https://github.com/r0binak/MTKPI

🧰 Multi Tool Kubernetes Pentest Image
container-security image kubernetes kubernetes-security pentest redteam

Last synced: 3 months ago
JSON representation

🧰 Multi Tool Kubernetes Pentest Image

Awesome Lists containing this project

README

        

# MTKPI
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://github.com/r0binak/MTKPI/blob/master/LICENSE)
[![Github Stars](https://img.shields.io/github/stars/r0binak/MTKPI)](https://github.com/r0binak/MTKPI/stargazers)
[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](https://github.com/r0binak/MTKPI/pulls)
[![Docker Pulls MTKPI](https://img.shields.io/docker/pulls/r0binak/mtkpi?logo=docker)](https://hub.docker.com/r/r0binak/mtkpi)

![Logo](images/logo.jpg)

**MTKPI** – Multi Tool Kubernetes Pentest Image. This Docker image bundles the most popular tools for Kubernetes penetration testing in one place, so that everything you need is at your fingertips.

*Image was generated by [Kandinsky 2.2](https://www.sberbank.com/promo/kandinsky/)*

## Disclaimer

> [!WARNING]
> **This is a tool for testing purpose only, do not use it for malicious acts. Some tools inside MTKPI can adversely affect the entire cluster, which in turn can lead to data corruption. Test environments with multiple nodes can be deployed with KIND**

## Motivation
When you're pentesting a Kubernetes cluster, you will certainly use automated tools to perform the checks. But what if the cluster is network-restricted and you can't download the tools you need from inside the Pod? Or the container file system is read-only? In that case the practical solution is a ready-made image that already contains every tool you need. This image bundles the popular tools for pentesting a Kubernetes cluster, including those that run automated checks.

## Threat Matrix for Kubernetes
![Logo](images/matrix.png)
MTKPI covers most of the techniques described in the Microsoft Threat Matrix for Kubernetes, which gives a wide range of pentesting possibilities. If necessary, you can add further tools to the image and increase the coverage of the matrix.

## What's inside?
### Shell via web
Often, when pentesting a Kubernetes cluster, you have a developer Service Account with limited permissions. In other words, you don't have `create` on the `pods/exec` subresource, so you cannot get a shell inside a container with `kubectl exec`. However, it's far more common for developers to be allowed to port-forward (`create` on `pods/portforward`), and of course to create Pods in the first place. This is why [ttyd](https://github.com/tsl0922/ttyd) is the base image: it is a simple command-line tool for sharing a terminal over the web, so a port-forward to the Pod is all you need to reach the shell.
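The live check is `kubectl auth can-i create pods/exec` versus `kubectl auth can-i create pods/portforward`. To make the distinction concrete offline, here is an added example (not code from the MTKPI project) that evaluates a Role's `rules` the way RBAC does: `*` wildcards for groups, resources and verbs, exact `resource/subresource` names, and the `*/subresource` form. The two roles are constructed sample input; the "developer" one is the shape the paragraph above describes.

```python
"""Added example (not MTKPI's code): does this Role open pods/exec, pods/portforward,
or neither? The matching mirrors documented RBAC semantics; roles are constructed samples."""

# Constructed sample: a namespace-scoped "developer" Role that can create Pods
# and port-forward to them, but never exec into them.
DEVELOPER_ROLE = [
    {
        "apiGroups": [""],
        "resources": ["pods", "pods/log", "pods/portforward"],
        "verbs": ["get", "list", "watch", "create"],
    },
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
]

# Constructed sample: an operator-style Role using the '*/exec' wildcard form
# (exec on any resource that has an exec subresource), read-only on Pods.
OPERATOR_ROLE = [
    {"apiGroups": ["*"], "resources": ["*/exec"], "verbs": ["create"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
]


def _resource_matches(rule, resource, subresource):
    """RBAC resource matching: '*', exact 'pods/exec', or '*/exec' when a
    subresource is requested. A bare 'pods' never grants a subresource."""
    combined = f"{resource}/{subresource}" if subresource else resource
    for rule_resource in rule.get("resources", []):
        if rule_resource == "*" or rule_resource == combined:
            return True
        if subresource and rule_resource == f"*/{subresource}":
            return True
    return False


def rule_allows(rule, verb, group, resource, subresource="", name=""):
    """One PolicyRule: verb, apiGroup, resource and (optional) resourceNames must all match."""
    verbs = rule.get("verbs", [])
    groups = rule.get("apiGroups", [])
    names = rule.get("resourceNames", [])
    return (
        ("*" in verbs or verb in verbs)
        and ("*" in groups or group in groups)
        and _resource_matches(rule, resource, subresource)
        and (not names or name in names)
    )


def can_i(rules, verb, resource, subresource="", group="", name=""):
    """Equivalent of `kubectl auth can-i <verb> <resource>/<subresource>` against one Role."""
    return any(rule_allows(r, verb, group, resource, subresource, name) for r in rules)


def foothold_options(rules):
    """The three paths the README contrasts: create a Pod, exec into one, port-forward to one."""
    return {
        "create pods": can_i(rules, "create", "pods"),
        "exec": can_i(rules, "create", "pods", "exec"),
        "port-forward": can_i(rules, "create", "pods", "portforward"),
    }


if __name__ == "__main__":
    for label, role in (("developer", DEVELOPER_ROLE), ("operator", OPERATOR_ROLE)):
        print(label, foothold_options(role))
```

The developer role comes out as create-pods yes, exec no, port-forward yes, which is exactly the situation where a ttyd-based Pod plus `kubectl port-forward` gets you a shell that `kubectl exec` would not. Against a real cluster, `kubectl auth can-i --list` shows the effective rules for the current identity.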
### Tools
For convenience, I also made a list of the tools that are useful when pentesting Kubernetes and packed them into the image:

- [botb](https://github.com/brompwnie/botb)
- [kubeletctl](https://github.com/cyberark/kubeletctl)
- [kubesploit agent](https://github.com/cyberark/kubesploit)
- [CDK](https://github.com/cdk-team/CDK)
- [peirates](https://github.com/inguardians/peirates)
- [traitor](https://github.com/liamg/traitor)
- [ctrsploit](https://github.com/ctrsploit/ctrsploit)
- [kdigger](https://github.com/quarkslab/kdigger)
- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/)
- [linuxprivchecker](https://github.com/sleventyeleven/linuxprivchecker)
- [deepce](https://github.com/stealthcopter/deepce)
- [helm](https://helm.sh)
- [kube-hunter](https://github.com/aquasecurity/kube-hunter)
- [kube-bench](https://github.com/aquasecurity/kube-bench)
- [DDexec](https://github.com/carlospolop/DDexec)
- [kubetcd](https://github.com/nccgroup/kubetcd)

### Bypass signature engine
Sometimes the cluster runs a runtime security tool that works on a signature-based approach. Rules that match on a process or file name, which is how many stock Falco and Tracee rules are written, are easy to bypass because the behaviour that triggers them is predefined. There are quite a few ways to do this; one of the simplest is to rename executables, and that is the method used in MTKPI. Note that renaming only defeats rules keyed on the name: rules that look at what the process does (for example, a connection to the API server) still fire.

For example:

- `kubectl` → `k`
- `python3` → `pton3`
- `curl` → `kurl`
- `wget` → `vget`

You can read more about the ways to bypass Falco [here](https://github.com/blackberry/Falco-bypasses).
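To show what the rename does and does not buy you, here is an added example (not MTKPI's or Falco's code) with a toy rule engine run over constructed process and connection events laid out with Falco-style field names. One rule keys on `proc.name`, the other on the action (a `connect` to the API server's service IP). Falco's real rule language is richer; the predicate syntax here is a stand-in, and `10.96.0.1` is assumed as the API server service IP (the kubeadm/KIND default).

```python
"""Added example (not MTKPI's or Falco's code): name-based vs behaviour-based
detection over constructed events, before and after renaming the tools."""

# Assumed API server service IP (first address of the default service CIDR).
APISERVER_IP = "10.96.0.1"

# Constructed events in a Falco-like layout. The second block is the same
# activity after `kubectl` -> `k` and `curl` -> `kurl`, as the README does.
EVENTS = [
    {"evt": "execve", "proc.name": "kubectl", "proc.cmdline": "kubectl get secrets -A"},
    {"evt": "connect", "proc.name": "kubectl", "fd.sip": "10.96.0.1", "fd.sport": 443},
    {"evt": "execve", "proc.name": "curl", "proc.cmdline": "curl -k https://10.96.0.1/api"},
    {"evt": "connect", "proc.name": "curl", "fd.sip": "10.96.0.1", "fd.sport": 443},
    {"evt": "execve", "proc.name": "k", "proc.cmdline": "k get secrets -A"},
    {"evt": "connect", "proc.name": "k", "fd.sip": "10.96.0.1", "fd.sport": 443},
    {"evt": "execve", "proc.name": "kurl", "proc.cmdline": "kurl -k https://10.96.0.1/api"},
    {"evt": "connect", "proc.name": "kurl", "fd.sip": "10.96.0.1", "fd.sport": 443},
    {"evt": "execve", "proc.name": "nginx", "proc.cmdline": "nginx -g daemon off;"},
]

# Names a signature rule typically lists; renamed binaries are not on it.
SUSPICIOUS_NAMES = {"kubectl", "curl", "wget", "python3", "nc", "kubeletctl"}

NAME_RULE = "name-based: known tooling launched in container"
BEHAVIOUR_RULE = "behaviour-based: container process contacts the API server"

# rule name -> predicate over one event (stand-in for a Falco `condition:`)
RULES = {
    NAME_RULE: lambda e: e["evt"] == "execve" and e["proc.name"] in SUSPICIOUS_NAMES,
    BEHAVIOUR_RULE: lambda e: (
        e["evt"] == "connect"
        and e.get("fd.sip") == APISERVER_IP
        and e.get("fd.sport") == 443
    ),
}


def evaluate(events, rules=RULES):
    """Run every rule over every event; return {rule: [proc.name of each hit]}."""
    hits = {name: [] for name in rules}
    for event in events:
        for name, condition in rules.items():
            if condition(event):
                hits[name].append(event["proc.name"])
    return hits


def evaded_name_rule(events):
    """Processes that reached the API server but never tripped the name rule,
    i.e. exactly the renamed binaries."""
    hits = evaluate(events)
    return sorted(set(hits[BEHAVIOUR_RULE]) - set(hits[NAME_RULE]))


if __name__ == "__main__":
    for rule, names in evaluate(EVENTS).items():
        print(f"{rule}: {names}")
    print("evaded the name rule:", evaded_name_rule(EVENTS))
```

The name rule catches `kubectl` and `curl` and misses `k` and `kurl`; the behaviour rule catches all four, because renaming changes `proc.name` but not the socket the process opens. Falco ships a stock rule in this spirit ("Contact K8S API Server From Container"), so when planning a bypass, check which fields the deployed rules actually key on rather than assuming a rename is enough.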

## Usage

For fast deployment, run the following command:
```bash
kubectl apply -f https://raw.githubusercontent.com/r0binak/MTKPI/main/deploy/mtkpi.yaml
```

Pod:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mtkpi-pod
  labels:
    app: mtkpi
spec:
  containers:
  - name: mtkpi-pod
    image: r0binak/mtkpi:v1
    ports:
    - containerPort: 7681
    securityContext:
      readOnlyRootFilesystem: true
```
Service:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: mtkpi-svc
  labels:
    app: mtkpi
spec:
  type: ClusterIP
  ports:
  - port: 7681
    protocol: TCP
  selector:
    app: mtkpi
```

To access the container, run:

```bash
kubectl port-forward mtkpi-pod 7681:7681
```

Then open in your browser:

```
http://localhost:7681
```
![In action](/images/in-action.png)

## Contributing
If you liked this, I'd appreciate a PR 🙂

## References

* https://github.com/madhuakula/hacker-container
* https://github.com/antitree/cmd_and_kubectl_demos/tree/master/images/botty
* https://github.com/raesene/alpine-containertools