modules/post/linux/gather/enum_containers.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linux Container Enumeration',
        'Description' => %q{
          This module attempts to enumerate containers on the target machine and optionally run a command on each active container found.
          Currently it supports Docker, LXC and RKT.
        },
        'License' => MSF_LICENSE,
        'Author' => ['stealthcopter'],
        'Platform' => ['linux'],
        'SessionTypes' => ['shell', 'meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )
    register_options(
      [
        OptString.new('CMD', [false, 'Optional command to run on each running container', ''])
      ]
    )
  end

  def cmd
    datastore['CMD']
  end

  # Check if a container program is installed and usable by current user
  def runnable(container_type)
    case container_type
    when 'docker'
      command = 'docker >/dev/null 2>&1 && echo true'
    when 'lxc'
      command = 'lxc >/dev/null 2>&1 && echo true'
    when 'rkt'
      # Apparently rkt doesn't play nice with 2>&1 for most commands, though `rkt help`
      # seems to be fine so this is why its used here vs just 'rkt'
      command = 'rkt help >/dev/null 2>&1 && echo true'
    else
      print_error("Invalid container type #{container_type}")
      return false
    end
    cmd_exec(command) =~ /true$/
  end

  # Count the number of currently running containers
  def count_containers(container_type, count_inactive: true)
    case container_type
    when 'docker'
      command = if count_inactive
                  'docker container ls --format "{{.Names}}" | wc -l'
                else
                  'docker container ls -a --format "{{.Names}}" | wc -l'
                end
    when 'lxc'
      command = if count_inactive
                  'lxc list -c n --format csv | wc -l'
                else
                  'lxc list -c n,s --format csv | grep ,RUNNING | wc -l'
                end
    when 'rkt'
      command = if count_inactive
                  'rkt list | tail -n +2 | wc -l'
                else
                  'rkt list | tail -n +2 | grep running | wc -l'
                end
    else
      print_error("Invalid container type '#{container_type}'")
      return 0
    end

    result = cmd_exec(command)
    if result =~ /denied/
      print_error("Was unable to enumerate the number of #{container_type} containers due to a lack of permissions!")
      return 0
    else
      result.to_i
    end
  end

  # List containers
  def list_containers(container_type)
    case container_type
    when 'docker'
      result = cmd_exec('docker container ls -a')
    when 'lxc'
      # LXC does some awful table formatting, lets try and fix it to be more uniform
      result = cmd_exec('lxc list').each_line.reject { |st| st =~ /^\+--/ }.map.with_index.map do |s, i|
        if i == 0
          s.split('| ').map { |t| t.strip.ljust(t.size, ' ').gsub(/\|/, '') }.join + "\n"
        else
          s.gsub(/\| /, '').gsub(/\|/, '')
        end
      end.join.strip
    when 'rkt'
      result = cmd_exec('rkt list')
    else
      print_error("Invalid container type '#{container_type}'")
      return nil
    end
    result
  end

  # List running containers identifiers
  def list_running_containers_id(container_type)
    case container_type
    when 'docker'
      command = 'docker container ls --format "{{.Names}}"'
    when 'lxc'
      command = 'lxc list -c n,s --format csv 2>/dev/null | grep ,RUNNING|cut -d, -f1'
    when 'rkt'
      command = 'rkt list | tail -n +2 | cut -f1'
    else
      print_error("Invalid container type '#{container_type}'")
      return nil
    end
    cmd_exec(command).each_line.map(&:strip)
  end

  # Execute a command on a container
  def container_execute(container_type, container_identifier, command)
    case container_type
    when 'docker'
      command = "docker exec '#{container_identifier}' #{command}"
    when 'lxc'
      command = "lxc exec '#{container_identifier}' -- #{command}"
    when 'rkt'
      print_error("RKT containers do not support command execution\nUse the command \"rkt enter '#{container_identifier}'\" to manually enumerate this container")
      return nil
    else
      print_error("Invalid container type '#{container_type}'")
      return nil
    end
    vprint_status("Running #{command}")
    cmd_exec(command)
  end

  # Run Method for when run command is issued
  def run
    platforms = %w[docker lxc rkt].select { |p| runnable(p) }

    if platforms.empty?
      print_error('No container software appears to be installed or runnable by the current user')
      return
    end

    platforms.each do |platform|
      print_good("#{platform} was found on the system!")
      num_containers = count_containers(platform, count_inactive: false)

      if num_containers == 0
        print_error("No active or inactive containers were found for #{platform}\n")
      else
        num_running_containers = count_containers(platform, count_inactive: true)
        print_good("#{platform}: #{num_running_containers} Running Containers / #{num_containers} Total")
      end

      next unless num_containers > 0

      containers = list_containers(platform)
      next if containers.nil?

      # Using print so not to mess up table formatting
      print_line(containers.to_s)

      p = store_loot("host.#{platform}_containers", 'text/plain', session, containers, "#{platform}_containers.txt", "#{platform} Containers")
      print_good("Results stored in: #{p}\n")

      next if cmd.blank?

      running_container_ids = list_running_containers_id(platform)
      next if running_container_ids.nil?

      running_container_ids.each do |container_id|
        print_status("Executing command on #{platform} container #{container_id}")
        command_result = container_execute(platform, container_id, cmd)
        next if command_result.nil?

        print_good(command_result)
        p = store_loot("host.#{platform}_command_results", 'text/plain', session, command_result, "#{platform}_containers_command_results.txt", "#{platform} Containers Command Results")
        print_good("Command execution results stored in: #{p}\n")
      end
    end
  end
end
Added enum containers module 2020-07-13 11:22:16 +01:00			`##`
			`# This module requires Metasploit: https://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`class MetasploitModule < Msf::Post`
			`include Msf::Post::File`

			`def initialize(info = {})`
Linted and added better message when no containers found 2020-07-25 12:29:37 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Linux Container Enumeration',`
			`'Description' => %q{`
Add further corrections from review and update calls to count_containers so we properly print out the actual number of running containers and the number of total containers (logic was correct but order was backwards)) 2020-08-05 18:59:24 -05:00			`This module attempts to enumerate containers on the target machine and optionally run a command on each active container found.`
			`Currently it supports Docker, LXC and RKT.`
Linted and added better message when no containers found 2020-07-25 12:29:37 +01:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => ['stealthcopter'],`
			`'Platform' => ['linux'],`
Add missing module notes for stability reliability and side effects 2023-02-03 18:12:53 +00:00			`'SessionTypes' => ['shell', 'meterpreter'],`
			`'Notes' => {`
			`'Stability' => [CRASH_SAFE],`
			`'SideEffects' => [IOC_IN_LOGS],`
			`'Reliability' => []`
			`}`
Linted and added better message when no containers found 2020-07-25 12:29:37 +01:00			`)`
			`)`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`register_options(`
Linted and added better message when no containers found 2020-07-25 12:29:37 +01:00			`[`
			`OptString.new('CMD', [false, 'Optional command to run on each running container', ''])`
			`]`
			`)`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`end`

			`def cmd`
			`datastore['CMD']`
Added enum containers module 2020-07-13 11:22:16 +01:00			`end`

			`# Check if a container program is installed and usable by current user`
			`def runnable(container_type)`
			`case container_type`
			`when 'docker'`
Update 'runnable' command so that it can enumerate if container software is installed on the host even if the user isn't the 'root' user. 2020-08-05 16:38:39 -05:00			`command = 'docker >/dev/null 2>&1 && echo true'`
Added enum containers module 2020-07-13 11:22:16 +01:00			`when 'lxc'`
Update 'runnable' command so that it can enumerate if container software is installed on the host even if the user isn't the 'root' user. 2020-08-05 16:38:39 -05:00			`command = 'lxc >/dev/null 2>&1 && echo true'`
Added enum containers module 2020-07-13 11:22:16 +01:00			`when 'rkt'`
More RuboCop fixes... 2020-08-05 21:14:24 -05:00			# Apparently rkt doesn't play nice with 2>&1 for most commands, though `rkt help`
Add further corrections from review and update calls to count_containers so we properly print out the actual number of running containers and the number of total containers (logic was correct but order was backwards)) 2020-08-05 18:59:24 -05:00			`# seems to be fine so this is why its used here vs just 'rkt'`
			`command = 'rkt help >/dev/null 2>&1 && echo true'`
Added enum containers module 2020-07-13 11:22:16 +01:00			`else`
			`print_error("Invalid container type #{container_type}")`
			`return false`
			`end`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`cmd_exec(command) =~ /true$/`
Added enum containers module 2020-07-13 11:22:16 +01:00			`end`

			`# Count the number of currently running containers`
Rubocop recently landed modules continued 2021-02-24 20:24:57 +00:00			`def count_containers(container_type, count_inactive: true)`
Added enum containers module 2020-07-13 11:22:16 +01:00			`case container_type`
			`when 'docker'`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`command = if count_inactive`
Reorder some logic, replace some print_good statements with print_error, and generally make code changes to ensure that we print out if a container system exists on a target, but if we don't have permissions to list what its running that we alert the user of this and print a properly highlighted message that informs them of this, without storing information into any loot files 2020-08-05 17:46:18 -05:00			`'docker container ls --format "{{.Names}}" \| wc -l'`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`else`
Reorder some logic, replace some print_good statements with print_error, and generally make code changes to ensure that we print out if a container system exists on a target, but if we don't have permissions to list what its running that we alert the user of this and print a properly highlighted message that informs them of this, without storing information into any loot files 2020-08-05 17:46:18 -05:00			`'docker container ls -a --format "{{.Names}}" \| wc -l'`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`end`
Added enum containers module 2020-07-13 11:22:16 +01:00			`when 'lxc'`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`command = if count_inactive`
Reorder some logic, replace some print_good statements with print_error, and generally make code changes to ensure that we print out if a container system exists on a target, but if we don't have permissions to list what its running that we alert the user of this and print a properly highlighted message that informs them of this, without storing information into any loot files 2020-08-05 17:46:18 -05:00			`'lxc list -c n --format csv \| wc -l'`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`else`
Reorder some logic, replace some print_good statements with print_error, and generally make code changes to ensure that we print out if a container system exists on a target, but if we don't have permissions to list what its running that we alert the user of this and print a properly highlighted message that informs them of this, without storing information into any loot files 2020-08-05 17:46:18 -05:00			`'lxc list -c n,s --format csv \| grep ,RUNNING \| wc -l'`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`end`
Added enum containers module 2020-07-13 11:22:16 +01:00			`when 'rkt'`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`command = if count_inactive`
Reorder some logic, replace some print_good statements with print_error, and generally make code changes to ensure that we print out if a container system exists on a target, but if we don't have permissions to list what its running that we alert the user of this and print a properly highlighted message that informs them of this, without storing information into any loot files 2020-08-05 17:46:18 -05:00			`'rkt list \| tail -n +2 \| wc -l'`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`else`
Fix up code to appropriately handle cases where container_execute, list_running_containers_id, and list_containers might fail due to an invalid container type 2020-08-05 19:40:22 -05:00			`'rkt list \| tail -n +2 \| grep running \| wc -l'`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`end`
Added enum containers module 2020-07-13 11:22:16 +01:00			`else`
			`print_error("Invalid container type '#{container_type}'")`
			`return 0`
			`end`
Reorder some logic, replace some print_good statements with print_error, and generally make code changes to ensure that we print out if a container system exists on a target, but if we don't have permissions to list what its running that we alert the user of this and print a properly highlighted message that informs them of this, without storing information into any loot files 2020-08-05 17:46:18 -05:00
			`result = cmd_exec(command)`
			`if result =~ /denied/`
			`print_error("Was unable to enumerate the number of #{container_type} containers due to a lack of permissions!")`
			`return 0`
			`else`
			`result.to_i`
			`end`
Added enum containers module 2020-07-13 11:22:16 +01:00			`end`

Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`# List containers`
Added enum containers module 2020-07-13 11:22:16 +01:00			`def list_containers(container_type)`
			`case container_type`
			`when 'docker'`
Added loot and lxc table formatting 2020-07-30 16:52:41 +01:00			`result = cmd_exec('docker container ls -a')`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`when 'lxc'`
Added loot and lxc table formatting 2020-07-30 16:52:41 +01:00			`# LXC does some awful table formatting, lets try and fix it to be more uniform`
			`result = cmd_exec('lxc list').each_line.reject { \|st\| st =~ /^\+--/ }.map.with_index.map do \|s, i\|`
			`if i == 0`
			`s.split('\| ').map { \|t\| t.strip.ljust(t.size, ' ').gsub(/\\|/, '') }.join + "\n"`
			`else`
			`s.gsub(/\\| /, '').gsub(/\\|/, '')`
			`end`
			`end.join.strip`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`when 'rkt'`
Added loot and lxc table formatting 2020-07-30 16:52:41 +01:00			`result = cmd_exec('rkt list')`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`else`
			`print_error("Invalid container type '#{container_type}'")`
Fix up code to appropriately handle cases where container_execute, list_running_containers_id, and list_containers might fail due to an invalid container type 2020-08-05 19:40:22 -05:00			`return nil`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`end`
Added loot and lxc table formatting 2020-07-30 16:52:41 +01:00			`result`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`end`

			`# List running containers identifiers`
			`def list_running_containers_id(container_type)`
			`case container_type`
			`when 'docker'`
			`command = 'docker container ls --format "{{.Names}}"'`
			`when 'lxc'`
			`command = 'lxc list -c n,s --format csv 2>/dev/null \| grep ,RUNNING\|cut -d, -f1'`
			`when 'rkt'`
Fix up code to appropriately handle cases where container_execute, list_running_containers_id, and list_containers might fail due to an invalid container type 2020-08-05 19:40:22 -05:00			`command = 'rkt list \| tail -n +2 \| cut -f1'`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`else`
			`print_error("Invalid container type '#{container_type}'")`
Fix up code to appropriately handle cases where container_execute, list_running_containers_id, and list_containers might fail due to an invalid container type 2020-08-05 19:40:22 -05:00			`return nil`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`end`
			`cmd_exec(command).each_line.map(&:strip)`
			`end`

			`# Execute a command on a container`
Given that the current code skips the command execution part if a command is not supplied, there is no need to supply a default command. 2020-08-05 20:18:10 -05:00			`def container_execute(container_type, container_identifier, command)`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`case container_type`
			`when 'docker'`
			`command = "docker exec '#{container_identifier}' #{command}"`
Added enum containers module 2020-07-13 11:22:16 +01:00			`when 'lxc'`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`command = "lxc exec '#{container_identifier}' -- #{command}"`
Added enum containers module 2020-07-13 11:22:16 +01:00			`when 'rkt'`
Add in support so that if a command is specified, we store its results for the host in the loot. 2020-08-05 20:47:06 -05:00			`print_error("RKT containers do not support command execution\nUse the command \"rkt enter '#{container_identifier}'\" to manually enumerate this container")`
			`return nil`
Added enum containers module 2020-07-13 11:22:16 +01:00			`else`
			`print_error("Invalid container type '#{container_type}'")`
Fix up code to appropriately handle cases where container_execute, list_running_containers_id, and list_containers might fail due to an invalid container type 2020-08-05 19:40:22 -05:00			`return nil`
Added enum containers module 2020-07-13 11:22:16 +01:00			`end`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`vprint_status("Running #{command}")`
			`cmd_exec(command)`
Added enum containers module 2020-07-13 11:22:16 +01:00			`end`

			`# Run Method for when run command is issued`
			`def run`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`platforms = %w[docker lxc rkt].select { \|p\| runnable(p) }`
Added enum containers module 2020-07-13 11:22:16 +01:00
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`if platforms.empty?`
			`print_error('No container software appears to be installed or runnable by the current user')`
			`return`
Added enum containers module 2020-07-13 11:22:16 +01:00			`end`

Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`platforms.each do \|platform\|`
Reorder some logic, replace some print_good statements with print_error, and generally make code changes to ensure that we print out if a container system exists on a target, but if we don't have permissions to list what its running that we alert the user of this and print a properly highlighted message that informs them of this, without storing information into any loot files 2020-08-05 17:46:18 -05:00			`print_good("#{platform} was found on the system!")`
Rubocop recently landed modules continued 2021-02-24 20:24:57 +00:00			`num_containers = count_containers(platform, count_inactive: false)`
Linted and added better message when no containers found 2020-07-25 12:29:37 +01:00
			`if num_containers == 0`
Reorder some logic, replace some print_good statements with print_error, and generally make code changes to ensure that we print out if a container system exists on a target, but if we don't have permissions to list what its running that we alert the user of this and print a properly highlighted message that informs them of this, without storing information into any loot files 2020-08-05 17:46:18 -05:00			`print_error("No active or inactive containers were found for #{platform}\n")`
Linted and added better message when no containers found 2020-07-25 12:29:37 +01:00			`else`
Rubocop recently landed modules continued 2021-02-24 20:24:57 +00:00			`num_running_containers = count_containers(platform, count_inactive: true)`
Linted and added better message when no containers found 2020-07-25 12:29:37 +01:00			`print_good("#{platform}: #{num_running_containers} Running Containers / #{num_containers} Total")`
			`end`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00
Reorder some logic, replace some print_good statements with print_error, and generally make code changes to ensure that we print out if a container system exists on a target, but if we don't have permissions to list what its running that we alert the user of this and print a properly highlighted message that informs them of this, without storing information into any loot files 2020-08-05 17:46:18 -05:00			`next unless num_containers > 0`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00
			`containers = list_containers(platform)`
Fix up code to appropriately handle cases where container_execute, list_running_containers_id, and list_containers might fail due to an invalid container type 2020-08-05 19:40:22 -05:00			`next if containers.nil?`

Added loot and lxc table formatting 2020-07-30 16:52:41 +01:00			`# Using print so not to mess up table formatting`
Apply RuboCop updates to the module. 2020-08-05 18:01:14 -05:00			`print_line(containers.to_s)`
Added loot and lxc table formatting 2020-07-30 16:52:41 +01:00
			`p = store_loot("host.#{platform}_containers", 'text/plain', session, containers, "#{platform}_containers.txt", "#{platform} Containers")`
			`print_good("Results stored in: #{p}\n")`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00
			`next if cmd.blank?`

			`running_container_ids = list_running_containers_id(platform)`
Fix up code to appropriately handle cases where container_execute, list_running_containers_id, and list_containers might fail due to an invalid container type 2020-08-05 19:40:22 -05:00			`next if running_container_ids.nil?`
rubocop changes 2020-08-06 09:31:17 +01:00
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`running_container_ids.each do \|container_id\|`
			`print_status("Executing command on #{platform} container #{container_id}")`
Fix up code to appropriately handle cases where container_execute, list_running_containers_id, and list_containers might fail due to an invalid container type 2020-08-05 19:40:22 -05:00			`command_result = container_execute(platform, container_id, cmd)`
rubocop changes 2020-08-06 09:31:17 +01:00			`next if command_result.nil?`

			`print_good(command_result)`
			`p = store_loot("host.#{platform}_command_results", 'text/plain', session, command_result, "#{platform}_containers_command_results.txt", "#{platform} Containers Command Results")`
			`print_good("Command execution results stored in: #{p}\n")`
Review changes and added optional CMD arg 2020-07-18 12:11:35 +01:00			`end`
Added enum containers module 2020-07-13 11:22:16 +01:00			`end`
			`end`
			`end`