• Bangalore 2019
  • Training
  • Attacking and Auditing Docker Containers and Kubernetes Clusters

Attacking and Auditing Docker Containers and Kubernetes Clusters

Madhu Akula, Appsecco

Register Now

Trainer Name: Madhu Akula, Appsecco
Title: Attacking and Auditing Docker Containers and Kubernetes Clusters
Duration: 3 Days
Dates: 20th - 22th June 2019


This 3 day attack-focused, hands-on training will set you on the path to using common attack techniquesagainst docker, kubernetes, containerized infrastructure. It will help you to learn the approach to follow andthe process for testing and auditing containers and Kubernetes clusters. By the end of the trainingparticipants will able to identify and exploit applications running on containers inside Kubernetes clusters witha hands-on approach.

An organization using micro services or any other distributed architecture rely heavily on containers andcontainer orchestration engines like Kubernetes and as such its infrastructure security is paramount to itsbusiness operations. This course will set the base for security testers and DevOps teams to test for commonsecurity vulnerabilities and configuration weaknesses across containerized environments and distributedsystems. It also helps to understand approach and process to audit the Kubernetes environment for securityposture.

  • The focus is on the security aspects of application and the container infrastructure
  • The participants will learn the common tools and techniques that are used to attack applicationsrunning in containerized environments
  • The participants will be introduced to Docker, Kubernetes and learn to assess the attack surfacesapplicable for a given application on the cluster
  • The participants will learn how to audit for security based on best practices using tools and custom scripts

As part of the course delivery, the trainers will share examples of real world security issues found inpenetration testing engagements to showcase mapping of the concepts with what usually happens in the real world.

Course outline

Student training setup

  • Docker Quick Start
    • Getting started with Docker
    • Docker run
    • Dockerfile
    • Docker Management
  • Docker Advanced Concepts
    • Docker-compose
    • Docker volumes and networks
    • Docker swarm
    • Portainer
  • Namespaces
  • Capabilities
  • Control Groups
  • Scenarios
    • Exploiting docker misconfiguration
    • Attacking Docker Images and Containers
    • Auditing Docker Images and Containers
    • Attacking Private Registry
    • Attacking Docker Volumes and Networks
    • Auditing Docker Volumes and Networks
    • Attacking Container Capabilities
    • Exploiting docker swarm cluster secrets
  • Docker Integrity Checks
  • Container introspection tool - amicontained
  • Auditing docker container runtime
  • Auditing docker container registries
  • LSM - Apparmor Nginx Profile
  • Docker Bench Security Audit
  • Container Logging and Monitoring
    • Docker Logging
    • Docker Events
  • Kubernetes Cluster environments setup
  • Kubernetes 101
    • Getting started with Kubernetes
    • Introduction to Kubernetes
    • Overview & Technical Terms
    • kubectl usage for pentesters
  • Deploying simple application in Kubernetes cluster
    • Using YAML manifest
    • Using helm chart
  • Scenarios
    • Exploiting Private Registry via Misconfiguration
    • Attacking Kubernetes Cluster Metadata using SSRF vulnerability
    • Testing for the sensitive configurations and secrets in Kubernetes cluster
    • Docker escape using Pod Volume Mounts to access the nodes and host system
    • Attacking applications in different namespaces in Kubernetes cluster
    • Attacking Helm tiller without RBAC setup
  • Auditing Kubernetes
    • kube-bench
    • kubesec.io
    • kube-hunter
    • kubeaudit
  • Logging and Monitoring for Security Events
    • Logging and Monitoring
    • Security checks for events using Sysdig Falco (DEMO Only)
  • Advanced Scenario
    • Exploiting Kubernetes API Server Vulnerability CVE-2018-1002105 (DEMO Only)
  • Popular Attacks around Docker and Kubernetes eco system
  • Resources and References

What to bring?

  • At least 8 GB of RAM, 10GB of Diskspace free on the system
  • Laptop should support hardware-based virtualization
    • If your laptop can run a 64-bit virtual machine in Oracle VirtualBox it should work
    • Other virtualization software might work but we will not be able to provide support for that
  • Network Connectivity or USB Ports for copying data
  • Trainer will provide the VM and dedicated Kubernetes cluster configuration for each student with administrative access to have a hand-on experience during the training


  • Basic knowledge of using the Linux command line
  • System administration basics like servers, applications configuration and deployment
  • Familiarity with container environments like Docker would be useful

Who Should Attend?

  • Penetration Testers, Security Engineers and Bug bounty hunters
  • System administrators, DevOps and SecOps Teams
  • Anyone interested in the container infrastructure security

What to expect?

  • Complete hands-on training with a practical approach and real-world scenarios
  • Ebooks of the training covering all hands-on in a step by step guide (HTML, PDF, EPub, Mobi)
  • Git repository of all the custom source code, scripts, playbooks used during the training
  • Resources and references for further learning and practice

What not to expect?

  • A lot of hand holding about basic concepts already mentioned in the things you should be familiar with
  • A lot of theory. This is meant to be a completely hands-on training!!
  • To become an accomplished DevOps or containers expert

About Trainer

Madhu Akula is a security ninja, published author and Security Automation Engineer at Appsecco. He is passionate about Cloud Native, DevOps and security and is an active member of the international Securityand DevOps communities.

Madhu frequently speaks and runs technical sessions at security events and conferences around the world including; DEF CON (24 & 26), Blackhat USA 2018, USENIX LISA 2018, Appsec EU 2018, All Day DevOps(2016, 2017 & 2018), DevSecCon (London, Singapore and Boston: 2016, 2017 & 2018), DevOpsDays India, c0c0n (2017 & 2018), SACON 2019, Serverless Summit, null and multiple others.

His research has identified vulnerabilities in over 200 companies and organisations including; Google, Microsoft, LinkedIn, eBay, AT&T, WordPress and Adobe, etc. He is co-author of Security Automation with Ansible2(ISBN-13: 978-1788394512), which is listed as a technical resource by Red Hat Ansible.


Copyright © 2019-20 | Nullcon India | International Security Conference | All Rights Reserved