Dissect container images, runtimes, and orchestrators.
tool | scope | description |
---|---|---|
trivy | Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more. | |
syft | CLI tool and library for generating a Software Bill of Materials from container images and filesystems. | |
grype | A vulnerability scanner for container images and filesystems. | |
kube-bench | Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark. | |
checkov | Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew. | |
kubeaudit | kubeaudit helps you audit your Kubernetes clusters against common security controls. | |
cosign | Container Signing. | |
kdigger | Kubernetes focused container assessment and context discovery tool for penetration testing. | |
kubectl | Kubernetes provides a command line tool for communicating with a Kubernetes cluster's control plane, using the Kubernetes API. | |
docker | Command line interface for interacting with docker container images. | |
podman | A tool for managing OCI containers and pods. | |
dive | A tool for exploring a docker image, layer contents, and discovering ways to shrink the size of your Docker/OCI image. | |
crictl | CLI and validation tools for Kubelet Container Runtime Interface (CRI). | |
KubiScan | A tool to scan Kubernetes cluster for risky permissions. | |
Docker Bench Security | The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. | |
peirates | Peirates, a Kubernetes penetration tool, enables an attacker to escalate privilege and pivot through a Kubernetes cluster. It automates known techniques to steal and collect service account tokens, secrets, obtain further code execution, and gain control of the cluster. | |
TruffleHog | Find and verify credentials. | |
TruffleHog3 | This is an enhanced version of the Python-based truffleHog scanner. | |
Popeye | A Kubernetes cluster resource sanitizer. | |
k9s | Kubernetes CLI To Manage Your Clusters In Style. | |
Hadolint | Dockerfile linter, validate inline bash, written in Haskell. | |
Conftest | Write tests against structured configuration data using the Open Policy Agent Rego query language. | |
audit2rbac | Autogenerate RBAC policies based on Kubernetes audit logs. | |
kubeshark | The API traffic analyzer for Kubernetes providing real-time K8s protocol-level visibility, capturing and monitoring all traffic and payloads going in, out and across containers, pods, nodes and clusters. Inspired by Wireshark, purposely built for Kubernetes. | |
hardeneks | Runs checks to see if an EKS cluster follows EKS Best Practices. | |
amicontained | Container introspection tool. Find out what container runtime is being used as well as features available. | |
kubesec | Security risk analysis for Kubernetes resources. | |
kubectl-who-can | Show who has RBAC permissions to perform actions on different resources in Kubernetes. | |
etcdctl | etcdctl is a command line client for etcd. | |
gitleaks | Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code. | |
kubeletctl | Kubeletctl is a command line tool that implement kubelet's API. Part of kubelet's API is documented but most of it is not. This tool covers all the documented and undocumented APIs. | |
kube-hunter | Hunt for security weaknesses in Kubernetes clusters. | |
netassert | Network security testing for Kubernetes DevSecOps workflows. | |
truffleproc | hunt secrets in process memory (TruffleHog & gdb mashup) | |
checkpointctl | Tool to inspect Kubernetes and Podman checkpoints. | |
... | ... |
- build
docker buildx build -t ghcr.io/xopham/k8tlery:$K8TLERY_VERSION -t ghcr.io/xopham/k8tlery:latest .
- push
docker push ghcr.io/xopham/k8tlery --all-tags
- re-tag
find ./ -type f -exec sed -i "s%ghcr\.io\/xopham\/k8tlery\:v.*%ghcr\.io\/xopham\/k8tlery\:$K8TLERY_VERSION%g" {} \;
nix-shell k8tlery.nix
docker -it --rm ghcr.io/xopham/k8tlery:<tag>
kubectl apply -f deployment/
#or
kubectl apply -f deployment/01-roles.yaml
kubectl apply -f deployment/02-k8tlery.yaml
#or
kubectl apply -f deployment/01-roles.yaml
kubectl apply -f deployment/03-k8tlery-fullaccess.yaml
kubectl exec -it k8tlery -- bash
- download and save image
docker pull $IMAGE
docker save $IMAGE > image.tar
docker image ls
- inspect image content
docker inspect $IMAGE
docker history --no-trunc $IMAGE
- inspect image layers (dive)
dive $IMAGE
- extract file from image.tar (nix-shell custom functions)
layer_list $IMAGETAR $LAYERID $FILE #run 'layer_list' for help
layer_extract $IMAGETAR $LAYERID $FILE #run 'layer_list' for help
- create container w/o running it
docker create --name container $IMAGE #returns container ID CONTID
docker container ls -a #displays all available container IDs
- inspect container filesystems
mkdir $FOLDER
docker export $CONTID | tar -xC $FOLDER #make sure to unpac to dedicated folder
ls -la $FOLDER
- create checkpoint of running container w/o interruption, e.g.:
sudo podman container checkpoint -e $OUTPUTFILE $CONTID --leave-running
- investigate checkpoint (checkpointctl)
- get info
checkpointctl show $OUTPUTFILE
- get full details
checkpointctl inspect $OUTPUTFILE --all
- parse memory
checkpointctl memparse #OUTPUTFILE --all
- inspect container drift
tar -xf $OUTPUTFILE -C $TARGETFOLDER tar -xf $TARGETFOLDER/rootfs-diff.tar $DIFFFOLDER
- misconfiguration scan
- trivy
trivy k8s --report summary cluster
- container runtime
cat /proc/self/cgroup
- container runtime sockets (might be slow)
find /run -type f -name "*.sock" #adjust target folder
# also need to review '/run' folder manually
- hosts information
cat /etc/hosts
- mount information
mount
- file system
ls -la /
ls -la /home/
ls -la /root/
ls -la /tmp/
- environment variables
printenv
- k8s information
- kdigger
curl -fSL -o /tmp/kdigger https://github.com/quarkslab/kdigger/releases/download/v1.5.0/kdigger-linux-amd64 chmod +x /tmp/kdigger alias kdigger='/tmp/kdigger' kdigger dig all
- kube-hunter
pip3 install kube-hunter kube-hunter --pod
- secrets (trufflehog3)
pip3 install trufflehog3
trufflehog3 /var/run #choose relevant target folders
* custom rule
```
#k8s-goat.rule
- id: k8s-goat.flag
message: found k8s-goat flag
pattern: "k8s-goat-"
severity: HIGH
```
```bash
trufflehog3 -r k8s-goat.rule /tmp #adjust rule and target
```
- secrets from process memory (truffleproc): needs work
- vulnerable packages (trivy)
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
trivy rootfs /
- k8s APIs
- curl
APISERVER=https://${KUBERNETES_SERVICE_HOST} SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
- peirates
curl -fSL -o /tmp/peirates.tar.xz https://github.com/inguardians/peirates/releases/download/v1.1.13/peirates-linux-amd64.tar.xz tar -xvf /tmp/peirates.tar.xz -C /tmp chmod a+x /tmp/peirates-linux-amd64/peirates alias peirates='/tmp/peirates-linux-amd64/peirates' peirates
- resource exhaustion (DoS)
stress-ng --cpu 2 --cpu-load 1 --vm 2 --vm-bytes 100m -t 100s --verify -v #adjust to use case
- various angles (peirates)
curl -fSL -o /tmp/peirates.tar.xz https://github.com/inguardians/peirates/releases/download/v1.1.13/peirates-linux-amd64.tar.xz
tar -xvf /tmp/peirates.tar.xz -C /tmp
chmod a+x /tmp/peirates-linux-amd64/peirates
alias peirates='/tmp/peirates-linux-amd64/peirates'
peirates