If you are pentester or security researcher, then you will definitely spend hours in searching for vulnerable systems, and once you have found one the next step is to exploit it, but this can be very time consuming and may or may not be possible depending on the target, but if the target is in your local network you can use the pentest lab which lets you test various tools like nmap, metasploit, hydra, SQLMap, etc on a vulnerable target with just one command.
This local pentest lab leverages docker compose to spin up multiple victim services and an attacker service running Kali Linux. If you run this lab for the first time it will take some time to download all the different docker images.
./lab.sh --up --all-services
./lab.sh --overview all
ssh root@kali -o "UserKnownHostsFile /dev/null"
The lab should work out of the box if all needed dependencies are installed. At startup the lab will run a dependency check.
Start the lab
git clone https://github.com/oliverwiegers/pentest_lab cd pentest_lab ./lab.sh -u
By default the lab will start all victim services and one red team service. Other services can be started and added. More information on this down on this below.
For further usage information consider reading the help message shown by
./lab.sh -h | --help.
- yq (The Python version. Not yq-go.)
The lab has a build in dependency check which runs at startup. This also can be run manually
For ease of use a Heimdall interface was added that is exposed to
localhost:7000. All services that are exposed to your local machine and can be accessed via browser are listed there. Changes that will be made to the interface are automatically saved in
./etc/heimheimdall. This directory is than turned into
./etc/heimdall.tar while stopping the lab. This tar archive will be extracted on starup. Both
./etc/heimdall are ignored by git by default.
Used wallpaper can be found here.
This lab knows the following four types of services.
The default red team service – the Kali service – is a pretty basic Kali instance. Nonetheless
kali-tools-web metapackage is installed. For a web application testing lab the basic web testing tools seem to be useful. This can be changed by editing the Dockerfile from which the image is build. This is located at
./dockerfiles/kali. The kali service installs these dotfiles by default. This is also changable by tweaking the Dockerfile.
Even though monitoring services are blue_team services as well these are split up in a different category.
This stack provides log and performance observation functionality.
For further information on single instances see below.
Currently the monitoring setup is made of the following services:
- Grafana – Visualize logs and metrics.
- Loki – Ship docker logs to grafana.
- Prometheus – Ship metrics to grafana.
- cAdvisor – Gather container ressource usage and metrics and ship to prometheus.
The Grafana instance provides two dashboards one for logs and one for metrics.
These are pretty basic. One could add more by adding dashboards via the Grafana interface. These dashboards will be lost when the grafana volume is deleted. To permanently add dashboards consult the Provisioning Docs by Grafana. Used directories for provisioning are located at
To change settings via Grafana interface one must login as
admin. The credentials are the default ones:
For Loki beeing able to gather docker logs this lab installs the Loki Docker Driver as Docker plugin.
For Prometheus beeing able to access performance metrics of the containers running in the cluster cAdvisor is used.
To add additional services a little knowledge of
docker-compose.yml files is needed. The
docker-compose.yml in the root of this repository is auto generated when the lab starts. This process uses the yaml files located unter
➜ pentest_lab tree ./etc/services ./etc/services ├── blue_team │ └── endlessh.yml ├── default.yml ├── monitoring │ ├── cadvisor.yml │ ├── grafana.yml │ ├── loki.yml │ └── prometheus.yml ├── red_team └── victim ├── beginner │ ├── bwapp.yml │ ├── dvwa.yml │ ├── hackazon.yml │ ├── tiredful.yml │ ├── webgoat.yml │ └── xvwa.yml ├── expert │ └── juice-shop.yml └── intermediate └── ninjas.yml
Which services will be started is controlled by invoking
./lab.sh with the corresponding options. To permanently disable a service remove the
.yml file extension.
An example of a victim service would be:
bwapp: labels: class: 'victim' cluster: 'pentest_lab' level: 'beginner' image: raesene/bwapp ports: - '8080:80' networks: pentest_lab: ipv4_address: 10.5.0.100 hostname: bwapp volumes: - bwapp-data:/var/lib/mysql
Note: If a service requires some kind of installation at first usage use
docker inspect <image_name> to find out where the docker image stores the data and add a volume pointing to this directory. In the example above this is:
volumes: - bwapp-data:/var/lib/mysql
This ensures that you don’t have to setup the service again every time you restart the lab. But if you want to reset the lab and completely start over again you can use
./lab.sh -p | --prune. This will delete all resources owned by the lab.
The reason we used static IP addresses is that the Kali box needs to have an IP address that doesn’t change to simplify SSH login. More in information in the Tips/Tricks section down below.
- Red team services start at 10.5.0.5
- The Kali service has 10.5.0.5.
- Blue team services start at 10.5.0.50
- Victim services start at 10.5.0.100
- Monitoring services start at 10.5.0.200
If you add services and there is additional information that is useful for anyone running this lab you can add this information to
./etc/services_info. Content of this file will be printed as is line by line by running
For an easy connect to the Kali service one could add the following to
Host kali User root Hostname 10.5.0.5 UserKnownHostsFile /dev/null StrictHostKeyChecking accept-new
So instead of
ssh email@example.com -o "UserKnownHostsFile /dev/null" one could run
For tmux users the following will attach to a tmux session automatically:
Host kali User root Hostname 10.5.0.5 UserKnownHostsFile /dev/null StrictHostKeyChecking accept-new RequestTTY yes RemoteCommand tmux -L tmux new-session -As hacktheplanet
pentest_lab (this link opens in a new window) by oliverwiegers (this link opens in a new window)
Local penetration testing lab using docker-compose.