Merge pull request #53 from aquasecurity/access-secrets-hunter

Access secrets hunter
2026-05-13 12:47:20 +00:00 · 2018-11-06 10:30:17 +00:00
parent df5d0bc3f6 1171c8ae20
commit aca2784598
7 changed files with 50 additions and 3 deletions
--- a/kube-hunter.py
+++ b/kube-hunter.py
@@ -111,6 +111,7 @@ def main():

        if not any(scan_options):
            if not interactive_set_config(): return
+
        hunt_started_lock.acquire()
        hunt_started = True
        hunt_started_lock.release()
@@ -136,6 +137,7 @@ def main():
            hunt_started_lock.release()


+
 if __name__ == '__main__':
        main()

--- a/src/core/events/handler.py
+++ b/src/core/events/handler.py
@@ -10,11 +10,11 @@ from __main__ import config
 from ..types import ActiveHunter, Hunter

 from ...core.events.types import HuntFinished
+import threading

 global queue_lock
 queue_lock = Lock()

-
 # Inherits Queue object, handles events asynchronously
 class EventQueue(Queue, object):
    def __init__(self, num_worker=10):
--- a/src/modules/discovery/apiserver.py
+++ b/src/modules/discovery/apiserver.py
@@ -16,6 +16,7 @@ class ApiServer(Service, Event):
    def __init__(self):
        Service.__init__(self, name="API Server")

+
@handler.subscribe(OpenPortEvent, predicate=lambda x: x.port==443 or x.port==6443)
 class ApiServerDiscovery(Hunter):
    """Api Server Discovery
--- a/src/modules/discovery/hosts.py
+++ b/src/modules/discovery/hosts.py
@@ -15,6 +15,10 @@ from ...core.events import handler
 from ...core.events.types import Event, NewHostEvent, Vulnerability
 from ...core.types import Hunter, InformationDisclosure, Azure

+class RunningAsPodEvent(Event):
+    def __init__(self):
+        self.name = 'Running from within a pod'
+

 class AzureMetadataApi(Vulnerability, Event):
    """Access to the Azure Metadata API exposes sensitive information about the machines associated with the cluster"""
@@ -65,6 +69,7 @@ class HostDiscovery(Hunter):
            for host in config.remote:
                self.publish_event(NewHostEvent(host=host, cloud=self.get_cloud(host)))
        elif config.pod:
+            self.publish_event(RunningAsPodEvent())
            if self.is_azure_pod():
                self.azure_metadata_discovery()
            else:
--- a/src/modules/hunting/secrets.py
+++ b/src/modules/hunting/secrets.py
@@ -0,0 +1,40 @@
+import json
+import logging
+import os
+
+
+import requests
+
+from ...core.events import handler
+from ...core.events.types import Vulnerability, Event
+from ...core.types import Hunter, KubernetesCluster, AccessRisk
+from ..discovery.hosts import RunningAsPodEvent
+
+""" Vulnerabilities """
+class SecretsAccess(Vulnerability, Event):
+    """ Accessing the pod's secrets within a compromised pod might disclose valuable data to a potential attacker"""
+
+    def __init__(self, evidence):
+        Vulnerability.__init__(self, KubernetesCluster, name="Accessed to pod's secrets", category=AccessRisk)
+        self.evidence = evidence
+
+
+# Passive Hunter
+@handler.subscribe(RunningAsPodEvent)
+class AccessSecrets(Hunter):
+    """Accessing the secrets accessible to the pod"""
+
+    def __init__(self, event):
+        self.event = event
+        self.secrets_evidence = ''
+
+    def get_services(self):
+        logging.debug(self.event.host)
+        logging.debug('Passive Hunter is attempting to access pod\'s secrets directory')
+        # get all files and subdirectories files:
+        self.secrets_evidence = [val for sublist in [[os.path.join(i[0], j) for j in i[2]] for i in os.walk('/var/run/secrets/')] for val in sublist]
+        return True if (len(self.secrets_evidence) > 0) else False
+
+    def execute(self):
+        if self.get_services():
+            self.publish_event(SecretsAccess(self.secrets_evidence))
--- a/src/modules/report/plain.py
+++ b/src/modules/report/plain.py
@@ -3,7 +3,7 @@ from __future__ import print_function
 from prettytable import ALL, PrettyTable

 from __main__ import config
-from collector import services, vulnerabilities,services_lock, vulnerabilities_lock
+from collector import services, vulnerabilities, services_lock, vulnerabilities_lock

 EVIDENCE_PREVIEW = 40
 MAX_TABLE_WIDTH = 20
--- a/src/modules/report/yaml.py
+++ b/src/modules/report/yaml.py
@@ -4,7 +4,6 @@ from ruamel.yaml import YAML

 from collector import services, vulnerabilities, services_lock, vulnerabilities_lock

-
 class YAMLReporter(object):
    def get_report(self):
        yaml = YAML()