img source: wearecentralpa.com

My email used to be bombarded with spam or phising emails either for Paypal, Maybank or CIMB and sometimes Amazon as well. Usually these emails are in the same format (sometimes even same wordings), same email subject and lil bit different header images and of cause different sender address. But today (the email actually received yesterday but I only open my trusted Thunderbird today) the content is lil bit different, convincing enough and yeah even the sender address seems like from legitimate source for the unsuspecting users.

As usual my Thunderbird categorized this email as probable Scam Email (as for some of my unfortunate friends email as well haha). Anyway for the first time I just remove the Scam tag and let the image load (after checking the email content source of cause).

As you can see the link stated in this email SEEMS to point to actual maybank2u website. But wait.. do not click it yet. Just move your mouse over the link and you can see the exact place where this link will lead you..

Yup.. Instead of going to maybank2u website, the link actually will lead (or mislead in this case) you to http://foto.asmul.com/gallery2/modules/icons/iconpacks/KSIcons/M2ULogin.doaction=Login.htm . So what if you really click on that link? For a start Firefox will not publish the site immediately but will give you an ample warning about that site instead.

And if you superbly ignorant or stubborn and choose to ignore the warning instead, you will be presented with this page

Ok even though the page bear resemblance with the actual maybank2u login page (refer image below) but IF you compare with these two, there are few glaring items that HOPEFULLY will make you aware that you are in a wrong/spoof/phising/tipu/kencing site.

The most obvious one is the address of the link. IF you are presented with maybank2u login page but the url shows address others BUT maybank2u’s, close your browser/tab and for precautionary move, run your antivirus or whatever anti spyware/bot/adware that you have in order to detect any possible unwanted malware (malicious software) downloaded unwittingly into your precious computer.

Like in this case, instead of having this address on the url field: https://www.maybank2u.com.my/mbb/m2u/common/M2ULogin.do?action=Login; you can see the address actually is http://foto.asmul.com/gallery2/modules/icons/iconpacks/KSIcons/M2ULogin.doaction=Login.htm with maybank2u login page.

Besides there’s a date on actual maybank2u’s login page, there are other differences that you should notice. Be my guest to download the images and play the “spot the different” between those images yourself as I’ve had enough of this game during my school years

The real maybank2u's login page

Well what will happen if you login or inserting your credential at this page..

Unless your username is testing and the password is 12345678abcd, you have nothing to worry about. And even with this false information, the page will “process” and lead you to another page..

Yup.. the infamous “update your Profile” page. Again unless your email is spongebob@krustykrab.com (is it yours?? sorry but I think you do not have maybank2u account rite? You do?…)

And the rest of the process is similar with the old phising scam.. Get TAC number, enter your TAC number, and the usual do not login to your account within 24 hours..

That’s for now. it seems there’s something interesting from the traffic generated by these activities. Will update on later post.

Oh yeah, it seems the site has been taken down

Anyway.. be careful and IF you have doubts, ALWAYS call your bank whenever you received any email from them. Just for confirmation and yeah you have to call them even you know that their Customer service is SUCKS..

Pic source: kellepcharles.blogspot.com

Greeting guys..

I’ve spent the past two weeks getting the draft for forensic readiness policy complete for submission to our client in Indonesia. To be honest this time around I need to assist our sister company there in designing an SOC for that particular client. In sense of security policy, bulk of the task was done by my colleague there. She’s very good in integrating the client’s security policies into ours. I really impressed with her works tho

So what the heck is Forensic Readiness Policy?

The main objectives of this policy are to maximize the usefulness of incident data and minimize the cost of forensics during incident response. Very clear eh? Well the elements of forensic readiness usually:

• How Logging is done
• What are the activities/items that being logged?
• Intrusion Detection System (Network and host based)
• Forensic Acquisition
• Evidence Handling

So before this post become a mini howto, better for me to stop till there. Nowadays more and more organizations aware on the importance of preserving or maintaining a proper record especially on their network traffics (based on my limited encounter lah.) There was a time when firewall or filtering via the boundary routers can be considered enough for network security. Now it seems that at least Intrusion Detection Systems (IDS) is the must have within the list of security devices for an organization (whether there are analysts or at least people monitoring this IDS outputs is another story). Also from my (limited) experience, most of our clients do have either one or more logs repository. Again the question whether if these logs are reviewed or not is not for me to answer.

So what does it mean?

It means that nowadays the www is not as wild wild web like it used to be. You hit and then you left the scene without much fuss on the trail. Bypassing filtering device like firewall is something cool but now if you brag on how you managed to bypass layer 3 and 4 filtering device, I guess people will just shrug off and ignore you. Now there are mechanisms to detect your activities whether on network or on the attacked system itself. Hacking is not Harry Porter stuff and you do leave a trail. Sooner or later, your “hacking” activities trails will lead to you.

With this kind of policy and many other similar policies as well, organizations perhaps are well prepared to detect and respond to any security incidents. Because for me, eventually you will be hacked or compromised. The important thing that you have to remember is how do you detect, respond and recover from these attacks.

Prepared - source :www. antithesiscommon.com

So bragging about your “hacking” activities in forums or blogs IMHO is a NO NO. It makes the task for the LEA easier especially when you include your handler in the page that you “hacked”

Anyway, somehow crime doesn’t pay

Recently one of my friends performed penetration testing on one of our client’s networks. Well most of the times the penetration testing will be done based on “white box” testing technique and yeah sometimes the client of cause request “black box” technique as well. And sometimes we just performed both of these techniques also. During the “black box” session, he mentioned that it seems that this particular client has some sort of content filtering device or mechanism that managed to block most of his attack assessment techniques. I assume that this client has an IPS installed on their network. No, this is not IPS bashing posting from me OK?

http://www.thetechherald.com/article.php/200817/811/

OK.. So after few more others failed attempts on manipulating the user queries, my friend decided to (based on what he told me) use the old IDS evasion techniques like fragmentation overlaps and fragmentation overwrite with little expectation but voilà, he managed to bypass the IPS or content filtering devices of that client. Of cause he executed his next tasks happily and I think he is lil bit astonished by how these filtering devices still can be deceived by old techniques.

http://archive.networknewz.com/networknewz-10-20021016NetworkDenialofServiceAttacksCanyouhackit.html

Actually it is quite difficult for me to comment on this because this is based on my friend’s story and I was not there to see the actual technique that my friend used to bypass the IPS (my assumption but my friend told me that the client did mention on their content filtering device). Maybe he used the fragmentation techniques to evade the IPS, and maybe he combines that technique with other as well.

Anyhow here is my view on this matter.

http://www.markhoustonrecovery.com/relapse_prevention_.php

This condition does prove few things. First of all, it shows that prevention eventually fails. To be honest with you, I do really love that phrase. I do not know about you but most of the time I always being asked on the necessity of having IDS since IPS managed to do what ever IDS meant to do and on top of it, instead of only detecting, it also can perform active responses like reject or deny. Some of my students in my training classes also express their intention of removing the IDS since they have or acquired the latest content filtering appliance.

OK. Maybe they were right. Why you still want to keep the “old” technology since the “latest” one is available where the “latest” is the enhancement or evolution of the “old” one? Hmm but then perhaps most of us forgot that the “holy grail” of IDS is to achieve minimum or better still 0 false positive outputs from these IDSes (which in practice is impossible). I believe these “enhanced” technology also inherit the same “holy grail” as the old one.

To make things more difficult, the positioning of these two systems in the network. In order to provide active responses to any malicious packets, IPS/content filtering/layer 7 firewalls (network based) usually will be emplaced in line with the network flow. For firewall (either network based or personal/host based), the best practice is to have a “default deny” policy where it will allows only selected traffics/transactions and denies the rest of them. Can IPS or any content filtering mechanism/device be implemented according to that kind of policy? Be my guest to answer this..

http://www.linuxfocus.org/English/May2003/article292.shtml

While as IDS is only providing the detection services, usually this device will be em placed at the network access points where it can monitors the network or network segments that suppose to be monitored, passively without interrupting the network flow. Even though the IDS is collecting every single bit of data and inspect those traffics right up to the application layer, it wont pose any problems or interruption to the network.

So does this mean we should start throwing our IPS out from our network? Does this mean that IPS is bad and IDS is good? No. It just means that substitution of these two do not improve your security posture at all. I also believe that these two must be seen as complementary of each other.

The best thing is to identify your monitoring zones, have your IPS filtering the allowed traffics into the network by the firewall, have your IDS then scrutinize the traffics filtered by the IPS and this traffic again will be filtered by the personal/host based/application level firewalls.

Anyway, that’s my view only and as usual I welcome any other opinions as well.

http://www.linux.org.au/projects/grants/

Nowadays, either people are getting lazier than before or the technology is becoming too convenient  for us. We used to go to the bank for financial matters, to respective utility companies for settling our monthly utility bills, go to the shop/mall for shopping. Now everything (mostly) can be done via click of the mouse. In fact wifey once bought  traditional food/cookies via internet and that goodies were sent via Pos Laju. By the time we receive that particular parcel, I think some of the cookies were not in their original shape and crushed

And recently I received this in one of the posts comment section awaiting to be approved by me

Tired of a competitor's site? Hinder the enemy? Fed pioneers or copywriters? 

Kill their sites! How? We will help you in this!
Obstructions of any site, portal, shop! 

Different types of attacks: Date-attack, Trash, Attack, Attack, etc. Intellectual
You can work on schedule, as well as the simultaneous attack of several sites. 

On average the data, ordered the site falls within 5 minutes after the start.
As a demonstration of our capabilities, allows screening. 

Our prices 

24 hours of attack - $ 70
12 hours of the attack - $ 50
1 hour attack - $ 25

Contact via ICQ: 588 666 582

Ahh.. Let me think.. Hmmm there are one of two websites that I love to shut those down. These guys loves arguing with me so better to shut them up by shutting down their sites..

Lol just kidding guys. No offend ok? I love visiting your sites btw And yeah, to be honest I didn’t call those as argument but it’s more like intellectual discourse

On serious note, it seems that this person/group has sent/posted their offererings to various websites/forums. And yes, the ICQ ID number does exist but no detail information (of cause lor for this purpose

Maybe the content is lil bit confusing but perhaps that comment originally in German language and he used translator to translate those into English. German because so far if you search on the email address of the owner, it seems that most of this comment were done using network belongs to Deutsche Telekom AG. (Note to my friend, Deutche is NOT Dutch spelled in a fancy spelling OK?)

If you have 70 bucks (I guess it’s in USD and not using Euro € due to exchange rate perhaps) to spare, why not buzz him/her/them via ICQ? And good luck for that anyway LoL. (And please dun target this blog btw)

Is this service for real or not, I dun have any idea but if it is then I think the economy crisis is worst than I thought

I think somewhere around January, I did mention to my colleagues on the possible rise of cybercrime cases due to the world economy crisis. There will be more spam email than before, more phising emails than before and yes, this time the target has been shifted to client or user side Why? Because it is a “lucrative”, often overlooked, less controlled and high in numbers. Instead of controlling few servers in that particular organisation (and difficult as well because most of the times these servers will be highly protected, monitored as those machines are in the high priority list ) why not just concentrate on the users. 1% of let say 1000 users is not bad eh? My friend mel posted one of the trick of misleading the users at security.org.my

There are many ways or patterns of how these phising emails may looked like. Previously it’s about how “our” bank’s servers were DDoSed and the needs of so called re-activation or re-verification of our accounts. For that purpose we need to login to our online account, retrieve the TAC number and submit those information (user name, password and TAC numbers) to the “verification” servers that happened to be located outside of Malaysia. Oh yeah, failed to perform this activity, your account will be terminated within 24 hours. As simple as that. One more thing, once you’ve “verified” (submitting the information to the “verification” server), you are not allowed to use your online account for 48 hours. Hmm I thought all these internet thingy/stuffs usually processed within seconds if not miliseconds.. LoL.

Now the trend is “Unblock you Account” email.

“Unblock your Account

For security reasons, your Maybank2u.com account has been blocked due to inactivity or becouse of too many failed login attempts.

Please login at maybank2u to restore your account access.

Online banking: Login

Maybank Berhad

https://www.maybank2u.com.my

© 2001-08 Maybank. All rights reserved.”

Thunderbird thinks that this email is scam. I love thunderbird

Cool eh… Too many failed login or due to inactivity (in sense of what? Never logged on? Less money transaction?) and this will caused your online account suspended. And yeah, it seems that one of the largest banks in our country is trying to save every penny that instead of inform me directly via phone call, they chose to send an email with poor spelling (if you want to “phis”, do it properly) and what the heck what kind of official email send to “undisclosed recipient”?. It doesn’t matter whether my balance is RM2.75 or RM 2.75 million, I am still your customer and you used my money for your business (credit creation.. ever heard of this? that’s why you need to have minimum balance), so please send a direct email ONLY to me OK? lol.

Sorry for that rant. Maybe because it is MOURNday… ANyway, further checking will reveal that this email is not from maybank (in fact if you look at the sender’s email address, you will know right away that this is non valid email.) There is not MX record for maybank2u.com.my. Maybank2u.com.my is only a domain specifically for web purpose, no other functions OK? This means that the only valid email that you will received from maybank personnel should has this address => blabla@maybank.com.my and NOT blabla@maybank2u.com.my or any other. Expect next time these phisers will use maybank.com.my as the sender email address . For that just take note that you should call any maybank branches (or your branches) for verification. Better still, you go there and talk to their representative.

For the email that I received, the email actually was sent from an insurance company called Alandale Insurance Agency. As the source of the email revealed that it was sent from a server called server.alandale.com (and if you query for its MX record, server.alandale.com is used as the mail exchanger with priority 5). I guess maybe one of the users’ machines was infected by worm that utilizes the email traffics on spreading its spam etc.

The best part is, the guy or gal who created this phising email has the audacity to use one of the images in yours truly website for this phising purpose.. Sigh..

Oh yeah.. all the links point to this site : http://75-149-136-211-connecticut.hfc.comcastbusiness.net/indexx.html which has been reported as “Web Forgery” by firefox.. (ok not by firefox)

Nice try guys

It seems that my previous posting did offend some people. I want to take this opportunity to say sorry to whoever offended either directly or indirectly by that post and there are no malicious intentions in it. As most of the people in this particular industry I can call them as my friends and professional colleagues. But with that in mind, these people also entitled for their comments, views and opinions.

A comment from y0muds is a comprehensive and long one (Sorry dude, I just dunno why but akismet consider your comment as spam and I guess perhaps because of the length).

Anyway like I mentioned before, I do have intention to attend the hackaton day as most of presentations on that particular day are dealing with web intrusion as perhaps there are some techniques on detection or prevention that can be implemented for our daily operations. Alas, I have to abandon that idea as I have other important matter that I have to attend.

Anyway, I think both of the parties have given their views and opinions; I guess now is the time for us to chill out ok? Take a break, have a glass of nescafe (Maya Karin said nescafe has a high level of antioxidant) and a cigar…

p/s: Anyway I do like to have this kind of interaction.. Just like the ones that we had at security.org.my during the hackingexpose event Ahaq…

And NO, I do not like to raise contraversial issue or disturb other people nerves like most of you tend to believe.

I’m just an ordinary, happy and nice guy.. Honest..

http://www.dailystrength.org/people/110944/photos-videos/item/293887

As usual, Monday is a very bad day for me. Dun ask me why but perhaps I’m watching /reading too much Garfield and influenced by this fat lazy but adorable cat obsession on hating Mondays . So while doing my usual Monday activities (this of cause after reading my emails especially the ones in the inbox as I’ve filtered other emails to their respective mailing list folders, so the ones arrived in the Inbox are usually meant for me personally:)), one of my friends “buzzing” me via one of the Internet Messenger clients.

—–Snip—–
my_friend: awat hang tak mai s emalam
my_friend: hackaton
soulkipper: aku balik ktn ler
my_friend: cybercert sucks arr  die nye  demonstration hackin
my_friend: gile lame
my_friend: sep baik a ku duk kat *******
soulkipper: btw aku not 1337 enuff
soulkipper: hahaha
my_friend: tak bukan leet
my_friend: ade mamat tu(bukan adli  maupun mahmud)
my_friend: nak tunjuk
my_friend: remote file inclusio n nue  attcak
my_friend: tapi
my_friend: haha
my_friend: global variable dlm php.ini
my_friend: lupe
soulkipper: remote file inclusion
soulkipper: alaaa
my_friend: nak enable
soulkipper: tu lama punya
my_friend: so buatx2 tak jadi
my_friend: haha

——-snip———-

I do believe that my friend has really good intention on mentioning those. Perhaps in the future the presenter can show some latest trend and techniques or emphasis on the rise of client side attacks on the net. I also believe that the speakers or presenters had gone through their presentation materials and the live demo steps and methods. Maybe some unexpected condition arised during the presentation time hence the unsuccessful live demo.

If I’m not mistaken during the 2007 Technical forum at PWTC, one of the presenters who tried to show some demo on Bluetooth hacking also failed. SO this kind of thing may happened to anybody. It happens to me a lot during my training sessions especially when dealing with my VMWares..Sigh..

If it was me then;

soulkipper: kalu aku, aku tunjuk je structured threat analysis using open source tools
soulkipper: abih cite
soulkipper: takpung collecting Network based evidence using open source tools

Yeah, I will do some demo on performing structured threat analysis or collection network based evidence using open source tools like argus, tcpdump, snort, tcpflow etc..

Hmm maybe I can use this topic for my next knowledge sharing session or we called it here “kopitiam session”. Materials? I can collect the network traffics and do the demo on the virtual machine. Eh.. I forgot that currently I’m using the “borrowed” laptop. I dun think running virtual machines on this laptop is a good idea…

Ahh later

p/s: To protect the identity of my friend, I have to filter some of the communication content between us

My friend’s gave a presentation on the mod_security usage last few weeks to a group of users from the government. In his presentation he gave a demo on how mod_security managed to prevent “blind sql injection” attacks on the application run on mod_security enabled web engine. He even received a thunderous applaud from the audience once he concluded his presentation. However one of the attendees asked one good question afterward.

“My friend said you do not need to installed any WAF (web application firewall). All you need to do is fine tune the firewall filtering policies and that’s it.”

Well that view is not wrong. No sir, it’s not wrong at all. But then again, security is about minimizing the risk from being compromised. But still, it doesn’t matter how vigilant you are in following the security processes because eventually everything that you’ve done are not enough to prevent your asset from being compromised.

Lets take a building (we call this building, Building A) as an example. Most of the time (and most of the building), the only place accessible for anybody is the lobby (and perhaps the toilet also). When you try to access beyond the lobby, usually you need to register yourself at the registration table  placed before the lift lobby. Usually you need to identify yourself by presenting your ID card, inform your destination (and sometimes purpose of visit as well) received guest pass and off you go to your destination.

Now if let say that’s the only defensive measures that the building have, the risks for the building tenants to be compromised is high. Agree? Ok now we want to fine tune the filtering process at the reception, let say everybody must be body searched or provide other detailed information or other checking methods, I believe the queue will be long and the time taken for any guest to proceed to their destination will definitely not short. Hence due to the hassle that each guess need to face before proceed with their tasks, they will decided against visiting that particular building in the future.

So now let create another example, we call this building, Building B. Besides the need to register at the reception, it also equiped with doors that require access pass. Every guess will be issued access pass only to the intended floor and office (Even some offices in a building have their own lobby or reception). On top of that, your movement within the building will be monitored by CCTVs and if you appeared to be in the wrong floor or doing something funny, the friendly security guard will waste no time in coming to you and do any action necessary. Meaning there are many security layers for these buildings and we can assume that the risks for the tenants to be compromised is not as high as the building that has only reception table as the defensive measure (Building A). Agree?

Like I said before, both of the security measures taken by building A and B is not wrong. But then again, security is about reducing the risk of being compromised. So for you, what kind of security measures that you want to implement?

The ones like Building A (only perimeter defense – firewall via reception) or Building B (firewall – reception, IDS – CCTVs, Host Based or WAF – doors that require access card)?

That’s my opinion btw

Again.. Sorry for the long Hiatus.. Anyway I did received an email from one of my friends at CyberSecurity Malaysia..

“maybe u can pos something useful & reminder in your blog & security.org.my to remind your blog visitors bout this malware.
thanks bro..”

Ahhh the link.. http://www.mycert.org.my/en/services/advisories/mycert/2009/main/detail/647/index.html

Yeah guys.. This ain’t no HOAX. In fact, there are few entries in SANS Handler’s diary regarding the increase of DNS polling performed by the infamous Conficker or Dowandup (from 250 different domain names per day to 500 ).

Read it here : April 1st – What Will Really Happen?

Btw Felix Leder, Tillmann Werner of The HoneyNet Project produced one good writeup “Containing Conficker“. I recommend you guys to download that paper and read it. Also read another good writeup of Conficker variants by SRI here.

Also you can now identify possible Conficker infected machines by performing network scanning via NMAP or NESSUS.

For NESSUS the related plugin description :PluginID 36036

How to scan using NMAP can be read from this site : www.skullsecurity.org

For removal instructions and tools, just follow the links provided in special Conficker page at Dshield site.

There you go folks. Sorry it’s lil bit late and yeah I’m lil bit tight right now..

p/s: Btw my friend mel already post an entry regarding Conficker worm at security.org.my

Dun know about you guys but during my time (not that long ago lah), the only avenues for me to test my newly acquired skills and tools (most of the time to test the tools and scripts -yeah I used to be a script kiddie ) are servers, websites, routers belong to other people. Ahh forgot to mention that I used to test these tools on other PCs in the CyberCafe as well . In that time also IRC chatrooms can be the testing ground and learning centre as well. Mind you that at that time, VMWare just founded and the first product (VMWare Workstation) only delivered a year later Nowadays  you only need a PC/laptop, internet browser (for WIMP users, no worries on this part) and you dun even have to be connected. Thanks to OWASP’s WebGoat Project

So what is WebGoat? Let this lazy bum quote the Goal of this WebGoat project from its page.

“The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot”

“WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application”

What I can conclude is WebGoat is the right avenue for you to learn the Web application attack techniques (Nowadays most of the attacks are layer 7 attacks ) Instead of performing the “try and error” (the old school) way on the applications belong to others, you can learn these techniques and why the application succumbed to those techniques without causing any damage to others belonging. Hey it also saves you from any entanglement with the Law as well.

With that spirit, I decided to have WebGoat installed onto one of our testing machines (virtual that is) in lab environment so the Analysts can learn and play around with the application.

One thing that I didn’t notice is the size of WebGoat is around 83MB and took some time for me to complete the download process as it seems that our line decided to drag its feet while transporting the data. Sigh.

WebGoat requires JDK to be installed first. So when I run the usual make install command at jdk15 port (/usr/ports/java/jdk15), I was presented by this message:

IMPORTANT: To build the JDK 1.5.0 port, you should have at least
2.5Gb of free disk space in the build area!

Please place the downloaded file(s) in /usr/ports/distfiles
and restart the build.
Whaaaa… I need to download those files manually. With the download “speed” that I have at that time, I have to download :

jdk-1_5_0_14-fcs-src-b03-jrl-05_oct_2007.jar = 55MB

jdk-1_5_0_14-fcs-bin-b03-jrl-05_oct_2007.jar  = 2.1 MB

jce_policy-1_5_0.zip = 10K  (Thank God)

tzupdater-1_3_11-2008i.zip = 288K (Fortunately)

bsd-jdk15-patches-8.tar.bz2 = 800K

So once finish downloading all those files, the installation process commenced immediately and after a looooooooooong while it completed.

Next is the process of extracting the WebGoat application onto my virtual server and some configuration performed:

a). Defining the JAVA_HOME

b). As by default WebGoat meant to be run on localhost, a simple configuration in sense of providing the listening IPs and Ports in the server_80.xml file within the tomcat/conf/ directory of the WebGoat folder.

But the moment I execute webgoat.sh start80, I’ve been presented by this message:

“Please set JAVA_HOME to a Java 1.5 JDK install”

And it doesn’t matter how many times I define those fields (including symbolic link as well) the message keeps on appearing when I tried to start the application. So I search through google and discover this technique:

Delete the check code of the java version, put export JAVA_HOME=to the installed jdk location at the top of the script which made my webgoat.sh look like this:

ayoi# less webgoat.sh
#! /bin/sh

SYSTEM=`uname -s`
CATALINA_HOME=./tomcat
PATH=${PATH}:./tomcat/bin
export CATALINA_HOME PATH
export JAVA_HOME=/usr/local/jdk-1.5.0
chmod +x ./$CATALINA_HOME/bin/*.sh

case “$1″ in
start80)
cp -f $CATALINA_HOME/conf/server_80.xml $CATALINA_HOME/conf/server.xml
$CATALINA_HOME/bin/startup.sh
printf “\n  Open http://127.0.0.1/WebGoat/attack”
printf “\n  Username: guest”
printf “\n  Password: guest”
printf “\n  Or try http://guest:guest@127.0.0.1/WebGoat/attack \n\n\r”
sleep 2
tail -f $CATALINA_HOME/logs/catalina.out
===============SNIP==================

So when I execute the webgoat.sh start80 command, voila..

ayoi# ./webgoat.sh start80
Using CATALINA_BASE:   ./tomcat
Using CATALINA_HOME:   ./tomcat
Using CATALINA_TMPDIR: ./tomcat/temp
Using JAVA_HOME:       /usr/local/jdk-1.5.0

Open http://127.0.0.1/WebGoat/attack
Username: guest
Password: guest
Or try http://guest:guest@127.0.0.1/WebGoat/attack
===============SNIP=========================

The WebGoat is now running and ready to be hacked