Installing Hacme Bank on an XP Pro VMWare Image

Whether you're evaluating a new vulnerability assessment tool, or looking to hone your application hacking skills, the Hacme Bank application by FoundStone, Inc offers a perfect "victim" for you to use as a testing target. Hacme Bank simulates an online banking website with the added bonus of having numerous vulnerabilities purposely designed in for you to discover.

In this write-up I'll walk you through the necessary steps for getting the application up and running on a Windows XP Professional VMWare image. I prefer this setup for a couple of reasons. First, if an unrecoverable error condition occurs (while hurling malicious packets at the application perhaps?) you can simply revert the Virtual Machine back to a known good state. Second, by positioning Hacme Bank on an isolated machine I'm able to use my everyday penetration testing rig as the attack platform.

For this tutorial I'm assuming that you already have a newly built XP Pro VMWare image. The virtual machine I'll be working with is a fresh XP Pro install, with Service Pack 3 and all available updates applied via Windows Update. Make sure you've also installed all the .NET packages and updates for version 1.1.

Take a Snapshot

I'm frequently reusing my XP Pro VM for exploit and vulnerability research, so VMWare's Snapshot functionality saves me from having to rebuild the OS image after every project. With that said, I'd suggest taking a "baseline" snapshot of your VM (or make a backup copy if you're using VMPlayer) before we begin.

Install Internet Information Services

Hacme Bank installs as a Virtual Directory under IIS, instead of being a standalone service like previous FoundStone applications, so step one is to get the web server installed.

  1. Place your Windows XP Pro CD into the drive.

  2. Run the Add or Remove Programs option found in the Control Panel.

  3. Select Add/Remove Windows Components from the left-hand side.

  4. In the Windows Components Wizard highlight Internet Information Services (IIS) and click the Details button.

  5. Put a check in the boxes next to: Common Files, Internet Information Services Snap-In, and World Wide Web Service.

  6. Highlight World Wide Web Service and click Details, then uncheck Printers Virtual Directory and click Ok.

  7. Click Ok again to close the IIS options window, and click Next to complete the install.

When the install completes, click Finish and exit out of the Control Panel.

Next, register the .NET Framework with the IIS service we just installed by opening a command window and running:

c:\windows\microsoft.net\framework\v1.1.4322\aspnet_regiis -i

Microsoft SQL Server 2000 Desktop Engine (MSDE 2000)

Download the MSDE 2000 Release A package from Microsoft's MSDE 2000 product page and run the executable. Accept the defaults on any prompts that appear and allow the unpackager to complete.

Open a command prompt and run the following command to install MSDE:


When the install completes, go ahead and start the service:


When it completes you can close the command window.

Install Hacme Bank

Download and unpack the install files from FoundStone's website.

Install the website first by running the "Foundstone Hacme Bank Website Setup v2.0" executable. For the sake of simplicity accept all the default values during the install.

Warning: It is important that you select "Trusted Connection" in the next step! This is a step that many readers miss.

Next, install the WebService files by running the "Foundstone Hacme Bank WebService Setup v2.0" executable. Again, accept the default settings until you reach the Database Setup screen. Here, select Trusted Connection, click Next and complete the install.

Test Your Install

Open IE in the VM instance and browse to http://localhost/HacmeBank_v2_Website/

You might receive a warning about IE's Intranet Settings being disabled by default. Simply right-click on the Information Bar and select Enable Intranet Settings.

The Hacme Bank homepage should load and you can test the back-end system by logging into the site using the user name jv, and password jv789. If everything is working correctly you will be presented with a welcome screen.

Bonus! Remote Access to Hacme Bank!

First we need to modify the operating system's firewall to allow traffic to port 80.

  1. Open the Windows Security Center located in the Control Panel and select Windows Firewall at the bottom of the panel.

  2. Click on the Exceptions tab.

  3. Click the Add Port button.

  4. For the Name field enter "IIS" and "80" for the Port field, then click Ok and Ok to make the change. You can now exit out of the control panel as well.

Now open a browser on the host machine (or another machine on your network) and browse to the remote web instance: http://[IP Address of the VM Image]/HacmeBank_v2_Website/

You'll be presented with a message informing you that the application, by default, will only accept requests from the local machine. This is by design due to the serious flaws that have been designed into Hacme Bank. Exposing the faux website to the internet would place the entire host at risk, so take extra care to keep it internal facing only.

Open the website's config file, C:\Inetpub\wwwroot\HacmeBank_v2_Website\web.config, in Notepad and look for the <httpModules> section. (You should find it at the beginning of the config file.)

To activate remote access we need to disable the loading of the HttpModule_onlyAllowLocalAccess module. Simply comment it out by wrapping the specific line in <!-- ... --> tags as shown below:

File: C:\Inetpub\wwwroot\HacmeBank_v2_Website\Web.config
<!-- <add name ="HttpModule_onlyAllowLocalAccess" type="HacmeBank_v2_Website.httpModules.HttpModule_onlyAllowLocalAccess,HacmeBank_v2_Website"/> -->

Now make the same configuration change to the Web Service instance:

File: C:\Inetpub\wwwroot\HacmeBank_v2_WS\Web.config
<?xml version="1.0" encoding="utf-8" ?>
          <!-- <add name ="HttpModule_onlyAllowLocalAccess" type="HacmeBank_v2_Website.httpModules.HttpModule_onlyAllowLocalAccess,HacmeBank_v2_WS"/> -->

Now hit reload on your host's browser and instead of the default "Local access only" message, the website will be fully accessible.
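An added example, not part of the original write-up or of Foundstone's code: a small Python helper that reports whether the local-only module is active in a web.config and switches it on or off, so the guard can be restored once a test session is over. The sample config is constructed, the function names are hypothetical, and Python is assumed to be available wherever the file is edited.

```python
import re

MODULE = "HttpModule_onlyAllowLocalAccess"  # module name from the page's web.config
ADD_RE = re.compile(r'<add\s+name\s*=\s*"%s"[^>]*/>' % re.escape(MODULE))
COMMENT_RE = re.compile(r'<!--.*?-->', re.DOTALL)

# Constructed sample: the page's <add> line placed in a minimal ASP.NET config.
SAMPLE = '''<?xml version="1.0" encoding="utf-8" ?>
<configuration><system.web><httpModules>
  <add name ="HttpModule_onlyAllowLocalAccess" type="HacmeBank_v2_Website.httpModules.HttpModule_onlyAllowLocalAccess,HacmeBank_v2_Website"/>
</httpModules></system.web></configuration>
'''

def _active_match(text):
    """Return the first module registration that is not inside an XML comment."""
    spans = [m.span() for m in COMMENT_RE.finditer(text)]
    for m in ADD_RE.finditer(text):
        if not any(start <= m.start() < end for start, end in spans):
            return m
    return None

def guard_state(text):
    """'active' = local-only guard loaded, 'disabled' = commented out, 'missing'."""
    if _active_match(text):
        return "active"
    return "disabled" if ADD_RE.search(text) else "missing"

def set_guard(text, enabled):
    """Return the config text with the module line active or commented out."""
    state = guard_state(text)
    if state == "missing":
        raise ValueError("module registration not found in config")
    if enabled and state == "disabled":
        # Unwrap a comment that holds only the <add/> element.
        wrapped = re.compile(r'<!--\s*(%s)\s*-->' % ADD_RE.pattern)
        return wrapped.sub(r'\1', text)
    if not enabled and state == "active":
        m = _active_match(text)
        return text[:m.start()] + "<!-- " + m.group(0) + " -->" + text[m.end():]
    return text  # already in the requested state

if __name__ == "__main__":
    opened = set_guard(SAMPLE, enabled=False)
    print(guard_state(SAMPLE), "->", guard_state(opened))
    print("restored:", guard_state(set_guard(opened, enabled=True)))
```

Run `guard_state` against both Web.config files after a session; anything other than `active` means the instance still answers non-local requests.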

Happy Hacking!
