# Containers and VMs

## Introduction

Nowadays, applications commonly run inside virtualised environments such as containers or Virtual Machines (VMs). In this section, you will learn some techniques to identify which type of environment you are in.

## Container

There are several ways to detect that you are inside a Docker container.

### Hostname

If the machine's hostname looks random, it could be a sign that you are inside a Docker container.

```bash
$ cat /etc/hostname 
3fd33d6abec6
```

### .dockerenv

Another indicator is the existence of the `.dockerenv` file in the root directory (`/`).

```bash
www-data@3fd33d6abec6:$ ls -la /
[...]
-rwxr-xr-x   1 root root      0 Aug  2 09:27 .dockerenv
[...]
```

### Processes

When enumerating the processes in a normal environment, the first process (PID 1) will always be "init".

```bash
user@xubuntu:~$ ps -eaf | head -n 2
UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 18:29 ?        00:00:00 /sbin/init splash
```

However, in a container there is no init process; instead, the first process is the `sh` command that started the container, as you can see below.

```bash
www-data@3fd33d6abec6:/n$ ps aux | head -n 2
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.0   4632   812 pts/0    Ss   09:27   0:00 /bin/sh -c /etc/init.d/apache2 start && /etc/init.d/mysql start && /bin/bash
```

An alternative is to read the control group of PID 1: on a regular host it is `/init.scope`, whereas inside a container it is just `/`.

```bash
# Regular host
kali@kali:~$ cat /proc/1/cgroup
0::/init.scope

# Docker container
root@6cc9fc13945a:/data# cat /proc/1/cgroup
0::/
```
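
The container indicators above combined into one check, as an added example that is not part of the original guide. The root-prefix argument, the indicator names and reading `/proc/1/comm` instead of parsing `ps` are assumptions of this example; the cgroup test also matches the `/docker/` paths of cgroup v1 hosts, which goes beyond the cgroup v2 output shown above.

```bash
#!/bin/sh
# Added example: the page's container indicators as one reusable check.
# Assumption: an optional root prefix ($1) so the checks can run against a
# mounted image or a constructed test tree instead of the live system.

# Docker's default hostname is the 12-hex-character short container ID.
hostname_looks_like_container_id() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{12}$'
}

# Print one line per indicator that matched (names are this example's own).
container_indicators() {
    root=${1:-}

    # /.dockerenv exists at the filesystem root
    if [ -e "$root/.dockerenv" ]; then echo dockerenv; fi

    # The hostname looks like a short container ID
    if [ -r "$root/etc/hostname" ] &&
       hostname_looks_like_container_id "$(cat "$root/etc/hostname")"; then
        echo hostname
    fi

    # PID 1 is not an init system (/proc/1/comm holds its command name)
    if [ -r "$root/proc/1/comm" ]; then
        case "$(cat "$root/proc/1/comm")" in
            init|systemd) ;;
            *) echo pid1 ;;
        esac
    fi

    # cgroup v2: host PID 1 sits in /init.scope, a container shows "0::/".
    # cgroup v1 (beyond the page's output): paths contain /docker/.
    if [ -r "$root/proc/1/cgroup" ] &&
       grep -Eq '^0::/$|/docker/' "$root/proc/1/cgroup"; then
        echo cgroup
    fi
}

# Report on the live system, or on the tree given as the first argument.
container_indicators "${1:-}"
```

No single indicator is conclusive on its own; the more lines the function prints, the stronger the case that the system is a container.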

### Tools

An attacker could use the tool [deepce](https://github.com/stealthcopter/deepce) not only to enumerate from inside a Docker container but also to look for privilege escalation and container escape vectors.

## Virtual Machines

### Windows

On Windows systems, the quickest way to detect whether you are inside a virtual machine is to check the system model, which will show "VMware Virtual Platform" or "VirtualBox".

```bat
systeminfo | findstr /i model
```

Another alternative is to list the programs installed on the Windows system and look for VirtualBox or VMware tools.

```bat
wmic /OUTPUT:software.txt product get name
```

### Linux

On Linux, you can check if you are inside a VM by printing the kernel ring buffer.

```bash
dmesg | grep -i hypervisor
Hypervisor detected: KVM
```

As on Windows, you can look for the binaries `VBoxClient` and `vmware-toolbox-cmd`.


