Attacking and Auditing Docker Containers & Kubernetes Clusters

Trainer Names: Abhisek Datta
Title: Attacking and Auditing Docker Containers & Kubernetes Clusters
Duration: 4 Days
Dates: 13^th - 16^th August 2020 IST
Time: 10.00 AM to 2.00 PM
Type: Online Training on Zoom platform

Introduction

This 16 hours, delivered over a period of 4 days, attacker focused hands-on training will set the students to the path of using common attack techniques against containarized workloads running as Docker containers in a Kubernetes cluster.

It will help students to learn the approach and methodology for testing and auditing a Kubernetes clusters. By end of the training, participants will be able to identify and exploit containarized workloads running inside Kubernetes clusters.

Training Overview

An organization using microservices or any other distributed architecture rely heavily on containers and container orchestration engines like Kubernetes and as such its infrastructure security is paramount to its business operations.

This course will set the base for security testers and DevOps teams to test for common security vulnerabilities and configuration weaknesses across containerised environments and distributed systems. It also helps to understand approach and process to audit the Kubernetes environment for security posture.

The focus is on the security aspects of application and the container infrastructure

• The participants will learn common tools and techniques that are used to attack applications running in containerized environments
• The participants will be introduced to Docker, Kubernetes and learn to assess the attack surfaces applicable for a given application on the cluster
• The participants will learn how to audit for security based on best practices using tools and custom scripts

As part of the course delivery, the trainers will share examples of real world security issues found in penetration testing engagements to showcase mapping of the concepts with what usually happens in the real world.

Course Outline

Module-1: Attacker's Introduction to Docker and Kubernetes

• Introduction to Docker Containers
  • Using Docker containers, networks, volumes, port mapping
  • Using Docker Compose for multi-container workloads
  • Docker registry
  • Container isolation - Namespace and Control Groups
• Introduction to Kubernetes
  • Overview of container orchestration platform
  • Kubernetes resources - Pod, Deployment, Service, ConfigMap, Secret, Volume
  • Using Kubernetes Manifests and Helm charts
  • kubectl for Pentration Testers
• Container Runtime & Orchestrator Threat Model

Learning Outcome

• Hands-on knowledge of Docker and Kubernetes
• Understanding of Docker and Kubernetes attack surface

Module-2: Attacking Docker Runtime

• Docker escapes
  • Insecure volume mount
  • Privileged containers
  • Secrets hunting
• Exploiting insecure Docker registry
• Auditing Docker containers
  • CIS Benchmark for Docker
  • Dockerfile security scanning
  • Vulnerability scanning for Docker containers

Learning Outcome

• Hands-on attack on Docker runtime
• Auditing Dockerfile and containers in build stage
• Understanding of real-world attacks against Docker containers

Module-3: Attacking Kubernetes Clusters

• Recon & discovery on Kubernetes cluster
• Attack scenarios
  • Exploiting cluster meta-data using SSRF vulnerability
  • Testing for the sensitive configurations and secrets in Kubernetes cluster
  • Docker escape using Pod Volume Mounts to access the nodes and host system
  • Discovering and attacking applications across namespaces
  • Attacking Helm tiller without RBAC setup

Learning Outcome

• Hands-on attacking Kubernetes cluster workloads
• Understanding of real-world attacks against Kubernetes clusters

Module-4: Advanced Attacks and Persistence

• Namespace breakout using hostPath volume mount
• Attacker in a Pod
  • SSRF on Kubernetes Control Plane
  • Attacks against Kubelet
  • Attacks on CNI Plugin
• Persistence on Kubernetes - How to retain access
• Capture the Flag (Online CTF)

Learning Outcome

• Understand latest attacks against Docker containers and Kubernetes clusters
• Practice skills acquired during the training in a online CTF

Student Hardware Requirement

• Laptop with 8GB+ RAM
• Laptop should support hardware-based virtualization
  • If your laptop can run a 64-bit virtual machine in Oracle VirtualBox it should work
  • Other virtualization software might work but we will not be able to provide support for that
• Network Connectivity or USB Ports for copying data

Prerequisites:

• Basic knowledge of using the Linux command line
• System administration basics like servers, applications configuration and deployment
• Familiarity with container environments like Docker would be useful

Who should attend

• Penetration Testers, Security Engineers and Bug bounty hunters
• System administrators, DevOps and SecOps Teams
• Anyone interested in the container infrastructure security

What to expect

• Hands-on training with a practical approach and real-world scenarios
• Lab manual with full documentation of scenarios in PDF format

What not to expect

• Basic concepts already mentioned in the prerequisites
• To become an accomplished DevOps or container security practitioner immediate after the training

About Trainer

Abhisek Datta is an accomplished security professional with over a decade of experience in information security solution engineering, services, vulnerability research, reverse engineering and security tools development.

Experienced in security solution development using cloud-native and Kubernetes native technologies. Developed and released KubeSecO, an open-source solution for OSINT and AppSec workflow automation using Docker containers running in a Kubernetes cluster.

A participant of NULL – India’s largest open security community as a core team member responsible for technology development.

As a security researcher, he is credited with multiple vulnerability discovery across enterprise products with CVEs to his name such as CVE- 2015-0085, CVE-2015-1650, CVE-2015-1682, CVE-2015-2376, CVE-2015- 2555, CVE-2014-4117, CVE- 2014-6113.

• Open source code: https://github.com/abhisek
• Twitter: https://twitter.com/abh1sek