GitBook: [master] 3 pages modified

2023-12-14 19:12:55 +01:00 · 2021-01-03 11:59:52 +00:00 · 2021-01-03 11:59:52 +00:00 · 03c979eb55
parent 4fc08d65b8
commit 03c979eb55
3 changed files with 103 additions and 0 deletions
--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -402,6 +402,7 @@
  * [Wireshark tricks](forensics/pcaps-analysis/wireshark-tricks.md)
 * [Volatility - CheatSheet](forensics/volatility-examples.md)
 * [Basic Forensics \(ESP\)](forensics/basic-forensics-esp/README.md)
+  * [Docker Forensics](forensics/basic-forensics-esp/docker-forensics.md)
  * [Browser Artifacts](forensics/basic-forensics-esp/browser-artifacts.md)
  * [Linux Forensics](forensics/basic-forensics-esp/linux-forensics.md)
  * [USB logs analysis](forensics/basic-forensics-esp/usb-logs-analysis.md)
--- a/forensics/basic-forensics-esp/docker-forensics.md
+++ b/forensics/basic-forensics-esp/docker-forensics.md
@ -0,0 +1,69 @@
+# Docker Forensics
+
+## Container modification
+
+There are suspicions that some docker container was compromised:
+
+```bash
+docker ps
+CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
+cc03e43a052a        lamp-wordpress      "./run.sh"          2 minutes ago       Up 2 minutes        80/tcp              wordpress
+```
+
+You can easily **find the modifications done to this container respecting to the image** with:
+
+```bash
+docker diff wordpress
+C /var
+C /var/lib
+C /var/lib/mysql
+A /var/lib/mysql/ib_logfile0
+A /var/lib/mysql/ib_logfile1
+A /var/lib/mysql/ibdata1
+A /var/lib/mysql/mysql
+A /var/lib/mysql/mysql/time_zone_leap_second.MYI
+A /var/lib/mysql/mysql/general_log.CSV
+...
+```
+
+In the previous command **C** means **Changed** and **A,** **Added**.  
+If you find that some interesting file like `/etc/shadow` was modified you can download it from the container to check for malicious activity with:
+
+```bash
+docker cp wordpress:/etc/shadow .
+```
+
+You can also **compare it with the original one** running a new container and extracting the file from it:
+
+```bash
+docker run -d lamp-wordpress
+docker cp b5d53e8b468e:/etc/shadow original_shadow #Get the file from the newly created container
+diff original_shadow shadow
+```
+
+If you find that **some suspicious file was added** you can access the container and check it:
+
+```bash
+docker exec -it wordpress bash
+```
+
+## Images modifications
+
+When you are given an exported docker image \(probably in `.tar` format\) you can use the following command to **extract the modifications**:
+
+```bash
+container-diff analyze -t history image.tar
+```
+
+Then, you can **decompress** the image and **access the blobs** to search for suspicious files you may have found in the changes history:
+
+```bash
+tar -xf image.tar
+```
+
+## Credentials from memory
+
+Note that when you run a docker container inside a host **you can see the processes running on the container from the host** just running `ps -ef`
+
+Therefore \(as root\) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-unix/privilege-escalation/#process-memory).
+
--- a/linux-unix/privilege-escalation/README.md
+++ b/linux-unix/privilege-escalation/README.md
@ -227,6 +227,21 @@ gdb -p <FTP_PROCESS_PID>
 strings /tmp/mem_ftp #User and password
 ```

+#### GDB Script
+
+{% code title="dump-memory.sh" %}
+```bash
+#!/bin/bash
+#./dump-memory.sh <PID>
+grep rw-p /proc/$1/maps \
+    | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' \
+    | while read start stop; do \
+    gdb --batch --pid $1 -ex \
+    "dump memory $1-$start-$stop.dump 0x$start 0x$stop"; \
+done
+```
+{% endcode %}
+
 #### /proc/$pid/maps &  /proc/$pid/mem

 For a given process ID, **maps shows how memory is mapped within that processes'** virtual address space; it also shows the **permissions of each mapped region**. The **mem** pseudo file **exposes the processes memory itself**. From the **maps** file we know which **memory regions are readable** and their offsets. We use this information to **seek into the mem file and dump all readable regions** to a file.
@ -262,6 +277,24 @@ To dump a process memory you could use:

 ### Credentials from Process Memory

+#### Manual example
+
+If you find that the authenticator process is running:
+
+```bash
+ps -ef | grep "authenticator"
+root      2027  2025  0 11:46 ?        00:00:00 authenticator
+```
+
+You can dump the process \(see before sections to find different ways to dump the memory of a process\) and search for credentials inside the memory:
+
+```bash
+./dump-memory.sh 2027
+strings *.dump | grep -i password
+```
+
+#### mimipenguin
+
 The tool [**https://github.com/huntergregal/mimipenguin**](https://github.com/huntergregal/mimipenguin) will **steal clear text credentials from memory** and from some **well known files**. It requires root privileges to work properly.

 | Feature | Process Name |