http://www.pingtrip.com/weblog/2008/09/installing-hacme-bank-on-xp-pro


8/12/2019 Www Pingtrip Com Weblog 2008 09 Installing-hacme-bank-On-xp-pro

Installing Hacme Bank on an XP Pro VMWare Image

By on September 07, 2008 9:20:32 PM | 15 Comment(s)

Note: I've created a newer article for installing Hacme Bank on Windows 7 (http://www.pingtrip.com/weblog/2014/04/installing-hacmebank-on-windows-7).

Whether you're evaluating a new vulnerability assessment tool or looking to hone your application hacking skills, the Hacme Bank application by Foundstone, Inc. offers a perfect "victim" for you to use as a testing target. Hacme Bank simulates an online banking website, with the added bonus of having numerous vulnerabilities purposely designed in for you to discover.

In this write-up I'll walk you through the necessary steps for getting the application up and running on a Windows XP Professional VMWare image. I prefer this setup for a couple of reasons. First, if an unrecoverable error condition occurs (while hurling malicious packets at the application, perhaps?) you can simply revert the virtual machine to a known good state. Second, by positioning Hacme Bank on an isolated machine I'm able to use my everyday penetration testing rig as the attack platform.

For this tutorial I'm assuming that you already have a newly built XP Pro VMWare image. The virtual machine I'll be working with is a fresh XP Pro install, with Service Pack 3 and all available updates applied via Windows Update. Make sure you've also installed the .NET Framework 1.1 and all of its updates; Hacme Bank v2 runs under that version, and it must be present before ASP.NET is registered with IIS later on.

    Take a Snapshot

I'm frequently reusing my XP Pro VM for exploit and vulnerability research, so VMWare's Snapshot functionality saves me from having to rebuild the OS image after every project. With that said, I'd suggest taking a "baseline" snapshot of your VM (or making a backup copy if you're using VMPlayer) before we begin.

    Install Internet Information Services

Hacme Bank installs as a virtual directory under IIS, instead of being a standalone service like previous Foundstone applications, so step one is to get the web server installed.

    1. Place your Windows XP Pro CD into the drive.

    2. Run the Add or Remove Programs option found in the Control Panel.

3. Select Add/Remove Windows Components from the left-hand side.

4. In the Windows Components Wizard highlight Internet Information Services (IIS) and click the Details button.

5. Put a check in the boxes next to: Common Files, Internet Information Services Snap-In, and World Wide Web Service.

6. Highlight World Wide Web Service and click Details, then uncheck Printers Virtual Directory and click Ok.

    7. Click Ok again to close the IIS options window, and click Next to complete the install.


    When the install completes, click Finish and exit out of the Control Panel.

Next, register ASP.NET 1.1 with the IIS service we just installed by opening a command window and running:

    c:\windows\microsoft.net\framework\v1.1.4322\aspnet_regiis -i

    Microsoft SQL Server 2000 Desktop Engine (MSDE 2000)

Download the MSDE 2000 Release A package from Microsoft's MSDE 2000 product page (http://www.microsoft.com/downloads/details.aspx?familyid=413744D1-A0BC-479F-BAFA-E4B278EB9147&displaylang=en) and run the executable. Accept the defaults on any prompts that appear and allow the unpackager to complete; by default it extracts the installer to C:\MSDERelA.

Open a command prompt and run the following command to install MSDE. SAPWD sets the sa password, SECURITYMODE=SQL is MSDE's switch for mixed-mode (SQL plus Windows) authentication, and DISABLENETWORKPROTOCOLS=0 leaves the network protocols enabled so the engine can be reached by the web tier:

c:\MSDERelA\Setup SAPWD=HacmeBank SECURITYMODE=SQL DISABLENETWORKPROTOCOLS=0

    When the install completes, go ahead and start the service:

    net start MSSQLSERVER

    When it completes you can close the command window.
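The command-line half of the procedure above, collected into one batch file with a check after each step. This is an added example and not code from the original post. It assumes the post's defaults: IIS already added through the Windows Components Wizard, MSDE unpacked to C:\MSDERelA, .NET 1.1 under the default framework path, and the sa password HacmeBank. The service names W3SVC and MSSQLSERVER and the osql tool are standard on XP and MSDE; the queries and the order of the checks are mine.

```batch
@echo off
rem Added example (not from the original post): the non-GUI install steps as one
rem script, verifying each before moving on. Assumes IIS is already installed via
rem Add/Remove Windows Components, MSDE 2000 Release A was unpacked to C:\MSDERelA,
rem and .NET Framework 1.1 is under the default path (the post's defaults).
setlocal
set NETFX=%SystemRoot%\Microsoft.NET\Framework\v1.1.4322
set SAPWD=HacmeBank

rem 1. Refuse to continue if the World Wide Web Publishing service is absent;
rem    aspnet_regiis has nothing to register without it.
sc query W3SVC | findstr /C:"STATE"
if errorlevel 1 (
    echo W3SVC not found: install IIS from Add/Remove Windows Components first.
    exit /b 1
)

rem 2. Map ASP.NET 1.1 into IIS, then list the registered versions so you can
rem    confirm v1.1.4322 (the version the post requires) is present.
"%NETFX%\aspnet_regiis.exe" -i
"%NETFX%\aspnet_regiis.exe" -lv

rem 3. Unattended MSDE install. SECURITYMODE=SQL = mixed-mode authentication,
rem    SAPWD = the sa password, DISABLENETWORKPROTOCOLS=0 keeps TCP/IP and named
rem    pipes enabled. start /wait blocks until Setup.exe has finished so the
rem    service exists before the next step tries to start it.
start /wait C:\MSDERelA\Setup.exe SAPWD=%SAPWD% SECURITYMODE=SQL DISABLENETWORKPROTOCOLS=0

rem 4. Start the engine and prove both authentication paths: the sa SQL login
rem    (only works if mixed mode really took effect) and a trusted connection (-E),
rem    which is what the Hacme Bank WebService installer will be told to use.
rem    osql ships with MSDE; if it is not on PATH, call
rem    "%ProgramFiles%\Microsoft SQL Server\80\Tools\Binn\osql.exe" instead.
net start MSSQLSERVER
osql -U sa -P %SAPWD% -Q "SELECT @@VERSION"
osql -E -Q "SELECT name FROM master..sysdatabases"

rem 5. IIS should be listening on TCP/80 (loopback is all we need at this point;
rem    the firewall exception for remote access comes later in the post).
netstat -an | findstr /R /C:":80 .*LISTENING"
endlocal
```

Save it as install-hacme-prereqs.cmd and run it from an Administrator's command prompt inside the VM. If MSDE's setup rejects the command, check the SAPWD value first: Release A refuses to install with an empty sa password unless BLANKSAPWD=1 is given, which is why the post sets one.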

    Install Hacme Bank

Download and unpack the install files from Foundstone's website (http://www.foundstone.com/us/resources/proddesc/hacmebank.htm).

Install the website first by running the "Foundstone Hacme Bank Website Setup v2.0" executable. For the sake of simplicity accept all the default values during the install.

    Warning: It is important that you select "Trusted Connection" in the next step! This is a step thatmany readers miss.

Next, install the WebService files by running the "Foundstone Hacme Bank WebService Setup v2.0" executable. Again, accept the default settings until you reach the Database Setup screen. Here, select Trusted Connection, click Next and complete the install.

    Test Your Install

    Open IE in the VM instance and browse to http://localhost/HacmeBank_v2_Website/

You might receive a warning about IE's Intranet Settings being disabled by default. Simply right-click on the Information Bar and select Enable Intranet Settings.

The Hacme Bank homepage should load, and you can test the back-end system by logging into the site using the user name jv and password jv789. If everything is working correctly you will be presented with a welcome screen.

    Bonus! Remote Access to Hacme Bank!

    First we need to modify the operating system's firewall to allow traffic to port 80.

1. Open the Windows Security Center located in the Control Panel and select Windows Firewall at the bottom of the panel.

    2. Click on the Exceptions tab.

    3. Click the Add Port button.

4. For the Name field enter "IIS" and "80" for the Port field, then click Ok and Ok to make the change. You can now exit out of the Control Panel as well. Note that an exception added this way accepts connections from any source address, so keep the VM on an isolated (host-only or internal) network.

Now open a browser on the host machine (or another machine on your network) and browse to the remote web instance: http://[IP Address of the VM Image]/HacmeBank_v2_Website/

You'll be presented with a message informing you that the application, by default, will only accept requests from the local machine. This is by design, due to the serious flaws that have been designed into Hacme Bank: exposing the faux website to the internet would place the entire host at risk, so take extra care to keep it internal-facing only.
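A scoped alternative to the Add Port dialog described above, added here as an example; it is not from the original post. The GUI exception opens TCP/80 to every source address, whereas the netsh firewall context that ships with XP SP2 and later can restrict the same exception to the attack box alone, which is the cheapest way to honour the "internal-facing only" warning. The address 192.168.56.1 is a placeholder for your own pentest rig; the rule name HacmeBank is my choice.

```batch
@echo off
rem Added example (not from the original post): open TCP/80 on the XP firewall
rem for ONE source address instead of the world. ATTACKER is a placeholder; set
rem it to your pentest rig's IP, or a subnet in CIDR form such as 192.168.56.0/24.
setlocal
set ATTACKER=192.168.56.1

rem scope=CUSTOM limits the exception to the listed address(es). The Add Port
rem dialog in the post creates the same exception with scope=ALL (any source).
netsh firewall add portopening protocol=TCP port=80 name=HacmeBank mode=ENABLE scope=CUSTOM addresses=%ATTACKER%
if errorlevel 1 (
    echo Failed to add the firewall exception.
    exit /b 1
)

rem Confirm the rule exists with the intended scope before editing web.config;
rem the firewall state shows whether the exception is actually in force.
netsh firewall show portopening | findstr /I "HacmeBank"
netsh firewall show state

rem When the engagement is over, close the port again:
rem   netsh firewall delete portopening protocol=TCP port=80
endlocal
```

Run it as an Administrator inside the VM before reloading the page from your host. If the remote browser still cannot connect, check the scope with `netsh firewall show portopening` first: a typo in ATTACKER silently produces a rule that admits nobody.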

Open the website's config file, C:\Inetpub\wwwroot\HacmeBank_v2_Website\web.config, in Notepad and look for the <httpModules> section (you should find it near the beginning of the config file, under <system.web>).

To activate remote access we need to stop ASP.NET from loading the HttpModule_onlyAllowLocalAccess module. Simply comment out the <add .../> line that registers it by wrapping that one line in <!-- and --> XML comment tags, as shown below:

File: C:\Inetpub\wwwroot\HacmeBank_v2_Website\Web.config

    ......

    Now make the same configuration change to the Web Service instance:

    File: C:\Inetpub\wwwroot\HacmeBank_v2_WS\Web.config

Now hit reload on your host's browser, and instead of the default "Local access only" message the website will be fully accessible.

    Happy Hacking!

This blog is licensed under a Creative Commons License (http://creativecommons.org/licenses/by-nc-sa/3.0/us/).
