Advanced | 3-6 hours | 6 steps, 10 tools

Container & Kubernetes Pentest

Testing containerized environments and Kubernetes clusters for security weaknesses including vulnerable images, misconfigured RBAC, container escape vectors, and exposed cluster services. Covers both offensive testing and defensive hardening validation.

containers, kubernetes, docker, cloud-native
1. Container Image Scanning

Scan all container images in use for known vulnerabilities, embedded secrets, and misconfigurations. Check base images for outdated packages with known CVEs. Analyze Dockerfiles for insecure practices like running as root, using latest tags, or including unnecessary tools. Generate a software bill of materials (SBOM) for each image to understand the full dependency chain.

Tip: Trivy scans images, filesystems, and git repos for vulnerabilities and misconfigurations in one tool. Syft generates detailed SBOMs. Dockle audits Dockerfiles against CIS benchmarks. Grype provides fast vulnerability scanning with detailed CVE information. Scan both the images in your registry and the images actually running in the cluster - they may differ.

2. Runtime Security Monitoring

Deploy runtime monitoring to detect suspicious behavior from containers in real time. Watch for unexpected process execution, file system writes outside of expected paths, network connections to unusual destinations, and privilege escalation attempts. This establishes a behavioral baseline and catches attacks that static scanning misses.

Tip: Falco uses kernel-level system call monitoring to detect anomalous container behavior. Deploy it with custom rules tailored to your workloads - for example, alert when a web server container spawns a shell process. Review the default Falco rules and tune them to reduce noise for your specific environment.

3. Container Enumeration from Inside

From within a compromised container, enumerate the environment to understand what you can reach and what escape vectors exist. Check for mounted host paths, available Linux capabilities, privileged mode, accessible cloud metadata endpoints, service account tokens, and network access to other containers and the Kubernetes API server.

Tip: deepce automates container environment enumeration and escape checks. CDK (Container penetration toolkit) provides both enumeration and exploitation capabilities. Check if the container has access to the Docker socket (/var/run/docker.sock) - this is an instant escape to the host. Check for cloud metadata at 169.254.169.254.

4. Container Escape Testing

Attempt to escape the container to the underlying host. Test all identified vectors: privileged containers, dangerous capabilities (SYS_ADMIN, SYS_PTRACE), mounted host filesystems, Docker socket access, kernel exploits, and nsenter from privileged containers. Each successful escape demonstrates a critical security boundary failure.

Tip: CDK includes automated exploits for common escape vectors. Privileged containers with SYS_ADMIN capability can mount the host filesystem and write cron jobs or SSH keys. Access to the Docker socket lets you create a new privileged container with host mounts. Document each escape path carefully - the remediation is different for each vector.
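
Seen from the hardening-validation side, the vectors listed in this step are visible in pod specs before anyone tests them. The following is an added example, not part of the original workflow or of any tool it names: it assumes pod objects in the JSON shape printed by `kubectl get pods -A -o json`, and the sample pods and image names are constructed.

```python
# Added example: flag pod specs exposing the escape vectors named above.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "ALL"}  # ALL includes both
DOCKER_SOCK = "/var/run/docker.sock"

def audit_pod(pod):
    """Return sorted (container, finding) pairs for one pod object."""
    spec = pod.get("spec", {})
    # Map hostPath volume names to host paths so mounts can be resolved.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = set()
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.add((c["name"], "privileged"))
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            if cap.upper() in DANGEROUS_CAPS:
                findings.add((c["name"], "cap:" + cap.upper()))
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is not None:  # only mounts backed by a hostPath volume
                kind = "docker-socket" if path.rstrip("/") == DOCKER_SOCK else "hostPath"
                findings.add((c["name"], kind + ":" + path))
    return sorted(findings)

def audit_all(doc):
    """Audit every pod in a `kubectl get pods -A -o json` style document."""
    return {p["metadata"]["name"]: audit_pod(p) for p in doc.get("items", [])}

# Constructed sample data (hypothetical pod and image names).
SAMPLE = {"items": [
    {"metadata": {"name": "ci-runner"},
     "spec": {
         "volumes": [{"name": "dsock", "hostPath": {"path": "/var/run/docker.sock"}},
                     {"name": "tmp", "emptyDir": {}}],
         "containers": [{
             "name": "runner", "image": "example/runner:1.0",
             "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}},
             "volumeMounts": [{"name": "dsock", "mountPath": "/var/run/docker.sock"},
                              {"name": "tmp", "mountPath": "/tmp"}]}]}},
    {"metadata": {"name": "web"},
     "spec": {"containers": [{"name": "nginx", "image": "example/web:1.0",
                              "securityContext": {"privileged": False}}]}},
]}

if __name__ == "__main__":
    for pod, found in audit_all(SAMPLE).items():
        print(pod, found or "clean")
```

Each finding string names its vector, so the report can pair it with the remediation specific to that vector.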

5. Kubernetes Cluster Security Audit

Audit the Kubernetes cluster configuration for security issues. Check RBAC policies for overly permissive roles, test for exposed dashboards and API servers, examine network policies for proper segmentation, verify pod security standards are enforced, and look for secrets stored without encryption. Test whether compromised pods can access the Kubernetes API and what actions they can perform.

Tip: kube-hunter tests Kubernetes clusters for security issues from both inside and outside the cluster. Run it in pod mode from within the cluster and in remote mode from outside. Check if the default service account in each namespace has excessive permissions. Verify that network policies actually prevent cross-namespace communication where expected.

6. Report and Hardening Recommendations

Document all findings with specific remediation steps. Include the container escape paths, RBAC weaknesses, image vulnerabilities, and network segmentation gaps you discovered. Provide a hardening checklist covering image security, runtime protection, network policies, RBAC least privilege, secrets management, and admission controller recommendations.

Tip: Prioritize container escape vectors and RBAC misconfigurations as critical findings. Include specific Kubernetes manifests or Helm values for fixes. Recommend admission controllers (OPA Gatekeeper, Kyverno) to prevent future misconfigurations. Map findings to the Kubernetes threat matrix for clear risk communication.