GoatPen is a diverse collection of vulnerable applications and infrastructure, affectionately referred to as "goats," designed for learners to practice their skills. Currently, GoatPen includes AWSGoat (AWS Security), GCPGoat (GCP Security), AzureGoat (Azure Security), GearGoat (Automobile Security), and ICSGoat (ICS Security), with more in the development and concept stages. Together, these tools have garnered over 2,700 stars and 1,200 forks on GitHub, reflecting their popularity and utility in the security community. Each member of GoatPen is actively maintained and updated.
Deploying these tools is made simple with GoatPen: the only local requirement is Docker, while the goats themselves are provisioned into your own Google Cloud project. GoatPen's built-in deployment helpers handle the setup of individual components, offering flexibility and ease of use for security professionals and developers. The platform also makes it easy for enthusiasts and learners to discover and keep up with the latest updates and additions to these security tools.
The project is divided into modules, and each module is a separate goat application/infrastructure. It leverages IaC through Terraform, Google Cloud Build, and Google App Engine to ease the deployment process.
Presented at
Developed with ❤️ by INE
- Shell
- NextJs
- Python 3
- Terraform
- Docker
- Google Cloud Platform
- A Linux/Windows/macOS machine with Docker installed
- Editor-level access to a Google Cloud project
- Project-specific GCP credentials (a service account in that project, and its key file for CLI mode)
GoatPen can be run in two configurations, selected with the APP_MODE environment variable:
- cli: Deploy/Destroy all goat modules by interacting through the CLI
- web: Deploy/Destroy all goat modules by interacting through the web GUI, deployed on Google App Engine
Here are the steps to follow:
Step 1. Clone the repo
git clone https://github.com/nishantsharmax/goatpen
Step 2. Update submodules
cd goatpen
cd modules && git submodule update --init --recursive
Step 3. Build GoatPen image
cd ..
docker build . -t goatpen
Step 4. Run the container in either web or cli mode.
Web Mode
Required Inputs:
GCP_PROJECT_NAME: GCP Project to deploy GoatPen's Web GUI on GAE
SERVICE_ACCOUNT_EMAIL: GCP Service Account Email to be used by GoatPen (passed to the container as SERVICE_ACCOUNT_NAME)
ADMIN_PASSWORD: Password for the web GUI's admin login. The command below uses the sample value Admin@123; replace it with a strong password of your own before exposing the GUI on App Engine, and remember that a value passed with -e is visible to anyone who can run docker inspect on the host.
docker run -it -e GCLOUD_PROJECT=<GCP_PROJECT_NAME> -e APP_MODE=web -e ADMIN_PASSWORD=Admin@123 -e SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_EMAIL> --name goat-pen-web goatpen
CLI Mode
Required Inputs:
GCP_PROJECT_NAME: GCP Project in which GoatPen deploys the goat modules
SERVICE_ACCOUNT_EMAIL: GCP Service Account Email to be used by GoatPen
SERVICE_ACCOUNT_KEY_PATH: Local path (absolute, as Docker requires for -v) to the GCP Service Account key file. The file is mounted into the container and read through GOOGLE_APPLICATION_CREDENTIALS; keep it out of the repository and consider appending :ro to the mount so the container cannot modify it.
docker run -it -e GCLOUD_PROJECT=<GCP_PROJECT_NAME> -e APP_MODE=cli -e GOOGLE_APPLICATION_CREDENTIALS="/app/secure/service-account-key.json" -v <SERVICE_ACCOUNT_KEY_PATH>:/app/secure/service-account-key.json --name goatpen-cli goatpen
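The two `docker run` lines above fail late and unhelpfully when given a mistyped project ID, a wrong key file, or a relative key path. The following pre-flight helper is an added example, not a script shipped with GoatPen: it validates those inputs against rules that are documented outside this README (the Google Cloud project ID format, the `*.iam.gserviceaccount.com` service-account address form, the `"type": "service_account"` field of a key file) and only then prints the command to run. The image tag `goatpen` comes from Step 3; the `--rm` flag, the `:ro` mount suffix, and the minimum admin-password length are this example's own choices.

```shell
#!/usr/bin/env sh
# Added pre-flight helper for the GoatPen docker run commands (example, not project code).
# Assumptions: image is tagged "goatpen" (Step 3); key is mounted read-only; --rm is added.

# Google Cloud project IDs: 6-30 chars, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
valid_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Service-account addresses always end in .iam.gserviceaccount.com.
valid_sa_email() {
  printf '%s' "$1" | grep -Eq '^[^@ ]+@[^@ ]+\.iam\.gserviceaccount\.com$'
}

# Print the CLI-mode command. Returns non-zero (and prints nothing) on bad input.
goatpen_cli_cmd() {
  project="$1"; key_path="$2"
  valid_project_id "$project" || { echo "invalid GCP project id: $project" >&2; return 1; }
  case "$key_path" in
    /*) ;;  # docker -v needs an absolute host path
    *) echo "key path must be absolute: $key_path" >&2; return 1 ;;
  esac
  [ -f "$key_path" ] || { echo "service-account key not found: $key_path" >&2; return 1; }
  # Reject OAuth client files and other JSON that is not a service-account key.
  grep -q '"type": *"service_account"' "$key_path" \
    || { echo "not a service-account key file: $key_path" >&2; return 1; }
  printf 'docker run -it --rm -e GCLOUD_PROJECT=%s -e APP_MODE=cli -e GOOGLE_APPLICATION_CREDENTIALS=/app/secure/service-account-key.json -v %s:/app/secure/service-account-key.json:ro --name goatpen-cli goatpen\n' \
    "$project" "$key_path"
}

# Print the web-mode command. Refuses the README's sample password and short ones;
# note the password still lands in the container environment (visible via docker inspect).
goatpen_web_cmd() {
  project="$1"; sa_email="$2"; admin_password="$3"
  valid_project_id "$project" || { echo "invalid GCP project id: $project" >&2; return 1; }
  valid_sa_email "$sa_email" || { echo "not a service-account email: $sa_email" >&2; return 1; }
  [ "$admin_password" != "Admin@123" ] && [ "${#admin_password}" -ge 12 ] \
    || { echo "choose an admin password of at least 12 characters, not the sample one" >&2; return 1; }
  printf 'docker run -it --rm -e GCLOUD_PROJECT=%s -e APP_MODE=web -e ADMIN_PASSWORD=%s -e SERVICE_ACCOUNT_NAME=%s --name goat-pen-web goatpen\n' \
    "$project" "$admin_password" "$sa_email"
}

# Usage (evaluate the printed command once it looks right):
#   goatpen_cli_cmd my-goat-project /home/me/keys/goatpen-sa.json
#   goatpen_web_cmd my-goat-project goatpen@my-goat-project.iam.gserviceaccount.com 'a-long-unique-password'
```

Run the helper with `sh -c '. ./goatpen-preflight.sh; goatpen_cli_cmd ...'` or source it into your shell; pipe the printed command through `sh` only after you have checked it, since the password is echoed in clear.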
Web Deployment Process Screenshots
Step 4. Deploy required module
Step 5. Destroy required module TODO: add screenshot for destroy module usage from cli
GoatPen is designed to make it easy for contributors to keep adding vulnerable applications/infrastructures that can be deployed without any dependency on the user's system beyond Docker.
How it works:
- For each module added there is a cloudbuild.yml file in the directory web/assets/goat-pen-assets/build-files. This configuration file can customize the deployment process for each goat app.
- For each module to be added to the web GUI, the required input file is to be added at web/assets/goat-pen-assets/input-files; a sample file is available at web/assets/goat-pen-assets/input-files/example.json.
- Furthermore, information about each web GUI deployment can be added to web/assets/goat-pen-assets/md-files; these files are rendered as Markdown in the web GUI.
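To make the first bullet concrete, here is what a per-module Cloud Build configuration of the kind described above can look like. This is an added illustration, not a file taken from the GoatPen repository: the module directory name, the `_MODULE` and `_ACTION` substitutions, the Terraform image tag, and the timeout are all assumptions chosen for the example. What it shows is the pattern the README describes, one build file per goat that drives that goat's Terraform code, with the same file serving both deploy (`apply`) and destroy through a substitution.

```yaml
# Illustrative build file for one goat module (example, not GoatPen's own file).
# Assumed: the module's Terraform code lives under modules/<name> as a git submodule,
# and the caller overrides _ACTION with "destroy" to tear the module down.
substitutions:
  _MODULE: "example-goat"   # assumption: directory name under modules/
  _ACTION: "apply"          # "apply" to deploy, "destroy" to remove

steps:
  # Pin the Terraform image so every deployment of this goat uses the same binary.
  - name: "hashicorp/terraform:1.5"
    id: "init"
    dir: "modules/${_MODULE}"
    args: ["init", "-input=false"]

  # -auto-approve is acceptable here because the target is a throwaway lab project;
  # -input=false makes a missing variable fail the build instead of hanging on a prompt.
  - name: "hashicorp/terraform:1.5"
    id: "${_ACTION}"
    dir: "modules/${_MODULE}"
    args: ["${_ACTION}", "-auto-approve", "-input=false"]

options:
  logging: CLOUD_LOGGING_ONLY

# Assumption: 30 minutes is enough for a single goat; raise it for modules that
# create many resources.
timeout: "1800s"
```

Because `cloudbuild.yml` runs with the Cloud Build service account's permissions, scope that account to the lab project only; the goats are intentionally vulnerable and should never share a project with anything you care about.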
Rishappreet Singh Moonga, Software Engineer, INE rmoon@ine.com
Shantanu Kale, Lab Infrastructure Team Lead, INE skale@ine.com
Nishant Sharma, Director, Lab Platform, INE nsharma@ine.com
For more details refer to the "GoatPen.pdf" PDF file. This file contains the slide deck used for presentations.
- Contributions in the form of code improvements, module additions, feature improvements, and any general suggestions are welcome.
- Improvements to the functionalities of the current modules are also welcome.
- The source code for each module can be found linked as submodules in modules/; this can be used to add existing applications into GoatPen.
This program is free software: you can redistribute it and/or modify it under the terms of the MIT License.
You should have received a copy of the MIT License along with this program. If not, see https://opensource.org/licenses/MIT.