For those of you who follow me on Twitter and the Internet, you might have seen recently I've been playing around with Docker. Frankly if it wasn't for m0rv4i's post on how it all works, I don't think I'd have gotten into it.
Anyway here's my take on using docker for disposable attack images, basically leveraging docker images for Bug Bounties & Pentesting. I produced a repo of images for this purpose called DockerAttack which is going to continue to grow with some bits and pieces over the next few months.
- What this post isn't: Anything new, revolutionary new stuff or witchcraft
- What this post aims to be: My take on docker, how to setup env, run your first image, run the images in DockerAttack & how to fix/modify them.
So if you've not read the post linked above, well here's a too long didn't read on docker. It's basically a way to create mini virtual machines on the fly that contain all the tools you specify. Allowing you to create temporary containers of data for different purposes, an image can be deployed quicker than a bash script and can be run on top of different platforms.
Setting Up Your Environment
Right, so there are about a million guides out there on how to setup Docker... so here's the 1000001th edition. In the DockerAttack repo I've helpfully included a script for Unix OSes that use APT as the package installer, the script pulls all the info needed to install docker and run it as a service:
#!/bin/bash # Docker Install # Where we begin our docker story apt-get update apt-get install -y apt-transport-https ca-certificates apt-get install dirmngr -y apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 \ --recv-keys 58118E89F3A912897C070ADBF76221572C52609D echo 'deb https://apt.dockerproject.org/repo debian-stretch main' > \ /etc/apt/sources.list.d/docker.list apt-get update apt-get install docker-engine -y service docker start
If you're not as far as getting a Virtual Machine (VM) setup, you can do this pretty easily; I actually did a post a few months back how to do such a thing!.
Simply run the script as
root, and it will do the hard work for you, downloading docker and the relevant dependencies.
Once you're all setup with docker, you can start to create & build docker images, either by running the pre-built images I've provided or create your own. You can verify if the Docker daemon is running on your server by running below commands:
service docker status
ps awx | grep docker
Creating a Docker Image
The easiest way to create a docker image is to start out with a dockerfile and work from it, a simple pentesting one for me starts with Kali Linux then adding additional tools. Here's an example:
# Set up the basics # Leverage Kali Base Image FROM kalilinux/kali-linux-docker # Update off the bat RUN apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y # Install the Core RUN apt-get install sudo git wget curl git zip ccze byobu zsh golang ufw python-pip nikto dotdotpwn jsql nmap sqlmap sqlninja thc-ipv6 hydra dirb -y # Prepare RUN apt-get update RUN apt-get dist-upgrade -y # Install normal Packages needed RUN apt-get install -y -u apt-utils unzip nodejs wget curl jruby nano screen htop openssl git RUN echo "That's all folks! You're good to go hack the planet!" # set to bash so you can set keys before running aquatone. ENTRYPOINT ["/bin/bash"] # Set working directory WORKDIR /root/
Having spoken to Rob at length about how all this works, here's my take on things. Essentially this image above will take the default Kali linux docker image then install a bunch of tools that I'd deem as being a decent core to work from for some basic bits and pieces.
Each line in the dockerfile is it's own process so you can't change directory on one line and expect the process to follow, for those actions you'd need to do something like
cd /tmp/ && mkdir lol_test && touch lol_test/test. There are obviously more efficient ways of doing that, but that's an example
So save this as
Dockerfile then to build it you can run:
docker build -t zsec/example .
This will build the image and slap it under the repo zsec, however, you can name this however you like, the dot tells docker to run the Dockerimage if it's in the current path. You can also reference another path so something like:
docker build -t zsec/example /tmp/Example/
...or there is also:
docker build -t zsec/example $(pwd)
This will run a docker image located at
/tmp/Example/Dockerfile, notice only the path is referenced and not the actual file as docker looks for the file automatically in the directory provided.
Anyway once we've got an image built, this should go through the motions of all the things similar to a normal install script however the beauty of docker is if something breaks mid process it will cache this in an image. Basically meaning you can go and fix the dockerfile then when you rebuild it'll start from the line before shit broke!
Right so assuming you've followed along so far you will hopefully have:
- Installed Docker and have it running as a service.
- Written, copied or edited a Dockerfile.
- Built said Dockerfile...Hopefully?
Next is the actual fun part of this whole process, running your newly built container/image. So to achieve this, you can run the following command:
docker run -ti -v /tmp/test:/tmp/test zsec/example
What this will do is run the created image
zsec/example, it'll also mount the location /tmp/test on your host system within the docker container, meaning you can read and write files inside and outside of your container. Pair this in a Virtual Machine with VM shared folders and you can create,modify & delete files all the way from your host OS to the container and back again! Amazing right?
Anyways that command will run our image and launch an interactive shell to let us play. Now if you've downloaded DockerAttack, there are a few images in there for various purposes however open to additions if you want to contribute.
Other than building custom images there is other witchcraft you can do with docker, such as pulling full OSes down to play with and run how you like. So for example, if we wanted an Ubuntu image to do something we could run:
docker pull ubuntu
This will download the latest Ubuntu image from the repositories and drop it into your local repo of images. You can then hop into a shell with the command:
docker run -i -t ubuntu /bin/bash
This will leverage the newly pulled image and land you in a root bash shell on the newly created ubuntu image, now using the knowledge gained earlier you could mount a folder inside this image to interact with your host OS!
To exit the container, just type “exit” on the terminal shell. This will drop you back to the host operating system. Note that when you exit, the container will also be stopped. You can verify by performing another “docker ps -l“ command.
You can view what images you've built with the
docker images, here's an example of me running this command:
[email protected]:/home/zsec/lol/# docker images REPOSITORY TAG IMAGE ID CREATED dockerattack/attackdeploy latest dec395ec65a2 2 weeks ago <none> <none> 0ba396c020be 2 weeks ago <none> <none> caf19f8dd5e0 2 weeks ago ruby latest bae0455cb2b9 6 weeks ago kalilinux/kali-linux-docker latest b8fe82f15421 7 weeks ago
As you can see from the list above some of the images have no name or tag, this is because they are cached builds of previous images that may have failed at one stage or another...
On top of pulling images, there are all sorts of other fun that can be had; you can search the online docker store for a specific image and pull it using
docker search <search term>. This will allow you to search for specific images mentioning your search term, something like docker search kali will bring back all images that mention kali:
[email protected]:/usr/share/tools/Sn1per# docker search kali NAME DESCRIPTION kalilinux/kali-linux-docker Kali Linux Rolling Distribution Base Image linuxkonsult/kali-metasploit Kali base image with metasploit jgamblin/kalibrowser Kali in a Browser 26 jasonchaffee/kali-linux Kali Linux Docker Container with the kali-... 11 --SNIP--
Within the output, it will show you how many stars the build has, if it's an officially supported image & if it is automated in its deployment. Which can all be very useful for other various tasks.
Anyway hopefully this post has been somewhat useful to you, and you're maybe a little more enlightenend about how docker works and what you can do with it. Happy hunting, hacking and playing!
Subscribe to ZeroSec - Adventures In Information Security
Get the latest posts delivered right to your inbox