{"id":21417985,"url":"https://github.com/esonhugh/k8spider","last_synced_at":"2025-07-14T05:30:33.925Z","repository":{"id":228361143,"uuid":"773054132","full_name":"Esonhugh/k8spider","owner":"Esonhugh","description":"Powerful+Fast Kubernetes service discovery tools via kubernetes DNS service. Currently supported IP-based BruteForce / AXFR Domain Transfer Dump / Coredns WildCard Dump","archived":false,"fork":false,"pushed_at":"2024-03-22T05:28:21.000Z","size":76,"stargazers_count":35,"open_issues_count":2,"forks_count":7,"subscribers_count":1,"default_branch":"Skyworship","last_synced_at":"2024-03-23T05:27:27.116Z","etag":null,"topics":["cloud-security","dns","dnscan","kubernetes","red-team","service-discovery"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Esonhugh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2024-03-16T16:07:37.000Z","updated_at":"2024-04-15T10:47:09.733Z","dependencies_parsed_at":"2024-03-21T05:27:00.818Z","dependency_job_id":"6b68db3e-ca10-4fa0-b947-ea2cb65beaba","html_url":"https://github.com/Esonhugh/k8spider","commit_stats":null,"previous_names":["esonhugh/k8spider"],"tags_count":8,"template":false,"template_full_name":"Esonhugh/go-cli-template-v2","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Esonhugh%2Fk8spider","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Esonhugh%2Fk8spider/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Esonhugh%2Fk8spider/releases","manifests_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/Esonhugh%2Fk8spider/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Esonhugh","download_url":"https://codeload.github.com/Esonhugh/k8spider/tar.gz/refs/heads/Skyworship","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225950917,"owners_count":17550351,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud-security","dns","dnscan","kubernetes","red-team","service-discovery"],"created_at":"2024-11-22T19:18:26.356Z","updated_at":"2025-07-14T05:30:33.913Z","avatar_url":"https://github.com/Esonhugh.png","language":"Go","readme":"# K8Spider \n\n\u003cimg src=\"./K8spider.webp\" width=\"200px\"\u003e\n\n\u003e Work like a spider inside your Kubernetes and hunt other services.\n\nK8Spider is a simple tool for Kubernetes service discovery. \n\nIt was inspired by k8slanparty.com, whose dnscan subnet is useful in challenges.\n\nI extended its abilities for Kubernetes service discovery.\n\nIt can now scan all services installed in a Kubernetes cluster and all ports exposed by each service. \n\n## Build\n\n```bash\nmake \n```\n\n## Download \n\nCheck out the release page. 
\n\n## Usage\n\n```bash\n# in kubernetes pods\necho $KUBERNETES_SERVICE_HOST\n# if KUBERNETES_SERVICE_HOST is empty, you can use the following command to set it.\n# export KUBERNETES_SERVICE_HOST=x.x.x.x\n# or ./k8spider -c x.x.x.x/16 all\n./k8spider all\n```\n\nUse it inside Kubernetes:\n\n```yaml\napiVersion: v1\nkind: Pod\nmetadata:\n  creationTimestamp: null\n  labels:\n    run: spider\n  name: spider\nspec:\n  containers:\n  - image: k8spider/k8spider\n    name: spider\n    resources: {}\n  dnsPolicy: ClusterFirst\n  restartPolicy: Always\n# kubectl apply -f spider.yaml\n```\n\nor just use kubectl run:\n\n```bash\n## just run it! \nkubectl run spider --image k8spider/k8spider \n```\n\nand watch the results with:\n\n```bash\nkubectl logs spider\n```\n\n## Example\n\n### Normal Attack - all command - ALL IN ONE\n\n```bash\nroot@pod:/var/www/html/tools# env |grep KUBERNETES\nKUBERNETES_SERVICE_PORT_HTTPS=443\nKUBERNETES_SERVICE_PORT=443\nKUBERNETES_PORT_443_TCP=tcp://10.43.0.1:443\nKUBERNETES_PORT_443_TCP_PROTO=tcp\nKUBERNETES_PORT_443_TCP_ADDR=10.43.0.1\nKUBERNETES_SERVICE_HOST=10.43.0.1\nKUBERNETES_PORT=tcp://10.43.0.1:443\nKUBERNETES_PORT_443_TCP_PORT=443\n\nroot@pod:/var/www/html/tools# ./k8spider all # or  try ./k8spider all -c 10.43.0.1/16  \nINFO[0000] PTRrecord 10.43.43.87 --\u003e kube-state-metrics.lens-metrics.svc.cluster.local. \nINFO[0000] PTRrecord 10.43.43.93 --\u003e metrics-server.kube-system.svc.cluster.local. \nINFO[0000] SRVRecord: kube-state-metrics.lens-metrics.svc.cluster.local. --\u003e kube-state-metrics.lens-metrics.svc.cluster.local.:8080 \nINFO[0000] SRVRecord: metrics-server.kube-system.svc.cluster.local. 
--\u003e metrics-server.kube-system.svc.cluster.local.:443 \nINFO[0000] {\"Ip\":\"10.43.43.87\",\"SvcDomain\":\"kube-state-metrics.lens-metrics.svc.cluster.local.\",\"SrvRecords\":[{\"Cname\":\"kube-state-metrics.lens-metrics.svc.cluster.local.\",\"Srv\":[{\"Target\":\"kube-state-metrics.lens-metrics.svc.cluster.local.\",\"Port\":8080,\"Priority\":0,\"Weight\":100}]}]} \n```\n\nThis command first tries wildcard (any.any.svc.cluster.local) and AXFR dumping, and then brute-forces all services in the cluster.\n\n#### Advanced 1: threading mode\n\n```bash\n./k8spider all -t  \n# if you want more threads, you can use \n./k8spider all -t -n 16\n```\n\n#### Advanced 2: non-default zone (instead of cluster.local) and a specific DNS server\n\n```bash\n./k8spider all -z myzone.com -d 10.43.0.10:53\n```\n\n\u003e Remember: if the Kubernetes DNS is reachable remotely, you can use it to scan all services in the cluster COMPLETELY REMOTELY.\n\u003e \n\n### Normal Attack - wildcard and axfr command\n\n```bash\n./k8spider axfr \n./k8spider axfr -z myzone.com -d 10.10.0.10:53\n./k8spider wild\n```\n\n### Advanced Conditional Attack - neighbor command\n\n```bash\n./k8spider neighbor -p \u003cpod-cidr check your ifconfig eth0\u003e -n \u003ccurrent-ns\u003e\n```\n\nIf your Kubernetes DNS is set to verified pod mode, it gives your pod IP a DNS name under this namespace, and unallocated\nIPs never get one.\n\nHowever, this is not the default DNS setting. \n\nThe default is insecure pod mode, which answers any pod DNS query (including invalid or nonexistent pods) with the given IP.\n\n### Customized Attack - service \n\n```bash\n./k8spider srv -s kubernetes.default \n```\n\nThis command returns the registered service ports.\n\n### Customized Attack - subnet\n\n```bash\n./k8spider subnet \u003c-c cidr-srv\u003e \n```\n\nThis command only scans service PTR records in the given subnet.\n\n### helpers - whereisdns \n\nThis command helps you find where the Kubernetes DNS server is. 
It uses specific DNS queries to find it in the given CIDR.\n\n### helpers - metrics\n\nThis command helps you parse kube-state-metrics output and extract all useful information from the metrics.\n\nFor example, it turns \n\n```text\n# HELP kube_service_info [STABLE] Information about service.\n# TYPE kube_service_info gauge\nkube_service_info{namespace=\"default\",service=\"fastgpt-sandbox-service\",uid=\"61b0674c-33c3-4e6d-a7a1-51157491a35a\",cluster_ip=\"10.43.81.90\",external_name=\"\",load_balancer_ip=\"\"} 1\n```\n\ninto \n\n```text\n{\"namespace\":\"default\",\"type\":\"service\",\"name\":\"fastgpt-sandbox-service\",\"spec\":{\"cluster_ip\":[\"10.43.81.90\"]}}\n```\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fesonhugh%2Fk8spider","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fesonhugh%2Fk8spider","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fesonhugh%2Fk8spider/lists"}