
Ghostwire: a clear, lightweight Docker toolkit for Web, networking, and Active Directory.

TL;DR https://github.com/hacktivesec/ghostwire

Traditional pentesting distributions (and the Docker versions as well) have become heavy, hard to maintain, and inconsistent across different environments. Ghostwire was created to offer a simpler alternative: a minimal, repeatable, and transparent Docker toolkit with an essential set of tools for web, network, Active Directory, mobile, and post-compromise analysis.

The project is based on a single multi-stage Dockerfile, Dockerfile.total, from which other specialized Dockerfiles (web, net, ad, wifi, mobile, total) are derived. This approach keeps the structure clear, reduces complexity, and avoids duplication.

The image uses Ubuntu 24.04, runs as a non-root user (ghost), and mounts two directories: /work for project files and /shared for persistent output. SecLists is already included under /opt/seclists.

The tool stack is intentionally minimal:

  • Web: gobuster, sqlmap, ffuf, nuclei, wpscan, joomscan, whatweb, wafw00f
  • Network: nmap, tcpdump, socat, netcat-openbsd, snmp, ike-scan, patator
  • Active Directory: impacket, ldap-utils, smbclient, ldapdomaindump, bloodhound (venv), smbmap, enum4linux, NetExec
  • Cracking: hashcat (CPU OpenCL via POCL), John, Hydra
  • Forensics and reverse engineering: bulk_extractor, steghide, exiftool, binwalk, foremost, apktool, jadx
  • Cloud: Trivy, AWS CLI v2

The Python tools live in a dedicated venv that hosts components such as ldapdomaindump, bloodhound, smbmap, pypykatz, arjun, commix, objection, frida-tools. NetExec uses a separate venv to avoid conflicts.
The Go utilities (ffuf v2, nuclei, jaeles, amass v4, subfinder, httpx, dnsx, katana, waybackurls, anew, unfurl, s3scanner, kerbrute, gitleaks) are compiled at build time, and the Go toolchain is removed afterwards.

Ghostwire integrates a SOCKS pivot system via px, which dynamically generates a proxychains4 configuration to route individual commands through the pivot. pxcurl, pxwget, and support for the standard proxy environment variables (ALL_PROXY, HTTP_PROXY, HTTPS_PROXY) are also available. Because proxychains works by hooking the libc socket calls of the wrapped process, operations based on raw sockets (for example SYN scans or ICMP) remain outside the tunnel, as expected.

Essential scripts and utilities are included: savehere, out, session-log, gw-wifi-capture, gw-usb-capture, gw-gpu-check. Heavier frameworks such as PowerSploit, Empire, CloudMapper, and MobSF are optional and can be enabled only via build args.

Usage is straightforward: clone the repository, build the required stage via Docker Compose, and work inside the container with /work and /shared mounted. The ghost user has sudo inside the container, while keeping the environment isolated from the host.

An important point is that many GUI tools once considered “mandatory inside the distro”, such as Burp Suite, Wireshark, Ghidra, IDA Free, and CyberChef desktop, are now available and work perfectly on both Windows and macOS. Ghostwire therefore focuses on CLI tools and leaves the GUIs on the host, where they integrate better, reduce complexity, and do not bloat the Docker image.

The project is available on GitHub in the ghostwire repository under the Hacktive Security organization.

Ghostwire aims to remain a clear, stable, and easily maintainable toolkit. To achieve this goal, user contributions are essential: reports, suggestions, optimizations, tests, and documentation improvements all help keep the project lean without introducing unnecessary components.

Author

Noel Duma