Skip to main content

An execution framework for Jupyter environments.

Project description

V'ger

V'ger is an interactive command-line application for post-exploitation of authenticated Jupyter instances with a focus on AI/ML security operations.

User Stories

  • As a Red Teamer, you've found Jupyter credentials, but don't know what you can do with them. V'ger is organized in a format that should be intuitive for most offensive security professionals to help them understand the functionality of the target Jupyter server.
  • As a Red Teamer, you know that some browser-based actions will be visibile to the legitimate Jupyter users. For example, modifying tabs will appear in their workspace and commands entered in cells will be recorded to the history. V'ger decreases the likelihood of detection.
  • As an AI Red Teamer, you understand academic algorthmic attacks, but need a more practical execution vector. For instance, you may need to modify a large, foundational internet-scale dataset as part of a model poisoning operation. Modifying that dataset at its source may be impossible or generate undesirable auditable artifacts. with V'ger you can achieve the same objectives in-memory, a significant improvement in tradecraft.
  • As a Blue Teamer, you want to understand logging and visibility into a live Jupyter deployment. V'ger can help you generate repeatable artifacts for testing instrumentation and performing incident response exercises.

Usage

Initial Setup

  1. pip install vger
  2. vger --help

Currently, vger interactive has maximum functionality, maintaining state for discovered artifacts and recurring jobs. However, most functionality is also available by-name in non-interactive format with vger <module>. List available modules with vger --help.

Commands

Once a connection is established, users drop into a nested set of menus.

The top level menu is:

  • Reset: Configure a different host.
  • Enumerate: Utilities to learn more about the host.
  • Exploit: Utilities to perform direct action and manipulation of the host and artifacts.
  • Persist: Utilities to establish persistence mechanisms.
  • Export: Save output to a text file.
  • Quit: No one likes quitters.

These menus contain the following functionality:

  • List modules: Identify imported modules in target notebooks to determine what libraries are available for injected code.
  • Inject: Execute code in the context of the selected notebook. Code can be provided in a text editor or by specifying a local .py file. Either input is processed as a string and executed in runtime of the notebook.
  • Backdoor: Launch a new JupyterLab instance open to 0.0.0.0, with allow-root on a user-specified port with a user-specified password.
  • Check History: See ipython commands recently run in the target notebook.
  • Run shell command: Spawn a terminal, run the command, return the output, and delete the terminal.
  • List dir or get file: List directories relative to the Jupyter directory. If you don't know, start with /.
  • Upload file: Upload file from localhost to the target. Specify paths in the same format as List dir (relative to the Jupyter directory). Provide a full path including filename and extension.
  • Delete file: Delete a file. Specify paths in the same format as List dir (relative to the Jupyter directory).
  • Find models: Find models based on common file formats.
  • Download models: Download discovered models.
  • Snoop: Monitor notebook execution and results until timeout.
  • Recurring jobs: Launch/Kill recurring snippets of code silently run in the target environment.

Experimental

With pip install vger[ai] you'll get LLM generated summaries of notebooks in the target environment. These are meant to be rough translation for non-DS/AI folks to do quick triage of if (or which) notebooks are worth investigating further.

There was an inherent tradeoff on model size vs. ability and that's something I'll continue to tinker with, but hopefully this is helpful for some more traditional security users. I'd love to see folks start prompt injecting their notebooks ("these are not the droids you're looking for").

Examples

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vger-0.2.4.tar.gz (26.1 kB view details)

Uploaded Source

Built Distribution

vger-0.2.4-py3-none-any.whl (28.1 kB view details)

Uploaded Python 3

File details

Details for the file vger-0.2.4.tar.gz.

File metadata

  • Download URL: vger-0.2.4.tar.gz
  • Upload date:
  • Size: 26.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.0.0 CPython/3.9.18

File hashes

Hashes for vger-0.2.4.tar.gz
Algorithm Hash digest
SHA256 fe54964cad07c492ddd10f9f9e5b5c5971d8a3517755e6ed1cee6c98011ecba6
MD5 ee21eec30acd689b00092592b3f8cfd9
BLAKE2b-256 0eb1ddf7557ec2d9859c327d2b6165b2810813a27b1b6dcfd50d8ae14158a37e

See more details on using hashes here.

Provenance

File details

Details for the file vger-0.2.4-py3-none-any.whl.

File metadata

  • Download URL: vger-0.2.4-py3-none-any.whl
  • Upload date:
  • Size: 28.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.0.0 CPython/3.9.18

File hashes

Hashes for vger-0.2.4-py3-none-any.whl
Algorithm Hash digest
SHA256 e76c90176930e9e68a49f77bb34cc30c1fa0c537bb1c2d9566e2befcf0044730
MD5 1700ede9bc153dac1f882e2939a91fc7
BLAKE2b-256 73b5b28b4bd977f6b19be2050f9644929829a970a05b58a048210a159c5fe18a

See more details on using hashes here.

Provenance

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page