aquasecurity / kube-hunter

Hunt for security weaknesses in Kubernetes clusters
Apache License 2.0

Ran kube-hunter in pod mode and unable to detect my GKE cluster #486

Closed revshell0 closed 2 years ago

revshell0 commented 2 years ago

We have a GKE cluster in our GCP cloud.

I ran kube-hunter in pod mode, i.e. using the --pod option. It failed to detect the cluster.

Then I used the --interface option. Again, it failed to detect the cluster.

Finally, I used both the --interface and --k8s-auto-discover-nodes flags together. It managed to discover and list all the nodes within the cluster. However, it says "No vulnerabilities were found" (despite the fact that my cluster has a few vulnerabilities that I'm already aware of).

My goal is to demonstrate the impact that a compromised pod will have, to my management.

danielsagi commented 2 years ago

Hi, what network plugin do you use in your deployment? Also could you attach your complete output?

revshell0 commented 2 years ago

We use Calico for our K8s deployments, and our service mesh is Istio.

Below is the entire kube-hunter output (I have modified the IPs slightly for security reasons, everything else is as is).

2022-01-18 13:00:24,214 INFO kube_hunter.modules.report.collector Started hunting
2022-01-18 13:00:24,308 INFO kube_hunter.modules.report.collector Discovering Open Kubernetes Services
2022-01-18 13:00:28,010 INFO kube_hunter.modules.report.collector Found open service "Etcd" at 10.2.192.6:2379
2022-01-18 13:00:29,208 INFO kube_hunter.modules.report.collector Found open service "Etcd" at 10.2.192.8:2379
2022-01-18 13:00:29,414 INFO kube_hunter.modules.report.collector Found open service "Etcd" at 10.2.192.11:2379
2022-01-18 13:00:35,209 INFO kube_hunter.modules.report.collector Found open service "Etcd" at 10.2.192.132:2379
2022-01-18 13:00:37,710 INFO kube_hunter.modules.report.collector Found open service "Etcd" at 10.2.192.133:2379

Nodes
+-------------+--------------+
| TYPE        | LOCATION     |
+-------------+--------------+
| Node/Master | 10.2.192.133 |
+-------------+--------------+
| Node/Master | 10.2.192.132 |
+-------------+--------------+
| Node/Master | 10.2.192.11  |
+-------------+--------------+
| Node/Master | 10.2.192.8   |
+-------------+--------------+
| Node/Master | 10.2.192.6   |
+-------------+--------------+

Detected Services
+---------+-------------------+----------------------+
| SERVICE | LOCATION          | DESCRIPTION          |
+---------+-------------------+----------------------+
| Etcd    | 10.2.192.8:2379   | Etcd is a DB that    |
|         |                   | stores cluster's     |
|         |                   | data, it contains    |
|         |                   | configuration and    |
|         |                   | current              |
|         |                   |     state            |
|         |                   | information, and     |
|         |                   | might contain        |
|         |                   | secrets              |
+---------+-------------------+----------------------+
| Etcd    | 10.2.192.6:2379   | Etcd is a DB that    |
|         |                   | stores cluster's     |
|         |                   | data, it contains    |
|         |                   | configuration and    |
|         |                   | current              |
|         |                   |     state            |
|         |                   | information, and     |
|         |                   | might contain        |
|         |                   | secrets              |
+---------+-------------------+----------------------+
| Etcd    | 10.2.192.133:2379 | Etcd is a DB that    |
|         |                   | stores cluster's     |
|         |                   | data, it contains    |
|         |                   | configuration and    |
|         |                   | current              |
|         |                   |     state            |
|         |                   | information, and     |
|         |                   | might contain        |
|         |                   | secrets              |
+---------+-------------------+----------------------+
| Etcd    | 10.2.192.132:2379 | Etcd is a DB that    |
|         |                   | stores cluster's     |
|         |                   | data, it contains    |
|         |                   | configuration and    |
|         |                   | current              |
|         |                   |     state            |
|         |                   | information, and     |
|         |                   | might contain        |
|         |                   | secrets              |
+---------+-------------------+----------------------+
| Etcd    | 10.2.192.11:2379  | Etcd is a DB that    |
|         |                   | stores cluster's     |
|         |                   | data, it contains    |
|         |                   | configuration and    |
|         |                   | current              |
|         |                   |     state            |
|         |                   | information, and     |
|         |                   | might contain        |
|         |                   | secrets              |
+---------+-------------------+----------------------+

No vulnerabilities were found
Hunter Statistics
+----------------------+----------------------+-----------------+
| NAME                 | DESCRIPTION          | VULNERABILITIES |
+----------------------+----------------------+-----------------+
| Proxy Hunting        | Hunts for a          | 0               |
|                      | dashboard behind the |                 |
|                      | proxy                |                 |
+----------------------+----------------------+-----------------+
| Pod Capabilities     | Checks for default   | 0               |
| Hunter               | enabled capabilities |                 |
|                      | in a pod             |                 |
+----------------------+----------------------+-----------------+
| Mount Hunter -       | Hunt pods that have  | 0               |
| /var/log             | write access to      |                 |
|                      | host's /var/log. in  |                 |
|                      | such case, the pod   |                 |
|                      | can traverse read    |                 |
|                      | files on the host    |                 |
|                      | machine              |                 |
+----------------------+----------------------+-----------------+
| Kubelet Secure Ports | Hunts specific       | 0               |
| Hunter               | endpoints on an open |                 |
|                      | secured Kubelet      |                 |
+----------------------+----------------------+-----------------+
| Kubelet Readonly     | Hunts specific       | 0               |
| Ports Hunter         | endpoints on open    |                 |
|                      | ports in the         |                 |
|                      | readonly Kubelet     |                 |
|                      | server               |                 |
+----------------------+----------------------+-----------------+
| Kubectl CVE Hunter   | Checks if the        | 0               |
|                      | kubectl client is    |                 |
|                      | vulnerable to        |                 |
|                      | specific important   |                 |
|                      | CVEs                 |                 |
+----------------------+----------------------+-----------------+
| Etcd Remote Access   | Checks for remote    | 0               |
|                      | availability of      |                 |
|                      | etcd, its version,   |                 |
|                      | and read access to   |                 |
|                      | the DB               |                 |
+----------------------+----------------------+-----------------+
| Dashboard Hunting    | Hunts open           | 0               |
|                      | Dashboards, gets the |                 |
|                      | type of nodes in the |                 |
|                      | cluster              |                 |
+----------------------+----------------------+-----------------+
| Certificate Email    | Checks for email     | 0               |
| Hunting              | addresses in         |                 |
|                      | kubernetes ssl       |                 |
|                      | certificates         |                 |
+----------------------+----------------------+-----------------+
| Api Version Hunter   | Tries to obtain the  | 0               |
|                      | Api Server's version |                 |
|                      | directly from        |                 |
|                      | /version endpoint    |                 |
+----------------------+----------------------+-----------------+
| Access Secrets       | Accessing the        | 0               |
|                      | secrets accessible   |                 |
|                      | to the pod           |                 |
+----------------------+----------------------+-----------------+
| API Server Hunter    | Checks if API server | 0               |
|                      | is accessible        |                 |
+----------------------+----------------------+-----------------+
| API Server Hunter    | Accessing the API    | 0               |
|                      | server using the     |                 |
|                      | service account      |                 |
|                      | token obtained from  |                 |
|                      | a compromised pod    |                 |
+----------------------+----------------------+-----------------+
| AKS Hunting          | Hunting Azure        | 0               |
|                      | cluster deployments  |                 |
|                      | using specific known |                 |
|                      | configurations       |                 |
+----------------------+----------------------+-----------------+

danielsagi commented 2 years ago

Thanks, another question. When you are running as a pod in the cluster, do you see the same output? If it can't detect the cluster, it would very much help if you could run again with --log debug and attach the logs.

revshell0 commented 2 years ago

Below is the output I got using the --pod and --log DEBUG flags. (Heads-up: I have again modified the IPs and masked certain values for security reasons.)

2022-01-19 18:12:21,478 DEBUG root <class 'kube_hunter.modules.report.collector.Collector'> subscribed to <class 'kube_hunter.core.events.types.Vulnerability'>
2022-01-19 18:12:21,478 DEBUG root <class 'kube_hunter.modules.report.collector.Collector'> subscribed to <class 'kube_hunter.core.events.types.Service'>
2022-01-19 18:12:21,478 DEBUG root <class 'kube_hunter.modules.report.collector.SendFullReport'> subscribed to <class 'kube_hunter.core.events.types.HuntFinished'>
2022-01-19 18:12:21,478 DEBUG root <class 'kube_hunter.modules.report.collector.StartedInfo'> subscribed to <class 'kube_hunter.core.events.types.HuntStarted'>
2022-01-19 18:12:21,880 DEBUG root <class 'kube_hunter.modules.discovery.apiserver.ApiServiceDiscovery'> subscribed to <class 'kube_hunter.core.events.types.OpenPortEvent'>
2022-01-19 18:12:21,880 DEBUG root <class 'kube_hunter.modules.discovery.apiserver.ApiServiceClassify'> filter subscribed to <class 'kube_hunter.modules.discovery.apiserver.K8sApiService'>
2022-01-19 18:12:21,880 DEBUG root <class 'kube_hunter.modules.discovery.dashboard.KubeDashboard'> subscribed to <class 'kube_hunter.core.events.types.OpenPortEvent'>
2022-01-19 18:12:21,881 DEBUG root <class 'kube_hunter.modules.discovery.etcd.EtcdRemoteAccess'> subscribed to <class 'kube_hunter.core.events.types.OpenPortEvent'>
2022-01-19 18:12:25,676 DEBUG root <class 'kube_hunter.modules.discovery.hosts.FromPodHostDiscovery'> subscribed to <class 'kube_hunter.modules.discovery.hosts.RunningAsPodEvent'>
2022-01-19 18:12:25,676 DEBUG root <class 'kube_hunter.modules.discovery.hosts.HostDiscovery'> subscribed to <class 'kube_hunter.modules.discovery.hosts.HostScanEvent'>
2022-01-19 18:12:25,677 DEBUG root <class 'kube_hunter.modules.discovery.kubectl.KubectlClientDiscovery'> subscribed to <class 'kube_hunter.core.events.types.HuntStarted'>
2022-01-19 18:12:25,677 DEBUG root <class 'kube_hunter.modules.discovery.kubelet.KubeletDiscovery'> subscribed to <class 'kube_hunter.core.events.types.OpenPortEvent'>
2022-01-19 18:12:25,677 DEBUG root <class 'kube_hunter.modules.discovery.ports.PortDiscovery'> subscribed to <class 'kube_hunter.core.events.types.NewHostEvent'>
2022-01-19 18:12:25,678 DEBUG root <class 'kube_hunter.modules.discovery.proxy.KubeProxy'> subscribed to <class 'kube_hunter.core.events.types.OpenPortEvent'>
2022-01-19 18:12:25,774 DEBUG root <class 'kube_hunter.modules.hunting.kubelet.ReadOnlyKubeletPortHunter'> subscribed to <class 'kube_hunter.modules.discovery.kubelet.ReadOnlyKubeletEvent'>
2022-01-19 18:12:25,775 DEBUG root <class 'kube_hunter.modules.hunting.kubelet.SecureKubeletPortHunter'> subscribed to <class 'kube_hunter.modules.discovery.kubelet.SecureKubeletEvent'>
2022-01-19 18:12:25,775 DEBUG root <class 'kube_hunter.modules.hunting.aks.AzureSpnHunter'> subscribed to <class 'kube_hunter.modules.hunting.kubelet.ExposedPodsHandler'>
2022-01-19 18:12:25,776 DEBUG root <class 'kube_hunter.modules.hunting.apiserver.AccessApiServer'> subscribed to <class 'kube_hunter.modules.discovery.apiserver.ApiServer'>
2022-01-19 18:12:25,776 DEBUG root <class 'kube_hunter.modules.hunting.apiserver.AccessApiServerWithToken'> subscribed to <class 'kube_hunter.modules.discovery.apiserver.ApiServer'>
2022-01-19 18:12:25,776 DEBUG root <class 'kube_hunter.modules.hunting.apiserver.ApiVersionHunter'> subscribed to <class 'kube_hunter.modules.discovery.apiserver.ApiServer'>
2022-01-19 18:12:27,978 DEBUG root <class 'kube_hunter.modules.hunting.capabilities.PodCapabilitiesHunter'> subscribed to <class 'kube_hunter.modules.discovery.hosts.RunningAsPodEvent'>
2022-01-19 18:12:27,978 DEBUG root <class 'kube_hunter.modules.hunting.certificates.CertificateDiscovery'> subscribed to <class 'kube_hunter.core.events.types.Service'>
2022-01-19 18:12:28,073 DEBUG root <class 'kube_hunter.modules.hunting.cves.KubectlCVEHunter'> subscribed to <class 'kube_hunter.modules.discovery.kubectl.KubectlClientEvent'>
2022-01-19 18:12:28,074 DEBUG root <class 'kube_hunter.modules.hunting.dashboard.KubeDashboard'> subscribed to <class 'kube_hunter.modules.discovery.dashboard.KubeDashboardEvent'>
2022-01-19 18:12:28,075 DEBUG root <class 'kube_hunter.modules.hunting.etcd.EtcdRemoteAccess'> subscribed to <class 'kube_hunter.core.events.types.OpenPortEvent'>
2022-01-19 18:12:28,075 DEBUG root <class 'kube_hunter.modules.hunting.mounts.VarLogMountHunter'> subscribed to <class 'kube_hunter.modules.hunting.kubelet.ExposedPodsHandler'>
2022-01-19 18:12:28,075 DEBUG root <class 'kube_hunter.modules.hunting.proxy.KubeProxy'> subscribed to <class 'kube_hunter.modules.discovery.proxy.KubeProxyEvent'>
2022-01-19 18:12:28,076 DEBUG root <class 'kube_hunter.modules.hunting.secrets.AccessSecrets'> subscribed to <class 'kube_hunter.modules.discovery.hosts.RunningAsPodEvent'>
2022-01-19 18:12:28,076 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.core.events.types.HuntStarted'> got published to hunter - <class 'kube_hunter.modules.report.collector.StartedInfo'> with <kube_hunter.core.events.types.HuntStarted object at 0x7f570083b9d0>
2022-01-19 18:12:28,076 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.core.events.types.HuntStarted'> got published to hunter - <class 'kube_hunter.modules.discovery.kubectl.KubectlClientDiscovery'> with <kube_hunter.core.events.types.HuntStarted object at 0x7f570083b9d0>
2022-01-19 18:12:28,076 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.report.collector.StartedInfo'> with {'previous': None, 'hunter': None}
2022-01-19 18:12:28,076 INFO kube_hunter.modules.report.collector Started hunting
2022-01-19 18:12:28,076 INFO kube_hunter.modules.report.collector Discovering Open Kubernetes Services
2022-01-19 18:12:28,077 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.discovery.kubectl.KubectlClientDiscovery'> with {'previous': None, 'hunter': None}
2022-01-19 18:12:28,077 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.modules.discovery.hosts.RunningAsPodEvent'> got published to hunter - <class 'kube_hunter.modules.discovery.hosts.FromPodHostDiscovery'> with <kube_hunter.modules.discovery.hosts.RunningAsPodEvent object at 0x7f5700458eb0>
2022-01-19 18:12:28,077 DEBUG kube_hunter.modules.discovery.kubectl Attempting to discover a local kubectl client
2022-01-19 18:12:28,077 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.discovery.hosts.FromPodHostDiscovery'> with {'name': 'Running from within a pod', 'client_cert': '-----BEGIN CERTIFICATE-----\nMIIDKzCCAhOg*********************************************************************************************************************************************************************************************************************************************************Xdo53BJeuA6cY4tUL9c=\n-----END CERTIFICATE-----\n', 'namespace': 'security', 'kubeservicehost': '10.1.226.1', 'auth_token': 'eyJh****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************MIXx1u5smlv2lSw'}
2022-01-19 18:12:28,077 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.modules.discovery.hosts.RunningAsPodEvent'> got published to hunter - <class 'kube_hunter.modules.hunting.capabilities.PodCapabilitiesHunter'> with <kube_hunter.modules.discovery.hosts.RunningAsPodEvent object at 0x7f5700458eb0>
2022-01-19 18:12:28,077 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.hunting.capabilities.PodCapabilitiesHunter'> with {'name': 'Running from within a pod', 'client_cert': '-----BEGIN CERTIFICATE-----\nMIIDKzCCAhOg*********************************************************************************************************************************************************************************************************************************************************Xdo53BJeuA6cY4tUL9c=\n-----END CERTIFICATE-----\n', 'namespace': 'security', 'kubeservicehost': '10.1.226.1', 'auth_token': 'eyJh****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************MIXx1u5smlv2lSw'}
2022-01-19 18:12:28,078 DEBUG kube_hunter.modules.discovery.kubernetes_client Attempting to use in cluster Kubernetes config
2022-01-19 18:12:28,078 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.modules.discovery.hosts.RunningAsPodEvent'> got published to hunter - <class 'kube_hunter.modules.hunting.secrets.AccessSecrets'> with <kube_hunter.modules.discovery.hosts.RunningAsPodEvent object at 0x7f5700458eb0>
2022-01-19 18:12:28,081 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.hunting.secrets.AccessSecrets'> with {'name': 'Running from within a pod', 'client_cert': '-----BEGIN CERTIFICATE-----\nMIIDKzCCAhOg*********************************************************************************************************************************************************************************************************************************************************Xdo53BJeuA6cY4tUL9c=\n-----END CERTIFICATE-----\n', 'namespace': 'security', 'kubeservicehost': '10.1.226.1', 'auth_token': 'eyJh****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************MIXx1u5smlv2lSw'}
2022-01-19 18:12:28,082 DEBUG kube_hunter.modules.hunting.capabilities Passive hunter's trying to open a RAW socket
2022-01-19 18:12:28,172 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.modules.hunting.secrets.ServiceAccountTokenAccess'> got published to hunter - <class 'kube_hunter.modules.report.collector.Collector'> with <kube_hunter.modules.hunting.secrets.ServiceAccountTokenAccess object at 0x7f56ff45b7f0>
2022-01-19 18:12:28,173 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.report.collector.Collector'> with {'vid': 'KHV050', 'component': <class 'kube_hunter.core.types.components.KubernetesCluster'>, 'category': <class 'kube_hunter.core.types.vulnerabilities.AccessContainerServiceAccountTechnique'>, 'name': "Read access to pod's service account token", 'evidence': 'eyJh****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************lt5arBtPniRd_ks7_V-nzZXOvqV-yS7haN78Pd7oyzJztrtoses_Wd7swloLo0TM4yUQsOYZTOUvaH0eGjHIC0NaJDdwQIcyLoD2tpD9bXiAO78N05647MzcUieaKRykswJpK9-ck5QPpMfTV39532vcXkIgEsjiQYXQnKt0AvKPMm3gMup2rcq2qgzwQpuqqkPMS5FFeK6gCYLjYNi7TxNSm4bOajx2y4Ru3pcQBAp1OoucpIOUk4v_DKm-jPSsEukUVXiHD27uKYXwuaHwIzNo-VOUgSFVxqU_QXdQ2GROR3X-zrASweMIXx1u5smlv2lSw', 'role': 'Node', 'previous': <kube_hunter.modules.discovery.hosts.RunningAsPodEvent object at 0x7f5700458eb0>, 'hunter': <class 'kube_hunter.modules.hunting.secrets.AccessSecrets'>}
2022-01-19 18:12:28,274 DEBUG kube_hunter.modules.hunting.secrets Trying to access pod's secrets directory
2022-01-19 18:12:28,274 DEBUG kube_hunter.modules.discovery.kubectl Could not find kubectl client
2022-01-19 18:12:28,274 DEBUG kube_hunter.modules.hunting.capabilities Passive hunter's closing RAW socket
2022-01-19 18:12:28,274 INFO kube_hunter.modules.report.collector Found vulnerability "Read access to pod's service account token" in Local to Pod (kube-hunter-1642615920-rl5qp)
2022-01-19 18:12:28,275 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.modules.hunting.capabilities.CapNetRawEnabled'> got published to hunter - <class 'kube_hunter.modules.report.collector.Collector'> with <kube_hunter.modules.hunting.capabilities.CapNetRawEnabled object at 0x7f570046b1f0>
2022-01-19 18:12:28,275 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.report.collector.Collector'> with {'vid': 'None', 'component': <class 'kube_hunter.core.types.components.KubernetesCluster'>, 'category': <class 'kube_hunter.core.types.vulnerabilities.ARPPoisoningTechnique'>, 'name': 'CAP_NET_RAW Enabled', 'evidence': '', 'role': 'Node', 'previous': <kube_hunter.modules.discovery.hosts.RunningAsPodEvent object at 0x7f5700458eb0>, 'hunter': <class 'kube_hunter.modules.hunting.capabilities.PodCapabilitiesHunter'>}
2022-01-19 18:12:28,276 INFO kube_hunter.modules.report.collector Found vulnerability "CAP_NET_RAW Enabled" in Local to Pod (kube-hunter-1642615920-rl5qp)
2022-01-19 18:12:28,277 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.modules.hunting.secrets.SecretsAccess'> got published to hunter - <class 'kube_hunter.modules.report.collector.Collector'> with <kube_hunter.modules.hunting.secrets.SecretsAccess object at 0x7f56ff45ba90>
2022-01-19 18:12:28,277 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.report.collector.Collector'> with {'vid': 'None', 'component': <class 'kube_hunter.core.types.components.KubernetesCluster'>, 'category': <class 'kube_hunter.core.types.vulnerabilities.AccessContainerServiceAccountTechnique'>, 'name': "Access to pod's secrets", 'evidence': ['/var/run/secrets/kubernetes.io/serviceaccount/token', '/var/run/secrets/kubernetes.io/serviceaccount/namespace', '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt', '/var/run/secrets/kubernetes.io/serviceaccount/..2022_01_19_18_12_07.711190250/namespace', '/var/run/secrets/kubernetes.io/serviceaccount/..2022_01_19_18_12_07.711190250/ca.crt', '/var/run/secrets/kubernetes.io/serviceaccount/..2022_01_19_18_12_07.711190250/token'], 'role': 'Node', 'previous': <kube_hunter.modules.discovery.hosts.RunningAsPodEvent object at 0x7f5700458eb0>, 'hunter': <class 'kube_hunter.modules.hunting.secrets.AccessSecrets'>}
2022-01-19 18:12:28,277 INFO kube_hunter.modules.report.collector Found vulnerability "Access to pod's secrets" in Local to Pod (kube-hunter-1642615920-rl5qp)
2022-01-19 18:12:28,376 DEBUG kubernetes.client.rest response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"nodes is forbidden: User \"system:serviceaccount:security:default\" cannot list resource \"nodes\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"nodes"},"code":403}

2022-01-19 18:12:28,377 DEBUG kube_hunter.modules.discovery.kubernetes_client Failed to list nodes from Kubernetes: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': 'fd1ca7fe-73ed-414e-81f3-7cec757eb29c', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': '2994797f-99b3-48b9-85f0-499308c6475e', 'X-Kubernetes-Pf-Prioritylevel-Uid': '928a0b61-b409-411f-aec1-4791dc6d6da7', 'Date': 'Wed, 19 Jan 2022 18:12:28 GMT', 'Content-Length': '278'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"nodes is forbidden: User \"system:serviceaccount:security:default\" cannot list resource \"nodes\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"nodes"},"code":403}

2022-01-19 18:12:28,377 DEBUG kube_hunter.modules.discovery.hosts From pod attempting to access Azure Metadata API
2022-01-19 18:12:28,385 DEBUG kube_hunter.modules.discovery.hosts From pod attempting to access AWS Metadata v1 API
2022-01-19 18:12:28,474 DEBUG kube_hunter.modules.discovery.hosts From pod attempting to access AWS Metadata v2 API
2022-01-19 18:12:28,477 DEBUG kube_hunter.core.events.handler Invalid header value b'Not Found\n'
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/kube_hunter/core/events/handler.py", line 320, in worker
    hook.execute()
  File "/usr/local/lib/python3.8/site-packages/kube_hunter/modules/discovery/hosts.py", line 137, in execute
    elif self.is_aws_pod_v2():
  File "/usr/local/lib/python3.8/site-packages/kube_hunter/modules/discovery/hosts.py", line 182, in is_aws_pod_v2
    requests.get(
  File "/usr/local/lib/python3.8/site-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 394, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 239, in request
    super(HTTPConnection, self).request(method, url, body=body, headers=headers)
  File "/usr/local/lib/python3.8/http/client.py", line 1256, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/local/lib/python3.8/http/client.py", line 1297, in _send_request
    self.putheader(hdr, value)
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 224, in putheader
    _HTTPConnection.putheader(self, header, *values)
  File "/usr/local/lib/python3.8/http/client.py", line 1234, in putheader
    raise ValueError('Invalid header value %r' % (values[i],))
ValueError: Invalid header value b'Not Found\n'
2022-01-19 18:12:28,480 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.core.events.types.HuntFinished'> got published to hunter - <class 'kube_hunter.modules.report.collector.SendFullReport'> with <kube_hunter.core.events.types.HuntFinished object at 0x7f570071a250>
2022-01-19 18:12:28,480 DEBUG kube_hunter.core.events.handler Executing <class 'kube_hunter.modules.report.collector.SendFullReport'> with {'previous': None, 'hunter': None}
2022-01-19 18:12:28,574 DEBUG kube_hunter.modules.report.dispatchers Dispatching report via stdout

Vulnerabilities
For further information about a vulnerability, search its ID in: 
https://avd.aquasec.com/
2022-01-19 18:12:28,574 DEBUG kube_hunter.__main__ Cleaned Queue
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| ID     | LOCATION             | MITRE CATEGORY       | VULNERABILITY        | DESCRIPTION          | EVIDENCE             |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| None   | Local to Pod (kube-h | Lateral Movement //  | CAP_NET_RAW Enabled  | CAP_NET_RAW is       |                      |
|        | unter-1642615920-rl5 | ARP poisoning and IP |                      | enabled by default   |                      |
|        | qp)                  | spoofing             |                      | for pods.            |                      |
|        |                      |                      |                      |     If an attacker   |                      |
|        |                      |                      |                      | manages to           |                      |
|        |                      |                      |                      | compromise a pod,    |                      |
|        |                      |                      |                      |     they could       |                      |
|        |                      |                      |                      | potentially take     |                      |
|        |                      |                      |                      | advantage of this    |                      |
|        |                      |                      |                      | capability to        |                      |
|        |                      |                      |                      | perform network      |                      |
|        |                      |                      |                      |     attacks on other |                      |
|        |                      |                      |                      | pods running on the  |                      |
|        |                      |                      |                      | same node            |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| None   | Local to Pod (kube-h | Credential Access // | Access to pod's      | Accessing the pod's  | ['/var/run/secrets/k |
|        | unter-1642615920-rl5 | Access container     | secrets              | secrets within a     | ubernetes.io/service |
|        | qp)                  | service account      |                      | compromised pod      | account/token', '/va |
|        |                      |                      |                      | might disclose       | r/run/secrets/kubern |
|        |                      |                      |                      | valuable data to a   | etes.io/serviceaccou |
|        |                      |                      |                      | potential attacker   | ...                  |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV050 | Local to Pod (kube-h | Credential Access // | Read access to pod's | Accessing the pod    | eyJh**************** |
|        | unter-1642615920-rl5 | Access container     | service account      | service account      | ******************** |
|        | qp)                  | service account      | token                | token gives an       | ******************** |
|        |                      |                      |                      | attacker the option  | ******************** |
|        |                      |                      |                      | to use the server    | *****GMifQ.ey****MiO |
|        |                      |                      |                      | API                  | ...                  |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+

Kube Hunter couldn't find any clusters

revshell0 commented 2 years ago

Hey @danielsagi, did you get a chance to go through the output? Were you able to figure out what went wrong? I look forward to hearing from you soon. Thanks.

danielsagi commented 2 years ago

Hi @revshell0. Thank you for the output! It does seem like there is a bug in the metadata API scanning, which seems to cause the lack of vulnerabilities found.

I'm looking at it and will update you soon for a quick fix.
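
The traceback in the debug log above shows the failure mode behind this diagnosis: the body returned by the AWS IMDSv2 token request ("Not Found\n" on this GKE pod) is passed straight into a request header, http.client rejects it with ValueError, the exception escapes the discovery worker, and no cluster is ever found. The following is an added illustration, not kube-hunter's code: it reproduces that path offline against constructed metadata responses, places the hardened probe beside it, and runs both through a discovery loop that isolates probe failures. The metadata URLs and header names are the documented AWS/GCE ones; the fetch callables and token values are constructed for the example.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# One simulated HTTP exchange: fetch(method, url, request_headers) -> (status, body).
Response = Tuple[int, str]
Fetch = Callable[[str, str, Dict[str, str]], Response]

METADATA_IP = "169.254.169.254"
AWS_TOKEN_URL = f"http://{METADATA_IP}/latest/api/token"      # AWS IMDSv2 token endpoint
AWS_META_URL = f"http://{METADATA_IP}/latest/meta-data/"
GCP_META_URL = f"http://{METADATA_IP}/computeMetadata/v1/"     # GCE metadata server

# The rule http.client.putheader() enforces (Python 3.8): a CR or LF that is
# not followed by whitespace makes a header value illegal -> ValueError.
_ILLEGAL_HEADER_VALUE = re.compile(r"\n(?![ \t])|\r(?![ \t\n])")


def check_header_value(value: str) -> str:
    """Replicates the check that produced the ValueError in the traceback."""
    if _ILLEGAL_HEADER_VALUE.search(value):
        raise ValueError("Invalid header value %r" % value.encode("latin-1"))
    return value


def is_aws_v2_unguarded(fetch: Fetch) -> bool:
    """Failure mode from the traceback: whatever body the token endpoint
    returned is used verbatim as the IMDSv2 token header."""
    _status, body = fetch("PUT", AWS_TOKEN_URL,
                          {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    headers = {"X-aws-ec2-metadata-token": check_header_value(body)}
    status, _ = fetch("GET", AWS_META_URL, headers)
    return status == 200


def is_aws_v2_guarded(fetch: Fetch) -> bool:
    """Hardened form: the body counts as a token only if the request succeeded
    and the body is a single printable line; anything else means 'not AWS'."""
    status, body = fetch("PUT", AWS_TOKEN_URL,
                         {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    token = body.strip()
    if status != 200 or not token or not token.isprintable():
        return False
    headers = {"X-aws-ec2-metadata-token": check_header_value(token)}
    status, _ = fetch("GET", AWS_META_URL, headers)
    return status == 200


def is_gcp(fetch: Fetch) -> bool:
    """The GCE metadata server only answers when Metadata-Flavor: Google is sent."""
    status, _ = fetch("GET", GCP_META_URL, {"Metadata-Flavor": "Google"})
    return status == 200


def discover_platform(fetch: Fetch,
                      aws_v2_probe: Callable[[Fetch], bool]) -> Tuple[Optional[str], List[str]]:
    """Run the probes in order. A probe that raises is recorded and skipped, so
    one unexpected response cannot abort the whole discovery the way the
    uncaught exception in the worker did in the log above."""
    errors: List[str] = []
    for name, probe in (("aws", aws_v2_probe), ("gcp", is_gcp)):
        try:
            if probe(fetch):
                return name, errors
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
    return None, errors


# Constructed stand-in for what a pod on GKE sees at the metadata IP: AWS paths
# get 404 with the body "Not Found\n" (the value shown in the traceback), the
# GCE path answers only when the Google header is present.
def gke_like_metadata(method: str, url: str, headers: Dict[str, str]) -> Response:
    if url.startswith(GCP_META_URL) and headers.get("Metadata-Flavor") == "Google":
        return 200, "attributes/\nhostname\ninstance/\n"
    return 404, "Not Found\n"


# Constructed stand-in for an EC2 node with IMDSv2 enforced; the token is made up.
def aws_like_metadata(method: str, url: str, headers: Dict[str, str]) -> Response:
    if method == "PUT" and url == AWS_TOKEN_URL:
        return 200, "AQAAAExampleTokenValue=="
    if url.startswith(AWS_META_URL):
        if headers.get("X-aws-ec2-metadata-token") == "AQAAAExampleTokenValue==":
            return 200, "ami-id\ninstance-id\n"
        return 401, "Unauthorized\n"
    return 404, "Not Found\n"


if __name__ == "__main__":
    for label, probe in (("unguarded", is_aws_v2_unguarded), ("guarded", is_aws_v2_guarded)):
        print(label, "on GKE-like metadata:", discover_platform(gke_like_metadata, probe))
        print(label, "on AWS-like metadata:", discover_platform(aws_like_metadata, probe))
```

Run stand-alone, the unguarded probe on the GKE-like responses records the same "Invalid header value b'Not Found\n'" error the log shows, while the guarded probe simply reports "not AWS" and discovery proceeds to identify GCP.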

danielsagi commented 2 years ago

A new version is now available: https://github.com/aquasecurity/kube-hunter/releases/tag/v0.6.4

If your problem continues, please reach out and reopen :)