LTR101 - Disposable Attack Containers (DAC)

My take on using docker for disposable attack images, basically leveraging docker images for Bug Bounties & Pentesting.

For those of you who follow me on Twitter and the Internet, you might have seen recently I've been playing around with Docker. Frankly if it wasn't for m0rv4i's post on how it all works, I don't think I'd have gotten into it.

Anyway here's my take on using docker for disposable attack images, basically leveraging docker images for Bug Bounties & Pentesting. I produced a repo of images for this purpose called DockerAttack which is going to continue to grow with some bits and pieces over the next few months.

  • What this post isn't: Anything new, revolutionary new stuff or witchcraft
  • What this post aims to be: My take on docker, how to set up your env, run your first image, run the images in DockerAttack & how to fix/modify them.

TL;DR Docker

So if you've not read the post linked above, here's a too-long-didn't-read on docker. It's basically a way to create mini virtual machines on the fly that contain all the tools you specify (strictly speaking they are containers that share the host's kernel rather than full VMs), allowing you to create temporary containers of data for different purposes. An image can be deployed quicker than a bash script and can be run on top of different platforms.

Setting Up Your Environment

Right, so there are about a million guides out there on how to set up Docker... so here's the 1000001th edition. In the DockerAttack repo I've helpfully included a script for Unix OSes that use APT as the package installer; the script pulls all the info needed to install docker and run it as a service:

# Docker Install
# Where we begin our docker story
apt-get update
apt-get install -y apt-transport-https ca-certificates
apt-get install dirmngr -y
apt-key adv --keyserver hkp:// \
--recv-keys 58118E89F3A912897C070ADBF76221572C52609D
echo 'deb debian-stretch main' > \
apt-get update
apt-get install docker-engine -y
service docker start

If you're not as far as getting a Virtual Machine (VM) set up, you can do this pretty easily; I actually did a post a few months back on how to do such a thing!

Simply run the script as root, and it will do the hard work for you, downloading docker and the relevant dependencies.

Once you're all set up with docker, you can start to create & build docker images, either by running the pre-built images I've provided or by creating your own. You can verify that the Docker daemon is running on your server with the commands below:

service docker status

ps awx | grep docker

Creating a Docker Image

The easiest way to create a docker image is to start out with a dockerfile and work from it; a simple pentesting one for me starts with Kali Linux and then adds additional tools. Here's an example:

# Set up the basics 
# Leverage Kali Base Image
FROM kalilinux/kali-linux-docker

# Update off the bat
RUN apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

# Install the Core
RUN apt-get install sudo git wget curl zip ccze byobu zsh golang ufw python-pip nikto dotdotpwn jsql nmap sqlmap sqlninja thc-ipv6 hydra dirb -y

# Prepare
RUN apt-get update
RUN apt-get dist-upgrade -y

# Install normal Packages needed
RUN apt-get install -y -u apt-utils unzip nodejs wget curl jruby nano screen htop openssl git

RUN echo "That's all folks! You're good to go hack the planet!"

# set to bash so you can set keys before running aquatone.
ENTRYPOINT ["/bin/bash"]

#  Set working directory
WORKDIR /root/

Having spoken to Rob at length about how all this works, here's my take on things. Essentially the image above will take the default Kali Linux docker image, then install a bunch of tools that I'd deem as being a decent core to work from for some basic bits and pieces.

Each line in the dockerfile runs as its own process, so you can't change directory on one line and expect the next line to follow. For those actions you'd need to chain the commands on a single line, something like cd /tmp/ && mkdir lol_test && touch lol_test/test. There are obviously more efficient ways of doing that, but that's an example.
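To see why the chaining matters, here is an added illustration (not from the original post, and a simulation rather than Docker itself): the made-up helper run_lines runs each line in a fresh sh -c from the same working directory, the way separate RUN lines behave. It uses a scratch directory with a tmp/ subfolder instead of the real /tmp.

```shell
#!/bin/sh
# Added illustration, not Docker itself: run_lines (a made-up helper) mimics
# how shell-form RUN lines execute. Each line gets a fresh `sh -c` started in
# the same working directory; files persist between lines, `cd` does not.

run_lines() {   # usage: run_lines WORKDIR  (one command per line on stdin)
    workdir=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        ( cd "$workdir" && sh -c "$line" </dev/null ) || return 1
    done
}

# Reports where lol_test/test ended up inside the scratch directory.
where_is_test() {
    if   [ -e "$1/tmp/lol_test/test" ]; then echo "tmp"
    elif [ -e "$1/lol_test/test" ];     then echo "workdir"
    else echo "missing"
    fi
}

# Three separate "RUN" lines: the cd is forgotten before mkdir runs.
demo_separate() {
    root=$(mktemp -d) && mkdir "$root/tmp" || return 1
    printf '%s\n' 'cd tmp' 'mkdir lol_test' 'touch lol_test/test' | run_lines "$root"
    where_is_test "$root"
    rm -rf "$root"
}

# One "RUN" line chained with &&, as in the post: all three share a shell.
demo_chained() {
    root=$(mktemp -d) && mkdir "$root/tmp" || return 1
    printf '%s\n' 'cd tmp && mkdir lol_test && touch lol_test/test' | run_lines "$root"
    where_is_test "$root"
    rm -rf "$root"
}

demo_separate   # prints: workdir
demo_chained    # prints: tmp
```

Note that the split version does not fail; the file is simply created in the wrong place, which is why this mistake tends to go unnoticed in a build.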

So save the Kali-based example as a file named Dockerfile, then to build it you can run:

docker build -t zsec/example .

This will build the image and slap it under the repo zsec; you can name it however you like. The dot tells docker to use the Dockerfile in the current directory. You can also reference another path, so something like:

docker build -t zsec/example /tmp/Example/

...or there is also:

docker build -t zsec/example $(pwd)

The /tmp/Example/ form builds the image from the Dockerfile located at /tmp/Example/Dockerfile; notice only the path is referenced and not the actual file, as docker looks for the file automatically in the directory provided.

Anyway, the build goes through the motions much like a normal install script; however, the beauty of docker is that if something breaks mid-process, the steps that already completed are cached in an image. Basically meaning you can go and fix the dockerfile, then when you rebuild it'll start from the line before shit broke! The flip side is that cached steps are reused as-is, so an old apt-get update step keeps its stale package index until you rebuild with docker build --no-cache.

Running Things

Right so assuming you've followed along so far you will hopefully have:

    1. Installed Docker and have it running as a service.
    2. Written, copied or edited a Dockerfile.
    3. Built said Dockerfile... Hopefully?

Next is the actual fun part of this whole process, running your newly built container/image. So to achieve this, you can run the following command:

docker run -ti -v /tmp/test:/tmp/test zsec/example

What this will do is run the created image zsec/example. It'll also mount the location /tmp/test on your host system within the docker container, meaning you can read and write files inside and outside of your container. Pair this in a Virtual Machine with VM shared folders and you can create, modify & delete files all the way from your host OS to the container and back again! Amazing right?

Anyways, that command will run our image and launch an interactive shell to let us play. Now if you've downloaded DockerAttack, there are a few images in there for various purposes, and I'm open to additions if you want to contribute.
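To make the run step actually disposable and keep each job's files apart, here is an added wrapper around the docker run command above (not part of the original post or DockerAttack). The names dac, DAC_ROOT, DAC_IMAGE and the /loot and /wordlists container paths are assumptions; --rm and the :ro mount suffix are standard docker run options.

```shell
#!/bin/sh
# Added example, not part of DockerAttack. Hypothetical names: dac, DAC_ROOT,
# DAC_IMAGE, and the /loot and /wordlists paths inside the container.
DAC_ROOT=${DAC_ROOT:-"$HOME/engagements"}   # assumed layout: one directory per engagement
DAC_IMAGE=${DAC_IMAGE:-zsec/example}        # the image built earlier in the post

# dac print NAME  -> print the docker command without running anything
# dac run NAME    -> create the host directories and start the container
dac() {
    mode=$1 name=$2
    # NAME becomes a host path and a container name: allow only a strict
    # alphabet so "../" or spaces cannot point the mount outside DAC_ROOT.
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "dac: invalid engagement name" >&2; return 1 ;;
    esac
    loot=$DAC_ROOT/$name/loot
    lists=$DAC_ROOT/wordlists
    # --rm deletes the container on exit, so only what was written to /loot
    # survives; shared inputs are mounted :ro so the container cannot alter them.
    set -- docker run --rm -ti --name "dac-$name" \
        -v "$loot:/loot" -v "$lists:/wordlists:ro" "$DAC_IMAGE"
    case $mode in
        print) printf '%s\n' "$*" ;;
        run)   ( umask 077 && mkdir -p "$loot" "$lists" ) || return 1
               "$@" ;;
        *)     echo "usage: dac print|run NAME" >&2; return 1 ;;
    esac
}
```

Because the container runs as root by default, files it writes to /loot are owned by root on the host, which is one more reason to mount a dedicated directory rather than a broad path.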

Other Tips

Other than building custom images there is other witchcraft you can do with docker, such as pulling full OSes down to play with and run how you like. So for example, if we wanted an Ubuntu image to do something we could run:

docker pull ubuntu

This will download the latest Ubuntu image from the repositories and drop it into your local repo of images. You can then hop into a shell with the command:

docker run -i -t ubuntu /bin/bash

This will leverage the newly pulled image and land you in a root bash shell on the newly created ubuntu image. Now, using the knowledge gained earlier, you could mount a folder inside this image to interact with your host OS!

To exit the container, just type “exit” on the terminal shell. This will drop you back to the host operating system. Note that when you exit, the container will also be stopped. You can verify by performing another “docker ps -l” command.

You can view what images you've built with the docker images command; here's an example of me running it:

root@r1pe:/home/zsec/lol/# docker images
REPOSITORY                    TAG                 IMAGE ID            CREATED       
dockerattack/attackdeploy     latest              dec395ec65a2        2 weeks ago   
<none>                        <none>              0ba396c020be        2 weeks ago   
<none>                        <none>              caf19f8dd5e0        2 weeks ago   
ruby                          latest              bae0455cb2b9        6 weeks ago   
kalilinux/kali-linux-docker   latest              b8fe82f15421        7 weeks ago   

As you can see from the list above some of the images have no name or tag, this is because they are cached builds of previous images that may have failed at one stage or another...

On top of pulling images, there is all sorts of other fun to be had; you can search the online docker store for a specific image using docker search <search term> and then pull it. This returns the images that mention your search term, so something like docker search kali will bring back all images that mention kali:

root@r1pe:/usr/share/tools/Sn1per# docker search kali
NAME                              DESCRIPTION                                     
kalilinux/kali-linux-docker       Kali Linux Rolling Distribution Base Image     
linuxkonsult/kali-metasploit      Kali base image with metasploit               
jgamblin/kalibrowser              Kali in a Browser                               26
jasonchaffee/kali-linux           Kali Linux Docker Container with the kali-...   11   --SNIP--

The output will show you how many stars the build has, if it's an officially supported image & if it is automated in its deployment, which can all be very useful for other various tasks.

Anyway, hopefully this post has been somewhat useful to you, and you're maybe a little more enlightened about how docker works and what you can do with it. Happy hunting, hacking and playing!