An Attacker Looks at Docker: Approaching Multi-Container Applications

Video thumbnail (Frame 0) Video thumbnail (Frame 4314) Video thumbnail (Frame 12147) Video thumbnail (Frame 19980) Video thumbnail (Frame 21359) Video thumbnail (Frame 23979) Video thumbnail (Frame 26701) Video thumbnail (Frame 31598) Video thumbnail (Frame 36972) Video thumbnail (Frame 39077) Video thumbnail (Frame 40023) Video thumbnail (Frame 41699) Video thumbnail (Frame 42547) Video thumbnail (Frame 44209) Video thumbnail (Frame 45027) Video thumbnail (Frame 46632) Video thumbnail (Frame 51007) Video thumbnail (Frame 52921) Video thumbnail (Frame 54521) Video thumbnail (Frame 56027) Video thumbnail (Frame 60220)
Video in TIB AV-Portal: An Attacker Looks at Docker: Approaching Multi-Container Applications

Formal Metadata

An Attacker Looks at Docker: Approaching Multi-Container Applications
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Containerization, such as that provided by Docker, is becoming very popular among developers of large-scale applications. The good news: this is likely to make your life easier as an attacker. While exploitation and manipulation of traditional monolithic applications might require specialized experience and training in the target languages and execution environment, applications made up of services distributed among multiple containers can be effectively explored and exploited "from within" using many of the system- and network-level techniques that attackers, such as penetration testers, already know. The goal of this talk is to provide a hacker experienced in exploitation and post-exploitation of networks and systems with an exposure to containerization and the implications it has on offensive operations. Docker is used as a concrete example for the case study. A hacker can expect to leave this presentation with a practical exposure to multi-container application post-exploitation.
Service (economics) Cybersex Client (computing) Mereology Number Front and back ends Medical imaging Thermodynamisches System Different (Kate Ryan album) Operator (mathematics) Computer programming Energy level Software testing Reverse engineering Information security Multiplication Social class Vulnerability (computing) Covering space Cybersex Personal identification number Operations research Multiplication Block (periodic table) CAE Inc. Computer Non-standard analysis Computer network Bit Cartesian coordinate system Exploit (computer security) Virtual machine Data management Malware Penetrationstest Interface (computing) Video game Software testing Quicksort Information security Abstraction Reverse engineering
Computer program Scripting language Machine code Model theory System administrator Virtualization Client (computing) Neuroinformatik Medical imaging Web service Virtual reality Different (Kate Ryan album) Kernel (computing) Single-precision floating-point format Personal digital assistant Computer engineering Abstraction Information security Error message Exception handling Software developer Structural load Binary code Electronic mailing list Instance (computer science) Category of being Web application Arithmetic mean Thermodynamisches System Buffer solution System programming Acoustic shadow Quicksort Cycle (graph theory) Hacker (term) Spacetime Point (geometry) Proxy server Computer-generated imagery Smith chart Number Goodness of fit Crash (computing) Hacker (term) Term (mathematics) Computer programming Computer hardware Energy level Implementation Computing platform Computer architecture Focus (optics) Scaling (geometry) Surface Code Computer network Cartesian coordinate system Exploit (computer security) Video game Software Personal digital assistant Video game HTTP cookie Library (computing) Building Run time (program lifecycle phase) State of matter Code Euler angles Interior (topology) Multiplication sign Set (mathematics) Stack (abstract data type) Machine code Formal language Virtual memory Bit rate Semiconductor memory File system Cuboid Flag Software framework Diagram Vulnerability (computing) Service (economics) Cycle (graph theory) Physicalism Virtualization Variable (mathematics) Connected space Degree (graph theory) Type theory Moore's law Computer science Self-organization output Right angle Energy level Remote procedure call Information security Resultant Electric current Asynchronous Transfer Mode Classical physics Laptop Implementation Functional (mathematics) Server (computing) Enterprise architecture Service (economics) Software developer Virtual machine Hypercube Field (computer science) Twitter Wave packet 2 (number) Thermodynamisches System Read-only memory Natural number Operator (mathematics) Spacetime Software testing Default (computer science) Vulnerability (computing) Multiplication Debugger Kernel (computing) Pointer (computer programming) Computer hardware Computing platform Communications protocol Abstraction
Complex (psychology) Scripting language Code Direction (geometry) Formal language Front and back ends Web 2.0 Different (Kate Ryan album) Object model Logic Diagram Software framework Abstraction Control system Scripting language Email Computer-generated imagery Software developer Digital signal Formal language Web application Thermodynamisches System Software framework Website Right angle Quicksort Hacker (term) Surface Mobile app Computer-generated imagery Web browser Binary file Template (C++) Latent heat Hacker (term) Computer programming Energy level Software testing Communications protocol Dimensional analysis Code Database Directory service Binary file Cartesian coordinate system Software Web-Designer Computing platform Communications protocol Abstraction
Scripting language Multiplication Touchscreen Computer file Constructor (object-oriented programming) Code Multiplication sign Software developer Cartesian coordinate system Formal language Wave packet Formal language Web application Medical imaging Latent heat Wave Software Videoconferencing Energy level Configuration space Quicksort Abstraction Information security
Complex (psychology) Building Code State of matter Orientation (vector space) Multiplication sign Stack (abstract data type) Neuroinformatik Formal language Front and back ends Web 2.0 Medical imaging Web service Sign (mathematics) Malware Mixed reality Semiconductor memory Different (Kate Ryan album) Core dump Videoconferencing Abstraction Information security Multiplication Vulnerability (computing) Service (economics) Block (periodic table) Building Software developer Staff (military) Control flow Variable (mathematics) Formal language Web application Type theory Thermodynamisches System Malware Natural number Self-organization Normal (geometry) Software testing Right angle Energy level Quicksort Hacker (term) Block (periodic table) Information security Point (geometry) Surface Mobile app Statistics Game controller Software developer .NET Framework Mathematical analysis Average Expert system Shift operator Wave packet Revision control Frequency Thermodynamisches System Read-only memory Computer programming Software Queue (abstract data type) Integrated development environment Software testing Data structure Backdoor (computing) Multiplication Key (cryptography) Assembly language Surface Debugger Expert system Mathematical analysis Code Computer network Binary file Cartesian coordinate system Cryptography Software maintenance Exploit (computer security) Shareware Pointer (computer programming) Software Web-Designer Personal digital assistant Mixed reality Social class Communications protocol Local ring Abstraction Buffer overflow
Surface Functional (mathematics) Implementation Computer-generated imagery Virtualization Analogy Exploit (computer security) Limit (category theory) Pivot element Medical imaging Thermodynamisches System Semiconductor memory Software Gastropod shell Videoconferencing Cuboid Energy level Software testing Communications protocol Abstraction Multiplication Compilation album Arithmetic progression Service (economics) Scaling (geometry) Surface Computer network Line (geometry) Cartesian coordinate system Limit (category theory) Exploit (computer security) Thermodynamisches System Software Order (biology) System programming Software testing Figurate number Quicksort Musical ensemble
Surface Link (knot theory) Computer-generated imagery Exploit (computer security) Limit (category theory) Pivot element Formal language Front and back ends Wave packet Voting Coefficient of determination Repository (publishing) Queue (abstract data type) Videoconferencing Data structure Computer-assisted translation Multiplication Multiplication Interface (computing) Electronic mailing list Computer network Database Cartesian coordinate system Exploit (computer security) Thermodynamisches System Voting Personal digital assistant Cube Energy level Musical ensemble
Multitier architecture Game controller Mobile app Server (computing) Touchscreen Surface Database Drop (liquid) Cartesian coordinate system Mereology Flow separation Front and back ends Medical imaging Voting Software Queue (abstract data type) Videoconferencing Resultant Vulnerability (computing)
Logarithm Server (computing) Interface (computing) Database Database transaction Local Group Medical imaging Voting Connected space Thermodynamisches System Voting Error message Finitary relation Query language Daylight saving time HTTP cookie Resultant
Email Greatest element Group action Total S.A. IP address Medical imaging Interpreter (computing) Befehlsprozessor File system Source code UDP <Protokoll> Multiplication Link (knot theory) Touchscreen Mapping Moment (mathematics) Multitier architecture Computer Chaos (cosmogony) Instance (computer science) Price index Port scanner Variable (mathematics) Statistics Type theory Fluid statics Order (biology) Quicksort Resultant Electric current Multitier architecture Server (computing) Service (economics) Exploit (computer security) Average Content (media) Number Local Group Revision control Voting Thermodynamisches System Gastropod shell Computer worm MiniDisc Loop (music) Capability Maturity Model Default (computer science) Module (mathematics) User interface Default (computer science) Information Interface (computing) Debugger State of matter Database Binary file Cartesian coordinate system Dressing (medical) Kernel (computing) Broadcasting (networking) Software Web service Interpreter (computing) Gastropod shell Local ring Library (computing)
Authentication Default (computer science) Multitier architecture Service (economics) Server (computing) State of matter Virtual machine Insertion loss Database Line (geometry) Instance (computer science) Port scanner Regular graph Medical imaging Voting Voting Software Web service Finitary relation Configuration space Musical ensemble Video game console Local ring Data type
Voting Multiplication sign Interactive television Exploit (computer security) Database Process (computing) Musical ensemble Local ring Asynchronous Transfer Mode
User interface Debugger XML Cartesian coordinate system Mereology Voting Voting Malware Computer programming Intrusion detection system Motion blur Source code Right angle Gastropod shell Quicksort HTTP cookie Loop (music)
Surface Link (knot theory) Software developer Multiplication sign Cybersex Materialization (paranormal) Client (computing) Regular graph Voting Goodness of fit Term (mathematics) Repository (publishing) Energy level Software testing Information Abstraction Information security Multiplication Position operator Social class Multiplication Information Structural load Software developer Web page Plastikkarte Computer network Stack (abstract data type) Instance (computer science) Cartesian coordinate system Exploit (computer security) Shareware Thermodynamisches System Pointer (computer programming) Software Point cloud Right angle Musical ensemble Abstraction Electric current
Musical ensemble
for our next talk we have less McGrew he's going to talk to us about post exploitation of docker containers thank you so the the target audience for this talk is unapologetically red team members people who are doing red teaming engagements other offense oriented services such as penetration testing application security testing and the title that talk always have long titles for my talks there's the clever bit and then there's the actual part of it and so it's a look at multi container applications so building nowadays with the with containerization technology and darker which I'll cover in a little more detail you can build an application basically out of these Lego blocks of docker images or other containers that you find on the Internet and and and so portions of your application can be made up of these immutable containers and what that means is that the you're working at a higher level of abstraction and all of your vulnerabilities come from these lower levels of abstraction where these docker images have vulnerabilities and the way they talk to each other and an unauthenticated way on the backend can cause issues and so the goal of this talk is to give a penetration testing practitioner who's not already familiar with docker a or is facing multi container applications a little bit of tactics and tools to use to examine these systems and so I'm a my title at horn cyber solutions is is director of cyber operations and so the what that means is that I oversee all offense oriented services I run teams that do multiple teams that are simultaneously doing pin tests red teaming engagements and application security testing for a number of different clients and so you know I try to get hands-on with it as much as I can but really I'm more interested in the management of all of these sorts of things and make sure that that all the teams were up to date on the latest tools and techniques in a previous life I was a professor at Mississippi State University I still adjunct there I teach a class every semester and there I worked on industrial control systems developed a reverse engineering program therefore getting the NSA CAE and research education cyber operations and so basically most of my research most of my work has been on the offense side of things and so if your your blue team in here you might find things a little bit lean but but you know you can learn how to break these things and say that you can then look out for these tactics and techniques the intention for this deck
really is to make a strong point about the relationship between an attacker skill level your skill set that they the set of things that you know as an attacker and your development as an attacker over time versus developer trends and so this talk isn't just about attacking docker containers specifically or even multi container applications specifically it's really about how do you develop your skills over time as an attacker whether malicious or not right and so how do we leverage what you already know and how to look at learning new technologies moving forward and the sort of attitude to approach it with we want to provide a hacker that's experienced in exploitation and post exploitation of networks of systems and so if you think of a penetration testament organization you're given the scope and you you're-you're scanning that scope and you have a set of systems that interact with each other that's your attack surface the set of things that you can interact with how do you move and take your rate your your most of your training as a penetration test or a red teamer has been in that mode looking at that attack surface looking at protocols between services looking at vulnerabilities on the outside edge of each of those individual systems how do you move and take that skill set and apply it to an application and so historically applications have been monolithic and so the monolithic application is something that's it's made up of primarily a single binary or single service running on a single sis or a single virtual machine and sew with a monolithic application if you're wanting to inspect the state of internal things to the application how functions call each other how data is stored in memory you're looking at it attaching as a debugger you're looking at setting breakpoints you're looking at exploitation in terms of memory corruption or other sorts of remote code execution to get to the point that you can examine these things and then you're in this sort of environment of a debugger or something where you're limited and how you move with multi container applications where you're building your application of these immutable images talking to each other a lot of times your variable storage and your function calls wind up taking the place of tcp/ip connections wind up taking the place of things like Redis databases that actually store what would normally be a local variable and so it allows you to explore the internals of an application in the same way that you penetration tested network so I'm going to demonstrate this with some doc some concrete docker example with a edweb a doc concrete doctor example the white paper for this talk has a set of different things to sort of step up to this but I'm going to show you the cool one first and the inspiration for this approach in this talk is as a what I consider a classic talk by H PhD more in Val Smith from Def Con 15 tactical exploitation and it's quite an old talk I guess now that it's actually it's well worth going back and looking at if you're a pen test we need everyone never saw it all of the work in any kind of field is is built on the shoulders of giants built on the shoulders of people who have come before you in doing this sort of work there's been a number of talks on docker and containers over all there's entire you know there's dr. Khan and general purpose doctor talks out there and research but specifically in security and in previous def cons and blackcats we have here a list of good references good material to read to prepare yourself for this sort of thing you've got Mortman gratifi ori the tini journey dolce and the and these are all great works but they all focus on different things than what we're focusing on here they either are in focus on the underlying implementation or architecture of doctor the way it's implemented at a kernel level which for the purposes of this talk isn't exactly the most important thing and having some advice for that low level security sorts of things and then there's vulnerabilities in the platform itself and your docker runtimes and your docker infrastructure and the way that developers use docker and how you can target dark docker developers the thing is if I get on stage here and I present a a docker talk that has dr. zero-day well in a couple weeks everybody will have updated most everybody except for that one client right all right they'll have they'll have updated their docker instances and those vulnerabilities don't work anymore so really you want something more timeless and so what you're looking at really here is is post exploitation as being something more useful to learn in the long term because you're always gonna find a way into one of these applications through vulnerability and its outer attack surface and so the focus of all those other talks has been on defense as well or at least on specific attacks and so this is more of a general tactics for red teamers type thing so when we're looking at containerization and dr if you if you haven't fooled around with it a lot and i don't think a lot of penetration testers have it's getting more and more
popular but as a means of developing an application what you're looking at here is a essentially an operating system-level virtualization that's versus VMware where it's a simulating the hardware of a system we're talking about simulating the the the user space and file systems and libraries and networks for this container that's running but everything all the containers are sharing a single kernel and and so that means it's a lot more lightweight if you want to spin up a new docker container from an image that just takes a matter of seconds to do that and it's it's very quick to do this because it's a very lightweight type system and so due to it being lightweight and do it to being dynamic and if you tagged on something like Ku Burnett or darker swarm on to this to to have these things scale dynamically with load or size of data what you wind up with is a really easy way of developing applications out of these pre-built containers and it eases deployment and development so if I develop and I know the reason why I'm doing this talk is I started developing an intelligence collection platform that used this to scale for large sets of data and and the useful thing for me for it was that when I developed it on my laptop I could push it push that image out to the server and it worked exactly the same as it did on my laptop and that was that's a very solid guaranteed thing as far as dock is concerned so development and deployment of these things winds up being relatively easy when we look at vulnerabilities in these systems it's important to look and I think this is one of the most important overall themes for this talk is to look at the concept of vulnerabilities and layers of abstraction I've talked about this in some of my previous talks when I talk about security of penetration testing basically OPSEC for pen testers that's my previous few years of talks you know I see vulnerabilities the lifecycle it doesn't begin with discovery so you see these vulnerabilities lifecycle diagrams and they begin with you know to discovery the vulnerability and then notification and then patching and on and so forth and the cycle the cycle of life begins again it really begins with a mistake developer made a mistake in the development of an application they either didn't design security in they made a typo in their programming they they they have some they committed some error that becomes exploitable and in sergej browses weird machines terminology it's essentially it's an unexpected execution it's a unexpected functionality in a program that allows you to inject turing-complete code or to overwrite a flag saying that you're an admin or something that nature and to me I think that these vulnerabilities are mostly the result of not understanding layer of abstraction directly beneath you and so if you're if you're a web application developer are not understanding that the HTTP protocol that's underneath you as you're working in JavaScript and api's and frameworks and things like that if you're if you don't understand how cookies work but you're relying on your framework to do that for you you know there can be an issue there textbook example of this is with C programmers if your c programming you learned in a college course that didn't you know really dive into the implementation of c you know you might think that that these buffers are just gonna be you i said i had 20 bytes for this buffer why is it even let me put any more in there right well let's see well happily let you do that obviously we all know this and and even if you know that and you know your program is gonna crash you don't really understand the implications of it you write a c program and it crashes when the inputs wrong segmentation fault well I screwed up and you go and you compete recompiling it until it stops doing that thing right and but what you don't understand is what's really happening is you go and pass that buffer and you're running over things on the program stack if you don't understand that there's a program stack that's holding your local variables then you didn't understand you know what's happening in that segmentation fault base pointers return pointers all that sort of thing that you can manipulate and so all that's the sort of thing that if you go a level lower than C and you're looking at assembly and and machine code and stepping through things with a debug you learn to understand those sorts of things but that's not at the layer of that stretching that you're developing and so you have your user experience your which is your end user pointing clicky type things your scripting languages your high-level little compiled languages machine code things like hard what you think of as low-level things like machine code and virtual memory and things like that but underneath it at some point it becomes a magic box you you have an understanding of how that computer works at a basic level but it may not be the case and even for myself you know I think sometimes well maybe I should have done a degree in computer engineering instead of computer science because when it gets down to like the transistors and this physical properties of silicon right you know it's there's probably something to that that I don't understand it will bite me one day and so for a hacker to keep up with
these sorts of things you've got two different directions to look in one is in your layer of abstraction higher or lower and and as a hacker you tend to want to start learning lower and lower and lower so that you can get further underneath that developers understanding of things but horizontally you've got different technologies like this in this diagram you've got you've got languages on the left hand side and protocols on the and protocols and medium on the on the right hand side and so there's different there's there's lots of different things and it's hard to keep up with this and so you have things that you specialize in for our pentesting teams we have we have folks that are very good at web applications we have folks that are very good at at network based attacks we have folks that are very good at at looking at embedded control systems and things like that and so you have your specializations but you always want to be broadening this if
you're a developer you usually move upwards in the stack yeah so we're we're moving downwards as as penetration testers red teamers and things like that that a developer is typically moving upwards and so if you were a web developer in the late nineties you might have been rewriting your code and see I've written a I've written sand web applications in C++ CGI and it's not something I'm proud of but and it's not something that I would deploy on anything internet-facing nowadays if I found the code I need to find that code but you know you used to you could you could compile a program that that outputted HTTP headers in HTML and stick it in a CGI bin directory and then wait to get on right and then you know well that's not so smart so we start putting scripts out there and so that's a higher level of abstraction and then we have like web specific languages okay things like like regretably PHP and and and things like that that are designed for the web right and then on top of that we have frameworks thinking thinking things like Django that do a lot of things for you so like anga you've got your object model that handles all your database stuff you've you've got all these connectors and everything's where you don't have to understand HTTP you just write the code that backends your website and you have some templates for the front-end and it's all it's kind of hiding things from you but it's making it easier for the develop apps as you go up this way these layers of abstraction it becomes easier for you to develop applications and then nowadays it seems that most most web applications are strictly running in JavaScript in your browser then hitting web AP is on the back end and so that's a that's another way of developing another way of hiding some of this complexity when we look at
containerization it's as if we can take any specific web application that's been developed almost and you can look on the docker hub out there and pull down an image of it and have them talk to each other and you can you can build a serviceable app out of these things with just some connecting code and some configuration files and some scripts to spin up the containers for them and to have them talk to each other and so essentially this is the next and sort of made a level of developing an application and so your mindset as an
attacker versus a developer after you learn hello world for something you learn these things by looking at their tutorials you look at learn them by a reading the the most basic introductory book that you can find on the topic you you learn them from from trainings and tutorials and videos and things like that nobody sits down with like when everybody sits down with K NRC and learns C anymore right they they're gonna go through some tutorials first so if there's a developer what you're gonna learn after you learn hello where is what can I build with these language constructs if I go through the tutorials everything that I build is going to look like that tutorial software with modifications to fit my needs I'm gonna use the same approaches and the same practices and the problem with security for that is that most of time tutorials sort of hand wave security for things in favor of getting something up and running in like a couple of screens worth of text on a website if you're an attacker the first thing that you do like first thing I did after I started looking at doing hello world and docker so I could build a multi container application it's like well how does this work how does this hello world work and so you start digging into well how to do these docker containers look at each other and so and
so so if you're if you're at an attacker or developer this abstraction allows for more efficient development that's basically we're talking about here these these these layers of abstraction essentially that the idea of having these building block containers you can have mix technology in them it doesn't matter if this one application is written in dotnet doesn't matter if this one's written in Python will actually look an example in the video of an application like this and the way they talk to each other they have to at that point speak over common protocols like TCP IP they can't rely on them being PHP talking to PHP or C talking to C these are these are technologies that have to communicate over the same sorts of networks that organized organizations operate on and an interesting example of this is if you look at a lot of multi container applications use Redis and and I might not be pronouncing it correctly but it's a it's essentially when I saw it in an application I was like what is this thing and it's essentially it's a key value store so it's essentially the variable storage container or a service you can run it outside of a container but you connect to it and you say this variable name assign it to this value and you have some complex data structures in there - you can have some queues and stacks and and things like that in there and so instead of storing things and local variables and your container applications since your containers are immutable they're they can't maintain state if they go away and then come back they'll store State inside of these Redis containers where other applications can come in and look at that data and use it and so we'll look at some examples of that but so instead of having a stat a program staff can see for example where you'd have storage memory that pointers are pointing to locally you now have them on this network based service and so what this means is the the developers are moving up the stack in an abstraction and as attackers are moving down there's a few things happening one there's there's things higher on the stack that the attackers need to learn that to work with things like containerization and and and and you know modern web development technologies and things like that that we might not be very interested in the good news however is that our existing techniques for penetration testing networks of systems apply directly to penetration testing inside of a multi container app and so your existing now you might be a penetration tester today but once you start looking at web applications now now congratulations you're an application security expert right and so so your current tool set your current skill set becomes more lucrative over time because you're going relatively lower in the stack to the developers so think of somebody in the 70s or 80s who is writing assembly language code and that's what they had to do just to write an application for a computer back then well now you know they're very good they would that person would be very well suited towards embedded systems development or other lower-level things
and so when we're looking at these sort of these multi container applications and application internals we want to have things like control over execution the opportunity to turn code against itself things like Rob and web api's and C surf and things like that all these sorts of things especially in this in case of malware analysis and return oriented programming and C surf you know these things requires very specialized tools and sometimes you you you might even be internal to an application right to exploit a monolithic binary application you're you're looking at you know having to attach this thing to a debugger just to get an understanding of how to develop an exploit for it the skillset for this you know it's different so in an internal application security expert somebody who who analyzes application for vulnerabilities needs to have a very strong understanding of the language that they're targeting and and and methods of exploitation and some of those can get quite arcane but a penetration tester generally works on the outside attack surface they're using known vulnerabilities are relatively easy to find vulnerabilities because they're targeting the attack surface of an entire organization at once and so you might have been trained in you know doing some very simple buffer overflow exploits as a penetration tester but if you're writing them every day and your daily work as a penetration tester I'm going to be very surprised right you know if you're connecting to a remote service on a client and you're you're you know throwing the A's in until it crashes type of thing and you're able to develop that exploit sort of blindly without seeing the other side of it you know that's a that's that's a you mean kudos to you but that's just not not the norm in pen testing it's more of an application security thing and so there's a training gap there but the nice news is is with this containerization is that your existing skills of system the system pentesting apply much easier so containerization allows for the design of applications that are composing many of these things and so we're democratizing post exploitation manipulations so essentially after you gain access to one of these multi container applications and so there's lots of vulnerabilities in these things so if you look on the docker hub there'll be official docker images for different web applications but there are also be a lot of docker images that people made one-off for web applications that at some point may not have had official docker images and so somebody will take it upon themselves to create an image for their own use push it to their docker hub so that they can use it and about the fault that's available for anybody else to go and grab and using theirs but they didn't sign up to be a package maintainer right they didn't sign up to to maintain this thing over long periods of time and so there's use of it may have been over or they may not care about the vulnerabilities in it and so you'll see in the demo there's a there's a Joomla image out there that you can grab and and it's a it's an old version of Joomla there's an official abduch Joomla image out there but there's also a lot of the dart that isn't vulnerable there's also a lot of backdoored images and there's a new star core fall back on on somebody that crypto miners embedded in these images and so there's lots of things and that's smart I wish I'd have thought that the so there's lots of vulnerability in the images themselves that can give you that entrance into the backend Network for
these things and so you essentially have this docker network underneath the horizontal line there where your containers all work and can talk to each other and then there's an outside attack surface of ports that are forwarded to the outside world from the host and those ports are and you specify those ports but once you're on the inside of this network it's they can it's kind of free-for-all they can all kind of talk to each other no matter what they've specified and so essentially a test of an application becomes a comp microcosm of an organization-wide test your your actual your actual a post exploitation of this sort of thing is going to involve identifying that your own on docker network which will be pretty simple because you're gonna find yourself on a system that doesn't have a lot of tools it's purpose-built for that one application and so you might be getting a busy box shell or something and in the videos I actually show you another technique that you can look at very quickly to see that you're on docker container network and so that your idea is once I gained access to one of these things let's enumerate the rest of them let's find out what's on the rest of them let's figure out how they talk to each other and see if we can move around and this is all analogous to two on a monolithic application function hooking and breakpoints in an inspection of memory but it's at a network scale
[Music] and so the implementation of this is so you have access through conventional exploits it's familiar territory for attackers with system or network level attack spirits experience the limitations of this is you're living off the land you're gonna have to transfer your own tools in and just kind of like statically compiled them and hope for the best that they'll work once they're on there it's it's challenging because the images are quite minimalistic you're gonna be doing a lot of port forwarding in order to get your tools on your system to to reach in there and look at those other hosts and
so the the demonstration video for this is a demonstration of exploitation and post exploitation of multi container application this is a this is a docker multi container application that's used frequently in in public docker trainings it's on gets out on their own github the links are all in the white paper for the talk this is used to teach people about docker and it's a it's a voting application it's meant for cats versus dogs but I've changed it to the blue team versus red team so we can have some fun and we're gonna attack this thing we're gonna look at how different aspects of it like the voting interface is written in one language the backend takes the votes there's another language the database is a postgrads database and then there's a Redis queue that the votes get stuffed into and popped out of it's like a stack or a cue actually in this case you have a data structure or a list in Redis where the votes are being pushed onto the left-hand side and then popped off the right-hand side is a cube and so we'll bump over to our video here
I can get my controls okay it's my controls were hidden under the bar there alright okay so this is a tour through the application itself the voting app at the top there is a is written in Python pump out a full screen on me
the the result server is written and we've node in JavaScript there's a Joomla image I in the tutorial of this there's not really much external attack surface drop that X that vulnerable Joomla image in there just for the purposes of adamant of demonstration you see in the networks there that's showing frontier bacteria for some of these some of them are only back tier containers there's that that those are two separate docker networks and it's essentially like a DMZ and then the the internal network that we're talkin on there's a worker node that that depends on Redis and it's simply popping votes off of the Redis queue and then pushing them into a database there's the reddest queue itself on the backend and then a database that the votes actually wind up in and it's good that this is a video because there's a lot of moving parts to this that it can go wrong it took a few takes for this and so we can start this thing up using docker docker swarm as instrumentation
and the details of all this are in the white paper and so I'm moving through this quickly but it's it is all them so
there's your voting interface there's
the results off of a nut served off of
another port and there's that uh that that juicy Joomla image they're waiting
to get popped we can punch in votes and see the results and we can even change
over it we get a cookie that our that
our vote is associated with and so it can flip and flop as time changes so we
want to break it right and luckily you know this this particular Joomla image there's a there's a module in Metasploit that can they can take care of hitting this thing that's just making note of the local IP address the attacker you can see at the bottom of screen the attacker target designation there that I Asterix designates which screen we're looking at at any moment right now we're looking at target we're loading up that particular attack module we're setting our target up which we identified from the web interface you know boring mature Metasploit stuff type faster old wesley setting our localhost because that PHP interpreter is going to phone back to our to us and it's a quick exploit it just goes ahead and works you're you're sitting in the
PHP interpreter right now you get some information about the system that you're on it's the and it'll be the same kernel version for every container because they're all sharing the kernel we can draw up to a shell and this is showing you in the proc file system in the seed groups you can actually a without going into what all that means you see a lot of references to docker and so that that's first indication that we're we're on such a system now we're doing IP information for this docker container that we're inside of and there's an internal and an external network there there's the 170 219 and 172 18 that are these both that are those front tier and back to your networks we can background that meterpreter session and and so we have that session sitting there we have that persistence on on that that Joomla server we're grabbing a statically compiled version of nmap off of github in order to be able to scan that internal network statically compiled because we want to upload that which is what we're doing right now into a temp folder onto that compromised container so that we can start working from there we have to have it statically compiled because we don't have a lot of libraries Kord on that target and certainly in maps not already there unless you unless you've broken into a Cali a image container they they make they're fantastic I like working with them I think the actual attacker pain on this interfaces is running in a Cali container and so here we're in mapping the this 172 dot eighteen Network which is the external network the front tier network all ports on the first ten hosts by these default configurations of docker there'd sort of incrementally assigned IP address numbers and so you see and there's actually good naming for most of them except for that Joomla server that I didn't really give a good name for and also the docker host is the first one up there so that gives you an idea of those three HTTP services that we're looking at the front end voting interface the intern are the the results application in the Joomla now the scan is going across the back tier because now we have access to one of these containers now I can start scanning the back to your network and seeing what's that was there it's gonna be a lot more interesting stuff it's gonna be stuff that we can play around with and so you've got the Redis server down at the bottom the next one up is the is the joomla instance the the postgrads database there we've got and again the docker the docker host up there at the top at dot one and so now we've got a database and Retta server we can that's written that so now we can start manipulating local variables
so we're back into our meterpreter console of running on our Joomla instance and we'll need to set up we're going to set up some port forwarding so that we can interact with those services directly basically creating the tunnel from our external attacker image or container or virtual machine are your local instance of Kali Metasploit and and so we set a port forward here to where we can get at that database and we can just use the regular ole postgrads command line to interact with it and the thing is is by default with all these docker images is they're they're meant to get up and running very quickly so many of them are configured to just have defaults or no credentials no authentication nothing because they're all sitting on those back to your networks where nobody can get out them directly and so once you are in there you're usually good to talk to each other and let some guys done a lot of special configuration which is not in the tutorials and so here we're looking at the tables and and looking at the boats that are in there the boats take the form of an ID associated with that voter and and also the which one they voted a is red and B is blue I guess I don't quite remember but then we've also done some inserts to see more votes
being put in for blue so blue team members can can celebrate for now [Music]
now as past whistle you just pause their brain farting and guess alright now we're back into a show and we're going to since we since we're just doing netcat for the reddit's we don't really need to set up a port for we can netcat from we can netcat from that host a lot of times you'll have busybox which will have netcat built in here we've gone into monitor mode on Retta so once you tell that into a reticence since all the commands are plaintext and monitor allows you to see what's going on in live feed of interactions and so all those pops are that worker container continuously looking is their new vote is their new vote is in your new vote because when it finds a new vote it will pop it and throw it into the database and so it's continuously doing that and as I hid the votes here you'll see
things changing and they'll move the
window out of the way there so you can see it and so you see votes being pushed onto the right hand side and popped off the left hand side and so now that we know how this works we kind of got in a feel for that it's almost like watching an instrumented in a debugger to see how how does this how does this part of the program talk to this other part of the program we can now start playing with it directly and so so now that we're in there I'm copying and pasting a bunch of push commands into here so that we can push a bunch of arbitrary votes into this thing and it's just as good as pushing them from the web interface and so I posted in a ton of votes there with unique IDs of just alphabetic letters it doesn't verify that they're valid or associated with any cookie or anything it's just sort of there it's a toy application and so now the red team's
winning of course [Music] and there I am rubbing it in by highlighting it all right and so the
takeaway from this is that your existing offense or in skills but none of that was very difficult right like this is not zero day this is just regular old tactical post exploitation stuff that you'll learn as a pen tester if you haven't already learned if you're getting started these are things that will be in classes and stuff but these existing offense skills become moot useful at a lower relative position in the stack of abstraction from developers as they're using higher and our abstracted technologies and so developers are moving up and so the new load no the new low-level moves up and so it's a but it's important that you update yourself and so if for us you know we don't want the first we don't want the first multi container application we encounter to be on a client gig we don't want to have to learn it on the spot then we want to have some familiarization with things like docker and kubernetes and other technologies for newer development methodologies so that we are familiar with these things when we see them and we don't freak out when we break into a joomla instance and see that there are no tools in place and that it and and don't even think to look to see if there's another back in network that this thing can talk to and so it's important to update yourself and not only move down the stack in terms of getting lower and lower level skills for exploitation but work up the stack as well if something seems cool and trendy like cloud or containerization or blockchain or anything like that it's it's really easy to turn your nose up at it right because it's trendy and you don't want to be trendy but ultimately your clients are going to wind up using these technologies and you need to understand them and so it represents a good a good entrance into application security testing for existing penetration testers there's a white paper available in the conference materials it has all the information about the demo and a couple other demos there's a lot of discussion in that that's not in this talk and a lot of links to resources that I use when I was learning about this stuff previous work that's being done in security of these things and also some pointers to some information on how to how to secure these applications if that's your thing but appreciate your time and I'll be down here ready for questions and hand out cards and trade contact information thank you [Applause]