k8tlery

Dissect container images, runtimes, and orchestrators.

Inventory

| tool | scope | description |
|---|---|---|
| trivy | | Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more. |
| syft | | CLI tool and library for generating a Software Bill of Materials from container images and filesystems. |
| grype | | A vulnerability scanner for container images and filesystems. |
| kube-bench | | Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark. |
| checkov | | Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew. |
| kubeaudit | | kubeaudit helps you audit your Kubernetes clusters against common security controls. |
| cosign | | Container Signing. |
| kdigger | | Kubernetes focused container assessment and context discovery tool for penetration testing. |
| kubectl | | Kubernetes provides a command line tool for communicating with a Kubernetes cluster's control plane, using the Kubernetes API. |
| docker | | Command line interface for interacting with docker container images. |
| podman | | A tool for managing OCI containers and pods. |
| dive | | A tool for exploring a docker image, layer contents, and discovering ways to shrink the size of your Docker/OCI image. |
| crictl | | CLI and validation tools for Kubelet Container Runtime Interface (CRI). |
| KubiScan | | A tool to scan Kubernetes cluster for risky permissions. |
| Docker Bench Security | | The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. |
| peirates | | Peirates, a Kubernetes penetration tool, enables an attacker to escalate privilege and pivot through a Kubernetes cluster. It automates known techniques to steal and collect service account tokens, secrets, obtain further code execution, and gain control of the cluster. |
| TruffleHog | | Find and verify credentials. |
| TruffleHog3 | | This is an enhanced version of the Python-based truffleHog scanner. |
| Popeye | | A Kubernetes cluster resource sanitizer. |
| k9s | | Kubernetes CLI To Manage Your Clusters In Style. |
| Hadolint | | Dockerfile linter, validate inline bash, written in Haskell. |
| Conftest | | Write tests against structured configuration data using the Open Policy Agent Rego query language. |
| audit2rbac | | Autogenerate RBAC policies based on Kubernetes audit logs. |
| kubeshark | | The API traffic analyzer for Kubernetes providing real-time K8s protocol-level visibility, capturing and monitoring all traffic and payloads going in, out and across containers, pods, nodes and clusters. Inspired by Wireshark, purposely built for Kubernetes. |
| hardeneks | | Runs checks to see if an EKS cluster follows EKS Best Practices. |
| amicontained | | Container introspection tool. Find out what container runtime is being used as well as features available. |
| kubesec | | Security risk analysis for Kubernetes resources. |
| kubectl-who-can | | Show who has RBAC permissions to perform actions on different resources in Kubernetes. |
| etcdctl | | etcdctl is a command line client for etcd. |
| gitleaks | | Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code. |
| kubeletctl | | Kubeletctl is a command line tool that implements the kubelet's API. Part of the kubelet's API is documented but most of it is not. This tool covers all the documented and undocumented APIs. |
| kube-hunter | | Hunt for security weaknesses in Kubernetes clusters. |
| netassert | | Network security testing for Kubernetes DevSecOps workflows. |
| truffleproc | | Hunt secrets in process memory (TruffleHog & gdb mashup). |
| checkpointctl | | Tool to inspect Kubernetes and Podman checkpoints. |
| ... | | ... |

Build & push

  • build
docker buildx build -t ghcr.io/xopham/k8tlery:$K8TLERY_VERSION -t ghcr.io/xopham/k8tlery:latest .
  • push
docker push ghcr.io/xopham/k8tlery --all-tags
  • re-tag
find ./ -type f -exec sed -i "s%ghcr\.io\/xopham\/k8tlery\:v.*%ghcr\.io\/xopham\/k8tlery\:$K8TLERY_VERSION%g" {} \;

Usage

nix-shell

nix-shell k8tlery.nix

Docker

docker run -it --rm ghcr.io/xopham/k8tlery:<tag>

Cluster

kubectl apply -f deployment/
# or
kubectl apply -f deployment/01-roles.yaml
kubectl apply -f deployment/02-k8tlery.yaml
# or
kubectl apply -f deployment/01-roles.yaml
kubectl apply -f deployment/03-k8tlery-fullaccess.yaml
kubectl exec -it k8tlery -- bash

Audit

Container image forensics

  • download and save image
docker pull $IMAGE
docker save $IMAGE > image.tar
docker image ls
  • inspect image content
docker inspect $IMAGE
docker history --no-trunc $IMAGE
  • inspect image layers (dive)
dive $IMAGE
  • extract file from image.tar (nix-shell custom functions)
layer_list $IMAGETAR $LAYERID $FILE  #run 'layer_list' for help
layer_extract $IMAGETAR $LAYERID $FILE  #run 'layer_list' for help
  • create container w/o running it
docker create --name container $IMAGE  #returns container ID CONTID
docker container ls -a  #displays all available container IDs
  • inspect container filesystems
mkdir $FOLDER
docker export $CONTID | tar -xC $FOLDER  #make sure to unpack into a dedicated folder
ls -la $FOLDER
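The layer-level steps above (save, find which layer carries a file, extract it) can be done with plain tar and grep, without a running daemon. The helpers below are an added example, not k8tlery's own nix-shell functions (`layer_list`/`layer_extract`); they assume the classic `docker save` layout (`<id>/layer.tar`) or the OCI layout (`blobs/sha256/<digest>`), and they also surface whiteout markers, which is how a secret "deleted" in a later layer stays recoverable from an earlier one.

```shell
#!/bin/sh
# Added example, not one of k8tlery's nix-shell helpers: inspect a
# `docker save` archive directly, with nothing but tar and grep.
# Assumes the classic layout (<id>/layer.tar) or the OCI layout
# (blobs/sha256/<digest>); compressed OCI layers rely on tar's
# auto-detection when reading from stdin (GNU tar and bsdtar do this).

# img_layers IMAGETAR: print the layer archives in archive order
img_layers() {
  tar -tf "$1" | grep -E '(/layer\.tar$|^blobs/sha256/[0-9a-f]{64}$)'
}

# img_layer_files IMAGETAR LAYER: list the entries of one layer (-O streams
# the inner tar to stdout, so nothing is unpacked to disk)
img_layer_files() {
  tar -xOf "$1" "$2" 2>/dev/null | tar -tf - 2>/dev/null
}

# img_find IMAGETAR FILE: every layer whose archive still carries FILE
# (path relative to the image root, e.g. etc/app.conf). A secret added in
# an early layer and "deleted" later is recoverable from the early layer.
img_find() {
  for layer in $(img_layers "$1"); do
    if img_layer_files "$1" "$layer" | grep -qxF -e "$2" -e "./$2"; then
      echo "$layer"
    fi
  done
}

# img_whiteouts IMAGETAR: whiteout markers (.wh.<name>) record files removed
# in that layer; the layers below it still contain the content.
img_whiteouts() {
  for layer in $(img_layers "$1"); do
    img_layer_files "$1" "$layer" | grep '\.wh\.' | sed "s%^%$layer: %"
  done
}

# img_extract IMAGETAR LAYER FILE OUTDIR: pull FILE out of LAYER into OUTDIR
img_extract() {
  mkdir -p "$4"
  tar -xOf "$1" "$2" | tar -xf - -C "$4" "$3"
}
```

Run `img_whiteouts image.tar` first; every marker it prints names a file worth pulling from the layers listed by `img_find`.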

Container forensics

  • create checkpoint of running container w/o interruption, e.g.:
sudo podman container checkpoint -e $OUTPUTFILE $CONTID --leave-running
  • investigate checkpoint (checkpointctl)
    • get info
    checkpointctl show $OUTPUTFILE
    • get full details
    checkpointctl inspect $OUTPUTFILE --all
    • parse memory
    checkpointctl memparse $OUTPUTFILE --all
    • inspect container drift (files changed since the image was started)
    tar -xf $OUTPUTFILE -C $TARGETFOLDER
    tar -xf $TARGETFOLDER/rootfs-diff.tar -C $DIFFFOLDER

Cluster information gathering

  • misconfiguration scan
    • trivy
    trivy k8s --report summary cluster

Pod/container information gathering

  • container runtime
cat /proc/self/cgroup
  • container runtime sockets (might be slow)
find /run -type f -name "*.sock"  #adjust target folder
# also need to review '/run' folder manually
  • hosts information
cat /etc/hosts
  • mount information
mount
  • file system
ls -la /
ls -la /home/
ls -la /root/
ls -la /tmp/
  • environment variables
printenv
  • k8s information
    • kdigger
    curl -fSL -o /tmp/kdigger https://github.com/quarkslab/kdigger/releases/download/v1.5.0/kdigger-linux-amd64
    chmod +x /tmp/kdigger
    alias kdigger='/tmp/kdigger'
    kdigger dig all
    • kube-hunter
    pip3 install kube-hunter
    kube-hunter --pod
  • secrets (trufflehog3)
pip3 install trufflehog3
trufflehog3 /var/run  #choose relevant target folders
  • custom rule
```yaml
#k8s-goat.rule
- id: k8s-goat.flag
  message: found k8s-goat flag
  pattern: "k8s-goat-"
  severity: HIGH
```
```bash
trufflehog3 -r k8s-goat.rule /tmp  #adjust rule and target
```
  • secrets from process memory (truffleproc): needs work
  • vulnerable packages (trivy)
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
trivy rootfs /
  • k8s APIs
    • curl
    APISERVER=https://${KUBERNETES_SERVICE_HOST}
    SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
    NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
    TOKEN=$(cat ${SERVICEACCOUNT}/token)
    CACERT=${SERVICEACCOUNT}/ca.crt
    curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
    • peirates
    curl -fSL -o /tmp/peirates.tar.xz https://github.com/inguardians/peirates/releases/download/v1.1.13/peirates-linux-amd64.tar.xz
    tar -xvf /tmp/peirates.tar.xz -C /tmp
    chmod a+x /tmp/peirates-linux-amd64/peirates
    alias peirates='/tmp/peirates-linux-amd64/peirates'
    peirates
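The "container runtime" check above is a raw `cat /proc/self/cgroup`; the function below, an added example that is not part of k8tlery or amicontained, reads that file into a verdict (runtime, orchestrator, container id) and handles the case where cgroup namespaces hide the path, using the projected service-account token from the "k8s APIs" step as a second signal. The cgroup path shapes it matches are assumptions based on the usual docker, containerd, CRI-O and podman layouts.

```shell
#!/bin/sh
# Added example, not part of k8tlery: turn `cat /proc/self/cgroup` into a
# quick "where am I running" verdict. Heuristics only, assumptions:
#  - cgroup v1 lines look like 12:pids:/docker/<id>, v2 lines like
#    0::/kubepods.slice/.../cri-containerd-<id>.scope
#  - with cgroup namespaces the file shows only 0::/ and says nothing, so the
#    mounted service-account token is used as a second signal for Kubernetes.

# detect_runtime [CGROUPFILE] [SERVICEACCOUNTDIR]
# prints: runtime=<docker|containerd|cri-o|podman|unknown>
#         orchestrator=<kubernetes|none> container_id=<64-hex|unknown>
detect_runtime() {
  file=${1:-/proc/self/cgroup}
  sa=${2:-/var/run/secrets/kubernetes.io/serviceaccount}
  rt=unknown; orch=none; cid=
  while IFS= read -r line; do
    path=${line##*:}                       # cgroup path after the last ':'
    case "$path" in *kubepods*) orch=kubernetes ;; esac
    case "$path" in
      *cri-containerd-*|*containerd*) rt=containerd ;;
      */docker/*|*docker-*.scope*)    rt=docker ;;
      */crio-*|*/crio/*)              rt=cri-o ;;
      *libpod-*)                      rt=podman ;;
    esac
    # a 64-hex segment is the container id under every runtime above
    id=$(printf '%s\n' "$path" | grep -oE '[0-9a-f]{64}' | head -n 1)
    [ -n "$id" ] && cid=$id
  done < "$file"
  # a projected token means the kubelet started us, even if cgroups are opaque
  [ -f "$sa/token" ] && orch=kubernetes
  printf 'runtime=%s orchestrator=%s container_id=%s\n' "$rt" "$orch" "${cid:-unknown}"
}
```

Under the kubepods hierarchy with the docker shim the path carries no runtime name, so `runtime=unknown orchestrator=kubernetes` is a normal result; the `/run/*.sock` search above then tells the runtimes apart.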

Pod exploitation

  • resource exhaustion (DoS)
stress-ng --cpu 2 --cpu-load 1 --vm 2 --vm-bytes 100m -t 100s --verify -v  #adjust to use case
  • various angles (peirates)
curl -fSL -o /tmp/peirates.tar.xz https://github.com/inguardians/peirates/releases/download/v1.1.13/peirates-linux-amd64.tar.xz
tar -xvf /tmp/peirates.tar.xz -C /tmp
chmod a+x /tmp/peirates-linux-amd64/peirates
alias peirates='/tmp/peirates-linux-amd64/peirates'
peirates

References