$ ./kube-hunter.py
Choose one of the options below:
1. Remote scanning (scans one or more specific IPs or DNS names)
2. Subnet scanning (scans subnets on all local network interfaces)
3. IP range scanning (scans a given IP range)
Your choice: 1
Remotes (separated by a ','): 1.2.3.4
~ Started
~ Discovering Open Kubernetes Services...
|
| Etcd:
| type: open service
| service: Etcd
|_ host: 1.2.3.4:2379
|
| API Server:
| type: open service
| service: API Server
|_ host: 1.2.3.4:443
|
| API Server:
| type: open service
| service: API Server
|_ host: 1.2.3.4:6443
|
| Etcd Remote version disclosure:
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Remote version disclosure might give an
|_ attacker a valuable data to attack a cluster
|
| Etcd is accessible using insecure connection (HTTP):
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Etcd is accessible using HTTP (without
| authorization and authentication), it would allow a
| potential attacker to
| gain access to
|_ the etcd
|
| Kubelet API (readonly):
| type: open service
| service: Kubelet API (readonly)
|_ host: 1.2.3.4:10255
|
| Etcd Remote Read Access Event:
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Remote read access might expose to an
|_ attacker cluster's possible exploits, secrets and more.
|
| K8s Version Disclosure:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| The kubernetes version could be obtained
|_ from logs in the /metrics endpoint
|
| Privileged Container:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| A Privileged container exist on a node.
| could expose the node/cluster to unwanted root
|_ operations
|
| Cluster Health Disclosure:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| By accessing the open /healthz handler, an
| attacker could get the cluster health state without
|_ authenticating
|
| Exposed Pods:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| An attacker could view sensitive information
| about pods that are bound to a Node using
|_ the /pods endpoint
----------
Nodes
+-------------+---------------+
| TYPE | LOCATION |
+-------------+---------------+
| Node/Master | 1.2.3.4 |
+-------------+---------------+
Detected Services
+----------------------+---------------------+----------------------+
| SERVICE | LOCATION | DESCRIPTION |
+----------------------+---------------------+----------------------+
| Kubelet API | 1.2.3.4:10255 | The read-only port |
| (readonly) | | on the kubelet |
| | | serves health |
| | | probing endpoints, |
| | | and is relied upon |
| | | by many kubernetes |
| | | componenets |
+----------------------+---------------------+----------------------+
| Etcd | 1.2.3.4:2379 | Etcd is a DB that |
| | | stores cluster's |
| | | data, it contains |
| | | configuration and |
| | | current state |
| | | information, and |
| | | might contain |
| | | secrets |
+----------------------+---------------------+----------------------+
| API Server | 1.2.3.4:6443 | The API server is in |
| | | charge of all |
| | | operations on the |
| | | cluster. |
+----------------------+---------------------+----------------------+
| API Server | 1.2.3.4:443 | The API server is in |
| | | charge of all |
| | | operations on the |
| | | cluster. |
+----------------------+---------------------+----------------------+
Vulnerabilities
+---------------------+----------------------+----------------------+----------------------+----------------------+
| LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:2379 | Unauthenticated | Etcd is accessible | Etcd is accessible | {"etcdserver":"2.3.8 |
| | Access | using insecure | using HTTP (without | ","etcdcluster":"2.3 |
| | | connection (HTTP) | authorization and | ... |
| | | | authentication), it | |
| | | | would allow a | |
| | | | potential attacker | |
| | | | to | |
| | | | gain access to | |
| | | | the etcd | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:2379 | Information | Etcd Remote version | Remote version | {"etcdserver":"2.3.8 |
| | Disclosure | disclosure | disclosure might | ","etcdcluster":"2.3 |
| | | | give an attacker a | ... |
| | | | valuable data to | |
| | | | attack a cluster | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255 | Information | K8s Version | The kubernetes | v1.5.6-rc17 |
| | Disclosure | Disclosure | version could be | |
| | | | obtained from logs | |
| | | | in the /metrics | |
| | | | endpoint | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255 | Information | Exposed Pods | An attacker could | count: 68 |
| | Disclosure | | view sensitive | |
| | | | information about | |
| | | | pods that are bound | |
| | | | to a Node using the | |
| | | | /pods endpoint | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255 | Information | Cluster Health | By accessing the | status: ok |
| | Disclosure | Disclosure | open /healthz | |
| | | | handler, an attacker | |
| | | | could get the | |
| | | | cluster health state | |
| | | | without | |
| | | | authenticating | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:2379 | Access Risk | Etcd Remote Read | Remote read access | {"action":"get","nod |
| | | Access Event | might expose to an | e":{"dir":true,"node |
| | | | attacker cluster's | ... |
| | | | possible exploits, | |
| | | | secrets and more. | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255 | Access Risk | Privileged Container | A Privileged | pod: node-exporter- |
| | | | container exist on a | 1fmd9-z9685, |
| | | | node. could expose | containe... |
| | | | the node/cluster to | |
| | | | unwanted root | |
| | | | operations | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
|