Docker for Pentesters: Part 1
As a penetration tester, you’re going to run into Docker. A lot. Whether it’s powering the web application you’re testing, hiding secrets in a containerized CI/CD pipeline, or quietly offering root access through a misconfigured socket — Docker is everywhere in modern infrastructure.
So before we exploit it, let’s understand it.
This post covers:
- What Docker is
- Why it’s used over traditional VMs
- How containers work under the hood
- Why they matter in a pentesting context
What is Docker?
Docker is a containerization platform. It allows developers to package applications — and everything they need to run — into isolated environments called containers.
Think of a Docker container like a mini virtual machine:
- It has its own filesystem, libraries, environment, and processes
- But it shares the host’s kernel
This makes containers extremely fast and lightweight.
Why Use Docker Instead of Virtual Machines?
| Feature | Virtual Machine | Docker Container |
|---|---|---|
| Startup time | Slow (30–90 seconds) | Fast (milliseconds) |
| Size | Gigabytes (full OS) | Megabytes (just app + deps) |
| Performance | Slower (hardware emulated) | Near-native speed |
| Resource usage | High (each VM has full OS) | Low (shared kernel) |
| Isolation level | Strong (hypervisor) | Medium (namespaces/cgroups) |
Summary:
Docker wins in speed, scalability, and efficiency. That’s why it’s a go-to tool for DevOps, developers, and cloud-native teams.
How Docker Works (Under the Hood)
Core Concepts
- Images: The blueprint (e.g.
ubuntu:18.04) - Containers: Running instances of images
- Dockerfile: A script used to build images
- Volumes: Used to persist or share data
- Docker daemon (
dockerd): Background service managing containers - Docker socket: Local UNIX socket used to interact with Docker (
/var/run/docker.sock)
Isolation Mechanisms
Docker containers use:
- Namespaces for process, network, and filesystem isolation
- Control Groups (cgroups) to limit resource usage
- Capabilities to fine-tune privileges (e.g.,
CAP_NET_ADMIN,CAP_SYS_ADMIN)
But here’s the catch: they all rely on the host kernel.
If you escape a container or abuse Docker incorrectly configured on the host, you’re playing with real privileges.
Real-World Docker Usage
Docker is used across almost every modern tech stack. Some common use cases:
- Web apps: Frontend/backend/API components running as containers
- CI/CD pipelines: Builds and tests run inside Docker containers
- Cloud services: Many platforms (like AWS ECS or GCP Cloud Run) run apps in Dockerized environments
- Dev environments: Developers use containers to avoid “works on my machine” problems
This means:
If you compromise a machine running Docker, and it’s misconfigured, you’re likely just one good command away from root.
Why Pentesters Should Care
Docker isn’t just a developer tool. For pentesters, it’s a wide-open door if handled poorly:
- If you’re in a container: try to escape
- If you find the Docker socket: try to abuse it
- If a user is in the
dockergroup: treat it as root access - If the app you’re testing is containerized: know where to look for volume mounts, secrets, and misconfigs
Docker is both an attack surface and a privilege escalation path — especially in CI pipelines, dev boxes, and cloud workloads.
Final Thoughts
Docker is fast, efficient, and everywhere. But with convenience comes risk — and that’s where you come in.
In Part 2, we’ll dive into Docker Recon & Enumeration. You’ll learn how to detect Docker, identify whether you’re in a container, and check for misconfigured access that can be escalated.
Next Up → Docker for Pentesters: Part 2 — Recon & Enumeration