Chuyển đến nội dung chính

Hướng Dẫn Thực Hành - (How to Install DVWA in Fedora : Lesson 1)

DVWA là hệ thống lab dùng cho việc nghiên cứu các lỗi bảo mật thông dụng của ứng dụng web, trong bài hướng dẫn sau đây chúng ta sẽ cài đặt DVWA trên một máy Linux dùng Fedora 14. Ngoài việc cài đặt để hiểu rõ hơn về DVWA các bạn có thể tải về các bản dựng sản để thực hành trên máy ảo mà không cần phải cài đặt, hoặc cài đặt trên máy chạy hệ điều hành Windows (cài thêm bộ ứng dụng AppServer là được).
  • What is Damn Vulnerable Web App (DVWA)?
    • Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
    • Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
  • Pre-Requisite Lab
    • Fedora: Lesson 1: Installing Fedora 14
      • Note: Only required if you don't already have a Fedora instance.
  • Lab Notes
    • In this lab we will do the following:
      1. Install Apache Webserver
      2. Install Mysql Server
      3. Install PHP
      4. Install and Configure DVWA
  • Legal Disclaimer

       Bài lab chỉ dùng cho mục đích học tập.
Section 1. Configure Fedora14 Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Program --> VMWare --> VMWare Player
  2. Edit BackTrack Virtual Machine Settings
    • Instructions:
      1. Highlight fedora14
      2. Click Edit virtual machine settings
  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click on the OK Button.

Section 2. Login to Fedora14
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14
      3. Play virtual machine
  2. Login to Fedora14
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

Section 3. Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal
  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>
  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes:
      • As indicated below, my IP address is 192.168.1.116.
      • Please record your IP address.

Section 4. Install Apache httpd Server
  1. Download httpd
    • Instructions:
      1. yum install httpd.i686
      2. y
  2. Start Apache
    • Instructions:
      1. service httpd start
        • This starts up the Apache Listening Daemon
      2. ps -eaf | grep httpd
        • Check to make sure Apache is running.
      3. chkconfig --level 2345 httpd on
        • Create Start up script for run levels 2, 3, 4 and 5.
  3. Configure Firewall
    • Instructions:
      1. System --> Administration --> Firewall
  4. Firewall Configuration Startup
    • Instructions:
      1. Click the Close button
  5. Authenticate
    • Instructions:
      1. Supply the root password
      2. Click Authenticate
  6. Turn On WWW
    • Instructions:
      1. Click the WWW Check Box
      2. Click the Apply Button
  7. Override Settings
    • Instructions:
      1. Click Yes
Section 5. Install mysql and mysql-server
  1. Install mysql
    • Instructions:
      1. yum install mysql.i686
      2. Continue to next step
  2. Install mysql
    • Instructions:
      1. y
  3. Install mysql-server
    • Instructions:
      1. yum install mysql-server
      2. y
  4. Start Up mysqld
    • Instructions:
      1. service mysqld start
  5. Start Up mysqld
    • Instructions:
      1. chkconfig --level 2345 mysqld on
        • Creates the start up scripts for run level 2, 3, 4 and 5.
      2. mysqladmin -u root password dvwaPASSWORD
        • Sets the mysql root password to "dvwaPASSWORD"
  6. Login to mysql and create dvwa database
    • Instructions:
      1. mysql -uroot -p
      2. dvwaPASSWORD
      3. create database dvwa;
      4. quit
Section 6. Install PHP
  1. Install PHP
    • Instructions:
      1. yum install php.i686
      2. y
  2. Install php-mysql
    • Instructions:
      1. yum install php-mysql
      2. y
  3. Install php-pear
    • Instructions:
      1. yum install php-pear php-pear-DB
      2. y
Section 7. Install wget
  1. Install wget
    • Instructions:
      1. yum install wget
      2. y
Section 8. Install Damn Vulnerable Web App (DVWA)
  1. Download DVWA
    • Note(FYI):
      • DVWA-1.0.7.zip is an older version.  ComputerSecurityStudent provides this zip file, since it is no longer available at google source.
      • The most recent version can be found at http://www.dvwa.co.uk/
    • Instructions:
      1. cd /var/www/html
      2. wget http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson1/DVWA-1.0.7.zip
        • Grab the DVWA-1.0.7 application.
        • Remember to down the zip file from computersecuritystudent and not googlecode.
      3. ls -l | grep DVWA
        • Confirm DVWA-1.0.7.zip was downloaded
  2. Unzip Package
    • Instructions:
      1. unzip DVWA-1.0.7.zip
     
  3. Remove Zip File
    • Instructions:
      1. ls -lrta
      2. rm DVWA-1.0.7.zip
      3. y
  4. Configure config.inc.php  
    • Instructions:
      1. cd /var/www/html/dvwa/config
        • This is the configuration directory for DVWA.
      2. cp config.inc.php config.inc.php.BKP
        • Make Backup copy
      3. chmod 000 config.inc.php.BKP
        • Remove Permissions to the Backup Copy
      4. vi config.inc.php
        • This is the configuration file for DVWA that handles the database communication from the Web App.
  5. Configure config.inc.php  
    • Instructions:
      1. Arrow down to the line that contains db_password
      2. Arrow right and place your cursor on the second single quote
      3. Press "i"
        • This puts the vi editor into INSERT mode.
      4. Type "dvwaPASSWORD"
      5. Press <Esc>
        • This takes the vi editor out of INSERT mode.
      6. Type ":wq!"
        • This save the config.inc.php file.
  6. Restart Apache
    • Instructions:
      1. service httpd restart
        • Restart Apache
      2. ps -eaf | grep -v grep | grep httpd
        • Make sure Apache is running.
  7. Start up a Web Browser  
    • Instructions:
      1. Applications --> Internet --> Firefox
    • Notes:
      • At this point, you can start up a web browser on any computer on your network (Windows, Mac, Whatever you want).
  8. DVWA Database setup  
    • Instructions:
      1. http://192.168.1.116/dvwa/setup.php
        • Replace 192.168.1.116 with the IP Address obtained from Section 3, Step 3.
      2. Click the Create / Reset Database button
  9. DVWA Creation Messages  
    • Instructions:
      1. You should see the below database created, data inserted, and setup successful messages.
      2. Click on Logout
  10. Login to DVWA  
    • Instructions:
      1. Username: admin
      2. Password: password
  11. Welcome to DVWA  
    • Informational (FYI):
      1. Click Here for subsequent lessons.
Section 9. Proof of Lab
  1. Proof of Lab
    • Instructions:
      1. echo "select user,password from dvwa.users;" | mysql -uroot -pdvwaPASSWORD
      2. date
      3. echo "An Toàn Thông Tin"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "EDU VN"
    • Proof of Lab Instructions:
      1. Do a PrtScn
      2. Paste into a word document
      3. Email to AnToanThongTin.Edu.VN@Gmail.Com


 

  
Nhãn:

Bài đăng phổ biến từ blog này

Pentest lab - Metasploitable 2

Today I will walk through different ways of exploiting Metasploitable 2, the newer release of Rapid7’s popular vulnerable machine. First, what is Metasploitable? Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques. In my lab environment, the IP of the attacker machine is 192.168.127.159, and the victim machine is 192.168.127.154. Since this is a test lab, I won’t be concerned about stealth. Instead, I will try to get the most information out of the scans. Let’s start by port scanning the target with nmap. I did a full port, aggresive scan against the target. Here are the results. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 ...
Đọc thêm

Metasploitable 2 vulnerability assessment

A vulnerability assessment is a crucial part in every penetration test and is the process of identifying and assessing vulnerabilities on a target system. In this part of the tutorial we will be assessing the vulnerabilities available on the network side of the Metasploitable 2 virtual machine. We will be assessing the web applications on the Metasploitable 2 machine in a later tutorial. In the previous Metasploit enumeration and fingerprinting tutorial we’ve learned that the Metasploitable 2 machine contains a lot of vulnerabilities. We have collected valuable information about the target system which we will be using to find known vulnerabilities both on- and offline. Exploitation of these vulnerabilities will be demonstrated in the next exploitation tutorial. In this tutorial we will be looking at a few different ways to perform vulnerability analysis. We will be manually searching for exploits, use scanning tools like Nmap with scripts and we will be...
Đọc thêm

CEH v9 (CEHVIETNAM.COM) - Hacking Metasploitable Lab

CEH v9 : Hacking Metasploitable VM In this guide, I will demonstrate how to root a Metasploitable 2 virtual machine. Metasploitable is an intentionally vulnerable Ubuntu machine. I’ll explore just a few of the many ways Metasploitable can be attacked, from vulnerabilities in common services to little known exploits and web vulnerabilities. I’ve set up Kali Linux and Metasploitable VMs in VirtualBox on the same network (bridged mode). Kali – 192.168.56.101 Metasploitable – 192.168.56.102 - Hãy thay IP của bạn cho thích hợp Contents   1 Footprinting 1.1 Ping 1.2 Traceroute 2 Scanning 2.1 Port Scanning 2.2 OS Fingerprinting 2.2.1 nmap 2.2.2 xprobe2 3 Enumeration 3.1 FTP (TCP 21) Enumeration 3.2 Telnet (TCP 53) Enumeration 3.3 SMTP (TCP 25) Enumeration 3.4 VNC (TCP 5900) Enumeration 3.5 X11 (TCP 6000) Enumeration 3.6 RLogin (TCP 513) Enumeration 3.7 IRC (TCP 6667) Enumeration 4 Exploitation 4.1 FTP Exploit 4.2 VNC Password Cracking 4.3 IRC E...
Đọc thêm