🥽 dwn
d(ockerp)wn - a docker attack tool manager
introduction
dwn is a "docker-compose for hackers". Using a simple YAML "plan" format similar to docker-compose, image names, versions and volume / port mappings are defined to set up a tool for use.
features
With dwn you can:
- Configure common pentest tools for use in a docker container
- Have context aware volume mounts
- Dynamically modify port bindings without container restarts
- And more!
installation
Simply run pip3 install dwn.
usage
dwn is actually really simple. The primary concept is that of "plans", where information about a tool (such as name, version, mounts and binds) is defined. There are a few built-in plans already available, but you can also roll your own. Without arguments, just running dwn would look like this.
❯ dwn
Usage: dwn [OPTIONS] COMMAND [ARGS]...
__
___/ / _____
/ _ / |/|/ / _ \
\_,_/|__,__/_//_/
docker pwn tool manager
by @leonjza / @sensepost
Options:
--debug enable debug logging
--help Show this message and exit.
Commands:
check Check plans and Docker environment
network Work with networks
plans Work with plans
run Run a plan
show Show running plans
stop Stop a plan
To list the available plans, run dwn plans show.
❯ dwn plans show
dwn plans
┏━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ name             ┃ path                                  ┃
┡━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ sqlmap           │ /tools/dwn/plans/sqlmap.yml           │
│ wpscan           │ /tools/dwn/plans/wpscan.yml           │
│ gowitness-report │ /tools/dwn/plans/gowitness-report.yml │
│ msfconsole       │ /tools/dwn/plans/msfconsole.yml       │
│ gowitness        │ /tools/dwn/plans/gowitness.yml        │
│ nginx            │ /tools/dwn/plans/nginx.yml            │
│ cme              │ /tools/dwn/plans/cme.yml              │
│ netcat-reverse   │ /tools/dwn/plans/netcat-reverse.yml   │
│ semgrep-sec      │ /tools/dwn/plans/semgrep-sec.yml      │
│ semgrep-ci       │ ~/.dwn/plans/semgrep-ci.yml           │
│ neo4j            │ ~/.dwn/plans/neo4j.yml                │
└──────────────────┴───────────────────────────────────────┘
11 plans
To run a plan such as gowitness to screenshot https://google.com, run dwn run gowitness --disable-db single https://www.google.com. This plan will exit when done, so you don't have to dwn stop gowitness.
❯ dwn run gowitness --disable-db single https://www.google.com
(i) found plan for gowitness
(i) volume: ~/scratch -> /data
(i) streaming container logs
08 Feb 2021 10:46:18 INF preflight result statuscode=200 title=Google url=https://www.google.com
❯
❯ ls screenshots
https-www.google.com.png
A plan such as netcat-reverse, however, will stay alive. You can connect to the plan's TTY after it is started to interact with any shells you may receive. Example usage would be:
❯ dwn run netcat-reverse
(i) found plan for netcat-reverse
(i) port: 4444<-4444
(i) container booted! attach & detach commands are:
(i) attach: docker attach dwn_wghz_netcat-reverse
(i) detach: ctrl + p, ctrl + q
Attaching to the plan (and executing nc -e somewhere else)
❯ docker attach dwn_wghz_netcat-reverse
connect to [::ffff:172.19.0.2]:4444 from dwn_wghz_netcat-reverse_net_4444_4444.dwn:46318 ([::ffff:172.19.0.3]:46318)
env | grep -i shell
SHELL=/bin/zsh
read escape sequence
You can get a running plan report too
❯ dwn show
running plan report
┏━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━┓
┃ plan           ┃ container(s)                          ┃ port(s)    ┃ volume(s) ┃
┡━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━┩
│ netcat-reverse │ dwn_wghz_netcat-reverse_net_4444_4444 │ 4444<-4444 │           │
│                │ dwn_wghz_netcat-reverse               │            │           │
└────────────────┴───────────────────────────────────────┴────────────┴───────────┘
And finally, stop a plan.
❯ dwn stop netcat-reverse -y
(i) stopping 2 containers for plan netcat-reverse
networking
dwn lets you dynamically map ports to plans without any container restarts. Networking commands live under the dwn network subcommand. Taking the nginx plan as an example, we can add a port mapping dynamically. First, start the nginx plan.
❯ dwn run nginx
(i) found plan for nginx
(i) volume: ~/scratch -> /usr/share/nginx/html
(i) port: 80<-8888
(i) container dwn_wghz_nginx started for plan nginx, detaching
Next, test the communication with cURL
❯ curl localhost:8888/poo.txt
haha, you touched it!
❯ curl localhost:9000/poo.txt
curl: (7) Failed to connect to localhost port 9000: Connection refused
Port 9000 is not open, so let's add a new port binding and test connectivity
❯ dwn network add nginx -i 80 -o 9000
(i) port binding for 9000->nginx:80 created
❯
❯ curl localhost:9000/poo.txt
haha, you touched it!
updating plans
The dwn plans pull command can be used to update the images defined in plans. To only update a single plan, add the plan name after pull. Eg: dwn plans pull nginx.
writing plans
A dwn plans new command exists to quickly scaffold a new plan. While only a few options are needed to get a plan up and running, all of the options that exist in the Python Docker SDK for the run call are valid tags that can be used.
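Since a plan may carry any option the Docker SDK run call accepts, a plan obtained from elsewhere can be reviewed for options that weaken container isolation before it is run. The following is an added example, not part of dwn: the option names are real Docker SDK run keyword arguments, while the plan dicts (a plan as it might look once its YAML is loaded) are constructed samples and their layout is an assumption.

```python
# Added example: audit a plan's Docker SDK run() options before running it.
# Option names are real docker-py containers.run() kwargs; the plan dicts
# below are constructed samples, not plans shipped with dwn.
HOST_NAMESPACES = ("network_mode", "pid_mode", "ipc_mode")
SENSITIVE_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock")


def host_paths(volumes):
    """Yield (host_path, mode) from either docker-py volume form."""
    if isinstance(volumes, dict):  # {"/host": {"bind": "/ctr", "mode": "ro"}}
        for host, spec in volumes.items():
            yield host, spec.get("mode", "rw")
    else:  # ["/host:/ctr:ro", ...]
        for entry in volumes or []:
            parts = entry.split(":")
            yield parts[0], parts[2] if len(parts) > 2 else "rw"


def audit_plan(plan):
    """Return findings for options that weaken container isolation."""
    findings = []
    if plan.get("privileged"):
        findings.append("privileged: near-host privileges")
    for key in HOST_NAMESPACES:
        if plan.get(key) == "host":
            findings.append(f"{key}=host: shares a host namespace")
    for cap in plan.get("cap_add") or []:
        findings.append(f"cap_add: extra capability {cap}")
    for host, mode in host_paths(plan.get("volumes")):
        if (host.rstrip("/") or "/") in SENSITIVE_PATHS:
            findings.append(f"volumes: sensitive host path {host} ({mode})")
    return findings


RISKY = {  # constructed sample
    "image": "example/tool:latest",
    "privileged": True,
    "network_mode": "host",
    "volumes": {"/var/run/docker.sock": {"bind": "/var/run/docker.sock"}},
}
SCOPED = {  # constructed sample
    "image": "example/tool:latest",
    "volumes": ["/home/user/scratch:/data:rw"],
    "ports": {"80/tcp": 8888},
}

if __name__ == "__main__":
    for plan in (RISKY, SCOPED):
        print(plan["image"], audit_plan(plan) or "no findings")
```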
license
dwn is licensed under a GNU General Public v3 License. Permissions beyond the scope of this license may be available at http://sensepost.com/contact/.