I had an idea bouncing in my mind for a while. Then, last week I, decided to put it out on Twitter to hear what people thought about it.
This post is part of the “Kubernetes Primer for Security Professionals” series, and is going to cover multiple deployment options for a Kubernetes lab, ranging from more lightweight (like running Kubernetes locally) to more realistic ones (like deploying a multi-node cluster) suitable for security research.
This post is Part 2 of the “Offensive Infrastructure with Modern Technologies” series, and is going to focus on an automated deployment of the HashiCorp stack (i.e., the HashiStack).
Part 1 explained how to
configure Consul in both single and multi node deployments using
while here I’m going to provide a step-by-step walkthrough that will allow you to automatically deploy the full stack with Ansible.
On the 3rd of December 2018, a critical security vulnerability affecting Kubernetes API server has been announced. Without any surprise, this announcement got a lot of traction (especially on Twitter).
More info on CVE-2018-1002105. Recently disclosed Kubernetes vulnerability allows all users, authenticated and unauthenticated, backdoor administrative access to the API server, including the kubelet...and it can't easily be detected in logs. https://t.co/UfdCrajequ— Ian Coldwater 👻🌿 (@IanColdwater) December 3, 2018
In this post I’ll try to dissect the information currently available.
In the past few weeks I’ve been reading “The Hacker Playbook 3: Red Team Edition” from Peter Kim. As the title clearly states, this version focuses on processes and techniques that can be used during a red teaming engagement. Although I’m not going to provide a review of the book here, I highly recommend it to anyone interested in the field.
While going through the book I found myself building a mindmap to link topics (which not always are presented sequentially) together, so to create a high-level methodology as suggested by Peter. In this post I want to share this mind map: I do realise this is not a complete list of all techniques/tools that can be leveraged in a campaign, but it covers what’s in “The Hacker Playbook 3”. I hope you’ll find it useful!