Docker Registry - PORT 5000

Basic Info

A Docker registry is a storage and distribution system for Docker images. These images are grouped into repositories, and each repository can store multiple tagged versions of an application or service. Registries allow developers to upload (push) their images and download (pull) them to deploy containers anywhere.

By default, Docker uses DockerHub as its public registry, but organizations often set up their own on-premise Docker registries—either with the open-source distribution or the commercial Docker Trusted Registry. Other public registries also exist across the internet.

For example, pulling an image from a private registry looks like this:

docker pull my-registry:9000/foo/bar:2.1

This fetches version 2.1 of the foo/bar image from the registry at my-registry:9000. From DockerHub, the same image (if 2.1 is the latest) can be pulled with a simpler command:

docker pull foo/bar

The default port for Docker Registry is 5000, which appears in scans as:

If this service is exposed without authentication, it can leak sensitive images, configs, and secrets directly to an attacker.

Enumeration

The easiest way to discover a Docker Registry service is via Nmap:

However, since Docker Registry is HTTP-based, it could also be hidden behind proxies or reverse proxies — meaning Nmap alone might not always detect it.

Fingerprinting Tricks:

• Accessing / → usually nothing is returned.

• Accessing /v2/ → the service often returns an empty JSON:

• Accessing /v2/_catalog → may list all available repositories:

• If authentication is enabled, you’ll often see:

These simple checks confirm the service and tell you whether it’s open to the world or locked down.

Using .nse (Nmap script engine)

The default Docker Registry runs on TCP port 5000. Start by scanning:

Or with Masscan for a wide sweep:

If port 5000 is open, it’s worth testing further.

HTTP/HTTPS (Using curl)

Docker registry may be configured to use HTTP or HTTPS. So the first thing you may need to do is find which one is being configured:

Enumerate tags

This shows available versions of the image.

Fetch the Manifest of a Specific Tag

Download a Blob (Layer)

Extract and Inspect the Layer

Enumeration Using Docker

Beyond curl, you can interact directly with the target registry using the Docker client. This is often more convenient for downloading and inspecting images.

1. Pull an Image from the Target Registry

Once you’ve enumerated the available repositories with /v2/_catalog, you can pull them directly:

2. Review Image History

After pulling, check the history of the image to reveal the commands used to build its layers. These often expose secrets, build scripts, or configuration mistakes:

Example output:

Why this matters: Developers often bake in sensitive files during builds, then forget to remove them. Even if later layers overwrite these files, they remain in history.

3. Run the Image

Start a container and obtain a shell:

This drops you inside the container filesystem. Leave this running for exploration.

4. Get Another Shell Inside the Running Container

From another terminal, list running containers:

Then connect to it:

Pro Tip: Using docker exec, you can pivot inside the container, look for SSH keys, environment variables, or misconfigured services — often leading to privilege escalation or lateral movement inside the target’s infrastructure.

Automate tools for enum

Enumeration using DockerRegistryGrabber

Manually enumerating a Docker Registry with curl works, but it can be slow and repetitive when dealing with many repositories, multiple tags, and authentication. That’s where DockerRegistryGrabber comes in.

DockerRegistryGrabber is a Python tool that allows penetration testers to enumerate and dump Docker registries — both with and without authentication. It automates:

• Enumerating repositories (/v2/_catalog)

• Listing available image tags (/v2/<repo>/tags/list)

• Pulling and downloading layers locally for analysis

• Supporting Basic Authentication (username:password)

This makes it a powerful choice when exploring large or hidden registries that could store sensitive images.

Installation

Clone the repository and install dependencies:

Usage Examples

• Unauthenticated Enumeration:

  This will fetch repositories from the open registry.

• Authenticated Enumeration:

  Useful if the registry is protected by Basic Auth.

• Dumping Images:

  This downloads the full image layers for offline inspection (config files, secrets, etc.).

Authentication

Docker Registry may also be configured to require authentication. The first check is as simple as hitting the catalog endpoint with curl:

Possible Responses

• If authentication is required:

• If no authentication is required:

👉 If you encounter authentication, you can attempt brute force attacks against the registry’s credentials. Common wordlists like rockyou.txt can be used with tools such as Hydra or custom scripts.

Once valid credentials are discovered, you can use them to enumerate the registry. With curl, the syntax is:

Hydra

This will return the repositories available under that account, which you can then pull and inspect for secrets or misconfigurations.

Exploitation

Pulling Sensitive Images

If pulling is allowed:

Then inspect the image layers:

Hackers often extract secrets from inside these images. Look for:

• .env files

• Configs in /app/config or /root/

• Hardcoded passwords in source code

Example:

Backdooring Docker Images

Once you can pull and push images to a misconfigured Docker Registry, you effectively have the power to inject malicious code into production workloads. Two common exploitation techniques are WordPress image backdooring and SSH image backdooring.

Backdooring a WordPress Image

If the registry contains a WordPress image, you can embed a simple PHP webshell:

1. Create your webshell

2. Create a Dockerfile that inserts it into WordPress

3. Build and push the malicious image

Result: Next time the target pulls and runs this WordPress image, you’ll have remote code execution via the /app/shell.php?cmd=id endpoint.

Backdooring an SSH Server Image

Attackers can also abuse SSH-based images for persistent access.

1. Pull and run the target’s SSH image

2. Extract the SSH configuration file

Modify it to allow root login:

3. Create a Dockerfile that adds the modified config & a backdoor password

4. Build and push the backdoored image

Result: If deployed, you gain root SSH access with the password you injected.

Poisoning the Registry

If push is enabled without authentication, the situation is catastrophic. An attacker can poison existing images:

Now every time a developer pulls app:latest, they get your backdoor. This is supply chain compromise at its worst.