From an attackers perspective it's very interesting to know where is it possible to find access and refresh tokens when for example the PC of a victim is compromised:
214
+
215
+
- Inside **`<HOME>/.Azure`**
216
+
-**`azureProfile.json`** contains info about logged in users from the past
217
+
-**`clouds.config contains`** info about subscriptions
218
+
-**`service_principal_entries.json`** contains applications credentials (tenant id, clients and secret). Only in Linux & macOS
219
+
-**`msal_token_cache.json`** contains contains access tokens and refresh tokens. Only in Linux & macOS
220
+
-**`service_principal_entries.bin`** and msal_token_cache.bin are used in Windows and are encrypted with DPAPI
221
+
-**`msal_http_cache.bin`** is a cache of HTTP request
222
+
- Load it: `with open("msal_http_cache.bin", 'rb') as f: pickle.load(f)`
223
+
-**`AzureRmContext.json`** contains information about previous logins using Az PowerShell (but no credentials)
224
+
- Inside **`C:\Users\<username>\AppData\Local\Microsoft\IdentityCache\*`** are several `.bin` files with **access tokens**, ID tokens and account information encrypted with the users DPAPI.
225
+
- It’s possible to find more **access tokens** in the `.tbres` files inside **`C:\Users\<username>\AppData\Local\Microsoft\TokenBroken\Cache\`** which contain a base64 encrypted with DPAPI with access tokens.
226
+
- In Linux and macOS you can get **access tokens, refresh tokens and id tokens** from Az PowerShell (if used) running `pwsh -Command "Save-AzContext -Path /tmp/az-context.json"`
227
+
- In Windows this just generates id tokens.
228
+
- Possible to see if Az PowerShell was used in Linux and macSO checking is `$HOME/.local/share/.IdentityService/` exists (although the contained files are empty and useless)
229
+
- If the user is **logged inside Azure with the browser**, according to this [**post**](https://www.infosecnoodle.com/p/obtaining-microsoft-entra-refresh?r=357m16&utm_campaign=post&utm_medium=web) it's possible to start the authentication flow with a **redirect to localhost**, make the browser automatically authorize the login, and receive the resh token. Note that there are only a few FOCI applications that allow redicet to localhost (like az cli or the powershell module), so these applications must be allowed.
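Review bot: several typos in the added Azure token-location list need fixing before merge: "contains contains" in the `msal_token_cache.json` bullet, "macSO" and "checking is" (should be "checking if") in the Az PowerShell bullet, and "resh token" / "redicet" (refresh token / redirect) in the browser-login bullet; "TokenBroken" in the `.tbres` path also looks like a typo for `TokenBroker`, the actual folder name under `AppData\Local\Microsoft`. Formatting is inconsistent too: the bold span in `**\`clouds.config contains\`**` swallows the word "contains", and `msal_token_cache.bin` is left unformatted while its sibling `service_principal_entries.bin` is in bold code. On the `msal_http_cache.bin` bullet, the suggested `pickle.load(f)` deserializes an arbitrary file taken from the host; add a one-line caveat that unpickling untrusted data executes code. Finally, "attackers perspective" should read "attacker's perspective".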
[**Popeye**](https://github.com/derailed/popeye) is a utility that scans live Kubernetes cluster and **reports potential issues with deployed resources and configurations**. It sanitizes your cluster based on what's deployed and not what's sitting on disk. By scanning your cluster, it detects misconfigurations and helps you to ensure that best practices are in place, thus preventing future headaches. It aims at reducing the cognitive \_over_load one faces when operating a Kubernetes cluster in the wild. Furthermore, if your cluster employs a metric-server, it reports potential resources over/under allocations and attempts to warn you should your cluster run out of capacity.
The tool [**kube-bench**](https://github.com/aquasecurity/kube-bench) is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the [**CIS Kubernetes Benchmark**](https://www.cisecurity.org/benchmark/kubernetes/).\
[**Popeye**](https://github.com/derailed/popeye) is a utility that scans live Kubernetes cluster and **reports potential issues with deployed resources and configurations**. It sanitizes your cluster based on what's deployed and not what's sitting on disk. By scanning your cluster, it detects misconfigurations and helps you to ensure that best practices are in place, thus preventing future headaches. It aims at reducing the cognitive \_over_load one faces when operating a Kubernetes cluster in the wild. Furthermore, if your cluster employs a metric-server, it reports potential resources over/under allocations and attempts to warn you should your cluster run out of capacity.
103
-
104
104
### [**KICS**](https://github.com/Checkmarx/kics)
105
105
106
106
[**KICS**](https://github.com/Checkmarx/kics) finds **security vulnerabilities**, compliance issues, and infrastructure misconfigurations in the following **Infrastructure as Code solutions**: Terraform, Kubernetes, Docker, AWS CloudFormation, Ansible, Helm, Microsoft ARM, and OpenAPI 3.0 specifications
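Review bot: the Popeye paragraph appears twice in this region, once before and once after the kube-bench line; keep a single copy. While at it, "scans live Kubernetes cluster" should be "clusters", the escaped `\_over_load` renders oddly in the built page (plain "overload" is fine), and the trailing `\` on the kube-bench line is a hard line break that is only needed if the next paragraph is meant to follow without a blank line. The KICS sentence is missing its terminating period.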
@@ -208,6 +208,13 @@ You should update your Kubernetes environment as frequently as necessary to have
208
208
- cloud controller manager, if you use one.
209
209
- Upgrade the Worker Node components such as kube-proxy, kubelet.
210
210
211
+
## Kubernetes monitoring & security:
212
+
213
+
- Kyverno Policy Engine
214
+
- Cilium Tetragon - eBPF-based Security Observability and Runtime Enforcement
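Review bot: the new `## Kubernetes monitoring & security:` heading carries a trailing colon that no other heading in this file uses, and the two bullets (`Kyverno Policy Engine`, `Cilium Tetragon`) have no links and, for Kyverno, no description of what the tool adds. The other tool entries in this file (kube-bench, KICS, Popeye) link to the project and summarise it in a sentence, so match that: link each project and state its role (admission-time policy enforcement for Kyverno; eBPF-based runtime observability and enforcement for Tetragon, as the bullet already says).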
src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md
Lines changed: 3 additions & 0 deletions
@@ -2,6 +2,7 @@
2
2
3
3
**The original author of this page is**[**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
4
4
5
+
5
6
## Abusing policies misconfiguration
6
7
7
8
### Enumerate rules
@@ -59,5 +60,7 @@ Another way to bypass policies is to focus on the ValidatingWebhookConfiguration
59
60
../kubernetes-validatingwebhookconfiguration.md
60
61
{{#endref}}
61
62
63
+
## More info
62
64
65
+
For more info check [https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-22/securing-kubernetes-clusters-using-kyverno-policy-engine/welcome/](https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-22/securing-kubernetes-clusters-using-kyverno-policy-engine/welcome/)
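Review bot: the new `## More info` entry uses the raw URL as its own link text; a descriptive label such as "Kubernetes Goat scenario 22: securing Kubernetes clusters using the Kyverno policy engine" reads better in the rendered page and states what the reader will find there. The preceding `{{#endref}}` block is now followed by a blank line and the heading, which matches the spacing used before `## Abusing policies misconfiguration` in the earlier hunk, so that part is consistent.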