Professional Documents
Culture Documents
HOME UNIX WINDOWS SECURITY TOOLS FORENSICS SHOPPING GET STARTED CONTACT US
|SECURITY TOOLS >> Damn Vulnerable Web App >> DVWA v1.0.7 >> Current Page |Views:
148327
Pre-Requisite Lab
Fedora: Lesson 1: Installing Fedora 14
Note(FYI):
Please do not used your Hardened Fedora 14 VM.
In Fedora 14, Lesson 1, Section 11, Step 2 you created a VM
specifically for DVWA.
Lab Notes
In this lab we will do the following:
1. Install Apache Webserver
2. Install Mysql Server
3. Install PHP
4. Install and Configure DVWA
Legal Disclaimer
As a condition of your use of this Web site, you warrant to
computersecuritystudent.com that you will not use this Web site for
any purpose that is unlawful or that is prohibited by these terms,
conditions, and notices.
In accordance with UCC § 2-316, this product is provided with "no
warranties, either express or implied." The information contained is
provided "as-is", with "no guarantee of merchantability."
In addition, this is a teaching website that does not condone
malicious behavior of any kind.
You are on notice, that continuing and/or using this lab outside your
"own" test environment is considered malicious and is against the law.
3. Get IP Address
Instructions:
1. ifconfig -a
Notes:
As indicated below, my IP address is 192.168.1.116.
Please record your IP address.
Section 4: Disable SELinux
1. Open the SELinux config file with gedit
Instructions:
1. gedit /etc/selinux/config 2>/dev/null &
Notes (FYI):
1. gedit, is a text editor for the GNOME Desktop.
2. /etc/selinux/config, is the file name that gedit will open.
3. 2>/dev/null, sends standard error messages to a black hole
(/dev/null).
4. The "&" is used to open gedit in the background.
5. If you are the Linux Guru feel free to use the VI editor instead.
2. Delete enforcing
Instructions:
1. Arrow down to SELINUX=enforcing
2. Highlight the word "enforcing" and press the delete button
3. Replace enforcing with disabled
Instructions:
1. Replace "enforcing" with the word "disabled"
SELINUX=disabled
2. Click Save
3. Click the "X" to Close
4. Open the SELINUX config file with gedit
Instructions:
1. setenforce 0
2. sestatus
Notes (FYI):
setenforce - is used to modify the mode SELinux is running in.
Generally, I do not support disabling SELinux. However, we are
going to turn this server into a vulnerable machine by later
installing Mutillidae.
Section 5: Disable Firewall
1. Disable the Firewall
Instructions:
1. service iptables stop
2. chkconfig iptables off
Notes (FYI):
Again, I do not support disabling the firewall. However, we are
going to turn this server into a vulnerable machine by later
installing Mutillidae.
Section 6: Install Apache httpd Server
1. Download httpd
Instructions:
1. yum install httpd.i686
2. y
Or
yum install -y https.i686
2. Start Apache
Instructions:
1. service httpd start
This starts up the Apache Listening Daemon
2. ps -eaf | grep httpd
Check to make sure Apache is running.
3. chkconfig --level 2345 httpd on
Create Start up script for run levels 2, 3, 4 and 5.
Section 7: Install mysql and mysql-server
1. Install mysql
Instructions:
1. yum install mysql.i686
2. Continue to next step
2. Install mysql
Instructions:
1. y
3. Install mysql-server
Instructions:
1. yum install mysql-server
2. y
4. Start Up mysqld
Instructions:
1. service mysqld start
5. Start Up mysqld
Instructions:
1. chkconfig --level 2345 mysqld on
Creates the start up scripts for run level 2, 3, 4 and 5.
2. mysqladmin -u root password dvwaPASSWORD
Sets the mysql root password to "dvwaPASSWORD"
3. Install php-pear
Instructions:
1. yum install php-pear php-pear-DB
2. y
Section 9: Install wget
1. Install wget
Instructions:
1. yum install wget
2. y
Section 10: Install Damn Vulnerable Web App (DVWA)
1. Download DVWA
Note(FYI):
DVWA-1.0.7.zip is an older version. ComputerSecurityStudent
provides this zip file, since it is no longer available at google
source.
The most recent version can be found at http://www.dvwa.co.uk/
Instructions:
1. cd /var/www/html
2. wget
h&p://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson1/DVWA-
1.0.7.zip
Grab the DVWA-1.0.7 application.
Remember to down the zip file from computersecuritystudent and
not googlecode.
3. ls -l | grep DVWA
Confirm DVWA-1.0.7.zip was downloaded
2. Unzip Package
Instructions:
1. unzip DVWA-1.0.7.zip
3. Remove Zip File
Instructions:
1. ls -lrta
2. rm DVWA-1.0.7.zip
3. y
4. Configure config.inc.php
Instructions:
1. cd /var/www/html/dvwa/config
This is the configuration directory for DVWA.
2. cp config.inc.php config.inc.php.BKP
Make Backup copy
3. chmod 000 config.inc.php.BKP
Remove Permissions to the Backup Copy
4. vi config.inc.php
This is the configuration file for DVWA that handles the
database communication from the Web App.
5. Configure config.inc.php
Instructions:
1. Arrow down to the line that contains db_password
2. Arrow right and place your cursor on the second single quote
3. Press "i"
This puts the vi editor into INSERT mode.
4. Type "dvwaPASSWORD"
5. Press <Esc>
This takes the vi editor out of INSERT mode.
6. Type ":wq!"
This save the config.inc.php file.
6. Restart Apache
Instructions:
1. service httpd restart
Restart Apache
2. ps -eaf | grep -v grep | grep httpd
Make sure Apache is running.
7. Start up a Web Browser
Instructions:
1. Applications --> Internet --> Firefox
Notes(FYI):
At this point, you can start up a web browser on any computer on
your network (Windows, Mac, Whatever you want).