diff --git a/README.md b/README.md index 7206b3c..1ea1e55 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,8 @@ A minimal, ultra-compressed Docker image containing a password bruteforce tool t | Image | Size | Compression | |-------|------|-------------| -| This tool | ~46KB | UPX ultra-brute | +| This tool (optimized) | 42.5KB | UPX LZMA ultra-brute | +| This tool (original) | 45.7KB | UPX ultra-brute | | Standard Alpine | ~5MB | None | | Standard Ubuntu | ~70MB | None | @@ -29,19 +30,22 @@ A minimal, ultra-compressed Docker image containing a password bruteforce tool t ### Build Process 1. **Multi-stage build** using Alpine Linux -2. **Static compilation** with musl-gcc -3. **Binary stripping** to remove debug symbols -4. **UPX compression** with ultra-brute mode +2. **Static compilation** with musl-gcc and aggressive optimization flags +3. **Enhanced binary stripping** to remove debug symbols and unused sections +4. **UPX LZMA compression** with ultra-brute mode for maximum compression 5. **Scratch base image** for minimal size ## 🏗️ Building ```bash -# Build the image +# Build the optimized image (recommended) +docker build -t bruteforce-optimized -f brute/source/Dockerfile.optimized brute/source + +# Build the original image docker build -t bruteforce-test -f brute/source/Dockerfile brute/source -# Check image size -docker images bruteforce-test +# Check image sizes +docker images bruteforce-optimized bruteforce-test ``` ## 🚀 Usage @@ -60,10 +64,17 @@ docker run --rm \ #### Crack root password ```bash +# Using optimized image (recommended) +docker run --rm \ + --volume "/etc:/etc" \ + --volume "$(pwd)/brute/source/wordlist2.txt:/wordlist2.txt" \ + bruteforce-optimized:latest \ + root /wordlist2.txt + +# Using original image docker run --rm \ --volume "/etc:/etc" \ --volume "$(pwd)/brute/source/wordlist2.txt:/wordlist2.txt" \ - --user root \ bruteforce-test:latest \ root /wordlist2.txt ``` 
@@ -117,6 +128,32 @@ Password successfully cracked! - Root privileges (for accessing shadow file) ### Compilation Flags + +#### Optimized Version (Recommended) +```bash +gcc -static -Os -s \ + -fomit-frame-pointer \ + -fdata-sections \ + -ffunction-sections \ + -fno-unwind-tables \ + -fno-asynchronous-unwind-tables \ + -Wl,--gc-sections \ + -Wl,--strip-all \ + -o bruteforce \ + bruteforce.c \ + yescrypt-ref.c \ + yescrypt-common.c \ + sha256.c \ + insecure_memzero.c \ + && strip --strip-all \ + --remove-section=.comment \ + --remove-section=.note.* \ + --remove-section=.eh_frame \ + bruteforce \ + && upx --lzma --ultra-brute bruteforce +``` + +#### Original Version ```bash gcc -static -Os -s -o bruteforce \ bruteforce.c \ @@ -130,9 +167,11 @@ gcc -static -Os -s -o bruteforce \ ### Optimization Techniques - **Static linking**: No external dependencies -- **Size optimization**: `-Os` flag for minimal size -- **Symbol stripping**: Remove debug symbols -- **UPX compression**: Ultra-brute mode for maximum compression +- **Aggressive size optimization**: `-Os` flag with additional optimizations +- **Enhanced symbol stripping**: Remove debug symbols and unused sections +- **UPX LZMA compression**: Ultra-brute mode with LZMA algorithm for maximum compression +- **Dead code elimination**: `--gc-sections` to remove unused functions +- **Frame pointer omission**: `-fomit-frame-pointer` for smaller binaries - **Scratch base**: No OS layer in final image ## 🛡️ Security Considerations diff --git a/README.vi.md b/README.vi.md index aa8e91c..bbd612c 100644 --- a/README.vi.md +++ b/README.vi.md @@ -15,7 +15,8 @@ Một Docker image siêu nhỏ, được nén tối đa chứa công cụ brutef | Image | Kích Thước | Nén | |-------|------------|-----| -| Công cụ này | ~46KB | UPX ultra-brute | +| Công cụ này (tối ưu) | 42.5KB | UPX LZMA ultra-brute | +| Công cụ này (gốc) | 45.7KB | UPX ultra-brute | | Alpine chuẩn | ~5MB | Không | | Ubuntu chuẩn | ~70MB | Không | 
@@ -29,19 +30,22 @@ Một Docker image siêu nhỏ, được nén tối đa chứa công cụ brutef ### Quy Trình Build 1. **Multi-stage build** sử dụng Alpine Linux -2. **Biên dịch tĩnh** với musl-gcc -3. **Strip binary** để loại bỏ debug symbols -4. **Nén UPX** với chế độ ultra-brute +2. **Biên dịch tĩnh** với musl-gcc và các cờ tối ưu tích cực +3. **Strip binary nâng cao** để loại bỏ debug symbols và các section không sử dụng +4. **Nén UPX LZMA** với chế độ ultra-brute để nén tối đa 5. **Base image scratch** để giảm kích thước tối đa ## 🏗️ Build ```bash -# Build image +# Build image tối ưu (khuyến nghị) +docker build -t bruteforce-optimized -f brute/source/Dockerfile.optimized brute/source + +# Build image gốc docker build -t bruteforce-test -f brute/source/Dockerfile brute/source # Kiểm tra kích thước image -docker images bruteforce-test +docker images bruteforce-optimized bruteforce-test ``` ## 🚀 Sử Dụng @@ -60,10 +64,17 @@ docker run --rm \ #### Crack mật khẩu root ```bash +# Sử dụng image tối ưu (khuyến nghị) +docker run --rm \ + --volume "/etc:/etc" \ + --volume "$(pwd)/brute/source/wordlist2.txt:/wordlist2.txt" \ + bruteforce-optimized:latest \ + root /wordlist2.txt + +# Sử dụng image gốc docker run --rm \ --volume "/etc:/etc" \ --volume "$(pwd)/brute/source/wordlist2.txt:/wordlist2.txt" \ - --user root \ bruteforce-test:latest \ root /wordlist2.txt ``` 
@@ -117,6 +128,32 @@ Password successfully cracked! - Quyền root (để truy cập file shadow) ### Cờ Biên Dịch + +#### Phiên Bản Tối Ưu (Khuyến Nghị) +```bash +gcc -static -Os -s \ + -fomit-frame-pointer \ + -fdata-sections \ + -ffunction-sections \ + -fno-unwind-tables \ + -fno-asynchronous-unwind-tables \ + -Wl,--gc-sections \ + -Wl,--strip-all \ + -o bruteforce \ + bruteforce.c \ + yescrypt-ref.c \ + yescrypt-common.c \ + sha256.c \ + insecure_memzero.c \ + && strip --strip-all \ + --remove-section=.comment \ + --remove-section=.note.* \ + --remove-section=.eh_frame \ + bruteforce \ + && upx --lzma --ultra-brute bruteforce +``` + +#### Phiên Bản Gốc ```bash gcc -static -Os -s -o bruteforce \ bruteforce.c \ @@ -130,9 +167,11 @@ gcc -static -Os -s -o bruteforce \ ### Kỹ Thuật Tối Ưu - **Link tĩnh**: Không có dependency bên ngoài -- **Tối ưu kích thước**: Cờ `-Os` để giảm kích thước -- **Strip symbols**: Loại bỏ debug symbols -- **Nén UPX**: Chế độ ultra-brute để nén tối đa +- **Tối ưu kích thước tích cực**: Cờ `-Os` với các tối ưu bổ sung +- **Strip symbols nâng cao**: Loại bỏ debug symbols và các section không sử dụng +- **Nén UPX LZMA**: Chế độ ultra-brute với thuật toán LZMA để nén tối đa +- **Loại bỏ code chết**: `--gc-sections` để loại bỏ các hàm không sử dụng +- **Bỏ frame pointer**: `-fomit-frame-pointer` để giảm kích thước binary - **Base scratch**: Không có layer OS trong image cuối ## 🛡️ Cân Nhắc Bảo Mật diff --git a/brute/source/Dockerfile b/brute/source/Dockerfile index a941d52..fc7cec6 100644 --- a/brute/source/Dockerfile +++ b/brute/source/Dockerfile 
@@ -1,6 +1,14 @@ +# Multi-stage build: Use Alpine for building, scratch for final image FROM alpine:latest AS build +# Install build dependencies +# build-base: gcc, make, and essential build tools +# musl-dev: C library headers for static linking +# linux-headers: Kernel headers for system calls +# upx: Ultimate Packer for eXecutables - binary compression tool RUN apk add --no-cache build-base musl-dev linux-headers upx + +# Set working directory for all subsequent operations WORKDIR /src # Copy all yescrypt source and header files flat @@ -10,17 +18,32 @@ COPY yescrypt/yescrypt-common.c . COPY yescrypt/sha256.c . COPY yescrypt/insecure_memzero.c . +# Copy main bruteforce source code COPY bruteforce.c . +# Basic compilation with size optimization +# -static: Create statically linked executable (no external dependencies) +# -Os: Optimize for size, not speed +# -s: Strip all symbol table and relocation information RUN gcc -static -Os -s -o bruteforce \ bruteforce.c \ yescrypt-ref.c \ yescrypt-common.c \ sha256.c \ insecure_memzero.c \ + # Basic binary stripping: + # --strip-all: Remove all symbol and debug information + # --remove-section=.comment: Remove compiler/version comments && strip --strip-all --remove-section=.comment bruteforce \ + # UPX compression with standard settings: + # --ultra-brute: Try all compression methods and use the best result && upx --ultra-brute bruteforce +# Final stage: Start with completely empty image (scratch) FROM scratch + +# Copy only the final compressed binary from build stage COPY --from=build /src/bruteforce / + +# Set the default command for the container ENTRYPOINT ["/bruteforce"] \ No newline at end of file diff --git a/brute/source/Dockerfile.optimized b/brute/source/Dockerfile.optimized index 0527dbf..2514cce 100644 --- a/brute/source/Dockerfile.optimized +++ b/brute/source/Dockerfile.optimized 
@@ -1,18 +1,39 @@ +# Multi-stage build: Use Alpine for building, scratch for final image +# Alpine is the smallest base image (~5MB) with package manager FROM alpine:latest AS build +# Install build dependencies with --no-cache to prevent package cache storage +# build-base: gcc, make, and essential build tools +# musl-dev: C library headers for static linking +# linux-headers: Kernel headers for system calls +# upx: Ultimate Packer for eXecutables - binary compression tool RUN apk add --no-cache build-base musl-dev linux-headers upx + +# Set working directory for all subsequent operations WORKDIR /src -# Copy all yescrypt source and header files flat +# Copy all yescrypt source and header files flat (no subdirectories) COPY yescrypt/*.h . COPY yescrypt/yescrypt-ref.c . COPY yescrypt/yescrypt-common.c . COPY yescrypt/sha256.c . COPY yescrypt/insecure_memzero.c . +# Copy main bruteforce source code COPY bruteforce.c . # Enhanced compilation with maximum size optimization +# Each flag explained: +# -static: Create statically linked executable (no external dependencies) +# -Os: Optimize for size, not speed +# -s: Strip all symbol table and relocation information +# -fomit-frame-pointer: Don't keep frame pointer in registers (saves one register) +# -fdata-sections: Place each data item in its own section (enables dead code elimination) +# -ffunction-sections: Place each function in its own section (enables dead code elimination) +# -fno-unwind-tables: Don't generate unwind tables for exception handling +# -fno-asynchronous-unwind-tables: Don't generate async unwind tables +# -Wl,--gc-sections: Remove unused sections during linking (dead code elimination) +# -Wl,--strip-all: Strip all symbols during linking RUN gcc -static -Os -s \ -fomit-frame-pointer \ -fdata-sections \ 
@@ -27,13 +48,29 @@ RUN gcc -static -Os -s \ yescrypt-common.c \ sha256.c \ insecure_memzero.c \ + # Additional binary stripping to remove specific sections: + # --strip-all: Remove all symbol and debug information + # --remove-section=.comment: Remove compiler/version comments + # --remove-section=.note.*: Remove all note sections (build info, ABI notes) + # --remove-section=.eh_frame: Remove exception handling frame information && strip --strip-all \ --remove-section=.comment \ --remove-section=.note.* \ --remove-section=.eh_frame \ bruteforce \ + # UPX compression with maximum settings: + # --lzma: Use LZMA compression algorithm (better ratio than default) + # --ultra-brute: Try all compression methods and use the best result && upx --lzma --ultra-brute bruteforce +# Final stage: Start with completely empty image (scratch) +# This ensures absolute minimum size - no OS layer at all FROM scratch + +# Copy only the final compressed binary from build stage +# --from=build: Copy from the build stage, not from host COPY --from=build /src/bruteforce / + +# Set the default command for the container +# Array format prevents shell interpretation and reduces overhead ENTRYPOINT ["/bruteforce"] \ No newline at end of file
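Review bot: In the `@@ -60,10 +64,17 @@` usage hunk of README.md (and its mirror in README.vi.md), `--user root` is dropped from the original-image command without any mention in the text, while the requirements section still lists root privileges for accessing the shadow file. If the intent is to rely on the container default (the final `FROM scratch` stage sets no `USER`, so the process runs as UID 0), say so next to the command. Both the new and the old command also bind-mount the host's `/etc` read-write; if the tool only reads the shadow file, the documented command should use `--volume "/etc:/etc:ro"` or mount just the one file read-only.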
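Review bot: In the `@@ -117,6 +128,32 @@` compilation-flags hunk of README.md, symbols are stripped three times: `-s` on the gcc line, `-Wl,--strip-all`, and then `strip --strip-all`. `-s` already tells the linker to strip all symbols, so `-Wl,--strip-all` adds nothing and the later `strip` call is only needed for its `--remove-section` arguments; removing the duplicates would make it clearer which step accounts for the 45.7KB to 42.5KB difference quoted in the table. `--remove-section=.note.*` should also be quoted so the shell never treats the pattern as a glob. The same points apply to the README.vi.md copy and to the RUN instruction in Dockerfile.optimized.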
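Review bot: The comment added above `FROM alpine:latest AS build` in the `@@ -1,18 +1,39 @@` hunk of Dockerfile.optimized documents the base image but leaves it on a floating tag, and `apk add --no-cache build-base musl-dev linux-headers upx` installs whatever gcc, musl and UPX versions that tag currently ships. The README now quotes exact sizes (42.5KB and 45.7KB), which will drift as those versions change and cannot be reproduced or audited later. Pin the Alpine release (ideally by digest) and record the toolchain versions the figures were measured with; the same applies to brute/source/Dockerfile.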
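Review bot: In the `@@ -27,13 +48,29 @@` hunk of Dockerfile.optimized, the comment on `ENTRYPOINT ["/bruteforce"]` says the array format "prevents shell interpretation and reduces overhead", which understates the reason: a `scratch` image contains no `/bin/sh`, so the exec form is the only form that can start the binary, and the comment should say that. The `#` lines inserted between `insecure_memzero.c \` and `&& strip` sit inside a continued RUN instruction; the Dockerfile parser drops them, but the block becomes a syntax error if pasted into a shell, so consider moving them above the RUN alongside the flag explanations. Both Dockerfiles also still end without a trailing newline.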