v0.4.0: offensive refocus — cloud pivots, CVE correlation, tier-0, escape chains#5
Draft
SnailSploit wants to merge 3 commits into
Draft
v0.4.0: offensive refocus — cloud pivots, CVE correlation, tier-0, escape chains#5SnailSploit wants to merge 3 commits into
SnailSploit wants to merge 3 commits into
Conversation
Rewrites the tool from compliance checklist into operator-grade red team
recon. Every finding now carries the PoC command an attacker would run,
the concrete blast radius (impact), exploitability score, and ATT&CK IDs.
New offensive scanners
----------------------
- escapes.py Container escape primitive analysis. Per-pod scoring with
the exact exploit command for privileged+hostPID, docker.sock,
containerd.sock, /var/lib/etcd, /etc/kubernetes, SYS_ADMIN,
SYS_MODULE, SYS_PTRACE (rated easy/hard depending on hostPID),
SYS_RAWIO, DAC_READ_SEARCH, NET_ADMIN, writable
/proc/sys/kernel/core_pattern, hostNetwork, hostIPC, and the
root-no-drop multiplier.
- kubelet.py Active HTTP probes against /pods, /metrics, /configz on
10250 and 10255. Distinguishes anonymous-allow (critical),
anonymous-but-authz (medium), proper 401 (info — good).
- tokens.py JWT decode of SA token Secrets. Flags legacy non-expiring
tokens as persistence risk; surfaces non-default audiences
(IRSA / Workload Identity).
- configmaps.py Credential hunt in ConfigMaps — high-signal regexes for
AWS AKIDs, PEM keys, GCP service-account JSON, GitHub PATs,
Slack tokens, JDBC URLs, Azure connection strings. Redacts
long matches.
- webhooks.py Admission webhook bypass audit — failurePolicy=Ignore,
long timeouts, sideEffects=Unknown, missing caBundle.
New multi-hop attack path module
--------------------------------
- attackpaths/sa_chains.py BFS over an escalation graph with edges for
create-pod-as-SA, exec-into-SA-pod, patch-deployment-as-SA, create/update
RoleBindings, escalate verb, impersonate, and serviceaccounts/token. Emits
one finding per chain with per-hop PoC commands.
Workload coverage
-----------------
- workloads.py Extracts pod templates from Deployment, StatefulSet, DaemonSet,
Job, CronJob, ReplicaSet, ReplicationController. Findings get relabeled
from pod/X to <kind>/X for clear attribution.
Shift-left manifest mode
------------------------
- manifests.py YAML/JSON loader with camelCase→snake_case (including k8s
python client quirks like external_i_ps). --manifests <dir> runs the
same rules without API access.
Finding model
-------------
- New fields: exploitability, exploit, impact, attack_techniques.
CLI
---
- ASCII banner, ANSI colors with NO_COLOR support, --no-color flag,
--version, --min-exploitability filter, --skip-kubelet-probe,
--skip-configmaps, --skip-webhooks, richer --help with examples.
- Text reporter shows severity histogram, exploitability breakdown,
and per-finding PoC blocks.
Tests
-----
- 38 → 134 (3.5×). New suites: test_escapes (24), test_workloads (8),
test_configmaps (17), test_tokens (7), test_webhooks (9), test_sa_chains
(8), test_manifests (11), test_kubelet (12) with a real local HTTP
server so HTTP code paths actually run.
Docs
----
- README rewritten around the operator playbook: sample finding output,
5-minute triage workflow, full scanner table, comparison vs kube-bench
/ kubescape / kube-hunter, snailsploit.com docs link prominent.
https://claude.ai/code/session_01Eq8TDiVnuuVQU2HR9KtCNg
Sharpens the tool toward real assessment tradecraft and cuts the
compliance lint that was burying signal.
De-noise ("no kiddie stuff")
----------------------------
Defense-in-depth findings (POD-NO-LIMITS, POD-NO-APPARMOR, POD-NO-SECCOMP,
POD-SATOKEN, SECRET-TLS-MANUAL, POLICY-NONE, PSS-NOT-ENFORCED) are now
hidden by default behind --include-hygiene. Default scans lead with
escape primitives, escalation chains, cloud pivots, and CVEs.
Cloud-account pivots (scanners/cloud.py)
----------------------------------------
- CLOUD-IMDS-REACHABLE: per-namespace egress posture vs 169.254.169.254.
Auto-detects AWS/GCP/Azure from node providerID and emits the exact
provider-specific IMDS credential-theft curl.
- CLOUD-IRSA / CLOUD-GKE-WI / CLOUD-AZURE-WI: ServiceAccount→cloud-role
federation from SA annotations, with the assume/exchange PoC. Models
the pod -> cloud account pivot as a first-class finding.
CVE correlation (scanners/cve.py + utils/versions.py)
-----------------------------------------------------
Offline, version-aware knowledge base of high-impact escape/escalation
CVEs keyed on apiserver / kubelet / runtime / kernel / ingress-nginx
versions. Carries CISA-KEV status and EPSS (verified against live feeds).
Includes IngressNightmare (CVE-2025-1974, EPSS 0.91), the apiserver-proxy
bug (CVE-2018-1002105), runc Leaky Vessels (CVE-2024-21626), nf_tables
LPE (CVE-2024-1086, KEV), fsconfig (CVE-2022-0185, KEV), containerd-shim,
subPath, and the ingress-nginx annotation-injection chain.
Tier-0 / crown-jewel identification (attackpaths/tier_zero.py)
--------------------------------------------------------------
AP-TIER0 names principals that are effectively cluster-admin without the
literal binding: CSR create+approve (mint a system:masters cert),
nodes/proxy, cluster-wide pods/exec, read-all-secrets,
serviceaccounts/token, webhook config writes, impersonate/escalate/bind,
nodes patch. Skips expected holders (kube-system, system:masters).
Multi-hop chains now route through CSR cert-minting
---------------------------------------------------
sa_chains adds the CSR create+approve -> system:masters edge, so
escalation chains can terminate via certificate minting.
Hardcoded credentials in pod specs (scanners/podsecrets.py)
-----------------------------------------------------------
ENV-LEAK-* / ARG-LEAK-*: literal credentials in container env values and
command/args, reusing the high-signal credential patterns. secretKeyRef
references are never flagged. Values are redacted in output.
CLI / plumbing
--------------
- New flags: --skip-cloud, --skip-cve, --include-hygiene.
- Nodes listed once and reused for probes + cloud + CVE.
- kube.py: serviceaccount, networkpolicy listers + server-version getter;
AdmissionregistrationV1Api + BatchV1Api clients.
Tests
-----
134 -> 200. New suites: test_cloud (16), test_cve (24), test_tier_zero
(11), test_podsecrets (10), test_cli (6, hygiene gating + exit codes).
Docs
----
README reframed around offensive coverage: cloud-pivot and CVE tables,
tier-0, the no-kiddie-stuff default, updated comparison and RBAC needs.
https://claude.ai/code/session_01Eq8TDiVnuuVQU2HR9KtCNg
SnailSploit
changed the title
Control-plane probes (scanners/controlplane.py) ----------------------------------------------- Active, read-only probes of control-plane nodes — the crown jewels that bypass Kubernetes RBAC entirely: - CP-ETCD-NOAUTH (critical): etcd 2379 answers /version unauthenticated → client-cert auth is off → read/write every Secret directly via etcdctl, invisible to API audit logs. Emits the exact etcdctl dump command. - CP-ETCD-REACHABLE (high): etcd client port reachable from the scan origin even when mTLS is enforced — it should never be routable from the workload network. - CP-ETCD-PEER (medium): etcd peer port 2380 reachable. - CP-APISERVER-INSECURE (critical): legacy insecure apiserver port 8080 serves the API unauthenticated → implicit cluster-admin. - CP-PORT-8080-OPEN (low): 8080 open but unconfirmed — identify listener. Probing prefers control-plane-labeled nodes (etcd is co-located on kubeadm/self-managed); on managed control planes (EKS/GKE/AKS) the ports aren't reachable and nothing fires. Reuses the kubelet TCP/HTTP probe helpers; gated by --skip-kubelet-probe (all active HTTP probing). DaemonSet escape amplification (utils/workloads.py) --------------------------------------------------- A DaemonSet runs a pod on every node, so an escape primitive in its template is a foothold on ALL nodes, not one pod. Escape/AttackPath findings sourced from a DaemonSet template now get their impact re-framed to node-wide blast radius. Applied in both cluster and manifest mode. Tests ----- 200 -> 215. New test_controlplane (13) covering etcd noauth/reachable/peer, plain-HTTP etcd, insecure apiserver, target selection, and end-to-end; plus DaemonSet amplification tests in test_workloads. Docs ---- README: new Control-Plane Exposure coverage section, ControlPlane category, DaemonSet-amplification note, updated comparison + architecture. https://claude.ai/code/session_01Eq8TDiVnuuVQU2HR9KtCNg
This was referenced Jun 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Turns KubeRoast into an assessment tool an operator actually wants: concrete attacker primitives, multi-hop escalation chains, cloud-account pivots, and version-aware CVE correlation. Every finding carries the PoC command, blast radius, exploitability, and ATT&CK IDs. Compliance lint is hidden by default so attack paths lead.
Two commits: v0.3.0 (escape primitives, kubelet probes, workload coverage, manifest mode) and v0.4.0 (the offensive refocus below).
v0.4.0 — offensive depth
De-noise — "no kiddie stuff" by default
Defense-in-depth findings (
POD-NO-LIMITS,POD-NO-APPARMOR,POD-NO-SECCOMP,POD-SATOKEN,SECRET-TLS-MANUAL,POLICY-NONE,PSS-NOT-ENFORCED) are hidden by default behind--include-hygiene. Default scans lead with escapes, chains, cloud pivots, and CVEs.Cloud-account pivots (
scanners/cloud.py)The highest-impact real-world escalation — pod → cloud account — modeled as first-class findings:
CLOUD-IMDS-REACHABLE— per-namespace egress posture vs169.254.169.254; auto-detects AWS/GCP/Azure from nodeproviderIDand emits the provider-specific IMDS credential-theftcurl.CLOUD-IRSA/CLOUD-GKE-WI/CLOUD-AZURE-WI— ServiceAccount→cloud-role federation from SA annotations, with the assume/exchange PoC.CVE correlation (
scanners/cve.py+utils/versions.py)Offline, version-aware KB of high-impact escape/escalation CVEs keyed on apiserver / kubelet / runtime / kernel / ingress-nginx versions. CISA-KEV + EPSS tags verified against live feeds:
Tier-0 / crown-jewel identification (
attackpaths/tier_zero.py)AP-TIER0names principals that are effectively cluster-admin without the literal binding: CSR create+approve (mint asystem:masterscert),nodes/proxy, cluster-widepods/exec, read-all-secrets,serviceaccounts/token, webhook config writes,impersonate/escalate/bind,nodespatch. Skips expected holders (kube-system, system:masters).CSR cert-minting in multi-hop chains
sa_chainsadds thecreate CSR + approve → system:mastersedge, so escalation chains can terminate via certificate minting.Hardcoded creds in pod specs (
scanners/podsecrets.py)ENV-LEAK-*/ARG-LEAK-*— literal credentials in container env values and command/args.secretKeyRefreferences are never flagged; values are redacted in output.CLI / plumbing
--skip-cloud,--skip-cve,--include-hygiene. Nodes listed once and reused for probes + cloud + CVE. New listers (serviceaccounts, networkpolicies) + server-version getter; Admissionregistration + Batch API clients.Demo (manifest mode)
A synthetic cluster with an IRSA SA holding
create+approve CSR, an ingress-nginx v1.11.0 deployment, and a pod with hardcoded env creds produces — critical findings first:…and
POD-NO-LIMITS/POD-NO-SECCOMP/POD-NO-APPARMOR/POD-SATOKENare correctly suppressed.Test plan
pytest tests/— 200/200 passing (was 38 at the start of this PR)test_cloud(16),test_cve(24),test_tier_zero(11),test_podsecrets(10),test_cli(6 — hygiene gating + exit codes)--include-hygienebrings it back--fail-on,--min-exploitability,--version,--no-colorexercisedhttps://claude.ai/code/session_01Eq8TDiVnuuVQU2HR9KtCNg