CDK - Zero Dependency Container Penetration Toolkit

IT Security News feedproxy.google.com


CDK is an open-source container penetration toolkit, designed to offer stable exploitation in different slimmed-down containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs that help you escape the container and take over the K8s cluster easily.

CDK is still under development; submit issues or mail [email protected] if you need any help.


Installation

Download the latest release from: https://github.com/cdk-team/CDK/releases/

Drop the executable into the target container and start testing.


Usage

Usage:
  cdk evaluate [--full]
  cdk run (--list | <exploit> [<args>...])
  cdk auto-escape <cmd>
  cdk <tool> [<args>...]

Evaluate:
  cdk evaluate                    Gather information to find weakness inside container.
  cdk evaluate --full             Enable file scan during information gathering.

Exploit:
  cdk run --list                  List all available exploits.
  cdk run <exploit> [<args>...]   Run single exploit, docs in https://github.com/cdk-team/CDK/wiki

Auto Escape:
  cdk auto-escape <cmd>           Escape container in different ways then let target execute <cmd>.

Tool:
  vi <file>                                   Edit files in container like "vi" command.
  ps                                          Show process information like "ps -ef" command.
  nc [options]                                Create TCP tunnel.
  ifconfig                                    Show network information.
  kcurl <path> (get|post) <uri> <data>        Make request to K8s api-server.
  ucurl (get|post) <socket> <uri> <data>      Make request to docker unix socket.
  probe <ip> <port> <parallel> <timeout-ms>   TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000

Options:
  -h --help                       Show this help msg.
  -v --version                    Show version.

Features

CDK has three modules:

  1. Evaluate: gather information inside the container to find potential weaknesses.
  2. Exploit: container escaping, persistence and lateral movement.
  3. Tool: network tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

Evaluate Module

Usage

cdk evaluate [--full]

This command runs the scripts below without local file scanning; use --full to enable all of them.

Tactics               | Script                      | Usage/Example
Information Gathering | OS Basic Info               | link
Information Gathering | Available Capabilities      | link
Information Gathering | Available Linux Commands    | link
Information Gathering | Mounts                      | link
Information Gathering | Net Namespace               | link
Information Gathering | Sensitive ENV               | link
Information Gathering | Sensitive Process           | link
Information Gathering | Sensitive Local Files       | link
Discovery             | K8s Api-server Info         | link
Discovery             | K8s Service-account Info    | link
Discovery             | Cloud Provider Metadata API | link
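One of the checks above, Available Capabilities, comes down to decoding the CapEff bitmask in /proc/<pid>/status. The Go program below is an added example written from a hardening-review angle; it is not CDK's own code. It extracts the mask, expands it into capability names from linux/capability.h, and flags the ones a workload should normally not hold (which capabilities count as risky is this example's own assumption, not CDK's policy).

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)
// Capability names by bit number (linux/capability.h, bits 0-40); "CAP_" is prefixed in code.
var capNames = strings.Fields(`CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK IPC_OWNER
SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE
SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN
SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE`)
// Capabilities a hardening review should flag; this list is the example's assumption, not CDK's.
var riskyCaps = map[string]bool{"CAP_SYS_ADMIN": true, "CAP_SYS_PTRACE": true, "CAP_SYS_MODULE": true, "CAP_DAC_READ_SEARCH": true}
// CapEffFromStatus pulls the hex CapEff mask out of /proc/<pid>/status text.
func CapEffFromStatus(status string) (string, error) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "CapEff:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "CapEff:")), nil
		}
	}
	return "", fmt.Errorf("no CapEff line in status")
}
// DecodeCapMask expands a hex CapEff mask into capability names and returns the risky subset.
func DecodeCapMask(hexMask string) (all, risky []string, err error) {
	mask, err := strconv.ParseUint(strings.TrimSpace(hexMask), 16, 64)
	if err != nil {
		return nil, nil, err
	}
	for bit, short := range capNames {
		if mask&(uint64(1)<<uint(bit)) != 0 {
			name := "CAP_" + short
			all = append(all, name)
			if riskyCaps[name] {
				risky = append(risky, name)
			}
		}
	}
	return all, risky, nil
}

func main() { // live check of the calling process, e.g. run inside the container under review
	if data, err := os.ReadFile("/proc/self/status"); err == nil {
		mask, _ := CapEffFromStatus(string(data))
		all, risky, _ := DecodeCapMask(mask)
		fmt.Printf("CapEff %s: %d capabilities, risky: %v\n", mask, len(all), risky)
	}
}
```

Docker's default mask 00000000a80425fb decodes to 14 capabilities with nothing flagged, while a fully privileged 0000003fffffffff mask flags CAP_DAC_READ_SEARCH, CAP_SYS_MODULE, CAP_SYS_PTRACE and CAP_SYS_ADMIN.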

Exploit Module

List all available exploits:

cdk run --list

Run targeted exploit:

cdk run <script-name> [options]

Tactic            | Technique                          | CDK Exploit Name       | Doc
Escaping          | docker-runc CVE-2019-5736          | runc-pwn               |
Escaping          | docker-cp CVE-2019-14271           |                        |
Escaping          | containerd-shim CVE-2020-15257     | shim-pwn               | link
Escaping          | dirtycow CVE-2016-5159             |                        |
Escaping          | docker.sock PoC (DIND attack)      | docker-sock-check      | link
Escaping          | docker.sock Backdoor Image Deploy  | docker-sock-deploy     | link
Escaping          | Device Mount Escaping              | mount-disk             | link
Escaping          | Cgroups Escaping                   | mount-cgroup           | link
Escaping          | Procfs Escaping                    | mount-procfs           | link
Escaping          | Ptrace Escaping PoC                | check-ptrace           | link
Discovery         | K8s Component Probe                | service-probe          | link
Discovery         | Dump Istio Sidecar Meta            | istio-check            | link
Lateral Movement  | K8s Service Account Control        |                        |
Lateral Movement  | Attack K8s api-server              |                        |
Lateral Movement  | Attack K8s Kubelet                 |                        |
Lateral Movement  | Attack K8s Dashboard               |                        |
Lateral Movement  | Attack K8s Helm                    |                        |
Lateral Movement  | Attack K8s Etcd                    |                        |
Lateral Movement  | Attack Private Docker Registry     |                        |
Remote Control    | Reverse Shell                      | reverse-shell          | link
Credential Access | Access Key Scanning                | ak-leakage             | link
Credential Access | Dump K8s Secrets                   | k8s-secret-dump        | link
Credential Access | Dump K8s Config                    | k8s-configmap-dump     | link
Persistence       | Deploy WebShell                    |                        |
Persistence       | Deploy Backdoor Pod                | k8s-backdoor-daemonset | link
Persistence       | Deploy Shadow K8s api-server       | k8s-shadow-apiserver   | link
Persistence       | K8s MITM Attack (CVE-2020-8554)    | k8s-mitm-clusterip     | link
Persistence       | Deploy K8s CronJob                 |                        |
Defense Evasion   | Disable K8s Audit                  |                        |

Tool Module

These commands work like their Linux counterparts, with slightly different input arguments; see the usage link.

cdk nc [options]
cdk ps

Command  | Description                    | Usage/Example
nc       | TCP Tunnel                     | link
ps       | Process Information            | link
ifconfig | Network Information            | link
vi       | Edit Files                     | link
kcurl    | Request to K8s api-server      | link
dcurl    | Request to Docker HTTP API     |
ucurl    | Request to Docker Unix Socket  | link
rcurl    | Request to Docker Registry API |
probe    | IP/Port Scanning               | link

Developer Docs

TODO
  1. Echo loader for delivering CDK into target container via Web RCE.
  2. EDR defense evasion.
  3. Compile optimization.
  4. Dev docs


...


Read the full article (external source: http://feedproxy.google.com/~r/PentestTools/~3/ghyncCO0qqs/cdk-zero-dependency-container.html)
