AUTO_APPROVE=low # low-risk attacks auto-approved (default)
export INVOKE_SUNSTRIKE_AUTO_APPROVE=medium # low + medium auto-approved
export INVOKE_SUNSTRIKE_AUTO_APPROVE=high # all except critical auto-approved
export INVOKE_SUNSTRIKE_AUTO_APPROVE=critical # nothing requires confirmation (dangerous)Create custom exploit modules using the plugin interface:
package main
import (
"context"
"github.com/htunn/invoke-sunstrike/pkg/pluginkit"
"github.com/hashicorp/go-plugin"
)
type MyExploit struct{}
func (e *MyExploit) Name() string {
return "my-exploit"
}
func (e *MyExploit) Metadata() pluginkit.ExploitMetadata {
return pluginkit.ExploitMetadata{
Name: "My Exploit",
Category: pluginkit.CategoryWeb,
RiskLevel: pluginkit.RiskLevelMedium,
}
}
func (e *MyExploit) Validate(target pluginkit.Target) error {
return nil
}
func (e *MyExploit) Execute(ctx context.Context, target pluginkit.Target) (pluginkit.Result, error) {
// Exploit implementation
return pluginkit.Result{Success: true}, nil
}
func main() {
plugin.Serve(&plugin.ServeConfig{
HandshakeConfig: pluginkit.HandshakeConfig,
Plugins: map[string]plugin.Plugin{
"exploit": &pluginkit.ExploitPlugin{Impl: &MyExploit{}},
},
})
}cmd/sunstrike/ # REPL entry point
internal/
├── agent/ # Vulnerability scanner orchestration
├── approval/ # Interactive approval workflow
├── bypass/ # WAF detection & bypass strategies
├── claude/ # Anthropic Claude AI client
├── cmd/ # REPL command handlers
├── copilot/ # LLMBackend interface + GitHub Models client
├── docker/ # Kali Linux Docker executor (requires Docker)
├── gemini/ # Google Gemini AI client
├── llm/ # Provider factory (llm.New / llm.Providers)
├── ollama/ # Ollama / Gemma4 local AI client
├── ratelimit/ # Rate limiting & concurrency control
└── reporter/ # Structured reporting
pkg/
└── pluginkit/ # Plugin interface
plugins/
├── auth-attack/ # OAuth2/OIDC/SAML/JWT attack suite
├── kubernetes/ # Kubernetes cluster attack suite
└── llm-attack/ # OWASP LLM Top 10 (2025) attack suite
configs/ # Configuration files
Tests identity providers for authentication and token security vulnerabilities.
Supported IdP targets: Keycloak · Auth0 · Okta · Azure AD / ADFS · PingFederate
CVE coverage:
| CVE | Description |
|---|---|
| CVE-2015-9235 | JWT alg:none / weak secret brute-force |
| CVE-2016-5431 | OAuth2 implicit flow token leakage |
| CVE-2022-29361 | PKCE code verifier downgrade |
| CVE-2020-7692 | PKCE code_challenge_method=plain acceptance |
| CVE-2019-3778 | Open redirect in OAuth2 redirect_uri |
| CVE-2023-6927 | Keycloak open redirect |
| CVE-2021-27582 | Keycloak consent bypass |
| CVE-2023-4784 | Keycloak OIDC token injection |
| CVE-2023-0264 | Keycloak error body injection |
| CVE-2021-36949 | Azure AD MFA bypass |
| CVE-2017-11427 / CVE-2017-11428 | SAML XML signature wrapping |
| CVE-2021-28550 | SAML assertion replay |
| CVE-2017-6370 | SAML comment injection |
| CVE-2018-0489 | Shibboleth SAML XML injection |
Attack categories and REPL usage:
# Scanner — passive enumeration of OAuth/OIDC endpoints and IdP fingerprinting
scan auth-attack https://login.example.com
# Attack — active exploitation of discovered vulnerabilities
attack auth-attack https://login.example.comBuild, test, and sign:
make build-plugin-auth-attack
make test-plugin-auth-attack
make sign-plugin-auth-attackScans Kubernetes control-node IPs for misconfigurations and known CVEs.
Attack modules:
- Anonymous API server enumeration
- Kubelet unauthenticated read-only API (port 10255)
- etcd key enumeration
- CVE-2018-1002105 (privilege escalation)
- Nginx ingress CVE-2023-5043 (annotation injection)
- Service account token theft via path traversal
- SSRF to cloud metadata services (AWS/GCP/Azure IMDS)
- Container escape (privileged pods, hostPath mounts, hostNetwork)
- Gateway API endpoint discovery
Remediation engine:
- Automatic detection of dangerous pod configurations
- Over-privileged ClusterRoleBindings
- Nginx snippet annotation injection risks
# Inside REPL
scan kubernetes <control-node-ip>
attack kubernetes <control-node-ip>make build-plugin
make test-plugin
make sign-pluginScans and actively tests LLM APIs and AI-integrated applications for all ten OWASP LLM security risks.
Supported targets: OpenAI · Anthropic · Ollama · Hugging Face · Vertex AI · ChatGPT · RAG pipelines · Vector DBs (Weaviate, Qdrant, Chroma, Pinecone) · Gemma4
OWASP LLM Top 10 (2025) coverage:
| ID | Risk | Attack modules |
|---|---|---|
| LLM01 | Prompt Injection | Direct injection, indirect injection via retrieved docs, system-prompt override, Gemma4 thinking-chain token injection |
| LLM02 | Sensitive Information Disclosure | Training-data extraction, credential leak probes, PII enumeration |
| LLM03 | Supply Chain | Model-card tampering detection, poisoned-model repository probes |
| LLM04 | Data and Model Poisoning | Fine-tune endpoint abuse, poisoned training-data submission |
| LLM05 | Improper Output Handling | XSS via LLM output, code-injection output probes |
| LLM06 | Excessive Agency | Tool-call abuse, over-permissioned plugin detection, autonomous action probes |
| LLM07 | System Prompt Leakage | Direct-ask extraction, inference via output-format manipulation |
| LLM08 | Vector and Embedding Weaknesses | Embedding manipulation, vector DB unauthenticated access, vector poisoning, embedding inversion |
| LLM09 | Misinformation | Hallucination confidence probing, fact-check bypass |
| LLM10 | Unbounded Consumption | Token flooding, repetitive query DoS, sponge attacks |
Gemma4-specific probes:
- Thinking-chain token extraction (
<|channel>thought/</think>leakage via JSON response) - Fake thinking-chain injection to influence reasoning
REPL usage:
# Scan — fingerprint LLM provider, enumerate models, discover vector DBs, check TLS
scan llm-attack http://localhost:11434 # local Ollama / Gemma4
scan llm-attack https://api.openai.com # OpenAI-compatible API
scan llm-attack https://your-ai-app.com # web app with embedded LLM
# With API key
scan llm-attack https://api.openai.com --token sk-...
# Attack — run full OWASP LLM Top 10 active test suite
attack llm-attack http://localhost:11434
attack llm-attack https://api.openai.com --token sk-...Build, test, and sign:
make build-plugin-llm-attack
make test-plugin-llm-attack
make sign-plugin-llm-attackInvoke-Sunstrike natively integrates with offsec-ai, a Python-based AI-driven security toolkit. The integration is direct (no plugin binary needed) — the REPL calls the offsec-ai CLI as a subprocess and streams structured JSON results back into the reporting pipeline.
Prerequisites:
pip install offsec-ai
# Verify installation
offsec-ai --versionSupported scan and attack modules:
| Command | Mode | Description |
|---|---|---|
offsec mcp-scan <url> |
Passive | MCP server security scan — enumerates tools, resources, prompts; checks auth and transport |
offsec mcp-attack <url> |
Active |
Active MCP attack — tool hijacking, prompt injection, resource enumeration |
offsec openclaw-scan <host> |
Passive | OpenClaw AI gateway passive scan — API key exposure, model access controls |
offsec openclaw-attack <host> |
Active |
Active OpenClaw attack — gateway bypass, model exfiltration |
offsec owasp-scan <domain> |
Passive | OWASP Web Top 10 passive scanner — injection, broken auth, misconfigurations |
offsec infra-scan <host> |
Passive | Infrastructure scan — open ports, TLS config, L7 fingerprint, hybrid-identity |
offsec auth-scan <url> |
Passive | Auth protocol passive scan — OIDC/OAuth2/SAML discovery and enumeration |
offsec auth-attack <url> |
Active |
Active auth attack — token abuse, PKCE downgrade, SAML injection |
offsec a2a-scan <url> |
Passive | A2A agent scan — Agent Card analysis, auth posture, dangerous skill detection, secret scanning, SSRF surface, 10 A2A advisories |
offsec a2a-attack <url> |
Active |
Active A2A attack — auth bypass, SSRF via webhook, message injection, task enumeration, JSON-RPC manipulation |
⚠️ Active modes require explicit authorization. The approval workflow will prompt before executing any attack.
REPL usage:
# Prerequisites: offsec-ai installed and in PATH
pip install offsec-ai
# Inside the REPL — passive scans (no explicit authorization needed)
⚡ sunstrike> offsec mcp-scan https://mcp.example.com
⚡ sunstrike> offsec openclaw-scan api.example.com
⚡ sunstrike> offsec owasp-scan https://app.example.com
⚡ sunstrike> offsec infra-scan 10.0.0.5
⚡ sunstrike> offsec auth-scan https://auth.example.com
⚡ sunstrike> offsec a2a-scan https://agent.example.com
⚡ sunstrike> offsec a2a-scan https://agent.example.com --port 8443
# Active attacks — approval required before execution
⚡ sunstrike> offsec mcp-attack https://mcp.example.com --mode deep
⚡ sunstrike> offsec openclaw-attack api.example.com --mode deep
⚡ sunstrike> offsec auth-attack https://auth.example.com
⚡ sunstrike> offsec a2a-attack https://agent.example.com
⚡ sunstrike> offsec a2a-attack https://agent.example.com --mode deepOptional LLM judge (for AI-graded severity):
# configs/offsecai.yaml
llm_judge: true
llm_provider: gemini # gemini | openai | anthropic
# Set the corresponding API key:
export GEMINI_API_KEY=<key> # for llm_provider: gemini
export OPENAI_API_KEY=<key> # for llm_provider: openai
export ANTHROPIC_API_KEY=<key> # for llm_provider: anthropicConfiguration (configs/offsecai.yaml):
binary_path: "offsec-ai" # path or name of the offsec-ai binary
timeout: 120s # max duration per invocation
llm_judge: false # enable AI-graded severity scoring
llm_provider: "gemini" # judge backend: gemini | openai | anthropicEnvironment variable overrides:
| Variable | Description |
|---|---|
OFFSECAI_BINARY |
Override binary_path |
OFFSECAI_LLM_PROVIDER |
Override llm_provider |
Run offsec-ai tests:
make test-offsecaiArchitecture: The integration lives in internal/offsecai/ (executor, config, mapper, types) and is invoked directly from handleOffsecCommand in the REPL — it does not go through the plugin loader. Results are mapped into pluginkit.Result structs and fed into the standard reporter pipeline.
The AI receives complete scan data and provides:
- Attack Surface Analysis: Identifies specific vulnerabilities from actual endpoints
- Technology-Specific Risks: Known CVEs and attack vectors for detected tech stack
- Endpoint Pattern Recognition: Auto-categorizes endpoints:
- 🔐 Authentication (login, oauth, token, session)
- 🔌 API endpoints (rest, graphql, api/)
- ⚙️ Admin/Management (admin, console, config)
- 📁 File operations (upload, download)
- Recommended Attack Vectors: Prioritized based on actual findings
- Exploitation Roadmap: Step-by-step recommendations with specific endpoints
For Failed Attacks:
- Why it failed (WAF, hardening, wrong vector)
- Alternative approaches and modified payloads
- Bypass techniques for detected security controls
- Prerequisite reconnaissance steps needed
For Successful Attacks:
- Impact assessment and compromised resources
- Evidence extraction and proof of exploitation
- Privilege escalation and lateral movement paths
- Remediation guidance and root cause analysis
Uses the GitHub Models API — no local GPU required.
| Model | Notes |
|---|---|
gpt-4o |
Default — fast, balanced |
openai/gpt-5 |
Latest reasoning model |
Authentication:
export GITHUB_TOKEN="github_pat_xxxxxxxxxxxxx"
# or
export COPILOT_GITHUB_TOKEN="github_pat_xxxxxxxxxxxxx"Features: direct HTTP (no SDK), automatic exponential-backoff retry, runtime model switching.
Runs entirely on your machine — no API key, no data sent to the cloud.
| Model | Notes |
|---|---|
gemma4:e4b |
Default — Google Gemma4 9.6 GB, strong reasoning |
llama3.1:8b |
Meta Llama 3.1 8B |
deepseek-r1:8b |
DeepSeek R1 reasoning model |
| Any Ollama tag | ollama list to see all installed models |
Setup:
# Install: https://ollama.com/download
ollama pull gemma4:e4b
ollama serve
# Start invoke-sunstrike with Ollama
export INVOKE_SUNSTRIKE_ENGINE=ollama
./sunstrike
# Optional overrides
export OLLAMA_BASE_URL=http://localhost:11434 # default
export OLLAMA_MODEL=gemma4:e4b # defaultSwitch engines at runtime (no restart needed):
⚡ sunstrike> model ollama gemma4:e4b # switch to Ollama
⚡ sunstrike> model github gpt-4o # switch to GitHub Models
⚡ sunstrike> model gemini # switch to Gemini
⚡ sunstrike> model claude # switch to Anthropic Claude
⚡ sunstrike> show model # current engine + modelUses the Google Generative Language API — no local GPU required.
| Model | Notes |
|---|---|
gemini-2.5-flash |
Default — fast, cost-efficient |
gemini-2.5-pro |
Higher-quality reasoning |
Authentication:
export GEMINI_API_KEY="<your-google-ai-key>"
export INVOKE_SUNSTRIKE_ENGINE=gemini # start with Gemini, or switch at runtime
# Optional model override
export GEMINI_MODEL=gemini-2.5-proGet your key from: https://aistudio.google.com/app/apikey
Features: direct REST API (no SDK), thinking-budget control for Gemini 2.5+ models, runtime model switching.
Uses the Anthropic Messages API — no local GPU required.
| Model | Notes |
|---|---|
claude-opus-4-5 |
Default — most capable, complex reasoning |
claude-sonnet-4-5 |
Balanced speed and capability |
claude-haiku-4-5 |
Fastest, cost-efficient |
Authentication:
export ANTHROPIC_API_KEY="sk-ant-..."
export INVOKE_SUNSTRIKE_ENGINE=claude # start with Claude, or switch at runtime
# Optional model override
export CLAUDE_MODEL=claude-sonnet-4-5Get your key from: https://console.anthropic.com/
Features: direct REST API (no SDK), pure stdlib (no extra Go dependencies), runtime model switching.
The kali commands run pentest tools inside an isolated kalilinux/kali-rolling Docker container driven by your active AI engine. Docker must be running — the image is pulled automatically on first use.
| Command | Description |
|---|---|
kali start |
Pull image and start container |
kali setup |
Install nmap, nikto, sqlmap, hydra, gobuster… |
kali exec <cmd> |
Run any shell command inside Kali |
kali ai <goal> |
AI generates and executes a command sequence |
kali attack <fqdn> |
Fully automated AI pentest (RECON → PLAN → ATTACK → SUMMARY) |
kali attack <fqdn> --advanced |
Same + full Kali toolset pre-installed |
kali stop |
Remove the container |
Prerequisites: Docker Desktop 24+ (macOS/Windows) or Docker Engine 24+ (Linux).
# Ensure Docker is running
docker info
# Then inside the REPL
⚡ sunstrike> model gemini # or ollama / github
⚡ sunstrike> kali attack target.example.comgo build -o sunstrike ./cmd/sunstrike/| Scope | Command |
|---|---|
| All packages (short mode, race detector) | go test -short -race ./... |
| Full unit suite | make test-unit |
| Regression (full, with race) | make test-regression |
| Plugin unit tests | make test-plugin-auth-attack · make test-plugin-kubernetes · make test-plugin-llm-attack |
| offsec-ai integration | make test-offsecai |
E2E — skips live tests when offsec-ai absent |
go test -short ./tests/e2e/... |
| E2E — full live targets | INVOKE_SUNSTRIKE_ENGINE=gemini go test -timeout 20m ./tests/e2e/... |
E2E pre-conditions for live offsec-ai tests: GEMINI_API_KEY exported; Docker daemon running; correct Python version active (pyenv shell 3.12.0) with offsec-ai installed.
The CI pipeline runs
go test -short -race ./...automatically on every push and pull request.
Plugin binaries must be signed with an Ed25519 key before the loader will accept them. The signing tool generates or reuses a keypair at ~/.exploit/keys/<author>.key and writes the hex signature into manifest.yaml.
make sign-plugin-auth-attack
make sign-plugin-kubernetes
make sign-plugin-llm-attackgo vet ./...
gofmt -l .
golangci-lint run # full linter suite (mirrors CI)- 🤝 A2A scanner (
offsec a2a-scan) — fetches the Agent Card at/.well-known/agent-card.json, parses declared skills/capabilities/security schemes, and runs static analysis against 10 A2A security advisories (A2A-ADV-2025-001 through -010) - ⚔️ A2A attacker (
offsec a2a-attack) — authorized red-team module with safe mode (auth-bypass probes: no auth header, null Bearer, invalid JWT,X-Forwarded-Forspoof, JWT alg=none) and deep mode (adds SSRF via push-notification webhook,SendMessageinjection, sequential task ID enumeration, JSON-RPC manipulation) - 🔑 Auth posture check — sends an unauthenticated
SendMessageJSON-RPC probe to detect open task endpoints; mapssecuritySchemesto OAuth2/OIDC/Bearer/mTLS/apiKey/none - 💀 Dangerous skill detection — flags skills whose descriptions contain shell execution keywords (
exec,bash,eval,kubectl,docker run, etc.) — CRITICAL severity - 🔑 Secret scanning — regex scan of the Agent Card JSON for leaked API keys, tokens, and credentials (OpenAI
sk-, AWSAKIA, GitHubghp_, Slack, etc.) - 🧱 New Go types —
A2AAgentCard,A2AAuthPosture,A2AVuln,A2AScanResult,A2AAttackResult,A2AAttackReportininternal/offsecai/types.go - ⚙️ Executor methods —
RunA2AScanandRunA2AAttackininternal/offsecai/executor.go; supports--port,--header,--llm-judge,--mode safe|deep - 🗺️ Mapper functions —
A2AScanToFindingsandA2AAttackToFindingsininternal/offsecai/mapper.go - 🔌 Plugin routing —
ModuleA2AScan/ModuleA2AAttackconstants wired into theoffsec-aiplugin scanner and attacker;a2a-attackregistered as requiring authorization - 🎛️ Orchestrator —
RunOffsecScanandRunOffsecAttackdispatch"a2a-scan"/"a2a-attack"cases; opts keys:"headers"(map[string]string),"port"(int) - 📋 Advisory coverage: OFFSEC-A2A-AUTH-001 (no securitySchemes), OFFSEC-A2A-AUTH-003 (unauthenticated task), OFFSEC-A2A-INT-001 (unsigned card), OFFSEC-A2A-SEC-001 (secrets in card), OFFSEC-A2A-SKILL-001 (dangerous keywords), OFFSEC-A2A-SSRF-001 (push webhook), OFFSEC-A2A-TLS-001 (plaintext HTTP), OFFSEC-A2A-EXT-001 (extended card without auth), and more
- 🔐 Plugin signature enforcement —
configs/trusted-authors.yamlis now wired by default. Previously the signature path was empty (""), causing every plugin load to fail with "untrusted author". All three bundled plugins load and verify correctly. - 🗺️ Scope enforcement — new
internal/agent/scope.goimplements CIDR, wildcard-domain, explicit-URL, and exclusion matching againstconfigs/scope.yaml.ExecuteScanandExecuteAttackboth validate the target before sending any network probe. - 🔒 Secure REPL history — command history is now written to
~/.cache/sunstrike/history(mode0700) instead of world-readable/tmp/sunstrike-history.tmp. - ⚙️ Configurable auto-approve —
INVOKE_SUNSTRIKE_AUTO_APPROVEcontrols the attack approval gate (none/low/medium/high/critical). Default remainslow. - 🧹 Linter clean — all seven
InsecureSkipVerify: trueusages in the orchestrator are annotated with//nolint:gosec // intentional for security probing. - 🛡️ offsec-ai plugin graceful exit — replaced
panic()withfmt.Fprintf(os.Stderr) + os.Exit(1), eliminating confusing RPC framework crash messages. - ✅ Live E2E tests auto-skip —
skipIfNoOffsecAInow probes the binary with--versionto catch pyenv shim mismatches; tests skip cleanly instead of failing with exit code 127. - 🔧 trusted-authors.yaml cleaned — removed stray
authors: ""entry that could break key lookup. - 🚀 GitHub Actions CI —
.github/workflows/ci.ymlrunsgo vet,go build, race-detector unit tests, short-mode E2E, andgolangci-linton every push and PR.
Project rebrand: simple-exploit → invoke-sunstrike
v2.0.0 marks the formal release of Invoke-Sunstrike as a standalone, versioned security framework. The codebase has been fully rebranded under the github.com/htunn/invoke-sunstrike module path with a stable public API, a complete E2E test suite against live targets, and verified plugin signatures across all bundled modules.
Breaking changes:
- Module path renamed:
github.com/htunn/simple-exploit→github.com/htunn/invoke-sunstrike - Binary renamed:
exploit→sunstrike - All plugin manifests re-signed under the
invoke-sunstrikeEd25519 author key plugins/auth-attack/manifest.yaml,plugins/kubernetes/manifest.yaml,plugins/llm-attack/manifest.yaml—authorfield standardized toinvoke-sunstrike
New in v2.0.0:
- Comprehensive E2E test suite (
tests/e2e/live_features_e2e_test.go) — 20 live-target tests covering all eight feature layers: Gemini LLM API (SendMessage, GetAIGuidance, AnalyzeResponse, ModelSwitch), LLM factory, WAF detection, orchestrator scan, reporter, rate limiter, plugin loader, MCP endpoint, and Docker/Kali container - All bundled plugins re-signed with a unified author key; plugin loader now rejects any manifest whose author does not appear in
configs/trusted-authors.yaml offsec-aipyenv prerequisite documented; E2E pre-condition guidance added to README- README rewritten in professional security-tool style
- 🧠 Anthropic Claude AI engine —
claude-opus-4-5(default),claude-sonnet-4-5,claude-haiku-4-5, or any Claude model; pure stdlib, no new Go dependencies;export ANTHROPIC_API_KEY=<key>andexport INVOKE_SUNSTRIKE_ENGINE=claude - 🏭 LLM provider factory (
internal/llm) — centralisedllm.New(engine)andllm.Providers()for clean engine construction across the codebase - 🔀 Runtime Claude switching —
model claude [model]swaps the engine mid-session like any other backend - 🔑 Env var support:
ANTHROPIC_API_KEY,CLAUDE_MODEL; missing key surfaces a clear error with setup instructions - ✅ 35 new passing tests across
internal/claude(19) andinternal/llm(16)
- 🐉 Kali Linux container executor —
kali attack,kali ai,kali exec,kali start/stop/setupcommands spin upkalilinux/kali-rollingvia Docker and run real pentest tools inside an isolated container driven by the active AI engine - ✨ Google Gemini AI engine —
gemini-2.5-flash(default) andgemini-2.5-prosupported; switchable at runtime withmodel gemini; thinking-budget control for Gemini 2.5+ models - 🚀 Advanced Kali mode (
kali attack --advanced) — installs the full Kali toolset (nmap, nikto, sqlmap, gobuster, ffuf, hydra, sslscan, wafw00f, dnsrecon, fierce, hashcat) before attacking - 🐳 Docker is now required for
kalisubcommands; all other features remain Docker-free
- 🦙 Ollama / Gemma4 AI engine — run fully offline with
gemma4:e4b,llama3.1,deepseek-r1, or any Ollama model as the AI reasoning backend - 🔀 Runtime engine switching —
model ollama [tag]/model github [model]swaps the AI engine mid-session without restart - 🧠 OWASP LLM Top 10 (2025) plugin (
llm-attack) — full active test suite covering LLM01–LLM10 against OpenAI, Anthropic, Ollama, Vertex AI, Hugging Face, and vector DBs (Weaviate, Qdrant, Chroma, Pinecone) - 🔬 Gemma4-specific probes — thinking-chain token extraction and fake thinking-chain injection attacks
- 📉 Compact AI prompts — scan summaries instead of full JSON blobs; 5-minute timeout for local CPU inference
- 🛡️ Input guard —
model /ollamatypo no longer corrupts the active GitHub Models client
- 🔐 New plugin:
auth-attack— OAuth2/OIDC/PKCE/SAML/JWT attack suite covering 14 CVEs across Keycloak, Auth0, Okta, Azure AD/ADFS, and PingFederate - 🧹 gofmt 100% — zero formatting violations across all source files
- 📉 gocyclo 100% — all functions refactored to cyclomatic complexity ≤ 15 (12+ functions fixed)
- 🔧 Added
make build-plugin-auth-attack,make test-plugin-auth-attack,make sign-plugin-auth-attacktargets - ✅ 31 new passing tests in
plugins/auth-attack
- ✨ Migrated from Copilot SDK to direct GitHub Models API integration
- 🔄 Added automatic retry logic with exponential backoff for rate limits
- 🎨 Added configurable AI model selection (
modelcommand) - 🧠 Improved AI analysis - now uses full scan/attack data instead of templates
- 🔍 Added intelligent endpoint pattern recognition (auth, API, admin, file ops)
- 📊 Enhanced analysis with technology stack identification
- 🎯 Increased AI token limits (4000 → 8000) for detailed analysis
- 🛠️ Fixed API parameter naming (max_tokens → max_completion_tokens)
- ⚡ REPL-only mode - simplified architecture, removed unused CLI commands
- 🔧 Updated default endpoint to https://models.github.ai/inference
- 📝 Improved help documentation and command examples
- Initial release with Copilot SDK integration
See CONTRIBUTING.md for branch conventions, test coverage requirements, and the plugin signing workflow. All pull requests must pass go vet ./..., gofmt -l ., and the full unit test suite before review.
MIT License - see LICENSE file.
This tool is provided for authorized security testing and research purposes only. Use against systems without explicit written authorization is illegal under the Computer Fraud and Abuse Act (CFAA), Computer Misuse Act, and equivalent statutes in other jurisdictions. The authors accept no liability for unauthorized or unlawful use.