Pentesting Docker
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4516837/how.gif)
By: Riddhi Shree
(DevOn)
CONTENTS
- Docker & Containers
- Application Security
- Pentesting Steps
- Container Security
- 7 Fundamental Vulnerabilities & Threats
  - Host & Kernel Security
  - Container Breakout
  - Container Image Authenticity
  - Container Resource Abuse
  - Security Vulnerabilities in Static Images
  - Docker Credentials & Secrets
  - Runtime Security Monitoring
History
- The idea of containers has been around since the early days of Unix, with the 'chroot' command.
- Linux Containers (LXC), the technology on which Docker's software was originally built, were introduced in 2008.
- Docker was released in 2013.
What is DOCKER?
- A company
- A software containerisation platform
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4518536/Container-software-box-600x600.jpg)
Top Benefits:
- Separate your applications from infrastructure --> deliver software quickly.
- Consistency between test and production environments.
- Small & Quick!
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4517992/Dockerfile.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4518008/Build-Docker-Images-with-DockerFile.png)
Dockerfile
Build images automagically...
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4518614/Dockerfile.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4518478/dockerHub.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4518480/dockerStore.png)
- Application Security
- Container Security
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4521769/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4521626/3.png)
Download NOW!!!
Application Security
PENTESTING STEPS:
- Passive Reconnaissance
- Active Scanning
- Target Enumeration
- Vulnerability Identification
- Vulnerability Exploitation
- Documentation
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4521629/1.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4521645/4.png)
Plain Old NMAP
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4521631/2.png)
-A: aggressive scan; enables OS detection, version detection, default NSE script scanning and traceroute.
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4521686/pasted-from-clipboard.png)
METASPLOIT:
Banner Grabbing
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4521741/ssh_vuln.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4521861/pasted-from-clipboard.png)
Vulnerability Detection
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4522020/hydra.png)
HYDRA:
SSH Brute Forcing
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4521682/p8000.png)
Port 8000 is serving a WordPress blog.
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4522240/wp1.png)
WPScan:
Enumeration
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4522261/wp2.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4522265/wp3_username.png)
Sensitive Information!!!
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4522272/wpvaliduser.png)
User Enumeration
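The user-enumeration step WPScan automates above rests on two WordPress behaviours: `/?author=N` redirects to `/author/<login>/` when the ID exists, and the REST endpoint `/wp-json/wp/v2/users` lists accounts with their login slug; once a login is known, wp-login.php's error text confirms it ("Invalid username" versus "The password you entered for the username ... is incorrect"), which is what makes the Hydra run that follows cheap. The script below is an added example written for this page, not code from the deck or from WPScan; the responses, host name (wp.local:8000), logins and IDs are constructed so it runs offline.

```python
import json
import re
from urllib.parse import urlparse

# Constructed responses standing in for the WordPress instance on port 8000.
# Each entry is (status, headers, body); host, logins and IDs are assumptions.
FAKE_RESPONSES = {
    "/?author=1": (301, {"Location": "http://wp.local:8000/author/bob/"}, ""),
    "/?author=2": (301, {"Location": "http://wp.local:8000/author/alice/"}, ""),
    "/wp-json/wp/v2/users": (
        200,
        {"Content-Type": "application/json; charset=UTF-8"},
        json.dumps([{"id": 1, "name": "Bob", "slug": "bob"},
                    {"id": 2, "name": "Alice", "slug": "alice"}]),
    ),
}


def fake_get(path):
    """Stand-in for an HTTP GET; unknown paths get a 404 like an unused author ID."""
    return FAKE_RESPONSES.get(path, (404, {}, "Not Found"))


AUTHOR_PATH = re.compile(r"^/author/([^/]+)/?$")


def username_from_author_redirect(status, headers):
    """/?author=N redirects to /author/<login>/ when the ID exists."""
    if status not in (301, 302):
        return None
    match = AUTHOR_PATH.match(urlparse(headers.get("Location", "")).path)
    return match.group(1) if match else None


def enumerate_authors(get, max_id=10):
    """Walk author IDs 1..max_id and collect the logins they redirect to."""
    found = {}
    for author_id in range(1, max_id + 1):
        status, headers, _body = get(f"/?author={author_id}")
        login = username_from_author_redirect(status, headers)
        if login:
            found[author_id] = login
    return found


def enumerate_rest_users(get):
    """The REST API lists users with their slug (the login) unless restricted."""
    status, headers, body = get("/wp-json/wp/v2/users")
    if status != 200 or "json" not in headers.get("Content-Type", ""):
        return {}
    try:
        users = json.loads(body)
    except ValueError:
        return {}
    return {u["id"]: u["slug"] for u in users if "id" in u and "slug" in u}


def enumerate_users(get, max_id=10):
    """Union of both techniques, keyed by user ID."""
    users = enumerate_authors(get, max_id)
    users.update(enumerate_rest_users(get))
    return users


def valid_user_from_login_error(body):
    """wp-login.php confirms logins: a real user with a wrong password gets
    'The password you entered for the username ... is incorrect', an unknown
    user gets 'Invalid username'. Returns None if neither message is present."""
    if "Invalid username" in body:
        return False
    if "The password you entered for the username" in body:
        return True
    return None


if __name__ == "__main__":
    for uid, login in sorted(enumerate_users(fake_get).items()):
        print(f"id={uid} login={login}")
```

Against a live target, replace `fake_get` with a real HTTP client that returns the same `(status, headers, body)` triple and does not follow redirects, since the redirect itself is the signal. The defensive reading is the same list in reverse: disable author archives or the redirect, restrict `/wp-json/wp/v2/users` to authenticated users, and make the login error message identical for both cases.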
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4522388/wp_hydra_8000.png)
HYDRA:
Form Password Cracking
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4522418/wpadmin.jpg)
Containerised Application Compromised Successfully!!!
Docker container containing a vulnerable web application
How bad is it?!
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4523676/hello_dolly.png)
PHP WEBSHELL
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4523686/webshell.png)
ACTIVATED!!!
Docker CONTAINER SECURITY
7 Fundamental Vulnerabilities & Threats:
- Host & Kernel Security
- Container Breakout
- Container Image Authenticity
- Container Resource Abuse
- Security Vulnerabilities in Static Images
- Docker Credentials & Secrets
- Runtime Security Monitoring
1. Host & Kernel Security
*Containers share the host kernel: a kernel bug is reachable from every container on the box.*
Best Practices
- Check configuration best practices for the host and the Docker engine. (Use the "Docker Bench for Security" script.)
- Use minimal, container-centric host systems, e.g., CoreOS, Red Hat Atomic, RancherOS, etc.
- Enforce kernel-level mandatory access control (AppArmor or SELinux) and restrict the syscalls a container may make (seccomp).
seccomp
- Remove (deny) the syscalls the workload does NOT require.
- Launch the container with the custom seccomp profile.
- Check that the restriction is enforced (the denied call fails with "Operation not permitted").
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4526915/seccomp2.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4526925/seccomp1.png)
docker container run --rm -it --security-opt seccomp=./default.json alpine sh
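A custom profile is normally produced by taking Docker's default seccomp profile and deleting syscalls from its allow-list; anything not listed then falls through to `defaultAction` and is denied. The script below is an added example, not part of the deck or of Docker: it edits a profile in Docker's JSON format and checks what the result permits. `BASE_PROFILE` is a constructed, heavily reduced stand-in for the real default profile (which allows a few hundred syscalls), `REMOVE_FOR_WEB_APP` is an illustrative list, and the output file name `custom.json` is an assumption.

```python
import copy
import json

# Constructed, reduced stand-in for Docker's default profile
# (moby/profiles/seccomp/default.json). Same shape: every syscall not named
# in an ALLOW rule hits defaultAction, and SCMP_ACT_ERRNO returns EPERM.
BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {
            "names": ["read", "write", "openat", "close", "fstat", "brk",
                      "mmap", "munmap", "execve", "exit_group", "chmod",
                      "mkdir", "mount", "umount2", "unshare", "keyctl"],
            "action": "SCMP_ACT_ALLOW",
            "args": [],
        }
    ],
}

# Illustrative deny list for an application container: filesystem and
# namespace manipulation plus the kernel keyring are rarely needed by a web
# app and give a lot of leverage once inside. The workload's own strace
# output decides the real list.
REMOVE_FOR_WEB_APP = ["mount", "umount2", "unshare", "keyctl"]


def _rule_names(rule):
    """Support the current 'names' list and the older singular 'name' key."""
    if "names" in rule:
        return list(rule["names"])
    return [rule["name"]] if "name" in rule else []


def remove_syscalls(profile, names):
    """Return a copy of profile with the given syscalls removed from every
    ALLOW rule. Rules left empty are dropped, so those calls fall through to
    defaultAction and are denied. The input profile is not modified."""
    drop = set(names)
    new_profile = copy.deepcopy(profile)
    kept = []
    for rule in new_profile["syscalls"]:
        if rule.get("action") != "SCMP_ACT_ALLOW":
            kept.append(rule)
            continue
        remaining = [n for n in _rule_names(rule) if n not in drop]
        if remaining:
            rule.pop("name", None)
            rule["names"] = remaining
            kept.append(rule)
    new_profile["syscalls"] = kept
    return new_profile


def is_allowed(profile, syscall):
    """Any rule naming the syscall decides (argument filters are ignored
    here); otherwise defaultAction applies."""
    for rule in profile["syscalls"]:
        if syscall in _rule_names(rule):
            return rule.get("action") == "SCMP_ACT_ALLOW"
    return profile.get("defaultAction") == "SCMP_ACT_ALLOW"


def write_profile(profile, path):
    with open(path, "w") as fh:
        json.dump(profile, fh, indent=2)


if __name__ == "__main__":
    custom = remove_syscalls(BASE_PROFILE, REMOVE_FOR_WEB_APP)
    # Then: docker container run --rm -it --security-opt seccomp=./custom.json alpine sh
    write_profile(custom, "custom.json")
    for call in ("openat", "mount", "unshare", "ptrace"):
        print(f"{call:8s} allowed={is_allowed(custom, call)}")
```

To confirm enforcement the way the slide suggests, start the container with the written profile and run `mkdir /x && mount -t tmpfs none /x` inside it; with `mount` removed the second command fails with "Operation not permitted", and `strace` on the host shows the call returning EPERM rather than reaching the kernel.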
2. Container Breakout
DOCKER DAEMON RUNS AS ROOT!
BEST PRACTICES
- Drop the capabilities the workload does not need (and never grant CAP_SYS_ADMIN).
- Remap the container's root to an unprivileged host user with a separate user namespace.
- Keep an eye on dangerous mount-points from the host: the Docker socket (/var/run/docker.sock), /proc, /dev, etc. Do not mount them unless unavoidable, and then read-only and only into the few containers that need them.
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4526957/linuxcap.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4526974/dropcap.png)
By default, root inside a Docker container holds CAP_MKNOD and can create device files; drop that capability if the workload does not need it:
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4526986/namespace.png)
Separate user namespace: with user namespace remapping enabled on the daemon, UID 0 inside the container maps to an unprivileged UID on the host, so a breakout lands as that user rather than as root.
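A quick way to test the three points of this section from inside a container you have just landed in (as in the web-shell scenario earlier) is to decode the effective capability mask in /proc/self/status and look for host mounts in /proc/self/mountinfo. The script below is an added example written for this page, not code from the deck. The capability table is the kernel's bit order; the sample status and mountinfo text is constructed (a default Docker capability set plus sys_ptrace and sys_admin, the Docker socket and the host root bind-mounted) and the device names and paths in it are assumptions.

```python
# Linux capability bit positions (include/uapi/linux/capability.h order).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Capabilities that make a breakout easy or that a web app never needs:
# sys_admin covers mount/namespace tricks, sys_ptrace reaches other
# processes, sys_module loads kernel code, mknod creates device nodes.
DANGEROUS_CAPS = {"sys_admin", "sys_ptrace", "sys_module", "sys_rawio",
                  "dac_read_search", "net_admin", "mknod"}


def decode_caps(hex_mask):
    """Turn a CapEff/CapBnd hex mask into capability names, lowest bit first."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def effective_caps(status_text):
    """Pull CapEff out of /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return decode_caps(line.split()[1])
    return []


def parse_mountinfo(text):
    """Return (mount_point, fstype, source, root) tuples from mountinfo.
    Fields before ' - ' are id, parent, maj:min, root, mount point, options,
    optional tags; after it come fstype, source and super options."""
    mounts = []
    for line in text.splitlines():
        if " - " not in line:
            continue
        left, right = line.split(" - ", 1)
        lf, rf = left.split(), right.split()
        if len(lf) < 5 or len(rf) < 2:
            continue
        mounts.append((lf[4], rf[0], rf[1], lf[3]))
    return mounts


def risky_mounts(mounts):
    """Heuristics for the mounts the section warns about."""
    findings = []
    for mount_point, fstype, source, root in mounts:
        if mount_point.endswith("docker.sock") or root.endswith("docker.sock"):
            findings.append((mount_point, "Docker socket: full control of the daemon, hence the host"))
        elif fstype in ("ext4", "xfs", "btrfs") and root == "/":
            findings.append((mount_point, f"host filesystem root bind-mounted ({source})"))
        elif fstype == "proc" and mount_point != "/proc":
            findings.append((mount_point, "host /proc mounted at a non-standard path"))
        elif fstype == "devtmpfs":
            findings.append((mount_point, "host /dev (devtmpfs) exposed"))
    return findings


def audit(status_text, mountinfo_text):
    caps = effective_caps(status_text)
    return {
        "caps": caps,
        "dangerous_caps": sorted(c for c in caps if c in DANGEROUS_CAPS),
        "risky_mounts": risky_mounts(parse_mountinfo(mountinfo_text)),
    }


def audit_self():
    """Run the audit on the current process (Linux only)."""
    with open("/proc/self/status") as st, open("/proc/self/mountinfo") as mi:
        return audit(st.read(), mi.read())


# Constructed sample input (not captured from the deck's VM).
SAMPLE_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a82c25fb\n"
SAMPLE_MOUNTINFO = """\
398 397 0:49 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/X
399 398 0:53 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
400 398 0:54 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
401 398 259:1 /run/docker.sock /var/run/docker.sock rw,relatime - ext4 /dev/nvme0n1p1 rw
402 398 259:1 / /host rw,relatime - ext4 /dev/nvme0n1p1 rw
"""

if __name__ == "__main__":
    report = audit(SAMPLE_STATUS, SAMPLE_MOUNTINFO)
    print("effective caps:", ", ".join(report["caps"]))
    print("dangerous caps:", ", ".join(report["dangerous_caps"]) or "none")
    for mount_point, why in report["risky_mounts"]:
        print(f"risky mount {mount_point}: {why}")
```

The mask `00000000a80425fb` is what an unmodified `docker run` gives root in the container, and it already contains `mknod`, which is the slide's point; `--privileged` or `--cap-add` show up as extra bits, and `--cap-drop ALL` as a mask of zero. The same decoding applies to `CapBnd`, which is the ceiling a process can regain even after dropping privileges.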
3. Container Image AUthenticity
Docker Pull = Running Arbitrary Software
BEST PRACTICES
- Do NOT run unverified software from sources you don’t explicitly trust.
- Enforce mandatory signature verification (Docker Content Trust) for images that are going to be pulled (or run) on your systems.
Sign your Images
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4527009/doctrust.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4527010/doctrust2.png)
4. Container Resource abuse
By default, no resource limits are applied to a container.
BEST PRACTICES
- Use the resource limitation features of the Linux kernel and/or the containerisation solution (cgroups: memory, CPU, PIDs, block I/O).
- Replicate production loads on pre-production
- Implement Docker monitoring and alerting
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4527027/cgroup.png)
This will limit the container to 2 GB of main memory and 3 GB in total (main memory + swap).
5. Security Vulnerabilities in Static Images
Update & Rebuild. REPEAT!!!
BEST PRACTICES
- Grab the newest security patches.
- Keep it simple. Split your containers if they get too complex.
- Use a vulnerability scanner.
CoreOS Quay - Image scanning
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4527036/scanner.png)
6. Docker Credentials & Secrets
Say no to --> Environment variables
BEST PRACTICES
- Do not use environment variables for secrets!
- Do not embed any secrets in the container image!
- Deploy Docker credentials management S/W if deployments get complex enough.
Use Docker Swarm's "secrets" feature: secrets are delivered to the container as files under /run/secrets/<name> on a tmpfs, never as environment variables or image layers.
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4527084/secret.png)
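The contrast this section draws, as an added example written for this page (not the deck's code): an environment-variable secret is inherited by every child process and is readable through `docker inspect` and /proc/<pid>/environ, whereas a Swarm secret is a file the application reads once from /run/secrets/<name>. The loader below reads from a directory passed in so the example can run against a temporary directory; `DB_PASSWORD`, the secret name `db_password` and the values are assumptions.

```python
import os
import subprocess
import sys
import tempfile

# Where Swarm mounts entries given with --secret (a tmpfs inside the task).
# Creating and attaching one (assumed names):
#   printf 's3cr3t' | docker secret create db_password -
#   docker service create --name web --secret db_password my/image
SECRETS_DIR = "/run/secrets"


def secret_from_env(name):
    """Anti-pattern: `-e DB_PASSWORD=...`. The value lands in `docker inspect`,
    /proc/<pid>/environ and the environment of every child process."""
    return os.environ.get(name)


def child_can_read_env(name):
    """Show the leak: a child process (a second interpreter) sees the variable."""
    proc = subprocess.run(
        [sys.executable, "-c", f"import os; print(os.environ.get({name!r}, ''))"],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip() != ""


def secret_from_file(name, secrets_dir=SECRETS_DIR):
    """Hardened loader: read /run/secrets/<name>, refuse names that could
    escape the directory, require a regular file, bound the size and strip
    the trailing newline most tooling adds."""
    if not name or "/" in name or name.startswith("."):
        raise ValueError("secret name must be a plain file name")
    path = os.path.join(secrets_dir, name)
    if not os.path.isfile(path):
        raise FileNotFoundError(f"secret {name!r} is not mounted under {secrets_dir}")
    with open(path, "rb") as fh:
        data = fh.read(4096)
    return data.decode("utf-8").rstrip("\n")


def demo():
    """Constructed run: set a secret the bad way, mount a fake secrets
    directory the good way, and report what each approach exposes."""
    os.environ["DB_PASSWORD"] = "s3cr3t-via-env"
    with tempfile.TemporaryDirectory() as fake_run_secrets:
        secret_path = os.path.join(fake_run_secrets, "db_password")
        with open(secret_path, "w") as fh:
            fh.write("s3cr3t-via-file\n")
        os.chmod(secret_path, 0o400)
        file_secret = secret_from_file("db_password", fake_run_secrets)
        try:
            secret_from_file("../etc/passwd", fake_run_secrets)
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
        try:
            secret_from_file("missing", fake_run_secrets)
            missing_rejected = False
        except FileNotFoundError:
            missing_rejected = True
    return {
        "env_secret": secret_from_env("DB_PASSWORD"),
        "env_visible_to_child": child_can_read_env("DB_PASSWORD"),
        "file_secret": file_secret,
        "traversal_rejected": traversal_rejected,
        "missing_rejected": missing_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Reading the secret into memory once at startup, rather than passing its path or value to subprocesses, keeps the file-based approach from degrading into the environment-variable one; the same loader works unchanged under Kubernetes if the Secret is mounted as a volume at the same path.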
7. Runtime security monitoring
*On the lookout for compromised images.*
BEST PRACTICES
- Use runtime security as an extra layer (and NOT as a replacement for static countermeasures).
- Maintain logs from your services & host.
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816083/images/4527142/pasted-from-clipboard.png)
"Docker Security Scanning"
References
- https://sysdig.com/blog/7-docker-security-vulnerabilities/
- https://www.notsosecure.com/vulnerable-docker-vm/
- https://docs.docker.com/docker-cloud/builds/image-scan/
- https://blog.appsecco.com/the-story-of-a-shell-f0026561bb25
Thank You!
"If you have root on the container, then you have root on the whole box."