Dissect container images, runtimes, and orchestrators.
| tool | description |
|---|---|
| trivy | Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more. |
| syft | CLI tool and library for generating a Software Bill of Materials from container images and filesystems. |
| grype | A vulnerability scanner for container images and filesystems. |
| kube-bench | Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark. |
| checkov | Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew. |
| kubeaudit | kubeaudit helps you audit your Kubernetes clusters against common security controls. |
| cosign | Container signing. |
| kdigger | Kubernetes focused container assessment and context discovery tool for penetration testing. |
| kubectl | Kubernetes provides a command line tool for communicating with a Kubernetes cluster's control plane, using the Kubernetes API. |
| docker | Command line interface for interacting with docker container images. |
| podman | A tool for managing OCI containers and pods. |
| dive | A tool for exploring a docker image, layer contents, and discovering ways to shrink the size of your Docker/OCI image. |
| crictl | CLI and validation tools for Kubelet Container Runtime Interface (CRI). |
| KubiScan | A tool to scan Kubernetes cluster for risky permissions. |
| Docker Bench Security | The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. |
| peirates | Peirates, a Kubernetes penetration tool, enables an attacker to escalate privilege and pivot through a Kubernetes cluster. It automates known techniques to steal and collect service account tokens, secrets, obtain further code execution, and gain control of the cluster. |
| TruffleHog | Find and verify credentials. |
| TruffleHog3 | This is an enhanced version of the Python-based truffleHog scanner. |
| Popeye | A Kubernetes cluster resource sanitizer. |
| k9s | Kubernetes CLI to manage your clusters in style. |
| Hadolint | Dockerfile linter, validates inline bash, written in Haskell. |
| Conftest | Write tests against structured configuration data using the Open Policy Agent Rego query language. |
| audit2rbac | Autogenerate RBAC policies based on Kubernetes audit logs. |
| kubeshark | The API traffic analyzer for Kubernetes providing real-time K8s protocol-level visibility, capturing and monitoring all traffic and payloads going in, out and across containers, pods, nodes and clusters. Inspired by Wireshark, purposely built for Kubernetes. |
| hardeneks | Runs checks to see if an EKS cluster follows EKS Best Practices. |
| amicontained | Container introspection tool. Find out what container runtime is being used as well as features available. |
| kubesec | Security risk analysis for Kubernetes resources. |
| kubectl-who-can | Show who has RBAC permissions to perform actions on different resources in Kubernetes. |
| etcdctl | etcdctl is a command line client for etcd. |
| gitleaks | Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code. |
| kubeletctl | Kubeletctl is a command line tool that implements the kubelet's API. Part of the kubelet's API is documented but most of it is not. This tool covers both the documented and the undocumented APIs. |
| kube-hunter | Hunt for security weaknesses in Kubernetes clusters. |
| netassert | Network security testing for Kubernetes DevSecOps workflows. |
| truffleproc | Hunt secrets in process memory (TruffleHog & gdb mashup). |
| checkpointctl | Tool to inspect Kubernetes and Podman checkpoints. |
| ... | ... |
- build
```bash
docker buildx build -t ghcr.io/xopham/k8tlery:$K8TLERY_VERSION -t ghcr.io/xopham/k8tlery:latest .
```
- push
```bash
docker push ghcr.io/xopham/k8tlery --all-tags
```
- re-tag (rewrites every `ghcr.io/xopham/k8tlery:v...` reference under the current directory to `$K8TLERY_VERSION`; the tag match stops at the first whitespace so nothing after the tag on the same line is clobbered)
```bash
find ./ -type f -exec sed -i "s%ghcr\.io/xopham/k8tlery:v[^[:space:]]*%ghcr.io/xopham/k8tlery:$K8TLERY_VERSION%g" {} \;
```
- local shell with the same tools (nix)
```bash
nix-shell k8tlery.nix
```
- run the image interactively
```bash
docker run -it --rm ghcr.io/xopham/k8tlery:<tag>
```
- deploy to a cluster (all manifests, or roles plus one of the two pod variants)
```bash
kubectl apply -f deployment/
#or
kubectl apply -f deployment/01-roles.yaml
kubectl apply -f deployment/02-k8tlery.yaml
#or
kubectl apply -f deployment/01-roles.yaml
kubectl apply -f deployment/03-k8tlery-fullaccess.yaml
```
- get a shell in the pod
```bash
kubectl exec -it k8tlery -- bash
```
- download and save image
```bash
docker pull $IMAGE
docker save $IMAGE > image.tar
docker image ls
```
- inspect image content
```bash
docker inspect $IMAGE
docker history --no-trunc $IMAGE
```
- inspect image layers (dive)
```bash
dive $IMAGE
```
- extract file from image.tar (nix-shell custom functions)
```bash
layer_list $IMAGETAR $LAYERID $FILE #run 'layer_list' for help
layer_extract $IMAGETAR $LAYERID $FILE #run 'layer_list' for help
```
- create container w/o running it
```bash
docker create --name container $IMAGE #returns container ID CONTID
docker container ls -a #displays all available container IDs
```
- inspect container filesystems
```bash
mkdir $FOLDER
docker export $CONTID | tar -xC $FOLDER #make sure to unpack to a dedicated folder
ls -la $FOLDER
```
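The `layer_list`/`layer_extract` helpers above are k8tlery's own; the script below is an added example (not part of the project) of what such helpers do under the hood, walking a `docker save` tarball layer by layer. The point it makes is the one `docker export` hides: a file that a later layer deletes (an OCI whiteout entry `.wh.<name>`) is still fully present in the earlier layer, so "removed" credentials survive in the image. The manifest parsing assumes the single-line `manifest.json` that `docker save` writes; the three-layer image it builds is constructed inline for the demo and the credential in it is a placeholder.

```shell
#!/bin/sh
# Added example: find which layer of a `docker save` tarball added or deleted a path,
# and pull that path out of exactly that layer. Not one of k8tlery's nix-shell helpers.
set -e

# layers_of MANIFEST -> one layer tar path per line, in image order.
# Assumes the compact single-line manifest.json produced by `docker save`.
layers_of() {
  sed -n 's/.*"Layers":\[\([^]]*\)\].*/\1/p' "$1" | tr -d '" ' | tr ',' '\n'
}

# layer_find IMAGETAR PATH -> "<index> <layer> present|deleted" for every layer touching PATH.
# PATH is relative to the image root without a leading slash, e.g. root/.aws_credentials.
layer_find() {
  img=$1; path=$2
  work=$(mktemp -d)
  tar -xf "$img" -C "$work"
  # whiteout entry that marks PATH as deleted in a layer (AUFS/OCI convention)
  wh="$(dirname "$path")/.wh.$(basename "$path")"
  wh=${wh#./}
  n=0
  for layer in $(layers_of "$work/manifest.json"); do
    n=$((n + 1))
    entries=$(tar -tf "$work/$layer")
    printf '%s\n' "$entries" | grep -qxF "$path" && echo "$n $layer present"
    printf '%s\n' "$entries" | grep -qxF "$wh" && echo "$n $layer deleted"
  done
  rm -rf "$work"
}

# layer_extract IMAGETAR LAYER PATH DEST -> extract PATH from that single layer into DEST/
layer_extract() {
  img=$1; layer=$2; path=$3; dest=$4
  work=$(mktemp -d)
  tar -xf "$img" -C "$work" "$layer"
  mkdir -p "$dest"
  tar -xf "$work/$layer" -C "$dest" "$path"
  rm -rf "$work"
}

# make_demo_image -> constructed three-layer image tarball, prints its path.
# layer 1 adds etc/passwd, layer 2 adds root/.aws_credentials, layer 3 "deletes" it.
make_demo_image() {
  d=$(mktemp -d)
  mkdir -p "$d/l1" "$d/l2" "$d/l3" "$d/src1/etc" "$d/src2/root" "$d/src3/root"
  echo 'root:x:0:0:root:/root:/bin/sh' > "$d/src1/etc/passwd"
  echo 'password=hunter2-demo' > "$d/src2/root/.aws_credentials"   # placeholder, not a real secret
  : > "$d/src3/root/.wh..aws_credentials"                           # whiteout = deletion in layer 3
  tar -cf "$d/l1/layer.tar" -C "$d/src1" etc
  tar -cf "$d/l2/layer.tar" -C "$d/src2" root
  tar -cf "$d/l3/layer.tar" -C "$d/src3" root
  printf '[{"Config":"cfg.json","RepoTags":["demo:1"],"Layers":["l1/layer.tar","l2/layer.tar","l3/layer.tar"]}]' > "$d/manifest.json"
  tar -cf "$d/image.tar" -C "$d" manifest.json l1 l2 l3
  echo "$d/image.tar"
}

DEMO_IMAGE=$(make_demo_image)
echo "layers touching root/.aws_credentials in $DEMO_IMAGE:"
layer_find "$DEMO_IMAGE" root/.aws_credentials
```

Run `layer_find image.tar <path>` against a real `docker save` output; a `present` line followed by a `deleted` line is the pattern to look for, and `layer_extract` then recovers the file from the layer that still holds it.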
- create checkpoint of running container w/o interruption, e.g.:
```bash
sudo podman container checkpoint -e $OUTPUTFILE $CONTID --leave-running
```
- investigate checkpoint (checkpointctl)
  - get info
```bash
checkpointctl show $OUTPUTFILE
```
  - get full details
```bash
checkpointctl inspect $OUTPUTFILE --all
```
  - parse memory
```bash
checkpointctl memparse $OUTPUTFILE --all
```
  - inspect container drift (the checkpoint archive carries `rootfs-diff.tar`, the files changed since the image was started)
```bash
tar -xf $OUTPUTFILE -C $TARGETFOLDER
tar -xf $TARGETFOLDER/rootfs-diff.tar -C $DIFFFOLDER
```
- misconfiguration scan
  - trivy
```bash
trivy k8s --report summary cluster
```
- container runtime
```bash
cat /proc/self/cgroup
```
- container runtime sockets (might be slow on large trees; unix sockets are file type `s`, so `-type f` would never match them)
```bash
find /run -type s -name "*.sock" #adjust target folder, e.g. / to catch sockets mounted elsewhere
# also need to review '/run' folder manually
```
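As an added example (not from the k8tlery image), the two checks above folded into a small "where am I" script: it classifies the cgroup path and lists only real unix sockets, flagging the well-known container-runtime socket names. A writable runtime socket inside a container is a host-level foothold, so it deserves its own line in the output. The cgroup line formats and the socket names are the usual ones; the sample cgroup file in the test is constructed.

```shell
#!/bin/sh
# Added example: cgroup classification plus runtime-socket discovery with the correct
# find(1) file type. Not part of the k8tlery project.
set -e

# cgroup_hint CGROUPFILE -> kubernetes | docker | containerd | none
# Cgroup v2 containers often show only "0::/", so "none" does not prove you are on a host.
cgroup_hint() {
  if grep -q 'kubepods' "$1" 2>/dev/null; then echo kubernetes
  elif grep -q -e '/docker/' -e 'docker-' "$1" 2>/dev/null; then echo docker
  elif grep -q 'containerd' "$1" 2>/dev/null; then echo containerd
  else echo none
  fi
}

# runtime_sockets ROOT -> every unix socket below ROOT (stays on one filesystem)
runtime_sockets() {
  find "$1" -xdev -type s 2>/dev/null
}

# socket_is_runtime PATH -> success when the basename is a known container runtime socket
socket_is_runtime() {
  case $(basename "$1") in
    docker.sock|containerd.sock|crio.sock|podman.sock|dockershim.sock) return 0 ;;
    *) return 1 ;;
  esac
}

echo "cgroup: $(cgroup_hint /proc/self/cgroup)"
for s in $(runtime_sockets /run); do     # adjust the root, e.g. / for a full sweep
  if socket_is_runtime "$s"; then
    if [ -w "$s" ]; then echo "runtime socket, WRITABLE (host control): $s"
    else echo "runtime socket, read-only for us: $s"; fi
  fi
done
```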
- hosts information
```bash
cat /etc/hosts
```
- mount information
```bash
mount
```
- file system
```bash
ls -la /
ls -la /home/
ls -la /root/
ls -la /tmp/
```
- environment variables
```bash
printenv
```
- k8s information
  - kdigger
```bash
curl -fSL -o /tmp/kdigger https://github.com/quarkslab/kdigger/releases/download/v1.5.0/kdigger-linux-amd64
chmod +x /tmp/kdigger
alias kdigger='/tmp/kdigger'
kdigger dig all
```
  - kube-hunter
```bash
pip3 install kube-hunter
kube-hunter --pod
```
- secrets (trufflehog3)
```bash
pip3 install trufflehog3
trufflehog3 /var/run #choose relevant target folders
```
  - custom rule (YAML list of rules; the fields of one rule are indented under its `- id`)
```yaml
#k8s-goat.rule
- id: k8s-goat.flag
  message: found k8s-goat flag
  pattern: "k8s-goat-"
  severity: HIGH
```
```bash
trufflehog3 -r k8s-goat.rule /tmp #adjust rule and target
```
- secrets from process memory (truffleproc): needs work
- vulnerable packages (trivy)
```bash
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
trivy rootfs /
```
- k8s APIs
  - curl (using the service account token mounted into the pod)
```bash
APISERVER=https://${KUBERNETES_SERVICE_HOST}
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
TOKEN=$(cat ${SERVICEACCOUNT}/token)
CACERT=${SERVICEACCOUNT}/ca.crt
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
```
  - peirates
```bash
curl -fSL -o /tmp/peirates.tar.xz https://github.com/inguardians/peirates/releases/download/v1.1.13/peirates-linux-amd64.tar.xz
tar -xvf /tmp/peirates.tar.xz -C /tmp
chmod a+x /tmp/peirates-linux-amd64/peirates
alias peirates='/tmp/peirates-linux-amd64/peirates'
peirates
```
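Before reaching for peirates it is worth knowing which identity the mounted token represents and what the API server lets it do. The script below is an added example (not part of k8tlery) that wraps the curl steps above as functions, decodes the token's payload (the signature is not verified; this is recon, not authentication) and asks the API server through a `SelfSubjectAccessReview` whether the current identity may `get`/`list`/`create` secrets. `kube_api`, `kube_can` and `ssar_body` are names chosen here; the demo token is constructed and unsigned so the decoding can be exercised outside a cluster.

```shell
#!/bin/sh
# Added example: in-cluster API recon with the mounted service account token.
# Not part of the k8tlery project; function names are this example's own.
set -e

SERVICEACCOUNT=${SERVICEACCOUNT:-/var/run/secrets/kubernetes.io/serviceaccount}

# jwt_claims TOKEN -> payload JSON of a JWT. No signature check: it reports what the
# token claims (subject, namespace, expiry), which is what recon needs.
jwt_claims() {
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#p} % 4 )) in 2) p="$p==" ;; 3) p="$p=" ;; esac   # restore base64 padding
  printf '%s' "$p" | base64 -d
}

# kube_api METHOD PATH [BODY] -> authenticated request against the in-cluster API server
kube_api() {
  url="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT:-443}$2"
  if [ -n "${3:-}" ]; then
    curl -sS --cacert "$SERVICEACCOUNT/ca.crt" -H "Authorization: Bearer $(cat "$SERVICEACCOUNT/token")" \
         -H 'Content-Type: application/json' -X "$1" --data "$3" "$url"
  else
    curl -sS --cacert "$SERVICEACCOUNT/ca.crt" -H "Authorization: Bearer $(cat "$SERVICEACCOUNT/token")" \
         -X "$1" "$url"
  fi
}

# ssar_body VERB RESOURCE NAMESPACE -> SelfSubjectAccessReview request body
ssar_body() {
  printf '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview","spec":{"resourceAttributes":{"namespace":"%s","verb":"%s","resource":"%s"}}}' "$3" "$1" "$2"
}

# kube_can VERB RESOURCE [NAMESPACE] -> allowed | denied, as judged by the API server's RBAC
kube_can() {
  ns=${3:-$(cat "$SERVICEACCOUNT/namespace")}
  if kube_api POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews "$(ssar_body "$1" "$2" "$ns")" \
       | grep -q '"allowed":true'; then echo allowed; else echo denied; fi
}

# b64url: base64url without padding, as used in JWT segments
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# make_demo_token -> constructed, unsigned token carrying DEMO_CLAIMS (offline use only)
DEMO_CLAIMS='{"sub":"system:serviceaccount:default:demo","kubernetes.io":{"namespace":"default"}}'
make_demo_token() {
  printf '%s.%s.%s' "$(printf '{"alg":"none"}' | b64url)" "$(printf '%s' "$DEMO_CLAIMS" | b64url)" sig
}

if [ -r "$SERVICEACCOUNT/token" ]; then
  echo "token claims: $(jwt_claims "$(cat "$SERVICEACCOUNT/token")")"
  for verb in get list create; do
    echo "$verb secrets in $(cat "$SERVICEACCOUNT/namespace"): $(kube_can "$verb" secrets)"
  done
else
  echo "no service account token mounted; decoding the constructed demo token instead:"
  jwt_claims "$(make_demo_token)"; echo
fi
```

Inside a pod the script prints the subject and namespace of the token and one `allowed`/`denied` line per verb; `kube_can list secrets kube-system` is the quick test for cluster-wide secret access before anything noisier runs. Note that `SelfSubjectAccessReview` only reports what RBAC would decide, it does not touch the secrets themselves.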
- resource exhaustion (DoS)
```bash
stress-ng --cpu 2 --cpu-load 1 --vm 2 --vm-bytes 100m -t 100s --verify -v #adjust to use case
```
- various angles (peirates)
```bash
curl -fSL -o /tmp/peirates.tar.xz https://github.com/inguardians/peirates/releases/download/v1.1.13/peirates-linux-amd64.tar.xz
tar -xvf /tmp/peirates.tar.xz -C /tmp
chmod a+x /tmp/peirates-linux-amd64/peirates
alias peirates='/tmp/peirates-linux-amd64/peirates'
peirates
```