Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Breaking & Pwning Docker Containers & Kubernetes Clusters - All Day DevOps 2019

Madhu Akula
November 07, 2019
Technology
6
2.1k

Breaking & Pwning Docker Containers & Kubernetes Clusters - All Day DevOps 2019

An organization using micro services or any other distributed architecture rely heavily on containers and orchestration engines like Kubernetes and as such its infrastructure security is paramount to its business operations. This talk will focus on how attackers can break into docker container and kubernetes clusters to gain access, escalate privileges to infrastructure by using misconfigurations and application security vulnerabilities. Speaker will share examples of real world security issues found in penetration testing engagements to showcase mapping of the attack usually happens in the real world.

By the end of the talk participants will able to identify and exploit vulnerabilities in applications running on containers inside Kubernetes clusters. The key take away for audience will be learning from these scenarios how they can assess their environments and fix them before attackers gain control over their infrastructure.

Madhu Akula

November 07, 2019
Tweet

More Decks by Madhu Akula

See All by Madhu Akula
Interactive Kubernetes Security Learning Playground - Kubernetes Goat @ Black Hat Asia 2023 Arsenal
madhuakula
0
30
Mastering Kubernetes Security with Kubernetes Goat - Cloud-Native Modernization @ TechTarget
madhuakula
0
47
Kubernetes Security Detection Engineering – Mapping Back To MITRE ATT&CK Matrix | HITB 2023 AMS
madhuakula
0
44
Interactive Playground to Learn Kubernetes and Cloud Native Security - KubeCon + CloudNativeCon EU 2023
madhuakula
1
340
Practical Guide to Kubernetes Security for Developers 🚀
madhuakula
0
44
Scaling Kubernetes Security with Kubernetes Goat - All Day DevOps 2022
madhuakula
0
48
Scaling Kubernetes Security with Kubernetes Goat
madhuakula
0
93
Defenders Guide to Kubernetes Security - Dutch Microsoft & Security NL - Summer Security Night (+BBQ)
madhuakula
0
61
Kubernetes Goat - Interactive Kubernetes Security Playground: 2022 Edition
madhuakula
0
46

Other Decks in Technology

See All in Technology
20分で完全に理解するGrafanaダッシュボード
hamadakoji
3
650
一生覚えておきたい「システム開発=コミュニケーション」〜初めての実務案件振り返りLT〜
maimyyym
0
140
ServiceNow Knowledge Learning Rise up
manarobot
0
210
AOAI をきっかけに​ 社内の Azure 管理を見直した話​
recruitengineers
PRO
1
290
IaCジェネレーターとBedrockで詳細設計書を生成してみた
tsukasa_ishimaru
1
230
LLM開発・活用の舞台裏@2024.04.25
yushin_n
1
290
アクセス制御にまつわる改善 / Improving access control
itkq
0
540
DevOpsメトリクスとアウトカムの接続にトライ!開発プロセスを通して計測できるメトリクスの活用方法
ham0215
2
240
DMM.com アルファ室採用案内資料
hsugita
1
150
web-application-security
matsuihidetoshi
0
170
アクセシビリティを考慮したUI/CSSフレームワーク・ライブラリ選定
yajihum
2
1k
JSON攻略法.pdf
miyakemito
8
5k

Featured

See All Featured
A better future with KSS
kneath
231
16k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
7
1k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
2
3.4k
Optimizing for Happiness
mojombo
370
69k
Building an army of robots
kneath
300
41k
What’s in a name? Adding method to the madness
productmarketing
PRO
16
2.6k
Infographics Made Easy
chrislema
238
18k
Teambox: Starting and Learning
jrom
128
8.4k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
2
1.3k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
244
20k
Designing the Hi-DPI Web
ddemaree
276
33k
A Philosophy of Restraint
colly
197
16k

Transcript

  1. NOVEMBER 6, 2019 by Madhu Akula Breaking & Pwning Docker

    Containers & Kubernetes Clusters

  2. About - Madhu Akula • Security Automation Engineer at Appsecco

    • Passionate about (Cloud, Containers and Kubernetes) security • Speaker & Trainer @ BlackHat, DEF CON, USENIX LISA, OWASP Appsec EU, All Day DevOps, DevSecCon, Nullcon, null, etc. • Co-author of Security Automation with Ansible2 book • Discovered vulnerabilities in over 200+ organisations including; Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP and Adobe, etc. • Holds industry certifications like OSCP and CKA • Never Ending Learner!

  3. Next 30 minutes, I will talk about • It’s not

    about what is Docker, Kubernetes, etc. • Why container infrastructure security is important • What are the common tools, techniques and procedures for testing • Highlights of different real world attacks mapping with vulnerabilities • Showcase common mistakes and misconfigurations • Case studies and reference resources • Next steps for learning more and more

  4. Would you like to learn Docker & Kubernetes? • https://docs.docker.com

    • https://kubernetes.io/docs/home • https://training.play-with-docker.com • https://labs.play-with-k8s.com • https://training.play-with-kubernetes.com • https://www.katacoda.com/learn • Many more...

  5. Why Container Infrastructure Security? https://blog.madhuakula.com/some-tips-to-review-docker-hub-hack-of-190k-accounts-addcd602aade

  6. Why Container Infrastructure Security? https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers

  7. Why Container Infrastructure Security? https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers

  8. Why Container Infrastructure Security? https://hackerone.com/reports/341876

  9. Why Container Infrastructure Security? Many other vulnerabilities and real world

    impacts...

  10. amicontained - Container Introspection Tool https://github.com/genuinetools/amicontained It helps to find

    out what container runtime is being used as well as features available like capabilities, profiles applied, etc.

  11. trufflehog - Hardcoded sensitive information • Commiting the sensitive information

    to version control systems • Not including the sensitive files in the build process using .dockerignore file • This is one of the common mistake in modern era

  12. Insecurely configured docker service

  13. Insecure docker socket service

  14. Analysing or Understanding unknown image

  15. dive - Exploring each layer in a docker image https://github.com/wagoodman/dive

  16. Inspecting container volumes

  17. Volume analysis for sensitive information

  18. Inspecting container networking

  19. Always look for env variables • This is one of

    the common places most developers and operations teams store secrets, API keys, etc. • Also it contains other information like different service or cluster related information

  20. docker diff - comparing with base image

  21. container escape - extra capability and host pid

  22. container escape - extra capability and host pid

  23. Kubernetes secrets are not encrypted!

  24. Default service account in a Pod

  25. Default service account in a Pod https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0

  26. SSRF in the kubernetes world like a Cluster Pwn •

    In the Google Cloud (GCP), we have to use Metadata-Flavor: Google to obtain the metadata • Now GKE offers to protect kube-env using metadata concealment proxy and workload identity

  27. SSRF in the kubernetes world like a Cluster Pwn

  28. Command Injection to node access (host)

  29. Command Injection to node access (host)

  30. Command Injection to node access (host)

  31. No default security boundary in k8s namespaces

  32. Default misconfigured Helm Tiller = Cluster Pwn https://engineering.bitnami.com/articles/helm-security.html

  33. Default misconfigured Helm Tiller = Cluster Pwn

  34. Trivy - Vulnerability Scanner for Containers https://github.com/aquasecurity/trivy

  35. dockle - Container Image Linter for Security https://github.com/goodwithtech/dockle

  36. docker-bench-security https://github.com/docker/docker-bench-security • A script that checks for dozens of

    common best-practices around deploying Docker containers in production ◦ Host configuration ◦ Docker daemon configuration and files ◦ Docker container images ◦ Docker runtime ◦ Docker security operations ◦ Docker swarm configuration

  37. kube-bench - CIS Kubernetes Benchmark https://github.com/aquasecurity/kube-bench • Master Node Security

    Configuration ◦ API Server ◦ Scheduler ◦ Controller Manager ◦ Configuration Files ◦ etcd ◦ General Security Primitives ◦ PodSecurityPolicices • Worker Node Security Configuration ◦ Kubelet ◦ Configuration Files

  38. kube-hunter • Kube-hunter hunts for security weaknesses in Kubernetes clusters.

    The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster you don't own!

  39. kubesec.io - Risk analysis for k8s resources https://kubesec.io/

  40. kubeaudit - Audit your kubernetes clusters https://github.com/Shopify/kubeaudit

  41. CVE-2018-1002105 https://www.youtube.com/watch?v=4CTK2aUXTHo

  42. https://www.youtube.com/watch?v=4CTK2aUXTHo CVE-2018-1002105

  43. https://github.com/Frichetten/CVE-2019-5736-PoC • This is a Go implementation of CVE-2019-5736, a

    container escape for Docker. The exploit works by overwriting and executing the host systems runc binary from within the container CVE-2019-5736

  44. https://github.com/eoftedal/writings/blob/master/published/CVE-2019-9901-path-traversal.md CVE-2019-9901 - Istio/Envoy Path traversal

  45. docker logs and events

  46. Kubernetes centralised logs in stack driver

  47. Want to explore more? • contained.af • Docker Security •

    CIS Benchmarks Docker • Understanding and Hardening Linux Containers • Abusing Privileged and Unprivileged Linux Containers • Container Security Notes • Linux Container Security • Docker Runtime Privileges and Capabilities • Apparmor Security Profiles on Docker • Seccomp Security Profiles on Docker • Docker Labs Capabilities • Practical SELinux and Containers • Container Security Notes gist • Containers and Operating systems morning paper gist • Kubernetes Security Info • Kubernetes Webinar series • Kubernetes Network Policies
  48. None

  49. Thank You Madhu Akula @madhuakula https://appsecco.com