Closed revshell0 closed 2 years ago
Hi, what network plugin do you use in your deployment? Also could you attach your complete output?
We use Calico for our K8s deployments, and our service mesh is Istio.
Below is the entire kube-hunter output (I have modified the IPs slightly for security reasons, everything else is as is).
2022-01-18 13:00:24,214 INFO kube_hunter.modules.report.collector Started hunting
2022-01-18 13:00:24,308 INFO kube_hunter.modules.report.collector Discovering Open Kubernetes Services
2022-01-18 13:00:28,010 INFO kube_hunter.modules.report.collector Found open service "Etcd" at 10.2.192.6:2379
2022-01-18 13:00:29,208 INFO kube_hunter.modules.report.collector Found open service "Etcd" at 10.2.192.8:2379
2022-01-18 13:00:29,414 INFO kube_hunter.modules.report.collector Found open service "Etcd" at 10.2.192.11:2379
2022-01-18 13:00:35,209 INFO kube_hunter.modules.report.collector Found open service "Etcd" at 10.2.192.132:2379
2022-01-18 13:00:37,710 INFO kube_hunter.modules.report.collector Found open service "Etcd" at 10.2.192.133:2379
Nodes
+-------------+--------------+
| TYPE | LOCATION |
+-------------+--------------+
| Node/Master | 10.2.192.133 |
+-------------+--------------+
| Node/Master | 10.2.192.132 |
+-------------+--------------+
| Node/Master | 10.2.192.11 |
+-------------+--------------+
| Node/Master | 10.2.192.8 |
+-------------+--------------+
| Node/Master | 10.2.192.6 |
+-------------+--------------+
Detected Services
+---------+-------------------+----------------------+
| SERVICE | LOCATION | DESCRIPTION |
+---------+-------------------+----------------------+
| Etcd | 10.2.192.8:2379 | Etcd is a DB that |
| | | stores cluster's |
| | | data, it contains |
| | | configuration and |
| | | current |
| | | state |
| | | information, and |
| | | might contain |
| | | secrets |
+---------+-------------------+----------------------+
| Etcd | 10.2.192.6:2379 | Etcd is a DB that |
| | | stores cluster's |
| | | data, it contains |
| | | configuration and |
| | | current |
| | | state |
| | | information, and |
| | | might contain |
| | | secrets |
+---------+-------------------+----------------------+
| Etcd | 10.2.192.133:2379 | Etcd is a DB that |
| | | stores cluster's |
| | | data, it contains |
| | | configuration and |
| | | current |
| | | state |
| | | information, and |
| | | might contain |
| | | secrets |
+---------+-------------------+----------------------+
| Etcd | 10.2.192.132:2379 | Etcd is a DB that |
| | | stores cluster's |
| | | data, it contains |
| | | configuration and |
| | | current |
| | | state |
| | | information, and |
| | | might contain |
| | | secrets |
+---------+-------------------+----------------------+
| Etcd | 10.2.192.11:2379 | Etcd is a DB that |
| | | stores cluster's |
| | | data, it contains |
| | | configuration and |
| | | current |
| | | state |
| | | information, and |
| | | might contain |
| | | secrets |
+---------+-------------------+----------------------+
No vulnerabilities were found
Hunter Statistics
+----------------------+----------------------+-----------------+
| NAME | DESCRIPTION | VULNERABILITIES |
+----------------------+----------------------+-----------------+
| Proxy Hunting | Hunts for a | 0 |
| | dashboard behind the | |
| | proxy | |
+----------------------+----------------------+-----------------+
| Pod Capabilities | Checks for default | 0 |
| Hunter | enabled capabilities | |
| | in a pod | |
+----------------------+----------------------+-----------------+
| Mount Hunter - | Hunt pods that have | 0 |
| /var/log | write access to | |
| | host's /var/log. in | |
| | such case, the pod | |
| | can traverse read | |
| | files on the host | |
| | machine | |
+----------------------+----------------------+-----------------+
| Kubelet Secure Ports | Hunts specific | 0 |
| Hunter | endpoints on an open | |
| | secured Kubelet | |
+----------------------+----------------------+-----------------+
| Kubelet Readonly | Hunts specific | 0 |
| Ports Hunter | endpoints on open | |
| | ports in the | |
| | readonly Kubelet | |
| | server | |
+----------------------+----------------------+-----------------+
| Kubectl CVE Hunter | Checks if the | 0 |
| | kubectl client is | |
| | vulnerable to | |
| | specific important | |
| | CVEs | |
+----------------------+----------------------+-----------------+
| Etcd Remote Access | Checks for remote | 0 |
| | availability of | |
| | etcd, its version, | |
| | and read access to | |
| | the DB | |
+----------------------+----------------------+-----------------+
| Dashboard Hunting | Hunts open | 0 |
| | Dashboards, gets the | |
| | type of nodes in the | |
| | cluster | |
+----------------------+----------------------+-----------------+
| Certificate Email | Checks for email | 0 |
| Hunting | addresses in | |
| | kubernetes ssl | |
| | certificates | |
+----------------------+----------------------+-----------------+
| Api Version Hunter | Tries to obtain the | 0 |
| | Api Server's version | |
| | directly from | |
| | /version endpoint | |
+----------------------+----------------------+-----------------+
| Access Secrets | Accessing the | 0 |
| | secrets accessible | |
| | to the pod | |
+----------------------+----------------------+-----------------+
| API Server Hunter | Checks if API server | 0 |
| | is accessible | |
+----------------------+----------------------+-----------------+
| API Server Hunter | Accessing the API | 0 |
| | server using the | |
| | service account | |
| | token obtained from | |
| | a compromised pod | |
+----------------------+----------------------+-----------------+
| AKS Hunting | Hunting Azure | 0 |
| | cluster deployments | |
| | using specific known | |
| | configurations | |
+----------------------+----------------------+-----------------+
Thanks, another question. When you are running as a pod in the cluster, do you see the same output? If it can't detect the cluster it would very much help if you could run again with --log debug and attach logs.
Below is the output I got for using the --pod and --log DEBUG flags. (Heads-up: I have again modified the IPs and masked certain values for security reasons.)
2022-01-19 18:12:21,478 DEBUG root <class 'kube_hunter.modules.report.collector.Collector'> subscribed to <class 'kube_hunter.core.events.types.Vulnerability'>
2022-01-19 18:12:21,478 DEBUG root <class 'kube_hunter.modules.report.collector.Collector'> subscribed to <class 'kube_hunter.core.events.types.Service'>
2022-01-19 18:12:21,478 DEBUG root <class 'kube_hunter.modules.report.collector.SendFullReport'> subscribed to <class 'kube_hunter.core.events.types.HuntFinished'>
2022-01-19 18:12:21,478 DEBUG root <class 'kube_hunter.modules.report.collector.StartedInfo'> subscribed to <class 'kube_hunter.core.events.types.HuntStarted'>
2022-01-19 18:12:21,880 DEBUG root <class 'kube_hunter.modules.discovery.apiserver.ApiServiceDiscovery'> subscribed to <class 'kube_hunter.core.events.types.OpenPortEvent'>
2022-01-19 18:12:21,880 DEBUG root <class 'kube_hunter.modules.discovery.apiserver.ApiServiceClassify'> filter subscribed to <class 'kube_hunter.modules.discovery.apiserver.K8sApiService'>
2022-01-19 18:12:21,880 DEBUG root <class 'kube_hunter.modules.discovery.dashboard.KubeDashboard'> subscribed to <class 'kube_hunter.core.events.types.OpenPortEvent'>
2022-01-19 18:12:21,881 DEBUG root <class 'kube_hunter.modules.discovery.etcd.EtcdRemoteAccess'> subscribed to <class 'kube_hunter.core.events.types.OpenPortEvent'>
2022-01-19 18:12:25,676 DEBUG root <class 'kube_hunter.modules.discovery.hosts.FromPodHostDiscovery'> subscribed to <class 'kube_hunter.modules.discovery.hosts.RunningAsPodEvent'>
2022-01-19 18:12:25,676 DEBUG root <class 'kube_hunter.modules.discovery.hosts.HostDiscovery'> subscribed to <class 'kube_hunter.modules.discovery.hosts.HostScanEvent'>
2022-01-19 18:12:25,677 DEBUG root <class 'kube_hunter.modules.discovery.kubectl.KubectlClientDiscovery'> subscribed to <class 'kube_hunter.core.events.types.HuntStarted'>
2022-01-19 18:12:25,677 DEBUG root <class 'kube_hunter.modules.discovery.kubelet.KubeletDiscovery'> subscribed to <class 'kube_hunter.core.events.types.OpenPortEvent'>
2022-01-19 18:12:25,677 DEBUG root <class 'kube_hunter.modules.discovery.ports.PortDiscovery'> subscribed to <class 'kube_hunter.core.events.types.NewHostEvent'>
2022-01-19 18:12:25,678 DEBUG root <class 'kube_hunter.modules.discovery.proxy.KubeProxy'> subscribed to <class 'kube_hunter.core.events.types.OpenPortEvent'>
2022-01-19 18:12:25,774 DEBUG root <class 'kube_hunter.modules.hunting.kubelet.ReadOnlyKubeletPortHunter'> subscribed to <class 'kube_hunter.modules.discovery.kubelet.ReadOnlyKubeletEvent'>
2022-01-19 18:12:25,775 DEBUG root <class 'kube_hunter.modules.hunting.kubelet.SecureKubeletPortHunter'> subscribed to <class 'kube_hunter.modules.discovery.kubelet.SecureKubeletEvent'>
2022-01-19 18:12:25,775 DEBUG root <class 'kube_hunter.modules.hunting.aks.AzureSpnHunter'> subscribed to <class 'kube_hunter.modules.hunting.kubelet.ExposedPodsHandler'>
2022-01-19 18:12:25,776 DEBUG root <class 'kube_hunter.modules.hunting.apiserver.AccessApiServer'> subscribed to <class 'kube_hunter.modules.discovery.apiserver.ApiServer'>
2022-01-19 18:12:25,776 DEBUG root <class 'kube_hunter.modules.hunting.apiserver.AccessApiServerWithToken'> subscribed to <class 'kube_hunter.modules.discovery.apiserver.ApiServer'>
2022-01-19 18:12:25,776 DEBUG root <class 'kube_hunter.modules.hunting.apiserver.ApiVersionHunter'> subscribed to <class 'kube_hunter.modules.discovery.apiserver.ApiServer'>
2022-01-19 18:12:27,978 DEBUG root <class 'kube_hunter.modules.hunting.capabilities.PodCapabilitiesHunter'> subscribed to <class 'kube_hunter.modules.discovery.hosts.RunningAsPodEvent'>
2022-01-19 18:12:27,978 DEBUG root <class 'kube_hunter.modules.hunting.certificates.CertificateDiscovery'> subscribed to <class 'kube_hunter.core.events.types.Service'>
2022-01-19 18:12:28,073 DEBUG root <class 'kube_hunter.modules.hunting.cves.KubectlCVEHunter'> subscribed to <class 'kube_hunter.modules.discovery.kubectl.KubectlClientEvent'>
2022-01-19 18:12:28,074 DEBUG root <class 'kube_hunter.modules.hunting.dashboard.KubeDashboard'> subscribed to <class 'kube_hunter.modules.discovery.dashboard.KubeDashboardEvent'>
2022-01-19 18:12:28,075 DEBUG root <class 'kube_hunter.modules.hunting.etcd.EtcdRemoteAccess'> subscribed to <class 'kube_hunter.core.events.types.OpenPortEvent'>
2022-01-19 18:12:28,075 DEBUG root <class 'kube_hunter.modules.hunting.mounts.VarLogMountHunter'> subscribed to <class 'kube_hunter.modules.hunting.kubelet.ExposedPodsHandler'>
2022-01-19 18:12:28,075 DEBUG root <class 'kube_hunter.modules.hunting.proxy.KubeProxy'> subscribed to <class 'kube_hunter.modules.discovery.proxy.KubeProxyEvent'>
2022-01-19 18:12:28,076 DEBUG root <class 'kube_hunter.modules.hunting.secrets.AccessSecrets'> subscribed to <class 'kube_hunter.modules.discovery.hosts.RunningAsPodEvent'>
2022-01-19 18:12:28,076 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.core.events.types.HuntStarted'> got published to hunter - <class 'kube_hunter.modules.report.collector.StartedInfo'> with <kube_hunter.core.events.types.HuntStarted object at 0x7f570083b9d0>
2022-01-19 18:12:28,076 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.core.events.types.HuntStarted'> got published to hunter - <class 'kube_hunter.modules.discovery.kubectl.KubectlClientDiscovery'> with <kube_hunter.core.events.types.HuntStarted object at 0x7f570083b9d0>
2022-01-19 18:12:28,076 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.report.collector.StartedInfo'> with {'previous': None, 'hunter': None}
2022-01-19 18:12:28,076 INFO kube_hunter.modules.report.collector Started hunting
2022-01-19 18:12:28,076 INFO kube_hunter.modules.report.collector Discovering Open Kubernetes Services
2022-01-19 18:12:28,077 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.discovery.kubectl.KubectlClientDiscovery'> with {'previous': None, 'hunter': None}
2022-01-19 18:12:28,077 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.modules.discovery.hosts.RunningAsPodEvent'> got published to hunter - <class 'kube_hunter.modules.discovery.hosts.FromPodHostDiscovery'> with <kube_hunter.modules.discovery.hosts.RunningAsPodEvent object at 0x7f5700458eb0>
2022-01-19 18:12:28,077 DEBUG kube_hunter.modules.discovery.kubectl Attempting to discover a local kubectl client
2022-01-19 18:12:28,077 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.discovery.hosts.FromPodHostDiscovery'> with {'name': 'Running from within a pod', 'client_cert': '-----BEGIN CERTIFICATE-----\nMIIDKzCCAhOg*********************************************************************************************************************************************************************************************************************************************************Xdo53BJeuA6cY4tUL9c=\n-----END CERTIFICATE-----\n', 'namespace': 'security', 'kubeservicehost': '10.1.226.1', 'auth_token': 'eyJh****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************MIXx1u5smlv2lSw'}
2022-01-19 18:12:28,077 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.modules.discovery.hosts.RunningAsPodEvent'> got published to hunter - <class 'kube_hunter.modules.hunting.capabilities.PodCapabilitiesHunter'> with <kube_hunter.modules.discovery.hosts.RunningAsPodEvent object at 0x7f5700458eb0>
2022-01-19 18:12:28,077 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.hunting.capabilities.PodCapabilitiesHunter'> with {'name': 'Running from within a pod', 'client_cert': '-----BEGIN CERTIFICATE-----\nMIIDKzCCAhOg*********************************************************************************************************************************************************************************************************************************************************Xdo53BJeuA6cY4tUL9c=\n-----END CERTIFICATE-----\n', 'namespace': 'security', 'kubeservicehost': '10.1.226.1', 'auth_token': 'eyJh****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************MIXx1u5smlv2lSw'}
2022-01-19 18:12:28,078 DEBUG kube_hunter.modules.discovery.kubernetes_client Attempting to use in cluster Kubernetes config
2022-01-19 18:12:28,078 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.modules.discovery.hosts.RunningAsPodEvent'> got published to hunter - <class 'kube_hunter.modules.hunting.secrets.AccessSecrets'> with <kube_hunter.modules.discovery.hosts.RunningAsPodEvent object at 0x7f5700458eb0>
2022-01-19 18:12:28,081 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.hunting.secrets.AccessSecrets'> with {'name': 'Running from within a pod', 'client_cert': '-----BEGIN CERTIFICATE-----\nMIIDKzCCAhOg*********************************************************************************************************************************************************************************************************************************************************Xdo53BJeuA6cY4tUL9c=\n-----END CERTIFICATE-----\n', 'namespace': 'security', 'kubeservicehost': '10.1.226.1', 'auth_token': 'eyJh****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************MIXx1u5smlv2lSw'}
2022-01-19 18:12:28,082 DEBUG kube_hunter.modules.hunting.capabilities Passive hunter's trying to open a RAW socket
2022-01-19 18:12:28,172 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.modules.hunting.secrets.ServiceAccountTokenAccess'> got published to hunter - <class 'kube_hunter.modules.report.collector.Collector'> with <kube_hunter.modules.hunting.secrets.ServiceAccountTokenAccess object at 0x7f56ff45b7f0>
2022-01-19 18:12:28,173 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.report.collector.Collector'> with {'vid': 'KHV050', 'component': <class 'kube_hunter.core.types.components.KubernetesCluster'>, 'category': <class 'kube_hunter.core.types.vulnerabilities.AccessContainerServiceAccountTechnique'>, 'name': "Read access to pod's service account token", 'evidence': 'eyJh****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************lt5arBtPniRd_ks7_V-nzZXOvqV-yS7haN78Pd7oyzJztrtoses_Wd7swloLo0TM4yUQsOYZTOUvaH0eGjHIC0NaJDdwQIcyLoD2tpD9bXiAO78N05647MzcUieaKRykswJpK9-ck5QPpMfTV39532vcXkIgEsjiQYXQnKt0AvKPMm3gMup2rcq2qgzwQpuqqkPMS5FFeK6gCYLjYNi7TxNSm4bOajx2y4Ru3pcQBAp1OoucpIOUk4v_DKm-jPSsEukUVXiHD27uKYXwuaHwIzNo-VOUgSFVxqU_QXdQ2GROR3X-zrASweMIXx1u5smlv2lSw', 'role': 'Node', 'previous': <kube_hunter.modules.discovery.hosts.RunningAsPodEvent object at 0x7f5700458eb0>, 'hunter': <class 'kube_hunter.modules.hunting.secrets.AccessSecrets'>}
2022-01-19 18:12:28,274 DEBUG kube_hunter.modules.hunting.secrets Trying to access pod's secrets directory
2022-01-19 18:12:28,274 DEBUG kube_hunter.modules.discovery.kubectl Could not find kubectl client
2022-01-19 18:12:28,274 DEBUG kube_hunter.modules.hunting.capabilities Passive hunter's closing RAW socket
2022-01-19 18:12:28,274 INFO kube_hunter.modules.report.collector Found vulnerability "Read access to pod's service account token" in Local to Pod (kube-hunter-1642615920-rl5qp)
2022-01-19 18:12:28,275 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.modules.hunting.capabilities.CapNetRawEnabled'> got published to hunter - <class 'kube_hunter.modules.report.collector.Collector'> with <kube_hunter.modules.hunting.capabilities.CapNetRawEnabled object at 0x7f570046b1f0>
2022-01-19 18:12:28,275 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.report.collector.Collector'> with {'vid': 'None', 'component': <class 'kube_hunter.core.types.components.KubernetesCluster'>, 'category': <class 'kube_hunter.core.types.vulnerabilities.ARPPoisoningTechnique'>, 'name': 'CAP_NET_RAW Enabled', 'evidence': '', 'role': 'Node', 'previous': <kube_hunter.modules.discovery.hosts.RunningAsPodEvent object at 0x7f5700458eb0>, 'hunter': <class 'kube_hunter.modules.hunting.capabilities.PodCapabilitiesHunter'>}
2022-01-19 18:12:28,276 INFO kube_hunter.modules.report.collector Found vulnerability "CAP_NET_RAW Enabled" in Local to Pod (kube-hunter-1642615920-rl5qp)
2022-01-19 18:12:28,277 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.modules.hunting.secrets.SecretsAccess'> got published to hunter - <class 'kube_hunter.modules.report.collector.Collector'> with <kube_hunter.modules.hunting.secrets.SecretsAccess object at 0x7f56ff45ba90>
2022-01-19 18:12:28,277 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.report.collector.Collector'> with {'vid': 'None', 'component': <class 'kube_hunter.core.types.components.KubernetesCluster'>, 'category': <class 'kube_hunter.core.types.vulnerabilities.AccessContainerServiceAccountTechnique'>, 'name': "Access to pod's secrets", 'evidence': ['/var/run/secrets/kubernetes.io/serviceaccount/token', '/var/run/secrets/kubernetes.io/serviceaccount/namespace', '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt', '/var/run/secrets/kubernetes.io/serviceaccount/..2022_01_19_18_12_07.711190250/namespace', '/var/run/secrets/kubernetes.io/serviceaccount/..2022_01_19_18_12_07.711190250/ca.crt', '/var/run/secrets/kubernetes.io/serviceaccount/..2022_01_19_18_12_07.711190250/token'], 'role': 'Node', 'previous': <kube_hunter.modules.discovery.hosts.RunningAsPodEvent object at 0x7f5700458eb0>, 'hunter': <class 'kube_hunter.modules.hunting.secrets.AccessSecrets'>}
2022-01-19 18:12:28,277 INFO kube_hunter.modules.report.collector Found vulnerability "Access to pod's secrets" in Local to Pod (kube-hunter-1642615920-rl5qp)
2022-01-19 18:12:28,376 DEBUG kubernetes.client.rest response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"nodes is forbidden: User \"system:serviceaccount:security:default\" cannot list resource \"nodes\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"nodes"},"code":403}
2022-01-19 18:12:28,377 DEBUG kube_hunter.modules.discovery.kubernetes_client Failed to list nodes from Kubernetes: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': 'fd1ca7fe-73ed-414e-81f3-7cec757eb29c', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': '2994797f-99b3-48b9-85f0-499308c6475e', 'X-Kubernetes-Pf-Prioritylevel-Uid': '928a0b61-b409-411f-aec1-4791dc6d6da7', 'Date': 'Wed, 19 Jan 2022 18:12:28 GMT', 'Content-Length': '278'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"nodes is forbidden: User \"system:serviceaccount:security:default\" cannot list resource \"nodes\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"nodes"},"code":403}
2022-01-19 18:12:28,377 DEBUG kube_hunter.modules.discovery.hosts From pod attempting to access Azure Metadata API
2022-01-19 18:12:28,385 DEBUG kube_hunter.modules.discovery.hosts From pod attempting to access AWS Metadata v1 API
2022-01-19 18:12:28,474 DEBUG kube_hunter.modules.discovery.hosts From pod attempting to access AWS Metadata v2 API
2022-01-19 18:12:28,477 DEBUG kube_hunter.core.events.handler Invalid header value b'Not Found\n'
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/kube_hunter/core/events/handler.py", line 320, in worker
hook.execute()
File "/usr/local/lib/python3.8/site-packages/kube_hunter/modules/discovery/hosts.py", line 137, in execute
elif self.is_aws_pod_v2():
File "/usr/local/lib/python3.8/site-packages/kube_hunter/modules/discovery/hosts.py", line 182, in is_aws_pod_v2
requests.get(
File "/usr/local/lib/python3.8/site-packages/requests/api.py", line 75, in get
return request('get', url, params=params, **kwargs)
File "/usr/local/lib/python3.8/site-packages/requests/api.py", line 61, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
httplib_response = self._make_request(
File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 394, in _make_request
conn.request(method, url, **httplib_request_kw)
File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 239, in request
super(HTTPConnection, self).request(method, url, body=body, headers=headers)
File "/usr/local/lib/python3.8/http/client.py", line 1256, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/local/lib/python3.8/http/client.py", line 1297, in _send_request
self.putheader(hdr, value)
File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 224, in putheader
_HTTPConnection.putheader(self, header, *values)
File "/usr/local/lib/python3.8/http/client.py", line 1234, in putheader
raise ValueError('Invalid header value %r' % (values[i],))
ValueError: Invalid header value b'Not Found\n'
2022-01-19 18:12:28,480 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.core.events.types.HuntFinished'> got published to hunter - <class 'kube_hunter.modules.report.collector.SendFullReport'> with <kube_hunter.core.events.types.HuntFinished object at 0x7f570071a250>
2022-01-19 18:12:28,480 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.report.collector.SendFullReport'> with {'previous': None, 'hunter': None}
2022-01-19 18:12:28,574 DEBUG kube_hunter.modules.report.dispatchers Dispatching report via stdout
Vulnerabilities
For further information about a vulnerability, search its ID in:
https://avd.aquasec.com/
2022-01-19 18:12:28,574 DEBUG kube_hunter.__main__ Cleaned Queue
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| ID | LOCATION | MITRE CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| None | Local to Pod (kube-h | Lateral Movement // | CAP_NET_RAW Enabled | CAP_NET_RAW is | |
| | unter-1642615920-rl5 | ARP poisoning and IP | | enabled by default | |
| | qp) | spoofing | | for pods. | |
| | | | | If an attacker | |
| | | | | manages to | |
| | | | | compromise a pod, | |
| | | | | they could | |
| | | | | potentially take | |
| | | | | advantage of this | |
| | | | | capability to | |
| | | | | perform network | |
| | | | | attacks on other | |
| | | | | pods running on the | |
| | | | | same node | |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| None | Local to Pod (kube-h | Credential Access // | Access to pod's | Accessing the pod's | ['/var/run/secrets/k |
| | unter-1642615920-rl5 | Access container | secrets | secrets within a | ubernetes.io/service |
| | qp) | service account | | compromised pod | account/token', '/va |
| | | | | might disclose | r/run/secrets/kubern |
| | | | | valuable data to a | etes.io/serviceaccou |
| | | | | potential attacker | ... |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV050 | Local to Pod (kube-h | Credential Access // | Read access to pod's | Accessing the pod | eyJh**************** |
| | unter-1642615920-rl5 | Access container | service account | service account | ******************** |
| | qp) | service account | token | token gives an | ******************** |
| | | | | attacker the option | ******************** |
| | | | | to use the server | *****GMifQ.ey****MiO |
| | | | | API | ... |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
Kube Hunter couldn't find any clusters
Hey @danielsagi, did you get a chance to go through the output? Were you able to figure out what went wrong? I look forward to hearing from you soon. Thanks.
Hi @revshell0. Thank you for the output! It does seem like there is a bug in the metadata API scanning, which seems to cause the lack of vulnerabilities found.
I'm looking at it and will update you soon with a quick fix.
A new version is now available: https://github.com/aquasecurity/kube-hunter/releases/tag/v0.6.4
If your problem continues, please reach out and reopen :)
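The traceback in the debug log above shows is_aws_pod_v2() sending the metadata server's reply body ("Not Found\n") straight back as the X-aws-ec2-metadata-token header, which http.client rejects because of the bare newline; the exception escapes the discovery worker, and the maintainer attributes the missing findings to this metadata-API bug. The block below is an added example, not kube-hunter's own code: it builds a constructed offline transport that applies the same header rule as http.client, runs the naive probe pattern beside a hardened one against a constructed GKE-like server (assumed to answer 404 with that body) and a constructed IMDSv2-like server, and wraps each probe the way a worker loop would; the endpoint URLs and header names are the documented AWS IMDSv2 ones, everything else is constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict

# Documented AWS IMDSv2 endpoint and header names.
IMDS_TOKEN_URL = "http://169.254.169.254/latest/api/token"
IMDS_DOC_URL = "http://169.254.169.254/latest/dynamic/instance-identity/document"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"

# The rule http.client applies to header values: a CR or LF not followed by
# whitespace is illegal, so a value of "Not Found\n" is rejected.
_ILLEGAL_HEADER_VALUE = re.compile(r"\n(?![ \t])|\r(?![ \t\n])")

@dataclass
class Response:
    status: int
    text: str

# An HTTP client here is any callable (method, url, headers) -> Response.
HttpFn = Callable[[str, str, Dict[str, str]], Response]

def transport(handler: HttpFn) -> HttpFn:
    """Constructed offline stand-in for requests/urllib3/http.client: it
    validates header values the way the real stack does before 'sending'."""
    def send(method: str, url: str, headers: Dict[str, str]) -> Response:
        for value in headers.values():
            if _ILLEGAL_HEADER_VALUE.search(value):
                raise ValueError("Invalid header value %r" % value)
        return handler(method, url, headers)
    return send

def gke_like_handler(method: str, url: str, headers: Dict[str, str]) -> Response:
    # Constructed: a non-AWS metadata server that knows no AWS paths and
    # answers (assumed 404) with the body seen in the thread's traceback.
    return Response(404, "Not Found\n")

AWS_TOKEN = "AQAEAConstructedSampleToken=="  # constructed value, not a real token

def aws_like_handler(method: str, url: str, headers: Dict[str, str]) -> Response:
    # Constructed: an IMDSv2-style server that issues a token on PUT and
    # serves the identity document only when that token is presented.
    if method == "PUT" and url == IMDS_TOKEN_URL and TOKEN_TTL_HEADER in headers:
        return Response(200, AWS_TOKEN)
    if method == "GET" and url == IMDS_DOC_URL and headers.get(TOKEN_HEADER) == AWS_TOKEN:
        return Response(200, '{"region": "us-east-1"}')
    return Response(401, "")

GKE_LIKE = transport(gke_like_handler)
AWS_LIKE = transport(aws_like_handler)

def naive_aws_v2_probe(http: HttpFn) -> bool:
    """The crash pattern: whatever the token request returns becomes a header."""
    token = http("PUT", IMDS_TOKEN_URL, {TOKEN_TTL_HEADER: "21600"}).text
    return http("GET", IMDS_DOC_URL, {TOKEN_HEADER: token}).status == 200

def hardened_aws_v2_probe(http: HttpFn) -> bool:
    """Treat only a 200 with a single-line printable-ASCII body as a token,
    and let any transport error mean 'not AWS' instead of aborting discovery."""
    try:
        resp = http("PUT", IMDS_TOKEN_URL, {TOKEN_TTL_HEADER: "21600"})
    except Exception:  # unreachable or odd metadata servers are normal off AWS
        return False
    token = resp.text.strip()
    if resp.status != 200 or not re.fullmatch(r"[\x21-\x7e]+", token):
        return False
    try:
        return http("GET", IMDS_DOC_URL, {TOKEN_HEADER: token}).status == 200
    except Exception:
        return False

def probe_outcome(probe: Callable[[HttpFn], bool], http: HttpFn) -> str:
    """Mimics the hunter worker loop: an uncaught exception ends the probe
    with an error instead of a cloud classification."""
    try:
        return "aws" if probe(http) else "not-aws"
    except Exception as exc:
        return f"error: {exc}"

if __name__ == "__main__":
    for name, http in (("gke-like", GKE_LIKE), ("aws-like", AWS_LIKE)):
        print(name, "naive:", probe_outcome(naive_aws_v2_probe, http),
              "| hardened:", probe_outcome(hardened_aws_v2_probe, http))
```

Against the GKE-like server the naive probe ends in the same "Invalid header value" error as the log, while the hardened probe simply reports "not-aws" and lets discovery continue.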
We have a GKE cluster in our GCP cloud.
I ran kube-hunter in pod mode, i.e. using the --pod option. It failed to detect the cluster. Then I used the --interface option. Again, it failed to detect the cluster. Finally, I used both the --interface and --k8s-auto-discover-nodes flags together. It managed to discover and list down all the nodes within the cluster. However, it says no vulnerabilities were found (despite the fact that my cluster has a few vulnerabilities that I'm already aware of). My goal is to demonstrate to my management the impact that a compromised pod will have.