lint fix

* removed old dependency for cap_net_raw, by stop usage of tracerouting when running as a pod

* removed unused imports

.github/workflows/lint.yml

@@ -0,0 +1,12 @@
+name: Lint
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+      - uses: pre-commit/action@v2.0.0

.github/workflows/test.yml

@@ -0,0 +1,54 @@
+name: Test
+
+on: [push, pull_request]
+
+env:
+  FORCE_COLOR: 1
+
+jobs:
+  build:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.6", "3.7", "3.8", "3.9"]
+        os: [ubuntu-20.04, ubuntu-18.04, ubuntu-16.04]
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v2
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Get pip cache dir
+        id: pip-cache
+        run: |
+          echo "::set-output name=dir::$(pip cache dir)"
+
+      - name: Cache
+        uses: actions/cache@v2
+        with:
+          path: ${{ steps.pip-cache.outputs.dir }}
+          key:
+            ${{ matrix.os }}-${{ matrix.python-version }}-${{ hashFiles('requirements-dev.txt') }}
+          restore-keys: |
+            ${{ matrix.os }}-${{ matrix.python-version }}-
+
+      - name: Install dependencies
+        run: |
+          python -m pip install -U pip
+          python -m pip install -U wheel
+          python -m pip install -r requirements.txt
+          python -m pip install -r requirements-dev.txt
+
+      - name: Test
+        shell: bash
+        run: |
+          make test
+
+      - name: Upload coverage
+        uses: codecov/codecov-action@v1
+        with:
+          name: ${{ matrix.os }} Python ${{ matrix.python-version }}

docs/_kb/KHV052.md

@@ -0,0 +1,23 @@
+---
+vid: KHV052
+title: Exposed Pods
+categories: [Information Disclosure]
+---
+
+# {{ page.vid }} - {{ page.title }}
+
+## Issue description
+
+An attacker could view sensitive information about pods that are bound to a Node using the exposed /pods endpoint
+This can be done either by accessing the readonly port (default 10255), or from the secure kubelet port (10250)
+
+## Remediation
+
+Ensure kubelet is protected using `--anonymous-auth=false` kubelet flag. Allow only legitimate users using `--client-ca-file` or `--authentication-token-webhook` kubelet flags. This is usually done by the installer or cloud provider.
+
+Disable the readonly port by using `--read-only-port=0` kubelet flag.
+
+## References
+
+- [Kubelet configuration](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/)
+- [Kubelet authentication/authorization](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/)

kube_hunter/modules/discovery/hosts.py

@@ -5,8 +5,7 @@ import requests
 
 from enum import Enum
 from netaddr import IPNetwork, IPAddress, AddrFormatError
-from netifaces import AF_INET, ifaddresses, interfaces
-from scapy.all import ICMP, IP, Ether, srp1
+from netifaces import AF_INET, ifaddresses, interfaces, gateways
 
 from kube_hunter.conf import get_config
 from kube_hunter.core.events import handler
@@ -109,7 +108,7 @@ class FromPodHostDiscovery(Discovery):
             if self.is_azure_pod():
                 subnets, cloud = self.azure_metadata_discovery()
             else:
-                subnets = self.traceroute_discovery()
+                subnets = self.gateway_discovery()
 
             should_scan_apiserver = False
             if self.event.kubeservicehost:
@@ -141,14 +140,9 @@ class FromPodHostDiscovery(Discovery):
             return False
 
     # for pod scanning
-    def traceroute_discovery(self):
-        config = get_config()
-        node_internal_ip = srp1(
-            Ether() / IP(dst="1.1.1.1", ttl=1) / ICMP(),
-            verbose=0,
-            timeout=config.network_timeout,
-        )[IP].src
-        return [[node_internal_ip, "24"]]
+    def gateway_discovery(self):
+        """ Retrieving default gateway of pod, which is usually also a contact point with the host """
+        return [[gateways()["default"][AF_INET][0], "24"]]
 
     # querying azure's interface metadata api | works only from a pod
     def azure_metadata_discovery(self):

kube_hunter/modules/hunting/apiserver.py

@@ -56,16 +56,19 @@ class ServerApiHTTPAccess(Vulnerability, Event):
 
 
 class ApiInfoDisclosure(Vulnerability, Event):
+    """Information Disclosure depending upon RBAC permissions and Kube-Cluster Setup"""
+
     def __init__(self, evidence, using_token, name):
+        category = InformationDisclosure
         if using_token:
-            name += " using service account token"
+            name += " using default service account token"
         else:
             name += " as anonymous user"
         Vulnerability.__init__(
             self,
             KubernetesCluster,
             name=name,
-            category=InformationDisclosure,
+            category=category,
             vid="KHV007",
         )
         self.evidence = evidence

kube_hunter/modules/hunting/certificates.py

@@ -8,11 +8,13 @@ from kube_hunter.core.events import handler
 from kube_hunter.core.events.types import Vulnerability, Event, Service
 
 logger = logging.getLogger(__name__)
-email_pattern = re.compile(rb"([a-z0-9]+@[a-z0-9]+\.[a-z0-9]+)")
+email_pattern = re.compile(rb"([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)")
 
 
 class CertificateEmail(Vulnerability, Event):
-    """Certificate includes an email address"""
+    """The Kubernetes API Server advertises a public certificate for TLS.
+    This certificate includes an email address, that may provide additional information for an attacker on your
+    organization, or be abused for further email based attacks."""
 
     def __init__(self, email):
         Vulnerability.__init__(

kube_hunter/modules/hunting/kubelet.py

@@ -35,10 +35,7 @@ class ExposedPodsHandler(Vulnerability, Event):
 
     def __init__(self, pods):
         Vulnerability.__init__(
-            self,
-            component=Kubelet,
-            name="Exposed Pods",
-            category=InformationDisclosure,
+            self, component=Kubelet, name="Exposed Pods", category=InformationDisclosure, vid="KHV052"
         )
         self.pods = pods
         self.evidence = f"count: {len(self.pods)}"
@@ -347,27 +344,23 @@ class SecureKubeletPortHunter(Hunter):
 
         # need further investigation on websockets protocol for further implementation
         def test_port_forward(self):
-            config = get_config()
-            headers = {
-                "Upgrade": "websocket",
-                "Connection": "Upgrade",
-                "Sec-Websocket-Key": "s",
-                "Sec-Websocket-Version": "13",
-                "Sec-Websocket-Protocol": "SPDY",
-            }
-            pf_url = self.path + KubeletHandlers.PORTFORWARD.value.format(
-                pod_namespace=self.pod["namespace"],
-                pod_id=self.pod["name"],
-                port=80,
-            )
-            self.session.get(
-                pf_url,
-                headers=headers,
-                verify=False,
-                stream=True,
-                timeout=config.network_timeout,
-            ).status_code == 200
+            pass
             # TODO: what to return?
+            # Example starting code:
+            #
+            # config = get_config()
+            # headers = {
+            #     "Upgrade": "websocket",
+            #     "Connection": "Upgrade",
+            #     "Sec-Websocket-Key": "s",
+            #     "Sec-Websocket-Version": "13",
+            #     "Sec-Websocket-Protocol": "SPDY",
+            # }
+            # pf_url = self.path + KubeletHandlers.PORTFORWARD.value.format(
+            #     pod_namespace=self.pod["namespace"],
+            #     pod_id=self.pod["name"],
+            #     port=80,
+            # )
 
         # executes one command and returns output
         def test_run_container(self):
@@ -378,8 +371,9 @@ class SecureKubeletPortHunter(Hunter):
                 container_name="test",
                 cmd="",
             )
-            # if we get a Method Not Allowed, we know we passed Authentication and Authorization.
-            return self.session.get(run_url, verify=False, timeout=config.network_timeout).status_code == 405
+            # if we get this message, we know we passed Authentication and Authorization, and that the endpoint is enabled.
+            status_code = self.session.post(run_url, verify=False, timeout=config.network_timeout).status_code
+            return status_code == requests.codes.NOT_FOUND
 
         # returns list of currently running pods
         def test_running_pods(self):
@@ -1139,11 +1133,16 @@ class ProveSystemLogs(ActiveHunter):
             f"{self.base_url}/" + KubeletHandlers.LOGS.value.format(path="audit/audit.log"),
             verify=False,
             timeout=config.network_timeout,
-        ).text
-        logger.debug(f"Audit log of host {self.event.host}: {audit_logs[:10]}")
-        # iterating over proctitles and converting them into readable strings
-        proctitles = []
-        for proctitle in re.findall(r"proctitle=(\w+)", audit_logs):
-            proctitles.append(bytes.fromhex(proctitle).decode("utf-8").replace("\x00", " "))
-        self.event.proctitles = proctitles
-        self.event.evidence = f"audit log: {proctitles}"
+        )
+
+        # TODO: add more methods for proving system logs
+        if audit_logs.status_code == requests.status_codes.codes.OK:
+            logger.debug(f"Audit log of host {self.event.host}: {audit_logs.text[:10]}")
+            # iterating over proctitles and converting them into readable strings
+            proctitles = []
+            for proctitle in re.findall(r"proctitle=(\w+)", audit_logs.text):
+                proctitles.append(bytes.fromhex(proctitle).decode("utf-8").replace("\x00", " "))
+            self.event.proctitles = proctitles
+            self.event.evidence = f"audit log: {proctitles}"
+        else:
+            self.event.evidence = "Could not parse system logs"

pyinstaller_hooks/hook-prettytable.py

@@ -0,0 +1,3 @@
+from PyInstaller.utils.hooks import collect_all
+
+datas, binaries, hiddenimports = collect_all("prettytable")

setup.py

@@ -41,6 +41,8 @@ class PyInstallerCommand(Command):
         cfg.read("setup.cfg")
         command = [
             "pyinstaller",
+            "--additional-hooks-dir",
+            "pyinstaller_hooks",
             "--clean",
             "--onefile",
             "--name",