Containers and VMs

Introduction

Nowadays, it is pretty common that applications are being executed inside virtualised environments like containers or Virtual Machines (VMs). In this section, you will learn some techniques to know which type of environment you are in.

Container

There are several ways to detect that you are inside a docker container.

Hostname

If the machine's hostname seems pretty random, it could be a sign that you are inside a docker container.

$ cat /etc/hostname 
3fd33d6abec6

.dockerenv

The existence of the .dockerenv file in the / path.

www-data@3fd33d6abec6:$ ls -la /
[...]
-rwxr-xr-x   1 root root      0 Aug  2 09:27 .dockerenv
[...]

Processes

Enumerating the process in a normal environment the first process will always be "init".

However, on a container, there is no init process instead the first process is executing the sh command as you can see below.

An alternative would be executing the following command.

Tools

An attacker could use the tool deepce not only to enumerate inside a docker container but for privilege escalation and container escapes vectors.

Virtual Machines

Windows

For Windows systems the quickest way to detect if you are inside a virtual machine is through the windows model, obtaining "VMware Virtual Platform" or "VirtualBox".

Another alternative will be to list the installed programs on the Windows system, looking for Vbox or Vmware tools.

Linux

On Linux, you can check if you are inside a VM by printing the kernel ring buffer.

As on Windows, you can look for the binaries VBoxClient and vmware-toolbox-cmd.