Hunting for Insecure Docker Registries

Developer teams love Docker and everything around containers, so there are a lot of tools and projects that help use it efficiently.

Docker Registry is one of them: it is a storage service for Docker images. If you have used Docker, you know that an image contains your application, in other words your code (first of all I’m talking about web applications; Docker is used for PHP, Java and Python web apps). So, if you have access to the images in a Registry, you have access to the source code.

Okay, someone deployed a Registry for private usage and stored their images in it. Where is the problem?

If the administrator didn’t read the documentation properly, Docker Registry will be deployed without authentication. Everyone who knows about your Registry can access your images and your code. It’s a good attack vector with a serious impact: disclosure of source code.

I wanted to find Docker Registries on the Internet and check their authentication mechanism. But how?

Searching for port 5000 alone is not efficient, because some people deploy it on other ports. Let’s deploy our own instance and look for fingerprints.

Example of connection to a local instance

Docker Registry’s fingerprint is the Docker-Distribution-Api-Version response header. I used this fingerprint for an initial search with Shodan. I have a Developer account in Shodan, so I used the Shodan API.

Registry HTTP API method description

Okay, it’s time to write a simple script that will do those things:
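The script itself did not survive on this page. As an added example (my own code, not the author’s script), here is the part of such a check that a registry owner would want to run against their own instance: it requests /v2/, uses the Docker-Distribution-Api-Version header as the fingerprint, treats 200 as “open” and 401 as “auth required”, and, only for an open instance, reads the repository list from /v2/_catalog. The base URL (http://localhost:5000, the default port mentioned above), the User-Agent string and the page size of 100 are my assumptions; the endpoint names follow the public Registry HTTP API v2.

```python
"""Audit a Docker Registry for missing authentication.

Added example, not the original article's script. Assumes the Registry
HTTP API v2: GET /v2/ carries the Docker-Distribution-Api-Version header
and answers 200 without auth or 401 (with WWW-Authenticate) when auth is on.
"""
import json
import urllib.error
import urllib.request

FINGERPRINT_HEADER = "docker-distribution-api-version"


def classify(status, headers):
    """Classify a response to GET /v2/.

    headers is any mapping of header name -> value; lookup is case-insensitive.
    Returns one of: "not-a-registry", "open", "auth-required", "unknown".
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if FINGERPRINT_HEADER not in lowered:
        return "not-a-registry"
    if status == 200:
        return "open"          # anonymous access to the API: misconfigured
    if status == 401:
        return "auth-required"  # token/basic auth is enforced
    return "unknown"


def parse_catalog(body):
    """Parse the JSON body of GET /v2/_catalog into a list of repository names."""
    data = json.loads(body)
    repos = data.get("repositories", [])
    if not isinstance(repos, list) or not all(isinstance(r, str) for r in repos):
        raise ValueError("unexpected _catalog shape")
    return repos


def fetch(url, timeout=5):
    """GET url and return (status, headers dict, body).

    4xx/5xx answers are returned, not raised, because 401 is a valid verdict.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "registry-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items()), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read().decode(errors="replace")


def audit(base_url, page_size=100):
    """Return (verdict, repositories) for one registry base URL.

    Repositories are listed only when the instance is open, so the audit
    stays read-only and stops as soon as auth is seen to be enforced.
    """
    base = base_url.rstrip("/")
    status, headers, _ = fetch(base + "/v2/")
    verdict = classify(status, headers)
    repos = []
    if verdict == "open":
        s, _, body = fetch(f"{base}/v2/_catalog?n={page_size}")
        if s == 200:
            repos = parse_catalog(body)
    return verdict, repos


if __name__ == "__main__":
    # Assumed target: your own local test instance on the default port.
    verdict, repos = audit("http://localhost:5000")
    print("verdict:", verdict)
    for name in repos:
        print("  repo:", name)
```

Run it against a registry you operate: an “open” verdict with a non-empty repository list is exactly the misconfiguration described above, and the fix is to put token or basic authentication (or a reverse proxy that enforces it) in front of the instance.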

I scanned the hosts from the Shodan query’s results and got something. If you want some statistics (even if you don’t 😀), here they are:

We found 94 open Docker Registries. The next step is to research what repositories these Registries contain.

Many of them contain repositories that were not interesting to me:

But something was interesting… 🤔

Give me more source code of apps!

Now we can download some of the images with applications and get the code:

Now we have an image and can inspect it. Let’s run it and inspect the filesystem:

Manifest of one of the apps

I notified the owners of the Registries about my findings. Some paid a bounty, others ignored me but closed their Registries without any thanks 🤨

Bounty earned

So, Registry hunting was time well spent 😉 Thanks for reading!
