👏 Image full credits goes to Dirk Hoenes: https://pixabay.com/users/ptdh-275507.

🎯 The goal of this image is to provide an, always up-to-date "box", containing materials (tools + scripts) useful in the context of the assessment of a web based application: site, api, etc.

⚙️ The image is based on the kali-rolling base image without any metapackage installed.

📱 Recently, I started to add content for mobile assessment to gather informations/tools in a single box.

Image above was created with Draw.io. The source XML file is here.

The folder build contains utility internal scripts used to build the docker image.

All tools are installed in the folder /tools and a transfert zone between the container and the host has been defined via the folder /tools/reports.

The folder scripts contains helper scripts for some operations using embedded tools.

The folder misc contains materials that can be used for testing specific cases like for example when an app is using:

• HTTP Signature.
• eIDAS certifcate and key materials.

The folder templates contains several scripts/files that can be used as basis for custom scripts to speed-up the implementation of a POC.

The folder dictionaries contains several home made custom dictionaries that can be used for discovery operations.

This file contains several technicals hints for differents kinds of context/issues/goals.

👀 It's a kind of cheat sheet.

Use the following set of commands:

$ git clone https://github.com/righettod/toolbox-pentest-web.git
$ cd toolbox-pentest-web
$ docker build . -t righettod/toolbox-pentest-web --file Dockerfile
...

Native docker on Linux or MacOS:

# Create a volume to share files with the container (ex: reports)
$ docker volume create --name shared_space
$ docker volume inspect shared_space
# Run container
$ docker run -v shared_space:/tools/reports -p 127.0.0.1:80:80 -i -t righettod/toolbox-pentest-web /bin/zsh
$ docker run -v shared_space:/tools/reports -p 192.168.206.128:80:80 -p 192.168.206.128:443:443 -i -t righettod/toolbox-pentest-web /bin/zsh
# Build image into local cache
$ docker build -t righettod/toolbox-pentest-web .
# Remove image from local cache
$ docker rmi -f righettod/toolbox-pentest-web

Docker for Windows:

rem Run container and define a shared folder
C:\> docker run -v F:/SharedFolder:/tools/reports -p 127.0.0.1:80:80 -i -t righettod/toolbox-pentest-web /bin/zsh

Private key to use for SSH authentication is here.

This box is intented to be used as toolbox for a short running period.

1. Run the container on the target docker host using the following command line:

$ docker run -p 22:22 righettod/toolbox-pentest-web
Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.
...

2. Access the container, via SSH, using the following command:

$ ssh -i ~/.ssh/ssh-private-key.pem root@[DOCKER_HOST_IP]
➜  ~

Add "StrictHostKeyChecking=no" in case of trouble with the remote keys because they are unique for each built image:

$ ssh -o "StrictHostKeyChecking=no" -i ~/.ssh/toolbox-ssh-private-key.pem root@[DOCKER_HOST_IP]
➜  ~

Image is published here each day or at each commit on the master branch.