Container Security
Container security assessment and exploitation techniques including Docker escape, Kubernetes attacks, and container runtime vulnerabilities for red team operations and penetration testing.
Overview
Containers have revolutionized application deployment but introduced new attack surfaces that require specialized security knowledge. Container escapes represent a significant vulnerability class in modern infrastructure—a single misconfigured container can lead to complete host compromise and lateral movement across entire clusters.
Understanding container security is essential for penetration testers and red teamers operating in cloud-native environments, where containerized workloads often handle sensitive data and business-critical operations.
Container Security is Infrastructure Security
Container boundaries are not security boundaries by default. Many organizations deploy containers with dangerous misconfigurations—privileged mode, exposed Docker sockets, excessive capabilities—that provide direct paths to host compromise.
Container Escape Techniques
Docker Security
- Docker Container Escape - Comprehensive guide to breaking out of Docker containers
Primary Attack Vectors
| Vector | Description | Impact |
|---|---|---|
| Privileged Mode | Container runs with full host capabilities | Direct root access to host |
| Docker Socket | Exposed /var/run/docker.sock | Create privileged containers |
| Capabilities | Excessive Linux capabilities granted | Capability-dependent escalation |
| Volume Mounts | Sensitive host paths mounted | Read/write host filesystem |
| Kernel Exploits | Shared kernel vulnerabilities | Escape via kernel bugs |
Misconfiguration Exploits
Privileged Containers
# Detect privileged mode from inside container
cat /proc/1/status | grep CapEff
# Full capabilities: 0000003fffffffff
# Mount host filesystem
mkdir /mnt/host
mount /dev/sda1 /mnt/host
chroot /mnt/hostExposed Docker Socket
# Check for socket
ls -la /var/run/docker.sock
# Create privileged container from inside container
curl -s --unix-socket /var/run/docker.sock \
-X POST "http://localhost/containers/create" \
-H "Content-Type: application/json" \
-d '{"Image":"ubuntu","Cmd":["/bin/bash"],"Privileged":true}'Dangerous Capabilities
CAP_SYS_ADMIN- Mount filesystems, load kernel modulesCAP_SYS_PTRACE- Debug processes, read memoryCAP_NET_ADMIN- Network manipulation, packet captureCAP_DAC_READ_SEARCH- Bypass file permission checks
Kubernetes Attack Paths
Pod Security Misconfigurations
hostPID: true- Access host process namespacehostNetwork: true- Access host network stackhostPathvolumes - Mount host directories- Service account token abuse
Cluster Compromise
- Compromise vulnerable pod
- Access Kubernetes API via service account
- Enumerate secrets and configmaps
- Pivot to privileged workloads
- Escape to node, compromise cluster
Security Assessment Checklist
Container Configuration
- Check for privileged mode (
--privileged) - Review capabilities granted (
--cap-add) - Analyze volume mounts for sensitive paths
- Inspect network configuration (
--net=host) - Check for exposed Docker socket
- Review security context (seccomp, AppArmor)
Image Security
- Scan for vulnerable packages
- Check base image age and patches
- Review Dockerfile for hardcoded secrets
- Verify image provenance and signatures
Runtime Security
- Check kernel version and patches
- Verify seccomp/AppArmor profiles enabled
- Review resource limits (prevent DoS)
- Audit container runtime version
Kubernetes Security
- Review Pod Security Standards
- Check RBAC permissions
- Audit service account tokens
- Verify network policies
Essential Tools
| Tool | Purpose |
|---|---|
| deepce | Docker enumeration and escape |
| CDK | Container penetration toolkit |
| PEIRATES | Kubernetes penetration testing |
| kube-hunter | Kubernetes security scanning |
| trivy | Container image vulnerability scanning |
Related Resources
- AWS Security Assessment - Cloud container security (ECS/EKS)
- Linux Capabilities - Capability-based privilege escalation
- Linux Privilege Escalation - Post-escape escalation techniques
- Cloud Security - AWS and Azure container services
Last updated on
NTLM Relay Attacks: Modern Lateral Movement Techniques
In-depth exploration of Net-NTLMv2 relay attacks for lateral movement and privilege escalation, including SMB and LDAP relay scenarios with Responder and ntlmrelayx.
Docker Container Escape Techniques
Docker container escape techniques including privileged containers, exposed Docker sockets, kernel exploits, and misconfiguration exploitation methods.