During Week 11, what are your experiences with Security Shepherd?
Which deployment method (VMware / VirtualBox / Docker) did you choose, and why?
How many challenges did you complete?
When you encountered issues, what kind of steps did you take to resolve the issues and forge onward?
Nicholas Fabrizio says
Security Shepherd is a very interesting virtual machine and I enjoyed being able to try and exploit some of the vulnerabilities. I decided to run the Security Shepherd 3.1 virtual machine on VMware since that is the hypervisor I’ve been using all semester. I was able to resolve the issue with the network adapters not showing up after finding a thread on the OWASP GitHub repository. This thread suggested releasing/renewing the DHCP client IP addresses and that worked for me (link is below). As of this writing I was able to complete 11 of the challenges and some took me a while, for example the challenge “What is Mobile Insecure Data Storage?”. I’ve learned to make sure to read the readme.txt file first because it may contain valuable information which could save you a lot of time troubleshooting.
https://github.com/OWASP/SecurityShepherd/issues/551
Kelly Sharadin says
Hi,
I agree reading documentation is the best first step in many scenarios.
Anthony Wong says
Completely agree here as well. Only thing I didn’t find in the documentation was the login credentials for Security Shepherd… I only knew once Professor Bailey mentioned it in class.
Kelly Sharadin says
When you unzipped the Security Shepherd zip, you should have received a readme.txt; that’s where the instructions for install and the password are.
Anthony Wong says
Oh I see it now… I was looking in the wrong folder the entire time.
Zhuofu Wang says
Agree. Any official file will help. And the community (The SecurityShepherd bug page https://github.com/OWASP/SecurityShepherd/labels/Bug) is also a useful way to find the solution.
Amelia Safirstein says
Youtube has been really helpful for me when I run into issues as well! There are tutorials on virtually everything.
Bryan Garrahan says
Thanks for sharing, Nick! I’m going to see if this works for me in version 3.1.
Anthony Wong says
I chose to use VirtualBox because my Kali and Metasploitable machines were deployed there, and I added Security Shepherd and Security Dojo to the same network. In the beginning of the semester, I tried to work with VMware, but ran into a ton of issues and found it difficult to work with. As I completed more challenges, they became more difficult and took me a while to complete. I completed 8 challenges in Security Shepherd. Also, I briefly used Dojo to try XSS and generated an alert. Overall, both installations went pretty smoothly for me. The main problem I ran into was not being able to access Security Shepherd, but that was resolved by rebooting the VM.
Kelly Sharadin says
Hi,
Not related to the web apps but I understand what you’re saying about putting things on the same network. Actually, understanding virtual networks helped me understand networking in general. Every frustration is a learning process 🙂
Anthony Wong says
Hi Kelly,
I definitely want to keep building on my network knowledge. I will have to take a look more into virtual networks to help with this. Thanks!
Kelly Sharadin says
Deployed on VirtualBox and had no issues connecting. Each exercise builds upon the previous exploit, so it’s a pretty logical path which I found very helpful in understanding the increasing complexity / what to look for when sending requests. I got up to exercise 5 and ran into some operational issues that may be related to my build, but I will have to investigate further.
Anthony Wong says
As I went on past exercise 5 (?), I personally found them more difficult to solve. Did you experiment with Security Dojo at all?
Kelly Sharadin says
Yes, I posted on the other discussion post. Overall I found Security Dojo less intuitive than Security Shepherd. I also didn’t realize it was just the DVWA inside of the Security Dojo VM. When lockdown began earlier this year, I spent some time learning BurpSuite and played around with DVWA. There are some good walkthroughs available to help guide you; as I said, it doesn’t build as logically as Security Shepherd, so you really need web app knowledge to move through the challenges.
Anthony Wong says
Completely agree. I struggled with Dojo and was lucky to find a decent amount of tutorial videos to help out.
Amelia Safirstein says
I did the same thing with DVWA! I agree though that Security Shepherd is more intuitive. I found myself needing to find hints and follow some video tutorials in DVWA to get through.
Anthony Wong says
@ Kelly’s post.
Zhuofu Wang says
I tried to deploy Security Shepherd on VMware but failed. It kept giving me some error about the network connection. Although I debugged and modified the settings, it still couldn’t be solved. Then I tried to deploy Security Shepherd on VirtualBox, and everything went smoothly. I have completed 4 exercises so far and am preparing to do more exercises during the weekend.
Anthony Wong says
Hi Zhuofu,
Browsing through the readme.txt, it does mention VirtualBox is recommended, which makes me believe they are aware of all the VMware issues.
Zhuofu Wang says
Hi Anthony,
Yeah, they provide a .ova file, which is the import format of VirtualBox. The import format of VMware should be the .vmdk file. I prefer to use VMware, so I tried to deploy it on VMware first. In most cases, VMware supports the import of the .ova format, but some minor problems may occur.
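Since the thread compares the .ova and .vmdk import formats, here is an added example (not code from the thread or from the Security Shepherd project) showing what an .ova actually is: a tar archive that holds the .ovf descriptor, the .vmdk disk(s) and usually a .mf manifest listing a digest of each member. The script lists the members and checks the manifest digests, which is a cheap integrity check worth running on any downloaded appliance before importing it into VirtualBox or VMware. The file names and contents are constructed for the demo; it assumes the OVA carries a manifest in the `SHA256(name)= hex` form used by the OVF standard.

```python
"""Inspect an OVA archive and verify its manifest before importing it.

Added example, not from the discussion thread or the Security Shepherd
project. Assumes: an OVA is a tar archive holding a .ovf descriptor,
one or more .vmdk disks and, optionally, a .mf manifest whose lines
look like
    SHA256(file.ovf)= <hexdigest>
The sample OVA built below is constructed for the demo; names and
contents are made up.
"""
import hashlib
import io
import re
import tarfile

# One manifest line: ALGO(member)= hexdigest  (SHA1/SHA256/SHA512 are the OVF choices)
MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+?)\)=\s*([0-9a-fA-F]+)\s*$")


def list_ova(ova_bytes: bytes) -> list:
    """Return the regular-file member names inside an OVA (tar) archive, in order."""
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r:") as tar:
        return [m.name for m in tar.getmembers() if m.isfile()]


def _read_member(tar: tarfile.TarFile, name: str) -> bytes:
    f = tar.extractfile(name)
    if f is None:
        raise KeyError(name)
    return f.read()


def verify_ova_manifest(ova_bytes: bytes) -> dict:
    """Check every manifest entry against the digest of the actual member.

    Returns {member: True/False}. A member listed in the manifest but
    missing from the archive is reported as False. Raises ValueError if
    the archive has no .mf file, since then nothing can be verified.
    """
    results = {}
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r:") as tar:
        names = [m.name for m in tar.getmembers() if m.isfile()]
        mf_names = [n for n in names if n.endswith(".mf")]
        if not mf_names:
            raise ValueError("OVA has no .mf manifest; cannot verify")
        manifest = _read_member(tar, mf_names[0]).decode("utf-8")
        for line in manifest.splitlines():
            m = MANIFEST_LINE.match(line.strip())
            if not m:
                continue  # skip blank or unrecognised lines
            algo, member, expected = m.group(1).lower(), m.group(2), m.group(3).lower()
            if member not in names:
                results[member] = False
                continue
            actual = hashlib.new(algo, _read_member(tar, member)).hexdigest()
            results[member] = actual == expected
    return results


def build_sample_ova(tamper: bool = False) -> bytes:
    """Construct a tiny in-memory OVA for the demo (sample data, not a real appliance)."""
    ovf = b'<?xml version="1.0"?><Envelope><!-- constructed descriptor --></Envelope>'
    vmdk = b"\x00" * 64  # placeholder disk bytes, not a real VMDK
    manifest = (
        f"SHA256(appliance.ovf)= {hashlib.sha256(ovf).hexdigest()}\n"
        f"SHA256(appliance-disk1.vmdk)= {hashlib.sha256(vmdk).hexdigest()}\n"
    ).encode()
    if tamper:
        vmdk = vmdk + b"\x01"  # disk changed after the manifest was written
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("appliance.ovf", ovf),
                           ("appliance-disk1.vmdk", vmdk),
                           ("appliance.mf", manifest)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample_ova()
    print(list_ova(good))
    print(verify_ova_manifest(good))
    print(verify_ova_manifest(build_sample_ova(tamper=True)))
```

To check a real download, read the .ova file into bytes and pass it to `verify_ova_manifest`; a False entry means the member no longer matches what the publisher listed, so the appliance should not be imported until the download is re-fetched and compared against the publisher's published checksum.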
Amelia Safirstein says
I deployed Security Shepherd in VirtualBox since I already had Kali running through that hypervisor on the machine that I wanted to use. I have completed four challenges so far and plan to continue practicing. The only issue I’ve run into so far is not being able to log into the admin account with the server admin login credentials. Reading the “Read Me” sheet the entire way through was useful!
Bryan Garrahan says
I chose to deploy Security Shepherd via the VMware virtual environment I’ve been using this semester. I actually ran into the same issues we walked through in class when I was attempting to deploy version 3.1. Initially, I didn’t have much success troubleshooting the problem with the YouTube videos and articles I was reading, compared to some of the previous programs we needed to install. However, I ended up installing version 3.0 and had much more success doing so. At the moment, I’ve completed 2 challenges but plan on completing the rest by the end of the semester.