{"id":13845226,"url":"https://github.com/righettod/toolbox-pentest-web","last_synced_at":"2025-03-24T03:31:10.038Z","repository":{"id":38321249,"uuid":"229086699","full_name":"righettod/toolbox-pentest-web","owner":"righettod","description":"Docker toolbox for pentest of web based application.","archived":false,"fork":false,"pushed_at":"2024-04-14T06:21:24.000Z","size":50483,"stargazers_count":121,"open_issues_count":2,"forks_count":30,"subscribers_count":9,"default_branch":"master","last_synced_at":"2024-04-14T14:53:15.162Z","etag":null,"topics":["docker","pentesting","web"],"latest_commit_sha":null,"homepage":"https://hub.docker.com/r/righettod/toolbox-pentest-web","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/righettod.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2019-12-19T15:43:36.000Z","updated_at":"2024-04-15T18:01:07.495Z","dependencies_parsed_at":"2024-04-15T18:11:10.233Z","dependency_job_id":null,"html_url":"https://github.com/righettod/toolbox-pentest-web","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Ftoolbox-pentest-web","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Ftoolbox-pentest-web/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Ftoolbox-pentest-web/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Ftoolbox-pentest-web/
manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/righettod","download_url":"https://codeload.github.com/righettod/toolbox-pentest-web/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245204484,"owners_count":20577359,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","pentesting","web"],"created_at":"2024-08-04T17:03:16.741Z","updated_at":"2025-03-24T03:31:05.022Z","avatar_url":"https://github.com/righettod.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# :factory: Welcome to my digital forge\n\n💚 Image full credits go to **Dirk Hoenes**: `https://pixabay.com/users/ptdh-275507`.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"forge.jpg\"\u003e\u003c/p\u003e\n\n![MadeWitVSCode](https://img.shields.io/static/v1?label=Made%20with\u0026message=VisualStudio%20Code\u0026color=blue\u0026?style=for-the-badge\u0026logo=visualstudio) ![MadeWithDocker](https://img.shields.io/static/v1?label=Made%20with\u0026message=Docker\u0026color=blue\u0026?style=for-the-badge\u0026logo=docker) ![AutomatedWith](https://img.shields.io/static/v1?label=Automated%20with\u0026message=GitHub%20Actions\u0026color=blue\u0026?style=for-the-badge\u0026logo=github) ![AuditedWith](https://img.shields.io/static/v1?label=Audited%20with\u0026message=Snyk\u0026color=blueviolet\u0026?style=for-the-badge\u0026logo=snyk)\n\n\u003e [!TIP]\n\u003e Even though this box is primarily intended for offensive operation, many tools and scripts can also be used for defensive 
purposes, for example, in [CI/CD pipelines](https://www.atlassian.com/continuous-delivery/principles/continuous-integration-vs-delivery-vs-deployment) as security validation.\n\n📒 Quick access:\n\n* [Cheat sheet](docs/README.md).\n* [Index of the scripts](docs/10-SCRIPTS_INDEX.md).\n\n🎯 The goal of this image is to provide an always up-to-date \"box\" containing materials (tools + scripts) useful in the context of the assessment of a web-based application: site, API, etc.\n\n📢 The image is based on the **[alpine](https://hub.docker.com/_/alpine)** base image. Previously, it was based on the **[kali-rolling](https://hub.docker.com/r/kalilinux/kali-rolling)** image, but the final size of the image, once the toolbox was built, was far too large (more than 14GB).\n\n:iphone: Recently, I started to add content for mobile assessment to gather information/tools in a single box.\n\n:label: [Issues](https://github.com/righettod/toolbox-pentest-web/labels/idea) with the label `idea` contain general ideas on a project/code/script/payload/research/etc. not necessarily directly linked to the toolbox itself. 
Indeed, as this project is my central toolbox's forge, I also use it to gather/centralize my ideas.\n\n# :battery: Health status\n\n![Audit the toolbox image](https://github.com/righettod/toolbox-pentest-web/actions/workflows/audit_docker_image.yml/badge.svg?branch=master)\n\n![Check cheat sheet links validity](https://github.com/righettod/toolbox-pentest-web/actions/workflows/check_cheatsheet_external_links.yml/badge.svg?branch=master)\n\n![Update scripts index](https://github.com/righettod/toolbox-pentest-web/actions/workflows/update_scripts_index.yml/badge.svg?branch=master)\n\n![Update nmap scripts index](https://github.com/righettod/toolbox-pentest-web/actions/workflows/update_nmap_scripts_index.yml/badge.svg?branch=master)\n\n![Build and deploy the toolbox image](https://github.com/righettod/toolbox-pentest-web/actions/workflows/build_docker_image.yml/badge.svg?branch=master)\n\n![Build PostgreSQL extension](https://github.com/righettod/toolbox-pentest-web/workflows/Build%20PostgreSQL%20extension/badge.svg?branch=master)\n\n![Build DLL Hijacking library](https://github.com/righettod/toolbox-pentest-web/actions/workflows/build_dll_hijacking_lib.yml/badge.svg?branch=master)\n\n![Build Hash Extender linux binary](https://github.com/righettod/toolbox-pentest-web/actions/workflows/build_hash_extender_binary.yml/badge.svg?branch=master)\n\n# :hammer_and_pick: Box enhancement approach\n\n## Projects\n\n* [SecLists](https://github.com/danielmiessler/SecLists).\n* [Nuclei templates](https://github.com/projectdiscovery/nuclei-templates).\n* [Param-Miner](https://github.com/PortSwigger/param-miner).\n\n## Approach\n\n```mermaid\nsequenceDiagram\n    participant T as Toolbox\n    participant S as SecLists\n    participant N as Nuclei templates\n    participant P as Param-Miner\n    alt Is a missing discovery dictionary entry\n        T-\u003e\u003eS: Propose a PR with the missing element\n        S-\u003e\u003eT: Get updates from the GitHub repository once the PR is 
merged\n    end\n    alt Is a missing generic detection point\n        T-\u003e\u003eN: Propose a PR with the missing template\n        N-\u003e\u003eT: Get updates from the GitHub repository once the PR is merged\n    end\n    alt Is a missing hidden http parameter/header entry\n        T-\u003e\u003eP: Propose a PR with the missing element\n        P-\u003e\u003eT: Get updates from the GitHub repository once the PR is merged\n    end\n    alt Is a missing useful existing tool\n        T-\u003e\u003eT: Add the tool in a way to always use the latest version\n    end\n    alt Is a specific need without an existing tool\n        T-\u003e\u003eT: Add a new custom script\n    end\n```\n\n# :whale: Toolbox ecosystem\n\nI have created and maintain several public toolboxes (as docker images), of which the present toolbox `toolbox-pentest-web` is the central one:\n\n```mermaid\nmindmap\n  root[\"💻toolbox-pentest-web\"]\n    id1(\"🔬toolbox-codescan\")\n    id2(\"📋toolbox-jwt\")\n    id3(\"📝toolbox-regex\")\n    id4(\"🏹toolbox-patator\")\n```\n\n* [toolbox-pentest-web](https://github.com/righettod/toolbox-pentest-web): Toolbox for pentest of web-based applications.\n* [toolbox-codescan](https://github.com/righettod/toolbox-codescan): Toolbox to perform offline scanning of a code base.\n* [toolbox-jwt](https://github.com/righettod/toolbox-jwt): Toolbox with different scripts whose objective is to perform different kinds of attacks against JWT tokens.\n* [toolbox-regex](https://github.com/righettod/toolbox-regex): Toolbox to have a local instance of RegExr to create regexes against sensitive/private content.\n* [toolbox-patator](https://github.com/righettod/toolbox-patator): Toolbox to have an always up-to-date docker image of the tool named [patator](https://github.com/lanjelot/patator).\n\n# :desktop_computer: IDE VSCode\n\n* [Online in Gitpod](https://gitpod.io/#https://github.com/righettod/toolbox-pentest-web)\n* [Local in 
DevContainer](.devcontainer.json)\n\n# :books: What does it contain?\n\n## Build\n\nThe folder **[build](build)** contains utility internal scripts and materials used to build the docker image.\n\n## Tools\n\nAll tools are installed in the folder **/tools**, and a transfer zone between the container and the host has been defined via the folder **/tools/reports**.\n\n## Helper scripts\n\n\u003e [!TIP]\n\u003e The [index](docs/10-SCRIPTS_INDEX.md) of all the scripts available is automatically updated, at each **push** on the **master** branch, via this [workflow](.github/workflows/update_scripts_index.yml).\n\nThe folder **[scripts](scripts)** contains helper scripts for some operations using embedded tools.\n\n## Misc\n\n\u003e [!TIP]\n\u003e The trial of the software [Foxit PDF Editor](https://www.foxit.com/individuals/) can be used to create custom malicious PDF files.\n\n\u003e [!TIP]\n\u003e This [app](https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/signature-standalone) or [site](https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/sign-a-document) can be used to generate `XAdES`/`CAdES`/`PAdES`/`JAdES` signed files.\n\n\u003e [!TIP]\n\u003e The VBA code, stored in the file [malicious-office-macro-vba.vbs](misc/malicious-office-macro-vba.vbs), can be used to create a custom malicious Office file.\n\nThe folder **[misc](misc)** contains materials that can be used for testing specific cases, for example when an app uses:\n\n* [HTTP Signature](https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-12).\n* [eIDAS certificate and key materials](https://digital-strategy.ec.europa.eu/en/policies/eidas-regulation).\n* RSA **weak** key pair:\n  * [RSA 512 bits private key](misc/rsa-512-private.pem) / [RSA 512 bits public key](misc/rsa-512-public.pem).\n  * [RSA 1024 bits private key](misc/rsa-1024-private.pem) / [RSA 1024 bits public key](misc/rsa-1024-public.pem).\n* RSA 
**[JWK](https://datatracker.ietf.org/doc/html/draft-jones-json-web-key) format** key pair:\n  * [RSA 2048 bits private key](misc/rsa-2048-private.jwk.json) / [RSA 2048 bits public key](misc/rsa-2048-public.jwk.json).\n  * Corresponding [JSON Web Key Sets](https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets) [file with the public key only](misc/rsa-2048-public.jwks.json).\n  * Corresponding [JSON Web Key Sets](https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets) [file with the private key only](misc/rsa-2048-private.jwks.json).\n* File upload feature accepting Microsoft Office documents, PDF documents, SVG images and so on:\n  * [Word 97-2003 format template document](misc/doc-word-doctemplateformat-with-vba-macro.dot) with a VBA macro performing an HTTP GET request to a defined domain.\n  * [Word 97-2003 format document](misc/doc-word-docformat-with-vba-macro.doc) with a VBA macro performing an HTTP GET request to a defined domain.\n  * [Word 2003 XML format document](misc/doc-word-wordxmlformat-with-vba-macro.xml) with a VBA macro performing an HTTP GET request to a defined domain.\n  * [Word OpenXML format document](misc/doc-word-wordopenxmlformat-with-vba-macro.docm) with a VBA macro performing an HTTP GET request to a defined domain.\n  * [PDF document](misc/doc-pdf-with-link-to-malicious-file.pdf) with a link to a file considered as malware by some antivirus products or browsers.\n  * [PDF document](misc/doc-pdf-with-embedded-lazagne-file.pdf) with an embedded (attached) build of [LaZagne](https://github.com/AlessandroZ/LaZagne), a file considered as malware by some antivirus products or browsers.\n  * [PDF document](misc/doc-pdf-with-embedded-malicious-file.pdf) with an embedded (attached) file simulating a malicious file.\n  * [PDF document](misc/doc-pdf-with-malicious-files-concatenated.pdf) with a malicious file, considered as malware by some antivirus products or browsers, concatenated at the end after the delimiter `[NEWFILE]` (see below for 
the extraction of the malicious file from the pdf).\n  * [XPS document](misc/doc-xps-with-malicious-apps.xps) embedding files ([LaZagne](https://github.com/AlessandroZ/LaZagne) and [Mimikatz](https://github.com/gentilkiwi/mimikatz)) detected as malicious programs by antivirus engines (at least those of [VirusTotal](https://www.virustotal.com/)).\n  * SVG image with an XSS payload, see files `misc/doc-test-xss-*.svg` for the different versions.\n  * [Java application](misc/malicious-java-app.jar), as an executable jar file compiled for Java 1.8 minimum runtime, performing an HTTP GET request to a defined domain.\n  * [Go application](misc/malicious-go-app.go), as a native executable, performing an HTTP GET request to a defined domain:\n    * [Build for Windows 64 bits](misc/malicious-go-app-windows-amd64.exe).\n    * [Build for Linux 64 bits](misc/malicious-go-app-linux-amd64.bin).\n\n💻 Use the code below to extract the executable file ([LaZagne.exe](https://github.com/AlessandroZ/LaZagne/releases/tag/v2.4.6)) from the PDF file [doc-pdf-with-malicious-files-concatenated.pdf](misc/doc-pdf-with-malicious-files-concatenated.pdf):\n\n```python\ndelimiter = b\"[NEWFILE]\"  # Marker placed between the PDF content and the concatenated file\nwith open(\"doc-pdf-with-malicious-files-concatenated.pdf\", mode=\"rb\") as f:\n    content = f.read()\n# Search the raw bytes directly (no hex conversion, so a match cannot be misaligned)\ndelimiter_position = content.find(delimiter)\nif delimiter_position == -1:\n    raise SystemExit(\"Delimiter not found in the PDF file\")\nbin_file_bytes = content[delimiter_position + len(delimiter):]\nwith open(\"malicious-files.exe\", mode=\"wb\") as f:\n    # Skip the single separator byte that follows the delimiter\n    f.write(bin_file_bytes[1:])\n```\n\n## Templates\n\nThe folder **[templates](templates)** contains several scripts/files that can be used, as a basis for custom scripts, to speed up the implementation of a POC.\n\n## Dictionaries\n\nThe folder **[dictionaries](dictionaries)** contains several home-made custom dictionaries that can be used for discovery operations.\n\n## Technical hints\n\nThis **[file](docs/README.md)** contains 
several technical hints for different kinds of context/issues/goals.\n\n💻 It's my tailor-made cheat sheet.\n\n# :hammer: Build image locally\n\nUse the following set of commands:\n\n```bash\n$ git clone https://github.com/righettod/toolbox-pentest-web.git\n$ cd toolbox-pentest-web\n$ docker build . -t righettod/toolbox-pentest-web --file Dockerfile\n...\n```\n\n# :bookmark_tabs: Container usage\n\n## On a docker host for direct access\n\n### Native docker on Linux or MacOS\n\n```bash\n# Create a volume to share files with the container (ex: reports)\n$ docker volume create --name shared_space\n$ docker volume inspect shared_space\n# Run container\n$ docker run -v shared_space:/tools/reports -p 127.0.0.1:80:80 -i -t righettod/toolbox-pentest-web /bin/zsh\n$ docker run -v shared_space:/tools/reports -p 192.168.206.128:80:80 -p 192.168.206.128:443:443 -i -t righettod/toolbox-pentest-web /bin/zsh\n# Build image into local cache\n$ docker build -t righettod/toolbox-pentest-web .\n# Remove image from local cache\n$ docker rmi -f righettod/toolbox-pentest-web\n```\n\n### Docker for Windows\n\n```bat\nrem Run container and define a shared folder\nC:\\\u003e docker run -v F:/SharedFolder:/tools/reports -p 127.0.0.1:80:80 -i -t righettod/toolbox-pentest-web /bin/zsh\n```\n\n## For remote ssh access\n\n\u003e [!CAUTION]\n\u003e The private key to use for SSH authentication is [here](ssh-private-key.pem). This box is intended to be used as a toolbox for a **short running period**.\n\n\u003e [!IMPORTANT]\n\u003e When deployed on Kubernetes, the **SYS_CHROOT** / **AUDIT_WRITE** / **NET_RAW** capabilities are required in the security context.\n\n1. Run the container on the target docker host using the following command line:\n\n```bash\n$ docker run -p 22:22 righettod/toolbox-pentest-web\nServer listening on 0.0.0.0 port 22.\nServer listening on :: port 22.\n...\n```\n\n2. 
Access the container, via SSH, using the following command:\n\n```bash\n$ ssh -i ~/.ssh/ssh-private-key.pem root@[DOCKER_HOST_IP]\n➜  ~\n```\n\nAdd `\"StrictHostKeyChecking=no\"` in case of trouble with the remote host keys, because they are unique to each built image:\n\n```bash\n$ ssh -o \"StrictHostKeyChecking=no\" -i ~/.ssh/toolbox-ssh-private-key.pem root@[DOCKER_HOST_IP]\n➜  ~\n```\n\n# :package: Container registries\n\nThe image is published to the following registries, every week, via this [workflow](https://github.com/righettod/toolbox-pentest-web/actions):\n\n* [DockerHub](https://hub.docker.com/r/righettod/toolbox-pentest-web) container registry.\n* [GitHub](https://github.com/righettod/toolbox-pentest-web/pkgs/container/toolbox-pentest-web) container registry.\n\n# :shield: Security\n\n* Refer [here](SECURITY.md) for information about reporting a vulnerability.\n* The image is audited every week, by [Snyk](https://snyk.io/) and this [workflow](https://github.com/righettod/toolbox-pentest-web/actions/workflows/audit_docker_image.yml), to detect the presence of any vulnerability.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frighettod%2Ftoolbox-pentest-web","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frighettod%2Ftoolbox-pentest-web","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frighettod%2Ftoolbox-pentest-web/lists"}