mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-23 19:43:31 +00:00
158 lines
6.8 KiB
Markdown
158 lines
6.8 KiB
Markdown
|
# Docker Forensics
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
<figure><img src="/.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
|||
|
|
|||
|
Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
|
|||
|
|
|||
|
{% embed url="https://academy.8ksec.io/" %}
|
|||
|
|
|||
|
## Container modification
|
|||
|
|
|||
|
There are suspicions that some docker container was compromised:
|
|||
|
|
|||
|
```bash
|
|||
|
docker ps
|
|||
|
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
|
|||
|
cc03e43a052a lamp-wordpress "./run.sh" 2 minutes ago Up 2 minutes 80/tcp wordpress
|
|||
|
```
|
|||
|
|
|||
|
You can easily **find the modifications done to this container with regards to the image** with:
|
|||
|
|
|||
|
```bash
|
|||
|
docker diff wordpress
|
|||
|
C /var
|
|||
|
C /var/lib
|
|||
|
C /var/lib/mysql
|
|||
|
A /var/lib/mysql/ib_logfile0
|
|||
|
A /var/lib/mysql/ib_logfile1
|
|||
|
A /var/lib/mysql/ibdata1
|
|||
|
A /var/lib/mysql/mysql
|
|||
|
A /var/lib/mysql/mysql/time_zone_leap_second.MYI
|
|||
|
A /var/lib/mysql/mysql/general_log.CSV
|
|||
|
...
|
|||
|
```
|
|||
|
|
|||
|
In the previous command **C** means **Changed** and **A,** **Added**.\
|
|||
|
If you find that some interesting file like `/etc/shadow` was modified you can download it from the container to check for malicious activity with:
|
|||
|
|
|||
|
```bash
|
|||
|
docker cp wordpress:/etc/shadow.
|
|||
|
```
|
|||
|
|
|||
|
You can also **compare it with the original one** running a new container and extracting the file from it:
|
|||
|
|
|||
|
```bash
|
|||
|
docker run -d lamp-wordpress
|
|||
|
docker cp b5d53e8b468e:/etc/shadow original_shadow #Get the file from the newly created container
|
|||
|
diff original_shadow shadow
|
|||
|
```
|
|||
|
|
|||
|
If you find that **some suspicious file was added** you can access the container and check it:
|
|||
|
|
|||
|
```bash
|
|||
|
docker exec -it wordpress bash
|
|||
|
```
|
|||
|
|
|||
|
## Images modifications
|
|||
|
|
|||
|
When you are given an exported docker image (probably in `.tar` format) you can use [**container-diff**](https://github.com/GoogleContainerTools/container-diff/releases) to **extract a summary of the modifications**:
|
|||
|
|
|||
|
```bash
|
|||
|
docker save <image> > image.tar #Export the image to a .tar file
|
|||
|
container-diff analyze -t sizelayer image.tar
|
|||
|
container-diff analyze -t history image.tar
|
|||
|
container-diff analyze -t metadata image.tar
|
|||
|
```
|
|||
|
|
|||
|
Then, you can **decompress** the image and **access the blobs** to search for suspicious files you may have found in the changes history:
|
|||
|
|
|||
|
```bash
|
|||
|
tar -xf image.tar
|
|||
|
```
|
|||
|
|
|||
|
### Basic Analysis
|
|||
|
|
|||
|
You can get **basic information** from the image running:
|
|||
|
|
|||
|
```bash
|
|||
|
docker inspect <image>
|
|||
|
```
|
|||
|
|
|||
|
You can also get a summary **history of changes** with:
|
|||
|
|
|||
|
```bash
|
|||
|
docker history --no-trunc <image>
|
|||
|
```
|
|||
|
|
|||
|
You can also generate a **dockerfile from an image** with:
|
|||
|
|
|||
|
```bash
|
|||
|
alias dfimage="docker run -v /var/run/docker.sock:/var/run/docker.sock --rm alpine/dfimage"
|
|||
|
dfimage -sV=1.36 madhuakula/k8s-goat-hidden-in-layers>
|
|||
|
```
|
|||
|
|
|||
|
### Dive
|
|||
|
|
|||
|
In order to find added/modified files in docker images you can also use the [**dive**](https://github.com/wagoodman/dive) (download it from [**releases**](https://github.com/wagoodman/dive/releases/tag/v0.10.0)) utility:
|
|||
|
|
|||
|
```bash
|
|||
|
#First you need to load the image in your docker repo
|
|||
|
sudo docker load < image.tar 1 ⨯
|
|||
|
Loaded image: flask:latest
|
|||
|
|
|||
|
#And then open it with dive:
|
|||
|
sudo dive flask:latest
|
|||
|
```
|
|||
|
|
|||
|
This allows you to **navigate through the different blobs of docker images** and check which files were modified/added. **Red** means added and **yellow** means modified. Use **tab** to move to the other view and **space** to collapse/open folders.
|
|||
|
|
|||
|
With die you won't be able to access the content of the different stages of the image. To do so you will need to **decompress each layer and access it**.\
|
|||
|
You can decompress all the layers from an image from the directory where the image was decompressed executing:
|
|||
|
|
|||
|
```bash
|
|||
|
tar -xf image.tar
|
|||
|
for d in `find * -maxdepth 0 -type d`; do cd $d; tar -xf ./layer.tar; cd ..; done
|
|||
|
```
|
|||
|
|
|||
|
## Credentials from memory
|
|||
|
|
|||
|
Note that when you run a docker container inside a host **you can see the processes running on the container from the host** just running `ps -ef`
|
|||
|
|
|||
|
Therefore (as root) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-hardening/privilege-escalation/#process-memory).
|
|||
|
|
|||
|
<figure><img src="/.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
|||
|
|
|||
|
Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
|
|||
|
|
|||
|
{% embed url="https://academy.8ksec.io/" %}
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|