Full Report
Years ago I learnt docker basics because I just couldn’t get that $ruby_tool to install. The bits of progress I’d make usually left my host’s ruby install in shambles. With docker though, I had quick reproducible build & run environments I could clean up easily without leaving a mess behind. The more I used docker, the more I’ve come to love it, and today it’s become a natural part of my daily workflow. It’s not without its flaws though, so in this post I want to show you an experiment of mine where I tried to write a docker pwn tool manager. A “docker-compose for hackers” if you will, called dwn (/don/). You can find it here: https://github.com/sensepost/dwn.
Analysis Summary
# Tool/Technique: dwn (/don/) - Docker Pwn Tool Manager
## Overview
`dwn` is a custom, experimental tool designed to act as a "docker-compose for hackers." It is intended to simplify the management (building, running, configuration mapping) of various penetration testing and security tools packaged within Docker containers, providing quick, reproducible environments that can be easily cleaned up.
## Technical Details
- Type: Tool
- Platform: Linux/macOS (relies on Docker and Docker Python SDK)
- Capabilities: Dynamic port mapping/remap for running containers, context-aware volume mounts, simplified configuration management via YAML "plans."
- First Seen: Published February 08, 2021
## MITRE ATT&CK Mapping
The tool itself is designed to facilitate the execution of offensive tradecraft, rather than being malware. Its usage maps broadly to the following tactics:
- **TA0002 - Execution** (by running security tools within containers)
  - T1059 - Command and Scripting Interpreter (leveraging Docker commands implicitly)
- **TA0005 - Defense Evasion** (by standardizing tool execution via containers)
  - T1564.003 - VM or Container - Use Containerization (the use of Docker)
## Functionality
### Core Capabilities
- **Simplified Configuration:** Uses YAML-formatted "plans" (analogous to `docker-compose.yml` but simpler) to define the image, version, and interaction mode for tools.
- **Dynamic Port Mapping:** Allows for adding or changing port mappings *after* a container has been launched, overcoming a limitation of standard Docker commands (achieved via an attached `socat` container).
- **Context-Aware Volume Mounts:** Automatically mounts the current working directory (`.`) into the container at a specified path (e.g., `/src` or `/data`).
- **Artifact Persistence:** For tools that use dot directories (like `sqlmap` or `CrackMapExec`), artifacts are written back to the current host directory, ensuring persistent, isolated working environments.
- **Wrapper for Docker:** Leverages the Docker Python SDK to provide a lightweight wrapper around standard Docker operations.
### Advanced Features
- **Dynamic Port Remapping via `socat`:** When a port remap is needed for a running container, `dwn` spins up a temporary, lightweight `socat` container attached to the same network. This `socat` container binds the new external port and forwards traffic to the original container's internal port.
- **Toggling TTY:** Supports setting `tty: True` in the plan to allow interactive shell sessions (e.g., for Metasploit).
- **Built-in and Custom Plans:** Ships with built-in plans (e.g., for `nginx`, `metasploitframework/metasploit-framework`, `semgrep-sec`) and allows users to create custom plans defined in `~/.dwn/plans`.
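The plan-to-container mapping and the `socat` port remap described in the two lists above, as an added example written here (not dwn's own code) against the Docker Python SDK's `containers.run()` argument format. The plan keys, the `dwn` network name and the `alpine/socat` image are assumptions; the functions are pure, so they run without a Docker daemon.

```python
"""Sketch of two dwn-style mechanisms: plan -> docker-py run kwargs, and a
socat sidecar that remaps a port on an already running container.
Plan keys, the 'dwn' network name and the alpine/socat image are assumed."""
import os
from typing import Any, Dict


def plan_to_run_kwargs(plan: Dict[str, Any], cwd: str) -> Dict[str, Any]:
    """Translate an assumed YAML plan (loaded into a dict) into the keyword
    arguments docker-py's client.containers.run() expects."""
    image = plan["image"]
    if plan.get("version"):
        image = f"{image}:{plan['version']}"
    # Context-aware mounts: a host path of '.' resolves to the caller's cwd,
    # so tool artifacts (dot directories etc.) land in the project directory.
    volumes = {}
    for host_path, container_path in plan.get("volumes", {}).items():
        src = cwd if host_path == "." else os.path.abspath(host_path)
        volumes[src] = {"bind": container_path, "mode": "rw"}
    # Plan ports are assumed to be {host_port: container_port} as in
    # docker-compose; docker-py wants {"container/tcp": host_port}.
    ports = {f"{c}/tcp": int(h) for h, c in plan.get("ports", {}).items()}
    tty = bool(plan.get("tty", False))
    return {
        "image": image,
        "volumes": volumes,
        "ports": ports,
        "tty": tty,            # interactive session (e.g. Metasploit console)
        "stdin_open": tty,
        "detach": not tty,     # non-interactive tools run in the background
        "network": plan.get("network", "dwn"),  # assumed shared network
    }


def socat_sidecar_kwargs(target: str, internal_port: int, new_host_port: int,
                         network: str = "dwn") -> Dict[str, Any]:
    """Helper container for a post-launch remap: publishes new_host_port on
    the host and forwards it over the shared Docker network to
    target:internal_port, so the original container is never restarted."""
    return {
        "image": "alpine/socat",  # assumed image; any image with socat works
        "command": [f"TCP-LISTEN:{internal_port},fork,reuseaddr",
                    f"TCP:{target}:{internal_port}"],
        "ports": {f"{internal_port}/tcp": new_host_port},
        "network": network,       # same network so 'target' resolves by name
        "detach": True,
        "auto_remove": True,      # ephemeral: removed as soon as it stops
        "name": f"dwn-socat-{target}-{new_host_port}",
    }
```

Passing either dict to `client.containers.run(**kwargs)` launches the tool or the helper; stopping the sidecar removes the extra port without touching the tool container.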
## Indicators of Compromise
*Note: As `dwn` is an offensive/utility tool and not malware, standard IOCs like specific malicious hashes are not applicable unless a threat actor specifically modified or distributed a malicious version.*
- File Hashes: N/A (Tool source code only)
- File Names: `dwn` (executable/script)
- Registry Keys: N/A
- Network Indicators: N/A (the tool connects to the local Docker daemon; tool-specific network activity depends on the containers being run.)
- Behavioral Indicators: Execution of Docker commands (e.g., `docker run`, `docker network create`) initiated by the `dwn` script to manage ephemeral helper containers (like the `socat` container) for port manipulation.
## Associated Threat Actors
This tool was developed by SensePost for internal/security research workflow enhancement. It is not explicitly associated with known threat actor groups in the provided context.
## Detection Methods
Detection focuses on the execution of the tool itself or the unusual container management patterns employed by it.
- Signature-based detection: detecting the Python executable or script named `dwn`.
- Behavioral detection: monitoring for legitimate helper tools (like `socat`) being launched by a generic wrapper script to change container networking, in particular new port exposure added to already running services.
- YARA rules: N/A
## Mitigation Strategies
Mitigation focuses on controlling the execution of unauthorized or potentially risky container management tooling.
- Prevention measures: Restrict physical or endpoint access to tools that manage Docker environments.
- Hardening recommendations: Implement Docker daemon security measures (e.g., configuring access control, running containers with reduced privileges) to limit the impact of misused container tools.
## Related Tools/Techniques
- **docker-compose:** Provides the conceptual basis for `dwn`, though `dwn` aims to be more dynamic for pentesting needs.
- **Docker:** The underlying virtualization and containerization technology.
- **socat:** Used internally by `dwn` to achieve dynamic port remapping on running containers.
- **Metasploit Framework:** A tool often packaged and run using `dwn`.
- **CrackMapExec/sqlmap:** Tools whose artifact management is specifically improved by `dwn`'s context-aware volume mapping.