Skip to content

Pentestbox setup

We use pentestbox as an isolated, capability-restricted container for offensive tooling to protect your host OS and limit the potential blast radius.

It is our standardized Kali-based Docker image with kali-linux-headless and additional tools we use in pentest workflows.

Images are published for linux/amd64 and linux/arm64. Docker pulls the variant that matches your host.

Prerequisites

  • Network access to registry.internal.syslifters.com.
  • Docker: Docker Desktop on Windows and macOS, Docker Engine on Linux.

Install Docker

Windows

  1. Install Docker Desktop for Windows.
  2. Enable the WSL 2 backend if prompted during setup.
  3. Verify the installation:
powershell
docker version

macOS

  1. Install Docker Desktop for Mac.
  2. Verify the installation:
bash
docker version

Linux

  1. Install Docker Engine for your distribution.
  2. Add your user to the docker group so you can run containers without sudo:
bash
sudo usermod -aG docker "$USER"

Log out and back in (or restart your session) for the group change to take effect.

  1. Verify the installation:
bash
docker run hello-world

Pull the image

bash
docker pull registry.internal.syslifters.com/tools/pentestbox:latest

Run the container

The run command below:

  • Drops all capabilities, then adds only what scanners like nmap need (NET_RAW, NET_ADMIN, NET_BIND_SERVICE).
  • Mounts your Downloads folder at /pentest inside the container as the working directory for project files.

Linux / macOS

bash
docker run --rm -it \
  --cap-drop=ALL \
  --cap-add=NET_RAW \
  --cap-add=NET_ADMIN \
  --cap-add=NET_BIND_SERVICE \
  -v "$HOME/Downloads:/pentest:rw" \
  -w /pentest \
  registry.internal.syslifters.com/tools/pentestbox:latest bash

Windows

powershell
docker run --rm -it `
  --cap-drop=ALL `
  --cap-add=NET_RAW `
  --cap-add=NET_ADMIN `
  --cap-add=NET_BIND_SERVICE `
  -v "${env:USERPROFILE}\Downloads:/pentest:rw" `
  -w /pentest `
  registry.internal.syslifters.com/tools/pentestbox:latest bash

WARNING

Do not use --network host on Docker Desktop (macOS/Windows). Tools that modify iptables with NET_ADMIN can destabilize Docker in that mode. Use the default bridge networking instead.

Shell alias

To avoid typing the full docker run command each time, add a shortcut to your shell config.

Linux / macOS

Add to ~/.bashrc or ~/.zshrc:

bash
alias pentestbox='docker run --rm -it --cap-drop=ALL --cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=NET_BIND_SERVICE -v "$HOME/Downloads:/pentest:rw" -w /pentest registry.internal.syslifters.com/tools/pentestbox:latest bash'

Reload your shell config:

bash
source ~/.bashrc   # or: source ~/.zshrc

Start the container with:

bash
pentestbox

Windows

Add to your PowerShell profile ($PROFILE):

powershell
function pentestbox {
  docker run --rm -it `
    --cap-drop=ALL `
    --cap-add=NET_RAW `
    --cap-add=NET_ADMIN `
    --cap-add=NET_BIND_SERVICE `
    -v "${env:USERPROFILE}\Downloads:/pentest:rw" `
    -w /pentest `
    registry.internal.syslifters.com/tools/pentestbox:latest bash
}

Reload the profile:

powershell
. $PROFILE

Start the container with:

powershell
pentestbox

Limitations

LimitationGuidance
Docker Desktop on macOS/Windows has no real layer-2 networkingARP, LLMNR, multicast, and Responder-style attacks need a bridged Kali VM, not pentestbox
--network host on Docker Desktop can break Docker when tools modify iptablesAvoid host networking on Desktop; use default bridge networking
Container is for tooling convenienceNot a replacement for full VM setups on engagements that need layer-2 access