# Resources

## Audit

### Automated
| Tool | Description |
|---|---|
| kube-bench | |
| kube-hunter | |
| kubeaudit | |
| mkit | |
| starboard | |
### Manual

#### Containers Running as Privileged User
- On docker (all containers):

  ```bash
  # The command returns container username or user ID
  # If it is blank the container is running as root
  $ docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: User={{ .Config.User }}'
  ```

- On docker:

  ```bash
  $ sudo docker ps
  $ sudo docker exec -it <container id> whoami
  ```

- On kubernetes:

  ```bash
  # GET CONTAINERS RUNNING IN POD
  $ kubectl describe pod/test-pod
  # ACCESS CONTAINER
  $ kubectl exec -it test-pod --container denko -- /bin/bash
  root@test-pod:/usr/src/app# id
  uid=0(root) gid=0(root) groups=0(root)
  ```
#### nmap-kube

- Nmap alias for scanning a cluster
- Usage:

  ```bash
  # Scan the given hosts/ranges for open ports used by Kubernetes components
  nmap-kube () {
      nmap --open -T4 -A -v -Pn -p 443,2379,4194,6782-6784,6443,8443,8080,9099,10250,10255,10256 "${@}"
  }

  # Derive the local subnet from eth0 and scan it together with common cluster ranges
  nmap-kube-discover () {
      local LOCAL_RANGE=$(ip a | awk '/eth0$/{print $2}' | sed 's,[0-9][0-9]*/.*,*,');
      local SERVER_RANGES=" ";
      SERVER_RANGES+="10.0.0.1 ";
      SERVER_RANGES+="10.0.1.* ";
      SERVER_RANGES+="10.*.0-1.* ";
      nmap-kube ${SERVER_RANGES} "${LOCAL_RANGE}"
  }

  nmap-kube-discover
  ```
## Exploitation

| Tool | Description |
|---|---|
| amicontained | |
| go-pillage-registries | Takes a Docker registry and pillages the manifest and configuration for each image in its catalog |
| botb | |
## Privesc

| Tool | Description |
|---|---|
| kubeletmein | |
| docker-rootplease | |
| docker-rootshell | Abuses membership in the docker group to drop a root shell in the current working directory |
| deepce | |

### Manual