Containers and VMs
Introduction
Applications are now commonly executed inside virtualised environments such as containers or Virtual Machines (VMs). In this section, you will learn some techniques to identify which type of environment you are in.
Container
There are several ways to detect that you are inside a Docker container.
Hostname
If the machine's hostname seems pretty random, it could be a sign that you are inside a Docker container.
$ cat /etc/hostname
3fd33d6abec6
.dockerenv
The existence of the .dockerenv file in the / path is another sign.
www-data@3fd33d6abec6:$ ls -la /
[...]
-rwxr-xr-x 1 root root 0 Aug 2 09:27 .dockerenv
[...]
Processes
When enumerating the processes in a normal environment, the first process will always be "init".
user@xubuntu:~$ ps -eaf | head -n 2
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 18:29 ? 00:00:00 /sbin/init splash
However, in a container there is no init process; instead, the first process is executing the sh command, as you can see below.
www-data@3fd33d6abec6:/n$ ps aux | head -n 2
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 4632 812 pts/0 Ss 09:27 0:00 /bin/sh -c /etc/init.d/apache2 start && /etc/init.d/mysql start && /bin/bash
An alternative is to read the cgroup of PID 1. Below, the first command is run on a normal host and the second inside a container.
kali@kali:~$ cat /proc/1/cgroup
0::/init.scope
root@6cc9fc13945a:/data# cat /proc/1/cgroup
0::/
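The container checks above, combined into one script as an added example (not part of the original page). The ROOT argument and the function names are assumptions of this example, and /proc/1/comm is read in place of the ps output.

```shell
#!/bin/sh
# Added example: gather the container indicators described above.
# ROOT (hypothetical parameter) lets the checks run against a copied or
# constructed filesystem tree; leave it empty to inspect the live "/".
# Usage: container_indicators            (live system)
#        container_indicators /mnt/image (offline tree)

# Print one line per matching indicator; print nothing on a plain host.
container_indicators() {
    root="${1:-}"

    # Docker creates /.dockerenv at the root of the container.
    [ -e "$root/.dockerenv" ] && echo "dockerenv: $root/.dockerenv exists"

    # Random-looking hostname: 12 hex characters, the short container ID
    # Docker assigns by default (as in the sample 3fd33d6abec6).
    if [ -r "$root/etc/hostname" ]; then
        host=$(head -n 1 "$root/etc/hostname")
        if printf '%s\n' "$host" | grep -Eq '^[0-9a-f]{12}$'; then
            echo "hostname: $host looks like a container ID"
        fi
    fi

    # PID 1 on a normal host is an init system; in a container it is
    # usually the image's entrypoint (sh, bash, apache2, ...).
    if [ -r "$root/proc/1/comm" ]; then
        pid1=$(head -n 1 "$root/proc/1/comm")
        case "$pid1" in
            init|systemd) ;;
            *) echo "pid1: first process is $pid1, not init" ;;
        esac
    fi

    # Only the cgroup v2 form shown on this page is handled:
    # host -> 0::/init.scope, container -> 0::/
    if [ -r "$root/proc/1/cgroup" ] && grep -qx '0::/' "$root/proc/1/cgroup"; then
        echo "cgroup: PID 1 is in the root cgroup (0::/)"
    fi
    return 0
}

# Number of matching indicators (0 means no sign of a container).
container_score() {
    container_indicators "$1" | wc -l | tr -d ' '
}
```

No single indicator is conclusive (a container can run systemd as PID 1, and a host can have a hex-like hostname), so treat the score as a hint rather than a verdict.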
Tools
An attacker could use the tool deepce not only to enumerate from inside a Docker container but also to look for privilege escalation and container escape vectors.
Virtual Machines
Windows
For Windows systems, the quickest way to detect if you are inside a virtual machine is through the system model, which will show "VMware Virtual Platform" or "VirtualBox".
Systeminfo | findstr /i model
Another alternative is to list the programs installed on the Windows system, looking for VBox or VMware tools.
wmic /OUTPUT:software.txt product get name
Linux
On Linux, you can check if you are inside a VM by printing the kernel ring buffer.
dmesg | grep -i hypervisor
Hypervisor detected: KVM
As on Windows, you can look for the binaries VBoxClient and vmware-toolbox-cmd.