1) Deploy an Attack Vector

The Attack Vector runs the BlackNoise events. It is deployed on your network to execute offensive actions (events) according to the chosen scenario and based on the configured campaign technical settings.



1️⃣ Prepare the Attack Vector installation

1a) Requirements for running a BlackNoise Attack Vector

The BlackNoise Attack Vector is a Docker container. You need a computer with Docker to run it. This computer will be the host.
Computer specs
  • CPU: x86_64 or ARM architecture
  • RAM: 2 GB
  • Storage: 16 GB
Software specs
  • Operating System: Linux or Windows. The use of Linux is recommended.
  • Docker: Docker engine v27.0.0 and above


1b) Host setup steps

For Linux Hosts
    Install a Linux OS such as Debian, Ubuntu, RedHat or Fedora.
    Install Docker Engine. Do not use the packages shipped with the distribution. Follow the official Docker documentation and install from Docker's own repository:  https://docs.docker.com/engine/install .
For Windows hosts
  • It is recommended to install a Linux virtual machine on the Windows host and then refer to the previous case.
  • If you are unable to set up a VM on the host, please install Docker Desktop with WSL. The source IP displayed for events in the BlackNoise app for this case will differ from the host OS's IP, showing the IP address of the Docker eth0 network interface (typically 192.168.65.3).
General settings
  • The Attack Vector utilizes the IP address of the host OS on which it is installed. You may configure either DHCP or a static IP address based on the host's requirements.
  • If the host OS has multiple network interfaces, ensure that the default route is assigned to only one interface. Failure to do so will prevent the BlackNoise Attack Vector from operating correctly.
  • For virtual machines, the network interface must be configured in bridge mode.
  • The host must have an NTP service configured and running to ensure accurate and continuous system time synchronization.
  • The host must be configured with an internal DNS service to allow name resolution for other servers and workstations.


1c) Network flows allowing connection between Attack Vector and BlackNoise app

Open the following flows to enable connection:
  • Protocol: HTTPS (TCP/443)
  • Domains:  in.blacknoise.co , *.in.blacknoise.co, and  registry.blacknoise.co 
  • Direction: outgoing flows
Important: No protocol interruption.
To successfully establish a secure connection between the Attack Vector and the BlackNoise platform, ensure HTTPS connections remain intact without any protocol breaks. Specifically, intermediate devices must not decrypt TLS traffic from HTTPS connections, as this would hinder secure end-to-end communication necessary for optimal operation.
Once the host is ready, you can proceed to step 2).
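
A preflight script for the host requirements and network flows listed in step 1, as an added example (not BlackNoise's own tooling). It assumes a Linux host with systemd, iproute2, curl and openssl; the function names and the --run switch are illustrative.

```shell
#!/bin/sh
# Added example: preflight checks for a Linux Attack Vector host.
# Assumes systemd (timedatectl), iproute2, curl and openssl are installed.

# Return 0 if a Docker Engine version string is >= 27.0.0.
docker_version_ok() {
    major=${1%%.*}
    case $major in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -ge 27 ]
}

# Read `ip -4 route show default` output on stdin and print how many
# distinct interfaces carry a default route (the page requires exactly 1).
default_route_ifaces() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") seen[$(i + 1)] = 1 }
         END { n = 0; for (d in seen) n++; print n }'
}

# Read `timedatectl show` output on stdin; return 0 if the clock is synced.
ntp_synced() { grep -qx 'NTPSynchronized=yes'; }

# report <status> <label>: print PASS/FAIL and remember any failure in $rc.
report() {
    if [ "$1" -eq 0 ]; then echo "PASS  $2"; else echo "FAIL  $2"; rc=1; fi
}

preflight() {
    rc=0
    docker_version_ok "$(docker version --format '{{.Server.Version}}' 2>/dev/null)"
    report $? "Docker Engine >= 27.0.0"
    [ "$(ip -4 route show default | default_route_ifaces)" -eq 1 ]
    report $? "default route on exactly one interface"
    timedatectl show | ntp_synced
    report $? "system clock synchronized via NTP"
    for h in in.blacknoise.co registry.blacknoise.co; do
        getent hosts "$h" >/dev/null
        report $? "DNS resolves $h"
        curl -s -o /dev/null --max-time 10 "https://$h/" 2>/dev/null
        report $? "outgoing HTTPS (TCP/443) to $h"
        # Printed for review: an issuer that is your own proxy or internal CA
        # means TLS is being decrypted between the host and BlackNoise.
        openssl s_client -connect "$h:443" -servername "$h" </dev/null 2>/dev/null |
            openssl x509 -noout -issuer
    done
    return "$rc"
}

# Run the checks only when asked, e.g.: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it on the host before pasting the docker command from step 2; any FAIL line maps to one of the requirements above.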


2️⃣ Install the Attack Vector

    From the Resources > Attack Vectors page, click the Create attack vector button in the top right.
    Provide a name (alias) for this Attack Vector. The Docker container will be automatically generated from this alias.
You can also set up several parameters for this container, including a proxy, a DNS server, and an NTP server.

The proxy will be used for the Attack Vector's connection to the BlackNoise web application: Attack vector -> Proxy -> Web app
  • The Attack Vector does NOT support proxy authentication. Unauthenticated connections to the BlackNoise web app must be allowed by the proxy to allow the Attack Vector to connect to it.
  • The Attack Vector does NOT support TLS decryption at the proxy level. As such, the proxy must be configured to not decrypt communications between the Attack Vector and the BlackNoise web app.
    Copy the docker command from the screen and paste it into the terminal of the previously deployed computer (the host) to execute it. You can also provide a DNS server to be used by Attack Vector. Please refer to the FAQ to add this option within the following command ( https://doc.blacknoise.co/p/ps6ZTNIhewUzS9/Untitled#5yRgILGUh2OIg1 ).
The host must be connected to the network and have an IP address before launching the docker command; otherwise, the Attack Vector won't initialize.
If you want to install the Attack Vector from a Windows host OS using Docker Desktop, you may need to split the command into 2 parts (docker login and then docker run) because the separator && is not always recognized by Windows.
    The Attack Vector shows up in the web app list. The container image is downloaded and started. Once the authentication between the Docker container and the BlackNoise web app is done, the Attack Vector is ready to use (i.e. operational). This is shown by a green dot. It can now be used in an attack campaign.
A red star next to the version number of an Attack Vector indicates an available update. Click the Attack Vector to open the details modal. The update command appears at the top.

Information: The deployment of the virtual Attack Vector (Docker) is not working on Linux
If you have an error message such as:
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock
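Your user does not have permission to run Docker commands. Add your user to the docker group (membership grants root-equivalent access to the host, so limit it to the account that administers the Attack Vector), then log out and back in for the change to take effect: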
sudo usermod -aG docker your-username

Please refer to our FAQ for the technical details needed to ensure communication between the Attack Vector and Target Systems.