Dockerfile for custom Blue Team container
To build a Docker container designed for a complete Security Operations Center (SOC) blue team defense cycle, based on a Kali Linux image, you can use the following Dockerfile. This setup focuses on installing tools widely used for threat detection, incident response, and defense. The tools are selected to cover different aspects of the SOC defense cycle.
Here’s a Dockerfile to get you started:
# Use Kali Linux as the base image
FROM kalilinux/kali-rolling
# Answer debconf prompts automatically (wireshark-common asks whether non-root users may capture); without this the build stalls
ENV DEBIAN_FRONTEND=noninteractive
# Update and install necessary packages and tools; comment lines inside the RUN are stripped by the Dockerfile parser
RUN apt-get update && apt-get -y upgrade && \
# Install general networking and investigation tools
apt-get -y install nmap net-tools iputils-ping dnsutils traceroute \
htop iftop tcpdump whois curl wget \
# Install common SOC tools
&& apt-get -y install wireshark tshark snort suricata fail2ban ufw \
# Log analysis and SIEM tools: logstash, elasticsearch, kibana and filebeat are not in Kali's repositories.
# Add Elastic's apt repository in an earlier step, then uncomment the next line
# && apt-get -y install logstash elasticsearch kibana filebeat \
# Install forensic tools (Kali packages Volatility 3 as volatility3; the old python2 volatility package was dropped)
&& apt-get -y install autopsy sleuthkit foremost volatility3 \
# Install incident response and threat intelligence tools
&& apt-get -y install maltego openvas metasploit-framework yara \
# Install additional blue team tools for analysis and response
&& apt-get -y install zeek osquery auditd lynis \
# Install command-line text editors and utilities for investigation
&& apt-get -y install nano vim less jq tree \
# Cleanup to reduce image size
&& apt-get clean && rm -rf /var/lib/apt/lists/*
# Setup entry point to bash for interactive use
CMD ["/bin/bash"]
Key Components
- Network & Traffic Analysis: nmap, wireshark, tshark, tcpdump, and Suricata to analyze and monitor network traffic.
- Log Management and SIEM: logstash, elasticsearch, kibana, and filebeat for log collection and visualization.
- Forensics and Analysis: Tools like autopsy, sleuthkit, foremost, and volatility for disk and memory forensics.
- Threat Intelligence and IR: maltego, openvas (for vulnerability scanning), metasploit-framework, and yara for intelligence gathering and incident response.
- Monitoring & System Auditing: zeek for network monitoring, osquery and auditd for system auditing, and lynis for vulnerability assessment.
Build and Run
- Build the Docker image:
docker build -t soc-blue-team:latest .
- Run the Docker container:
docker run -it --cap-add=NET_ADMIN --net=host soc-blue-team:latest
This setup includes a range of Kali tools focused on SOC defense and cyber defense capabilities for monitoring, detection, response, and forensic analysis in a SOC environment. Adjustments may be necessary based on the specific requirements of your blue team operations.
Source: ChatGPT
Dockerfile for custom Red Team container
To update and install the best Kali Linux tools for a complete penetration testing (Red Team) attack cycle in a Docker container, you can follow these steps. This setup ensures the tools are installed for each phase: reconnaissance, scanning, exploitation, post-exploitation, and reporting.
- Create a Dockerfile for a custom Kali image:
# Start with the official Kali Linux Docker image
FROM kalilinux/kali-rolling
# Answer debconf prompts automatically so the build does not stall on package configuration questions
ENV DEBIAN_FRONTEND=noninteractive
# Update and upgrade Kali packages
RUN apt-get update && apt-get -y upgrade
# Install general utilities
RUN apt-get -y install curl wget vim git net-tools
# Install reconnaissance tools
RUN apt-get -y install nmap enum4linux dnsenum theharvester dirb gobuster ffuf smbclient nbtscan
# Install vulnerability scanners
RUN apt-get -y install nikto metasploit-framework openvas sqlmap lynis
# Install exploitation tools
RUN apt-get -y install sqlmap hydra john exploitdb metasploit-framework msfpc seclists patator
# Install post-exploitation tools
RUN apt-get -y install crackmapexec mimikatz powershell-empire responder impacket-scripts
# Install privilege escalation tools (Kali ships linpeas/winpeas in the peass package)
RUN apt-get -y install peass linux-exploit-suggester windows-exploit-suggester-2 enum4linux
# Install reporting and documentation tools
RUN apt-get -y install eyewitness dradis faraday
# Clean up cached files
RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
- Build the Docker Image with the following command:
docker build -t kali-red-team .
- Run the Docker Container:
docker run -it kali-red-team /bin/bash
This Dockerfile installs essential tools across each phase of the attack cycle and prepares a Kali Linux environment ready for penetration testing. You can add or modify tools as needed based on specific objectives or targets.
Source: ChatGPT
Kali Docker tools install
apt update && apt install -y \
nmap \
nikto \
theharvester \
dnsenum \
dnsmap \
maltego \
recon-ng \
openvas \
wapiti \
wpscan \
metasploit-framework \
beef-xss \
sqlmap \
aircrack-ng \
kismet \
reaver \
john \
hydra \
hashcat \
medusa \
autopsy \
sleuthkit \
binwalk \
burpsuite \
zaproxy \
wireshark \
ettercap-text-only \
mitmproxy \
powershell-empire \
responder \
faraday \
set \
radare2 \
ghidra \
weevely \
netcat-traditional \
proxychains4 \
tor \
macchanger
Source: https://www.kali.org/tools
Parrot Security: tool categories
parrot-tools-automotive/parrot6 6.2.0 all
Pentest tools for vehicle hacking
parrot-tools-cloud/parrot6 6.2.0 amd64
Pentest tools for cloud environments
parrot-tools-forensics/parrot6 6.2.0 all
Pentest tools for forensics
parrot-tools-full/parrot6 6.2.0 amd64
Metapackage that installs a full penetration testing environment
parrot-tools-infogathering/parrot6 6.2.0 all
Pentest tools for information gathering
parrot-tools-maintain/parrot6 6.2.0 all
Pentest tools for maintaining access
parrot-tools-password/parrot6 6.2.0 all
Pentest tools for password attack
parrot-tools-postexploit/parrot6 6.2.0 all
Pentest tools for post exploitation
parrot-tools-pwn/parrot6 6.2.0 all
Pentest tools for exploitation
parrot-tools-reporting/parrot6 6.2.0 all
Pentest tools for reporting
parrot-tools-reversing/parrot6 6.2.0 all
Pentest tools for reverse engineering
parrot-tools-sniff/parrot6 6.2.0 all
Pentest tools for network sniffing
parrot-tools-vuln/parrot6 6.2.0 all
Pentest tools for vulnerability analysis
parrot-tools-web/parrot6 6.2.0 all
Pentest tools for web analysis
parrot-tools-wireless/parrot6 6.2.0 all
Pentest tools for wireless exploitation
Source: https://parrotsec.org/docs/introduction/what-is-parrot
Configure a separate PHP-FPM pool for each vhost. This allows each vhost to have its own isolated PHP-FPM process, which communicates over its own unique socket
To create a separate FastCGI socket for each virtual host (vhost), you’ll typically need to configure a separate PHP-FPM pool for each vhost. This allows each vhost to have its own isolated PHP-FPM process, which communicates over its own unique socket. Here’s how you can set it up:
1. Configure Separate PHP-FPM Pools
PHP-FPM allows you to define multiple pools, each with unique settings, including its own socket. By creating a separate pool for each vhost, you can control resources independently and enhance security and isolation.
- Locate the PHP-FPM Pool Configuration Directory:
  - PHP-FPM pool configurations are usually found in /etc/php/<version>/fpm/pool.d/ (replace <version> with your PHP version, e.g., 7.4).
- Create a New Pool Configuration File for Each Vhost:
  - Copy the default pool configuration file to create new files for each vhost. For example:
cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/vhost1.conf
cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/vhost2.conf
- Edit Each Pool Configuration File:
  - Open each pool file (e.g., vhost1.conf) in a text editor and configure the following settings to make each pool unique.
  - Set a Unique Pool Name:
[vhost1]
  - Specify a Unique Socket for Each Pool:
listen = /var/run/php/php7.4-fpm-vhost1.sock
  - Optionally Configure Additional Settings:
  - You can configure other settings independently, such as user, group, pm.max_children, etc., to control resource usage for each vhost.
- Repeat for Each Vhost:
  - Change the pool name and socket path in each configuration file to ensure they are unique (e.g., vhost2 with php7.4-fpm-vhost2.sock).
- Restart PHP-FPM:
  - Once all pools are configured, restart PHP-FPM to apply the changes.
sudo systemctl restart php7.4-fpm
2. Configure Apache for Each Vhost to Use the Correct FastCGI Socket
In your Apache configuration, you need to configure each vhost to use its respective FastCGI socket.
- Define Each Vhost in Apache (in /etc/apache2/sites-available/):
  - For each vhost configuration file, use the FastCgiExternalServer directive to point to the unique socket created for that vhost’s PHP-FPM pool.
- Example Apache Configuration:
<VirtualHost *:80>
ServerName vhost1.example.com
# FastCGI configuration for vhost1
FastCgiExternalServer /var/www/vhost1/cgi-bin/php-fcgi -socket /var/run/php/php7.4-fpm-vhost1.sock -pass-header Authorization -pass-header Content-Type
DocumentRoot /var/www/vhost1
<Directory /var/www/vhost1>
Options +ExecCGI
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName vhost2.example.com
# FastCGI configuration for vhost2
FastCgiExternalServer /var/www/vhost2/cgi-bin/php-fcgi -socket /var/run/php/php7.4-fpm-vhost2.sock -pass-header Authorization -pass-header Content-Type
DocumentRoot /var/www/vhost2
<Directory /var/www/vhost2>
Options +ExecCGI
Require all granted
</Directory>
</VirtualHost>
- In this setup, each vhost has a separate FastCgiExternalServer directive pointing to its dedicated PHP-FPM socket.
- Reload Apache:
  - After configuring each vhost, reload or restart Apache to apply the changes.
sudo systemctl restart apache2
Summary
By configuring a separate PHP-FPM pool and socket for each vhost, each site operates in isolation with its own dedicated FastCGI process. This setup not only enhances security but also allows for resource control per vhost, preventing one site from monopolizing resources at the expense of others.
Source: ChatGPT
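Copying www.conf for each pool leaves every vhost running as the same user (www-data by default), so the isolation described in the summary only holds when each pool also gets its own user, group and socket permissions. The following Python script is an added example, not code from the page or from PHP-FPM: it writes a pool file per vhost with those settings and checks a set of pool files for shared users, shared sockets, socket modes wider than 0660 and a missing open_basedir. The vhost names, users and paths are constructed for illustration.

```python
"""Generate isolated per-vhost PHP-FPM pool files and check a set of pools for collisions.
Added example; vhost names, users and paths are constructed for illustration."""
import configparser
from collections import Counter

PHP_VERSION = "7.4"  # the version used on the page; adjust to the installed one
SAFE_MODES = {"0660", "660", "0600", "600"}  # only the web server user/group may connect


def pool_config(vhost, user, docroot):
    """Return a pool.d/<vhost>.conf that runs as its own user on its own socket."""
    return f"""[{vhost}]
user = {user}
group = {user}
listen = /var/run/php/php{PHP_VERSION}-fpm-{vhost}.sock
; the socket is owned by the web server, so Apache can connect but other pools cannot
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
; confine PHP to this vhost's tree so a compromised site cannot read its neighbours
php_admin_value[open_basedir] = {docroot}:/tmp
"""


def check_pools(conf_texts):
    """Return isolation findings for the given pool file contents (empty list = clean)."""
    findings, users, sockets = [], Counter(), Counter()
    for text in conf_texts:
        cp = configparser.ConfigParser(strict=False, interpolation=None)
        cp.read_string(text)
        for name in cp.sections():
            sec = cp[name]
            users[sec.get("user", "")] += 1        # two pools with one user share file access
            sockets[sec.get("listen", "")] += 1    # two pools on one socket are not separate at all
            if sec.get("listen.mode", "0660") not in SAFE_MODES:
                findings.append(f"{name}: listen.mode {sec['listen.mode']} is wider than 0660")
            if not any("open_basedir" in key for key in sec):
                findings.append(f"{name}: no open_basedir restriction")
    findings += [f"user {u} shared by {n} pools" for u, n in users.items() if n > 1]
    findings += [f"socket {s} shared by {n} pools" for s, n in sockets.items() if n > 1]
    return findings
```

Run check_pools over the contents of every file in pool.d after editing; an empty result means no two vhosts share a user or socket.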
Disable monitor blanking on Debian with LXDE for remote access using NoMachine and VNC
Edit file: /etc/xdg/lxsession/LXDE/autostart
Remove:
@xscreensaver -no-splash
Append:
@xset s noblank
@xset s off
@xset -dpms
Sources: https://raspberrypi.stackexchange.com/questions/752/how-do-i-prevent-the-screen-from-going-blank
Patch vSphere 5.5 Updates
https://kb.vmware.com/s/article/2008939
(OLD: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2008939)
http://www.v-front.de/2014/09/vmware-releases-vsphere-55-update-2.html
Search for string in file system in Linux
Search for the string ‘root’ in every file below the current directory (run it from / to cover the entire filesystem); the cut keeps only the file names:
# grep -H -R root ./* | cut -d: -f1
Source: http://www.cyberciti.biz/faq/howto-search-find-file-for-text-string
Shrink qemu qcow2 files
Excerpt from source:
Windows Guest
1. Delete all unnecessary files, empty recycle bin
2. Defragment drive (you might need to do this several times, until you see it “compacted” well)
3. Use sdelete to zero free disk space. Please note that this operation will fill all free space on the drive with zeros, so the virtual machine image will grow to its maximum size.
Using command prompt
sdelete -c c:
Linux/FreeBSD Guest
# dd if=/dev/zero of=./zero bs=1M
# sync
# rm -f ./zero
Note: the bs parameter is important, since it greatly reduces the time necessary to complete this task.
Host
Convert the image to the same format it currently is (e.g. qcow2 => qcow2)… during this procedure it will release unused space.
# qemu-img convert -O qcow2 w2k3.qcow2 w2k3-shrinked.qcow2
Source:
http://mindref.blogspot.com/2011/07/shrink-qcow2.html
Download sdelete from here:
https://technet.microsoft.com/en-us/sysinternals/bb897443.aspx
Find files larger than 50 megabytes in Linux
Find files larger than 50 megabytes
$ find . -type f -size +50000k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'
Reference: http://www.cyberciti.biz/faq/find-large-files-linux