Usage

RasPwn emulates a vulnerable Linux web server. To use it, just boot RasPwn, then connect to RasPwn OS via WiFi from your favorite pen-testing set-up. (We like Kali, ParrotS, BlackArch and Pentoo.)

SSID - RasPwn OS
Password - In53cur3!

Once you have connected, you can explore the 192.168.99.0/24 subnet and the *.playground.raspwn.org domain. The RasPwn Web Playground can be found at http://playground.raspwn.org (192.168.99.13).

Network services running in Raspwn OS include -

  • Bind (192.168.99.1, 192.168.99.10) - DNS Server
  • Postfix (192.168.99.18) - Mail Transfer Agent
  • Dovecot (192.168.99.18) - Mail Client Server
  • Samba (192.168.99.10) - Windows File Sharing Server
  • Apache2 (192.168.99.13) - Web Server
  • Nginx (192.168.99.7) - Web Server
  • MySQL Server (127.0.0.1) - Database Server
  • OpenSSH (192.168.99.1) - SSH server

Playground Web Applications

Intentionally Vulnerable Web Applications-

Out-Of-Date Web Applications

The admin account for web applications is -

user - admin <admin@playground.raspwn.org>
password - Pa55w0rd!

The web applications exist in their own little universe. Each gets its DNS from RasPwn, and all outgoing mail to *@playground.raspwn.org is delivered to the local mail server at mail.playground.raspwn.org, where it can be retrieved via IMAP or viewed from a browser via Roundcube in the Playground. Everything from DNS to MTA to MySQL to Apache2 is already set up.

Two email accounts have been set up with the credentials -

IMAP/SMTP Server - <mail.playground.raspwn.org>

user 1 - <admin@playground.raspwn.org>
password - Pa55w0rd!

user 2 - <mrbill@playground.raspwn.org>
password - OhNoMrBill!

(More email accounts can be added too but that's a 'coming soon'.)

If you wish to customize RasPwn or play Red vs. Blue, you can log on locally or via SSH. The default credentials are:

user - pi
password - pwnme!

RasPwn images are put together from snapshots of Debian Linux. This allows us to create a vulnerable system image without breaking the system stability. The end effect is that RasPwn is a fly in amber. The current snapshot is http://snapshot.debian.org/archive/debian/20150203T222332Z/. By default the system is headless. However, xorg can be installed via apt-get (in fact, any package from the Debian snapshot repo can be installed). Just connect eth0 to the internet (from behind a firewall, of course) and run sudo apt-get install desired-package.

The current documentation is minimal (sorry); I'll be adding more as I can.

NOTE - It is possible to connect eth0 to the internet and use RasPwn as a (possibly the world's most insecure) wireless router. However, IF YOU DO SO, PLEASE DO SO FROM BEHIND NAT AND A FIREWALL! DO NOT EXPOSE ANY RASPWN INTERFACES DIRECTLY TO THE INTERNET OR FORWARD INTERNET TRAFFIC TO RASPWN IN ANY WAY!!!

WE ARE NOT KIDDING WHEN WE SAY INTENTIONALLY VULNERABLE.
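
One way to check the NAT requirement above before connecting eth0. This is an added example, not part of RasPwn; the --live flag and the idea of saving it as preflight.sh are made up for illustration. A private address only shows the uplink is behind NAT; it does not prove a firewall is present or that no ports are forwarded to RasPwn.

```shell
#!/bin/sh
# Added example, not part of RasPwn. Classifies the IPv4 address on the uplink
# interface so RasPwn is only attached to a network that sits behind NAT.

# classify_ipv4 ADDR[/PREFIX]
#   prints: private | lab | cgnat | linklocal | loopback | public | invalid
classify_ipv4() {
    addr=${1%%/*}                                    # drop an optional /prefix
    case $addr in ''|*[!0-9.]*) echo invalid; return 0 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs  # split into octets
    [ $# -eq 4 ] || { echo invalid; return 0; }
    for o in "$@"; do
        case $o in ''|????*) echo invalid; return 0 ;; esac
        [ "$o" -le 255 ] || { echo invalid; return 0; }
    done
    case $1.$2 in
        # 192.168.99.0/24 is RasPwn's own WiFi subnet; an uplink there would clash
        192.168) [ "$3" -eq 99 ] && echo lab || echo private; return 0 ;;
        169.254) echo linklocal; return 0 ;;         # no DHCP lease obtained
    esac
    if   [ "$1" -eq 10 ];  then echo private
    elif [ "$1" -eq 127 ]; then echo loopback
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ];  then echo private
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then echo cgnat
    else echo public                                 # fail closed on anything else
    fi
}

# uplink_ok ADDR -> exit status 0 only for an RFC 1918 address that does not
# overlap the RasPwn lab subnet. Carrier-grade NAT (100.64.0.0/10) is rejected
# because that NAT is not under your control.
uplink_ok() {
    [ "$(classify_ipv4 "$1")" = private ]
}

# Live check on the Pi: sh preflight.sh --live [IFACE]   (IFACE defaults to eth0)
if [ "${1:-}" = "--live" ]; then
    iface=${2:-eth0}
    cidr=$(ip -4 -o addr show dev "$iface" | awk '{print $4; exit}')
    kind=$(classify_ipv4 "$cidr")
    echo "$iface: ${cidr:-no IPv4 address} ($kind)"
    uplink_ok "$cidr" || { echo "refusing: uplink is not behind private NAT" >&2; exit 1; }
fi
```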