anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(ssh): add ping/nmap/ca-certificates to base image

Browse Source 
A lived-in Linux box ships with iputils-ping, ca-certificates, and nmap
available. Their absence is a cheap tell, and they're handy for letting
the attacker move laterally in ways we want to observe. iproute2 (ip a)
was already installed for attribution — noted here for completeness.
This commit is contained in:
anti
2026-04-18 01:53:33 -04:00
parent f462835373
commit 766eeb3d83
2 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
templates/ssh/Dockerfile
View File

@@ -16,6 +16,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
inotify-tools \ inotify-tools \
psmisc \ psmisc \
iproute2 \ iproute2 \
iputils-ping \
ca-certificates \
nmap \
jq \ jq \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*

7
tests/test_ssh.py
View File

@@ -210,6 +210,13 @@ def test_dockerfile_installs_attribution_tools():
assert pkg in df, f"missing {pkg} in Dockerfile" assert pkg in df, f"missing {pkg} in Dockerfile"
def test_dockerfile_installs_default_recon_tools():
df = _dockerfile_text()
# Attacker-facing baseline: a lived-in box has these.
for pkg in ("iputils-ping", "ca-certificates", "nmap"):
assert pkg in df, f"missing {pkg} in Dockerfile"
def test_dockerfile_copies_capture_script(): def test_dockerfile_copies_capture_script():
df = _dockerfile_text() df = _dockerfile_text()
# Installed under plausible udev path to hide from casual `ps` inspection. # Installed under plausible udev path to hide from casual `ps` inspection.