Tag: extension
Category: Development & Engineering (no API key required)

exegol-pentest

Use when setting up or managing a penetration-testing environment with Exegol, launching offensive security containers, configuring VPN/networking for an engagement, or whenever the user mentions Exegol, pentest labs, HTB, or CTF environment setup.

Author: jakexiaohubgithub

Exegol for Offensive Security

Overview

Exegol is a Docker-based pentest environment with 100+ pre-installed offensive tools, managed via a Python CLI wrapper. It replaces traditional Kali VMs with fast, reproducible, disposable containers.

Core concept: exegol start <name> <image> creates a ready-to-hack container in seconds. All tools, resources, and configurations are pre-loaded.

For the complete CLI reference, images list, and resource catalog, see exegol-reference.md in this skill directory.

When to Use

  • User needs to set up a pentest/red team environment
  • User wants to launch tools available in Exegol (BloodHound, Burp, Responder, CrackMapExec, etc.)
  • User is doing HTB, CTF, or lab work and needs a quick environment
  • User asks about container-based offensive security setups
  • User needs to manage multiple engagement environments simultaneously

When NOT to use: For defensive/blue team tooling, forensics-only workflows, or general Docker questions unrelated to security testing.

Quick Reference

| Task | Command |
|------|---------|
| Start interactive container | exegol start mypentest full |
| Start with workspace | exegol start client1 full -w ./engagement/ |
| Start with current dir | exegol start client1 full -cwd |
| Start with VPN | exegol start htb full --vpn ~/vpn/lab.ovpn |
| Start with logging | exegol start client1 full -l -w ./engagement/ |
| Run single command | exegol exec mypentest 'nmap -sV 10.10.10.1' |
| Run GUI tool in background | exegol exec -b mypentest burpsuite |
| Temp container for one-off | exegol exec --tmp full 'whatweb http://target' |
| List containers/images | exegol info |
| Stop container | exegol stop mypentest |
| Remove container | exegol remove mypentest |
| Install an image | exegol install full |
| Update everything | exegol update |

Engagement Setup Workflow

1. Choose the Right Image

| Image | Use Case |
|-------|----------|
| full | General pentest, full toolkit (50GB+) |
| ad | Active Directory / internal pentest |
| web | Web application testing |
| light | Quick recon, limited disk space |
| osint | OSINT / reconnaissance only |
| free | Same as full but community edition (delayed releases) |

2. Create the Engagement Container

# Standard engagement setup with workspace and logging
exegol start <engagement-name> <image> -w /path/to/engagement/ -l

# Example: Internal AD pentest
exegol start acme-internal ad -w ./acme-corp/ -l

# Example: Web app pentest
exegol start webapp-audit web -w ./webapp-audit/ -l

# Example: HTB lab with VPN
exegol start htb full --vpn ~/vpn/htb-lab.ovpn -w ./htb/

3. Network Configuration

| Scenario | Config |
|----------|--------|
| Host network (default) | No flag needed, shares host interfaces |
| VPN to target network | --vpn ~/path/to/config.ovpn |
| VPN with credentials | --vpn config.ovpn --vpn-auth creds.txt |
| Isolated container | --network disable |
| Container-to-container | --network docker |
| Port forwarding | -p 8080:8080 -p 4444:4444 |

4. Privilege Options for Specific Attacks

# WiFi / network sniffing (needs NET_ADMIN)
exegol start wifi full --cap NET_ADMIN -d /dev/bus/usb/

# USB device access (Proxmark, Rubber Ducky, etc.)
exegol start hw full -d /dev/ttyACM0

# Full privilege (use sparingly)
exegol start lab full --privileged

Pentest Workflow Patterns

AD / Internal Pentest

# Create container with AD image
exegol start internal ad -w ./client-engagement/ -l --vpn client-vpn.ovpn

# Inside container:
neo4j start                              # Start Neo4j for BloodHound
bloodhound-ce                            # Launch BloodHound CE (port 1030)
crackmapexec smb 10.0.0.0/24             # Network discovery
responder -I eth0                        # LLMNR/NBT-NS poisoning
bloodhound-python -d domain.local -u user -p pass -c All  # Collect AD data

Default credentials inside container:

| Service | User | Password |
|---------|------|----------|
| Neo4j | neo4j | exegol4thewin |
| BloodHound CE | via web UI | exegol4thewin |
| Empire | empireadmin | exegol4thewin |

Web Application Pentest

# Create container with web image
exegol start webapp web -w ./webapp-audit/ -l

# Inside container:
burpsuite                                # Launch Burp Suite (proxy on 8080)
nuclei -u https://target.com             # Automated vuln scanning
sqlmap -u "http://target/page?id=1"      # SQL injection testing
ffuf -u http://target/FUZZ -w /opt/resources/...  # Directory fuzzing

Recon / OSINT

exegol start recon osint -w ./recon/

# Inside container:
subfinder -d target.com                  # Subdomain enumeration
httpx -l subdomains.txt                  # HTTP probing
theHarvester -d target.com -b all        # Email/domain harvesting

Privilege Escalation (Using Built-in Resources)

Resources are available at /opt/resources inside every container:

| Resource | Path | Purpose |
|----------|------|---------|
| LinPEAS | /opt/resources/linux/linPEAS/ | Linux privesc enumeration |
| WinPEAS | /opt/resources/windows/winPEAS/ | Windows privesc enumeration |
| Mimikatz | /opt/resources/windows/mimikatz/ | Windows credential extraction |
| Chisel | /opt/resources/linux/chisel/ | TCP/UDP tunneling |
| ligolo-ng | /opt/resources/linux/ligolo-ng/ | Network pivoting |
| SharpHound | /opt/resources/windows/SharpHound/ | AD collection |
| PrintSpoofer | /opt/resources/windows/PrintSpoofer/ | Windows privesc |
| GodPotato | /opt/resources/windows/GodPotato/ | Windows privesc |
| netcat (static) | /opt/resources/linux/nc | Reverse shells |

# Serve resources to target via HTTP
cd /opt/resources && python3 -m http.server 8888

# Or transfer specific tool
python3 -m http.server -d /opt/resources/linux/linPEAS/ 8888

Multi-Container Engagements

Run parallel containers for different phases or targets:

# Recon container
exegol start recon-phase osint -w ./engagement/recon/

# Attack container with VPN
exegol start attack full --vpn client.ovpn -w ./engagement/attack/ -l

# C2 container
exegol start c2 full -p 443:443 -p 80:80 -w ./engagement/c2/ -l

Switch between containers by spawning new shells:

exegol start attack      # Opens new shell in existing "attack" container

Credential Management (exegol-history)

# Add credentials found during engagement
exh add creds -u 'admin' -p 'P@ssw0rd!' -d 'ACME.LOCAL'
exh add creds -u 'svc_sql' -H 'aad3b435b51404eeaad3b435b51404ee:...' -d 'ACME.LOCAL'

# Set active credentials as environment variables
exh set creds

# Add discovered hosts
exh add hosts --ip 10.10.10.1 -n dc01 -r "Domain Controller"
exh add hosts --ip 10.10.10.5 -n web01 -r "IIS Web Server"

# View current context
exh show

# Bulk import
exh import creds --file found_creds.csv --format CSV

Logging & Evidence

# Enable logging at container creation
exegol start engagement full -l -w ./engagement/

# Logs are stored in /workspace/logs/ (asciinema format by default)
# Replay a session:
asciinema play /workspace/logs/session.cast

Logging methods:

  • asciinema (default) — records terminal sessions, replayable
  • script — raw terminal recording
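As an added example (not Exegol's own tooling), the script below turns the asciinema recordings that -l writes into an evidence manifest with start time, duration and SHA-256, so a session file can later be shown to be unmodified. It assumes the asciicast v2 layout (a JSON header line carrying a "timestamp" field, then one [elapsed, type, data] event per line); the sample recording is constructed for the demo.

```shell
#!/bin/sh
# Added example, not Exegol's own tooling: build an evidence manifest from the
# asciinema recordings that `-l` writes to /workspace/logs/. Assumes asciicast
# v2: a JSON header line carrying "timestamp", then one [elapsed, type, data]
# event per line. Duration is taken as the elapsed time of the last event.
# Usage: cast_index /workspace/logs > manifest.tsv

cast_meta() {   # prints: file <TAB> start (UTC) <TAB> duration (s) <TAB> sha256
    f=$1
    ts=$(head -n 1 "$f" | sed -n 's/.*"timestamp": *\([0-9]*\).*/\1/p')
    fmt=+%Y-%m-%dT%H:%M:%SZ
    start=$(date -u -d "@$ts" "$fmt" 2>/dev/null || date -u -r "$ts" "$fmt" 2>/dev/null \
            || echo "${ts:-unknown}")          # GNU date, then BSD date, then raw epoch
    dur=$(tail -n 1 "$f" | sed -n 's/^\[\([0-9.]*\),.*/\1/p')
    sum=$( (sha256sum "$f" 2>/dev/null || shasum -a 256 "$f") | cut -d' ' -f1)
    printf '%s\t%s\t%s\t%s\n' "$f" "$start" "${dur:-0}" "$sum"
}

cast_index() {  # header row plus one row per recording in the given directory
    printf 'file\tstart_utc\tduration_s\tsha256\n'
    for f in "$1"/*.cast; do
        if [ -f "$f" ]; then cast_meta "$f"; fi
    done
}

demo_manifest() {  # constructed sample recording so the block runs offline
    d=$(mktemp -d)
    cat > "$d/session.cast" <<'EOF'
{"version": 2, "width": 80, "height": 24, "timestamp": 1700000000}
[0.5, "o", "$ nmap -sV 10.10.10.1\r\n"]
[12.25, "o", "Nmap done: 1 IP address (1 host up)\r\n"]
EOF
    cast_index "$d"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo_manifest; fi
```

Run with the argument demo to see the manifest for the constructed sample; point cast_index at /workspace/logs for real recordings.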

Customization (my-resources)

Personal configs persist across all containers via ~/.exegol/my-resources/:

| Path | Purpose |
|------|---------|
| bin/ | Custom tools (auto-added to $PATH) |
| setup/zsh/aliases | Custom shell aliases |
| setup/zsh/history | Custom command history |
| setup/python3/requirements.txt | Python packages to auto-install |
| setup/apt/packages.list | APT packages to auto-install |
| setup/bloodhound/customqueries_merge/ | BloodHound custom queries |
| setup/firefox/policies.json | Firefox extensions, bookmarks |
| setup/load_user_setup.sh | Custom setup script (runs on first start) |

Common Mistakes

| Mistake | Fix |
|---------|-----|
| Trying to modify container config after creation | Container options are set at creation only. Remove and recreate. |
| Forgetting -l for logging | Always use -l on real engagements for evidence |
| Using --privileged everywhere | Use specific --cap flags instead (e.g., --cap NET_ADMIN) |
| Not setting workspace | Always use -w to persist data outside the container |
| Running out of disk space | full image is 50GB+. Use light or ad/web for focused work |
| VPN not working | VPN auto-switches to docker network mode. Check with exegol info <container> |
| GUI apps not displaying | Ensure X11 is not disabled. On macOS, install XQuartz. |
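To make the Engagement Setup Workflow steps repeatable and to catch the mistakes listed above before a container is created, here is an added shell helper (hypothetical, not part of Exegol) that assembles the exegol start line: workspace and logging are always on, the VPN file is checked, and --privileged is refused in favour of --cap. Image names and flags are the ones on this page; the capability allowlist is an assumption.

```shell
#!/bin/sh
# Hypothetical helper, not part of Exegol: assembles an `exegol start` line that
# follows the engagement workflow and encodes the Common Mistakes guidance
# (workspace and logging always on, VPN file checked, no --privileged).
# Usage: engagement_cmd NAME IMAGE WORKSPACE [VPN_CONFIG|""] [CAP ...]
engagement_cmd() {
    [ $# -ge 3 ] || { echo "usage: engagement_cmd NAME IMAGE WORKSPACE [VPN] [CAP...]" >&2; return 1; }
    name=$1 image=$2 workspace=$3 vpn=${4:-}
    if [ $# -ge 4 ]; then shift 4; else shift 3; fi   # remaining args are capabilities

    case "$image" in
        full|ad|web|light|osint|free) ;;                  # images from the table above
        *) echo "unknown image: $image" >&2; return 1 ;;
    esac

    # -w keeps findings outside the container; -l records the session as evidence.
    cmd="exegol start $name $image -w $workspace -l"

    if [ -n "$vpn" ]; then
        [ -f "$vpn" ] || { echo "VPN config not found: $vpn" >&2; return 1; }
        cmd="$cmd --vpn $vpn"
    fi

    # Grant narrow capabilities instead of --privileged. The allowlist below is
    # an assumption for this example; extend it to what the engagement needs.
    for cap in "$@"; do
        case "$cap" in
            --privileged|privileged)
                echo "refusing --privileged; request a capability such as NET_ADMIN" >&2
                return 1 ;;
            NET_ADMIN|SYS_PTRACE) cmd="$cmd --cap $cap" ;;
            *) echo "unsupported capability: $cap" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$cmd"
}

# Example invocations mirroring the sections above (constructed values):
#   engagement_cmd acme-internal ad ./acme-corp/
#   engagement_cmd htb full ./htb/ ~/vpn/htb-lab.ovpn
#   engagement_cmd wifi full ./wifi/ "" NET_ADMIN
if [ $# -gt 0 ]; then engagement_cmd "$@"; fi
```

The helper only prints the command; pipe it to sh once the output looks right.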