The SACON 2020 event focused on hacking and securing Kubernetes and Docker, featuring hands-on demonstrations by Apoorv Raj Saxena, a red team researcher. The agenda included discussions on Docker and Kubernetes insecurities, high-risk attacks, and mitigation methods to raise awareness among organizations. Key findings revealed vulnerabilities affecting over 200 organizations, including major financial services and technology companies.

1. SACON
SACON International
2020
India | Bangalore | February 21 - 22 | Taj
Yeshwantpur
Hacking and Securing Kubernetes and docker in cloud
Hands-on demo - get all low hanging fruits
Apoorv Raj Saxena
Fire Compass
Red Team Researcher
https://twitter.com/
secxena

2. SACON 2020
Previously:
SDE - Airstacks
Head of Engineering - VItt.ai
Recently:
Red Team Researcher - Fire Compass
Cloud Infrastructure Penetration Testing
Research on Containerized system
Past Year:
Bug Bounty Hunting
CTFs
https://twitter.com/secxena
About secxena

3. SACON 2020
● Introduction
● Docker + Kubernetes inSecurity
● Exploitation
● Demos
● Mitigations
Agenda

4. SACON 2020
! Raise awareness of high-risk
attacks possible in default installs
! Demonstrate the attacks “live”
! Provide hardening methods
! Share additional hardening tips
Goal

5. SACON 2020
Docker Image: The basic of a Docker container. Represents a full
application.
Docker Container: The standard unit in which the application service
resides and executes
Docker Engine: Creates, ships and runs Docker containers deployable on a
physical or virtual, host locally, in a data center or cloud service provider
Registry Service: Cloud or server based storage and distribution service for
your images
Terminology

6. SACON 2020
• Docker Engine
• Port 2375
• Port 2376
• Unauthenticated Access
• Docker Registry
• Default Image Creds
• Unauthenticated API endpoint
Low hanging fruits

7. SACON 2020
1. POD
2. NODE
3. CLUSTER
4. CONTROL PLANE
5. KUBERNETES API
6. MASTER
7. kube-apiserver
Terminology

8. SACON 2020
Low Hanging Fruits - High Rewards
Unauthenticated API
server
Kubeletexploit
Kernel level exploit
Network Isolation
Pod Security
Policy

9. SACON 2020
Access the Kubernetes API Without Credentials?
$ curl -s http://
10.5.5.5:8080

10. SACON 2020
Unauthenticated Kubelet API ? Directly
Demo ?
$ curl -sk https://
10.5.6.7:10250/runningpods/

11. SACON 2020
1. Auth
2. Both way TLS
3. No-defaults
4. CIS Audit Framework
5. Internal - external audits
Mitigation

12. SACON 2020
1. More than 200 Vulnerable organizations
2. 20+ Financial Services
3. NASA, EASA, ORACLE, Microsoft, Zoomcar etc
4. Bank third party vendor 95 Banks affected.
Research results

13. SACON 2020
Questions ?