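# syntax=docker/dockerfile:1
# Strix sandbox image: a Kali-based environment for the AI pentesting agent.
#
# Layout, in build order: base + users -> OS packages -> local test CA ->
# per-tool installers (Go, pipx, npm, git, vendor install scripts) -> Python
# application venv -> entrypoint.  The repeated root/pentester switches are
# deliberate: package installs need root, everything that lands under
# /home/pentester is created by the user that will own it.

# kali-rolling publishes no stable version tags.  Override BASE_IMAGE with a
# digest-pinned reference (…@sha256:<digest>) for a reproducible build.
ARG BASE_IMAGE=kalilinux/kali-rolling:latest
FROM ${BASE_IMAGE}

LABEL description="AI Agent Penetration Testing Environment with Comprehensive Automated Tools"

# Several steps below pipe a downloaded installer into `sh`.  With plain
# `/bin/sh -c` only the last command's status counts, so a failed download
# runs an empty script and the build continues without the tool.  pipefail
# makes the download failure fatal.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Refresh the archive keyring first (the one shipped in the base image may
# already be stale on a rolling distro), then bring the base up to date.
# Package lists are removed in the same layer; every later apt layer runs
# its own `apt-get update`, so a stale list is never reused.
RUN apt-get update && \
    apt-get install -y kali-archive-keyring sudo && \
    apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get upgrade -y && \
    rm -rf /var/lib/apt/lists/*

# Unprivileged user the agent runs as.  Passwordless sudo is intentional for
# this sandbox (several tools need root at runtime), which means
# `USER pentester` is a convenience boundary rather than a security one —
# containment has to come from the container runtime.  The rule lives in
# sudoers.d and is syntax-checked with visudo so a malformed line fails the
# build instead of breaking sudo in the finished image.
RUN useradd -m -s /bin/bash pentester && \
    usermod -aG sudo pentester && \
    mkdir -p /etc/sudoers.d && \
    echo "pentester ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/pentester && \
    chmod 0440 /etc/sudoers.d/pentester && \
    visudo -cf /etc/sudoers.d/pentester && \
    touch /home/pentester/.hushlogin

# Working directories.  Everything under /home/pentester is handed to the
# user (mkdir as root would otherwise leave e.g. the output directory
# root-owned and unwritable without sudo); /app/certs is written by the
# pentester user in the CA step below.
RUN mkdir -p /home/pentester/configs \
             /home/pentester/wordlists \
             /home/pentester/output \
             /home/pentester/scripts \
             /home/pentester/tools \
             /app/runtime \
             /app/tools \
             /app/certs && \
    chown -R pentester:pentester /app/certs \
                                 /home/pentester/configs \
                                 /home/pentester/wordlists \
                                 /home/pentester/output \
                                 /home/pentester/scripts \
                                 /home/pentester/tools

# OS packages: build toolchain, language runtimes, network utilities, the
# apt-packaged scanners, and the shared libraries + fonts that the headless
# Chromium installed by Playwright later needs.  Versions are unpinned on
# purpose — kali-rolling moves too fast for pins to stay installable.
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        wget curl git vim nano unzip tar \
        apt-transport-https ca-certificates gnupg lsb-release \
        build-essential software-properties-common \
        gcc libc6-dev pkg-config libpcap-dev libssl-dev \
        python3 python3-pip python3-dev python3-venv python3-setuptools \
        golang-go \
        net-tools dnsutils whois \
        jq parallel ripgrep grep \
        less man-db procps htop \
        iproute2 iputils-ping netcat-traditional \
        nmap ncat ndiff \
        sqlmap nuclei subfinder naabu ffuf \
        nodejs npm pipx \
        libcap2-bin \
        gdb \
        tmux \
        libnss3 libnspr4 libdbus-1-3 libatk1.0-0 libatk-bridge2.0-0 libcups2 libdrm2 libatspi2.0-0 \
        libxcomposite1 libxdamage1 libxfixes3 libxrandr2 libgbm1 libxkbcommon0 libpango-1.0-0 libcairo2 libasound2t64 \
        fonts-unifont fonts-noto-color-emoji fonts-freefont-ttf fonts-dejavu-core ttf-bitstream-vera \
        libnss3-tools && \
    rm -rf /var/lib/apt/lists/*

# Let nmap use raw sockets / bind privileged ports without sudo.  File
# capabilities apply to every user able to execute the binary, not just
# pentester.
RUN setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip "$(command -v nmap)"

USER pentester

# Throwaway root CA for TLS interception inside the sandbox.  It is generated
# fresh on every build, so no two images share a key.  The key and the
# PKCS#12 bundle (empty export password; protected by 0600 instead) are
# readable by the pentester user, which the interception tooling requires.
RUN openssl ecparam -name prime256v1 -genkey -noout -out /app/certs/ca.key && \
    openssl req -x509 -new -key /app/certs/ca.key \
        -out /app/certs/ca.crt \
        -days 3650 \
        -subj "/C=US/ST=CA/O=Security Testing/CN=Testing Root CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign" && \
    openssl pkcs12 -export \
        -out /app/certs/ca.p12 \
        -inkey /app/certs/ca.key \
        -in /app/certs/ca.crt \
        -passout pass:"" \
        -name "Testing Root CA" && \
    chmod 644 /app/certs/ca.crt && \
    chmod 600 /app/certs/ca.key && \
    chmod 600 /app/certs/ca.p12

USER root

# Trust the sandbox CA system-wide so tools routed through the intercepting
# proxy do not fail certificate validation.
RUN cp /app/certs/ca.crt /usr/local/share/ca-certificates/ca.crt && \
    update-ca-certificates

# uv (Python project manager) via its upstream installer.  Unpinned: the
# script installs whatever the current release is.
RUN curl -LsSf https://astral.sh/uv/install.sh | env UV_INSTALL_DIR=/usr/local/bin sh

USER pentester
WORKDIR /tmp

# Go-based tooling, installed into /home/pentester/go/bin (added to PATH
# below).  `@latest` means each build resolves the newest module version.
RUN go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest && \
    go install -v github.com/projectdiscovery/katana/cmd/katana@latest && \
    go install -v github.com/projectdiscovery/cvemap/cmd/vulnx@latest && \
    go install -v github.com/jaeles-project/gospider@latest && \
    go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest

# Fetch the nuclei template set at build time so first use is offline-safe.
RUN nuclei -update-templates

# Python CLI tools, each in its own pipx venv under /home/pentester/.local.
# dirsearch still imports pkg_resources, hence the setuptools injection.
RUN pipx install arjun && \
    pipx install dirsearch && \
    pipx inject dirsearch setuptools && \
    pipx install wafw00f

# Global npm installs go to a user-owned prefix so they need no root.
ENV NPM_CONFIG_PREFIX=/home/pentester/.npm-global
RUN mkdir -p /home/pentester/.npm-global

RUN npm install -g retire@latest && \
    npm install -g eslint@latest && \
    npm install -g js-beautify@latest && \
    npm install -g @ast-grep/cli@latest && \
    npm install -g tree-sitter-cli@latest

# Tree-sitter grammars for code analysis.  Grammars are cloned (shallow)
# into a user-owned parser directory; the typescript repo carries two
# grammars (typescript, tsx) that are exposed via symlinks so tree-sitter
# finds them by directory name.  The parser directory is then merged into
# the CLI config with jq, keeping any entries already present.
RUN set -eux; \
    TS_PARSER_DIR="/home/pentester/.tree-sitter/parsers"; \
    mkdir -p "${TS_PARSER_DIR}"; \
    for repo in tree-sitter-java tree-sitter-javascript tree-sitter-python tree-sitter-go tree-sitter-bash tree-sitter-json tree-sitter-yaml tree-sitter-typescript; do \
        if [ "$repo" = "tree-sitter-yaml" ]; then \
            repo_url="https://github.com/tree-sitter-grammars/${repo}.git"; \
        else \
            repo_url="https://github.com/tree-sitter/${repo}.git"; \
        fi; \
        if [ ! -d "${TS_PARSER_DIR}/${repo}" ]; then \
            git clone --depth 1 "${repo_url}" "${TS_PARSER_DIR}/${repo}"; \
        fi; \
    done; \
    if [ -d "${TS_PARSER_DIR}/tree-sitter-typescript/typescript" ]; then \
        ln -sfn "${TS_PARSER_DIR}/tree-sitter-typescript/typescript" "${TS_PARSER_DIR}/tree-sitter-typescript-typescript"; \
    fi; \
    if [ -d "${TS_PARSER_DIR}/tree-sitter-typescript/tsx" ]; then \
        ln -sfn "${TS_PARSER_DIR}/tree-sitter-typescript/tsx" "${TS_PARSER_DIR}/tree-sitter-typescript-tsx"; \
    fi; \
    tree-sitter init-config >/dev/null 2>&1 || true; \
    TS_CONFIG="/home/pentester/.config/tree-sitter/config.json"; \
    mkdir -p "$(dirname "${TS_CONFIG}")"; \
    [ -f "${TS_CONFIG}" ] || printf '{}\n' > "${TS_CONFIG}"; \
    TMP_CFG="$(mktemp)"; \
    jq --arg p "${TS_PARSER_DIR}" '.["parser-directories"] = ((.["parser-directories"] // []) + [$p] | unique)' "${TS_CONFIG}" > "${TMP_CFG}"; \
    mv "${TMP_CFG}" "${TS_CONFIG}"

# Script-based tools that are not packaged; cloned from their default branch
# (unpinned) into the user's tools directory.
WORKDIR /home/pentester/tools
RUN git clone https://github.com/aravind0x7/JS-Snooper.git && \
    chmod +x JS-Snooper/js_snooper.sh && \
    git clone https://github.com/xchopath/jsniper.sh.git && \
    chmod +x jsniper.sh/jsniper.sh && \
    git clone https://github.com/ticarpi/jwt_tool.git && \
    chmod +x jwt_tool/jwt_tool.py

USER root

# trufflehog via its upstream installer (unpinned; see SHELL note above).
RUN curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin

# gitleaks release tarball from GitHub.
#   GITLEAKS_VERSION — a release tag (v<major>.<minor>.<patch>); empty means
#                      resolve the latest release through the unauthenticated,
#                      rate-limited GitHub API.
#   GITLEAKS_SHA256  — when set, the downloaded archive must match it.
ARG GITLEAKS_VERSION=""
ARG GITLEAKS_SHA256=""
RUN set -eux; \
    ARCH="$(uname -m)"; \
    case "$ARCH" in \
        x86_64) GITLEAKS_ARCH="x64" ;; \
        aarch64|arm64) GITLEAKS_ARCH="arm64" ;; \
        *) echo "Unsupported architecture: $ARCH" >&2; exit 1 ;; \
    esac; \
    TAG="${GITLEAKS_VERSION:-$(curl -fsSL https://api.github.com/repos/gitleaks/gitleaks/releases/latest | jq -r .tag_name)}"; \
    curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/${TAG}/gitleaks_${TAG#v}_linux_${GITLEAKS_ARCH}.tar.gz" -o /tmp/gitleaks.tgz; \
    if [ -n "${GITLEAKS_SHA256}" ]; then echo "${GITLEAKS_SHA256}  /tmp/gitleaks.tgz" | sha256sum -c -; fi; \
    tar -xzf /tmp/gitleaks.tgz -C /tmp; \
    install -m 0755 /tmp/gitleaks /usr/local/bin/gitleaks; \
    rm -f /tmp/gitleaks /tmp/gitleaks.tgz

# apt-packaged web scanners.  One layer with its own `apt-get update` so the
# install never runs against a package list left over from an earlier layer.
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y zaproxy wapiti && \
    rm -rf /var/lib/apt/lists/*

# trivy via its upstream installer (unpinned).
RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

USER pentester

# Static-analysis tooling owned by the pentester user.
RUN pipx install semgrep && \
    pipx install bandit

RUN npm install -g jshint

USER root

# Final apt housekeeping plus a sweep of the scratch directories the tool
# installs above used.
RUN apt-get autoremove -y && \
    apt-get autoclean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

# Tool locations for non-login shells (docker exec / the entrypoint); the
# .bashrc/.profile exports further down cover interactive logins.
ENV PATH="/home/pentester/go/bin:/home/pentester/.local/bin:/home/pentester/.npm-global/bin:/app/.venv/bin:$PATH"
ENV VIRTUAL_ENV="/app/.venv"

WORKDIR /app

# Caido CLI (intercepting proxy).  CAIDO_VERSION selects the release;
# CAIDO_SHA256, when set, is checked against the downloaded archive.
ARG CAIDO_VERSION=0.48.0
ARG CAIDO_SHA256=""
RUN ARCH=$(uname -m) && \
    if [ "$ARCH" = "x86_64" ]; then \
        CAIDO_ARCH="x86_64"; \
    elif [ "$ARCH" = "aarch64" ] || [ "$ARCH" = "arm64" ]; then \
        CAIDO_ARCH="aarch64"; \
    else \
        echo "Unsupported architecture: $ARCH" && exit 1; \
    fi && \
    wget -O caido-cli.tar.gz "https://caido.download/releases/v${CAIDO_VERSION}/caido-cli-v${CAIDO_VERSION}-linux-${CAIDO_ARCH}.tar.gz" && \
    if [ -n "${CAIDO_SHA256}" ]; then echo "${CAIDO_SHA256}  caido-cli.tar.gz" | sha256sum -c -; fi && \
    tar -xzf caido-cli.tar.gz && \
    chmod +x caido-cli && \
    rm caido-cli.tar.gz && \
    mv caido-cli /usr/local/bin/

# Runtime configuration.  The two CA-bundle variables point Python's
# requests/ssl at the system bundle that now includes the sandbox CA.
ENV STRIX_SANDBOX_MODE=true \
    PYTHONPATH=/app \
    REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt \
    SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

# /app must be pentester-writable for the venv created below.  Files COPYed
# after this point (without --chown) stay root-owned and therefore read-only
# for the agent user.
RUN mkdir -p /workspace && chown -R pentester:pentester /workspace /app

# Dependency manifests first so the venv layer is cached until they change;
# a stub package is enough for `uv sync` to resolve the project itself.
COPY pyproject.toml uv.lock ./
RUN echo "# Sandbox Environment" > README.md && mkdir -p strix && touch strix/__init__.py

USER pentester
RUN uv sync --frozen --no-dev --extra sandbox
RUN /app/.venv/bin/python -m playwright install chromium

# jwt_tool's dependencies go into the application venv; the symlink puts the
# script on PATH next to the pipx-managed tools.
RUN uv pip install -r /home/pentester/tools/jwt_tool/requirements.txt && \
    ln -s /home/pentester/tools/jwt_tool/jwt_tool.py /home/pentester/.local/bin/jwt_tool

# Application source, copied after the venv so code changes do not
# invalidate the dependency layers.
COPY strix/__init__.py strix/
COPY strix/config/ /app/strix/config/
COPY strix/utils/ /app/strix/utils/
COPY strix/telemetry/ /app/strix/telemetry/
COPY strix/runtime/tool_server.py strix/runtime/__init__.py strix/runtime/runtime.py /app/strix/runtime/
COPY strix/tools/ /app/strix/tools/

# Interactive shells do not inherit the ENV PATH above once a login profile
# resets it, so export it for bash logins as well.
RUN echo 'export PATH="/home/pentester/go/bin:/home/pentester/.local/bin:/home/pentester/.npm-global/bin:$PATH"' >> /home/pentester/.bashrc && \
    echo 'export PATH="/home/pentester/go/bin:/home/pentester/.local/bin:/home/pentester/.npm-global/bin:$PATH"' >> /home/pentester/.profile

USER root
COPY containers/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
RUN chmod +x /usr/local/bin/docker-entrypoint.sh

USER pentester
WORKDIR /workspace

# Absolute path: the entrypoint must not depend on PATH resolution.
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]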