Container Security
Container security including Docker escape techniques, containerization fundamentals, and hardening best practices for penetration testing and security assessments.
Overview
Containers have revolutionized application deployment, but they also introduce unique security challenges. Understanding container security is essential for modern penetration testing, especially in cloud-native and DevOps environments. This section covers container fundamentals, escape techniques, and hardening strategies.
Container Fundamentals
- Containerization Fundamentals - Core concepts of containers, namespaces, cgroups, and isolation mechanisms
Container Escape Techniques
- Docker Container Escape - Breaking out of Docker containers to compromise the host system
Container Hardening
- Container Hardening - Security best practices for container deployment and orchestration
Attack Methodology
Phase 1: Container Enumeration
- Identify container runtime (Docker, Podman, containerd)
- Check container capabilities and security context
- Review mounted volumes and host paths
- Enumerate container networking
- Check for privileged containers
- Review Docker socket access
Phase 2: Vulnerability Discovery
- Identify misconfigured security settings
- Check for privileged mode or dangerous capabilities
- Look for mounted Docker socket
- Review exposed secrets and environment variables
- Check kernel version for container escape exploits
- Analyze container image for vulnerabilities
Phase 3: Exploitation
- Leverage privileged containers for escape
- Abuse mounted Docker socket
- Exploit dangerous capabilities (CAP_SYS_ADMIN, CAP_SYS_PTRACE)
- Break namespace isolation
- Use kernel exploits if applicable
Phase 4: Post-Escape
- Enumerate host system
- Escalate privileges on host
- Access other containers
- Pivot to orchestration layer (Kubernetes)
- Establish persistence
Common Container Misconfigurations
Dangerous Capabilities
CAP_SYS_ADMIN- Allows mount operations and namespace manipulationCAP_SYS_PTRACE- Process debugging and injectionCAP_SYS_MODULE- Load kernel modulesCAP_DAC_READ_SEARCH- Bypass file permission checks
Dangerous Mounts
/var/run/docker.sock- Docker socket access enables container creation/proc- Host process information/- Full host filesystem access/dev- Device access for low-level operations
Insecure Configurations
- Running containers in privileged mode (
--privileged) - Using
--pid=host(share host PID namespace) - Using
--network=host(share host network) - Running as root user inside container
- Exposing sensitive ports and services
Container Security Tools
| Tool | Primary Use |
|---|---|
| Docker | Container runtime and management |
| kubectl | Kubernetes cluster interaction |
| crictl | Container runtime interface CLI |
| amicontained | Container environment enumeration |
| CDK | Container penetration toolkit |
Kubernetes Considerations
When attacking Kubernetes environments:
- Enumerate service accounts and RBAC permissions
- Check for token mounted in
/var/run/secrets/kubernetes.io/serviceaccount/ - Review pod security policies and admission controllers
- Test for unauthorized API access
- Look for privilege escalation through pods
- Check for exposed Kubernetes dashboard
Related Resources
- Linux Security - Linux privilege escalation applies to container hosts
- Cloud Security - Cloud-native container services (ECS, AKS, GKE)
- Network Protocol Attacks - Container networking attacks
Last updated on
Azure AD (Entra ID) Attacks
Microsoft Entra ID (Azure AD) attacks including enumeration, privilege escalation, token abuse, and hybrid identity exploitation.
Docker Container Escape Techniques
Docker container escape techniques including privileged containers, exposed Docker sockets, kernel exploits, and misconfiguration exploitation methods.