Thursday, March 8, 2012

OWASP Broken Web Applications

Thanks to Anthony Towry for suggesting this VM. I managed to get it installed on my ESXi host recently without too much trouble. Initially it wouldn't run but after converting it with VMware vCenter Converter it runs perfectly.

WebGoat wasn't exactly what I was expecting though. On the project homepage it is described like this:
"WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application."
I began the first lesson, HTTP Splitting, and it states in the lesson plan that Stage 1 teaches you how to do HTTP Splitting attacks while Stage 2 builds on that to teach you how to elevate HTTP Splitting to Cache Poisoning. But I am at a loss to find the actual lesson! As far as I can tell it doesn't actually teach you how to perform the attack; it just gives you a platform to perform the attack.

The solution video shows you how to complete the attack but it doesn't explain why you are doing each stage. I'm not looking to be spoon fed but as a newbie to web application security I was hoping for a bit more information.

Am I missing something? An accompanying guide perhaps?

Tuesday, February 7, 2012

Web Application Testing

So I've finally booked my OSCP exam for the end of this month which leaves me a few weeks to revise what I have learnt. Even with the extension I was not able to compromise every machine in the lab but I got a large chunk of them!

With the benefit of hindsight I think I should have approached the course differently. While it was certainly helpful to have the two weeks off to concentrate solely on the course you can't think of it like a normal 09:30 - 17:00 five day course at a training centre. Although my evening time is limited it would have been helpful to use the time between study weeks to kick off large port scans, brute force password checking etc. This would have saved quite a bit of the "quality" time I had dedicated to my training.

Anyway the course has certainly been extremely useful and it has definitely accelerated my learning. The only area I still feel a bit weak on though is web application attack vectors. This is covered at the end of PWB and therefore I did not have as much time to spend in the labs with this as I would have liked. I also think that this is such a vast topic that it would require a course all to itself. I am going to try and fill some of the gaps in my knowledge before the exam.

My pen tester contact had mentioned to me previously that a good source of information on web application attacks is the OWASP project (www.owasp.org). The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. Browsing through their site they have a project called WebGoat which is designed to teach people how to test for and exploit typical web vulnerabilities. I'm going to install it and see what it's like; if I get the time I will try and post up the installation procedure and usage.

Wednesday, December 28, 2011

Time flies...

I've just realised it's been a while since I last posted (again). I have been so engrossed with training for PWB (and other unplanned events) that I didn't realise it has almost been two months since my last post!

I'm about three quarters of my way through the course material now but I'm just about to run out of labtime so will have to extend. I am hoping to schedule the exam for the end of January.

One of the modules I have been working on includes a section on auxiliary modules within the Metasploit framework. This includes (amongst many other things) a lot of scanning utilities that I had previously used other tools for - TCP SYN, ACK, NBT, SMTP, SNMP and ARP scanning to name a few. My initial reaction to this was "why would you use anything else?". If MSF can do scanning, service enumeration, and exploitation why bother with the other tools?

After a bit of testing however I found a lot of these modules to be unreliable. Particularly the TCP scanning tools. They seem to crash quite regularly with memory errors if you are scanning multiple hosts. Think I might stick with Nmap in future.

EDIT: Just discovered Unicornscan. Unicornscan has its own dedicated TCP/IP stack so is very fast. It has saved me a lot of time when scanning multiple hosts in the labs.

Monday, November 7, 2011

PWB End of Week 1

I've just finished my first week of study and I think this picture just about sums things up. Wow! I can't tell you how much I am enjoying this course.

In the first few pages they state "This course throws you into the deep end - very quickly" and they are not kidding. By the end of the first day I was writing shell scripts to automate tasks and by the end of the week I was writing them in Python. I'm not a programmer so this was a steep learning curve for me but what a feeling when that script runs and gives the intended result. The course does not spoon feed you the answers either like some other courses I've been on in the past so you really do have to engage brain.

So far I've been focusing on Information Gathering techniques (with the likes of Google Hacking, Whois/DNS, SNMP and SMTP Reconnaissance) and Port Scanning (mostly with Nmap). I couldn't believe how much information is out there and how much you can find out about an organisation before you even 'touch' their network. They recommend Johnny Long's "Google Hacking for Penetration Testers" for further information but the latest version is four years old now. If anyone can comment on whether this is still relevant or if there is something more recent that would be appreciated.

I'm only a week in but I would thoroughly recommend this course. It has definitely given me the shot in the arm I was looking for and I have learnt so much more (and more quickly) than if I had tried to do it purely "self taught". The course is a mix of lab guide and videos and while there are some inconsistencies between the two and the occasional inaccuracy (one section in both the guide and the video describes a tool called goog-mail.py which is no longer present in Backtrack, I had to download it from another site) it is not enough to hold you up for very long.

I am glad I opted for the 60 days of lab time as well. I suppose it depends on how much free time a person has but for me I don't get that much time in the evenings so I will need to spread it out and there is a LOT more to learn.

One thing I would definitely recommend is getting the lab guide printed out and bound before you start. It comes in PDF format and it is 300+ pages but I found it so much easier to read when it was printed out on a couple of trees. Sorry mother nature!

Sunday, October 30, 2011

Brief Update

I've not posted for a little while so just a quick update to prove I'm not dead! I've finally organised my PWB course and I'm due to start tomorrow. I've got the week off work to study and then another week in a month's time. In between I plan to study in the evenings.

I've got sixty days of labtime so I will have to complete the exam by the end of December. It's going to be a tough couple of months but I'm really looking forward to it and can't wait to get started!

Obviously I won't be able to share any details of the course on here but I will try and post some progress updates as I go.

Monday, October 10, 2011

Net Disco

I thought I would check out Netdiscover this evening as recommended in a comment on my 'Beginning' post (thanks again!). Netdiscover is an active/passive ARP reconnaissance tool written by Jaime Penalba and is included with the BackTrack5 distribution.

I am guessing that it works by sending out ARP requests for IP addresses in the subnet/range you wish to scan as a way of determining how many live hosts there are on the network. I also suspect that the "passive" mode doesn't send any requests; it just sits there and monitors what other ARP requests it sees. I am going to use Wireshark (a tool most network engineers are familiar with!) to try and see what it actually does.

So this is the screen you see when you fire up the tool. I won't go through all the options but the main ones appear to be -r (specify the subnet you wish to scan), -p (passive mode), -s (amount of time in milliseconds between each ARP request) and -c (number of times to send each ARP request). I imagine that the -s option would be useful if you are trying to avoid triggering any Intrusion Detection Systems; too many ARP requests from the same source address in a short amount of time could look suspicious!

So I've started with a normal scan using netdiscover -r 192.168.1.0/24 -s 1000
I don't have any IDS at home to avoid but I wanted the scan to proceed fairly slowly so I could watch what happened in Wireshark.

This confirms that ND is sending ARP requests to each address in order to see if there is anything alive out there. The timestamps confirm the space between requests at 1 second.
Interestingly ND appears to use a false IP address for its ARP requests - 192.168.1.67! The IP address of the BT5 VM is 192.168.1.17 so I am not sure where this came from. Looking back through to the start of the capture I cannot see any checks being performed to see if this address was available or not, so I wonder how this address was decided upon? Further investigation required!

The results show nine live IPs detected which is the same amount as detected by AutoScan the other day. I have an additional VM running this time but because the BT5 host is left out of the scan the total is the same. The vendors are identified automatically from the OUI of the MAC address but again, as with Nmap, the iPhone wasn't recognised. Perhaps a new version/database update is required?

At this point I wonder why all the IPs are in order apart from the Nintendo lurking at the bottom. The capture shows that ND sent an ARP request for .13 in order but no response was received:

I trawl through the capture looking for some clues when I come across this:

Bingo! ND must automatically add hosts that it sees ARP traffic from even when doing an active scan. This must be the way it detects hosts when using the -p option as it will not be sending any requests. I might try and find out if it adds hosts it sees any kind of traffic for or just ARP broadcasts.
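As an added example (not from this post and not Netdiscover's own code), here is the monitoring side of what was just observed in Wireshark: it decodes raw Ethernet/ARP frames and flags a sender MAC that requests many distinct target IPs in a short window, the pattern the post suggests an IDS might notice, printing the sender IP the requests claim since, as seen above, that need not be the scanner's real address. The MAC addresses, IPs and timestamps are constructed test data.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # hw/proto type, lens, opcode, SHA, SPA, THA, TPA
ETHERTYPE_ARP = 0x0806
_mac = lambda m: bytes.fromhex(m.replace(":", ""))
_ip = lambda a: bytes(int(o) for o in a.split("."))

def arp_frame(src_mac, op, spa, tpa, dst_mac="ff:ff:ff:ff:ff:ff"):
    """Build a constructed Ethernet II + ARP frame (test data, not a real capture)."""
    tha = b"\x00" * 6 if op == 1 else _mac(dst_mac)   # a request leaves the target MAC zeroed
    return (ETH_HDR.pack(_mac(dst_mac), _mac(src_mac), ETHERTYPE_ARP)
            + ARP_PKT.pack(1, 0x0800, 6, 4, op, _mac(src_mac), _ip(spa), tha, _ip(tpa)))

def parse_arp(frame):
    """Return (sender_mac, opcode, sender_ip, target_ip), or None for non-ARP frames."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return sha.hex(":"), op, ".".join(map(str, spa)), ".".join(map(str, tpa))

def detect_sweeps(frames, window=10.0, threshold=8):
    """Report each sender MAC asking for more than `threshold` distinct targets within `window` s."""
    history = defaultdict(list)   # sender MAC -> [(ts, target_ip)] still inside the window
    flagged, alerts = set(), []
    for ts, frame in frames:      # frames: (timestamp, raw bytes) in time order
        parsed = parse_arp(frame)
        if parsed is None or parsed[1] != 1:   # only ARP requests count towards a sweep
            continue
        mac, _op, spa, tpa = parsed
        hist = history[mac]
        hist.append((ts, tpa))
        hist[:] = [(t, ip) for t, ip in hist if ts - t <= window]   # drop entries older than the window
        distinct = {ip for _, ip in hist}
        if len(distinct) > threshold and mac not in flagged:
            flagged.add(mac)
            alerts.append(f"ARP sweep from {mac} (claims {spa}): {len(distinct)} targets in {window:.0f}s")
    return alerts

# Constructed sample capture: one host sweeps .1-.20 a second apart while claiming
# 192.168.1.67 as its address; two other hosts exchange an ordinary request/reply.
SCANNER = "00:0c:29:aa:bb:cc"
SAMPLE = [(float(i), arp_frame(SCANNER, 1, "192.168.1.67", f"192.168.1.{i + 1}")) for i in range(20)]
SAMPLE += [(3.5, arp_frame("00:11:22:33:44:55", 1, "192.168.1.20", "192.168.1.1")),
           (3.6, arp_frame("00:11:22:33:44:01", 2, "192.168.1.1", "192.168.1.20", "00:11:22:33:44:55"))]
SAMPLE.sort(key=lambda f: f[0])
```

Running detect_sweeps(SAMPLE) reports the sweeping MAC once, nine seconds in, and stays silent about the two hosts that only exchanged a single request and reply.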

Wednesday, October 5, 2011

Back to skool...

I've been looking into some qualifications and training courses to give me a bit of a kick start. I have noticed that a lot of the job advertisements for pen testers list CREST's (Council of Registered Ethical Security Testers) Registered Tester as a desirable qualification to have so I thought I would start my investigations there.

I sent an email to CREST to ask if they provide or recommend any training courses for the Registered Tester exam. I got a fairly detailed response the next day explaining that there are currently no plans to offer training courses as they wish to ensure there is never a conflict of interest where the training provider also provides the examination. They sent links to a couple of courses that may or may not provide suitable preparation for the exam but at this time they were not officially endorsing them. They also sent me the titles of a couple of books recommended by the assessors (Hacking Exposed and Network Security Assessment) but I don't think I could learn enough from books to pass the exam - which includes a practical element.

I've seen EC Council's Certified Ethical Hacker advertised a lot but I don't think it is CESG approved like CREST. On the plus side there is an associated training course and it seems to be widely available but on the negative side I haven't seen any jobs that are looking for CEH people. I decided to take a punt and email the pen tester that was on site at the start of the year to see if he was able to offer any recommendations.

To be honest I wasn't expecting a reply as the guy must be quite busy and we only met the once! A few days later though I received a really detailed reply with a long list of recommendations on where to start, an overview of what the job was like and what you must be prepared to do (long hours, travelling, working alone etc.). He also highly recommended a course by Offensive Security called "Penetration Testing with Backtrack". EDIT - I have also since been recommended this course by several of the nice people on the Security Focus mailing list!

PWB is an online training course with a strong hands on element. It is self paced learning but you have to pay for labtime in 30 day increments. It also includes a qualification to become an Offensive Security Certified Professional. The certification process seems pretty hardcore as you are given 24 hours at the end of your allotted labtime to break into an unknown network using the skills you learnt on the course!

I have had a read through the syllabus for the course and it seems very comprehensive. There are a lot of areas that I know I'm going to be fairly weak in to begin with so I think it will prove to be quite a challenge. But it is often said that doing anything worthwhile is never easy! I've decided to go for 60 days of lab time as the average time to go through the course materials is approximately 80 hours and I don't think I will find the time to do this in just one month.