Bento : A Minimal Fedora-Based Container For Penetration Tests

A bento (弁当, bentō) is a single-portion take-out or home-packed meal of Japanese origin. Bento Toolkit is a simple and minimal docker container for penetration testers and CTF players.

It has the portability of Docker with the addition of X, so you can also run GUI application (like burp).

Prerequisites

To run bento you need Docker and a Xorg server on your host machine. On Windows you can use vcxsrv, xming, cygwin.

We tested this config with vcxsrv and cygwin.

  • vcxsrv: just start XLaunch and follow the setup
  • cygwin: you have to install xorg first, then start XLaunch.

Installation With Docker

  • git clone https://github.com/higatowa/bento && cd ./bento
  • generate keypair and put authorized_keys, containing your public key, in ./keys.
  • docker build -t bento .
  • Since we need to forward X to our machine we need first to get its ip, and then to execute: docker run --cap-add=NET_ADMIN --device /dev/net/tun --sysctl net.ipv6.conf.all.disable_ipv6=0 -p 22:22 -d bento
  • Connect via ssh to the docker machine and forward port 6000 (Xorg) with ssh -R 6000:localhost:6000 -L 8080:localhost:8080 tamago@bentoip
  • On first login you will be asked to change the password.

For GUI tools just run them from the terminal:

Installation With Docker Compose

To be able to quickly deploy multiple instances of bento we decided to write a docker-compose file.

This isn’t only for style but we also added a collaborative pad, codimd.

During our work we have the need to share informations on the target so we decided to implement in bento the solution we use daily.

The pad is exposed by default on port 3000.

Replace the step 3 and 4 of Installation with Docker chapter with:

docker-compose build and docker-compose up

in the project directory.

If you wanto to deploy only bento without codimd:

docker-compose up bento

Known Issues

  • Burp embededed browser is not working if run as user. We addressed this in issue #3. We found the issue and while we are waiting for the Portswigger team to fix it, we wrote a small workaround, just run the /home/tamago/burp_fix/burp_fix.sh as root and it will fix it.

Current Tools & Utilities

We don’t like bloated distros so we are keeping this container as minimal as possible, adding only tools useful for web and infrastructure PT and CTF but, remember, we are always open to suggestions.

Here is a list of tools and utilities:

Download
R K

Share
Published by
R K
Tags: Bentofedorapenetration test
4 years ago

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

12 hours ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

12 hours ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

2 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

5 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago