Configuring the BIG-IP and PHP "Hack-It-Yourself" Auction Site

ltwagnon · ‎25-Sep-2013

I've been writing a series of articles on the features and capabilities of the BIG-IP ASM...here are the links for your reading pleasure:

In those articles I've used a fictitious auction site to test the ASM. Several people have inquired about this auction site and they wanted to know how to configure it so that they could get their own hands dirty with testing and configuring their ASM. Well, this article outlines the steps needed to get your own BIG-IP ASM and PHP Auction site up and running. Then, it's up to you to try out all the cool features of the ASM.

Required Software

I used virtual machines to set up and configure the BIG-IP and the auction site. You can use whatever hypervisor you want, but for the purposes of this article, I'll show you how it's done using VMware workstation. So, here's the list of software you will need to make all this happen:

VMware Workstation (free trial available here). I'm using a Windows PC, but you can use Linux if you want.
BIG-IP Virtual Edition (make sure you have the ASM module).
The PHP Auction Site VMware files.

UPDATE: The Google Drive folder that has all the download files is here: https://drive.google.com/drive/folders/0B4xC7Uw8ziLER3RqZXZWTFZTcW8?resourcekey=0-shweDpAzbgSyDTAkHq...

Caveat: This article assumes you already have a licensed and configured BIG-IP system, so I will just focus on the PHPAuction side of things. If you don't have the BIG-IP Virtual Edition, contact your sales rep and ask for a copy. Also, if you need help licensing and configuring the BIG-IP Virtual Edition, check out these solutions on AskF5:

Licensing the BIG-IP system: http://support.f5.com/kb/en-us/solutions/public/7000/700/sol7752.html?sr=32111581
BIG-IP Virtual Edition Setup Guide for VMware: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ve-setup-vmware-11-4-0.html

Virtual Network Configuration

Before loading up the PHP Auction site, you need to complete the following steps to configure the VMware Workstation Virtual Network Editor (shown in the picture below). If you have already set up your BIG-IP Virtual Edition, you may have already stepped through this configuration. If that's the case, you will want to make sure the settings for your VMnets are the same as the settings shown below.

Delete any existing VMnets EXCEPT for VMnet0
Click the "Add Network" button, and add VMnet1, VMnet2, and VMnet3

VMnet0 Settings

Since you kept the VMnet0 settings, you don't have to do anything else with that one. Here's a quick screenshot of the VMnet0 settings:

VMnet1 Settings

After you confirm the VMnet0 settings, select VMnet1 (this net will act as the out of band management) and configure it as follows:

Select the Host-only (connect VMs internally in a private network) option
Select the "Connect a host virtual adapter to this network" checkbox
Clear the "Use local DHCP service to distribute IP address to VMs" checkbox
For the Subnet IP, enter 10.128.1.0 and for the Subnet mask enter 255.255.255.0

VMnet2 Settings

After you confirm the VMnet1 settings, select VMnet2 (this will act as the external VLAN for access to 0.0.0.0) and configure it as follows:

Select the "NAT (shared host’s IP address with VMs)" option
Select the "Connect a host virtual adapter to this network" checkbox
Clear the "Use local DHCP service to distribute IP address to VMs" checkbox
For the Subnet IP, enter 10.128.10.0 and for the Subnet mask enter 255.255.255.0
Click the "NAT Settings" button
- For the Gateway IP enter 10.128.10.1 and then click OK.

VMnet3 Settings

After you configure the VMnet2 settings, select VMnet3 (this will act as the internal VLAN where the server image exists) and configure it as follows:

Host-only (connect VMs internally in a private network) option selected
Connect a host virtual adapter to this network checkbox cleared
Use local DHCP service to distribute IP address to VMs checkbox cleared
For the Subnet IP enter 10.128.20.0 and for the Subnet mask enter 255.255.255.0
Ensure that the “Connect a host virtual adapter to this network” checkbox is cleared. This prevents your local workstation from having direct access to this network. This will avoid asymmetric routing issues and also allows you to demonstrate secure remote access and full proxy features.

This concludes the network setup for VMware. Now you can install the PHP Auction virtual machine...

Install the PHP Auction Image

In VMware Workstation, select File >> Open and choose the "Open Virtual Machine Format" PHP Auction file (this will be a .ovf file).

After you import the virtual machine (you may have to accept a few license agreements, etc), then you move on to configuring the virtual machine network settings. The following screenshot shows the settings for the PHP Auction virtual machine. You will need to customize the three Network Adapters to the settings shown in the picture below (you will use the three custom VMnets you just created), but you shouldn't need to configure anything else on this screen.

After the virtual machine imports correctly, you can power it on and let it boot up. When the boot up completes, you will see the following login screen:

The login is "root" and the password is "default". So, go ahead and login and then you can leave it alone...you won't need to touch it again.

Configure the BIG-IP

Now it's time to make sure the BIG-IP is set up correctly to protect the traffic flowing to/from the auction site. First, create a pool (I called it "auction_pool" but you can call it whatever you want) with node address 10.128.20.150 and service port 80. This pool only has one member. The following screenshot shows you the details for the auction pool.

Next, you create the virtual server. I called it "auction_vs" but you can call it whatever you want...just don't call me Shirley. The IP address for the virtual server is 10.128.10.35, and I chose service port 443 so I could test out some crazy SSL capabilities. But, you can choose port 80 if you want. Keep in mind that if you choose port 443, you should create an SSL client profile and configure the appropriate certificate and key combo for the profile. The following screenshot shows the details of the virtual server configuration.

The Final Touches

OK...now that the BIG-IP is all set up and the PHP Auction virtual machine is running, you should be able to access the auction site from your browser of choice. One other optional thing you can do is add the virtual server IP address of the auction site to the "hosts" file in WIndows. You should be able to locate this file at: C: >> Windows >> System32 >> drivers >> etc. You can add the IP address to the file and then provide a host name for the auction site...the example below shows the name "auction.f5demo.com" but, again, you can choose something different if you want.

So, the final check is to make sure all this works. Notice that the "auction.f5demo.com" worked as expected. You can also use the IP address "10.128.10.35" if you want.

I hope this information is helpful. Feel free to comment and/or ask questions as needed. Also, be sure to check out the articles that dig deeper into the configurations and capabilities of the ASM!

Praveen_Kumar_K · ‎14-Nov-2013

Hello John,

I am going through all your security related article, i should say i was looking for this. Your articles are very simple and easy to understand.

Which version of F5 with ASM you are using on Vmware workstation.

I can find only above version 10 virtual edition which can be used on VMware ESX/i Server. I am using Microsoft Hyper-V with 8GB ram desktop.

ltwagnon · ‎18-Nov-2013

Praveen, thanks for the question and thanks for the comments on these ASM articles...I'm glad they are helping!

I am using ASM version 11.3 (virtual edition) and VMware Workstation version 9. The virtual edition BIG-IPs are designed to work with many different hypervisors, so you should be good with either VMware or Microsoft Hyper-V. BIG-IP VE also works with XenServer, KVM, and Amazon Web Services. Let me know if you need more detail on any of these and I can get you the specifics. Thanks again!!

fx_91779 · ‎23-May-2014

Hi John,

I've converted hack-it from Redhat to Debian, and it's upgradeable

Please check this link: https://www.dropbox.com/sh/09dkjicaes2hygo/AAAmW_XMF3N-KQ_nIpvEnogla?dl=0

ova & readme available

Thanks

ltwagnon · ‎23-May-2014

Budi, thanks so much for doing this...great work!!

John

VFB · ‎10-Sep-2014

Has anyone gotten this to work with VMWARE Fusion?

John_Buchanan · ‎24-Sep-2014

I've got the vm running on VMware Workstation 10.x, but all I get from Apache is a 404 error. Should this run pretty much out of the box? Would you expect to see this error result if I have not followed the network interface configuration quite as shown? Myself and a colleague went through the instructor lead ASM class last week and are eager to get the hack-it site up and running to run through some labs again as well as aid in development of implementation of ASM in our production environment. thank you

hardi_ameen · ‎10-Oct-2015

please can you provide the users login, I studentx as a username and password is not working! appreciate your advice!

Luis_Villalobos · ‎23-Oct-2015

Hardi, the user will be student1, student2, student3, etc. with student1, student2, student3 as password.

Valentine_96813 · ‎18-Nov-2015

Just downloaded this and the student logins are not working. Anyone else having this issue?

Valentine_96813 · ‎18-Nov-2015

Okay, nvm. If you took the ASM class, the student IDs were already created. If you download the auction site from Devcentral, you have to register all the IDs you want to use by clicking 'Register now' on the auction home page once you install it using the directions above. Oh, an you must fill in every field with something, its required.

dgalati_13969 · ‎23-Nov-2015

Hi, I downloaded this from Google Docs and I was able to load it into VMware Workstation Pro 12. I followed the instructions on this article but I cant ping the Auction Server so I cant get the Pool or VS to come up. Needless to say I cant log into the auction site. Is there more getting the auction site up and going? Thank you,

Dai_Do_203354 · ‎02-Dec-2015

Great! Thanks!

ltwagnon · ‎20-Jan-2016

FYI...Budi Ang created another version of the Hack-it site using OpenBSD 5.4 and using chroot httpd. Check it out here: https://www.dropbox.com/sh/zwf7fnx8jdyaozl/AAD_iLju4iF5HzLLHwokMBLna?dl=0

zeropixel_23561 · ‎19-May-2016

I have the local F5 ASM running in my mac os x vmware, and I have setup the network adapters. I downloaded OpenBSD 5.4 ova and plan to install in my local VM vmware, so I can test it with the Hack-it site. I cannot make the network adapters changes for OpenBSD because it may mess up my local F5 ASM? I have followed debian-f5-asm-amd64-README.txt to make changes on dns and dhcp. Could you please advise. Thanks!

Harry1 · ‎22-Dec-2016

Hello John,

i just tried to download PHPAUCTIOn with ASm. could you please help me out that how can i block SQLinjection attack however i applied asm policy but still i am able to inject user's database with sql injection for example 'OR 1=1. also not able to see that malicious event in ASM.

dany508_223775 · ‎27-Dec-2016

Hi,

Has anyone got this working with VMware fusion? I tried to import the Debian version, however, It's not working straight away. In spite of manually adding interfaces still, it's not seen when starting the VM. Apache, MySQL start without issues but I have an issue with the network interfaces.

Thanks!

dany508_223775 · ‎27-Dec-2016

Loaded the Redhat version.It started working straight away!!!

dany508_223775 · ‎27-Dec-2016

Thanks John..Awesome work..

Noah_Milhim_231 · ‎18-Jan-2017

Hi Dear; I tried installing the ASM and PHPauction VMs, ASM cannot reach PHPAuction site on 10.128.20.150 VMnet3(internal vlan) as per the steps, could you please share the network settings from ASM side.

ltwagnon · ‎01-Mar-2017

The ASM configuration steps are toward the end of the article. Make sure you update your hosts file to reflect the IP address changes as well. That was one thing that confused me for a little bit. If you are still having problems, maybe you can share what steps you have taken and then we can try to figure out what might be causing the actual problem. Thanks!

ltwagnon · ‎01-Mar-2017

@prak, do you have your attack signatures enabled? Even if you have the policy applied, you need to make sure attack signatures are not in staging mode. When the ASM blocks a request, the block details should show up in the logs. Here's an article that talks about attack signatures: https://devcentral.f5.com/s/articles/the-big-ip-application-security-manager-part-4-attack-signature...

¬†

flipperbox77_32 · ‎07-Jun-2017

Hi There, I'm wondering if there is a Citrix Xen Server version of this Auction Site, I'd tried to run this VMWare version to Citrix, but no luck(Kernel panic: VFS: Unable to mount root fs on 8:03). thanks in advance.

ltwagnon · ‎06-Jul-2017

Hi flipperbox77. I'm not aware of a Citrix Xen Server version of this site, but there is a Debian version you can mess with. Here's the link: https://drive.google.com/file/d/0B4xC7Uw8ziLEenpVd3lhdUVIak0/view

This site was created several years ago, and it's not actively supported (to my knowledge) so I'm not sure how many versions are out there for all the various platforms. Hope this helps!

Andrew_Husking · ‎27-Aug-2017

Is there a way to build this into a VM ourselves?

It would be great to build in docker and for testing ASM in Azure/AWS etc.

Cheers,

ltwagnon · ‎28-Aug-2017

Hi Andrew. Unfortunately, this web app is old and not supported any more (that I know of), and I've had problems finding the person who created it originally. I can ask around to see if we have something similar for docker, azure, asm, etc. I can let you know what I find out. Thanks!

F5_Fan_162146 · ‎30-Aug-2017

Second the request to publish instructions on setting up env in aws.

Duncan_Proffitt · ‎06-Apr-2018

Great post. So, doing this in HTTP worked like a dream. Some crazy SSL stuff HAD to be done. (the challenge was on!)

Set up different VS (although using the same dest add, but with different port - 443) Created custom pool as well (added a custom ssl monitor to see what's happening - still red) Pool member 10.128.20.150:443 - showing down (although parent node 10.128.20.150 is showing up)

Created custom SSL client profile Created self-signed cert & key to add to the custom profile But when https://10.128.10.35/ I get the attempted cert exchange, but it fails with ..

An error occurred during a connection to 10.128.10.35. SSL peer was unable to negotiate an acceptable set of security parameters. Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT

So, my thoughts were that the cert is at fault. (we'll get to that later)

The HTTP stuff works ok.

So a couple questions from the Noob

1) Can I set up HTTP & HTTPS profiles for the site to run side-by-side, or will I have to bring down the HTTP vs? 2) I set up a self cert to make this happen, I assume that any details will be acceptable in the cert, and I dont have to use the settings in the training manuals? 3) Are there specific settings in the self-cert creation I need for this exercise Thanks in advance D.

SOLUTION FOUND - PICNIC (Problem in chair, not in computer) One HAS to remember to allow 443 on the self IP!! (DOH) {slinks away, slightly ashamed}

Dojs · ‎24-Apr-2018

I build my lab here in the v13 and works well. Changed the IP, and trying to take time to insert all studentX to users. Great Lab

KVHCL_366398 · ‎09-Jul-2018

Hi John could you please provide the PHP Auction Site for Hyper V.

MSZ · ‎31-Oct-2018

Can anyone explain the traffic flow with details like encryption/Decryption through f5?

We have an website with HTTPS enabled. We have LTM We have ASM SSL offloading on F5

Internet --> F5 --> Webserver

What will actually do the F5 here for incoming traffic and for outgoing traffic ?

Somil_319871 · ‎07-Feb-2019

Good stuff John, I need some test scripts from different vulnerability catagory as want to test with & without ASM for a POC, appriciate if you can help pls.

Amresh008 · ‎13-Mar-2019

It's not working for me guys, having followed all the steps - This page cannot be displayed.VIP is not pingable from the PHP machine, but the server is.

Kevin_Davies · ‎10-Apr-2019

When your on the hackit site you can access the admin pages by changing the URL to /admin/admin.php. Then you can reset passwords or create accounts.

Podikkandi · ‎03-Sep-2019

Same for me too...

After configuring the SNAT and interfaces of BigIP in webserver series and VIP series, its working fine.

I think those steps are not mentioned here

Yogi · ‎14-Oct-2019

I have Hyper-V on my machine and while I am converting the VMDK files to vhd it do not load the OS.

nibble · ‎25-Apr-2021

Thank you for this article!

FrancisOlivier · ‎23-Jun-2021

Can you please provide default http login/pwd ?

hardi_ameen · ‎26-Jun-2021

for the F5 Utility access through GUI:

username: admin

password: admin

tmsh access using ssh:

username: root

Password: default

FrancisOlivier · ‎26-Jun-2021

Thanks you very much hardi.ameen for the info 👌

Mohanraj · ‎22-Oct-2021

Can anyone help this links are not working

https://www.dropbox.com/sh/zwf7fnx8jdyaozl/AAD_iLju4iF5HzLLHwokMBLna?dl=0

https://www.dropbox.com/sh/09dkjicaes2hygo/AAAmW_XMF3N-KQ_nIpvEnogla?dl=0

Mohanraj · ‎22-Oct-2021

Links over here need access to the files.

The PHP Auction Site VMware files (Redhat version available here) and (Debian version available here).

RKRam · ‎09-Nov-2021

yes, it need access to download this files.

can anyone help to download this file.

ltwagnon · ‎15-Dec-2021

See if this link works better:

https://drive.google.com/drive/folders/0B4xC7Uw8ziLER3RqZXZWTFZTcW8?resourcekey=0-shweDpAzbgSyDTAkHqy-iw&usp=sharing

fazlan · ‎16-Dec-2021

I can access the auction site via http ( port 80 ) but when i try to access it via port 443 its not working. Does it work only in port 80 ?

ghchee · ‎12-Feb-2023

Hi ltwagnon ,

my vmware workstation got some issue,
Can the PHP Auction Site setup on "Oracle VM VirtualBox"?

GH Chee

DevCentral