Kube-dnsspoof is a POC for DNS spoofing in kubernetes clusters. This exploit runs with minimum capabilities, on default installations of kuberentes. This repository contains all files and related code for running this exploit.
The following video demonstrates how onw can use this to intercept traffic for specifc domains in a cluster: Further read on this subject can be done on this blog post
A Kubernetes cluster
Run the exploit
First, create the pods by:
$ kubectl create -f pods/ pod/hacker created pod/victim created
After the pod was created, exec into the hacker pod. it will contain the exploit and hosts file inside the /dnsspoof folder.
$ kubectl exec -it hacker zsh ➜ hacker /dnsspoof ls exploit.py hosts ➜ hacker /dnsspoof
Next, edit the hosts file to contain your spoofed domains. The script will proxy all DNS requests to the real kube-dns pod, except for the entries in the hosts file.
Example for successful run of the exploit:
➜ hacker /dnsspoof ./exploit.py [*] starting attack on indirect mode Bridge: 172.17.0.1 c0:0f:fe:eb:4b:e0 Kube-dns: 172.17.0.4 02:42:bb:76:74:f8 [+] Taking over DNS requests from kube-dns. press Ctrl+C to stop
When proxying alot of requests, the code can hang. to control this, you can pass a timeout via
The steps of the exploit:
- Deciding whether it can run
- Discovering relevant mac/ip addresses
- ARP spoofing the bridge (and kube-dns in case of direct attack mode)
- DNS proxy requests, and spoofing relevant entries
- Restoring all network on CTRL+C interrupt