Check whether the OS is running in a 「virtual environment」

Background


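With the popularity of Docker, more and more websites deploy the environments they need in separate Docker containers to improve system security. After obtaining a webshell on a Linux system, it is hard to penetrate any deeper without effectively collecting information about the current environment. This article describes how to determine whether the current environment is inside a virtual container, as preparation for the next step of the penetration.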


Docker environment detection

Checking /proc/1/cgroup

If /proc/1/cgroup contains strings such as docker, the environment is probably a Docker container.


Inside a Docker environment:

root@55ff7ae5bdae:~# cat /proc/1/cgroup
14:name=systemd:/docker/55ff7ae5bdaedc0fdfc8b8b572e4c25172718f1800ae1f3354a70217e5eab82f
13:pids:/docker/55ff7ae5bdaedc0fdfc8b8b572e4c25172718f1800ae1f3354a70217e5eab82f
12:hugetlb:/docker/55ff7ae5bdaedc0fdfc8b8b572e4c25172718f1800ae1f3354a70217e5eab82f
11:net_prio:/docker/55ff7ae5bdaedc0fdfc8b8b572e4c25172718f1800ae1f3354a70217e5eab82f
10:perf_event:/docker/55ff7ae5bdaedc0fdfc8b8b572e4c25172718f1800ae1f3354a70217e5eab82f
9:net_cls:/docker/55ff7ae5bdaedc0fdfc8b8b572e4c25172718f1800ae1f3354a70217e5eab82f
8:freezer:/docker/55ff7ae5bdaedc0fdfc8b8b572e4c25172718f1800ae1f3354a70217e5eab82f
7:devices:/docker/55ff7ae5bdaedc0fdfc8b8b572e4c25172718f1800ae1f3354a70217e5eab82f
6:memory:/docker/55ff7ae5bdaedc0fdfc8b8b572e4c25172718f1800ae1f3354a70217e5eab82f
5:blkio:/docker/55ff7ae5bdaedc0fdfc8b8b572e4c25172718f1800ae1f3354a70217e5eab82f
4:cpuacct:/docker/55ff7ae5bdaedc0fdfc8b8b572e4c25172718f1800ae1f3354a70217e5eab82f
3:cpu:/docker/55ff7ae5bdaedc0fdfc8b8b572e4c25172718f1800ae1f3354a70217e5eab82f
2:cpuset:/docker/55ff7ae5bdaedc0fdfc8b8b572e4c25172718f1800ae1f3354a70217e5eab82f
1:name=openrc:/docker
root@55ff7ae5bdae:~#

In a real environment:

root@kali:~# cat /proc/1/cgroup
10:freezer:/
9:blkio:/
8:pids:/
7:net_cls,net_prio:/
6:perf_event:/
5:memory:/
4:cpuset:/
3:cpu,cpuacct:/
2:devices:/
1:name=systemd:/init.scope
0::/init.scope
root@kali:~#

Checking /.dockerenv

Check whether the file /.dockerenv exists; if it does, the environment is a Docker container.


Inside a Docker environment:

root@55ff7ae5bdae:~# ls -alt /.dockerenv
-rwxr-xr-x 1 root root 0 May  8 07:31 /.dockerenv
root@55ff7ae5bdae:~#

In a real environment:

root@kali:~# ls /.dockerenv
ls: 无法访问'/.dockerenv': 没有那个文件或目录
root@kali:~#

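Checking /proc/1/sched

The first line of /proc/1/sched shows the name and PID of process 1. In the Docker sample below, the name is not an init process and the PID shown is not 1:


Inside a Docker environment: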

root@55ff7ae5bdae:~# cat /proc/1/sched | head -n 1
startWebLogic.s (8212, #threads: 1)
root@55ff7ae5bdae:~#

In a real environment:

root@kali:~# cat /proc/1/sched | head -n 1
systemd (1, #threads: 1)
root@kali:~# 

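Judging by the startup process

In a typical real environment, the first process Linux starts is init or systemd; in a Docker environment this is not necessarily the case.


In a real environment: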

root@kali:~# ps -q1
   PID TTY          TIME CMD
     1 ?        00:00:02 systemd
root@kali:~# 

Inside a Docker environment:

root@55ff7ae5bdae:~# ps -p 1
  PID TTY          TIME CMD
    1 ?        00:00:00 startWebLogic.s
root@55ff7ae5bdae:~#
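
The four checks above combined into one script, as an added example that is not part of the original post; the function names and the fixture trees are constructed for illustration. It reports which indicators fire rather than a single yes/no, because any one of them can be absent (for example, on cgroup v2 hosts a container's own /proc/1/cgroup can read just 0::/).

```shell
#!/bin/sh
# Added example (not from the original post): report which of the article's
# Docker indicators are present. ROOT lets the check run against a fixture
# tree; with no argument it inspects the live system.
container_signals() {
    root="${1:-}"
    signals=""
    # 1. cgroup paths of PID 1 mention docker
    if grep -qi 'docker' "$root/proc/1/cgroup" 2>/dev/null; then
        signals="$signals cgroup"
    fi
    # 2. marker file in the container's root directory
    if [ -e "$root/.dockerenv" ]; then
        signals="$signals dockerenv"
    fi
    # 3 and 4. first line of /proc/1/sched looks like "name (pid, #threads: n)"
    sched="$root/proc/1/sched"
    if [ -r "$sched" ]; then
        first=$(head -n 1 "$sched")
        name=${first%% \(*}
        pid=${first#*\(}; pid=${pid%%,*}
        case "$name" in
            systemd|init) ;;                      # usual PID 1 on a host
            *) signals="$signals pid1-name" ;;    # e.g. an application script
        esac
        [ "$pid" = "1" ] || signals="$signals sched-pid"
    fi
    echo "${signals# }"
}

# True when at least one indicator fires; an empty list is not proof of a host.
in_container() { [ -n "$(container_signals "${1:-}")" ]; }

# Constructed fixture trees modelled on the two transcripts in this article.
make_fixtures() {
    dir=$(mktemp -d)
    mkdir -p "$dir/docker/proc/1" "$dir/host/proc/1"
    : > "$dir/docker/.dockerenv"
    echo '13:pids:/docker/<container-id>' > "$dir/docker/proc/1/cgroup"
    echo 'startWebLogic.s (8212, #threads: 1)' > "$dir/docker/proc/1/sched"
    echo '1:name=systemd:/init.scope' > "$dir/host/proc/1/cgroup"
    echo 'systemd (1, #threads: 1)' > "$dir/host/proc/1/sched"
    echo "$dir"
}

fx=$(make_fixtures)
echo "docker fixture: $(container_signals "$fx/docker")"
echo "host fixture:   $(container_signals "$fx/host")"
echo "live system:    $(container_signals)"
rm -rf "$fx"
```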

reference

https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
https://unix.stackexchange.com/questions/3685/find-out-if-the-os-is-running-in-a-virtual-environment
