{"id":16766,"date":"2023-05-04T17:17:31","date_gmt":"2023-05-04T15:17:31","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=16766"},"modified":"2024-04-12T16:33:25","modified_gmt":"2024-04-12T14:33:25","slug":"how-to-scan-docker-containers-using-thor-part-2","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/","title":{"rendered":"How to scan Docker containers using THOR &#8211; Part 2"},"content":{"rendered":"<p>[et_pb_section fb_built=&#8221;1&#8243; _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; da_disable_devices=&#8221;off|off|off&#8221; global_colors_info=&#8221;{}&#8221; da_is_popup=&#8221;off&#8221; da_exit_intent=&#8221;off&#8221; da_has_close=&#8221;on&#8221; da_alt_close=&#8221;off&#8221; da_dark_close=&#8221;off&#8221; da_not_modal=&#8221;on&#8221; da_is_singular=&#8221;off&#8221; da_with_loader=&#8221;off&#8221; da_has_shadow=&#8221;on&#8221;][et_pb_row _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_column type=&#8221;4_4&#8243; _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_text _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;]<\/p>\n<p>The <a href=\"https:\/\/www.nextron-systems.com\/?p=16747&amp;preview=true\">first part<\/a> of this blog series covers how THOR can be used to scan a Docker image. In the second part of this series, we will talk about how you can use THOR to scan running Docker containers. Now, consider this new use case: You want to check if your running Docker container was attacked by some Log4Shell exploit. 
To do this, we will show you how you can start THOR inside a running container!<\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;]<\/p>\n<h2>Prerequisites<\/h2>\n<ul>\n<li>Running Docker container with a shell installed (e.g. sh, bash, &#8230;)\n<ul>\n<li>In this example we will use <a href=\"https:\/\/hub.docker.com\/_\/alpine\" title=\"Alpine Linux\">Alpine Linux<\/a><\/li>\n<\/ul>\n<\/li>\n<li>THOR \ud83d\ude42\n<ul>\n<li>In this example we will use Thor-Lite. However, for a real-world use case you should consider using the full Thor version (<a href=\"https:\/\/www.nextron-systems.com\/thor-lite\/\">Thor vs Thor-lite<\/a>).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>[\/et_pb_text][et_pb_text _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;]<\/p>\n<h2>Running THOR in a Docker container<\/h2>\n<p>First, we have to find the Docker ID of the container we want to check using: <code>docker ps<\/code>.<br \/>\nThis will list all Docker containers running on the current host.<\/p>\n<p>Sidenote: The following should also work with all the other containerization platforms (e.g. podman, Kubernetes, OpenShift, etc.).[\/et_pb_text][et_pb_image src=&#8221;https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/nice_docker_ps.png&#8221; title_text=&#8221;nice_docker_ps&#8221; _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][\/et_pb_image][et_pb_text _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;]In our example, the ID is <code>84d1624f0083<\/code>. Now we copy the THOR files to the container: <\/p>\n<pre>docker cp thor\/. 
84d1624f0083:\/thor<\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;]Next, to run THOR, we need to get an interactive shell inside the container: <\/p>\n<pre>docker exec -it 84d1624f0083 \/bin\/sh<\/pre>\n<p>Inside the Docker container you can <code>cd thor<\/code> and start THOR: <code>.\/thor-lite-linux<\/code>.[\/et_pb_text][et_pb_image src=&#8221;https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/thor_run_c_nice.png&#8221; title_text=&#8221;thor_run_c_nice&#8221; _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][\/et_pb_image][et_pb_text _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;]After THOR is finished, you will find the following files in the Docker container:<\/p>\n<ul>\n<li><code>{docker-id}_files_md5s.csv<\/code><\/li>\n<li><code>{docker-id}_thor_{date}.html<\/code><\/li>\n<li><code>{docker-id}_thor_{date}.txt<\/code><\/li>\n<\/ul>\n<p>These files contain all findings of the THOR scan.[\/et_pb_text][et_pb_text _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;]You can copy the reports back to your host by running the following on your host:<\/p>\n<ul>\n<li><code>docker cp 84d1624f0083:\/thor\/dffcea1e1fe9_files_md5s.csv .<\/code><\/li>\n<li><code>docker cp 84d1624f0083:\/thor\/dffcea1e1fe9_thor_2023-04-26_0728.html .<\/code><\/li>\n<li><code>docker cp 84d1624f0083:\/thor\/dffcea1e1fe9_thor_2023-04-26_0728.txt .<\/code><\/li>\n<\/ul>\n<p>Note: You have to replace <code>84d1624f0083<\/code> with your Docker ID.<\/p>\n<p>Lastly, to clean up your container, run the following: <code>docker exec -it 84d1624f0083 rm -rf \/thor<\/code>.<br \/>\nThis will delete all files that were created in the earlier 
steps.[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The first part of this blog series covers how THOR can be used to scan a Docker image. In the second part of this series, we will talk about how you can use THOR to scan running Docker containers. Now, consider this new use case: You want to check if your running Docker container was attacked by some Log4Shell exploit. To do this, we will show you how you can start THOR inside a running container!Prerequisites Running Docker container with a shell installed (e.g. sh, bash, &#8230;) In this example we will use Alpine Linux THOR \ud83d\ude42 In this example we will use Thor-Lite. However, for a real-world use case you should consider using the full Thor version (Thor vs Thor-lite). Running THOR in a Docker container First, we have to find the Docker ID of the container we want to check using: docker ps. This will list all Docker containers running on the current host. Sidenote: The following should also work with all the other containerization platforms (e.g. podman, Kubernetes, OpenShift, etc.).In our example, the ID is 84d1624f0083. Now we copy the THOR files to the container: docker cp thor\/. 
84d1624f0083:\/thorNext, to run THOR, we need to get an interactive [&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":16739,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[749,1,32,248,269],"tags":[713,711,277,5,607],"class_list":["post-16766","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-homepage","category-nextron","category-thor","category-thor-lite","category-tutorial","tag-container","tag-docker","tag-image","tag-thor","tag-thor-lite"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to scan Docker containers using THOR - Part 2 - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/\"},\"author\":{\"name\":\"Paul Hager\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/cda3539ca95e549d45316b14bea853eb\"},\"headline\":\"How to scan Docker containers using THOR &#8211; Part 
2\",\"datePublished\":\"2023-05-04T15:17:31+00:00\",\"dateModified\":\"2024-04-12T14:33:25+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/\"},\"wordCount\":535,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/cyb3rops_Illustration_of_Thor_investigating_the_contents_of_a_c_ae851954-4000-48da-83ea-684b4ac92db8.png\",\"keywords\":[\"container\",\"docker\",\"image\",\"thor\",\"THOR Lite\"],\"articleSection\":[\"Homepage\",\"Nextron\",\"THOR\",\"THOR Lite\",\"Tutorial\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/\",\"name\":\"How to scan Docker containers using THOR - Part 2 - Nextron 
Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/cyb3rops_Illustration_of_Thor_investigating_the_contents_of_a_c_ae851954-4000-48da-83ea-684b4ac92db8.png\",\"datePublished\":\"2023-05-04T15:17:31+00:00\",\"dateModified\":\"2024-04-12T14:33:25+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/#primaryimage\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/cyb3rops_Illustration_of_Thor_investigating_the_contents_of_a_c_ae851954-4000-48da-83ea-684b4ac92db8.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/cyb3rops_Illustration_of_Thor_investigating_the_contents_of_a_c_ae851954-4000-48da-83ea-684b4ac92db8.png\",\"width\":1536,\"height\":768},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect 
Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/cda3539ca95e549d45316b14bea853eb\",\"name\":\"Paul Hager\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e6adba4e18061540f4e1aa40fd7aa12d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e6adba4e18061540f4e1aa40fd7aa12d?s=96&d=mm&r=g\",\"caption\":\"Paul Hager\"},\"description\":\"Threat Researcher &amp; Detection Engineer @nextronsystems | @TUVienna Graduate\",\"sameAs\":[\"https:\/\/x.com\/pH_T__\"],\"url\":\"https:\/\/www.nextron-systems.com\/author\/paul\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"How to scan Docker containers using THOR - Part 2 - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/"},"author":{"name":"Paul Hager","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/cda3539ca95e549d45316b14bea853eb"},"headline":"How to scan Docker containers using THOR &#8211; Part 2","datePublished":"2023-05-04T15:17:31+00:00","dateModified":"2024-04-12T14:33:25+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/"},"wordCount":535,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"image":{"@id":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/#primaryimage"},"thumbnailUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/cyb3rops_Illustration_of_Thor_investigating_the_contents_of_a_c_ae851954-4000-48da-83ea-684b4ac92db8.png","keywords":["container","docker","image","thor","THOR Lite"],"articleSection":["Homepage","Nextron","THOR","THOR Lite","Tutorial"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/","url":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/","name":"How to scan Docker containers using THOR - Part 2 - Nextron 
Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/#primaryimage"},"image":{"@id":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/#primaryimage"},"thumbnailUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/cyb3rops_Illustration_of_Thor_investigating_the_contents_of_a_c_ae851954-4000-48da-83ea-684b4ac92db8.png","datePublished":"2023-05-04T15:17:31+00:00","dateModified":"2024-04-12T14:33:25+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/#primaryimage","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/cyb3rops_Illustration_of_Thor_investigating_the_contents_of_a_c_ae851954-4000-48da-83ea-684b4ac92db8.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/cyb3rops_Illustration_of_Thor_investigating_the_contents_of_a_c_ae851954-4000-48da-83ea-684b4ac92db8.png","width":1536,"height":768},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems 
GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/cda3539ca95e549d45316b14bea853eb","name":"Paul Hager","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/e6adba4e18061540f4e1aa40fd7aa12d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e6adba4e18061540f4e1aa40fd7aa12d?s=96&d=mm&r=g","caption":"Paul Hager"},"description":"Threat Researcher &amp; Detection Engineer @nextronsystems | @TUVienna 
Graduate","sameAs":["https:\/\/x.com\/pH_T__"],"url":"https:\/\/www.nextron-systems.com\/author\/paul\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/16766","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=16766"}],"version-history":[{"count":18,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/16766\/revisions"}],"predecessor-version":[{"id":16874,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/16766\/revisions\/16874"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media\/16739"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=16766"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=16766"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=16766"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}