There is a docker container running on one of the active HTB machines. In this docker container I have a socat shell running as root. With ss -tunap I can see socat connect to my Kali VM, and in my Kali VM I can see the connection with lsof -i -P.
However, on the HTB machine itself (I got root on that machine by now) I can't see the socat communication with either lsof or ss. As far as I know, lsof and ss get their information from the /proc virtual file system, and a docker container uses the same kernel as its host. I could understand this issue if a process in a VM connected with third parties via TCP, since it uses its own kernel. However, shouldn't we at least be able to observe vm-gateway or something similar connecting to other machines?
Would be interesting to hear from someone with more insight.
just gives us a summary.
Take three terminal sessions; in the first one run watch 'lsof -i -P' and in the other two run nmap -p- 10.10.10.x and masscan -p1-65535 10.10.10.x -e tun0, respectively. You will notice the difference. It is not about imprecise or unreliable output.
For masscan the solution is easy; I wonder why we do not see TCP/UDP connections established from a docker container or a VM.
Yeah, tcpdump or wireshark will show all traffic unless filtered.
My question remains: WHY do lsof and ss, run on the host, not display a container's or a VM's network connections?
btw, it doesn't matter if you use nc, socat, ssh or whatever… for masscan the answer is easy.
I did a little research and would like to provide the following answers:
- masscan uses its own network stack, so the Linux kernel is not involved besides granting permissions to the device
- a VM uses its own kernel and a virtual network device. The latter is bridged in one way or another, depending on the setup, to the network device of the host.
- a docker container uses the same kernel, but probably its network connections are located at a different place in the /proc virtual filesystem than usual.
Especially the last point involves a little bit of speculation, so please don't rely on that and don't nail me down on it. Further input is welcome. If you know where to look in /proc, you are my man (or woman).
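As an added example (my own code, not from any poster in this thread): the place in /proc asked about above is /proc/<pid>/net/tcp, which shows the TCP table of the network namespace that <pid> lives in, so reading it with the PID of a process inside the container lists that container's connections from the host. The parser below decodes the kernel's hex address format; the sample table is constructed, and the byte order assumes a little-endian host.

```python
import socket
import struct

# State column of /proc/net/tcp (hex) -> name, per the kernel's tcp_states.h.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE",
              "08": "CLOSE_WAIT", "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

def decode_addr(hexaddr):
    """'020011AC:115C' -> ('172.17.0.2', 4444). The IPv4 word is in host byte
    order, so this assumes a little-endian host (x86/x86-64)."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse the contents of a /proc/<pid>/net/tcp file into socket dicts."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = decode_addr(fields[1])
        remote_ip, remote_port = decode_addr(fields[2])
        sockets.append({
            "local": f"{local_ip}:{local_port}",
            "remote": f"{remote_ip}:{remote_port}",
            "state": TCP_STATES.get(fields[3].upper(), fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),  # can be matched to a process via /proc/*/fd
        })
    return sockets

def established(text):
    return [s for s in parse_proc_net_tcp(text) if s["state"] == "ESTABLISHED"]

def container_connections(pid):
    """Established TCP connections in the network namespace of process <pid>."""
    with open(f"/proc/{pid}/net/tcp") as f:
        return established(f.read())

# Constructed sample table: a listener on 0.0.0.0:8080 and a socat reverse shell
# from the container (172.17.0.2) to the attacker's VM (10.10.14.5) port 4444.
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 020011AC:C9E2 050E0A0A:115C 01 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for s in established(SAMPLE):
        print(f"{s['local']} -> {s['remote']} {s['state']} uid={s['uid']}")
```

On a real host, call container_connections() with a PID from inside the container; the same file read as /proc/net/tcp on the host only shows the host's own namespace, which is why ss and lsof there miss the container's sockets.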
Can you tell me a machine, preferably retired, where I can see this issue? Then I can take a look later today.
You could set up JuiceShop as a docker container and ssh into it. SSH from host to container will show up with netstat, ss and lsof running on the host.
When you ssh from your JuiceShop container to another machine, e.g. you have a root server running somewhere, you will see that traffic with netstat, ss and lsof on your root server and in your docker container, but not on your host.