Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/righettod/toolbox-pentest-web
Docker toolbox for pentest of web based application.
https://github.com/righettod/toolbox-pentest-web
docker pentesting web
Last synced: about 1 month ago
JSON representation
Docker toolbox for pentest of web based application.
- Host: GitHub
- URL: https://github.com/righettod/toolbox-pentest-web
- Owner: righettod
- License: gpl-3.0
- Created: 2019-12-19T15:43:36.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2024-04-14T06:21:24.000Z (8 months ago)
- Last Synced: 2024-04-14T14:53:15.162Z (8 months ago)
- Topics: docker, pentesting, web
- Language: Python
- Homepage: https://hub.docker.com/r/righettod/toolbox-pentest-web
- Size: 48.1 MB
- Stars: 121
- Watchers: 9
- Forks: 30
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md
Awesome Lists containing this project
- awesome-hacking-lists - righettod/toolbox-pentest-web - Docker toolbox for pentest of web based application. (Python)
README
# :factory: Welcome to my digital forge
đź’š Image full credits go to **Dirk Hoenes**: `https://pixabay.com/users/ptdh-275507`.
![MadeWitVSCode](https://img.shields.io/static/v1?label=Made%20with&message=VisualStudio%20Code&color=blue&?style=for-the-badge&logo=visualstudio) ![MadeWithDocker](https://img.shields.io/static/v1?label=Made%20with&message=Docker&color=blue&?style=for-the-badge&logo=docker) ![AutomatedWith](https://img.shields.io/static/v1?label=Automated%20with&message=GitHub%20Actions&color=blue&?style=for-the-badge&logo=github) ![AuditedWith](https://img.shields.io/static/v1?label=Audited%20with&message=Snyk&color=blueviolet&?style=for-the-badge&logo=snyk)
> [!TIP]
> Even though this box is primarily intended for offensive operation, many tools and scripts can also be used for defensive purposes, for example, in [CI/CD pipelines](https://www.atlassian.com/continuous-delivery/principles/continuous-integration-vs-delivery-vs-deployment) as security validation.đź“’ Quick access:
* [Cheat sheet](docs/README.md).
* [Index of the scripts](docs/10-SCRIPTS_INDEX.md).🎯 The goal of this image is to provide an, always up to date "box", containing materials (tools + scripts) useful in the context of the assessment of a web-based application: site, API, etc.
📢 The image is based on the **[alpine](https://hub.docker.com/_/alpine)** base image. Previously, it was based on the **[kali-rolling](https://hub.docker.com/r/kalilinux/kali-rolling)** image but the final size of the image, once the toolbox was built, was really too heavy (more than 14GB).
:iphone: Recently, I started to add content for mobile assessment to gather information/tools in a single box.
:label: [Issues](https://github.com/righettod/toolbox-pentest-web/labels/idea) with the label `idea`, contains general ideas on a project/code/script/payload/research/etc not necessarily directly linked to the toolbox itself. Indeed, as this project is my central toolbox's forge, I used it also to gather/centralize my ideas.
# :battery: Health status
![Audit the toolbox image](https://github.com/righettod/toolbox-pentest-web/actions/workflows/audit_docker_image.yml/badge.svg?branch=master)
![Check cheat sheet links validity](https://github.com/righettod/toolbox-pentest-web/actions/workflows/check_cheatsheet_external_links.yml/badge.svg?branch=master)
![Update scripts index](https://github.com/righettod/toolbox-pentest-web/actions/workflows/update_scripts_index.yml/badge.svg?branch=master)
![Update nmap scripts index](https://github.com/righettod/toolbox-pentest-web/actions/workflows/update_nmap_scripts_index.yml/badge.svg?branch=master)
![Build and deploy the toolbox image](https://github.com/righettod/toolbox-pentest-web/actions/workflows/build_docker_image.yml/badge.svg?branch=master)
![Build PostgreSQL extension](https://github.com/righettod/toolbox-pentest-web/workflows/Build%20PostgreSQL%20extension/badge.svg?branch=master)
![Build DLL Hijacking library](https://github.com/righettod/toolbox-pentest-web/actions/workflows/build_dll_hijacking_lib.yml/badge.svg?branch=master)
![Build Hash Extender linux binary](https://github.com/righettod/toolbox-pentest-web/actions/workflows/build_hash_extender_binary.yml/badge.svg?branch=master)
# :hammer_and_pick: Box enhancement approach
## Projects
* [SecLists](https://github.com/danielmiessler/SecLists).
* [Nuclei templates](https://github.com/projectdiscovery/nuclei-templates).
* [Param-Miner](https://github.com/PortSwigger/param-miner).## Approach
```mermaid
sequenceDiagram
participant T as Toolbox
participant S as SecLists
participant N as Nuclei templates
participant P as Param-Miner
alt Is a missing discovery dictionary entry
T->>S: Propose a PR with the missing element
S->>T: Get updates from the GitHub repository once the PR is merged
end
alt Is a missing detection generic point
T->>N: Propose a PR with the missing template
N->>T: Get updates from the GitHub repository once the PR is merged
end
alt Is a missing hidden http parameter/header entry
T->>P: Propose a PR with the missing element
P->>T: Get updates from the GitHub repository once the PR is merged
end
alt Is a missing useful existing tool
T->>T: Add the tool in a way to always use the latest version
end
alt Is a missing specific need or without existing tool
T->>T: Add a new custom scripts
end
```# :whale: Toolbox ecosystem
I have created and maintain several public toolboxes (as docker images), for which, the present toolbox `toolbox-pentest-web` is the central one:
```mermaid
mindmap
root["đź’»toolbox-pentest-web"]
id1("🔬toolbox-codescan")
id2("đź“‹toolbox-jwt")
id3("đź“ťtoolbox-regex")
id4("🏹toolbox-patator")
```* [toolbox-pentest-web](https://github.com/righettod/toolbox-pentest-web): Toolbox for pentest of web based application.
* [toolbox-codescan](https://github.com/righettod/toolbox-codescan): Toolbox to perform offline scanning of a code base.
* [toolbox-jwt](https://github.com/righettod/toolbox-jwt): Toolbox with different scripts having for the objective to perform different kinds of attacks against JWT tokens.
* [toolbox-regex](https://github.com/righettod/toolbox-regex): Toolbox to have a local instance of RegExr to create regex against sensitive/private content.
* [toolbox-patator](https://github.com/righettod/toolbox-patator): Toolbox to have a always up to date docker image of the tools named [patator](https://github.com/lanjelot/patator).# :desktop_computer: IDE VSCode
* [Online in Gitpod](https://gitpod.io/#https://github.com/righettod/toolbox-pentest-web)
* [Local in DevContainer](.devcontainer.json)# :books: What does it contain?
## Build
The folder **[build](build)** contains utility internal scripts and materials used to build the docker image.
## Tools
All tools are installed in the folder **/tools** and a transfer zone between the container and the host has been defined via the folder **/tools/reports**.
## Helper scripts
> [!TIP]
> The [index](docs/10-SCRIPTS_INDEX.md) of all the scripts available is automatically updated, at each **push** on the **master** branch, via this [workflow](.github/workflows/update_scripts_index.yml).The folder **[scripts](scripts)** contains helper scripts for some operations using embedded tools.
## Misc
> [!TIP]
> The trial of the software [Foxit PDF Editor](https://www.foxit.com/individuals/) can be used to create custom malicious PDF files.> [!TIP]
> This [app](https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/signature-standalone) or [site](https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/sign-a-document) can be used to generate a `XAdES`/`CAdES`/`PAdES`/`JAdES` signed files.> [!TIP]
> The VBA code, stored in the file [malicious-office-macro-vba.vbs](misc/malicious-office-macro-vba.vbs), can be used to create a custom office malicious file.The folder **[misc](misc)** contains materials that can be used for testing specific cases like for example when an app is using:
* [HTTP Signature](https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-12).
* [eIDAS certificate and key materials](https://digital-strategy.ec.europa.eu/en/policies/eidas-regulation).
* RSA **weak** key pair:
* [RSA 512 bits private key](misc/rsa-512-private.pem) / [RSA 512 bits public key](misc/rsa-512-public.pem).
* [RSA 1024 bits private key](misc/rsa-1024-private.pem) / [RSA 1024 bits public key](misc/rsa-1024-public.pem).
* RSA **[JWK](https://datatracker.ietf.org/doc/html/draft-jones-json-web-key) format** key pair:
* [RSA 2048 bits private key](misc/rsa-2048-private.jwk.json) / [RSA 2048 bits public key](misc/rsa-2048-public.jwk.json)
* Corresponding [JSON Web Key Sets](https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets) [file with the public key only](misc/rsa-2048-public.jwks.json).
* Corresponding [JSON Web Key Sets](https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets) [file with the private key only](misc/rsa-2048-private.jwks.json).
* File upload feature accepting Microsoft Office documents, PDF documents, SVG images and so on:
* [Word 97-2003 format template document](misc/doc-word-doctemplateformat-with-vba-macro.dot) with a VBA macro performing a HTTP GET request to a defined domain.
* [Word 97-2003 format document](misc/doc-word-docformat-with-vba-macro.doc) with a VBA macro performing a HTTP GET request to a defined domain.
* [Word 2003 XML format document](misc/doc-word-wordxmlformat-with-vba-macro.xml) with a VBA macro performing a HTTP GET request to a defined domain.
* [Word OpenXML format document](misc/doc-word-wordopenxmlformat-with-vba-macro.docm) with a VBA macro performing a HTTP GET request to a defined domain.
* [PDF document](misc/doc-pdf-with-link-to-malicious-file.pdf) with a link to a file considered as a malware by some Antivirus or Browsers.
* [PDF document](misc/doc-pdf-with-embedded-lazagne-file.pdf) with an embedded (attached) build of [LaZagne](https://github.com/AlessandroZ/LaZagne) file considered as a malware by some Antivirus or Browsers.
* [PDF document](misc/doc-pdf-with-embedded-malicious-file.pdf) with an embedded (attached) file simulating a malicious file.
* [PDF document](misc/doc-pdf-with-malicious-files-concatenated.pdf) with an malicious file, considered as a malware by some Antivirus or Browsers, concatenated at the end after the delimiter `[NEWFILE]` (see below for the extraction of the malicious file from the pdf).
* [XPS document](misc/doc-xps-with-malicious-apps.xps) embedding files ([LaZagne](https://github.com/AlessandroZ/LaZagne) and [Mimikatz](https://github.com/gentilkiwi/mimikatz)) detected, as malicious programs, by antivirus (at least from [VirusTotal](https://www.virustotal.com/) ones).
* SVG image with an XSS payload, see files `misc/doc-test-xss-*.svg` for the different versions.
* [Java application](misc/malicious-java-app.jar), as an executable jar file compiled for Java 1.8 minimum runtime, performing a HTTP GET request to a defined domain.
* [Go application](misc/malicious-go-app.go), as an native executable, performing a HTTP GET request to a defined domain:
* [Build for Windows 64 bits](misc/malicious-go-app-windows-amd64.exe).
* [Build for Linux 64 bits](misc/malicious-go-app-linux-amd64.bin).đź’» Use the code below to extract the executable file ([LaZagne.exe](https://github.com/AlessandroZ/LaZagne/releases/tag/v2.4.6)) from the PDF file [doc-pdf-with-malicious-files-concatenated.pdf](misc/doc-pdf-with-malicious-files-concatenated.pdf):
```python
delimiter = "5b4e455746494c455d" # String "[NEWFILE]" encoded in HEX
with open("doc-pdf-with-malicious-files-concatenated.pdf", mode="rb") as f:
content_hex = f.read().hex()
delimiter_position = content_hex.find(delimiter)
bin_file_hex = content_hex[delimiter_position + len(delimiter):]
bin_file_bytes = bytes.fromhex(bin_file_hex)
with open("malicious-files.exe", mode="wb") as f:
f.write(bin_file_bytes[1:])
```## Templates
The folder **[templates](templates)** contains several scripts/files that can be used, as a basis for custom scripts, to speed-up the implementation of a POC.
## Dictionaries
The folder **[dictionaries](dictionaries)** contains several, home-made custom dictionaries, that can be used for discovery operations.
## Technical hints
This **[file](docs/README.md)** contains several technical hints for different kinds of context/issues/goals.
đź’» It's my tailor made cheat sheet.
# :hammer: Build image locally
Use the following set of commands:
```bash
$ git clone https://github.com/righettod/toolbox-pentest-web.git
$ cd toolbox-pentest-web
$ docker build . -t righettod/toolbox-pentest-web --file Dockerfile
...
```# :bookmark_tabs: Container usage
## On a docker host for direct access
### Native docker on Linux or MacOS
```bash
# Create a volume to share files with the container (ex: reports)
$ docker volume create --name shared_space
$ docker volume inspect shared_space
# Run container
$ docker run -v shared_space:/tools/reports -p 127.0.0.1:80:80 -i -t righettod/toolbox-pentest-web /bin/zsh
$ docker run -v shared_space:/tools/reports -p 192.168.206.128:80:80 -p 192.168.206.128:443:443 -i -t righettod/toolbox-pentest-web /bin/zsh
# Build image into local cache
$ docker build -t righettod/toolbox-pentest-web .
# Remove image from local cache
$ docker rmi -f righettod/toolbox-pentest-web
```### Docker for Windows
```bat
rem Run container and defines a shared folder
C:\> docker run -v F:/SharedFolder:/tools/reports -p 127.0.0.1:80:80 -i -t righettod/toolbox-pentest-web /bin/zsh
```## For remote ssh access
> [!CAUTION]
> Private key to use for SSH authentication is [here](ssh-private-key.pem). This box is intended to be used as a toolbox for a **short running period**.> [!IMPORTANT]
> When deployed on Kubernetes, the **SYS_CHROOT** / **AUDIT_WRITE** / **NET_RAW** capabilities are required in the security context.1. Run the container on the target docker host using the following command line:
```bash
$ docker run -p 22:22 righettod/toolbox-pentest-web
Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.
...
```2. Access the container, via SSH, using the following command:
```bash
$ ssh -i ~/.ssh/ssh-private-key.pem root@[DOCKER_HOST_IP]
âžś ~
```Add `"StrictHostKeyChecking=no"` in case of trouble with the remote keys because they are unique for each built image:
```bash
$ ssh -o "StrictHostKeyChecking=no" -i ~/.ssh/toolbox-ssh-private-key.pem root@[DOCKER_HOST_IP]
âžś ~
```# :package: Container registries
Image is published into the following registries, every week, via this [workflow](https://github.com/righettod/toolbox-pentest-web/actions):
* [DockerHub](https://hub.docker.com/r/righettod/toolbox-pentest-web) container registry.
* [GitHub](https://github.com/righettod/toolbox-pentest-web/pkgs/container/toolbox-pentest-web) container registry.# :shield: Security
* Refer [here](SECURITY.md) for information about reporting a vulnerability.
* Image is audited every week, by [Snyk](https://snyk.io/) and this [workflow](https://github.com/righettod/toolbox-pentest-web/actions/workflows/audit_docker_image.yml), to detect presence of any vulnerability.