Give me six hours to chop down a tree and I will spend the first four sharpening the ax.
Abraham Lincoln
NixOS config geared towards pentesters and security researchers.
TL;DR - This VM / build will probably be useful for pentesting exams and people interested in security research.
The goal of this NixOS config is to bundle as many bookmarks / shell aliases / docker images / Firefox extensions / git repos / tools as possible to make my pentesting life easier. I didn't invest the time to customise my base installation before because these customisations were not easily or consistently portable.
I didn't want to invest the time customising a machine, getting used to the customisations, and then having to tweak a new build to get to the same place. This all changed when I discovered NixOS. Now I can customise to my heart's content (almost, with the exception of Firefox extension settings) and deploy these customisations on any device.
My quest to divorce the data from the tin continues..
The easiest way to get up and running is via the nightly OVA image available here (9.8GB). The VM comes with KDE rather than i3wm by default because I appreciate that you probably don't want to learn all of my i3wm shortcuts. You can of course build your own VM using the build_vm_virtualbox.sh script and by customising the VirtualBox VM "host" file.
Here is a list of things I'd like to do for this project:
- Docker image
- Working VM image
- Set up build pipeline
- Refactor code
- Review resources.sh
- Review / replace init.sh script
- Review scripts
- Review repos/
- Review docker images
- Refresh README (up to date examples)
I have made a conscious effort to ensure that docker images and tools which run on this build are only accessible on your machine, but I don't have a build pipeline which checks this, nor do I scan this repo for security issues. You have been warned.
This NixOS config comes with a few things to make my life easier while pentesting (some of these resources are available after running the resources.sh script).
- Over 521 software packages
- 329 zsh aliases
- Over 450 security-focused bookmarks:
- 63 podcasts
- 65 YouTube channels / playlists
- 47 online labs
- 34 news resources
- 29 search engines
- 24 newsletters
- 17 Telegram channels
- 304 git repos
- 173 docker images
- 36 web applications
- 28 Firefox extensions
- Text-only offline Wikipedia
- Jupyter Notebooks for pentesting
Here are some security-focused Firefox bookmarks.
All available here (and more).
Deploy externally accessible, web-based file browser in one command.
Deploy externally accessible nginx instance in one command.
Deploy a vulnerable lab in one command.
Deploy an Ubuntu docker image with an arbitrary port exposed in one command.
Deploy an SMB share in the current working directory in one command.
Deploy a Tor array (a arbitrary number of docker instances which all connect to the Tor network individually and expose incrementing ports) in one command.
This script it pretty important to the build. I haven't got it building on top of the VM image yet, but it's responsible for pulling git repos, docker images, and other resources. I recommend you run this if you install maxos.
docker build . -t maxos-vm-builder
docker run --privileged -v `pwd`:/mnt maxos-vm-builder
Use unstable ISO (https://www.google.com/search?q=nixos+iso+unstable) for flake support.
# Set SSH key for GitHub
nix-env -i git
git clone git@github.com:rascal999/maxos.git
cd maxos/
OR
curl -L https://bit.ly/3yCeldM -o master.zip
unzip master.zip
cd maxos-master/
./scripts/init.sh