HamadaKoji/778b228e0aab583af5619cf85c8c2b8a
Last active June 29, 2019 07:50
kube-hunter-result-for-hamako9999-mac
docker run -it --rm --network host aquasec/kube-hunter --active
Choose one of the options below:
1. Remote scanning (scans one or more specific IPs or DNS names)
2. Subnet scanning (scans subnets on all local network interfaces)
3. IP range scanning (scans a given IP range)
Your choice: 1
Remotes (separated by a ','): 192.168.65.3
~ Started
Report will be available at:
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| https://kube-hunter.aquasec.com/report.html?token=XXXX |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
~ Discovering Open Kubernetes Services...
|
| Kubelet API (readonly):
| type: open service
| service: Kubelet API (readonly)
|_ host: 192.168.65.3:10255
|
| Kubelet API:
| type: open service
| service: Kubelet API
|_ host: 192.168.65.3:10250
|
| Anonymous Authentication:
| type: vulnerability
| host: 192.168.65.3:10250
| description:
| The kubelet is misconfigured, potentially
| allowing secure access to all requests on the
|_ kubelet, without the need to authenticate
|
| API Server:
| type: open service
| service: API Server
|_ host: 192.168.65.3:6443
|
| K8s Version Disclosure:
| type: vulnerability
| host: 192.168.65.3:10255
| description:
| The kubernetes version could be obtained
|_ from logs in the /metrics endpoint
|
| Privileged Container:
| type: vulnerability
| host: 192.168.65.3:10255
| description:
| A Privileged container exist on a node.
| could expose the node/cluster to unwanted root
|_ operations
|
| Denial of Service to Kubernetes API Server:
| type: vulnerability
| host: 192.168.65.3:6443
| description:
| Node not patched for CVE-2019-1002100. Depending
| on your RBAC settings, a crafted json-patch
|_ could cause a Denial of Service.
|
| Unauthenticated access to API:
| type: vulnerability
| host: 192.168.65.3:6443
| description:
| The API Server port is accessible.
| Depending on your RBAC settings this could expose
|_ access to or control of your cluster.
|
| Exposed Pods:
| type: vulnerability
| host: 192.168.65.3:10255
| description:
| An attacker could view sensitive information
| about pods that are bound to a Node using
|_ the /pods endpoint
|
| Cluster Health Disclosure:
| type: vulnerability
| host: 192.168.65.3:10255
| description:
| By accessing the open /healthz handler, an
| attacker could get the cluster health state without
|_ authenticating
|
| Exposed Pods:
| type: vulnerability
| host: 192.168.65.3:10250
| description:
| An attacker could view sensitive information
| about pods that are bound to a Node using
|_ the /pods endpoint
|
| Cluster Health Disclosure:
| type: vulnerability
| host: 192.168.65.3:10250
| description:
| By accessing the open /healthz handler, an
| attacker could get the cluster health state without
|_ authenticating
|
| Exposed Running Pods:
| type: vulnerability
| host: 192.168.65.3:10250
| description:
| Outputs a list of currently running pods,
| and some of their metadata, which can reveal
|_ sensitive information
|
| Exposed Container Logs:
| type: vulnerability
| host: 192.168.65.3:10250
| description:
| Output logs from a running container are
|_ using the exposed /containerLogs endpoint
|
| Exposed Exec On Container:
| type: vulnerability
| host: 192.168.65.3:10250
| description:
| An attacker could run arbitrary commands on
|_ a container
|
| Exposed Run Inside Container:
| type: vulnerability
| host: 192.168.65.3:10250
| description:
| An attacker could run an arbitrary command
|_ inside a container
|
| Exposed Attaching To Container:
| type: vulnerability
| host: 192.168.65.3:10250
| description:
| Opens a websocket that could enable an
|_ attacker to attach to a running container
----------
Nodes
+-------------+--------------+
| TYPE        | LOCATION     |
+-------------+--------------+
| Node/Master | 192.168.65.3 |
+-------------+--------------+
Detected Services
+----------------------+--------------------+----------------------+
| SERVICE              | LOCATION           | DESCRIPTION          |
+----------------------+--------------------+----------------------+
| Kubelet API          | 192.168.65.3:10255 | The read-only port   |
| (readonly)           |                    | on the kubelet       |
|                      |                    | serves health        |
|                      |                    | probing endpoints,   |
|                      |                    | and is relied upon   |
|                      |                    | by many kubernetes   |
|                      |                    | componenets          |
+----------------------+--------------------+----------------------+
| Kubelet API          | 192.168.65.3:10250 | The Kubelet is the   |
|                      |                    | main component in    |
|                      |                    | every Node, all pod  |
|                      |                    | operations goes      |
|                      |                    | through the kubelet  |
+----------------------+--------------------+----------------------+
| API Server           | 192.168.65.3:6443  | The API server is in |
|                      |                    | charge of all        |
|                      |                    | operations on the    |
|                      |                    | cluster.             |
+----------------------+--------------------+----------------------+
Vulnerabilities
+--------------------+----------------------+----------------------+----------------------+----------------------+
| LOCATION           | CATEGORY             | VULNERABILITY        | DESCRIPTION          | EVIDENCE             |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:6443  | Unauthenticated      | Unauthenticated      | The API Server port  | {"kind":"APIVersions |
|                    | Access               | access to API        | is accessible.       | ","versions":["v1"], |
|                    |                      |                      | Depending on your    | ...                  |
|                    |                      |                      | RBAC settings this   |                      |
|                    |                      |                      | could expose access  |                      |
|                    |                      |                      | to or control of     |                      |
|                    |                      |                      | your cluster.        |                      |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10250 | Remote Code          | Exposed Run Inside   | An attacker could    | uname -a: Linux linu |
|                    | Execution            | Container            | run an arbitrary     | xkit-025000000001    |
|                    |                      |                      | command inside a     | 4....                |
|                    |                      |                      | container            |                      |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10250 | Remote Code          | Exposed Exec On      | An attacker could    |                      |
|                    | Execution            | Container            | run arbitrary        |                      |
|                    |                      |                      | commands on a        |                      |
|                    |                      |                      | container            |                      |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10250 | Remote Code          | Exposed Attaching To | Opens a websocket    |                      |
|                    | Execution            | Container            | that could enable an |                      |
|                    |                      |                      | attacker to attach   |                      |
|                    |                      |                      | to a running         |                      |
|                    |                      |                      | container            |                      |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10250 | Remote Code          | Anonymous            | The kubelet is       |                      |
|                    | Execution            | Authentication       | misconfigured,       |                      |
|                    |                      |                      | potentially allowing |                      |
|                    |                      |                      | secure access to all |                      |
|                    |                      |                      | requests on the      |                      |
|                    |                      |                      | kubelet, without the |                      |
|                    |                      |                      | need to authenticate |                      |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10255 | Information          | K8s Version          | The kubernetes       | v1.10.11             |
|                    | Disclosure           | Disclosure           | version could be     |                      |
|                    |                      |                      | obtained from logs   |                      |
|                    |                      |                      | in the /metrics      |                      |
|                    |                      |                      | endpoint             |                      |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10255 | Information          | Exposed Pods         | An attacker could    | count: 11            |
|                    | Disclosure           |                      | view sensitive       |                      |
|                    |                      |                      | information about    |                      |
|                    |                      |                      | pods that are bound  |                      |
|                    |                      |                      | to a Node using the  |                      |
|                    |                      |                      | /pods endpoint       |                      |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10255 | Information          | Cluster Health       | By accessing the     | status: ok           |
|                    | Disclosure           | Disclosure           | open /healthz        |                      |
|                    |                      |                      | handler, an attacker |                      |
|                    |                      |                      | could get the        |                      |
|                    |                      |                      | cluster health state |                      |
|                    |                      |                      | without              |                      |
|                    |                      |                      | authenticating       |                      |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10250 | Information          | Exposed Running Pods | Outputs a list of    | 11 running pods      |
|                    | Disclosure           |                      | currently running    |                      |
|                    |                      |                      | pods, and some of    |                      |
|                    |                      |                      | their metadata,      |                      |
|                    |                      |                      | which can reveal     |                      |
|                    |                      |                      | sensitive            |                      |
|                    |                      |                      | information          |                      |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10250 | Information          | Exposed Pods         | An attacker could    | count: 11            |
|                    | Disclosure           |                      | view sensitive       |                      |
|                    |                      |                      | information about    |                      |
|                    |                      |                      | pods that are bound  |                      |
|                    |                      |                      | to a Node using the  |                      |
|                    |                      |                      | /pods endpoint       |                      |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10250 | Information          | Exposed Container    | Output logs from a   | etcd: 2019-06-29     |
|                    | Disclosure           | Logs                 | running container    | 06:45:54.884191 I    |
|                    |                      |                      | are using the        | etc...               |
|                    |                      |                      | exposed              |                      |
|                    |                      |                      | /containerLogs       |                      |
|                    |                      |                      | endpoint             |                      |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10250 | Information          | Cluster Health       | By accessing the     | status: ok           |
|                    | Disclosure           | Disclosure           | open /healthz        |                      |
|                    |                      |                      | handler, an attacker |                      |
|                    |                      |                      | could get the        |                      |
|                    |                      |                      | cluster health state |                      |
|                    |                      |                      | without              |                      |
|                    |                      |                      | authenticating       |                      |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:6443  | Denial of Service    | Denial of Service to | Node not patched for | {                    |
|                    |                      | Kubernetes API       | CVE-2019-1002100.    | "major": "1",        |
|                    |                      | Server               | Depending on your    | "minor": "10",       |
|                    |                      |                      | RBAC settings, a     | "gi...               |
|                    |                      |                      | crafted json-patch   |                      |
|                    |                      |                      | could cause a Denial |                      |
|                    |                      |                      | of Service.          |                      |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10255 | Access Risk          | Privileged Container | A Privileged         | pod: kube-proxy-     |
|                    |                      |                      | container exist on a | d5s8n, container:    |
|                    |                      |                      | node. could expose   | kube-p...            |
|                    |                      |                      | the node/cluster to  |                      |
|                    |                      |                      | unwanted root        |                      |
|                    |                      |                      | operations           |                      |
+--------------------+----------------------+----------------------+----------------------+----------------------+