Bento : A Minimal Fedora-Based Container For Penetration Tests

A bento (弁当, bentō) is a single-portion take-out or home-packed meal of Japanese origin. Bento Toolkit is a simple and minimal docker container for penetration testers and CTF players.

It has the portability of Docker with the addition of X, so you can also run GUI application (like burp).

Prerequisites

To run bento you need Docker and a Xorg server on your host machine. On Windows you can use vcxsrv, xming, cygwin.

We tested this config with vcxsrv and cygwin.

  • vcxsrv: just start XLaunch and follow the setup
  • cygwin: you have to install xorg first, then start XLaunch.

Installation With Docker

  • git clone https://github.com/higatowa/bento && cd ./bento
  • generate keypair and put authorized_keys, containing your public key, in ./keys.
  • docker build -t bento .
  • Since we need to forward X to our machine we need first to get its ip, and then to execute: docker run --cap-add=NET_ADMIN --device /dev/net/tun --sysctl net.ipv6.conf.all.disable_ipv6=0 -p 22:22 -d bento
  • Connect via ssh to the docker machine and forward port 6000 (Xorg) with ssh -R 6000:localhost:6000 -L 8080:localhost:8080 tamago@bentoip
  • On first login you will be asked to change the password.

For GUI tools just run them from the terminal:

Installation With Docker Compose

To be able to quickly deploy multiple instances of bento we decided to write a docker-compose file.

This isn’t only for style but we also added a collaborative pad, codimd.

During our work we have the need to share informations on the target so we decided to implement in bento the solution we use daily.

The pad is exposed by default on port 3000.

Replace the step 3 and 4 of Installation with Docker chapter with:

docker-compose build and docker-compose up

in the project directory.

If you wanto to deploy only bento without codimd:

docker-compose up bento

Known Issues

  • Burp embededed browser is not working if run as user. We addressed this in issue #3. We found the issue and while we are waiting for the Portswigger team to fix it, we wrote a small workaround, just run the /home/tamago/burp_fix/burp_fix.sh as root and it will fix it.

Current Tools & Utilities

We don’t like bloated distros so we are keeping this container as minimal as possible, adding only tools useful for web and infrastructure PT and CTF but, remember, we are always open to suggestions.

Here is a list of tools and utilities:

Download
R K

Share
Published by
R K
Tags: Bentofedorapenetration test
4 years ago

Recent Posts

Starship : Revolutionizing Terminal Experiences Across Shells

Starship is a powerful, minimal, and highly customizable cross-shell prompt designed to enhance the terminal…

1 day ago

Lemmy : A Decentralized Link Aggregator And Forum For The Fediverse

Lemmy is an innovative, open-source platform designed for link aggregation and discussion, providing a decentralized…

1 day ago

Massive UX Improvements, Custom Disassemblers, And MSVC Support In ImHex v1.37.0

The latest release of ImHex v1.37.0 introduces a host of exciting features and improvements, enhancing…

1 day ago

Ghauri : A Powerful SQL Injection Detection And Exploitation Tool

Ghauri is a cutting-edge, cross-platform tool designed to automate the detection and exploitation of SQL…

1 day ago

Writing Tools : Revolutionizing The Art Of Writing

Writing tools have become indispensable for individuals looking to enhance their writing efficiency, accuracy, and…

1 day ago

PatchWerk : A Tool For Cleaning NTDLL Syscall Stubs

PatchWerk is a proof-of-concept (PoC) tool designed to clean NTDLL syscall stubs by patching syscall…

2 days ago