Cloud Container Attack Tool (CCAT) is a tool for testing security of container environments.
- Python 3.5+ is required.
- Docker is required. Note: CCAT is tested with Docker Engine 19.03.1 version.
- AWS named profile is required.
Install CCAT from source
$ git clone https://github.com/RhinoSecurityLabs/ccat.git
$ cd ccat
$ python3 setup.py install
$ python3 ccat.py
Use CCAT's Docker Image
Warning: Running this command will mount your local AWS configuration files into the Docker container when it is launched. This means that any user with access to the container will have access to your host computer's AWS credentials.
Warning: Running this command will mount your local Unix socket that Docker daemon listens on by default into the Docker container when it is launched. This means that users with access to the container will have access to your Docker daemon, meaning they could escape to your host computer with ease.
$ docker run -it -v ~/.aws:/root/.aws/ -v /var/run/docker.sock:/var/run/docker.sock -v ${PWD}:/app/ rhinosecuritylabs/ccat:latest
Below is an example scenario to demonstrate the usage of CCAT.
Starting with compromised AWS credentials, the attacker enumerates and explores ECR repositories. Then, the attacker found that they use NGINX Docker image and pulled that Docker image from ECR. Furthermore, the attacker creates a reverse shell backdoor into the target Docker image. Finally, the attacker pushes the backdoored Docker image to ECR.
If you prefer a video walkthrough, you can find a link to video below this section.
-
The attacker explores the AWS enviroment and discovers they are able to list ECR repositories using compromised AWS credentianls.
-
Enumrate ECR repositories
-
Configure AWS CLI Profile
The first time CCAT is launched, the attacker will be prompted to configure their AWS CLI profile. This profile will be used to run the related AWS attack modules.
-
Then the attacker selects target AWS regions
-
-
Then the attacker lists enumrated ECR repositories with simple table format
-
-
The attacker finds that they use the NGINX Docker image and pulls that Docker image from ECR.
-
Pull ECR repository
-
Then there are two options to pull from ECR repositories so the attacker chooses a single repository with multiple tags option
-
Then the attacker will be promoted to provide AWS region, ECR repository URI, repository tags
-
-
-
The attacker decides to create a reverse shell backdoor into the pulled NGINX Docker image.
-
The attacker starts a listener for reverse shell
-
Then the attacker creates a reverse shell backdoor
This module generates a Dockerfile on the fly and builds new Docker image.
-
Then the attacker will be promoted to provide repository name, tag and new build tag
-
Then the attacker generates a Dockerfile, adds reverse shell configuration, and overwrites the default CMD command
"CMD sets default command and/or parameters, which can be overwritten from command line when docker container runs."
-
Then the attacker reviews a Dockerfile and builds new backdoored NGINX Docker image
-
-
Then the attacker tests the backdoored Docker image
-
Run a backdoored container
-
Test NGINX server
-
Test reverse shell backdoor
-
-
-
Finally, the attacker pushes the backdoored Docker image to ECR.
-
Check AWS Web Console BEFORE pushing the backdoored Docker image
-
Push the backdoored Docker image
-
The attacker will be promoted to provide AWS region, ECR repository URI and repository tag
-
-
Check AWS Web Console AFTER pushing the backdoored Docker image
-
- Container Escape Features
- Image Scanner Features
- Amazon ECS Attack Features
- Amazon EKS Attack Features
- Azure Container Related Attack Features
- GCP Container Related Attack Features
- OpenShift Container Related Attack Features
- IBM Cloud Container Related Attack Features
- Alibaba Cloud Container Related Attack Features
- CCAT is tool that comes with absolutely no warranties whatsoever. By using CCAT, you take full responsibility for any and all outcomes that result.