v0.7.1 — released 2026-05-23

SKELETONKEY

One binary. 31 Linux LPE modules from 2016 to 2026. 22 of 26 CVEs empirically verified against real Linux kernels in VMs. SOC-ready detection rules in four SIEM formats. MITRE ATT&CK + CWE + CISA KEV annotated. --explain gives a one-page operator briefing per CVE.


Authorized testing only. See ETHICS.md.

Grounded in authoritative sources
  • CISA KEV catalog
  • NVD CVE API
  • MITRE ATT&CK
  • kernel.org stable tree
  • Debian Security Tracker
  • NIST CWE

One command. Complete briefing.

skeletonkey --explain <module> renders the page every team needs: CVE / CWE / MITRE ATT&CK / CISA KEV status, host fingerprint, live detect() trace with verdict, OPSEC footprint, and the detection-rule coverage matrix. Triage tickets and SOC handoffs in one paste.

1. Triage metadata in the header

CWE class, MITRE ATT&CK technique, CISA KEV status with date_added. Fed from tools/refresh-cve-metadata.py which pulls fresh from federal data sources.

2. Live host fingerprint

Cached once at startup by core/host.c. Every module sees the same kernel / arch / distro / userns / apparmor / selinux / lockdown picture.

3. Real detect() trace

The verbose stderr of the module's own probe — each gate fires, each kernel_range entry checked, each verdict justified. No more black-box "VULNERABLE" outputs.

4. OPSEC footprint

Per-exploit description of what the SOC would see if this fired: file artifacts, dmesg signatures, syscall observables, network activity, cleanup behavior.

Built for every side of the desk

Auto-pick the safest exploit

--auto ranks vulnerable modules by stability (structural escapes > page-cache writes > userspace races > kernel races) and runs the safest one. Never crashes a production box looking for root.

$ skeletonkey --auto --i-know
[*] 3 vulnerable; safest is 'pwnkit' (rank 100)
[*] launching --exploit pwnkit...
# id
uid=0(root) gid=0(root)

119 detection rules

auditd · sigma · yara · falco. One command emits the corpus for your SIEM. Each rule grounded in the module's own syscalls.

  • auditd 30/31
  • sigma 31/31
  • yara 28/31
  • falco 30/31

CISA KEV prioritized

10 of 26 CVEs in the corpus are in CISA's Known Exploited Vulnerabilities catalog — actively exploited in the wild. Refreshed on demand via tools/refresh-cve-metadata.py.


OPSEC notes per exploit

Each module ships a runtime-footprint paragraph: files, dmesg, syscall observables, network, persistence. The inverse of the detection rules — what an attacker would leave behind on your host.


One host fingerprint, every module

core/host.c probes kernel / arch / distro / userns / apparmor / selinux / lockdown / sudo version / polkit version once at startup. Every detect() reads the same cached snapshot, so verdicts stay coherent across the corpus.

struct skeletonkey_host {
    struct kernel_version kernel;
    char arch[32], distro_id[64];
    bool unprivileged_userns_allowed;
    bool apparmor_restrict_userns;
    bool kpti_enabled, selinux_enforcing;
    char meltdown_mitigation[64];
    char sudo_version[64], polkit_version[64];
    ...
};
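The kernel-range gate behind a detect() verdict, as an added example that is not SKELETONKEY's own code: it parses the running release string, checks it against a half-open [introduced, fixed) table and traces each entry the way the --explain trace does. The helper names, the kernel_range layout and the range table are assumptions for illustration, not the project's.

```c
/* Added example, not SKELETONKEY's own code: the kernel-range gate a detect()
 * probe runs, tracing each entry to stderr as --explain shows it. Struct names,
 * fields and the ranges below are assumptions for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kernel_version { int major, minor, patch; };
/* Half-open range [introduced, fixed); fixed.major == 0 means not fixed yet. */
struct kernel_range { struct kernel_version introduced, fixed; };

/* Parse "5.15.0-91-generic", "5.15-rc1" or "6.1.10": major.minor required,
 * patch optional. False on garbage so callers report UNKNOWN, not a guess. */
bool parse_kernel_version(const char *s, struct kernel_version *v)
{
    int *field[3] = { &v->major, &v->minor, &v->patch };
    char *end;
    v->major = v->minor = v->patch = 0;
    for (int i = 0; i < 3; i++) {
        long n = strtol(s, &end, 10);
        if (end == s || n < 0) return i == 2;   /* only the patch may be absent */
        *field[i] = (int)n;
        if (*end != '.') return i >= 1;         /* "5" alone is not a version */
        s = end + 1;
    }
    return true;
}

int kver_cmp(struct kernel_version a, struct kernel_version b)
{
    return a.major != b.major ? a.major - b.major
         : a.minor != b.minor ? a.minor - b.minor : a.patch - b.patch;
}

/* Trace every gate and return the verdict; UNKNOWN is never folded into VULNERABLE. */
const char *kernel_range_verdict(const char *release, const struct kernel_range *tab, size_t n)
{
    struct kernel_version v;
    if (!parse_kernel_version(release, &v)) {
        fprintf(stderr, "[?] cannot parse '%s' -> UNKNOWN\n", release);
        return "UNKNOWN";
    }
    for (size_t i = 0; i < n; i++) {
        bool hit = kver_cmp(v, tab[i].introduced) >= 0 &&
                   (tab[i].fixed.major == 0 || kver_cmp(v, tab[i].fixed) < 0);
        fprintf(stderr, "[%c] %d.%d.%d vs kernel_range[%zu]\n", hit ? '+' : '-', v.major, v.minor, v.patch, i);
        if (hit) return "VULNERABLE";
    }
    return "NOT_VULNERABLE";
}

/* Constructed table, not the project's: each stable tree backports its own fix. */
const struct kernel_range example_ranges[] = {
    { {5, 8, 0}, {5, 10, 102} }, { {5, 11, 0}, {5, 15, 25} }, { {5, 16, 0}, {5, 16, 11} },
};
```

Distro kernels backport fixes without bumping the upstream version, so a range hit on a 5.15.0-91-generic host is a candidate, not a confirmation; that is why a distro-aware source such as the Debian Security Tracker belongs beside the upstream range.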

JSON for pipelines

--scan --json emits a stable schema (see JSON_SCHEMA.md) with triage metadata, opsec notes, and rule coverage embedded. Ready for Splunk / Elastic / Sentinel ingest.


No SaaS. No telemetry.

One static binary. No phone-home, no analytics, no cloud accounts. Reads /proc + /sys, runs the probe, exits. JSON or plain text — your pipeline owns the data.

22 modules empirically verified

tools/verify-vm/ spins up known-vulnerable kernels (stock distro + mainline from kernel.ubuntu.com), runs --explain --active per module, and records the verdict. 22 of 26 CVEs confirmed against real Linux across Ubuntu 18.04 / 20.04 / 22.04 + Debian 11 / 12 + mainline 5.15.5 / 6.1.10. Records baked into the binary; --list shows ✓ per module.

26 CVEs across 10 years. ★ = actively exploited (CISA KEV).

Lands root on a vulnerable host: structural escapes + page-cache writes; no per-kernel offsets needed

copy_fail copy_fail_gcm dirty_frag_esp dirty_frag_esp6 dirty_frag_rxrpc ★ dirty_pipe ★ dirty_cow ★ pwnkit ★ overlayfs ★ overlayfs_setuid cgroup_release_agent ★ ptrace_traceme sudoedit_editor entrybleed

Fires kernel primitive · opt-in --full-chain: honest EXPLOIT_FAIL default; --full-chain runs the shared modprobe_path finisher

★ nf_tables nft_set_uaf nft_fwd_dup nft_payload ★ netfilter_xtcompat af_packet af_packet2 af_unix_gc cls_route4 ★ fuse_legacy stackrot ★ sudo_samedit sequoia vmwgfx

Full inventory with kernel ranges, mitigations, and detection coverage: CVES.md · KEV cross-reference · CVE_METADATA.json

Same project. Both sides of the engagement.


Red team / pentesters

--auto picks the safest exploit and runs it. Honest scope reporting — never claims root it didn't actually get. Per-exploit OPSEC notes tell you what telemetry you'll leave. No more curating stale PoC repos.


Blue team / SOC

One command ships SIEM coverage for the entire corpus. --explain renders a triage briefing per CVE with CWE / ATT&CK / KEV / OPSEC — paste into the ticket. KEV-prioritized so you fix what attackers are already using.


Sysadmins / IT

--scan works without sudo. JSON output for CI gates. Fleet-scan helper bundled. Compatible with everything back to glibc 2.17 via the static-musl binary. No SaaS, no analytics, no cloud accounts.


Researchers / CTF

26 CVEs, 10-year span, each with the original PoC author credited and the kernel-range citation auditable. --explain shows the reasoning chain; detection rules let you practice both sides. Source is the documentation.


The verified-vs-claimed bar

Most public PoC repos hardcode offsets for one kernel build and silently break elsewhere. SKELETONKEY refuses to ship fabricated offsets. The shared --full-chain finisher returns EXPLOIT_OK only when a setuid bash sentinel file actually appears. Modules with a primitive but no portable cred-overwrite chain default to firing the primitive + grooming the slab + recording a witness, then return EXPLOIT_FAIL with diagnostic. Operators populate the offset table once per kernel via --dump-offsets and upstream the entry via PR.

Five commands.

# install (x86_64 / arm64; checksum-verified)
$ curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh
# default is the musl-static x86_64 binary — works back to glibc 2.17
# inventory — no sudo needed
$ skeletonkey --scan
# or machine-readable for a SIEM
$ skeletonkey --scan --json | jq '.findings[] | select(.verdict == "VULNERABLE")'
# one-page operator briefing for a single CVE
$ skeletonkey --explain nf_tables
# shows CVE/CWE/ATT&CK/KEV header, host fingerprint, live trace,
# verdict, OPSEC footprint, detection coverage. Paste into your ticket.
# pick the safest exploit and run it
$ skeletonkey --auto --i-know
# --dry-run for "what would it do?" without launching
$ skeletonkey --auto --dry-run
# deploy SIEM coverage (needs sudo to write to /etc/audit/rules.d/)
$ skeletonkey --detect-rules --format=auditd | sudo tee /etc/audit/rules.d/99-skeletonkey.rules
$ sudo augenrules --load

# or in YAML for falco / sigma / yara
$ skeletonkey --detect-rules --format=falco > /etc/falco/skeletonkey_rules.yaml

Recently shipped · in flight · next.

shipped
  • 22 of 26 CVEs empirically verified in real Linux VMs
  • kernel.ubuntu.com/mainline/ kernel fetch path — unblocks pin-not-in-apt targets
  • Per-module verified_on[] table baked into the binary
  • --explain mode — one-page operator briefing per CVE
  • OPSEC notes — per-module runtime footprint
  • CISA KEV + NVD CWE + MITRE ATT&CK metadata pipeline
  • 119 detection rules across all four SIEM formats
  • core/host.c shared host-fingerprint refactor
  • 88-test harness (kernel_range + detect integration)
in flight
  • 9 deferred TOO_TIGHT kernel-range drift findings
  • PackageKit provisioner so pack2theroot can hit the VULNERABLE path
  • Custom Vagrant box for kernels ≤ 4.4 (unblock dirty_cow verification)
next
  • arm64 musl-static binary (Raspberry-Pi-class deployments)
  • Mass-fleet scan aggregator → heat-map dashboard
  • SIEM query templates (Splunk SPL, Elastic KQL, Sentinel KQL)
  • CWE / ATT&CK filter for --scan --json
  • CI hardening: clang-tidy, scan-build, drift-check job

Full roadmap and contribution guide: ROADMAP.md · CONTRIBUTING.md