Bento : A Minimal Fedora-Based Container For Penetration Tests

A bento (弁当, bentō) is a single-portion take-out or home-packed meal of Japanese origin. Bento Toolkit is a simple and minimal docker container for penetration testers and CTF players.

It has the portability of Docker with the addition of X, so you can also run GUI application (like burp).

Prerequisites

To run bento you need Docker and a Xorg server on your host machine. On Windows you can use vcxsrv, xming, cygwin.

We tested this config with vcxsrv and cygwin.

  • vcxsrv: just start XLaunch and follow the setup
  • cygwin: you have to install xorg first, then start XLaunch.

Installation With Docker

  • git clone https://github.com/higatowa/bento && cd ./bento
  • generate keypair and put authorized_keys, containing your public key, in ./keys.
  • docker build -t bento .
  • Since we need to forward X to our machine we need first to get its ip, and then to execute: docker run --cap-add=NET_ADMIN --device /dev/net/tun --sysctl net.ipv6.conf.all.disable_ipv6=0 -p 22:22 -d bento
  • Connect via ssh to the docker machine and forward port 6000 (Xorg) with ssh -R 6000:localhost:6000 -L 8080:localhost:8080 tamago@bentoip
  • On first login you will be asked to change the password.

For GUI tools just run them from the terminal:

Installation With Docker Compose

To be able to quickly deploy multiple instances of bento we decided to write a docker-compose file.

This isn’t only for style but we also added a collaborative pad, codimd.

During our work we have the need to share informations on the target so we decided to implement in bento the solution we use daily.

The pad is exposed by default on port 3000.

Replace the step 3 and 4 of Installation with Docker chapter with:

docker-compose build and docker-compose up

in the project directory.

If you wanto to deploy only bento without codimd:

docker-compose up bento

Known Issues

  • Burp embededed browser is not working if run as user. We addressed this in issue #3. We found the issue and while we are waiting for the Portswigger team to fix it, we wrote a small workaround, just run the /home/tamago/burp_fix/burp_fix.sh as root and it will fix it.

Current Tools & Utilities

We don’t like bloated distros so we are keeping this container as minimal as possible, adding only tools useful for web and infrastructure PT and CTF but, remember, we are always open to suggestions.

Here is a list of tools and utilities:

Download
R K

Share
Published by
R K
Tags: Bentofedorapenetration test
5 years ago

Recent Posts

Comments in Bash Scripts

What Are Bash Comments? In Bash scripting, comments are notes in your code that the…

7 hours ago

Shebang (#!) in Bash Script

When you write a Bash script in Linux, you want it to run correctly every…

1 day ago

Bash String Concatenation – Bash Scripting

Introduction If you’re new to Bash scripting, one of the first skills you’ll need is…

1 day ago

Learn Bash Scripting: How to Create and Run Shell Scripts for Beginners

What is Bash Scripting? Bash scripting allows you to save multiple Linux commands in a file and…

2 days ago

Bash if…else Statement – Bash Scripting

When it comes to automating tasks on Linux, Bash scripting is an essential skill for both beginners…

2 days ago

Bash Functions Explained: Syntax, Examples, and Best Practices

Learn how to create and use Bash functions with this complete tutorial. Includes syntax, arguments,…

5 days ago