Categories: Kali Linux

Terrier : A Image & Container Analysis Tool

Terrier is a Image and Container analysis tool that can be used to scan Images and Containers to identify and verify the presence of specific files according to their hashes.

A detailed writeup of Terrier can be found on the Heroku blog, https://blog.heroku.com/terrier-open-source-identifying-analyzing-containers.

Installation

  • Binaries
    • For installation instructions from binaries please visit the Releases Page.

Via Go

$ go get github.com/heroku/terrier

  • Building from source

Via go

$ go build
or
$ make all

Also Read – Nuclei : A Fast Tool For Configurable Targeted Scanning

Usage

$ ./terrier -h
Usage of ./terrier:
-cfg string
Load config from provided yaml file (default “cfg.yml”)

An OCI TAR of the image to be scanned is required, this is provided to Terrier via the “Image” value in the cfg.yml.

The following Docker command can be used to convert a Docker image to a TAR that can be scanned by Terrier.

#docker save imageid -o image.tar

$ ./terrier
[+] Loading config: cfg.yml
[+] Analysing Image
[+] Docker Image Source: image.tar
[*] Inspecting Layer: 05c3c2c60920f68b506d3c66e0f6148b81a8b0831388c2d61be5ef02190bcd1f
[!] All components were identified and verified: (493/493)

Example YML config

Terrier parses YAML, below is an example config.

  • THIS IS AN EXAMPLE CONFIG, MODIFY TO YOUR NEEDS
    • mode: image
      • image: image.tar
        • #mode: container
        • #path: merged
        • #verbose: true
        • #veryverbose: true
  • Files:
    • name: ‘/usr/bin/curl’ hashes:
      • hash: ‘2353cbb7b47d0782ba8cdd9c7438b053c982eaaea6fbef8620c31a58d1e276e8’
      • hash: ’22e88c7d6da9b73fbb515ed6a8f6d133c680527a799e3069ca7ce346d90649b2aaa’
      • hash: ‘9a43cb726fef31f272333b236ff1fde4beab363af54d0bc99c304450065d9c96’
      • hash: ‘8b7c559b8cccca0d30d01bc4b5dc944766208a53d18a03aa8afe97252207521faa’
    • name: ‘/usr/bin/go’ hashes:
      • hash: ‘2353cbb7b47d0782ba8cdd9c7438b053c982eaaea6fbef8620c31a58d1e276e8’
  • UNCOMMENT TO ANALYZE HASHES
    • hashes:
      • hash: ‘8b7c559b8cccca0d30d01bc4b5dc944766208a53d18a03aa8afe97252207521faa’
      • hash: ’22e88c7d6da9b73fbb515ed6a8f6d133c680527a799e3069ca7ce346d90649b2aa’
      • hash: ’60a2c86db4523e5d3eb41a247b4e7042a21d5c9d483d59053159d9ed50c8aa41aa’

What it do?

It is a CLI tool that allows you to:

  • Scan an OCI image for the presence of one or more files that match one or more provided SHA256 hashes
  • Scan a running Container for the presence of one or more files that match one or more provided SHA256 hashes

Usage

  • Example 1

Terrier is a CLI and makes use of YAML. An example YAML config:

In the example below, Terrier has being instructed via the YAML above to verify multiple files.

Terrier sets its return code depending on the result of the tests, in the case of the test above, the return code will be “0” which indicates a successful test as 1 instance of each provided component was identified and verified.

  • Example 2

Terrier is instructed to identify any files in the provided image that match the provided SHA256 hashes. YAML file cfg.yml

Running Terrier.

  • Example 3

Terrier is instructed to analyze and verify the contents of the container’s merged contents located at “merged” where merged is possibly located at /var/lib/docker/overlay2/..../merged . An example YAML file for this scenario might look like this:

Integrating with CI

Terrier has been designed to assist in the prevention of supply chain attacks. To utilise Terrier with CI’s such as Github actions or CircleCI, the following example configurations might be useful.

  • CircleCI Example

config.yml

  • Version: 2
    • jobs:
    • build:
      • machine: true
        • steps:
          • checkout
          • run:
            • name: Build Docker Image
            • command: |docker build -t builditall .
          • run:
            • name: Save Docker Image Locally
            • command: |docker save builditall -o builditall.tar
          • run:
            • name: Verify Docker Image Binaries
            • command: |./terrier_linux_amd64

Terrier cfg.yml

  • Mode:image
  • Image: builditall.tar
  • Files:
    • name: ‘/bin/wget’
      • hashes:
        • hash: ‘8b7c559b8cccca0d30d01bc4b5dc944766208a53d18a03aa8afe97252207521f’
        • hash: ’22e88c7d6da9b73fbb515ed6a8f6d133c680527a799e3069ca7ce346d90649b2a’
        • hash: ’60a2c86db4523e5d3eb41a247b4e7042a21d5c9d483d59053159d9ed50c8aa41a’
      • name: ‘/sbin/sulogin’
        • hashes:
          • hash: ‘9a43cb726fef31f272333b236ff1fde4beab363af54d0bc99c304450065d9c96aaa’
Download
R K

Share
Published by
R K
Tags: Container Analysis ToolImage Analysis ToolTerrier
4 years ago

Recent Posts

OSINTk.o – Kali Linux Based ISO For OSINT Investigations.

OSINTk.o is a customized Kali Linux-based ISO image with pre-installed packages and scripts. The idea…

1 day ago

Cify – A WiFi Hacking Tool : Streamlining WiFi Security Assessment And Penetration Testing

Cify is a Ruby-based WiFi hacking tool designed for penetration testers, security researchers, and network…

1 day ago

Cify – A WiFi Hacking Tool

Cify is a Ruby-based WiFi hacking tool designed for penetration testers, security researchers, and network…

2 days ago

VisionServices Multi-Tool : A Comprehensive Overview

Dive into the world of cyber security with our exploration of VisionServices Multi-Tool. Developed in…

2 days ago

MobileHackersWeapons – The Arsenal Of Mobile Hackers

A collection of cool tools used by Mobile hackers. Happy hacking , Happy bug-hunting. The…

2 days ago

GoHTools – Your Go-to Golang Hacking Suite

Dive into the world of cybersecurity with GoHTools, a comprehensive collection of hacking utilities crafted…

2 days ago