VulnReport Docker Container – DIY Pentest Reporting

I (not so) recently set up a VulnReport Docker container in my lab, and I wanted to share the process.

VulnReport Docker - Introduction

If you have never used it before, VulnReport is an "Open-source pentesting management and automation platform by Salesforce Product Security".

I've pushed to use this at work as a vulnerability management and reporting platform. It makes life a bit easier on the reporting end, and allows for things like finding templates and report generation.

For more information, you can always visit the GitHub repository.

Prerequisites

First, I set up a new Ubuntu server VM.

VulnReport Docker - Ubuntu Setup

I went through the install using default settings for the most part, and finished the process.

VulnReport Docker - Install Complete

Next, when that was complete, I updated all the already installed packages.

VulnReport Docker - Apt Update and Upgrade

I also updated my distribution, since the ISO that I was using was only on 16.04.

When that finished, I installed Docker.

The Digital Ocean tutorial made it super easy, and I had Docker up and running fairly quickly.

VulnReport Docker - Docker Status

VulnReport Docker - Installation

With my system and Docker installed, it was time to create the VulnReport container.

First, I pulled down the existing container. I know that this one is a bit old, but it makes life easier than creating one of my own for now.

VulnReport Docker - Container Pull

Next, I ran the container, making sure to add the -t flag for a TTY.

VulnReport Docker - Container Run

I was then able to interact with my newly configured container.

VulnReport Docker - Docker Interact

Inside of the new container, I started up all the requisite services.

sudo /etc/init.d/redis-server start
service postgresql start

Next, I ran the SEED script, to handle the first configuration. When that was complete, I was able to run nohup start.sh, and start the service!

VulnReport Docker - Start

Verification

With my service running, it was time to verify that the install was successful.

When I visited the IP of my virtual machine, I saw a VulnReport login page.

VulnReport Docker - Login

Using the default credentials of admin/admin, I was able to successfully log in to the dashboard!

VulnReport Docker - Dashboard

VulnReport Docker - Conclusion

While this post only covers the basic installation of VulnReport, I think it is useful to have in a lab environment.

We are not using this on my team at work, but we are moving towards this solution. That said, I'm hoping to use this setup for mock reports as well as various interviews/certifications/etc.

If you have any configuration tweaks or suggestions, or even another platform to check out, then please let me know!

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration tester for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
