Use Packer to create docker images
Using Packer (packer.io) to create ephemeral, Docker-based penetration-testing images.
Example: Egressbuster. This is required to effectively test egress filtering during internal penetration assessments and, potentially, red teaming.
Install Packer: see https://www.packer.io/downloads.html
Install Docker CE: see https://docs.docker.com/install/linux/docker-ce/ubuntu/
Clone Egressbuster on your Kali VM: see https://github.com/trustedsec/egressbuster
The Packer template (ubuntu.json) is:
{
  "variables": {
    "repository": "ubuntu",
    "tag": "1.0",
    "root_password": null
  },
  "builders": [{
    "type": "docker",
    "author": "",
    "image": "ubuntu:latest",
    "commit": true,
    "changes": [
      "USER ubuntu"
    ]
  }],
  "provisioners": [
    {
      "type": "shell",
      "inline": [
        "apt-get update -y && apt-get install -y sudo",
        "apt-get dist-upgrade -y && apt-get autoremove -y && apt clean -y && apt-get install -y bash-completion curl net-tools iputils-ping git python iptables",
        "sleep 15",
        "groupadd -r ubuntu",
        "useradd -m -d /home/ubuntu -s /bin/bash -r -g ubuntu ubuntu",
        "echo 'ubuntu:newpassword' | chpasswd",
        "adduser ubuntu sudo",
        "cd /home/ubuntu/",
        "git clone https://github.com/trustedsec/egressbuster.git"
      ]
    }
  ],
  "post-processors": [
    {
      "type": "docker-tag",
      "repository": "{{user `repository`}}",
      "tag": "{{user `tag`}}"
    },
    {
      "type": "shell-local",
      "inline": ["echo foo"]
    }
  ]
}
Run Packer to build the image:
sudo packer build -var "repository=ubuntukb" -var "tag=1.0" -var "root_password=somepassword" ubuntu.json
The command below gives the container the capabilities it needs to control networking on the host, so that it can run Egressbuster (which needs iptables):
sudo docker run --cap-add=NET_ADMIN --net=host -it --rm ubuntukb:1.0
Note: --rm makes sure the container's files are removed after you exit it.
Tip: also consider using --headless.
The container already has Egressbuster cloned into the ubuntu user's home directory; the listener command has the following format:
python egress_listener.py
sudo python egress_listener.py 192.168.1.110 enp0s3 0.0.0.0/0
Note: 0.0.0.0/0 accepts connections from anywhere.
Then, during the test, use your personal Kali VM to connect to the C2 VM:
egressbuster.py
egressbuster.py 192.168.1.110 1-65536
Note: you can optionally append the "shell" flag.
Security considerations:
- The Docker container runs with NET_ADMIN privileges; this is required because the container has to use iptables. We could expose individual ports, but we use iptables to allow all ports, which Egressbuster needs.
- While the egress container is running, other containers on the same VM that expose ports could conflict with it, so only the egressbuster container should be used while it is running.
- While running the Packer script, note that you are setting a password for the "root" user. The new user (in this example, ubuntu) also has its password set. Embedding passwords in text files is not best practice :-P. I need to improve on this.
- Consider using the client's source IP address (rather than 0.0.0.0/0) for the egress listener.
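As an added example (not part of the original post or of Packer itself), the following Python lint runs over a constructed, trimmed copy of the template above: it reports users whose password is piped to chpasswd as a literal, and variables that are declared but never referenced (root_password is passed on the packer build command line yet nothing in the provisioner consumes it). harden() shows one way out of the embedded-password problem: the literal is replaced by a required (null) variable supplied with -var at build time. The names TEMPLATE, lint_template and harden are hypothetical.

```python
import json
import re

# Constructed, trimmed copy of the post's ubuntu.json (hypothetical data for
# this example): same variables, the chpasswd line and the docker-tag step.
TEMPLATE = json.loads("""{
  "variables": {"repository": "ubuntu", "tag": "1.0", "root_password": null},
  "provisioners": [{"type": "shell", "inline": [
    "echo 'ubuntu:newpassword' | chpasswd",
    "git clone https://github.com/trustedsec/egressbuster.git"]}],
  "post-processors": [{"type": "docker-tag",
    "repository": "{{user `repository`}}", "tag": "{{user `tag`}}"}]
}""")

USER_REF = re.compile(r"\{\{\s*user\s+`([^`]+)`\s*\}\}")          # {{user `name`}}
CHPASSWD = re.compile(r"echo\s+'([^:']+):([^']+)'\s*\|\s*chpasswd")  # echo 'u:p' | chpasswd

def _strings(node):
    """Yield every string value in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for v in (node.values() if isinstance(node, dict) else node):
            yield from _strings(v)

def lint_template(tpl):
    """Return (users given a literal chpasswd password, declared-but-unreferenced variables)."""
    referenced = {n for s in _strings(tpl) for n in USER_REF.findall(s)}
    literal = []
    for prov in tpl.get("provisioners", []):
        for cmd in prov.get("inline", []) if prov.get("type") == "shell" else []:
            m = CHPASSWD.search(cmd)
            if m and not USER_REF.search(m.group(2)):   # a {{user ...}} reference is fine
                literal.append(m.group(1))
    return literal, sorted(set(tpl.get("variables", {})) - referenced)

def harden(tpl):
    """Copy of tpl where each literal password becomes a required (null)
    {{user `<user>_password`}} variable that must be supplied with -var at build time."""
    out = json.loads(json.dumps(tpl))          # deep copy; leaves the input untouched
    variables = out.setdefault("variables", {})
    for prov in out.get("provisioners", []):
        for i, cmd in enumerate(prov.get("inline", []) if prov.get("type") == "shell" else []):
            m = CHPASSWD.search(cmd)
            if m and not USER_REF.search(m.group(2)):
                var = m.group(1) + "_password"
                variables.setdefault(var, None)
                prov["inline"][i] = cmd.replace(m.group(2), "{{user `%s`}}" % var)
    return out
```

The hardened template still reports root_password as unreferenced, which is the real finding against the template above: either consume it in the provisioner or drop it from the variables block.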
Some commands worth remembering:
Pruning:
$ docker image prune
$ docker container prune
$ docker volume prune
$ docker network prune
Workaround (manual removal):
Image:
$ docker rmi $(docker images --filter "dangling=true" -q --no-trunc)
$ docker rmi $(docker images | grep "none" | awk '/ / { print $3 }')
Container:
$ docker rm $(docker ps -qa --no-trunc --filter "status=exited")
Volume:
$ docker volume rm $(docker volume ls -qf dangling=true)
$ docker volume ls -qf dangling=true | xargs -r docker volume rm
Network:
$ docker network rm $(docker network ls | grep "bridge" | awk '/ / { print $1 }')