Skip to content

Instantly share code, notes, and snippets.

@HamadaKoji
Last active June 29, 2019 07:50
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save HamadaKoji/778b228e0aab583af5619cf85c8c2b8a to your computer and use it in GitHub Desktop.
Save HamadaKoji/778b228e0aab583af5619cf85c8c2b8a to your computer and use it in GitHub Desktop.
kube-hunter-result-for-hamako9999-mac
docker run -it --rm --network host aquasec/kube-hunter --active
Choose one of the options below:
1. Remote scanning (scans one or more specific IPs or DNS names)
2. Subnet scanning (scans subnets on all local network interfaces)
3. IP range scanning (scans a given IP range)
Your choice: 1
Remotes (separated by a ','): 192.168.65.3
~ Started
Report will be available at:
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| https://kube-hunter.aquasec.com/report.html?token=XXXX |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
~ Discovering Open Kubernetes Services...
|
| Kubelet API (readonly):
| type: open service
| service: Kubelet API (readonly)
|_ host: 192.168.65.3:10255
|
| Kubelet API:
| type: open service
| service: Kubelet API
|_ host: 192.168.65.3:10250
|
| Anonymous Authentication:
| type: vulnerability
| host: 192.168.65.3:10250
| description:
| The kubelet is misconfigured, potentially
| allowing secure access to all requests on the
|_ kubelet, without the need to authenticate
|
| API Server:
| type: open service
| service: API Server
|_ host: 192.168.65.3:6443
|
| K8s Version Disclosure:
| type: vulnerability
| host: 192.168.65.3:10255
| description:
| The kubernetes version could be obtained
|_ from logs in the /metrics endpoint
|
| Privileged Container:
| type: vulnerability
| host: 192.168.65.3:10255
| description:
| A Privileged container exist on a node.
| could expose the node/cluster to unwanted root
|_ operations
|
| Denial of Service to Kubernetes API Server:
| type: vulnerability
| host: 192.168.65.3:6443
| description:
| Node not patched for CVE-2019-1002100. Depending
| on your RBAC settings, a crafted json-patch
|_ could cause a Denial of Service.
|
| Unauthenticated access to API:
| type: vulnerability
| host: 192.168.65.3:6443
| description:
| The API Server port is accessible.
| Depending on your RBAC settings this could expose
|_ access to or control of your cluster.
|
| Exposed Pods:
| type: vulnerability
| host: 192.168.65.3:10255
| description:
| An attacker could view sensitive information
| about pods that are bound to a Node using
|_ the /pods endpoint
|
| Cluster Health Disclosure:
| type: vulnerability
| host: 192.168.65.3:10255
| description:
| By accessing the open /healthz handler, an
| attacker could get the cluster health state without
|_ authenticating
|
| Exposed Pods:
| type: vulnerability
| host: 192.168.65.3:10250
| description:
| An attacker could view sensitive information
| about pods that are bound to a Node using
|_ the /pods endpoint
|
| Cluster Health Disclosure:
| type: vulnerability
| host: 192.168.65.3:10250
| description:
| By accessing the open /healthz handler, an
| attacker could get the cluster health state without
|_ authenticating
|
| Exposed Running Pods:
| type: vulnerability
| host: 192.168.65.3:10250
| description:
| Outputs a list of currently running pods,
| and some of their metadata, which can reveal
|_ sensitive information
|
| Exposed Container Logs:
| type: vulnerability
| host: 192.168.65.3:10250
| description:
| Output logs from a running container are
|_ using the exposed /containerLogs endpoint
|
| Exposed Exec On Container:
| type: vulnerability
| host: 192.168.65.3:10250
| description:
| An attacker could run arbitrary commands on
|_ a container
|
| Exposed Run Inside Container:
| type: vulnerability
| host: 192.168.65.3:10250
| description:
| An attacker could run an arbitrary command
|_ inside a container
|
| Exposed Attaching To Container:
| type: vulnerability
| host: 192.168.65.3:10250
| description:
| Opens a websocket that could enable an
|_ attacker to attach to a running container
----------
Nodes
+-------------+--------------+
| TYPE | LOCATION |
+-------------+--------------+
| Node/Master | 192.168.65.3 |
+-------------+--------------+
Detected Services
+----------------------+--------------------+----------------------+
| SERVICE | LOCATION | DESCRIPTION |
+----------------------+--------------------+----------------------+
| Kubelet API | 192.168.65.3:10255 | The read-only port |
| (readonly) | | on the kubelet |
| | | serves health |
| | | probing endpoints, |
| | | and is relied upon |
| | | by many kubernetes |
| | | componenets |
+----------------------+--------------------+----------------------+
| Kubelet API | 192.168.65.3:10250 | The Kubelet is the |
| | | main component in |
| | | every Node, all pod |
| | | operations goes |
| | | through the kubelet |
+----------------------+--------------------+----------------------+
| API Server | 192.168.65.3:6443 | The API server is in |
| | | charge of all |
| | | operations on the |
| | | cluster. |
+----------------------+--------------------+----------------------+
Vulnerabilities
+--------------------+----------------------+----------------------+----------------------+----------------------+
| LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:6443 | Unauthenticated | Unauthenticated | The API Server port | {"kind":"APIVersions |
| | Access | access to API | is accessible. | ","versions":["v1"], |
| | | | Depending on your | ... |
| | | | RBAC settings this | |
| | | | could expose access | |
| | | | to or control of | |
| | | | your cluster. | |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10250 | Remote Code | Exposed Run Inside | An attacker could | uname -a: Linux linu |
| | Execution | Container | run an arbitrary | xkit-025000000001 |
| | | | command inside a | 4.... |
| | | | container | |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10250 | Remote Code | Exposed Exec On | An attacker could | |
| | Execution | Container | run arbitrary | |
| | | | commands on a | |
| | | | container | |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10250 | Remote Code | Exposed Attaching To | Opens a websocket | |
| | Execution | Container | that could enable an | |
| | | | attacker to attach | |
| | | | to a running | |
| | | | container | |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10250 | Remote Code | Anonymous | The kubelet is | |
| | Execution | Authentication | misconfigured, | |
| | | | potentially allowing | |
| | | | secure access to all | |
| | | | requests on the | |
| | | | kubelet, without the | |
| | | | need to authenticate | |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10255 | Information | K8s Version | The kubernetes | v1.10.11 |
| | Disclosure | Disclosure | version could be | |
| | | | obtained from logs | |
| | | | in the /metrics | |
| | | | endpoint | |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10255 | Information | Exposed Pods | An attacker could | count: 11 |
| | Disclosure | | view sensitive | |
| | | | information about | |
| | | | pods that are bound | |
| | | | to a Node using the | |
| | | | /pods endpoint | |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10255 | Information | Cluster Health | By accessing the | status: ok |
| | Disclosure | Disclosure | open /healthz | |
| | | | handler, an attacker | |
| | | | could get the | |
| | | | cluster health state | |
| | | | without | |
| | | | authenticating | |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10250 | Information | Exposed Running Pods | Outputs a list of | 11 running pods |
| | Disclosure | | currently running | |
| | | | pods, and some of | |
| | | | their metadata, | |
| | | | which can reveal | |
| | | | sensitive | |
| | | | information | |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10250 | Information | Exposed Pods | An attacker could | count: 11 |
| | Disclosure | | view sensitive | |
| | | | information about | |
| | | | pods that are bound | |
| | | | to a Node using the | |
| | | | /pods endpoint | |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10250 | Information | Exposed Container | Output logs from a | etcd: 2019-06-29 |
| | Disclosure | Logs | running container | 06:45:54.884191 I | |
| | | | are using the | etc... |
| | | | exposed | |
| | | | /containerLogs | |
| | | | endpoint | |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10250 | Information | Cluster Health | By accessing the | status: ok |
| | Disclosure | Disclosure | open /healthz | |
| | | | handler, an attacker | |
| | | | could get the | |
| | | | cluster health state | |
| | | | without | |
| | | | authenticating | |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:6443 | Denial of Service | Denial of Service to | Node not patched for | { |
| | | Kubernetes API | CVE-2019-1002100. | "major": "1", |
| | | Server | Depending on your | "minor": "10", |
| | | | RBAC settings, a | "gi... |
| | | | crafted json-patch | |
| | | | could cause a Denial | |
| | | | of Service. | |
+--------------------+----------------------+----------------------+----------------------+----------------------+
| 192.168.65.3:10255 | Access Risk | Privileged Container | A Privileged | pod: kube-proxy- |
| | | | container exist on a | d5s8n, container: |
| | | | node. could expose | kube-p... |
| | | | the node/cluster to | |
| | | | unwanted root | |
| | | | operations | |
+--------------------+----------------------+----------------------+----------------------+----------------------+
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment