@nma-io
Last active August 26, 2020 00:48
A quick guide to deploying some Security Docker Containers.

Install

Grab a copy of Docker for your platform here: https://www.docker.com/community-edition#/download Follow the installation guide, then give the Docker engine as much memory and CPU as you're willing to spare (on Windows and macOS this is set in Docker Desktop's resource settings; on Linux containers use the host directly).

Docker Containers I find useful for general security tasks:

Local Debian instance: debian:latest

Metasploit: remnux/metasploit

Chrome via VNC (Useful for investigating malware sites): siomiz/chrome

WordPress Scan: wpscanteam/wpscan

OpenVAS Scanner: mikesplain/openvas

Splunk Enterprise w/20GB/Day License!: store/splunk/enterprise

Google Rapid Response: grrdocker/grr:latest

All of these images can be fetched with docker pull - For example: docker pull debian:latest

General Notes:

If you want to save the state of a container as a new image, use: docker commit <container id> yourname/containername:latest - Note that commit captures the container's own filesystem layer only; anything written to a volume (-v or --volumes-from) is not part of the committed image.

Once you have committed a container, you can untag the image you originally pulled with: docker rmi [original/location] - The layers your committed image still depends on stay on disk. If it's a local image you can keep overwriting the same name with each commit.

To Pause a docker instance: docker pause [containerid]

To Stop a docker instance: docker stop [containerid/name]

To purge it from running processes: docker rm [container id/name]

To restart a stopped/paused instance: docker start [container id/name]

To open an interactive shell in a container that is already running another command: docker exec -it [container id/name] /bin/sh (or /bin/bash where the image has it)

To detach from an interactive session but leave the container running: CTRL-P then CTRL-Q (this only works for sessions started with -it; the sequence can be changed with --detach-keys)

Resume from a detached session with: docker attach [container id/name]

Copy a Docker image from one host to another (via USB/etc): docker save -o fileimage [image:tag] - save works on images, so commit the container first if you want its current state. (docker export dumps a container's filesystem to a tar without the image metadata; that one is restored with docker import.)

Then on the new host: docker load -i fileimage

Get a list of running docker containers with: docker ps (add -a to include stopped ones)

You can adjust networking settings within docker using: docker network

All docker commands come with useful help. For example: docker network --help

Individual Docker Container Usage

SPLUNK LOG COLLECTOR (Comes with 20GB/day license valid for 1 Year!):

There are other log collection technologies out there, such as Graylog, ELK, OSSIM, etc. However in my opinion, Splunk is the Microsoft of log collecting, and you're likely to encounter it at most businesses; so it's a good tool to learn. This doesn't mean you shouldn't use the others too!

Splunk is kind enough to provide a free docker template for Temporary/IR/Labs/Training usage. This container allows the collection of up to 20GB/Day of any type of log, and the license is valid for a full year.

First you need to create a persistent data store for Splunk's configuration (/opt/splunk/etc) and indexed data (/opt/splunk/var); without it both are thrown away when the Splunk container is removed (stopping a container keeps its data, docker rm does not). The container below never runs anything; it only exists to own the two volumes:

docker run --name vsplunk -v /opt/splunk/etc -v /opt/splunk/var busybox

Then you should start Splunk. Read the license agreement here: https://www.splunk.com/en_us/legal/splunk-software-license-agreement.html Then, if you accept:

docker run -d -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_USER=root" -p "8000:8000" -p "514:514/udp" -p "1514:1514/udp" -p "514:514" -p "1514:1514" -p "8089:8089" -p "9997:9997" --volumes-from=vsplunk store/splunk/enterprise

Then you can connect to it by visiting http://127.0.0.1:8000

The license allows a single user, and the default credentials are admin:changeme. Change the password before anything else: the command above publishes the web UI (8000), the management port (8089), the forwarder port (9997) and the syslog listeners on every interface of the host, so anyone on the same network gets the login page. Prefix the -p specs with 127.0.0.1: (for example -p "127.0.0.1:8000:8000") for the ports only you need to reach; the syslog and forwarder ports have to stay reachable by the hosts that send logs.

You can make your updates, such as change the hostname, install applications, change the web password, update the system, etc. Once finished, use:

docker commit <container id> yourname/splunk_image:latest

Keep in mind what commit does and does not capture here: because /opt/splunk/etc and /opt/splunk/var come from the vsplunk volumes, your configuration changes, installed apps and indexed data live in those volumes and are not part of the committed image. The committed image only records changes to the rest of the filesystem (OS packages, for example). To carry the configuration somewhere else, back up the vsplunk volumes as well (docker cp, or a tar run in a throwaway container started with --volumes-from=vsplunk).

CHROME VIA VNC -- Starts an isolated Chrome browser reachable over VNC on localhost port 5900:

This is especially useful if you're a Windows user and want to look at a suspicious site with far less risk to your local machine. Remember that a container shares the host's kernel, so this is process isolation rather than a VM: fine for eyeballing a phishing page, not a substitute for a proper analysis VM when you expect browser exploits.
The browser is not high performance and copy/paste is a pain in the butt over VNC - but it gets the job done. Keep the port bound to 127.0.0.1 as below; check the image's README for the VNC password option before exposing it any wider.

docker run -d -p 127.0.0.1:5900:5900 siomiz/chrome

OpenVAS - Security Scanner

OpenVAS is a community fork of Nessus: when Tenable closed the Nessus source in 2005, some folks forked the last open release and built their own platform on it. Now it's a decent "free" competitor to the Nessus product, with a community of security folks developing plugins.

The web interface makes it easy for anyone with just a little experience scanning to get started.

docker run -d -p 443:443 --name openvas mikesplain/openvas

Once launched (the first start takes a while, since the container has to set up its vulnerability feed), login to the web interface via https://localhost:443 and accept the self-signed certificate. You can adjust the -p 443:443 if you need to use a different port, and prefix it with 127.0.0.1: if nobody else needs the UI. Credentials are simply:

Username: admin Password: admin

Change them at first login; a scanner with default credentials reachable on the network is a gift to anyone else on it.

Metasploit - Exploitation Framework

Because, what security microservices package would be complete without Metasploit?

docker run --rm -it -p 4444:4444 -v ~/.msf4:/root/.msf4 -v /tmp/msf:/tmp/data remnux/metasploit

Set the data directories (~/.msf4 and /tmp/msf) and port (4444) to match your needs. 4444 is the default handler port, and it must be published for reverse connections from a target to reach the container; set LHOST in your payloads to the Docker host's address, not the container's internal 172.x address, or the callback never arrives. The updates (gems/plugins/etc) will take 2-5 minutes. Once done you'll be in the /tmp/data directory.

Run: ./msfconsole and pwn away.

GRR (Google Rapid Response)

Google Rapid Response is an excellent tool for remote host system analysis. There is a host of things you can do with this tool and the good folks maintaining it are adding more capabilities every week.

We won't tell OpenText you're using it instead of EnCase. :)

docker run -e EXTERNAL_HOSTNAME="grrdocker.yourcompany.com" -e ADMIN_PASSWORD="GoogleRapidResponse" --ulimit nofile=1048576:1048576 -p 0.0.0.0:8000:8000 -p 0.0.0.0:8080:8080 grrdocker/grr:latest

Pick your own ADMIN_PASSWORD rather than the placeholder above, and set EXTERNAL_HOSTNAME to a name your endpoints can actually resolve, since the clients GRR generates connect back to it. The 0.0.0.0 prefix makes the admin UI (8000) and the client frontend (8080) reachable from everywhere; the frontend has to be, the UI usually does not. Also note that GRR and the Splunk container above both publish host port 8000, so change one of them if you run both on the same machine.
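The Splunk, OpenVAS and GRR commands above all publish ports with a bare -p host:container (or an explicit 0.0.0.0 prefix), which binds them on every interface of the Docker host; combined with the default admin credentials, that hands the login page to the whole LAN. The script below is an added example (my own, not from this gist or from any of the projects it lists): it audits a docker run argument list for ports bound on all interfaces and rewrites those to 127.0.0.1. The argument lists it runs on are copied from this page as constructed input; no container is started. It assumes the usual spec forms and does not handle IPv6 bracket syntax.

```shell
#!/bin/sh
# Added example for this gist (not part of the original page or any of the
# images it lists): find `docker run` port publications that bind on every
# host interface and rewrite them to loopback. Docker treats `-p 8000:8000`
# and `-p 0.0.0.0:8000:8000` the same way: the port is open to the whole LAN.

# Split one publish spec, "[host_ip:]host_port:container_port[/proto]", into
# the globals HOST_IP (empty when omitted), REST (everything after the host
# IP), HOST_PORT and PROTO. Assumption: IPv6 bracket specs are not handled.
parse_spec() {
    # Drop literal quotes in case a spec was pasted with them, as in the gist.
    spec=$(printf '%s' "$1" | tr -d '"')
    case "$spec" in
        *:*:*) HOST_IP=${spec%%:*}; REST=${spec#*:} ;;
        *)     HOST_IP=""; REST=$spec ;;
    esac
    HOST_PORT=${REST%%:*}
    case "$REST" in
        */*) PROTO=${REST##*/} ;;
        *)   PROTO=tcp ;;
    esac
}

# Print "host_port/proto", one per line, for every -p/--publish spec in the
# given `docker run` arguments that is bound on all interfaces.
exposed_ports() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|--publish) shift; spec=$1 ;;
            --publish=*)  spec=${1#--publish=} ;;
            -p?*)         spec=${1#-p} ;;
            *)            shift; continue ;;
        esac
        [ -n "$spec" ] || break          # dangling -p at the end of the list
        parse_spec "$spec"
        case "$HOST_IP" in
            ""|0.0.0.0) printf '%s/%s\n' "$HOST_PORT" "$PROTO" ;;
        esac
        shift
    done
}

# Print the same argument list, one argument per line, with every
# all-interfaces publication rewritten to 127.0.0.1. Specs that already name
# a specific host IP are left alone.
localhost_only() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|--publish) shift; spec=$1 ;;
            --publish=*)  spec=${1#--publish=} ;;
            -p?*)         spec=${1#-p} ;;
            *)            printf '%s\n' "$1"; shift; continue ;;
        esac
        [ -n "$spec" ] || break
        parse_spec "$spec"
        case "$HOST_IP" in
            ""|0.0.0.0) printf '%s\n%s\n' -p "127.0.0.1:$REST" ;;
            *)          printf '%s\n%s\n' -p "$spec" ;;
        esac
        shift
    done
}

# Demo on argument lists copied from this page (constructed input; nothing
# is executed against Docker).
echo "Splunk: ports reachable from any interface"
exposed_ports -d -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_USER=root \
    -p 8000:8000 -p 514:514/udp -p 1514:1514/udp -p 514:514 -p 1514:1514 \
    -p 8089:8089 -p 9997:9997 --volumes-from=vsplunk store/splunk/enterprise
echo "GRR: ports reachable from any interface"
exposed_ports -e EXTERNAL_HOSTNAME=grrdocker.yourcompany.com \
    -p 0.0.0.0:8000:8000 -p 0.0.0.0:8080:8080 grrdocker/grr:latest
echo "Splunk admin ports rewritten to loopback:"
localhost_only -d -p 8000:8000 -p 8089:8089 --volumes-from=vsplunk \
    store/splunk/enterprise | tr '\n' ' '
echo
```

Decide per port which side of the line it belongs on: the web and management ports (Splunk 8000/8089, OpenVAS 443, GRR 8000) can go to loopback, while the collection ports (Splunk's 514/1514/9997, GRR's 8080) are only useful if other hosts can reach them, so bind those to a specific interface IP rather than 0.0.0.0. After a container is up, docker port [container id/name] shows what was actually bound on the host.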

WPScan (WordPress Scan)

For folks running WordPress - it's probably a pretty good idea to also check it with WPScan pretty regularly.

Maintaining WPScan takes time and resources. Or you can just use the Docker image and let the folks over at WPScanTeam take care of the maintenance for you:

Launching a scan is as simple as: docker run -it --rm wpscanteam/wpscan --url https://yoururl.com

Only point it at sites you run or have written permission to test; a WPScan run is noisy and easy to spot in the target's logs.

RetDec (Retargetable Decompiler)

Malware reverse engineering is a highly specialized skill - but the folks at Avast are trying to help by providing a decompiler that turns 32-bit binaries into readable C, or a Python-like pseudocode.

It's not always perfect, but it does an excellent job and is even integrated into various platforms like AlienVault's OTX.

To output the Python-like representation of a Win32 binary sitting in your current directory:

docker run --rm -v `pwd`:/samples blacktop/retdec -k -l py --cleanup [file]

Or just run it without -l py if you prefer C. `pwd` is mounted at /samples inside the container, so give the file path as the container sees it (e.g. /samples/[file]) if the image does not already start in that directory; -k keeps functions the decompiler considers unreachable, which is often where the interesting malware code hides.

You will need to change `pwd` to reflect the path you're using if you run this on Windows (PowerShell accepts ${PWD}). macOS/Linux will interpret `pwd` as your current working directory.

NOTE: This image is pretty large - at ~5 GB. it is the largest in this list.


There are so many other Docker packages available, you should look at https://store.docker.com (since folded into Docker Hub) for the packages you're interested in.

From IDS (Suricata/Snort) to honeypots (Dionaea, Modern Honey Network) to full blown images of Kali Linux.

The only limit to Docker containers is your imagination.
