Container tools speed up enumeration and validation.
Use tools to find leads, then verify the exact precondition manually.
deepce
deepce enumerates Docker/container escape opportunities from inside a container.
Use it to check:
- Container markers
- Capabilities
- Mounts
- Docker socket
- Privileged mode clues
- Common breakout paths
Typical workflow:
chmod +x deepce.sh
./deepce.sh
Review findings manually before acting.
CDK
CDK is a container security testing toolkit for Docker, containerd, and Kubernetes.
Use it for:
- Container enumeration
- Capability checks
- Runtime socket checks
- Kubernetes service account checks
- Known escape checks
Typical workflow:
chmod +x cdk
./cdk evaluate
CDK can also run more active checks. Keep lab and authorization boundaries clear.
For this chapter, CDK and deepce are used as accelerators. The student still has to name the primitive:
Docker socket
Docker API
host mount
dangerous capability
host namespace
Kubernetes API permission
kernel/runtime candidate
amicontained
amicontained summarizes container isolation:
- Capabilities
- Seccomp
- AppArmor
- Namespaces
- Privileged hints
Useful when deciding whether a container is unusually permissive.
linpeas
linpeas is broad Linux enumeration. It is useful inside containers because it can still find:
- Mounted secrets
- Capabilities
- Writable paths
- Docker sockets
- Kernel information
- Interesting files
Treat it as broad triage.
Docker CLI
If Docker CLI is available and the daemon is reachable:
docker version
docker info
docker ps
docker images
docker inspect CONTAINER
High-value inspect fields:
docker inspect --format '{{ .HostConfig.Privileged }}' CONTAINER
docker inspect --format '{{ json .Mounts }}' CONTAINER
docker inspect --format '{{ .HostConfig.PidMode }}' CONTAINER
docker inspect --format '{{ .HostConfig.NetworkMode }}' CONTAINER
docker inspect --format '{{ json .HostConfig.CapAdd }}' CONTAINER
curl
Use curl when Docker CLI is missing but the socket/API is reachable.
Unix socket:
curl --unix-socket /var/run/docker.sock http://localhost/version
curl --unix-socket /var/run/docker.sock http://localhost/containers/json
TCP API:
curl http://TARGET:2375/version
curl http://TARGET:2375/containers/json
crictl, ctr, nerdctl
Docker may not be present. Hosts may use containerd or CRI-O.
Check:
which crictl
which ctr
which nerdctl
ls -la /run/containerd/containerd.sock
ls -la /var/run/crio/crio.sock
These tools can interact with lower-level runtimes when sockets and permissions allow it.
Kubernetes Tools
If Kubernetes clues exist:
ls -la /var/run/secrets/kubernetes.io/serviceaccount
env | grep -i kubernetes
Tools:
kubectl
kubectl auth can-i
kubectl-who-can
kdigger
kube-hunter
peirates
Kubernetes is its own topic, but the key first step from a container is service account permission enumeration.
Tooling Rule
Tool output is a lead.
Proof requires naming the exact condition:
socket is writable
host path is mounted writable
CAP_SYS_ADMIN is present
host PID namespace is shared
service account can create pods