Tools/SSL-Sniffer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Changed composition to make it easier to user

Browse Source
This commit is contained in:
Christian Risi 2025-06-25 16:12:08 +02:00
parent cc7f8bcba8
commit fa8d967748
9 changed files with 86 additions and 218 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.gitignore vendored
View File

@ -1,4 +1,7 @@
config/*/*
private/**
services/**
**/http/*
!**/*.gitkeep
!**/*.example
!**/*.example
!**/http/example.conf

28
compose.yaml
View File

@ -1,34 +1,10 @@
services:
vulnbox:
privileged: true
env_file:
- ./config/vulnbox/.env
build:
context: ./vulnbox
dockerfile: DOCKERFILE
volumes:
- ./vulnbox/nginx:/etc/nginx/
- ./private/:/services-keys
ports:
- 8080:80
- 3000:3000
- 3443:3443
- 0.0.0.0:22:22
networks:
- test-net
entrypoint: entry.sh
express-tls:
build:
context: ./services/ExpressTLS
dockerfile: DOCKERFILE
volumes:
- ./private/ExpressTLS:/workspace/keys
networks:
- test-net
ports:
- 0.0.0.0:8443:8443
networks:
test-net:
network_mode: host
entrypoint: entry.sh

10
vulnbox/DOCKERFILE
View File

@ -1,10 +1,10 @@
FROM alpine
ENV PATH "$PATH:/docker-bin"
ENV PATH="$PATH:/docker-bin"
RUN apk update && apk upgrade
RUN apk add nginx openssh openrc \
nano openssl git nginx-mod-stream \
RUN apk add nginx openrc \
openssl nginx-mod-stream \
nginx-mod-http-headers-more \
tcpdump
@ -16,12 +16,8 @@ RUN chown -R www:www /www
RUN cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig
# SSHD
RUN rc-update add sshd
RUN touch /run/openrc/softlevel
COPY ./ssh/sshd_config /etc/ssh/sshd_config
WORKDIR /docker-bin
COPY ./helper-scripts /docker-bin

38
vulnbox/nginx/grpc/example.conf Normal file
View File

@ -0,0 +1,38 @@
# Example conf
# Example TLS endpoint
server {
more_clear_headers Server;
listen PORT ssl;
http2 on;
location / {
grpc_pass grpc://127.0.0.1:PORT;
}
ssl_certificate /services-keys/Example/cert.pem;
ssl_certificate_key /services-keys/Example/key.pem;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
}
# Example Termination endpoint
server {
more_clear_headers Server;
listen 127.0.0.1:PORT;
http2 on;
# Here put the service you need
location / {
grpc_pass grpcs://127.0.0.1:PORT;
}
}

37
vulnbox/nginx/http/example.conf Normal file
View File

@ -0,0 +1,37 @@
# Example conf
# Example TLS endpoint
server {
listen PORT ssl;
more_clear_headers Server;
location / {
proxy_pass http://localhost:8080;
}
ssl_certificate /services-keys/Example/cert.pem;
ssl_certificate_key /services-keys/Example/key.pem;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
}
# Example Termination endpoint
server {
more_clear_headers Server;
listen 127.0.0.1:8080;
# Here put the service you need
location / {
proxy_pass https://127.0.0.1:PORT;
}
}

23
vulnbox/nginx/http/prova.conf
View File

@ -1,23 +0,0 @@
server {
listen *:3443 ssl;
ssl_certificate /services-keys/ExpressTLS/cert.pem;
ssl_certificate_key /services-keys/ExpressTLS/key.pem;
ssl_protocols TLSv1.3;
location / {
proxy_pass http://localhost:3080/;
}
}
server {
listen 127.0.0.1:3080;
location / {
proxy_pass https://express-tls:8443/;
}
}

7
vulnbox/nginx/nginx.conf
View File

@ -3,14 +3,11 @@ user nginx;
# Set number of worker processes automatically based on number of CPU cores.
worker_processes auto;
# Load ngx_stream_module
# Load Modules
load_module /usr/lib/nginx/modules/ngx_stream_module.so;
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;
@ -37,9 +34,9 @@ http {
'"$http_user_agent" "$http_x_forwarded_for"';
# Includes virtual hosts configs.
include /etc/nginx/http/*.conf;
include /etc/nginx/grpc/*.conf;
}
stream {

33
vulnbox/nginx/stream/ssl-termination.conf
View File

@ -1,33 +0,0 @@
upstream backend_ssl_ter {
server localhost:3080;
}
upstream backend {
server https://express-tls:8443;
}
server {
listen 3443 ssl;
more_clear_headers Server;
proxy_pass backend_ssl_ter;
ssl_certificate /services-keys/ExpressTLS/cert.pem;
ssl_certificate_key /services-keys/ExpressTLS/key.pem;
ssl_protocols TLSv1.3;
}
server {
more_clear_headers Server;
listen 3080;
proxy_pass backend;
}

123
vulnbox/ssh/sshd_config
View File

@ -1,123 +0,0 @@
# $OpenBSD: sshd_config,v 1.105 2024/12/03 14:12:47 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# Include configuration snippets before processing this file to allow the
# snippets to override directives set in this file.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to "no" here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to "no" to disable keyboard-interactive authentication. Depending on
# the system's configuration, this may involve passwords, challenge-response,
# one-time passwords or some combination of these and other methods.
#KbdInteractiveAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
# Feel free to re-enable these if your use case requires them.
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp internal-sftp
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server