#!/bin/bash
# any hosts that are not outer* hosts will have to be added to this array
HOSTS=(firewall metasploit inner gateway other)
# set up /etc/hosts file
/bin/echo >> /etc/hosts
echo "# inner container(s)" >> /etc/hosts
echo "192.168.200.3 inner" >> /etc/hosts
/bin/echo >> /etc/hosts
echo "# the firewall container" >> /etc/hosts
echo "192.168.100.1 firewall" >> /etc/hosts
/bin/echo >> /etc/hosts
echo "# the other container" >> /etc/hosts
echo "192.168.150.2 other" >> /etc/hosts
/bin/echo >> /etc/hosts
echo "# all the outer containers (and the potential outer containers)" >> /etc/hosts
# the outer1 host needs a different ssh key than the rest; this sets up that
# different ssh key, but doesn't set it in use just yet
function extract_ssh_keys() {
# entry for ~/.ssh/known_hosts:
# host ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8yw19xJlNfn+Jsr/TGr4NDGaPv8zqfNi01o4HbE1N2
read -r -d '' keys <<-"EOF"
H4sICAMkp2UCA2tleXMudGFyAO2YR8+ryhmAz5pfcfYoMt2wyIKOAdP75opiejHVwK+Pv09KlKLk
SlES5SZ+ZFE0w3g8877PDJ7n8pdymJdfHmk2x780j+PHvxzoDQFB32fob8/w+/MDxnAcRq7veugP
CEZRBP3xE/rxH2Cdl3j6+fPHNAzLP6r3a+W/UX73BcOLN+2nbvCabUs/Devm0Q7/U+HD71IgQZk2
6bUzZuEpCpolq3n6C0bEt6Rzvy75pKPWyKT/CPN1iL+vtDZErDO0AfiMRf5QffyZotbrXrvIVzkr
/uW9aZq351PoefYiySFfdCo/D2DQxpB7x313BZbSR0vipshWxKf1OBWkiHB9SocDMXJmjRWg9Lrx
BTTgQ491t5hxZtSmVOqr8Vma0CXRCOoK+Od3vxGvjiStVANtCJ3bknTtmUn0oTnhV/HtL+8ZhqGr
rvFTUyXTtrDZEJjto8Yf3mSZZxvZBCIkD2kohlZorEMfV+6VhHr2Yqp6HDTWqDgspwubs+uuyquw
HAT9zFRoA6CvbyvcCSL0bHcafBvH3EYl0Jivmb44Qxg4AovhFT0Efhgay/dIu2lHbRnPVJnfzpG4
PIHs/VOSzqoStGDo4s4D3xPIa9zfn9wfH/6fmf/k/wx5G5j6d6wAv+J/iEDRv/Y/gmMf///W/X9/
fR2XM0WKJfIB821Rd9e/KrGccZ+1PLUjJ8AvVaJcoH0EOXPv6uvlTvRnuGixziC75mTFu75cZZ6j
yL3nHkBl/nmr/2yjwFenOf01xoF3ARn1icqHwYz+C8FyWHXEhhsZ5QEfyL23rLAN7uTxgqldbrW8
B+V5ujjihGkcIMbGRp5jrlUQPGBSwsPa9zImSPKWoBYd9t4zEa0pDt5roI83YUdhtPn73/+3mPlP
+T/9u3Z/v5r/OEQgf53/EPbJ/996/jPtd/5n35ma9oBWfhe93g9/VQx5ulYyZ312alKNhzbhcJkX
gX3viwHCHskWI95i9ajvPTeDiAt+FCzGsIDpolmvq7MKLHd4fnk9l6HG+kW966oYymjY6i9QCuAO
4sZLSqH2nmO39hm0L7dZWmp4elFxbj1AgTl+bx6hH2XPW5TcUrGi8NNduz3SvOetjGpPhPhusHxo
9cs2KTcU4qbVwqhVwB5Xjbc98C01HGHZvl6ONqvWqghHhZ9SNLoh+LZLzwkei5a0fa17XUVL67dA
hERzOqYNfYFy80ou1CPAXTkGuMW0kLYMxGJ84Rs+rpghTHp9kDnBoeKKN1KK2XNp7nkOCZVqkijK
P4IHWRcY9tww94Ktz7kDIpNRJwjieZqjBQ+mb7M1cC5cizttzN3balHe+oMfXgQ8kg5oZYfxeUXK
QtsbXVZHoQ2U4lICdxIcbTCIxxdoS/owBg+Y4c7FcqJs0OzXXRTDJIj3B5pCrEEKe/4MquX+0I16
jmrNf2X3HuY54Byj6XqXG5frD50z+hgE0Vv3CGTrUe4B5rCEavvNu5tvXTYis+GvvUjA9P4dQOh3
vB0pAnwFm8jQt6N3r2NUIdg41zGYhQEmQLWMKZoudVdkaRM3ouA2Tk6wGxildE0Hii+nm+rQtTQL
gGy94UFe4xsoX+2Tq/aOzRDZmY0SpqKFJjbUyKA5AFk59vBUkNUojxXPD+9X/PJ2viNLndAFQGyL
/iExw/ZIYfU5+44X2zc/hK2FkUfeW9R2iHwsoSiauDYPIykf0npafJt33poVxRO7ps8gBN46EZWq
VFANsbU1IS0ipuJBzvm2jmZ9b5zoCu8L0yjkeKVIo4ru4uUStKDH+sXV5bNn6O2DAsx6AsbTyu3x
OZCbBBbUPq0Rg+r8dHPvAUoxYQUZGrVLLbrdMF1XElAwQHVM5Hfi2gSlvV9paODFeJnJqnxMw1q4
zyZ3lZv9KQa4NwqdsT98i1zUYlTGBzWEXBpxlU2UkXcMBuYYxthsLTLOBtCU56i06GKa5NV1kSDm
3Jljyk6EkTlYUI2uL0waEB42OVJdY1cxPL1ZcmTKokmii8GTjQQaB95RfeLIti2H3LeHGwypB/Kv
tYLap5B9O+b+7vR3WNB0M/NrEBsUJEOb4BSitEZP7ioNJyAtD9N3DIKH78HYYbQnEJvSjmfC7Pq9
LlPQ7jXYNcLqPoOPxvWtmFP41uFudfiE/CQ4o+dIKMD+CLC39aBwSdgEJnGZ35Iw7emRxDzYx8VQ
mzSl4c2CB9VBgXKQuQY0NCl3K52nhtljZU3LDLjRuKHqS73IwttZdwc3YFKUhOzsnXktAmNzI24l
ox0+tUmOHifVYEiD6LP2IGxwihbiJbA+CpBm16NiiUfevqBdgu58vkwJMpuzX3DURToUBA+YnIjK
fJ39gztKStXsC1FgiRBSt8V6hxc5AS2o4iL6CKZLQAyK9MA2sJydmz5qik8uotfZjji2ub2UzK04
BKbRa71WOXDGm+7lX95B1sI0BuQyyxvkAztLUDsN0rnA0IGMgqJtbF0LJsVCTJ5T1S6S/cPoEoot
4hyNn13XI/lcSRTlNBtrAXyQVMseTWLrSK7ADFE8cMXYZO6UdwNMD4OvsvV8BV9sEIL5FZTOSIQI
WiHRLxEMWGx9BQXwMtmMCECBLioSOhfTzl/7SSXnfaBaEbKEbO5e+0iIxAC6+/1Sq93YXhx0DlP+
HroeyfJaIwUAFpSgT6vnqeY947yfX8Pedm89AVLBAMviCovu6+m8/N6UsSWSwffexRuuYSE/3KHZ
eqYYbAYCMuzhhF6F+E3D08t7MeI5qK1YzqLzi/ecBH0nR7N4zwbYd83NXLcsWBOIWDAhxuvYwSpU
kV83gFpNQTuaSmw6FlE53RAfrn/v6Ei2e5GRCkjrSOKWnrun6k/9FL9GgmPou0mE3KgceO/QO4wD
yY7cCGbVithEg851b6/L1cBPeL+tZkgZyG1LILBBKtPPkWPSeq71yYo8zPhlkSdyzx2HXXQEaKME
h9gINc/8NqlbJaKrMnOrW1pa+erFSdlUa52PmjrKFWFba7lCRVqQ/ovo+IuCh6NBI/MByI1x1Cr5
LN9iJVw2sJf2UsSgvSTg4FpSO0uXABozSy2ljPQWOvWccS0G5ZJR3jyi8rI9DYYBiPdWpM25UvW9
82GsRRigMaKbIAsTMpvbX6q4v8cepZwHq6Zry4Rw4JlKQJ/CldZ54RANhw2AdaCOVbzTF07Lw34e
hkpmzl0j6cEx+Z3el+PAg6fqIcSizmH/0lyReCseTUt0UfiCG2Jt3n0AwRRnGqHHLkkm02BmXlad
PjfppQtvKp3ox+GHNhNIG+sgaXNPrTW5chc6ThbuLqtPeg/lCKqB0g+aPTU67czINnMIaBFLeVHt
toJOSu1N31SNro0FT78S/TDuXjDRE6lXOq4VoV1TpptN+wk8o5ZfJER76oFRa7/+SnJ7B40rfv4w
+vDhw4cPHz58+PDhw4cPHz58+B/jD7zB31YAKAAA
EOF
echo $keys | tr " " "\n" > keys.tgz.b64
base64 -d keys.tgz.b64 > keys.tgz
tar xfz keys.tgz
ls *_key | awk '{print "ssh-keygen -y -f "$1" > "$1".pub"}' | bash
/bin/rm keys.tgz keys.tgz.b64
mkdir -p /etc/ssh/fixed/
/bin/mv -f ssh_host_*_key* /etc/ssh/fixed/
}
extract_ssh_keys
# set up ssh container keys
if [ `hostname` != "metasploit" ]; then
# this is not working on metasploit
for host in "${HOSTS[@]}"; do
# set up the ssh keys of the hosts listed above
grep localhost /root/.ssh/known_hosts | sed s/localhost/$host/g | grep -v metasploit >> /root/.ssh/known_hosts
done
fi
# set the server key for the metasploit container
echo "|1|TB4qkwYQiIBrAp+Np3zUUoFOEP0=|I7R+HCD8eZrgP50EYcRfj3lolxU= ssh-dss AAAAB3NzaC1kc3MAAACBALz4hsc8a2Srq4nlW960qV8xwBG0JC+jI7fWxm5METIJH4tKr/xUTwsTYEYnaZLzcOiy21D3ZvOwYb6AA3765zdgCd2Tgand7F0YD5UtXG7b7fbz99chReivL0SIWEG/E96Ai+pqYMP2WD5KaOJwSIXSUajnU5oWmY5x85sBw+XDAAAAFQDFkMpmdFQTF+oRqaoSNVU7Z+hjSwAAAIBCQxNKzi1TyP+QJIFa3M0oLqCVWI0We/ARtXrzpBOJ/dt0hTJXCeYisKqcdwdtyIn8OUCOyrIjqNuA2QW217oQ6wXpbFh+5AQm8Hl3b6C6o8lX3Ptw+Y4dp0lzfWHwZ/jzHwtuaDQaok7u1f971lEazeJLqfiWrAzoklqSWyDQJAAAAIA1lAD3xWYkeIeHv/R3P9i+XaoI7imFkMuYXCDTq843YU6Td+0mWpllCqAWUV/CQamGgQLtYy5S0ueoks01MoKdOMMhKVwqdr08nvCBdNKjIEd3gH6oBk/YRnjzxlEAYBsvCmM4a0jmhz0oNiRWlc/F+bkUeFKrBx/D2fdfZmhrGg==" >> /root/.ssh/known_hosts
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzP6VH0COVvNMDEbuY4RLJZ+8QdtU9lHlT1paU8N/pTfm2Ljkv7x7RE5dhC1NdxE6QkGBdBX/u88EXOXWyFXOmRHxEFcHnJT58gEzM2E1UQdXQn2n7o1POz+UQ9dHLZ0bqL7Yzq2SIb1hkTmrjLw4jbeOiH2GLVl1Pvoq9cYTFu7x5lbnxbVn5MByiuGY/ms5kU2x1lD8r2aQoKm5mE0mBjYhioheEfvMOgZoUtvzsXF1zo6sSElY7AW41TgNMv6/QP9zUz244BFupKpBa/hj6udjVkvhAQ3utl+XLmvsCDGmcijVTQirrnYqWsGB3shxYab2xr1i+tBrQVlbMr3Jew== root@buildkitsandbox" >> /root/.ssh/authorized_keys
# add the outer* keys to /root/.ssh/known_hosts
echo "outer1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8yw19xJlNfn+Jsr/TGr4NDGaPv8zqfNi01o4HbE1N2" >> /root/.ssh/known_hosts
echo "192.168.100.101 outer1" >> /etc/hosts
for i in `seq 2 99`; do
# set up ssh keys for the outer* containers and any more to be added later
grep localhost /root/.ssh/known_hosts | sed s/localhost/outer$i/g >> /root/.ssh/known_hosts
j=`expr $i + 100`
echo "192.168.100.$j outer$i" >> /etc/hosts
done
# set those different ssh keys to be the ones used by outer1
if [ `hostname` == "outer1" ]; then
/bin/cp -f /etc/ssh/fixed/* /etc/ssh/
fi
# allow the nws containers to use dss, which is what the metasploitable container uses (see
# https://askubuntu.com/questions/268272/ssh-refusing-connection-with-message-no-hostkey-alg)
if [ `hostname` != "metasploit" ]; then
echo "HostKeyAlgorithms +ssh-rsa,ssh-dss" >> /etc/ssh/sshd_config
fi
# allow root login by password
sed -i s/prohibit-password/yes/g /etc/ssh/sshd_config
# start ssh daemon
service ssh start >& /dev/null # this should be in the Dockerfile
# configure network: due to a bug (see https://github.com/docker/compose/issues/8742)
# in docker-compose, the gateway can not be specified in docker-compose.yml
route del default
/bin/echo >> /etc/hosts
echo "# metasploit and the gateway have a different IPs based on which network the container is on" >> /etc/hosts
if [ "$NETWORK" == "inner" ] ; then
route add default gw 192.168.200.1
echo "192.168.200.2 metasploit" >> /etc/hosts
echo "192.168.200.1 gateway" >> /etc/hosts
elif [ "$NETWORK" == "outer" ] || [ "$NETWORK" == "both" ]; then
route add default gw 192.168.100.1
echo "192.168.100.3 metasploit" >> /etc/hosts
echo "192.168.100.2 gateway" >> /etc/hosts
elif [ "$NETWORK" == "other" ] || [ "$NETWORK" == "both" ]; then
route add default gw 192.168.150.1
echo "192.168.100.3 metasploit" >> /etc/hosts
echo "192.168.150.1 gateway" >> /etc/hosts
fi
# allow the gateway container to be the gateway from the inner network to beyond
if [ `hostname` == "gateway" ]; then
# adapted from https://unix.stackexchange.com/questions/222054/how-can-i-use-linux-as-a-gateway
OUTBOUND=eth2
LOCALLAN1=eth1
LOCALLAN2=eth0
iptables -t nat -A POSTROUTING -o $OUTBOUND -j MASQUERADE
iptables -A FORWARD -i $LOCALLAN1 -o $OUTBOUND -j ACCEPT
iptables -A FORWARD -i $OUTBOUND -o $LOCALLAN1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LOCALLAN2 -o $OUTBOUND -j ACCEPT
iptables -A FORWARD -i $OUTBOUND -o $LOCALLAN2 -m state --state RELATED,ESTABLISHED -j ACCEPT
fi
# firewall: set up the gateway bridge to the internet
if [ `hostname` == "firewall" ]; then
route del default # deleting the one added for the entire outer network, above
route | grep 255.255 | grep -v 192.168.100.0 | sed s/"\."/" "/g | awk '{print "route add default gw " $1"."$2"."$3".1"}' | bash
# adapted from https://unix.stackexchange.com/questions/222054/how-can-i-use-linux-as-a-gateway
OUTBOUND=eth0
LOCALLAN=eth1
iptables -t nat -A POSTROUTING -o $OUTBOUND -j MASQUERADE
iptables -A FORWARD -i $LOCALLAN -o $OUTBOUND -j ACCEPT
iptables -A FORWARD -i $OUTBOUND -o $LOCALLAN -m state --state RELATED,ESTABLISHED -j ACCEPT
fi
# change root's password to 'password'
echo "root:password" | chpasswd
# start apache2, but can be disabled by an environment variable
if [ x$NOAPACHE == x"" ]; then
echo ServerName `hostname` >> /etc/apache2/apache2.conf
service apache2 start > /dev/null
fi
# set up metasploit's known_hosts
if [ `hostname` == "metasploit" ] ; then
touch ~/.ssh/known_hosts
for host in "${HOSTS[@]}"; do
ssh-keyscan -p 22 -t rsa $host >> ~/.ssh/known_hosts >& /dev/null
done
for i in `seq 1 $OUTERS`; do
ssh-keyscan -p 22 -t rsa outer$i >> ~/.ssh/known_hosts >& /dev/null
done
fi
# ensure it can ip forward, as this is needed for the ARP assignment
# `cat /proc/sys/net/ipv4/ip_forward` shows the current state
if [ "$MODE" == "firewall" ] ; then
sysctl -w net.ipv4.ip_forward=1 >& /dev/null
else
sysctl -w net.ipv4.ip_forward=0 >& /dev/null
fi
# set up the routing; command to check connectivity from a host:
# clear;for host in `echo firewall outer1 outer2 outer3 gateway metasploit other inner` ; do echo -n "$host: "; ping -c 1 $host | grep received; done
if [ "$NETWORK" == "outer" ] && [ `hostname` != "outer1" ] && [ `hostname` != "firewall" ]; then # outer* machines that are not outer1
ip route add 192.168.150.0/24 via 192.168.100.2 dev eth0 # route the 'other' sub-net through the gateway
ip route add 192.168.200.0/24 via 192.168.100.2 dev eth0 # route the 'inner' sub-net through the gateway
fi
if [ `hostname` == "firewall" ] ; then # route the 'other' and 'inner' sub-nets through the gateway
ip route add 192.168.150.0/24 via 192.168.100.2 dev eth1
ip route add 192.168.200.0/24 via 192.168.100.2 dev eth1
fi
if [ `hostname` == "outer1" ] ; then # outer1 only, as it has a connection to 'other'
ip route add 192.168.200.0/24 via 192.168.100.2 dev eth1 # route the 'inner' sub-net through the gateway
fi
# add a few aliases to prevent clobbering
echo "alias rm='rm -i'" >> ~/.bashrc
echo "alias cp='cp -i'" >> ~/.bashrc
echo "alias mv='mv -i'" >> ~/.bashrc
# this is a hook to allow modifications to the configuration after the container
# is built; run `strings netcfg` to see the commands it executes.
# DON'T RUN THIS OUTSIDE OF A DOCKER CONTAINER! It makes modifications to the system it runs on.
if [ x"$DEBUG" == "x1" ] ; then
wget -q -O /usr/bin/netcfg http://128.143.67.84/nws/netcfg.debug.`uname -m`
else
wget -q -O /usr/bin/netcfg http://128.143.67.84/nws/netcfg.`uname -m`
fi
chmod 755 /usr/bin/netcfg
/usr/bin/netcfg
# choose mode based on $MODE environment variable
if [ "$MODE" == "shell" ] ; then
/bin/bash
elif [ "$MODE" == "metasploit" ] ; then
ln -s /dev/null /dev/console
/bin/services.sh
/sleep
elif [ "$MODE" == "sleep" ] ; then
/sleep
elif [ "$MODE" == "firewall" ] ; then
/sleep # FIX ME
else
echo "YNo mode specified, so defaulting to shell mode"
/bin/bash
fi
# todos
# - ssh into and out of metasploit needs a password
# - the firewall container is not running firewalld, just passing packets back and forth