Resources

Audit

Automated

Tool Description
kube-bench
  • Checks whether Kubernetes is deployed according to security best practices
  • kube-bench-exporter can export reports to remote targets like S3
kube-hunter
  • Hunt for security weaknesses in Kubernetes clusters (even remote)
  • Usage:
    • From docker: docker run -it --rm --network host aquasec/kube-hunter
    • From kubectl: kubectl run --rm -it kube-hunter --image=aquasec/kube-hunter --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostNetwork\": true } }"
kubeaudit
  • Audit clusters against common security controls
  • Run from kubectl (as plugin): kubectl audit all
mkit
  • Managed Kubernetes Inspection Tool that validates several common security-related configuration settings of managed Kubernetes clusters
  • It runs entirely from a local Docker container and queries your cloud provider's APIs and the Kubernetes API to determine if certain misconfigurations are found
starboard
  • Integrates security tools into a Kubernetes environment, so that users can find and view the risks that relate to different resources in a Kubernetes-native way
  • kubectl-compatible command-line tool and an Octant plug-in

Manual

Containers Running as Privileged User

  • On docker (all containers):

    # Prints each container's ID and its configured user name or UID
    # A blank User means no user was set, so the container runs as root
    $ docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: User={{ .Config.User }}'
    

  • On docker:

    $ sudo docker ps
    $ sudo docker exec -it <container id> whoami
    

  • On kubernetes:

    # GET CONTAINERS RUNNING IN POD
    $ kubectl describe pod/test-pod
    
    # ACCESS CONTAINER
    $ kubectl exec -it test-pod --container denko -- /bin/bash
    root@test-pod:/usr/src/app# id
    uid=0(root) gid=0(root) groups=0(root)
    
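The same root-user check as a script rather than a one-liner, added here as an example (not part of the original notes): it parses `docker inspect` JSON and flags containers whose configured user resolves to root, treating the blank, `0`, `0:0`, `root` and `root:<group>` forms alike. The sample inspect output is constructed for the example.

```python
import json

# Constructed sample: trimmed `docker inspect` output for five containers
# (only the fields the check needs are included).
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web", "Config": {"User": ""}},
    {"Id": "bbb222", "Name": "/api", "Config": {"User": "0:0"}},
    {"Id": "ccc333", "Name": "/db", "Config": {"User": "postgres"}},
    {"Id": "ddd444", "Name": "/job", "Config": {"User": "1000:1000"}},
    {"Id": "eee555", "Name": "/cron", "Config": {"User": "root:root"}},
])


def runs_as_root(user: str) -> bool:
    """Interpret docker's Config.User (`user`, `uid`, `user:group` or `uid:gid`).

    Blank means neither the image nor `docker run --user` set a user, i.e. root.
    Only the user part decides; a non-root uid with gid 0 is still non-root here.
    """
    user_part = user.strip().split(":", 1)[0]
    if user_part == "":
        return True
    if user_part.isdigit():
        return int(user_part) == 0
    # A name other than "root" could still map to uid 0 in the image's /etc/passwd;
    # confirm with `id` inside the container when that matters.
    return user_part == "root"


def root_containers(inspect_json: str) -> list[str]:
    """Return the names of containers whose configured user resolves to root."""
    findings = []
    for container in json.loads(inspect_json):
        user = container.get("Config", {}).get("User", "")
        if runs_as_root(user):
            findings.append(container["Name"].lstrip("/"))
    return findings


if __name__ == "__main__":
    # Real use: docker ps --quiet --all | xargs docker inspect | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name in root_containers(data):
        print(f"{name}: runs as root")
```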

nmap-kube

  • Shell functions wrapping nmap to scan a cluster
  • Usage:
    # Scan the ports commonly used by Kubernetes components on the given targets
    nmap-kube () {
      nmap --open -T4 -A -v -Pn -p 443,2379,4194,6782-6784,6443,8443,8080,9099,10250,10255,10256 "${@}"
    }
    # Take the local range from eth0 (last octet wildcarded) plus a few fixed ranges
    nmap-kube-discover () {
      local LOCAL_RANGE=$(ip a | awk '/eth0$/{print $2}' | sed 's,[0-9][0-9]*/.*,*,');
      local SERVER_RANGES=" ";
      SERVER_RANGES+="10.0.0.1 ";
      SERVER_RANGES+="10.0.1.* ";
      SERVER_RANGES+="10.*.0-1.* ";
      nmap-kube ${SERVER_RANGES} "${LOCAL_RANGE}"
    }
    nmap-kube-discover
    

Exploitation

Tool Description
amicontained
  • Find out what container runtime is being used as well as features available
  • Usage:
    • $ docker run --rm -it r.j3ss.co/amicontained
    • $ docker run --rm -it --pid host r.j3ss.co/amicontained
    • $ docker run --rm -it --security-opt "apparmor=unconfined" r.j3ss.co/amicontained
go-pillage-registries
  • Takes a Docker registry and pillages the manifest and configuration for each image in its catalog
botb
  • Container analysis and exploitation tool
  • Allows you to:
    • Exploit common container vulnerabilities
    • Perform common container post exploitation actions
    • Provide capability when certain tools or binaries are not available in the Container
    • Use BOtB's capabilities with CI/CD technologies to test container deployments
    • Perform the above in either a manual or automated approach

Privesc

Tool Description
kubeletmein
docker-rootplease
  • Gives you root on the hostOS, if you're a member of the docker group
  • Usage: docker run -v /:/hostOS -i -t chrisfosterelli/rootplease
docker-rootshell
  • Abuses membership in the docker group to drop a root shell in the current working directory
deepce
  • Docker Enumeration, Escalation of Privileges and Container Escapes
Manual