Kubernetes Penetration Testing Guide

Hi everyone,
In this article, I will not dwell on what Kubernetes is and what it is not; I assume you already know that. Today I would like to share the steps I actively follow in Kubernetes pentest engagements.

Reconnaissance:

  • Determine the IP address and port of the Kubernetes API server (typically 6443).
  • Perform a scan of Kubernetes-related services and ports using tools like Nmap or kube-scan.
  • Gather information about namespaces, pods, services, and nodes using tools like kubectl, kubectx, and kubens.
nslookup kubernetes.default
nmap -p- <Kubernetes API IP>
kubectl get namespaces
kubectl get pods -n <namespace>

Authentication and Authorization Testing:

  • Review RBAC configurations, identifying weaknesses in permissions using tools like kubectl, kubectx, and kubens.
  • Attempt to gain access to the Kubernetes API server without authentication or anonymously, using tools like curl or kubectl.
  • Try to bypass authentication mechanisms, e.g., by altering kubeconfig files.
kubectl get roles,rolebindings,clusterroles,clusterrolebindings
curl https://<Kubernetes API IP>:6443
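As an added example (my own code, not part of the original article), a small audit script that parses the JSON form of the kubectl get clusterroles,clusterrolebindings -o json output and flags bindings to the built-in catch-all subjects (system:anonymous, system:unauthenticated, system:authenticated) as well as a default ServiceAccount holding a broad role. The input below is a constructed sample, and the definition of "broad role" is my own assumption.

```python
import json

# Constructed sample shaped like `kubectl get clusterroles,clusterrolebindings -o json`
# (a single List object). It is not output from any real cluster.
SAMPLE = json.loads(r'''
{"kind":"List","items":[
 {"kind":"ClusterRole","metadata":{"name":"cluster-admin"},
  "rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},
 {"kind":"ClusterRole","metadata":{"name":"pod-reader"},
  "rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get","list"]}]},
 {"kind":"ClusterRoleBinding","metadata":{"name":"open-admin"},
  "roleRef":{"kind":"ClusterRole","name":"cluster-admin"},
  "subjects":[{"kind":"Group","name":"system:authenticated"}]},
 {"kind":"ClusterRoleBinding","metadata":{"name":"anon-read"},
  "roleRef":{"kind":"ClusterRole","name":"pod-reader"},
  "subjects":[{"kind":"User","name":"system:anonymous"}]},
 {"kind":"ClusterRoleBinding","metadata":{"name":"sa-admin"},
  "roleRef":{"kind":"ClusterRole","name":"cluster-admin"},
  "subjects":[{"kind":"ServiceAccount","name":"default","namespace":"default"}]}
]}
''')

# Subjects that every (or every unauthenticated) caller is a member of.
CATCH_ALL_SUBJECTS = {"system:anonymous", "system:unauthenticated", "system:authenticated"}
# Verbs that allow changing state or escalating rights (assumed threshold for "broad").
SENSITIVE_VERBS = {"*", "create", "update", "patch", "delete", "escalate", "bind", "impersonate"}


def role_is_broad(role):
    """True if any rule grants a sensitive verb on all resources or on secrets."""
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if verbs & SENSITIVE_VERBS and ("*" in resources or "secrets" in resources):
            return True
    return False


def audit_bindings(doc):
    """Return (binding, subject, reason) tuples for bindings worth a closer look."""
    roles = {i["metadata"]["name"]: i for i in doc["items"] if i["kind"] == "ClusterRole"}
    findings = []
    for b in (i for i in doc["items"] if i["kind"] == "ClusterRoleBinding"):
        role = roles.get(b["roleRef"]["name"], {})
        for s in b.get("subjects", []):
            if s["name"] in CATCH_ALL_SUBJECTS:
                findings.append((b["metadata"]["name"], s["name"], "bound to a catch-all subject"))
            elif s["kind"] == "ServiceAccount" and s["name"] == "default" and role_is_broad(role):
                findings.append((b["metadata"]["name"], f"{s['namespace']}/default", "default SA holds broad role"))
    return findings
```

On a live cluster, pipe the kubectl output into json.load and pass it to audit_bindings; the anonymous binding is flagged even though pod-reader is read-only, because any caller can use it.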

API Server Security:

  • Investigate the security of the API server by examining for weak configurations using tools like kube-hunter, kubei, or kubeletctl.
  • Inspect API server certificates for vulnerabilities using SSL/TLS scanning tools such as sslyze or openssl.
kubectl cluster-info
kubectl get endpoints kubernetes -n default -o json

Container Security:

  • Review container images for security vulnerabilities using vulnerability scanning tools like Trivy, Clair, or Anchore.
  • Test for privilege escalation or container breakout vulnerabilities using tools like kubeletctl or kube-bench.
  • Examine misconfigured security contexts in pods using tools like kubectl and kube-hunter.
trivy image <image-name>
kubectl get pods -o custom-columns=POD:.metadata.name,NODE:.spec.nodeName,CONTAINERS:.spec.containers[*].name

Network Policies:

  • Review and test network policies to ensure proper segmentation of pods, using tools like kube-hunter or kube-scan.
  • Attempt to bypass network policies and communicate with restricted pods.
kubectl get networkpolicies --all-namespaces
tcpdump -i <interface> host <pod-ip>

Pod Security Policies:

  • Assess PodSecurityPolicies (PSPs) for overly permissive policies using kubectl.
  • Exploit misconfigurations to run privileged containers or escalate privileges.
kubectl get psp
kubectl run -i --tty --image=<image-name> <pod-name> --restart=Never -- bash

Secrets Management:

  • Search for exposed secrets in pods using kubectl or tools like kube-hunter.
  • Exploit vulnerabilities in applications or configurations to gain access to sensitive information.
kubectl get secrets
kubectl describe secret <secret-name>

Ingress and Service Security:

  • Check for insecure Ingress configurations that may expose internal services using tools like kube-scan.
  • Attempt to exploit insecure Services to gain unauthorized access.

ETCD Security:

  • Investigate the etcd cluster for security misconfigurations using etcdctl.
  • Verify etcd access control with etcd-rbac.
  • Check if etcd is publicly accessible or misconfigured.
etcdctl --endpoints=<etcd-server> version
etcdctl --endpoints=<etcd-server> get <key>
etcdctl --endpoints=<etcd-server> put <key> <value>
etcdctl --endpoints=<etcd-server> watch <key>

Node Security:

  • Scan nodes for vulnerabilities or misconfigurations using security scanning tools.
  • Check for open ports, exposed Docker APIs, and other potential security issues.

Logging and Monitoring Evasion:

  • Attempt to disrupt or evade logging and monitoring solutions, for example by manipulating logs, to avoid detection.
  • Check if security events are being correctly monitored and logged.

Pod-to-Pod Communication:

  • Intercept and analyze pod-to-pod communication using packet capture tools like Wireshark.
  • Attempt Man-in-the-Middle (MITM) attacks to exploit weak encryption or authentication mechanisms.
wireshark
tcpdump -i <interface> host <pod-IP>
kubectl get networkpolicies --all-namespaces

API Authentication:

  • Exploit vulnerabilities in authentication mechanisms like OIDC or JWT tokens.
  • Use token manipulation tools to test authentication mechanisms.
kubectl --token <JWT Token> get pods

Exploitation and Privilege Escalation:

  • Attempt to exploit discovered vulnerabilities to gain unauthorized access or escalate privileges within the cluster.
  • Use exploitation frameworks and techniques appropriate to the vulnerabilities found (for example Metasploit, Kubesploit, or kubectl itself).

I hope I was able to help, see you in the next article.
