Skip to content
/ hackinglab Public

Docker-based hacking lab for CEH certification.

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

herson/hackinglab

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

13 Commits
.github
.github
Β 
Β 
bwapp
bwapp
Β 
Β 
dvwa
dvwa
Β 
Β 
homer/assets
homer/assets
Β 
Β 
kali
kali
Β 
Β 
labs
labs
Β 
Β 
metasploit
metasploit
Β 
Β 
nmap
nmap
Β 
Β 
vulnerable_api
vulnerable_api
Β 
Β 
webgoat
webgoat
Β 
Β 
wireshark
wireshark
Β 
Β 
zap
zap
Β 
Β 
.env.example
.env.example
Β 
Β 
.gitignore
.gitignore
Β 
Β 
CLAUDE.md
CLAUDE.md
Β 
Β 
CONTRIBUTING.md
CONTRIBUTING.md
Β 
Β 
LICENSE
LICENSE
Β 
Β 
README.md
README.md
Β 
Β 
docker-compose.yml
docker-compose.yml
Β 
Β 

Repository files navigation

πŸ›‘οΈ Docker-Based Hacking Lab

Docker License: MIT GitHub stars Docker Pulls Docker Pulls Maintained

A containerised security training environment for penetration testing, vulnerability research, and CTF practice. One docker compose command spins up 20+ tools and deliberately vulnerable applications in an isolated network β€” no host pollution, fully reproducible across machines.

Landing page at http://localhost:8080 lists every service with live status indicators.

Table of Contents

Quick Start

Prerequisites: Docker Desktop (or Docker Engine + Compose plugin), Git.

git clone https://github.com/herson/hackinglab.git
cd hackinglab
cp .env.example .env

# Start everything
docker compose --profile full up -d

# Open the dashboard
open http://localhost:8080

Profiles

Use profiles to start only the subset you need β€” helpful on machines with limited RAM.

Profile What starts RAM (approx)
(none) Landing page only < 100 MB
web-apps All vulnerable web applications ~3 GB
api All vulnerable APIs + crAPI infrastructure ~2 GB
scanners ZAP + OpenVAS ~2 GB
tools Kali, Metasploit, Nmap, Wireshark, Burp Suite ~4 GB
full Everything ~8 GB 
# Web application targets only
docker compose --profile web-apps up -d

# API security targets only
docker compose --profile api up -d

# Mix profiles freely
docker compose --profile web-apps --profile api up -d

# Stop everything
docker compose --profile full down

Services

Landing Page

Service Port URL
Homer Dashboard 8080 http://localhost:8080

Vulnerable Web Applications (--profile web-apps)

Service Port URL Covers
DVWA 2580 http://localhost:2580 SQLi, XSS, CSRF, File Upload, Command Injection
WebGoat 2581 http://localhost:2581/WebGoat OWASP Top 10 interactive lessons
bWAPP 2583 http://localhost:2583 100+ vulnerability categories
OWASP Juice Shop 3000 http://localhost:3000 OWASP Top 10, gamified challenges
Mutillidae II 2584 http://localhost:2584 Adjustable security levels
OWASP WrongSecrets 2585 http://localhost:2585 Secrets mismanagement
DVNA 2586 http://localhost:2586 Node.js-specific vulnerabilities
Vulnerable WordPress 2587 http://localhost:2587 CMS plugin/theme exploits
NodeGoat 4000 http://localhost:4000 Secure Node.js coding lessons

Vulnerable APIs (--profile api)

Service Port URL Covers
crAPI 2590 http://localhost:2590 OWASP API Security Top 10
crAPI Mailbox 2592 http://localhost:2592 Email flows for crAPI
VAmPI 6000 http://localhost:6000 OWASP API Security Top 10
Vulnerable API 2500 http://localhost:2500 Injection, auth bypass

Security Scanners (--profile scanners)

Service Port URL
OWASP ZAP 2582 http://localhost:2582
OpenVAS 9392 https://localhost:9392

CLI / GUI Tools (--profile tools)

Service Access
Kali Linux docker compose --profile tools exec kali /bin/bash
Metasploit docker compose --profile tools exec metasploit msfconsole
Nmap docker compose --profile tools exec nmap nmap <target>
Wireshark X11 forwarding β€” docker compose --profile tools exec wireshark wireshark
Burp Suite X11 forwarding β€” docker compose --profile tools exec burpsuite burpsuite

Labs

Step-by-step guided scenarios in the labs/ directory:

Lab Target Topics
01 β€” SQL Injection Fundamentals DVWA Union-based, blind, sqlmap, defence
02 β€” API Security: OWASP API Top 10 VAmPI BOLA, broken auth, mass assignment, function-level auth
03 β€” Cross-Site Scripting Juice Shop DOM, reflected, stored XSS, filter bypass

Common Commands

# View logs for a specific service
docker compose logs -f dvwa

# Shell into a running container
docker compose --profile web-apps exec dvwa /bin/bash

# Rebuild a custom image after Dockerfile changes
docker compose --profile web-apps build dvwa
docker compose --profile web-apps up -d dvwa

# Stop and remove containers + volumes (full reset)
docker compose --profile full down -v

Contributing

See CONTRIBUTING.md for how to add a new service, write a lab scenario, or fix a bug.

Bug reports and feature requests: use the issue templates.

Sponsoring

If this lab saves you time or helps your learning, consider sponsoring:

Sponsor funds go towards maintaining images, writing new lab content, and keeping the project up to date with emerging vulnerability classes.

License

MIT β€” see LICENSE.

Disclaimer: This lab is for educational purposes only. Always obtain proper written authorisation before testing any system you do not own.

Herson Cruz Β· @hersoncruz Β· github.com/herson/hackinglab

About

Docker-based hacking lab for CEH certification.

Topics

docker-compose hacking-tool hackin ceh

Resources

Readme

License

MIT license

Contributing

Contributing
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Sponsor this project

  •  
Learn more about GitHub Sponsors

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages