Archive for the ‘security’ Category

Attack These Apps

May 29th, 2009 Matt Johansen

I’ve been messing around a bit with some purposefully vulnerable web applications and beating them up as best I can. My problem for a while was my inexperience with Linux and the lack of documentation for some of the applications I was using.

So instead of spending my time learning to hack and defend, I was spending it getting Java set up correctly and editing some of the shell scripts so they would stop complaining.

I figured I can’t be the only one who has these kinds of troubles, so I started from a fresh install of Ubuntu, updated it, got a number of the web apps I was having trouble with up and running properly, and decided to distribute the result to save some time and headaches for people who just want to get to the hacking already.

Like I said, this is my first write-up on this sort of stuff, so be gentle, but here is some of the guidance I can give you on getting these apps up and hackable.

First of all, you can download the .ova file HERE for now. It is pretty big, I apologize; maybe on my next release I’ll try Debian or something so the lack of a GUI will get it under a gig.

Use whichever VM software you prefer. I know VMware accepts .ova files, but if you’re using Fusion you might have to create a .vmx file for it.

It should log you in automatically, but the credentials are:
UN: hacker
PW: p@ssword
(please change the credentials ASAP!)

First you’re going to have to start Apache Tomcat:

$ cd Desktop/apache-tomcat-6.0.18/bin
$ sh startup.sh
Using CATALINA_BASE: /home/hacker/Desktop/apache-tomcat-6.0.18
Using CATALINA_HOME: /home/hacker/Desktop/apache-tomcat-6.0.18
Using CATALINA_TMPDIR: /home/hacker/Desktop/apache-tomcat-6.0.18/temp
Using JRE_HOME: /usr
$

You should be good, but to check, open Firefox and go to http://localhost:8080; you should see the Tomcat intro page.

Once Tomcat is up and running you can start WebGoat (and the fun begins!).

Navigate back to Desktop:

$ cd WebGoat-5.2/
$ sudo sh webgoat.sh start8080
(reminder: the sudo password for the default account is p@ssword, which I hope you will change!)
Note: sometimes, the first time you start WebGoat after starting Tomcat, it will get stuck at this line:
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)

If this happens, just restart the VM and start WebGoat again; it should go all the way through to here:
INFO: Server startup in XXXX ms

where the X’s are numbers.

Now you can open Firefox again and navigate to http://localhost:8080/WebGoat/attack/

It will ask you for a username and password, which are both “guest”.

Click the “Start WebGoat” button and go nuts. (I am aiming to do some write-ups on how to get through some of the lessons soon).

In order to start the Burp proxy that you need to complete some of the WebGoat lessons, just navigate back to the Desktop and:

$ cd burpsuite_v1.2.01/
$ java -jar burpsuite_v1.2.01.jar

Easy enough.

The rest of the web apps are much easier and less buggy, but also less step-by-step educational. They are just put up for you to have fun with in whichever way you want; the developers suggest looking at the OWASP Top Ten, picking one, and trying it out.

The rest just require you to start up XAMPP:

$ sudo /opt/lampp/lampp start

Check that it started by going to http://localhost/ and seeing the XAMPP page.

Now, the other vulnerable web apps are preloaded, so all you have to do is navigate to them:

http://localhost/mutillidae

http://localhost/DVWA
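The bring-up sequence above (start Tomcat, check port 8080, start WebGoat and watch for the Bootstrap hang, start XAMPP, open Burp) as one script. This is an added example, not code from the VM or from any of the projects it bundles; the directory names follow the Desktop layout the post describes, while LAB_HOME, WEBGOAT_LOG, the helper function names, the polling intervals and timeouts are my own assumptions, as is the assumption that webgoat.sh start8080 writes Tomcat’s startup log to its stdout.

```shell
#!/bin/sh
# Added example, not part of the original post: bring the lab up in the order
# the post describes and verify each service before moving on, so a hung
# WebGoat start is reported instead of stared at.
# Assumed from the post's VM layout: Tomcat in ~/Desktop/apache-tomcat-6.0.18,
# WebGoat in ~/Desktop/WebGoat-5.2, Burp in ~/Desktop/burpsuite_v1.2.01,
# XAMPP under /opt/lampp. LAB_HOME, WEBGOAT_LOG, the function names and the
# timeouts are my own choices.

LAB_HOME="${LAB_HOME:-$HOME/Desktop}"
TOMCAT_DIR="$LAB_HOME/apache-tomcat-6.0.18"
WEBGOAT_DIR="$LAB_HOME/WebGoat-5.2"
BURP_JAR="$LAB_HOME/burpsuite_v1.2.01/burpsuite_v1.2.01.jar"
WEBGOAT_LOG="${WEBGOAT_LOG:-/tmp/webgoat-start.log}"

# Classify Tomcat/WebGoat startup output read from stdin:
#   ready   - the "Server startup in N ms" line has appeared
#   stuck   - no startup line, but a Bootstrap.main stack frame is present
#             (the symptom the post describes)
#   pending - neither yet
classify_startup_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'Server startup in [0-9][0-9]* ms'; then
        echo ready
    elif printf '%s\n' "$log" | grep -q 'org\.apache\.catalina\.startup\.Bootstrap\.main'; then
        echo stuck
    else
        echo pending
    fi
}

# Print the startup time in ms from the log on stdin (nothing if not started).
startup_ms() {
    sed -n 's/.*Server startup in \([0-9][0-9]*\) ms.*/\1/p' | head -n 1
}

# Poll URL until the server answers with any HTTP status (a 401 from WebGoat's
# basic auth still counts as "up"), giving up after TIMEOUT seconds.
wait_for_http() {
    url=$1; timeout=${2:-60}; elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$url" 2>/dev/null || true)
        case $code in
            000|'') ;;            # connection refused or curl error: keep waiting
            *) return 0 ;;
        esac
        sleep 2; elapsed=$((elapsed + 2))
    done
    return 1
}

# Watch the WebGoat log; fail only if it stops growing on a Bootstrap frame,
# since any transient Java stack trace also contains that frame.
wait_for_webgoat() {
    elapsed=0; last_size=-1
    while [ "$elapsed" -lt 120 ]; do
        state=$(classify_startup_log < "$WEBGOAT_LOG")
        size=$(wc -c < "$WEBGOAT_LOG" | tr -d ' ')
        if [ "$state" = ready ]; then
            echo "WebGoat started in $(startup_ms < "$WEBGOAT_LOG") ms"
            return 0
        elif [ "$state" = stuck ] && [ "$size" -eq "$last_size" ]; then
            echo "WebGoat hung at Bootstrap.main; restart the VM and retry" >&2
            return 1
        fi
        last_size=$size
        sleep 5; elapsed=$((elapsed + 5))
    done
    echo "WebGoat did not report startup within 120 s" >&2
    return 1
}

bring_up_lab() {
    sh "$TOMCAT_DIR/bin/startup.sh"
    wait_for_http http://localhost:8080/ 60 || { echo "Tomcat not answering on 8080" >&2; return 1; }

    sudo -v                       # ask for the sudo password now, not inside the background job
    : > "$WEBGOAT_LOG"
    ( cd "$WEBGOAT_DIR" && sudo sh webgoat.sh start8080 > "$WEBGOAT_LOG" 2>&1 & )
    wait_for_webgoat || return 1
    wait_for_http http://localhost:8080/WebGoat/attack/ 30 || return 1

    sudo /opt/lampp/lampp start
    wait_for_http http://localhost/ 30 || { echo "XAMPP not answering on 80" >&2; return 1; }

    echo "Mutillidae: http://localhost/mutillidae   DVWA: http://localhost/DVWA"
    java -jar "$BURP_JAR"         # Burp stays in the foreground, as in the post
}

# Only start services when asked, so the helpers can be sourced on their own.
if [ "${1:-}" = up ]; then
    bring_up_lab
fi
```

Run it as `sh lab-up.sh up`; without the argument it only defines the helpers. The hang check deliberately does not trust a single Bootstrap.main frame, because every Java stack trace ends in one; it declares WebGoat stuck only when the log has stopped growing on that frame, which is the behaviour the post describes.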

Here are some other resources to look at to play with if you are interested in this area:

Moth – a VMware image with a set of vulnerable web applications and scripts. I haven’t gotten a chance to sit down and play with this one, but it has come highly recommended.

Samurai WTF – The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment. Consider it the BackTrack of web apps.

That is all I’ve got for now; hopefully I’ll sit down and make some instructional screen-capture videos in the near future.

Special thanks to PortSwigger, Damn Vulnerable Web App, OWASP WebGoat, and Iron Geek for giving me permission to distribute your applications. I appreciate it and I hope you guys keep up the amazing work.

Again download the VM: HERE

Hope you enjoy it, and please let me know any ways you’d like me to make this better and re-release it.

Matt

A lot of Information Security Career Advice

May 19th, 2009 Matt Johansen

For the past few months I’ve received tons of advice from a lot of established information security professionals on how I could get my foot in the door and start on my career path. I thought it would be useful to compile a list of links from all the different sources I’ve been sent to for such advice. I think you’ll see a few motifs throughout ;)

One of the very first things I read on this (and I think my badgering him for help inspired him to write it) comes from Kees Leune:
Tips for getting started

From here on out I’m just going to post these as I think of them, so they are in no particular chronological order.
James Arlen (myrcurial) has also been of more help to me than I can emphasize, and his talk at The Last HOPE was one of the earlier proverbial fires under my ass. Here is a link to his follow-up to that talk at Notacon 6, BlackHat to BlackSuit – Econopocalypse Now:
Vimeo – BlackHat to BlackSuit

A more recent post is by a security professional named Bill Pennington over at the Security Catalyst blog. A two-part post directly from a hiring manager is invaluable advice:

Career Advice part 1
Career Advice part 2

An absolutely awesome resource that is very young but is unbelievable for the community is DojoSec. Marcus J Carey has set up monthly briefings in the DC area that are, for all intents and purposes, mini-cons. If you’re not from the area, make sure you pay attention to when they are, because there are live streams on their website where you can watch all of these amazing presentations free of charge.
I’m bringing this up mostly because of a presentation a month or so ago by Rob Fuller (mubix) titled How to go from the couch to a job in 80 hours. I was lucky enough to catch this streaming online and even got to ask Rob a question via Twitter at the end of the preso:
Vimeo – Mubix

Update: Another great listen is a recent Exotic Liability podcast with a ton of great advice about starting down different paths, given while talking on the phone with a college student who called in:
Exotic Liability Podcast – Advice
(Thanks for the reminder Chris!)

Another recent post comes from Paul at Pauldotcom and does a really good job of summing up some of the key topics and common themes throughout all of these posts:
Getting started in Information Security

Some other links you might be interested in checking out are anything in the area of expanding your knowledge. Here, in no particular order, are some links that I have used to polish up my skill set and soak up other useful information along the way.

This post was floating around recently and lists 100 different open courses useful in information security. I’m going to go ahead and equate it to the 77 books in the Personal MBA list, but for information security professionals:
100 open courses

This next group are just tips on free online college-level education courses that we all can find use for:
LifeHacker – Get a free college education
TeachMate
Academic Earth

I’m going to finish up with some advice of my own. Even though I’m still very young and just starting on this long and glorious path, I know that I would be miles behind where I am now without following all of the advice I have been given. I’m not somebody who “settles” for whatever falls in my lap, and if that is what you are, then stick to the job boards.

The most important piece of advice I can offer is to be involved in the community as much as you can. There are a ton of people in the community who are very passionate about it and are more than willing to help in whatever ways they can. The easiest ways to get to know all of them are through Twitter and going to cons. The Security Twits list is one of the most valuable resources on the net for infosec people, and I don’t know where I’d be without the friends that I’ve made through it.

Update: I know I’m forgetting resources; these are just the ones that stuck out off the top of my head, so please feel free to leave any additional resources as comments.

Categories: Uncategorized, advice, career, security

Computer Security Week 1

January 1st, 2009 Matt Johansen

In the very first week of my Computer Security class we were presented with a broad overview of the upcoming semester. We touched on everything from the CIA triad (Confidentiality, Integrity, and Availability) to the more public view of security (i.e. the cyber sections of the FBI and Secret Service, identity theft, etc.).

We were also presented with the following video of Richard Clarke, who is the Chairman of Good Harbor Consulting, a senior White House Advisor to the last three presidents, and an expert in security including cyber security and counterterrorism. If you would like to watch it, you can skip the first 7:30, which is just PR stuff and an introduction.

“Richard A. Clarke is an internationally recognized expert on security, including homeland security, national security, cyber security, and counterterrorism. He is currently Chairman of Good Harbor Consulting and an on-air consultant for ABC News. Clarke served the last three Presidents as a senior White House Advisor. Over the course of an unprecedented 11 consecutive years of White House service, he held the titles of Special Assistant to the President for Global Affairs, National Coordinator for Security and Counterterrorism, and Special Advisor to the President for Cyber Security. His published works include the New York Times #1 bestseller Against All Enemies, Scorpion’s Gate, and Breakpoint. Mr. Clarke will be discussing the current state of the war on terrorism and what it means for homeland security and technology.”

The class was presented with the following.

“Week 1

The objectives for this week are to outline what expectations the students may have from the teacher, and what expectation the teacher has from the students. A brief preview for the semester will be provided. At the end of the week, the following topics will have been covered.

  • Fundamental concepts of information security
  • Common forms of malware
  • Information Security Life Cycle
Assignment 1
Watch this movie and comment on it in your course blog. You can skip over the first 7:30 minutes, as they are just public relations.

Can you relate to this clip? Do you see any effects of computer security controls in your daily life? What kind of controls do you see? How do they affect you?”

If you’d like, I’d be interested to see a few responses from other people who wish to leave comments.

In the next few weeks of our meetings we covered respectively Laws and Ethics, Authentication, and Access Control. My next post or two will cover these topics and then we move on to the Defender and Attacker life cycle and break down each step along the way of each.

Categories: computer, fundamentals, security

Embarking on my Blog

December 26th, 2008 Matt Johansen

I struggled a bit in deciding how I wanted to approach my first attempt at blogging before finally pulling the trigger. Considering I wanted to make this a security-oriented blog, I hit a somewhat important obstacle: experience. After I mulled it over for a while I decided that was more of a mental obstacle than anything, and decided to contribute in whatever way I can and map out the beginning of my journey into a young and exciting new field.

This being said, I should probably introduce myself. My name is Matt Johansen; I’m 21 years old and just graduated from Adelphi University in Garden City, New York with a BS in Computer Science and a minor in Mathematics. I am an only child, born and raised on Long Island, who has as much IT experience as a 21-year-old can have, as my first job was the sole student tech for my high school’s school district. From there I worked at Adelphi University, also as a student tech, and soon was promoted to one of four head student techs and received a ton of customer service experience, as I was the guy everybody that lived on campus recognized as the “computer guy” who helped them in their dorms. This past summer I worked at Arrow Electronics as a Data Security Analyst on a team of 5 managing an Active Directory environment of over 12,000 employees internationally. During that summer internship I proved myself enough for them to ask me to come on part time while finishing my final semester at school, hopefully to be brought on full time when I graduated. Unfortunately, the economy hit home and Arrow Electronics was forced to lay off over 70 IT employees in a very short period of time, a group I was included in.

Okay, that is my brief synopsis of my brief career. To start off on my blogging adventure I decided to discuss part of the reason my interest in entering this field was reinvigorated: a semester-long special-topics senior seminar with Kees Leune on Computer Security. Over the next few weeks I will be summing up my experiences in this class, which were very exciting, and while some of the information might not be new to all of you, hopefully I will make it an interesting read in terms of how the class was organized and what topics we covered. Stay tuned!

Categories: IT, introduction, security