added minimal dashboard hunting

2026-05-11 11:47:15 +00:00 · 2018-07-19 14:42:50 +03:00
parent 0d6b16acd8
commit 174d93804c
3 changed files with 23 additions and 10 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 *.pyc
 Dockerfile
-.dockerignore
+.dockerignore
+*aqua*
--- a/src/modules/discovery/dashboard.py
+++ b/src/modules/discovery/dashboard.py
@@ -1,11 +1,13 @@
 import json
+import logging

 import requests

 from ...core.events import handler
-from ...core.events.types import Event, Service, OpenPortEvent
+from ...core.events.types import Event, OpenPortEvent, Service
 from ...core.types import Hunter

+
 class KubeDashboardEvent(Service, Event):
    """A web-based Kubernetes user interface. allows easy usage with operations on the cluster"""
    def __init__(self, **kargs):
@@ -15,15 +17,13 @@ class KubeDashboardEvent(Service, Event):
 class KubeDashboard(Hunter):
    def __init__(self, event):
        self.event = event
-        self.host = event.host
-        self.port = event.port 

    @property
    def secure(self):
-        default = json.loads(requests.get("http://{}:{}/api/v1/service/default".format(self.host, self.port)).text)
-        if "errors" in default and len(default["errors"]) == 0:
+        r = requests.get("http://{}:{}/api/v1/service/default".format(self.event.host, self.event.port))
+        if "listMeta" in r.text and len(json.loads(r.text)["errors"]) == 0:
            return False
-        return False
+        return True

    def execute(self):
        if not self.secure:
--- a/src/modules/hunting/dashboard.py
+++ b/src/modules/hunting/dashboard.py
@@ -1,16 +1,28 @@
 import logging
-from ...core.types import Hunter
+import json
+from ...core.types import Hunter, RemoteCodeExec, KubernetesCluster

 import requests

 from ...core.events import handler
+from ...core.events.types import Vulnerability, Event
 from ..discovery.dashboard import KubeDashboardEvent

+class DashboardExposed(Vulnerability, Event):
+    """All oprations on the cluster are exposed"""
+    def __init__(self, nodes):
+        Vulnerability.__init__(self, KubernetesCluster, "Dashboard Exposed", category=RemoteCodeExec)
+        self.evidence = "nodes: {}".format(' '.join(nodes)) if nodes else None
+
@handler.subscribe(KubeDashboardEvent)
 class KubeDashboard(Hunter):
    def __init__(self, event):
        self.event = event

+    def get_nodes(self):
+        r = requests.get("http://{}:{}/api/v1/node".format(self.event.host, self.event.port))
+        if r.status_code == 200 and "nodes" in r.text:
+            return list(map(lambda node: node["objectMeta"]["name"], json.loads(r.text)["nodes"]))
+        
    def execute(self):
-        # TODO: implement dashboard hunting
-        pass
+        self.publish_event(DashboardExposed(nodes=self.get_nodes()))