Kdigger
Kubernetes focused container assessment and context discovery tool for penetration testing
kdigger
kdigger, short for "Kubernetes digger", is a context discovery tool for
Kubernetes penetration testing. This tool is a compilation of various plugins
called buckets to facilitate pentesting Kubernetes from inside a pod.
Here is a demo showing kdigger v1.3.0 in action, using only four buckets.
Please note that around twenty plugins exist and you can read more about all
the features in the following documentation.
Please note that this is not an ultimate pentest tool for Kubernetes. Some
plugins perform really simple actions that could be done manually, for example
by calling the mount command or listing the devices present under /dev with
ls /dev. Others automate scanning processes, such as the admission controller
scanner. In the end, this tool aims to humbly speed up the pentesting process.
Installation
kdigger is available on Linux amd64, arm64 and macOS amd64.
Please note that kdigger should mostly be run inside pods and not on your
host machine.
Via releases
For installation instructions from binaries please visit the releases page.
Please note that these are statically linked binaries, which is not always the case for Go on Linux, contrary to what one might think: a Go binary that uses cgo, for example through the net or os/user packages, is dynamically linked against the system libc by default. A static binary is what you want here, since it can be copied into any pod image, including minimal ones that ship no libc at all.
Build from source
Just type make to build with the
default build target.
git clone https://github.com/quarkslab/kdigger
make
Then you can move the binary somewhere included in your PATH, for example:
sudo install kdigger /usr/local/bin
Note that you will need golangci-lint
to use the release target that will build for the supported architectures.
You can use make install-linter to install golangci-lint on the host.
With Nix
You can use Nix in a new shell environment thanks to a contributor PR that added kdigger to nixpkgs.
nix-shell -p kdigger
You can also create docker images with kdigger and other tools easily
with nixery.dev:
docker run -it nixery.dev/kubectl/kdigger/bash /bin/bash
Via Go
go install github.com/quarkslab/kdigger@main
Usage
Digging
What you generally want to do is to run all the buckets with dig all or just
d a:
kdigger dig all
Help is provided by the CLI itself, just type kdigger to see the options:
$ kdigger
kdigger is an extensible CLI tool to dig around when you are in a Kubernetes
cluster. For that you can use multiples buckets. Buckets are plugins that can
scan specific aspects of a cluster or bring expertise to automate the Kubernetes
pentest process.
Usage:
kdigger [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
dig Use all buckets or specific ones
gen Generate template for pod with security features disabled
help Help about any command
ls List available buckets or describe specific ones
version Print the version information
Flags:
-h, --help help for kdigger
-o, --output string Output format. One of: human|json. (default "human")
-w, --width int Width for the human output (default 140)
Use "kdigger [command] --help" for more information about a command.
Make sure to check out the help on the dig command to see all the available
flags:
$ kdigger help dig
This command runs buckets, special keyword "all" or "a" runs all registered
buckets. You can find information about all buckets with the list command. To
run one or more specific buckets, just input their names or aliases as
arguments.
Usage:
kdigger dig [buckets] [flags]
Aliases:
dig, d
Flags:
--admission-create Actually create pods to scan admission instead of using server dry run. (this flag is specific to the admission bucket)
--admission-force Force creation of pods to scan admission even without cleaning rights. (this flag is specific to the admission bucket)
-c, --color Enable color in output. (default true if output is human)
-h, --help help for dig
--kubeconfig string (optional) absolute path to the kubeconfig file (default "/home/vagrant/.kube/config")
-n, --namespace string Kubernetes namespace to use. (default to the namespace in the context)
-s, --side-effects Enable all buckets that might have side effect on environment.
Global Flags:
-o, --output string Output format. One of: human|json. (default "human")
-w, --width int Width for the human output (default 140)
Generating
You can also generate useful templates for pods with security features disabled to escalate privileges when you can create such a pod. See the help for this specific command for more information.
$ kdigger help gen
This command generates templates for pod with security features disabled.
You can customize the pods with some of the string flags and activate
boolean flags to disabled security features. Examples:
# Generate a very simple template in json
kdigger gen -o json
# Create a very simple pod
kdigger gen | kubectl apply -f -
# Create a pod named mypod with most security features disabled
kdigger gen --all mypod | kubectl apply -f -
# Create a custom privileged pod
kdigger gen --privileged --image bash --command watch --command date | kubectl apply -f -
# Fuzz the API server admission
kdigger gen --fuzz-pod --fuzz-init --fuzz-container | kubectl apply --dry-run=server -f -
Usage:
kdigger gen [name] [flags]
Aliases:
gen, generate
Flags:
--all Enable everything
--command stringArray Container command used (default [sleep,infinitely])
--fuzz-container Generate a random container security context. (will override other options)
--fuzz-init Generate a random init container security context.
--fuzz-pod Generate a random pod security context.
-h, --help help for gen
--hostnetwork Add the hostNetwork flag on the whole pod
--hostpath Add a hostPath volume to the container
--hostpid Add the hostPid flag on the whole pod
--image string Container image used (default "busybox")
-n, --namespace string Kubernetes namespace to use
--privileged Add the security flag to the security context of the pod
--tolerations Add tolerations to be schedulable on most nodes
Global Flags:
-o, --output string Output format. One of: human|json. (default "human")
-w, --width int Width for the human output (default 140)
Fuzzing
You can try to fuzz your API admission with kdigger, find
some information in this PR.
It can be interesting to see whether your set of custom policies holds up
against randomly generated pod manifests.
See how kdigger can generate random container securityContext:
./kdigger gen --fuzz-container -o json | jq '.spec.containers[].securityContext'
Or generate a dozen:
for _ in {1..12}; do ./kdigger gen --fuzz-container -o json | jq '.spec.containers[].securityContext'; done
Fuzz your admission API with simple commands similar to:
while true; do ./kdigger gen --fuzz-pod --fuzz-init --fuzz-container | kubectl apply --dry-run=server -f -; done
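The one-liner above tells you nothing beyond what scrolls past. The harness below is an added example written for this page, not code from kdigger itself: it wraps the gen and fuzzing commands shown above, classifies each server-side dry run as accepted, rejected or error, keeps every accepted manifest (an accepted random manifest is the interesting result, since it means your admission policies let it through), and groups rejections by the webhook or Pod Security Admission level that produced them. It assumes that kdigger and kubectl are on PATH, that kubectl's current context points at the cluster under test, and that rejections carry the standard "admission webhook ... denied the request" or "violates PodSecurity" wording; the message patterns and the results file layout are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example, not part of kdigger: a small admission-fuzzing harness that
# wraps `kdigger gen --fuzz-*` and `kubectl apply --dry-run=server`, records a
# verdict for every generated manifest and keeps the accepted ones.
# Assumes kdigger and kubectl are on PATH and that kubectl's current context
# points at the cluster under test.

# Classify one server-side dry-run result from its exit code and stderr.
# Only genuine admission verdicts count as "rejected"; RBAC, connection or
# schema errors are reported as "error" so they do not inflate the numbers.
classify_verdict() {
  local rc="$1" err="$2"
  if [ "$rc" -eq 0 ]; then
    printf 'accepted\n'
  elif printf '%s' "$err" | grep -qE 'denied the request|violates PodSecurity'; then
    # validating webhook (Gatekeeper, Kyverno, ...) or Pod Security Admission
    printf 'rejected\n'
  else
    printf 'error\n'
  fi
}

# Reduce a rejection message to a grouping key: the webhook that denied the
# request or the PodSecurity level that was violated; "none" otherwise.
reason_key() {
  local key
  key=$(printf '%s' "$1" | grep -oE 'admission webhook "[^"]+"|violates PodSecurity "[^"]+"' | head -n 1)
  printf '%s\n' "${key:-none}"
}

# Summarise a results file (tab-separated columns: case, verdict, reason).
# First line: totals per verdict; following lines: count per rejection reason.
summarize() {
  awk -F'\t' '
    { total[$2]++; if ($2 == "rejected") reason[$3]++ }
    END {
      printf "accepted=%d rejected=%d error=%d\n", total["accepted"], total["rejected"], total["error"]
      for (k in reason) printf "  %d\t%s\n", reason[k], k
    }' "$1"
}

# Generate N random manifests, dry-run each against the API server and record
# the verdicts. Nothing is created: --dry-run=server only runs the request
# through admission and returns the result.
fuzz_admission() {
  local n="$1" outdir="$2" i manifest err rc verdict
  mkdir -p "$outdir/accepted"
  : > "$outdir/results.tsv"
  for i in $(seq 1 "$n"); do
    manifest="$outdir/case-$i.yaml"
    kdigger gen --fuzz-pod --fuzz-init --fuzz-container > "$manifest" || continue
    # capture stderr only; stdout holds the "created (server dry run)" line
    err=$(kubectl apply --dry-run=server -f "$manifest" 2>&1 >/dev/null); rc=$?
    verdict=$(classify_verdict "$rc" "$err")
    [ "$verdict" = accepted ] && cp "$manifest" "$outdir/accepted/"
    printf '%s\t%s\t%s\n' "case-$i" "$verdict" "$(reason_key "$err")" >> "$outdir/results.tsv"
  done
  summarize "$outdir/results.tsv"
}

# Usage: fuzz_admission 200 ./fuzz-out
# then review ./fuzz-out/accepted/ and ./fuzz-out/results.tsv
```

Review the accepted directory by hand: each file there is a random pod spec that your admission chain let through, and comparing it against the rejected ones (same policy, different field combination) usually points straight at the gap in a rule. Keep the error count near zero; a run where every case is an error is measuring your RBAC or network path, not your policies.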
Details
Updates
I update this tool from time to time, when I have new ideas after reading a book or doing CTF challenges; you can find the details in the changelog.
Usage warning
Be careful when running this tool, some checks have side effects, like scanning
your available syscalls or trying to create pods to scan the admission control.
By default these checks will not run without adding the --side-effects or
-s flag.
For example, the syscall scan may succeed in performing some syscalls with
empty arguments, which can alter your environment or configuration: if the
hostname syscall (sethostname) succeeds, it replaces the hostname with the
empty string. So please, NEVER run wi
