CDK is an open-sourced container penetration toolkit, designed for offering stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs helps you to escape container and takeover K8s cluster easily.
Currently still under development, submit issues or mail i@cdxy.me if you need any help.
Download latest release in: https://github.com/cdk-team/CDK/releases/
Drop executable files into target container and start testing.
Usage
Usage:
cdk evaluate [--full]
cdk run (--list | <exploit> [<args>...])
cdk auto-escape <cmd>
cdk <tool> [<args>...]
Evaluate:
cdk evaluate Gather information to find weakness inside container.
cdk evaluate --full Enable file scan during information gathering.
Exploit:
cdk run --list List all available exploits.
cdk run <exploit> [<args>...] Run single exploit, docs in https://github.com/cdk-team/CDK/wiki
Auto Escape:
cdk auto-escape <cmd> Escape container in different ways then let target execute <cmd>.
Tool:
vi <file> Edit files in container like "vi" command.
ps Show process information like "ps -ef" command.
nc [options] Create TCP tunnel.
ifconfig Show network information.
kcurl <path> (get|post) <uri> <data> Make request to K8s api-server.
ucurl (get|post) <socket> <uri> <data> Make request to docker unix socket.
probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000
Options:
-h --help Show this help msg.
-v --version Show version.
Features
CDK have three modules:
- Evaluate: gather information inside container to find potential weakness.
- Exploit: for container escaping, persistance and lateral movement
- Tool: network-tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.
Evaluate Module
Usage
cdk evaluate [--full]
This command will run the scripts below without local file scanning, using --full to enable all.
| Tactics | Script | Supported | Usage/Example |
|---|---|---|---|
| Information Gathering | OS Basic Info |
✔
|
link |
| Information Gathering | Available Capabilities |
✔
|
link |
| Information Gathering | Available Linux Commands |
✔
|
link |
| Information Gathering | Mounts |
✔
|
link |
| Information Gathering | Net Namespace |
✔
|
link |
| Information Gathering | Sensitive ENV |
✔
|
link |
| Information Gathering | Sensitive Process |
✔
|
link |
| Information Gathering | Sensitive Local Files |
✔
|
link |
| Discovery | K8s Api-server Info |
✔
|
link |
| Discovery | K8s Service-account Info |
✔
|
link |
| Discovery | Cloud Provider Metadata API |
✔
|
link |
Exploit Module
List all available exploits:
cdk run --list
Run targeted exploit:
cdk run <script-name> [options]
| Tactic | Technique | CDK Exploit Name | Supported | Doc |
|---|---|---|---|---|
| Escaping | docker-runc CVE-2019-5736 | runc-pwn |
✔
|
|
| Escaping | docker-cp CVE-2019-14271 | |||
| Escaping | containerd-shim CVE-2020-15257 | shim-pwn |
✔
|
link |
| Escaping | dirtycow CVE-2016-5159 | |||
| Escaping | docker.sock PoC (DIND attack) | docker-sock-check |
✔
|
link |
| Escaping | docker.sock Backdoor Image Deploy | docker-sock-deploy |
✔
|
link |
| Escaping | Device Mount Escaping | mount-disk |
✔
|
link |
| Escaping | Cgroups Escaping | mount-cgroup |
✔
|
link |
| Escaping | Procfs Escaping | mount-procfs |
✔
|
link |
| Escaping | Ptrace Escaping PoC | check-ptrace |
✔
|
link |
| Discovery | K8s Component Probe | service-probe |
✔
|
link |
| Discovery | Dump Istio Sidecar Meta | istio-check |
✔
|
link |
| Lateral Movement | K8s Service Account Control | |||
| Lateral Movement | Attack K8s api-server | |||
| Lateral Movement | Attack K8s Kubelet | |||
| Lateral Movement | Attack K8s Dashboard | |||
| Lateral Movement | Attack K8s Helm | |||
| Lateral Movement | Attack K8s Etcd | |||
| Lateral Movement | Attack Private Docker Registry | |||
| Remote Control | Reverse Shell | reverse-shell |
✔
|
link |
| Credential Access | Access Key Scanning | ak-leakage |
✔
|
link |
| Credential Access | Dump K8s Secrets | k8s-secret-dump |
✔
|
link |
| Credential Access | Dump K8s Config | k8s-configmap-dump |
✔
|
link |
| Persistence | Deploy WebShell | |||
| Persistence | Deploy Backdoor Pod | k8s-backdoor-daemonset |
✔
|
link |
| Persistence | Deploy Shadow K8s api-server | k8s-shadow-apiserver |
✔
|
link |
| Persistence | K8s MITM Attack (CVE-2020-8554) | k8s-mitm-clusterip |
✔
|
link |
| Persistence | Deploy K8s CronJob | |||
| Defense Evasion | Disable K8s Audit |
Tool Module
Running commands like in Linux, little different in input-args, see the usage link.
cdk nc [options]
cdk ps
| Command | Description | Supported | Usage/Example |
|---|---|---|---|
| nc | TCP Tunnel |
✔
|
link |
| ps | Process Information |
✔
|
link |
| ifconfig | Network Information |
✔
|
link |
| vi | Edit Files |
✔
|
link |
| kcurl | Request to K8s api-server |
✔
|
link |
| dcurl | Request to Docker HTTP API | ||
| ucurl | Request to Docker Unix Socket |
✔
|
link |
| rcurl | Request to Docker Registry API | ||
| probe | IP/Port Scanning |
✔
|
link |
Developer Docs
TODO
- Echo loader for delivering CDK into target container via Web RCE.
- EDR defense evasion.
- Compile optimization.
- Dev docs
from KitPloit - PenTest & Hacking Tools https://ift.tt/2Mdf2nH
via hacking
This is dummy text. It is not meant to be read. Accordingly, it is difficult to figure out when to end it. But then, this is dummy text. It is not meant to be read. Period.
ConversionConversion EmoticonEmoticon