Pentestbox setup
We use pentestbox as an isolated, capability-restricted container for offensive tooling to protect your host OS and limit the potential blast radius.
It is our standardized Kali-based Docker image with kali-linux-headless and additional tools we use in pentest workflows.
Images are published for linux/amd64 and linux/arm64. Docker pulls the variant that matches your host.
Prerequisites
- Network access to
registry.internal.syslifters.com. - Docker: Docker Desktop on Windows and macOS, Docker Engine on Linux.
Install Docker
Windows
- Install Docker Desktop for Windows.
- Enable the WSL 2 backend if prompted during setup.
- Verify the installation:
docker versionmacOS
- Install Docker Desktop for Mac.
- Verify the installation:
docker versionLinux
- Install Docker Engine for your distribution.
- Add your user to the
dockergroup so you can run containers withoutsudo:
sudo usermod -aG docker "$USER"Log out and back in (or restart your session) for the group change to take effect.
- Verify the installation:
docker run hello-worldPull the image
docker pull registry.internal.syslifters.com/tools/pentestbox:latestRun the container
The run command below:
- Drops all capabilities, then adds only what scanners like nmap need (
NET_RAW,NET_ADMIN,NET_BIND_SERVICE). - Mounts your Downloads folder at
/pentestinside the container as the working directory for project files.
Linux / macOS
docker run --rm -it \
--cap-drop=ALL \
--cap-add=NET_RAW \
--cap-add=NET_ADMIN \
--cap-add=NET_BIND_SERVICE \
-v "$HOME/Downloads:/pentest:rw" \
-w /pentest \
registry.internal.syslifters.com/tools/pentestbox:latest bashWindows
docker run --rm -it `
--cap-drop=ALL `
--cap-add=NET_RAW `
--cap-add=NET_ADMIN `
--cap-add=NET_BIND_SERVICE `
-v "${env:USERPROFILE}\Downloads:/pentest:rw" `
-w /pentest `
registry.internal.syslifters.com/tools/pentestbox:latest bashWARNING
Do not use --network host on Docker Desktop (macOS/Windows). Tools that modify iptables with NET_ADMIN can destabilize Docker in that mode. Use the default bridge networking instead.
Shell alias
To avoid typing the full docker run command each time, add a shortcut to your shell config.
Linux / macOS
Add to ~/.bashrc or ~/.zshrc:
alias pentestbox='docker run --rm -it --cap-drop=ALL --cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=NET_BIND_SERVICE -v "$HOME/Downloads:/pentest:rw" -w /pentest registry.internal.syslifters.com/tools/pentestbox:latest bash'Reload your shell config:
source ~/.bashrc # or: source ~/.zshrcStart the container with:
pentestboxWindows
Add to your PowerShell profile ($PROFILE):
function pentestbox {
docker run --rm -it `
--cap-drop=ALL `
--cap-add=NET_RAW `
--cap-add=NET_ADMIN `
--cap-add=NET_BIND_SERVICE `
-v "${env:USERPROFILE}\Downloads:/pentest:rw" `
-w /pentest `
registry.internal.syslifters.com/tools/pentestbox:latest bash
}Reload the profile:
. $PROFILEStart the container with:
pentestboxLimitations
| Limitation | Guidance |
|---|---|
| Docker Desktop on macOS/Windows has no real layer-2 networking | ARP, LLMNR, multicast, and Responder-style attacks need a bridged Kali VM, not pentestbox |
--network host on Docker Desktop can break Docker when tools modify iptables | Avoid host networking on Desktop; use default bridge networking |
| Container is for tooling convenience | Not a replacement for full VM setups on engagements that need layer-2 access |