Docker is a very useful platform for penetration testers, as many tools today are packaged into containers to run in Docker. It helps to not worry about installing dependencies that may break your testing VM or OS. Here are some common commands that I use when I work with containerised tools.

#Displays a list of images available on your system.
sudo docker images

#List running Docker containers
sudo docker ps

#Starts (or creates if not existing) the containers defined in the docker-compose.yml file
sudo docker-compose up -d 

#Stop all containers
sudo docker-compose down

#Delete Docker image (from docker ps output)
sudo docker rmi 6037dc305bb2

#Enter a Docker container (get NAMES from docker ps output)
sudo docker exec -it image_name sh

#Maps a host directory to the container to save scan results and logs permanently
sudo docker run --rm -v $(pwd)/loot:/root/loot image_name

#Runs the container on the host network stack for better scanning and sniffing (e.g., Nmap/Responder)
sudo docker run --rm --net=host -it image_name

#Forwards a specific port to catch reverse shells or host malicious web servers
sudo docker run --rm -p 4444:4444 -it image_name

#Injects sensitive credentials or API keys (like Shodan/Censys) without saving them in the image
sudo docker run --rm -e API_KEY=your_key_here image_name

#Forces the container to use a specific shell or tool regardless of its default entrypoint
sudo docker run --rm -it --entrypoint /bin/bash image_name

#Completely wipes all engagement artifacts, including volumes and unused images
sudo docker system prune -a --volumes