
Pentest Lab: Web Application Edition


Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Mon Jul 27, 2009 3:34 pm

Pentest Lab: Web Application Edition

http://www.securityaegis.com/?p=574

Working links at the site =)

Over the last week, we busted out our red plastic shovel and our bucket shaped like a castle to dig a little bit deeper into our sandbox. Recently, we addressed the flexibility and overall necessity of a virtual lab for network pentesting, practice, and testing.

Today, we plan to expand upon that to encompass Web App. Our setup includes 7 target sites hosted on 4 VMs. It’s important to note that we only showcase the tip of the iceberg. The possibility of expansion is limited only by your imagination.

This lab takes substantially more prep and organization than our network lab did, as each target site has different requirements. We hosted most of our targets on XP Pro SP3 boxes, though many should work on Vista or maybe even Win7 RC.

Downloads:

MSDE2000A (required for Hacme Bank)
.Net 1.1 (required for Hacme Bank)
JDK (required for Hacme Books)
Xampp (for DVWA and Mutillidae)
DVWA
Mutillidae
Moth VM
WebGoat
Hacme Bank
Hacme Books
Hacme Casino
SamuraiWTF

As we did with our last lab setup, we chose to keep everything self-contained using a HostOnly network. We used VMware again. Not only is it free (who doesn’t love free stuff?) but it’s also powerful and flexible enough to serve our needs. Both the network lab and the Web app lab can be combined, but we chose to keep them separate for organizational reasons. Redeploying a VM takes very little effort.

This lab allows us to test many different tools, from browser-based add-ons to stand-alone tools. We decided to use SamuraiWTF as our attack platform for many of the same reasons we used BT pre 4 on our Network lab. It’s prepackaged with most, if not all, the tools you might need. Since it is a LiveCD, it requires minimal setup to get it up and running.

Before diving deep into this project, we highly suggest you download everything you need first. Storing everything on a USB thumb drive makes this process much easier and flow more smoothly. We also assume you have checked out the network lab article and video. If you have little or no experience with VMware (specifically VMware server) we suggest you glance over that video first for a more basic view of the VMware server usage.

Let’s get our hands dirty.

We started off by setting up Moth. Moth is a pre-configured VM image; all we need to do here is extract it to our datastore’s directory, import it, and make sure our network is configured correctly. Moth is configured to retrieve IP info from DHCP. Log in with moth:moth and run ifconfig for your IP. Moth is brought to us by Bonsai-sec.com. “For almost every web application vulnerability that exists in the wild, there is a test script available in moth.”

Moth is attacked through http://(VM’s IP)

We moved on to DVWA and Mutillidae, both of which were hosted on an XP Pro machine using Xampp. Very simple process here: install Xampp and move DVWA and Mutillidae into the xampp/htdocs/ directory. Damn Vulnerable Web App is a project that @ethicalhack3r started, and it’s still going strong. From our understanding, we should see a new version coming out in the next month or two. “…it’s in a completely different league to the current stable version.” DVWA features the ability to change its security settings to raise or lower the difficulty. This option makes it an awesome target for everyone from uber-noobs (like myself) to the more seasoned web app tester. Mutillidae was an Irongeek.com project. The focus here was to implement the OWASP Top 10 into a single environment. A couple of different videos about Mutillidae can be found at Irongeek.com.

Attack through http://(VM’s IP) and then browse to target

Third in line is our WebGoat machine. WebGoat is pretty self-contained; no need to install anything. Just transfer it to the VM from the thumb drive and run the .bat file. The only real work we needed to do was edit server_80.xml to allow remote connections. WebGoat is an OWASP project. One of the standout features of WebGoat is its design. It has clearly outlined goals in the form of labs, such as “…Stored XSS attack against the Street field on the Edit Profile page. Verify that ‘Jerry’ is affected by the attack.” But of course, the application is yours to attack in any form you like.

WebGoat is attacked through http://(VM’s IP)/WebGoat/attack (It is case sensitive)

Last of our target machines is the Foundstone machine. Each target within the Foundstone machine has its own set of requirements. For Hacme Bank, we found a great written walkthrough for installing to XP and making it remotely accessible. Hacme Books is a fairly simple install, with a slight file modification. Hacme Casino is as simple as it gets: install and go. Foundstone has released multiple Vulnerable Web Apps for testing, of which we only showcase three. We highly suggest you visit their site and check out Hacme Travel and Hacme Shipping.

Hacme Bank is attacked through http://(VM’s IP)/HacmeBank_v2_website/
Hacme Books is attacked through http://(VM’s IP):8989/HacmeBooks/
Hacme Casino is attacked through http://(VM’s IP):3000/

Of course, we need an attack platform. As stated earlier, we chose to go with SamuraiWTF. You can choose any platform you like, host machine included. But if you’ve never given SamuraiWTF a shot, there’s no better time than now. SamuraiWTF is a Live Linux environment packaged with “the best of the open source and free tools that focus on testing and attacking websites.” Nothing can lend more credibility to this release than the names of its project team: Kevin Johnson and Justin Searle, among others. It’s everything you would expect from an InGuardians project, and more.

This setup is great for anything from learning the basics to testing new tools and testing one-off attack vectors, and it can be expanded to serve many other needs. We are continuing to play around with our labs in hopes of finding something we could share with you. If you have any suggestions on how to make our setup better, or even a request for something you’d like to see in the next lab, drop us a line. We always give credit where credit is due.

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Mon Jul 27, 2009 5:28 pm

Re: Pentest Lab: Web Application Edition

Another excellent vid from Mike and Jason.
Great effort guys, and thanks.

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Jul 28, 2009 12:33 am

Re: Pentest Lab: Web Application Edition

I agree with dalepearson. Just as with the first part, I am pretty sure this will help many newcomers.

Thanks to both of you for the efforts you are putting into this.

Laz3r

Post Tue Jul 28, 2009 1:24 am

Re: Pentest Lab: Web Application Edition

Thanks for the kind words guys. If you have any suggestions, or something you'd like to see in the next edition, let us know. I'm sure there are tons of things we could do with our lab that we haven't thought of yet.

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Jul 29, 2009 11:20 am

Re: Pentest Lab: Web Application Edition

Laz3r,

Depending on which direction you're looking to take this, it may be interesting to add some monitoring/prevention devices to your lab for more advanced setups.

Something I'm currently working on is adding a Snort implementation to my environment to allow me to see which of the attacks and techniques I'm trialling trigger signatures (and adding custom sigs for those that don't). I'm hoping it may aid in getting a lab environment closer to real-world.

Similarly, adding a virtual firewall appliance between attack and target machines with configurable rulesets should allow you to better explain the need for reverse over bind shellcode etc., or to simulate pivot and post-exploit activities. For example, pop an insecure web app to gain access to a backend DB target that isn't world accessible.

Possibilities are endless. Keep up the good work and thanks for sharing your findings.
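One way to act on the Snort idea in the post above, as an added example that is not part of this thread: a small Python summarizer that reads Snort fast-alert log lines, maps each alert's destination to the lab targets by the ports the article lists, and reports which targets never triggered a signature. The 192.168.50.x addresses, the log lines and the SIDs are constructed for the example.

```python
import re
from collections import Counter
# Lab targets keyed by (VM IP, port); ports follow the article's attack URLs.
# The 192.168.50.x addresses are constructed host-only lab addresses, not real ones.
LAB_TARGETS = {
    ("192.168.50.10", 80): "WebGoat",
    ("192.168.50.11", 80): "DVWA/Mutillidae (Xampp)",
    ("192.168.50.12", 80): "Hacme Bank",
    ("192.168.50.12", 8989): "Hacme Books",
    ("192.168.50.12", 3000): "Hacme Casino",
}

# Snort "alert_fast" format: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample alert log; SIDs are placeholders in Snort's local-rule range.
SAMPLE_LOG = """\
07/29-11:20:01.123456  [**] [1:1000001:1] LAB WebGoat XSS in Edit Profile [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.50.5:41234 -> 192.168.50.10:80
07/29-11:20:03.654321  [**] [1:1000001:1] LAB WebGoat XSS in Edit Profile [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.50.5:41235 -> 192.168.50.10:80
07/29-11:21:10.000001  [**] [1:1000002:1] LAB SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.50.5:41240 -> 192.168.50.12:8989
07/29-11:22:00.000002  [**] [1:1000001:1] LAB WebGoat XSS in Edit Profile [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.50.5:41250 -> 10.9.9.9:80
this line is not an alert and is skipped
"""

def parse_alert(line):
    """Return the fields of one fast-alert line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"sid": int(m.group("sid")), "msg": m.group("msg"),
            "src": m.group("src"), "dst": m.group("dst"), "dport": int(m.group("dport"))}

def coverage(lines, targets=LAB_TARGETS):
    """Count alerts per lab target and list the targets that fired no signature at all."""
    hits, sids = Counter(), {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        name = targets.get((alert["dst"], alert["dport"]))
        if name is None:
            continue  # alert on traffic that is not aimed at a lab target
        hits[name] += 1
        sids.setdefault(name, set()).add(alert["sid"])
    silent = sorted(set(targets.values()) - set(hits))
    return {"hits": dict(hits), "sids": {k: sorted(v) for k, v in sids.items()}, "silent": silent}
```

Targets listed under "silent" after a lab session are the ones whose attacks produced no alert, which is exactly where a custom local rule is worth writing.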

Bane

Post Mon Aug 17, 2009 10:23 am

Re: Pentest Lab: Web Application Edition

Excellent post guys. My suggestion would be to add Foundstone's Hacme Travel and Shipping to the list.

Laz3r

Post Mon Aug 17, 2009 11:04 am

Re: Pentest Lab: Web Application Edition

Jhaddix wrote: Foundstone has released multiple Vulnerable Web Apps for testing, of which we only showcase three. We highly suggest you visit their site and check out Hacme Travel and Hacme Shipping.


=D
Last edited by Laz3r on Mon Aug 17, 2009 11:25 am, edited 1 time in total.

Bane

Post Tue Aug 18, 2009 1:49 pm

Re: Pentest Lab: Web Application Edition

Laz3r wrote:
Jhaddix wrote: Foundstone has released multiple Vulnerable Web Apps for testing, of which we only showcase three. We highly suggest you visit their site and check out Hacme Travel and Hacme Shipping.


=D


How about WebGoat and Damn Vulnerable Web App then? ;D
Last edited by Bane on Tue Aug 18, 2009 1:51 pm, edited 1 time in total.

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Tue Aug 18, 2009 2:03 pm

Re: Pentest Lab: Web Application Edition

Hey Bane,

If you read the article and watch the video you'll see we did use those two.

DVWA
Mutillidae
Moth VM
WebGoat
Hacme Bank
Hacme Books
Hacme Casino
SamuraiWTF (Attack Platform)

Bane

Post Tue Aug 18, 2009 4:05 pm

Re: Pentest Lab: Web Application Edition

Jhaddix wrote: Hey Bane,

If you read the article and watch the video you'll see we did use those two.

DVWA
Mutillidae
Moth VM
WebGoat
Hacme Bank
Hacme Books
Hacme Casino
SamuraiWTF (Attack Platform)



Yeah, I was just messing around since I missed the Foundstone ones. Making a little bit of a joke. Obviously not a good one.

seanolee

Newbie

Posts: 1

Joined: Thu Feb 18, 2010 7:03 am

Post Thu Feb 18, 2010 7:09 am

Re: Pentest Lab: Web Application Edition

I am totally new to this.

Can you point me to the videos referenced above.

Also, I have installed moth, but can't access it over the network.

ifconfig shows only 2 devices:  lo and vnet0.

I can't understand http://<ip-addr>.

Is that done from the host?

unsupported

Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Thu Feb 18, 2010 8:49 am

Re: Pentest Lab: Web Application Edition

seanolee wrote:
I am totally new to this.

Can you point me to the videos referenced above.

Also, I have installed moth, but can't access it over the network.

ifconfig shows only 2 devices:  lo and vnet0.

I can't understand http://<ip-addr>.

Is that done from the host?



The http://<ip-addr> is the host virtual machine's IP address, 127.0.0.1, or whatever. It would be accessible from any host on your LAN.

The videos are linked in the first article, http://www.securityaegis.com/?p=574.
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
