mirror of
https://github.com/carlospolop/hacktricks.git
synced 2023-12-14 19:12:55 +01:00
GitBook: [master] 3 pages modified
parent 4fc08d65b8
commit 03c979eb55
@ -402,6 +402,7 @@
* [Wireshark tricks](forensics/pcaps-analysis/wireshark-tricks.md)
* [Volatility - CheatSheet](forensics/volatility-examples.md)
* [Basic Forensics \(ESP\)](forensics/basic-forensics-esp/README.md)
* [Docker Forensics](forensics/basic-forensics-esp/docker-forensics.md)
* [Browser Artifacts](forensics/basic-forensics-esp/browser-artifacts.md)
* [Linux Forensics](forensics/basic-forensics-esp/linux-forensics.md)
* [USB logs analysis](forensics/basic-forensics-esp/usb-logs-analysis.md)
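Review bot: the new `Docker Forensics` entry points at `forensics/basic-forensics-esp/docker-forensics.md`, i.e. it is filed under `Basic Forensics \(ESP\)`, whose label marks a Spanish-language section, while the added page itself is written in English; either move the page next to the other English forensics pages (beside `forensics/volatility-examples.md`, for instance) or keep the directory and drop the `(ESP)` suffix so the summary does not mislabel it. Also confirm the link is indented one level under `Basic Forensics` like its siblings, since this rendered view flattens list indentation.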
69
forensics/basic-forensics-esp/docker-forensics.md
Normal file
@ -0,0 +1,69 @@
# Docker Forensics
## Container modification
There are suspicions that some docker container was compromised:
```bash
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cc03e43a052a lamp-wordpress "./run.sh" 2 minutes ago Up 2 minutes 80/tcp wordpress
```
You can easily **find the modifications done to this container respecting to the image** with:
```bash
docker diff wordpress
C /var
C /var/lib
C /var/lib/mysql
A /var/lib/mysql/ib_logfile0
A /var/lib/mysql/ib_logfile1
A /var/lib/mysql/ibdata1
A /var/lib/mysql/mysql
A /var/lib/mysql/mysql/time_zone_leap_second.MYI
A /var/lib/mysql/mysql/general_log.CSV
...
```
In the previous command **C** means **Changed** and **A,** **Added**.
If you find that some interesting file like `/etc/shadow` was modified you can download it from the container to check for malicious activity with:
```bash
docker cp wordpress:/etc/shadow .
```
You can also **compare it with the original one** running a new container and extracting the file from it:
```bash
docker run -d lamp-wordpress
docker cp b5d53e8b468e:/etc/shadow original_shadow #Get the file from the newly created container
diff original_shadow shadow
```
If you find that **some suspicious file was added** you can access the container and check it:
```bash
docker exec -it wordpress bash
```
## Images modifications
When you are given an exported docker image \(probably in `.tar` format\) you can use the following command to **extract the modifications**:
```bash
container-diff analyze -t history image.tar
```
Then, you can **decompress** the image and **access the blobs** to search for suspicious files you may have found in the changes history:
```bash
tar -xf image.tar
```
## Credentials from memory
Note that when you run a docker container inside a host **you can see the processes running on the container from the host** just running `ps -ef`
Therefore \(as root\) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-unix/privilege-escalation/#process-memory).
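Review bot: the container ID in `docker cp b5d53e8b468e:/etc/shadow original_shadow` is hard-coded and does not match anything the preceding `docker run -d lamp-wordpress` shows the reader, so the comparison fails as written for anyone following along; capture the ID instead, e.g. `ID=$(docker run -d lamp-wordpress)` followed by `docker cp "$ID":/etc/shadow original_shadow`, and remove the reference container afterwards. Two smaller points: the legend after `docker diff` explains only `C` and `A`, but the command also emits `D` for deleted paths, which matter just as much on a compromised container (removed logs, for instance); and `docker exec -it wordpress bash` into a suspect container changes its filesystem and process state, so suggest taking a `docker export` or `docker commit` snapshot first and noting that the shell session itself will appear in a later `docker diff`.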
@ -227,6 +227,21 @@ gdb -p <FTP_PROCESS_PID>
strings /tmp/mem_ftp #User and password
```
#### GDB Script
{% code title="dump-memory.sh" %}
```bash
#!/bin/bash
#./dump-memory.sh <PID>
grep rw-p /proc/$1/maps \
| sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' \
| while read start stop; do \
gdb --batch --pid $1 -ex \
"dump memory $1-$start-$stop.dump 0x$start 0x$stop"; \
done
```
{% endcode %}
#### /proc/$pid/maps & /proc/$pid/mem
For a given process ID, **maps shows how memory is mapped within that processes'** virtual address space; it also shows the **permissions of each mapped region**. The **mem** pseudo file **exposes the processes memory itself**. From the **maps** file we know which **memory regions are readable** and their offsets. We use this information to **seek into the mem file and dump all readable regions** to a file.
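Review bot: `dump-memory.sh` only dumps regions whose permissions match `rw-p`, yet the `/proc/$pid/maps` paragraph directly below says all readable regions are dumped; either match on the read bit (`grep -E '^[0-9a-f-]+ r' /proc/"$1"/maps`) or state in the prose that only private writable mappings (heap, stacks, data segments) are captured, which is where credentials usually live anyway. Also quote `$1`, reject a non-numeric argument before touching `/proc`, and drop the stray `\` after `do` (a backslash before a newline inside a `while ... do` body is harmless but misleading); since `gdb --batch --pid` attaches and detaches once per region, building a single invocation with one `-ex 'dump memory ...'` per region would finish far faster on processes with many mappings.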
@ -262,6 +277,24 @@ To dump a process memory you could use:
### Credentials from Process Memory
#### Manual example
If you find that the authenticator process is running:
```bash
ps -ef | grep "authenticator"
root 2027 2025 0 11:46 ? 00:00:00 authenticator
```
You can dump the process \(see before sections to find different ways to dump the memory of a process\) and search for credentials inside the memory:
```bash
./dump-memory.sh 2027
strings *.dump | grep -i password
```
#### mimipenguin
The tool [**https://github.com/huntergregal/mimipenguin**](https://github.com/huntergregal/mimipenguin) will **steal clear text credentials from memory** and from some **well known files**. It requires root privileges to work properly.
| Feature | Process Name |
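Review bot: `strings *.dump | grep -i password` globs every `.dump` file in the working directory, not only the ones `dump-memory.sh` just wrote for PID 2027; since the script names its output `<pid>-<start>-<stop>.dump`, use `strings 2027-*.dump` so leftovers from earlier dumps of other processes are not mixed into the result. Minor: `ps -ef | grep "authenticator"` also matches the grep process itself, `pgrep -af authenticator` avoids that. The `| Feature | Process Name |` table is cut off right after its header in this view; make sure the rendered page carries the separator row and the body rows.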