More PenTesting Web Platforms

July 17, 2011

Great resource found here:

Web Pentesting

Company/Developer URL
OWASP InsecureWebApp OWASP
Web Security DOJO Maven Security Consulting
Gruyere (formerly Codelab / Jarlsberg) Google
Hacme Game NTNU
SPI Dynamics SPI Dynamics
Acunetix 1 Acunetix
Acunetix 2 Acunetix
Acunetix 3 Acunetix
PCTechtips Challenge PC Tech Tips
Damn Vulnerable Web Application DVWA
Mutillidae Iron Geek
The Butterfly Security Project The Butterfly Security
Hacme Casino McAfee
Hacme Bank 2.0 McAfee
Updated HackmeBank McAfee
Hacme Books McAfee
Hacme Travel McAfee
Hacme Shipping McAfee
Moth Bonsai Sec
Stanford SecuriBench Stanford
SecuriBench Micro Stanford
BadStore BadStore
WebMaven/Buggy Bank Maven Security
EnigmaGroup Enigma Group
XSS Encoding Skills – x5s (Casaba Watcher) X5S
Exploit-DB Exploit DB
The Bodgeit Store The Bodgeit Store
LampSecurity MadIrish
hackxor Hackxor
WackoPicko WackoPicko
RSnake’s Vulnerability Lab RSnake


War Games

Company /
Hell Bound Hackers Hell Bound Hackers
Vulnerability Assessment Kevin Orrey
Smash the Stack Smash the Stack
Over the Wire Over the Wire
Hack This Site Hack This Site
Hacking Lab Hacking Lab
We Chall We Chall
REMnux REMnux


Insecure Distributions

Company /
Damn Vulnerable Linux DVL
Metasploitable Offensive Security
de-ICE Hacker Junkie
Moth Bonsai Security Software
PwnOS Niel Dickson
Holynix Pynstrom

PenTesting Web Apps

May 29, 2011

One of the projects I will be working on this summer is developing a “Break In Lab” for students to test their hacking skills. As such, finding well-supported platforms to perform pen-tests on is a must. Here is a list compiled by

S.No. Vulnerable Application Platform
1 SPI Dynamics (live) ASP
2 Cenzic (live) PHP
3 Watchfire (live) ASPX
4 Acunetix 1 (live) PHP
5 Acunetix 2 (live) ASP
6 Acunetix 3 (live) ASP.Net
7 PCTechtips Challenge (live)
8 Damn Vulnerable Web Application PHP/MySQL
9 Mutillidae PHP
10 The Butterfly Security Project PHP
11 Hacme Casino Ruby on Rails
12 Hacme Bank 2.0 ASP.NET (2.0)
13 Updated HackmeBank ASP.NET (2.0)
14 Hacme Books J2EE
15 Hacme Travel C++ (application client-server)
16 Hacme Shipping ColdFusion MX 7, MySQL
18 OWASP Vicnum PHP, Perl
19 OWASP InsecureWebApp JAVA
20 OWASP SiteGenerator ASP.NET
21 Moth
22 Stanford SecuriBench JAVA
23 SecuriBench Micro JAVA
24 BadStore Perl(CGI)
25 WebMaven/Buggy Bank (very old)
26 EnigmaGroup (live)
27 XSS Encoding Skills – x5s (Casaba Watcher)
28 Google – Gruyere (live) (previously Jarlsberg)
29 Exploit-DB Multi-platform
30 The Bodgeit Store JSP
31 LampSecurity PHP
32 hackxor Perl(CGI)
33 OWASP – Hackademic PHP

WordPress 3.1 on Server 2008 R2 Core

May 13, 2011
Howdy All! I thought it would be pertinent for a first post to cover how the web site is set up! My goal was simple: to create a secure, low-resource web server to host this wonderful WordPress blog you are all now viewing!
The setup itself is not too tricky, but it calls for just a bit more excitement than the traditional Windows Server installation, considering the command-line-intensive nature of Server Core. Let's start by talking about the different technologies we will be using:
  1. Windows Server 2008 R2 Core
  2. PHP
  3. MySQL
  4. WordPress
To start, let's discuss setting up Windows Server 2008 R2 Core. Server Core is a minimal server installation option for computers running the Windows Server 2008 R2 operating system. Server Core provides a low-maintenance server environment with limited functionality. For this blog, Server Core was a natural choice, as I wanted to deploy it in a virtual environment with limited memory resources. Currently the server works wonders with only 512 MB of RAM and a single 3 GHz processor. Quite a feat for the latest Windows OS.
Anywho, let's get to the good stuff. The installation of Server Core is identical to any other version of Server 2008 R2.
  1. Insert your media of choice. If you do not happen to have a copy of Server 2008 R2, you can grab an ISO from Microsoft's Trial Software website.
  2. Power up the computer and wait for setup to load, select your language of choice and click Next.
  3. Click Install Now
  4. Enter your Product ID now if you have one, otherwise you can activate it later, click Next.

  6. Select the edition of Windows you would like to install depending on your licensing scenario, in our case it will be Windows Server 2008 R2 Web Server and click Next.
  7. Accept the license terms, and click Next.
  8. Select Custom Installation as we are going to format the drive and create a new installation, configure your disk as you see fit and click Next.
  9. Wait for the installation to complete, when done you will be presented with a Ctrl + Alt + Del screen, go ahead and log in, you will be prompted to change credentials.
  10. Finally we are presented with all that is Server Core: no interface, just a lone command prompt.
  11. The next thing we need to do is configure the server for our environment. Fortunately there is a handy little tool to help us. Type sconfig to start the System Configuration Utility.

    Use this utility to set the Computer Name (Option 2), Windows Update Settings (Option 5), Download and Install Windows Updates (Option 6), Configure Network Settings (Option 8), and set the Date and Time (Option 9). You can also configure remote management options via either Remote Desktop (Option 7) or MMC / Server Manager (Option 4).
  12. Finally we need to enable IIS to host the WordPress blog. This is done by using the pkgmgr tool and the following command:
    start /w pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;IIS-CGI
Once all of the applicable Windows updates have been applied and the server configured, it is time to move on to the next step: installing PHP.
  1. Visit to download the latest Installer version of PHP, this version contains a packaged .msi which makes installation incredibly easy.
  2. Run the following command to start the installation of PHP:
    msiexec.exe /i C:\PATH_TO_FILE.msi
  3. Accept all defaults in the installation, and voila! PHP is installed, it does not get much more simple than that!
  4. Now we need to make a few tweaks to make sure PHP is configured correctly. Using the command line, navigate to the installation directory of PHP, and perform the following:
    copy c:\INSTALLATION_DIR\php.ini-recommended c:\INSTALLATION_DIR\php.ini
    notepad php.ini
    – Change: extension_dir="c:\php\ext"
    – Uncomment: extension=php_mysql.dll
    – Add: extension=php_gd.dll
    – Save the file php.ini and exit Notepad.
All done with PHP!
Now we get to install and configure MySQL.
  1. Download the latest version of MySQL from, once again make sure to download the MSI installer.
  2. Using similar syntax execute the .msi file: msiexec.exe /i PATH_TO_FILE.msi

    – At Welcome, Click next
    – Select Typical, Click next
    – Click Install, Next all the way and Finish.
    – Instance Configuration will now begin:
    – At Welcome, Click next
    – Select Standard Configuration, Click next
    – Select Install as Windows Service, Click next
    – Specify the root password and Click next
    – Click Execute and Finish
  3. Now we need to configure the MySQL database. We do so with the following commands:
    – Execute "c:\Program Files (x86)\MySQL\MySQL Server 5.0\bin\mysql.exe" -u root -p
    – Key in your root password specified earlier.
    mysql> create database wordpress;
    mysql> grant all privileges on wordpress.* to 'wordpress'@'%' identified by 'password';
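The grant above lets the wordpress account log in from any host ('%') with every privilege on the database, although the wp-config.php in this post only ever connects through localhost. The following is an added example, not part of the original post, of a tighter grant for this same setup in the MySQL 5.0 syntax used here. The password is a placeholder, and the split between install-time and day-to-day privileges is an assumption based on what WordPress needs to create its tables versus to run.

```sql
-- Added example: least-privilege MySQL account for the WordPress setup in this post.
-- Run as root in the mysql client. Assumes MySQL 5.0, where GRANT ... IDENTIFIED BY
-- creates the account; on MySQL 8.0+ use CREATE USER first, then GRANT without the password.

CREATE DATABASE IF NOT EXISTS wordpress;

-- 1. See which 'wordpress' accounts exist and which hosts they may connect from.
--    A row with host = '%' means the account is reachable from any machine
--    that can reach the MySQL port.
SELECT user, host FROM mysql.user WHERE user = 'wordpress';

-- 2. If the wildcard account from the post was already created, remove it.
--    (DROP USER raises an error if the account does not exist; skip it in that case.)
DROP USER 'wordpress'@'%';

-- 3. Create the account bound to localhost, matching DB_HOST 'localhost' in wp-config.php.
--    The schema-changing privileges are only needed while install.php builds the tables.
--    Replace the placeholder with a long random password and use the same value
--    for DB_PASSWORD in wp-config.php.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
    ON wordpress.*
    TO 'wordpress'@'localhost'
    IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_PASSWORD';

-- 4. After the WordPress installer has finished, drop back to the privileges needed
--    for normal page views and posting. Grant the schema privileges again temporarily
--    before an upgrade or plugin install that alters tables.
REVOKE CREATE, ALTER, INDEX, DROP
    ON wordpress.*
    FROM 'wordpress'@'localhost';

-- 5. Verify: the output should list only SELECT, INSERT, UPDATE, DELETE on wordpress.*
--    and no entry for host '%'.
SHOW GRANTS FOR 'wordpress'@'localhost';
SELECT user, host FROM mysql.user WHERE user = 'wordpress';
```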
Now all that is left to do is set up WordPress and we are good to go!
  1. Download the latest version of WordPress from
  2. Extract the contents of the file to c:\inetpub\wwwroot\wordpress
  3. Make a copy of the sample configuration file:
    cd c:\inetpub\wwwroot\wordpress
    copy wp-config-sample.php wp-config.php
  4. Now, using Notepad, edit the configuration file to speak with our database. Run notepad.exe wp-config.php and change the following lines:
    – define('DB_NAME', 'wordpress'); // The name of the database
    – define('DB_USER', 'wordpress'); // Your MySQL username
    – define('DB_PASSWORD', 'password'); // …and password
    – define('DB_HOST', 'localhost'); // Change this to IP address of your database
    Make sure to save the changes when done.
  5. Now we fire up our browser of choice, visit the following link, http://<Server>/wordpress/wp-admin/install.php, and start configuring WordPress.
So in conclusion we have managed to successfully set up WordPress on Server Core 2008 R2! We have a lightweight, secure, very fast OS to serve our every need! I want to extend some credit to Dennis Chung and his blog for giving me guidance in my initial explorations in setting up WordPress on Server Core.
Categories: Windows