Sunday, July 29, 2012

Congratulations Ash!

I wanted to drop a quick note and say congratulations to my friend Ash for completing the GSE! As readers of this blog may recall, Ash and I sat for the GSE together in 2011, and he has just finished the last part needed to earn the GSE!

Saturday, July 14, 2012

Portable WAPT VM Networking

The last post discussed the requirements for a portable WAPT lab and what would be used to set it up. This post will focus on setting up the lab networking. If you are familiar with VMware networking options you will find nothing new here, but I wanted to include it for people who may not be familiar with them.

Hosting known vulnerable operating systems and applications has obvious risks, and it's important to understand the different networking options in order to minimize those risks. All VMware products offer three networking options: NAT, Bridged, and Host-Only.

VMware Bridging, known as Bridged, places guests on the network as if they were physically connected to it. Bridged guests appear on, and can be accessed from, the network in the same way as the host system.

VMware NAT'ing, known as NAT, is similar to other types of Network Address Translation. All guests on the NAT network are assigned individual IP addresses, but share the host system's IP address to access the Internet. The default NAT settings permit no inbound access to guests using NAT. With modification to the NAT configuration, it is possible to access guests behind the NAT.

VMware Host-Only networking, known as Host-Only, is a network in which all the guests share the same network but are not accessible from any other network. There is no known way at this time to access a Host-Only guest from outside the Host-Only network.

Bridged networking's biggest advantage is also its biggest disadvantage: guests are accessible by anyone on the same network(s). Since the WAPT lab hosts known vulnerable web applications that can lead to complete compromise of the underlying operating system, bridged networking carries a high risk. An additional challenge, especially if using static IPs for the lab, is that all guests may need their IPs changed on every network you connect to.

NAT'ing's biggest advantage is that guests have Internet access while not being accessible from other systems. If the applications need Internet access without being reachable from other networks, this is a good option. However, a misconfiguration can allow a guest to be accessible from other networks.

For the portable WAPT lab, Host-Only is the recommended networking option. No guests have access to, or are accessible from, other networks. If hosts do need access, add a guest with two network interface cards (NICs) that acts like a router/firewall. For web applications you can configure this VM as a reverse proxy / web application firewall as well.

Since Host-Only networking is used, any network/subnet can be used. I recommend picking an RFC 1918 network that won't normally appear on any network you will be connecting to. Once the network address is picked, in this case 172.16.254.x/24, assign static IP addresses to all hosts. For the portable lab I have chosen the following:

            Samurai WTF –
            OWASP Broken Web Apps –
            Hacme – 172.16.254.201
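The two checks the paragraph above asks for (an RFC 1918 subnet that does not collide with the networks the laptop joins, and a consistent static address plan inside it) are easy to get wrong by hand, so here is an added example, not from the original post, that validates a lab plan with Python's standard ipaddress module. The host networks and the addresses for Samurai WTF and OWASP BWA are constructed placeholders (the post leaves those two blank); only the Hacme address and the 172.16.254.0/24 subnet come from the post.

```python
import ipaddress

# RFC 1918 private address space; the lab subnet must sit inside one of these.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of networks the host laptop normally connects to
# (home LAN, office, hotel Wi-Fi). In practice, collect these from
# `ip route` / `ipconfig` on each system you use.
HOST_NETWORKS = ["192.168.1.0/24", "10.0.0.0/8", "192.168.0.0/24"]

# Lab plan from the post. Samurai and OWASP BWA addresses are assumed.
LAB_SUBNET = "172.16.254.0/24"
LAB_HOSTS = {
    "Samurai WTF": "172.16.254.10",           # assumed address
    "OWASP Broken Web Apps": "172.16.254.20", # assumed address
    "Hacme": "172.16.254.201",                # from the post
}


def check_lab_subnet(lab_subnet, host_networks):
    """Return a list of problems with the chosen lab subnet (empty list = OK)."""
    problems = []
    # strict=True rejects a value with host bits set, e.g. 172.16.254.1/24.
    lab = ipaddress.ip_network(lab_subnet, strict=True)
    if not any(lab.subnet_of(block) for block in RFC1918):
        problems.append(f"{lab} is not inside RFC 1918 private space")
    for net in host_networks:
        other = ipaddress.ip_network(net)
        if lab.overlaps(other):
            problems.append(f"{lab} overlaps host network {other}")
    return problems


def check_static_plan(lab_subnet, hosts):
    """Validate every static guest address against the lab subnet.

    Reports addresses that fail to parse (typos such as 172.16..254.201),
    addresses outside the subnet, the network/broadcast addresses, and
    duplicates. Returns a list of problem strings (empty list = OK).
    """
    lab = ipaddress.ip_network(lab_subnet)
    problems = []
    assigned = {}
    for name, addr in hosts.items():
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"{name}: '{addr}' is not a valid IP address")
            continue
        if ip not in lab:
            problems.append(f"{name}: {ip} is outside {lab}")
        elif ip in (lab.network_address, lab.broadcast_address):
            problems.append(f"{name}: {ip} is the network or broadcast address")
        if ip in assigned:
            problems.append(f"{name}: {ip} already assigned to {assigned[ip]}")
        assigned[ip] = name
    return problems


def validate_lab(lab_subnet=LAB_SUBNET, hosts=LAB_HOSTS, host_networks=HOST_NETWORKS):
    """Run both checks and return all problems found."""
    return check_lab_subnet(lab_subnet, host_networks) + check_static_plan(lab_subnet, hosts)


if __name__ == "__main__":
    issues = validate_lab()
    print("lab plan OK" if not issues else "\n".join(issues))
```

Re-run the script whenever you add a guest or move the laptop to a new site; an overlap report means the Host-Only subnet should be renumbered before the lab is used there, since a colliding range makes guest traffic and real-network traffic ambiguous on the host.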

With the network "designed and configured", the next steps will be setting up the different VMs. In the next post I will discuss setting up the Samurai WTF and OWASP Broken Web Apps VMs.

Friday, July 6, 2012

Portable Web Application Penetration Testing Lab

This posting is the first in a series that will talk about building a portable web application penetration testing (WAPT) lab. After the lab setup I may continue the series on attacking the lab. The first part will cover the reasons why I am trying this, and the hardware and software used in building a portable WAPT lab. FYI to the reader: I have not done this yet, so consider this a work in progress; I will be blogging through the process of building this lab.

This started because of challenges I have with WAPT lab access. I have VPN access to my home network, but sometimes I don't have Internet access, such as when on planes and trains. In the past I have loaded my lab on one system, but I tend to change systems often. Depending on the situation I will switch between various laptops, desktops and operating systems. To overcome this challenge I have decided to build a portable lab that I can access from any system. This lab must be accessible from any computer with a USB port and must work with Windows, Linux and Mac OS X.

To accomplish the portability requirement I bought a Western Digital 500 GB My Passport USB drive. This drive supports both USB 2.0 and 3.0. Although FireWire is quicker, one of my systems doesn't have a FireWire port. If speed does become an issue I will consider replacing the USB drive.

For virtualization software my choice is VMware. I have no problems with the others like VirtualBox, I just happen to use VMware. I use three different VMware products: Workstation on Windows, Fusion on Mac, and Player on Windows and Linux. Although I am doing this on VMware, this concept should theoretically work with other virtualization software.

My original WAPT lab is based on a blog article from, and I highly recommend that blog to anyone interested in pentesting. For my portable lab I plan on the same concept, however I plan to have more targets.

My targets will consist of two systems: one prebuilt VM with lots of targets and one VM I will build. The prebuilt VM is the OWASP Broken Web Applications VM. The VM that I will build is for the Foundstone Hacme series (Hacme Bank, Hacme Books, Hacme Casino, Hacme Shipping and Hacme Travel). I may add additional VMs and applications at a later date.

For the attacking VM I will be using Samurai WTF 2.0 from Kevin Johnson and crew. For web application pentesting this is my preferred platform, and if you have not checked it out I highly recommend it. If you download it and don't know the user name and password, please check out this web site.

In the next posting I will talk about setting up VMware, the target VMs and the attacking VM. As I work on this lab, I may come back and change things as I try them.