Pentest with Docker


Docker container for Penetration Testing


The author does not hold any responsibility for the bad use of this tool. Remember that attacking targets without prior consent is illegal and punishable by law.




Note: The docker pull command downloads Docker images from a registry (by default, it pulls images from Docker Hub).


Official Kali Linux for Docker

Short Description: This Kali Linux Docker image provides a minimal base install of the latest version of Kali Linux Rolling.

Docker Pull Command:

docker pull kalilinux/kali-linux-docker



Metasploit for Docker

Short Description: Metasploit image with steroids (nmap, tor and postgres)

docker pull strm/metasploit


Metasploit Framework for Docker

Short Description: An image of the famous Metasploit-Framework tool for pentesting.

docker pull phocean/msf



Metasploitable2 for Docker

Metasploitable2 – pristine condition

docker pull meknisa/metasploitable-base




Social Engineer Toolkit (SET) for Docker

Short Description: Dockerfile for building a Social Engineer Toolkit (SET) container



OWASP Zed Attack Proxy for Docker

Short Description: Current stable OWASP Zed Attack Proxy release in embedded docker container

docker pull owasp/zap2docker-stable


WPSCAN for Docker

Short Description: WPScan is a black box WordPress vulnerability scanner

docker pull wpscanteam/wpscan



Damn Vulnerable Web Application (DVWA) for Docker

Short Description: Ubuntu container with v1.9 of Damn Vulnerable Web App (

docker pull originalsix/docker-dvwa



Vulnerable WordPress for Docker

Short Description: Vulnerable WordPress container

docker pull wpscanteam/vulnerablewordpress



Dockerfile for BeEF (the Browser Exploitation Framework) for Docker

Short Description: This Dockerfile builds a Docker image for the BeEF framework for XSS browser exploitation

docker pull janes/beef



OWASP Mutillidae II Web Pen-Test Practice Application

Short Description: Docker container for OWASP Mutillidae II Web Pen-Test Practice Application

docker pull citizenstig/nowasp



OWASP Juice Shop for Docker

Short Description: OWASP Juice Shop – An intentionally insecure JavaScript Web Application

docker pull bkimminich/juice-shop



The Docker Bench for Security checks

Short Description: The Docker Bench for Security checks for all the automatable tests in the CIS Docker 1.6 Benchmark.

docker pull diogomonica/docker-bench-security



OpenDNS Security Ninjas AppSec Training for Docker

Short Description: Security Ninjas: An Open Source Application Security Training Program.

docker pull opendns/security-ninjas



OWASP WebGoat Project for Docker

Short Description: OWASP WebGoat Project docker image

docker pull danmx/docker-owasp-webgoat



The OWASP Security Shepherd project for Docker

Short Description: The OWASP Security Shepherd project is a web and mobile application security training platform.

The OWASP Security Shepherd Project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skill set to security expert status.

docker pull ismisepaul/securityshepherd



The OWASP NodeGoat project for Docker

Short Description: The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.



Shellshock (Vulnerability as a service) for Docker

Short Description: Vulnerability as a service: showcasing CVE-2014-6271, a.k.a. Shellshock.

This Docker container is based on Debian Wheezy and has been modified to use a vulnerable version of Bash (bash_4.2+dfsg-0.1).

docker pull hmlio/vaas-cve-2014-6271



Heartbleed (Vulnerability as a service) for Docker

Short Description: Vulnerability as a service: showcasing CVE-2014-0160, a.k.a. Heartbleed

A Debian (Wheezy) Linux system with a vulnerable version of libssl and openssl and a web server to showcase CVE-2014-0160, a.k.a. Heartbleed.

docker pull hmlio/vaas-cve-2014-0160



SambaCry (Vulnerability as a service) for Docker

Short Description: SambaCry remote vulnerable environment with Samba 4.5.9

Samba 4.5.9 and earlier versions are vulnerable to a remote code execution vulnerability named SambaCry. CVE-2017-7494 allows remote authenticated users to upload a shared library to a writable shared folder and perform code execution attacks to take control of servers that host vulnerable Samba services.

docker pull vulnerables/cve-2017-7494


WackoPicko for Docker

Short Description: WackoPicko is a vulnerable web application used to test web application vulnerability scanners. (info from GitHub)

docker pull adamdoupe/wackopicko