Image full credits go to Dirk Hoenes: https://pixabay.com/users/ptdh-275507
Tip
Even though this box is primarily intended for offensive operations, many of its tools and scripts can also be used for defensive purposes, for example in CI/CD pipelines as security validation steps.
The goal of this image is to provide an always up-to-date "box" containing materials (tools + scripts) useful for the assessment of a web-based application: site, API, etc.
The image is based on the alpine base image. It was previously based on the kali-rolling image, but the final size of the image once the toolbox was built was far too large (more than 14GB).
Recently, I started adding content for mobile assessment, to gather the related information and tools in the same box.
Issues with the label idea contain general ideas on a project/code/script/payload/research, etc., not necessarily directly linked to the toolbox itself. As this project is my central toolbox's forge, I also use it to gather and centralize my ideas.
```mermaid
sequenceDiagram
    participant T as Toolbox
    participant S as SecLists
    participant N as Nuclei templates
    participant P as Param-Miner
    alt Missing discovery dictionary entry
        T->>S: Propose a PR with the missing element
        S->>T: Get updates from the GitHub repository once the PR is merged
    end
    alt Missing generic detection point
        T->>N: Propose a PR with the missing template
        N->>T: Get updates from the GitHub repository once the PR is merged
    end
    alt Missing hidden HTTP parameter/header entry
        T->>P: Propose a PR with the missing element
        P->>T: Get updates from the GitHub repository once the PR is merged
    end
    alt Missing useful existing tool
        T->>T: Add the tool in a way that always uses its latest version
    end
    alt Specific need without an existing tool
        T->>T: Add a new custom script
    end
```
I have created and maintain several public toolboxes (as docker images), of which the present toolbox, toolbox-pentest-web, is the central one:

```mermaid
mindmap
  root["toolbox-pentest-web"]
    id1("toolbox-codescan")
    id2("toolbox-jwt")
    id3("toolbox-regex")
    id4("toolbox-patator")
```
- toolbox-pentest-web: Toolbox for the pentest of web-based applications.
- toolbox-codescan: Toolbox to perform offline scanning of a code base.
- toolbox-jwt: Toolbox with several scripts to perform different kinds of attacks against JWT tokens.
- toolbox-regex: Toolbox providing a local instance of RegExr to create regexes matching sensitive/private content.
- toolbox-patator: Toolbox providing an always up-to-date docker image of the tool patator.
The folder build contains utility internal scripts and materials used to build the docker image.
All tools are installed in the folder /tools and a transfer zone between the container and the host has been defined via the folder /tools/reports.
Tip
The index of all the scripts available is automatically updated, at each push on the master branch, via this workflow.
The folder scripts contains helper scripts for some operations using embedded tools.
Tip
The trial version of Foxit PDF Editor can be used to create custom malicious PDF files.
Tip
The VBA code stored in the file malicious-office-macro-vba.vbs can be used to create a custom malicious Office file.
The folder misc contains materials that can be used for testing specific cases, for example when an application uses:
- HTTP Signature.
- eIDAS certificate and key materials.
- RSA weak key pair.
- RSA JWK format key pair:
  - RSA 2048 bits private key / RSA 2048 bits public key.
  - Corresponding JSON Web Key Set file with the public key only.
  - Corresponding JSON Web Key Set file with the private key only.
- File upload feature accepting Microsoft Office documents, PDF documents, SVG images and so on:
  - Word 97-2003 format template document with a VBA macro performing an HTTP GET request to a defined domain.
  - Word 97-2003 format document with a VBA macro performing an HTTP GET request to a defined domain.
  - Word 2003 XML format document with a VBA macro performing an HTTP GET request to a defined domain.
  - Word OpenXML format document with a VBA macro performing an HTTP GET request to a defined domain.
  - PDF document with a link to a file considered as malware by some antivirus products or browsers.
  - PDF document with an embedded (attached) build of LaZagne, a file considered as malware by some antivirus products or browsers.
  - PDF document with an embedded (attached) build of NetCat, a file considered as malware by some antivirus products or browsers.
  - PDF document with an embedded (attached) file simulating a malicious file.
  - PDF document with a malicious file (considered as malware by some antivirus products or browsers) concatenated at the end, after the delimiter `[NEWFILE]` (see below for the extraction of the malicious file from the PDF).
  - XPS document embedding files (LaZagne and Mimikatz) detected as malicious programs by antivirus engines (at least by those used on VirusTotal).
  - SVG image with an XSS payload, see the files misc/doc-test-xss-*.svg for the different versions.
  - Java application, as an executable jar file compiled for a Java 1.8 minimum runtime, performing an HTTP GET request to a defined domain.
  - Go application, as a native executable, performing an HTTP GET request to a defined domain.
Use the code below to extract the executable file (LaZagne.exe) from the PDF file doc-pdf-with-malicious-files-concatenated.pdf:

```python
# Extract the executable concatenated after the "[NEWFILE]" delimiter.
# The search is done on the raw bytes: searching the hex-encoded content
# for the hex-encoded delimiter can match on a nibble boundary and
# then decode to garbage.
DELIMITER = b"[NEWFILE]"

with open("doc-pdf-with-malicious-files-concatenated.pdf", mode="rb") as f:
    content = f.read()

delimiter_position = content.find(DELIMITER)
if delimiter_position == -1:
    raise SystemExit("Delimiter [NEWFILE] not found: unexpected PDF file.")

# The payload starts right after the delimiter; the single separator byte
# that follows the delimiter is skipped.
bin_file_bytes = content[delimiter_position + len(DELIMITER):]
with open("malicious-files.exe", mode="wb") as f:
    f.write(bin_file_bytes[1:])
```
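The RSA JWK / JWKS material listed above is there to exercise how a target handles key sets, typically a JWKS it publishes itself. The following script is an added example, not a script shipped with the toolbox: it inspects a JSON Web Key Set, reports private RSA parameters (`d`, `p`, `q`, ...) present in a key set that should only carry public keys, and flags RSA moduli shorter than 2048 bits. The sample key set is constructed inline for the example; its `n` values are synthetic integers of a chosen bit length, not real RSA moduli, so they are only good for size checks.

```python
"""Inspect a JSON Web Key Set (JWKS) for two issues the misc/ RSA material
helps to reproduce against a target: private RSA parameters exposed in a
key set that should only hold public keys, and RSA moduli shorter than
2048 bits.

Added example, not a script shipped with the toolbox. SAMPLE_JWKS is
constructed for this example: the 'n' values are synthetic integers of a
chosen bit length, not real RSA moduli.
"""
import base64
import json

# RFC 7518 section 6.3.2: private key parameters of an RSA JWK.
RSA_PRIVATE_PARAMS = ("d", "p", "q", "dp", "dq", "qi", "oth")


def b64url_to_int(value: str) -> int:
    """Decode an unpadded base64url JWK integer (e.g. 'n', 'e') to int."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def int_to_b64url(value: int) -> str:
    """Encode an int as unpadded base64url, the JWK integer representation."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def inspect_jwks(jwks_json: str, min_rsa_bits: int = 2048) -> list[dict]:
    """Return one finding per key: leaked private params and modulus size."""
    findings = []
    for key in json.loads(jwks_json).get("keys", []):
        finding = {
            "kid": key.get("kid"),
            "kty": key.get("kty"),
            "alg": key.get("alg"),
            "leaked_private_params": [p for p in RSA_PRIVATE_PARAMS if p in key],
            "modulus_bits": None,
            "weak_modulus": False,
        }
        if key.get("kty") == "RSA" and "n" in key:
            bits = b64url_to_int(key["n"]).bit_length()
            finding["modulus_bits"] = bits
            finding["weak_modulus"] = bits < min_rsa_bits
        findings.append(finding)
    return findings


def has_issue(findings: list[dict]) -> bool:
    """True if any key leaks private material or has a weak modulus."""
    return any(f["leaked_private_params"] or f["weak_modulus"] for f in findings)


# Constructed sample: a 2048-bit public key, a 1024-bit one, and a "public"
# entry that still carries the private exponent 'd'.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "kid": "ok-2048", "alg": "RS256", "use": "sig",
         "n": int_to_b64url((1 << 2047) | 0x10001), "e": "AQAB"},
        {"kty": "RSA", "kid": "weak-1024", "alg": "RS256", "use": "sig",
         "n": int_to_b64url((1 << 1023) | 0x10001), "e": "AQAB"},
        {"kty": "RSA", "kid": "leaks-private", "alg": "RS256", "use": "sig",
         "n": int_to_b64url((1 << 2047) | 0x10001), "e": "AQAB",
         "d": int_to_b64url(0x1234567890ABCDEF)},
    ]
})

if __name__ == "__main__":
    for f in inspect_jwks(SAMPLE_JWKS):
        status = []
        if f["leaked_private_params"]:
            status.append("PRIVATE PARAMS EXPOSED: " + ",".join(f["leaked_private_params"]))
        if f["weak_modulus"]:
            status.append(f"WEAK MODULUS ({f['modulus_bits']} bits)")
        print(f"{f['kid']}: {'; '.join(status) or 'ok'}")
```

To use it against a real target, replace SAMPLE_JWKS with the body fetched from the application's JWKS endpoint; the checks only need the JSON, no network access or crypto library.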
The folder templates contains several scripts/files that can be used as a basis for custom scripts, to speed up the implementation of a POC.
The folder dictionaries contains several home-made custom dictionaries that can be used for discovery operations.
This file contains several technical hints for different kinds of contexts/issues/goals.
It's my tailor-made cheat sheet.
Use the following set of commands:

```bash
$ git clone https://github.com/righettod/toolbox-pentest-web.git
$ cd toolbox-pentest-web
$ docker build . -t righettod/toolbox-pentest-web --file Dockerfile
...
# Create a volume to share files with the container (ex: reports)
$ docker volume create --name shared_space
$ docker volume inspect shared_space
# Run container
$ docker run -v shared_space:/tools/reports -p 127.0.0.1:80:80 -i -t righettod/toolbox-pentest-web /bin/zsh
$ docker run -v shared_space:/tools/reports -p 192.168.206.128:80:80 -p 192.168.206.128:443:443 -i -t righettod/toolbox-pentest-web /bin/zsh
# Build image into local cache
$ docker build -t righettod/toolbox-pentest-web .
# Remove image from local cache
$ docker rmi -f righettod/toolbox-pentest-web
```

On Windows:

```bat
rem Run container and define a shared folder
C:\> docker run -v F:/SharedFolder:/tools/reports -p 127.0.0.1:80:80 -i -t righettod/toolbox-pentest-web /bin/zsh
```
Caution
The private key to use for SSH authentication is here. Since this key is distributed with the toolbox, anyone holding it can authenticate to a container whose SSH port is reachable: expose port 22 only on a network you trust. This box is intended to be used as a toolbox for a short running period only.
Important
When deployed on Kubernetes, the SYS_CHROOT / AUDIT_WRITE / NET_RAW capabilities are required in the security context.
- Run the container on the target docker host using the following command line:

  ```bash
  $ docker run -p 22:22 righettod/toolbox-pentest-web
  Server listening on 0.0.0.0 port 22.
  Server listening on :: port 22.
  ...
  ```

- Access the container via SSH using the following command:

  ```bash
  $ ssh -i ~/.ssh/ssh-private-key.pem root@[DOCKER_HOST_IP]
  ➜  ~
  ```

  Add the option `-o "StrictHostKeyChecking=no"` if the connection is refused because of a host key mismatch: the SSH host keys are generated at image build time, so they differ for each built image and a stale entry in ~/.ssh/known_hosts causes the connection to abort. Note that this option disables host key verification, so use it only against a docker host you control (or remove the stale known_hosts entry instead):

  ```bash
  $ ssh -o "StrictHostKeyChecking=no" -i ~/.ssh/toolbox-ssh-private-key.pem root@[DOCKER_HOST_IP]
  ➜  ~
  ```
The image is published to the following registries every week, via this workflow: