kubestalk: discovers Kubernetes and related infrastructure-based attack surface

KubeStalk

KubeStalk is a tool to discover Kubernetes and related infrastructure-based attack surfaces from a black-box perspective. This tool is a community version of the tool used to probe for unsecured Kubernetes clusters around the internet during Project Resonance – Wave 9.

Install

git clone https://github.com/redhuntlabs/kubestalk
python3 -m pip install -r requirements.txt

Use

Basic Usage

To use the tool, you can pass one or more hosts to the script. All targets passed to the tool must be RFC 3986 compliant, i.e. must contain a scheme and hostname (and port if required).

Basic usage is as below:

$ python3 kubestalk.py https://███.██.██.███:10250

    +---------------------+
    |  K U B E S T A L K  |
    +---------------------+   v0.1

[!] KubeStalk by RedHunt Labs - A Modern Attack Surface (ASM) Management Company
[!] Author: 0xInfection (RHL Research Team)
[!] Continuously Track Your Attack Surface using https://redhuntlabs.com/nvadr.

[+] Loaded 10 signatures to scan.
[*] Processing host: https://███.██.██.██:10250
[!] Found potential issue on https://███.██.██.██:10250: Kubernetes Pod List Exposure
[*] Writing results to output file.
[+] Done.


HTTP Tuning

HTTP requests can be fine-tuned using -t (to set the HTTP timeout), -ua (to specify a custom User-Agent) and --verify-ssl (to validate TLS certificates while making requests; off by default, since self-signed certificates are common on kubelet and API server endpoints).

Concurrency

You can control the number of hosts scanned simultaneously using the --concurrency flag. The default value is 5.

Output

The output is written to a CSV file whose location is controlled by the --output flag.

A sample of the CSV output rendered in markdown is as below:

| host | path | issue | type | severity |
|------|------|-------|------|----------|
| https://█.█.█.█:10250 | /pods | Kubernetes Pod List Exposure | core-component | vulnerability/misconfiguration |
| https://█.█.█.█:443 | /api/v1/pods | Kubernetes Pod List Exposure | core-component | vulnerability/misconfiguration |
| http://█.█.██.█:80 | / | etcd Viewer Dashboard Exposure | add-on | vulnerability/exposure |
| http://██.██.█.█:80 | / | cAdvisor Metrics Web UI Dashboard Exposure | add-on | vulnerability/exposure |
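To make the workflow above concrete (RFC 3986 target validation, the timeout/User-Agent/TLS-verification knobs, a concurrency limit, and the five-column CSV), here is a small signature-based black-box probe written in the same spirit. It is example code added for this page, not KubeStalk's own source: the paths, issue names, types and severities come from the sample table above, but the body matchers, the signature list, the TEST-NET addresses (192.0.2.x) and the canned responses are constructed assumptions so that the demo runs offline.

```python
"""Signature-based black-box probe for Kubernetes attack surface (added example,
not KubeStalk's code). Signatures are constructed from the page's sample table;
matchers, addresses and canned responses are assumptions made for the demo."""
import csv
import io
import json
import ssl
import sys
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urlsplit

FIELDS = ["host", "path", "issue", "type", "severity"]

def is_pod_list(body: str) -> bool:
    """True for a Kubernetes PodList document (kubelet /pods, API server /api/v1/pods)."""
    try:
        return json.loads(body).get("kind") == "PodList"
    except (ValueError, AttributeError):
        return False

# (path, body matcher, issue, type, severity). Matchers are illustrative only.
SIGNATURES = [
    ("/pods", is_pod_list, "Kubernetes Pod List Exposure", "core-component", "vulnerability/misconfiguration"),
    ("/api/v1/pods", is_pod_list, "Kubernetes Pod List Exposure", "core-component", "vulnerability/misconfiguration"),
    ("/", lambda b: "etcd" in b.lower(), "etcd Viewer Dashboard Exposure", "add-on", "vulnerability/exposure"),
    ("/", lambda b: "cadvisor" in b.lower(), "cAdvisor Metrics Web UI Dashboard Exposure", "add-on", "vulnerability/exposure"),
]

def validate_target(target: str) -> str:
    """Enforce the shape the tool requires: scheme and hostname, port optional."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"target needs a scheme and hostname: {target!r}")
    parts.port  # raises ValueError when a port is present but not a valid integer
    return f"{parts.scheme}://{parts.netloc}"

def is_valid_target(target: str) -> bool:
    try:
        validate_target(target)
        return True
    except ValueError:
        return False

def http_fetch(url, timeout=5.0, user_agent="kubestalk-example/0.1", verify_ssl=False):
    """Live fetcher; the knobs mirror -t, -ua and --verify-ssl. Returns (status, body)."""
    ctx = ssl.create_default_context()
    if not verify_ssl:  # self-signed kubelet / API server certificates are the norm
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return 0, ""

def probe_host(host, fetch=http_fetch):
    """Only a 200 with a matching body counts: a 401/403 means authentication is
    enforced, which is not an anonymous exposure. Each path is fetched once."""
    cache, findings = {}, []
    for path, matches, issue, kind, severity in SIGNATURES:
        if path not in cache:
            cache[path] = fetch(host + path)
        status, body = cache[path]
        if status == 200 and matches(body):
            findings.append(dict(zip(FIELDS, (host, path, issue, kind, severity))))
    return findings

def scan(targets, fetch=http_fetch, concurrency=5):
    """Validate every target up front, then probe hosts concurrently (cf. --concurrency)."""
    hosts = [validate_target(t) for t in targets]
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        per_host = list(pool.map(lambda h: probe_host(h, fetch), hosts))
    return [f for hits in per_host for f in hits]

def to_csv(findings):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(findings)
    return buf.getvalue()

# Constructed responses on RFC 5737 TEST-NET addresses so the demo runs offline.
POD_LIST = json.dumps({"kind": "PodList", "apiVersion": "v1", "items": []})
FAKE_RESPONSES = {
    "https://192.0.2.10:10250/pods": (200, POD_LIST),        # anonymous kubelet
    "https://192.0.2.11:443/api/v1/pods": (200, POD_LIST),   # anonymous API server
    "https://192.0.2.11:443/": (403, '{"kind":"Status","code":403}'),
    "http://192.0.2.12:80/": (200, "<html><title>cAdvisor - /</title></html>"),
    "https://192.0.2.13:10250/pods": (401, "Unauthorized"),  # kubelet with auth on
}

def fake_fetch(url, **_):
    return FAKE_RESPONSES.get(url, (404, "404 page not found"))

def demo_scan():
    targets = ["https://192.0.2.10:10250", "https://192.0.2.11:443",
               "http://192.0.2.12:80", "https://192.0.2.13:10250"]
    return scan(targets, fetch=fake_fetch, concurrency=2)

if __name__ == "__main__":
    # Real targets on the command line use the live fetcher; otherwise run the demo.
    hits = scan(sys.argv[1:]) if len(sys.argv) > 1 else demo_scan()
    sys.stdout.write(to_csv(hits))
```

Two points worth noting when reading the results. A kubelet or API server that answers 401/403 (hosts 192.0.2.11:443 on / and 192.0.2.13:10250 on /pods in the demo) is not reported, because a status code alone says nothing about anonymous access; only a 200 whose body parses as a PodList does. And validation happens before any request is sent, so a bare "host:port" target fails fast with a ValueError instead of silently being skipped mid-scan.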

Copyright (c) 2022 0xInfection

Source: https://github.com/redhuntlabs/
