Configure Web Application Penetration Testing Lab

In our previous article you learnt how to configure a web server on an Ubuntu system with LAMP services to build your own pentest lab. Today you will learn how to configure four well-known vulnerable web applications (DVWA, bWAPP, SQLI-labs and Mutillidae) inside that web server for web application penetration testing (WAPT) practice.

Let’s Begin!!

Open the terminal, switch to the root user and move into the html directory using the following commands.

sudo bash

cd /var/www/html

To reach all of these web applications in the browser through localhost, download and configure them inside the html directory only, since that is the web server's document root.

DVWA

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, and to help web developers better understand the processes of securing web applications.

Download DVWA inside html using the following command.

wget https://github.com/ethicalhack3r/DVWA/archive/master.zip

Now type the following commands step by step to configure DVWA.

ls

From the given image you can see that we have downloaded the master.zip file; now unzip it using the command below.

unzip master.zip

After unzipping, rename the DVWA-master directory to dvwa so that the application is served at localhost/dvwa.

ls

mv DVWA-master dvwa

ls

cd dvwa

ls

Then move inside the config directory in order to rename config.inc.php.dist to config.inc.php.

cd config/

ls

mv config.inc.php.dist config.inc.php

gedit config.inc.php

Now open config.inc.php using the above command; here you will observe that db_password is p@ssw0rd. Remove the password and leave db_password blank.

After leaving the password blank, save config.inc.php.

Now open the web application in the browser through the URL: localhost/dvwa/setup.php

As shown in the given image, a web page will open for the DVWA setup; now click on the Create / Reset Database button.

Log in to the web application through the URL localhost/dvwa/login.php; by default the username and password for DVWA are admin and password respectively.

Using the above steps you can configure DVWA in your web server and practice web penetration testing against its built-in vulnerabilities.

bWAPP

bWAPP, or buggy web application, is a deliberately insecure web application. It helps security enthusiasts, systems engineers, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful web application penetration testing and ethical hacking projects. It is made for educational purposes.

Now download bWAPP and then unzip that folder.

wget https://sourceforge.net/projects/bwapp/files/latest/download

cd /var/www/html

Now move bWAPP from the Downloads directory to the html directory using the move command.

mv /home/raj/Downloads/bwapp_latest/bwapp .

ls

Now you can observe that we have bwapp inside the html directory.

Now make the following changes inside the file settings.php (in the admin directory) for its configuration.

cd admin

ls

gedit settings.php

Here remove the password “bug” for db_password, as done above for DVWA.

Leave db_password blank and then save the file.
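The two hand edits above (db_password in DVWA's config.inc.php and in bWAPP's settings.php) can also be made from the shell and checked afterwards. This is an added example, not code from the article or from either project; it assumes GNU sed as shipped on Ubuntu and works on constructed sample files that use the same assignment formats as those config files.

```shell
#!/bin/sh
# Added example (not from the original article): rewrite the db_password value
# in a lab app's config file, keep a backup, and read it back to verify.
# Handles the DVWA form   $_DVWA[ 'db_password' ] = 'p@ssw0rd';
# and the bWAPP form      $db_password = "bug";
# Assumes GNU sed (Ubuntu); the sample files below are constructed for the demo.

# set_db_password FILE NEWPASS : rewrite the db_password assignment in FILE
set_db_password() {
    local file="$1" newpass="$2" esc
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p -- "$file" "$file.bak"            # backup before touching the file
    # escape characters that are special in the sed replacement text
    esc=$(printf '%s' "$newpass" | sed 's/[&|\\]/\\&/g')
    # group 1 = everything up to the opening quote, group 2 = the quote char
    sed -i -E "s|(db_password'? *\]? *= *)(['\"])[^'\"]*\2|\1\2${esc}\2|" "$file"
}

# get_db_password FILE : print the password currently set in FILE
get_db_password() {
    sed -nE "s|.*db_password'? *\]? *= *(['\"])([^'\"]*)\1.*|\2|p" "$1" | head -n 1
}

# write_sample_configs DIR : create two constructed config files to try this on
write_sample_configs() {
    printf '%s\n' '<?php' "\$_DVWA[ 'db_password' ] = 'p@ssw0rd';" > "$1/config.inc.php"
    printf '%s\n' '<?php' '$db_password = "bug";' > "$1/settings.php"
}

# demo: blank the DVWA password (as the article does) and set a bWAPP one
lab=$(mktemp -d)
write_sample_configs "$lab"
set_db_password "$lab/config.inc.php" ""
set_db_password "$lab/settings.php" "labpass"
echo "dvwa  db_password now: '$(get_db_password "$lab/config.inc.php")'"
echo "bwapp db_password now: '$(get_db_password "$lab/settings.php")'"
```

On the real lab, point set_db_password at /var/www/html/dvwa/config/config.inc.php or /var/www/html/bwapp/admin/settings.php and confirm the value with get_db_password before reloading the setup page.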

Now browse to the web application through the URL: localhost/bwapp/install.php

As shown in the image, a web page will open for installation; now click on the link “click here to install bWAPP”. After that bWAPP will be installed successfully and will be ready for penetration testing.

Now use the default username and password, bee and bug, to log in to bWAPP and start your practice.

SQLI

SQLI-labs is used to practice error-based, blind boolean-based and time-based SQL injection.

cd /var/www/html

Download SQLI-labs (by Dhakkan) inside the html directory and then unzip it.

wget https://github.com/Audi-1/sqli-labs/archive/master.zip

unzip master.zip

Rename the sqli-labs-master directory to sqli using the following command.

mv sqli-labs-master sqli

Now open the web application in the browser using the URL localhost/sqli and click on “Setup/reset Database for labs”.

This will create the database for the lab, after which it is ready for SQL injection practice. The lab is designed mainly for SQL injection attacks; each lesson has a different SQL error to work with.

OWASP Mutillidae II Web Pen-Test Practice Application

OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web security enthusiasts. Mutillidae can be installed on Linux and Windows using LAMP, WAMP and XAMPP. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2 and OWASP BWA, and the existing version can be updated on these platforms. With dozens of vulnerabilities and hints to help the user, this is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTFs and as a target for vulnerability assessment tools. Mutillidae has been used in graduate security courses, corporate web security training courses, and as an “assess the assessor” target for vulnerability assessment software.

Download Mutillidae using the following command.

wget https://sourceforge.net/projects/mutillidae/files/latest/download

cd /var/www/html

Move the mutillidae folder from Downloads into /var/www/html by typing the following command.

mv /home/raj/Downloads/mutillidae .

This web application does not require extra configuration; you can open it directly in the browser using the URL: localhost/mutillidae

Now use your pentesting skills to exploit its vulnerabilities.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.


Source: www.hackingarticles.in