Below is some sample output that mainly is here to see what open 10255 will give you and look like. What probably of most interest is the /pods endpoint
or the /metrics endpoint
$ ./kube-hunter.py
Choose one of the options below:
1. Remote scanning (scans one or more specific IPs or DNS names)
2. Subnet scanning (scans subnets on all local network interfaces)
3. IP range scanning (scans a given IP range)
Your choice: 1
Remotes (separated by a ‘,’): 1.2.3.4
~ Started
~ Discovering Open Kubernetes Services…
|
| Etcd:
| type: open service
| service: Etcd
|_ host: 1.2.3.4:2379
|
| API Server:
| type: open service
| service: API Server
|_ host: 1.2.3.4:443
|
| API Server:
| type: open service
| service: API Server
|_ host: 1.2.3.4:6443
|
| Etcd Remote version disclosure:
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Remote version disclosure might give an
|_ attacker a valuable data to attack a cluster
|
| Etcd is accessible using insecure connection (HTTP):
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Etcd is accessible using HTTP (without
| authorization and authentication), it would allow a
| potential attacker to
| gain access to
|_ the etcd
|
| Kubelet API (readonly):
| type: open service
| service: Kubelet API (readonly)
|_ host: 1.2.3.4:10255
|
| Etcd Remote Read Access Event:
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Remote read access might expose to an
|_ attacker cluster’s possible exploits, secrets and more.
|
| K8s Version Disclosure:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| The kubernetes version could be obtained
|_ from logs in the /metrics endpoint
|
| Privileged Container:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| A Privileged container exist on a node.
| could expose the node/cluster to unwanted root
|_ operations
|
| Cluster Health Disclosure:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| By accessing the open /healthz handler, an
| attacker could get the cluster health state without
|_ authenticating
|
| Exposed Pods:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| An attacker could view sensitive information
| about pods that are bound to a Node using
|_ the /pods endpoint
———-
Nodes
+————-+—————+
| TYPE | LOCATION |
+————-+—————+
| Node/Master | 1.2.3.4 |
+————-+—————+
Detected Services
+———————-+———————+———————-+
| SERVICE | LOCATION | DESCRIPTION |
+———————-+———————+———————-+
| Kubelet API | 1.2.3.4:10255 | The read-only port |
| (readonly) | | on the kubelet |
| | | serves health |
| | | probing endpoints, |
| | | and is relied upon |
| | | by many kubernetes |
| | | componenets |
+———————-+———————+———————-+
| Etcd | 1.2.3.4:2379 | Etcd is a DB that |
| | | stores cluster’s |
| | | data, it contains |
| | | configuration and |
| | | current state |
| | | information, and |
| | | might contain |
| | | secrets |
+———————-+———————+———————-+
| API Server | 1.2.3.4:6443 | The API server is in |
| | | charge of all |
| | | operations on the |
| | | cluster. |
+———————-+———————+———————-+
| API Server | 1.2.3.4:443 | The API server is in |
| | | charge of all |
| | | operations on the |
| | | cluster. |
+———————-+———————+———————-+
Vulnerabilities
+———————+———————-+———————-+———————-+———————-+
| LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |
+———————+———————-+———————-+———————-+———————-+
| 1.2.3.4:2379 | Unauthenticated | Etcd is accessible | Etcd is accessible | {“etcdserver”:”2.3.8 |
| | Access | using insecure | using HTTP (without | “,”etcdcluster”:”2.3 |
| | | connection (HTTP) | authorization and | … |
| | | | authentication), it | |
| | | | would allow a | |
| | | | potential attacker | |
| | | | to | |
| | | | gain access to | |
| | | | the etcd | |
+———————+———————-+———————-+———————-+———————-+
| 1.2.3.4:2379 | Information | Etcd Remote version | Remote version | {“etcdserver”:”2.3.8 |
| | Disclosure | disclosure | disclosure might | “,”etcdcluster”:”2.3 |
| | | | give an attacker a | … |
| | | | valuable data to | |
| | | | attack a cluster | |
+———————+———————-+———————-+———————-+———————-+
| 1.2.3.4:10255 | Information | K8s Version | The kubernetes | v1.5.6-rc17 |
| | Disclosure | Disclosure | version could be | |
| | | | obtained from logs | |
| | | | in the /metrics | |
| | | | endpoint | |
+———————+———————-+———————-+———————-+———————-+
| 1.2.3.4:10255 | Information | Exposed Pods | An attacker could | count: 68 |
| | Disclosure | | view sensitive | |
| | | | information about | |
| | | | pods that are bound | |
| | | | to a Node using the | |
| | | | /pods endpoint | |
+———————+———————-+———————-+———————-+———————-+
| 1.2.3.4:10255 | Information | Cluster Health | By accessing the | status: ok |
| | Disclosure | Disclosure | open /healthz | |
| | | | handler, an attacker | |
| | | | could get the | |
| | | | cluster health state | |
| | | | without | |
| | | | authenticating | |
+———————+———————-+———————-+———————-+———————-+
| 1.2.3.4:2379 | Access Risk | Etcd Remote Read | Remote read access | {“action”:”get”,”nod |
| | | Access Event | might expose to an | e”:{“dir”:true,”node |
| | | | attacker cluster’s | … |
| | | | possible exploits, | |
| | | | secrets and more. | |
+———————+———————-+———————-+———————-+———————-+
| 1.2.3.4:10255 | Access Risk | Privileged Container | A Privileged | pod: node-exporter- |
| | | | container exist on a | 1fmd9-z9685, |
| | | | node. could expose | containe… |
| | | | the node/cluster to | |
| | | | unwanted root | |
| | | | operations | |
+———————+———————-+———————-+———————-+———————-+
