Seeking community input for the next `host-scanner` release about host-scanner HOT 6 OPEN

@alegrey91 I would love to be a part of this!

Just for some better context, what all is already scheduled to be a part of the upcoming release?

from host-scanner.

@XDRAGON2002 sure!
I'll be out for two weeks, so if in the meantime you have some idea, feel free to share in here.
If there's some juicy information you would like to retrieve from the nodes through host-scanner that can be useful to implement some rule in regolibrary, please share! ✌️

from host-scanner.

Hi @XDRAGON2002, thanks for your interest!

For now, we are collecting some ideas, but nothing really defined. We will probably change the code architecture in order to make it more testable and have more stability.
Additionally, we will probably move from a web-application-oriented approach where we provide endpoints to retrieve information to a CLI that scans the node and send the result to the storage component.
Then, we would also add some functionality that can enhance the host-scanner (eg. I would like to add some information retrieval about the files present on the node, so we can check if the node has some GTFOBins, or something like that). These functionalities act to extend our list of rules in regolibrary.

from host-scanner.

@alegrey91 The changes mentioned are quite interesting to work on.

Just some things that came into my mind reading through your comment.

It's great to move to more of a cli architecture, though in terms of sending the data to the storage object, what protocols are we looking to? Http 1.1 or 2?

Since a CLI would greatly benefit from gRPC over your traditional data transfer.

In terms of adding extra functionalities, building on your example of GTFOBins for PrivEsc, do we expect the tool to crawl through the files to figure out vulns and cves or maybe just check which operations have the sudo bit on the host for the provided user?

Also how interested are we in taking inspiration from other tools operating in a similar space such as metasploit msf and/or cve-bin-tool?

These questions might not make any sense so I'll apologize in advance :)
Thanks!

from host-scanner.

Your questions make sense!

Also how interested are we in taking inspiration from other tools operating in a similar space such as metasploit msf and/or cve-bin-tool?

We might take some inspiration, thinking to our context, so kubernetes security. Keep also in mind that we have other components that can do something similar (kube-vuln, relevancy, etc.). So we should take in mind this to not overlap duties of these components.

In terms of adding extra functionalities, building on your example of GTFOBins for PrivEsc, do we expect the tool to crawl through the files to figure out vulns and cves or maybe just check which operations have the sudo bit on the host for the provided user?

I would say mostly the second option, we don't want to build a new privesc tool, but something useful to have a better feedback about the status of our node cluster.

It's great to move to more of a cli architecture, though in terms of sending the data to the storage object, what protocols are we looking to? Http 1.1 or 2?

I don't know the answer right now, but the storage component is a Kubernetes operator, so we can communicate with it through a CRD I think.

from host-scanner.

Ah, great!

That makes a lot of sense.

Feel free to let me know if I'd be of help in anyway ;)

from host-scanner.