3 Posts authored by: mariuscorici

After Metasploitable in the Cloud and bWAPP, CTF365 has increased both the number of "vulnerable by design" servers and the number of operating systems in its lab by adding HacmeBank and HacmeCasino, two vulnerable-by-design web applications courtesy of McAfee's Foundstone.

 

The machines run on Windows Server 2008 and Windows XP, licensed from Microsoft through their BizSpark startup program, and they are accessible to anyone who has a free CTF365 account.

 

Hacme Bank

“Hacme Bank™ is designed to teach application developers, programmers, architects and security professionals how to create secure software. Hacme Bank™ simulates a “real-world” online banking application, which was built with a number of known and common vulnerabilities such as SQL injection and cross-site scripting.”

 

HacmeBank.png

 

Hacme Casino

“Hacme Casino™ is a learning platform for secure software development and is targeted at software developers, application penetration testers, software architects, and anyone with an interest in application security.”

 

hacmeCasino.png

 

By adding these components to our free pentest lab, we hope to help newcomers and aspiring ethical hackers find their way into the security industry as qualified security professionals.

If you’re an InfoSec instructor or teacher, feel free to use these applications in the cloud to create webcasts and teach your students. Also, if you’re a screencaster, feel free to use them in your video tutorials. Don’t forget to share your creations and experiences with the infosec community; we’d love to hear about them.

 

You can access the servers at:

http://hacmebank.ctf (http://10.195.2.5)

http://hacmecasino.ctf (http://10.195.2.6)

 

In order to access them, please remember that you have to be logged into our CTF365 VPN. The .ctf hostnames and the 10.195.2.x addresses above are private to the lab network and are only reachable while the VPN connection is up.

If there’s a vulnerable-by-design server or web app that you’d like to see in the CTF365 cloud, leave the information for us in a comment below. We’ll review it and, if we think it’ll be a valuable contribution, we’ll add it to the cloud in the future.

We believe that entry level resources should be open and free of charge for anyone who wants to dive into the InfoSec industry. Through this, we think we can make the Internet a little bit safer.

This guest blog comes to us from Marius Corici from CTF365. When asked to describe himself he gave me the following: "I enjoy being an entrepreneur and discovering new solutions for old problems. Motto: Think a lot to do less and preserve energy to provide simplicity."

 

There is no doubt that the best way to learn information security is hands-on. To make this easier, the team at Rapid7 and Metasploit created Metasploitable, a server that is vulnerable by design.

 

Besides the vulnerable services on the server itself, the Metasploit team added more special "ingredients" (vulnerable-by-design web applications) such as Damn Vulnerable Web Application (DVWA) from RandomStorm and Mutillidae from OWASP.

 

 

Metasploitable is the perfect place to start learning penetration testing, as a light introduction. Its popularity has spread across the InfoSec community, and it has become a study framework for most infosec students as well as for some training companies. One reason it has become so popular is that the Metasploit Framework is the most popular penetration testing framework: according to this survey it got a whopping 82% among pentest frameworks. Many pentest OS vendors, including Offensive Security with its well-known BackTrack/Kali Linux, recommend practicing on Metasploitable to learn how to use their operating systems. A quick search on YouTube shows there are over 1,800 videos containing "Metasploitable".

 

Metasploitable-1080.jpg

 

It's free and open source, but if you wanted to use it there were some specific steps to follow in order to get it properly installed in your own virtual environment.

Until now.

The team behind CTF365 is glad to announce that there is a new way to access Metasploitable and practice for FREE in the cloud.

 

Why is that special?

1) Being reachable over the Internet, it simulates attacking a real remote target more closely than a local VM does.

2) Need someone to help you? You can use the CTF365 IRC service.

3) If you want to create a video tutorial on the fly, you can now do so without having to build your own virtual environment first.

4) Want to study using tutorials like Offensive Security's Metasploit Unleashed? You now have a ready-made target.

5) As an InfoSec instructor, it is much easier to demonstrate live to your students.

6) Want to quickly test new pentest tools? There is a target waiting for you.

And I'm quite sure you can find a few more reasons why.

At this moment it is deployed as a non-persistent image: it is reset to its initial state after a set period of time, in case some of you manage to break it. Keep in mind that the instance is shared with other users and that anything you change on it is lost at the next reset. In the future we hope to get enough hardware to give each user an individual and persistent instance.

 

All registered users get FREE access to Metasploitable 2. Once you register with CTF365 and set up your VPN, you'll be able to access Metasploitable at http://metasploitable.ctf. Please remember: no VPN, no access.

 

CTF365 is a training platform with a focus on security professionals, system administrators and web developers, offering services for training, learning and improving offensive and defensive web security. We're glad to offer this functionality to help everyone stay more secure.

 

Any questions? Glad to answer. Stay secure while having fun. :-)

By Guest Blogger Marius Corîci, ctf365.com

 

Before I start, I would like to thank the Metasploit team at Rapid7 and the Kali Linux team at Offensive Security for kindly allowing us to use their logos on our platform. I'd especially like to thank hdmoore and ckirsch at Rapid7 as well as Mati Aharoni at Offensive Security. This means a lot to us.

 

Note: If this article is TL;DR, then I recommend you just go to CTF365.com, create an account, create a team and start playing with it.

landingSmall.png

 

A little bit of history before introducing CTF365

 

In October 2011, we started the HackaServer (HaS) project, a web security testing platform that uses the power of crowdsourcing. While we were building HaS we had to come up with a spin-off in case things did not move in the direction we anticipated. I have to mention that HaS is not open for business yet, for one simple reason: we are a very small team.

 

A short recap

 

Information security through gamification is not a brand new concept. In fact it is quite old, as old as the Internet: it is called CTF, Capture The Flag. The DEF CON conference hosted one of the first CTF competitions. You can check CTFtime to see where CTFs have taken place; they are organized by computer science faculties, companies or even government agencies.

 

Why CTFs?

The best way to learn is to learn on the job. Gamification improves skills, and provides education and training. Learning information security through gamification increases students/employee engagement, improves retention rate and speeds up the learning curve/process. At the same time, it is entertaining, challenging, community-driven and hands-on for the students and employees participating in it.

 

Today's CTF competitions are very diverse, going all the way to attack-and-defense scenarios where Red Teams and Blue Teams play against each other. Teams often show an unparalleled level of effort and dedication.

 

However, traditional CTFs have these issues:

 

  • Short duration – CTFs typically only take between 24 hours and a few days.
  • On-site – Many CTFs require you to be physically present at the venue.
  • Few and far between – CTFs don't happen on a regular schedule, and they happen all over the globe.
  • Not beneficial for work – Because CTFs aren't centrally organized, there are no universal scores that are meaningful to a penetration tester's hiring manager.
  • Artificial – Many CTFs don't resemble a real-life network and restrict the players with plenty of rules.

 

 

So why another CTF when there are already so many?

 

We, the team behind CTF365, decided that it is time to change the way CTFs are designed and held by bringing a brand new approach and pushing security gamification to a bigger scale: worldwide. Our goal is to create an Internet replica of a real-life network where security professionals, security students and aspiring security practitioners get continuous training on real, man-made servers and infrastructures rather than intentionally vulnerable servers.

 

How is that possible?

 

We asked ourselves the same question, and it looks like we have made it. Although there is a lot more to do, our IaaS is flexible enough to mimic the real world. CTF365's platform allows users to connect their own infrastructure, whether it is cloud-based, private or dedicated servers. We have already proven that it is possible to have servers tested in the cloud, for example with Metasploitable on HackAServer.com. You can read this article right here on the Rapid7 Community.

 

Companies and organizations can set up their own CTF infrastructure within minutes, and all of their users' achievements can be added to each user's overall performance record. This feature will engage more users at future conference CTFs.

 

 

Who is it for?

 

  • Blue Teams, Red Teams, CERT/CSIRT – Offensive and defensive specialists can improve their training in life-like environments.
  • CTOs, System Administrators – Can experiment with server configurations and see if they can be defeated.
  • Security Vendors – Can test their WAFs and other software as well as hardware.
  • Security Training Companies – Improve their students' retention rate in life-like environments.
  • Information Security Recruiters – Security certificates are very important, but a user's performance and achievements as a security professional are a truer testament to their abilities.
  • Web Security organizations like OWASP – Spread awareness among web developers and DevOps.
  • InfoSec Conferences – Participants really want to have fun and have their achievements count.

 

 

Where are we now?

 

At this moment, CTF365 is in the Alpha stage, which means it's up and running with a small number of active teams (just over 30), while more than 11,000 registered users and more than 900 teams all over the world are waiting to play. Being in Alpha means that we're still in the development stage, and those who have access to the Alpha and the future Beta can experiment and get a sneak peek at the live system.


Once we have scaled up our hardware, we'll be ready to let everyone in. During the Alpha and Beta phases, most users are security professionals from various pentesting and security training companies. As referrals for the pre-release environment, we also accept infosec professionals as well as infosec instructors/teachers. If you would like early access, just let me know.

 

The bottom line

 

“Security will never be perfect, but can be pushed to perfection.”


According to Frost & Sullivan, the global population of information security professionals will increase by 332,000 to 3.2 million by the end of the year and reach ~5 million by 2017. The Internet grows faster than the world’s capacity to provide security-aware system administrators and engineers. We need to close this gap.


CTF365 aspires to build a playground to improve the training possibilities for information security professionals.


Sign up for a CTF365 account now!
