Uncategorized

Easy script to install and run WebGoat, DVWA, Mutillidae II, bWAPP and more in Kali Linux (x64)

If you are a developer looking for insight into web security or a security professional looking to practice a bit, deliberately vulnerable web applications is a great way to practice and educate yourself on web application security.

There are quite a few to choose from, and they all have their pros and cons.

Installing them, on the other hand, could be a bit of a time waster. Before docker was widely adopted, making sure all dependencies where met and running all of them along side each other  would require some time and effort.

With Docker it’s now really easy. But I like to automate stuff as much as possible, so I put together a quick bash script to make it even simpler (and faster.)

Note! All scripts are tested on x64 only (not x86). Tested on both live and installed systems running Kali Linux 2018.2 (and 2018.1 before it).

Currently these applications are supported by the script.

  • bWAPP
  • WebGoat 7.1
  • WebGoat 8.0
  • Damn Vulnerable Web App
  • Mutillidae II
  • OWASP Juice Shop
  • WPScan Vulnerable WordPress
  • OpenDNS Security Ninjas

So let’s get started. First fetch the script. If you got git installed just clone the repo on github. If you do not have git installed go to https://github.com/eystsen/pentestlab and download the files there.

git clone https://github.com/eystsen/pentestlab

If you get a question about username/password then you probably typed something wrong. After cloning is completed (takes a few seconds), enter the new folder that contains the script with the cd command.

cd pentestlab

If you haven’t installed Docker, then you can do so by running the docker install script, or take a look at Docker documentation for the up to date steps to install Docker.
The docker installation script in this git repo is made for Kali 2018.2 (and 2018.1) x64 but should probably work for other x64 versions, and possible also other distros (at least debian based ones). Just run the following command.

./install_docker_kali_x64.sh

Press enter to accept (Y)es after apt-get shows you everything that will be updated. It runs an update first, so there might be quite a few packages. Then you are ready to start up the different webapps.
If you want to get started right away just run:

./pentestlab.sh start bwapp

The script will download the docker file for bWAPP and run it with localhost network mapping. It will let you know where it is available and list any actions or info you need the first time you use the app, like default username/password.

# The other apps can be started with one (or all) of these commands
./pentestlab.sh start webgoat7
./pentestlab.sh start webgoat8
./pentestlab.sh start dvwa
./pentestlab.sh start mutillidae
./pentestlab.sh start vulnerablewordpress
./pentestlab.sh start juiceshop
./pentestlab.sh start securityninjas

Most of these applications require you to click a link or a button to kickstart the database initialization. bWapp needs you to do this, but it is as easy as clicking the link.
For bWapp the script will output something like this:


DONE!

Docker mapped to http://bwapp or http://127.5.0.1

Remember to run install.php before using bwapp the first time.
at http://bwapp/install.php
Default username/password: bee/bug
bWAPP will then be available at http://bwapp

So go to http://bwapp/install.php and click on the “install database” link. This will only be required the first time you start bWAPP. Next time you start bWAPP it will not be necessary.

Similar output will be given for WebGoat 7.1, WebGoat 8.0, Damn Vulnerable Web App (DVWA) and Mutillidae II.

The script can also show you status of all local running application.

./pentestlab.sh status

Will show you status like this:

bWaPP                                             running at http://bwapp
WebGoat 7.1                                    not running
WebGoat 8.0                                    not running
DVWA                                               running at http://dvwa
Mutillidae II                                     not running
OWASP Juice Shop                          not running
WPScan Vulnerable WordPress   not running
OpenDNS Security Ninjas              not running

Remember to stop the app when you are done. You can continue any time by just running start command again.

./pentestlab.sh stop bwapp

Just running the script without parameters will give you a help screen.

./pentestlab.sh

Like this one:

Local PentestLab Management Script (Docker based)

Usage: ./pentestlab.sh {list|status|info|start|stop} [projectname]

This scripts uses docker and hosts alias to make web apps available on localhost

Ex.
./pentestlab.sh list
List all available projects
./pentestlab.sh status
Show status for all projects
./pentestlab.sh start bwapp
Start project and make it available on localhost
./pentestlab.sh stop bwapp
Stop the docker container
./pentestlab.sh info bwapp
Show information about bwapp proejct

Dockerfiles from:
dvwa – Ryan Dewhurst (vulnerables/web-dvwa)
mutillidae – Nikolay Golub (citizenstig/nowasp)
bwapp – Rory McCune (raesene/bwapp)
webgoat(s) – OWASP Project
Juice Shop – Bjoern Kimminich (bkimminich/juice-shop)
Vulnerable WordPress – WPScan Team (wpscanteam/vulnerablewordpress)
Security Ninjas – OpenDNS Security Ninjas AppSec Training

So, that is it. I created this script for myself, but hopefully it can be useful for others too.

Have fun! And happy hacking! 🙂

 

SSH Tunnelling Part 1 (Local)

This is an often misunderstood feature and I’ll try my best to explain it briefly.

I’ll be using three computers designated as client, destination and ssh-server.

client
The client computer witch runs all the commands and uses the tunnel afterwards

destination
Where the client would like to connect to

ssh-server
A computer running ssh daemon where the client has access.

The Scenario
The client would like to connect to destination, but for some reason is unable to. Maybe a firewall is preventing outbound traffic to that port, or maybe the destination is restricting ip address that can connect. There are many reasons why going through a third party can be usefull.

The solution
ssh -L 5050:cnn.com:80 bob@ssh-server

This command will bind the local client port 5050 through an encrypted tunnel ending up at the ssh-server. Using bob as the username to gain access to the ssh-server. Communication from ssh-server to the website will not be encrypted, as it is no longer inside the tunnel. To specify further; communication will not be encrypted by the ssh-tunnel, but if the communication was already encrypted on the client before entering the tunnel, it would still be when leaving ssh-server.

The destination will only see a connection from ssh-server, even if it originated from the client.

So http://localhost:5050 on the client will now show cnn.com. Although tunnelling to a website is a bad idea, because a webpage usually requires many other sites (content, script and stylesheet may be hosted on a subdomain or simmilar), and may try to redirect to other port or addresses. But it illustrates the point.

ssh on non-standard port
What if the ssh deamon is listening on a different port?  say port 2022.
just add -p 2022 like this:

ssh -L 5050:cnn.com:80 bob@ssh-server -p 2022

Update for Seeed Quad Relay for .NET Gadgeteer

IoT is really taking off these days and options are seemingly endless. Raspberry Pi and Arduino is getting more press and uses by the minute.

.Net Micro Framework is also getting an update these days and it’s still a very nice rapid prototyping platform. Inspired by the resent surge in embedded development I started a small project using a few bits and pieces I got laying around. One of them was a Seeed Quad Relay for .Net Gadgeteer. Unfortunatly Seed have abandoned support for this unit.

I didn’t really want to buy a new relay so I started to look at how to port it to the newer frameworks. Due to a change in how digital output works in .netmf a direct recompile doesn’t work.

In order to compile a proper module you need WIX (Windows Installer XML Toolset). I had a few issues with this and since  the source code for the module is dead simple I ended up just including it in the project. That means no visual connection to the mainboard. It was just so easy and fast to do that I couldn’t resist skipping the entire recompile module step.

public class Relay : Gadgeteer.Modules.Module
{
    private DigitalOutput relay1;
    private DigitalOutput relay2;
    private DigitalOutput relay3;
    private DigitalOutput relay4;

    public Relay(int SocketNumber)
    {
        Gadgeteer.Socket socket = Gadgeteer.Socket.GetSocket(SocketNumber, true, this, null);
        this.relay1 = DigitalOutputFactory.Create(socket, Gadgeteer.Socket.Pin.Three, false, this);
        this.relay2 = DigitalOutputFactory.Create(socket, Gadgeteer.Socket.Pin.Four, false, this);
        this.relay3 = DigitalOutputFactory.Create(socket, Gadgeteer.Socket.Pin.Five, false, this);
        this.relay4 = DigitalOutputFactory.Create(socket, Gadgeteer.Socket.Pin.Six, false, this);
    }

    public bool Relay1
    {
        get
        {
            return relay1.Read();
        }

        set
        {
            relay1.Write(value);
        }
    }
    public bool Relay2
    {
        get
        {
            return relay2.Read();
        }

        set
        {
            relay2.Write(value);
        }
    }
    public bool Relay3
    {
        get
        {
            return relay3.Read();
        }

        set
        {
            relay3.Write(value);
        }
    }
    public bool Relay4
    {
        get
        {
            return relay4.Read();
        }

        set
        {
            relay4.Write(value);
        }
    }

}

How secure is your firewall?

Introduction

For your home or small office network, the firewall is probably the single most important piece of hardware.

Note! For the remainder of this post I’ll use the term firewall. I know a firewall and a router is not the same thing, but for homes and small offices it’s almost always the same device)

It’s your first defense against attacks from the Internet, and it usually provides necessary services like DHCP, NAT and probably DNS forwarding.

If your firewall is compromised then a MITM attack is trivial. All devices inside are open to all sorts of attack and manipulation.

So, how secure is your firewall? 

Most firewalls today never get updates. And an alarming number of devices have backdoors installed fresh from the factory (by the manufacturers themselves).

Like this TP-link device with remote execution in root context, without any authentication. It’s on the LAN side, but if even one device inside your network is briefly compromised, it would be easy to maintain a persistent presence.

Link: http://sekurak.pl/tp-link-httptftp-backdoor

Or quite a few of Netgear and linksys (even a few Cisco). This backdoor gives you full access to the router. You can even reset the password to log in as a authenticated admin.

http://arstechnica.com/security/2014/01/backdoor-in-wireless-dsl-routers-lets-attacker-reset-router-get-admin

It got patched, but it turns out that it’s still there:

http://arstechnica.com/security/2014/04/easter-egg-dsl-router-patch-merely-hides-backdoor-instead-of-closing-it

If that is not enough, some firewalls even have features that doesn’t even require any hacking to gain access.

Asus’ AiCloud feature on higher end consumer devices gave everyone on the Internet full access to your router.

http://www.securityfocus.com/archive/1/526942

For a good summary of this issue, take a look at this Ars Technica article

http://arstechnica.com/security/2014/02/dear-asus-router-user-youve-been-pwned-thanks-to-easily-exploited-flaw

Configuration on a home or soho-firewall is usually performed via a Web interface. This means that the firewall is exposing a webserver to the Lan side.

A webserver that is rarely updated is frankly a bit worrying. Especially considering the damage that could be done if your firewall is compromised.

 

What to do about it?

I strongly recommend that you build your own firewall.

Firewall hardware is cheap and you can use any old computer, but it’s preferable to buy hardware with low power requirements. This will result in less or no noise, smaller device and less generated heat.

I would also recommend to deny access to the web configuration of your firewall, also from LAN side.  To do this you need to have 3 network interfaces. 1 for WAN, 1 for LAN and 1 for access to the Web configuration of the device. Of course, this is not a good idea if you regularly need to access your firewall configuration. Most people rarely do, so having a dedicated network port to do configuration is not a big problem

I tried to do this on a Cisco Small Business firewall like the ISA 550 and it just ignores any rules to drop packets from LAN to port 80/443 (web) on any interface.

Building your own firewall will give back control.

Hardware

An Alix board or an Atom board is recommended (links below).

You need at least two network adapters (but I would recommend 3, so you can dedicate one interface for configuration purposes).

Software

Distributions like pfsense, dd-wrt and ipcop are easy to configure and you’ll have access to regular updates.

I’ve been using pfSense on an Alix board for years, and it’s rock stable. It manages 50mbit without any issue at all.

But iif you need even more throughput, or more features like IDS or VPN, then you’ll need a board with better performance.

Give it a go!

Hardware inks: 

  • Alix boards at http://www.pcengines.ch
  • One with 3 LAN ports http://www.pcengines.ch/alix2d13.htm
  • Or the more powerfull APU series: http://www.pcengines.ch/apu.htm
  • A powerfull Atom board: http://www.asrockrack.com/general/productdetail.asp?Model=C2550D4I

Software links:

Tutorials/getting started links:

PFsense custom DHCPD configuration

pfSense is my prefered router/firewall distro. It’s rock solid and has tons of features.
You can run pfSense on any PC, but if you want to keep the power and heat down to a minimum you can use an Alix board (http://www.pcengines.ch/alix.htm) APU2 board (https://www.pcengines.ch/apu2.htm) or similar. Alix boards are no long supported, but APU2 works fine.

One of the few things you can’t do in pfSense is modify your dhcpd.conf file directly.
For the vast majority of deployments, the built in control you have will be more than enough. It supports multiple vlans, and custom options. But…
If you need something special, like running a DHCP Server for several IP subnets over Layer 3 switches, then you need a different approach. Or maybe you just like to maintain a single file instead of using the GUI interface.

This is not a common requirement for a network, but it does happen.
I had a test-lab with a few Layer 3 switches and several subnets. I wanted to have an easy one-file configuration for the entire network using only the low-power pfSense router. So I had to figure out a way to do that.

There is no dhcpd.conf file you can edit in pfsense because it’s generated on each boot using the config.xml file (managed by all the settings in the GUI). The problem is that if you want any special settings in your dhcpd.conf file, it might not be supported by the config.xml markup and/or the GUI.

The solution is pretty simple. Just stop the DHCP daemon after boot, replace the dhcpd.conf file and restart the daemon.

DHCP daemon starts in a chrooted environment in /var/dhcpd, so all files are located with this folder as a parent.

If you don’t have a monitor on your router, you can enable SSH or use a serial console cable.
It’s also possible to do almost everything using the Diagnostics -> Edit File menu item in the GUI. To create a file, just enter the full path and click Save.

ScreenClip

This solution requires two files.

1) 
The first one is a script, like this:

#/bin/bash
killall -3 dhcpd
cp /var/dhcpd/etc/dhcpd.override /var/dhcpd/etc/dhcpd.conf
/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid le1 le0

Save it as: /usr/local/etc/rc.d/dhcpdoverride.sh

pfSense will run any script in this folder (/urs/local/etc/rc.d/) after it has started. The only requirements is the execute flag and that the file ends with .sh
So you’ll need to run this command as well:

chmod +x /usr/local/etc/rc.d/dhcpdoverride.sh

IMPORTANT NOTE!
The last command in this file may be different from system to system. Notice that one or more interfaces are being listed at the end. It’s easy to get the exact command of your system if you have done the initial configuration in GUI (included the interfaces you’ll be using).

Just run this command:

ps axww | grep dhcpd

The output should look something like this:

[2.1.3-RELEASE][root@pfSense.localdomain]/var(35): ps axww | grep dhcpd
38392  ??  Ss     0:00.04 /usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid le1 le0

I’m using two interfaces with DCHPD, so two interfaces are listed at the end.

2)
The second file is your own dhcpd.conf file.
If you have a file already then just save it as:
/var/dhcpd/etc/dhcpd.conf.override

If you don’t have a file already made, you can do the initial configuration in the GUI and just copy the file that is created. Then you have a good starting point.

After you have done your initial configuration in the GUI you can copy it like this:

cp /var/dhcpd/etc/dhcpd.conf /var/dhcpd/etc/dhcpd.conf.override

OR, using the GUI, like this

Go to Using Diagnostics -> Edit file:
open /var/dhcpd/etc/dhcpd.conf
then edit the filepath to /var/dhcpd/etc/dhcpd.conf.override and click Save

And that’s all!

Now you can edit dhcpd.conf.override with IP subnets, or anything you like.
An example of dhcpd.conf with multiple subnets:

option domain-name "localdomain";
default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
ddns-update-style none;
authoritative;

#Subnet Alpha
subnet 10.50.150.0 netmask 255.255.255.0 {
  pool {
    range 10.50.150.100 10.50.150.200;
  }
  option routers 10.50.150.3;
  option domain-name-servers 10.50.150.3;
}

#Subnet Delta
subnet 10.18.200.0 netmask 255.255.255.0 {
  pool {
    range 10.18.200.100 10.18.200.200;
  }
  option routers 10.18.200.2;
  option domain-name-servers 10.50.150.3;# ex. a static IP address for a printer

  host HPPrinter { # example of a static IP address for a device
    hardware ethernet xx:xx:xx:xx:xx:xx; # replace the MAC address
    fixed-address 10.18.200.10;
    option host-name "HPLaserJet";
  }
}

NOTE!
You’ll need to replace the xx:xx:xx…  with the actual MAC address of your device.
And also;
If you are doing this to create subnets, you will also need to enable DHCP relay on your switch or routers between these subnets.

 

You can edit the override file from WebGui using the edit file menu.