Red-Kube is a collection of kubectl commands written to evaluate the security posture of Kubernetes clusters from the attacker’s perspective.
The commands are either passive for data collection and information disclosure or active for performing real actions that affect the cluster.
The commands are mapped to MITRE ATT&CK Tactics to help get a sense of where we have most of our gaps and prioritize our findings.
The current version is wrapped with a python orchestration module to run several commands in one run based on different scenarios or tactics.
Please use with care as some commands are active and actively deploy new containers or change the role-based access control configuration.
Prerequisites
python3 requirements
pip3 install -r requirements.txt
kubectl (Ubuntu / Debian)
sudo apt-get update
sudo apt-get install -y apt-transport-https ca-certificates curl
sudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
echo “deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main” | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update
sudo apt-get install -y kubectl
kubectl (Red Hat based)
cat < /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF
yum install -y kubectl
jq
sudo apt-get update -y
sudo apt-get install -y jq
Usage
usage: python3 main.py [-h] [–mode active/passive/all] [–tactic TACTIC_NAME] [–show_tactics] [–cleanup]
required arguments:
–mode run kubectl commands which are active / passive / all modes
–tactic choose tactic
other arguments:
-h –help show this help message and exit
–show_tactics show all tactics
Commands by MITRE ATT&CK Tactics
| Tactic | Count |
|---|---|
| Reconnaissance | 2 |
| Initial Access | 0 |
| Execution | 0 |
| Persistence | 2 |
| Privilege Escalation | 4 |
| Defense Evasion | 1 |
| Credential Access | 8 |
| Discovery | 15 |
| Lateral Movement | 0 |
| Collection | 1 |
| Command and Control | 2 |
| Exfiltration | 1 |
| Impact | 0 |
garak checks if an LLM can be made to fail in a way we don't…
Vermilion is a simple and lightweight CLI tool designed for rapid collection, and optional exfiltration…
ADCFFS is a PowerShell script that can be used to exploit the AD CS container…
Tartufo will, by default, scan the entire history of a git repository for any text…
Loco is strongly inspired by Rails. If you know Rails and Rust, you'll feel at…
A data hoarder’s dream come true: bundle any web page into a single HTML file.…