Docker for Pentesters
Docker is truly one of the most fascinating changes to come to software development over the last 10 years. While the concept of containerization has been around since 1979, starting with the advent of chroot, Docker has revolutionized how containerization works. Docker made it easy not only to use containers but also to download fully functional environments with a single Docker command. This provides a lot of opportunities to create portable environments that penetration testers, security researchers, and others can pull, view, and use to see real exploits and Proofs of Concept (PoCs). In addition to distributing PoC environments, some communities, like the creators of Parrot OS, have put their security operating system in Linux containers, making it even more portable.
Finding Docker images is easy! A quick Google search can lead you to many sources, but I recommend using Docker Hub. It’s also important to vet your images before pulling (downloading) them, because they could be malicious.
Please pull images from reputable sources.
Parrot OS in Docker
The Parrot Project is an all-in-one framework for cybersecurity, software developers, and privacy enthusiasts. They have taken their Linux distribution and ported an enormous amount of their functionality into a Docker container. This allows the Parrot OS Docker image to be run on Windows, Digital Ocean, or anywhere you can run Docker. It is really that portable.
I wrote a nice article showcasing some of the Parrot Docker image’s functionality.
Portable Security Applications
Some security applications are actually web applications that have been made portable through Docker. In this example, I will cover OWASP’s ZAP Baseline Scan.
OWASP’s ZAP Baseline Scan
The ZAP Baseline Scan Docker image can be used to scan websites for vulnerabilities. Because this is in a Docker container, it can be easily incorporated into a DevSecOps pipeline for integrated security testing of applications. I also included a link to a sample GitHub Action for automated scanning.
# pull zap baseline scan
docker pull owasp/zap2docker-stable

# running a scan against my blog
docker run -t owasp/zap2docker-stable zap-baseline.py -t https://www.mrjamiebowman.com
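When the baseline scan runs inside a pipeline, the job needs a rule for turning the scan result into a pass or a block. The script below is an added example, not code from the post or from the ZAP project. It wraps the same docker run command, reads the counters from the summary line that zap-baseline.py prints (the "FAIL-NEW: n FAIL-INPROG: n WARN-NEW: n ..." line) and applies a simple policy: any FAIL blocks, WARN-NEW above a budget blocks, and a scan that did not complete (exit code 3 or higher, per the baseline scan's documented exit codes of 0 pass, 1 fail, 2 warn, 3 other error) also blocks. The sample report at the bottom is constructed for the demonstration; the function names and the warn budget are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post or the ZAP project): gate a CI job
# on the result of the OWASP ZAP baseline scan run from owasp/zap2docker-stable.
# Assumed: summary line "FAIL-NEW: n FAIL-INPROG: n WARN-NEW: n WARN-INPROG: n
# INFO: n IGNORE: n PASS: n" and exit codes 0=pass, 1=fail, 2=warn, 3=error.

# Run the baseline scan against $1, saving the output to $2.
# Returns zap-baseline.py's exit code. Needs Docker; not called automatically.
run_zap_baseline() {
    target="$1"; report="$2"
    docker run --rm -t owasp/zap2docker-stable zap-baseline.py -t "$target" > "$report" 2>&1
}

# Read one counter (FAIL-NEW, WARN-NEW, PASS, ...) from the summary line only,
# so per-finding "WARN-NEW: <title>" lines earlier in the report are ignored.
zap_count() {
    key="$1"; report="$2"
    awk -v k="$key:" '
        $1 == "FAIL-NEW:" && $3 == "FAIL-INPROG:" {
            for (i = 1; i < NF; i++) if ($i == k) v = $(i + 1)
        }
        END { print v + 0 }' "$report"
}

# Policy: return 0 (pass) or 1 (block).
#   $1 report file, $2 scan exit code, $3 allowed WARN-NEW count (default 0)
zap_gate() {
    report="$1"; scan_rc="$2"; warn_budget="${3:-0}"
    [ "$scan_rc" -ge 3 ] && { echo "block: scan did not complete (rc=$scan_rc)"; return 1; }
    fails=$(zap_count FAIL-NEW "$report")
    warns=$(zap_count WARN-NEW "$report")
    [ "$fails" -gt 0 ] && { echo "block: $fails FAIL-NEW"; return 1; }
    [ "$warns" -gt "$warn_budget" ] && { echo "block: $warns WARN-NEW exceeds budget $warn_budget"; return 1; }
    echo "pass: $fails FAIL-NEW, $warns WARN-NEW (budget $warn_budget)"
    return 0
}

# Constructed sample in the shape of a baseline report; not output of a real scan.
write_sample_report() {
    cat > "$1" <<'EOF'
WARN-NEW: X-Content-Type-Options Header Missing [10021] x 3
WARN-NEW: Content Security Policy (CSP) Header Not Set [10038] x 3
FAIL-NEW: 0   FAIL-INPROG: 0   WARN-NEW: 2   WARN-INPROG: 0   INFO: 0   IGNORE: 0   PASS: 51
EOF
}

# Demo on the constructed report: exit code 2 (warnings only), budget of 5 -> pass.
# In a real job replace this with: run_zap_baseline "$URL" report.txt; zap_gate report.txt $? 0
sample=$(mktemp)
write_sample_report "$sample"
zap_gate "$sample" 2 5
rm -f "$sample"
```

The warn budget exists so a team can adopt the gate without a flag day: start with today's WARN-NEW count as the budget, block on any FAIL immediately, and ratchet the budget down as headers and findings are fixed.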
Docker Vulnerable Web Apps
There are plenty of exploitable web applications that you can pull from Docker Hub. These pre-configured environments come loaded with vulnerabilities and are practical for learning how to do bug hunting.
Damn Vulnerable Web App (DVWA)
Damn Vulnerable Web App (DVWA) is a classic vulnerable application that has been around for ages. Pulling the Docker image for DVWA is easy and fun! Try it out!
docker pull vulnerables/web-dvwa
docker run --rm -it -p 80:80 vulnerables/web-dvwa
OWASP’s Juice Shop
docker pull bkimminich/juice-shop
docker run --rm -p 3000:3000 bkimminich/juice-shop
# browse to http://localhost:3000 (on macOS and Windows browse to http://192.168.99.100:3000 if you are using docker-machine instead of the native docker installation)
Docker for CVEs/PoCs
Suppose you are a security researcher and you’ve just discovered a bug in a WordPress plugin. Using Docker Compose, it’s easy to create a GitHub repository that allows other security professionals to pull the images, spin up a MySQL database and WordPress, and have the exact vulnerable plugin installed to demonstrate the PoC and exploit. This is a great way for pen-testers to learn, practice, and distribute their PoCs.
# run vulnerable wp code snippets plugin in docker
git clone https://github.com/vulncrate/wp-codesnippets-cve-2020-8417.git
cd wp-codesnippets-cve-2020-8417
docker-compose up
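As an added example of the Docker Compose layout such a PoC repository uses (this is not the contents of the vulncrate repository above, and not the post's code), the script below writes a docker-compose.yml with a MySQL service and a WordPress service, mounts a host directory holding the plugin under test, and brings the stack up when docker-compose is available. The image tags, credentials, port and plugin path are assumptions chosen for illustration; the one deliberate choice is binding the WordPress port to 127.0.0.1, so a deliberately vulnerable lab is reachable only from the machine running it.

```shell
#!/bin/sh
# Added example (not from the original post or the vulncrate repository):
# generate a docker-compose.yml for a WordPress plugin PoC lab with pinned
# image versions, then start it if docker-compose is installed.
# Image tags, credentials, port and plugin directory are assumed for illustration.

# Write the compose file to $1; $2 is the host directory with the plugin (assumed).
write_poc_compose() {
    out="$1"
    plugin_dir="${2:-./plugin}"
    cat > "$out" <<EOF
version: "3.7"
services:
  db:
    image: mysql:5.7
    environment:
      MYSQL_ROOT_PASSWORD: poc-root-password
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: poc-password
  wordpress:
    image: wordpress:5.3-php7.3-apache
    depends_on:
      - db
    ports:
      - "127.0.0.1:8080:80"
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: poc-password
      WORDPRESS_DB_NAME: wordpress
    volumes:
      - ${plugin_dir}:/var/www/html/wp-content/plugins/vulnerable-plugin:ro
EOF
}

# Number of services declared in a generated file; a quick sanity check
# before handing the repository to someone else.
poc_service_count() {
    awk '/^services:/ { s = 1; next } s && /^  [a-z]+:$/ { n++ } END { print n + 0 }' "$1"
}

# Start the lab (detached) only when docker-compose exists; otherwise report.
poc_up() {
    compose_file="$1"
    if command -v docker-compose >/dev/null 2>&1; then
        docker-compose -f "$compose_file" up -d
    else
        echo "docker-compose not found; wrote $compose_file only"
    fi
}

# Usage in a PoC repository:
#   write_poc_compose docker-compose.yml ./plugin && poc_up docker-compose.yml
```

Pinning the mysql and wordpress tags is what makes the PoC reproducible for the next person who clones the repository; a floating "latest" tag can silently change the WordPress core the plugin runs against. The plugin is mounted read-only so the container cannot modify the copy you are distributing.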
I hope this expands people’s views on Docker and contributes to the community. If I missed anything or you think there is something I should add, leave a comment below. If you like what I create, add me on LinkedIn and Twitter, follow my blog and YouTube channels, and keep an eye on future concepts like VulnCrate, Hackaco, and my personal YouTube.