hacktivesec/ghostwire

Ghostwire

A lean, no-nonsense web / network / AD toolkit that runs anywhere Docker runs.
Bring your targets, scope, and a SOCKS pivot — ghostwire handles the rest.

Ubuntu 24.04 Docker + Compose Non-root default SecLists


🔎 What’s inside

Core CLI

  • Web: gobuster, nikto, sqlmap, wfuzz, whatweb, wafw00f, joomscan, wpscan (wp wrapper)
  • Network: nmap, masscan, dnsutils, iputils-ping, traceroute, netcat-openbsd, socat, tcpdump, iproute2, openssl, classic enum4linux
  • AD / Auth: python3-impacket (module entrypoints exposed as CLIs), krb5-user, ldap-utils, smbclient, ldapdomaindump, bloodhound (venv; bloodhound-python alias), smbmap
  • Cracking: hashcat (CPU OpenCL via POCL), john, hydra
  • Wordlists: SecLists at /opt/seclists → $SECLISTS

Extras

  • Network & service: snmp, ike-scan, patator
  • Wireless (needs NET_RAW/NET_ADMIN caps): aircrack-ng, reaver
  • Stego & forensics: steghide, exiftool, binwalk, foremost, bulk_extractor (built from source)
  • Mobile / reverse: apktool, jadx (CLI + GUI), MobSF (cloned only)
  • Cloud & containers: Trivy, AWS CLI v2
  • AD/Windows post-ex (cloned only): PowerSploit, Empire
  • Python (venv): pypykatz, arjun, commix, volatility3, objection, frida-tools, NetExec (nxc, plus crackmapexec shim)
  • Go recon stack (installed, then Go removed): ffuf, nuclei, jaeles, amass, subfinder, httpx, dnsx, katana, waybackurls, anew, unfurl, s3scanner, kerbrute, gitleaks

Helpers

px (SOCKS5 wrapper), pxcurl, pxwget · savehere · out · update-seclists · session-log
gw-wifi-capture, gw-usb-capture, gw-ssh-agent-check, gw-gpu-check
Impacket wrappers: psexec, wmiexec, secretsdump, ntlmrelayx, atexec, ticketer, GetUserSPNs, GetNPUsers, addcomputer, smbserver


⚙️ Requirements

  • Docker and Docker Compose v2
  • For SOCKS: reachable SOCKS5 (default 127.0.0.1:1080)
  • For GPU: vendor drivers on host + container runtime (--gpus all for NVIDIA)

🧰 Repo layout

  • Dockerfile.total → single multi-stage Dockerfile (stages: web, wifi, net, mobile, ad, total)
  • docker-compose.yml → recommended way to build/run per stage with build.target
  • docker-compose.merged.yml → convenience to build/run all stages/services at once

🧩 Docker Compose (recommended)

Create docker-compose.yml at the repo root:

version: "3.9"

x-build: &build
  context: .
  dockerfile: Dockerfile.total
  # Optional feature flags:
  # args:
  #   ENABLE_POWERSPLOIT: "1"
  #   ENABLE_EMPIRE: "1"
  #   ENABLE_CLOUDMAPPER: "1"
  #   ENABLE_MOBSF: "1"

x-common: &common
  environment:
    # On Linux use 127.0.0.1; on Docker Desktop use host.docker.internal
    SOCKS5_HOST: ${SOCKS5_HOST:-host.docker.internal}
    SOCKS5_PORT: ${SOCKS5_PORT:-1080}
  volumes:
    - ./:/work
    - ./artifacts:/shared
  # Linux-only, optional:
  # network_mode: "host"
  restart: unless-stopped
  # Compose stops with an error if .env does not exist; create it (it may be empty)
  env_file: [.env]

services:
  # YAML merge keys (<<) are shallow: a per-service "build:" replaces the whole
  # mapping, so context/dockerfile are merged back in from &build for each service.
  web:
    <<: *common
    build:
      <<: *build
      target: web
    container_name: ghostwire-web

  wifi:
    <<: *common
    build:
      <<: *build
      target: wifi
    container_name: ghostwire-wifi
    cap_add: [ "NET_RAW", "NET_ADMIN" ]

  net:
    <<: *common
    build:
      <<: *build
      target: net
    container_name: ghostwire-net

  mobile:
    <<: *common
    build:
      <<: *build
      target: mobile
    container_name: ghostwire-mobile

  ad:
    <<: *common
    build:
      <<: *build
      target: ad
    container_name: ghostwire-ad

  total:
    <<: *common
    build:
      <<: *build
      target: total
    container_name: ghostwire
    # GPU (optional)
    # gpus: "all"

Optional .env:

SOCKS5_HOST=host.docker.internal   # Linux: 127.0.0.1
SOCKS5_PORT=1080

Compose commands

# Build all stages
docker compose build

# Start one
docker compose up -d total    # or web|wifi|net|mobile|ad

# Shell
docker compose exec total bash

# Logs
docker compose logs -f total

# Stop & remove
docker compose down -v

Linux host networking: add network_mode: "host" to services that need it (Linux only).
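
The wifi service adds NET_RAW/NET_ADMIN and host networking is an optional switch, so it is worth reviewing what each service can reach on the host before starting it. The script below is an added example, not part of the ghostwire repository: it audits the JSON printed by `docker compose config --format json`; the sample input, its host paths and the EXPECTED_CAPS allow-list are constructed assumptions.

```python
import json

# Constructed sample: trimmed shape of `docker compose config --format json`
# for the wifi and total services, with host networking enabled on total.
SAMPLE = json.loads("""
{"services": {
  "wifi": {"cap_add": ["NET_RAW", "NET_ADMIN"], "volumes": [
    {"type": "bind", "source": "/home/op/ghostwire", "target": "/work"},
    {"type": "bind", "source": "/home/op/ghostwire/artifacts", "target": "/shared"}]},
  "total": {"network_mode": "host", "volumes": [
    {"type": "bind", "source": "/home/op/ghostwire", "target": "/work"},
    {"type": "bind", "source": "/home/op/ghostwire/artifacts", "target": "/shared"}]}
}}
""")

# Assumption: only the capabilities this README documents are expected, per service.
EXPECTED_CAPS = {"wifi": {"NET_RAW", "NET_ADMIN"}}


def audit(config):
    """Return sorted (service, finding) pairs for settings that widen host exposure."""
    findings = []
    for name, svc in config.get("services", {}).items():
        extra = set(svc.get("cap_add") or []) - EXPECTED_CAPS.get(name, set())
        if extra:
            findings.append((name, "unexpected cap_add: " + ",".join(sorted(extra))))
        if svc.get("privileged"):
            findings.append((name, "privileged: true"))
        if svc.get("network_mode") == "host":
            findings.append((name, "network_mode: host (shares the host network namespace)"))
        # An explicit user of 0/root overrides the image's non-root default.
        if str(svc.get("user", "")).split(":")[0] in ("0", "root"):
            findings.append((name, "runs as root"))
        for vol in svc.get("volumes") or []:
            if isinstance(vol, dict) and vol.get("type") == "bind" and not vol.get("read_only"):
                findings.append((name, "writable bind mount: %s -> %s" % (vol["source"], vol["target"])))
    return sorted(findings)


if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print("%-6s %s" % (service, finding))
```

On a real checkout, pass the parsed output of `docker compose config --format json` to `audit()` instead of the sample.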


🧩 Merged Compose (PowerShell quickstart)

Using the included docker-compose.merged.yml:

# Build every service
docker compose -f .\docker-compose.merged.yml build

# Start everything
docker compose -f .\docker-compose.merged.yml up -d web wifi net mobile ad total

# Shell (pick one)
docker compose -f .\docker-compose.merged.yml exec ad bash
docker compose -f .\docker-compose.merged.yml exec web bash
docker compose -f .\docker-compose.merged.yml exec wifi bash
docker compose -f .\docker-compose.merged.yml exec net bash
docker compose -f .\docker-compose.merged.yml exec mobile bash
docker compose -f .\docker-compose.merged.yml exec total bash

# Quick presence check (AD)
# PowerShell continues a line with a backtick (not ^); single quotes stop PowerShell from expanding $c
docker compose -f .\docker-compose.merged.yml run --rm ad bash -lc `
  'set -e; for c in psexec secretsdump wmiexec ntlmrelayx atexec ticketer GetUserSPNs GetNPUsers addcomputer smbserver ldapdomaindump bloodhound smbmap evil-winrm nxc; do command -v $c >/dev/null || { echo missing: $c; exit 1; }; done; echo OK:ad'

# Stop & clean
docker compose -f .\docker-compose.merged.yml down -v

📦 Docker CLI (alternative)

# build a base tag
docker build -t ghostwire:dev -f Dockerfile.total .

# build stages
docker build -t ghostwire:web    -f Dockerfile.total --target web .
docker build -t ghostwire:wifi   -f Dockerfile.total --target wifi .
docker build -t ghostwire:net    -f Dockerfile.total --target net .
docker build -t ghostwire:mobile -f Dockerfile.total --target mobile .
docker build -t ghostwire:ad     -f Dockerfile.total --target ad .
docker build -t ghostwire:total  -f Dockerfile.total --target total .

# run (Linux host with local SOCKS)
mkdir -p artifacts
docker run --rm -it --network host \
  -e SOCKS5_HOST=127.0.0.1 -e SOCKS5_PORT=1080 \
  -v "$PWD:/work" -v "$PWD/artifacts:/shared" \
  --name ghostwire \
  ghostwire:dev

🚀 Quickstarts

A) Compose + local SOCKS (Linux)

mkdir -p artifacts
# optional (Linux only): add network_mode: "host" under 'total'
docker compose up -d total
docker compose exec total bash

B) Docker Desktop (Mac/Windows)

mkdir -p artifacts
# .env should set SOCKS5_HOST=host.docker.internal
docker compose up -d total
docker compose exec total bash

C) WiFi capture & USB (Linux)

docker compose up -d wifi
docker compose exec wifi bash
# inside:
sudo -n tcpdump -D || true
gw-wifi-capture wlan0 /shared/wifi.pcap
gw-usb-capture  usbmon0 /shared/usb.pcap

D) GPU cracking (Linux / WSL2)

# add under the 'total' service in docker-compose.yml, then start it:
#   gpus: "all"
docker compose up -d total
docker compose exec total bash -lc 'gw-gpu-check && hashcat -I'

🧦 Using the SOCKS pivot

One-off via wrapper

px curl -I https://example.com
px gobuster dir -u https://example.com \
  -w "$SECLISTS/Discovery/Web-Content/directory-list-2.3-medium.txt" \
  -x php,js,html -o /shared/gobuster.txt
px sqlmap -u "https://example.com/?id=1" --batch
px nmap -sT -Pn -n example.com

Environment-wide

export ALL_PROXY="socks5h://${SOCKS5_HOST}:${SOCKS5_PORT}"
export HTTP_PROXY="$ALL_PROXY" HTTPS_PROXY="$ALL_PROXY" NO_PROXY="127.0.0.1,localhost"

Raw SYN/UDP scans & packet capture do not traverse SOCKS.


🧰 Common flows (consent / lab)

Subdomains → probe → scan → nuclei

subfinder -silent -d example.com | anew /shared/subs.txt
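httpx -silent -status-code -title -follow-redirects -l /shared/subs.txt -o /shared/httpx.txt
# masscan takes IP addresses/ranges, not hostnames, so resolve the list first
dnsx -silent -a -resp-only -l /shared/subs.txt | anew /shared/ips.txt
masscan -p1-65535,U:1-65535 --rate 5000 -iL /shared/ips.txt -oL /shared/masscan.txt || true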
nuclei -l /shared/httpx.txt -o /shared/nuclei.txt

Fuzz (dirs/params)

ffuf -u https://example.com/FUZZ -w "$SECLISTS/Discovery/Web-Content/common.txt" -o /shared/ffuf.json
wfuzz -u "https://example.com/page?FUZZ=1" -w "$SECLISTS/Discovery/Web-Content/burp-parameter-names.txt"
arjun -u https://example.com/page -oT /shared/arjun_params.txt

WordPress / CMS

wp --url https://example.com --enumerate vp,vt,u
joomscan --url https://example.com

Active Directory (authenticated discovery)

nxc smb 10.0.0.0/24 -u user -p '***' --shares
ldapdomaindump ldap://10.0.0.10 -u 'lab.local\user' -p '***' -o /shared/ad
python3 -m impacket.examples.secretsdump lab.local/user:'***'@10.0.0.10 -outputfile /shared/secrets

Windows post-ex (remote shell)

evil-winrm -i 10.0.0.5 -u 'user' -p '***'

Binary & mobile

binwalk -e firmware.bin -C /shared/fw
apktool d app.apk -o /shared/app
jadx -d /shared/jadx app.apk

Forensics

foremost -i disk.img -o /shared/foremost
bulk_extractor -o /shared/be_out disk.img
exiftool sample.jpg

Code & secrets scanning

trivy fs --severity MEDIUM,HIGH,CRITICAL .
gitleaks detect -s . -r /shared/gitleaks.json

📁 Files in/out

  • Work in /work (bind-mounted from your current folder)
  • Export artifacts to /shared (bind-mounted e.g. to ./artifacts)

savehere report.txt
out /bin/uname -a

🧪 Quick self-test (inside the container)

whoami && pwd
[ -w /work ] && echo "/work ok" || echo "NO /work"
[ -w /shared ] && echo "/shared ok" || echo "NO /shared"
curl -I https://example.com || true

# presence / versions (selection)
nmap --version
masscan --version
gobuster -h | head -n 2
wfuzz --version
whatweb --version
wafw00f --version
sqlmap --version | head -n 1
hashcat --version
hydra -h | head -n 1
ffuf -V
nuclei -version
nxc --version || true
wp --version || true
pypykatz --version || true
volatility3 --help | head -n 1

🔧 Build args, env & volumes

  • Build args: BASE_IMAGE=ubuntu:24.04, SECLISTS_SHA=HEAD, feature flags ENABLE_POWERSPLOIT, ENABLE_EMPIRE, ENABLE_CLOUDMAPPER, ENABLE_MOBSF
  • Environment: SOCKS5_HOST (default 127.0.0.1), SOCKS5_PORT (default 1080), SECLISTS=/opt/seclists, ARTIFACTS=/shared
  • Volumes: VOLUME ["/shared", "/work"]
  • Healthcheck: verifies nmap, hashcat, python3 reachability

🔄 Updating

  • SecLists: update-seclists

  • APT tools:

    sudo apt-get update && sudo apt-get install --only-upgrade \
      gobuster nikto sqlmap wfuzz whatweb wafw00f \
      nmap masscan hashcat john hydra python3-impacket

  • Python tools: rebuild the image to keep the venvs consistent.


🆘 Troubleshooting

  • “container name already in use” — pick a new name (e.g., --name ghostwire2) or remove the old: docker rm -f ghostwire
  • Windows path issues — prefer --mount or forward slashes in -v paths
  • No GPU devices — ensure host drivers + nvidia-container-toolkit (Linux) or WSL2 GPU support (Windows), then run with --gpus all
  • SOCKS not reachable — on Docker Desktop, use host.docker.internal for the host IP

✅ Intended use

Red team / pentest / DFIR / training only — on systems you own or have explicit written permission to test. You are responsible for complying with laws, contracts, and your Rules of Engagement.


🙏 Credits

This image repackages superb work from many OSS projects (see individual repos/licenses). OCI labels are included in the image metadata.


📝 Changelog (high-level)

  • Added: Compose recipe with per-stage services and build targets
  • Added: Merged Compose quickstart (PowerShell)
  • Added: network/service (snmp, ike-scan, patator)
  • Added: wireless (aircrack-ng, reaver)
  • Added: stego/forensics (steghide, exiftool, binwalk, foremost, bulk_extractor)
  • Added: mobile/reverse (apktool, jadx), CMS (joomscan, wpscan)
  • Added: Python venv tools (pypykatz, arjun, commix, volatility3, objection, frida-tools, NetExec)
  • Added: Go recon stack (ffuf, nuclei, jaeles, amass, subfinder, httpx, dnsx, katana, waybackurls, anew, unfurl, s3scanner, kerbrute, gitleaks)
  • Added: Trivy, AWS CLI v2, impacket wrappers, linpeas.sh, helpers
