PentestTools
Penetration Testing Tools. Cyber Security and Technology News.
System Administration

CDK – Zero Dependency Container Penetration Toolkit

May 1, 2021
Mazen Elzanaty

CDK is an open-source container penetration toolkit, designed to offer stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs that help you escape the container and take over the K8s cluster.

It is currently still under development; submit issues or mail [email protected] if you need any help.

Installation

Download the latest release from: https://github.com/cdk-team/CDK/releases/

Drop the executable files into the target container and start testing.

Usage

Usage:
  cdk evaluate [--full]
  cdk run (--list | <exploit> [<args>...])
  cdk auto-escape <cmd>
  cdk <tool> [<args>...]

Evaluate:
  cdk evaluate                                Gather information to find weakness inside container.
  cdk evaluate --full                         Enable file scan during information gathering.

Exploit:
  cdk run --list                              List all available exploits.
  cdk run <exploit> [<args>...]               Run single exploit, docs in https://github.com/cdk-team/CDK/wiki

Auto Escape:
  cdk auto-escape <cmd>                       Escape container in different ways then let target execute <cmd>.

Tool:
  vi <file>                                   Edit files in container like "vi" command.
  ps                                          Show process information like "ps -ef" command.
  nc [options]                                Create TCP tunnel.
  ifconfig                                    Show network information.
  kcurl <path> (get|post) <uri> <data>        Make request to K8s api-server.
  ucurl (get|post) <socket> <uri> <data>      Make request to docker unix socket.
  probe <ip> <port> <parallel> <timeout-ms>   TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000

Options:
  -h --help                                   Show this help msg.
  -v --version                                Show version.

Features

CDK has three modules:

  1. Evaluate: gather information inside the container to find potential weaknesses.
  2. Exploit: container escaping, persistence and lateral movement.
  3. Tool: network tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

Evaluate Module

Usage

cdk evaluate [--full]

This command runs the scripts below without local file scanning; use --full to enable all of them.

Tactics                Script                        Supported
---------------------  ----------------------------  ---------
Information Gathering  OS Basic Info                 ✔
Information Gathering  Available Capabilities        ✔
Information Gathering  Available Linux Commands      ✔
Information Gathering  Mounts                        ✔
Information Gathering  Net Namespace                 ✔
Information Gathering  Sensitive ENV                 ✔
Information Gathering  Sensitive Process             ✔
Information Gathering  Sensitive Local Files         ✔
Discovery              K8s Api-server Info           ✔
Discovery              K8s Service-account Info      ✔
Discovery              Cloud Provider Metadata API   ✔

Usage and examples for each script are in the project wiki (https://github.com/cdk-team/CDK/wiki).
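Two of the evaluate checks above, the capability set and host-exposing mounts, are the same things a defender should verify in their own images before deployment. The following added example (not CDK's code) reads them from /proc the way an audit script would; the status and mount samples in it are constructed, and the capability bit numbers follow linux/capability.h.

```python
"""Container posture self-check (added example, not CDK's own code): decodes the
CapEff mask in /proc/<pid>/status and flags host-exposing mounts, as CDK's evaluate module does."""
import re

# Capability bit numbers from linux/capability.h (the subset worth naming here).
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
             7: "CAP_SETUID", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW",
             16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 19: "CAP_SYS_PTRACE",
             21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD"}
# Capabilities that the escape techniques in the exploit table depend on.
RISKY_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
              "CAP_DAC_READ_SEARCH", "CAP_SYS_RAWIO", "CAP_NET_ADMIN"}
# Docker bind-mounts these from the host disk in every container: not a finding.
EXPECTED_BIND = {"/etc/hosts", "/etc/hostname", "/etc/resolv.conf"}

def decode_capeff(status_text):
    """Return the effective capability names encoded in a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    if not m: raise ValueError("no CapEff line in status text")
    mask = int(m.group(1), 16)
    return {CAP_NAMES.get(b, f"CAP_{b}") for b in range(mask.bit_length()) if mask >> b & 1}

def risky_caps(status_text):
    return sorted(decode_capeff(status_text) & RISKY_CAPS)

def suspicious_mounts(mounts_text):
    """Flag /proc/mounts lines that give the container a path to the host."""
    findings = []
    for line in mounts_text.splitlines():
        dev, mnt, fstype, opts = line.split()[:4]
        if mnt.endswith("docker.sock"):
            findings.append(f"{mnt}: Docker socket mounted (DIND attack surface)")
        elif fstype in ("cgroup", "cgroup2") and "rw" in opts.split(","):
            findings.append(f"{mnt}: writable cgroup filesystem")
        elif re.match(r"/dev/(sd|vd|xvd|nvme)", dev) and mnt not in EXPECTED_BIND:
            findings.append(f"{mnt}: host block device {dev} mounted")
    return findings

# Constructed samples: a default Docker container versus a --privileged one.
DEFAULT_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\nSeccomp:\t2\n"
PRIV_STATUS = "Name:\tsh\nCapEff:\t000001ffffffffff\nSeccomp:\t0\n"
DEFAULT_MOUNTS = ("cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,memory 0 0\n"
                  "/dev/sda1 /etc/hosts ext4 rw,relatime 0 0\n")
PRIV_MOUNTS = ("cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,memory 0 0\n"
               "/dev/sda1 /host ext4 rw,relatime 0 0\n"
               "tmpfs /var/run/docker.sock tmpfs rw,nosuid,nodev 0 0\n")
if __name__ == "__main__":  # inside a real container, read the live files
    with open("/proc/self/status") as s, open("/proc/mounts") as f:
        print(risky_caps(s.read()), suspicious_mounts(f.read()))
```

A default Docker container yields no findings from either check; a privileged one reports every risky capability plus the writable cgroup, host disk and Docker socket mounts.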

Exploit Module

List all available exploits:

cdk run --list

Run targeted exploit:

cdk run <script-name> [options]

Tactic             Technique                          CDK Exploit Name         Supported
-----------------  ---------------------------------  -----------------------  ---------
Escaping           docker-runc CVE-2019-5736          runc-pwn                 ✔
Escaping           docker-cp CVE-2019-14271
Escaping           containerd-shim CVE-2020-15257     shim-pwn                 ✔
Escaping           dirtycow CVE-2016-5159
Escaping           docker.sock PoC (DIND attack)      docker-sock-check        ✔
Escaping           docker.sock Backdoor Image Deploy  docker-sock-deploy       ✔
Escaping           Device Mount Escaping              mount-disk               ✔
Escaping           Cgroups Escaping                   mount-cgroup             ✔
Escaping           Procfs Escaping                    mount-procfs             ✔
Escaping           Ptrace Escaping PoC                check-ptrace             ✔
Discovery          K8s Component Probe                service-probe            ✔
Discovery          Dump Istio Sidecar Meta            istio-check              ✔
Lateral Movement   K8s Service Account Control
Lateral Movement   Attack K8s api-server
Lateral Movement   Attack K8s Kubelet
Lateral Movement   Attack K8s Dashboard
Lateral Movement   Attack K8s Helm
Lateral Movement   Attack K8s Etcd
Lateral Movement   Attack Private Docker Registry
Remote Control     Reverse Shell                      reverse-shell            ✔
Credential Access  Access Key Scanning                ak-leakage               ✔
Credential Access  Dump K8s Secrets                   k8s-secret-dump          ✔
Credential Access  Dump K8s Config                    k8s-configmap-dump       ✔
Persistence        Deploy WebShell
Persistence        Deploy Backdoor Pod                k8s-backdoor-daemonset   ✔
Persistence        Deploy Shadow K8s api-server       k8s-shadow-apiserver     ✔
Persistence        K8s MITM Attack (CVE-2020-8554)    k8s-mitm-clusterip       ✔
Persistence        Deploy K8s CronJob
Defense Evasion    Disable K8s Audit

Rows without an exploit name are planned techniques that are not yet implemented. Documentation for the supported exploits is in the project wiki (https://github.com/cdk-team/CDK/wiki).

Tool Module

These commands behave much like their Linux counterparts, with small differences in the input arguments; see the usage link for each.

cdk nc [options]
cdk ps

Command   Description                     Supported
--------  ------------------------------  ---------
nc        TCP Tunnel                      ✔
ps        Process Information             ✔
ifconfig  Network Information             ✔
vi        Edit Files                      ✔
kcurl     Request to K8s api-server       ✔
dcurl     Request to Docker HTTP API
ucurl     Request to Docker Unix Socket   ✔
rcurl     Request to Docker Registry API
probe     IP/Port Scanning                ✔

Usage and examples for each supported tool are in the project wiki (https://github.com/cdk-team/CDK/wiki).

Developer Docs

  • Run the tests inside a container.

TODO

  1. Echo loader for delivering CDK into the target container via Web RCE.
  2. EDR defense evasion.
  3. Compile optimization.
  4. Dev docs.
Download CDK

Copyright © 2020. PentestTools