
Manual Shepherd Set Up (Windows)

Mark Denihan edited this page Oct 23, 2015 · 10 revisions

To manually create your Security Shepherd server on Windows, follow these steps:

  1. Download the Security Shepherd Manual Pack
  2. Install Apache Tomcat 7
  3. Install MySQL, using CowSaysMoo as the default password to skip future steps. If you prefer your own password, go ahead and set up MySQL with that instead!
  4. Extract the Security Shepherd Manual Pack
  5. Copy the SQL files extracted from the pack to the bin directory of MySQL
  6. Open MySQL from the command line (e.g. mySqlBinDirectory/mysql -u root -p )
  7. Type the following commands to execute the Shepherd Manual Pack SQL files:

      source coreSchema.sql
      source moduleSchemas.sql

  8. Open the webapps directory of your Tomcat instance
  9. Delete any directories that are there already
  10. Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat
  11. Start Tomcat
  12. Open the temp directory of Tomcat
  13. If you chose the default password when configuring MySQL, you are running MySQL on the same machine as Tomcat, and you are using port 3306 for MySQL, you can skip this step. Otherwise, in the ROOT directory inside the temp directory, modify /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySQL settings. Leave the Driver alone!
    13.b) If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory holds the MySQL settings you need to modify.
  14. Open the root context of your Tomcat server (e.g. http://127.0.0.1:8080/ )
  15. Sign in to Security Shepherd with the default admin credentials (admin / password)
  16. Change the admin password (it can't be 'password' again)

To run Tomcat on both ports 80 & 443

Make sure JAVA_HOME is set:

  1. Right click My Computer and select Properties.
  2. On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g. C:\Program Files\Java\jdk1.8.0_45.

For 443 (HTTPS), first generate the self-signed certificate:

"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA

The following is an example of filling out the details for the cert. You can choose your own.

Enter keystore password:  passw0rd
Re-enter new password:  passw0rd
What is your first and last name?
  [Unknown]:  Paul Stone
What is the name of your organizational unit?
  [Unknown]:  Security Shepherd
What is the name of your organization?
  [Unknown]:  OWASP
What is the name of your City or Locality?
  [Unknown]:  Baile Átha Cliath
What is the name of your State or Province?
  [Unknown]:  Laighin
What is the two-letter country code for this unit?
  [Unknown]:  IE
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?
  [no]:  yes
 
Enter key password for <tomcat>
    (RETURN if same as keystore password):  <RETURN>

This will create the file C:\Users\YOUR_USERNAME\.keystore

Now update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password you set for the cert you generated and enter it as the 'keystorePass' value. Change the listener ports to the following:

<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" 
               connectionTimeout="20000" URIEncoding="UTF-8" />

<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore"
               keystorePass="passw0rd" keyAlias="tomcat"/>

Redirect traffic to 443 (HTTPS)

If you want to redirect traffic to secure 443 (HTTPS), add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml:

<security-constraint>
        <web-resource-collection>
                <web-resource-name>Entire Application</web-resource-name>
                <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
</security-constraint>
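
An added example, not part of the original wiki page or the Security Shepherd project: a Python check that parses the two Tomcat files edited above and reports whether the HTTPS connector still uses a published keystore password and whether web.xml forces HTTPS for /*. The embedded XML is constructed from the snippets on this page; the function names and the password list are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample input mirroring the server.xml / web.xml snippets above.
SERVER_XML = r"""<Server><Service name="Catalina">
  <Connector address="0.0.0.0" port="80" protocol="HTTP/1.1"/>
  <Connector address="0.0.0.0" port="443" SSLEnabled="true" scheme="https"
             secure="true" clientAuth="false" sslProtocol="TLS" keyAlias="tomcat"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd"/>
</Service></Server>"""
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Assumption: this page's sample passwords plus "changeit" (Tomcat's default).
PUBLISHED_PASSWORDS = {"passw0rd", "password", "changeit"}
REQUIRED = {("url-pattern", "/*"), ("transport-guarantee", "CONFIDENTIAL")}

def local(tag):
    """Strip an XML namespace so '{ns}name' compares equal to 'name'."""
    return tag.rsplit("}", 1)[-1]

def audit_connectors(server_xml):
    """Return findings for the TLS connectors in a server.xml string."""
    findings = []
    tls = [c for c in ET.fromstring(server_xml).iter("Connector")
           if c.get("SSLEnabled", "").lower() == "true"]
    if not tls:
        findings.append('no connector has SSLEnabled="true"')
    for c in tls:
        port = c.get("port")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f"port {port}: scheme/secure not set for HTTPS")
        # An omitted keystorePass falls back to Tomcat's default, "changeit".
        if c.get("keystorePass", "changeit") in PUBLISHED_PASSWORDS:
            findings.append(f"port {port}: keystorePass is a published value")
    return findings

def forces_https(web_xml):
    """True if a constraint on /* requires a CONFIDENTIAL transport."""
    root = ET.fromstring(web_xml)
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        texts = {(local(e.tag), (e.text or "").strip()) for e in sc.iter()}
        if REQUIRED <= texts:
            return True
    return False
```

Run against the sample, `audit_connectors(SERVER_XML)` flags the connector on port 443 because it still carries the keystore password shown in this page's walkthrough.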

  1. To set up and install MongoDB for the NoSQL Injection Level found in Shepherd, follow the installation steps here: https://docs.mongodb.org/manual/tutorial/install-mongodb-on-windows/
  2. Use the MongoDB shell to execute the mongoSchema.js file: https://docs.mongodb.org/manual/reference/method/load/
  3. Time to Play!