How to Remotely Access Someones IP Address: What is Damn Vulnerable Web App (DVWA) ? with installation tutorial (Easy Language)

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

DVWA is generally used for security professionals this wonderful application can be very helpful as they can practice for loopholes and also how does security for a website can be made they can use 'low','medium','hard' and 'impossible' mode for checking their skills by mastering these skills on this web app.

Steps for installing DVWA on a Virtual Machine Using Fedora 14-

Section 1: Configure Fedora14 Virtual Machine Settings

Start VMware Player
- Instructions
  1. For Windows 7
    1. Click Start Button
    2. Search for "vmware player"
    3. Click VMware Player
  2. For Windows XP
    - Starts --> Programs --> VMware Player
Open a Virtual Machine (Part 1)
- Instructions:
  1. Click on Open a Virtual Machine
Open a Virtual Machine (Part 2)
- Instructions:
  1. Navigate to Virtual Machine location
    - In my case, it is G:\Virtual Machines\Fedora14 - DVWA
  2. Click on the Fedora14 Virtual Machine
  3. Click on the Open Button
Edit the virtual machine settings
- Instructions:
  1. Highlight the Fedora14 VM
  2. Click on Edit virtual machine settings.
Edit Network Adapter

Instructions:
1. Click the Hardware Tab
2. Highlight Network Adapter
3. Select Bridged: Connected directly to the physical network
4. Select the OK Button

Section 2: Login to Fedora14

Start the Fedora14 VM Instance
- Instructions:
  1. Select Fedora14
  2. Play virtual machine
Login to Fedora14
- Instructions:
  1. Login: student
  2. Password: <whatever you set it to>.

Section 3: Open Console Terminal and Retrieve IP Address

Start a Terminal Console
- Instructions:
  1. Applications --> Terminal
Switch user to root
- Instructions:
  1. su - root
  2. <Whatever you set the root password to>
Get IP Address
- Instructions:
  1. ifconfig -a
- Notes:
  - As indicated below, my IP address is 192.168.1.116.
  - Please record your IP address.

Section 4: Disable SELinux

Open the SELinux config file with gedit
- Instructions:
  1. gedit /etc/selinux/config 2>/dev/null &
- Notes (FYI):
  1. gedit, is a text editor for the GNOME Desktop.
  2. /etc/selinux/config, is the file name that gedit will open.
  3. 2>/dev/null, sends standard error messages to a black hole (/dev/null).
  4. The "&" is used to open gedit in the background.
  5. If you are the Linux Guru feel free to use the VI editor instead.
Delete enforcing
- Instructions:
  1. Arrow down to SELINUX=enforcing
  2. Highlight the word "enforcing" and press the delete button
Replace enforcing with disabled
- Instructions:
  1. Replace "enforcing" with the word "disabled"
    - SELINUX=disabled
  2. Click Save
  3. Click the "X" to Close
Open the SELINUX config file with gedit
- Instructions:
  1. setenforce 0
  2. sestatus
- Notes (FYI):
  - setenforce - is used to modify the mode SELinux is running in.
  - Generally, I do not support disabling SELinux. However, we are going to turn this server into a vulnerable machine by later installing Mutillidae.

Section 5: Disable Firewall

Disable the Firewall
- Instructions:
  1. service iptables stop
  2. chkconfig iptables off
- Notes (FYI):
  - Again, I do not support disabling the firewall. However, we are going to turn this server into a vulnerable machine by later installing Mutillidae.

Section 6: Install Apache httpd Server

Download httpd
- Instructions:
  1. yum install httpd.i686
  2. y
Start Apache
- Instructions:
  1. service httpd start
    - This starts up the Apache Listening Daemon
  2. ps -eaf | grep httpd
    - Check to make sure Apache is running.
  3. chkconfig --level 2345 httpd on
    - Create Start up script for run levels 2, 3, 4 and 5.

Section 7: Install mysql and mysql-server

Install mysql
- Instructions:
  1. yum install mysql.i686
  2. Continue to next step
Install mysql
- Instructions:
  1. y
Install mysql-server
- Instructions:
  1. yum install mysql-server
  2. y
Start Up mysqld
- Instructions:
  1. service mysqld start
Start Up mysqld
- Instructions:
  1. chkconfig --level 2345 mysqld on
    - Creates the start up scripts for run level 2, 3, 4 and 5.
  2. mysqladmin -u root password dvwaPASSWORD
    - Sets the mysql root password to "dvwaPASSWORD"
Login to mysql and create dvwa database
- Instructions:
  1. mysql -uroot -p
  2. dvwaPASSWORD
  3. create database dvwa;
  4. quit

Section 8: Install PHP

Install PHP
- Instructions:
  1. yum install php.i686
  2. y
Install php-mysql
- Instructions:
  1. yum install php-mysql
  2. y
Install php-pear
- Instructions:
  1. yum install php-pear php-pear-DB
  2. y

Section 9: Install wget

Install wget
- Instructions:
  1. yum install wget
  2. y

Section 10: Install Damn Vulnerable Web App (DVWA)

Download DVWA
- Note(FYI):
  - DVWA-1.0.7.zip is an older version. ComputerSecurityStudent provides this zip file, since it is no longer available at google source.
  - The most recent version can be found at http://www.dvwa.co.uk/
- Instructions:
  1. cd /var/www/html
  2. wget http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson1/DVWA-1.0.7.zip
    - Grab the DVWA-1.0.7 application.
    - Remember to down the zip file from computersecuritystudent and not googlecode.
  3. ls -l | grep DVWA
    - Confirm DVWA-1.0.7.zip was downloaded
Unzip Package
- Instructions:
  1. unzip DVWA-1.0.7.zip
Remove Zip File
- Instructions:
  1. ls -lrta
  2. rm DVWA-1.0.7.zip
  3. y
Configure config.inc.php
- Instructions:
  1. cd /var/www/html/dvwa/config
    - This is the configuration directory for DVWA.
  2. cp config.inc.php config.inc.php.BKP
    - Make Backup copy
  3. chmod 000 config.inc.php.BKP
    - Remove Permissions to the Backup Copy
  4. vi config.inc.php
    - This is the configuration file for DVWA that handles the database communication from the Web App.
Configure config.inc.php
- Instructions:
  1. Arrow down to the line that contains db_password
  2. Arrow right and place your cursor on the second single quote
  3. Press "i"
    - This puts the vi editor into INSERT mode.
  4. Type "dvwaPASSWORD"
  5. Press <Esc>
    - This takes the vi editor out of INSERT mode.
  6. Type ":wq!"
    - This save the config.inc.php file.
Restart Apache
- Instructions:
  1. service httpd restart
    - Restart Apache
  2. ps -eaf | grep -v grep | grep httpd
    - Make sure Apache is running.
Start up a Web Browser
- Instructions:
  1. Applications --> Internet --> Firefox
- Notes(FYI):
  - At this point, you can start up a web browser on any computer on your network (Windows, Mac, Whatever you want).
DVWA Database setup
- Instructions:
  1. http://192.168.1.116/dvwa/setup.php
    - Replace 192.168.1.116 with the IP Address obtained from Section 3, Step 3.
  2. Click the Create / Reset Database button
DVWA Creation Messages
- Instructions:
  1. You should see the below database created, data inserted, and setup successful messages.
  2. Click on Logout
Login to DVWA
- Instructions:
  1. Username: admin
  2. Password: password
Welcome to DVWA
- Note(FYI):
  1. Click Here for subsequent lessons.

Section 11: Proof of Lab

Proof of Lab
- Instructions:
  1. echo "select user,password from dvwa.users;" | mysql -uroot -pdvwaPASSWORD
  2. date
  3. echo "Your Name"
    - Replace the string "Your Name" with your actual name.
    - e.g., echo "John Gray"
- Proof of Lab Instructions:
  1. Do a PrtScn
  2. Paste into a word document
  3. Upload to Moodle

How to Remotely Access Someones IP Address

Tuesday, 9 February 2016

What is Damn Vulnerable Web App (DVWA) ? with installation tutorial (Easy Language)

No comments:

Post a Comment