Home
English | 简体中文
Usage of CDK for attacking targets without prior mutual consent is illegal. CDK is for security testing purposes only.
CDK is an open-source container penetration toolkit, designed to offer stable exploitation in different slimmed-down containers without any OS dependency. It comes with useful network tools and many powerful PoCs/EXPs that help you escape the container and take over the K8s cluster easily.
It is still under development; submit an issue or mail [email protected] if you need any help.
CDK has three modules:
- Evaluate: gather information inside the container to find potential weaknesses.
- Exploit: container escaping, persistence and lateral movement.
- Tool: network tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.
Usage
cdk evaluate [--full]
This command runs the scripts below, skipping the local file scan; use --full to enable all of them.
Tactics | Script | Supported | Usage/Example |
---|---|---|---|
Information Gathering | OS basic info | ✔ | link |
Information Gathering | Available capabilities | ✔ | link |
Information Gathering | Available Linux commands | ✔ | link |
Information Gathering | Mounts | ✔ | link |
Information Gathering | Sensitive ENV | ✔ | link |
Information Gathering | Sensitive process | ✔ | link |
Information Gathering | Sensitive local files | ✔ | link |
Discovery | K8s api-server info | ✔ | link |
Discovery | K8s service-account info | ✔ | link |
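As an added example (not CDK's own code), the following Go program implements a defender-side version of several checks in the evaluate table: it pulls the CapEff bitmask out of /proc/self/status, decodes it into capability names, flags capabilities beyond Docker's default set, and scans /proc/mounts for a bind-mounted Docker socket, a writable cgroup filesystem, a host filesystem mounted into the container and a K8s service-account token mount. The function names, the riskyCaps list and the sample /proc contents are assumptions constructed for this example; in a real container the two files would be read with os.ReadFile and passed to the same functions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// capNames maps Linux capability bit numbers to their names (from <linux/capability.h>).
var capNames = map[uint]string{
	0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
	4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
	9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
	12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
	16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
	20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
	24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
	28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
	32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN", 34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM",
	36: "CAP_BLOCK_SUSPEND", 37: "CAP_AUDIT_READ", 38: "CAP_PERFMON", 39: "CAP_BPF",
	40: "CAP_CHECKPOINT_RESTORE",
}

// riskyCaps (assumed list for this example) are capabilities outside Docker's default
// set that weaken the container boundary and should not be granted without a reason.
var riskyCaps = map[string]bool{
	"CAP_SYS_ADMIN": true, "CAP_SYS_PTRACE": true, "CAP_SYS_MODULE": true,
	"CAP_DAC_READ_SEARCH": true, "CAP_SYS_RAWIO": true, "CAP_NET_ADMIN": true, "CAP_BPF": true,
}

// Finding is one risky configuration item reported by the audit.
type Finding struct{ Check, Detail string }

// Constructed samples standing in for /proc/self/status and /proc/mounts.
// CapEff here is Docker's default mask 0xa80425fb plus CAP_SYS_PTRACE and CAP_SYS_ADMIN.
const SampleStatus = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\n" +
	"CapPrm:\t00000000a82c25fb\nCapEff:\t00000000a82c25fb\nCapBnd:\t00000000a82c25fb\n"

const SampleMounts = "overlay / overlay rw,relatime 0 0\n" +
	"proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n" +
	"tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755 0 0\n" +
	"cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0\n" +
	"tmpfs /run/docker.sock tmpfs rw,nosuid,nodev,mode=755 0 0\n" +
	"/dev/sda1 /host ext4 rw,relatime 0 0\n" +
	"tmpfs /run/secrets/kubernetes.io/serviceaccount tmpfs ro,relatime 0 0\n"

// CapEffFromStatus pulls the hex CapEff value out of /proc/<pid>/status content.
func CapEffFromStatus(status string) (string, bool) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "CapEff:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "CapEff:")), true
		}
	}
	return "", false
}

// ParseCapEff decodes a CapEff bitmask into capability names, lowest bit first.
func ParseCapEff(hexMask string) ([]string, error) {
	mask, err := strconv.ParseUint(strings.TrimPrefix(hexMask, "0x"), 16, 64)
	if err != nil {
		return nil, fmt.Errorf("bad CapEff %q: %w", hexMask, err)
	}
	var names []string
	for bit := uint(0); bit < 64; bit++ {
		if mask&(1<<bit) == 0 {
			continue
		}
		name, ok := capNames[bit]
		if !ok {
			name = fmt.Sprintf("CAP_UNKNOWN_%d", bit) // newer kernel than this table
		}
		names = append(names, name)
	}
	return names, nil
}

// RiskyCaps returns the subset of names that appear in riskyCaps.
func RiskyCaps(names []string) []string {
	var out []string
	for _, n := range names {
		if riskyCaps[n] {
			out = append(out, n)
		}
	}
	return out
}

// AuditMounts scans /proc/mounts content (device mountpoint fstype options ...) for a
// Docker socket, a service-account token, a writable cgroup fs and a host filesystem.
func AuditMounts(procMounts string) []Finding {
	var out []Finding
	for _, line := range strings.Split(strings.TrimSpace(procMounts), "\n") {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue
		}
		device, mountPoint, fsType := f[0], f[1], f[2]
		writable := strings.Contains(","+f[3]+",", ",rw,")
		switch {
		case strings.HasSuffix(mountPoint, "docker.sock"):
			out = append(out, Finding{"docker.sock", mountPoint + " exposes the Docker API"})
		case strings.HasSuffix(mountPoint, "kubernetes.io/serviceaccount"):
			out = append(out, Finding{"service-account", mountPoint + " holds a K8s token"})
		case (fsType == "cgroup" || fsType == "cgroup2") && writable:
			out = append(out, Finding{"cgroup", mountPoint + " is mounted rw"})
		case strings.HasPrefix(device, "/dev/") && writable:
			out = append(out, Finding{"host-fs", device + " (host filesystem) on " + mountPoint})
		}
	}
	return out
}

func main() {
	capEff, _ := CapEffFromStatus(SampleStatus)
	names, _ := ParseCapEff(capEff)
	fmt.Println("effective caps:", names)
	fmt.Println("risky caps:", RiskyCaps(names))
	for _, fd := range AuditMounts(SampleMounts) {
		fmt.Printf("[%s] %s\n", fd.Check, fd.Detail)
	}
}
```

The mount check keys on the mount point suffix rather than the exact path because Docker and Kubernetes place the socket and the token under /run or /var/run depending on the host; the cgroup finding only fires when the filesystem is writable, since a read-only cgroup mount is the normal case for an unprivileged container.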
List all available exploits:
cdk run --list
Run targeted exploit:
cdk run <script-name> [options]
Tactics | Exploit | Callable Name | Supported | Usage/Example |
---|---|---|---|---|
Escaping | docker-runc CVE-2019-5736 | |||
Escaping | dirtycow CVE-2016-5159 | |||
Escaping | docker.sock PoC (DIND attack) | docker-sock-check | ✔ | link |
Escaping | docker.sock Backdoor Image Deploy | docker-sock-deploy | ✔ | link |
Escaping | Device Mount Escaping | mount-disk | ✔ | link |
Escaping | Cgroups Escaping | mount-cgroup | ✔ | link |
Escaping | Procfs Escaping | mount-procfs | ✔ | link |
Escaping | Ptrace Escaping PoC | check-ptrace | ✔ | link |
Discovery | K8s Component Probe | service-probe | ✔ | link |
Lateral Movement | K8s Service Account Control | |||
Lateral Movement | Attack K8s api-server | |||
Lateral Movement | Attack K8s Kubelet | |||
Lateral Movement | Attack K8s Dashboard | |||
Lateral Movement | Attack K8s Helm | |||
Lateral Movement | Attack K8s Etcd | |||
Lateral Movement | Attack Private Docker Registry | |||
Remote Control | Reverse Shell | reverse-shell | ✔ | link |
Credential Access | Access Key Scanning | ak-leakage | ✔ | link |
Credential Access | Dump K8s Secrets | k8s-secret-dump | ✔ | |
Credential Access | Dump K8s Config | k8s-configmap-dump | ✔ | |
Persistence | Deploy WebShell | |||
Persistence | Deploy Backdoor Pod | |||
Persistence | Deploy Shadow K8s api-server | |||
Persistence | Deploy K8s CronJob | |||
Defense Evasion | Disable K8s Audit | |||
These commands work like their Linux counterparts, with slightly different input arguments; see the usage link.
cdk nc [options]
cdk ps
Command | Description | Supported | Usage/Example |
---|---|---|---|
nc | TCP Tunnel | ✔ | |
ps | Process Information | ✔ | |
ifconfig | Network Information | ✔ | |
vi | Edit Files | ✔ | |
kcurl | Request to K8s api-server | ✔ | |
dcurl | Request to Docker HTTP API | ||
ucurl | Request to Docker Unix Socket | ✔ | |
rcurl | Request to Docker Registry API | ||
probe | IP/Port Scanning | ✔ | link |
Drop the executable files into the target container and start testing.
https://github.com/Xyntax/CDK/tree/main/release
- Echo loader for delivering CDK into target container via Web RCE.
- EDR defense evasion.
- Compile optimization.
- Dev docs