quarkslab / kdigger
Kubernetes focused container assessment and context discovery tool for penetration testing
License: Apache License 2.0
Given that kdigger is written in Go it should be fairly straightforward to provide those builds.
While using kdigger gen, the namespace flag is missing. It will be good to have the namespace flag during kdigger gen.
One can still use ./kdigger gen | kubectl -n <namespace> apply -f -
but adding a flag will help in generation of manifest along with namespace and then editing the same manifest after that.
/assign
Hi,
first of all great tool, I'm loving it.
I was just testing it and noticed that it failed to retrieve the ServiceAccount token from a privileged pod. I guess that the source of the issue is that in the token.go file, the tokenPath is set as /run/secrets/kubernetes.io/serviceaccount instead of /var/run/secrets/kubernetes.io/serviceaccount:
kdigger/pkg/plugins/token/token.go
Line 13 in 6b6f01c
Hi,
I enjoy kdigger, it is helpful during pentests.
Would it be possible to extend the gen command for fuzzing Kubernetes admission controllers?
Wouldn't it be great if it could generate Kubernetes YAML manifests with all cutting edge container spec and security context fields?
This should include pods with privileged initContainer and ephemeralContainers, as well as windows node specific security context fields.
This could be used to test admission controls more thoroughly.
Implementation ideas:
Let me know your opinion about such a feature :-)
While invoking the command kdigger dig mount we get all the mounted file systems. I tried looking for mounts with read and write permissions.
bash-5.1# kdigger dig mount | grep rw
| overlay | / | overlay | rw,relatime,lowerdir=/var/lib/c |
| proc | /proc | proc | rw,nosuid,nodev,noexec,relatime |
| tmpfs | /dev | tmpfs | rw,nosuid,size=65536k,mode=755 |
| devpts | /dev/pts | devpts | rw,nosuid,noexec,relatime,gid=5 |
| mqueue | /dev/mqueue | mqueue | rw,nosuid,nodev,noexec,relatime |
| shm | /dev/shm | tmpfs | rw,nosuid,nodev,noexec,relatime |
| /dev/sda1 | /dev/termination-log | ext4 | rw,relatime,commit=30 |
| /dev/sda1 | /etc/hosts | ext4 | rw,relatime,commit=30 |
| /dev/sda1 | /etc/hostname | ext4 | rw,nosuid,nodev,relatime,commit |
| /dev/sda1 | /etc/resolv.conf | ext4 | rw,nosuid,nodev,relatime,commit |
| shm | /run/containerd/io.containerd.g | tmpfs | rw,nosuid,nodev,noexec,relatime |
| overlay | /run/containerd/io.containerd.r | overlay | rw,relatime,lowerdir=/var/lib/c |
| overlay | /run/containerd/io.containerd.r | overlay | rw,relatime,lowerdir=/var/lib/c |
| shm | /run/containerd/io.containerd.g | tmpfs | rw,nosuid,nodev,noexec,relatime |
You can notice that some of the longer paths in the second column are getting squeezed. It will be great to have a flag that will only print the rw mounts.
Another similar flag can be developed for socks as well.
bash-5.1# kdigger dig mount | grep sock
| tmpfs | /run/containerd/containerd.sock | tmpfs | ro,size=804600k,nr_inodes=81920 |
cc @mtardy
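The filtering requested in this issue, sketched as an added Go example (not kdigger's code and not part of the original post): it reads the mount table directly so paths are never truncated, matches `rw` as an exact mount option instead of a substring the way `grep rw` does, and can select socket paths. The names `Mount`, `ParseMounts` and `Filter` and the sample data are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Constructed sample in /proc/self/mounts format (not output from the page).
const sample = `overlay / overlay rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run/containerd/containerd.sock tmpfs ro,size=804600k 0 0
tmpfs /mnt/rw\040data tmpfs ro,nosuid 0 0`

// Mount is one parsed entry (hypothetical type for this example).
type Mount struct{ Device, Path, FSType, Options string }

// The kernel octal-escapes space, tab, newline and backslash in mount paths.
var unescape = strings.NewReplacer(`\040`, " ", `\011`, "\t", `\012`, "\n", `\134`, `\`)

// ParseMounts reads "device mountpoint fstype options ..." lines.
func ParseMounts(data string) []Mount {
	var out []Mount
	for _, line := range strings.Split(data, "\n") {
		if f := strings.Fields(line); len(f) >= 4 {
			out = append(out, Mount{f[0], unescape.Replace(f[1]), f[2], f[3]})
		}
	}
	return out
}

// Filter keeps mounts with option as an exact token ("" matches all) whose path contains pathSubstr.
func Filter(ms []Mount, option, pathSubstr string) []Mount {
	var out []Mount
	for _, m := range ms {
		hasOpt := option == "" || strings.Contains(","+m.Options+",", ","+option+",")
		if hasOpt && strings.Contains(m.Path, pathSubstr) {
			out = append(out, m)
		}
	}
	return out
}

func main() {
	data := sample
	if b, err := os.ReadFile("/proc/self/mounts"); err == nil {
		data = string(b) // use the live mount table when running on Linux
	}
	for _, m := range Filter(ParseMounts(data), "rw", "") {
		fmt.Printf("%s\t%s\t%s\t%s\n", m.Device, m.Path, m.FSType, m.Options)
	}
}
```

A read-only mount flag on a Unix socket does not stop a process from connecting to it, so socket mounts are worth listing with `Filter(ms, "", ".sock")` regardless of the `rw` filter.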
aarch64-linux support tracker
Current build issues:
# github.com/quarkslab/kdigger/pkg/plugins/syscalls
pkg/plugins/syscalls/syscalls.go:155:7: undefined: unix.SYS_SELECT
pkg/plugins/syscalls/syscalls.go:156:7: undefined: unix.SYS_PAUSE
pkg/plugins/syscalls/syscalls.go:163:7: undefined: unix.SYS_FORK
pkg/plugins/syscalls/syscalls.go:164:7: undefined: unix.SYS_VFORK
pkg/plugins/syscalls/syscalls.go:173:47: undefined: unix.SYS_SELECT
pkg/plugins/syscalls/syscalls.go:173:72: undefined: unix.SYS_PAUSE
pkg/plugins/syscalls/syscalls.go:183:40: undefined: unix.SYS_FORK
pkg/plugins/syscalls/syscalls.go:183:63: undefined: unix.SYS_VFORK
pkg/plugins/syscalls/syscalls.go:230:12: undefined: unix.SYS_OPEN
pkg/plugins/syscalls/syscalls.go:234:12: undefined: unix.SYS_STAT
pkg/plugins/syscalls/syscalls.go:234:12: too many errors
github.com/quarkslab/kdigger/pkg/plugins/authorization
on aarch64-linux and x86_64-darwin
Are there plans for supporting non-x86_64-linux platforms in the future or no?