Pentest Labs: Web Application Edition


Over the last week, we busted out our red plastic shovel and our bucket shaped like a castle to dig a little bit deeper into our sandbox. Recently, we addressed the flexibility and overall necessity of a virtual lab for network pentesting, practice, and testing.

Today, we plan to expand upon that to encompass web app testing. Our setup includes 7 target sites hosted on 4 VMs. It’s important to note that we only showcase the tip of the iceberg. The possibility of expansion is limited only by your imagination.

This lab takes substantially more prep and organization than our network lab did, as each target site has different requirements. We hosted most of our targets on XP Pro SP3 boxes, though many should also work on Vista or maybe even the Win7 RC.

Downloads:

MSDE2000A (required for Hacme Bank)
.NET 1.1 (required for Hacme Bank)
JDK (required for Hacme Books)
Xampp (for DVWA and Mutillidae)
DVWA
Mutillidae
Moth VM
WebGoat
Hacme Bank
Hacme Books
Hacme Casino
SamuraiWTF

As we did with our last lab setup, we chose to keep everything self-contained using a HostOnly network. We used VMware again. Not only is it free (who doesn’t love free stuff?) but it’s also powerful and flexible enough to serve our needs. The network lab and the web app lab can be combined, but we chose to keep them separate for organizational reasons. Redeploying a VM takes very little effort.

This lab allows us to test many different tools, from browser-based add-ons to stand-alone tools. We decided to use SamuraiWTF as our attack platform for many of the same reasons we used BT pre-4 in our network lab. It’s prepackaged with most, if not all, of the tools you might need. Since it is a LiveCD, it requires minimal setup to get it up and running.

Before diving deep into this project, we highly suggest you download everything you need first. Storing everything on a USB thumb drive makes the process much easier and smoother. We also assume you have checked out the network lab article and video. If you have little or no experience with VMware (specifically VMware Server), we suggest you glance over that video first for a more basic view of VMware Server usage.

Let’s get our hands dirty.

We started off by setting up Moth. Moth is a pre-configured VM image, so all we need to do here is extract it to our datastore’s directory, import it, and make sure our network is configured correctly. Moth is configured to retrieve its IP info from DHCP. Log in with moth:moth and run ifconfig to find its IP. Moth is brought to us by Bonsai-sec.com. “For almost every web application vulnerability that exists in the wild, there is a test script available in moth.”

Moth is attacked through http://(VM’s IP)

We moved on to DVWA and Mutillidae, both of which were hosted on an XP Pro machine using Xampp. Very simple process here: install Xampp and copy the DVWA and Mutillidae directories into xampp/htdocs/. Damn Vulnerable Web App is a project that @ethicalhack3r started and it’s still going strong. From our understanding, we should see a new version coming out in the next month or two. “…it’s in a completely different league to the current stable version.” DVWA features the ability to change its security settings to raise or lower the difficulty. This option makes it an awesome target for everyone from uber-noobs (like myself) to the more seasoned web app tester. Mutillidae was an Irongeek.com project. The focus there was to implement the OWASP Top 10 in a single environment. A couple of different videos about Mutillidae can be found at Irongeek.com.

Attack through http://(VM’s IP) and then browse to the target directory

Third in line is our WebGoat machine. WebGoat is pretty self-contained; there is no need to install anything. Just transfer it to the VM from the thumb drive and run the .bat file. The only real work we needed to do was edit server_80.xml to allow remote connections. WebGoat is an OWASP project. One of the standout features of WebGoat is its design: it has clearly outlined goals in the form of labs, such as “…Stored XSS attack against the Street field on the Edit Profile page. Verify that ‘Jerry’ is affected by the attack.” But of course, the application is yours to attack in any form you like.

WebGoat is attacked through http://(VM’s IP)/WebGoat/attack (It is case sensitive)

Last of our target machines is the Foundstone machine. Each target within the Foundstone machine has its own set of requirements. For Hacme Bank, we found a great written walkthrough for installing it on XP and making it remotely accessible. Hacme Books is a fairly simple install, with a slight file modification. Hacme Casino is as simple as it gets: install and go. Foundstone has released multiple vulnerable web apps for testing, of which we only showcase three. We highly suggest you visit their site and check out Hacme Travel and Hacme Shipping.

Hacme Bank is attacked through http://(VM’s IP)/HacmeBank_v2_website/
Hacme Books is attacked through http://(VM’s IP):8989/HacmeBooks/
Hacme Casino is attacked through http://(VM’s IP):3000/
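Once all four VMs are up, it helps to confirm every target above actually answers over the HostOnly network before you boot SamuraiWTF and start testing. The following POSIX shell script is an added example and not part of the original post; the four IP addresses are placeholders you pass on the command line, and the dvwa/ and mutillidae/ folder names under htdocs are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): verify that every lab target
# listed above answers over the HostOnly network.
# Usage: ./labcheck.sh MOTH_IP XAMPP_IP WEBGOAT_IP FOUNDSTONE_IP
# The four IPs are assumptions; read them from ifconfig/ipconfig on each VM.

# build_url NAME IP -> prints the URL this post uses for that target.
# WebGoat's path is case sensitive; Hacme Books/Casino listen on non-80 ports.
build_url() {
  case "$1" in
    moth)        printf 'http://%s/\n' "$2" ;;
    dvwa)        printf 'http://%s/dvwa/\n' "$2" ;;        # folder name assumed
    mutillidae)  printf 'http://%s/mutillidae/\n' "$2" ;;  # folder name assumed
    webgoat)     printf 'http://%s/WebGoat/attack\n' "$2" ;;
    hacmebank)   printf 'http://%s/HacmeBank_v2_website/\n' "$2" ;;
    hacmebooks)  printf 'http://%s:8989/HacmeBooks/\n' "$2" ;;
    hacmecasino) printf 'http://%s:3000/\n' "$2" ;;
    *) return 1 ;;
  esac
}

# http_code URL -> prints the HTTP status, or 000 if nothing answered within 5s.
http_code() {
  code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$1" 2>/dev/null) || code=000
  printf '%s' "$code"
}

# status_ok CODE -> true for any response that proves the app is up:
# 2xx/3xx, plus 401 because WebGoat challenges for a login on /WebGoat/attack.
status_ok() {
  case "$1" in 2??|3??|401) return 0 ;; *) return 1 ;; esac
}

# check_all MOTH_IP XAMPP_IP WEBGOAT_IP FOUNDSTONE_IP -> non-zero if any target is down.
check_all() {
  fail=0
  for pair in "moth=$1" "dvwa=$2" "mutillidae=$2" "webgoat=$3" \
              "hacmebank=$4" "hacmebooks=$4" "hacmecasino=$4"; do
    name=${pair%%=*}; ip=${pair#*=}
    url=$(build_url "$name" "$ip")
    code=$(http_code "$url")
    if status_ok "$code"; then printf 'OK   %-12s %s (%s)\n' "$name" "$url" "$code"
    else printf 'DOWN %-12s %s (%s)\n' "$name" "$url" "$code"; fail=1; fi
  done
  return $fail
}

if [ "$#" -eq 4 ]; then check_all "$@"; fi
```

Run it from the SamuraiWTF box; any DOWN line usually means the VM is on the wrong virtual network or the service was never set up for remote access (the WebGoat server_80.xml edit, for example).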

Of course, we need an attack platform. As stated earlier, we chose to go with SamuraiWTF. You can choose any platform you like, host machine included. But if you’ve never given SamuraiWTF a shot, there’s no better time than now. SamuraiWTF is a live Linux environment packaged with “the best of the open source and free tools that focus on testing and attacking websites.” Nothing lends more credibility to this release than the names on its project team: Kevin Johnson and Justin Searle, among others. It’s everything you would expect from an InGuardians project, and more.

This setup is great for anything from learning the basics to testing new tools and one-off attack vectors, and it can be expanded to serve many other needs. We are continuing to play around with our labs in the hope of finding something we can share with you. If you have any suggestions on how to make our setup better, or even a request for something you’d like to see in the next lab, drop us a line. We always give credit where credit is due.

  1. #1 by Nimari - August 24th, 2009 at 23:01

    Very good and easy to understand steps, and a great video. I followed the steps successfully. I liked the part about how to run WebGoat remotely; I had a hard time before trying to achieve that, as I am not using Tomcat too much.

    You rock man, keep up the good work.

    By the way I am following you on Twitter now and your website is already bookmarked :)

    Abdulrahman Al-Nimari

  2. #2 by Robert - November 12th, 2009 at 08:53

    Dude, That and your other videos are the BEST I have ever seen. I only ask for two things (if you feel like it).

    1) Please do more.
    2) Can you please put out the names of the songs you listen to? They, like you, are awesome.

  3. #3 by n0085 - December 7th, 2009 at 17:15

    Guys … please post more tutorial videos about this!!! You guys really do make the effort of noobs like me easier!!! It accelerates my learning about web app security a lot!!! Waiting for your next awesome videos!!!

  4. #4 by Daniel - January 10th, 2010 at 10:22

    @Securityaegis Team

    I thank you very much for this great tutorial. Now I’ve got a great motivation to set up my own lab :)

    Thank you for this! I like your Blog
