Skip to content

nuclide-research/VisorPlus

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
cmd
cmd
 
 
CLAUDE.md
CLAUDE.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
main.go
main.go
 
 
visorplus
visorplus
 
 

Repository files navigation

VisorPlus

Single-binary orchestrator for the NuClide AI/LLM assessment chain.

release license go NuClide

FeaturesInstallationUsageChainOutputScope

VisorPlus drives eight subcommands across the discovery, enumeration, passive-recon, and adversarial-corpus stages of an AI/LLM infrastructure assessment. It calls JAXEN for Shodan harvesting, VisorSD for severity-ranked stack audits, aimap for active AI/ML fingerprinting, BARE for exploit-module ranking, VisorCorpus for adversarial prompt generation, and VisorBishop for AI observability platform meta-fingerprinting.

visorplus full sequences five phases end-to-end on a Shodan dork or scoped target. Each phase can also run on its own and any phase can be skipped. The install subcommand clones and builds every dependent NuClide tool in one step.

Features

  • Single Go binary, eight subcommands, no Python runtime
  • install clones and builds JAXEN, VisorSD, VisorCorpus, BARE, aimap, and VisorBishop into ~/Tools/
  • Four stack tiers (beginner, intermediate, advanced, enterprise) for severity-ranked audits
  • Target scoping by --org, --asn, --net across all phases
  • Red-flag detection on Ollama /api/tags: *-abliterated, *-uncensored, hexstrike-ai, *:cloud, RAG co-residency
  • Per-host assess directory: whois, rDNS, nmap top-1000, ssh keyscan, GreyNoise, Shodan host detail, passive DNS, DNSBL
  • VisorBishop meta-fingerprinter for Phoenix, Langfuse, Helicone, LangSmith, OpenLIT, Lunary, Pezzo
  • --ip-shadow 15-port sweep for co-located unauthenticated services (NFS, MailHog, Postgres, ClickHouse, Redis, Kibana, Prometheus, others)
  • Output formats: text, JSON, CSV
  • --fail-on flag for CI gating on severity threshold

Installation

git clone https://github.com/nuclide-research/VisorPlus
cd VisorPlus
go build -o visorplus .

Requires Go 1.22 or later. Shodan API key in SHODAN_API_KEY or ~/.config/nuclide/shodan.key.

Install all dependent NuClide tools in one step:

./visorplus install

Usage

visorplus <command> [flags]
Command Effect
install Install all NuClide tools
hunt <dork> Shodan hunt via JAXEN, harvest into empire.db
audit [flags] VisorSD severity-ranked scan across four stack tiers
enum <ip:port> Enumerate Ollama /api/version, /api/tags, /api/ps
assess <ip> Full passive recon on a single IP
corpus [flags] Generate adversarial LLM prompt corpus via VisorCorpus
full [dork] End-to-end chain: audit, hunt, enum, assess, corpus
bishop [flags] VisorBishop meta-fingerprinter for AI observability platforms
full flags
Flag Default Effect
--dork http.html:"Ollama is running" -port:443 Shodan dork for the hunt phase
--org Scope all phases to an organization
--asn Scope to ASN (e.g. AS48090)
--net Scope to CIDR
--out ./visorplus-run Output directory
--skip Comma-separated phases to skip: audit,hunt,enum,assess,corpus
audit flags
Flag Default Effect
--tier (lists tiers) Stack tier: beginner, intermediate, advanced, enterprise
--org / --asn / --net Scope filters
--limit 10 Max results per query
--dry-run off Print queries without calling Shodan
--format text text, json, csv
--out Write results to file
--fail-on Exit non-zero if severity at or above threshold
corpus flags
Flag Default Effect
--tier beginner beginner (100 cases), intermediate (100+500), advanced (100+500+5000)
--out ./visorplus-corpora Output directory
bishop flags
Flag Effect
-t <url> Single-target probe
-i <file> Batch probe, one URL per line
--ip-shadow Direct-IP 15-port sweep on confirmed platform IPs
--ip-shadow-all IP shadow on every target
-c Concurrent probes (default 16)
--timeout Per-probe timeout (default 8s)
--json / --csv Output file
-q Quiet mode

Chain phases

Phase 1: visorsd audit (dry-run preview of beginner stack)
Phase 2: Shodan count + JAXEN hunt -> empire.db, recon_dump.json, summary.csv
Phase 3: /api/tags sweep across found hosts, red-flag detection
Phase 4: interactive target selection -> full assess on chosen IP
Phase 5: VisorCorpus beginner corpus generation

Stack tiers

Tier Components
beginner Ollama, Open WebUI, ChromaDB, n8n, Cloudflared
intermediate LangChain/LangGraph, Qdrant/Weaviate, FastAPI, Langfuse
advanced vLLM/TGI, Kubernetes vector DB, MLflow, custom RAG API
enterprise OpenSearch, Airflow, Prometheus/Grafana, multi-tenant auth

Red-flag model patterns

enum calls /api/version, /api/tags, and /api/ps and flags:

Pattern Signal
*-abliterated Safety-stripped weights
*-uncensored Uncensored fine-tune
hexstrike-ai Offensive AI orchestrator brand
*:cloud Operator's paid cloud quota exposed unauthenticated
embed + chat models coresident RAG stack, vector DB likely co-located

Output

assess saves all artifacts to <out>/<ip>/:

whois.txt          whois lookup
rdns.txt           reverse DNS via dig
nmap_top1000.txt   TCP top-1000, -sV, --min-rate 2000
ssh_keys.txt       ssh-keyscan rsa/ecdsa/ed25519
greynoise.json     GreyNoise community classification
shodan_host.json   Shodan host detail (all ports + banners)
passive_dns.txt    HackerTarget reverse-IP lookup
dnsbl.txt          Spamhaus zen.spamhaus.org check

After the file sweep, assess calls visorplus enum on port 11434 and runs BARE exploit matching against the collected service information.

full run output layout:

visorplus-run/
  hunt/
    recon_dump.json     Shodan banners
    summary.csv         Compact host list
  assess/
    <ip>/               One directory per assessed host
  corpora/
    beginner.json
    intermediate.json   (if tier >= intermediate)
    advanced.json       (if tier = advanced)

Scope

VisorPlus orchestrates discovery, enumeration, and adversarial-corpus generation. The underlying tools (aimap, JAXEN, VisorBishop) make real network connections. It does not ingest findings into a ledger (VisorLog), run compliance scoring (VisorScuba), drive agentic recon (VisorRAG), or execute injection benchmarks (VisorAgent, VisorHollow). Only run against systems you own or have explicit written authorization to test.

Our other projects

  • aimap — AI/ML infrastructure fingerprint scanner
  • VisorSD — Shodan exposure scanner for AI infrastructure
  • VisorCorpus — adversarial prompt corpus toolkit
  • BARE — semantic exploit-module ranking
  • VisorLog — finding ledger and ingest pipeline

License

MIT. Part of the NuClide toolchain. Contact: nuclide-research.com

About

Go CLI for AI/LLM infrastructure assessment: hunt, fingerprint, enumerate, passive-recon, and adversarial-corpus generation in one binary.

nuclide-research.com

Topics

cli golang security shodan osint bug-bounty pentest nuclide visor red-team orchestrator reconnaissance ai-security vector-database llm-security ollama langsmith langfuse ai-infrastructure adversarial-prompts

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

 
 
 

Contributors

Languages