You're reading from  Cloud Penetration Testing for Red Teamers

Product type: Book
Published in: Nov 2023
Reading level: Intermediate
Publisher: Packt
ISBN-13: 9781803248486
Edition: 1st Edition
Author: Kim Crawley

Kim Crawley is a thought leader in cybersecurity, from pentesting to defensive security, and from policy to cyber threat research. For nearly a decade, she has contributed her research and writing to the official corporate blogs of AT&T Cybersecurity, BlackBerry, Venafi, Sophos, CloudDefense, and many others. She has been an internal employee of both Hack The Box and IOActive, a leading cybersecurity research firm. With the hacker mindset, she hacked her way into various information security subject matters. She co-authored one of the most popular guides to pentester careers on Amazon, The Pentester Blueprint, with Philip Wylie for Wiley Tech. She wrote an introductory guide to cybersecurity for business, 8 Steps to Better Security, which was also published by Wiley Tech. She also wrote Hacker Culture: A to Z for O'Reilly Media. To demonstrate her knowledge of cybersecurity operations, she passed her CISSP exam in 2023. In her spare time, she loves playing Japanese RPGs and engaging in social justice advocacy. She's always open to new writing, research, and security practitioner opportunities.

Pentesting Containerized Applications in Azure

In the previous chapter, we went through the process of setting up a Microsoft Azure environment to practice pentesting and vulnerability scanning in. We then deployed a virtual machine (VM), learned some PowerShell commands, and ran a few scanning tools from Bash in the Azure Cloud Shell CLI.

Sometimes, organizations simply run their applications in Azure from ordinary Windows and Linux VMs. However, very often, organizations need a highly scalable cloud configuration where application components can be launched and shut down quickly and responsively. That’s especially true in DevOps applications, and that’s where containerization comes in.

Because a lot of companies use containerization in their Azure networks, it’s important for you to learn how to pentest them. That’s what this chapter is all about.

In this chapter, I will explain what containerization is, why containerization...

Technical requirements

We will work with Microsoft’s infrastructure. Massive Azure data centers will do the bulk of the computer processing work for the exercises in this chapter. So, fortunately, you don’t need to have a top-of-the-line workstation. You will need the following:

  • A web browser
  • A desktop or laptop PC
  • An Android or iPhone mobile
  • A good, reliable internet connection

Check out the following video to view the Code in Action: https://bit.ly/3QmGlKX

How containerization works

A VM is a simulated computer. Instead of running directly on PC or server hardware, the guest operating system runs on virtual hardware that a hypervisor presents to it, so one physical machine can host several VMs at once. The hypervisor is either an application inside a host operating system (a type 2 hypervisor, such as VirtualBox) or software that runs directly on the hardware with no host OS underneath it (a type 1, or bare-metal, hypervisor, which is what cloud data centers such as Azure's use).

You can run a hypervisor on your own PC with an application such as Oracle VirtualBox or VMware Workstation Player. All you need is an installation ISO or a prebuilt disk image of the operating system you want to run, which you attach to a VM you configure in the hypervisor. The guest operating system doesn't have to match your host operating system, and very often it doesn't. I could run a Kali Linux VM on my Windows 11 PC. You could run a Windows 11 VM on your MacBook. And, licensing permitting, I could run a macOS VM on my Ubuntu Linux desktop.

However, it does take a few minutes...

Docker and Kubernetes pentesting techniques in Azure

Let’s explore some tools to pentest containers in Azure.

kube-hunter

The first pentesting application we’ll try is kube-hunter by Aqua Security on GitHub. The introduction in the kube-hunter README file at https://github.com/aquasecurity/kube-hunter/blob/main/README.md states the following:

“kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster that you don’t own!”

Absolutely! That's why we set up our own Kubernetes cluster in our own Azure subscription in this chapter. When you're doing paid work as a pentester, you will need written authorization from the organization that owns the Azure subscription and the Kubernetes cluster, with the in-scope networks and clusters spelled out, before you run a single scan.
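Two things I always script around kube-hunter on an engagement are the scope check (refuse to hunt anything outside the authorized CIDRs, and never pass --active unless the client has agreed to exploitation attempts) and the triage of the JSON report it writes. The following is an added example, not code from the book or from the kube-hunter project. It assumes kube-hunter's flags (--remote, --cidr, --active, --report json) and the JSON report layout (a top-level "vulnerabilities" list whose entries carry "vid", "severity", "category", "vulnerability" and "location") match the versions I have used; check both against your installed version. The sample report embedded in it is constructed: the entries illustrate the format, not findings from any real cluster, and the severities are the example's, not necessarily the ones kube-hunter assigns.

```python
"""Scope-check a kube-hunter run and triage its JSON report.

Added example for this chapter; not code from the book or from kube-hunter.
Assumed: kube-hunter's --remote/--cidr/--active/--report flags and the JSON
report shape described in the lead-in match your installed version.
"""
import ipaddress
import json
from collections import Counter

# Triage order: high-severity findings first.
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def build_kube_hunter_command(target, authorized_cidrs, active=False):
    """Return the argv for a kube-hunter run, refusing out-of-scope targets.

    target is an IP address or a CIDR; authorized_cidrs lists the networks
    the written authorization covers. Passive hunting is the default:
    --active is only appended when explicitly requested, because active
    hunts try to exploit what they find rather than just report it.
    """
    wanted = ipaddress.ip_network(target, strict=False)
    in_scope = False
    for cidr in authorized_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == wanted.version and wanted.subnet_of(net):
            in_scope = True
            break
    if not in_scope:
        raise ValueError(f"{target} is outside the authorized scope {authorized_cidrs}")

    argv = ["kube-hunter", "--report", "json"]
    if "/" in target:
        argv += ["--cidr", target]      # scan a whole subnet
    else:
        argv += ["--remote", target]    # scan one host
    if active:
        argv.append("--active")
    return argv


def summarize_report(report_json):
    """Parse a kube-hunter JSON report into (counts by severity, findings).

    findings is sorted high -> medium -> low, then by vid, so the list can
    go straight into the engagement report.
    """
    report = json.loads(report_json)
    findings = []
    for item in report.get("vulnerabilities", []):
        findings.append({
            "vid": item.get("vid", "unknown"),
            "severity": str(item.get("severity", "low")).lower(),
            "category": item.get("category", ""),
            "vulnerability": item.get("vulnerability", ""),
            "location": item.get("location", ""),
        })
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f["severity"], 99), f["vid"]))
    counts = Counter(f["severity"] for f in findings)
    return dict(counts), findings


# Constructed sample in kube-hunter's JSON layout. Illustrative only: not
# results from any real cluster; severities are this example's own.
SAMPLE_REPORT = json.dumps({
    "nodes": [{"type": "Node/Master", "location": "10.240.0.4"}],
    "services": [
        {"service": "API Server", "location": "10.240.0.4:6443"},
        {"service": "Kubelet API", "location": "10.240.0.4:10250"},
    ],
    "vulnerabilities": [
        {"location": "10.240.0.4:6443", "vid": "KHV002",
         "category": "Information Disclosure", "severity": "low",
         "vulnerability": "K8s Version Disclosure",
         "description": "The kubernetes version could be obtained from /version",
         "evidence": "v1.27.3", "hunter": "Api Version Hunter"},
        {"location": "10.240.0.4:6443", "vid": "KHV005",
         "category": "Information Disclosure", "severity": "medium",
         "vulnerability": "Access to API using service account token",
         "description": "The API Server port is accessible.",
         "evidence": "APIVersions", "hunter": "API Server Hunter"},
        {"location": "10.240.0.4", "vid": "KHV003",
         "category": "Information Disclosure", "severity": "high",
         "vulnerability": "Azure Metadata Exposure",
         "description": "Access to the Azure Metadata API exposes subnet info",
         "evidence": "subnet: 10.240.0.0/16", "hunter": "Azure Hunter"},
    ],
})


if __name__ == "__main__":
    print(" ".join(build_kube_hunter_command("10.240.0.4", ["10.240.0.0/16"])))
    counts, findings = summarize_report(SAMPLE_REPORT)
    print(counts)
    for f in findings:
        print(f"{f['severity']:<6} {f['vid']} {f['vulnerability']} @ {f['location']}")
```

In practice you feed the argv to subprocess.run and pipe kube-hunter's stdout into summarize_report; the scope check runs before anything touches the network, which is the property you want to be able to show the client.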

There are lots of different kinds of scans you can do with kube-hunter....

Summary

Organizations often deploy containerization on their cloud platforms because it is a very responsive and dynamic way to use virtualization to implement rapidly scalable and ever-evolving applications, using DevOps or CI/CD methodologies.

A container packages only the user-space files (binaries, libraries, and configuration) that its application needs; it shares the kernel of the host it runs on, which is why a kernel vulnerability on the node affects every container on it. Scheduling, resource limits, and load balancing are handled by the layers above the container: the container runtime on the node, and the orchestrator above that.

Now, we know how to deploy Docker and Kubernetes containerization instances in Azure and test them for security vulnerabilities. Docker and Kubernetes are two of the most widely used containerization platforms, and they are complementary rather than competing: Docker builds and runs individual containers, while Kubernetes orchestrates many of them across a cluster of nodes. Kubernetes runs the OCI-format images that Docker builds, although current Kubernetes releases use a CRI runtime such as containerd on the nodes rather than the Docker daemon itself.

In the following chapter, I’ll introduce you to Google Cloud Platform and its various services.

Further reading

To learn more about the topics covered in this chapter, you can visit the following links:

  • Deploy a container instance in Azure using the Azure CLI: https://learn.microsoft.com/en-us/azure/container-instances/container-instances-quickstart
  • What is Azure Kubernetes Service?: https://learn.microsoft.com/en-us/azure/aks/intro-kubernetes
  • kube-hunter documentation: https://aquasecurity.github.io/kube-hunter/
  • kdigger documentation: https://github.com/quarkslab/kdigger