Monday, February 11, 2019

Gorsair - Docker API Penetration Testing Tool

Gorsair is a penetration testing tool for discovering and remotely accessing Docker APIs from vulnerable Docker containers. Once it has access to the Docker daemon, you can use Gorsair to directly execute commands on remote containers.

Gorsair hacks its way into remote docker containers that expose their APIs.




Exposing the Docker API on the internet is a tremendous risk: it lets malicious agents get information on all of the other containers, the images and the system, and potentially gain privileged access to the whole system if the image uses the root user.


Install

From a release

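Set the following variables:
  • GORSAIR_VERSION to whatever release you are interested in
  • OS to your operating system (linux, windows or darwin)
  • ARCH to your architecture (amd64, arm, or ppc64le)
Then run the following commands to install gorsair. The -L flag follows the redirect that GitHub release downloads return, and the braces keep the shell from reading $OS_ as a single variable name.
curl -L "https://github.com/Ullaakut/Gorsair/releases/download/$GORSAIR_VERSION/gorsair_${OS}_${ARCH}" --output /usr/local/bin/gorsair
chmod +x /usr/local/bin/gorsair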

From the sources

  • Make sure that you have a Go version that supports modules (versions 1.11 and above)
  • Make sure that your environment contains the GO111MODULE variable set to on
  • Run go build -o /usr/local/bin/gorsair cmd/*.go from the root of this repository

Command line options

  • -t, --targets: Set targets according to the nmap target format. Required. Example: --targets="192.168.1.72,192.168.1.74"
  • -p, --ports: (Default: 2375,2376) Set custom ports.
  • -s, --speed: (Default: 4) Set custom nmap discovery presets to improve speed or accuracy. It's recommended to lower it if you are scanning an unstable and slow network, or to increase it on a very performant and reliable network. You might also want to keep it low to keep your discovery stealthy. See the nmap documentation for more info on the timing templates.
  • -v, --verbose: Enable more verbose logs.
  • -D, --decoys: List of decoy IP addresses to use (see the decoy section of the nmap documentation)
  • -e, --interface: Network interface to use
  • --proxies: List of HTTP/SOCKS4 proxies to relay connections through (see documentation)
  • -S, --spoof-ip: IP address to use for IP spoofing
  • --spoof-mac: MAC address to use for MAC spoofing
  • -h, --help: Display the usage information

How can I protect my containers from this attack?

  • Avoid putting containers that have access to the docker socket on the internet
  • Avoid using the root account in docker containers
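
The two checks above can be run against the JSON that `docker inspect` prints. The following is an added example, not code from the original post or from the Gorsair project: the function names are hypothetical, the sample data is constructed, and "published on a non-loopback host address" is assumed as a stand-in for "reachable from the internet".

```python
import json

DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ci-agent", "Config": {"User": ""},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock"}],
     "NetworkSettings": {"Ports": {
         "8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"},
                      {"HostIp": "::", "HostPort": "8080"}]}}},
    {"Name": "/web", "Config": {"User": "1000:1000"}, "Mounts": [],
     "NetworkSettings": {"Ports": {
         "80/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8081"}],
         "9000/tcp": None}}},  # exposed by the image but not published
])


def runs_as_root(container):
    # Empty Config.User: no user was set by the image or at run time, so the
    # process runs as uid 0. "0" and "root" may carry a ":group" suffix.
    user = (container.get("Config") or {}).get("User") or ""
    return user.split(":")[0] in ("", "0", "root")


def mounts_docker_socket(container):
    return any(m.get("Source") in DOCKER_SOCKETS
               for m in container.get("Mounts") or [])


def published_ports(container):
    # Container ports bound on the host to a non-loopback address.
    ports = (container.get("NetworkSettings") or {}).get("Ports") or {}
    return sorted({port for port, binds in ports.items()
                   for b in binds or [] if b.get("HostIp") not in LOOPBACK})


def audit(inspect_json):
    findings = {}
    for c in json.loads(inspect_json):
        issues, exposed = [], published_ports(c)
        if mounts_docker_socket(c) and exposed:
            issues.append("docker socket mounted, published: " + ", ".join(exposed))
        if runs_as_root(c):
            issues.append("runs as root")
        if issues:
            findings[c.get("Name", "?").lstrip("/")] = issues
    return findings
```

To audit a host, pass `audit()` the output of `docker inspect` for the running containers instead of `SAMPLE_INSPECT`.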
Ref Link: https://github.com/Ullaakut/Gorsair
