So instead of spending a lot of time learning to hack and defend I was spending a lot of time getting my java set up correctly and editing some of the shell scripts so they would stop complaining.

I figured I can’t be the only one who has these kinds of troubles so I started a fresh install of Ubuntu updated it, and i got a number of the web apps I was having trouble with up and running properly and decided I would distribute it to save some people who just want to get to the hacking all ready some time and headaches in installing all of these things.

Like I said, this is my first write up on this sort of stuff so be gentle but here is some of the guidance I can give you in getting these apps up and hackable.

First of all you can download the .ova file HERE for now. It is pretty big I apologize maybe on my next release I’ll try to use Debian or something so the lack of GUI will get it under a gig.

Use whichever VM software you prefer I know VMware accepts .ova files but if you’re using Fusion you might have to create a .vmx file for it.

It should log you in automatically but the info is
UN: hacker
PW: p@ssword
(please change the credentials ASAP!)

First you’re going to have to start apache-tomcat

$ cd Desktop/apache-tomcat-6.0.18/bin
$ sh startup.sh
Using CATALINA_BASE: /home/hacker/Desktop/apache-tomcat-6.0.18
Using CATALINA_HOME: /home/hacker/Desktop/apache-tomcat-6.0.18
Using CATALINA_TMPDIR: /home/hacker/Desktop/apache-tomcat-6.0.18/temp
Using JRE_HOME: /usr
$

You should be good, but to check open firefox and go to http://localhost:8080 and you should see the tomcat intro page.

Once tomcat is up and running you can start up WebGoat (and the fun begins!)

Navigate back to /Desktop

$ cd WebGoat-5.2/
$ sudo sh webgoat.sh start8080
(reminder: the sudo password for the default account is p@ssword which I hope you will change!)
note: sometimes after you start tomcat the first time starting WebGoat will get stuck at this:
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)

If this happens just restart the VM and start WebGoat again it should go all the way through to here:
INFO: Severver startup in XXXX ms
where the X’s are numbers.

Now you can open Firefox again and navigate to http://localhost:8080/WebGoat/attack/

It will ask you for a username and password which are both “guest”

Click the “Start WebGoat” button and go nuts. (I am aiming to do some write-ups on how to get through some of the lessons soon).

In order to start up the burp proxy that allows you to complete some of the WebGoat lessons just navigate back to the Destop and:

$ cd burpsuite_v1.2.01/
$ java -jar burpsuite_v1.2.01.jar

Easy enough.

The rest of the web apps are much easier and less buggy but also less step by step educational. These are just kind of put up and have fun in whichever way you want, the developers suggest looking at the OWASP Top Ten picking one and trying it out.

The rest just require you to start up some LAMPP

$ sudo /opt/lampp/lampp start

Check if it started up by going to http://localhost/ and seeing the XAMPP page.

Now the other vulnerable web apps are preloaded so all you have to do is navigate to them:

http://localhost/mutillidae

http://localhost/DVWA

Here are some other resources to look at to play with if you are interested in this area:

Moth – a VMware image with a set of vulnerable Web Applications and scripts. I haven’t gotten a chance to sit down and play with this one but it has come highly recommended

Samurai WTF – The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. Consider it the BackTrack of web apps.

That is all I’ve got for now, hopefully I’ll sit down and make some instructional screen cap videos in the near future.

Special thanks to Port Swigger, Damn Vulnerable Web App, OWASP WebGoat, and Iron Geek for giving me permission to distribute your applications. I appreciate it and I hope you guys keep up the amazing work.

Again download the VM: HERE

Hope you enjoy and please let me know any ways you’d like me to make this better and re-release.

Matt

My latest post over at LiquidMatrix Security Digest.

Ran across a new breach story this weekend that almost slipped under my radar from the San Francisco Chronicle. Reportedly some “overseas” hackers broke into UC Berkeley computer systems and accessed a proverbial “shit ton” of confidential information.

The databases contained 97,000 Social Security numbers, health insurance information and nontreatment medical information, such as immunization records, names of doctors whom people may have seen and dates of medical visits, said Shelton Waggener, UC Berkeley’s associate vice chancellor for information technology and its chief information officer.

Supposedly though, the large number of Social Security numbers were contained on a separate database than the names and medical histories that coincided with them. However, they are unclear if the “oversea” hackers were able to access both sets of information to be able to match them up and assemble a complete identity.

The hackers, primarily from China and elsewhere in Asia, had access to the information for six months before they were discovered. The breach exposed the records of 160,000 people, of whom 97,000 had Social Security numbers included in the database, officials said.

This is where most of these breach articles lose me. If the people providing the data for this news article honestly aren’t sure about something like the hackers forming a complete identity, how can their IP tracking technology be so rock solid that they are sure that the hackers are legitimately from Asia. Just as Asian as 1,000 email accounts “from Asia” costing a kid in New Jersey a few dollars?

Further evidence of the crack security team’s vast knowledge of this incident is evident here:

The hackers broke into the computer system Oct. 9 and were not discovered until April 9, when administrators performing routine maintenance came across an “anomaly” in the system and found taunting messages that had been posted three days earlier, UC said.

I’d prefer not to touch this part because it seems wrong and easy but what kind of IDS do they have or some seriously huge log files to know how this attack happened 6 months later. OK that is all I’m saying about that.

There are some other people that agree with my line of thought quoted at the end of the article if you’re interested.

It seems that Amazon has had some interesting going ons recently, and by interesting I of course mean interesting.

I started to write this article last night but the Easter dinner/dessert food coma won the battle and I’m glad it did. As it turns out what was going to be an article solely about censorship in a major online community as transformed into a perfect security article overnight .

I suppose a brief recap is in order. Long story short this past Friday some homosexual themed romance novels started disappearing from the site’s sale’s rankings. Amazon first claimed that they were “excluding adult material from appearing in some searches and best seller lists.” Well it just so turns out that these lists and searches are generated using user sale’s ranks.

Step two in this story is of course a Twitter explosion of hash-tag anger which is self explanatory #amazonfail. Step three? You guessed it, an announcement from Amazon PR that claimed a glitch in the system. First I’ve heard of a homophobic glitch but I entertained the idea as plausible.

Well that’s where the news stopped on my radar last night until a very interesting turn of events this morning. A hacker known as Weev stepped forward claiming responsibility for the #amazonfail stating an exploitation of an Amazon product rating vulnerability. Apparently after a product is flagged as inappropriate enough times it is stripped from the sales rankings lists auto-magically. With some help from some Nigerian friends who registered Amazon accounts and flagged books for him, Weev systematically picked off whichever books he pleased. (Whats with hackers stepping forward lately??)

In case your interested here is the hacker’s “confession” that he posted on his LiveJournal:

Hay dude. Amazon removed its customer-based reporting of adult books yesterday. I guess my game is up! Here’s a nice piece I like to call “how to cause moral outrage from the entire Internet in ten lines of code”.

I really hate reputation systems based on user input. This started a while back on Craigslist, when I was trying to score chicks to do heroin with. My listings like “looking to get tarred and pleasured” and “Searching for a heroine to do the paronym of this sentence’s lexical subject” kept getting flagged. The audacity of the San Francisco gay community disgusted me. They would flag my ads down but searching craigslist for “pnp” or “tina” reveals tons of hairy dudes searching for other hairy dudes to do meth with. So I decided to get them back, and cause a few hundred thousand queers some outrage.

I’m logged into Amazon at the time and see it has a “report as inappropriate” feature at the bottom of a page. I do a quick test on a few sets of gay books. I see that I can get them removed from search rankings with an insignificant number of votes.

I do this for a while, but never really get off my ass to scale it until recently.

So I script some quick bash.
#!/bin/bash
let count = 1
while true; do
links -dump ‘http://www.amazon.com/s/qid=0/?ie=ASCII&rs=1000&keywords=Gay_and_Lesbian&rh=n%3A!1000%2Ci%3Astripbooks%2Ck%3AHomosexuality&page=’`echo $count`|grep \/dp\/ >> /tmp/amazon
((count++))
done

There’s some quick code to grab all the Gay and Lesbian metadata-tagged books on amazon. Then I pull out all the IDs of the given books from those URLs:

cat /tmp/amazon |sed s/.*dp\\/// |sed s/\\/ref.*//

and I have a neat little list of the internal product ID of every fag book on Amazon.

Now from here it was a matter of getting a lot of people to vote for the books. The thing about the adult reporting function of Amazon was that it was vulnerable to something called “Cross-site request forgery’. This means if I referred someone to the URL of the successful complaint, it would register as a complaint if they were logged in. So now it is a numbers game.

I know some people who run some extremely high traffic (Alexa top 1000) websites. I show them my idea, and we all agree that it is pretty funny. They put an invisible iframe in their websites to refer people to the complaint URLs which caused huge numbers of visitors to report gay and lesbian items as inappropriate without their knowledge.

I also hired third worlders to register accounts for me en masse. If you ever need a service like that, you can find them in a post like this advertising in the comments:
http://ha.ckers.org/blog/20070427/solving-captchas-for-cash/

Then they would log into the accounts, save the cookies in a cookie file and send it to me.

Then I used the cookie files like so to automated-report all the books:

for i in `cat /tmp/amazon |sed s/.*dp\\/// |sed s/\\/ref.*//`; do lynx -cookie_file=/home/avex/cookie1 http://www.amazon.com/ri/product-listing/`echo $i`/;done

The combination of these two actions resulted in a mass delisting of queer books being delisted from the rankings at Amazon.

I guess my game is up, but 300+ hits on google news for amazon gay
and outrage across the blogosphere
ain’t so bad.

Not sure if this is actually true but it certainly is interesting.

UPDATE: Some conflicting responses.. Amazon has come up with some stats to back the before-mentioned glitch.
Here’s a statement from Amazon spokesman Drew Herdener:

This is an embarrassing and ham-fisted cataloging error for a company that prides itself on offering complete selection.

It has been misreported that the issue was limited to Gay & Lesbian themed titles – in fact, it impacted 57,310 books in a number of broad categories such as Health, Mind & Body, Reproductive & Sexual Medicine, and Erotica. This problem impacted books not just in the United States but globally. It affected not just sales rank but also had the effect of removing the books from Amazon’s main product search.

Many books have now been fixed and we’re in the process of fixing the remainder as quickly as possible, and we intend to implement new measures to make this kind of accident less likely to occur in the future.