MTKPI

MTKPI – Multi Tool Kubernetes Pentest Image. This docker image contains all the most popular and necessary tools for Kubernetes penetration testing. Everything you need at your fingertips.

Image was generated by Kandinsky 2.2

Disclaimer

Warning

This is a tool for testing purpose only, do not use it for malicious acts. Some tools inside MTKPI can adversely affect the entire cluster, which in turn can lead to data corruption. Test environments with multiple nodes can be deployed with KIND

Motivation

When you're pentesting a Kubernetes cluster, you'll certainly use automated tools to perform the checks. But what if your cluster is network-limited and you can't download the tools you need inside the Pod? Or a read-only container file system? In this case, the only solution is to use a ready-to-use image, inside of which there are all the tools you need. This image includes all possible popular tools for pentesting a Kubernetes cluster, including those with automatic checks.

Threat Matrix for Kubernetes

MTKPI covers most of the techniques described in Microsoft Threat Matrix for Kubernetes. This in turn provides a wide range of pentesting possibilities. If necessary, you can add the necessary tools to the image and increase the coverage of the matrix.

What's inside?

Shell via web

Often, when pentesting Kubernetes Cluster, you have a developer Service Account with limited permissions. In other words, you don't have sufficient permissions to run pods/exec, which means you just can't get inside the container. However, it's more common for developers to have rights to create port-forward. This is why I used ttyd as the base image ― it is a simple command-line tool for sharing terminals over the web.

Tools

For convenience, I also have made a list of all possible tools that can be useful when pentesting Kubernetes and packed it in an image:

• botb
• kubeletctl
• kubesploit agent
• CDK
• peirates
• traitor
• ctrsploit
• kdigger
• kubectl
• linuxprivchecker
• deepce
• helm
• kube-hunter
• kube-bench
• DDexec
• kubetcd

Bypass signature engine

Sometimes, runtime security tools are found in Kubernetes clusters that work on a signature-based approach. Security tools like Falco and Tracee are quite easy to bypass, as their behavior is predefined by rules and signatures. There are quite a few ways to do this, one of the simplest being to rename executables. This is the method used in MTKPI.

For example:

• kubectl → k
• python3 → pton3
• curl → kurl
• wget → vget

You can read more about the ways to bypass Falco here.

Usage

For fast deployment, run the following command:

kubectl apply -f https://raw.githubusercontent.com/r0binak/MTKPI/main/deploy/mtkpi.yaml

Pod:

apiVersion: v1
kind: Pod
metadata:
  name: mtkpi-pod
  labels:
    app: mtkpi
spec:
  containers:
  - name: mtkpi-pod
    image: r0binak/mtkpi:v1
    ports:
    - containerPort: 7681
    securityContext:
      readOnlyRootFilesystem: true

Service:

apiVersion: v1
kind: Service
metadata:
  name: mtkpi-svc
  labels:
    app: mtkpi
spec:
  type: ClusterIP
  ports:
  - port: 7681
    protocol: TCP
  selector:
    app: mtkpi

To access the container, just run the command:

kubectl port-forward mtkpi-pod 7681:7681

Open in your browser:

localhost:7681

Contributing

If you liked this, I'd appreciate some PR 🙂

References

• https://github.com/madhuakula/hacker-container
• https://github.com/antitree/cmd_and_kubectl_demos/tree/master/images/botty
• https://github.com/raesene/alpine-containertools