With the recent end of support for Windows XP I figured now was a good time to rewrite my 2008 tutorial on installing Hacme Bank. My XP tutorial continues to receive a substantial amount traffic from search engines so is another reason to give the article a facelift. The Hacme Bank application (originally provided by FoundStone, Inc and now owned by McAfee) offers a perfect “victim” for you to use as a testing target. Hacme Bank simulates an online banking website with numerous application vulnerabilities purposely designed in for you to discover.
The virtual machine I’ll be working with for this tutorial is a fresh Windows 7 Professional x86 install, with Service Pack 1 and all available updates applied via Windows Update.
Take a Snapshot
If you’re using a virtual machine for this tutorial I’d suggest taking a “baseline” snapshot of your VM (or make a backup copy if you’re using VMPlayer) before continuing. If something should go wrong during the tutorial it is extremely convenient to be able to roll-back to a pristine state.
Install Internet Information Services
Hacme Bank installs as a Virtual Directory under IIS so the first task is to get the web server installed. If IIS isn’t currently installed the simplest way to install all the necessary components is to open a Command prompt and run the following command (this takes a few minutes to complete and will return to a prompt when complete):
start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-Security;IIS-RequestFiltering;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn
If IIS is already installed you can verify the required components are enabled through the Control Panel:
- Open Control Panel and click on Programs.
- In the Programs and Features section, click the link for Turn Windows features on or off.
- Expand the Internet Information Services tree and then expand the Web Management Tools tree.
- Check all the boxes under the Web Management Tools tree as well as everything under the IIS 6 Management Compatibility tree.
- Expand the World Wide Web Services tree and under Application Development Features put a check next to ASP.NET. The screenshot below shows the proper configuration:
- Click ‘Ok’ and wait for the installation process to complete. When the install completes exit out of the Control Panel.
.NET Framework v1.1
Hacme Bank has a dependency on .NET v1.1 (which isn’t included in Windows 7) so you need to install the .NET Framework Version 1.1 Redistributable Package.
- Download the .NET v1.1 package from Microsoft http://www.microsoft.com/en-us/download/details.aspx?id=26
- Run the ‘dotnetfx.exe’ installer and follow the prompts.
Microsoft SQL Server 2000 Desktop Engine (MSDE 2000)
I haven’t had time debug the compatibility issues with HacmeBank and SQL Server 2012 Express, so for simplicity use the old MSDE 2000 Release A package. It can be downloaded from Microsoft’s MSDE 2000 product page. Run the executable and accept the defaults on any prompts that appear and allow the un-packager to complete. A warning may appear that you can ignore by clicking “This program installed correctly”.
Now open a command prompt and run the following command to install MSDE (and see next step for the compatibility warning):
C:\MSDERelA\Setup SAPWD=HacmeBank SECURITYMODE=MIXED DISABLENETWORKPROTOCOLS=0
The Program Compatibility Assistant will display a warning regarding known compatibility issues with MSDE. Simply click “Run Program”.
When the install completes, go ahead and start the service:
- Launch the services.msc components from the Start Button->Search box
- Right-click on the ‘MSSQLSERVER’ service and select ‘start’.
Tweak the Registry for “Install MSI as Admin” Option
The HacmeBank packages are Microsoft Installers(MSI) and require Administrator privileges to install, but Windows 7 doesn’t provide a Context Menu (right-click) option for running MSIs as Administrator. There are two solutions, the first (which I cover below) is to add the missing option to the Context Menu. The second option is to open a Command Prompt as Administrator and run the MSI’s from the command line.
If you’re familiar with RegEdit you can make the following edits manually:
[HKEY_CLASSES_ROOT\Msi.Package\shell\runas] @="Install &As Administrator..." [HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command] @="msiexec /i \"%1\""
Or you can download the Registry File I’ve created and simply merge the changes:
- Download installMSIasAdmin.reg registry file.
- Double-click on the registry file and follow the prompts.
Install Hacme Bank
Download and unzip the install files from McAfee’s website
Install the website first by running the “Foundstone Hacme Bank Website Setup v2.0” MSI. If you installed the Registry File in the previous step you can simply right-click on the MSI file and select ‘Install as Administrator’.
For the sake of simplicity accept all the default values during the install.
Install the WebService files by running the “Foundstone Hacme Bank WebService Setup v2.0” executable (either by using the “Install as Admin Content Menu option, or an Administrator CMD Window). Again, accept the default settings until your reach the Database Setup screen. (SEE SCREENSHOT BELOW!) Here, select Trusted Connection, click Next and complete the install.
Change IIS AppPool Settings
- Launch the ‘inetmgr’ component from the Start Button->Search box
- In the left-hand panel expand the ‘Sites’ and then the ‘Default Website’ trees.
- Select HacmeBank_v2_Website’
- In the right-hand panel click on ‘Basic Settings’ link
- Click the ‘Select’ button next to the ‘Application Pool’ field.
- In the ‘Application Pool’ pulldown menu choose ‘Classic .NET AppPool’ and click ‘Ok’ twice.
- Repeat the last 3 steps for the ‘HacmeBank_v2_WS’ AppPool settings.
- Select ‘Application Pools’ in the left-hand panel
- In the center panel select ‘Classic .NET AppPool’ and click the ‘Advanced Settings’ link in the right-hand panel.
- In the ‘Advanced Settings’ window, select the ‘Identity’ property under the ‘Process Model’ section.
- In the ‘Built-in Account’ menu select ‘LocalSystem’ and click ‘Ok’ twice and close the IIS Manger window.
This is an optional step but is an easy solution for eliminating the issue with “localhost” in the browser being mapped to the IPv6 local address (::1) which causes nag messages in HacmeBank.
Simply run the Microsoft FixIt tool available here and follow the prompts.
Test Your Install
Open IE from you Win7 device and browse to http://localhost/HacmeBank_v2_Website/
You might receive a warning about IE’s Intranet Settings being disabled by default, simply click on Don’t show this message again.
The Hacme Bank homepage should load and you can test the back-end system by logging into the site using the user name jv, and password jv789. If everything is working correctly you will be presented with a welcome screen.
Bonus! Remote Access to Hacme Bank!
First we need to modify the Windows 7 firewall to allow traffic to port 80.
- Start -> Control Panel
- System and Security
- Under the Windows Firewall heading click ‘Allow a program through the Windows Firewall’
- Click the ‘Change settings’ button
- Check the HTTP protocol in the list: Word Wide Web Services(HTTP)
Now open a browser on another machine on your network and browse to the remote web instance: http://[IP Address of the VM Image]/HacmeBank_v2_Website/
You’ll be presented with a message informing you that the application, by default, will only accept requests from the local machine. This is by design due to the serious flaws that have been designed into Hacme Bank. Exposing the faux website to the internet would place the entire host at risk, so take extra care to keep it internal facing only.
Open the website’s config file, C:\Inetpub\wwwroot\HacmeBank_v2_Website\web.config in Notepad (running as Administrator) and look for the
<httpModules> section. (You should find it at the beginning of the config file.)
To activate remote access we need to disable the loading of the HttpModule_onlyAllowLocalAccess module. Simply comment it out by wrapping the specific line in
<!-- ... --> tags as shown below:
~@C:\Inetpub\wwwroot\HacmeBank_v2\Website\Web.config … <!–
–> … ~@
Now make the same configuration change to the Web Service instance: