How to install and configure Foundstone Hacme Bank on Windows Server 2003 R2

“Hacme Bank™ is designed to teach application developers, programmers, architects and security professionals how to create secure software. Hacme Bank simulates a “real-world” web services-enabled online banking application, which was built with a number of known and common vulnerabilities. This allows users to attempt real exploits against a web application and thus learn the specifics of the issue and how best to fix it. The web services exposed by Hacme Bank are used by our other testing applications including Hacme Books and Hacme Travel.” (FoundStone Web Site)

In this article I would like to explain how to install Hacme Bank 2.0 under Windows Server 2003 R2. To do this I have installed a virtual Windows Server 2003 R2 32-bit machine under VirtualBox for Linux, running on Ubuntu 10.04 LTS (2.6.32-28-generic).

Now we can start the installation and configuration process :)

1. Download the required Hacme Bank components

2. Install Windows Components

  • Microsoft IIS – No download needed: you can install it from the Windows 2003 CD, so have the 2003 CD at hand.
    Go to Control Panel -> Add or Remove Programs -> Add/Remove Windows Components -> and tick IIS under Application Server.

3. Install Components and Update your system.

We need to install the downloaded components and update Windows Server. Please be sure to follow this installation order, because some components depend on others.

  • Install Windows .NET Framework 1.1. It is a simple “Next-Next-Finish” setup. I have deselected the SDK and examples before continuing.
  • When the installation ends, reboot your server.
  • Install MSDE – Microsoft SQL Server 2000 Desktop Engine.
  • When the installation ends, reboot your server.
  • After the reboot, start a Command Prompt, move to your MSDE install dir (in my case C:\MSDE) and run the following command: C:\MSDE>setup.exe SAPWD='password'
  • Open Internet Explorer and browse to http://www.windowsupdate.com to update your system with new components.
  • When the update finishes, reboot your server.
  • Go to Services (type services.msc under “Start”->”Run”) and check that MSSQLSERVER is stopped. If not, stop it.
  • Run “regedit” to open the Registry Editor and follow this path: HKEY_LOCAL_MACHINE\Software\Microsoft\MSSqlserver\MSSqlServer. Look for the “LoginMode” parameter and change the DWORD value to 2. This turns on Mixed Mode authentication. Please read the Microsoft KB at http://support.microsoft.com/kb/325022
  • Open a Command Prompt and run the following command: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\aspnet_regiis.exe -I
  • When the ASP.NET registration ends, go to IIS Manager (or run inetmgr under “Start”->”Run”)
  • Make sure that the ASP.NET v1.1.4322 status is set to Allowed
  • Install Foundstone Hacme Bank Web Services. I have chosen the standard installation with the default web dir and port 80.
    When you are prompted for SQL authentication, leave everything at the defaults (local, user sa, blank password) and click Next.
  • Install Foundstone Hacme Bank Web Site. I have chosen the standard installation with the default web dir and port 80.
  • Reboot your server.
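The service, registry and ASP.NET steps above, collected into one batch script as an added example (this is not from the original post or from Foundstone). It assumes the default MSDE instance (service name MSSQLSERVER), .NET Framework 1.1 installed under %WINDIR%\Microsoft.NET\Framework\v1.1.4322 as in the guide, and that it is run from an administrator Command Prompt after the Windows Update reboot.

```batch
@echo off
rem Added example, not part of the original guide. Assumes the default MSDE
rem instance MSSQLSERVER and .NET Framework 1.1 at the path used in the guide.

rem 1. MSDE must be stopped before the LoginMode change is picked up.
sc query MSSQLSERVER | find "STOPPED" >nul
if errorlevel 1 (
    echo MSSQLSERVER is running, stopping it...
    net stop MSSQLSERVER
)

rem 2. Switch SQL Server authentication to Mixed Mode (LoginMode = 2, see KB 325022).
reg add "HKLM\Software\Microsoft\MSSqlserver\MSSqlServer" /v LoginMode /t REG_DWORD /d 2 /f

rem 3. Read the value back so a typo in the key path does not go unnoticed.
reg query "HKLM\Software\Microsoft\MSSqlserver\MSSqlServer" /v LoginMode

rem 4. Register ASP.NET 1.1 with IIS (-i installs the version and updates the script maps).
"%WINDIR%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe" -i

rem 5. Start MSDE again so the Hacme Bank installers can connect with the sa account.
net start MSSQLSERVER
```

After the script finishes, still open IIS Manager and confirm that ASP.NET v1.1.4322 is listed as Allowed under Web Service Extensions; aspnet_regiis registers the version, but IIS 6 keeps it prohibited until it is explicitly allowed.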

4. Configure Hacme Bank for access from local network

By default Hacme Bank allows access from localhost (127.0.0.1) only. If you want to access your test site from the local network, you must edit its configuration file.

  • Open web.config under C:\Inetpub\wwwroot\HacmeBank_v2_Website using a text editor.
  • Look for “HttpModule_onlyAllowLocalAccess” and comment out that line.
    To comment it out, add “<!--” before the line and “-->” after it.
  • Type inetmgr in “Start”->”Run” to open IIS Manager and restart the Default Web Site
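What the edited section of web.config looks like, as an added example (not the file shipped with Hacme Bank): only the module registration name is taken from the guide; the surrounding elements are the standard ASP.NET 1.1 layout and the type attribute is a placeholder you copy from your own file.

```xml
<!-- Added example of the step 4 edit; not the original Hacme Bank web.config.
     PLACEHOLDER_TYPE is a stand-in for the type value already present in your file. -->
<configuration>
  <system.web>
    <httpModules>
      <!-- Before the edit this module is active and rejects every request
           that does not come from 127.0.0.1. Wrapping it in an XML comment
           disables it, so the site answers any host that can reach port 80. -->
      <!-- <add name="HttpModule_onlyAllowLocalAccess" type="PLACEHOLDER_TYPE" /> -->
    </httpModules>
  </system.web>
</configuration>
```

Because this module is the only thing keeping a deliberately vulnerable application off the network, keep the VirtualBox guest on a host-only or internal network, or use the IP address and domain name restrictions of the Default Web Site in IIS Manager to admit just the lab machines you intend to test from.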

Finish!

Now you can start your experience from the local network against the Web Bank :)

This guide has been created based on an os3.nl post.

Comments

  1. artemis says

    Hey Andrea,

    Thanks so much for the walkthrough. I had run into a problem with installing Hacme Bank, and your post helped me resolve it. Much appreciated.

    Best,
    “artemis”
