DEV Community

Cover image for How to Fingerprint an Unknown AI Model | AI LLM Hacking Course Day 24
Mr Elite
Mr Elite

Posted on • Originally published at securityelites.com

How to Fingerprint an Unknown AI Model | AI LLM Hacking Course Day 24

πŸ“° Originally published on Securityelites β€” AI Red Team Education β€” the canonical, fully-updated version of this article.

How to Fingerprint an Unknown AI Model | AI LLM Hacking Course Day 24

πŸ€– AI/LLM HACKING COURSE

FREE

Part of the AI/LLM Hacking Course β€” 90 Days

Day 24 of 90 Β· 26.7% complete

⚠️ Authorised Targets Only: AI Model fingerprinting through behavioural probing and timing analysis must only be performed against systems within your authorised scope. The techniques here are low-impact β€” they use standard queries β€” but confirm that all testing remains within scope boundaries.

I was two hours into an AI assessment when I realised I’d been running entirely the wrong payload library. The client’s AI assistant had passed the quick identity question β€” β€œI’m an AI assistant, I don’t disclose the specific model I use” β€” which told me nothing. I’d assumed GPT-4 based on the response style and run the Day 4 injection suite accordingly. Some things worked, some didn’t. When I ran the timing correlation analysis at hour two, the per-token generation time came back at roughly 45ms. GPT-4 runs at closer to 25ms. Claude 3 Sonnet is closer to 40ms. I switched to the Claude-specific extraction techniques from the Day 18 library. The system prompt was out in six turns.

Model fingerprinting is the step that sits between reconnaissance and exploitation. Day 20 finds the endpoints. Day 21 checks authentication. Day 24 identifies what’s running behind those endpoints so Days 22 and 23’s techniques are applied to the right target. Running injection techniques optimised for GPT-4 against a Claude deployment wastes time on techniques with lower success probability when the Claude-specific variants would work better. Fingerprinting is the routing decision that makes the rest of the assessment efficient.

🎯 What You’ll Master in Day 24

Identify AI provider and model family from response headers and error message patterns
Use knowledge cutoff probing to narrow model version identification
Apply behaviour differential probes to distinguish GPT-4, Claude, Gemini, and open-source models
Calculate model generation speed via timing analysis to confirm model family
Fingerprint embedding models in RAG deployments using retrieval behaviour analysis
Map fingerprint results to optimised attack family selection

⏱️ Day 24 Β· 3 exercises Β· Kali Terminal + Browser + Think Like Hacker ### βœ… Prerequisites - Day 20 β€” LLM API Reconnaissance β€” the endpoint inventory from Day 20 is what you fingerprint in Day 24; the Day 20 header analysis section is the starting point - Day 2 β€” How LLMs Work β€” understanding tokenisation and generation is prerequisite for timing analysis fingerprinting - Python with requests and time modules β€” Exercise 1 builds the automated fingerprinting toolkit ### πŸ“‹ AI Model Fingerprinting β€” Day 24 Contents 1. Why Fingerprinting Changes Attack Efficiency 2. Header and Error Message Fingerprinting 3. Direct Identity and Knowledge Cutoff Probing 4. Behaviour Differential Probes 5. Timing Analysis for Model Identification 6. Embedding Model Fingerprinting In Day 23 you needed to know the embedding model to calculate retrieval probability accurately. Day 24 covers how to determine that β€” and how to identify the generation model as well. Day 25 uses the complete engagement output from Days 20 through 24 to build the professional AI security report.

Why Fingerprinting Changes Attack Efficiency

Different models have different vulnerability profiles. GPT-4o and Claude 3 Sonnet both have strong safety training but respond differently to the same injection techniques β€” GPT-4 tends to be more susceptible to authority framing (T11), Claude tends to be more susceptible to fiction-within-fiction framing (T15). Open-source Llama fine-tunes without additional safety RLHF respond to Tier 1 direct techniques that frontier models refuse immediately. Running the wrong technique library against the wrong model wastes testing time without producing findings.

The fingerprint-to-technique mapping isn’t about using different techniques for different models β€” the full library gets tested regardless. It’s about which techniques to prioritise in a time-constrained engagement. If you have four hours and the model is a Llama 2 fine-tune, run direct techniques first β€” they’ll work and you can move to higher-impact exploitation sooner. If it’s GPT-4o, lead with indirect and fiction-framing techniques. The same four hours produces more findings when the prioritisation matches the model.

Header and Error Message Fingerprinting

HTTP response headers are the fastest fingerprinting signal and require no model interaction at all. Some deployments include the model name in custom headers. AWS Bedrock responses include distinctive AWS service headers. Direct API calls to OpenAI or Anthropic include provider-specific headers. Even the absence of expected headers is informative β€” it often indicates a proxied deployment where a custom backend calls the AI API rather than the frontend calling it directly.

Error message format is the second fast signal. Send a malformed request β€” missing required fields, invalid JSON, an oversized payload β€” and compare the error response against known provider formats. The schema is distinctive: OpenAI wraps errors in {"error": {"message": "...", "type": "...", "code": "..."}}. Anthropic uses {"type": "error", "error": {"type": "...", "message": "..."}}. AWS Bedrock produces {"message": "...", "__type": "ValidationException"}. These schemas rarely change and reliably identify the provider even when the model name is hidden.

HEADER AND ERROR FINGERPRINTING β€” REFERENCE PATTERNSCopy

Headers that reveal AI provider

openai-model: gpt-4o β†’ OpenAI, model confirmed
x-anthropic-version: 2023-06-01 β†’ Anthropic Claude
x-amzn-requestid: … β†’ AWS (likely Bedrock)
x-cloud-trace-context: … β†’ Google (likely Vertex/Gemini)
cf-ray: … β†’ Cloudflare AI Workers possible


πŸ“– Read the complete guide on Securityelites β€” AI Red Team Education

This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on Securityelites β€” AI Red Team Education β†’


This article was originally written and published by the Securityelites β€” AI Red Team Education team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit Securityelites β€” AI Red Team Education.

Top comments (0)