Hacme Bank by Foundstone, Inc. offers a perfect "victim" for you to use as a testing target. The application simulates an online banking website with the added bonus of having numerous vulnerabilities purposely designed in for you to discover.
Original title: Www Pingtrip Com Weblog 2008 09 Installing-hacme-bank-On-xp-pro
September 07, 2008 9:20:32 PM | 15 Comment(s)

Note: I've created a newer article for installing Hacme Bank on Windows 7

Whether you're evaluating a new vulnerability assessment tool, or looking to hone your application hacking skills, the Hacme Bank application by Foundstone, Inc. offers a perfect "victim" for you to use as a testing target. Hacme Bank simulates an online banking website with the added bonus of having numerous vulnerabilities purposely designed in for you to discover.

In this write-up I'll walk you through the necessary steps for getting the application up and running on a Windows XP Professional VMware image. I prefer this setup for a couple of reasons. First, if an unrecoverable error condition occurs (while hurling malicious packets at the application perhaps?) you can simply revert the Virtual Machine back to a known good state. Second, by positioning Hacme Bank on an isolated machine I'm able to use my everyday penetration testing rig as the attack platform.

For this tutorial I'm assuming that you already have a newly built XP Pro VMware image. The virtual machine I'll be working with is a fresh XP Pro install, with Service Pack 3 and all available updates applied via Windows Update. Make sure you've also installed all the .NET packages and updates for version 1.1.

Take a Snapshot

I'm frequently reusing my XP Pro VM for exploit and vulnerability research, so VMware's Snapshot functionality saves me from having to rebuild the OS image after every project. With that said, I'd suggest taking a "baseline" snapshot of your VM (or make a backup copy if you're using VMPlayer) before we begin.

Install Internet Information Services

Hacme Bank installs as a Virtual Directory under IIS, instead of being a standalone service like previous Foundstone applications, so step one is to get the web server installed.

1. Place your Windows XP Pro CD into the drive.
2. Run the Add or Remove Programs option found in the Control Panel.
3. Select Add/Remove Windows Components from the left-hand side.
4. In the Windows Components Wizard highlight Internet Information Services (IIS) and click the Details button.
5. Put a check in the boxes next to: Common Files, Internet Information Services Snap-In, and World Wide Web Service.
6. Highlight World Wide Web Service and click Details, then uncheck Printers Virtual Directory and click Ok.
7. Click Ok again to close the IIS options window, and click Next to complete the install.

When the install completes, click Finish and exit out of the Control Panel.

Next, register the .NET Framework with the IIS service we just installed by opening a command window and running:

    c:\windows\microsoft.net\framework\v1.1.4322\aspnet_regiis -i

Microsoft SQL Server 2000 Desktop Engine (MSDE 2000)

Download the MSDE 2000 Release A package from Microsoft's MSDE 2000 product page and run the executable. Accept the defaults on any prompts that appear and allow the unpackager to complete.

Open a command prompt and run the following command to install MSDE:

    c:\MSDERelA\Setup SAPWD=HacmeBank SECURITYMODE=MIXED DISABLENETWORKPROTOCOLS=0

When the install completes, go ahead and start the service:

    net start MSSQLSERVER

When it completes you can close the command window.

Install Hacme Bank

Download and unpack the install files from Foundstone's website.

Install the website first by running the "Foundstone Hacme Bank Website Setup v2.0" executable. For the sake of simplicity accept all the default values during the install.

Warning: It is important that you select "Trusted Connection" in the next step! This is a step that many readers miss.

Next, install the WebService files by running the "Foundstone Hacme Bank WebService Setup v2.0" executable. Again, accept the default settings until you reach the Database Setup screen. Here, select Trusted Connection, click Next and complete the install.
Test Your Install

Open IE in the VM instance and browse to http://localhost/HacmeBank_v2_Website/

You might receive a warning about IE's Intranet Settings being disabled by default. Simply right-click on the Information Bar and select Enable Intranet Settings.

The Hacme Bank homepage should load and you can test the back-end system by logging into the site using the user name jv, and password jv789. If everything is working correctly you will be presented with a welcome screen.

Bonus! Remote Access to Hacme Bank!

First we need to modify the operating system's firewall to allow traffic to port 80.

1. Open the Windows Security Center located in the Control Panel and select Windows Firewall at the bottom of the panel.
2. Click on the Exceptions tab.
3. Click the Add Port button.
4. For the Name field enter "IIS" and "80" for the Port field, then click Ok and Ok to make the change. You can now exit out of the control panel as well.

Now open a browser on the host machine (or another machine on your network) and browse to the remote web instance:

    http://[IP Address of the VM Image]/HacmeBank_v2_Website/

You'll be presented with a message informing you that the application, by default, will only accept requests from the local machine. This is by design due to the serious flaws that have been designed into Hacme Bank. Exposing the faux website to the internet would place the entire host at risk, so take extra care to keep it internal facing only.

Open the website's config file, C:\Inetpub\wwwroot\HacmeBank_v2_Website\web.config, in Notepad and look for the <httpModules> section. (You should find it at the beginning of the config file.) To activate remote access we need to disable the loading of the HttpModule_onlyAllowLocalAccess module. Simply comment it out by wrapping the specific line in <!-- ... --> tags as shown below:

File: C:\Inetpub\wwwroot\HacmeBank_v2_Website\Web.config

    ...
    <!-- <add name="HttpModule_onlyAllowLocalAccess" type="HacmeBank_v2_Website.httpModules.HttpModule_onlyAllowLocalAccess,HacmeBank_v2_Website"/> -->
    ...

Now make the same configuration change to the Web Service instance:

File: C:\Inetpub\wwwroot\HacmeBank_v2_WS\Web.config

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
        <httpModules>
          <!-- <add name="HttpModule_onlyAllowLocalAccess" type="HacmeBank_v2_Website.httpModules.HttpModule_onlyAllowLocalAccess,HacmeBank_v2_WS"/> -->
    ...

Now hit reload on your host's browser and instead of the default "Local access only" message, the website will be fully accessible.

Happy Hacking!

This blog is licensed under a Creative Commons License.
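
Because the remote-access change leaves a deliberately vulnerable site reachable from the network, it helps to be able to check which state each Web.config is in before the VM is attached to anything other than the isolated lab network. The script below is an added example, not part of the original post or of Hacme Bank: it reports whether the HttpModule_onlyAllowLocalAccess entry is active or commented out. The function names and the embedded sample configs are constructed for illustration, modelled on the snippets above.

```python
import sys
import xml.etree.ElementTree as ET

GUARD = "HttpModule_onlyAllowLocalAccess"  # module name taken from the post

def guard_state(config_text):
    """Return 'active', 'disabled' or 'invalid' for one Web.config body."""
    try:
        # ElementTree drops XML comments, so an <add> wrapped in <!-- ... -->
        # is not seen here, which matches how ASP.NET reads the file.
        root = ET.fromstring(config_text.lstrip())
    except ET.ParseError:
        return "invalid"  # a half-saved or broken file: state unknown
    active = False
    for modules in root.iter("httpModules"):
        for child in modules:  # entries take effect in document order
            if child.tag == "clear":
                active = False
            elif child.get("name") == GUARD:
                active = child.tag == "add"  # a later <remove> turns it off
    return "active" if active else "disabled"

# Constructed samples modelled on the post's snippets (not real files).
ADD = ('<add name="HttpModule_onlyAllowLocalAccess" '
       'type="HacmeBank_v2_Website.httpModules.HttpModule_onlyAllowLocalAccess,'
       'HacmeBank_v2_Website"/>')
TEMPLATE = ('<?xml version="1.0" encoding="utf-8" ?><configuration><system.web>'
            '<httpModules>{}</httpModules></system.web></configuration>')
SAMPLES = {
    "shipped default": TEMPLATE.format(ADD),
    "after the edit": TEMPLATE.format("<!-- " + ADD + " -->"),
    "truncated file": TEMPLATE.format(ADD)[:-20],
}

def audit(samples):
    """Map each label to the guard state of its config text."""
    return {label: guard_state(text) for label, text in samples.items()}

if __name__ == "__main__":
    # Paths given on the command line are checked as real files.
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8-sig") as handle:
            print(f"{path}: {guard_state(handle.read())}")
    for label, state in audit(SAMPLES).items():
        print(f"{label:16} {state}")
```

Run it with the two Web.config paths from this section as arguments; both should read "active" again before the VM leaves the lab network.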