Use Packer to create docker images

Using Packer (packer.io) to create ephemeral Docker-based penetration testing images.
Example: Egressbuster, which is required to effectively test egress filtering during internal penetration assessments and potentially red teaming.

Install Packer: see https://www.packer.io/downloads.html
Install Docker CE: see https://docs.docker.com/install/linux/docker-ce/ubuntu/
Clone Egressbuster on your Kali VM: see https://github.com/trustedsec/egressbuster


The Packer template (saved as ubuntu.json) is:

{
  "variables": {
    "repository": "ubuntu",
    "tag": "1.0",
    "root_password": null
  },
  "builders": [{
    "type": "docker",
    "author": "",
    "image": "ubuntu:latest",
    "commit": true,
    "changes": [
      "USER ubuntu"
    ]
  }],
  "provisioners": [
    {
      "type": "shell",
      "inline": [
        "apt-get update -y && apt-get install -y sudo",
        "apt-get dist-upgrade -y && apt-get autoremove -y && apt clean -y && apt-get install -y bash-completion curl net-tools iputils-ping git python iptables",
        "sleep 15",
        "groupadd -r ubuntu",
        "useradd -m -d /home/ubuntu -s /bin/bash -r -g ubuntu ubuntu",
        "echo 'ubuntu:newpassword' | chpasswd",
        "adduser ubuntu sudo",
        "cd /home/ubuntu/",
        "git clone https://github.com/trustedsec/egressbuster.git"
      ]
    }
  ],
  "post-processors": [
    {
      "type": "docker-tag",
      "repository": "{{user `repository`}}",
      "tag": "{{user `tag`}}"
    },
    {
      "type": "shell-local",
      "inline": ["echo foo"]
    }
  ]
}



Run Packer to build the image:

sudo packer build -var "repository=ubuntukb" -var "tag=1.0" -var "root_password=somepassword" ubuntu.json

The command below runs the container on the host network with the NET_ADMIN capability, so it can control networking on the host. Egressbuster needs this because it uses iptables.

sudo docker run --cap-add=NET_ADMIN --net=host -it --rm ubuntukb:1.0

Note: --rm makes sure all the container files are removed after we exit from it.
Tip: also consider using --headless

The container already has Egressbuster downloaded to the ubuntu user's home directory. The following is the format of the command:

python egress_listener.py

sudo python egress_listener.py 192.168.1.110 enp0s3 0.0.0.0/0

Note: using 0.0.0.0/0 accepts connections from anywhere.

Then use your personal Kali VM during the test to connect to the C2 VM:

egressbuster.py (optional_flag_shell)

egressbuster.py 192.168.1.110 1-65536

Note: you can optionally use “shell” flag

Security considerations:


  1. The Docker container is run with “Net Admin” (NET_ADMIN) privileges. This is required because the container has to use iptables: we could expose individual ports, but Egressbuster needs all ports, so we use iptables to allow them all.
  2. While the egress container is running, other containers on the same VM that expose ports could conflict with it, so only the Egressbuster container can be used while it’s running.
  3. While running the Packer script, note that you are setting a password for the “root” user. The new user (ubuntu in this example) has its password set as well. Embedding passwords in text files is not best practice :-P. I need to improve on this.
  4. Consider using the source IP address of the client for the egress listener.
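
A check for consideration 3, as an added example that is not part of the original post: it parses a Packer JSON template, lists user variables that are declared but never referenced (root_password in the template above is passed with -var, but no provisioner uses it), and names accounts whose password is a literal piped into chpasswd. The function name audit_template and the trimmed TEMPLATE string are constructed for illustration.

```python
import json
import re

# Constructed sample: credential-relevant parts of the template on this page.
TEMPLATE = r'''
{
  "variables": {"repository": "ubuntu", "tag": "1.0", "root_password": null},
  "provisioners": [{
    "type": "shell",
    "inline": [
      "useradd -m -d /home/ubuntu -s /bin/bash -r -g ubuntu ubuntu",
      "echo 'ubuntu:newpassword' | chpasswd"
    ]
  }],
  "post-processors": [
    {"type": "docker-tag", "repository": "{{user `repository`}}", "tag": "{{user `tag`}}"}
  ]
}
'''

# {{user `name`}} is how a Packer JSON template references a user variable.
USER_REF = re.compile(r"\{\{\s*user\s+`([^`]+)`\s*\}\}")
# A literal user:password pair piped into chpasswd by echo or printf.
LITERAL_CHPASSWD = re.compile(
    r"""(?:echo|printf)\s+(['"]?)([\w.-]+):([^'"$|\s]+)\1\s*\|\s*chpasswd""")


def audit_template(text):
    """Hypothetical helper: return (unused_variables, accounts_with_literal_password)."""
    template = json.loads(text)
    declared = set(template.get("variables", {}))
    # Look for references everywhere except the declarations themselves.
    body = {k: v for k, v in template.items() if k != "variables"}
    referenced = set(USER_REF.findall(json.dumps(body)))
    unused = sorted(declared - referenced)

    hardcoded = []
    for prov in template.get("provisioners", []):
        if prov.get("type") != "shell":
            continue
        for cmd in prov.get("inline", []):
            match = LITERAL_CHPASSWD.search(cmd)
            if match:
                hardcoded.append(match.group(2))  # account name, never the secret
    return unused, hardcoded


if __name__ == "__main__":
    print(audit_template(TEMPLATE))
```

A command that takes the password from an environment variable, such as echo "ubuntu:$USER_PASSWORD" | chpasswd, is not flagged, because the pattern only matches literals.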



Some commands worth remembering:

Pruning: 

$ docker image prune
$ docker container prune
$ docker volume prune
$ docker network prune

Workaround

Image

$ docker rmi $(docker images --filter "dangling=true" -q --no-trunc)
$ docker rmi $(docker images | grep "none" | awk '/ / { print $3 }')

Container

$ docker rm $(docker ps -qa --no-trunc --filter "status=exited")

Volume

$ docker volume rm $(docker volume ls -qf dangling=true)
$ docker volume ls -qf dangling=true | xargs -r docker volume rm

Network

$ docker network rm $(docker network ls | grep "bridge" | awk '/ / { print $1 }')
