MTKPI – Multi Tool Kubernetes Pentest Image. This docker image contains all the most popular and necessary tools for Kubernetes penetration testing. Everything you need at your fingertips.
Image was generated by Kandinsky 2.2
Warning
This is a tool for testing purpose only, do not use it for malicious acts. Some tools inside MTKPI can adversely affect the entire cluster, which in turn can lead to data corruption. Test environments with multiple nodes can be deployed with KIND
When you're pentesting a Kubernetes cluster, you'll certainly use automated tools to perform the checks. But what if your cluster is network-limited and you can't download the tools you need inside the Pod? Or a read-only container file system? In this case, the only solution is to use a ready-to-use image, inside of which there are all the tools you need. This image includes all possible popular tools for pentesting a Kubernetes cluster, including those with automatic checks.
MTKPI covers most of the techniques described in Microsoft Threat Matrix for Kubernetes. This in turn provides a wide range of pentesting possibilities. If necessary, you can add the necessary tools to the image and increase the coverage of the matrix.
Often, when pentesting Kubernetes Cluster, you have a developer Service Account with limited permissions. In other words, you don't have sufficient permissions to run pods/exec
, which means you just can't get inside the container. However, it's more common for developers to have rights to create port-forward
. This is why I used ttyd as the base image ― it is a simple command-line tool for sharing terminals over the web.
For convenience, I also have made a list of all possible tools that can be useful when pentesting Kubernetes and packed it in an image:
- botb
- kubeletctl
- kubesploit agent
- CDK
- peirates
- traitor
- ctrsploit
- kdigger
- kubectl
- linuxprivchecker
- deepce
- helm
- kube-hunter
- kube-bench
- DDexec
- kubetcd
Sometimes, runtime security tools are found in Kubernetes clusters that work on a signature-based approach. Security tools like Falco and Tracee are quite easy to bypass, as their behavior is predefined by rules and signatures. There are quite a few ways to do this, one of the simplest being to rename executables. This is the method used in MTKPI.
For example:
kubectl
→k
python3
→pton3
curl
→kurl
wget
→vget
You can read more about the ways to bypass Falco here.
For fast deployment, run the following command:
kubectl apply -f https://raw.githubusercontent.com/r0binak/MTKPI/main/deploy/mtkpi.yaml
Pod:
apiVersion: v1
kind: Pod
metadata:
name: mtkpi-pod
labels:
app: mtkpi
spec:
containers:
- name: mtkpi-pod
image: r0binak/mtkpi:v1
ports:
- containerPort: 7681
securityContext:
readOnlyRootFilesystem: true
Service:
apiVersion: v1
kind: Service
metadata:
name: mtkpi-svc
labels:
app: mtkpi
spec:
type: ClusterIP
ports:
- port: 7681
protocol: TCP
selector:
app: mtkpi
To access the container, just run the command:
kubectl port-forward mtkpi-pod 7681:7681
Open in your browser:
localhost:7681
If you liked this, I'd appreciate some PR 🙂