Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 02. Containers / Container Enumeration

Tools

Container tools speed up enumeration and validation.

Use tools to find leads, then verify the exact precondition manually.


deepce

deepce enumerates Docker/container escape opportunities from inside a container.

Use it to check:

  • Container markers
  • Capabilities
  • Mounts
  • Docker socket
  • Privileged mode clues
  • Common breakout paths

Typical workflow:

chmod +x deepce.sh
./deepce.sh

Review findings manually before acting.


CDK

CDK is a container security testing toolkit for Docker, containerd, and Kubernetes.

Use it for:

  • Container enumeration
  • Capability checks
  • Runtime socket checks
  • Kubernetes service account checks
  • Known escape checks

Typical workflow:

chmod +x cdk
./cdk evaluate

CDK can also run more active checks. Keep lab and authorization boundaries clear.

For this chapter, CDK and deepce are used as accelerators. The student still has to name the primitive:

Docker socket
Docker API
host mount
dangerous capability
host namespace
Kubernetes API permission
kernel/runtime candidate

amicontained

amicontained summarizes container isolation:

  • Capabilities
  • Seccomp
  • AppArmor
  • Namespaces
  • Privileged hints

Useful when deciding whether a container is unusually permissive.


linpeas

linpeas is broad Linux enumeration. It is useful inside containers because it can still find:

  • Mounted secrets
  • Capabilities
  • Writable paths
  • Docker sockets
  • Kernel information
  • Interesting files

Treat it as broad triage.


Docker CLI

If Docker CLI is available and the daemon is reachable:

docker version
docker info
docker ps
docker images
docker inspect CONTAINER

High-value inspect fields:

docker inspect --format '{{ .HostConfig.Privileged }}' CONTAINER
docker inspect --format '{{ json .Mounts }}' CONTAINER
docker inspect --format '{{ .HostConfig.PidMode }}' CONTAINER
docker inspect --format '{{ .HostConfig.NetworkMode }}' CONTAINER
docker inspect --format '{{ json .HostConfig.CapAdd }}' CONTAINER

curl

Use curl when Docker CLI is missing but the socket/API is reachable.

Unix socket:

curl --unix-socket /var/run/docker.sock http://localhost/version
curl --unix-socket /var/run/docker.sock http://localhost/containers/json

TCP API:

curl http://TARGET:2375/version
curl http://TARGET:2375/containers/json

crictl, ctr, nerdctl

Docker may not be present. Hosts may use containerd or CRI-O.

Check:

which crictl
which ctr
which nerdctl
ls -la /run/containerd/containerd.sock
ls -la /var/run/crio/crio.sock

These tools can interact with lower-level runtimes when sockets and permissions allow it.


Kubernetes Tools

If Kubernetes clues exist:

ls -la /var/run/secrets/kubernetes.io/serviceaccount
env | grep -i kubernetes

Tools:

kubectl
kubectl auth can-i
kubectl-who-can
kdigger
kube-hunter
peirates

Kubernetes is its own topic, but the key first step from a container is service account permission enumeration.


Tooling Rule

Tool output is a lead.

Proof requires naming the exact condition:

socket is writable
host path is mounted writable
CAP_SYS_ADMIN is present
host PID namespace is shared
service account can create pods