Merge branch 'master' into fix_audit_log_proving

.github/workflows/lint.yml

@@ -1,12 +0,0 @@
-name: Lint
-
-on: [push, pull_request]
-
-jobs:
-  build:
-    runs-on: ubuntu-20.04
-
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-      - uses: pre-commit/action@v2.0.0

.github/workflows/test.yml

@@ -1,54 +0,0 @@
-name: Test
-
-on: [push, pull_request]
-
-env:
-  FORCE_COLOR: 1
-
-jobs:
-  build:
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        python-version: ["3.6", "3.7", "3.8", "3.9"]
-        os: [ubuntu-20.04, ubuntu-18.04, ubuntu-16.04]
-
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
-        with:
-          python-version: ${{ matrix.python-version }}
-
-      - name: Get pip cache dir
-        id: pip-cache
-        run: |
-          echo "::set-output name=dir::$(pip cache dir)"
-
-      - name: Cache
-        uses: actions/cache@v2
-        with:
-          path: ${{ steps.pip-cache.outputs.dir }}
-          key:
-            ${{ matrix.os }}-${{ matrix.python-version }}-${{ hashFiles('requirements-dev.txt') }}
-          restore-keys: |
-            ${{ matrix.os }}-${{ matrix.python-version }}-
-
-      - name: Install dependencies
-        run: |
-          python -m pip install -U pip
-          python -m pip install -U wheel
-          python -m pip install -r requirements.txt
-          python -m pip install -r requirements-dev.txt
-
-      - name: Test
-        shell: bash
-        run: |
-          make test
-
-      - name: Upload coverage
-        uses: codecov/codecov-action@v1
-        with:
-          name: ${{ matrix.os }} Python ${{ matrix.python-version }}

kube_hunter/modules/discovery/hosts.py

@@ -5,7 +5,8 @@ import requests
 
 from enum import Enum
 from netaddr import IPNetwork, IPAddress, AddrFormatError
-from netifaces import AF_INET, ifaddresses, interfaces, gateways
+from netifaces import AF_INET, ifaddresses, interfaces
+from scapy.all import ICMP, IP, Ether, srp1
 
 from kube_hunter.conf import get_config
 from kube_hunter.core.events import handler
@@ -108,7 +109,7 @@ class FromPodHostDiscovery(Discovery):
             if self.is_azure_pod():
                 subnets, cloud = self.azure_metadata_discovery()
             else:
-                subnets = self.gateway_discovery()
+                subnets = self.traceroute_discovery()
 
             should_scan_apiserver = False
             if self.event.kubeservicehost:
@@ -140,9 +141,14 @@ class FromPodHostDiscovery(Discovery):
             return False
 
     # for pod scanning
-    def gateway_discovery(self):
-        """ Retrieving default gateway of pod, which is usually also a contact point with the host """
-        return [[gateways()["default"][AF_INET][0], "24"]]
+    def traceroute_discovery(self):
+        config = get_config()
+        node_internal_ip = srp1(
+            Ether() / IP(dst="1.1.1.1", ttl=1) / ICMP(),
+            verbose=0,
+            timeout=config.network_timeout,
+        )[IP].src
+        return [[node_internal_ip, "24"]]
 
     # querying azure's interface metadata api | works only from a pod
     def azure_metadata_discovery(self):

kube_hunter/modules/hunting/apiserver.py

@@ -56,19 +56,16 @@ class ServerApiHTTPAccess(Vulnerability, Event):
 
 
 class ApiInfoDisclosure(Vulnerability, Event):
-    """Information Disclosure depending upon RBAC permissions and Kube-Cluster Setup"""
-
     def __init__(self, evidence, using_token, name):
-        category = InformationDisclosure
         if using_token:
-            name += " using default service account token"
+            name += " using service account token"
         else:
             name += " as anonymous user"
         Vulnerability.__init__(
             self,
             KubernetesCluster,
             name=name,
-            category=category,
+            category=InformationDisclosure,
             vid="KHV007",
         )
         self.evidence = evidence

kube_hunter/modules/hunting/certificates.py

@@ -8,13 +8,11 @@ from kube_hunter.core.events import handler
 from kube_hunter.core.events.types import Vulnerability, Event, Service
 
 logger = logging.getLogger(__name__)
-email_pattern = re.compile(rb"([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)")
+email_pattern = re.compile(rb"([a-z0-9]+@[a-z0-9]+\.[a-z0-9]+)")
 
 
 class CertificateEmail(Vulnerability, Event):
-    """The Kubernetes API Server advertises a public certificate for TLS.
-    This certificate includes an email address, that may provide additional information for an attacker on your
-    organization, or be abused for further email based attacks."""
+    """Certificate includes an email address"""
 
     def __init__(self, email):
         Vulnerability.__init__(

kube_hunter/modules/hunting/kubelet.py

@@ -344,23 +344,27 @@ class SecureKubeletPortHunter(Hunter):
 
         # need further investigation on websockets protocol for further implementation
         def test_port_forward(self):
-            pass
+            config = get_config()
+            headers = {
+                "Upgrade": "websocket",
+                "Connection": "Upgrade",
+                "Sec-Websocket-Key": "s",
+                "Sec-Websocket-Version": "13",
+                "Sec-Websocket-Protocol": "SPDY",
+            }
+            pf_url = self.path + KubeletHandlers.PORTFORWARD.value.format(
+                pod_namespace=self.pod["namespace"],
+                pod_id=self.pod["name"],
+                port=80,
+            )
+            self.session.get(
+                pf_url,
+                headers=headers,
+                verify=False,
+                stream=True,
+                timeout=config.network_timeout,
+            ).status_code == 200
             # TODO: what to return?
-            # Example starting code:
-            #
-            # config = get_config()
-            # headers = {
-            #     "Upgrade": "websocket",
-            #     "Connection": "Upgrade",
-            #     "Sec-Websocket-Key": "s",
-            #     "Sec-Websocket-Version": "13",
-            #     "Sec-Websocket-Protocol": "SPDY",
-            # }
-            # pf_url = self.path + KubeletHandlers.PORTFORWARD.value.format(
-            #     pod_namespace=self.pod["namespace"],
-            #     pod_id=self.pod["name"],
-            #     port=80,
-            # )
 
         # executes one command and returns output
         def test_run_container(self):
@@ -371,9 +375,8 @@ class SecureKubeletPortHunter(Hunter):
                 container_name="test",
                 cmd="",
             )
-            # if we get this message, we know we passed Authentication and Authorization, and that the endpoint is enabled.
-            status_code = self.session.post(run_url, verify=False, timeout=config.network_timeout).status_code
-            return status_code == requests.codes.NOT_FOUND
+            # if we get a Method Not Allowed, we know we passed Authentication and Authorization.
+            return self.session.get(run_url, verify=False, timeout=config.network_timeout).status_code == 405
 
         # returns list of currently running pods
         def test_running_pods(self):