Web Vulnerabilities and WebGoat

I’ve completed the WebGoat tutorials. This is an excellent resource for introducing yourself to web vulnerabilities. It’s a stand-alone, deliberately vulnerable web application, and a series of exercises walks you through the exploitation of each vulnerability.

The tutorials are backed with a strong list of solution videos.

I’m using the free version of Burp Suite to intercept browser traffic.

Just a couple of things of interest, in case you are new to the whole area of web vulnerabilities. I’m running WebGoat on Windows XP. If you are running Windows you will need to install Java on your machine. You will also need to add Java to your Windows PATH to start the Tomcat server that comes with WebGoat.

Also, for those looking for an introduction to web vulnerabilities, here’s an excellent intro video to the area from the NY Poly Cryptocity site.

Create a Virtual Windows Domain with Virtual DMZ (Part 4)

For the final part of my network I am moving my IIS server into a screened subnet. I need to change the IP address of the web server and place it between a WinGate firewall and a pfSense firewall (acting as a firewall this time, as opposed to the router-only role it had earlier). I’ve discussed installing and configuring pfSense in an earlier post.

My actual PC (my host) acts as the outside world to the internal network contained in my Oracle VirtualBox. The network now looks like this:

I contact the web server in the diagram via the IP address 192.168.1.7, which is the address issued by the DHCP server on my wireless network, piped into my home by my ISP. The URL looks something like this: http://192.168.1.7/mywebsite. This URL is entered into a browser on my physical PC.

The URL hits the WinGate firewall, where I have a redirect rule that forwards it to the IIS web server (192.168.100.10). The web server then contacts the MySQL server on the Ubuntu machine (10.0.10.10). It does this via a TCP rule for port 3306 (3306 is the default TCP port for MySQL) opened up on the pfSense firewall. No other communication is permitted from the DMZ web server to the internal network.

I can now probe, attack and map this network from my host PC (192.6.0.1). A good lab to work with. As it happens, I won’t be doing that just yet!

Going back to my Hands-On goals I’m diverting to the New York Polytechnic online resources and Webgoat tutorials. I’ll be posting my progress through both of these areas as I go.

One last thing. The Windows XP machines on my internal network do not currently have internet access. In the coming weeks I’ll come back and correct this when I deploy a web proxy to my internal network and open up communication through my DMZ to allow these machines to contact the web.

Hope this was of interest and use to anyone reading this!

Install WinGate
1. Download WinGate from here
2. I’ll let the WinGate guys show you how to install the firewall
3. If you are using this for lab purposes it comes with a single free licence. Ideal for this purpose.
4. Set up your two network interfaces. One should be your external connection (e.g. internet). The other should be your protected internal network.

Create A Redirect Rule on WinGate
1. Open WinGate admin console
2. Go to Control Panel>Extended Networking>Port Security
3. Because this is a redirect from an external network to the DMZ, tick the Internet Computers to the WinGate PC checkbox
4. Tick the TCP checkbox
5. We are redirecting an HTTP request, so enter 80 in the Ports textbox
6. Enter the IP address you are redirecting to in the Redirect Packet to IP Address textbox
7. Tick the Don’t translate source IP address checkbox
8. Click OK to exit and save your settings

Open a TCP port on pfSense
1. Open the pfSense web console
2. Default user name and password: admin/pfsense
3. Select Firewall>Rules from the drop down menu
4. Click the WAN interface (this will be your DMZ IIS server)
5. Select the + sign to add a new rule
6. Select WAN as the Interface
7. Select TCP as the Protocol
8. Select single host or alias in the Source
9. Still in Source enter the IP address of your DMZ IIS server
10. Select single host or alias in the Destination
11. Still in Destination enter the IP address of your MySQL server on your secure internal network
12. In Destination port range select from other and enter 3306
13. In Destination port range select to other and enter 3306
14. Tick Log if you want to log your packets over this rule
15. Hit Save and wait for pfSense to apply your changes
16. Once changes are applied your rule is active

Create a Virtual Windows Domain with Virtual DMZ (Part 3)

For part 3 of my virtual network I have created an IIS web server hosting an old dating web site I wrote many years ago. The web server runs on another Windows XP machine (SP3).

It runs on top of MySQL Server 5.5. The MySQL server runs on 64-bit Ubuntu 12.04 Desktop.

For the time being both the IIS web server and the Ubuntu machine run on the same network. In part 4 of the network build I will move the web server into a screened subnet (DMZ), from where it will contact the MySQL server.

The network now looks like this

Install MySQL 5.5 on Ubuntu 12.04
1. Open a Terminal window in Ubuntu
2. Type this command: sudo apt-get install mysql-server-5.5
3. Enter your password to authenticate, and apt will download the MySQL packages and install them on your Ubuntu machine. Just a note: you will be asked for your MySQL root password during this process
4. When the installer finishes you are returned to the command line
5. Type the following command to initialise MySQL: sudo mysql_install_db
6. Type the following command to tighten the security settings on your MySQL database: sudo mysql_secure_installation
7. MySQL is up and running.
8. Here are some pointers to getting started with your MySQL installation
9. One point here: in part 4 I will be accessing MySQL remotely. This will mean giving whatever database user you are using to connect to the database special privileges. I’ll go through this in the next post
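As an added example (not from the original post) of the remote-access account that step 9 refers to, this creates a MySQL 5.5 user that can only log in from the DMZ web server’s address (192.168.100.10, from part 4) and only touch the web site’s own schema. The database name `dating`, the user name `webapp` and the password are placeholders I have assumed; the IP addresses are the ones used in the posts.

```sql
-- Added example, not from the original post. Placeholders: schema `dating`,
-- user `webapp`, password. Host part of the account pins logins to the
-- DMZ web server's IP, so the same credentials are useless from any other
-- machine, including the XP clients on the internal network.
CREATE USER 'webapp'@'192.168.100.10'
    IDENTIFIED BY 'replace-with-a-strong-password';

-- Only the data operations the site needs, on its own schema only.
-- No GRANT OPTION, no FILE or SUPER, and nothing on mysql.*.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON dating.*
    TO 'webapp'@'192.168.100.10';

-- Deliberately no 'webapp'@'%' wildcard-host account: together with the
-- pfSense rule (TCP 3306 from 192.168.100.10 only) this gives two
-- independent controls on who can reach the database.

FLUSH PRIVILEGES;

-- Verify: expect exactly the two statements above and a single row for
-- the 192.168.100.10 host, nothing for '%' or 'localhost'.
SHOW GRANTS FOR 'webapp'@'192.168.100.10';
SELECT user, host FROM mysql.user WHERE user = 'webapp';
```

On Ubuntu 12.04 the packaged /etc/mysql/my.cnf sets bind-address = 127.0.0.1, so MySQL will not accept the DMZ connection until that is changed to the Ubuntu machine’s internal address (10.0.10.10 in part 4) and the mysql service is restarted.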

Create a Virtual Windows Domain with Virtual DMZ (Part 2)

For part two of the network I have used pfSense as a router (all firewall and NAT services have been disabled) and installed Oracle XE on Ubuntu 12.04. I have also installed Oracle SQL Developer on the XP clients to connect to the Oracle db on a new subnet.

Steps to install each are as follows:

Install and Configure pfSense
1. Download pfSense
2. As I mentioned previously, I’m using Oracle VirtualBox to create my virtual machines. You will need to create a virtual machine of type BSD, FreeBSD (64-bit), to install pfSense
3. You will need to enable two network adapters of ‘Internal Network’ type on your pfSense virtual machine
4. One should be the internal network that your Windows domain sits on. The other should be the network you intend to place your Ubuntu machine and Oracle db on
5. Kick off the install by referencing the pfSense iso through the virtual machine you have just created.
6. Select ‘1. Boot pfSense [default]’ from the boot menu
7. Select the ‘(I)nstaller’ option
8. Accept all defaults that follow. Screen shots of the installation process are here on the pfSense website
9. After installation pfSense reboots and you are asked to configure the device
10. When you are asked ‘Do you want to set up VLANs now?’ type ‘n’
11. Type ‘em0’ for the WAN interface name
12. Type ‘em1’ for the LAN interface name
13. Simply hit enter when prompted for the ‘Optional 1’ interface
14. Hit ‘y’ when you are asked to proceed with the names you have assigned to the LAN and WAN interfaces.
15. pfSense now applies your configuration and displays its interface menu. The device is up and running
16. All that remains is to apply the correct IP addresses to your LAN and WAN interfaces
17. Select ‘2) Set interface(s) IP Address’ from the console menu
18. For the LAN and WAN interfaces enter a valid IP address for the Windows Domain network and one for the Ubuntu machine you will create later in this part of the network creation. It’s a matter of choice what private IP address you set at this stage.
19. The IP address you set in the router will act as the default gateway for the XP machines and Ubuntu machine respectively
20. Now configure the pfSense device as a router only. This step disables the firewall functionality of pfSense. I will use pfSense as an actual firewall in a later section but for now I only need it to act as a router.
21. pfSense is now configured
22. If that didn’t make sense, here’s a video link from pcaddicts explaining the installation

Install Ubuntu 12.04
1. Get the Ubuntu installation here
2. Create an Ubuntu 64-bit virtual machine (you need this to install the 64-bit version of Oracle XE 11.2)
3. The installation is quite simple, but here’s a how-to link from the Ubuntu website

Install Oracle XE 11.2 on Ubuntu 12.04
1. Get the Oracle installation here
2. Installing Oracle XE on Ubuntu can be tricky, but here’s an excellent guide on how to do it
3. Just two points on this installation. Section ‘C.5. Setup Oracle environment variables’ did not work for me and I had to set the variables explicitly. I did so in the terminal window with the commands below:
export ORACLE_HOME=/u01/app/oracle/product/11.2.0/xe
export ORACLE_SID=XE
export NLS_LANG=AMERICAN_AMERICA.WE8ISO8859P1
export ORACLE_BASE=/u01/app/oracle
export LD_LIBRARY_PATH=$ORACLE_HOME/lib:$LD_LIBRARY_PATH
export PATH=$ORACLE_HOME/bin:$PATH
4. If you want to start Oracle automatically each time your Ubuntu machine starts carry out the steps listed here in Manish Raj’s blog. Thanks Manish!
5. Finally load a sample db which you can connect to. Here’s a simple db script from the Oracle XE tutorial series. Open the tutorial and select the attachments tab to download the db script.

Install Oracle SQL Developer
1. Finally install Oracle SQL Developer on your XP Client machines
2. Set up a connection through SQL Developer and connect to your Oracle DB. Just one point here: you will need to turn off the Windows Firewall to allow SQL Developer to connect to the Oracle db on the Ubuntu machine.

Create a Virtual Windows Domain with Virtual DMZ Network Diagram (Part 2)

For the second part of my network creation, I am going to extend the current network to include a different subnet. This subnet is connected via a router to the XP clients on my Windows 2008 Domain. The new subnet contains an Ubuntu machine that hosts an Oracle XE 11.2 database server. In the mocked network the XP clients use Oracle SQL Developer to connect to the Oracle database hosted on the new subnet. The extended network now looks like this.

I’ve outlined how I built the new components in the next post.

Create a Virtual Windows Domain with Virtual DMZ Network Diagram (Part 1)

At the end of Create a Virtual Windows Domain with Virtual DMZ (Part 1), my virtual network looks like this.

The two IP addresses listed against the XP machines are the dynamically allocated addresses handed out by the DHCP server. The default gateway listed will be used to communicate with a different subnet. The subnet will be created in the next part of the network build.

The Windows 2008 Server has the Active Directory Domain Services, DHCP Server and DNS Server roles installed.

The IP range for the DHCP server is 10.0.0.20 to 10.0.0.40