As An External Attacker…

[lojikil]

Overview

An External Attacker is an attacker who is external to the cluster and is unauthenticated. In our case, that would be an attacker using our Wordpress. I think Jenkins abuse would fall under Malicious Internal User.

Setup

• Wordpress installl
• "Externally facing" (can be restricted to one of our IPs

I would like to fingerprint the system

• can I tell from an external side that we're using k8s?
• by default, can I access any resources within k8s (VHost abuse, some sort of confusion within kube-proxy, &c. and so on).

[btonic]

Scanning the external IP (wordpress which is NodePort accessible) from the configuration node.

ubuntu@ip-172-31-6-71:~$ nmap 3.213.227.81 -Pn -p30000-32767 -T5 -vvv -n

Starting Nmap 7.60 ( https://nmap.org ) at 2019-04-19 16:43 UTC
Initiating Connect Scan at 16:43
Scanning 3.213.227.81 [2768 ports]
Discovered open port 32090/tcp on 3.213.227.81
Completed Connect Scan at 16:43, 2.15s elapsed (2768 total ports)
Nmap scan report for 3.213.227.81
Host is up, received user-set (0.0033s latency).
Scanned at 2019-04-19 16:43:41 UTC for 2s
Not shown: 2767 closed ports
Reason: 2767 conn-refused
PORT      STATE SERVICE REASON
32090/tcp open  unknown syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.19 seconds