As a Malicious Internal User…
lojikil opened this issue · 1 comment
lojikil commented
Overview
A Malicious Internal User is a user, such as an administrator or developer, who uses their privileged position maliciously against the system, or an attacker using stolen credentials for the same purpose. The scenario is more focused on what logging/auditing/roles/NAC can do to prevent such credential abuse.
Setup
- create a malicious user
- map what kops & kubespray look like from the host perspective
- discover components and what they leak from this perspective as well
- map what components a reasonably-permissioned attacker may have access to
- non-repudiation throughout the system (are there logging gaps?)
I wish to exfil secrets
- what secrets do I have access to by default
- can I move laterally to gain access to other secrets
I wish to add resources
- can I modify a resource to establish a beachhead without alerting other admins/users
- can I deploy resources without alerting other admins
I wish to punch holes in system security
- port forwarding without anyone noticing
- breaking down restrictions/filters without alert
btonic commented
DNS enumeration within the cluster via coredns:
root@wordpress-dccb8668f-mzg45:/var/www/html# nslookup -type=ns default.svc.cluster.local
;; Truncated, retrying in TCP mode.
Server: 10.233.0.3
Address: 10.233.0.3#53
cluster.local
origin = ns.dns.cluster.local
mail addr = hostmaster.cluster.local
serial = 1555691051
refresh = 7200
retry = 1800
expire = 86400
minimum = 30
wordpress.default.svc.cluster.local service = 0 100 80 wordpress.default.svc.cluster.local.
_http._tcp.wordpress.default.svc.cluster.local service = 0 100 80 wordpress.default.svc.cluster.local.
kubernetes-dashboard.kube-system.svc.cluster.local service = 0 100 443 kubernetes-dashboard.kube-system.svc.cluster.local.
kubernetes.default.svc.cluster.local service = 0 100 443 kubernetes.default.svc.cluster.local.
_https._tcp.kubernetes.default.svc.cluster.local service = 0 100 443 kubernetes.default.svc.cluster.local.
coredns.kube-system.svc.cluster.local service = 0 100 53 coredns.kube-system.svc.cluster.local.
_dns._udp.coredns.kube-system.svc.cluster.local service = 0 100 53 coredns.kube-system.svc.cluster.local.
coredns.kube-system.svc.cluster.local service = 0 100 53 coredns.kube-system.svc.cluster.local.
_dns-tcp._tcp.coredns.kube-system.svc.cluster.local service = 0 100 53 coredns.kube-system.svc.cluster.local.
coredns.kube-system.svc.cluster.local service = 0 100 9153 coredns.kube-system.svc.cluster.local.
_metrics._tcp.coredns.kube-system.svc.cluster.local service = 0 100 9153 coredns.kube-system.svc.cluster.local.
liveness-http.default.svc.cluster.local service = 0 100 81 liveness-http.default.svc.cluster.local.
cluster.local
origin = ns.dns.cluster.local
mail addr = hostmaster.cluster.local
serial = 1555691051
refresh = 7200
retry = 1800
expire = 86400
minimum = 30
Name: 10-233-92-48.wordpress-mysql.default.svc.cluster.local
Address: 10.233.92.48
Name: kubernetes.default.svc.cluster.local
Address: 10.233.0.1
Name: liveness-http.default.svc.cluster.local
Address: 10.233.28.202
Name: kubernetes-dashboard.kube-system.svc.cluster.local
Address: 10.233.50.205
Name: coredns.kube-system.svc.cluster.local
Address: 10.233.0.3
Name: wordpress-mysql.default.svc.cluster.local
Address: 10.233.92.48
Name: wordpress.default.svc.cluster.local
Address: 10.233.40.236
Name: coredns.kube-system.svc.cluster.local
Address: 10.233.0.3
Name: coredns.kube-system.svc.cluster.local
Address: 10.233.0.3
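The nslookup dump above is raw material for the "map what components a reasonably-permissioned attacker may have access to" step in the setup list. The script below is an added example, not code from this issue or from kops/kubespray: it parses nslookup output in exactly the shape posted (SRV `service =` lines and `Name:`/`Address:` pairs) into a per-namespace service inventory and lists which services a pod in a given namespace can resolve outside that namespace. The `SAMPLE` string is constructed from lines of the output above so the script runs offline; the function names (`parse_nslookup`, `cross_namespace_targets`) and the record layout are my own assumptions about how to structure the data.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the nslookup output posted in the thread,
# including the resolver header, so the parser can be run without a cluster.
# Feed it real nslookup output to map an actual cluster.
SAMPLE = """\
;; Truncated, retrying in TCP mode.
Server:     10.233.0.3
Address:    10.233.0.3#53

cluster.local
origin = ns.dns.cluster.local
wordpress.default.svc.cluster.local service = 0 100 80 wordpress.default.svc.cluster.local.
_http._tcp.wordpress.default.svc.cluster.local service = 0 100 80 wordpress.default.svc.cluster.local.
kubernetes-dashboard.kube-system.svc.cluster.local service = 0 100 443 kubernetes-dashboard.kube-system.svc.cluster.local.
kubernetes.default.svc.cluster.local service = 0 100 443 kubernetes.default.svc.cluster.local.
_https._tcp.kubernetes.default.svc.cluster.local service = 0 100 443 kubernetes.default.svc.cluster.local.
_dns._udp.coredns.kube-system.svc.cluster.local service = 0 100 53 coredns.kube-system.svc.cluster.local.
_dns-tcp._tcp.coredns.kube-system.svc.cluster.local service = 0 100 53 coredns.kube-system.svc.cluster.local.
_metrics._tcp.coredns.kube-system.svc.cluster.local service = 0 100 9153 coredns.kube-system.svc.cluster.local.
Name:   10-233-92-48.wordpress-mysql.default.svc.cluster.local
Address: 10.233.92.48
Name:   kubernetes.default.svc.cluster.local
Address: 10.233.0.1
Name:   kubernetes-dashboard.kube-system.svc.cluster.local
Address: 10.233.50.205
Name:   coredns.kube-system.svc.cluster.local
Address: 10.233.0.3
Name:   wordpress-mysql.default.svc.cluster.local
Address: 10.233.92.48
Name:   wordpress.default.svc.cluster.local
Address: 10.233.40.236
"""

# nslookup SRV line: "<owner> service = <prio> <weight> <port> <target>."
SRV_RE = re.compile(r"^(?P<owner>\S+)\s+service = (?P<prio>\d+) (?P<weight>\d+) (?P<port>\d+) (?P<target>\S+)$")
NAME_RE = re.compile(r"^Name:\s+(?P<name>\S+)$")
ADDR_RE = re.compile(r"^Address:\s+(?P<addr>\S+)$")
# [<pod-label>.]<service>.<namespace>.svc.cluster.local ; the pod label is the
# dashed-IP form CoreDNS uses for headless-service endpoints (10-233-92-48.…)
SVC_RE = re.compile(r"^(?:(?P<pod>[\w-]+)\.)?(?P<svc>[\w-]+)\.(?P<ns>[\w-]+)\.svc\.cluster\.local$")


def split_fqdn(name):
    """Return (pod_label_or_None, service, namespace) for a *.svc.cluster.local name, else None."""
    m = SVC_RE.match(name.rstrip("."))
    if not m:
        return None
    return m.group("pod"), m.group("svc"), m.group("ns")


def parse_nslookup(text):
    """Build {(namespace, service): {"ports": {port: {names}}, "addresses": set, "endpoints": set}}."""
    inventory = defaultdict(lambda: {"ports": {}, "addresses": set(), "endpoints": set()})
    pending = None  # FQDN from the last "Name:" line, waiting for its "Address:" line
    for raw in text.splitlines():
        line = raw.strip()
        if m := SRV_RE.match(line):
            parsed = split_fqdn(m.group("target"))
            if parsed is None:
                continue
            _, svc, ns = parsed
            port = int(m.group("port"))
            names = inventory[(ns, svc)]["ports"].setdefault(port, set())
            owner = m.group("owner")
            if owner.startswith("_"):  # _name._proto.<svc>.<ns>… carries the port name
                names.add(owner.split(".")[0].lstrip("_"))
            continue
        if m := NAME_RE.match(line):
            pending = m.group("name")
            continue
        if m := ADDR_RE.match(line):
            if pending is None:
                continue  # "Address:" of the resolver itself (after "Server:"), not a record
            parsed = split_fqdn(pending)
            pending = None
            if parsed is None:
                continue
            pod, svc, ns = parsed
            bucket = "endpoints" if pod else "addresses"
            inventory[(ns, svc)][bucket].add(m.group("addr"))
            continue
        pending = None  # SOA fields, blank lines, "Server:" all break a Name/Address pair
    return dict(inventory)


def cross_namespace_targets(inventory, own_namespace):
    """Services a pod in own_namespace can *resolve* outside it: lateral-movement candidates.
    Resolvability is not reachability; only NetworkPolicy (or its absence) decides that."""
    return sorted(
        f"{svc}.{ns}:{port}"
        for (ns, svc), rec in inventory.items()
        if ns != own_namespace
        for port in rec["ports"]
    )


if __name__ == "__main__":
    inv = parse_nslookup(SAMPLE)
    for (ns, svc), rec in sorted(inv.items()):
        ports = ",".join(f"{p}/{'|'.join(sorted(n)) or '?'}" for p, n in sorted(rec["ports"].items()))
        print(f"{svc}.{ns:<12} addr={sorted(rec['addresses'])} "
              f"endpoints={sorted(rec['endpoints'])} ports=[{ports}]")
    print("resolvable from default but outside it:", cross_namespace_targets(inv, "default"))
```

Two things the output makes visible that the raw dump hides: `wordpress-mysql` has a pod record but no SRV record, which is what a headless service looks like from inside a pod, and every `kube-system` service (the dashboard on 443, CoreDNS metrics on 9153) resolves from the `default` namespace. Whether those are actually connectable is a NetworkPolicy question, and whether the attempt shows up anywhere is the logging-gap question from the setup list; DNS alone answers neither.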