
CDK - Zero Dependency Container Penetration Toolkit

Description

CDK is an open-source container penetration toolkit, designed to offer stable [exploitation](<https://www.kitploit.com/search/label/Exploitation> "exploitation" ) in different slimmed [containers](<https://www.kitploit.com/search/label/Containers> "containers" ) without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs that help you escape the container and take over the K8s cluster. It is still under development; submit [issues](<https://github.com/cdk-team/CDK/issues> "issues" ) or mail some-email@example.com if you need any help.

**Installation**

Download the latest release from <https://github.com/cdk-team/CDK/releases/>, drop the executable file into the target container and start testing.

**Usage**

```text
Usage:
  cdk evaluate [--full]
  cdk run (--list | <exploit> [<args>...])
  cdk auto-escape <cmd>
  cdk <tool> [<args>...]

Evaluate:
  cdk evaluate                                 Gather information to find weakness inside container.
  cdk evaluate --full                          Enable file scan during information gathering.

Exploit:
  cdk run --list                               List all available exploits.
  cdk run <exploit> [<args>...]                Run single exploit, docs in https://github.com/cdk-team/CDK/wiki

Auto Escape:
  cdk auto-escape <cmd>                        Escape container in different ways then let target execute <cmd>.

Tool:
  vi <file>                                    Edit files in container like "vi" command.
  ps                                           Show process information like "ps -ef" command.
  nc [options]                                 Create TCP tunnel.
  ifconfig                                     Show network information.
  kcurl <path> (get|post) <uri> <data>         Make request to K8s api-server.
  ucurl (get|post) <socket> <uri> <data>       Make request to docker unix socket.
  probe <ip> <port> <parallel> <timeout-ms>    TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000

Options:
  -h --help     Show this help msg.
  -v --version  Show version.
```
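The "Available Capabilities" part of `cdk evaluate` comes down to reading the `CapEff` mask from `/proc/self/status` and checking it against the capabilities that give an escape a foothold. The following is an added example written for this page in Go (the language CDK itself is written in); it is not CDK's code. The watch-list of escape-relevant capabilities with its one-line reasons and the embedded `/proc` status sample (Docker's default set, `00000000a80425fb`) are this example's own assumptions; on Linux the program inspects its own process instead of the sample.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// capNames lists Linux capabilities by bit index, as in
// include/uapi/linux/capability.h (kernel 5.9 and later define all 41).
var capNames = []string{
	"chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
	"setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
	"net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
	"sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
	"sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
	"sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
	"setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
	"block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
}

// watchList is this example's own set of escape-relevant capabilities
// (an assumption for illustration, not CDK's list), with why each matters.
var watchList = map[string]string{
	"sys_admin":       "mount(2) and cgroup tricks: the classic escape primitive",
	"sys_ptrace":      "attach to host processes if the pid namespace is shared",
	"sys_module":      "load a kernel module into the host kernel",
	"dac_read_search": "open_by_handle_at(2) can read arbitrary host files",
	"sys_rawio":       "raw access to block devices and /dev/mem",
	"net_admin":       "reconfigure interfaces, sniff traffic in the namespace",
}

// ParseCapEff pulls the hex CapEff mask out of the text of /proc/<pid>/status.
func ParseCapEff(status string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		if strings.HasPrefix(sc.Text(), "CapEff:") {
			return strings.TrimSpace(strings.TrimPrefix(sc.Text(), "CapEff:")), nil
		}
	}
	return "", fmt.Errorf("no CapEff line in status text")
}

// DecodeCapEff turns the hex mask into capability names, lowest bit first.
func DecodeCapEff(hexMask string) ([]string, error) {
	mask, err := strconv.ParseUint(strings.TrimSpace(hexMask), 16, 64)
	if err != nil {
		return nil, fmt.Errorf("bad CapEff %q: %w", hexMask, err)
	}
	var caps []string
	for bit, name := range capNames {
		if (mask>>uint(bit))&1 == 1 {
			caps = append(caps, "cap_"+name)
		}
	}
	return caps, nil
}

// Flag returns the capabilities that are on the watch-list, each with its reason.
func Flag(caps []string) map[string]string {
	found := map[string]string{}
	for _, c := range caps {
		if why, ok := watchList[strings.TrimPrefix(c, "cap_")]; ok {
			found[c] = why
		}
	}
	return found
}

func main() {
	// Constructed sample (not captured from a real host): Docker's default
	// capability set. On Linux the running process is inspected instead.
	status := "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
	if b, err := os.ReadFile("/proc/self/status"); err == nil {
		status = string(b)
	}
	hexMask, err := ParseCapEff(status)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	caps, err := DecodeCapEff(hexMask)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("CapEff %s: %d capabilities\n  %s\n", hexMask, len(caps), strings.Join(caps, " "))
	flagged := Flag(caps)
	keys := make([]string, 0, len(flagged))
	for k := range flagged {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("FLAG %-20s %s\n", k, flagged[k])
	}
}
```

With the default Docker set nothing is flagged; a `--privileged` container (`CapEff` of `0000003fffffffff` on older kernels) flags all six. The mask is a snapshot of the effective set only, so a capability that is dropped but still in the bounding set is not reported, which is the same limitation any status-file check has.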
**Features**

CDK has three modules:

1. Evaluate: gather information inside the container to find potential weaknesses.
2. Exploit: container escaping, persistence and lateral movement.
3. Tool: network tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

**Evaluate Module**

Usage:

```text
cdk evaluate [--full]
```

This command runs the scripts below without local file scanning; use `--full` to enable all of them.

Tactics | Script | Supported | Usage/Example
---|---|---|---
Information Gathering | OS Basic Info | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Evaluate:-System-Info> "link" )
Information Gathering | Available Capabilities | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Evaluate:-Commands-and-Capabilities> "link" )
Information Gathering | Available Linux Commands | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Evaluate:-Commands-and-Capabilities> "link" )
Information Gathering | Mounts | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Evaluate:-Mounts> "link" )
Information Gathering | Net Namespace | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Evaluate:-Net-Namespace> "link" )
Information Gathering | Sensitive ENV | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Evaluate:-Services> "link" )
Information Gathering | Sensitive Process | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Evaluate:-Services> "link" )
Information Gathering | Sensitive Local Files | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Evaluate:-Sensitive-Files> "link" )
Discovery | K8s Api-server Info | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Evaluate:-K8s-API-Server> "link" )
Discovery | K8s Service-account Info | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Evaluate:-K8s-Service-Account> "link" )
Discovery | Cloud Provider [Metadata](<https://www.kitploit.com/search/label/Metadata> "Metadata" ) API | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Evaluate:-Cloud-Provider-Metadata-API> "link" )

**Exploit Module**

List all available exploits:

```text
cdk run --list
```

Run a targeted exploit:

```text
cdk run <script-name> [options]
```

Tactic | Technique | CDK Exploit Name | Supported | Doc
---|---|---|---|---
Escaping | docker-runc CVE-2019-5736 | runc-pwn | ✔ |
Escaping | docker-cp CVE-2019-14271 | | |
Escaping | containerd-shim CVE-2020-15257 | shim-pwn | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Exploit:-shim-pwn> "link" )
Escaping | dirtycow CVE-2016-5195 | | |
Escaping | docker.sock PoC (DIND attack) | docker-sock-check | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Exploit:-docker-sock-check> "link" )
Escaping | docker.sock [Backdoor](<https://www.kitploit.com/search/label/Backdoor> "Backdoor" ) Image Deploy | docker-sock-deploy | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Exploit:-docker-sock-deploy> "link" )
Escaping | Device Mount Escaping | mount-disk | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Exploit:-mount-disk> "link" )
Escaping | Cgroups Escaping | mount-cgroup | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Exploit:-mount-cgroup> "link" )
Escaping | Procfs Escaping | mount-procfs | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Exploit:-mount-procfs> "link" )
Escaping | Ptrace Escaping PoC | check-ptrace | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Exploit:-check-ptrace> "link" )
Discovery | K8s Component Probe | service-probe | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Exploit:-service-probe> "link" )
Discovery | Dump Istio Sidecar Meta | istio-check | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Exploit:-check-istio> "link" )
Lateral Movement | K8s Service Account Control | | |
Lateral Movement | Attack K8s api-server | | |
Lateral Movement | Attack K8s Kubelet | | |
Lateral Movement | Attack K8s Dashboard | | |
Lateral Movement | Attack K8s Helm | | |
Lateral Movement | Attack K8s Etcd | | |
Lateral Movement | Attack Private Docker Registry | | |
Remote Control | Reverse Shell | reverse-shell | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Exploit:-reverse-shell> "link" )
Credential Access | Access Key Scanning | ak-leakage | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Exploit:-ak-leakage> "link" )
Credential Access | Dump K8s Secrets | k8s-secret-dump | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-secret-dump> "link" )
Credential Access | Dump K8s Config | k8s-configmap-dump | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-configmap-dump> "link" )
Persistence | Deploy WebShell | | |
Persistence | Deploy Backdoor Pod | k8s-backdoor-daemonset | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-backdoor-daemonset> "link" )
Persistence | Deploy Shadow K8s api-server | k8s-shadow-apiserver | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-shadow-apiserver> "link" )
Persistence | K8s MITM Attack (CVE-2020-8554) | k8s-mitm-clusterip | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Evaluate:-k8s-mitm-clusterip> "link" )
Persistence | Deploy K8s CronJob | | |
Defense Evasion | Disable K8s Audit | | |

Rows without an exploit name are planned but not yet implemented. Note that the deploy, backdoor, shadow api-server and MITM exploits create objects in the target cluster, unlike the `*-check` and `*-dump` ones, which only read.

**Tool Module**

These commands run like their Linux counterparts, with small differences in input arguments; see the usage link for each.

```text
cdk nc [options]
cdk ps
```

Command | Description | Supported | Usage/Example
---|---|---|---
nc | TCP Tunnel | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Tool:-nc> "link" )
ps | Process Information | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Tool:-ps> "link" )
ifconfig | Network Information | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Tool:-ifconfig> "link" )
vi | Edit Files | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Tool:-vi> "link" )
kcurl | Request to K8s api-server | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Tool:-kcurl> "link" )
dcurl | Request to Docker HTTP API | |
ucurl | Request to Docker Unix Socket | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Tool:-ucurl> "link" )
rcurl | Request to Docker Registry API | |
probe | IP/Port Scanning | ✔ | [link](<https://github.com/cdk-team/CDK/wiki/Tool:-probe> "link" )

**Developer Docs**

* [run test in container.](<https://github.com/cdk-team/CDK/wiki/Run-Test> "run test in container." )

**TODO**

1. Echo loader for delivering CDK into target container via Web RCE.
2. EDR defense evasion.
3. Compile optimization.
4. Dev docs

**[Download CDK](<https://github.com/cdk-team/CDK> "Download CDK" )**
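Both `ucurl` and the `docker-sock-check` exploit rest on one mechanism: speaking plain HTTP to the Docker daemon over a mounted unix socket, which a slimmed container cannot do because it ships no `curl`. The following is an added example written for this page in Go, not CDK's own implementation of either command. It assumes the daemon answers `GET /version` (a real Docker Engine API endpoint) and, when run stand-alone, that the socket is at `/var/run/docker.sock` unless another path is given as the first argument; the function names and the `http://docker` placeholder host are this example's own.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
	"strings"
	"time"
)

// SocketClient returns an http.Client whose every connection is dialed to the
// given unix socket, so an ordinary URL such as http://docker/version reaches
// the daemon. The Transport is built from scratch so no proxy settings apply.
func SocketClient(socketPath string, timeout time.Duration) *http.Client {
	return &http.Client{
		Timeout: timeout,
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
				var d net.Dialer
				return d.DialContext(ctx, "unix", socketPath)
			},
		},
	}
}

// SocketRequest mirrors the "ucurl (get|post) <socket> <uri> <data>" shape:
// a GET when data is empty, otherwise a POST with a JSON body. It returns the
// HTTP status code and the response body.
func SocketRequest(socketPath, method, uri, data string) (int, string, error) {
	var body io.Reader
	if data != "" {
		body = strings.NewReader(data)
	}
	req, err := http.NewRequest(strings.ToUpper(method), "http://docker"+uri, body)
	if err != nil {
		return 0, "", err
	}
	if data != "" {
		req.Header.Set("Content-Type", "application/json")
	}
	resp, err := SocketClient(socketPath, 5*time.Second).Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(b), err
}

// CheckDockerSocket is the docker-sock-check idea in its simplest form: a socket
// file that answers GET /version with 200 means the host's daemon is reachable
// from inside the container, which is equivalent to root on the host.
func CheckDockerSocket(socketPath string) (bool, string) {
	if _, err := os.Stat(socketPath); err != nil {
		return false, "socket not present: " + err.Error()
	}
	code, body, err := SocketRequest(socketPath, "get", "/version", "")
	if err != nil {
		return false, "socket present but not answering HTTP: " + err.Error()
	}
	return code == 200, body
}

func main() {
	path := "/var/run/docker.sock" // assumed default mount path
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	ok, detail := CheckDockerSocket(path)
	fmt.Printf("docker daemon reachable via %s: %v\n%s\n", path, ok, detail)
}
```

A present but non-responsive socket is reported separately from a missing one: the file can be mounted read-only or left over from an image build, and only a successful HTTP exchange proves the daemon is on the other end.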
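The `probe` tool takes targets in the form shown in the usage text, `10.0.1.0-255 80,8080-9443 50 1000`: a range on the last octet, comma-separated ports and port ranges, a concurrency limit and a per-connection timeout in milliseconds. The following is an added example written for this page in Go, not CDK's `probe` code; it parses that target syntax and runs a bounded-concurrency TCP connect scan. The exact parsing rules (last-octet ranges only, ports 1 to 65535) are this example's assumptions about the format, not documented CDK behaviour.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"sort"
	"strconv"
	"strings"
	"sync"
	"time"
)

// parseRange accepts "N" or "N-M" and bounds-checks against [min, max].
func parseRange(s string, min, max int) (int, int, error) {
	lo, hi := s, s
	if i := strings.IndexByte(s, '-'); i >= 0 {
		lo, hi = s[:i], s[i+1:]
	}
	a, err1 := strconv.Atoi(lo)
	b, err2 := strconv.Atoi(hi)
	if err1 != nil || err2 != nil || a < min || b > max || a > b {
		return 0, 0, fmt.Errorf("bad range %q", s)
	}
	return a, b, nil
}

// ExpandHosts expands "10.0.1.5" or "10.0.1.0-255" (range on the last octet).
func ExpandHosts(spec string) ([]string, error) {
	parts := strings.Split(spec, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("bad ip spec %q", spec)
	}
	lo, hi, err := parseRange(parts[3], 0, 255)
	if err != nil {
		return nil, err
	}
	prefix := strings.Join(parts[:3], ".")
	hosts := make([]string, 0, hi-lo+1)
	for i := lo; i <= hi; i++ {
		hosts = append(hosts, fmt.Sprintf("%s.%d", prefix, i))
	}
	return hosts, nil
}

// ExpandPorts expands "80,8080-9443" into a sorted, de-duplicated port list.
func ExpandPorts(spec string) ([]int, error) {
	seen := map[int]bool{}
	var ports []int
	for _, item := range strings.Split(spec, ",") {
		lo, hi, err := parseRange(strings.TrimSpace(item), 1, 65535)
		if err != nil {
			return nil, err
		}
		for p := lo; p <= hi; p++ {
			if !seen[p] {
				seen[p] = true
				ports = append(ports, p)
			}
		}
	}
	sort.Ints(ports)
	return ports, nil
}

// Probe attempts a TCP connect to every host:port with at most `parallel`
// connections in flight and the given per-connection timeout, and returns the
// sorted list of targets that completed the handshake.
func Probe(hosts []string, ports []int, parallel int, timeout time.Duration) []string {
	if parallel < 1 {
		parallel = 1
	}
	sem := make(chan struct{}, parallel) // bounds concurrency
	var mu sync.Mutex
	var wg sync.WaitGroup
	var open []string
	for _, h := range hosts {
		for _, p := range ports {
			wg.Add(1)
			sem <- struct{}{}
			go func(addr string) {
				defer wg.Done()
				defer func() { <-sem }()
				c, err := net.DialTimeout("tcp", addr, timeout)
				if err == nil {
					c.Close()
					mu.Lock()
					open = append(open, addr)
					mu.Unlock()
				}
			}(net.JoinHostPort(h, strconv.Itoa(p)))
		}
	}
	wg.Wait()
	sort.Strings(open)
	return open
}

func main() {
	// Same argument shape as `cdk probe <ip> <port> <parallel> <timeout-ms>`.
	if len(os.Args) != 5 {
		fmt.Fprintln(os.Stderr, "usage: probe <ip[-last-octet-range]> <ports> <parallel> <timeout-ms>")
		os.Exit(2)
	}
	hosts, err := ExpandHosts(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	ports, err := ExpandPorts(os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	parallel, _ := strconv.Atoi(os.Args[3])
	timeoutMs, _ := strconv.Atoi(os.Args[4])
	for _, addr := range Probe(hosts, ports, parallel, time.Duration(timeoutMs)*time.Millisecond) {
		fmt.Println("open", addr)
	}
}
```

A full connect (rather than a raw SYN) needs no capability, which is why a scanner of this kind works from an unprivileged container, at the cost of leaving complete connections in the target's logs; the timeout keeps filtered hosts from stalling the scan, and the semaphore keeps the number of open sockets under the container's file-descriptor limit.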

