kubestalk: discovers Kubernetes and related infrastructure based attack surface


KubeStalk is a tool to discover Kubernetes and related infrastructure-based attack surfaces from a black-box perspective. This tool is a community version of the tool used to probe for unsecured Kubernetes clusters around the internet during Project Resonance – Wave 9.


git clone https://github.com/redhuntlabs/kubestalk
python3 -m pip install -r requirements.txt


Basic Usage

To use the tool, you can pass one or more hosts to the script. All targets passed to the tool must be RFC 3986 compliant, i.e. must contain a scheme and hostname (and port if required).

Basic usage is as below:

$ python3 kubestalk.py https://███.██.██.███:10250

| K U B E S T A L K |
+---------------------+ v0.1

[!] KubeStalk by RedHunt Labs - A Modern Attack Surface (ASM) Management Company
[!] Author: 0xInfection (RHL Research Team)
[!] Continuously Track Your Attack Surface using https://redhuntlabs.com/nvadr.

[+] Loaded 10 signatures to scan.
[*] Processing host: https://███.██.██.██:10250
[!] Found potential issue on https://███.██.██.██:10250: Kubernetes Pod List Exposure
[*] Writing results to output file.
[+] Done.



HTTP Tuning

HTTP requests can be fine-tuned using the -t (to mention HTTP timeouts), -ua (to specify custom user agents), and the –verify-ssl (to validate SSL certificates while making requests).


You can control the number of hosts to scan simultaneously using the –concurrency flag. The default value is set to 5.


The output is written to a CSV file and can be controlled by the –output flag.

A sample of the CSV output rendered in markdown is as below:

host path issue type severity
https://█.█.█.█:10250 /pods Kubernetes Pod List Exposure core-component vulnerability/misconfiguration
https://█.█.█.█:443 /api/v1/pods Kubernetes Pod List Exposure core-component vulnerability/misconfiguration
http://█.█.██.█:80 / etcd Viewer Dashboard Exposure add-on vulnerability/exposure
http://██.██.█.█:80 / cAdvisor Metrics Web UI Dashboard Exposure add-on vulnerability/exposure

Copyright (c) 2022 0xInfection

Source: https://github.com/redhuntlabs/