Dockerfile for custom Blue Team container

By technese - Last updated: Monday, November 11, 2024

To build a Docker container designed for a complete Security Operations Center (SOC) blue team defense cycle, based on a Kali Linux image, you can use the following Dockerfile. This setup focuses on installing tools widely used for threat detection, incident response, and defense. The tools are selected to cover different aspects of the SOC defense cycle.

Here’s a Dockerfile to get you started:

# Use Kali Linux as the base image
FROM kalilinux/kali-rolling

# Update and install necessary packages and tools
RUN apt update && apt -y upgrade && \
    # Install general networking and investigation tools
    apt -y install nmap net-tools iputils-ping dnsutils traceroute \
    htop iftop tcpdump whois curl wget \
    # Install common SOC tools
    && apt -y install wireshark tshark snort suricata fail2ban ufw \
    # Install log analysis and SIEM tools
    && apt -y install logstash elasticsearch kibana filebeat \
    # Install forensic tools
    && apt -y install autopsy sleuthkit foremost volatility \
    # Install incident response and threat intelligence tools
    && apt -y install maltego openvas metasploit-framework yara \
    # Install additional blue team tools for analysis and response
    && apt -y install zeek osquery auditd lynis \
    # Install command-line text editors and utilities for investigation
    && apt -y install nano vim less jq tree \
    # Cleanup to reduce image size
    && apt clean && rm -rf /var/lib/apt/lists/*

# Set the entry point to bash for interactive use
CMD ["/bin/bash"]

Key Components

Build and Run

  1. Build the Docker image:
   docker build -t soc-blue-team:latest .
  2. Run the Docker container:
   docker run -it --cap-add=NET_ADMIN --net=host soc-blue-team:latest

This setup includes a range of Kali tools covering monitoring, detection, response, and forensic analysis in a SOC environment. Adjustments may be necessary based on the specific requirements of your blue team operations.
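As an added check that is not part of the original post: before committing to a long build, the script below lists every package a Dockerfile's apt install commands would pull in (handling backslash continuations and the comment lines Docker strips out even inside a continuation, as used in the Dockerfile above), so each name can be confirmed with apt-cache policy in a kali-rolling container first; it also warns when a token looks like a version string rather than a package name. The Dockerfile it reads is a constructed sample, not the one above.

```shell
#!/bin/sh
# List every package a Dockerfile's "apt ... install" commands would pull in.
# Docker removes comment lines before joining backslash continuations, and this
# does the same, so packages after an inline "# ..." comment are not lost.
dockerfile_packages() {   # usage: dockerfile_packages [Dockerfile]  (stdin if omitted)
    awk '
    /^[[:space:]]*#/ { next }                  # comment line: dropped, even mid-continuation
    { buf = buf " " $0 }
    /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, "", buf); next }   # continued on next line
    {
        n = split(buf, cmds, /&&/); buf = ""   # one shell command per element
        for (c = 1; c <= n; c++) {
            if (cmds[c] !~ /(^|[[:space:]])apt(-get)?[[:space:]]+.*install([[:space:]]|$)/) continue
            sub(/^.*install[[:space:]]*/, "", cmds[c])
            m = split(cmds[c], toks, /[[:space:]]+/)
            for (t = 1; t <= m; t++) {
                if (toks[t] == "" || toks[t] ~ /^-/) continue          # option such as -y
                if (toks[t] ~ /^[0-9]+(\.[0-9]+)+(-[0-9]+)?$/)          # "1.10-47" pasted after a name
                    print "WARNING: " toks[t] " looks like a version, not a package" > "/dev/stderr"
                else
                    print toks[t]
            }
        }
    }' "${1:-/dev/stdin}" | LC_ALL=C sort -u
}

# Constructed sample (not the Dockerfile above) exercising the tricky cases:
# a comment inside a continuation, "install -y" ordering and a stray version.
sample_dockerfile() {
    cat <<'EOF'
FROM kalilinux/kali-rolling
RUN apt update && apt -y upgrade && \
    # networking tools
    apt -y install nmap tcpdump \
    curl wget \
    && apt -y install yara jq \
    && apt clean && rm -rf /var/lib/apt/lists/*
RUN apt install -y \
    netcat-traditional 1.10-47 \
    tor
CMD ["/bin/bash"]
EOF
}

sample_dockerfile | dockerfile_packages
```

Feed the real Dockerfile as the argument and pipe the result through apt-cache policy inside a kali-rolling container to spot names the repository does not carry.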

Source: ChatGPT

Filed in General

Dockerfile for custom Red Team container

By technese - Last updated: Monday, November 11, 2024

To update and install the best Kali Linux tools for a complete penetration testing (Red Team) attack cycle in a Docker container, you can follow these steps. This setup ensures the tools are installed for each phase: reconnaissance, scanning, exploitation, post-exploitation, and reporting.

  1. Create a Dockerfile for a custom Kali image:
   # Start with the official Kali Linux Docker image
   FROM kalilinux/kali-rolling

   # Update and upgrade Kali packages
   RUN apt update && apt -y upgrade

   # Install general utilities
   RUN apt -y install curl wget vim git net-tools 

   # Install reconnaissance tools
   RUN apt -y install nmap enum4linux dnsenum theharvester dirb gobuster ffuf smbclient nbtscan

   # Install vulnerability scanners
   RUN apt -y install nikto metasploit-framework openvas sqlmap lynis

   # Install exploitation tools
   RUN apt -y install sqlmap hydra john exploitdb metasploit-framework msfpc seclists patator

   # Install post-exploitation tools
   RUN apt -y install crackmapexec mimikatz powershell-empire responder impacket-scripts

   # Install privilege escalation tools
   RUN apt -y install linpeas linux-exploit-suggester windows-exploit-suggester-2 enum4linux

   # Install reporting and documentation tools
   RUN apt -y install eyewitness dradis faraday

   # Clean up cached files
   RUN apt clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
  2. Build the Docker image with the following command:
   docker build -t kali-red-team .
  3. Run the Docker container:
   docker run -it kali-red-team /bin/bash

This Dockerfile installs essential tools across each phase of the attack cycle and prepares a Kali Linux environment ready for penetration testing. You can add or modify tools as needed based on specific objectives or targets.

Source: ChatGPT

Filed in General

Kali Docker tools install

By technese - Last updated: Monday, November 11, 2024

apt update && apt install -y \
nmap \
nikto \
theharvester \
dnsenum \
dnsmap \
maltego \
recon-ng \
openvas \
wapiti \
wpscan \
metasploit-framework \
beef-xss \
sqlmap \
aircrack-ng \
kismet \
reaver \
john \
hydra \
hashcat \
medusa \
autopsy \
sleuthkit \
binwalk \
burpsuite \
zaproxy \
wireshark \
ettercap-text-only \
mitmproxy \
empire \
responder \
faraday \
set \
radare2 \
ghidra \
weevely \
netcat-traditional \
proxychains4 \
tor \
macchanger

Source: https://www.kali.org/tools

Filed in General

Parrot Security: tool categories

By technese - Last updated: Monday, November 11, 2024

parrot-tools-automotive/parrot6 6.2.0 all
Pentest tools for vehicle hacking

parrot-tools-cloud/parrot6 6.2.0 amd64
Pentest tools for cloud environments

parrot-tools-forensics/parrot6 6.2.0 all
Pentest tools for forensics

parrot-tools-full/parrot6 6.2.0 amd64
Metapackage that installs a full penetration testing environment

parrot-tools-infogathering/parrot6 6.2.0 all
Pentest tools for information gathering

parrot-tools-maintain/parrot6 6.2.0 all
Pentest tools for maintaining access

parrot-tools-password/parrot6 6.2.0 all
Pentest tools for password attack

parrot-tools-postexploit/parrot6 6.2.0 all
Pentest tools for post exploitation

parrot-tools-pwn/parrot6 6.2.0 all
Pentest tools for exploitation

parrot-tools-reporting/parrot6 6.2.0 all
Pentest tools for reporting

parrot-tools-reversing/parrot6 6.2.0 all
Pentest tools for reverse engineering

parrot-tools-sniff/parrot6 6.2.0 all
Pentest tools for network sniffing

parrot-tools-vuln/parrot6 6.2.0 all
Pentest tools for vulnerability analysis

parrot-tools-web/parrot6 6.2.0 all
Pentest tools for web analysis

parrot-tools-wireless/parrot6 6.2.0 all
Pentest tools for wireless exploitation

Source: https://parrotsec.org/docs/introduction/what-is-parrot

Filed in General

Configure a separate PHP-FPM pool for each vhost. This allows each vhost to have its own isolated PHP-FPM process, which communicates over its own unique socket

By technese - Last updated: Monday, November 11, 2024

To create a separate FastCGI socket for each virtual host (vhost), you’ll typically need to configure a separate PHP-FPM pool for each vhost. This allows each vhost to have its own isolated PHP-FPM process, which communicates over its own unique socket. Here’s how you can set it up:

1. Configure Separate PHP-FPM Pools

PHP-FPM allows you to define multiple pools, each with unique settings, including its own socket. By creating a separate pool for each vhost, you can control resources independently and enhance security and isolation.

  1. Locate the PHP-FPM Pool Configuration Directory:
  2. Create a New Pool Configuration File for Each Vhost:
  3. Edit Each Pool Configuration File:
  4. Repeat for Each Vhost:
  5. Restart PHP-FPM:

2. Configure Apache for Each Vhost to Use the Correct FastCGI Socket

In your Apache configuration, you need to configure each vhost to use its respective FastCGI socket.

  1. Define Each Vhost in Apache (in /etc/apache2/sites-available/):
  2. Example Apache Configuration:
   <VirtualHost *:80>
       ServerName vhost1.example.com

       # FastCGI configuration for vhost1
       FastCgiExternalServer /var/www/vhost1/cgi-bin/php-fcgi -socket /var/run/php/php7.4-fpm-vhost1.sock -pass-header Authorization -pass-header Content-Type
       DocumentRoot /var/www/vhost1

       <Directory /var/www/vhost1>
           Options +ExecCGI
           Require all granted
       </Directory>
   </VirtualHost>

   <VirtualHost *:80>
       ServerName vhost2.example.com

       # FastCGI configuration for vhost2
       FastCgiExternalServer /var/www/vhost2/cgi-bin/php-fcgi -socket /var/run/php/php7.4-fpm-vhost2.sock -pass-header Authorization -pass-header Content-Type
       DocumentRoot /var/www/vhost2

       <Directory /var/www/vhost2>
           Options +ExecCGI
           Require all granted
       </Directory>
   </VirtualHost>
  3. Reload Apache:
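The pool file each vhost needs (the content of the steps in section 1), as an added example that is not part of the original post: the script below writes one pool per vhost with its own unix account, its own socket and its own process cap, and the socket path it emits is the one the FastCgiExternalServer -socket argument above must point at. The vhost names, accounts, PHP version and output directory are assumptions; in practice the files go into the pool.d directory of the installed PHP-FPM version.

```shell
#!/bin/sh
# Write <pool-dir>/<vhost>.conf so that each vhost gets its own PHP-FPM pool:
# its own unix account, its own socket and its own process limits.
# Usage: write_fpm_pool <vhost> <unix-account> <php-version> <pool-dir>
write_fpm_pool() {
    vhost="$1"; account="$2"; phpver="$3"; pooldir="$4"
    # The pool name becomes an ini section header; refuse anything unusual.
    case "$vhost" in
        ""|*[!a-z0-9.-]*) echo "refusing vhost name '$vhost'" >&2; return 1 ;;
    esac
    # Must equal the -socket argument of FastCgiExternalServer for this vhost.
    sock="/var/run/php/php${phpver}-fpm-${vhost}.sock"
    mkdir -p "$pooldir"
    cat > "$pooldir/$vhost.conf" <<EOF
[$vhost]
; workers run as the site's own account, not as the shared www-data
user = $account
group = $account
; dedicated socket, connectable only by the web server account
listen = $sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
; per-site process cap so one site cannot starve the others
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
; keep this site's PHP inside its own document root
php_admin_value[open_basedir] = /var/www/$vhost:/tmp
EOF
    echo "$sock"
}

# Constructed example: two vhosts written to a scratch directory instead of
# /etc/php/7.4/fpm/pool.d (assumed PHP 7.4, matching the Apache config above).
demo_dir="${TMPDIR:-/tmp}/fpm-pools-demo"
write_fpm_pool vhost1 site1 7.4 "$demo_dir"
write_fpm_pool vhost2 site2 7.4 "$demo_dir"
```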

Summary

By configuring a separate PHP-FPM pool and socket for each vhost, each site operates in isolation with its own dedicated FastCGI process. This setup not only enhances security but also allows for resource control per vhost, preventing one site from monopolizing resources at the expense of others.

Source: ChatGPT

Filed in General

Disable monitor blanking on Debian with LXDE for remote access using NoMachine and VNC

By technese - Last updated: Sunday, November 11, 2018

Edit file: /etc/xdg/lxsession/LXDE/autostart
Remove:
@xscreensaver -no-splash

Append:

@xset s noblank
@xset s off
@xset -dpms

Source: https://raspberrypi.stackexchange.com/questions/752/how-do-i-prevent-the-screen-from-going-blank

Filed in General

Patch vSphere 5.5 Updates

By technese - Last updated: Saturday, September 22, 2018

https://kb.vmware.com/s/article/2008939
(OLD: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2008939)

http://www.v-front.de/2014/09/vmware-releases-vsphere-55-update-2.html

Filed in General

Search for string in file system in Linux

By technese - Last updated: Thursday, October 22, 2015

Search for the string ‘root’ in every file below the current directory and print only the matching file names (run it from / to cover the entire filesystem):

# grep -H -R root ./* | cut -d: -f1

Source: http://www.cyberciti.biz/faq/howto-search-find-file-for-text-string

Filed in General

Shrink qemu qcow2 files

By technese - Last updated: Thursday, October 22, 2015

Excerpt from source:

Windows Guest

1. Delete all unnecessary files, empty recycle bin
2. Defragment drive (you might need to do this several times, until you see it “compacted” well)
3. Use sdelete to zero free disk space. Please note that this operation will cause all free disk space to be filled with zeros, so the virtual machine image will grow to the maximum size.

Using command prompt

sdelete -c c:

Linux/FreeBSD Guest

# dd if=/dev/zero of=./zero bs=1M
# sync
# rm -f ./zero

Note, the bs parameter is important, since it greatly reduces the time necessary to complete this task.

Host
Convert the image to the same format that it currently is (e.g. qcow2 => qcow2)… during this procedure it will release unused space.

# qemu-img convert -O qcow2 w2k3.qcow2 w2k3-shrinked.qcow2

Source:
http://mindref.blogspot.com/2011/07/shrink-qcow2.html

Download sdelete from here:

https://technet.microsoft.com/en-us/sysinternals/bb897443.aspx

Filed in General

Find files larger than 50 megabytes in Linux

By technese - Last updated: Thursday, October 22, 2015

Find files larger than 50 megabytes

$ find . -type f -size +50000k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'

Reference: http://www.cyberciti.biz/faq/find-large-files-linux

Filed in General