Official Site Of The Xakep 4T english version

Have you ever thought about legal hacking? Is it possible to do the things you love and pump your pentesting skills without breaking the law? Where is it safe to try out some injections and run experiments with web-exploits, without thinking of your VPN is enabled or not? How to test your hackers’ knowledge, starting the path from a scripts’ bug to the very system root? You know… There is the way!

We are often asked the same question: "How to learn hacking?". The answer is simple: study it just like any other subject. At first, you need to deeply and thoughtfully study the theory and only then proceed to practice. The only difference is that there are a lot of books fully ready for studying mathematics, but not hacking. It just looks like there aren’t. You will rebel: "What do you mean there aren’t? What about those shareware programs or any web-resource. There are so much of them. They are great hackers’ "playgrounds”, aren’t they? ". You know, that is an option, anyway. But first, you have every chance to quickly finish running experiments which have been started in such a way. And secondly, taking the bull by the horns with trying to analyze some serious web-resources having no experience under belt is just like a leap without looking forward. Such kind of "activity” is neither safe, nor smart. There is a better option!

Many companies which are involved in training information security professionals prepare them to be ready to face different kinds of problem situations. They are the same as math exercises, but only in pentest context. Similar to math solutions are also offered by enthusiasts who show different hack techniques by the example of them. Old versions of some well-known products are often taken as a basis, because they are full of uncorrected vulnerabilities. Sometimes such quests are made from scratch, but anyway, they have some purposely embedded bugs which can be successfully exploited. Some of such websites are hosted directly on the www and offer a unique][-quest to pass (such as our project at www.ring0cup.ru), others require installation on your own web server and still others are distributed as a virtual machines’ image, so you just run it and that’s it. So, today we’ll try to deal with and unscramble the diversity of similar projects.

Damn Vulnerable Web App

Usually, creators of web applications like to boast with a high reliability of one’s product and their built-in WAF (a firewall for web applications) in every possible way, but they really bashfully laugh off in case if there’s another bug found in their script. By contrast, "Damn Vulnerable Web App” (DVWA) developers, categorically state that the live web-server installation is not acceptable, because the application is... "damn vulnerable":). All the most common mistakes which have ever been made by amateur programmers are gathered in one place, so now you do have a possibility to exercise in committing different kinds of attacks.

The most popular PHP/MySQL bundle was chosen as platform, so for the same reason we begin our review starting with DVWA. If you want to save some time on setting up a web server you should download a "ready to use” web server assemblies like Denwer or XAMPP. Actually, the only necessary thing is unpack the files to the public html-directory and type the http://127.0.0.1/dvwa/index.php in browsers’ address line. You won’t even have to mess about with the database manual creation, because there is a "Create/Reset Database" menu button. But if you still want something to fix, this can be done through editing the /config/config.inc.php . Another point concerns the PHP settings. You need to make sure that all the appropriate changes were made to PHP.ini file.

magic_quotes_gpc = Off
allow_url_fopen on
allow_url_include on

Also, DVWA project is regularly updated. In late 2009, it was even purchased by investors, so it is quite possible that soon we should expect some significant improvements.

Mutillidae

Initially, the creator of this project was going to make a web-applications pentesting video tutorial for beginners, which had to include the explanation of the pentesting basics. The creator got in a mess when it came closer to choosing a suitable platform in order to showcase different vulnerabilities. He just couldn’t find it. Most of the solutions were too hard to explain the basics for beginners who just have started their conversance with the problems of web-applications’ security. That’s the way the Mutillidae project was born.

The creator had taken a list of ten types of OWASP Top 10 vulnerabilities: SQL-injections, XSS, CSRF, and so on and wrote some scripts, so any solicitous could try out for the exploitation of each of them. Scripts’ code was intentionally written in a very simple way, in order to facilitate the understanding of the vulnerabilities. Mutillidae can be easily installed on Windows, TUX and even XAMPP based servers. All databases one-click creatable. You should just choose the "Setup/reset the DB" option from the projects’ main page. Creator offers to sequentially read the information about each of the OWASP Top 10 vulnerability and try ones hands at Mutillidae after sorting out the every exploit. If your try was successful, the second part of the quest is to fix a bug that was found.

WebGoat

When the Mutillidae’s creator was talking about the majority of hackers' quests are not designed to suite the beginner’s level and the WebGoat quest suit is among those too. The project is remarkable because it is being developed within the above mentioned OWASP (Open Web Application Security Project). There’re also a large number of security-utilities which are produced under OWASP auspices. But if the two previous projects are PHP oriented, then here you will face the Java code. For J2EE-applications hosting there’s a standard TomCat-server which is already included in the WebGoat assembly and configured in order to be ran in as simple as possible:

1. Unpack WebGoat-OWASP_Standard-xxzip to your work directory.
2. Start TomCat's daemon, by launching the webgoat.bat file. (System has to have a fresh J2EE installed).
3. Turn on your browser and follow http://localhost/WebGoat/attack.
4. Authorize as a guest/guest.
5. Now take a fling at searching vulnerabilities.

Usually, all quests are tied to some real problem. E.g. in one of the quests you will be asked to make an SQL-injection in order to steal a list of fake credit numbers. Some quests are accompanied by a training component which shows the user some useful hints and the appropriate vulnerable code.

SecuriBench

After passing all the intricate quests of WebGoat application you can switch to a more complex project which name is Stanford SecuriBench. The fact is that the developers didn’t write it from scratch with intentionally made vulnerabilities. Instead, they went the other way and gathered a selection of 8 real-life programs. All of them are written in Java: jboard forum engine, bloggers’ blueblog script and so on. Of course, all old and raw releases with no Bugtraq show up were selected as the samples. Nevertheless, these are real-existing applications and their creators have already thought of their protection, so using these exploits will not be that easy. Basically, SecuriBench is just a collection of vulnerable programs, so you’ll have to install and configure each of them manually and of course you should surely take care of configuring Tomcat server before.

It is noteworthy that this project was born during its creators were working on tools for code static analysis, so if you seek a guinea pig to test some code research tool the SecuriBench application is just what you needed.

Moth

Another collection of real-existing applications is presented in the Moth project. Nevertheless, it has a completely different form. It differs from other projects with its distribution kit which is presented in the form of a virtual machine image including Ubuntu 8.10 installed. Actually, in order to run it you’ll have to have any VMware product which is able to launch a virtual machine image file (including the free VMware Player).

Originally, Moth was configured to receive all the network settings from DHCP-server, so you should make sure that the virtual machine’s network settings are suitable (e.g. my router automatically assigns IPs, so I just have to choose a Bridged mode, which allows the virtual machine to enter the physical network). Next, start a virtual machine, log into the system (moth/moth), check system’s assigned IP address with "ifconfig” and enter the Moth admin panel through: http://<moth-ip_address>. Now you’re on the main page. Here you can browse the scripts of some known products which were pre-installed on the web server: Wordpress 2.6.5 blog engine, Vanilla 1.1.4 forum script and other PHP/MySQL based scripts, as well as a single Java+Tomcat6+MySQL project.

In order to enhance the reality of what is happening, there are three ways to access the script here: directly, using the mod_security and using the PHP-IDS:

1. http://moth/w3af/audit/xss/simple_xss.php?text=<script>alert('xss');</script>
2. http://moth/mod_security/w3af/audit/xss/simple_xss.php?text=<script>alert('xss');</script>
3. http://moth/php-ids/w3af/audit/xss/simple_xss.php?text=<script>alert('xss');</script>

Mod_security and PHP-IDS represent a WAF (Web Application Firewall) and offer an additional protection for Web applications (see details in our "Firewall for Web applications" article in the October issue of "Hacker"). Each of them maintains a detailed log of suspicious requests, so this is a great way to understand how the WAF works and how it can be deceived. The project is permanently updated and its creators promise adding a vulnerable application which will be written in Python and Ruby in the near future.

Information Security products’ test platforms

The Moth distribution kit has been created with a certain specific purpose. The same way as we had configured a system for convenient antivirus software testing with a help of virtual machines the author of Moth have collected vulnerabilities of different web projects in order to be able to conveniently test automatic security scanners. As a result, he got a platform which helped him to test some commercial products and an open source w3af framework, which was specially designed to simplify the search and exploitation of vulnerabilities in web applications. You should know that commercial security scanners’ manufacturers are actively engaged in the creation of such field testing platforms too. Eventually, where else can they debug their products and show their capabilities to clients?

Thus, Acutenix WVS developers offer as many as three web sites which are built on different platforms: testphp.acunetix.com, testasp.acunetix.com, testaspnet.acunetix.com. HP test resource (in theory, meant for their HP WebInspect) is located at zero.webappsecurity.com. IBM Rational AppScan hacking platform address is demo.testfire.net. Don’t try breaking in there to manually find some bugs. Instead, you can make a try to do it with some automatic scanner.

Vulnerable OS

The creator of pWnOS decided not to limit his OS with web applications, but to create a whole vulnerable system on basis of a virtual machine image. The main task for you is to "get the root access". The legend is as follows: you are a pentester, who was hired to study the security of some dedicated server. That's where the game starts. You will experience live hosts search by nmap, vulnerable services searching, receiving SSH access certificates, local exploits detecting and so forth. It’s a paradise for beginners, in one word. You can find some tips, passing recommendations and instructions on how to make this thing work on VirtualBox here forums.heorot.net.

We have already written about the Damn Vulnerable Linux project a couple of times. Perhaps, this project is the most branded from all we talk about today. For those who’d like to train on searching for vulnerabilities will like this distribution kit because here you can find some buggy daemons, which can be easily exploited, and vulnerable scripts, allowing the most common types of attacks (SQL-injection, XSS, etc.), also there are some simply not enough secured applications, which were intentionally left by its developers. The system is distributed as a LiveCD-image and is easy to run on a virtual machine using VMware or VirtualBox software.

Another project, which is named as De-ICE PenTest is no longer a single system. Now it’s 3-in-1. The legend is as follows: a CEO of some company should hold a pentest of his IT infrastructure in order to report to the Board of Directors. For the sake of appearance, he hires some rookie and instructs him to pentest one of the servers, being convinced that everything is more than secured. When you deal with this task, you will be asked to do a more complex pentest of another system. This is the second quest. When critical errors emerge even here, the director provides you with a range of IP-addresses and says: "Do whatever you want"! Each of these three tasks is distributed as a LiveCD and can also be run on virtual machines. Here you can find some configure instructions and passing tips de-ice.hackerdemia.com/doku.php.

Cracking and reversing

Throughout the last part of the material we have dealt exclusively with web-hacking bypassing the programs hacking. What should do those who’d like deal with reversing? Fortunately, reversing has never had problems with quests. Beginners and experienced crackers and reversers can entertain themselves with some small programs that were specifically designed to be cracked. I'm talking of so-called crackmes which can be downloaded from the web. E.g. www.crackmes.de or www.tdhack.com. For convenience, they have been sorted by complexity starting from simple tasks, which were specially designed for those who are just mastering the debugger, to complex puzzles with mass debugging tricks which can compete with some real programs’ serious protection. You can always ask a huge cracker’s community to help you if you are in a rut. By the way, if you really decided to deal with cracking, I’d recommend you to read some of our old stuff which is called "Cracking is simple" published in ][# 08/2005 issue. We have considered all main points and the simplest methods analyzing the one of the most popular crackmes' assembling there.

Exploits development

If you will carefully examine the description of the latest exploits, it’ll be easy to notice that most of them can exploit some older versions of applications that are still in use. The hottest example is IE8, which is running on Vista/W7 and can’t be exploited. However we can see even some public exploits coming out each month for the IE 6/7, which is running on XP. So we’ll start from IE. But where can we get the older versions of it if the system had upgraded IE to 8 long time ago? Internet Explorer Collection will help us with that. Just with a single installer you can set up all versions of Internet Explorer at once and if necessary switch quickly between them. This software registers the various IE engines and makes it so that they don’t conflict with each other. But we must bear in mind that older versions of browsers may have some problems running on the latest versions of Windows.

So you got it, but what about the other browsers and different software? Where those old vulnerable versions can be found? Of course, the vulnerability is better to look for in some new versions. It’s more correct, I’d say :). Services like oldapps.com and oldversion.com, which host the old versions of different software, will help you if you still want to exercise with some ready-to-use exploits in order to get one's bearings. E.g. you can easily download a few dozens of different Winamp versions, starting from release 0.2. Just imagine how much time has passed!

Do you really need this all?

You can read any number of ready-made manuals and follow someone to repeat the alleged "hacking", or you can download some ready-to-use exploits and try to use them without absolute understanding of what they’re doing. Do you really need this? Is it interesting for you? After all, if you make sense of it all and make your every step understanding what you are doing, you will definitely enjoy the process a lot more. This material is unlikely to be useful for experienced pentesters but if you just about to start your pentest journey, take these decisions on the note. Some more effective and safe way to learn the basics of pentest just don’t exist.

Hackers’ brain-twisters

One of the most interesting ways to have fun with hacking is to rack one’s brains over some hacker’s brain-twister and they are, actually, the hacking quests. Some of these quests have a rating, which depends on time needed to decide a problem and the number of incorrect attempts to enter the result. If you ever tried to pass our ][-contests, then you’ll understand what I’m talking about. Several quests are still available within the ring0cup.ru project, so if you want to try one’s hand in searching some malicious Trojan creator and stealing his logs or encryption of some dumped traffic, having company’s financial flows in it, then welcome! There’re a lot of web-resources having such quests in their armory. So here’s a brief about some of them:

• mod-x.com. In this online game you act like one of the agents of the Mod-X structure. You are given a certain task and you have to accomplish it. Tasks are divided into different levels of complexity, so the farther you go, the more fun to play.
• hax.tor.hu /welcome. In this quest you will have to warm up by doing five simple tasks.
• quest.fsb-my.name/index.php. This is a very good quest, which offers a huge variety of different tasks, including crackmix.
• vicnum.ciphertechs.com. It’s a kind of "Capture the flag" competition, which includes a large number of ][-tasks. By the way, you’ll be able to browse the game from the inside because the project is an open source one.

This list can go on and on. Anyway, if this list won’t be enough for you (probably it won’t), I’d recommend you a nice web-resource at hackergames.net, which contains more than 150 quest and the challenge references (players’ comments included), as well as manuals on how to pass them.