0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity
hacktricks/forensics/basic-forensic-methodology/docker-forensics.md

152 lines
6.3 KiB
Markdown
Raw Normal View History

Ad hacktricks sponsoring
2022-04-28 18:01:33 +02:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
fix mess
2022-05-01 14:41:36 +02:00
# Container modification
GitBook: [master] 3 pages modified
2021-01-03 12:59:52 +01:00
There are suspicions that some docker container was compromised:
```bash
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cc03e43a052a lamp-wordpress "./run.sh" 2 minutes ago Up 2 minutes 80/tcp wordpress
```
You can easily **find the modifications done to this container respecting to the image** with:
```bash
docker diff wordpress
C /var
C /var/lib
C /var/lib/mysql
A /var/lib/mysql/ib_logfile0
A /var/lib/mysql/ib_logfile1
A /var/lib/mysql/ibdata1
A /var/lib/mysql/mysql
A /var/lib/mysql/mysql/time_zone_leap_second.MYI
A /var/lib/mysql/mysql/general_log.CSV
...
```
GitBook: [#2876] save
2021-11-30 17:46:07 +01:00
In the previous command **C** means **Changed** and **A,** **Added**.\
GitBook: [master] 3 pages modified
2021-01-03 12:59:52 +01:00
If you find that some interesting file like `/etc/shadow` was modified you can download it from the container to check for malicious activity with:
```bash
docker cp wordpress:/etc/shadow .
```
You can also **compare it with the original one** running a new container and extracting the file from it:
```bash
docker run -d lamp-wordpress
docker cp b5d53e8b468e:/etc/shadow original_shadow #Get the file from the newly created container
diff original_shadow shadow
```
If you find that **some suspicious file was added** you can access the container and check it:
```bash
docker exec -it wordpress bash
```
fix mess
2022-05-01 14:41:36 +02:00
# Images modifications
GitBook: [master] 3 pages modified
2021-01-03 12:59:52 +01:00
GitBook: [#2777] gitbookissooooo slow I cannot write
2021-10-18 13:21:18 +02:00
When you are given an exported docker image (probably in `.tar` format) you can use [**container-diff**](https://github.com/GoogleContainerTools/container-diff/releases) to **extract a summary of the modifications**:
GitBook: [master] 3 pages modified
2021-01-03 12:59:52 +01:00
```bash
GitBook: [master] 2 pages modified
2021-01-03 13:04:12 +01:00
docker save <image> > image.tar #Export the image to a .tar file
GitBook: [master] one page modified
2021-09-27 01:02:14 +02:00
container-diff analyze -t sizelayer image.tar
GitBook: [master] 3 pages modified
2021-01-03 12:59:52 +01:00
container-diff analyze -t history image.tar
GitBook: [master] one page modified
2021-09-27 01:02:14 +02:00
container-diff analyze -t metadata image.tar
GitBook: [master] 3 pages modified
2021-01-03 12:59:52 +01:00
```
GitBook: [#2876] save
2021-11-30 17:46:07 +01:00
Then, you can **decompress** the image and **access the blobs** to search for suspicious files you may have found in the changes history:
GitBook: [master] 3 pages modified
2021-01-03 12:59:52 +01:00
```bash
tar -xf image.tar
```
fix mess
2022-05-01 14:41:36 +02:00
## Basic Analysis
GitBook: [#2926] No subject
2021-12-29 13:26:06 +01:00
You can get **basic information** from the image running:
```bash
docker inspect <image>
```
You can also get a summary **history of changes** with:
```bash
docker history --no-trunc <image>
```
You can also generate a **dockerfile from an image** with:
```bash
alias dfimage="docker run -v /var/run/docker.sock:/var/run/docker.sock --rm alpine/dfimage"
dfimage -sV=1.36 madhuakula/k8s-goat-hidden-in-layers>
```
fix mess
2022-05-01 14:41:36 +02:00
## Dive
GitBook: [#2926] No subject
2021-12-29 13:26:06 +01:00
remove ****
2022-01-31 15:51:03 +01:00
In order to find added/modified files in docker images you can also use the [**dive**](https://github.com/wagoodman/dive) (download it from [**releases**](https://github.com/wagoodman/dive/releases/tag/v0.10.0)) utility:
GitBook: [master] 423 pages and one asset modified
2021-01-04 12:12:31 +01:00
GitBook: [master] one page modified
2021-09-27 01:02:14 +02:00
```bash
#First you need to load the image in your docker repo
sudo docker load < image.tar 1
Loaded image: flask:latest
#And then open it with dive:
sudo dive flask:latest
```
GitBook: [master] 423 pages and one asset modified
2021-01-04 12:12:31 +01:00
GitBook: [#2876] save
2021-11-30 17:46:07 +01:00
This allow you to **navigate through the different blobs of docker images** and check which files were modified/added. **Red** means added and **yellow** means modified. Use **tab** to move to the other view and **space** to to collapse/open folders.
GitBook: [master] 423 pages and one asset modified
2021-01-04 12:12:31 +01:00
GitBook: [#2777] gitbookissooooo slow I cannot write
2021-10-18 13:21:18 +02:00
With die you won't be able to access the content of the different stages of the image. To do so you will need to **decompress each layer and access it**.\
GitBook: [master] one page modified
2021-09-27 01:02:14 +02:00
You can decompress all the layers from an image from the directory where the image was decompressed executing:
```bash
tar -xf image.tar
for d in `find * -maxdepth 0 -type d`; do cd $d; tar -xf ./layer.tar; cd ..; done
```
fix mess
2022-05-01 14:41:36 +02:00
# Credentials from memory
GitBook: [master] 3 pages modified
2021-01-03 12:59:52 +01:00
Note that when you run a docker container inside a host **you can see the processes running on the container from the host** just running `ps -ef`
GitBook: [#2876] save
2021-11-30 17:46:07 +01:00
Therefore (as root) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-unix/privilege-escalation/#process-memory).
Ad hacktricks sponsoring
2022-04-28 18:01:33 +02:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>