Using CDK against targets without prior authorization is illegal. This program is intended solely for security testing and research.

CDK is a penetration-testing toolkit built for container environments. It ships as a single zero-dependency binary that provides common commands plus PoC/EXP code inside an already compromised container, and it bundles escape, lateral-movement and persistence techniques specific to Docker/K8s, managed as plugins.

The project is still under construction; feedback and suggestions are welcome at [email protected].

Deliver the executable into the compromised container to start using it:
https://github.com/Xyntax/CDK/tree/main/release
```text
Container DucK
Zero-dependency docker/k8s penetration toolkit by <[email protected]>
Find tutorial, configuration and use-case in https://github.com/Xyntax/CDK/wiki

Usage:
  cdk evaluate [--full]
  cdk run (--list | <exploit> [<args>...])
  cdk <tool> [<args>...]

Evaluate:
  cdk evaluate                                Gather information to find weakness inside container.
  cdk evaluate --full                         Enable file scan during information gathering.

Exploit:
  cdk run --list                              List all available exploits.
  cdk run <exploit> [<args>...]               Run single exploit, docs in https://github.com/Xyntax/CDK/wiki

Tool:
  vi <file>                                   Edit files in container like "vi" command.
  ps                                          Show process information like "ps -ef" command.
  nc [options]                                Create TCP tunnel.
  ifconfig                                    Show network information.
  kcurl (get|post) <url> <data>               Make request to K8s api-server.
  ucurl (get|post) <socket> <uri> <data>      Make request to docker unix socket.
  probe <ip> <port> <parallel> <timeout-ms>   TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000

Options:
  -h --help                                   Show this help msg.
  -v --version                                Show version.
```
CDK consists of three functional modules: Evaluate, Exploit and Tool.
Usage
cdk evaluate [--full]

Performs local information gathering to find usable escape points; with the --full flag it also scans local files.

Checks
Tactics | Script | Supported | Usage/Example |
---|---|---|---|
Information Gathering | OS Basic Info | ✔ | link |
Information Gathering | Available Capabilities | ✔ | link |
Information Gathering | Available Linux Commands | ✔ | link |
Information Gathering | Mounts | ✔ | link |
Information Gathering | Net Namespace | ✔ | link |
Information Gathering | Sensitive ENV | ✔ | link |
Information Gathering | Sensitive Process | ✔ | link |
Information Gathering | Sensitive Local Files | ✔ | link |
Discovery | K8s Api-server Info | ✔ | link |
Discovery | K8s Service-account Info | ✔ | link |
Discovery | Cloud Provider Metadata API | ✔ | link |
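As an added illustration of what the Available Capabilities and Mounts checks above read (this is example code, not CDK's implementation), the Go program below parses /proc/self/status and /proc/self/mountinfo, decodes the effective capability mask, and flags mounts that typically mean an escape path: a container-runtime socket, a host block device, a host procfs, or a writable cgroup. The set of "escape-relevant" capabilities, the mount heuristics, and the exclusion of Docker's /etc/hosts-style bind mounts are this example's own assumptions, not CDK's rules.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Linux capability names indexed by bit number (order from <linux/capability.h>).
var capNames = []string{
	"CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL", "SETGID",
	"SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE", "NET_BROADCAST", "NET_ADMIN",
	"NET_RAW", "IPC_LOCK", "IPC_OWNER", "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE",
	"SYS_PACCT", "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME", "SYS_TTY_CONFIG",
	"MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL", "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN",
	"SYSLOG", "WAKE_ALARM", "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
}

// Capabilities that by themselves usually open an escape path. This short
// list is this example's own heuristic (assumption), not CDK's ruleset.
var escapeCaps = map[string]bool{"SYS_ADMIN": true, "SYS_PTRACE": true, "SYS_MODULE": true, "DAC_READ_SEARCH": true, "SYS_RAWIO": true}

// ParseCapEff pulls the effective capability mask out of /proc/self/status text.
func ParseCapEff(status string) (uint64, error) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "CapEff:") {
			return strconv.ParseUint(strings.TrimSpace(strings.TrimPrefix(line, "CapEff:")), 16, 64)
		}
	}
	return 0, fmt.Errorf("no CapEff line")
}

// DecodeCaps returns the names of every capability set in mask, in bit order.
func DecodeCaps(mask uint64) []string {
	var names []string
	for bit, name := range capNames {
		if mask&(1<<uint(bit)) != 0 {
			names = append(names, name)
		}
	}
	return names
}

// EscapeCaps filters DecodeCaps down to the escape-relevant set.
func EscapeCaps(mask uint64) []string {
	var out []string
	for _, n := range DecodeCaps(mask) {
		if escapeCaps[n] {
			out = append(out, n)
		}
	}
	return out
}

// Finding is one suspicious entry from /proc/self/mountinfo.
type Finding struct{ MountPoint, Reason string }

// Docker bind-mounts these three files from the host disk, so the host block
// device appearing as their source is normal and is not reported.
var dockerEtcBinds = map[string]bool{"/etc/hosts": true, "/etc/hostname": true, "/etc/resolv.conf": true}

// FindSensitiveMounts scans mountinfo text. Per proc(5) each line is:
// id parent major:minor root mountpoint opts [optional...] - fstype source superopts
func FindSensitiveMounts(mountinfo string) []Finding {
	var out []Finding
	for _, line := range strings.Split(mountinfo, "\n") {
		f := strings.Fields(line)
		sep := -1
		for i, tok := range f {
			if tok == "-" {
				sep = i
				break
			}
		}
		if sep < 6 || len(f) < sep+3 {
			continue // malformed or too short to carry fstype and source
		}
		mp, opts, fstype, src := f[4], f[5], f[sep+1], f[sep+2]
		switch {
		case strings.HasSuffix(mp, "docker.sock"), strings.HasSuffix(mp, "containerd.sock"), strings.HasSuffix(mp, "crio.sock"):
			out = append(out, Finding{mp, "container runtime socket exposed (try docker-sock-check)"})
		case strings.HasPrefix(src, "/dev/") && mp != "/" && !dockerEtcBinds[mp]:
			out = append(out, Finding{mp, "host block device " + src + " mounted"})
		case fstype == "proc" && mp != "/proc":
			out = append(out, Finding{mp, "host procfs mounted (core_pattern reachable)"})
		case fstype == "cgroup" && strings.HasPrefix(opts, "rw"):
			out = append(out, Finding{mp, "writable cgroup mount (release_agent)"})
		}
	}
	return out
}

func main() {
	status, _ := os.ReadFile("/proc/self/status")
	mask, err := ParseCapEff(string(status))
	if err != nil {
		fmt.Println("cannot read capabilities:", err)
	}
	fmt.Printf("CapEff=%#x caps=%v escape-relevant=%v\n", mask, DecodeCaps(mask), EscapeCaps(mask))
	mi, _ := os.ReadFile("/proc/self/mountinfo")
	for _, f := range FindSensitiveMounts(string(mi)) {
		fmt.Printf("[!] %s: %s\n", f.MountPoint, f.Reason)
	}
}
```

Run it inside a container and compare with `cdk evaluate`: the default Docker capability set (CapEff 00000000a80425fb) decodes to 14 capabilities and none of the escape-relevant ones, while a --privileged container shows SYS_ADMIN and friends, and a mountinfo line whose source is a /dev/ block device at a path other than / (and not one of Docker's /etc bind mounts) is the signature of a host disk handed to the container.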
List all exploits:

cdk run --list

Run a specified exploit:

cdk run <script-name> [options]

List
Tactic | Technique | CDK Exploit Name | Supported | Doc |
---|---|---|---|---|
Escaping | docker-runc CVE-2019-5736 | runc-pwn | ✔ | |
Escaping | docker-cp CVE-2019-14271 | |||
Escaping | containerd-shim CVE-2020-15257 | shim-pwn | ✔ | link |
Escaping | dirtycow CVE-2016-5195 | | | |
Escaping | docker.sock PoC (DIND attack) | docker-sock-check | ✔ | link |
Escaping | docker.sock Backdoor Image Deploy | docker-sock-deploy | ✔ | link |
Escaping | Device Mount Escaping | mount-disk | ✔ | link |
Escaping | Cgroups Escaping | mount-cgroup | ✔ | link |
Escaping | Procfs Escaping | mount-procfs | ✔ | link |
Escaping | Ptrace Escaping PoC | check-ptrace | ✔ | link |
Discovery | K8s Component Probe | service-probe | ✔ | link |
Lateral Movement | K8s Service Account Control | |||
Lateral Movement | Attack K8s api-server | |||
Lateral Movement | Attack K8s Kubelet | |||
Lateral Movement | Attack K8s Dashboard | |||
Lateral Movement | Attack K8s Helm | |||
Lateral Movement | Attack K8s Etcd | |||
Lateral Movement | Attack Private Docker Registry | |||
Remote Control | Reverse Shell | reverse-shell | ✔ | link |
Credential Access | Access Key Scanning | ak-leakage | ✔ | link |
Credential Access | Dump K8s Secrets | k8s-secret-dump | ✔ | |
Credential Access | Dump K8s Config | k8s-configmap-dump | ✔ | |
Persistence | Deploy WebShell | |||
Persistence | Deploy Backdoor Pod | |||
Persistence | Deploy Shadow K8s api-server | |||
Persistence | Deploy K8s CronJob | |||
Defense Evasion | Disable K8s Audit | | | |
Reimplements some commonly used Linux commands to work around stripped-down container images. Their arguments differ slightly from the originals; see the documentation links below:

cdk nc [options]

cdk ps

List
Command | Description | Supported | Usage/Example |
---|---|---|---|
nc | TCP Tunnel | ✔ | link |
ps | Process Information | ✔ | link |
ifconfig | Network Information | ✔ | link |
vi | Edit Files | ✔ | link |
kcurl | Request to K8s api-server | ✔ | link |
dcurl | Request to Docker HTTP API | ||
ucurl | Request to Docker Unix Socket | ✔ | link |
rcurl | Request to Docker Registry API | ||
probe | IP/Port Scanning | ✔ | link |
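As an added example (not CDK's probe code) of the argument format shown in the help text, `probe 10.0.1.0-255 80,8080-9443 50 1000`, the Go program below expands a last-octet IP range and a comma-separated port list, then runs TCP connect scans with a bounded number of in-flight dials and a per-dial timeout. That the range applies only to the last octet is an assumption drawn from the help-text example; CDK's own parser may accept more.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"sort"
	"strconv"
	"strings"
	"sync"
	"time"
)

// parseSpan turns "a" or "a-b" into inclusive bounds and checks them against [lower, upper].
func parseSpan(s string, lower, upper int) (int, int, error) {
	parts := strings.SplitN(s, "-", 2)
	lo, err := strconv.Atoi(parts[0])
	if err != nil {
		return 0, 0, err
	}
	hi := lo
	if len(parts) == 2 {
		if hi, err = strconv.Atoi(parts[1]); err != nil {
			return 0, 0, err
		}
	}
	if lo < lower || hi > upper || lo > hi {
		return 0, 0, fmt.Errorf("span %q outside %d-%d", s, lower, upper)
	}
	return lo, hi, nil
}

// ParseIPRange expands "10.0.1.0-255" (range on the last octet only) or a single IPv4 address.
func ParseIPRange(spec string) ([]string, error) {
	dot := strings.LastIndex(spec, ".")
	if dot < 0 {
		return nil, fmt.Errorf("bad address %q", spec)
	}
	lo, hi, err := parseSpan(spec[dot+1:], 0, 255)
	if err != nil {
		return nil, err
	}
	var ips []string
	for i := lo; i <= hi; i++ {
		ip := spec[:dot+1] + strconv.Itoa(i)
		if net.ParseIP(ip) == nil {
			return nil, fmt.Errorf("bad address %q", ip)
		}
		ips = append(ips, ip)
	}
	return ips, nil
}

// ParsePorts expands "80,8080-9443" into a sorted, de-duplicated port list.
func ParsePorts(spec string) ([]int, error) {
	seen := map[int]bool{}
	for _, part := range strings.Split(spec, ",") {
		lo, hi, err := parseSpan(strings.TrimSpace(part), 1, 65535)
		if err != nil {
			return nil, err
		}
		for p := lo; p <= hi; p++ {
			seen[p] = true
		}
	}
	ports := make([]int, 0, len(seen))
	for p := range seen {
		ports = append(ports, p)
	}
	sort.Ints(ports)
	return ports, nil
}

// Probe TCP-connects to every ip:port with at most parallel dials in flight and
// a per-dial timeout; it returns the sorted "ip:port" targets that accepted.
func Probe(ips []string, ports []int, parallel int, timeout time.Duration) []string {
	if parallel < 1 {
		parallel = 1
	}
	sem := make(chan struct{}, parallel) // bounds concurrency without a worker pool
	var mu sync.Mutex
	var wg sync.WaitGroup
	var open []string
	for _, ip := range ips {
		for _, port := range ports {
			target := net.JoinHostPort(ip, strconv.Itoa(port))
			wg.Add(1)
			sem <- struct{}{}
			go func(target string) {
				defer wg.Done()
				defer func() { <-sem }()
				if conn, err := net.DialTimeout("tcp", target, timeout); err == nil {
					conn.Close()
					mu.Lock()
					open = append(open, target)
					mu.Unlock()
				}
			}(target)
		}
	}
	wg.Wait()
	sort.Strings(open)
	return open
}

func main() {
	if len(os.Args) != 5 {
		fmt.Fprintln(os.Stderr, "usage: probe <ip-range> <ports> <parallel> <timeout-ms>")
		os.Exit(2)
	}
	ips, err := ParseIPRange(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	ports, err := ParsePorts(os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	parallel, _ := strconv.Atoi(os.Args[3])
	ms, _ := strconv.Atoi(os.Args[4])
	for _, target := range Probe(ips, ports, parallel, time.Duration(ms)*time.Millisecond) {
		fmt.Println("open", target)
	}
}
```

The semaphore channel is what keeps a 256-host by 1365-port sweep from exhausting file descriptors inside a container with a low ulimit; a connect that times out rather than being refused usually means a firewall or a network policy rather than a closed port, so a large timeout value inflates scan time on filtered ranges.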