Have you ever thought about legal hacking? Is it possible to do the things
you love and pump your pentesting skills without breaking the law? Where is it
safe to try out some injections and run experiments with web-exploits, without
thinking of your VPN is enabled or not? How to test your hackers’ knowledge,
starting the path from a scripts’ bug to the very system root? You know… There
is the way!
We are often asked the same question: "How to learn hacking?". The answer is
simple: study it just like any other subject. At first, you need to deeply and
thoughtfully study the theory and only then proceed to practice. The only
difference is that there are a lot of books fully ready for studying mathematics,
but not hacking. It just looks like there aren’t. You will rebel: "What do you
mean there aren’t? What about those shareware programs or any web-resource.
There are so much of them. They are great hackers’ "playgrounds”, aren’t they?
". You know, that is an option, anyway. But first, you have every chance to
quickly finish running experiments which have been started in such a way. And
secondly, taking the bull by the horns with trying to analyze some serious
web-resources having no experience under belt is just like a leap without
looking forward. Such kind of "activity” is neither safe, nor smart. There is a
Many companies which are involved in training information security
professionals prepare them to be ready to face different kinds of problem
situations. They are the same as math exercises, but only in pentest context.
Similar to math solutions are also offered by enthusiasts who show different
hack techniques by the example of them. Old versions of some well-known products
are often taken as a basis, because they are full of uncorrected vulnerabilities.
Sometimes such quests are made from scratch, but anyway, they have some
purposely embedded bugs which can be successfully exploited. Some of such
websites are hosted directly on the www and offer a unique][-quest to pass (such
as our project at www.ring0cup.ru),
others require installation on your own web server and still others are
distributed as a virtual machines’ image, so you just run it and that’s it. So,
today we’ll try to deal with and unscramble the diversity of similar projects.
Damn Vulnerable Web App
Usually, creators of web applications like to boast with a high reliability
of one’s product and their built-in WAF (a firewall for web applications) in
every possible way, but they really bashfully laugh off in case if there’s
another bug found in their script. By contrast, "Damn Vulnerable Web App” (DVWA)
developers, categorically state that the live web-server installation is not
acceptable, because the application is... "damn vulnerable":). All the most
common mistakes which have ever been made by amateur programmers are gathered in
one place, so now you do have a possibility to exercise in committing different
kinds of attacks.
The most popular PHP/MySQL bundle was chosen as platform, so for the same
reason we begin our review starting with DVWA. If you want to save some time on
setting up a web server you should download a "ready to use” web server
assemblies like Denwer or
Actually, the only necessary thing is unpack the files to the public
html-directory and type the http://127.0.0.1/dvwa/index.php in browsers’ address
line. You won’t even have to mess about with the database manual creation,
because there is a "Create/Reset Database" menu button. But if you still want
something to fix, this can be done through editing the /config/config.inc.php .
Another point concerns the PHP settings. You need to make sure that all the
appropriate changes were made to PHP.ini file.
magic_quotes_gpc = Off
Also, DVWA project is regularly updated. In late 2009, it was even purchased
by investors, so it is quite possible that soon we should expect some
Initially, the creator of this project was going to make a web-applications
pentesting video tutorial for beginners, which had to include the explanation of
the pentesting basics. The creator got in a mess when it came closer to choosing
a suitable platform in order to showcase different vulnerabilities. He just
couldn’t find it. Most of the solutions were too hard to explain the basics for
beginners who just have started their conversance with the problems of
web-applications’ security. That’s the way the Mutillidae project was born.
The creator had taken a list of ten types of OWASP Top 10 vulnerabilities:
SQL-injections, XSS, CSRF, and so on and wrote some scripts, so any solicitous
could try out for the exploitation of each of them. Scripts’ code was
intentionally written in a very simple way, in order to facilitate the
understanding of the vulnerabilities. Mutillidae can be easily installed on
Windows, TUX and even XAMPP based servers. All databases one-click creatable.
You should just choose the "Setup/reset the DB" option from the projects’ main
page. Creator offers to sequentially read the information about each of the
OWASP Top 10 vulnerability and try ones hands at Mutillidae after sorting
out the every exploit. If your try was successful, the second part of the quest
is to fix a bug that was found.
When the Mutillidae’s creator was talking about the majority of hackers'
quests are not designed to suite the beginner’s level and the WebGoat quest suit
is among those too. The project is remarkable because it is being developed
within the above mentioned OWASP (Open Web Application Security Project).
There’re also a large number of security-utilities which are produced under
OWASP auspices. But if the two previous projects are PHP oriented, then here you
will face the Java code. For J2EE-applications hosting there’s a standard
TomCat-server which is already included in the WebGoat assembly and configured
in order to be ran in as simple as possible:
- Unpack WebGoat-OWASP_Standard-xxzip to your work directory.
- Start TomCat's daemon, by launching the webgoat.bat file. (System has to
have a fresh J2EE installed).
- Turn on your browser and follow http://localhost/WebGoat/attack.
- Authorize as a guest/guest.
- Now take a fling at searching vulnerabilities.
Usually, all quests are tied to some real problem. E.g. in one of the quests
you will be asked to make an SQL-injection in order to steal a list of fake
credit numbers. Some quests are accompanied by a training component which shows
the user some useful hints and the appropriate vulnerable code.
After passing all the intricate quests of WebGoat application you can switch
to a more complex project which name is Stanford SecuriBench. The fact is that
the developers didn’t write it from scratch with intentionally made
vulnerabilities. Instead, they went the other way and gathered a selection of 8
real-life programs. All of them are written in Java: jboard forum engine,
bloggers’ blueblog script and so on. Of course, all old and raw releases with no
Bugtraq show up were selected as the samples. Nevertheless, these are
real-existing applications and their creators have already thought of their
protection, so using these exploits will not be that easy. Basically,
SecuriBench is just a collection of vulnerable programs, so you’ll have to
install and configure each of them manually and of course you should surely take
care of configuring Tomcat server before.
It is noteworthy that this project was born during its creators were working
on tools for code static analysis, so if you seek a guinea pig to test some code
research tool the SecuriBench application is just what you needed.
Another collection of real-existing applications is presented in the Moth
project. Nevertheless, it has a completely different form. It differs from other
projects with its distribution kit which is presented in the form of a virtual
machine image including Ubuntu 8.10 installed. Actually, in order to run it
you’ll have to have any VMware product which is able to launch a virtual machine
image file (including the free
Originally, Moth was configured to receive all the network settings from
DHCP-server, so you should make sure that the virtual machine’s network settings
are suitable (e.g. my router automatically assigns IPs, so I just have to choose
a Bridged mode, which allows the virtual machine to enter the physical network).
Next, start a virtual machine, log into the system (moth/moth), check system’s
assigned IP address with "ifconfig” and enter the Moth admin panel through: http://<moth-ip_address>.
Now you’re on the main page. Here you can browse the scripts of some known
products which were pre-installed on the web server: Wordpress 2.6.5 blog engine,
Vanilla 1.1.4 forum script and other PHP/MySQL based scripts, as well as a
single Java+Tomcat6+MySQL project.
In order to enhance the reality of what is happening, there are three ways to
access the script here: directly, using the mod_security and using the PHP-IDS:
Mod_security and PHP-IDS represent a WAF (Web Application Firewall) and offer
an additional protection for Web applications (see details in our "Firewall
for Web applications" article in the
of "Hacker"). Each of them maintains a detailed log of suspicious requests, so
this is a great way to understand how the WAF works and how it can be deceived.
The project is permanently updated and its creators promise adding a vulnerable
application which will be written in Python and Ruby in the near future.
Information Security products’ test platforms
The Moth distribution kit has been created with a certain specific purpose.
The same way as we had configured a system for convenient antivirus software
testing with a help of virtual machines the author of Moth have collected
vulnerabilities of different web projects in order to be able to conveniently
test automatic security scanners. As a result, he got a platform which helped
him to test some commercial products and an open source w3af framework, which
was specially designed to simplify the search and exploitation of
vulnerabilities in web applications. You should know that commercial security
scanners’ manufacturers are actively engaged in the creation of such field
testing platforms too. Eventually, where else can they debug their products and
show their capabilities to clients?
Thus, Acutenix WVS developers offer as many as three web sites which are
built on different platforms:
testaspnet.acunetix.com. HP test resource (in theory, meant for their HP
WebInspect) is located at
zero.webappsecurity.com. IBM Rational AppScan hacking platform address is
try breaking in there to manually find some bugs. Instead, you can make a try to
do it with some automatic scanner.
The creator of pWnOS decided not to limit his OS with web applications, but
to create a whole vulnerable system on basis of a virtual machine image. The
main task for you is to "get the root access". The legend is as follows: you are
a pentester, who was hired to study the security of some dedicated server.
That's where the game starts. You will experience live hosts search by nmap,
vulnerable services searching, receiving SSH access certificates, local exploits
detecting and so forth. It’s a paradise for beginners, in one word. You can find
some tips, passing recommendations and instructions on how to make this thing
work on VirtualBox here
We have already written about the
Linux project a couple of times. Perhaps, this project is the most branded
from all we talk about today. For those who’d like to train on searching for
vulnerabilities will like this distribution kit because here you can find some
buggy daemons, which can be easily exploited, and vulnerable scripts, allowing
the most common types of attacks (SQL-injection, XSS, etc.), also there are some
simply not enough secured applications, which were intentionally left by its
developers. The system is distributed as a LiveCD-image and is easy to run on a
virtual machine using VMware or VirtualBox software.
Another project, which is named as De-ICE PenTest is no longer a single
system. Now it’s 3-in-1. The legend is as follows: a CEO of some company should
hold a pentest of his IT infrastructure in order to report to the Board of
Directors. For the sake of appearance, he hires some rookie and instructs him to
pentest one of the servers, being convinced that everything is more than secured.
When you deal with this task, you will be asked to do a more complex pentest of
another system. This is the second quest. When critical errors emerge even here,
the director provides you with a range of IP-addresses and says: "Do whatever
you want"! Each of these three tasks is distributed as a LiveCD and can also be
run on virtual machines. Here you can find some configure instructions and
Cracking and reversing
Throughout the last part of the material we have dealt exclusively with
web-hacking bypassing the programs hacking. What should do those who’d like deal
with reversing? Fortunately, reversing has never had problems with quests.
Beginners and experienced crackers and reversers can entertain themselves with
some small programs that were specifically designed to be cracked. I'm talking
of so-called crackmes which can be downloaded from the web. E.g.
convenience, they have been sorted by complexity starting from simple tasks,
which were specially designed for those who are just mastering the debugger, to
complex puzzles with mass debugging tricks which can compete with some real
programs’ serious protection. You can always ask a huge cracker’s community to
help you if you are in a rut. By the way, if you really decided to deal with
cracking, I’d recommend you to read some of our old stuff which is called "Cracking
is simple" published in ][# 08/2005 issue. We have considered all main
points and the simplest methods analyzing the one of the most popular crackmes'
If you will carefully examine the description of the latest exploits, it’ll
be easy to notice that most of them can exploit some older versions of
applications that are still in use. The hottest example is IE8, which is running
on Vista/W7 and can’t be exploited. However we can see even some public exploits
coming out each month for the IE 6/7, which is running on XP. So we’ll start
from IE. But where can we get the older versions of it if the system had
upgraded IE to 8 long time ago?
Internet Explorer Collection will help us with that. Just with a single
installer you can set up all versions of Internet Explorer at once and if
necessary switch quickly between them. This software registers the various IE
engines and makes it so that they don’t conflict with each other. But we must
bear in mind that older versions of browsers may have some problems running on
the latest versions of Windows.
So you got it, but what about the other browsers and different software?
Where those old vulnerable versions can be found? Of course, the vulnerability
is better to look for in some new versions. It’s more correct, I’d say :).
Services like oldapps.com
and oldversion.com, which
host the old versions of different software, will help you if you still want to
exercise with some ready-to-use exploits in order to get one's bearings. E.g.
you can easily download a few dozens of different Winamp versions, starting from
release 0.2. Just imagine how much time has passed!
Do you really need this all?
You can read any number of ready-made manuals and follow someone to repeat
the alleged "hacking", or you can download some ready-to-use exploits and try to
use them without absolute understanding of what they’re doing. Do you really
need this? Is it interesting for you? After all, if you make sense of it all and
make your every step understanding what you are doing, you will definitely enjoy
the process a lot more. This material is unlikely to be useful for experienced
pentesters but if you just about to start your pentest journey, take these
decisions on the note. Some more effective and safe way to learn the basics of
pentest just don’t exist.
One of the most interesting ways to have fun with hacking is to rack
one’s brains over some hacker’s brain-twister and they are, actually, the
hacking quests. Some of these quests have a rating, which depends on time
needed to decide a problem and the number of incorrect attempts to enter the
result. If you ever tried to pass our ][-contests, then you’ll understand
what I’m talking about. Several quests are still available within the
ring0cup.ru project, so if
you want to try one’s hand in searching some malicious Trojan creator and
stealing his logs or encryption of some dumped traffic, having company’s
financial flows in it, then welcome! There’re a lot of web-resources having
such quests in their armory. So here’s a brief about some of them:
- mod-x.com. In this
online game you act like one of the agents of the Mod-X structure. You
are given a certain task and you have to accomplish it. Tasks are
divided into different levels of complexity, so the farther you go, the
more fun to play.
/welcome. In this quest you will have to warm up by doing five
quest.fsb-my.name/index.php. This is a very good quest, which offers
a huge variety of different tasks, including crackmix.
vicnum.ciphertechs.com. It’s a kind of "Capture the flag"
competition, which includes a large number of ][-tasks. By the way,
you’ll be able to browse the game from the inside because the project is
This list can go on and on. Anyway, if this list won’t be enough for you
(probably it won’t), I’d recommend you a nice web-resource at
contains more than 150 quest and the challenge references (players’ comments
included), as well as manuals on how to pass them.