BreakingLab is a powerful Bash script to manage vulnerable web applications using Docker. It simplifies the process of setting up, running, and stopping various security testing labs locally or exposing them to a network.
Inspiration: Originally inspired by pentestlab.
- Modular Architecture: Clean separation of code (breakinglab.sh), configuration (config/), and libraries (lib/).
- GitHub Import: Import Docker projects directly from GitHub URLs with Auto-Sanitization and conflict resolution.
- Dynamic Menus: Interactive 2-column menu system with search-by-name/number and status indicators ([ON]/[OFF]).
- Public Exposure: start_public command to easily expose containers to your LAN (great for classrooms/CTFs).
- Stack Grouping: All containers automatically grouped under "BreakingLab" in Docker Desktop.
- Cross-Platform: Fully compatible with Linux (Kali/Ubuntu) and Windows (WSL2).
- Safety: Built with set -euo pipefail and extensive dependency checking.
- Clone the repository:
    git clone https://github.com/TiiZss/BreakingLab.git
    cd BreakingLab
- Run the installer (Optional): This ensures you have all dependencies (docker, git, curl, nc) and links the script globally.
    chmod +x install.sh
    ./install.sh
Or just run it directly:
    chmod +x breakinglab.sh
    ./breakinglab.sh
You can use BreakingLab interactively via the menu or by passing arguments directly.
Simply run the script with no arguments to launch the dashboard.
    ./breakinglab.sh
From here you can search for projects, start/stop them, and check their status using the number or name.
View all available Docker and Online labs.
    ./breakinglab.sh list
The start command downloads the image, configures /etc/hosts (for WSL/Linux), and launches the container mapped to 127.x.x.x.
    # Syntax: ./breakinglab.sh start [project_name]
    ./breakinglab.sh start bwapp
    ./breakinglab.sh start web4pentester
Note: The browser will open automatically. If not, click the URL shown in the terminal.
Want to host a lab for a class or CTF? Use startpublic.
    # Syntax: ./breakinglab.sh startpublic [project_name] [bind_ip] [bind_port]
    # Example: Bind bWAPP to all interfaces on port 8080
    ./breakinglab.sh startpublic bwapp 0.0.0.0 8080
Students can now access http://YOUR_LAN_IP:8080.
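An added check, not part of BreakingLab: it reads `docker ps` output as NAME<TAB>PORTS and lists every published port bound to a non-loopback address, so you can confirm which vulnerable labs are reachable from the LAN. The container names and addresses in `sample_ps` are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example: flag containers whose published ports are reachable beyond loopback.
# Expected input, one container per line: NAME<TAB>PORTS, as produced by
#   docker ps --format '{{.Names}}\t{{.Ports}}'

find_exposed() {
  awk -F'\t' '
    {
      n = split($2, maps, /, */)
      for (i = 1; i <= n; i++) {
        m = maps[i]
        # Only published mappings contain "->"; a bare "80/tcp" is not bound on the host.
        if (index(m, "->") == 0) continue
        bind = m
        sub(/->.*/, "", bind)         # host side, e.g. 0.0.0.0:8080
        host = bind
        sub(/:[0-9-]+$/, "", host)    # strip the host port (or port range)
        # Loopback binds (127.0.0.0/8 and ::1) stay local to this machine.
        if (host ~ /^127\./ || host == "::1" || host == "[::1]") continue
        print $1 "\t" bind
      }
    }'
}

# Constructed sample of docker ps output: one public lab, one loopback lab,
# and one container with no published port.
sample_ps() {
  printf 'bwapp\t0.0.0.0:8080->80/tcp, :::8080->80/tcp\n'
  printf 'dvwa\t127.0.0.6:80->80/tcp\n'
  printf 'juiceshop\t3000/tcp\n'
}

# Offline demonstration on the sample. For a live check, run:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | find_exposed
sample_ps | find_exposed
```

Any line printed is a lab that other hosts on the network can reach; after a class or CTF, the output should be empty again.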
Stops and removes the container to free up resources.
    ./breakinglab.sh stop bwapp
See which labs are currently running (green for ON, red for OFF).
    ./breakinglab.sh status
Permanently removes the project configuration and cleans up associated resources (containers, hosts entries).
    ./breakinglab.sh delete <project_name>
Launches strictly online resources (like PortSwigger Academy or RedTiger).
    ./breakinglab.sh online portswigger
BreakingLab includes a curated list of vulnerable apps configured to run out-of-the-box.
- OWASP: bWAPP, WebGoat (7.1, 8.0, 8.1), Juice Shop, Mutillidae II, Bricks, Security Shepherd.
- PentesterLab: Web For Pentester I.
- Injection: SQLi Labs (Audi, OxNinja), NoSQLi Lab, GraphQL API.
- CMS: Vulnerable WordPress, Drupal (via simple label).
- Others: DVWA, Altoro Mutual, Security Ninjas, Java Vulnerable Lab, Vulnado, SSRF-Lab, Damn Vulnerable RESTaurant, BTS Lab, exploit.co.il, Vulpy.
- PortSwigger Academy, TryHackMe, HackTheBox, VulnHub, RedTiger, Root-Me, and more.
- Include Drunk Admin Web Hacking Challenge
- Include OWASP Broken Web Applications Project
- Include GameOver
- Include Damn Vulnerable Web Services
- Include VulHub project
- Include CSPF ASP Vulnerable Lab
- Include CSPF PHP Vulnerable Lab
- Include CSPF Android Vulnerable Lab
Contributions are welcome!
- Fork the repository.
- Create a feature branch (git checkout -b feature/AmazingFeature).
- Add a new Project:
  - Copy config/projects.d/_template.conf.example to config/projects.d/docker_yourproject.conf.
  - Fill in the details (Image, IP, Port, etc.).
  - (Optional) If you need custom startup commands, create scripts/hooks/yourproject_pre.sh or yourproject_post.sh.
- Commit your changes.
- Open a Pull Request.
Distributed under the MIT License. See LICENSE for more information.
