search
githubEdit

Docker Forensics

circle-check

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)arrow-up-right Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)arrow-up-right

chevron-rightSupport HackTrickshashtag

hashtag
Container modification

There are suspicions that some docker container was compromised:

docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
cc03e43a052a        lamp-wordpress      "./run.sh"          2 minutes ago       Up 2 minutes        80/tcp              wordpress

You can easily find the modifications done to this container with regards to the image with:

docker diff wordpress
C /var
C /var/lib
C /var/lib/mysql
A /var/lib/mysql/ib_logfile0
A /var/lib/mysql/ib_logfile1
A /var/lib/mysql/ibdata1
A /var/lib/mysql/mysql
A /var/lib/mysql/mysql/time_zone_leap_second.MYI
A /var/lib/mysql/mysql/general_log.CSV
...

In the previous command C means Changed and A, Added. If you find that some interesting file like /etc/shadow was modified you can download it from the container to check for malicious activity with:

You can also compare it with the original one running a new container and extracting the file from it:

If you find that some suspicious file was added you can access the container and check it:

hashtag
Images modifications

When you are given an exported docker image (probably in .tar format) you can use container-diffarrow-up-right to extract a summary of the modifications:

Then, you can decompress the image and access the blobs to search for suspicious files you may have found in the changes history:

hashtag
Basic Analysis

You can get basic information from the image running:

You can also get a summary history of changes with:

You can also generate a dockerfile from an image with:

hashtag
Dive

In order to find added/modified files in docker images you can also use the divearrow-up-right (download it from releasesarrow-up-right) utility:

This allows you to navigate through the different blobs of docker images and check which files were modified/added. Red means added and yellow means modified. Use tab to move to the other view and space to collapse/open folders.

With die you won't be able to access the content of the different stages of the image. To do so you will need to decompress each layer and access it. You can decompress all the layers from an image from the directory where the image was decompressed executing:

hashtag
Credentials from memory

Note that when you run a docker container inside a host you can see the processes running on the container from the host just running ps -ef

Therefore (as root) you can dump the memory of the processes from the host and search for credentials just like in the following example.

circle-check

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)arrow-up-right Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)arrow-up-right

chevron-rightSupport HackTrickshashtag
PreviousAnti-Forensic TechniquesNextImage Acquisition & Mount

Last updated