Case study Jun 7, 2026

Cat-29 Argo Workflows: :2746 probe sweep, 2026-06-07

Sector
Commercial

NuClide Research · 2026-06-07 · Active probe of port 2746 across the 156-host Argo population identified via ssl:"Argo Workflows". All 156 timed out. The dork-population-substitution hypothesis is partially refuted but not fully tested; a complementary port:2746 discovery run is the next step.

Summary

Lane 1A of the 9-item 2026-06-07 plan. Goal: test whether port 2746 hosts an unauthenticated Shodan-dark tier among Argo Workflows operators whose :443 surface is gated by IAP/AzureAD. Method: parallel curl probes (5-second timeout) against https://<ip>:2746/api/v1/version for all 156 IPs surfaced via the ssl:"Argo Workflows" Shodan dork during the 2026-05-31 Cat-29 survey. Result: 156/156 connection timeouts. Zero HTTP responses on :2746.

Interpretation: among hosts with Argo TLS certs visible on :443, none also expose :2746 reachable from the public internet. This is consistent with two non-exclusive explanations:

  1. The Argo Server gRPC/HTTP port (:2746) is firewalled at the same layer (cloud LB, IAP, ingress) that gates :443. The operator who fronts the UI with auth also drops :2746 by default.
  2. Argo deployments do not expose :2746 publicly at all; the port is k8s-internal between Argo Server and the workflow controller.

Both readings are friendly to the auth-on-default thesis (Insight #40) and friendly to the operators in this population.

What this does NOT test

The original dork-population-substitution hypothesis (candidate insight, see reference-dork-population-substitution) is about whether the ssl: dork selects operators who are DNS-configured and security-conscious, and thereby blinds the researcher to a separate Shodan-dark tier of operators who run Argo without a TLS cert on :443 but DO expose :2746 directly.

This probe sampled only the population the dork already produced. To test the substitution hypothesis cleanly, the discovery side has to change:

  • Right test: Shodan port:2746 (or product:"Argo" without ssl:), or Censys services.port:2746 services.software.product:Argo, to find hosts that expose :2746 without the cert-visible :443.
  • Why this matters: the substitution risk is that the entire categorical claim “Argo runs auth-on” rests on the dork-defined population. If a Shodan-dark tier exists, the headline rate is biased.

That second-round discovery run is gated to 2026-06-08 morning when the Shodan/Censys credit budgets reset. It is logged here as the path forward.

Methodology

Step | Tool | Result
----- | ----- | -----
Source population | ssl:"Argo Workflows" (Cat-29 2026-05-31 survey) | 156 IPs
Tool requested | tiptoe / zgrab2 | absent on the host; fallback used
Tool used | parallel curl -k --max-time 5 (n=30 workers) | 156/156 timeouts
Target URL | https://<ip>:2746/api/v1/version | port preserved
Output | recon/cat29-argo-2746-2026-06-07/probe_2746_https.jsonl | 156 records

The earlier delegated probe by Lane 1A of this session inadvertently dropped the :2746 port from the URL (probe artifacts in probe_results.jsonl and probe_http.jsonl targeted :443 and :80 instead). The re-probe documented in this case study corrected that and explicitly preserved :2746. Future Lane 1A-class agents should be briefed with a port-in-URL invariant check.
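One way to implement the port-in-URL invariant check over a probe output file, as an added example that is not NuClide's own tooling. The `url` field name and the record layout are assumptions, since the page does not show the JSONL schema, and the sample records are constructed.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def effective_port(url):
    """Port a client would actually connect to, including the scheme default."""
    try:
        parts = urlsplit(url)
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    return port if port is not None else DEFAULT_PORTS.get(parts.scheme)

def check_port_invariant(jsonl_lines, expected_port=2746, expected_path="/api/v1/version",
                         expected_count=None, url_field="url"):
    """Return (line_no, reason) violations; an empty list means the run is valid."""
    violations, seen = [], 0
    for n, line in enumerate(jsonl_lines, 1):
        if not line.strip():
            continue
        seen += 1
        try:
            url = json.loads(line)[url_field]  # field name is an assumption
            if not isinstance(url, str):
                raise TypeError(url_field)
        except (ValueError, KeyError, TypeError):
            violations.append((n, "no parsable url field"))
            continue
        port = effective_port(url)
        if port != expected_port:
            violations.append((n, f"effective port {port}, expected {expected_port}"))
        elif urlsplit(url).path != expected_path:
            violations.append((n, f"path {urlsplit(url).path!r}, expected {expected_path!r}"))
    if expected_count is not None and seen != expected_count:
        violations.append((0, f"{seen} records, expected {expected_count}"))
    return violations

# Constructed sample records (RFC 5737 documentation addresses, not probe output).
SAMPLE = [
    '{"url": "https://192.0.2.10:2746/api/v1/version", "result": "timeout"}',
    '{"url": "https://192.0.2.11/api/v1/version", "result": "timeout"}',  # port dropped -> :443
    '{"url": "http://192.0.2.12/api/v1/version", "result": "timeout"}',   # port dropped -> :80
    '{"url": "https://192.0.2.13:2746/", "result": "timeout"}',           # path dropped
    "not json",
]

if __name__ == "__main__":
    for line_no, reason in check_port_invariant(SAMPLE, expected_count=len(SAMPLE)):
        print(f"line {line_no}: {reason}")
```

Running the check on the output file with the population size as `expected_count` before interpreting any timeouts catches a silently retargeted run, because a URL with no explicit port resolves to the scheme default rather than to :2746.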

Discipline

  • Active probe only on port 2746; no enumeration of workflows, secrets, or sensitive paths.
  • 5-second timeout. A second pass with a longer timeout would not change the result for filter-drop hosts; it would only change the result for genuinely slow-but-open hosts, which would still be a single-digit count given the universal-timeout pattern.
  • Names ARE the finding. No further reads attempted.

Status of the candidate insight

reference-dork-population-substitution (candidate, original n=33): the variant “operators who expose :443 with Argo certs also expose :2746” is refuted (0/156). The broader substitution hypothesis is still untested and queued for 06-08 Shodan/Censys credit reset.

Disposition

Lane 1A closed as PARTIAL. Re-dispatch on 06-08 with a Shodan port:2746 discovery run is queued as a follow-up.

DCWF KSAT coverage

  • 672 (AI T&E): T5919 (adversarial probe, op env), T5904 (risk assessment), K7044 (V&V tooling: curl as the fallback tool worth documenting).
  • 733 (AI Risk & Ethics): T5893 (Responsible AI: names-only, no workflow reads), K7051 (blind spots: population-substitution IS a blind spot).
  • Overlap: K22 (network), K1158 (auth surfaces), K7003 (AI security risks).