CyberSec Linux

Delving into the Shadows: Ethical Hacking with Kali Linux and Damn Vulnerable Web App (DVWA)

Today, we'll guide you through the process of using Kali Linux to interact with Damn Vulnerable Web App (DVWA), a deliberately insecure web application designed for security training.
ghost
ghost
4 min read
Delving into the Shadows: Ethical Hacking with Kali Linux and Damn Vulnerable Web App (DVWA)
Practice makes perfect

Welcome back, intrepid Sages! You've crafted your portable Linux lab, and perhaps some of you have even chosen the specialized toolkit of Kali Linux, drawn by the mysteries of the Guardian's Lair (Cybersecurity). Now, it's time to put those tools to ethical use and venture into the simulated dangers of a vulnerable web application. Today, we'll guide you through the process of using Kali Linux to interact with Damn Vulnerable Web App (DVWA), a deliberately insecure web application designed for security training. Remember, the goal here is learning and ethical exploration within a controlled environment. Never attempt to use these techniques against real websites or systems without explicit permission.

Why DVWA? Your Ethical Hacking Playground:

DVWA is an invaluable resource for aspiring cybersecurity professionals. It provides a safe and legal environment to:

  • Understand Common Web Vulnerabilities: Learn firsthand how flaws like SQL Injection, Cross-Site Scripting (XSS), and Command Injection work.
  • Practice Your Kali Linux Tools: Utilize the vast array of security tools included in Kali to identify and exploit these vulnerabilities.
  • Develop Ethical Hacking Skills: Hone your reconnaissance, scanning, exploitation, and reporting techniques in a controlled setting.

Setting Up Your Target: Damn Vulnerable Web App (DVWA)

To practice your Kali skills, you'll need a running instance of DVWA. The easiest way to do this in your learning lab is within your virtualized environment. Here's how:

Install a Web Server and PHP: DVWA is a PHP-based application, so you'll need a web server (like Apache) and PHP installed on your Kali Linux VM. Open your Kali terminal and run:Bash

sudo apt update
sudo apt install apache2 php libapache2-mod-php php-gd php-mysql

Download and Configure DVWA:

  • Navigate to the /var/www/html directory: Bash
cd /var/www/html
  • Download the DVWA source code. You can use wget: Bash
sudo wget https://github.com/ethicalhack3r/DVWA/archive/master.zip
  • Install unzip if you don't have it: Bash
sudo apt install unzip
  • Unzip the downloaded file: Bash
sudo unzip master.zip
  • Rename the extracted directory to dvwa for easier access: Bash
sudo mv DVWA-master dvwa
  • Navigate into the DVWA configuration directory: Bash
cd dvwa/config
  • Edit the config.inc.php file to configure the database connection. You can use a text editor like nano: Bash
sudo nano config.inc.php
  • Find the $_DVWA database settings and update them. For a basic setup, you can often use the defaults: PHP
$_DVWA['db_server']   = '127.0.0.1';
$_DVWA['db_database'] = 'dvwa';
$_DVWA['db_user']     = 'root';
$_DVWA['db_password'] = ''; // Default is often blank

Save and exit the file (Ctrl+X, then Y, then Enter in nano).

Create the DVWA Database:

  • Install the MySQL server (if you haven't already): Bash
sudo apt install mysql-server
  • Start the MySQL service: Bash
sudo systemctl start mysql
  • Secure your MySQL installation (optional but recommended): Bash
sudo mysql_secure_installation
  • Log in to the MySQL server as root: Bash
mysql -u root -p

(If you set a root password during mysql_secure_installation, enter it here).

  • Create the DVWA database and user, and grant it privileges: SQL
CREATE DATABASE dvwa;
CREATE USER 'dvwauser'@'localhost' IDENTIFIED BY 'password'; -- Replace 'password' with a strong password
GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwauser'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
EXIT;
  • Go back to the DVWA configuration directory (cd /var/www/html/dvwa/config/) and edit config.inc.php again to reflect the database user and password you just created.

Start the Apache Web Server:Bash

sudo systemctl start apache2

Access DVWA in Your Browser: Open your Kali Linux web browser (usually Firefox) and navigate to http://localhost/dvwa/.

Setup DVWA: You'll likely see a setup page. Click the "Create / Reset Database" button at the bottom to initialize the DVWA database tables.

Log In: The default credentials for DVWA are usually:

  • Username: admin
  • Password: passwordChange these immediately after logging in for security reasons if you intend to keep this setup running for a while.

Exploring Vulnerabilities with Kali Linux Tools:

Now that you have DVWA running, you can start practicing your ethical hacking skills using various tools available in Kali Linux. Here are a few examples to get you started:

Information Gathering (Reconnaissance):

  • whois <target_ip> or whois <target_domain>: Gather information about the domain registration.
  • nslookup <target_domain>: Query DNS records.
  • nmap -sV <target_ip>: Scan for open ports and services running on the DVWA server (from your Kali VM's perspective, the target IP is usually 127.0.0.1).

Exploiting SQL Injection:

  • Navigate to the "SQL Injection" section in DVWA.
  • Try entering single quotes (') in the User ID field to see if it causes an error, indicating a potential SQL Injection vulnerability.
  • Use tools like sqlmap (pre-installed in Kali) to automate the process of finding and exploiting SQL Injection flaws. For example: Bash
sqlmap -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --forms --dbs

(Adjust the URL based on the DVWA page).

Exploiting Cross-Site Scripting (XSS):

  • Navigate to the "XSS (Reflected)" or "XSS (Stored)" sections in DVWA.
  • Try entering <script>alert('XSS')</script> in the input fields and see if the JavaScript code executes. This indicates an XSS vulnerability.
  • Explore tools for more advanced XSS exploitation.

Exploiting Command Injection:

  • Navigate to the "Command Injection" section in DVWA.
  • Try entering simple commands like ls or ip addr in the input field to see if they are executed on the server.
  • Explore ways to execute more complex or malicious commands.

Remember the Ethical Code:

As you explore these vulnerabilities, always remember the ethical implications. Your learning should be confined to your controlled environment (your Kali VM interacting with your DVWA setup). Never attempt to probe or exploit real websites or systems without explicit, written permission.

Your Journey into the Shadows Begins:

By setting up Kali Linux and DVWA, you've created a valuable training ground for understanding the world of cybersecurity. Experiment with the various tools in Kali, explore the different vulnerability types in DVWA, and most importantly, learn how these weaknesses can be exploited and how to prevent them. This hands-on experience will be invaluable as you continue your journey to becoming a knowledgeable and ethical Sage of the Digital Caverns! In our future explorations, we'll delve deeper into specific Kali Linux tools and exploitation techniques. Stay curious and explore responsibly!

You might also like

Subscribe to devops miami newsletter and stay updated.

Don't miss anything. Get all the latest posts delivered straight to your inbox. It's free!
Great! Check your inbox and click the link to confirm your subscription.
Error! Please enter a valid email address!