Containers and VMs

Introduction

Nowadays, it is pretty common that applications are being executed inside virtualised environments like containers or Virtual Machines (VMs). In this section, you will learn some techniques to know which type of environment you are in.

Container

There are several ways to detect that you are inside a docker container.

Hostname

If the machine's hostname seems pretty random, it could be a sign that you are inside a docker container.

$ cat /etc/hostname 
3fd33d6abec6

.dockerenv

The existence of the .dockerenv file in the / path.

www-data@3fd33d6abec6:$ ls -la /
[...]
-rwxr-xr-x   1 root root      0 Aug  2 09:27 .dockerenv
[...]

Processes

Enumerating the process in a normal environment the first process will always be "init".

user@xubuntu:~$ ps -eaf | head -n 2
UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 18:29 ?        00:00:00 /sbin/init splash

However, on a container, there is no init process instead the first process is executing the sh command as you can see below.

www-data@3fd33d6abec6:/n$ ps -eaf | head -n 2
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.0   4632   812 pts/0    Ss   09:27   0:00 /bin/sh -c /etc/init.d/apache2 start && /etc/init.d/mysql start && /bin/bash

An alternative would be executing the following command.

kali@kali:~$ cat /proc/1/cgroup 
0::/init.scope
root@6cc9fc13945a:/data# cat /proc/1/cgroup
0::/

Tools

An attacker could use the tool not only to enumerate inside a docker container but for privilege escalation and container escapes vectors.

Virtual Machines

Windows

For Windows systems the quickest way to detect if you are inside a virtual machine is through the windows model, obtaining "VMware Virtual Platform" or "VirtualBox".

Systeminfo | findstr /i model

Another alternative will be to list the installed programs on the Windows system, looking for Vbox or Vmware tools.

wmic /OUTPUT:software.txt product get name

Linux

On Linux, you can check if you are inside a VM by printing the kernel ring buffer.

dmesg | grep -i hypervisor
Hypervisor detected: KVM

As on Windows, you can look for the binaries VBoxClient and vmware-toolbox-cmd.

Last updated 2 years ago