Artifact Registry

Default Ports: 5000, 8081, 8082, 8443

Artifact registries store container images, packages, Helm charts, build outputs, and release files. In pentests, exposed registries can leak private images, packages, source archives, CI tokens, and secrets in layers, and can expose write paths that allow supply-chain abuse.

Connect

Using Docker CLI

Use Docker to validate container registry read or write access.

docker login registry.target.com
docker pull registry.target.com/project/image:tag
docker image inspect registry.target.com/project/image:tag

Using curl

Registry APIs are HTTP-based and easy to fingerprint.

curl -i https://registry.target.com/v2/
curl -I https://repo.target.com/
curl -I https://harbor.target.com/

Using Package Managers

Native package managers confirm real developer and CI access paths.

npm ping --registry https://repo.target.com/repository/npm/
curl -I https://repo.target.com/repository/maven-public/
curl -I https://repo.target.com/repository/pypi/simple/
helm repo add target https://repo.target.com/chartrepo/project
helm search repo target

Using skopeo

skopeo inspects remote images without pulling into Docker.

skopeo inspect docker://registry.target.com/project/image:tag
skopeo inspect --tls-verify=false docker://registry.target.com/project/image:tag

Recon

Service Detection with Nmap

Scan common Nexus, Artifactory, Harbor, and Docker Registry ports.

nmap -p 80,443,5000,5001,8081,8082,8083,8443,9000 -sV target.com
nmap -p 80,443,5000,8081,8082,8443 --script http-title,http-headers target.com
nmap -p 443,8443 --script ssl-cert,ssl-enum-ciphers target.com

Product Fingerprinting

Product type determines API paths and permission checks.

curl -I https://repo.target.com/service/rest/v1/status
curl -I https://repo.target.com/artifactory/api/system/ping
curl -I https://harbor.target.com/api/v2.0/systeminfo
curl -I https://registry.target.com/v2/
httpx -u https://repo.target.com -title -tech-detect -status-code

Repository Path Discovery

Repository names reveal package ecosystems and deployment flows.

curl -I https://repo.target.com/repository/maven-public/
curl -I https://repo.target.com/repository/npm-private/
curl -I https://repo.target.com/repository/pypi/simple/
curl -I https://repo.target.com/repository/docker-hosted/v2/

Authentication Review

Compare anonymous, user, and CI token access.

curl -i https://registry.target.com/v2/
curl -u user:password -i https://registry.target.com/v2/
curl -H 'Authorization: Bearer TOKEN' -i https://registry.target.com/v2/
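
How to read the `/v2/` answers when comparing access levels, as an added example that is not part of the original page. The function name, the result fields, and both sample responses (including the realm URL) are constructed for illustration.

```python
import re

def classify_v2_probe(raw):
    """Turn the output of `curl -i https://<registry>/v2/` into an audit finding."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    status = int(lines[0].split()[1])            # "HTTP/1.1 401 Unauthorized" -> 401
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    challenge = headers.get("www-authenticate", "")
    scheme = challenge.split(" ", 1)[0].lower()
    params = dict(re.findall(r'(\w+)="([^"]*)"', challenge))
    result = {
        "status": status,
        "speaks_registry_v2": headers.get("docker-distribution-api-version") == "registry/2.0",
        "scheme": scheme or None,
        "realm": params.get("realm"),
    }
    if status == 200:
        result["finding"] = "anonymous: /v2/ answers without credentials"
    elif status == 401 and scheme == "bearer":
        # The 401 only says a token is needed; the token service at `realm`
        # decides whether callers without credentials still get a pull token.
        result["finding"] = "token auth: review anonymous scope at the realm"
    elif status == 401 and scheme == "basic":
        result["finding"] = "basic auth: credentials sent on every request"
    else:
        result["finding"] = "inconclusive: not a plain registry v2 answer"
    return result

# Constructed sample responses (not captured from a real host).
SAMPLE_ANON = ("HTTP/1.1 200 OK\r\nDocker-Distribution-Api-Version: registry/2.0\r\n"
               "Content-Length: 2\r\n\r\n{}")
SAMPLE_TOKEN = ("HTTP/1.1 401 Unauthorized\r\nDocker-Distribution-Api-Version: registry/2.0\r\n"
                'Www-Authenticate: Bearer realm="https://registry.target.com/service/token",'
                'service="registry"\r\n\r\n')

if __name__ == "__main__":
    for sample in (SAMPLE_ANON, SAMPLE_TOKEN):
        print(classify_v2_probe(sample))
```

A 401 with a Bearer challenge does not by itself show that anonymous pulls are blocked, so record the realm and compare the anonymous, user, and CI token results side by side.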

Enumeration

Docker Registry Enumeration

Docker Registry API may expose catalogs and tags.

curl -s https://registry.target.com/v2/_catalog | jq
curl -s https://registry.target.com/v2/project/image/tags/list | jq
skopeo inspect docker://registry.target.com/project/image:tag

Nexus Enumeration

Nexus REST APIs expose repositories, assets, components, and formats.

curl -u user:password https://repo.target.com/service/rest/v1/repositories | jq
curl -u user:password "https://repo.target.com/service/rest/v1/search?repository=maven-public" | jq
curl -u user:password "https://repo.target.com/service/rest/v1/assets?repository=raw-hosted" | jq

Artifactory Enumeration

Artifactory APIs reveal repositories, builds, and artifacts.

curl -u user:password https://repo.target.com/artifactory/api/repositories | jq
curl -u user:password https://repo.target.com/artifactory/api/system/ping
curl -u user:password "https://repo.target.com/artifactory/api/search/artifact?name=*.jar" | jq

Harbor Enumeration

Harbor APIs expose projects, repositories, tags, and robot accounts.

curl -s https://harbor.target.com/api/v2.0/projects | jq
curl -s https://harbor.target.com/api/v2.0/projects/PROJECT/repositories | jq
curl -s https://harbor.target.com/api/v2.0/projects/PROJECT/repositories/REPO/artifacts | jq

Image Layer Review

Image layers can contain secrets, configs, and build leftovers.

docker pull registry.target.com/project/image:tag
docker save registry.target.com/project/image:tag -o image.tar
trufflehog filesystem image.tar
syft registry.target.com/project/image:tag
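
Why build leftovers survive in layers, as an added example that is not part of the original page: a file removed in a later layer is only hidden by a whiteout marker, and the earlier layer in the `docker save` archive still contains it. The function names and the sample archive are constructed; the code assumes the archive has the top-level `manifest.json` with a `Layers` list that `docker save` writes.

```python
import io
import json
import tarfile

WHITEOUT = ".wh."  # overlay marker: "<dir>/.wh.<name>" hides <dir>/<name> from lower layers

def make_tar(files):
    """Build an in-memory tar from {path: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def deleted_but_recoverable(image_tar):
    """Return [(path, added_in_layer, whited_out_in_layer)] for a `docker save` archive."""
    findings, first_seen = [], {}
    with tarfile.open(fileobj=io.BytesIO(image_tar), mode="r:*") as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for idx, layer_name in enumerate(manifest[0]["Layers"]):
            blob = image.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as layer:
                for member in layer.getmembers():
                    directory, _, base = member.name.rpartition("/")
                    if base.startswith(WHITEOUT):
                        # The final filesystem hides the file; the earlier layer still holds it.
                        hidden = "/".join(p for p in (directory, base[len(WHITEOUT):]) if p)
                        if hidden in first_seen:
                            findings.append((hidden, first_seen[hidden], idx))
                    elif member.isfile():
                        first_seen.setdefault(member.name, idx)
    return findings

# Constructed sample: layer 0 ships an .npmrc, layer 1 "deletes" it with a whiteout.
SAMPLE_IMAGE = make_tar({
    "manifest.json": json.dumps([{"Config": "config.json", "RepoTags": ["project/image:tag"],
                                  "Layers": ["l0/layer.tar", "l1/layer.tar"]}]).encode(),
    "l0/layer.tar": make_tar({"app/server.js": b"// app\n",
                              "app/.npmrc": b"_authToken=CONSTRUCTED-PLACEHOLDER\n"}),
    "l1/layer.tar": make_tar({"app/.wh..npmrc": b""}),
})

if __name__ == "__main__":
    for path, added, removed in deleted_but_recoverable(SAMPLE_IMAGE):
        print(f"{path}: added in layer {added}, whited out in layer {removed}")
```

For a real archive, pass `open("image.tar", "rb").read()`. Each finding is a file the build should never have copied into a layer; a multi-stage build or a BuildKit secret mount keeps it out of every layer.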

Attack Vectors

Anonymous Read Access

Anonymous reads can expose private code, packages, and images.

curl -s https://registry.target.com/v2/_catalog | jq
docker pull registry.target.com/project/private-image:latest
npm view package-name --registry https://repo.target.com/repository/npm/

Weak Credentials

Registry accounts are often reused by CI and developers.

docker login registry.target.com
curl -u user:password https://repo.target.com/service/rest/v1/repositories

Leaked Tokens

Search CI configs and source repositories for registry credentials.

rg -n 'docker login|NEXUS|ARTIFACTORY|HARBOR|REGISTRY|npm_token|_authToken' .
rg -n 'password|token|apikey|secret' .github .gitlab-ci.yml Jenkinsfile Dockerfile

Package or Image Push Abuse

Write access can allow package poisoning or image tampering.

docker tag test-image registry.target.com/project/test-image:pentest
docker push registry.target.com/project/test-image:pentest
npm publish --registry https://repo.target.com/repository/npm-hosted/

Sensitive Artifact Exposure

Artifacts may include backups, source archives, SBOMs, configs, or logs.

curl -u user:password "https://repo.target.com/service/rest/v1/search?name=backup" | jq
curl -u user:password "https://repo.target.com/service/rest/v1/search?name=config" | jq
curl -u user:password "https://repo.target.com/service/rest/v1/search?name=secret" | jq

Post-Exploitation

Artifact Inventory

Save repository, image, package, and tag listings as evidence.

curl -u user:password https://repo.target.com/service/rest/v1/repositories > repositories.json
curl -s https://registry.target.com/v2/_catalog > registry-catalog.json
curl -s https://registry.target.com/v2/project/image/tags/list > image-tags.json

Secret Review

Review pulled artifacts and images for credentials.

trufflehog filesystem extracted-artifacts/
gitleaks detect --source extracted-artifacts/
syft registry.target.com/project/image:tag -o table

CI/CD Pivot Review

Registry data often reveals deployment systems and build identities.

rg -n 'jenkins|gitlab|github|azure|kubernetes|helm|deploy|prod|staging' extracted-artifacts/
rg -n 'registry|repo|nexus|artifactory|harbor' extracted-artifacts/

Useful Tools

| Tool | Purpose |
| --- | --- |
| docker | Image pull/push testing |
| curl | Registry API checks |
| skopeo | Remote image inspection |
| helm | Helm repository checks |
| npm / pip / mvn | Package repository checks |
| trufflehog / gitleaks | Secret scanning |
| syft | SBOM and image inventory |
| httpx | Web fingerprinting |

Security Misconfigurations

| Misconfiguration | Risk |
| --- | --- |
| Anonymous read access | Private package or image disclosure |
| Anonymous or broad write access | Package poisoning or image tampering |
| Weak registry credentials | Supply-chain compromise |
| Leaked CI tokens | Privileged registry access |
| Secrets in image layers | Credential exposure |
| Public build artifacts | Source and config leakage |
| Overbroad robot accounts | Project-wide abuse |
| Outdated registry software | Known vulnerability exposure |