Pentesting Docker

By: Riddhi Shree

(DevOn)

CONTENTS

  1. Docker & Containers
  2. Application Security
    • Pentesting Steps
  3. Container Security
    • 7 Fundamental Vulnerabilities & Threats
      • Host & Kernel Security
      • Container Breakout
      • Container Image Authenticity
      • Container Resource Abuse
      • Security Vulnerabilities in Static Images
      • Docker Credentials & Secrets
      • Runtime Security Monitoring

History

  • The idea of containers has been around since the early days of Unix, with the 'chroot' command.
  • Linux Containers, the technology on which Docker's software was originally built, were introduced in 2008.
  • Docker was released in 2013.

What is DOCKER?

  • A company 
  • A software containerisation platform

TOPMOST BENEFITS:

  • Separate your applications from infrastructure --> deliver software quickly.
  • Consistency between test and production environments.
  • Small & quick!

Dockerfile

Build images automagically...

  1. Application Security
  2. Container Security

Download NOW!!!

Application Security

PENTESTING STEPS:

  1. Passive Reconnaissance
  2. Active Scanning
  3. Target Enumeration
  4. Vulnerability Identification
  5. Vulnerability Exploitation 
  6. Documentation

Plain Old NMAP

-A: enable OS detection and version detection

METASPLOIT:

Banner Grabbing

Vulnerability Detection

HYDRA:

SSH Brute Forcing

Port 8000 is serving a WordPress blog.

WPScan:

Enumeration

Sensitive Information!!!

User Enumeration

HYDRA:

Form Password Cracking

Containerised Application Compromised Successfully!!!

Docker Container containing a Vulnerable Web Application

How bad is it?!

PHP WEBSHELL

ACTIVATED!!!

Docker CONTAINER SECURITY

7 Fundamental Vulnerabilities & Threats: 

  1. Host & Kernel Security
  2. Container Breakout
  3. Container Image Authenticity
  4. Container Resource Abuse
  5. Security Vulnerabilities in Static Images
  6. Docker Credentials & Secrets
  7. Runtime Security Monitoring

1. Host & Kernel Security

*Containers Run on Host Kernel*

Best Practices

  1. Check configuration best practices for the host and the Docker engine. (Use the "Docker Bench for Security" script.)
  2. Use minimal, container-centric host systems, e.g., CoreOS, Red Hat Atomic, RancherOS, etc.
  3. Enforce Mandatory Access Control at kernel level. (Use Seccomp, AppArmor or SELinux.)

seccomp

  1. Remove actions (syscalls) that are NOT required.
  2. Launch a container using the custom seccomp profile.
  3. Check that the restriction is enforced.

docker container run --rm -it --security-opt seccomp=./default.json alpine sh

2. Container Breakout

DOCKER DAEMON RUNS AS ROOT!

BEST PRACTICES

  1. Drop capabilities (e.g., CAP_SYS_ADMIN).
  2. Create an isolated user namespace.
  3. Keep an eye on dangerous mount points from the host: the Docker socket (/var/run/docker.sock), /proc, /dev, etc. Limit the processes that can access this privileged information (read-only where possible).

By default, the root account of a Docker container can create device files; you may want to restrict this:

Separate User Namespace
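As an added example (not part of the deck), a small Python check over records shaped like `docker inspect` output that flags the breakout conditions listed above: privileged mode, added capabilities such as CAP_SYS_ADMIN, and bind mounts of the Docker socket, /proc or /dev; it also reports a missing memory limit, which is the point of section 4. The two sample records are constructed, not taken from a real host.

```python
import json

# Host paths that hand a container control of the host when bind-mounted in
# (the deck's list: the Docker socket, /proc, /dev).
DANGEROUS_HOST_PATHS = ("/var/run/docker.sock", "/run/docker.sock", "/proc", "/dev")
# Capabilities that are effectively root-on-host when added (CAP_SYS_ADMIN is the deck's example).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}


def _norm_cap(cap):
    # docker accepts both "SYS_ADMIN" and "CAP_SYS_ADMIN"
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _under(src, root):
    return src == root or src.startswith(root.rstrip("/") + "/")


def audit_container(record):
    """Return findings for one record from `docker inspect <container>`.

    Reads only HostConfig.Privileged, HostConfig.CapAdd, HostConfig.Memory and Mounts."""
    findings = []
    host = record.get("HostConfig", {})
    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices exposed")
    for cap in host.get("CapAdd") or []:
        if _norm_cap(cap) in DANGEROUS_CAPS:
            findings.append(f"cap-add {cap}: breakout-capable capability added")
    for m in record.get("Mounts", []):
        src = m.get("Source", "")
        if m.get("Type") == "bind" and any(_under(src, p) for p in DANGEROUS_HOST_PATHS):
            # A ':ro' bind stops writes to files, not connecting to a socket,
            # so docker.sock is reported whatever the mode.
            mode = "rw" if m.get("RW", True) else "ro"
            findings.append(f"bind {src} -> {m.get('Destination')} ({mode}): host exposed")
    if host.get("Memory", 0) == 0:
        findings.append("no memory limit: host memory can be exhausted")
    return findings


# Constructed sample records shaped like `docker inspect` output (not real hosts).
RISKY = json.loads("""{
  "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"], "Memory": 0},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock", "RW": true}]}""")
HARDENED = json.loads("""{
  "HostConfig": {"Privileged": false, "CapAdd": [], "CapDrop": ["ALL"], "Memory": 2147483648},
  "Mounts": [{"Type": "volume", "Source": "appdata", "Destination": "/data", "RW": true}]}""")
```

Run it against `docker inspect <container>` output by loading the JSON array and passing each element to `audit_container`.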

3. Container Image Authenticity

Docker Pull = Running Arbitrary Software

BEST PRACTICES

  1. Do NOT run unverified software from sources you don’t explicitly trust.
  2. Enforce mandatory signature verification for images that are going to be pulled (or run) on your systems.

Sign your Images

4. Container Resource Abuse

By default, limits on resources are disabled.

BEST PRACTICES

  1. Use the resource-limitation features bundled with the Linux kernel and/or the containerization solution (e.g., cgroups).
  2. Replicate production loads on pre-production.
  3. Implement Docker monitoring and alerting.

This will limit the container to 2GB main memory, 3GB total (main + swap).

5. Security Vulnerabilities in Static Images

Update & Rebuild. REPEAT!!!

BEST PRACTICES

  1. Grab the newest security patches.
  2. Keep it simple. Split your containers if they get too complex.
  3. Use a vulnerability scanner.

CoreOS Quay - Image scanning

6. Docker Credentials & Secrets

Say no to --> Environment variables

BEST PRACTICES

  1. Do not use environment variables for secrets!
  2. Do not embed any secrets in the container image!
  3. Deploy Docker credentials management S/W if deployments get complex enough.

Use Docker Swarm's "secrets" feature

7. Runtime Security Monitoring

*On the lookout for compromised images.*

BEST PRACTICES

  1. Use runtime security as an extra layer (and NOT as a replacement for static countermeasures).
  2. Maintain logs from your services & host.

"Docker Security Scanning"

References

  1. https://sysdig.com/blog/7-docker-security-vulnerabilities/
  2. https://www.notsosecure.com/vulnerable-docker-vm/
  3. https://docs.docker.com/docker-cloud/builds/image-scan/
  4. https://blog.appsecco.com/the-story-of-a-shell-f0026561bb25

Thank You!
"If you have root on the container, then you have root on the whole box."