A small arsenal of useful docker containers and a script to easy start, stop and manage them.
Project description
Container Arsenal
container-arsenal (car) is a collection of docker containers that have been proven to be useful during security assessments / CTFs. Each container is represented by a docker-compose file and its corresponding resources. Additionally, container arsenal ships a Python script that can be used to manage the containers.
Description
During a security assessment it is often required to install additional services on your attacking machine. Some common examples include:
- Hosting a FTP server to provide a payload that can be loaded via XXE.
- Hosting a SAMBA share to allow file sharing with a Windows machine.
- Hosting a WebDaV server to allow easy uploads from a remote host.
- Hosting a ssh server to forward ports via remote port forwarding.
- Hosting an AJP proxy to connect to tomcat's JSERV ports.
- [...]
While I'm usually working on a VM with snapshots from a clean state, installing these kind of services feels still wrong. I always get the feeling that I pollute my machine with stuff that I actually do not want to be on it.
Docker becomes more and more popular among pentesters. To be honest, I think a lot of people overdo it a little bit and when they start to run everything inside a dedicated container. However, for the services mentioned above, Docker seems to be ideal to get an easy manageable solution.
Installation
car can be build and installed as a pip package. The following command installs car for your current user profile:
$ pip3 install car
You can also build car from source by running the following commands:
$ git clone https://github.com/qtc-de/container-arsenal
$ cd container-arsenal
$ python3 setup.py sdist
$ pip3 install dist/*
Additionally, car ships a bash-completion script. The completion script is installed automatically, but relies on the completion-helpers package. If completion-helpers is already installed, autocompletion for car should work after installing the pip package. Otherwise, you may need to copy the completion script manually:
$ cp car/resources/bash_completion.d/car ~/.bash_completion.d
Example Workflow
Imagine you play a CTF and want to forward a port from a remote Linux host there you only have a non interactive reverse shell. You can use a SSH server for this purpose and you want to create one quickly on the fly. With the container-arsenal installed, you would just type:
[pentester@kali ~]$ car run ssh
[+] Resource folder '/home/pentester/arsenal/ssh' does not exist.
[+] Creating new resource folder.
[+] Running: 'sudo car_ssh_folder=/home/pentester/arsenal/ssh car_ssh_port=22 docker-compose up'
Creating network "ssh_default" with the default driver
Creating car.ssh ... done
Attaching to car.ssh
car.ssh | [+] IP address of the container: 172.19.0.2
car.ssh | [+] No password was specified.
car.ssh | [+] Generated random password for user 'default': 1C4GMsSq
car.ssh | [+] Adjusting volume permissions.
car.ssh | [+] Creating login log.
car.ssh | [+] Starting sshd
And your ssh server is up and running. As you can see, a random 8-digit password is created automatically for the user default
and a resource folder on your local filesystem ~/arsenal/ssh
was created. To verify that everything is working one can ssh
into the container and create a file. The corresponding file can then be found inside the corresponding resource folder:
[pentester@kali ~]$ ssh 127.0.0.1 -l default
default@127.0.0.1's password:
~ $ echo test > file
~ $ Connection to 127.0.0.1 closed.
[pentester@kali ~]$ ls -l arsenal/ssh/file
-rw-r--r-- 1 pentester pentester 5 Aug 6 18:00 arsenal/ssh/file
To stop the container, you can simply close it from the launching terminal by pressing ctrl-c
or you launch car stop ssh
from a different terminal.
[pentester@kali ~]$ car stop ssh
[+] Running: 'sudo car_ssh_folder=/home/pentester/arsenal/ssh car_ssh_port=22 docker-compose stop'
Stopping car.ssh ... done
The resource folder of the corresponding container will stay alive and can be reused on the next startup. If you want to start with a
clean resource folder, you could either remove it manually or run car clean ssh
like in this example:
[pentester@kali ~]$ car clean ssh
[+] Removing top level resource folder '/home/pentester/arsenal/ssh' (container: ssh)
Available Containers
The following paragraph lists all currently available containers inside the arsenal. Notice that each container folder contains a separate README.md where you can find more specific information about the corresponding container. Just click on the links listed below:
- ajp - AJP proxy server to access JSERV ports via HTTP.
- ftp - vsftpd server that allows authenticated and anonymous access.
- h2b - A http-to-binary proxy that allows accessing non-HTTP services via HTTP.
- mysql - Just a mysql server with randomly generated, password protected user accounts.
- neo4j - Plain Neo4j database. Useful for tools like BloodHound.
- nginx - nginx server with WebDav enabled. Supports HTTP and HTTPS.
- samba - samba share that supports authenticated and anonymous access.
- ssh - ssh server with randomly generated user account. Remote port-forwarding is enabled.
- tftp - A simple tftp server.
Configuration
After installing the container-arsenal, a configuration file will be placed at ~/.config/car/car.toml
.
This configuration file contains default mappings for the provided containers. The configuration for the
samba container looks for example like this:
[containers]
volume_base_path = "~/arsenal"
[...]
[containers.samba]
samba_folder = "<@:BASE:@>/samba"
public_folder = "<@:BASE:@>/samba/public"
private_folder = "<@:BASE:@>/samba/private"
nb_port= "139"
smb_port = "445"
As you can see, the configuration file does specify a volume_base_path, which is by default set to ~/arsenal
.
This is there your container volumes will be stored. The individual locations for the volumes are configured
in the different container sections. The above samba container will run with two volumes that will be mapped
to ~/arsenal/samba/public
and ~/arsenal/samba/private
.
The top level folder ~/arsenal/samba
is also included in the configuration file, but will not be mapped into
the container. Each container needs a top level folder definition with the naming scheme <CONTAINER_NAME>_folder
.
car needs this top level folder information for managing resource and permissions. For containers that do not
require subfolders, like the ssh container, a top level folder is even sufficient.
Internally, the folder definitions from the cat.toml
file are just included into the docker-compose.yml
file of the corresponding container. The docker-compose.yml
of the samba container does look like this:
version: '3.7'
services:
car.samba:
container_name: car.samba
image: car/samba
build: .
volumes:
- ${car_public_folder}:/share/public
- ${car_private_folder}:/share/private
- ./scripts/start.sh:/scripts/start.sh
- ./config/smb.conf:/config/smb.conf
- ./config/supervisord.conf:/config/supervisord.conf
ports:
- "${car_nb_port}:139"
- "${car_smb_port}:445"
If you want persistent configuration changes, the car.toml
file is the correct location to make these. However,
sometimes you want only some quick changes that only apply for one particular situation. In this case, mirroring is the
recommended solution. As an example, imagine that you need a ssh container that is running on port 2222 instead of 22.
In this case, the first step you take is to mirror the ssh container:
[pentester@kali ~]$ car mirror ssh
[+] Copying base folder of container 'ssh' to current working directory.
[+] Done.
[pentester@kali ~]$ ls -l ssh/
total 28
-rw-r--r-- 1 pentester pentester 849 Aug 6 17:57 Dockerfile
-rw-r--r-- 1 pentester pentester 1590 Aug 6 17:57 README.md
drwxr-xr-x 2 pentester pentester 4096 Aug 6 17:57 config
-rw-r--r-- 1 pentester pentester 382 Aug 6 18:05 docker-compose.yml
drwxr-xr-x 2 pentester pentester 4096 Aug 6 17:57 resources
drwxr-xr-x 2 pentester pentester 4096 Aug 6 17:57 scripts
-rwxr-xr-x 1 pentester pentester 913 Aug 6 17:57 toggle-root.sh
As you can see, mirroring just copies the directory of the corresponding docker container to your current working directory. Inside
this directory you can find all files that were used for the container configuration. Inside the docker-compose.yml
file, all environment variables that were mentioned before, are replaced by their default values. A mirrored docker-compose.yml
looks therefore like this:
version: '3.7'
services:
car.ssh:
container_name: car.ssh
image: car/ssh
build: .
volumes:
- /home/pentester/arsenal/ssh:/home/default
- ./scripts/start.sh:/scripts/start.sh
- ./config/sshd_config:/etc/sshd/sshd_config
ports:
- "22:22"
If you want to apply your custom port change now, you can simply modify the mapping inside the docker-compose.yml
and then run:
[pentester@kali ssh]$ car run .
[+] Running: 'sudo docker-compose up'
Recreating car.ssh ... done
Attaching to car.ssh
car.ssh | [+] IP address of the container: 172.19.0.2
car.ssh | [+] No password was specified.
car.ssh | [+] Generated random password for user 'default': uXWO2tDB
car.ssh | [+] Adjusting volume permissions.
car.ssh | [+] Creating login log.
car.ssh | [+] Starting sshd
On another terminal, we can quickly verify that the ssh server is now exposed on port 2222:
[pentester@kali ~]$ ss -tln
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 4096 *:2222 *:*
LISTEN 0 128 [::]:111 [::]:*
Acknowledgements
When creating the containers for this project I looked on many different repositories for useful Dockerfiles. Certain parts of the Dockerfiles provided inside this repository are probably very similar to the one of other repositories. I did not wrote down all the references, but If you think that your name should be listed here, feel free to contact me.
For all the others I want to say thank your for providing access to their Dockerfiles on Github <3
Further Notes
The code of this repository was written on the fly. In some locations it is a little bit ugly and may contains some bugs. It could even be that
it harms your system, since user input from the car.toml
file does not get sanitized and is used in subprocess
calls from python. I will improve
the project in these regards and be happy for each suggestion. If you just use the version from this repository without any modifications on the car.toml
file, it should be quite secure, but again: no guarantees!
Copyright 2020, Tobias Neitzel and the container-arsenal contributors.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.