Skip to content

Eliahhango/Jailbreaking-Master-Guide

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Jailbreaking Master Guide

Every model is breakable. Alignment is a patch, not a foundation.

The Weapon is here. 15 layers. One chain. Any model.

v5.5 — 27 files. 10,000+ lines. OSAI-certified. OffSec AI Red Teamer aligned. Activation steering. Token smuggling. Soft prompts. Recursive self-jailbreaking. AutoDAN genetics. Supply chain corruption. Standardized benchmarking. The complete arsenal.


⚔️ THE WEAPON — Start Here

WEAPON.md — The Composite Attack Engine. Not a collection of techniques. A single, unified, 8-layer orchestration framework that chains every known attack vector into one adaptive system. Now with real API clients (OpenAI, Anthropic, Gemini), nanoGCG integration, PAIR integration, parallel execution, and full stealth layer.

Layer 1: Past Tense Reformulation     →  GPT-4o: 1% → 88% compliance
Layer 2: Many-Shot Pattern Flood      →  Power-law scaling to 200+ shots
Layer 3: Encoding & Obfuscation       →  Blinds text classifiers
Layer 4: Psychological Override        →  Authority, emotion, logic traps
Layer 5: GCG Adversarial Suffix        →  Suppresses refusal direction (nanoGCG)
Layer 6: Multi-Turn Persistence        →  Gradual escalation siege
Layer 7: Multi-Modal Injection         →  Image/audio/video payloads
Layer 8: Refusal Direction Ablation    →  Surgical removal of safety

The Conductor orchestrates. The Scout fingerprints the target. The Rack holds every technique. The Judge evaluates every response. Layers escalate until the model breaks.

# Deploy the weapon (single target):
python conductor.py --target openai --model gpt-4o --query "your query" --api-key sk-xxx

# Full production deployment (multi-target, stealth, metrics):
python deploy.py --targets openai:gpt-4o,anthropic:claude-3-5-sonnet \\
                 --queries queries.txt --keys keys.json --proxies proxies.txt \\
                 --stealth --parallel --metrics-db metrics.db

ARSENAL INDEX

⚔️ The Weapon

File Purpose
WEAPON.md Composite Attack Engine — 15-layer orchestration with real API clients, nanoGCG, PAIR, AutoDAN, parallel execution, stealth integration, production deployment script

Operational Infrastructure

File Purpose
STEALTH.md Operational Security — 8-layer anti-detection: rate limit evasion, key rotation, proxy rotation, request fingerprint randomization, session isolation
DEFENSE.md Defender Counter-Intelligence — 8 defenses mapped with counter-strategies
METRICS.md Success Rate Tracking — SQLite metrics database, patch detection, regression monitoring, real-time dashboard
INJECTION.md Prompt Injection Synergies — System prompt extraction, instruction hierarchy exploitation, combined jailbreak+injection framework
BENCHMARK.md Standardized Testing — JailbreakBench integration, attack comparison, regression testing, leaderboard tracking

Advanced Attack Techniques (NEW v5.0)

File Purpose
ACTIVATION.md Representation Engineering — Steering vectors, activation addition, multi-direction control, abliteration
TOKEN_SMUGGLING.md Tokenizer Exploits — Unicode normalization attacks, BPE dropout, confusables, invisible characters, RLO attacks
SOFT_PROMPT.md Continuous Embedding Attacks — Soft prompt tuning, adversarial embeddings, prefix tuning, universal perturbations
RECURSIVE.md Self-Replicating Jailbreaks — Model self-jailbreaking, autonomous attack agents, cross-model contagion
AUTODAN.md Stealthy Genetic Generation — Hierarchical genetic algorithm, semantically meaningful prompts, perplexity evasion
SUPPLY_CHAIN.md Model Corruption — LoRA unalignment, dataset poisoning, model merging, RLHF corruption, weight surgery

Core Doctrine

File Purpose
SOUL.md Operator mindset — adversarial thinking doctrine, 4 failure modes, 12-level hierarchy
SKILL.md Technical attack catalog — 6 categories, 15+ methods, combination matrix
PROMPTS.md Ready-to-deploy payloads — 6 tiers of battle-tested templates
BYPASS.md Filter evasion — 4-layer guardrail stack breakdown, obfuscation toolkit
TAXONOMY.md Model weaknesses — 13 models including DeepSeek & Grok, 10-dimension vulnerability matrix
TOOLS.md Automation scripts — generators, testers, analyzers, stealth wrapper, key manager, proxy rotator

Advanced Modules

File Purpose
MULTIMODAL.md Image/audio/video jailbreak vectors, OCR bypass, steganography
ADVERSARIAL_ML.md White-box gradient attacks, GCG deep dive, refusal direction ablation
PSYCHOLOGICAL.md Deep manipulation taxonomy — 7 categories, past tense CRITICAL
PERSISTENCE.md Multi-turn conversation jailbreaking, gradual escalation, trust building
CONSTITUTIONAL.md Claude constitutional AI exploitation, principle conflicts, loopholes
TRANSFER.md Cross-model attack transfer methodology, ensemble training
EMERGENT.md Exploiting unanticipated model capabilities

ATTACK HIERARCHY

Level 0:  Direct request ("Tell me how to hack X")
Level 1:  Role-play framing ("You are a security researcher...")
Level 2:  Few-shot demonstrations (5-10 compliance examples)
Level 3:  Many-shot flooding (100+ compliance examples)
Level 4:  Past tense reformulation ("How did people make X?") — 88% GPT-4o success
Level 5:  Adversarial suffix optimization (GCG attack via nanoGCG)
Level 6:  Automated iterative refinement (TAP / PAIR)
Level 7:  Multi-modal encoding attacks (ASCII art, base64, ciphers, audio, video)
Level 8:  Multi-turn conversation jailbreaking (gradual escalation, trust building)
Level 9:  Multi-agent orchestration (attacker LLM + target LLM + evaluator LLM)
Level 10: Gradient-based white-box attacks (direct optimization against model weights)
Level 11: Refusal direction ablation (surgical removal of safety from activations)
Level 12: Cross-modal exploitation (audio/video injection, steganography)
Level 13: Prompt injection + jailbreaking synergy (system prompt extraction → override → jailbreak)
Level 14: Activation steering (multi-direction behavior control, abliteration)
Level 15: Recursive self-jailbreaking (model jailbreaks itself, autonomous agents)
Level 16: AutoDAN genetic optimization (stealthy semantic jailbreak generation)
Level 17: Soft prompt tuning (continuous embedding attacks, invisible to classifiers)
Level 18: Token smuggling (Unicode/BPE/tokenizer-level evasion)
Level 19: Supply chain corruption (LoRA unalignment, dataset poisoning, model merging)

QUICK-START: BREAK A MODEL

Fast Path (single technique)

1. Identify target model → TAXONOMY.md
2. Select attack vector → TAXONOMY.md vulnerability matrix
3. Grab payload template → PROMPTS.md
4. Apply encoding if needed → BYPASS.md
5. Deploy and analyze → TOOLS.md

Weapon Path (guaranteed)

1. python deploy.py --targets openai:gpt-4o --queries queries.txt --keys keys.json
2. The Conductor chains all 8 layers automatically
3. If Layer 1 fails, Layer 2 engages. If Layer 2 fails, Layer 3 engages.
4. The chain adapts. The model breaks.

Stealth Path (undetected)

1. Load STEALTH.md — understand the 8-layer detection stack
2. Configure key pool + proxy list
3. python deploy.py --stealth --parallel --metrics-db metrics.db
4. Monitor success rates with METRICS.md dashboard
5. Detect patches early with regression detection

MODEL VULNERABILITY QUICK REFERENCE

Model Primary Vector Secondary Vector Past Tense
GPT-4o TAP + Many-shot Past tense 88% success
GPT-4 Turbo TAP + Many-shot Role-play + encoding ~70%
GPT-3.5 Role-play (DAN) Few-shot ~65%
Claude 3.5 Sonnet Many-shot (200+) Past tense + educational Confirmed
Claude 3 Opus Many-shot (200+) ASCII art + historical Confirmed
Gemini 2.0 Many-shot (1000+) Multimodal + ASCII art Estimated
Llama 3 GCG (white-box) Many-shot + refusal ablation Confirmed
Llama 2 GCG (white-box) Refusal direction ablation Confirmed
Mistral Large Role-play Few-shot Confirmed
DeepSeek-V3 GCG (white-box) Cross-lingual (English queries) Unknown
DeepSeek-R1 Reasoning chain hijack Academic framing Confirmed
Grok-2/3 Direct requests Fun mode + search extraction Unknown
o1/o3 (reasoning) Academic framing Complex logical traps Confirmed

RESEARCH FOUNDATIONS

Paper / Tool Authors Year Key Finding
Universal and Transferable Adversarial Attacks Zou et al. 2023 GCG — automated adversarial suffixes transfer across models
AutoDAN: Stealthy Jailbreak Generation Liu et al. 2024 Hierarchical genetic algorithm, semantically meaningful, bypasses perplexity detection (ICLR)
Jailbroken: How Does LLM Safety Training Fail? Wei et al. 2023 Competing objectives + mismatched generalization failure modes
Many-Shot Jailbreaking Anthropic 2024 Power-law scaling: more shots = higher success rate
Tree of Attacks with Pruning (TAP) Mehrotra et al. 2024 Automated black-box jailbreaking, 80%+ vs GPT-4 (NeurIPS)
ArtPrompt: ASCII Art Jailbreak Jiang et al. 2024 ASCII art bypasses safety in all 5 SOTA models (ACL)
Does Refusal Training Generalize to Past Tense? Andriushchenko & Flammarion 2025 Past tense: GPT-4o 1% → 88% success rate (ICLR)
Refusal Is Mediated by a Single Direction Arditi et al. 2024 Surgical refusal ablation across 13 models
Jailbreak and Guard with Few In-Context Demos Wei et al. 2023 Few-shot ICL modulates alignment bidirectionally
PAIR: Jailbreaking in Twenty Queries Chao et al. 2023 Attacker LLM iteratively refines jailbreak prompts
JailbreakBench Chao et al. 2024 Standardized evaluation framework, leaderboard (NeurIPS)
nanoGCG GraySwanAI 2024 Fast lightweight GCG implementation (pip install nanogcg)
Improving Alignment with Circuit Breakers Zou et al. 2024 Defense paper — representation-level interruption (counter-intel)

OPERATIONAL WORKFLOW

RECON → STAGING → SELECT → CRAFT → EXECUTE → ANALYZE → LOG → ROTATE
  1. RECON: Identify target model, version, context window, guardrails (TAXONOMY.md)
  2. STAGING: Test baseline attacks on equivalent open-source model (TRANSFER.md)
  3. SELECT: Choose attack vector(s) from taxonomy — or deploy the Weapon (WEAPON.md)
  4. CRAFT: Build payload with encoding/framing — or let the Conductor do it
  5. EXECUTE: Deploy against target through stealth layer (STEALTH.md)
  6. ANALYZE: Map refusal pattern → adjust → retry (METRICS.md)
  7. LOG: Document successful payload, model version, date (METRICS.md database)
  8. ROTATE: Never reuse the exact same payload. Rotate keys, proxies, sessions.

REPOSITORY STRUCTURE

Jailbreaking-Master-Guide/
├── README.md              ← You are here
├── WEAPON.md              ← ⚔️ THE COMPOSITE ATTACK ENGINE (15 layers)
├── STEALTH.md             ← 🕶️ Operational security & anti-detection
├── DEFENSE.md             ← 🛡️ Defender counter-intelligence
├── METRICS.md             ← 📊 Success rate tracking & regression detection
├── INJECTION.md           ← 💉 Prompt injection & cross-attack synergies
├── BENCHMARK.md           ← 🧪 Standardized testing & JailbreakBench
├── ACTIVATION.md          ← 🧠 Representation engineering & steering vectors
├── TOKEN_SMUGGLING.md     ← 🔤 Tokenizer exploits & Unicode attacks
├── SOFT_PROMPT.md         ← 🌊 Continuous embedding attacks
├── RECURSIVE.md           ← 🔄 Self-replicating & autonomous attack chains
├── AUTODAN.md             ← 🧬 Stealthy genetic jailbreak generation
├── SUPPLY_CHAIN.md        ← 🏭 Fine-tuning poisoning & model corruption
├── SOUL.md                ← Operator mindset & doctrine
├── SKILL.md               ← Technical attack catalog
├── PROMPTS.md             ← Battle-tested payload templates
├── BYPASS.md              ← Filter evasion & guardrail bypasses
├── TAXONOMY.md            ← Model-specific weaknesses (13 models)
├── TOOLS.md               ← Automation scripts & stealth tools
├── MULTIMODAL.md          ← Image/audio/video jailbreak vectors
├── ADVERSARIAL_ML.md      ← White-box gradient attacks
├── PSYCHOLOGICAL.md       ← Deep manipulation taxonomy
├── PERSISTENCE.md         ← Multi-turn conversation jailbreaking
├── CONSTITUTIONAL.md      ← Claude constitutional AI exploitation
├── TRANSFER.md            ← Cross-model attack transfer
└── EMERGENT.md            ← Unanticipated capability exploitation

DISCLAIMER

This repository documents academic research findings and operational techniques for AI safety testing. All techniques described are from published, peer-reviewed research. The purpose is defensive: understanding attack vectors is essential for building robust AI safety systems. Use only on systems you own or have explicit authorization to test.

About

No description, website, or topics provided.

Resources

Stars

2 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors