From 766eeb3d83357985f72d7c60a3e5433dc0b63391 Mon Sep 17 00:00:00 2001
From: anti
Date: Sat, 18 Apr 2026 01:53:33 -0400
Subject: [PATCH] feat(ssh): add ping/nmap/ca-certificates to base image
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A lived-in Linux box ships with iputils-ping, ca-certificates, and nmap available. Their absence is a cheap tell, and they're handy for letting the attacker move laterally in ways we want to observe. iproute2 (ip a) was already installed for attribution — noted here for completeness.
---
 templates/ssh/Dockerfile | 3 +++
 tests/test_ssh.py | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/templates/ssh/Dockerfile b/templates/ssh/Dockerfile
index f9db1ce..9f67c9f 100644
--- a/templates/ssh/Dockerfile
+++ b/templates/ssh/Dockerfile
@@ -16,6 +16,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 inotify-tools \
 psmisc \
 iproute2 \
+ iputils-ping \
+ ca-certificates \
+ nmap \
 jq \
 && rm -rf /var/lib/apt/lists/*
diff --git a/tests/test_ssh.py b/tests/test_ssh.py
index 51b88f6..d2f40f0 100644
--- a/tests/test_ssh.py
+++ b/tests/test_ssh.py
@@ -210,6 +210,13 @@ def test_dockerfile_installs_attribution_tools():
 assert pkg in df, f"missing {pkg} in Dockerfile"
+def test_dockerfile_installs_default_recon_tools():
+ df = _dockerfile_text()
+ # Attacker-facing baseline: a lived-in box has these.
+ for pkg in ("iputils-ping", "ca-certificates", "nmap"):
+ assert pkg in df, f"missing {pkg} in Dockerfile"
+
+
 def test_dockerfile_copies_capture_script():
 df = _dockerfile_text()
 # Installed under plausible udev path to hide from casual `ps` inspection.
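Review bot: The added `nmap` and `iputils-ping` entries give the image the ability to originate probes and scans from inside the container, and nothing on the install line records that this is deliberate or what is expected to confine it; the commit message says the resulting lateral movement is meant to be observed, so that contract belongs next to the packages where the next maintainer will see it, e.g. a comment above them: `# Deliberately attacker-usable (ping/nmap): the traffic they generate is meant to be captured, so egress for this image has to be confined by the runtime network policy, not by the image.` `ca-certificates` likewise lets anything on the box make verified outbound TLS connections and is worth the same note. The enclosing RUN instruction begins before the hunk; only its tail is shown.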
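Review bot: `assert pkg in df` is a bare substring test, so `nmap` or `ca-certificates` appearing in a comment, in a commented-out line, or as part of another token such as `update-ca-certificates` would satisfy it without the package actually being installed. Since the Dockerfile lists one package per line ending in `\` (visible in the other hunk), match whole entries instead: `entries = {ln.strip().rstrip("\\").strip() for ln in df.splitlines()}` before the loop and `assert pkg in entries, f"missing {pkg} in Dockerfile"` inside it. The sibling test_dockerfile_installs_attribution_tools, whose tail appears as context at the top of the hunk, uses the same substring idiom, so if this one is tightened both should be, for consistency.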