CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/linux/gather/enum_containers.rb
Views: 11702
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::File

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'Linux Container Enumeration',

14
        'Description' => %q{

15
          This module attempts to enumerate containers on the target machine and optionally run a command on each active container found.

16
          Currently it supports Docker, LXC and RKT.

17
        },

18
        'License' => MSF_LICENSE,

19
        'Author' => ['stealthcopter'],

20
        'Platform' => ['linux'],

21
        'SessionTypes' => ['shell', 'meterpreter'],

22
        'Notes' => {

23
          'Stability' => [CRASH_SAFE],

24
          'SideEffects' => [IOC_IN_LOGS],

25
          'Reliability' => []

26
        }

27
      )

28
    )

29
    register_options(

30
      [

31
        OptString.new('CMD', [false, 'Optional command to run on each running container', ''])

32
      ]

33
    )

34
  end

35


36
  def cmd

37
    datastore['CMD']

38
  end

39


40
  # Check if a container program is installed and usable by current user

41
  def runnable(container_type)

42
    case container_type

43
    when 'docker'

44
      command = 'docker >/dev/null 2>&1 && echo true'

45
    when 'lxc'

46
      command = 'lxc >/dev/null 2>&1 && echo true'

47
    when 'rkt'

48
      # Apparently rkt doesn't play nice with 2>&1 for most commands, though `rkt help`

49
      # seems to be fine so this is why its used here vs just 'rkt'

50
      command = 'rkt help >/dev/null 2>&1 && echo true'

51
    else

52
      print_error("Invalid container type #{container_type}")

53
      return false

54
    end

55
    cmd_exec(command) =~ /true$/

56
  end

57


58
  # Count the number of currently running containers

59
  def count_containers(container_type, count_inactive: true)

60
    case container_type

61
    when 'docker'

62
      command = if count_inactive

63
                  'docker container ls --format "{{.Names}}" | wc -l'

64
                else

65
                  'docker container ls -a --format "{{.Names}}" | wc -l'

66
                end

67
    when 'lxc'

68
      command = if count_inactive

69
                  'lxc list -c n --format csv | wc -l'

70
                else

71
                  'lxc list -c n,s --format csv | grep ,RUNNING | wc -l'

72
                end

73
    when 'rkt'

74
      command = if count_inactive

75
                  'rkt list | tail -n +2 | wc -l'

76
                else

77
                  'rkt list | tail -n +2 | grep running | wc -l'

78
                end

79
    else

80
      print_error("Invalid container type '#{container_type}'")

81
      return 0

82
    end

83


84
    result = cmd_exec(command)

85
    if result =~ /denied/

86
      print_error("Was unable to enumerate the number of #{container_type} containers due to a lack of permissions!")

87
      return 0

88
    else

89
      result.to_i

90
    end

91
  end

92


93
  # List containers

94
  def list_containers(container_type)

95
    case container_type

96
    when 'docker'

97
      result = cmd_exec('docker container ls -a')

98
    when 'lxc'

99
      # LXC does some awful table formatting, lets try and fix it to be more uniform

100
      result = cmd_exec('lxc list').each_line.reject { |st| st =~ /^\+--/ }.map.with_index.map do |s, i|

101
        if i == 0

102
          s.split('| ').map { |t| t.strip.ljust(t.size, ' ').gsub(/\|/, '') }.join + "\n"

103
        else

104
          s.gsub(/\| /, '').gsub(/\|/, '')

105
        end

106
      end.join.strip

107
    when 'rkt'

108
      result = cmd_exec('rkt list')

109
    else

110
      print_error("Invalid container type '#{container_type}'")

111
      return nil

112
    end

113
    result

114
  end

115


116
  # List running containers identifiers

117
  def list_running_containers_id(container_type)

118
    case container_type

119
    when 'docker'

120
      command = 'docker container ls --format "{{.Names}}"'

121
    when 'lxc'

122
      command = 'lxc list -c n,s --format csv 2>/dev/null | grep ,RUNNING|cut -d, -f1'

123
    when 'rkt'

124
      command = 'rkt list | tail -n +2 | cut -f1'

125
    else

126
      print_error("Invalid container type '#{container_type}'")

127
      return nil

128
    end

129
    cmd_exec(command).each_line.map(&:strip)

130
  end

131


132
  # Execute a command on a container

133
  def container_execute(container_type, container_identifier, command)

134
    case container_type

135
    when 'docker'

136
      command = "docker exec '#{container_identifier}' #{command}"

137
    when 'lxc'

138
      command = "lxc exec '#{container_identifier}' -- #{command}"

139
    when 'rkt'

140
      print_error("RKT containers do not support command execution\nUse the command \"rkt enter '#{container_identifier}'\" to manually enumerate this container")

141
      return nil

142
    else

143
      print_error("Invalid container type '#{container_type}'")

144
      return nil

145
    end

146
    vprint_status("Running #{command}")

147
    cmd_exec(command)

148
  end

149


150
  # Run Method for when run command is issued

151
  def run

152
    platforms = %w[docker lxc rkt].select { |p| runnable(p) }

153


154
    if platforms.empty?

155
      print_error('No container software appears to be installed or runnable by the current user')

156
      return

157
    end

158


159
    platforms.each do |platform|

160
      print_good("#{platform} was found on the system!")

161
      num_containers = count_containers(platform, count_inactive: false)

162


163
      if num_containers == 0

164
        print_error("No active or inactive containers were found for #{platform}\n")

165
      else

166
        num_running_containers = count_containers(platform, count_inactive: true)

167
        print_good("#{platform}: #{num_running_containers} Running Containers / #{num_containers} Total")

168
      end

169


170
      next unless num_containers > 0

171


172
      containers = list_containers(platform)

173
      next if containers.nil?

174


175
      # Using print so not to mess up table formatting

176
      print_line(containers.to_s)

177


178
      p = store_loot("host.#{platform}_containers", 'text/plain', session, containers, "#{platform}_containers.txt", "#{platform} Containers")

179
      print_good("Results stored in: #{p}\n")

180


181
      next if cmd.blank?

182


183
      running_container_ids = list_running_containers_id(platform)

184
      next if running_container_ids.nil?

185


186
      running_container_ids.each do |container_id|

187
        print_status("Executing command on #{platform} container #{container_id}")

188
        command_result = container_execute(platform, container_id, cmd)

189
        next if command_result.nil?

190


191
        print_good(command_result)

192
        p = store_loot("host.#{platform}_command_results", 'text/plain', session, command_result, "#{platform}_containers_command_results.txt", "#{platform} Containers Command Results")

193
        print_good("Command execution results stored in: #{p}\n")

194
      end

195
    end

196
  end

197
end

198


199