Mutillidae - Lesson 1 - How To Install Mutillidae On Fedora 14 PDF
(Mutillidae: Lesson 1)
{ How to Install Mutillidae on Fedora 14 }
Section 0. Background Information
What is Mutillidae?
OWASP Mutillidae II is a free, open source, deliberately vulnerable
web-application providing a target for web-security enthusiasts.
With dozens of vulns and hints to help the user, this is an easy-to-use
web hacking environment designed for labs, security enthusiasts,
classrooms, CTF, and vulnerability assessment tool targets. Mutillidae
has been used in graduate security courses, corporate web sec training
courses, and as an "assess the assessor" target for vulnerability
assessment software.
Pre-Requisite Lab
Fedora: Lesson 1: Installing Fedora 14
Note(FYI):
Please do not use your Hardened Fedora 14 VM.
You must create a new Fedora 14 VM.
Lab Notes
In this lab we will do the following:
1. Install Apache Webserver
2. Install Mysql Server
3. Install PHP
4. Install and Configure Mutillidae
Legal Disclaimer
As a condition of your use of this Web site, you warrant to
computersecuritystudent.com that you will not use this Web site for
any purpose that is unlawful or that is prohibited by these terms,
conditions, and notices.
In accordance with UCC § 2-316, this product is provided with "no
warranties, either express or implied." The information contained is
provided "as-is", with "no guarantee of merchantability."
In addition, this is a teaching website that does not condone
malicious behavior of any kind.
You are on notice, that continuing and/or using this lab outside your
"own" test environment is considered malicious and is against the law.
© 2013 No content replication of any kind is allowed without express
written permission.
Section 1: Configure Fedora14 Virtual Machine Settings
1. Start VMware Player
Instructions
1. For Windows 7
1. Click Start Button
2. Search for "vmware player"
3. Click VMware Player
2. For Windows XP
https://www.computersecuritystudent.com/SECURITY_TOOLS/MUTILLIDAE/MUTILLIDAE_2511/lesson1/index.html 1/27
12/4/2016 Mutillidae: Lesson 1: How to Install Mutillidae on Fedora 14
Start > Programs > VMware Player
2. Edit Fedora Virtual Machine Settings
Instructions:
1. Highlight fedora14
2. Click Edit virtual machine settings
3. Edit Network Adapter
Instructions:
1. Highlight Network Adapter
2. Select Bridged
3. DO NOT Click on the OK Button.
4. Edit Virtual Machine Name
Instructions:
1. Click the Options Tab
2. Virtual machine name: Fedora14 Mutillidae
3. Click the OK Button
Section 2: Login to Fedora14 Mutillidae
1. Start Fedora14 VM Instance
Instructions:
1. Start Up VMWare Player
2. Select Fedora14 Mutillidae
3. Play virtual machine
2. Login to Fedora14 Mutillidae
Instructions:
1. Login: student
2. Password: <whatever you set it to>.
Section 3: Open Console Terminal and Retrieve IP Address
1. Start a Terminal Console
Instructions:
1. Applications > Terminal
2. Switch user to root
Instructions:
1. su root
2. <Whatever you set the root password to>
3. Get IP Address
Instructions:
1. ifconfig -a
Notes (FYI):
As indicated below, my IP address is 192.168.1.112.
Please record your IP address.
Section 4: Disable SELinux
1. Open the SELinux config file with gedit
Instructions:
1. gedit /etc/selinux/config 2>/dev/null &
Notes (FYI):
1. gedit, is a text editor for the GNOME Desktop.
2. /etc/selinux/config, is the file name that gedit will open.
3. 2>/dev/null, sends standard error messages to a black hole
(/dev/null).
4. The "&" is used to open gedit in the background.
5. If you are the Linux Guru feel free to use the VI editor instead.
2. Delete enforcing
Instructions:
1. Arrow down to SELINUX=enforcing
2. Highlight the word "enforcing" and press the delete button
3. Replace enforcing with disabled
Instructions:
1. Replace "enforcing" with the word "disabled"
SELINUX=disabled
2. Click Save
3. Click the "X" to Close
4. Turn off SELinux enforcement for the running system
Instructions:
1. setenforce 0
2. sestatus
Notes (FYI):
setenforce is used to modify the mode SELinux is running in.
Generally, I do not support disabling SELinux. However, we are
going to turn this server into a vulnerable machine by later
installing Mutillidae.
Section 5: Disable Firewall
1. Disable the Firewall
Instructions:
1. service iptables stop
2. chkconfig iptables off
Notes (FYI):
Again, I do not support disabling the firewall. However, we are
going to turn this server into a vulnerable machine by later
installing Mutillidae.
Section 6: Install Apache httpd Server
1. Download httpd
Instructions:
1. yum install httpd.i686
2. y
2. Start Apache
Instructions:
1. service httpd start
This starts up the Apache Listening Daemon
2. ps -eaf | grep httpd
Check to make sure Apache is running.
3. chkconfig --level 2345 httpd on
Create start up script for run levels 2, 3, 4 and 5.
Section 7: Install mysql and mysql-server
1. Install mysql
Instructions:
1. yum install mysql.i686
2. Is this okay [y/N]: y
2. Install mysql-server
Instructions:
1. yum install mysql-server
2. Is this okay [y/N]: y
3. Start Up mysqld
Instructions:
1. service mysqld start
4. Configure mysqld Start Up and Set the root Password
Instructions:
1. chkconfig --level 2345 mysqld on
Creates the start up scripts for run levels 2, 3, 4 and 5.
2. mysqladmin -u root password samurai
Sets the mysql root password to "samurai"
5. Login to mysql
Instructions:
1. mysql -uroot -p
2. samurai
3. show databases;
4. quit
6. Allow Remote Access to MySQL
Note(FYI):
Allowing remote access is not part of the Mutillidae installation.
This step just provides an additional vulnerability used in
following labs.
Instructions:
1. echo "use mysql; GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'samurai' WITH GRANT OPTION;" | mysql -uroot -psamurai
Section 8: Install PHP
1. Install PHP
Instructions:
1. yum install php.i686
2. Is this okay [y/N]: y
2. Install php-mysql
Instructions:
1. yum install php-mysql
2. Is this okay [y/N]: y
3. Install php-pear
Instructions:
1. yum install php-pear php-pear-DB
2. Is this okay [y/N]: y
4. Install php-mbstring
Instructions:
1. yum install php-mbstring
2. Is this okay [y/N]: y
5. Open php.ini
Instructions:
1. gedit /etc/php.ini 2>/dev/null &
Notes (FYI):
The "/etc/php.ini" file is the PHP configuration file.
2>/dev/null, sends standard error messages to a black hole
(/dev/null).
The "&" is used to open gedit in the background.
If you are the Linux Guru feel free to use the VI editor instead.
6. Search php.ini
Instructions:
1. Search > Find...
2. Search for: ; extension
3. Click the Find Button
7. Add Extension
Instructions:
1. Below the '; extension_dir = "./"' add the following line
extension=mysql.so
2. Click Save
3. Click "X" to Close
8. Restart Apache
Instructions:
1. service httpd restart
Section 9: Install wget
1. Install wget
Instructions:
1. yum install wget
2. Is this okay [y/N]: y
Note(FYI):
1. If you followed the Fedora 14 build instructions verbatim, you
will not need to install wget.
Section 10: Install Mutillidae
1. Download and Unzip Mutillidae
Instructions:
1. cd /var/www/html/
2. wget http://www.computersecuritystudent.com/DOWNLOADS/LATEST-mutillidae-2.5.11.zip
3. unzip LATEST-mutillidae-2.5.11.zip
2. Open MySQLHandler.php
Instructions:
1. cd mutillidae/classes/
2. ls -lrta
3. gedit MySQLHandler.php 2>/dev/null &
Note(FYI):
1. The MySQLHandler.php file is the Mutillidae database configuration
file.
3. Add Database Password
Instructions:
1. Arrow down to line 39 > static public $mMySQLDatabasePassword = "";
Place the word samurai in between the quotes after the "=" sign.
From: static public $mMySQLDatabasePassword = "";
To: static public $mMySQLDatabasePassword = "samurai";
2. Click the Save Button
3. Click X to Close
4. Change Ownership
Note(FYI):
This step is not necessary.
This step is to supplement additional SQL Union attacks.
Instructions:
1. cd /var/www/html
2. chown apache:mysql mutillidae
3. chmod 770 mutillidae
4. ls -ld mutillidae
5. Start Firefox
Instructions:
1. Click on the Firefox icon
6. Setup/Reset the DB
Instructions:
1. http://localhost/mutillidae
2. Click on setup/reset the DB
7. Setting up the database...
Instructions:
1. Click the OK Button
8. Welcome to Mutillidae
Note(FYI):
1. If you see the below screen, then congratulations on setting up
Mutillidae on a Fedora server.
Section 11: Proof of Lab
1. Proof of Lab
Instructions:
1. echo "use nowasp; show tables;" | mysql -uroot -psamurai
2. date
3. echo "Your Name"
Replace the string "Your Name" with your actual name.
e.g., echo "John Gray"
Proof of Lab Instructions
1. Press both the <Ctrl> and <Alt> keys at the same time.
2. Do a <PrtScn>
3. Paste into a word document
4. Upload to Moodle
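The steps above leave SELinux disabled, the firewall stopped, and MySQL root usable from any host, on a VM bridged to the local network. The script below is an added example, not part of the original lab: it reports that exposure from the SELinux config, the MySQL account table and the listening sockets. The function names, the --live switch and the sample input are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original lab): report what the lab VM exposes.
# Function names and the --live switch are hypothetical, chosen for this sketch.

# stdin: text of /etc/selinux/config -> prints the configured SELINUX= mode
selinux_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1
}

# stdin: tab-separated "user<TAB>host" rows -> prints accounts usable from any host
wildcard_accounts() {
    awk -F'\t' '$2 == "%" { print $1 "@" $2 }'
}

# stdin: `netstat -tln` output -> prints TCP ports bound to every interface
exposed_ports() {
    awk '$6 == "LISTEN" {
        n = split($4, part, ":"); port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::") print port
    }' | sort -n -u
}

# args: selinux config text, user/host rows, netstat text
report() {
    printf 'selinux=%s\n' "$(printf '%s\n' "$1" | selinux_mode)"
    printf '%s\n' "$2" | wildcard_accounts | sed 's/^/open-account=/'
    printf '%s\n' "$3" | exposed_ports | sed 's/^/exposed-port=/'
}

# Constructed sample input mirroring the state the lab steps produce.
SAMPLE_SELINUX='# SELINUX= can take one of these three values:
SELINUX=disabled
SELINUXTYPE=targeted'
SAMPLE_USERS=$(printf 'root\tlocalhost\nroot\t127.0.0.1\nroot\t%%')
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 :::80 :::* LISTEN'

if [ "${1:-}" = "--live" ]; then      # run as root on the lab VM
    report "$(cat /etc/selinux/config)" \
           "$(mysql -uroot -p -N -B -e 'SELECT user, host FROM mysql.user')" \
           "$(netstat -tln)"
else                                   # offline demo on the constructed samples
    report "$SAMPLE_SELINUX" "$SAMPLE_USERS" "$SAMPLE_NETSTAT"
fi
```

Run it with --live as root on the lab VM to read the real files and services; with no argument it runs on the embedded samples.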