Ormond Blog

Setting Up WebGoat for Pen-testing
September 21, 2016 by Dustin Ormond
As I have been preparing to teach my security course, I wanted to incorporate a variety of tools into the course so that students gain a more technical understanding of security topics such as general DOS commands, cryptography, steganography, secure networks, access controls, application security, database security, incident and disaster response, etc. Anyway, I searched for effective tools to examine application and database insecurities with a way to track individual student progress. Enter WebGoat. WebGoat allows you to test a bunch of insecurities to gain an understanding of possible weaknesses when building a web application and database. You could run the standalone jar file per the instructions; however, I wanted each user to have access to their own account, so these are the steps I followed to make this possible:

- Download the Maven binary zip file, extract it, and save the directory where you want.
- Download and install the latest Java JDK.
- Add JAVA_HOME to the environment variables by opening System Properties and then clicking Environment Variables on the Advanced tab. Add the path to the JDK you installed: enter JAVA_HOME as the variable name and the directory of your JDK as the variable value. Click OK twice.
- Select Path under the System variables and click Edit. Add two new path entries: %JAVA_HOME%\bin and the bin folder inside the Maven folder you saved. Click OK twice.
- Check that Maven is working by running the following in a command prompt:
     mvn -v
- Install Git.
- Open a command prompt, navigate to where you want to download WebGoat, and run the following:
     git clone https://github.com/WebGoat/WebGoat.git
     git clone https://github.com/WebGoat/WebGoat-Lessons.git
     cd WebGoat
     git checkout develop
     mvn clean compile install
     cd ..
     cd WebGoat-Lessons
     git checkout develop
     mvn package
     xcopy "target\plugins\*.jar" "..\WebGoat\webgoat-container\src\main\webapp\plugin_lessons"
     cd ..
If you want to add more users to track individual logins, follow these instructions before continuing. Note: the spring-security.xml file is located at WebGoat\webgoat-container\src\main\webapp\WEB-INF. If you skip this step you can still log in with the guest, webgoat, and server default accounts. If you remove the guest, webgoat, and server accounts, make sure you delete the following from the login.jsp file located at WebGoat\webgoat-container\src\main\webapp\WEB-INF\pages:

     <br/><br/>
     <h4>The following accounts are built into Webgoat</h4>
     <table class="table table-bordered" style="width:400px;">
     <thead>
     <tr class="warning"><th>Account</th><th>User</th><th>Password</th></tr>
     </thead>
     <tbody>
     <tr><td>Webgoat User</td><td>guest</td><td>guest</td></tr>
     <tr><td>Webgoat Admin</td><td>webgoat</td><td>webgoat</td></tr>
     </tbody>
     </table>
     <br/><br/>

The Show Source, Show Solution, Show Plan, Show Hints, and Restart Lesson links will be duplicated unless you hide (style="display:none") the following lines of code in the main.jsp file located at WebGoat\webgoat-container\src\main\webapp\WEB-INF\pages:

     <button class="btn btn-primary btn-xs help-button" id="show-source-button">Show Source</button>
     <button class="btn btn-primary btn-xs help-button" id="show-solution-button">Show Solution</button>
     <button class="btn btn-primary btn-xs help-button" id="show-plan-button">Show Plan</button>
     <button class="btn btn-primary btn-xs help-button" id="show-hints-button">Show Hints</button>
     <button class="btn btn-xs help-button" id="restart-lesson-button">Restart Lesson</button>

Run the standalone jar file:
     cd WebGoat
     mvn package
     cd webgoat-container/target
     java -jar webgoat-container-7.1-SNAPSHOT-war-exec.jar

Note: you can specify the port or address to run WebGoat on by adding the following after the previous line: --p <port> --address <address> OR -p <port> -a <address>

Open WebGoat in your browser by visiting http://localhost:8080/WebGoat/ OR http://127.0.0.1:8080/WebGoat/
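Since the point of the per-user setup is that every student logs in with their own account rather than the shared guest/webgoat/server defaults, a small generator is handy for producing the spring-security.xml entries from a class roster. The following is an added example, not WebGoat's own code: it assumes the file's authentication block uses Spring Security's in-memory <user-service> with <user name="..." password="..." authorities="..."/> children (the shape the existing guest and webgoat entries should show; compare before pasting), and the roster and the ROLE_USER authority value are constructed for the demo.

```python
"""Generate one WebGoat login per student for spring-security.xml.

Added example, not WebGoat's own code. It assumes the file's authentication
block is Spring Security's in-memory <user-service> with
<user name="..." password="..." authorities="..."/> children, the shape the
default guest/webgoat/server entries should show; compare before pasting.
"""
import secrets
import xml.etree.ElementTree as ET

# Accounts the post says to remove; a roster must not reuse them.
BUILTIN_ACCOUNTS = {"guest", "webgoat", "server"}

# Constructed roster for the demo; a real one comes from the class list.
# The last entry contains XML metacharacters to show they are escaped.
ROSTER = ["alice", "bob", "carol <c&c>"]


def make_user_service(usernames, password_bytes=9):
    """Build the <user-service> element text plus a {user: password} sheet.

    Every student gets a fresh random password, so no two students share a
    login and none of the built-in credentials survive in the file.
    """
    seen = set()
    credentials = {}
    root = ET.Element("user-service")
    for name in usernames:
        if name in BUILTIN_ACCOUNTS:
            raise ValueError(f"{name!r} collides with a built-in WebGoat account")
        if name in seen:
            raise ValueError(f"duplicate username {name!r}")
        seen.add(name)
        password = secrets.token_urlsafe(password_bytes)
        credentials[name] = password
        # ElementTree escapes &, <, > and quotes in attribute values for us.
        ET.SubElement(root, "user", name=name, password=password,
                      authorities="ROLE_USER")
    return ET.tostring(root, encoding="unicode"), credentials


def parse_usernames(xml_text):
    """Read the usernames back out of generated (or existing) user-service XML."""
    return [user.get("name") for user in ET.fromstring(xml_text).findall("user")]


if __name__ == "__main__":
    xml_text, sheet = make_user_service(ROSTER)
    print(xml_text)                        # paste inside spring-security.xml
    for user, password in sheet.items():
        print(f"{user}\t{password}")       # hand out individually, not on the login page
```

The credential sheet is returned separately from the XML so the passwords can be distributed to students one at a time, instead of being listed on the login page the way the built-in table does.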
Setting Up WampServer
May 20, 2016 by Dustin Ormond
Running your own server may be useful for many reasons. Currently, I run my own server to host my course databases and web applications. I recently updated to the latest version and ran into issues where I had to step through the whole setup process again. Since it took me way longer than I hoped, I documented the whole process in case I have to do it again. Here are the steps:

Downloading and Installing WAMPServer (WAMP)
- Download WAMP here: http://www.wampserver.com/en/ (Note: my instructions are for installing WAMPServer 3 64-bit with PHP 5.6.15 and PHP 7.)
- Install WAMP using the downloaded file. You may need to install the Visual C++ Redistributable located here: https://www.microsoft.com/en-us/download/details.aspx?id=48145
- Restart your computer.
- Start WAMP.

Configuring Remote Connection to Your Server
- Be sure your server is assigned a static IP address.
- Open your httpd.conf file by clicking the WAMP icon on the right side of your taskbar. Select Apache and then httpd.conf.
- Find and replace the following lines:
     <Directory />
         AllowOverride none
         Require all denied
     </Directory>
  With:
     <Directory />
         Options Indexes FollowSymLinks Includes ExecCGI
         AllowOverride All
         Order deny,allow
         Allow from all
     </Directory>
- Find and replace the following lines:
     <Directory "C:/wamp64/www/">
         ...
         Require local
     </Directory>
  With:
     <Directory />
         ...
         Allow from all
     </Directory>
Your server should now be accessible remotely using your static IP address.

Configuring Access to Your Database
- Open your my.ini file by clicking the WAMP icon on the right side of your taskbar, select MySQL, and then my.ini.
- At the very end of the my.ini document add the following line (replace [server's IP address] with your server's static IP address):
     bind-address = [server's IP address]
- Click the WAMP icon on the right side of your taskbar and select phpMyAdmin.
- Log in using root as the username and leave the password blank.
- Immediately change the root password by clicking the User Accounts tab.
- Locate the root account and click Edit privileges.
- Click Change password near where you clicked the User Accounts tab.
- Type in your new password twice and then click Go. You will need to log back in after changing your password.

Next, I recommend that you add an administrative user (leave the root user alone) by doing the following:
- Click the User Accounts tab again.
- Click Add user account.
- Type the new user in the User name and Password fields.
- Be sure to define where this user can connect from. If you want this user to connect from any location, leave the default %.
- Select whether you will create a database for this user (i.e. Create database with same name and grant all privileges).
- Determine what privileges this user will have (e.g. Grant all privileges on wildcard name (username\_%)).
- Decide whether the user will have global privileges or only certain privileges, as desired.
- Click Go when you are finished. Repeat for any other users.

Configuring Your Website
Locate the www directory (by default it is found at C:\wamp64\www) and drop all your web files there. You should now be able to view your website by navigating to your server's IP address in a browser.

Configuring SMTP for Sending Emails
- Download php_smtp.dll here: http://www.topdll.com/download/php_smtp.dll
- Save this file to C:\wamp64\bin\php\php5.6.16\ext.
- Edit the php.ini file under the dynamic extensions to include the following:
     extension=php_smtp.dll
- Restart the server and your SMTP server should be ready to go. Additionally, you can download PHPMailer to help with sending emails.

Configuring the Server Timezone
In the php.ini file, change the following line:
     date.timezone = "UTC"
To:
     date.timezone = "US/Central"
Note: be sure to change the timezone to the correct one unless you live in the Central timezone.
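The Apache and MySQL changes earlier in this post make the whole machine reachable from the network, so it is worth having a check that flags the over-broad parts before the box goes live. The following is an added example and not part of the post: it reads httpd.conf and my.ini as text and reports a <Directory /> that grants access to every client, risky Options on an open directory, Apache 2.2 Order/Allow syntax, and a bind-address that listens on every interface. The config fragments inside it are constructed copies of the post's own "after" text plus a hardened variant that keeps the filesystem root denied and grants only the document root; 192.0.2.0/24 is a placeholder lab subnet.

```python
"""Audit WampServer httpd.conf and my.ini text for over-broad access.

Added example, not part of the post. The constructed inputs are the post's
own "after" fragments plus a scoped variant; 192.0.2.0/24 is a placeholder.
"""
import re
from dataclasses import dataclass

# Constructed: the post's "after" httpd.conf fragments, as written there.
HTTPD_CONF_OPEN = """
<Directory />
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
    Order deny,allow
    Allow from all
</Directory>
<Directory "C:/wamp64/www/">
    Options Indexes FollowSymLinks
    AllowOverride All
    Allow from all
</Directory>
"""

# Constructed hardened variant: the filesystem root stays denied, and only the
# document root is reachable, only from the lab subnet.
HTTPD_CONF_SCOPED = """
<Directory />
    AllowOverride none
    Require all denied
</Directory>
<Directory "C:/wamp64/www/">
    Options FollowSymLinks
    AllowOverride All
    Require ip 192.0.2.0/24
</Directory>
"""

# Constructed my.ini fragment that listens on every interface.
MY_INI_ALL_INTERFACES = "[mysqld]\nport=3306\nbind-address = 0.0.0.0\n"

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
GRANT_ALL_RE = re.compile(r"^\s*(Allow\s+from\s+all|Require\s+all\s+granted)\s*$", re.I | re.M)
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+)$", re.I | re.M)
LEGACY_ACCESS_RE = re.compile(r"^\s*Order\s+", re.I | re.M)
RISKY_OPTIONS = {"Indexes", "ExecCGI", "Includes"}   # listing, CGI, SSI


@dataclass
class Finding:
    location: str
    issue: str


def audit_httpd_conf(text):
    """Return a Finding for each way a <Directory> block is more open than it should be."""
    findings = []
    for match in DIRECTORY_RE.finditer(text):
        path, body = match.group(1).strip(), match.group(2)
        grants_all = GRANT_ALL_RE.search(body) is not None
        if path == "/" and grants_all:
            findings.append(Finding(path, "filesystem root is open to every client; keep "
                                          "'Require all denied' here and grant on the document root only"))
        enabled = set()
        for options in OPTIONS_RE.findall(body):
            for token in options.split():
                if not token.startswith("-"):        # '-Indexes' disables, skip it
                    enabled.add(token.lstrip("+"))
        risky = sorted(enabled & RISKY_OPTIONS)
        if risky and grants_all:
            findings.append(Finding(path, f"options {risky} enabled on a directory open to all clients"))
        if LEGACY_ACCESS_RE.search(body):
            findings.append(Finding(path, "uses Apache 2.2 Order/Allow syntax; use 2.4 'Require' directives"))
    return findings


def audit_my_ini(text):
    """Return findings about which interfaces MySQL will listen on."""
    match = re.search(r"^\s*bind-address\s*=\s*(\S+)", text, re.M)
    if match is None:
        return [Finding("my.ini", "no bind-address set; MySQL listens on every interface by default")]
    addr = match.group(1)
    if addr in {"0.0.0.0", "::", "*"}:
        return [Finding("my.ini", f"bind-address {addr} listens on every interface; "
                                  "bind to the server's LAN address as the post does")]
    if addr not in {"127.0.0.1", "localhost", "::1"}:
        return [Finding("my.ini", f"bind-address {addr} is reachable over the network; "
                                  "limit port 3306 at the firewall to the intended clients")]
    return []


if __name__ == "__main__":
    for label, conf in (("open", HTTPD_CONF_OPEN), ("scoped", HTTPD_CONF_SCOPED)):
        print(f"httpd.conf ({label}):", audit_httpd_conf(conf) or "no findings")
    print("my.ini:", audit_my_ini(MY_INI_ALL_INTERFACES))
```

Run against the post's fragment the audit reports four findings; against the scoped variant it reports none. The scoped variant reaches the same goal (the course site is reachable from other machines) without opening directory listings, CGI and server-side includes on every path on the disk.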
Configuring File Upload Size and Total Uploads
In the php.ini file, change the following line:
     upload_max_filesize = 2M
To:
     upload_max_filesize = [desired max upload size]
In the php.ini file, change the following line:
     max_file_uploads = 20
To:
     max_file_uploads = [desired max uploads]

Configuring InnoDB
When I queried the information_schema metadata, I wanted to see how the foreign keys of one table are related to other tables. To do this, I made the following change:
- Open the my.ini file by clicking the WampServer icon, then MySQL, then my.ini.
- Find the following line:
     default-storage-engine=MYISAM
- Change it to:
     default-storage-engine=INNODB

Configuring Mongo
- Find and download php_mongo.dll.
- Save this file to C:\wamp64\bin\php\php5.6.16\ext.
- Edit the php.ini file under the dynamic extensions to include the following:
     extension=php_mongo.dll
- Restart the server and you should now be able to use PHP with Mongo.

Configuring Oracle
- Find and download php_oci8_11g.dll.
- Save this file to C:\wamp64\bin\php\php5.6.16\ext.
- Edit the php.ini file under the dynamic extensions to include the following:
     extension=php_oci8_11g.dll
- Enable the following extension too:
     extension=php_pdo_oci.dll
- Restart the server and you should now be able to use PHP with Oracle.
Escape Curse of the Temple Custom Chambers
November 30, 2015 by Dustin Ormond
I just created a bunch of chambers (39 to be exact) for Escape – The Curse of the Temple. Most of these have been inspired by other people's ideas from Board Game Geek. I love this board game. Check out the tiles by clicking below: Download Here
Microsoft Office Activation Error 0X8004FC12
October 16, 2015 by Dustin Ormond
After running Office 365 on my Windows machine for several months, a notification popped up saying that I was using an unauthorized or expired license. I was completely confused because I knew my license was legit and other machines that were using the same license seemed to work fine. After several hours of struggling to find the solution to my problem I stumbled upon this page by Deploy Windows. I tried reactivating my license only to get an error that says:

     We're sorry, something went wrong and we can't do this for you right now. Please try again later. (0x8004FC12)

The solution as explained by Deploy Windows is to do the following steps:
- Change the NoAddingComponents registry key from 1 to 0 under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
- Change both the NoActiveDesktop and NoActiveDesktopChanges registry keys from 1 to 0 under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- Open an elevated command prompt and run the following commands:
     net localgroup Administrators LocalService /add
     fsutil resource setautoreset true C:\
     netsh int ip reset resetlog.txt
- Open one of the Microsoft Office applications and it will say that "Activation was successful"; then relaunch the Microsoft application again and everything should work.

What a headache, but now I can be productive again.
Last Active Window on Windows 7/8/10
May 15, 2015 by Dustin Ormond
An irritating behavior for someone who is running Windows 7, Windows 8, or Windows 10 is that when you click on an application where you have multiple windows open, it will give a preview as a thumbnail for each open window. Then you have to click a second time on the thumbnail for it to switch to the window you want to use. According to www.howtogeek.com, you can perform a simple hack that will toggle through the last active window:
- Hit the Windows key.
- Type regedit and hit Enter.
- Navigate to the following key by clicking the arrows next to each folder: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- In this key, right-click on the right side and select New -> DWORD (32-bit) Value. Name it LastActiveClick.
- Set the value to 1 by double-clicking it and changing the value under Value Data to 1.
- Either log off or restart the explorer.exe process through Task Manager.
Remote Connection to MySQL on WampServer
April 30, 2015 by Dustin Ormond
After spending a couple of hours trying to figure out how to connect remotely to MySQL on WampServer, I finally figured it out. The web didn't offer one comprehensive solution to the problem, so I decided to post the steps I took which enabled me to finally connect.
- Install WampServer on your server computer.
- Open the my.ini file located at "\wamp\bin\mysql\mysql5.6.17". Note the 5.6.17 may differ based on your version.
- Find the line that says [mysqld]. Add this code after this line:
     bind-address = [server_ip]
  Replace [server_ip] with the static IP address of your server.
- Open config.inc.php located at "\wamp\apps\phpmyadmin4.1.14". Note the 4.1.14 may differ based on your version. Locate the following code:
     $cfg['Servers'][$i]['host'] = '127.0.0.1';
  Change the 127.0.0.1 to the static IP address of your server.
- Configure your firewall to allow connections through the default Apache and MySQL ports:
  - Open the Control Panel on the server computer.
  - Select System and Security -> Windows Firewall -> Advanced Settings.
  - In the left pane, select "Inbound Rules" and then choose "New Rule..." in the right pane.
  - Select "Port" and click "Next".
  - Select "TCP" and enter the default ports for Apache and MySQL (80, 3306) in the text box next to "Specific local ports:". Note: be sure to change these if you changed them in your WampServer configuration (i.e. my.ini).
  - Choose "Allow the Connection" and click "Next".
  - Check all the profiles on which you want these ports allowed (i.e. Domain, Private, Public).
  - Specify a name for this rule and click "Finish".
- Restart all services and now you should be able to connect to your database.
Jeopardy PowerPoint Template
July 04, 2013 by Dustin Ormond
Download This is a .pptm file so you need to enable macros!

Setting Up Jeopardy
After you open the file, you will need to change the categories to match the categories of your Jeopardy game. Do this by clicking all the yellow Jeopardy images and then sending them to the back. Fill in the categories, then send the categories back again behind the Jeopardy images. Then go through all the slides and add your answers, questions, and categories.

Using the Daily Double
On one of the final slides is a slide as shown below. Follow the instructions on this slide to add a Daily Double to your game. Remember to add one under normal Jeopardy and one under Double Jeopardy.

Playing Jeopardy
Run the PowerPoint and click on the number corresponding to the contestant/team's choice (e.g. 100 under category 1). This will advance to the slide that corresponds to the category and number selected. The numbers will automatically fade, but you can still click on categories even with the numbers gone. After the contestant/team has answered the question, make sure you click the scoreboard image to advance to the scoreboard. Click inside the text box for the corresponding team/individual and enter/change the score accordingly. After entering the score, click the home icon to return to the Jeopardy categories. After all the answers have been chosen, click the Double Jeopardy image on the Jeopardy categories slide to advance to Double Jeopardy.

Playing Double Jeopardy
Double Jeopardy is identical to normal Jeopardy. Follow the instructions as you did previously. After all the answers have been chosen, click the Final Jeopardy image on the Double Jeopardy categories slide to advance to Final Jeopardy.

Playing Final Jeopardy
Enter a wager for each contestant/team, then click to show the answer. Click one more time. Wait until the music runs out, then reveal the correct question. If the contestants/teams got the correct answer, add the wager to the score; otherwise, subtract the wager from the score.
VBA All Games
September 15, 2012 by Dustin Ormond
Download This is a .xlsm file so you need to enable macros! For those using versions prior to Excel 2007, I have programmed it to use the ribbon but the game may still work.

I decided to combine all the games from my previous posts into one file. In addition to the games highlighted in previous blog posts, this includes a scorecard for Phase 10, Pit, Rook, Rummikub, Uno, and Tic Tac Toe (1×1 to 5×5 versions).
VBA Boggle
September 15, 2012 by Dustin Ormond
Download This is a .xlsm file so you need to enable macros! For those using versions prior to Excel 2007, I have programmed it to use the ribbon but the game may still work.

Using the Ribbon Buttons
Even though the buttons to start a new game and run the timer are found on the board, I also included them in the ribbon for convenience.

Playing the Game
By clicking "New Game" all the tiles in the Boggle board are reshuffled. You can start the timer by clicking "Start." It will start counting down. Once the time runs out, it will beep and the board will clear so that players can't continue writing down any more words. If you choose to, you can click the start button again and it will stop the clock.
VBA Connect Four
September 15, 2012 by Dustin Ormond
Download This is a .xlsm file so you need to enable macros! For those using versions prior to Excel 2007, I have programmed it to use the ribbon but the game may still work.

With Connect Four, starting from some code I borrowed online (sorry, I do not remember where), I decided to revamp it and make it more customizable. The additions I made to the game include two-player play, more robust code, and a few other changes.

Using the Ribbon Buttons
To reduce clutter on the screen, I decided to add all actions performed into the ribbon (see below). This ribbon menu gives you access to start a new game against the computer or against a friend. It also gives you control over who goes first.

Playing the Game
The object of the game is to get four in a row, either vertically, horizontally, or diagonally. Click the column that you want to drop the piece in and it will fill in the lowest circle with your color.
VBA Monopoly
September 15, 2012 by Dustin Ormond
Download This is a .xlsm file so you need to enable macros! For those using versions prior to Excel 2007, I have programmed it to use the ribbon but the game may still work.

This game is taken from an example I found on the internet by Charlie Jans (link removed because the website no longer works). However, I completely reworked it so that the code is more robust. It has four players and has a lot more functionality in some areas.

Using the Ribbon Buttons
To reduce clutter on the screen, I decided to add all actions performed into the ribbon as shown in the next screenshot. This ribbon menu gives you access to start a new game, roll the dice, buy/sell houses, mortgage/unmortgage property, offer deals to other players, change the board name between five different editions, or save and close at the click of a button. Computer players will automatically perform all these actions. Some buttons are only enabled when the player has met the minimum requirements to perform the given operation. For example, buying houses is disabled if the player doesn't own a monopoly.

Playing the Game
Game play starts by entering the number of players (from 2 to 4 players), which will clear the board if needed. If you want to change human players to computer players, click the cell that says "Player #" at the top of a player's property list. To roll, click the "Roll Dice" button in the middle of the board or in the Excel ribbon. If the next player is a computer it will automatically roll. After purchasing property, the property will show up in the player's property list and mark the land tile as "Sold P#." If the property is already sold it will deduct the rent owed. If the space isn't property, the appropriate action is performed, such as drawing a Community Chest or Chance card. Mortgaging or unmortgaging property will change the status back and forth from "Sold P#" to "Mort P#" and mark it red if it is mortgaged. Buying houses/hotels will place a house shape on the board.
Buying Property
When a player lands on a property that isn't owned, the following window will pop up giving the player the opportunity to purchase the property or put it up for auction. If the player decides to purchase the property, the title deed will pop up displaying details about the property such as rent, cost of houses, and mortgage value. Rent is highlighted in red. If a player owns a monopoly without houses, the value will double except on railroad and utility spaces. Instead, the rent value for these spaces will change based on the quantity owned. See below for sample property deeds. After a player owns property, he/she can double-click the property name in their property list and it will display the title deed once again.

Auctioning Property
If the player declines to purchase the property or lacks funds, the property is auctioned off. The window below pops up, where the player after the one who declined the property starts the bid. The starting price is half the value of the property. The bidder can increment the current bid by as much as they want. If a bidder passes, their status changes from "Active" bidder to "Passed." After all but one bidder passes, the last bidder wins the bid and receives the property at the "Current Bid."

Forced Mortgage or Selling Houses
In the case that the player owes more cash than they have, a window will pop up presenting options to either mortgage property, sell houses, or declare bankruptcy by quitting. By clicking on "Mortgage Property" a window to mortgage property is shown, as discussed in the next section. If the player doesn't have any houses, then the "Sell House" button is disabled. In the event that any player declares bankruptcy, all property, cash, Get Out of Jail Free cards, etc. shift from the bankrupt player to the player to whom rent is owed. If rent is owed to the bank, all property goes back to the bank.
Mortgaging/Unmortgaging Property
When a player opts to mortgage or unmortgage property, whether by choice or not, the mortgage window is made visible (see below). In this window there are two pages: a mortgaging page and an unmortgaging page. The player decides which property they want to mortgage or unmortgage. After doing so, the window is refreshed to show the current property status. When a property is mortgaged, the font of the property is set to strikethrough. By mortgaging, the player adds the mortgage value to their current cash. When unmortgaging, the player will be charged a 10% interest fee.

Trading Property
Any time during the game when two players have property, a player can propose a trade as long as they are one of the two players with property. Proposing a trade opens the window below and loads the player's property in the left side of the window. The player can then select a player to trade with and it populates the other player's property in the right side of the window. Property can be selected for trade and multiple selections can be made as shown in the screenshot. Additionally, the player can designate a certain amount of cash they offer or demand with the trade. After all fields are filled, the player then clicks "Offer" which will proceed with the offer. The player making the offer is then prompted to confirm the offer is correct before sending the offer to the other player, as shown in the screenshot at the bottom right of this page. After the player makes the proposal, the recipient receives the offer as shown in the window below. If the recipient is a computer, everything is handled in the background and the computer will accept or reject the offer. The recipient player can evaluate the offer and decide whether they accept or decline it. If the offer is declined, the offering player is notified that the offer was rejected.
Buying and Selling Houses
Buying and selling houses or hotels on property is set up very similarly to the "Mortgage Property" window. When a player has a monopoly they can purchase houses or hotels (see below). Houses are purchased at the cost shown. Every time a building is purchased, the window is refreshed so the player has to build houses and hotels evenly. After purchasing a house or hotel, it is placed on the board as shown in the image below as a green house or a red hotel. After building houses or hotels on property, the property title deed is updated as seen below. Since Boardwalk has a house built on it, the line about owning one house is colored red.

Getting Out of Jail
Whenever a player is in jail, when they roll the dice the window to the right opens and prompts the user to either use a Chance or Community Chest card if they have one, pay the $50 fine, or roll the dice in an attempt to roll doubles. After three rolls with no doubles, the player is forced to pay the fine and leave jail. The Get Out of Jail Free cards are shown in the player's property list right next to the cash.
VBA Scrabble
September 15, 2012 by Dustin Ormond
Download This is a .xlsm file so you need to enable macros! For those using versions prior to Excel 2007, I have programmed it to use the ribbon but the game may still work.

Using Ribbon Buttons
Even though the buttons to start a new game, end your turn, undo tile placement, and swap out your tiles are found on the board, I also included them in the ribbon for convenience.

Playing the Game
The Scrabble board lists the quantity of each letter, the score for each letter, the tiles remaining (upper right-hand corner), etc. There are four buttons to click to continue with game play: "New Game", "End Turn", "Undo", and "Swap."

New Game Button
By clicking the "New Game" button, it will clear the board and start a new game. Before clearing the board it will ask how many players you want in the game (1-4 players). The user form prevents the user from entering any character except one through four. After entering the number of players, it asks for each player's name and populates the tiles next to the player's name. After starting a new game, the first player takes their turn by highlighting the center cell. Highlighting the cell brings up a prompt asking the player to enter one of the tiles they currently own. If the player enters an invalid character or a letter they don't own, then nothing happens. After a player enters a letter it is replaced with a dash (-). See below for the user form for entering letters and for the changes in the player's tile set. The player can then continue building the rest of the word off the center tile. It will only prompt the user to enter a letter if the player can build there. This game tests all directions and handles tile placement for the first, second, and consecutive tiles. In the case of a blank tile, the player enters a space and it changes to a special tile form (see below). Here the player can enter any letter they want. When the blank tile is placed on the board the letter shows up in red font so that it isn't scored.
After the player finishes their turn, they click the "End Turn" button. Clicking the "End Turn" button checks the validity of the word(s) added to the board, scores the points earned (factoring in the word and letter multipliers for all word combinations), and advances to the next player's turn. If the word is invalid (see below), it will undo the tiles and advance to the next player. It displays all the words that are not valid. The valid word check compares against the Excel dictionary. If the player uses all seven tiles they will receive an extra 50 points on their score.

Undoing Tile Placement
After a player has placed tiles and they decide against their decision, they can click the "Undo" button and it will erase all the tiles placed, replace all the tiles in the player's list, and start the turn over. The player can then begin placing tiles again.

Swapping Tiles
On the occasion that the player receives a bunch of tiles they don't want, or they can't place anything because of the combination of tiles, the player can choose to swap out one, two…or all the tiles that they currently have. Every letter entered into the form replaces the same letter on the worksheet with a dash. If a player deletes a letter they entered, it is placed back into the spreadsheet. Below is an example of what it looks like when a player decides to swap out tiles.
VBA Yahtzee
September 15, 2012 by Dustin Ormond
Download This is a .xlsm file so you need to enable macros! For those using versions prior to Excel 2007, I have programmed it to use the ribbon but the game may still work.

Using the Ribbon Buttons
Even though the buttons to start a new game, roll the dice, and rank all players are found on the board, I also included them in the ribbon for convenience.

Playing the Game
The score sheet is completely interactive. When the player clicks "New Game," it asks how many players will be playing. For each player, they enter their name which is then populated into the spreadsheet. When a player has finished rolling what they want, they then click inside the cell to put their score. The computer then calculates according to the dice and criteria needed and puts the correct value into the cell. Any time during the game, players can click "Rank" and it will reorganize the scorecard placing the leader at the top.

Rolling the Dice
The player clicks "Roll" which randomly rolls the dice. The player can then choose which dice they want to keep by either clicking anywhere within the cells or the checkmarks next to the dice. The selected dice will change to the color black. After three rolls, the player is required to place their score in the score sheet. The game prompts the user to place their score if they try to roll more than three times. Click anywhere on the scorecard to add your score to that particular scoring item. The two photos below are an example of what it looks like before the user selects the dice they want to keep and after they have selected the dice.
VBA Trivial Pursuit
September 15, 2012 by Dustin Ormond
Download This is a .xlsm file so you need to enable macros! For those using versions prior to Excel 2007, I have programmed it to use the ribbon but the game may still work.

Playing the Game
During the course of the game you will roll the dice and choose to move clockwise or counter-clockwise around the board. If you land on a white space, nothing happens. If you land on a colored space you will be asked a question related to the color category listed to the right of the board. These categories can be renamed to whatever categories you desire. If the player answers the trivia question correctly, that category is marked as "completed" for the given player. After capturing all categories, you will automatically advance to the final (center) space where you will be asked a question relating to the black category. If you answer this question correctly, you will win the game.

Trivia Questions
In order to change the trivia questions, click on the "Questions" spreadsheet and change the question accordingly. Make sure you remember to change the multiple-choice answer.

Limitations
This game does not work as a one-player game but does support up to four players. In order to change the number of players, manually type the number of players you would like to play with and click the new game button. This version of the game only has support for 10 questions per category. I built it that way as I originally designed this to work for my class. With a few modifications, this could support more questions. You would need to change some of the coding and information in the hidden columns on the first spreadsheet. All questions are set up as multiple-choice questions rather than the original Trivial Pursuit style question.