Cat-32: AI Gateways

Source: https://github.com/nuclide-research/AI-LLM-Infrastructure-OSINT/blob/main/shodan/queries/32-ai-gateways

NuClide Research · survey initiated 2026-06-01

Platforms: Portkey, Kong AI Gateway, Bifrost (maximhq), one-api, new-api, sub2api, TensorZero, Helicone, Envoy AI Gateway

Threat model: gateway tier aggregates all upstream provider API keys + logs all traffic. Unauth access = master-key compromise across the operator’s entire LLM portfolio.

Reference intel: data/platform-intel/ai-gateways-osint-2026-06-01.md
Favicon hashes: shodan/favicon-hashes.md (AI Gateways section)
CT catalog: shodan/ct-log-catalog.md (AI Gateways section)


Dork Catalog

| # | Dork | Platform | Signal type | Est. pop | Run date | Hit count | Status |
|---|------|----------|-------------|----------|----------|-----------|--------|
| 1 | "AI Gateway says hey" | Portkey | Body string (health endpoint) | Low | 2026-06-01 | 0 | ✓ zero — pure API proxy, not publicly indexed |
| 2 | "Welcome to kong" port:8001 | Kong Admin API | Title/body | High | 2026-06-01 | 0 | ✓ zero — body string mismatch; try product:kong port:8001 |
| 3 | http.html:"available_on_server" http.html:"ai-proxy" port:8001 | Kong AI plugin | Body (AI plugin enabled) | High | 2026-06-01 | 277 | ✓ 100 IPs harvested |
| 4 | http.title:"Bifrost AI Gateway" | Bifrost | Title | Medium | 2026-06-01 | 0 | ✓ zero — title differs in deployments; use dork 5+6 |
| 5 | http.html:"getbifrost.ai" port:8080 | Bifrost | Body (footer/link) | Medium | 2026-06-01 | 82 | ✓ 82 IPs harvested |
| 6 | http.favicon.hash:1651823509 | Bifrost | Favicon | Medium | 2026-06-01 | 237 | ✓ 97 IPs harvested |
| 7 | http.title:"One API" port:3000 | one-api | Title + port | High | 2026-06-01 | 2,449 | ✓ 100 IPs harvested (page 1/25) |
| 8 | http.title:"New API" port:3000 | new-api | Title + port | CRITICAL | 2026-06-01 | 13,456 | ✓ 114 IPs harvested (page 1/135) — LARGEST POP |
| 9 | http.favicon.hash:1318451613 | one-api | Favicon | High | 2026-06-01 | 274 | ✓ 95 IPs harvested |
| 10 | http.favicon.hash:-1643864359 | new-api | Favicon | High | 2026-06-01 | 251 | ✓ 99 IPs harvested |
| 11 | port:8585 http.html:"helicone" | Helicone (worker) | Port + body | Low | 2026-06-01 | 0 | ✓ zero — tool in maintenance mode |
| 12 | http.favicon.hash:-794809853 | Helicone (web UI) | Favicon | Low | 2026-06-01 | 2 | ✓ 2 IPs harvested |
| 13 | port:9901 http.html:"config_dump" | Envoy AI GW admin | Port + body | High | 2026-06-01 | 89 | ✓ 87 IPs harvested — HIGH PRIORITY |
| 14 | http.title:"TensorZero" | TensorZero | Title | Low | 2026-06-01 | 1 | ✓ 1 IP harvested |
| 15 | http.favicon.hash:-112038367 | Kong Manager | Favicon (UI) | High | 2026-06-01 | 268 | ✓ 97 IPs harvested |

Execution Notes

JAXEN run order: fire all 15 via Playwright/Shodan. Log the hit count in the Hit count column above. A zero hit count is still a result (log it in query-log.md).

FP mitigation:

  • Dorks 7+8 (title + port) reduce FP vs title-only (port 3000 narrows to expected deployment port)
  • Dorks 2+3 are complementary: dork 2 catches all Kong, dork 3 specifically confirms AI plugin is active
  • Dorks 6+4+5 are triple-redundant for Bifrost (favicon OR title OR footer link)

Deduplication: one-api and new-api are forks with distinct favicon hashes; if an IP hits both dork 9 and dork 10, investigate whether both are deployed or it’s a hash collision (unlikely — verified distinct in favicon-hashes.md).

Verification priority after harvest:

  1. Kong :8001 (CVE-2020-11710, CVSS 9.8 — highest severity)
  2. one-api / new-api (default creds; active exploitation documented)
  3. Envoy :9901 (config_dump = plaintext credential exposure)
  4. Bifrost (root path bypass)
  5. Portkey (SSRF only if version < v1.14.0)

Verification Primitives (post-harvest, passive-first)

# Kong Admin API -- read-only version check
curl -s http://<IP>:8001/ | jq '{version:.version,tagline:.tagline}'
# Confirmed unauth if: tagline = "Welcome to kong"
# STOP here -- do not POST, do not create resources

# one-api / new-api -- title fingerprint only (no login attempt)
curl -s http://<IP>:3000/ | grep -o '<title>[^<]*'
# Confirmed if: "One API" or "New API"
# Default cred check: log as "default cred state unverified" unless explicitly tasked

# Envoy admin -- config dump (read-only, but contains credentials)
curl -s http://<IP>:9901/config_dump | python3 -c "
import sys, json
cfg = json.load(sys.stdin)
# enumerate metadata only, do not exfiltrate: the top-level 'configs' list holds
# one entry per dump section, so count clusters inside the ClustersConfigDump entry
n = 0
for section in cfg.get('configs', []):
    if section.get('@type', '').endswith('ClustersConfigDump'):
        n += len(section.get('static_clusters', [])) + len(section.get('dynamic_active_clusters', []))
print('config_dump accessible: YES')
print('clusters:', n)
"
# Log: "config_dump accessible, N clusters enumerated" -- do not log credential values

# Bifrost -- root bypass check
curl -s -o /dev/null -w "%{http_code}" http://<IP>:8080/
# Confirmed bypass if: 200 (not 401/403)

# Portkey -- health check
curl -s http://<IP>:8787/ | grep -c "AI Gateway says hey"
# Confirmed if: 1

aimap Fingerprints Needed

New fingerprints to add before Stage 1 scan:

| Platform | Port | Fingerprint signal | Status |
|----------|------|--------------------|--------|
| Portkey | 8787 | Body: "AI Gateway says hey" | Needs aimap spec |
| Kong Admin API | 8001 | Body: "Welcome to kong" + JSON version field | Needs aimap spec |
| Bifrost | 8080 | Title: "Bifrost AI Gateway" OR favicon hash 1651823509 | Needs aimap spec |
| one-api | 3000 | Title: "One API" (distinguish from new-api via favicon) | Needs aimap spec |
| new-api | 3000 | Title: "New API" + favicon hash -1643864359 | Needs aimap spec |
| Envoy AI GW | 9901 | Path: /config_dump accessible + JSON response | Needs aimap spec |
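The fingerprint table above written out as matching logic, so an operator can run the same checks against captured responses from their own gateway inventory before Shodan does. This is an added example, not aimap's spec format or any code from this repository; the response samples are constructed, and the Kong version string in them is made up.

```python
import json
import re

def _title(body):
    m = re.search(r"<title>([^<]*)</title>", body, re.I)
    return m.group(1).strip() if m else ""

def _json(body):
    try:
        return json.loads(body)
    except ValueError:
        return None

def _kong_admin(body):
    # Kong Admin API root: JSON with the tagline plus a version field (table row 2)
    j = _json(body)
    return isinstance(j, dict) and j.get("tagline", "").lower() == "welcome to kong" and "version" in j

def _envoy_config_dump(body):
    # Envoy admin /config_dump: JSON whose top-level "configs" is a list of dump sections
    j = _json(body)
    return isinstance(j, dict) and isinstance(j.get("configs"), list)

# (platform, expected port, predicate over (status, headers, body), exposure note to log)
FINGERPRINTS = [
    ("Portkey", 8787, lambda s, h, b: "AI Gateway says hey" in b, "health endpoint reachable"),
    ("Kong Admin API", 8001, lambda s, h, b: _kong_admin(b), "admin API answers unauthenticated"),
    ("Envoy AI GW admin", 9901, lambda s, h, b: _envoy_config_dump(b), "/config_dump readable"),
    ("new-api", 3000, lambda s, h, b: _title(b) == "New API", "UI reachable; default-cred state unverified"),
    ("one-api", 3000, lambda s, h, b: _title(b) == "One API", "UI reachable; default-cred state unverified"),
    ("Bifrost", 8080, lambda s, h, b: s == 200 and _title(b) == "Bifrost AI Gateway", "root path answers 200 without auth"),
]

def classify(port, status, headers, body):
    """Return (platform, exposure_note) for one captured response, or None if nothing matches."""
    for platform, fp_port, match, note in FINGERPRINTS:
        if port == fp_port and match(status, headers, body):
            return platform, note
    return None

# Constructed responses (not captured from any real host); the Bifrost one answers 401,
# which the table treats as "not a bypass" and therefore must not match.
SAMPLES = [
    (8001, 200, {}, '{"tagline":"Welcome to kong","version":"3.4.0","hostname":"gw"}'),
    (9901, 200, {}, '{"configs":[{"@type":"type.googleapis.com/envoy.admin.v3.BootstrapConfigDump"}]}'),
    (3000, 200, {}, "<html><head><title>New API</title></head></html>"),
    (8080, 401, {}, "<title>Bifrost AI Gateway</title>"),
]

def audit(samples):
    """Classify every captured response; None entries are hosts with no recognised exposure."""
    return [(p, classify(p, s, h, b)) for p, s, h, b in samples]
```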

Query Log Reference

All executed dorks logged to: shodan/query-log.md (format: date, dork, hit count)

Dorks Added Post-Reference-Doc Review (2026-06-01)

| # | Dork | Platform | Signal type | Count | Run date | IPs | Status |
|---|------|----------|-------------|-------|----------|-----|--------|
| 16 | "Server: kong" | Kong (all) | Server header | 70,924 | 2026-06-01 | pending harvest | ✓ most durable Kong signal; entire install base |
| 17 | port:8001 http.html:"Welcome to Kong" | Kong Admin API | Body (capital K) | 600 | 2026-06-01 | pending harvest | ✓ FIXED from dork 2 (lowercase k bug) |
| 18 | http.title:"LiteLLM" | LiteLLM | Title | 65,976 | 2026-06-01 | pending harvest | ✓ MISSED PLATFORM — added from reference doc |
| 19 | port:4000 http.html:"litellm" | LiteLLM | Port + body | 2,290 | 2026-06-01 | pending harvest | ✓ subset of dork 18 |

LiteLLM scope note: LiteLLM is an LLM gateway/proxy (proxy for 100+ LLMs, admin UI, virtual keys). Auth is enforced on newer versions, but older deployments expose /v1/models, /health, and the admin UI unauthenticated. 65,976 is a large population — it needs an aimap fingerprint plus a verification pass.