References
2024 - Pass The Salt (PTS) Workshop
KubeHound: Identifying attack paths in Kubernetes clusters at scale with no hustle
The goal of the workshop was to showcase how to use KubeHound to pinpoint security issues in a Kubernetes cluster and get a concrete security posture.
But first, as attackers (or defenders), there's nothing better to understand an attack than to exploit it oneself. So the workshop started with some of the most common attacks (container escape and lateral movement) and let attendees exploit them in our vulnerable cluster.
After an introduction to Kubernetes basics and graph theory, the attendees used KubeHound to ingest data synchronously and asynchronously (dump and rehydrate the data). Then we covered the whole KubeHound DSL and basic Gremlin usage. The goal was to go over the possibilities of the KubeHound DSL, such as:
- List all the ports and IP addresses being exposed outside of the k8s cluster
- Enumerate how attacks are present in the cluster
- List all attack paths from endpoints to nodes
- List all endpoint properties by port with serviceEndpoint and IP addresses that lead to a critical path
- ...
The workshop finished with some "real case" scenarios, from either a red teamer or a blue teamer point of view. The goal was to show how the tool can be used in different scenarios (initial recon, attack path analysis, assumed breach on compromised resources such as containers or credentials, ...).
Everything was done using the following notebook, which is a step-by-step walkthrough of the KubeHound DSL:
- A specific notebook to describe all KubeHound DSL queries and how you can leverage them. This notebook also describes the basic Gremlin needed to handle the KubeHound DSL for specific cases.
2024 - Troopers presentation
Attacking and Defending Kubernetes Cluster with KubeHound, an Attack Graph Model
Recording Slides Dashboard PoC
This presentation explains the genesis behind the tool. A specific focus was made on the new version, KubeHound as a Service or KHaaS, which allows using KubeHound with a distributed model across multiple Kubernetes clusters. We also introduced a new command that allows consultants to use KubeHound asynchronously (dumping now and rehydrating later, in the office for instance).
2 demos were also shown:
- A PoC of a dashboard was created to show how interesting KPIs can be extracted easily from KubeHound.
- A specific notebook to show how to shift from a can of worms to the most critical vulnerability in a Kubernetes Cluster with a few KubeHound requests.
We also showed how the tool was built and the lessons we learned from the process.
2024 - InsomniHack 2024 presentation
Standing on the Shoulders of Giant(Dog)s: A Kubernetes Attack Graph Model
Recording Slides Dashboard PoC
This presentation explains why the tool was created and what problem it tries to solve. 2 demos were shown:
- A PoC of a dashboard was created to show how interesting KPIs can be extracted easily from KubeHound.
- A specific notebook to show how to shift from a can of worms to the most critical vulnerability in a Kubernetes Cluster with a few KubeHound requests.
It also showed how the tool was built and the lessons we learned from the process.
2023 - Release v1.0 announcement
KubeHound: Identifying attack paths in Kubernetes clusters
Blog article published on securitylabs as a 101 tutorial on how to use the tool in different use cases:
- Red team: Looking for low-hanging fruit
- Blue team: Assessing the impact of a compromised container
- Blue team: Remediation
- Blue team: Metrics and KPIs
It also briefly explains how the tool works (what is under the hood).