Resources
Audit¶
Automated¶
| Tool | Description |
|---|---|
| kube-bench | |
| kube-hunter | |
| kubeaudit | |
| mkit | |
| starboard | |
Manual¶
Containers Running as Privileged User¶
- On docker (all containers):

```bash
# The command returns container username or user ID
# If it is blank the container is running as root
$ docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: User={{ .Config.User }}'
```

- On docker:

```bash
$ sudo docker ps
$ sudo docker exec -it <container id> whoami
```

- On kubernetes:

```bash
# GET CONTAINERS RUNNING IN POD
$ kubectl describe pod/test-pod
# ACCESS CONTAINER
$ kubectl exec -it test-pod --container denko -- /bin/bash
root@test-pod:/usr/src/app# id
uid=0(root) gid=0(root) groups=0(root)
```
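The manual checks above can be automated against the JSON that `docker inspect` and `kubectl get pod -o json` emit. The script below is an added example, not code from this page; it flags containers whose effective user is root (empty or uid 0 in Docker's `Config.User`; missing or uid-0 `runAsUser` without `runAsNonRoot` in a pod spec). All sample inputs are constructed.

```python
"""Flag containers that would run as root, from `docker inspect` JSON and
from Kubernetes pod specs. Added example; sample inputs are constructed."""
import json

ROOT_IDS = {"", "0", "root"}

def docker_user_is_root(user: str) -> bool:
    """Config.User from `docker inspect` is '', 'name', 'uid', 'uid:gid' or
    'name:group'. An empty value means the image default, which is root."""
    return user.split(":", 1)[0].strip() in ROOT_IDS

def audit_docker_inspect(inspect_json: str) -> list:
    """Return the Ids of containers whose configured user resolves to root."""
    return [c["Id"] for c in json.loads(inspect_json)
            if docker_user_is_root(c.get("Config", {}).get("User") or "")]

def k8s_runs_as_root(pod: dict, container: dict) -> bool:
    """A container securityContext overrides the pod-level one. With neither
    runAsUser nor runAsNonRoot set, the image default applies (assume root)."""
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    c_sc = container.get("securityContext") or {}
    run_as_user = c_sc.get("runAsUser", pod_sc.get("runAsUser"))
    non_root = c_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    if run_as_user is not None:
        return run_as_user == 0
    # runAsNonRoot=true makes the kubelet refuse a uid-0 image: treat as non-root
    return not non_root

def audit_pod(pod: dict) -> list:
    """Return the names of containers in the pod that would run as root."""
    return [c["name"] for c in pod["spec"].get("containers", [])
            if k8s_runs_as_root(pod, c)]

# Constructed sample data: three docker containers, one pod with three containers
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa", "Config": {"User": ""}},            # image default -> root
    {"Id": "bbb", "Config": {"User": "1000:1000"}},   # non-root uid
    {"Id": "ccc", "Config": {"User": "0:0"}},         # explicit root
])
SAMPLE_POD = {"spec": {"containers": [
    {"name": "app"},                                               # no context -> root
    {"name": "web", "securityContext": {"runAsUser": 1000}},       # non-root
    {"name": "guard", "securityContext": {"runAsNonRoot": True}},  # enforced non-root
]}}
```

Feed it `docker inspect $(docker ps -aq)` output or a pod's JSON to get the list of offenders to fix with a non-root `USER` in the image or `runAsNonRoot: true` in the pod spec.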
nmap-kube¶
- Nmap alias for scanning a cluster
- Usage:

```bash
nmap-kube () {
    nmap --open -T4 -A -v -Pn -p 443,2379,4194,6782-6784,6443,8443,8080,9099,10250,10255,10256 "${@}"
}

nmap-kube-discover () {
    local LOCAL_RANGE=$(ip a | awk '/eth0$/{print $2}' | sed 's,[0-9][0-9]*/.*,*,');
    local SERVER_RANGES=" ";
    SERVER_RANGES+="10.0.0.1 ";
    SERVER_RANGES+="10.0.1.* ";
    SERVER_RANGES+="10.*.0-1.* ";
    nmap-kube ${SERVER_RANGES} "${LOCAL_RANGE}"
}

nmap-kube-discover
```
Exploitation¶
| Tool | Description |
|---|---|
| amicontained | |
| go-pillage-registries | Takes a Docker registry and pillages the manifest and configuration for each image in its catalog |
| botb | |
Privesc¶
| Tool | Description |
|---|---|
| kubeletmein | |
| docker-rootplease | |
| docker-rootshell | Abuses membership in the docker group to drop a root shell in the current working directory |
| deepce | |

Manual¶