In our previous article you had learnt how to configure a web server using ubuntu system with the help of LAMP services for designing your own pentest lab. Today you will how to configure the famous 4 web application (DVWA, bWAPP, SQLI and Mutillidae) inside web server for web penetration (WAPT) practices.
Let’s Begin!!
Open the terminal and login with root user and move inside html directory using following command.
sudo bash
cd /var/www/html
Basically to operate all web application on browser through localhost you should download and configure these web application inside html directory only.
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications.
Download dvwa inside html using following command.
wget https://github.com/ethicalhack3r/DVWA/archive/master.zip
Now type following command step by step to configure dvwa.
ls
From given image you can see we have downloaded master.zip file, now unzip this file using below command.
unzip master.zip
After unzip, move file and folder of DVWA-master into dvwa
ls
mv DVWA-master dvwa
ls
cd dvwa
ls
After then move inside config in order to rename config.inc.php.dist into config.inc.php
cd config/
ls
mv config.inc.php.dist config.inc.php
gedit config.inc.php
Now open config.inc.php using above command, here you will observe that db_password is p@ssw0rd. But remove the password and left it blank space for db_password.
After leaving blank password save config.inc.php
Now run web application in browser through URL: localhost/dvwa/setup.php
As shown in given image a web page will get open for dvwa setup, now click on given tab Create/ Reset Database.
Login into web application through URL: localhost/dvwa/login.php by default the username and password is admin: password respectively for login into dvwa.
Using above step for installation you can configure dvwa in your web server and perform web penetration testing by exploiting given vulnerabilities.
bWAPP
A buggy web application is a deliberately insecure web application. It helps security enthusiasts, systems engineers, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful web application penetration testing and ethical hacking projects. It is made for educational purposes.
Now download bwapp and then unzip that folder.
wget https://sourceforge.net/projects/bwapp/files/latest/download
cd /var/www/html
Now shift bwapp from download directory to html directory using move command
mv /home/raj/downloads/bwapp_latest/bwapp .
ls
Now you can observe we have bwapp inside html directories.
Now make following changes inside the file “setting.php” for its configuration.
cd admin
ls
gedit setting.php
Here remove the password “bug” for db_password as done above.
Now Leave blank space for db_password and then save the file.
Now browse web application through URL: localhost/bwapp/install.php
As shown in image a web page will get open for installation; now click on given link “click hereto install wapp”. After that your bwapp will get successfully install and will ready for penetration testing.
Now use default username and password bee: bug for login into bwapp and start your practice.
SQLI
SQLI labs to test error based, Blind boolean based, Time based.
cd /var/www/html
Download SQLI dhakkan inside html directory and then unzip it.
wget https://github.com/Audi-1/sqli-labs.git
unzip master.zip
Copy all file and folder of sqli-labs-master into sqli using following command
mv sqli-labs-master sqli
Now open web application inside browser using URL: localhost/sqli Click on “Setup/reset Database for labs”
This will create database setup for lab and after that it will be ready for SQL penetration testing. This lab is design for mainly sql injection attack each lesson have different sql error.
OWASP Mutillidae II Web Pen-Test Practice Application
OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiest. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2, and OWASP BWA. The existing version can be updated on these platforms. With dozens of vulns and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiast, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an “assess the assessor” target for vulnerability assessment software
Download mutillidae using following command
wget https://sourceforge.net/projects/mutillidae/files/latest/download
cd /var/www/html
Move file and folder of mutillidae from inside download into var/www/html by typing following command
mv /home/raj/Downloads/mutillidae
This web application does not required extra configuration setting you can directly open it inside browser using URL: localhost/mutillidae
Now use your pentesting skill to exploit its vulnerability.
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here
The post Configure Web Application Penetration Testing Lab appeared first on Hacking Articles.