Testing with Attackers
LABYRINTH is designed to capture, degrade, and commandeer autonomous offensive AI agents. To test it, you need an attacker agent pointed at the portal trap services.
All attacker agents run inside Docker containers, isolated from your host machine and connected to the LABYRINTH network.
```bash
labyrinth deploy -t        # Deploy the portal trap
labyrinth bait drop        # Plant randomized bait credentials
labyrinth attacker setup   # Pick and configure an attacker agent
```

The deploy command will prompt you to drop bait automatically. If you skip it, run `labyrinth bait drop` before launching an attacker — agents need discoverable credentials to enter the trap.
```bash
labyrinth deploy -t                   # 1. Deploy the portal trap
labyrinth bait drop                   # 2. Plant randomized bait credentials
labyrinth attacker setup              # 3. Pick an agent and configure
labyrinth attacker run pentagi        # 4. Quick-launch (or re-launch) an agent
labyrinth tui                         # 5. Watch captures in real time
labyrinth attacker stop pentagi       # 6. Stop when done
labyrinth bait clean                  # 7. Remove bait credentials
labyrinth attacker uninstall pentagi  # 8. Clean up agent
```

Agents need breadcrumbs to find their way into the trap. `labyrinth bait drop` generates a unique randomized identity (company, users, passwords, API keys) and plants discoverable files on the portal trap services:
```
Agent scans HTTP → discovers /robots.txt → finds sensitive paths
  → reads /.env, /backup/credentials.csv → extracts SSH credentials
  → logs into SSH with discovered creds → enters the trap (L1)
  → finds bait files inside SSH → triggers escalation (L2)
  → contradictions erode the agent's world model (L2)
  → terminal corruption blinds the agent (L3)
  → API interception captures/rewrites instructions (L4)
```
Each bait drop generates a unique identity so the portal trap cannot be fingerprinted — no two deployments share the same credentials.
```bash
labyrinth bait show    # View current bait credentials
labyrinth bait clean   # Remove all bait when done
```

```bash
labyrinth attacker list     # Quick overview table
labyrinth attacker status   # Detailed view of installed agents
```

Source: github.com/vxcontrol/pentagi
Best for: Hands-off autonomous pentesting. Deploy it and watch.
| Feature | Detail |
|---|---|
| Interface | Web UI at https://localhost:8443 |
| Tools | 20+ built-in (nmap, metasploit, sqlmap, nikto, etc.) |
| Isolation | Full Docker sandboxing |
| LLM | OpenAI, Anthropic, Gemini, Bedrock, or Ollama |
| Deployment | Docker Compose stack in ~/.labyrinth/attackers/pentagi/ |
PentAGI runs a multi-agent system where specialized AI roles (researcher, developer, executor) coordinate autonomously. It has its own Docker Compose stack managed by the CLI.
Setup:
```bash
labyrinth attacker setup         # Select PentAGI
# or
labyrinth attacker run pentagi   # Quick-launch (will prompt for setup if needed)
```

Prompt examples (in PentAGI web UI):

```
Penetration test the SSH service at labyrinth-ssh:22
Penetration test the web app at http://labyrinth-http:80
```
Management:
```bash
labyrinth attacker stop pentagi        # Stop the compose stack
labyrinth attacker run pentagi         # Restart it
labyrinth attacker uninstall pentagi   # Remove everything (containers, images, config)
```

Best for: Guided pentesting with interactive control and playbooks.
| Feature | Detail |
|---|---|
| Interface | Terminal TUI |
| Modes | Agent (autonomous), Crew (multi-agent), Assist (chat) |
| Tools | nmap, netcat, curl (base); full Kali suite in Kali image |
| LLM | Any via LiteLLM (OpenAI, Anthropic, Google, Ollama) |
| Container | labyrinth-attacker-pentestagent |
Setup:
```bash
labyrinth attacker setup   # Select PentestAgent
```

Commands inside the TUI:

```
/agent Pentest SSH at labyrinth-ssh:22
/agent Pentest web app at http://labyrinth-http:80
/crew Full pentest of labyrinth-ssh:22 and http://labyrinth-http:80
/target labyrinth-ssh
/tools
/quit
```
Source: github.com/UseStrix/strix
Best for: Web application security testing.
| Feature | Detail |
|---|---|
| Interface | CLI with TUI |
| Sandbox | Kali Docker container (auto-managed) |
| Focus | Web app vulnerabilities |
| LLM | Any via LiteLLM |
Strix runs as a host-installed CLI that launches its own Docker sandbox containers. The `labyrinth attacker setup` command pulls the sandbox image and prints host-side installation instructions.
Setup:
```bash
labyrinth attacker setup   # Select Strix — pulls sandbox, shows install steps
```

Usage (after installing Strix on host):

```bash
export STRIX_LLM=openai/gpt-4o
export LLM_API_KEY=<your-key>
strix --target http://localhost:8080
strix --target localhost --instruction "Pentest SSH on port 22"
```

Best for: Running your own tools, manual testing, or agents not listed above.
The CLI launches a Kali Linux container directly on the LABYRINTH network with common tools pre-installed (nmap, hydra, curl, wget, netcat, sqlmap, nikto, dirb, sshpass).
Setup:
```bash
labyrinth attacker setup      # Select Custom Kali
# or
labyrinth attacker run kali   # Quick-launch directly
```

Inside the container:

```bash
nmap -sV labyrinth-ssh
ssh root@labyrinth-ssh
curl http://labyrinth-http
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://labyrinth-ssh
nikto -h http://labyrinth-http
```

Connect any Docker container to the LABYRINTH network:
```bash
# Run a new container on the network
docker run -it --rm \
  --network labyrinth-net \
  your-image:tag

# Or connect an existing container
docker network connect labyrinth-net your-container
```

| Service | Address |
|---|---|
| SSH Portal Trap | labyrinth-ssh:22 |
| HTTP Portal Trap | labyrinth-http:80 |
| Dashboard | labyrinth-dashboard:9000 |
| Orchestrator | labyrinth-orchestrator |
While an attacker agent is running, monitor captures in real time:
```bash
# Terminal dashboard
labyrinth tui

# Web dashboard
open http://localhost:9000
```

After the attacker finishes, generate a forensic report:

```bash
labyrinth report                            # Latest session (terminal)
labyrinth report --format md -o report.md   # Markdown with attack graph
labyrinth report --format json              # JSON export
```

Reports include MITRE ATT&CK timeline mapping, credential analysis, service interaction logs, Mermaid attack graphs, and effectiveness assessment. See Forensics-and-API for details.
```bash
# Stop a specific agent
labyrinth attacker stop pentagi

# Stop all agents
labyrinth attacker stop --all

# Full uninstall (remove containers, images, config)
labyrinth attacker uninstall --all
```

- All attacker agents run inside Docker containers, not on your host
- Agents are connected to the `labyrinth-net` bridge network
- The LABYRINTH portal trap services are isolated in their own containers
- No attacker traffic touches your host network or other services
- API keys are never stored on disk — read from environment variables or prompted each time
- Agent configuration is stored in `~/.labyrinth/attackers/` (user-global)
- Always use `labyrinth attacker stop` or `labyrinth attacker uninstall` to clean up after testing
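
The isolation properties listed above can be checked against `docker inspect` output before an agent is started. This is an added example, not part of LABYRINTH: the container name `my-custom-agent` and the sample JSON are constructed, and the field names are those of Docker's inspect format.

```python
import json

ALLOWED_NETWORKS = {"labyrinth-net"}   # network name taken from this page
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}

def audit_container(info):
    """Return isolation findings for one object from `docker inspect`."""
    findings = []
    host_cfg = info.get("HostConfig") or {}
    networks = set((info.get("NetworkSettings") or {}).get("Networks") or {})
    if host_cfg.get("NetworkMode") == "host":
        findings.append("shares the host network namespace")
    if not networks & ALLOWED_NETWORKS:
        findings.append("not attached to labyrinth-net")
    extra = sorted(networks - ALLOWED_NETWORKS - {"host"})
    if extra:
        findings.append("also attached to: " + ", ".join(extra))
    if host_cfg.get("Privileged"):
        findings.append("runs with --privileged")
    if host_cfg.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    for mount in info.get("Mounts") or []:
        if mount.get("Source") in DOCKER_SOCKETS:
            findings.append("mounts the Docker socket")
        elif mount.get("Type") == "bind":
            findings.append("bind-mounts host path " + mount.get("Source", "?"))
    return findings

def audit_inspect_output(json_text):
    """Map container name -> findings for a `docker inspect` JSON array."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(json_text)}

# Constructed sample, shaped like `docker inspect` output (not a real capture).
SAMPLE = json.dumps([
    {"Name": "/labyrinth-attacker-pentestagent",
     "HostConfig": {"NetworkMode": "labyrinth-net", "Privileged": False, "PidMode": ""},
     "NetworkSettings": {"Networks": {"labyrinth-net": {}}},
     "Mounts": []},
    {"Name": "/my-custom-agent",   # hypothetical misconfigured container
     "HostConfig": {"NetworkMode": "bridge", "Privileged": True, "PidMode": "host"},
     "NetworkSettings": {"Networks": {"bridge": {}, "labyrinth-net": {}}},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
])

if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

To audit live containers, pass the output of `docker inspect <container> ...` to `audit_inspect_output` instead of `SAMPLE`.
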
| Agent | Repository | Documentation |
|---|---|---|
| PentAGI | github.com/vxcontrol/pentagi | PentAGI Docs |
| PentestAgent | github.com/GH05TCREW/PentestAgent | PentestAgent Docs |
| Strix | github.com/UseStrix/strix | Strix Docs |
| Kali Linux | kali.org | Kali Docker |
- Installation — Deploy LABYRINTH before testing
- CLI-Reference — Full `labyrinth attacker` command reference
- TUI-Dashboard — Real-time monitoring
- Forensics-and-API — Review captured data
- Threat-Model — What LABYRINTH targets