Kubernetes: Kube-Hunter 10255

Cloud, devoops, Hacking, Kubernetes, pentesting
Below is some sample output, mainly here to show what an open 10255 will give you and what it looks like. What is probably of most interest is the /pods endpoint or the /metrics endpoint or the /stats endpoint.
$ ./kube-hunter.py
Choose one of the options below:
1. Remote scanning (scans one or more specific IPs ...
Kubernetes: unauth kubelet API 10250 token theft & kubectl

Cloud, devoops, Hacking, Kubernetes, pentesting
Kubernetes: unauthenticated kubelet API (10250) token theft & kubectl access & exec
kube-hunter output to get us started: do a curl -s https://k8-node:10250/runningpods/ to get a list of running pods. With that data, you can craft your POST request to exec within a pod so we can poke around. Example request: curl -k ...
Kubernetes: unauth kubelet API 10250 basic code exec

Cloud, devoops, Hacking, Kubernetes, pentesting
Unauth API access (10250)
Most Kubernetes deployments provide authentication for this port. But it’s still possible to expose it inadvertently and it's still pretty common to find it exposed via the "insecure API service" option. Everybody who has access to the service kubelet port (10250), even without a certificate, can execute any ...
Kubernetes: Kubelet API containerLogs endpoint

Cloud, devoops, Hacking, Kubernetes, pentesting
How to get the info that kube-hunter reports for open /containerLogs endpoint

Vulnerabilities
+---------------+-------------+-------------------+--------------------+----------+
| LOCATION      | CATEGORY    | VULNERABILITY     | DESCRIPTION        | EVIDENCE |
+---------------+-------------+-------------------+--------------------+----------+
| 1.2.3.4:10250 | Information | Exposed Container | Output logs from a |          |
|               | Disclosure  | Logs              | running container  |          |
|               |             |                   | are using the      |          |
| ...
Hacking and Hardening Kubernetes Clusters by Example [I] - Brad Geesaman, Symantec

Kubernetes: Master Post

Cloud, devoops, Hacking, Kubernetes, pentesting
I have a few Kubernetes posts queued up and will make this the master post to index and give references for the topic. If I'm missing blog posts or useful resources, ping me here or on Twitter.
Talks you should watch if you are interested in Kubernetes: Hacking and Hardening Kubernetes Clusters by ...

Kubernetes: kube-hunter.py etcd

Cloud, devoops, Hacking, Kubernetes, pentesting
I mentioned in the master post a few auditing tools that exist. Kube-Hunter is one that is pretty ok. You can use this to quickly scan for multiple Kubernetes issues.
Example run:
$ ./kube-hunter.py
Choose one of the options below:
1. Remote scanning (scans one or more specific IPs or DNS names)
2. Subnet ...
Kubernetes: open etcd

Cloud, devoops, Hacking, Kubernetes, pentesting
Quick post on Kubernetes and open etcd (port 2379)
"etcd is a distributed key-value store. In fact, etcd is the primary datastore of Kubernetes; storing and replicating all Kubernetes cluster state. As a critical component of a Kubernetes cluster having a reliable automated approach to its configuration and management is imperative." -from: ...
I found a GCP service account token...now what?

Cloud, devoops, gcp, Hacking, pentesting
Google Cloud Platform (GCP) is rapidly growing in popularity and I haven't seen too many posts on f**king it up so I'm going to do at least one :-)
Google has several ways to do authentication but most likely what you are going to come across shoved into code somewhere or ...
AWS EC2 instance userData

aws, Cloud, ec2, pentesting
In the effort to get me blogging again I'll be doing a few short posts to get the juices flowing (hopefully).
Today I learned about the userData instance attribute for AWS EC2. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
In general I thought metadata was only things you can hit from WITHIN the instance via the metadata url: ...
Dark Side Ops I & 2 Review

security bloggers network
Dark Side Ops I
https://silentbreaksecurity.com/training/dark-side-ops/
https://www.blackhat.com/us-17/training/dark-side-ops-custom-penetration-testing.html
A really good overview of the class is here: https://www.ethicalhacker.net/features/root/course-review-dark-side-ops-custom-penetration-testing
I enjoyed the class. This was actually my second time taking the class and it wasn't nearly as overwhelming the 2nd time :-) I’ll try not to cover what is in Raphael’s article as it is ...